We spoke to Maitreya Buddha Samantaray, Senior Manager, Crisis Management & Business Continuity, Digital Operations & Platforms, and founder of Crisis Intelligence Community (CIC), an online platform of around 250 senior corporate security professionals from across the globe, about the changing role of a CSO in ensuring security for an organization, how security strategies are going to mature in Indian corporate organisations, and the role technologies such as AI, IoT, Machine Learning and Big Data play in enhancing the security of an organization.
Interviewed by Adeesh Sharma
Please dwell on the changing role of a CSO in ensuring security for an organization.
Industry peers may differ, but I somehow feel there has not been any drastic change in the broad scope of a CSO. The CSO is responsible for the organization's entire security posture, including physical and digital security. The CSO has to ensure protection of resources, assets and information, since any challenge to these broad deliverables means a direct reputational loss with high accountability of the CSOs. In the feudal regime, there were moats, battlements, lookouts and drawbridges, which have been replaced in the modern era with manned guarding and now with a digital makeover wherein security technology has taken over. Thus the role of Remote Surveillance and Access Management cannot be denied.
I read somewhere that, way back in history, Julius Caesar used encryption to pass on confidential messages to army generals during the war, as do our modern mechanisms for communication encryption. As a matter of fact, it was not typically just about guards, guns and gates; innovative measures were devised to pass on information safely.
So the blending of physical and information security know-how has always been a priority for any CSO. To ensure the safety of the emperor, security was considered a strategic and operational activity, and so it is in the modern-day corporate world to ensure Business Continuity.
The Mantri (Defence Minister) was a key figure in the King’s team, and so is the modern-day CSO, who is a part of the CEO's business leadership team. What has really changed now is the industry-specific tweaking of the CSO's role based on risk, stakeholder management and degree of importance to core objectives such as people, property, information and reputation. For example, a CSO of an IT firm will have more focus on protection of people and information than one in the logistics industry, where the prime focus is to ensure loss prevention in the supply transfers, thereby requiring expertise in Supply Chain Management.
No doubt, everyone is responsible for security in an organization, but everybody’s business is nobody’s business, and you need a leader with a multidimensional skill set who sets the tone, gives direction, mentors (to create a new generation of CSOs), and develops, implements and manages the entity’s security vision, strategy and programs aligned with the organization’s principles, and that’s what a CSO is meant for. Today’s CSO is more of a Business Enabler. The CSO must speak the language of business and be conversant with the basic activities and values of the business. He must be well networked in the industry and needs to master the art of fear management. Additionally, in the Indian context, besides physical, digital and leadership acumen, the role needs a command over the local language in the geography where the operation needs to be carried out.
How do you foresee security strategies maturing in the Indian corporate organisations?
Security is today no longer a monostatic duty; rather, it is considered a service enabler and market catalyst. It is considered a service line for an organization in compliance with regulatory laws, leading to the creation of a structure that adheres to compliance and legal requirements.
As competition in the market grows and businesses expand, stakeholders, shareholders and potential investors would like to see the growth and stability of the organization they are investing in. A secure organization with clearly documented SOPs for threat monitoring, risk assessment, incident response plans, Business Impact Analysis, business continuity strategies, crisis communication protocols, travel security and safety, information security, training, rehearsal and awareness, etc. gives a sense of confidence and acts as a market catalyst. Most medium to large corporate Indian entities have been adhering to global best security practices with varying intensity, but smaller entities are still lagging behind.
Now, if we discuss India’s cyber security investment landscape, we will see it is primarily around prevention technologies like firewalls and antivirus, whereas investment in detection and response capabilities is maturing with time. Largely, banks and telcos are the most mature in terms of cybersecurity. Indian organizations are primarily compliance driven and reactive. Response capabilities need attention across sectors.
Nonetheless, in India’s corporate security landscape, there has of late been an inclusion of greater diversity in the workforce, and that has additionally resulted in value creation. It’s great to see that national and international forums have started to recognize, honor and reward Indian entities and individuals who have done commendable work towards achieving organizational resiliency and creating an environment conducive to business, and IFSEC ranks prominent as a forum to recognize talent.
What role can technologies such as AI, IoT, Machine Learning and Big Data play in enhancing security of an organization?
AI and ML apparently go hand in hand, with AI leveraging ML capabilities to increase its intelligence. These systems can be advantageous when it comes to identifying and working to guard against the latest security threats, such as ransomware or any malware attack. An AI system powered by ML can expand on what it knows, along with its understanding of past attacks and threats, to identify other attacks in the same vein or style. AI, fed with previous data related to breaches and other recognized vulnerabilities already present in the market, and with human interaction, can leverage the traditional security infrastructure, giving more robust, more secure and more proactive security solutions, generating fewer false-positive alerts and more reliable information about threats, be they external or internal. It is time to incorporate AI and ML into protection solutions. Not only can organizations benefit from the same, the business can then transition into smoother operations, with assurance that the confidentiality, integrity and availability of data cannot be hampered that easily.
Organizations shell out as much as $1.3 million per year responding to inaccurate and erroneous intelligence or chasing erroneous alerts, according to a study by SANS Institute. Better solutions are trained by using ML to analyze vast stores of human-labeled data so that they can find patterns within the seeming white noise. For as long as ML has existed, training has been the most lengthy and cumbersome part of AI/ML implementation, but several AI solutions have now been developed that permit the software to train itself autonomously, at least. When properly trained, AI threat analysis can apply human-like intuition to every interaction on the network and pluck a single strange packet from millions of others for human review. We would not then need a lot of security analysts going over packet captures in Wireshark, reviewing malicious HTTP requests in tools like Burp, et cetera. All we would need are ones who can act on them accordingly and mitigate alarming threats.
Big data can play a role in disaster management, something that concerns every corporate security professional. It helps in predicting the disaster path, pinpointing flooded areas, mapping and making any necessary arrangements, and in a way helps save many lives. Forecasting gets easier as every disaster provides huge amounts of data, and combined with sensor, surveillance and satellite image data collection, big data analytics allows critical areas to be surveyed and assessed. Big data can not only provide you information about the natural risks that can intervene in day-to-day business activities, but can also make us aware of business continuity proposals that we can imply to ensure that the business is smooth, the clients are happy, and our people are safe and sound.
How do you think expos such as IFSEC India can be leveraged by the security stakeholders to enhance awareness about security products and learn about security strategies?
Thought-provoking, industry-relevant conferences, exhibitions by domestic and globally renowned industry players, and awards have been the hallmark of IFSEC events, which have always been a much-awaited destination for security professionals from various domains to learn from each other about industry best practices and cutting-edge technologies, to network with fellow professionals, prospective customers or suppliers, and to seek solutions to some of the most pressing challenges in security.
Probably, some thought can be given to how to promote a risk imbibe culture for academic institutions involving students and faculty, and households/residents involving Resident Welfare Associations (RWA), and to requisite IFSEC partnerships with relevant groups through training, awareness and recognition. It could be my oversight; additionally, IFSEC can start thinking in terms of industry-specific security certifications. Overall, it is interesting to observe the paradigm shift in security deliverables in the coming era.