In a suddenly remote working environment the CISO has become one of the most valued leaders in the industry. With their expertise in security, risk management and, increasingly, business value, they are well placed to ensure smooth, safe operations despite a disparate workforce. How can they continue doing so? It will require a not-so-simple combination of people, processes and technologies. In this debate on the future of their function, four security leaders focus on the concept of zero trust, how they can utilize it for security and what else is needed to protect and serve their organizations.
Mansi Thapar, Head of Information Security at Jaquar Group, Sumeet Khokhani, CISO of Intas Pharmaceuticals, George Eapen, Group CISO of Petrofac and Nick Savvides, Senior Director of Strategic Business, APAC at Forcepoint, came together at The Studio @ Home for a session moderated by Mark Chillingworth, Senior Content Editor, Financial Times.
Zero trust in 2020
For Mansi Thapar zero trust can be condensed into four words.
“Never trust, always verify.” For Mansi, the new normal for security always assumes a threat by verifying every user and application, continuously. So even if zero trust is not a new concept, the technology by which CISOs can monitor their businesses has evolved enough now to make it so.
Nick Savvides agreed: “Zero trust is where we wanted to be but couldn’t yet get to and now technology is affordable enough for us to be able to realise a lot of it. Not all of it, but most. What I’m seeing are companies employing a hybrid environment of old and new ways. And most especially exciting is zero trust identity whereby CISOs can continuously authenticate and monitor users, an evolution from the more binary measures of the past.”
The roundtable agreed that the time is right to capitalize on new technologies and strategies to protect their newly remote teams. Why zero trust for example is getting focus is because of the timeliness of its advantages.
“Zero trust is a compilation of different policies,” said George Eapen, “and will be able to consign users to the right applications, put in place additional controls to validate users and monitor how users are using the platform. It’s fantastic because around 91 percent of breaches start from identity theft.”
That’s vital for any industry, but for pharmaceutical companies, where intellectual property is guarded more closely than most, the threat landscape becomes more volatile. Sumeet Khokhani put forward his experiences.
“You’re right, my sector is very protective. That’s why, with so many tools available, I’ve actioned a multi-layered defense strategy and put forward a risk-based approach to my role so that the rest of the business understands our decisions.”
CISOs and risk management
At Sumeet’s point the rest of the roundtable nodded vigorously. For these CISOs a risk-based approach allows the cybersecurity team to shift the conversation away from disrupting innovation to mitigating loss, working with the rest of the organization to promote change, but safely.
Critically, zero trust, they say, plays a role in articulating that risk so the approach can be used outside of the security team. When that happens organically, seamless security can be enjoyed by the whole organization.
Inevitably, that means more responsibility for the CISO.
“Around 90 percent of my work is now digital, as is the CIOs, so we need to work together and with the rest of senior management to solve issues,” said Thapar. “The context of 2020 has also meant more work for us: the Indian manufacturing sector has had to shift its stance on remote working quickly and the effect is remarkable!
“In order for us to protect those workers we need to shift fast too.”
How to succeed in 2021
The other significant change in the CISO mindset is how business-centric they need to be. Much like the CIO 10 years ago, they are no longer to be kept in their own teams, siloed and isolated. They need to be visible, be actively supporting innovation within a risk-based mindset and seen as a partner to the business.
The roundtable moved on to the role of stakeholders in supporting CISOs. Vendors need to be more transparent about how they can partner with security teams and what technologies truly help. Customers require confidence that they’ll be protected and clients are managing their supply chains to ensure every relationship is secure. CISOs are suddenly excessively busy—but this time they have the right technology and the right time.
“Now you can segment your business and teams so the right frameworks are set up for all your user profiles,” said George Eapen. “What do they all need to help the business? Once you answer that you can write a granular policy for the business to recognize any deviances in behaviour.
“In zero trust, the technology is the simple part. The hard part is understanding your teams, what they need and how much access can support their roles.”