Accelerating business transformation means accelerating change management strategy
![Accelerating business transformation means accelerating change management strategy](/uploads/2018/02/5f968034c065f.jpg)
DR. SANJAY BAHL
Director General, CERT-In
These days we are observing that businesses are undergoing transformation at a rapid pace. The definition of accelerating business transformation varies among organizations. Dr. Sanjay Bahl, CISM, CIPP/IT, of CERT-In has vividly elaborated the meaning of accelerating business transformation. Dr. Bahl is also an adjunct faculty member at IIIT Delhi. He has been providing consultancy in the areas of governance, risk, compliance, security, privacy, forensics, investigation and fraud management to some national-level projects in India. Prior to CERT-In, he was the Chief Security Officer (CSO) for Microsoft Corporation (India). Prior to joining Microsoft, he also worked with Tata Consultancy Services (TCS) as the Global CSO.
In his words, “Accelerating business transformation means accelerating change management strategy, which you can define as accelerating any shift or realignment or fundamental change in business operations. Why is this acceleration required now? So that the business can survive and thrive in an environment which is throwing up new innovation-driven opportunities as it responds to shifting market demands, while navigating the evolving regulatory complexities. This survival of the business is now dependent on maintaining trust in these services that it provides.”
THE AAJA ENVIRONMENT
At present we are living in a volatile environment which Dr. Bahl referred to as AAJA. Further elaborating on this, he said, “We are living in an AAJA environment. It is Asthirta or volatile. It is Anishchita or uncertain - lack of clarity about the present and the future. It is Jatilta or complexity - the multiple factors which are impacting key decisions. It is Ashspashtta or ambiguity - lack of clarity about the meaning of events. So, why is it now that we require this acceleration of business transformation? Because now we are living in this AAJA world and this is an extraordinarily challenging time, where this pandemic has given rise to a contact-free economy which is accelerating digital business transformation and it is changing our society, government and industry. So, businesses are now taking informed, data-driven decisions and making choices which have the potential to shape our economy, politics, Digital India, culture and society. We need to decide what kind of society, government and industry we wish to create rather than trying to foresee the kind of society, government or industry that will be created. So what would be the building blocks for digital transformation? It requires connectivity; without it, obviously, there is no digital transformation. Once you have connectivity, the tools, etc., then you should know how to effectively use them. For that you require skills. Once you have these, you need some policies to address the security and privacy issues in the digital transformation, and also you need governance and strategy coordination.”
UNDERSTANDING THE THREAT LANDSCAPE
Understanding the threat landscape is very important; without it, it is difficult for organizations to provide the necessary security capabilities. Discussing it, Dr. Bahl said, “As a business leader, you need to understand the threats which your organization will be facing, including your people when they are working from home during these times. You have to provide clear guidance and encourage communication from them, so that they ensure that the policies are clear and easy to use when they are working from home and they know whom to contact if there is any issue or suspicious activity they notice. You have to provide the right security capabilities, in the sense that whatever machines or digital devices you have given to the employees are managed from a corporate perspective and you have the necessary tools on these digital devices, so that the people are not impacted when there is something malicious happening.
As I said, you have to understand the threats. What is the threat landscape at present? What we see is that there are nation state actors who are involved in espionage operations and also financially motivated crime and frauds. There is targeted ransomware which is available as a service, destructive malware, remote login, credential stealing memory executable ports - attacks which are increasing; also on the increase is the frequency of distributed denial of service attacks. With the entry of IoT or the Internet of Things, the attacks have also increased. Also, there is an observation on traffic, the internet traffic being hijacked. On the crime side, the ecosystem is demonstrating extreme flexibility in terms of the tactics, techniques and procedures they use, and they are able to change their course mid-campaign to achieve their objectives.”
SECURITY GOVERNANCE
Talking about security governance, he highlighted, “There is obviously a challenge in terms of trust in the digital devices and connectivity. To address it in a holistic manner, you need to look at the governance. When you look at governance, I am specifically talking about security governance, because security is a quality aspect. So security governance has a direct impact on the security service quality and also on the organization's performance. The services that you have to provide should be resilient; you are seeing what happens if the services are down for a few days, if you are not able to get connected and not able to do your business activities, you have to face huge losses. Your policies should be in place for security and privacy. Whatever software you are developing will have to follow a secure software development lifecycle. You also have to look at the operational aspects in terms of the security and safety operations center that you have, depending on the size of the organization. You should be able to integrate all your different devices from a security perspective, including all the supply chains, so that you have complete visibility as to what is happening and what is the threat that is emerging and from where. Once you get all these, then you will be able to provide value-added services which will improve organizational performance and also provide a better user experience.”
ZERO TRUST ARCHITECTURE & CYBER-PANDEMIC
Zero Trust Architecture is a new approach to security. Discussing it, he said, “There is a trust deficit in technology-based systems which has increased during the COVID time. So there is a new approach known as a zero trust architecture. This architecture is a security concept fixed on the principle that organizations need to proactively control all interactions between people, data and information systems to reduce security risks to acceptable levels by creating discrete granular access rules for specific applications and services within a network.
Basically, cyber-attacks erode customer trust. The cost of the cyber-attacks has increased 52% and the primary goal of it is service disruption and infrastructure destruction. It is mentioned in various reports that ransomware attacks will occur every 14 seconds and create a loss of $11 and a half billion. These cyber-attacks are becoming more frequent and impactful because they are impacting the digital infrastructure, and that is why they need to be robust and resilient, otherwise this foundation itself will be shaken. It is impacting digital confidence, because confidence is comprised of transparency, trust and security. Finally, it is impacting the digital economy, because with fractured technology or infrastructure, the economic growth will not be sustainable. So what will happen if there is a cyber-pandemic? If it has similar characteristics to the Coronavirus, then during the cyber-pandemic it will spread faster and much further than any biological virus. This has been mentioned by the World Economic Forum. The reproductive rate of COVID-19 is somewhere between two and three when there is no social distancing, and this number reflects how fast the virus can spread. If we contrast this with a cyber-pandemic, then it is estimated that the reproductive rate of the cyber-attack is 27 and above. You have seen what damage two or three has created by this biological virus, and what will happen when there is a cyber-pandemic which impacts 27 and above? The economic impact of this widespread digital shutdown will be of the same magnitude or maybe greater. In a single day without the internet, the cost to the world will be $50 billion. So if you have a 21-day cyber lockdown, that will cost over $1 trillion. The recovery from this widespread destruction of digital systems will be extremely challenging.
So, just imagine replacing five percent of the world's connected devices which may have been impacted by a malicious software etc.; it will require about 71 million new devices. And how do you get these new devices? Suppose the manufacturing and logistics systems are also impacted, is there a mechanism to manufacture and produce so many new devices on an urgent basis, and then, whatever has survived, can you at breakneck speed patch and reinstall whatever has been impacted? These are nightmares that we are sitting on.”
BUILDING TRUSTED BUSINESS INFRASTRUCTURE
Building a trusted business infrastructure is important, and Dr. Bahl explained how to build it. He said, “So how do you finally look at building a trusted business infrastructure? I will say there are six basic things - five pillars and a foundation. One is having a trusted supply chain. You need to make sure that you have implemented a trusted value chain framework where you are in a position to do security testing of the framework, equipment and software which is coming in through certification labs, to carry out risk analysis to understand how much is the risk, whether you are willing to accept that risk, are you willing to outsource that risk or mitigate it. That will define who will be the trusted supply chain partners and how you are going to interact with them. You have to look at a trusted architecture where you identify and adopt standards. The zero trust architecture which you will have to probably look at, also the managed service providers as part of your trusted supply chain and a trusted architecture, because now they are going to be sitting inside the business architecture. So, how secure are their infrastructure, processes and people? You have to start addressing those issues.
Next will be robust and resilient infrastructure in terms of network monitoring, detection of attacks and outbreaks etc., information exchange or any attacks and security issues or anomalies, because no one is in a position to do everything on their own; you will have to start looking at partners.”
CERT-IN INITIATIVES
Dr. Bahl talked about various initiatives of CERT-In. He said, “From the Indian Computer Emergency Response Team or CERT-In we have put in place various projects which are helping a variety of organizations and sectors, such as the Cyber Swachhta Kendra, which is providing service on a daily basis, like which are the devices that have malware, which are the vulnerable services that are to be looked at by your organization.
We have the National Cyber Coordination Centre, which is in a position to look at situational awareness and give advance notices as to what is happening, what you may want to do and what steps you may want to take. We are providing Cyber Threat Intelligence using the STIX and TAXII formats so that there is no manual intervention. As soon as we understand what the threat is, we are providing the indicators of compromise, the details that can be ingested by your SIEMs etc. directly, so that there is no manual intervention and there is no scope for error, and the devices are then appropriately secured, and this is almost in real time.
Security by design is the next pillar, where you are looking at compliance and adequacy of security controls. We have empaneled auditors in place - more than 90 of them today. We have put in place the Cyber Crisis Management Plan. So when there is a crisis, what needs to be done, who needs to be informed and how you need to carry out what activities; there is an incident response so that you let us know that this is the sort of incident that has happened and we will provide you guidance. This is a 24/7 operation. You will have to participate in various drills and/or exercises that we perform, which help you understand what your security posture is, where you need improvements, how good your people are, how good your processes are, how good your tools are.
The fifth pillar is capacity building, because there is a huge gap in terms of what skill set is available with people and what is the skill set that is required. One way is obviously the skill set which is required for securing all this infrastructure and devices. So, that is the technical skill, but you also have to make sure that you build capacity across the organization by letting them know what they have to do in terms of security and how they need to make sure that they are not falling victim to simple things like phishing etc.
So, there are mechanisms of carrying out these awareness sessions. One is you can do it yourself; there are various other entities doing awareness sessions; then also for the technical people, there are formal courses which are available, and certifications. And the foundation for all this is the ecosystem which needs to be in place, where we need to look at the academia, which can come up with certain research and development aspects which can help and feed into this whole system. We need to look at the privacy impacts, we need to create more auditors.”
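The hands-off CTI ingestion Dr. Bahl describes (STIX indicators delivered over TAXII and fed straight into a SIEM) depends on the consumer filtering out indicators that are revoked or past their validity window before anything is blocked on them. The following is an added example, not CERT-In's or any vendor's code: it parses a constructed STIX 2.1 bundle (standing in for a TAXII collection response) and returns only the live indicator values, grouped by object type. The bundle contents, IDs and addresses are all constructed sample data, and only `<type>:value = '<literal>'` comparisons are handled.

```python
import json
import re
from datetime import datetime, timezone

# Constructed STIX 2.1 bundle standing in for a TAXII collection response
# (sample data, not a real feed; uses RFC 5737 addresses and .invalid names).
SAMPLE_BUNDLE = json.dumps({"type": "bundle",
    "id": "bundle--00000000-0000-4000-8000-000000000001", "objects": [
    {"type": "indicator", "id": "indicator--00000000-0000-4000-8000-000000000002",
     "spec_version": "2.1", "pattern_type": "stix",
     "pattern": "[ipv4-addr:value = '198.51.100.23' OR ipv4-addr:value = '203.0.113.7']",
     "valid_from": "2021-01-01T00:00:00Z"},
    {"type": "indicator", "id": "indicator--00000000-0000-4000-8000-000000000003",
     "spec_version": "2.1", "pattern_type": "stix",
     "pattern": "[domain-name:value = 'c2.example.invalid']",
     "valid_from": "2021-01-01T00:00:00Z", "valid_until": "2021-02-01T00:00:00.000Z"},
    {"type": "indicator", "id": "indicator--00000000-0000-4000-8000-000000000004",
     "spec_version": "2.1", "pattern_type": "stix", "revoked": True,
     "pattern": "[url:value = 'http://dropper.example.invalid/x']",
     "valid_from": "2021-01-01T00:00:00Z"},
    {"type": "malware", "id": "malware--00000000-0000-4000-8000-000000000005",
     "spec_version": "2.1", "name": "sample", "is_family": False}]})

# One comparison of the form  <object-type>:value = '<literal>'
COMPARISON = re.compile(r"(?P<type>[\w-]+):value\s*=\s*'(?P<value>[^']+)'")

def parse_ts(ts):
    """STIX timestamps are UTC; fractional seconds are dropped for portable parsing."""
    return datetime.strptime(ts.rstrip("Z").split(".")[0],
                             "%Y-%m-%dT%H:%M:%S").replace(tzinfo=timezone.utc)

def extract_iocs(bundle_json, now_iso):
    """Map object type -> set of literal values for every indicator that is
    still live at now_iso: not revoked and not past its valid_until."""
    now = parse_ts(now_iso)
    iocs = {}
    for obj in json.loads(bundle_json).get("objects", []):
        if obj.get("type") != "indicator" or obj.get("pattern_type", "stix") != "stix":
            continue              # other SDOs and non-STIX pattern languages: skip
        if obj.get("revoked"):
            continue              # producer withdrew it; must not be blocked on
        until = obj.get("valid_until")
        if until and parse_ts(until) <= now:
            continue              # expired: stale blocks cause false positives
        for m in COMPARISON.finditer(obj["pattern"]):
            iocs.setdefault(m.group("type"), set()).add(m.group("value"))
    return iocs

if __name__ == "__main__":
    for kind, values in extract_iocs(SAMPLE_BUNDLE, "2021-06-01T00:00:00Z").items():
        print(kind, sorted(values))   # only ipv4-addr: domain expired, url revoked
```

Run against the sample with a June 2021 timestamp, only the two IPv4 addresses survive; with a January 2021 timestamp the domain is still live, while the revoked URL is dropped in both cases.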
GRIEVANCE AND REDRESSAL SYSTEM
Talking about the necessity of a grievance and redressal system, he concluded, saying, “Obviously, when you are providing services, there might be grievances. So, you need to have a grievance and redressal system because now you have gone digital. So, you have to start addressing the grievance redressal systems for privacy. You should have someone to contact in case there is a privacy impact for the users.
Since you are looking at multiple partners in the supply chain, you may have to carry out background checks not only within your organization but also across the supply chain, and ensure that there are no issues and challenges from that perspective. Also look at how you can, as the honourable Prime Minister has been saying, look at products and services which will make us go towards Aatmanirbhar Bharat, Make in India, which will help you in doing some of these things.
So, I think if you have these things in place and look at security, you will have a much better organizational performance. A proper security governance and the results will be obviously available to all, and you will be able to look at the requirements of innovation which have come up during these times. So these new opportunities which have been opened up, you will be able to address the market demands and be compliant to the needs of regulations which are evolving and coming into place.”