The information security and cyber security should be integrated: N. Raman, Group GM – CISO, ONGC

Enterprises, instead of focusing on security solutions, products, software, etc., should set their security philosophy right. On many occasions, information security is taken as an afterthought, whereas it should be seen as a business and board function and not a technical function.
Information security and cyber security should be integrated. “It should be embedded right from conceptualising to the disposal stage, for example, zero trust is currently a widely discussed topic,” says N. Raman, Group GM – CISO, ONGC.
Usually, on an ongoing basis, the operations department, for example, implements a solution for cost reduction or improved efficiency, and only then is it brought to the IS department, as an afterthought for the sake of compliance. This is not the right approach.
The corporate ecosystem is waking up to the realisation that the CISO is a board function and relatively more important than other corporate functions. ONGC comes under the Critical Information Infrastructure (CII) category. “Recently, requirements have come in to integrate the operations technology (OT) with the internet. This is a major challenge as it amounts to security repercussions,” says Raman.
There is a demand from the government for growth in digitisation to ramp up business productivity, coupled with an onslaught of security regulations of an unprecedented nature. It is imperative to balance both, which is also a major challenge for government organisations. The benefits of cloud computing are driving government adoption of cloud in one of the many forms in which it is offered; however, it has its own share of security challenges too. The current staff is also ill-equipped to handle the changing technology landscape.
ONGC is also in the process of laying out an initial set of baseline guidelines from the regulatory bodies for securing the OT systems. Initiatives on the people part of the people, process, and technology triad are being taken. Endpoint security is of paramount importance, and thus VAPT tests will soon be carried out. A phishing email simulation exercise is already an established process, and the plan is to continue with the programme.
The regulatory regime issues lengthy guidelines and regulations, which apply equally to the OT systems, so the company is mulling simplifying some specific guidelines on OT. Even globally, regulators have not arrived at a clear and conclusive regulatory approach.
On the adoption of cloud computing, Raman says it is more suited to customer-focussed industries, where demand elasticity is higher compared to the oil industry. “It’s also important that the skills of the employees are upgraded to match to manage the cloud system and we are in the process of getting skill certifications. Even the world over, our kind of organisation hasn’t gone for cloud adoption because of lack of demand elasticity,” concludes Raman.