The Essence of Cybersecurity Resilience

With more than 30 years of experience in the IT industry, Kartik Shahani drives enterprise momentum. Leading Tenable's initiatives in the enterprise security market, he manages operations and channel activities in India. Kartik has extensive experience in the telecommunications, finance and government sectors, and his sales strategies have been instrumental in driving Tenable's growth in India.

Indian businesses prioritise cybersecurity resilience as they try to protect themselves from a constantly evolving threat landscape. In a recent conversation with the Editor of siliconindia, Kartik Shahani, Country Manager, Tenable India, shared his insights on the importance of cybersecurity resilience.

Cybersecurity is a growing concern for companies. How can this issue be treated and brought under control?
As organizations’ digital footprints continue to evolve, there are many different types of assets which represent different potential weak points in defenses, giving attackers more options and techniques to gain access across the attack surface.

To combat these threats, security teams often act reactively to the changes, opting to address the new gaps in the attack surface by purchasing “best of breed” solutions. A cybersecurity program built upon a hodgepodge of technologies makes it virtually impossible for security teams to reduce risk. Make no mistake, cyberattacks are bound to become more sophisticated as technology evolves. Organisations in India that can anticipate cyberattacks and communicate them to the leadership for strategic decisions will be the ones best positioned to defend themselves against emerging threats.

In the business world, mergers and acquisitions are commonplace as businesses combine, acquire, and enter various partnerships. Tell us why cybersecurity is considered important in a merger and acquisition.

The potential for cyberattacks to cost organisations millions of dollars in cleanup, lost business and reputational harm makes it a serious business risk - one that can directly impact mergers and acquisitions (M&A). With an acceleration of digital transformation and a more active M&A environment, cybersecurity must be a forethought — not an afterthought — in the diligence process.

How do cybersecurity practices deliver on industry standards?

While compliance norms and industry standards are a baseline guide to security, organizations must go beyond and be more proactive in securing their environments. Every business is different so a one-size-fits-all approach would only create an illusion of security and leave organizations vulnerable to attacks. They must instead focus on reducing their exposure gap with a holistic exposure management platform tailored to the organization’s needs.

What are the biggest cybersecurity challenges faced by bigger organizations? How do they come out of it?

We see three distinct real-world challenges facing cybersecurity professionals across organizations. First, security programs today are reactive when they should be proactive. Most security solutions are event-driven, leaving security teams in a constant state of firefighting, rather than identifying and reducing risk.

Second, when threat actors evaluate a company's attack surface, they're not thinking in terms of organizational silos. They're probing for the right combination of vulnerabilities, misconfigurations and identity privileges. Security organizations should not be operating in silos either, instead looking at the entire attack surface in one unified view.

Organizations’ cybersecurity programs need to enable security teams to gain comprehensive visibility across the modern attack surface, anticipate threats and prioritize efforts to prevent successful attacks and communicate cyber risk to make better decisions.
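The attack-path idea in the answer above (attackers chaining a vulnerability, a misconfiguration and an identity privilege across organisational silos, and defenders needing one unified view to prioritise) as an added example, not code from the interview or from Tenable: a toy graph of constructed findings, a search for paths from the internet to a domain controller, a check that no single finding category on its own contains a complete path, and a crude prioritisation that counts how many paths each finding's removal would eliminate. Every host name, identity and finding below is constructed for illustration.

```python
"""Toy attack-path analysis over a unified asset graph (added example).

Findings of three kinds (vulnerability, misconfiguration, identity) are
edges between assets. An attacker needs a chain that crosses kinds; a
defender who looks at one kind at a time never sees the chain.
"""
from collections import defaultdict

# Constructed sample environment: (source, destination, finding, kind).
EDGES = [
    ("internet", "web01", "unauthenticated RCE in public web app", "vulnerability"),
    ("web01", "svc_web", "web app runs as domain service account svc_web", "identity"),
    ("svc_web", "jump01", "svc_web is local admin on jump01", "identity"),
    ("svc_web", "fileshare", "logon-script share writable by svc_web", "misconfiguration"),
    ("fileshare", "jump01", "jump01 executes logon scripts from the share", "misconfiguration"),
    ("fileshare", "hr_app", "HR app loads plugins from the share", "misconfiguration"),
    ("jump01", "da_admin", "Domain Admin credential cached on jump01", "misconfiguration"),
    ("da_admin", "dc01", "Domain Admin sessions on dc01", "identity"),
]


def build_graph(edges, kinds=None):
    """Adjacency list. Restricting `kinds` models a siloed (single-team) view."""
    graph = defaultdict(list)
    for src, dst, finding, kind in edges:
        if kinds is None or kind in kinds:
            graph[src].append((dst, finding, kind))
    return graph


def find_paths(edges, start, target, kinds=None, max_depth=8):
    """All simple paths from start to target; each path is a list of
    (next_asset, finding, kind) hops. Depth-first with a visited set."""
    graph = build_graph(edges, kinds)
    paths = []
    stack = [(start, [], {start})]
    while stack:
        node, path, seen = stack.pop()
        if node == target:
            paths.append(path)
            continue
        if len(path) >= max_depth:
            continue
        for dst, finding, kind in graph[node]:
            if dst not in seen:
                stack.append((dst, path + [(dst, finding, kind)], seen | {dst}))
    return paths


def choke_points(edges, start, target):
    """For each finding, the number of attack paths left if only that
    finding were fixed. Returns (baseline_count, ranked list), fewest
    remaining paths first, which is a crude prioritisation signal."""
    baseline = len(find_paths(edges, start, target))
    ranked = []
    for i, (_, _, finding, kind) in enumerate(edges):
        remaining = edges[:i] + edges[i + 1:]
        left = len(find_paths(remaining, start, target))
        ranked.append((left, finding, kind))
    ranked.sort(key=lambda r: (r[0], r[1]))
    return baseline, ranked


def main():
    for path in find_paths(EDGES, "internet", "dc01"):
        print(" -> ".join(["internet"] + [hop[0] for hop in path]))
    for kind in ("vulnerability", "misconfiguration", "identity"):
        n = len(find_paths(EDGES, "internet", "dc01", kinds={kind}))
        print(f"paths visible looking only at {kind}: {n}")
    baseline, ranked = choke_points(EDGES, "internet", "dc01")
    print(f"baseline paths: {baseline}")
    for left, finding, kind in ranked:
        print(f"fix '{finding}' ({kind}) -> {left} path(s) remain")


if __name__ == "__main__":
    main()
```

Each silo on its own reports zero paths to the domain controller; only the unified graph shows the two chains, and the ranking shows that fixing the cached Domain Admin credential or the public RCE removes both, while fixing only the share-related misconfigurations leaves one. The same path count, tracked over time, is a simple KPI for the kind of risk communication discussed later in the interview.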

How can organizations create a culture of resilience?

Building a cybersmart culture requires everyone in the organisation, from the intern to the CEO, to understand their roles and responsibilities. Identify one department or team within the organisation and spend time with them. Learn how they work and ask them to identify any security practices and policies they feel are working well and provide honest feedback about the ones they feel are holding them back.

Look for processes and solutions that reduce friction in the employee's workflow. Remember, the builders of consumer apps and devices prioritise engagement and ease of use; security tools and processes need to be engaging and easy to use, too; otherwise, employees will avoid them.

Consider working with your organization's human resources, internal communications or marketing team to find new ways to engage employees. Joining forces could lead to fresh ideas on how to educate employees and implement a cybersmart culture.

Encourage executives to include time for cybersecurity discussions during every company-wide meeting so you can constantly reinforce the messaging and keep people up to date on new efforts.

Understand what motivates employees and then build your program around that. For example, do employees at your organization respond primarily to financial incentives? Or do they prefer public recognition for their efforts? Does motivation vary by team or department?

How can CISOs effectively communicate cyber risk to business leaders?

An exposure management program helps CISOs effectively communicate risk to business leaders as it answers the most important question — How secure are we? It enables CISOs, BISOs and top executives to assess risk accurately, improve investment decisions, and make decisions about insurability, while also meeting regulatory and compliance requirements. CISOs need solutions that collate and analyze data, and provide actionable metrics to measure and compare cyber risk. This can easily be communicated to IT and security teams, and also to non-technical executives and operating teams. A single source of truth of cyber risk with clear KPIs will help CISOs measure the efficacy of security programs over time and draw comparisons against industry peers.

What cybersecurity predictions lie ahead in 2023?

As transformative as the 5G rollout in India will be for organizations, the level of cyber risk will explode. 5G is expected to increase IoT and IIoT adoption. With more connected devices, with poor configurations, the risk is bound to grow. Besides, cloud adoption is expected to increase by organizations both in the public and private sectors in India. Attacks on the cloud are expected to rise as many organizations are still using legacy cloud security solutions or tools that cannot be configured easily to fit proprietary software. The SaaS boom in India, which is also expected to continue growing, has left many of these organizations vulnerable to attacks. We anticipate cyberattacks on SaaS software in 2023. Additionally, the economic downturn across countries in the world is expected to give rise to cryptocurrency scams.