ROI in cybersecurity is becoming redundant: Amit Dhawan, CISO, Birlasoft

Amit Dhawan, CISO & DPO (Data Privacy Officer), Birlasoft, believes the impact of cyber breaches and changing regulatory landscape is mandating the never seen before expenditure in this domain.

In a candid chat with ETCIO, he shares his belief of how the concept of linking spending to benefits in cybersecurity is becoming less important or even redundant.


How is the cybersecurity landscape evolving for IT/ ITes companies?

Today, most IT/ITes organizations maintain a plethora of data and services of their customers. The shift in technology is transitioning these operations to different platforms – the major one being cloud. Additionally, the regulatory and privacy requirements that these companies need to adhere to are also growing thus creating a pressure to focus on the privacy and security.

Further, the cyber threats we see today are different in nature from what we have experienced decades ago. That is mainly because of the transformation of where and how the important data lies. To be competitively ahead, technology companies have to innovate on new technologies. But to be truly successful in the long run, this constant innovation needs to be in-sync with the cybersecurity updates. They need to be updated with the latest policies and cyber updates to be robust and secure.


What are the top threats to watch out for in 2020?

The cyber threat landscape continues to evolve with new threats emerging daily. Flaws in microchips, massive data breaches and ransomware attacks kept the security teams busy. Keeping track of new threats and understanding the changes in the positioning of the older ones is key for sustaining the security assurance. Further, the ability to track and prepare for these threats can help security and risk management leaders improve their organization’s resilience thus supporting business goals. Few of the prominent threats of that we can see in the near future would be -- leveraging AI for exploitation, AI-based fake audios and videos, and attacks from the cloud.

Thanks to advances in AI, it is now possible to automate the whole process of exploitation. All scenarios and the actions that a hacker takes in enumeration, scanning, searching for an exploit and leveraging it to gain access is now possible by a single script.

Until recently, we only had to deal with spoofed emails followed by spoofed phone calls. However, AI generated fake videos and audios are now possible and extremely difficult to distinguish from real ones. And now hackers will be able to throw these into the mix, either to reinforce instructions in a phishing e-mail or as a standalone tactic. Social media posts of these can have a huge impact on market valuation.

The AWSs and Azure are the way to go in the present day simply because of the value they add. However, their management is by multi-tenant services companies. Compromise of these companies and systems can lead to loss of data for multiple customers as was recently visible when US navy lost personal data of more than 300k users.


How can CISOs mitigate the above threats ?

In the fast changing world of cyber threats, it is almost impossible to keep up. The tools to protect against all types of threats have a lag and come out only after the first exploits become visible. However, this does not intend the end but mandates to understand the threat scenarios from first principles. If you see the whole picture, the hackers try to open doors to get inside and find a way to reach near the crown jewels. It is the security professional’s job to understand how to ensure that despite the hacker being in proximity, the access to the actual meat remains elusive. The belief that bad people can reach this point is extremely important. With this mind-set, it becomes easy to analyse and implement multilevel controls. The last level of controls are similar to the locked safe you keep at your house despite locks on all the doors and windows.


How can CISOs justify ROI in security?

I personally feel that the term ROI and the concept of linking spending to benefits is slowly becoming less important or even redundant. The impact of cyber breaches and changing regulatory landscape is mandating the never seen before expenditure in this domain.

CISOs are now finding themselves at a never before juncture of freedom to implement controls, through tools or otherwise. However, this freedom comes with a huge accountability for ensuring the security posture is commensurate with the demands of the business and can manage the vectors of concern. CISOs thus have to be more current with the business and understand the risk landscape to determine what needs to be protected and how. If appropriate controls are implemented, remain effective and can manage the threat landscape, the ROI is of no significance.