In an email interview with CIOAXIS, Anand Aggarwal, Head – IT, ACRE Limited, shared his insight on the various aspects of cybersecurity to secure an organization.
1. How can a CIO team up with CISO to evaluate the organization’s infrastructure, applications, and data storage systems to identify potential weaknesses that could be exploited by malicious actors?
It’s extremely important for both CIO & CISO to work in tandem for an organization to be cyber safe. Some of the tasks that can be done together to prevent organization exploitation by malicious actors are:
1. Identify critical assets and risks, and work to mitigate them. The risk assessment should also include gap analysis in the current state of various security control and desired state.
2. Conduct Vulnerability assessments and penetration testing on Organization Infrastructure to identify weakness and flaws.
3. Implement and monitor the implementation of recommendations based on risk assessment and vulnerability scan.
4. Document learnings for future use and continuous improvements.
2. With generative AI tools like ChatGPT being used for cybersecurity, how do you parse the AI hype to understand what is its real application and what is simply marketing fluff?
Navigating the realm of AI can indeed be challenging, especially when it comes to distinguishing real applications from marketing fluff. Generative AI tools use huge amounts of data, some of it may be outdated, incorrect, incomplete or malicious. Hence the source and quality of data must be checked and verified.
By critically evaluating claims, understanding the limitations, seeking independent verification, and relying on expertise, you can make informed decisions about the real-world application of AI in cybersecurity.
3. What are the various challenges involved in creating an Information Security awareness training program for various section of employees and different levels of program in an organization?
Creating an Information Security awareness training program can be challenging for various reasons. Some of the common challenges are:
• Availability of budget, time and support and buy-in from management.
• Creating a program that employees can relate to rather than a routine, mundane IT program.
• Creating a program that fits different roles and levels within an organization.
• Security programs must have clear metrices to measure the effectiveness.
4. How crucial and practical is cost-effectiveness in your vision for the organization’s information security landscape?
In my view It’s extremely crucial to deploy not only practical but cost-effective solutions to protect an organization from cyber-attacks.
I believe that cybersecurity investments should be aligned with the organization’s risk appetite, business objectives and budget constraints. CISOs should first be able to identify crown jewels within the organization and then need to take necessary steps to protect them.
Too much and too less, both the situations are not good for any organization.
For the InfoSec leaders, it’s not always crucial to go for big brands. When it comes to security of organization, there are multiple open-source monitoring tools and good start-ups solution available in the marketplace.
5. What are the various things that CEO needs to be informed on the business impact of IT security and compliance changes?
CEO needs to be informed on the business impact of IT security and compliance changes as they can impact organization reputation, financial penalties, customer trust and organization performance itself.
Generally, CEO needs to be aware of:
1. Regulatory framework applicable and related impact.
2. Organization’s cybersecurity posture.
3. Financial implication of IT Security and changes in compliance.
4. Risk related to third party outsourcing and associated liabilities.
6. On Cybersecurity, how can a CIO foster a culture of continuous improvement and learning in an organization?
CIOs can foster the culture of continuous improvement in cybersecurity by following below practices:
1. Organizational Leadership making it clear to all employees that cybersecurity is an integral part of an organization’s corporate values.
2. Infusing security into the organizational fabric so that every employee is constantly reminded of their role and responsibility to keep the organization secure.
3. Regularly conducting security awareness programs related to common methods of cyberattacks and how to identify and prevent them.
4. Impart cybersecurity training in a language that is understood by employees.
5. The process and procedure to follow for reporting cyber incidents.
6. Involvement of employees in creating awareness around cyberattacks and rewarding employees during the quiz or awareness campaigns.