In an exclusive interview with Express Computer, Dr. Yask Sharma, CISO, Indian Oil Corporation Limited (IOCL) shares his thoughts on the future of cybersecurity in light of the pandemic and how it can be effectively managed
As the popular saying goes, “you can’t manage what you can’t measure”. How do you measure safety and how important is it to know your opponents?
This question has been widely discussed in countless technology forums. So, in my opinion, knowing the opponents is important. Not just us, but if you look at the current landscape among security professionals around the world, they’re probably going through the same thing; they may know a little about the opponents and are also aware that a lot of money is pumped into them.
I believe that security or defense is a function of skills, time and money. And if one achieves abundance of these three factors, it would ideally be a safe environment for any organization to thrive in. Unfortunately, attackers and defenders usually lack one of these factors, with time being one of the factors that a defender can lack. .
Therefore, knowing that these attackers are well equipped and have a lot of time on their hands, we must be well prepared in advance and with the appropriate knowledge.
Also, if you look at large organizations that deal in critical sectors, security professionals are always at war and in danger.
And speaking of the measurement of security, I don’t think it is necessary to measure security. But if you’re talking about how long it’s been since you’ve been penetrated or raped, that might be different. I think that more than being preoccupied with security measures, we should rather devote our time to preparing, anticipating and quickly resolving risks. I firmly believe that the security aspect is a continuous game and if one wishes to be completely secure, there is no rest.
The cloud has seen rapid adoption during the pandemic. What are the benefits of cloud-native solutions?
In my opinion, the cloud has been around for quite some time now and I don’t think there is any doubt about the benefits that the cloud offers. And yes, over the last couple of years cloud usage has increased dramatically and many businesses have chosen to move from on-premises networks to cloud networks.
One of the most crucial advantages that the cloud offers is the flexibility to expand. But I’m still not saying that all organizations should migrate to the cloud because somewhere I still believe in the old thought process that some of the critical infrastructure should be on-premises, due to the fact that security is front from me gives me more confidence and confidence in the process.
A very important factor for security professionals is to comply with the compliance part, which can also be called regulatory. There are several drivers for security. Regulation, reputation and revenue would be the relevant three Rs for effective security. I think regulation plays a very important role, especially for organizations that are larger and have a lot of data.
Another important factor that the cloud provides is strong security, but I still think that also comes with certain costs and risks. As if I was looking to secure a very critical application, then I would have to clearly define my needs and then take the solution to the cloud. So, before choosing a cloud or on-premises network, it is much more important to know what kind of security you are looking for.
- VSCybersecurity has seen a change during the pandemic. How do you see the future of cybersecurity?
I hope it remains promising because my career depends on it. Now, to answer your question, with or without the pandemic, cybersecurity has been in this shifting environment of purpose position; the goal keeps changing and the skills need to be changed from time to time.
The solutions we have in the area of cybersecurity are reactive in nature. If you notice that the solutions offered on the market for cybersecurity professionals to work with are those that address the problems that have already arisen, which implies that we are always reactive in nature and one step behind the attacker.
So I think we need to invest more time and money in predictive analytics or trying to foresee potential risks and be prepared to deal with them effectively when the problem arises.