There is a consistent and noteworthy shift from automotive processes to cognitive systems. AI-powered cognitive decision-making is transforming the way humanity interacts with technology. Amid all this, the “one-size-fits-all” concept of cyber security has been replaced by individual business-driven protection policies requiring embedded operational processes, individual governance models, and organizational ethos, especially since the Covid pandemic. This has resulted in the need for a robust Enterprise Risk Advisory strategy, with a need to adopt a ‘Risk Intelligence Approach’ to deliver & imbibe the necessary ‘Enterprise Risk Management’ capabilities.
In this light, Apoorva Dawalbhata, Associate Director at Quadrant Knowledge Solutions, had a stimulating conversation with Philip Varughese Vayarakunni in our TechTalk Video Series. They talked about enabling a proactive cyber defense strategy in this changing environment. Philip Varughese Vayarakunni is Global Head of Applied Intelligence, Platforms, Engineering & Architecture at DXC Security. He has more than 20 years of experience in the field of Enterprise Data Strategy. Here is the summary of their conversation.
A Shift is happening in the direction of Cognitive Decision Systems
Looking back at history, human beings have always been curious to discover new capabilities that make our lives better and less complex. Technology and digitization are becoming more intelligent and autonomous with technologies like AI and machine learning. As time evolves, advanced capabilities that help you deliver things that get monotonous and transactional are becoming the need of the hour. AI-powered cognitive decision systems are built either to solve a problem or to make existing processes better by innovating. At the same time, these very capabilities are capable of bad things too. So, it is fundamentally about the perspectives. The ideal situation would be to use them for the former purpose only. But unfortunately, they are also the reason for many bad things happening.
Apoorva: What do you think are the possible future outcomes of cognitive computing technologies? Is there any possibility that we should be concerned about?
Philip: Every business is a technology business. Earlier, technology was built to support business functions as opposed to today when businesses are built around technology. Entire business ecosystems and technologies are tightly connected today with data as the fundamental element. All the rest are mere peripherals and enablers, whether it is AI or advanced technology systems. These enablers, with data as an important ingredient, are creating more connected and intelligent devices. The systems are already in use, and people will have to use this along with building systems to manage them as well. For example, one Chinese company valued at over 10 billion has created an AI CEO (a virtual CEO). Hence, to manage cognitive systems, cognitive humanoids are being developed.
So, I think cognitive technologies are here to stay for a very long time, but it is important how we use them and for what purpose. Knowing what real outcomes we are targeting is important to make it more efficient and effective.
Key Drivers & Trends Enabling a Proactive Cyber Security for Businesses
Apoorva: Moving ahead, it’s known that the “one-size-fits-all” cyber security solution is now outdated. Instead, individual business-driven protection policies that require embedded operational processes and individual governance models are being focused on. The Covid pandemic brought home the significance of cyber security as a holistic business operations-driven and broad cyber-service perspective, rather than the mere implementation of cyber strategy initiatives.
Given this context, what are your thoughts on the key drivers and trends enabling a proactive cyber strategy for an enterprise?
Philip: Unfortunately, cyber security has always been considered an afterthought. Some companies have invested their resources in cyber security initiatives just to check the tick box or to meet compliance requirements. However, this is changing because it is just a matter of time now before the companies either know they are hacked, or do not.
As mentioned earlier, business ecosystems and technologies are tightly connected. Hence, even if you are secured, the partners, subcontractors, vendors, or employees connected with you in the ecosystem are not protected, and you are still at risk. We are living with a zero-day click tax and zero-day vulnerabilities. We are not aware of their existence most of the time. I personally see that the more connected we are with intelligent systems, the more risk-prone we become. 50 billion connected devices mean 50 billion entry points for cybercriminals. Security is a necessity not only for the larger corporate systems, but we also need to ensure that security is embedded and infused at every test point in the organization. Not only in the larger IT systems but also in all the connected operational systems and other physical points (such as receptions and entrances with security cameras) that are digitally connected.
Apoorva: So, would you then say that a robust enterprise risk advisory strategy is needed across all industries and industry sizes?
Philip: I think security should be looked at not as a road blocker for an organization, but as an enabler. I personally believe that security has to be seen as an integral part of the overall resiliency of the business by the top-level executives and board members. The reason is that other threats such as inflation, the cost of a product, or competitive threat impact certain aspects of the business, but one cyber-attack can completely shut down your business, damaging your share value, reputation, and customer trust, and can also put lives at risk. I have learned from my experience that cyber-attacks are the number one risk for a business, and that is why your enterprise strategy must have cyber security on the top three list when you do the risk modeling for your organization.
Best Practices & Strategies
Apoorva: What are the best practices and strategies in it that need to be strengthened from an organizational ecosystem point of view?
Philip: I have seen that organizations, regardless of their size, invest resources in buying a lot of tools and technologies with the hope that they will save them. However, the truth is that the right tools and technologies are enablers. I would recommend that the organizations ensure that the basics and fundamentals are there in terms of cyber security. Additionally, remember that security is a shared responsibility of everyone connected in the ecosystem. Do not push it to the IT or the CSO team. The third point is to build a zero-trust mindset/approach, instead of merely owning some zero-trust tools and tech. Fourthly, build security inside the organization and integrate it as part of your culture. Developing a secure-first culture from the top down. So, I think these are some of the things to keep in mind when it comes to security.
At the implementation level, an integrated security view is very important. Security is a reactive approach. Companies need to move to a proactive defense approach and infuse intelligence to ensure that defense systems are operating with its help. This will be an intelligence-led security operation rather than merely an integrated security operation. Since you have a lot of siloed and diverse systems, it is important to ensure that these systems themselves are intelligent enough to help you defend your organization. That is where automation, analytics, and technologies like AI come into the picture. Hence, intelligence-led, integrated systems enabled by the right tools and technologies, and a focus on fundamentals and foundations, ensuring that you bring security into your culture, can help you achieve real resilience.
Apoorva: Apart from an intelligence-led approach, what are the other qualities/capabilities that need to be developed to adopt a holistic enterprise risk management approach?
Philip: The list goes on. Leveraging the tools and technologies is the most important. At the same time, creating awareness across the pyramid in an organization is helpful. There should be some initiatives and programs to create awareness. The attacks are getting very sophisticated with advanced technologies. So, you do not want your organization shutting down just because an employee clicked on some phishing email.
AI can be used in the areas of cyber security. The same cyber security should also be applied in AI. The reason behind this is that cybercriminals are using the same AI capabilities to launch more sophisticated attacks such as building self-learning swamp boards, intelligent malicious bots, carrying out vulnerability discovery, and building autonomous drones that are slaughter boards. Research conducted at Maryland University in 2019 reported an interesting fact that every minute, there are 3000 targeted attacks happening and the methodology used by these attackers is continuously changing along with their motivation.
That is why we need to look at both these extremes. Ensuring the fundamentals on one hand and ensuring that we have the sophisticated capabilities in place to defend it. They need to be successful just once, but as an organization, you need to ensure security successfully at all times.
Role of the Information Security Officers
Apoorva: The C-suite navigates the company through many tumultuous times which are quite complicated, and full of opportunities at the same time. What are the roles and responsibilities of the C-suite executives here? In your opinion, is the role of Information Security Officers (CISOs) evolving in the current times? What extra value can the CISOs bring to the table in terms of employee-oriented policies, digital transformation, etc.?
Philip: Traditionally, the security officer’s roles used to fall under the IT department’s functions in the organization. However, with time this has changed into them directly reporting to the board because businesses now see cyber attacks as one of the key business risks. There are many initiatives and programs launched by the companies to ensure that the CISOs are taking more responsibility for achieving organizational resiliency from the risk management point of view. This is happening not only from the company’s point of view but also from a regulatory perspective. Governments are levying various regulatory compliance requirements to ensure that businesses are having matured resiliency where C-suites have a crucial role to play.
As I mentioned, it is easy to deploy tools and solutions, but changing the organization’s mindset and culture is difficult. This is where a company’s C-suite can really step up and play a business role in the journey. They are getting more visibility, support, funding, access, and influence in the larger business processes. It varies with industry course. In some industries like banking, insurance, telecom, or pharma which are relatively more regulated, the adoption and transformation are much faster. In traditional industries like mining, oil & gas, energy, or supply chain logistics, the change is slow as they have not experienced the real challenges as seen by the industries rich in data and money. These industries are unfortunately easy targets for cyberattacks because of their lack of cyber maturity.
Hence, it is a journey with the change happening in the right direction. But I have seen that wherever it is heavily regulated, the pace is faster as compared to where it is not.
Apoorva: My last question is slightly open-ended in nature. The criticality of big data analytics within innovation models or cyber defense frameworks cannot be understated. In a nutshell, what do you think the future holds in terms of continuous disruptive innovations and their effects on data privacy and individual opportunity areas? Where is this market going?
Philip: That is a very interesting question to answer. We are building these capabilities and cognitive systems to augment human beings for doing better things and for improving their convenience. But when we have more cognitive systems not coming from highly secured companies, we are exposed to a higher risk of cyber security breaches. So, either we are choosing convenience over security or we are just being lazy. But governments are increasingly coming up with many privacy protection regulatory laws and frameworks, but I am not sure whether it is coming at the right pace. It is taking more time. It needs to be fast-forwarded to ensure that these price processes and these frameworks have to be there, especially from the governance and regulatory perspective, to ensure that privacy is protected with the convenience and intelligent systems.
This brought an end to this stimulating conversation. It is interesting to witness the growth and shift of AI-powered cognitive decision systems for cybersecurity, making it stronger and a necessity at the same time. The time ahead is an era of intelligence with a lot to look forward to.
Vaishnavi Dave, Content Writer at Quadrant Knowledge Solutions