Having a sound cybersecurity program in place is critical for companies
Published on: Wednesday 01-12-2021
Alex Lam, Chief Strategy and Business Development Officer – TechDemocracy.
What is the cybersecurity status of an average Indian enterprise and the level of awareness?
I would characterise most as emerging to mid-level awareness of cybersecurity. Of course, most have basic anti-virus on their endpoint compute devices and probably network firewall solutions to protect the perimeter.
However, inside the firewall, there is an opportunity to develop more training, software, and service solutions to better protect enterprises from cybersecurity breaches that are not coming necessarily through the “front door.” For example, solutions to protect the enterprise from “Attack Surface” like attacks are seeing more prominence, as companies are looking to protect their business-critical (oftentimes revenue-generating) workflows from nefarious attacks.
What is the range of services offered by Cotelligent and are these solutions customised according to the size and scale of a typical enterprise?
Cotelligent offers a wide range of consulting services across the lifecycle (from advisory, implementation, audit, and support services) across 3 main practice pillars – Identity Security, Cyber Risk & Governance, and IT Threat Management. As part of these solutions, we partner with leading cybersecurity software vendors in each of these segments and serve as their trusted advisor and authorised consulting partner in the implementation and support of the said solutions.
While some of the solutions are fairly horizontal, with best practices applicable across industries, we have created some additional customisation of offerings to better address verticals like Healthcare and Higher Education.
The process industry (e.g., oil & gas), is particularly vulnerable with some high-profile breaches in the recent past. Can such incidents be prevented?
The process industry, like others in the Industrial and Manufacturing sector, is challenged when it comes to cybersecurity because most of the time they are running the backbone of their IT on legacy IT systems and platforms (everything from mainframe to custom, home-grown applications unique for their industry). Many of the IT business workflows do not port over completely to the modern Mobile computing and Cloud delivery model. So what happens is that you see a lot of manual process workarounds and human interaction required at various stages of the IT business workflows.
All of the shortcomings from the above introduce potential entry points for nefarious actors.
Our recommendation for customers, especially those with legacy platforms, is for them to start an IT modernisation effort to transform their environments to become Cloud-ready and multi-site/multi-user enabled. One key step in that journey is to implement a modernised Identity Administration and Governance model, to be able to holistically manage and secure user identities from a site and business applications perspective, and to be able to take advantage of key technologies like Multi-Factor Authentication (MFA).
Cotelligent operates a Cybersecurity Centre of Excellence in India – what is its role and how does it help the industry?
Cotelligent’s Cybersecurity Centre of Excellence (CCoE) is designed at its core to be an Innovation Hub for R&D in the Cybersecurity space. The goal of Cotelligent’s CCoE is to unify the cybersecurity thought leadership coming out of the local higher education academia into actual solutions that can be leveraged by Enterprises. To enable this goal, we are creating partnerships with leading academic institutions like IIT, IIIT, NIT and other engineering colleges to encourage R&D into new Cybersecurity areas that could be future disruptive technologies for the industry. The CoE can be thought of as an incubator and pilot lab for new entrepreneurial thought in the Cybersecurity space and driven out of the intellectual capital that we have here in the Telangana state.
As part of the CoE initiative, Cotelligent is looking to train and develop over 2,000+ ‘Cyber Warriors’ from the Telangana state over the next few years. Not only will this spur additional job creation in Hyderabad and the surrounding Telangana state region, but we hope that this will serve as a positive role model to the global audience of the intellectual talent we are cultivating here in India.
Finally, we want to take the best practices and new technologies developed in the CoE and to work collaboratively as an advisor and anchor partner for the State Government of Telangana on their comprehensive Cybersecurity Policy initiative.
Are company managements guilty of not allocating enough funds or resources for this critical aspect of plant safety?
Probably so. Even in the United States, we have seen traditional enterprises allocating budgets for cybersecurity based on historical funding trends, which were typically based on including cybersecurity as a checkbox funding item vs. business-critical. Coming off the Covid pandemic, we have seen a fundamental shift in this thinking, as having a sound cybersecurity program in place is critical for companies to execute any remote work and/or distributed workforce environment. In addition, as the online B2B transactions increase, some of the well-publicized security hacks have highlighted the importance of having sufficient cybersecurity safeguards in place for enterprises (across Software, Infrastructure, and Cybersecurity-proficient resources).
Do new generation IIoT devices have more layers of security built-in to combat existing and emerging threats?
Next-generation devices should have increased levels of security at the device level, e.g., improvements in device-level firewalling, encrypted storage, device-level security monitoring.
However, one also needs to evaluate the entire value chain of where these IIoT devices will plug into, so there are continual threat entry points that can exist downstream across the network transport layer (from a gateway to Wi-Fi to 5G) and ultimately to how it is accessed in the Cloud. So while IIoT device-level security should improve with every generation, our advice is for enterprises to be diligent across the stack.
How does Cotelligent approach this problem in order to provide effective solutions?
At Cotelligent, we look beyond just the device-level solution and look holistically to the overall IT and Business workflow to understand the potential risk points. For one, we look strongly at the Identity Security component, as the concept of “identity” extends not only to humans (i.e., carbon-based identity) but also to the machine-level and SW process-level identity that exists (i.e., silicon-based identity). As we look to design a holistic security and governance posture for the customer, we look at both these carbon and silicon-based identity structures and focus on solution sets that properly marry the two into a common management and governance framework. Solutions like MFA help and we also are seeing applicability for Zero Trust topologies to better manage this ever-increasing mix of environments.
It is said that daily millions of threats are tackled successfully. Does this lead to a certain level of complacency?
While it is true that many attacks are thwarted from the get-go by cybersecurity tools in place, companies and individuals alike need to understand that cybersecurity threats are a constant threat, and it is a law of percentages
How can organisations be better equipped to face the growing threat of cyber-attacks?
I have a simple acronym I use, BRM, which stands for Budget-Resources-Mindset.
Budget – As stated, Cybersecurity should be top of mind for every CIO and Business leader, and budget spending needs to align to this new shift in priority. Our internal survey of our CIO customers shows that most are looking to expand their Cybersecurity spend, year on year, and in most cases it is the #2 budget item behind Cloud IT spend (and in some cases approaching parity).
Resources – The ability to find Cybersecurity-knowledgeable resources is still a key shortfall we are seeing in the industry today. Driven in part by the high demands of the job and the various technical certifications one needs for the various vendor stacks, it is impossible to find a one-size-fits-all approach to skilled cybersecurity resources. So our recommendation for CIOs is that it is ok to build up your cybersecurity team with narrower technology-stack focused resources, provided they are knowledgeable of their domain area. Then, by leveraging a rapid delivery service model (via offsite/offshore IT consultants), an enterprise can quickly build up its team with sufficient scale and breadth, all under the guise of a flexible and cost-effective service delivery model.
Mindset – Finally, this is not just a philosophy, but something that needs to be ingrained into everyone in the organisation from a day-to-day best practice. Every employee (from contract worker to full-time employee) needs to understand that cyber-attacks are not localised to just the individual (e.g., being locked out of one’s computer), but that these could be potentially major breaches with million-dollar ramifications (e.g., from ransomware attack to a severe data breach of proprietary and confidential materials like that experienced during the Sony Pictures hack). To address this, enterprises need to not only be persistent with keeping updated training for their employees but from a management team perspective to think of cybersecurity as a proactive tool to protect and grow the company’s business.
Alex Lam, as a key member of the executive management team, leads the corporate strategy, GTM, and corporate development/M&A functions at TechDemocracy. He is a seasoned professional with over 20 years of experience in the high-tech industry. He has excelled at developing and driving strategic transformation into actionable results. He has served in various leadership roles at leading technology companies like Brocade, Fujitsu, NetApp, Quantum, and SanDisk. Prior to TechDemocracy, Alex was the Vice President and Head of the Strategy and Business Development at Fujitsu and has significant corporate development, product management, and consulting services experience.
Alex has been recognized as “Most Innovative People to Watch” by Technowize Magazine. He has also received the ABA Silver Stevie Award for “IT Executive of the Year.” As part of his professional network, he also serves as an official and a Council Member to the Forbes Business Development Council, an organization for executive leaders in the field of business development & strategy.
He has an MBA from the Ross School of Business, University of Michigan, and a BS in Mechanical Engineering from the University of California, Berkeley. Given his dual background across engineering and business, Alex has always been a firm believer in “Thinking creatively out of the box, but doing so in a practical manner where execution success can be maximized through quick-cycle iteration.”
Alex enjoys travelling with his family in his spare time and has also taken up online sim racing as a recent hobby.