How has the face of 'insider threat' changed in the security world?
Insider threat is not restricted to only company employees. That's another big difference that has happened. Today the insiders include supply chain, service providers, contractors, customers and their partners of the ecosystem. Earlier the company never extended their internal systems to suppliers or customers but today the larger companies have completely integrated with their value chain partners including customer and suppliers. This expansion of the definition of insider is a new phenomenon.
How much headache would IoT be for CIOs and CSOs because everything connected potentially means the network prone to more threats?
Absolutely. In fact the largest threat I see today more than IoT is industrial control systems. ICS is the most neglected item even for CIO and CSO of larger companies and those who have invested in other technologies.
There have been instances of industrial machines blocked and ransomware demanded by hackers. The industrial sector is facing this problem to a large extent. I see interest building up on industrial control systems. Once you have conceptual level security and established industrial control systems then comes IoT (which is expanded version of ICS).
Currently on a scale, Indian companies are at negative for IoT while they are at zero in ICS. The first thing companies have to move and establish some basic ICS security then move onto IoT.
Does that mean IoT will inflict newer challenges for India Inc.?
IoT will bring varied levels of challenges. Indian companies are struggling to manage individual identities and now with devices proliferation they have to manage the device identity. The market is not mature for both contextual awareness as well as the solutions for the moment. That will the challenge for companies to first manage identity of devices.
Once the device authentication happens then it moves to what applications are needed to secure at what level. This is the fundamental challenge for Indian CIOs whenever IoT proliferates. At present IoT is largely limited to logistics and ecommerce firms and it has not moved beyond that.
Securing different and growing number of mobile devices is another nightmare for CISOs?
Thankfully as far as mobility is concerned, it is one way traffic. We don't have transactional level application on mobile yet across most corporates. Indian enterprises have thus not faced as much as risk for enterprise users.
The companies that need to be worried in the mass space are in financial services. Retail and e-commerce retailers who use mobile App for sourcing their transactions. I personally don't see other enterprises yet prepared because it has not been too much of two way traffic. But once transactional applications mature like in financial services, it will require a greater attention for companies. Today enterprises are only preparing to manage identities now. And MAM, MDM solutions do not work beyond a point as they are getting outdated.
Sign up for CIO Asia eNewsletters.