India Urges Organizations to Hire CISOs, Conduct Audits; But Security Experts Demand More Detailed Guidance
After the recent leak of details on more than 3.2 million debit cards, Ravi Shankar Prasad, minister of IT and law, is calling for more organizations to have a third-party security audit and hire a CISO.
At a recent Press Information Bureau economic editors' meeting, Prasad also said the Indian government will spend Rs 985 crore on the National Cyber Coordination Centre project to help develop a real-time situation awareness and rapid response mechanism. Plus, it will soon develop a software product security policy.
Some cybersecurity experts contend, however, that the government isn't moving fast enough on its initiatives, such as the coordination centre. Plus, they question the effectiveness of third-party audits and call on the government to provide more guidance on the role of CISOs.
"The minister's recommendation for organisations to have a CISO must come with strict guidance to enable them to comply," says Chennai-based V. Rajendran, advocate and cyber law consultant and past president of the Cyber Society of India. "It took several years for the banking sector to comply with the guidelines of the Sri Gopalakrishna Committee report, which recommended that every bank must have a CISO as part of its security strategy. And this should not be the case with all other organizations."
In his address, Prasad emphasized that the government can provide organizations with auditing support.
"The government has empanelled 35 IT auditors for third-party audits which organizations can leverage to make themselves cybersecurity compliant," Prasad said.
Some security practitioners say most large organizations already hire auditing firms to assess their security. But Coimbatore-based cybersecurity investigator Ravichandran Swaminathan, a member of DSCI, says too many such audits are superficial.
"Auditing is not all-encompassing; it does not include physical security of assets, and auditors do not possess the skills to value the information or data that needs protection against attacks," he says. "Just hiring auditors will not serve the purpose."
Government-empanelled auditors will concentrate more on process, rather than ferreting out vulnerabilities, some security practitioners argue. Bangalore-based J. Prasanna, director and founder of Cyber Security and Privacy Foundation, argues, for example, that most auditing organizations lack teams with knowledge of zero-day vulnerabilities.
Rakshit Tandon, cybersecurity adviser to the UP Police, contends that the government-sponsored auditing process lacks transparency and is not designed to help pinpoint emerging security issues.
The audit process has shortcomings because it focuses on income tax, sales tax and credit risk, which come under the Company Registrar Act, and does not usually include auditing for data security, Rajendran contends.
"Most organizations, though they are conducting financial audits, have not deployed auditing processes established under the IT Act and IT Amendment Act under Section 43-A, which require auditing to establish reasonable security practices and procedures - a major loophole," he says.
Developing Rapid Response
India wants to move toward achieving real-time awareness of threats and build a rapid response mechanism to tackle cyberattacks, Prasad said in his address.
To achieve this goal, the government has launched a five-year project to build the National Cyber Coordination Centre. Plus, the government will soon roll out a draft policy on software product development to help ensure security is embedded at the design stage.
But some critics say the government has made little progress in the year since it announced the coordination centre project. For example, it hasn't recruited a complete technical team or created a mechanism for intelligence gathering, Rajendran says.
"There are no strong signals sent to cybercriminals as a concerted effort by the government to prevent so-called breaches," Rajendran says.
What Does the Country Need?
If the government is to play a vital role in cyber defence, it must incorporate a few stringent measures of evaluation, some security practitioners say.
For example, Ravichandran suggests it's time to set up a national cyber investigation agency with its own courts, lawyers and judges. Some security experts also say:
- The government should take steps to pass the Privacy Act to address data leakage;
- Every e-governance project must be monitored by a CISO;
- Empanelled security auditing organizations must have highly skilled white hat hackers to help address risks;
- Organizations must ensure empanelled security auditors are well versed in handling APTs, vulnerability assessment and penetration testing, and zero-day vulnerabilities.
Government critics also underscore a clear need to move beyond formulation of policies and take action, including reporting security breach incidents, deploying effective breach responses and implementing effective intelligence gathering mechanisms and preemptive threat intelligence tools.