Managing a Remote Workforce: Critical Security StepsGroup CISO Shivkumar Pandey of Bombay Stock Exchange on Key Issues During COVID-19 Crisis
To ensure business continuity, companies that support India's critical infrastructure need to validate the functioning of the security controls and other tools deployed to support the remote workforce during the COVID-19 pandemic, says Mumbai-based Shivkumar Pandey, group CISO at the Bombay Stock Exchange.
"As a CISO, my prime focus is to ensure business continuity with information and data security, and toward this, I have automated most of our processes so the systems can be made available with minimum human interventions," Pandey says in an interview with Information Security Media Group.
In this interview (see transcript below), he offers insights on:
- The challenges presented by the COVID-19 pandemic;
- Technologies deployed to enable the remote work force to operate securely;
- How to make users accountable for protecting their systems and data.
Pandey has over 20 years of experience in cybersecurity and IT service delivery. Before joining BSE Ltd as group CISO, he was CISO at National Payment Corp. of India, Reliance JIO, SUD Life, Future Generali India, Kotak Mahindra and TATA AIG.
GEETHA NANDIKOTUR: For critical infrastructure, what are the unique challenges that the coronavirus is ushering in, and how is it impacting your business and security?
SHIVKUMAR PANDEY: Due to growing cases of COVID-19 and the spreading behavior of this biological virus, there was a certain need to have precautionary steps taken for the safety of people. Thus, the lockdown was inevitable, and as we do in IT, unless you have a remedy or control, you have to rely on workarounds to keep your systems running and protected.
The restrictions and controls implemented to overcome this situation are very farsighted, which helps control the spread of the virus and ensure the basics are not affected. As part of the national critical infrastructure, we executed our business continuity plan and ran the market unaffected ... in this critical situation.
As part of the BCP strategy, the single point of contact from the business functions is designated with required RACI (Responsibility, Accountability, Consulted, and Informed) matrices to keep the systems up and running. My prime focus is to ensure business continuity with information and data security. Toward this, I have automated most of our processes so the systems can be made available with minimum human interventions.
From a security standpoint, we have our protected systems mostly configured in autonomous mode with the "zero trust" model, and we enabled our 24x7 next-generation SOC monitoring teams to work from home so that monitoring and actions are not affected in this pandemic situation. We also have our next-gen SOC operations running from multiple sites to ensure operations continue seamlessly.
NANDIKOTKUR: With the amount of phishing going on and the amount of COVID-19-related fraud that's being attempted on all levels, what should be the CISO's game plan?
PANDEY: There's a bit of chaos among the employees right now as everyone is eager to get more information about the COVID-19 outbreak and how it can affect them. Malicious actors are attempting to trick users by tempting them to get such information.
We proactively educated users to ensure they visit only business-specific sites and do not click any unwanted links in expectation to get more information about any topic. Some initiatives include:
- Enable proactive monitoring and update of Indicators of compromise (IOCs) related to COVID-19 based attack vectors;
- Minimize changes to the infrastructure and systems to avoid any unwanted exposure of systems which may go unnoticed.
NANDIKOTKUR: How are technologies helping you in securing your infrastructure?
PANDEY: Most of our tools are already in autonomous mode, which means it requires minimum human intervention to detect and protect against most of the attack vectors and on top of it. We have aligned our next-gen SOC with secure VPN, along with multifactor authentication, to ensure monitoring and alerts are not affected and also help distribute the workload.
We always run with the rule of zero trust and least privilege, and all the actions are recorded into systems, with necessary security tools and controls, to ensure the transactions between us and our members are secured with the highest level of encryption and that the traffic and data is monitored. And we configured these systems with data leak prevention tools to enable them with secure access via a VPN.
NANDIKOTKUR: What are your considerations for reducing risk and ensuring security as the threat vectors change with COVID-19?
PANDEY: The cybersecurity landscape is changing very rapidly, and there are continuous and evolving threat vectors as the business needs to be more agile, functional and available. CIA (Confidentiality, Integrity and Availability) of information is a key responsibility of any CISO. With COVID-19, the VPN, virtual desktop infrastructure and work from home ... have now become a mandate to run our business function. This has opened up high risk of system compromise or data exfiltration. To overcome this situation, the controls and policies are in place so the accountability of users and protection of systems and data is ensured.
NANDIKOTKUR: What are the immediate steps that CISOs should be taking?
PANDEY: CISOs should revisit their remote access and work-from-home BYOD policy. It is critical to validate security controls and related tools put in place and their functioning status, while monitoring the data channels, as in case of enabling BYOD, the user's devices are less restrictive than the company allocated device.
Importantly, update management about the security and data risk when controls are relaxed or exceptions are put in place to enable users to continue business during a pandemic situation.