How much Security is Enough?


There has been a pioneer rush lately in the otherwise over-cautious Banking, Financial Services and Insurance (BFSI) industry, a sector that in the good old days would have waited and watched a technology perform for some years before even slotting it for a demo.

Those dynamics are now changing, and quite frankly they have been changing for a while now. With the advent of mobile services, and their growing accessibility and diminishing cost over the last couple of decades, there has been a major thrust to this digital wave.

The financial industry, being made up primarily of data, is the industry most susceptible to digital transformation. The pace at which these changes have taken effect over the last few decades, coupled with the launch and advancement of new technologies in this domain, has been phenomenal, while also warranting some caution in embracing them.

Security was always on the agenda, but it is no longer only about meeting regulatory or compliance requirements or keeping your auditors happy. Security challenges now emanate from a variety of sources, rising in proportion to the number of digital channels through which you do business.

Today, organisations don’t just have to manage anti-virus and anti-spam software; there is mobile security to look into, cybersecurity to handle, a variety of access controls to manage and an assortment of Bring Your Own Devices (BYOD) to secure. With Vulnerability Assessment and Penetration Testing (VAPT) cycles becoming more frequent, the security picture changes every day.

Today there is a direct, intrinsic value attached to these risks, which every organisation tries to ward off with its security initiatives. There is no standard benchmark; each company needs to define its own adequate level of security. A question that often pops up in savvy and non-savvy circles alike is: how much security is enough?

Quite clearly, perfection is as unachievable in Information Technology (IT) security as it is anywhere else. You simply cannot protect against and prevent everything. A lot of vendors work in a reactive mode: security gets compromised somewhere, and only then is the fix included in the next product release.

So even if you have managed to put up a guard against all known threats, attackers are working equally hard to come up with new ones. Such a constantly evolving space can get overwhelming at times, making you feel as if you are chasing a moving target. Hence it is important, while putting together your security risk management framework, to ask the right questions and determine what the acceptable level of risk is for you and what your definition of adequate security is.

Consider answering the following questions at a company level –

  • What are we protecting and why do we need to protect these? Do we have clarity on all aspects of business ‘value’ that we need to protect?
  • Which products, services or processes translate into that value? Do we have complete or shared control over these?
  • What are the potential conditions (both internal and external) that need to be managed and avoided to protect them, and at what cost? What are the implications if they are not protected?
  • What is our risk tolerance capacity? How much damage can we take before we take action?
  • How do we identify and manage residual risk?
  • How frequent is our risk review cycle? Is it good enough given the nature of our industry? How dynamic is our business risk environment?

Depending upon your organisation’s characteristics and the markets you operate in, you are most likely to arrive at a unique level of security adequacy. The complexity of your landscape, both business and IT, will determine the IT strategy you frame and the calls you take when it comes to managing IT security risks.

For instance, if you depend heavily on IT systems and the internet to offer products and services to your customers, your reliance on a more stable and secure system will be relatively higher – system downtimes will translate into direct business losses for you.

Similarly, if you are operating in a politically sensitive region where information leaks can have tumultuous impacts, data security will be of paramount importance.

Your security investment decisions will also be influenced by your spending capabilities – how much you have stashed in your Information Technology (IT) budget.

However, if your risk scores are high, you wouldn’t have much choice unless you take an informed decision to live with the risk. Nonetheless, whatever your security investment decisions are, ensure that your management understands, in their language, that there is always a residual risk that remains even post-mitigation.

It is important that your leaders know and understand that 100 percent security is a myth. However, that is no excuse for shying away from making adequate investments in the right directions. Remember, achieving and sustaining adequate security is a continuous process, not a final outcome.

The world is all set on a digital journey and with a few bumps hither and thither, so far it has been a fun illuminating ride. Organisations, however, need to realise that while this might be the way to go, they need to adopt technology only when they are ready for it.

The whole idea of rushing is hype. Organisations don’t have to ape a certain technology simply because their peers or competitors have it. Any technology should be adequately studied and assessed on all counts – utility, business, risk, security – and an informed decision must be taken.

Digital transformation has given Information Technology (IT) security a whole new dimension. From being a tick-in-the-box directive, it has moved quite a few notches up to gain centre-stage prominence. With a direct impact on the bottom line, it is no longer about reputational risk alone.

Today, how much security you need depends entirely upon your own understanding of your business, the value it creates and what part of that value you wish to protect. The one-size-fits-all vogue is over. Organisations have evolved from the days of simply adopting ‘Best Security Practices’ to charting and implementing their very own ‘Best-Fit Security Practices’.

(Views expressed in this article are a personal opinion of Mehjabeen Taj Aalam, Head of Information Technology at Muthoot Homefin (India) Limited.)

The Banking & Finance Post is an initiative of Elets Technomedia Pvt Ltd, existing since 2003.