Bikash Barai is the CEO of Iviz. He is credited for several innovations in the domain of Network Security and Anti-Spam Technologies and has patents filed under his name.Bikash is also an active speaker at various platforms like Nasscom, University of California – Berkeley, NUS Singapore, Global Security Challenge and TiE.
In this interview with Techstory, Bikash talks about the various cyber threats that face ‘Digital India’, how we can be prepared to deal with such threats and the future of cyber security in India.
In times when India is going digital, what are some of the most prominent cyber security threats that the country faces ?
The business in India is growing tremendously and so is the cyber risk. India as a country as well as the industry is not well prepared when it comes to cyber security. India lacks both in awareness as well preparedness. There are pockets of expertise in both the government as well as in the industry but that’s like having one or two homes with doors & locks in an entire city. When the world is moving towards emerging technologies like Threat Intelligence, Cloud Access Security Brokers most of the organizations still have only network level firewalls.
Some of the biggest threats are from financially motivated hackers who would silently steal data, politically motivated cross border actors. We also have online activists who choose to disrupt online infrastructure to get them heard or hackers who just bring down things for fun.
What are some of the steps businesses and government can take to avoid being a victim of cyber threats?
The technical answer to this is very long. You can write several books on this. I will speak about something fundamental.
Firstly, there has to higher level of awareness and sensitivity in the senior management. In most of the cases we do don’t know that we don’t know. We keep our head inside the sands and think we are doing fine and we know it all. This is a major problem. People are happy with what they know. They do not have the hunger to learn what is happening. Learning as a culture is lacking severely. A hacker is learning and researching every moment. Are we doing the same? Being secure is not about building the tallest fort. It is more like being fit. To be fit you have to exercise every day or have healthy diet every day. You need to keep running. You need to always be hungry to know more and acknowledge that you don’t know a lot of stuff. This is a fundamental shift that is required.
Secondly, In many departments of Indian government as well as the industry, the procurement finds it difficult to justify the investment in security since it is not tangible. Our culture of buying the lowest price is not the best for security. Will somebody try to find the lowest priced hospital for his wife’s delivery? In case of security we exactly do that. The first thing required is a change in culture.
What are some of the latest trends in cyber security ?
There are several trends. Cloud, Social and Mobile has changed the way industry and society operates. There are new breed of problems and new breed of solution which wouldn’t have existed if such change did not happen. One of the example is Cloud Access security Brokers. This helps you to have the encryption keys of your data in a third party cloud…so foreign government will not be able to access your data even if the cloud company is forced to give it to them. This is something which did not exist 5 years back. We have Threat Intelligence as an upcoming wave which helps companies to get actionable intelligence even before an attack happens. There are new technologies in Application Security like RASP, IAST and lot more. Incident response and management is very critical. Whatever you do to secure yourself, you can be hacked. Incident response and management helps you to handle things rightly when a breach happens.
How do some of the biggest firms prepare themselves for cyber attacks ?
There are too many parts of this answer. You need to have all the basic technologies in place. But what differentiates a mature organization from others is that they go beyond technology. By beyond technology, I mean that you need to look into security like that of a program (not like a software program but like a “national program to eliminate Malaria”). This entails broader vision and alignment with the business and strategy. Every body talks about “People, Process, Technology”, what differentiates is the degree of details in which you implement it. For example in a normal organization they do penetration testing for software security. May be they will have a few more things along with it. Whereas as per BSIMM which studies 100+ top companies there are around 120 security controls for software security which organizations have adopted. So it is not not just a technology problem but to what depth it is implemented. Last but not the least how efficiently or precisely it is implemented. There are lots of companies which implement security just for sake of compliance. It is tick in the box. On paper they have the controls in place but in reality they don’t work. So what differentiates from good and bad is not just the technology but also the degree of width, depth and precision of implementation.
What is the future of cyber security in India?
India is a very big market for IT and consumer based business. However the enterprise security market is very small. I believe the market will grow. I believe there will be lots of hacks in India. That will someday shock the industry and make them take security seriously. People will realize cheapest is not the best. People will realize that they need to learn every day. The same happened in USA. It did not happen in day 1. Lot of companies got bankrupt. Lot of CEOs and CIOs stepped down. Then things changed in USA to some extent. Today we are still in the age of IT where there is too much of business out there and we do not have time to take security seriously. Things will change someday. Only then the domestic enterprise market for security solutions will be meaningfully big. Today it is not.
The employment market is very big, though. We need to hire people not just for Indian organizations but also to service global customers. There is a serious dearth of quality professionals in India compared to the demand that we have. There lies a huge opportunity for the young professionals. This is an opportunity of today as well as tomorrow.