Mumbai Security Summit: The Hot Topics
Blockchain, IAM, OT and Other Timely Topics Discussed
Blockchain, ID and access management, OT security and boards' roles in cybersecurity were among the hottest topics discussed at Information Security Media Group's Security Summit in Mumbai on Nov. 29.
Although blockchain is getting plenty of marketing buzz, it's important to discern appropriate use cases, said summit speaker Rohas Nagpal, chief architect, blockchain, at Primechain Technologies.
"In most blockchain implementations, whatever data you are putting on blockchain is going to be visible to all nodes. So putting a password or sensitive data on blockchain is not a great idea," he told the audience.
"You can't just implement blockchain and forget about security altogether," he stressed.
ID and Access Management
Meanwhile, many organizations continue to struggle with identity and access management.
Charanjit Singh Sodhi, executive director and head of identity and access management at Nomura Wholesale, described what an effective IAM policy framework must look like.
"Policies around identity and access management must be framed by the IT team in consultation with the business," he told summit attendees. "Also, service-level agreements for access-related activities must be clearly defined, taking into consideration the risk appetite of a firm."
Bridging OT Security Gap
Another speaker, Kaustubh Medhe, head of the cyber defense center and head of SOC at Reliance Industries, outlined the many challenges that security practitioners face when operationalizing threat intelligence for OT.
"OTs operate with a lot of legacy infrastructure. Many OT devices don't have the capability to capture relevant logs for OT. Also, OT is not designed for SIEMs," Medhe said. Among his key points:
- OT security needs dedicated governance, resources and support;
- Supplier risk governance and engagement is imperative in improving OT security;
- Closer collaboration between IT and OT staffs and threat intel sharing will greatly benefit OT security management.
Security as Boardroom Issue
While cybersecurity has become everybody's concern, there's no denying that there's a gap between boards' expectations and reality.
Sameer Ratolikar, CISO at HDFC Bank, remarked that although boards are discussing cybersecurity, businesses need to have realistic expectations for the security team (see: Dealing With Cybersecurity in the Boardroom).
Keynoter Bhaskar Pramanik, board member of State Bank of India and former chairman of Microsoft India, stressed that boards can no longer afford to ignore cybersecurity. Plus, he concluded that in times of crisis, boards need to recognize that the operating teams need adequate time to work on getting operations restored.
As India prepares for potential enactment of a new data protection law, cyber lawyer and advocate Vaishali Bhagwat said that far too many organizations still aren't aware of the details of existing laws, including the IT Act 2000, which addresses privacy issues. And despite repeated requests by CERT-In, few companies are reporting breaches to that organization.
The speakers at our summit vouched for the fact that data breaches and cyber threats cannot be fought with technologies and legal help alone; cybersecurity requires the support of all the functions, particularly buy-in from the board. "It is not and can't be the sole responsibility of the IT security team to fight cybercrime, as the board is definitely the fourth line of defense," Pramanik said.