In a world where everyone is going digital, cyber-attacks and hacks are unaffordable. However, it is a challenge that all stakeholders (the government, service and technology providers, experts, as well as users) will need to come together to tackle.
The heads of IT and chief information and chief security officers of various firms came together at the Mastercard Payments Summit 2019—Innovating NXT to discuss, debate and share their experiences. The Forbes India Marquee panel discussion on 'Prioritising cybersecurity in the digital era', at the Mastercard Payments Summit, discussed the importance of giving cybersecurity priority and shifting the conversation out of the CIO’s office and into the board room.
Forbes India’s special correspondent Manu Balachandran, who moderated the discussion, also highlighted the importance of data as the new oil and the need for corporates, the government and individuals to secure it.
The participants at the panel were Bibhu Krishna, Vice President & Head of IT Infra, PolicyBazaar; Sachin Jain, Group CIO-Global IT Operations & CISO, EvalueServe; G Narendra Nath, Joint Secretary, National Security Council Secretariat; Unique Kumar, Head - Digital Security, Digital Transformation, Enterprise Application, Max Healthcare; Anil Porter, Head-IT, InterGlobe Technology Quotient Pvt Ltd; Mayank Bhargava, CIO, DHFL Pramerica; and Tirthankar Dutta, Senior VP & Head of Information Security, Infoedge.
In his opening remarks, G Narendra Nath, from the Government of India, described the challenge of managing cyber-attacks. Despite new cyber-attacks on a daily basis, he said, "We are at par with the rest of the world. That is what we can say in terms of the skill sets we have in our country, both in the government and the private sector." However, he pointed out that it is a 'race' that his department has to run each day, as the technology and hackers keep improving.
Nath also explained that India has a cybersecurity act (2013) and is currently working on a cyber strategy. Stakeholder consultation is in progress for the cybersecurity strategy 2020-2025. He also pointed out that India has signed memorandums of understanding (MoUs) with various countries on cybersecurity.
Sachin Jain, Group CIO-Global IT Operations & CISO, EvalueServe, stressed the standards of compliance that businesses are required to follow for clients in other countries. "In India, the law is not clear (on data and security), there is a lack of awareness and enforcement is going to be the key," said Jain. He also pointed out that a lot has changed globally with regard to the General Data Protection Regulation (GDPR) and India should catch up fast.
Panelists emphasised the need for rules and regulations to ensure transparency and urged the government to work towards it. Bibhu Krishna, Vice President and Head of IT Infra, PolicyBazaar, said he also looked forward to more stringent policies and acts for cybersecurity from the government. "The current act needs to be implemented. At the same time, new ones should be introduced to meet the industry requirements," said Krishna.
At a time when all hospital data is getting digitised, mobile apps are connecting people to doctors, and laws regarding online selling of medicines are also on the table, the panelists stressed the need for data security in the healthcare sector. "The security of patient's data is critical and needs to be safeguarded. A complete framework has to be in place. There is no single silver bullet to solve this," Unique Kumar of Max Healthcare pointed out.
Anil Porter, Head-IT, InterGlobe Technology Quotient Pvt Ltd, said that the travel industry is probably the most digitised today. However, he averred that there is a need to develop a collective ecosystem in the country.
The speakers also highlighted that globally, the regulations and penal actions ensure that corporates adhere to strict compliance on cybersecurity and privacy. "In India, there is a need for a strong regulator to enforce it," said Porter. If that happens, then India would be in a better position to face future cyber attacks.
Responding to the industry's concerns, Nath agreed that India does not have a cross-sectoral regulator that is effective. The financial and telecommunications sectors have sectoral regulators. The effective role played by the regulator is reflected in a high level of compliance by the stakeholders in those sectors.
The Reserve Bank of India (RBI) and the Department of Telecommunications (DoT) have stood up to the challenge and opportunities of the digital era, said Nath. "I hope the new cybersecurity strategy will examine the aspect of a cross-sectoral regulator," said Nath. He added that the government is currently in talks with various stakeholders for a cross-sectoral regulator.
Krishna said that there is a need for more awareness about technologies and cybersecurity amongst the corporates. "There is a need to understand that as we protect anything valuable in a physical world, we should do the same in the cyberworld," said Krishna. Further, he said that corporates should also develop a system of peer-sharing, to share information about cyber-attacks, which can ensure that the damage does not spread and can be handled well in the future.
He also said that corporates need to upgrade their systems and processes with the help of experts. "This will help them get relatively early warning signs instead of a warning due to an accident—by a customer's complaint or a third party alert," Krishna added.
Tirthankar Dutta, Senior VP and Head of Information Security, InfoEdge, believes that the human element in the security chain is the weakest link. "We should have an incident response manual for corporates. In the absence of it, managing the situation will be difficult," said Dutta.
Jain pointed out that cybersecurity is focussed more on crisis management response and options, rather than being limited to just budget. Organisations today understand that it is closely related to their insurance, business sustainability, credibility and growth factors.
Nath suggested that penal action and regular cybersecurity audits would be the right steps in the matter.
The personal data protection bill is in line with GDPR, said Nath. For example, in the telecom sector, operators are not allowed to take data out of India, he added.
Porter feels that there is a need for constant awareness to keep individuals alert not only against cyber-attacks but also about the ways and means of how it all works. Nath responded that he believed cybersecurity should become part of the school curriculum.
"People, processes and technologies are critical and should be actively discussed and implemented," Kumar said, agreeing.
Next decade: It is all about cybersecurity
Breaches are bound to continue and increase in volume in a digital world. Organisations and individuals need to be equipped to recover quickly, Krishna said.
Governance and awareness mechanisms will be critical, Jain added.
There is a need for a multi-pronged, multi-dimensional approach and all stakeholders need to work on it, Nath said.
Kumar urged users to maintain basic hygiene in the digital world. "Make more people aware of the risks. Share real life experiences," Mayank Bhargava, CIO, DHFL Pramerica, said.
Disclaimer: The views, suggestions and opinions expressed here are the sole responsibility of the experts. No Forbes India journalist was involved in the writing and production of this article.