ISO 27001 – Cyberlaws.org (https://www.cyberlaws.org) Compliance | Security | Legal

VIRTUAL CISO-A Logical method to manage Cyber security compliance in Start-ups
https://www.cyberlaws.org/virtual-chief-information-security-officer/ (Sun, 21 Feb 2021 07:03:39 +0000)

In the current era, both large companies and small start-ups use Information Technology for ease of doing business; however, it also makes them vulnerable to cyber-attacks. It therefore becomes necessary for them to engage cyber security professionals, e.g. a CISO (Chief Information Security Officer), in order to protect information assets. It goes without saying that information security activities in any organization consume more resources than ever before. Cyber criminals (hackers) are becoming better all the time, and staying ahead of them is getting tougher. However, it is not just more zero-day attacks by sophisticated criminals; competitors, growth of the organization, elevated infrastructure complexity and new compliance requirements also demand more cyber defence staff, adequate time and the right technology to avoid becoming a victim of a cybersecurity breach.

In earlier days security was primarily focused on physical access to facilities and resources, or on adding layers of logical controls to protect business applications and data. However, the security concerns of the present era no longer fit into this traditional model. Security concerns impact every aspect of an organization's operations and should be an integral driver of strategic planning, along with every decision about future expansion.

Since cyberattacks have become smarter and more sophisticated at exploiting vulnerabilities, and with the availability of many open-source tools, it is easier for hackers to launch new attacks every other day. For organizations and start-ups, cyber security should be a proactive program rather than a reactive one launched at the time of a cyber-attack. Thus, information security is an integral part of organizational strategic growth. It is just as important as goodwill, financial turnover and product quality.

What is a Chief Information Security Officer (CISO) and a Virtual Chief Information Security Officer (V-CISO)?

Top management should be aware of the impact that a lack of information security has on their organization's profitability and durability. A shortage of information security in the organization could result in heavy fines for non-compliance, punitive rulings after a finding of liability or negligence, or a loss of customers and partners after a confidence-shattering breach. The risk of underestimating information security is too big to ignore.

In order to address the growing awareness of information security's importance to strategic planning, many larger organizations and start-ups include a Chief Information Security Officer (CISO) at the executive level. The Chief Information Security Officer is the executive responsible for information security and cyber security compliance in the organization.

Often companies cannot afford the cost of having their own CISO because of the high salary range. There are situations where organizations, including start-ups, need a CISO, but the budget does not allow for a full-time person in that position.

However, there is a cost-effective alternative. Organizations, especially start-ups, that lack the budget for a full-time CISO can opt for an outsourced solution: the Virtual CISO, or V-CISO.

A Virtual CISO is an information and cyber security expert who uses years of industry experience to help organizations and start-ups by developing and managing the implementation of the organization's information security program in order to attain various government and non-government compliances. At a high level, V-CISOs help to build the organization's security strategy, its implementation and its management as well.

The organization's internal security staff may work with and report to the V-CISO in order to strengthen the information security and cyber security framework and make it more impactful. In addition, the V-CISO is usually expected to be able to present the organization's state of information security to the board, management team, auditors or regulators.

Benefits of having a V-CISO

A V-CISO is generally a cybersecurity professional who works on a part-time basis, offering information security services to multiple organizations at a time and working for several throughout any year. This gives organizations the flexibility to hire a part-time CISO as required.

The V-CISO fills several needs through different types of services, including:

  • Information security and cybersecurity guidance to management executives in order to adhere to compliance guidelines
  • Information security architecture guidance
  • Incident management, including response
  • Governance plans
  • Cyber security readiness assessment
  • Compliance alignment recommendations (for ISO 27001, RBI guidelines for banks, NBFC, HIPAA, GDPR, PCI-DSS, CCPA and many more)
  • Remediation prioritization
  • Business Continuity Planning and Disaster Recovery plans, and DR drills
  • Identification of scope and objectives for information security compliance
  • Risk management (risk identification and treatment)
  • Vendor risk management
  • Coordination of audits by regulators or customers

Why does your organization need a Virtual CISO?

If your organization needs more information security compliance-related guidance at the management level, consider whether a V-CISO would be a good option. If you are a start-up and your budget won't support a CISO, you might need a V-CISO. If any of the scenarios below are similar to your situation, your organization might need a Virtual CISO.

  • You are a start-up and are unaware whether you are vulnerable to cyber security breaches: If your organization hasn't yet assessed its information security risk, you might need a V-CISO to initiate and support that process.
  • Your organization has been breached and no one from your team was able to detect the attack: Post-breach investigations and recommendations often lead to a remodelling of organizational leadership. One such change is adding an information security member to the executive suite. If this is the case, you might need a V-CISO.
  • You are a start-up dealing with critical customer data: In this case, if you don't want to hire a full-time CISO, you need a V-CISO in order to safeguard your information assets and avoid high penalties for non-compliance with various regulations.
  • Important or major changes have occurred that could impact security: If your organization is going through a merger or acquisition, the security risk should be assessed. Any significant outside influence, such as a global pandemic or natural disaster, could impact business continuity as well as information security. If your organization doesn't have anyone who can provide guidance during these times and ensure security is not compromised, you might need a V-CISO.
  • Your organization wants to share the workload of the existing CISO: Changes to the organization's scope or environment, including new regulatory compliance requirements, may increase the demands on a CISO beyond their current capacity. If your existing CISO needs a helping hand, you might need a V-CISO.

There could be multiple reasons to have a V-CISO for your organization. An experienced V-CISO will provide valuable guidance and customised solutions as per your organizational needs. It will also save you from the burden of paying the salary of a full-time CISO.

How to find the right V-CISO?

If you are struggling with your day-to-day information security requirements, a V-CISO would be beneficial to your organization. Once you have decided to have one, the very next step is how to find the right one. A good amount of research and investigation can help. Online reviews and feedback from existing customers can help you find a good-fit, knowledgeable V-CISO for your organization.

The process for engaging a V-CISO generally flows like this:

  • Set up an initial consultation meeting (commonly one hour at no charge)
  • The V-CISO delivers a proposal of the scope of work, including a high-level information security readiness assessment, proposed services and costs
  • You may accept or reject the proposal, and then move forward
  • If you decide to engage a V-CISO, negotiate an agreement that meets your requirements. If you need periodic gap and risk assessments and remediation reports, make sure that is explicitly mentioned in the agreement deliverables.
  • An agreement with a V-CISO can be set up on an hourly, monthly or quarterly basis. Make sure that you are getting the services you are paying for.

A V-CISO can be an affordable and flexible approach to adding extensive information security experience and wisdom to your management team. If a V-CISO is a good fit, it can help your organization identify and safeguard the weak links that could lead to aggressive cyberattacks.

Keywords: CISO, Virtual CISO, VCISO, vCISO, ISO 27001, GDPR, RBI, cyber security, information security, compliance, hackers, cyberattacks.

https://www.cyberlaws.org/cyber-security-must-knows-for-cloud-service-providers/ (Thu, 02 Apr 2020 18:42:04 +0000)

CYBER SECURITY MUST KNOWS FOR CLOUD SERVICE PROVIDERS

WHAT IS CLOUD COMPUTING?

The Information Technology world is evolving at a fast pace; new innovative ideas are changing the landscape constantly, and cloud computing is one of those ideas that has changed the perspective on IT services.

Cloud computing is a network of remote servers used to store, manage and process data via the internet, instead of local servers or hard drives.

With its ease of use and flexibility, it has become one of the most widely used IT services nowadays.

WHAT ARE THE SECURITY RISKS ASSOCIATED WITH CLOUD COMPUTING?

Cloud computing has transformed the way organizations store, use and share data, applications, infrastructure and workloads. It also provides a flexible model for simplified IT management, remote access, mobility and cost-efficiency. With so much ease of access and flexibility, most organisations are availing themselves of cloud services; however, as more mission-critical applications migrate to the cloud, data privacy and software security are growing concerns. With so much data going into the cloud, including critical data like PII and PHI, these resources become natural targets for hackers.

Availing IaaS or moving web applications to the cloud does not make organisations inherently more secure. Organizations nowadays might be ready to adopt the benefits of cloud infrastructure, but they must also ensure they address all the potential security risks in cloud computing, especially in public clouds.

WHAT IS CLOUD COMPUTING SECURITY?

Cloud computing security is the combination of guidelines and technological controls that help manage information security compliance and provide instructions for securing the data, applications and infrastructure associated with cloud computing use.

Cloud computing has many advantages, such as ease of use for the customer, speed and efficiency. But there are also many potential threats in cloud computing. These threats include human error, misconfigurations, data breaches, insider attacks, account hijacking and DDoS attacks. According to studies, businesses using cloud computing services are more prone to data breaches and cyber-attacks in comparison with others.

CLOUD SECURITY: CHALLENGES AND SOLUTIONS

Below is a list of the most critical cyber security challenges faced by cloud service providers.

1. DATA BREACHES:

A data breach is the result of infrastructure or application vulnerabilities, human error, or poor security practices such as weak passwords, inadequate access control, etc. Data breaches are one of the top security challenges, mostly in the public cloud because of the differing requirements of different customers. The solution to this problem is that organizations should always secure databases that contain sensitive data such as user credentials, by hashing and salting, and implement proper logging and behaviour anomaly analysis.

2. HUMAN ERROR:

Human errors like clicking on malicious links, sharing data with unauthorised persons, using weak passwords and not having maker-checker procedures, etc. are challenges in cloud security. These errors are often at the customer's end. Training and awareness pertaining to cyber security, imposing a strong password policy and segregation of duties can really resolve this issue. Proper monitoring is also necessary.

3. INSUFFICIENT IDENTITY, ACCESS AND KEY MANAGEMENT:

Hackers posing as legitimate users, developers or operators can read, manipulate and delete data; snoop on data in transit; or release malicious software that appears to originate from a genuine source. Any unwanted service running on the server can allow access without authentication. The solution to this problem is the implementation of preventive controls across all perimeters, and that organizations scan managed, shared and public environments for vulnerabilities.

4. DATA LOSS:

Data loss can result from accidental deletion by the cloud service provider, or from a disaster like a fire or earthquake, and can lead to the permanent loss of customer data unless the provider or cloud consumer takes adequate measures to back up data. The solution to this problem is having a fully proven Business Continuity and Disaster Recovery plan in place, performing and testing data backups regularly, and conducting DR drills at regular intervals.

5. INSECURE APPLICATION PROGRAMMING INTERFACES (APIs):

APIs are exposed to the public, and so to attackers too; an API is likely to be the initial entry point for attackers. Hackers exploit vulnerabilities in insecure APIs to gain access to servers. Performing a security assessment prior to deployment and after any significant change can help to identify existing weaknesses and patch them.

6. ADVANCED PERSISTENT THREATS (APT):

An APT uses sophisticated and continuous attack techniques to gain access to the cloud infrastructure, monitor the cloud provider's activity and steal data rather than damaging the networks. In this case the attacker gains access and remains undetected for a long time. Monitoring the network regularly for abnormal behaviour, updating to the latest antivirus signatures and scanning networks regularly can resolve this issue.

7. INSIDER ATTACKS / MALICIOUS INSIDER:

A malicious insider attack can be carried out by any employee or privileged user who has access to potentially sensitive information and to critical systems containing critical data. Organisations that don't have their own IT security mechanisms and are solely dependent on cloud service providers are at higher risk. A Data Loss Prevention (DLP) solution, along with event logging and monitoring, is a solution for this challenge. A confidentiality agreement signed with employees will act as a deterrent.

8. DISTRIBUTED DENIAL OF SERVICE (DDoS) ATTACKS:

A DDoS attack is a crafted malicious attack to disrupt normal traffic and prevent users of a service from being able to access their data or applications. An attacker can cause a system slowdown and leave all legitimate service users without access by forcing the targeted cloud service to consume inordinate amounts of finite system resources such as network bandwidth, processor power, memory or disk space. Implementing adequate network security measures like IDS, IPS and load balancers, and monitoring networks for anomalies, mitigates this risk. Having a robust Business Continuity plan will definitely help.

9. SYSTEM VULNERABILITIES:

System vulnerabilities are weaknesses or loopholes in any application or network that can be exploited by a malicious user to intrude into a system to steal or manipulate data, take control of the system or disrupt service operations. Vulnerabilities within the components of the application and operating system put the security of all services and data at significant risk. In the case of the public cloud, applications or systems from various organizations share memory and resources, creating a new attack surface. Regular patch management, bug fixing and vulnerability management is the best solution for this issue.

10. SPECTRE AND MELTDOWN:

Last but not least, Spectre and Meltdown are considered the most catastrophic vulnerabilities: hackers can exploit Meltdown to view data on virtual servers hosted on the same hardware, which is potentially disastrous for cloud service providers. Spectre is worse: it is hard to exploit and even harder to fix.

In a nutshell, a security solution is crucial for any cloud service provider's business. Compliance related to cyber security protects the organisation from unauthorized access, data breaches and other threats, and also provides assurance and confidence to clients.
