“The pandemic accelerated the rate of adoption of technology by companies, which also led to a lot of innovation in the digital world. But while we talk about innovation, there is also a need to secure those innovations,” said Vishal Salvi, chief information security officer and head of cybersecurity practice at Infosys, during Microsoft Future Ready.
Infosys, the fourth largest IT services company in the world, successfully enabled its 280,000 employees across 50 countries to work remotely within weeks at the onset of the pandemic. Salvi attributed this agility to the organization’s ability to keep pace with changing trends.
He emphasized the importance of thinking about security right at the beginning of building digital solutions for the future.
“It’s imperative to find a balance between security, agility, and quality. Enabling employees to work from anywhere and simultaneously ensuring that the data is secure is every organization’s requirement, ” the cybersecurity leader said while elaborating about the Microsoft solutions the IT services giant utilizes for security, compliance, and identity management. “Remote working has diminished the monolithic perimeter defense and I concur with one of Microsoft’s Zero Trust statements that identity is the new perimeter.”
Edited excerpts follow:
Have instances of cybersecurity increased during the pandemic? What are the new risks that have emerged?
The number of cybersecurity incidents and breaches had been on an annual rise even before the pandemic. The intensity and frequency of these attacks had also been increasing. But when the pandemic struck, organizations had to pivot towards working from home and from cloud during a very short period. This created a sense of temporary vulnerability as organization went through rapid and massive changes.
From a cybersecurity perspective, the attack threat surface increased dramatically during the pandemic because of rapid adoption of cloud, data, and analytics. Therefore, this period provided an opportunity for threat actors to really exploit vulnerabilities. So initially, we saw amplified and accelerated attacks.
We also saw unrelenting pandemic-related phishing attempts. We saw advanced malware, various versions of ransomware attacks, and advanced persistent threats like organized crime against nation states and financial institutions.
The pandemic has led companies to realize the importance of digitalization. How can they ensure that everything they do is still safe?
We are seeing an increased rate of digital adoption. In fact, any enterprise today that does not have a digital strategy is not innovating. What was earlier within the perimeter of your organization can now be anywhere on the internet, which is borderless and has no geographical control. All of these have created a different kind of threat perception for organizations to manage. While we are talking about innovation emerging from accelerated tech adoption, there is also a need to secure those innovations.
How important is it to think about security while building solutions?
Let me explain this through an analogy. When we drive a car, we need to have brakes to have things under control. In fact, the stronger the engine, the more powerful the brakes need to be. We have to look at all risk management functions, including security, in a similar way.
It is very important to ensure that security is not an afterthought for organizations. If security is an afterthought, companies can be left vulnerable. It is very expensive to implement security into your products and solutions after you have already built it.
Imagine trying to fit in brakes into a vehicle after all the design is complete. That’s almost impossible.
The same thing applies to technology, but people tend to ignore it because it’s difficult to imagine it. So, democratizing technology and making sure security is included (in your solutions) by design are very important aspects to securing your digital presence.
What are the top risks that security professionals should keep in mind to foster innovation in this digital world?
The board of every company is worried right now, and rightly so. It’s not just that the risks are increasing but the ecosystem is making leadership accountable for the management of cybersecurity risks. So, it starts from the top and companies need to really set the tone for what they want to do and how they want to drive their strategy when it comes to setting up cybersecurity measures.
Broadly, there are four goals that companies need to focus on.
- The first is finding a balance in the tradeoff between convenience and control. Companies need to find an equilibrium.
- The second is to constantly keep upgrading your cybersecurity posture. Companies need to remember that they are really not competing with their peers or the industry. They are competing with their own past versions, and they need to ensure that they are better than they were the day before.
- Thirdly, companies need to build a sense of cyber resiliency within the organization. The attacks and breaches are inevitable, but companies need to ensure that their response to these are composed and calm so that they really manage these instances, and then resume business quickly.
- The fourth would be to build a cybersecurity culture within organizations. Security should not only be the problem for the cybersecurity team or the IT team. It is meant for everyone, and all employees need to incentivize and realize the role that they need to play.
How is Microsoft enabling Infosys in achieving these four goals?
It’s imperative to find a balance between security, agility, and quality. Enabling employees to work from anywhere and simultaneously ensuring that the data is secure is every organization’s requirement. Remote working has diminished the monolithic perimeter defense and I concur with one of Microsoft’s Zero Trust statement that identity is the new perimeter. Zero trust takes data as the central pivot, but it revolves around identity.
Microsoft O365 services like Azure AD, Azure MFA, Microsoft Intune and conditional access have enabled us to tag identity as user plane with device and data plane which translates to 360-degree security, striking the optimal balance between user convenience and control.
With the advancement and sophistication of attack and techniques, organizations need to be a step ahead in terms of technology and must keep upgrading their cybersecurity capabilities. The Microsoft compliance stack helps perform gap assessment of the deployment and determines progress.
Infosys uses Microsoft Security and Compliance Center, and Secure Score dashboards guide IT and Information Security teams at Infosys to track and monitor latest and historical scoring based on Security controls enabled. It also provides actionable insights to improve the organization’s data protection capabilities and overall compliance posture.
Also, building a cybersecurity culture within organizations is important and I think it needs to be the primary goal. The fact that security is the responsibility of each individual needs to be inculcated, Infosys has adopted multiple training programs in partnership with Microsoft towards building that culture. We also perform multiple phishing campaigns using Microsoft Attack Simulation to determine and enhance user awareness. Tools like Azure Information Protection (AIP) increased awareness among employees on the significance of classifying and protecting information.
Infosys uses defense in depth approach to build cyber resiliency and Microsoft’s Security stack plays an important role to identify, detect and protect any phase of program. Infosys uses Azure AD premium, Microsoft ATA, O365 DLP, Exchange Online Protection, MCAS, and other services to help build that confidence. Microsoft’s worldwide network of datacenters provide highly available network, detect adversaries, and proactively apply required remediation strategies.
How can businesses prepare to return to work? Will the future be all about hybrid work models?
There are two important factors when it comes to the future of work–the role of technology as a driver, but also the contribution of employees. Today, technology is not an issue at all because it can support all kinds of models–remote, hybrid or completely back to office.
What we are seeing in the corporate world right now is a preference for the hybrid work model, where people are returning to work in a calibrated manner. But at the same time, we have the flexibility for employees to keep working from home to increase their productivity. So, I think the future is all about hybrid work models.
One thing that is clear is that we will not go back to the old legacy architecture that we had. We will have a modern, pivoted technology architecture that will allow employees to work from anywhere, any time and from any device. And this will be possible 24X7 in a trusted and secure manner.