Disclaimer: This blog is a technical view of the writer and has nothing to do with the state of a nation, its economic stability or its political stand. Please note the links provided if such statements appear.
“Try not to become a man of success. Rather become a man of value.” -Albert Einstein
Read On….
Day in and day out, attackers keep updating their methods to launch attacks on institutions, which eventually become susceptible to them. Several cybersecurity frameworks, including NIST, require modernization. Looking at various frameworks and working with several enterprises across the globe, we found that there are vendors who still follow lower versions of a cybersecurity framework within organizations. Vendors are sometimes evasive about the existence of updated versions. During our study, we also looked at the importance given to cybersecurity among nations across the globe. It is interesting to note that only a few countries give cybersecurity the importance required today. Perhaps there is no other nation like the USA that has given cybersecurity the level of priority required.
Here below is a narrative of a recent cybersecurity engagement in which I was involved. Multi-nationals were mostly the ones involved in such engagements; small and medium sized businesses either do not have the budget or give it less importance. Many such engagements were part of a delegation which had heads of architecture, enterprise architecture and technical reviewers all stationed outside India. Audit services presented lots of documentation which was found to be rather obsolete or lacking clarity on what was being suggested. No clear strategy existed. Those who had SOCs set up were battling with a “what next” kind of situation. Generally, the atmosphere in India is one of tightening the grip on cybersecurity, both from the government and from institutions, companies and enterprises. However, disparate recommendations from multiple entities flow across to established, otherwise smoothly running organizations. Unlike the USA, there is no single consortium or private entity providing recommendations. This is a major block. Having different entities establish their own standards makes it very cumbersome for the government to enforce policies in future when an unforeseen and stringent event gets triggered. It is good to remember that India was one of the nations which shut down the internet across the whole nation a few years back. In 2020 India is one of the leading nations in shutting down the internet. The outage did not create much furore then, but the situation is very different today. Did you know that in 2019 India’s forced internet blackouts lasted well over four thousand hours, resulting in an economic loss of over 1.3 billion U.S. dollars? Such outages today may be catastrophic for an economically emerging and developing country (EDC).
The saga continues: during the audit process for a financial institution in India, we began seeing challenges. We found that the frameworks used to check compliance were reviewed, influenced and interpreted by multi-nationals who bring in expertise from external nations. While this is good and helps in exchanging technical hands, the review and approval of such approaches are often done by teams settled outside India, mostly by team members stationed in foreign countries. This presents a huge challenge. Most of these experts are good at such processes and good at technology. But they are experts who seemingly are good at their own domestic implementation. When it comes to compliance requirements for a place like India, where businesses run in a highly fast-paced environment with chaotic yet fulfilling customer needs and have little or no well-defined processes in place, the aforementioned approach may fail. It has to be appreciated that, irrespective of the fact that such processes are not in place, customer requirements are fulfilled in a satisfactory manner. This has to be acknowledged.
An example of such failure can be seen in the cybersecurity approaches of vendor companies that implement the RBI-delegated cybersecurity framework. According to a major multi-national firm, the RBI-defined specifications for cybersecurity fall under three categories. This by itself is not a good vision. Firstly, the RBI framework by itself lacks completeness. But given what they have defined, it could be a good start, and now it is up to the vendor companies to take it forward and make it a successful implementation. First of all, the interpretation of and inferences from the framework have to be understood from the Indian legal perspective. One good example, plucked out, can be dissected and looked at in detail here. When you look at RBI’s cybersecurity framework, within the specifications, RBI calls for “Preventing execution of unauthorized software” or Continuous Improvement and Delivery (CI&D). Deloitte attempts to bring it under the tag “IT Architecture”. Vendors who conduct the cybersecurity audits or other types of work spend very little time on the architecture, or even fail to look at the details of CI&D. They fail to understand deployment models. The approach of vendors is often marked by a lack of clear vision and understanding of what RBI’s standardization is asking for here. Therefore the audit fails to meet its goal. In a typical activity such as the analysis of unauthorized software, engineers inspecting the servers do not have a completely transparent view of the system. Often code reviews are not conducted by the engineers involved in looking at vulnerabilities. This is mainly because of protection methods and synchronization with company policies on authorization processes. In such a scenario, vendor companies often sign off on the activity titled “inventory management of IT assets” combined with PEN testing logs.
However, having dealt with several institutions and enterprises, the above approach is not sufficient to protect your system and prevent a cyber event. The reason is a lack of understanding of the compliance requirements put forth on India-based financial institutions. This is probably due to the fact mentioned above: the reviewers of documents which talk about engagement models do not understand the requirements, as they are often resources, practicing architects and specialists who do not understand the requisites.
What is required?
- Review the engagement model. Let companies review the engagement models and bring in participation of 3rd-party domain experts.
- Establish trusted relationship models. Make sure that the resources are people who understand domestic policies and understand what is set forth by the authorities.
- Ask for best design principles from vendor companies. Often vendor resources of large service providers are hired to do multiple jobs; looking into their background could help.
- Ask for blueprints. Get the profile history of the executors: what has been their approach, etc.
- Know your data. Understand what is called for by your compliance team. Often there is not one dedicated resource found within enterprises. Make a team.
- Ask for short reports rather than full high-volume reports. Short and sweet documents define clearly what the findings are.
- Ask for recommendations in verbal discussions. Documents are good, but when we start talking things become clearer. Collaborative reviews are often helpful when final sign-off from vendors is done. It is good to remember: you and you alone are responsible in times of an attack or crisis.
- SOC and center of excellence. Resurrect unique center of excellence units.
- Collaborate with partners, bring in fresh thinkers, inculcate interactions.