
MASTERING THE SECURITY MAZE

THE RETAIL INDUSTRY, WITH ITS VAST CUSTOMER BASE AND EXTENSIVE DIGITAL PRESENCE, IS INCREASINGLY BECOMING A PRIME TARGET FOR CYBERCRIMINALS. IN THIS INTERVIEW, ASHISH KHANNA, CISO OF SHARAF GROUP, DELVES INTO THE CYBERSECURITY CHALLENGES FACING THE RETAIL SECTOR, AND THE EVOLVING THREAT LANDSCAPE.

What are some of the biggest challenges you face as a CISO?


The pace at which the cybersecurity solutions industry progresses does not align with the speed of advancements within the payment industry. A prime illustration of this disparity can be seen in the utilisation of NFC technology in payments and the absence of B2B encryption in PoS systems. Despite the significant advancements made in the payment industry, it is evident that the security aspect has somewhat lagged. This discrepancy exemplifies how the evolution of both industries is unfolding. As security is a horizontal aspect, cutting across various sectors, it requires equal attention and advancement alongside industry-specific developments.

Are there any challenges that are unique to the retail industry?

The retail industry faces several significant security challenges that demand attention and proactive measures. Two crucial areas of concern are the security of PoS machines and unencrypted NFC communications. These vulnerabilities can leave retailers susceptible to breaches and unauthorised access, potentially compromising sensitive customer data.

Another pressing issue affecting the retail sector is the prevalence of botnets, which can be utilised both positively and negatively. Botnet security is crucial as these can be exploited for malicious purposes, posing risks to retailers’ systems and operations.

Moreover, ransomware has emerged as a serious threat across industries, including retail. Ransomware attacks are not industry-dependent, and they have had a significant impact on the retail sector as well. Ransomware groups continuously evolve their tactics and techniques, necessitating constant vigilance and robust security measures.

The dynamic nature of the retail industry adds further complexity to security considerations. Unlike traditional banking, where breaches can be mitigated during off-peak hours, retail is now moving to operations on a 24/7 basis. With the shift towards online marketplaces, retailers have a global customer base and are no longer confined to physical brick-and-mortar stores. This expanded reach introduces new vulnerabilities and the need for comprehensive security measures to safeguard customer data and transactions.

Why is it getting so hard to stop ransomware attacks?

The true challenge is not our ability to mitigate ransomware or other risks, but rather in our understanding of how to approach security in a pragmatic manner. It is essential to strike a balance between addressing insecurities and avoiding unnecessary fear-mongering. We must move beyond the notion that securing resources or systems requires confining them to rigid boundaries. Instead, we can allow them the freedom to operate while ensuring they stay on the desired path.

A classic example of this approach is lane-changing alerts in cars. These alerts do not prevent us from driving or hinder any other functions of the vehicle. Instead, they help us stay within our lane, a critical aspect of safe driving. Adopting a similar mindset has proven beneficial throughout my career as a security professional. It is not always necessary to completely halt business operations; rather, we can raise flags and provide solutions that support both business objectives and security requirements. This is where the true challenge lies: finding the delicate balance that supports both aspects.

At times, it can be a struggle for CISOs to fully grasp this concept. However, once we align security practices with business goals and priorities, we can evolve alongside our businesses. This approach allows us to address security concerns while fostering innovation, supporting growth, and ensuring a harmonious synergy between business operations and robust security measures.

Is security now a boardroom-level topic?

Security has become an imperative topic that demands attention at the boardroom level. As an organisation, we are acutely focused on the security aspects of how we interact with and present ourselves to our customers. This emphasis reflects the commitment of our management to prioritise security. I am fortunate to be part of an organisation that values security as a core business priority.

However, not all organisations share this level of commitment to security. For those organisations, it is imperative that they bring security discussions to the forefront of their boardroom deliberations.

Managing business risks in conjunction with security risks is where you, as a CISO, become the eyes and ears of the management team. Executives at the C-suite level, whether they are CEOs or CFOs, are well aware of their business risks. As a CISO, you serve as the bridge connecting these different components. Cyber risks must be considered not merely as obstacles, but also as enablers of business opportunities.

For example, consider the scenario where a recently launched application faces the threat of being brought down by a cyber attack within just 12 hours. In such a case, both the CEO and CIO would undoubtedly stand alongside the CISO, recognising the potential impact on the business. This example underscores the critical need for security to align with and support the overall business objectives.
