I am bringing out this half-yearly newsletter, summarizing my key article publications from the first half of 2023. Thanks for the great responses to my articles on Identity and Access Management (IAM) and wider cybersecurity topics. It has been an exciting journey so far.
Identity Access Management (IAM) is defined by Gartner as “the security discipline that enables the right individuals to access the right resources at the right times for the right reasons.” The definition looks simple, but the implementation is not! Contrary to popular belief, IAM is not a mere technology implementation, but rather a business-focused, enterprise-wide strategic set-up. Hence, like any other cybersecurity transformation, IAM implementation needs a clear strategy aligned to the organization’s strategic priorities as well as a long-term view. It is important to remember that IAM impacts every employee (internal user of IT applications), contractors, and in some cases customers, if they access your IT systems. Hence, the user experience should be at the centre of IAM implementation. Million-dollar technology investments will go down the drain if the users are not happy due to usability issues. IAM implementation is a strategic decision irrespective of the initial scale and scope. Have a big-picture view in mind when commencing the implementation. The implementation should not be done hurriedly. The IAM rollout is a multi-year, enterprise-wide transformation. It requires disciplined programme/project management to deliver the intended benefits.
When you click a button to accept all cookies on a website, have you ever thought that it might impact your privacy? While cookies are important for providing a good browsing experience, it is important to know how they might impact your privacy.
Cyber experts have opined that ChatGPT gives new ammunition to cybercriminals to intensify their attacks. An interesting article from Harvard Business Review states that ChatGPT opens up new avenues of attack for hackers. Are we exaggerating or is this really worrisome?
More than a cyber threat, I think ChatGPT is a bigger psychological threat. Our new generation is already reeling from addiction to smartphones, which changed the whole of the social interactive dynamics. We see people living in a virtual social networking world rather than the real world. ChatGPT, being even more powerful and giving a sense of “there is someone there” chatting with me, could bring another wave of socio-psychic changes in our society. I see this as a bigger threat than a cyber threat.
Although employees have started returning to the office, the hybrid work culture seems to be the new normal. As per Microsoft research, hybrid work is inevitable: 66% of leaders say that their organizations are redesigning office space for hybrid work, 73% of employees want the flexible remote working model to continue, and 67% want the in-person working model. Just because hybrid work culture is picking up, does it mean that the insider threat has disappeared? As per the IBM 2019 survey, 31.5% of the cybersecurity occurrences were from malicious insiders, and 23.5% were from non-malicious insiders. A professional hacker might have all the tools and technical knowledge to harm your IT systems externally. However, an ill-intentioned insider, i.e. someone who has access to your IT systems, is even more harmful. Insider threat is a serious security risk that must be mitigated with well-crafted security controls. Examples of insider threats include a disgruntled employee, a contractor, or an ex-employee who still has access to IT systems due to loopholes. These people may cause serious damage, such as leaking sensitive information to a competitor or making use of confidential information for illegal purposes, among many other ways of harming the organization. Even inadvertent acts by well-intentioned employees could cause serious financial and reputational damage to the organization. Thus, organizations need to take the insider threat very seriously.
Cloud has ranked top amongst the emerging technologies for the past couple of years. The COVID-19 effect pushed the digitization wave further, making Cloud even more prominent. With this, even highly regulated industries such as Financial Services and Pharmaceuticals are now keen on Cloud adoption. The key questions that we keep hearing are:
- Is Cloud as secure as our on-premise Data Centers?
- Can we trust a third party in storing sensitive data?
- How do we ensure compliance with regulations such as GDPR (General Data Protection Regulation)?
Cybersecurity capability set-ups are not merely Information Technology (IT) rollouts. Hence, benefits realization doesn’t happen with just the technology set-up. Equally important, and in many cases even more critical, is the operationalization of technology delivery to ensure that the project objectives are fully achieved. Many times, technology product vendor demos may make it seem that the rollout of security tools is very straightforward. But benefits realization gets stuck in the post-implementation operationalization unless this is well thought through from day one of the project kick-off. There is nothing wrong with getting demos, but they provide a simplified view of the technology product capability. The demos are often good for understanding basic functionality as well as for comparing different product features. But these demos will not show the overall impact on the upstream as well as downstream processes. When seeing the product in a silo it might look fantastic, but when we try fitting the product into the overall ecology, we will come to know the overall impact. While this could be true for any technology rollout, it is even more prominent in the security space. Cybersecurity implementations need to be seen through the lens of the change management discipline. Benefits delivery will require systematic change planning even before kicking off the project. It is very critical to understand the change impact before making a heavy investment so that we don’t struggle to deliver benefits after we have implemented an expensive technology. Start from understanding the AS-IS set-up, through to what is needed from a people, process and technology point of view, to ensure that the implementations are successful. Remember, it is not just the implementation but the operationalization that is key to benefits delivery, as project teams will disappear after project delivery.