In an exclusive conversation with CXO News & APAC News Network, Dipesh Jain, DGM—IT Infrastructure & Cybersecurity, Power Finance Corporation (PFC), explains the cybersecurity postures followed by PSUs today.
What is the overall business model of a Government-owned NBFC, and how does technology drive this business?
Government-owned NBFCs like PFC, REC, IREDA, IIFCL, etc. are mainly into infrastructure lending, where they appraise the power projects proposed by the borrowers and, based on the feasibility and ROI, lend to these borrowers for realising the project.
Technology plays a crucial role in streamlining core business processes like project appraisal and loan management through the digitalisation of workflow and documents.
Technology also plays a great role in increasing the productivity of employees by facilitating IT services such as email, paperless office, Internet, online meetings, remote working, etc.
What are the key digital initiatives that PSU organisations can adopt that you would like to highlight?
Having integrated ERP software with a single source of data is essential for the smooth digitalisation of business processes, ensuring data integrity during the inter-transactions among its sub-modules.
Having a robust security posture with a layered defence approach and principles of least use and need to know is a must to safeguard the IT setup from the ever-increasing cyber threat landscape.
The utilisation of Cloud computing has also proven immensely effective, flexible, and cost-effective for meeting the IT Infrastructure requirements. The cloud model provides a plethora of benefits, especially in the case of Government procurements in handling inherent challenges of prior capacity planning and procedural delays in capex-based procurements.
How can one ensure cybersecurity awareness among all the employees of a PSU? How is the security function synergized with the other business functions?
Lack of awareness and sensitivity towards cybersecurity with an easygoing attitude toward consuming pirated software continues to be an alarming challenge in spearheading the security roadmap in any organisation.
Conducting regular awareness training for all IT users, covering topics such as existing cyber threats and their avoidance mechanisms, cyber hygiene practices, etc., is a must to build a cybersecurity culture across the organisation. Simulations of cyberattack techniques, such as phishing exercises, mock social engineering traps, etc., should also be conducted to test the adoption level of users.
Once business users accept and absorb that cybersecurity is not just about technology but actually requires a change in ‘mindset’ to be constantly wary of the persistent cyber threats, then both security and business functions can blend to work at higher levels of synergy.
As the custodian of critical public infrastructure, how can one assess the security posture and enhance cyber resilience?
An organisation typically builds its security posture by deploying security solutions on the ‘TECHNOLOGY’ front, framing policies and rules on the applications, devices, and users on the ‘PROCESS’ front, and communicating the best practices along with imparting awareness to users on the ‘PEOPLE’ front.
Regular assessment and review of these security aspects with respect to the people, processes and technologies being deployed is instrumental for safeguarding the organisation from cyber threats and hence enhancing cyber resilience.
During the assessment, each security control should be reviewed (Blue teaming) and/or challenged (Red teaming) to ascertain its effectiveness vis-à-vis the risk exposure of the asset being protected. This results in a comprehensive assessment of the entire security setup, culminating in the identification of gaps and risks in the security landscape.
This immensely helps the security staff to objectively mitigate these vulnerabilities, either through patching or by augmenting the security portfolio, thereby making the security landscape water-tight against compromise by any threat actor.
How would you assess frameworks like Zero Trust in the overall cybersecurity architecture of PSUs?
In the post-Covid era, utilisation of cloud-based applications, along with their access from remote locations, has become the ‘new norm’. This has drastically changed the definition of the ‘perimeter’ of any digital setup in an organisation. In fact, there is no ‘perimeter’ now, and this has made the hitherto security architecture, which was essentially based on perimeter defences such as firewalls, IPS/IDS, antivirus, NAC, etc., ineffective.
The remedy for the above lies in the Zero Trust model, which helps in building the security posture around strong fundamental security principles such as ‘need to know’, ‘least privilege’, ‘segregation of duties’, etc.
The Zero Trust model essentially secures each application, device, and user from being breached by having strong access control policies and practices. This has proven to be highly effective, as it becomes challenging for an attacker to penetrate the layering of security on the applications, devices and users based on the Zero Trust model.