The pandemic had repercussions for enterprises across all industries, but the impact for some was more pronounced than for others. Through the course of this article, I will talk about the impact of the pandemic on IT/ITeS services and similar companies that focus on managing secure ODCs (Offshore Development Centres) for BFSI (Banking, Financial Services and Insurance) customers.
The abrupt transition to remote work that accompanied the pandemic forced us to move everyone to their homes. However, the comprehensive set-up that we had for all our banking customers entailed only on-site security controls. Those controls included a locked ODC, a guard outside, and heavy restrictions on carrying mobile phones inside. In fact, no papers were permitted inside, and neither were any printers allowed. That was conventionally the high level of security we ensured for our banking customers.
CISO & DPO
Redesigning on-site security with risk assessment
Evidently, the onset of the pandemic created a situation where the workforce had to work from their homes, leading to a variety of challenges. What followed was an extremely sincere risk assessment, accounting for all the problems that could potentially be caused. The period was accompanied by a lot of learning, including implementing a couple of proofs of concept (POCs) to ensure seamless functioning and prevent any lack of control once work from home started.
Our sincere and diligent risk assessment helped us put many things in place. One of the first moves was to migrate our control servers, including anti-virus, vulnerability management, etc., to the cloud, bringing them onto internet-facing infrastructure. The next step was to enable Wi-Fi on desktops and laptops so they could connect to these servers over the internet, receive updates and be measured for any potential vulnerabilities.
One of the biggest challenges was that people did not have enough bandwidth to transfer logs back into the system. That became one of the weak areas lacking an effective solution. We looked at one of the market leaders in EDR (Endpoint Detection and Response) technology and implemented it on all the systems, in addition to the existing controls.
This gave us at least some degree of control over the computers that our team took to their homes. Several changes to the configuration came next. The comprehensive approach to risk assessment helped us answer all the questions on what we were doing and the best way to apply the knowledge we gained while setting up controls. At the same time, the rationale for adopting extensive risk management over blindly following any kind of checklist became clear. We didn’t just have to tick a check box, but actually needed to create solutions that addressed impact.
Role of the CISO
I am an ardent believer that CISOs should be very technical in nature and have comprehensive knowledge of their field. If required, they should go down to the packet level to understand what is happening in the network. And that’s what came to our rescue in the time of crisis. The knowledge that went into the system, coupled with the strong profiles that we had built in the team, facilitated our entire transition process.
To begin with, it promoted the right kind of threat modelling, followed by effective and extensive threat vector analysis. This invariably led to results-driven and conclusive risk assessment, enabling us to implement the right kind of controls. Consequently, we were back to 99+% of operations for all our banking customers in virtually no time.
Despite the uncertainty and ambiguity that accompanied the entire process, it was the right knowledge, intention and the will to promote our business objectives that helped us sail through. Therefore, my two cents here would be that all enterprises must capitalize on the right human, technology and other resources to ensure continuity even during crises.
In conclusion, it is important for enterprises to adopt agility and resilience to traverse times of uncertainty and ambiguity. Forward-looking leaders, quick decision making and comprehensive risk assessment with the right solutions are integral for organizations today to transition to diverse models of work and workforce, promote high-impact IT and cyber security practices, and build the enterprises of the future.
About the author
Amit Dhawan is CISO and Data Privacy Officer at Birlasoft. He has more than 20 years of experience in the IT and information security domain. Before Birlasoft, Dhawan served in leadership roles at eAvighna (his own InfoSec training and consulting startup), JP Morgan and American Express, driving technology controls and leading the InfoSec practices.