Compliance should never come as an after-thought: Tarun Kaura
In the digital age, businesses of all sizes are increasingly reliant on electronic data, and a breach of security can have serious consequences. In an interview with TechCircle, Tarun Kaura, Leader - Cyber Advisory, Deloitte India, discussed how companies can keep up with a constantly changing regulatory environment and how they can achieve regulatory compliance. Edited excerpts:
What kind of data privacy and compliance policies are needed today, and what are companies doing to achieve regulatory compliance?
With the rise of digital activities, there’s more exchange of personal data across platforms, and hence there’s greater focus on privacy and data protection. Some organizations are introducing security strategies at an earlier stage. Driven by the changing business environment and the regulatory mandate, boards are also giving more importance and time to security leaders to holistically look at organizational resilience.
Despite companies working on their data, there are still gaps when it comes to cyber and privacy literacy, which makes customers vulnerable to identity theft, fraud, crime, etc. Regulators are taking note of this and finding ways to safeguard all stakeholders. Regulators such as CERT-In have a key role to play, not just in changing the way compliance works; as more organizations submit their logs and report breaches, more clarity comes in on the modus operandi of threat actors.
The reporting mandate also requires an organization to look at the way it detects threats and manages incidents, bringing in more efficiencies and collaboration within the organization and compelling it to move to better security tools and platforms. The new Digital Personal Data Protection Bill that will soon be introduced would certainly provide greater clarity about personal data protection.
What can companies do to reduce their compliance cost?
Traditionally, compliance always came as an after-thought. Companies would go ahead with their business or IT projects and look at security at a much later stage. In such a scenario, an organization’s compliance cost drastically increases because one wouldn’t have taken into account shadow IT or any backdoor created because of newer tools, technologies, or even models of working. That said, the cost of compliance is very relative, depending upon the business model and the entire digital footprint. Today, we have hybrid businesses, managing both legacy and the cloud, as well as cloud-first, digital-first, and AI-first businesses. It’s important that security is embedded in both greenfield and brownfield projects. When organizations bring in security right at the conceptualization stage, what we call ‘security-by-design’, I think that definitely helps in keeping the compliance costs down.
What kind of countermeasures should CISOs take to improve their security posture?
The first step is to know the attack surface and the exposure. Because of greater adoption of digital transformation, changing business models, and modes of working like the remote or hybrid setup, the perimeter doesn’t exist the way it did traditionally. With connected devices, 5G, cloud, and edge all paving the way towards more autonomous systems, we need to look at security requirements at different levels: data, systems, applications, and the network.
Secondly, it is important to have layered defenses such as zero trust, which doubles down on establishing trust at every layer of the deployment stack. Looking at the architecture by removing the assumption of trust is vital; authenticating every action, user, and device is critical. It is relatively easier for all-cloud or all-digital organizations than for those managing both legacy and the cloud together. For traditional organizations planning to embrace the digital way, implementing zero trust means taking one step at a time: securing the network, data, etc. But the concept is gaining momentum as it is a more robust and resilient security posture.
Thirdly, with so many security products and solutions in the market, oftentimes it becomes a little overwhelming for CISOs to make the right decision. Organizations should look at platform-based solutions that offer greater interoperability, insights, and threat detection and response mechanisms. Fourthly, companies need to comply with various regulatory requirements if they want to prove their integrity, reliability, and ethics, all of which can engender stakeholder trust and strengthen their competitive position. And finally, working towards creating a cyber-savvy organization, keeping people at the center of any cyber risk management strategy.
How do sectors like BFSI and healthcare handle sensitive data in different ways?
Both the sectors are distinct, in terms of their value-chain, digital journey, customer touch-points, and also in the way they handle data.
In banking, it is all about safeguarding the financial transactions. In healthcare, it’s the lives of people that are really at stake. That changes the whole outlook of how regulators look at it, how security must be catered to, and what kind of policies should be in place. At the same time, both industries are at different levels of maturity in terms of their digital transformation journey and the way they are regulated. Healthcare, as a sector, is relatively unstructured, with public hospitals, private hospitals, and clinics, but certainly, to an extent propelled by the pandemic, it is embracing digital and emerging tech. That makes it more important for the sector to have policies, procedures, and controls in place that protect both personal and patient data.