Rahul: Give us a brief overview of the current state of Information Security, including its awareness and challenges.
Dr. Nishit Narang: Information Security or InfoSec is the protection of confidential or private information from unscrupulous entities. Information is at the heart of most industries and businesses, and can vary from organizational intellectual property data to private personal information of individuals or employees.
The current state of Information Security is not a very satisfactory one, maybe even tilting towards being a bit on the grim side. While there has been a shift in focus from all quarters to strengthen Information Security, the last few years have yet again seen a significant number of security incidents involving information leaks and thefts, across industries and domains. While Information Security principles, guidelines, and requirements are being defined and also getting standardized, it is turning out to be a myriad collection of frameworks, laws, and domain-specific regulations. There are many different domain-specific compliance frameworks (such as Cloud or IoT frameworks), geography-dependent local laws (e.g. GDPR, HIPAA, etc.) and industry-specific regulations (e.g. HIPAA for healthcare).
The level of awareness of Information Security is still limited and patchy. While Information Security impacts everyone from a service provider to service users, from solution developers to organizations deploying those solutions, not all involved parties have the same level of awareness. We normally see a higher level of awareness in larger organizations and businesses. Smaller or medium-sized businesses are often not well aware of the benefits of being protected and compliant. A lot of times, solution developers may not be well aware of remote laws and/or trained in the nuances of the compliance frameworks or regulations, leading to gaps in the overall canvas of Information Security.
Challenges in managing Information Security are plentiful. Most organizations tend to use a complex collection of security tools that are hard to maintain or organize, leaving behind security loopholes. Most often, there is a lack of a well-designed security architecture that is aligned with the use of the latest technology solutions, like Cloud Computing or IoT-based solutions. Further, security budgets in medium or small enterprises have always been a challenge to obtain, with the direct benefits of investing in security not immediately visible or quantifiable. Lastly, user awareness of the topic and required training for involved parties leave a lot to be desired.
Rahul: It has been widely observed that there are gaps between desired and possessed skills in ICT professionals and ICT graduates. What can be done to bridge this gap?
Dr. Nishit Narang: It is a well-known fact that there is a significant gap between the desired and the possessed skills of ICT professionals and graduates. While the educational sector has largely been focused on imparting theoretical knowledge, the industry is practice-driven. This difference in approach leads to ICT graduates lacking practical skillsets, knowledge of tools, and awareness of the latest trends and technologies. Academic focus on Information and Cybersecurity as a practice-driven skillset is limited or non-existent.
So, what should be done to overcome this gap? We need to design different platforms for enabling industry and academia to connect. The two can hardly be allowed to work in isolation. Academic curricula need to be overhauled to align with the latest trends and technologies. Practice-driven experiential learning must be the focus of teaching in academia, with a curriculum that includes industry-driven and technology-driven courses. On its part, the ICT industry must support academia with not only funds for setting up advanced technology centres, but also opportunities for students in academia via industrial projects and internship opportunities.
Rahul: How can ICT graduates transform their theoretical knowledge into practical skills within a professional setting?
Dr. Nishit Narang: There are multiple opportunities today for continued learning and skill development. ICT graduates joining professional organizations and institutions must not see it as the end of their journey toward learning. Rather, it is the beginning of focused skill development for them. While on-the-job learning is definitely one of the best ways to learn, ICT graduates must also look at getting themselves enrolled in different certificate and degree programs, especially those that also specialize or focus on specific key domains (Security, Networks, Cloud, etc.) — this will help them continuously develop and build upon their practical skills. A lot of recognized and well-known institutions in the academic sector today offer such programs for working professionals. The only caveat is that the focus must be more on experiential learning; so, ICT graduates must differentiate regular run-of-the-mill programs from the ones that offer more experiential learning, and enrol for the latter.
Rahul: How can organizations safeguard Operational Technology without jeopardizing their critical systems?
Dr. Nishit Narang: Organizations sometimes fear that the introduction of security solutions may interfere with the operations of the critical systems driving their solutions. This is often a misunderstanding. In fact, and on the contrary, there are numerous examples where the lack of security has led to malicious attacks on critical infrastructure systems, bringing them down for long durations.
The correct method is to always approach it the right way; it is never advisable to introduce security solutions and appliances without a well-thought-out plan of action. Unwanted and cluttered deployment of security appliances not only makes system management a nightmare, but misconfigurations may also open up unknown or unwanted windows of opportunities for attackers. A carefully planned security architecture that is complete with identification of the critical use cases that need to be protected, associated tools needed towards this end, and their proper and planned deployment, is the way to go.
In essence, the focus is on completeness rather than patchiness — organizations must embrace the principles of security by design. A layered approach is often a good defence approach that can limit the impact to the OT layer and bring in the benefits of the defence-in-depth strategy. Lastly, remember that nothing can replace a well-architected security framework, as the last thing that organizations need is an unplanned and complex collection of myriad appliances.
Rahul: It has been established that security issues are rarely addressed in academic settings, and those who attempt to incorporate them into their curriculum quickly discover that it is difficult to make learning happen in a traditional lecture-based approach. How do you approach this problem?
Dr. Nishit Narang: This is a common problem for all areas requiring practical skillsets and is equally applicable to the domain of security. Many academic institutions, and sometimes not-so-experienced teachers, do struggle with the right way to plan such a curriculum. It is easy to set up traditional lecture-based courses. The difficult part is to integrate these courses with aspects of experiential learning. This is where the long-term experience of well-established academic institutions comes in handy in terms of executing such programs with finesse.
Integrating practical learning into a traditional lecture-based approach requires planning for the right mix of theory and fundamentals with experiential learning. Experiential learning can come in the form of case studies, lab exercises, or assignments, which require students to learn by doing things practically. It also requires the right set of infrastructure to enable such kinds of experiential learning. In summary, a combination of the right experience and infrastructure is what is required to approach and handle this problem.
Rahul: What are the major trends that will shape Information Security in the future?
Dr. Nishit Narang: Many recent technological changes and trends are bringing in newer challenges to Information Security. One such big change is the migration of organizations and businesses to the Cloud. Cloud Computing brings major benefits to customers, and yet, opens up new dimensions in the area of Information Security. Information is no longer protected by the organization’s network perimeter and can reside in remote data centres, limiting control of the organization owning the data. This is where the role of the Cloud service provider becomes extremely important. Information Security in the Cloud Computing era will require a working model of shared responsibility among the Cloud service provider, the organization (or the tenant) and its customers or users. The focus on collective responsibility to protect data will likely become even more evident with Cloud Computing.
Another trend that we see both in the industry and the consumer markets is the introduction of solutions that are driven by IoT devices. Whether it is the need for industrial automation, connected self-driving automobiles, or even simpler home automation solutions, all of them make use of intelligent or smart IoT devices. As we embrace these solutions for their charm in making our lives simpler, we will soon find ourselves in a state where these IoT devices are holding a lot of our data — both personal and financial. But do we trust these devices to keep our data safe? Are these devices designed to be adequately secure? These are questions that will intrigue us, and the only way out is to build secure IoT solutions that make use of the best practices of Information Security.