Windmill Experts: Khushali Solanki, Information Security Officer
In this edition of our Thought Leadership Series, we spoke to our Information Security Officer Khushali Solanki. In our interview, Khushali highlighted several crucial factors involved in information security and offered advice to fresh graduates in the field.
What are your three main responsibilities as Information Security Officer?
Khushali Solanki: Establishing and maintaining security culture to protect information assets from unauthorized access and developing the best practices and security standards for the organization. To support the business with a range of compliance implementation requirements. I also provide and facilitate the information security risk assessment process, report audits and manage governance. One of my main goals is to reduce the risk of data breaches and attacks in IT systems by continuously monitoring and identifying weaknesses in the organization’s IT systems and infrastructure.
In your opinion, what is the best way to handle security breaches? What are the biggest threats to IS (information security)?
KS: A cybersecurity breach occurs when an intruder gains unauthorized access to an organization’s protected systems and data. A security breach is any incident that results in unauthorized access to computer data, applications, networks, or devices. It typically happens when an intruder is able to bypass security mechanisms.
So if you ask me, the best way to handle a security breach is to prevent it before it happens.
It is of utmost importance that an organization has all the necessary mechanisms in place not only to prevent cyber security breaches in the first place, but also to counteract them on time and in an appropriate manner.
Preventive actions can be taken such as training and educating employees, enforcing strong password rules and MFA, limiting access to systems and data, patching software and device vulnerabilities, encrypting data, and preparing incident response teams and breach recovery plans, while continuous monitoring and auditing can be helpful, too.
In spite of all the preventive measures, we cannot deny the fact that it may happen and hence an organization needs to be prepared for it. When a cyber security incident is detected, several steps need to be taken to minimize any negative impact to the organization and to be compliant with legal requirements.
These include internal responsibilities and fact-finding: A responsible person has to be identified for co-ordinating incident management internally. Identify the affected hardware and software to understand the degree of the risk and its effect. The next step would be to notify affected parties: Report the incident and notify affected parties and officials about the associated risk. And lastly, identification of remedial action: to remedy the adverse effects of a cyber security breach, mitigating measures have to be taken.
Today’s digitization era has changed the threat landscape. New threats/challenges to info sec are remote workforce evaluation/adoption, blockchain and cryptocurrency attacks, emerging 5G applications, phishing scams, Internet of Things (IoT) attacks, and cyberthreat evolution.
What are some current developments in Information Security?
KS: The past year has shown organizations that uncertainty and a transformed reality are the new normal in business. While remote work was intended as a temporary response to the global pandemic, it is now considered a regular part of the business culture—fundamentally altering the way companies operate.
Homeworking, the ongoing digitization of society, and the increasingly online nature of our lives have increased opportunities for phishers, hackers, scammers, and extortionists.
This has led the organization to shift its cybersecurity strategies and keep up with expanding IT infrastructure and the explosion of IoT devices. Organizations need protection and resiliency against the significant increase in the volume of attacks on their network. Every private and public sector organization needs to gain insight into vulnerabilities in their IT infrastructure to take necessary measures to ensure security. This changing security scenario will bring about three trends throughout this year.
#1 Remote work cybersecurity
The adoption of remote working in organizations has raised the focus on security measures. While adapting to the new normal of remote work, there were many vulnerabilities in enterprise cybersecurity infrastructure which organizations need to take into consideration. Such as setting up network and device security policy and access controls to ensure data safety and seamless operations and rapid response to a security incident. Educating and training employees to follow the best security practices.
#2 AI-driven cybersecurity
Artificial intelligence (AI) can counteract cybercrime by identifying patterns of behavior that signify something out of the ordinary may be taking place. It’s the predictive powers of AI that make it so useful here, which is why innovative AI technologies and solutions have begun to be a part of the organization’s rapid response strategies.
Recent research by Capgemini shows that two-thirds of businesses now believe AI is necessary to identify and counter critical cyber threats and about three-quarters of businesses are already using or testing AI for this purpose.
#3 Smart budget allocation or investment in infrastructure security
Budget allocation in cybersecurity has become smarter in 2022 as compared to the previous years. Now there is greater recognition—and funding—for cybersecurity strategies and solutions.
Proactively identifying the vulnerabilities firsthand helps organizations cut down their investments and spend money in the right areas.
While organizations are willing to heavily invest in cybersecurity to avoid getting in the news for a breach, hack or ransomware attack, they are not willing to spend a penny more on something that will not bring value to them.
Organizations will start investing more in loss prevention capability, bringing in data security and protection officers and bulking up their security teams.
What’s the difference between symmetric and asymmetric encryption?
KS: The basic difference between these two types of encryption is that symmetric encryption uses one key for both encryption and decryption, and asymmetric encryption uses a public key for encryption and a private key for decryption.
Asymmetric encryption takes longer to execute because of the complex logic involved.
Symmetric encryption is said to be the simplest and best-known encryption technique. The plaintext is encrypted using a key, and the same key is used at the receiving end to decrypt the received ciphertext. The algorithm behind symmetric encryption is less complex and executes faster. It is also the preferred technique when transmitting data in bulk.
On the other hand, asymmetric encryption is referred to as public-key cryptography. In this technique, a message is encrypted using a public key, and it can only be decrypted using a private key. This encryption method is used in everyday communication over the internet. Asymmetric encryption is considered to be more secure than symmetric encryption as it uses two keys for the process.
While both of these have their own pros and cons, asymmetric encryption is definitely a better choice from a security perspective.
What are black hats and white hats and how are they relevant to your role?
KS: These are types of hackers in the world of information security. These colored hat descriptions were born as hackers tried to differentiate themselves and separate the good hackers from the bad. The roots of the black and white hat labels are drawn from Western movies, where protagonists wore white hats and antagonists wore black hats.
When it comes to cybersecurity, things aren’t all that black and white. Hackers’ hats come in a variety of colors.
A black hat hacker is someone who breaks into computer networks with malicious intent, searches for and exploits vulnerabilities in devices and networks, destroys files, holds computers hostage, or steals passwords, credit card numbers, and other personal information.
They are motivated by self-serving reasons, such as monetary gain, revenge, to steal or destroy data, to disrupt systems, to conduct cyber espionage, or just to have fun.
White hat hackers are known as ethical hackers who disclose all the vulnerabilities to their employer. These are security specialists hired to find vulnerabilities in software, hardware and networks that black hats may find and target. Companies and government agencies hire white hats as information security analysts, cybersecurity researchers, security specialists, penetration testers, etc. They work as independent consultants or freelancers as well.
The white hat’s role is important to security, as their skills are used to test vulnerabilities and the strength of the security so that the data can be better protected.
How do you handle confidentiality in your work?
KS: Workplace confidentiality refers to any confidential information that you come across in the course of business. In any business, one must know what the day-to-day activities of the business are, and what keeps your business up and running. So, making sure that this expertise and information is kept within your business is very important.
In our company we have implemented technical measures as well as organizational measures.
Technical measures include implementation of different policies and procedures, such as logical and physical access control on systems and data, a clear desk and clear screen policy which focuses on a neat and clean workplace, screen lock, hardcopy document security, device security, a backup and retention policy for business-critical data, etc. Other administrative controls include enforcing MFA and SSO and device hard-disk encryption.
In addition to this, organizational measures include regular employee training and education by conducting quizzes, sharing tips and best practices, emails, random device checks, etc. We get NDAs (non-disclosure agreements) signed by employees and our vendors to safeguard the data from misuse.
With all the measures we continue to monitor, audit and improve administrative control on data sharing and access to connecting business apps to ensure all the controls placed are effective.
What advice would you give to fresh graduates in your field?
KS: One—stay up to date with cybersecurity domains. It’s fast evolving, with constantly emerging technologies and threats. Go for security certifications based on your interests and current trends! Decide which area within security you would like to follow i.e., governance and compliance-focused or technically oriented.
Two—have passion and patience. Understand the fact that experts don’t appear out of thin air! A lot of security threats are handled by existing solutions, but the actual challenge is when you need to investigate something to identify a proper solution and close that security hole. Research is required, and, because you might have to read through pages and pages of documentation, patience is required, too.
To be precise I would say “Keep refreshing your knowledge, be adaptive to change.”
What would you say are the client-side implications of your work? Or is your role strictly Windmill-related?
KS: At present, my role is more focused on building a strong security base within Windmill to boost the confidence of our clients in terms of security.
We achieved ISO/IEC 27001:2013 at our locations in India and Ukraine, which is foundational to creating a culture of information security. The certification is demanded by our clients in core sectors of banking/finance, pharmaceuticals/healthcare and data analytics. Obtaining ISO/IEC 27001:2013 certification was a strategic decision to meet our client needs and underlines Windmill’s dedication to building the highest standard of security and transparency into our security practices and controls.