Is cybersecurity the same across industries?

by Black Hat Middle East and Africa

We caught up with Black Hat MEA 2023 speaker Makesh Chandramohan (CISO at Aditya Birla Capital) to get a snapshot of his career so far, and find out how he stepped into the role of CISO at an Indian Fortune 500 company with a presence in 36 nations around the world.

Chandramohan has worked at a high level in a number of different industries. So we wanted his perspective on whether cybersecurity is more or less the same across industries – or if the skills, knowledge and tooling required are specific to different lines of trade.

To illustrate his answer, he provided a comparison of two critical industries: banking, financial services and insurance (BFSI) and the manufacturing sector.

Could you briefly share your career journey so far?

“I am a graduate in electronics with a master's in computer applications. After I completed my MCA, I started working in a software product company as a software engineer – and soon I realised my interest was in network and network security.

“I joined a tech company as a network security consultant and got an opportunity to work with the CISO of one of the largest payment companies in the world in 2005. I learnt about Information Security and global standards around the same, like BS 7799.

“In 2006 I became a pure play Information Security Manager in the automobile manufacturing sector. There I learnt and implemented global standards in information security for multiple business units, in addition to my core area of network security. I also provided freelance business continuity consulting for a global conglomerate.

“With these experiences, I joined one of the largest financial services conglomerates in the country, which has 9 different business entities – where I, along with my Group CISO, was instrumental in building the security ecosystem across businesses. I’m now responsible for Information, Cyber Security and Data Privacy at Aditya Birla Capital.”

You've worked across a range of industries – including financial services, automobile, manufacturing, and more. Do different industries face very different, specific security challenges; or is cybersecurity more or less the same wherever you go?

“Based on my experience in various sectors, I feel the fundamental risk management concept remains the same; but the threat landscape, risk appetite and risk exposure vary a lot due to the unique characteristics and requirements of each sector.

“Please remember, challenges are not exclusive to each sector, and there can be overlaps and similarities. But here are a few key differences:

  • BFSI Sector:
  1. Data Protection and Privacy: The BFSI sector deals with sensitive financial and personal data, making data protection and privacy a significant concern. Safeguarding customer information, preventing unauthorised access, and complying with data privacy regulations become top priorities.
  2. Financial Fraud and Cybercrime: The BFSI sector is a prime target for financial fraud, including phishing attacks, account takeovers, and payment fraud. Cybercriminals often aim to exploit vulnerabilities in online banking systems, payment gateways, and mobile banking applications.
  3. Regulatory Compliance: The BFSI sector is heavily regulated, with strict requirements related to cybersecurity, data privacy, and risk management. Organisations must comply with industry-specific regulations like the Payment Card Industry Data Security Standard (PCI DSS) and anti-money laundering regulations.
  • Manufacturing Sector:
  1. Industrial Control Systems (ICS) Security: The manufacturing sector relies on industrial control systems, including Supervisory Control and Data Acquisition (SCADA) systems, which manage critical infrastructure. Securing these systems is crucial to prevent disruptions, tampering, or unauthorised access that can impact production or even public safety.
  2. Supply Chain Risks: The manufacturing sector often has complex supply chains, making it vulnerable to cyber threats through third-party vendors and suppliers. Attackers may exploit weak links in the supply chain to gain unauthorised access or introduce malicious software or hardware components.
  3. Intellectual Property Protection: Manufacturers invest heavily in research, development, and intellectual property (IP). Protecting trade secrets, proprietary technology, and product designs from theft or unauthorised access is essential to maintain a competitive advantage.
  4. Legacy Systems and IoT Integration: Many manufacturing facilities still use legacy systems that were not designed with cybersecurity in mind. Integrating IoT devices and connecting operational technology (OT) systems to information technology (IT) networks introduces new cybersecurity risks that need to be addressed.
  5. Operational Disruptions: Especially after the industrial 4.0 revolution, cyberattacks against the manufacturing sector can result in operational disruptions, such as production downtime, supply chain delays, or compromised product quality. These disruptions can have significant financial and reputational consequences.”

On a personal level, how do you manage the pressure of being responsible for the security of an enterprise? If you were giving advice on this to someone just starting out, what would you say?

“Build a strong team, provide them with best-in-class training, empower them. Clear guidelines on roles and responsibilities, robust governance, seamless communication from CEO to the ground level IS team member and vice versa. Be focused – as there are many distractions in cyber security!”

What's one thing you wish everyone knew about cybersecurity?

“Believe in the statement: Breach is inevitable. Be prepared for quick detection and response.”

Thanks to Makesh Chandramohan at Aditya Birla Capital. Learn more at Black Hat MEA 2023.
