One career, two decades of change in cybersecurity

by Black Hat Middle East and Africa

Last week we shared our interview with Makesh Chandramohan (CISO at Aditya Birla Capital).

With two decades of experience working in cybersecurity, Chandramohan has seen seismic shifts occur in the industry. So we also asked him to talk about those changes – to understand how the experience of working in cybersecurity has evolved since the start of his career.

Here’s what he told us.

The question: How has working in cybersecurity changed over the course of your career?

Chandramohan said, “Cybersecurity has undergone significant changes due to technological advancements, evolving threats, and increased awareness of the importance of protecting digital assets.”

“I’d like to highlight some key changes cybersecurity has seen over this period.”

Sophistication of threats

“Attackers have developed advanced techniques, including advanced persistent threats (APTs), ransomware, and social engineering attacks, that have caused major disruptions and financial losses.”

Sophistication continues to advance – and as emerging technologies hit the market, threat actors have a growing number of tools to play with.

According to research by Check Point, global cyber attacks rose by 7% in Q1 2023, with each company having to withstand an average of 1,248 attacks every week. And a public data breach tracker created by UK media company The Independent found that, up to the time of writing, over 364 million people have been affected by publicly reported data breaches so far this year.

Adoption of cloud and mobile computing

“The adoption of cloud computing and mobile devices has transformed the cybersecurity landscape. Organisations have migrated their data and services to the cloud, resulting in a need for new security approaches and technologies to protect cloud-based infrastructure and applications.”

Cloud adoption has changed cybersecurity in a number of ways – including:

  • Increased vulnerability as cloud platforms are always connected to the web
  • Lack of transparency in how data is used and stored
  • Increased complexity of tools, services, and skill sets needed to secure information
  • New threats that are native to cloud

Skills gap and workforce challenges

“The demand for skilled cybersecurity professionals has grown rapidly, resulting in a significant skills gap. Organisations struggle to find and retain qualified personnel, leading to increased reliance on automation, outsourcing, and managed security services. On average, organisations take six months to fill an open position.”

A 2023 report by Fortinet on the global cybersecurity skills gap noted that the most needed cybersecurity skills (and the hardest to fill for cybersecurity firms and recruiters) are cloud security, cyberthreat intelligence, and malware analysis. And 68% of business leaders agree that skills shortages create additional cyber risks for their organisations.

Regulatory landscape

“Governments around the world have recognised the importance of cybersecurity and enacted or updated regulations to enforce security practices. Compliance requirements have become more stringent, and organisations must adhere to specific cybersecurity standards and frameworks.”

This year, we’re seeing a rise in the rollout of new legislation that affects cybersecurity – including:

Rise of Artificial Intelligence (AI), Machine Learning (ML), Internet of Things (IoT)

“AI and ML technologies have gained prominence in cybersecurity. They are used for threat detection, anomaly detection, and behavioural analysis, enabling organisations to identify and respond to threats more effectively. IoT devices often have vulnerabilities that can be exploited, and securing them has become a critical concern for organisations and individuals alike.”

Indeed, as we settle into the second half of 2023, we’re seeing sophisticated threats on a new level – driven at least in part by increased attack efficiency as more threat actors leverage generative AI to cover more potential entry points at greater speed. Other emerging technologies, including 5G, an explosion of IoT devices, and quantum computing, are also reducing barriers to entry for cyber criminals – and making the attack surface bigger.

Boundaryless architecture and more focus on data privacy

“The past decade has seen a substantial increase in awareness and regulations regarding data privacy. The introduction [in Europe] of the General Data Protection Regulation (GDPR) in 2018 and similar data protection laws worldwide has forced organisations to prioritise the protection of personal data and implement measures to ensure compliance.”

Beyond Europe, data privacy laws that have come into play to shift the focus of organisations towards personal data protection include:

  • Brazil’s General Data Protection Law (LGPD), which gives Brazilian citizens the right to know what personal data is being collected about them, as well as the right to request the deletion of that data
  • California’s Consumer Privacy Act (CCPA), which also ensures the right for residents to know what data is being collected about them, and the right to request that their information be deleted
  • Saudi Arabia’s Personal Data Protection Law (PDPL), implemented in 2021, which covers a number of requirements – including that organisations must obtain consent from individuals before processing their personal data; and that individuals have the right to access, correct, and delete their data

From information technology to business strategy

“Overall,” Chandramohan said, “cybersecurity has evolved from being an IT problem to a strategic business risk. It is now recognised as a critical aspect of risk management and requires a holistic approach that encompasses technology, people, processes, and governance.

“The dynamic nature of cybersecurity means that organisations must continually adapt their defences to keep pace with evolving threats.”

Thanks to Makesh Chandramohan at Aditya Birla Capital. Learn more at Black Hat MEA 2023.
