Globalization may have lost some of its gloss in recent years — with trade wars and exits supposedly signalling its retreat — however, its interconnected qualities have become ingrained and, in many senses, have revolutionized the way that organizations around the world do business today.
Businesses realize the importance of being as interconnected internally as they are externally, and of their leaders being across all facets of operations, ready to front stakeholders, shareholders or the media. This has become particularly apparent within the realm of cybersecurity, which not too long ago was a topic discussed only between IT departments and those in the industry.
“Like many economies, in Sri Lanka we have seen information security become a board-level discussion point with more and more board members and senior managers requesting our services in order to receive updates on the current security status of their organization; in addition to obtaining advisory services on protecting their vital IT infrastructure,” says Dileepa Lathsara, CEO of TechCERT, Sri Lanka’s first Computer Emergency Readiness Team (CERT).
“If these large corporates get exposed to possible cyber-attacks, they have an overall obligation to ensure that their organizations are ready to respond to large-scale data breaches, website defacements and scams.”
Lathsara has been with TechCERT since it was established in 2006. Originally it was set up by the LK Domain Registry and its academic partners to provide a safety net for large and small organizations against cyberattacks. Since then it has broadened its responsibility and clientele to include most of the nation’s leading banks, financial and professional institutions, telecommunication and Internet service providers, and insurance and manufacturing companies.
This includes providing training to IT department staff members, not only on how to mitigate and handle attacks but also on how to get their message across to senior management, who are ultimately accountable.
Lathsara’s tips for network administrators when communicating with management about security
- Be specific about the cybersecurity protection measures that are in place and how they directly impact/protect the company. Having the latest cybersecurity protection procedures in place does not provide assurance.
- Understand that the senior management of large corporations does not want to buy security products and services separately, but as a package. For example, they are interested in securing the core banking system or a secure email system. Therefore, propose bundled solutions without fragmenting the solution into individual products or services.
- Convince management that security is more like an insurance policy — expenditure on information security rarely generates revenue. It will add business value in many ways, for example, reducing the potential occurrence of security incidents, faster resolution of security incidents, and supporting the organization’s reputation.
Industry and organizations are becoming more proactive
Apart from greater awareness and interest in seeking out assistance, Lathsara is also impressed by the actions that organizations and industries in Sri Lanka have taken internally and collectively to set up their own Security Operations Centres (SOCs) and to appoint Chief Information Security Officers and teams under them to protect vital information.
“The banking and finance sector has probably been the leader in this area, having established the first sector-specific CSIRT in the Asia Pacific region, obtaining international standard certification (PCI-DSS), and investing in adopting best current practices and systems to protect their customers and online presence,” says Lathsara.
Building on this groundswell, TechCERT has also been working with Sri Lanka CERT|CC and other government partners on implementing the National Information and Cybersecurity Strategy (2019-2023) and the Cyber Security Act. According to the Minister of Digital Infrastructure and Information Technology, Ajith P Perera, these measures provide an appropriate regulatory framework for securing individuals and organizations in cyberspace, and strengthen prosecution support for modern cyber offences.
Sri Lanka: Govt to enact Cyber Security Act within next two months https://t.co/H6jHS0Lzoh
— Kaja (@KajaCiglic) March 23, 2019
Perhaps more importantly, such regulation and strategies enable Sri Lanka and its CERTs to align themselves with other international cybersecurity efforts.
“The Internet has ultimately changed the face of law enforcement. No longer are crimes solely carried out in person by physical actors, who can be prosecuted under the legal jurisdiction of where they committed their crimes,” says Lathsara.
“Cybercrimes such as fraud, scams, and harassment can be facilitated by one or a number of actors spread across the globe, which makes it very hard to verify their identity or location, let alone prosecute them. Although we’re still a long way off from a solution, having international standards and regulations brings us a step closer.”
The views expressed by the authors of this blog are their own and do not necessarily reflect the views of APNIC. Please note a Code of Conduct applies to this blog.