CXOToday has engaged in an exclusive interview with Mr. Aayush Ghosh Choudhury, CEO and Co-Founder, Scrut Automation
Q1- Please elaborate on Scrut Automation and its offerings in India and abroad?
Scrut Automation is a risk observability and compliance automation platform built to simplify information security monitoring for cloud-native companies. It helps early-stage and growth-stage companies across the globe establish enterprise-grade information security processes through an easy-to-use GRC platform. With hundreds of customers spread across India, APAC, Europe and North America, Scrut Automation provides a 5X faster and more convenient roadway for information security to its customers and helps them meet their compliance requirements in over 20 reputed industry standards like SOC 2, GDPR, ISO 27001, PCI DSS, CCPA, HIPAA, etc. It also empowers them to use a single window to perform different functions like automating risk assessment and management, conducting employee information security training, monitoring their cloud and cyber assets, streamlining their information security processes, and more. In other words, Scrut Automation helps its customers to continuously monitor their information security and compliance postures, guaranteeing trust, convenience, and safety.
Q2- What is your current market share and clientele? Any plans for expansion?
As a SaaS-based platform, Scrut Automation has a global clientele of 200 companies across India, Indonesia, Singapore, USA, Canada, UAE, UK, France and Germany. They are always on the lookout for new opportunities in the industry to make compliance easier for early-stage startup founders and help mid-market CISOs scale their security programs with minimal friction.
Scrut is focused on deepening its product capabilities in cyber asset attack surface management and risk management to help its customers solve security and compliance by enabling them to take a risk-backed approach to information security. On the same note, they are broadening their integration landscape for increased coverage for continuous control monitoring and heavily focusing on security tools such as Snyk, Veracode, SentinelOne, and Qualys. The team is expanding its base across the US and APAC, betting heavily on these regions for future growth.
Q3- What are the five emerging bothersome cyber challenges, according to you?
Today’s cyber landscape faces many obstacles and roadblocks, which pose a risk to the security of organisations. These challenges arise from various issues, including out-of-date software and large-scale struggles like lack of support from leadership teams. Here are some of the leading cyber challenges amid the ever-evolving threat landscape.
- Increasing cyber asset attack surface: The first half of 2022 saw a widened digital attack surface, where cybercriminals troubled organizations by launching old and new cyber attacks. As per a report by Trend Micro, more than 63 billion threats were reported in the first half of 2022. As threats rise with the digital tide, everything is vulnerable, including software, physical infrastructure, networks, clouds, devices, and applications. The only way to close the “gaps” is through granular visibility into your cyber asset attack surface, and executing strict security and control measures where you are most vulnerable.
- Commoditisation of cybercrime: Today’s cybercrime marketplace has evolved into a managed business model. Just like organizations provide their on-demand services, technology software, and infrastructure to other businesses, cybercriminals have started to sell their services to prospective clients in return for payment, which is generally made in cryptocurrency. Such a trend has commoditised cybercrime and reduced the entry barriers for potential criminals, thereby accelerating cybercrime growth. Apart from cybercrime as a service, there is a clear rise of self-service cyber-attack toolkits, such as Malware-as-a-Service (MaaS) and Ransomware-as-a-Service (RaaS).
- Supply chain attacks: Also known as value-chain or third-party attacks, supply chain attacks happen when hackers infiltrate a business’s systems via an outside partner or provider with access to systems and data. The best example is the SolarWinds attack (attributed to Russia), which affected nearly 250 organizations and took advantage of their supply chain layers. It’s estimated that such attacks could cost up to $90 million to cyber insurance companies.
- Changing regulatory compliance requirements: Regulatory compliance enables businesses to prevent and identify breaches of laws, which further saves them from fines and criminal proceedings. But maintaining compliance in a world where regulations are constantly changing is challenging due to factors like complexity, lack of resources and advanced technology, the scale of obligations, poor data and performance management, manual compliance processes, etc. With the ongoing focus on privacy, the past year has been quite active, both in the deployment of new laws (Indonesia’s Personal Data Protection Law (PDPL) came into force this year, and India has introduced its Draft Data Protection Bill) and in upgrades to existing standards (for example, ISO 27001 revised its requirements after almost a decade).
- Increasing cloud vulnerabilities: Although cloud has several advantages and its use has increased in the past few years, it attracts unnecessary attention from cybercriminals.
While in a cloud environment the cloud service provider (CSP) and the cloud consumer share responsibility for reducing the risks, cloud consumers take on the full responsibility for configuration. That being said, cloud misconfiguration is the most common vulnerability organizations face. Misconfigurations can come in many forms, but are mostly caused by a lack of knowledge of good practices or a lack of peer review from the DevOps/infra team.
At Scrut Automation, we address such challenges by simplifying information security for cloud-native organisations. We help customers establish a robust information security posture on the basis of their risk profile and help them get compliant with over 20 key standards (like SOC 2, ISO 27001, HIPAA, CCPA, PCI DSS, NIST, and many others). Our dedicated team works closely with clients to conduct gap assessments and remediate their risks, thereby assisting them in preparing for external audits.
Q4- How has the pandemic affected cybersecurity space?
The COVID-19 pandemic has intensified our dependence on technology, thereby increasing the chances of cyberattacks. Today, organisations are moving to the cloud and increasingly adopting digital tools. As they become increasingly digital, monitoring risks and the efficacy of controls becomes increasingly important. To build a robust security posture, organizations must anchor it in their unique risk profile, spanning their cyber assets, vendors and employees. Only by monitoring their risks in real time, and continuously monitoring their controls, can they be assured that they are truly secure.
Against the pandemic backdrop, over 100 governments have deployed national cybersecurity defence strategies addressing the threats faced by businesses, citizens, and critical infrastructure. The Government of India has also introduced the National Cyber Crime Reporting Portal, which enables the public to report all incidents pertaining to various types of cyber security threats. It recently launched a new and simplified version of the Digital Personal Data Protection Bill that focuses on protecting personal data, easing cross-border data flows, and increasing penalties for breaches, compared to its previous unwieldy draft. Moreover, the Data Security Council of India had conceptualised the National Cyber Security Strategy in 2020, focusing on 21 areas to ensure a safe, secure, and resilient cyberspace in India. However, the Centre is yet to implement this strategy amid the surging cyberattacks.
Q5- How to establish a strong security posture for B2B SaaS companies?
Security is a key component of B2B SaaS organisations’ business strategies. Right from password management and secure coding to aligning with regulatory standards, SaaS companies must address these security requirements effectively to avoid problems in the future. This is particularly true for SaaS companies working with sensitive industries such as Banking and Finance, Healthcare, etc.
Today, customers prefer to know about a company’s security arrangements and posture in the market. A company can address this successfully if it anticipates and prepares for the requirement, which will further promote growth and profitability. Moreover, a company’s robust security framework gives customers the confidence that their data is collected, processed and transferred safely.
In this context, compliance with popular industry frameworks like SOC 2, ISO 27001, GDPR, etc. can generate instant comfort with prospects and trust in a company’s security process. Moreover, as information security is pivotal to SaaS businesses, infosec compliance is a gamechanger for them. Infosec helps organizations to limit third-party risks, establish a great user experience without compromising on data security, avoid fines & penalties, ensure better reputation outcomes & relationships, and enables efficiency & effectiveness. Showcasing these compliances through a dedicated security page on a company website helps build trust from day 1 of the sales process and strengthens the B2B SaaS foundation.
Q6- What are your thoughts on the new Digital Personal Data Protection Bill?
The data protection bill is a very welcome move. India’s startup ecosystem has outgrown its preparedness to handle PII in the past few years. While conscientious organisations have been using foreign laws like the GDPR as a benchmark, it’s high time that India has its privacy laws contextualised for local requirements. However, the success of its implementation will likely depend on two things: using automation to continuously monitor privacy controls owing to the huge unavailability of trained privacy folks, and boards approving budgets for putting appropriate privacy controls in place.
Q7- Outlook for the infosec industry in 2023
Security and compliance will continue to be a key focus area in 2023. According to Gartner’s State of Privacy and Personal Data Protection report, 65% of the personal information of the world’s population is covered by local and global privacy regulations. According to the same report, 63% of organizations view compliance issues as critical barriers to growth. As a result, information security and compliance automation will be the cornerstone of the industry, and is expected to become a $75 Bn industry by 2028.
Such growth will be backed by the high frequency and sophistication of target-driven cyber attacks and enhanced demand for cyber-savvy boards and cybersecurity mesh throughout 2023 to tackle such attacks.
Q8- What best practices are organisations following to improve cybersecurity and data privacy preparedness?
The responsibility of protecting the business from cyberattacks falls upon every employee of an organisation, from end users to security professionals. Any negligence from their end can cause a significant security breach harming the business’ reputation and costing the company a lot of money. Thus, organisations must adopt the following best cybersecurity practices to improve their security standards.
- Deploying multi-factor authentication (like a smart card with a PIN, a strong password, or a biometric) for users can prevent cyber attacks.
- Refreshing the organisation’s network security controls is essential, like deploying additional network security software or adopting robust cloud-based security solutions.
- Security breaches and other incidents are inevitable. It helps to remain prepared at all times to handle compromises and minimise the damage. Also, your business must be well-equipped to detect security threats/suspicious activities immediately. This can be done if companies have the latest security knowledge.
- Staying up-to-date with the current changes in the security world in areas such as threat detection, risk assessment, etc., immensely helps to fill the gaps.
Q9- How is Scrut helping other startups?
At Scrut Automation, we make customers’ roadway for information security up to 5X faster and more convenient. We enable our customers to build infosec controls unique to their risk posture and comply with 21 industry standards, like SOC 2, GDPR, ISO 27001, PCI DSS, CCPA, HIPAA, etc., with minimal friction. With Scrut, our customers can reduce the amount of manual work needed to manage information security processes by up to 70%, speed up compliance audits by 5X, and get real-time visibility into their security posture.
By building a risk-first information security posture, organisations can be assured of a robust information security posture and inevitably comply with all necessary and relevant standards, enabling them to unlock growth.