Organizations today face increasing numbers of cybersecurity incidents and are turning their focus to how to manage and mitigate cybersecurity threats. With the growing adoption of technologies such as cloud, AI and the Internet of Things (IoT), many are realizing the importance of effective controls early in the software development lifecycle, in the form of cybersecurity testing that helps identify vulnerabilities in systems and networks. In an exclusive interaction with CXOToday, Nathanial Cole, Head, Testing CoE, TÜV Rheinland, a German company that provides end-to-end cybersecurity services globally, explains why it is essential for organizations to enable safety, security, and privacy in an increasingly digital world.
CXOToday: What according to you are the key challenges facing the cybersecurity industry?
Nathanial Cole: Worldwide, cybersecurity is a key corporate governance issue for all organizations, irrespective of sector or size. The most common cybersecurity threat is the risk of confidential information being accessed and potentially misused by an external party in the form of a data breach. Additionally, we have noticed the current push for data regulation in different regions. With increased regulation, more resources are required to address the threats, and essentially ‘checkbox’ security initiatives need to be put in place to meet these regulations. There is increased attention with GDPR and the California data privacy law, and several other countries are working on their own versions, but we are also seeing an uptick in discussions at the government level considering the possibility of criminalizing a breach.
The other challenge is that many companies are now investing in creating new tools to solve security issues. The major problem with the newly introduced self-driven tools is that they run without human intervention and tuning. There is increased market competition around toolsets that could help to address parts of the problem, but many companies are still not investing in people to address the process, maintenance, and engineering work. They need to train the existing staff, use relevant solutions and be situationally aware in order to remain secure and continue to comply with the processes.
CXOToday: Why is it important that cybersecurity testing be implemented in the earlier stages of software development?
Nathanial Cole: Cybersecurity testing is an essential part of the Software Development Life Cycle (SDLC). From a security perspective, software developers who write the code for an application need to adopt a wide array of secure coding techniques. At every layer of the web application, such as the user interface, logic, controller, database code, etc., security testing has to be an integral part.
The currently existing automated tools help with testing at the early stage of software development. The real problem is that the tools only test for what they are programmed to test for. It is critical to utilize manual testing techniques to identify logical issues and complex vulnerabilities which cannot be identified by a tool. This can be done by building custom regression-type tests with tools such as Selenium and other automated scripting. The other task is to get involved during the initial design or redesign of the system, application or device to identify architecture-related security issues that will leave the system or device exposed. If we can identify the vulnerability or bug at an early stage, the cost will be lower in comparison with a mature stage.
CXOToday: How is TÜV Rheinland leveraging its Cybersecurity Testing and certification globally as well as in India for its clients?
Nathanial Cole: Recently, we introduced separate Centres of Excellence (CoE) for Cybersecurity Testing and for OT (Operational Technology) Security, which work to identify current trends in the markets and address them. At present, our Testing CoE is working closely with our most senior and technical resources from across regions to continue to mature our methodologies and toolsets and to identify new internal tools that need to be developed. The information is shared across regions so that our testers can provide a high-quality end product to our customers.
Additionally, we are leveraging our resources globally for customers who are shifting resources from one region to another, and we provide solutions that add value and enable safer and better use of technologies. This not only helps the client to receive a higher-quality product but also helps us to continue to train and to create a highly collaborative community.
With over 145 years of experience in the field of testing, inspection and certification, TÜV Rheinland offers flexible engagement models to match our customers’ unique needs and requirements, in the form of consulting, testing and managed services for the enterprise.
CXOToday: Why is India important from the Cybersecurity testing perspective?
Nathanial Cole: The cybersecurity market in India is projected to grow to USD 35 billion by 2025 from its current size of over USD 4.5 billion, according to a report by NASSCOM, the Data Security Council of India and PwC.
India is one of the biggest markets, and our focus is to keep growing here because major technological developments and innovations are occurring in the country. We have identified advanced products, good companies to work with and highly technical resources within the Indian market. We work closely with India-based companies and enable them to provide high-quality products to their customers. TÜV Rheinland’s 145-year heritage gives us a deep understanding of the Indian market we serve, with an unmatched depth of experience solving complex safety, security, data privacy, and infrastructure challenges. Global enterprises spanning product manufacturing, automotive, financial services, health care and much more rely on our best-in-class capabilities to secure their critical assets and to thrive in the digital era.
CXOToday: What are your plans for the India market?
Nathanial Cole: Quality in service delivery is non-negotiable for us. We believe that people, process and technology are the critical success factors for customer delight, and we are leaving no stone unturned in that direction. We have a strong internal team with experience in a variety of testing (from a compliance, coverage and vulnerability perspective). We are confident in our application, network and IoT testing capabilities and have proven them across multiple industry segments such as BFSI, Healthcare, Technology, Manufacturing, Industrial Control Systems, etc. And we are increasing our headcount in the coming year.
In addition, our security labs enable testers to test exploits before pushing them into production. They also help us in acquiring and retaining knowledge using a mixture of off-the-shelf and custom tools.
CXOToday: What are your thoughts on the recent Bug Bounty programs? Is it really worth investing in them?
Nathanial Cole: These programs are highly effective and give organizations access to testing of their systems that they may never be able to afford on their own. The other benefit is simply that the contracting organizations do not need to pay for testing unless vulnerabilities are identified in their system. In my opinion, one of the disadvantages is that you potentially open yourself up to extortion. When contracting with a bug bounty provider or trying to do it yourself, you are at the mercy of the individual providing the testing and of whether that tester will provide the information on the vulnerability per the agreement. The other concern I would have with a pure bug bounty program is coverage of the application or network. Most of the time, a bug hunter will find a peculiarity with one client and use it across multiple clients without fully testing the application, system or network. This is a viable way for that hunter to increase their overall pay-out. It is very difficult to know whether the most complex issues are being identified or covered in these programs.
CXOToday: Are tests only valid for large companies? Do you have any plans for the SMB market?
Nathanial Cole: Tests are not valid only for large companies. We have a long track record of working with small and medium enterprises to provide testing services. We protect organizations around the world from the ever-increasing cyber threat and enable safety, security, and privacy in an increasingly digital world. There is no one-size-fits-all solution for companies, and we pride ourselves on providing a tailored solution to address the needs and budget of smaller companies. We will see a shift of attacks from larger companies to smaller companies in the coming years, as the larger companies can afford more resources, tools and mature processes to deal with difficult situations.
CXOToday: According to reports, there will be a shortage of around two million security specialists in the labor market in the coming years. How can we find such a large number of employees, and how can a company manage this deficit?
Nathanial Cole: To address this situation, we need to look outside our technology industry to find smart and solution-driven people who want to make a transition or move into the information security field and train themselves. In our industry, we cannot sit idle insisting on 5-10 years of experience and turn away trainable candidates. We need to open up and understand that people do not always know what career they are choosing. They will have different educational backgrounds. To address this shortfall, companies need to take a step forward and invest more in their employees by providing them with training and guidance.