Cybersecurity has become a major challenge for organisations of all sizes, with threats rising in number and sophistication. Cyberattacks have hit unprecedented levels in the wake of the pandemic. India saw a 300% increase in attacks last year.
We got in touch with Vidit Baxi, Co-founder of Safe Security, to talk about the challenges in cyber risk management, the use of AI & ML by cybercriminals, the future of cyber risk management, and more. Incubated at IIT Bombay in 2012, Safe Security helps organisations measure and mitigate the enterprise-wide cyber risk in real-time using its SAFE Platform by aggregating automated signals from five key vectors of risks across people, process and technology.
AIM: How did cybersecurity become a thriving industry, especially after the pandemic?
Vidit: The World Economic Forum lists cybersecurity as one of the topmost threats to the global economy. Cybersecurity was already a key boardroom concern even before the pandemic hit. The pandemic has ushered in digital transformation for most organisations quicker than they had planned for and has made cybersecurity one of the top Boardroom concerns as we continue to see cyberattacks skyrocket. While the number of sophisticated cyberattacks has only increased throughout 2020, what is worrisome is the sophistication with which cybercriminals are executing even the most basic cyberattacks.
Prior to the pandemic, businesses invested heavily in securing their perimeter, which thwarted the first wave of attacks, but now, with most organisations forced to adapt to remote work, cybercriminals have a much wider canvas to base their attacks on. This has increased complexities for most Chief Information Security Officers and the security teams. This has given rise to an increased need for visualising cybersecurity through an objective and unified real-time lens and adoption of Digital Business Risk Quantification platforms. Businesses are looking at platforms that bring actionable data-backed insights, consistent and accurate representation of the organisation’s risk posture, free from subjective, sample-based and point-in-time evaluations.
This is how I look at the journey of cybersecurity becoming one of the most crucial business functions. For us, 2020 was one of the best years as we grew at a rate of 250% y-o-y, and 70% of our revenue was generated from our Cybersecurity & Digital Business Risk Quantification platform SAFE.
AIM: What is the importance of cybersecurity and digital risk quantification in today’s world?
Vidit: Security & Risk management leaders often struggled to communicate cyber risks effectively, and the absence of data-backed metrics for discussing cybersecurity and risk reporting was a major challenge with traditional forms of cyber risk management practices. Finding a common language that is accepted and understood by all stakeholders in the business is important not just for ensuring clear communication between the C-suite and the cybersecurity function but also for raising awareness about potential cyber threats and risks among employees throughout the company.
Digital Business Risk Quantification platforms such as SAFE enable Security & Risk management leaders to measure what matters most, communicate cyber risk more consistently and in a way that everyone understands. It brings a continuous, data-backed trending view of the risk stature of key assets across people, process, technology and third-parties and helps prioritise efforts on improving the enterprise-wide risk posture. Organisations have to map their cyber risk appetite and tolerance as per their Geography, Industry and Size to know where they stand with their current Enterprise Risk Posture and how to manage cyber risks more effectively.
AIM: What are the traditional forms of cyber risk management? How’s Safe Security different?
Vidit: The threat-driven, reactive approach to cybersecurity needs to make way for a predictive and risk-driven approach where enterprises are taking control of every aspect. Especially with digital transitions happening at a rate more rapid than most enterprises had planned for, it opens up newer avenues for cybercriminals. Not just new modalities but also traditionally used attack vectors have risen throughout 2020. Research shows a 715% increase in ransomware attacks in 2020. Even though organisations wanted to keep security as a priority, they struggled to do so because of multiple roadblocks such as subjective abstractions, influences of the security executives and Board, heat maps and ambiguous low-medium-high risk matrices. The ‘sense of security’ or ‘analysis placebo’ is the enemy of true cybersecurity, and that is what we are trying to eradicate! With SAFE, we have enabled security and risk management leaders to take actionable insights based on real-time data rather than depending on point-in-time assessments. Our mission is to make the SAFE Score, which represents the likelihood of a breach happening in the next 12 months, the de-facto standard of measuring and mitigating cyber risks by 2025.
AIM: How are cybercriminals using AI & ML to launch advanced attacks? How do companies take them on?
Vidit: Recently, a video of Tom Cruise went viral, where someone used a very basic AI tool to create a deep fake video. Imagine the consequences of such technology being misused to spread misinformation in the world – for instance, a deep fake of your CEO or worse, a world leader. According to the Sophos State of Security Report 2020, almost 28% of SOC alerts go unaddressed primarily because the security teams are overwhelmed. Any one of those threats could snowball into a data breach. Organisations need to fight iron with iron – use AI/ML-based predictive models, which cut through labour-intensive tasks, freeing security analysts to be where they are needed. Our platform SAFE offers a unique niche of AI-enabled, real-time and objective cyber risk assessment of the enterprise as a whole. The other advantage of using AI in cybersecurity is that as soon as it is used by cybercriminals, AI itself can be trained to stop hackers from ‘cruising’ in the enterprise’s servers and devices.
AIM: Tell us how Safe Security leverages technologies like AI and ML.
Vidit: We use an AI-enabled supervised machine learning engine to generate a simple ‘breach-likelihood’ score. This ‘risk measuring engine’ takes feeds from every asset, IP, cloud instance, end-point, employee, vendor, etc., to feed input into a Bayesian Network that generates real-time objective output in terms of a ‘score’ between 0 and 5. What the score represents is the likelihood of a breach happening in the enterprise based on the assessment. The lower the score, the higher the possibility of an organisation being hacked. The score also translates into the dollar value impact of a breach happening in the environment. Using advanced algorithms and the ATT&CK MITRE framework, we can predict the probability of a breach happening through any particular type of attack-vector, such as Ransomware or Insider threat, amongst others. Organisations can see everything on a single dashboard and receive prioritised actionable insights into where their weakest links lie and what should be patched, and when.
AIM: What does the future of cyber risk management look like?
Vidit: Before I answer this, let us take a step back and understand why businesses today need an effective cyber risk management strategy. Today, cyberattacks are not just limited to legal, reputational and operational impact; they have a direct impact on the top line and bottom line of a company. Slowly but steadily, I see a trend where the Boardroom wants to know the risk appetite of their business and the financial impact a hack can have.
I foresee a future where the security and risk management teams will be focused on proactive quantification of cyber risk in real-time and measure the financial impact of an attack through predictive risk quantification models. The CISO will be focused on managing and handling the risk appetite of the organisation and lowering the financial impact of attacks.
AIM: Do we have enough cybersecurity professionals to meet the surging demand?
Vidit: I have a unique perspective on this – I do not think there will ever be enough cybersecurity professionals. Cybersecurity has to evolve from being the problem of the IT & Risk team to everyone’s prerogative. We have to move towards enabling every user to contribute to an enterprise’s cybersecurity practices.
The way we have looked at cybersecurity awareness and training needs to change; it needs reengineering of consciousness. We need to be able to tailor-make cyber education to each individual and map their progress through a mobile-first approach.
Given the Government of India’s focus on digital enablement for every individual and the success of programs such as Digital India, we need to focus on making cybersecurity awareness accessible, affordable and easily understandable for the masses. Starting from how to securely use emails, messaging and social media apps to tips to avoid being prey to phishing scams, we need to make cybersecurity awareness intuitive and map the progress of every individual by using artificial intelligence and machine learning.
We very recently launched the first-ever mobile-based cybersecurity training awareness application – SAFE Me, which is changing the way individuals learn about cyber and its security.
AIM: What is the roadmap of the company for the coming year?
Vidit: Safe Security is looking to expand globally, and we aim to make the SAFE score the de-facto standard of cybersecurity by the year 2025. To do that, SAFE will always keep customer feedback as the first source of information to grow and become more comprehensive. We are constantly working with our customers and adding newer capabilities to our product that solve true customer challenges.