OT environment can be secured by adopting a holistic approach

Kartik Shahani, Country Manager, Tenable (India), analyzes the key trends shaping the cybersecurity world in 2024. He discusses how the intersection of IT and OT, particularly in critical infrastructure, has led to heightened security risks.

The year 2024 has brought an evolving and challenging cybersecurity landscape, marked by increased digital connectivity, the complexity of cloud environments, and the convergence of information technology (IT) and operational technology (OT). These developments have significantly expanded the attack surface for organizations, making them more vulnerable to various cyber threats.

Recently, Kartik Shahani, the Country Manager for Tenable India, Country Manager at Tenable, in conversation with Nisha Sharma, Principal Correspondent at CIO&Leader, emphasized the need for a holistic approach to secure OT environments, which includes technical controls, policies, and procedures to mitigate the risks of cyberattacks.

CIO&Leader: What are the key trends shaping the cybersecurity landscape in 2024, and how do you anticipate these trends will impact organizations? What strategies should organizations adopt to address them?

Kartik Shahani: Increased connectivity and poor visibility combined with the complexity of cloud environments in critical infrastructure will continue to help cybercriminals exploit the known unknowns in 2024. As IT/OT converges to allow essential infrastructure operators to make better-informed decisions about demand, customer requirements, quality, and efficiency, their attack surface has expanded, resulting in deficient security and safety controls. 

Threats to OT environments can occur due to unauthorized access, tampering, malware, exploitation of vulnerabilities in firmware or software, and social engineering attacks. 

Securing OT environments needs a holistic approach involving technical controls, policies, and procedures to minimize the risk of a successful cyberattack. The first step organizations must take when building an OT security strategy is to assess security posture and consider key foundational capabilities continuously. 

CIO&Leader: What are the key threats in cybersecurity? Could you provide specific examples or scenarios that illustrate these threats and the potential consequences for businesses?

Kartik Shahani: The reality is the majority of cyberattacks and ransomware infections can be traced back to an unpatched vulnerability in the infrastructure. Recent attacks against various companies, including the Industrial and Commercial Bank of China (ICBC), DP World, Allen & Overy, and Boeing – all had one thing in common: an unpatched vulnerability in Citrix Netscaler, called CitrixBleed. With publicly available proof-of-concept exploit code, a variety of threat actors have been leveraging this flaw as part of their attacks over the last few weeks, including affiliates of the infamous LockBit ransomware group and Medusa. Ransomware groups are mostly indiscriminate in their attacks, motivated by profits over anything else. 

CIO&Leader: In light of the growing emphasis on data-driven decision-making, what specific features or capabilities will your solutions offer to help organizations derive maximum value from their data?

Kartik Shahani: Tenable One is an exposure management platform to help organizations gain visibility across the modern attack surface, focus efforts to prevent likely attacks, and accurately communicate cyber risk to support optimal business performance.

The platform combines the broadest vulnerability coverage spanning IT assets, cloud resources, containers, web apps, and identity systems, builds on the speed and breadth of vulnerability coverage from Tenable Research, and adds comprehensive analytics to prioritize actions and communicate cyber risk. Tenable One allows organizations to gain comprehensive visibility across the modern attack surface, anticipate threats, prioritize prevention efforts, and communicate cyber risk to make better decisions.

CIO&Leader: The talent gap in cybersecurity remains a concern. Can you elaborate on any partnerships or educational initiatives your company is undertaking to bridge the skills gap, and how can CIOs and IT professionals benefit from these efforts?

Kartik Shahani: Addressing the talent gap in cybersecurity is a much larger challenge than any single company can resolve. It will require major investments from, and collaboration between, public and private sectors to retrain and retool candidates and a concerted effort on all fronts to attract people into our field.

We need to encourage an interest in science, technology, engineering, and mathematics (STEM) fields at a younger age, and that includes ways to address the under-representation of diverse backgrounds in these subjects. Diversity of thought, background, and experience is critical to the problem-solving needed in cybersecurity. We need to foster that dynamic and show the next generation of the cyber workforce there are people like them in the industry. 

The Women@Tenable ERG is an excellent example of how we are focused on creating a community and providing resources for women within the organization and beyond. Additionally, Tenable is invested in building DEI competencies for all employees through our Diversity Equity & Inclusion Learning and Development Curriculum. We also partner with diversity organizations to recognize and reward the contributions of our female employees in STEM. Overall, these efforts create a more inclusive workplace and foster a sense of belonging for all employees.

CIO&Leader: How is your company helping CIOs ensure their IT environments remain compliant with evolving compliance and regulatory requirements in 2024? What innovative approaches or technologies are you implementing in this space?

Kartik Shahani: While compliance with regulations is necessary, it cannot be viewed as the only measure to safeguard against cyber threats. It would be hubris to believe an organization is secure once it follows necessary compliance norms. Instead of a compliance-driven approach, organizations need to adopt preventative measures like exposure management to reduce cyber risk. Cyber adversaries need only one vulnerability to perpetrate an attack, making it important for organizations to proactively find and fix issues and establish a level of deterrence, where it is more expensive to perpetrate a breach. 

CIO&Leader: Could you share examples from various industry sectors where your solutions have significantly impacted and how these successes will shape your 2024 strategy?

Kartik Shahani: Approximately 43,000 organizations around the globe, including approximately 60 percent of the Fortune 500 and approximately 40 percent of the Global 2000, and large government agencies trust Tenable to understand and reduce their cyber risk.

Tenable attributes its strong customer growth to its continued product innovation and customer service. Tenable’s approach to risk management and cybersecurity is focused on providing customers with the visibility, vulnerability data, and context-driven risk analytics to reduce risk across their entire attack surface – IT and OT infrastructure, web apps, public cloud, and identity systems. As the leader in VM and now a platform-first company, Tenable has earned the trust of its customers to be the vendor of choice as they looks to cover more of their attack surface. 

CIO&Leader: What key milestones or innovations do you expect in your company’s journey throughout 2024, and how will these innovations benefit CIOs and IT decision-makers in the evolving challenges and opportunities of the enterprise IT landscape?

Kartik Shahani: Preventive security has become a necessity rather than an optional approach to risk management for organizations. Relying on scattered firefighting within security operations is increasingly a recipe for failure, particularly with the growing attack surface and exposure points resulting from cloud migration and AI trends. Many organizations understand the importance of proactively addressing and reducing risks, yet they often face challenges beyond their control. Moving into 2024, the focus must be on fostering collaborative discussions among stakeholders to simplify practices and enable organizations to access essential risk data for faster prioritization and remediation.

Image Source: Share on

Leave a Reply

Your email address will not be published. Required fields are marked *