Russian companies continue to operate in an environment of constantly growing cyber threats, which increases the demand for information security (IS). Roman Chaplygin, consulting director of the Solar company, spoke in an interview about how consulting services in the field of information security help businesses assess risks, organize protection and optimize costs for cyber security.
— What cybersecurity difficulties and risks do Russian companies most often face today?
— It is obvious that attackers do not stand still; they evolve: they develop attack techniques and tactics, use advanced tools, and review and combine motives and goals. For example, in the second half of 2023, the number of sophisticated targeted attacks increased by almost a quarter (23%), and there was a trend of causing reputational damage in combination with extortion and causing direct financial losses. With the number of targeted attacks on the rise and breaches continuing, organizations' critical challenge is to move from disparate, point-based solutions to cohesive cybersecurity architectures. And here there is a need both for the integration of various technologies and solutions from various manufacturers, and for the construction of end-to-end information security processes at the operational and management levels of the organization. This requires very serious expertise, and often administrative resources.
Another challenge for information security is accelerated digitalization, which significantly expands the digital landscape of companies and government organizations, thereby creating additional points of exposure to cyber risks. Digital transformation initiatives do not allow businesses to stop, put things in order and make the necessary settings in the IT infrastructure and security measures. Based on experience, companies use only half of the functionality of comprehensive information security tools, and another third of success in protecting against cyber attacks depends on secure settings in network equipment and business systems. Shortcomings or the lack of a comprehensive approach to cyber defense nullify the benefits of the technical arsenal of information security services, and the defense of companies is often broken under the onslaught of cybercriminals. Information security companies must expand their coverage to new entities emerging during transformation processes and increase their resilience to changing tactics and attack techniques.
An additional burden is created by the implementation of import substitution both in IT and in the field of information security. Specialists have been working for decades on building infrastructures based on foreign solutions (for example, from Microsoft, Oracle, IBM, SAP and others), and now completely different products have appeared — with their own advantages and vulnerabilities, and it is necessary to adapt the processes and functionality of technical tools to the changed IT architecture. In addition, domestic information security tools need to catch up with their imported counterparts in terms of ease of use, level of fault tolerance and quality of technical support.
In combination with trending cyber risks, classic threats and their associated consequences still remain relevant. These are DDoS attacks that knock our companies out of the digital world, fraud and social engineering aimed at the direct theft of funds or confidential information. The entire known set of cyber threats remains relevant, and the number and speed of cyber attacks are growing. It is obvious that the attacking party is actively using automation tools and modern technologies, thereby increasing the dynamics and complexity of their actions.
— And what difficulties does the information security industry itself face?
— In terms of technology and protective equipment, we look pretty good. For example, a number of Russian developers have already created and brought to market advanced network protection tools (NGFW — Next Generation Firewall). When foreign vendors left the Russian market, solutions of such classes simply did not exist in Russia, but we very quickly replaced them.
A more significant negative effect of the breakdown in communications with foreign players was the restriction of access to the necessary professional practices and knowledge. Nowadays, a huge base of international consulting knowledge in the field of building processes, performance control systems, management supervision and systemic development of information security, which was available to the Russian market several years ago, is in many ways being reassembled.
How did information security consulting work before? For example, a large company needed to plan the development of information security taking into account the characteristics of its business, goals, strategy, and new business models. It turned not only to Russian experts, but could additionally attract specialists from other countries who had already solved similar problems and knew what difficulties might be along the way. This made it possible to create information security systems much faster. We are now dynamically developing the cybersecurity industry, and we have enough intellectual resources, but in the absence of an influx of additional external knowledge, we may find ourselves at a disadvantage unless we find a way to replace the source of knowledge or create our own.
Another problem is the lack of comparative analysis capabilities. Every company in all areas of activity wants to understand where it stands relative to its competitors. This is doubly important for large players when entering foreign markets: they must have a good understanding of who they are competing with. In cybersecurity, there is also a need for such a comparative analysis, and, meanwhile, the severance of systemic contacts with the international professional consulting community has significantly limited access to such data. We are actively working to accumulate the necessary knowledge. And here the issue of confidentiality is important: when creating comparative analysis tools, in no case should confidential information be allowed to be disclosed. Creating such a system is a very complex and time-consuming task, but it is within the scope of our tasks and priorities.
Another component of the effective work of the information security industry is a unified professional community. There are many excellent professionals working on the Russian market, but in order for their collaboration to produce real results, create best practices, and allow the exchange of knowledge and solutions, such a community must be supported by regulators. We have already seen a good example when the Ministry of Digital Development, together with professionals in the field of information security, formed initiatives aimed at developing the practical aspects of cybersecurity, which were then enshrined in Presidential Decree No. 250 (On Additional Measures to Ensure the Information Security of the Russian Federation). Another example is the Industry Data Protection Standard, created by information security experts with the support of the Big Data Association and aimed at increasing the efficiency of personal data protection processes. Such initiatives and results are extremely important for the development of a methodological basis for cybersecurity and a systematic increase in the level of information security in the country.
— The Russian IT consulting market today is not inferior to the Western one, offering services in all main areas. How long ago did consulting appear in information security?
— Consulting in the field of information security appeared in the late 1990s, but began to gain popularity along with increased attention to the protection of personal data. The Personal Data Law, adopted in 2006, actually became the first regulatory requirement in the field of information security that applied to all organizations, and its appearance began to create demand for consulting services. That is, companies that, in principle, could never have had information security specialists on staff, found themselves faced with the need to comply with an important regulatory act, for which it was necessary to turn to external experts. Around the same time, there was a development of voluntary regulation of information security in the banking sector and the practical application of a series of Bank of Russia standards. It is important to note that the initiatives of the Central Bank of the Russian Federation in the field of information security remain relevant today; they are represented by a set of four standards of the GOST R 57580 series.
Another incentive for the development of information security consulting was the introduction in Russia of international information security standards of the ISO 27000 series, as well as the practical application of international requirements for payment card security (PCI DSS).
The next stage of information security consulting is associated with the active development of subsidiaries of foreign companies in the Russian Federation. International players, starting to work in the Russian market, brought their own information security requirements along with their businesses, expecting mature management in this area internally and from their partners. At the same time, companies wanted to know not only the legal and financial “health” of their Russian counterparty, but also its technological level, including in the field of information security. Here, international consulting companies played their role, bringing foreign practices and quality standards for professional and management consulting services in the field of information security to the Russian market.
Today, when the coordinated work of a comprehensive information security architecture becomes even more important than technical equipment, the role of qualified consultations and process approaches is increasing. Over the past few years, companies have increased the technical base of security tools, and the task is to configure these tools, interconnect and orchestrate them, understand their work and make the right decisions based on data.
— How much demand is there for IS consulting now, and what exactly does it consist of?
— There is a need in all spheres and at every level of society, starting at the level of the ordinary person living in the digital world, who can be called a digital citizen. We hear requests for someone to help us figure out where the attackers are and how they operate, how to protect ourselves from scammers and protect ourselves in the digital space. This problem is solved, in particular, by the All-Russian Cyber Hygiene Program, which has been implemented since 2022 by the Ministry of Digital Development, Solar and St. Petersburg State University of Technology named after Bonch-Bruevich. Other large players with a high level of social responsibility are also working on this: for example, many banks in their applications provide tips on how to avoid fraudulent transactions.
Microbusinesses and individual entrepreneurs are exposed to classic cyber risks: theft of money, information, disruption of information systems. They need someone to give advice on how to set up a home office, protect a CRM system (Customer Relationship Management), and build proper communications. This is a separate market niche with its own information security players.
At the level of small and medium-sized businesses, complex IT infrastructures are already appearing. And this is where the market for corporate information security solutions begins. The manufacturer providing the protective equipment provides technical support and gives advice on how best to use a particular tool. There are service offers for more advanced SME representatives.
And finally, big business. These are the pillars of our economy — key players in the banking sector, energy complex, transport and logistics, and state-owned companies. Here there are converged distributed IT infrastructures and business ecosystems, and compliance with a host of legal requirements, increased operational efficiency, and protection from complex targeted cyber attacks are all required. This is where management consulting comes into play, which allows you to get a full picture of potential risks for a business and offer solutions depending on the company’s budget, its goals and development strategy. Here we take the role of an integrated cybersecurity architect, providing the necessary managerial and economic knowledge and skills in managing a project office and portfolios of initiatives. What is needed here is oversight of how a cybersecurity system operates with a large number of different tools, people, and vendors. Here we are creating a cyber defense ecosystem. In order to organize all participants in the right way, direct them to achieve a common goal, go through this route with them and guarantee results, a special level of professional maturity and a different set of competencies is needed. When working with large businesses, we complement our technical expertise with process expertise and pay great attention to management practices. We coordinate and control the work of a pool of contractors, organize hundreds or even thousands of information security experts, build information security financial flows, interact with key front and back office leaders of the organization, and take into account the external influence of regulators, competitors and shareholders.
In general, consulting is interesting for any company, and it all depends on whether it is able to convert the results of consulting services into its competitive advantage. The essence of consulting is to hear the request, understand the reasons and offer a targeted solution; its benefit is to create practical and understandable value from investments in information security at every level of the organization.
— What do customers come to you with more often: specific questions, or do they immediately ask for help with choosing an information security strategy?
— The most common request is an analysis of compliance with regulations and Russian legislation in the field of information security. All aspects of personal data protection and the protection of critical information infrastructure (CII) remain trendy here. At the same time, we see good demand for consultations in the field of strategic management and information security development. Despite the high uncertainty in the development of the economy and international relations, companies want to have medium-term development plans (3-5 years) and want to correctly distribute financial flows. Our response to this desire is to create strategies for the development of information security, and to ensure that these plans and strategies are supported by financial returns, a cyber risk management tool emerges. If IT’s ultimate task is to create a digital product (for example, a marketplace), then the task of information security is to prevent this platform from being hacked or its operation from being stopped. Therefore, unlike IT, which creates additional profit, investments in information security often allow one to avoid significant losses, eliminating the implementation of strategic risks and maintaining competitive positions. It is the comparison of the scale of potential damage with the investments necessary to avoid this damage that is the basis of risk management and the formation of a balanced, risk-oriented information security development program.
— Can a company independently assess cyber risks and understand where to concentrate efforts to build information security without disrupting its systemic development?
— I am confident that, given sufficient time and expert resources and administrative willpower, the company is able to make an assessment and independently develop development plans. Consultants can complete this work much faster, eliminating the diversion of the company’s internal resources to non-standard and resource-intensive tasks. Due to their horizons and insight, consultants bring non-obvious initiatives and solutions that are invisible from within a single organization. Consultants are a knowledge base, a point of safe aggregation of various cases and practices from similar and opposing industries. In addition, the consultant’s brand and independence of assessment have a positive effect on the reputation of the client company.
— What can you advise a business to optimize IT security costs? How to ensure that investments in cybersecurity do not go down the drain and bring real benefits?
— Organizations often have requests to optimize costs or increase the efficiency of information security. This is relevant primarily for large companies that have invested in this area for more than 10 years: here, indeed, it is necessary to automate processes, increase their efficiency, and reduce operating costs. And we help to do this, increasing the profitability of the information security company.
It’s another matter when such requests for optimization come from companies that previously underfunded this area. According to our statistics, the average cost of information security should be at least 10% of the IT budget, including digitalization, development of new products, etc. Only industry leaders have this level of investment in information security, while for others it is noticeably lower. And a situation arises when, due to insufficient investment, the company was unable to build an information security system capable of resisting the attackers of today (and among them are not only ordinary hackers, but also groups associated with the intelligence services of unfriendly countries). In such situations, our task is to explain and demonstrate the real level of threats in order to show the gap between the level of security of the organization and the level of those who attack it. As a result of this work, there is a rethinking and rebalancing of information security funding.
It is important to note that increasing the efficiency of information security, first of all, is necessary and typical for organizations where the area is well funded. For companies where this is not the case, what is needed is more of an impetus for increased attention and increased investment in information security.
— Cybersecurity often stands alone in the corporate governance system. How to properly integrate the information security function into the overall system from the point of view of financial management, personnel risks, etc.?
— If we take the regulated communities in the field of corporate governance (the Society of Corporate Directors, the National Association of Corporate Secretaries), then we will hardly see aspects related to information security on their agenda. Moreover, if we look at the reports of large companies, cybersecurity is mentioned there only in connection with real attacks and incidents that took place in the reporting year. Of course, leading companies are actively investing in information security, but this topic is not included in their corporate governance until damage has occurred or until shareholders have asked a loud question.
Currently, the thesis about including information security issues on the agenda of the Management Board or Board of Directors is being actively voiced. But in reality this is not easy, because making decisions in the field of cybersecurity requires members of management boards and boards of directors to have the appropriate knowledge and skills. Companies have expectations regarding top decision makers regarding information security decisions, but these top officials may not be sufficiently informed and require additional consultation on this issue. Therefore, Presidential Decree No. 250 provides for the inclusion of information security managers in the collegial management bodies of the largest companies.
At the same time, we encounter requests for information security consultations at the corporate management level. We see interest among management associations and members of Boards of Directors in clarification on how a collegial body can properly influence information security and oversee its development.
An important aspect is regulation in the field of critical information infrastructure, including administrative and criminal liability of top officials of companies for failure to comply with rules in the field of information security. However, fines scare managers less than issues of reputation and customer trust. But, if fines can be calculated, then the assessment of losses from reputation is still quite difficult to digitize from the point of view of cybersecurity and risks. This aspect remains at the level of expert, professional and management decisions rather than at the level of algorithms.
— As you know, no one is immune from hacking. How to act correctly to preserve the company’s reputation and the trust of counterparties?
— Indeed, recently companies have more often been faced with hacks, which have become larger and more visible in the public field. Often, incidents are related precisely to supply chains, when the company does not operate as a single entity, but has an entire external partner system. In this case, the correct approach is the regular use of stress testing mechanisms in the field of cybersecurity.
The preparatory part for conducting stress tests is cyber exercises — exercises that help organizations practice actions in various crisis situations in advance in order to know who is responsible for what, have access to internal and external resources at hand and use them quickly.
In turn, the load part involves simulating a real cyber attack, when the entire cyber arsenal of the organization, its readiness, coherence and ability to overcome a crisis situation are tested for strength. Of course, backup security measures are extremely important, including data backup, redundant communication channels, redundant security measures, and even redundant expertise (where the company can draw experience and knowledge in the event of loss of the main base).
Another point that companies may be missing is the development of a crisis communications plan in the event of information security incidents. Such a plan includes an indication of the leaders responsible for a particular area, and a formed public position of the company with a forecast for the timing of eliminating the consequences and measures to minimize similar risks in the future.
It is important not to lose sight of retrospective measures after handling an incident or repelling a cyber attack. The company needs to make sure that there are no back doors left by attackers in its infrastructure, and that changes they made to system settings and software are returned to a safe state.
Compliance with all these recommendations allows you to survive cyber attacks and leaks with minimal losses for the business, its clients and partners, while maintaining business reputation.
