Ziksan Consulting Services

“Let's Get ARMeD”

Welcome to our knowledge base of research and project learnings that demonstrates our understanding of complex business challenges faced by companies around the world.

Why Choose Us

Knowledge Reigns Supreme

Reliable & Ethical

Result Oriented

Strong Senior Leadership

AI: Bubble awaiting to burst

Artificial Intelligence (AI) is a bubble waiting to burst: users are assuming too much and sellers have created too much hype, unless the IT and cyber security community wake up and reorient their thinking.

What is AI? It is, to say the least, a method of using computing power to arrive at near-human capabilities.

What needs to be done to prevent oneself and one's employer from falling into the trap?

Institutionalize intelligence: managing knowledge, creative thinking and abstract imagination patterns, and thus arriving at a pattern of intelligence, is the basic foundation to be established. We are discounting human emotions from the ambit because the world of technocrats is yet to evolve. We have been actively working on developing our proprietary Intelligence Mapping (IM series) frameworks, which facilitate micro-level, watertight cross-parameter integration and macro-level bonding between constituents. Put together, this leads us to a fair idea of the intelligence that exists on the human side of the world (at least as far as corporate working is concerned) and gives the basis for developing a set of algorithms for the AI to be developed. Thus, without the “I” being assessed, “AI” is a design failure. Users should also know that AI cannot be a substitute for human intelligence, or for that matter human intellect or emotions. We should take cognizance of our terminology so that we can better manage expectations and prevent discontentment.

Most corporates are selecting AI as an integral part of their IT and cyber security strategy. However, we have been mentoring our clients to enhance the scope of user involvement so that AI can be better appreciated in the time to come. Moreover, any AI initiative should be funded from business budgets rather than largely from an IT budget.

As per our research, we also recommend that the measurability of any AI initiative should have a UAT threshold. It is also important to know the difference in expected outcome between the following data initiatives:

  • Traditional Data Analysis with pre-defined algorithms or established statistical laws and aggregation methods
  • Big Data analytics where inputs from diverse sources are further churned east-west for refinement
  • Big Data analytics where inputs from diverse sources are further churned east-west and north-south for refinement
  • Machine Learning (ML) using adaptation algorithms
  • AI using mutating algorithms
  • AI outputs used for action in cyber-physical space (pneumatics/ hydraulics/ instrumentation etc)

Can CISOs rely on AI in cyber security?

According to leading research, this has been acknowledged as a key question in the minds of thinking CISOs. The obvious answer is yes, but with essential caution on supporting policies. The debate runs parallel to whether an Intrusion Prevention System (IPS) can be relied on at all levels as a safeguard from linear, cross-boundary attacks.

The job of a CISO requires a degree of dependence on the efficacy of the deployed solutions and the vendors who support them. While there is a plethora of products available, each having a rightful claim in its respective sphere, the challenge is stitching them together and then making them work.

Quality and timeliness of data are important for making an informed decision; however, some system-configuration-level decision making can be based on the logical response to incidents or trends. Our ARMeD framework, coupled with intelligence mapping techniques, assists the CISO community in deriving a baseline for automated changes versus manual intervention.

CISOs need to use this defined baseline to assess whether the vendor-claimed AI suite is adequately purported to meet requirements.

CISOs further need to do an additional risk assessment of the impact of an automated change by an AI tool, a bug in the AI suite or a backdoor in the vendor platform. Yes, AI, like any other technological strategy, is a risk in itself.


IoT is the new horror story for CISOs

IoT is the new horror story for CISOs: trailer released, coming soon, streaming on all available media with almost endless seasons. Sounds nice, but when you read between the lines, it is a different story altogether.

The problem lies in the strategic planning of corporates globally. When a CISO is hired, does HR call for skill sets such as IoT, or managing instrumentation, PLCs, DAS or SCADA? Likewise, when a plant security head is appointed, does HR look for IT or cyber space as a keyword in the CV?

This leads to the disconnect. Knowledge of TCP/IP needs to be amalgamated with knowledge of 4 to 20 mA. Our research has led us to believe that the flaws lie in:

  • Pre hiring criteria in job descriptions or job purposes
  • Organizational restructuring wherein the functions of CISOs and IoT security teams do not necessarily have Board representation
  • Enterprise risk management does not present an integrated/ amalgamated risk posture combining cyber threats with IoT threats
  • IoT security functional teams do not report to CISO

However, whenever there is a hacking attack on or through IoT systems, CISOs seem to be made unequivocally accountable. This is largely because of the unsecured cyber touch points of IoT.

Globally, security vendors are realizing the need for securing critical infrastructure and have started rolling out bespoke solutions, though these appear to be at a nascent level. Large SCADA system integrators have their own solutions, but their interoperability with IT application systems remains an open question, as does the position of users who have multiple SCADA system integrators.

As part of an M&A checklist, we have been working closely with mature organizations to assess the post-acquisition cost of mitigating newly inherited risks and applying a corrective derivative to the valuation process.


Robust IT policies: A myth that has been broken

IT is the backbone of operations for most organizations, and it is constantly challenged by changing paradigms of business, economy and regulation. Industry has witnessed recent scenarios where well-thought-out and detailed policies and strategies were reduced to dust by the global pandemic. Only the agile, innovative, realistic and humble corporates are expected to climb back to expected growth levels. This has put to the test the part of corporate policy that was previously under change management or somewhere in the IT Disaster Recovery (ITDR) plans.

The back-to-basics approach of using the internet to work from home has been the saving grace of many corporates, but at what cost? We all know that any ITDR contingency comes at a reduced scale and a reduced infosec control index. Corporates now need to do a “Reduced Risk Index” based assessment to inform Board-level decision makers and ask them to accept the renewed, reduced risk and control levels for any prolonged disaster or pandemic-type situation. The new normal, or the “transient normal” (as we call it), needs to be addressed with due emphasis.

New Strategic Risk: Increasing levels of accepted risk

With increased adoption of and reliance on cloud-based solutions and the enhanced penetration of third parties for security monitoring, risk exposure has truly gone north to a rather immeasurable extent, as corporates are simply labelling it under risk acceptance. Cloud-hosted service providers come with their own set of riders and dependencies.

  • The concern increases manyfold, especially when dealing with financial data or sensitive personal information. This is where the plot thickens and the bells start ringing.
  • Will contractual clauses be enough for the Board to accept the risk?
  • Will an uncompromising contract with hosting service providers be adequate?
  • Can cloud hosting serve as a hot ITDR site for an on-premises system?
  • How does the service provider ensure that their administrators do not have access to hosted data at the backend?
  • How many SOC 2 reports on cloud service providers have tested controls for sensitive domains like code audit/ hosting security/ administrator access logs to the user database/ anti-malware on the hosted environment?

Multi-dimensional Risk Management

Is risk management a repetitive desktop and board room project activity or is there more to it?

Risk is inherent to any business and is acquired by default, as a heading, irrespective of the nature of work. Over the past few decades there has been much research on different risk and threat assessment models, each having its own merits and limitations.

Any business requires risk management to be done, in whatever manner and at whatever time.

There are numerous risk perceptions that help to see risk from a different point of view, and multiple perceptions could be applicable to any particular kind of business.

These risk perceptions could be:

  • Strategic financial risk management
  • Enterprise risk management
  • Information asset-based risk management
  • Cyber threat intelligence
  • IoT risk management
  • Business Impact Assessment for Business Continuity/ Disaster Recovery risks
  • Privacy Impact Assessment for personal sensitive information or general data privacy
  • Fraud risk management
  • Vendor risk management

The list could be longer. Each perception brings a different value to the table and can be leveraged to ensure benefit realization. No doubt corporates have separate teams for risk management under the able leadership of the likes of the CISO, CRO, DPO, Head of Continuity Services and Head of IoT Security, all coming under the ambit of oversight roles such as the Board of Directors and regulators.

As per global research, as well as our experience, Board-level decision makers have to grapple with understanding the overall or unified risk posture of the organization on a real-time basis.

Over the years, we have refined our ARMeD tool, which is specially designed to evaluate applicable risks and, using its change, incident and IOC engines, can facilitate online, near-real-time risk dashboarding. We are enhancing the tool by reinforcing the logic with a (sector-specific and customizable) AI engine and a unified risk meter.
