No IT leader wants to tell the C-suite about a serious breach that took advantage of a known infrastructure vulnerability. 

Hackers develop new attack strategies so often that it’s easy to forget a fundamental truth about cybersecurity: hackers don’t have to rely on finding new vulnerabilities. Because organizations fail to promptly address the rapidly growing number of known vulnerabilities, attackers can successfully breach their target’s defenses using well-understood exploits.

For example, the Log4J vulnerability, disclosed in December 2021, is a flaw in a ubiquitous open-source logging framework that could enable attackers to take complete control of a server — and though it is now more than a year old, hackers are still attempting to exploit it. A study from Tenable found that as of October 2022, 72% of organizations remained vulnerable to Log4J [1], and in November, the U.S. Cybersecurity and Infrastructure Security Agency (CISA) reported that an Iranian-sponsored group compromised a federal network in an attack that leveraged Log4J [2].

It’s disturbing that such a dangerous, highly publicized vulnerability would remain unpatched in most environments for nearly a year after its discovery. And the Log4J example is just the tip of the iceberg. CISA began compiling its Known Exploited Vulnerabilities (KEV) catalog in November 2021. As of February 2023, the number of vulnerabilities was approaching 900.

Bad actors are chomping at the bit to exploit these vulnerabilities to steal data, launch ransomware attacks, and wreak havoc. For example, the Conti Group is a Russian organization that launches devastating ransomware attacks based on a franchise model. The damage they’ve caused is so devastating that one nation, Costa Rica, declared a national emergency last year [3]. And Conti leverages dozens of known vulnerabilities listed in the CISA KEV catalog to do their malicious work.

With so many vulnerabilities identified in the last two years, no organization can keep up using manual systems, especially given the vast complexity of modern IT infrastructures. Missing a single patch on a single server could create an attack opening.   

Prevention practices should include the deployment of an automated platform to identify, report on, and patch vulnerable systems. Reputable third-party services can further enhance your defenses by continuously searching for and patching the latest vulnerabilities. 

IT teams also need to understand the state of their infrastructure to enable continuous compliance. Most organizations do not know which of their endpoints, for example, are on the latest patch for their standard operating system, much less other software applications. 
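The two practices described above, knowing which endpoints carry which vulnerabilities and prioritizing the ones listed in the CISA KEV catalog, reduce to a simple cross-reference. The following Python is an added example, not HCL or BigFix code. The KEV feed entries and the endpoint inventory are constructed samples, the CVE identifiers are placeholders rather than real CVEs, and the 14-day Protection Level Agreement is an assumed policy window, not a definition taken from the page. The feed field names follow the public KEV JSON schema.

```python
"""Cross-reference an endpoint vulnerability inventory against a KEV-style feed.

Added example (not HCL/BigFix code). The feed and inventory are constructed
samples; the CVE IDs are placeholders, not real identifiers.
"""
from datetime import date

# Constructed KEV-style feed. Field names follow the public CISA KEV JSON
# schema; the values are made up for this example.
KEV_FEED = {
    "vulnerabilities": [
        {"cveID": "CVE-0000-0001", "vendorProject": "ExampleCo", "product": "LogLib",
         "dateAdded": "2021-12-10", "dueDate": "2021-12-24"},
        {"cveID": "CVE-0000-0002", "vendorProject": "ExampleCo", "product": "WebGate",
         "dateAdded": "2023-02-01", "dueDate": "2023-02-22"},
        {"cveID": "CVE-0000-0003", "vendorProject": "OtherCo", "product": "MailSrv",
         "dateAdded": "2023-02-15", "dueDate": "2023-03-08"},
    ]
}

# Constructed scanner output: endpoint name -> CVEs detected on that endpoint.
INVENTORY = {
    "web-01": ["CVE-0000-0001", "CVE-0000-0002", "CVE-0000-9999"],
    "web-02": ["CVE-0000-9999"],
    "mail-01": ["CVE-0000-0003"],
    "db-01": [],
}

# Assumed Protection Level Agreement: a KEV-listed CVE must be remediated
# within this many days of being added to the catalog.
PLA_DAYS = 14


def index_kev(feed):
    """Build a cveID -> entry lookup from a KEV-style feed."""
    return {entry["cveID"]: entry for entry in feed["vulnerabilities"]}


def kev_exposures(inventory, kev_index, today):
    """Per endpoint, return the KEV-listed findings sorted by due date.

    Each finding records whether the CISA due date has passed and whether
    the assumed PLA window has been breached. CVEs not in the catalog are
    skipped here: they still need patching, but this view is for the
    actively exploited subset.
    """
    report = {}
    for host, cves in inventory.items():
        findings = []
        for cve in cves:
            entry = kev_index.get(cve)
            if entry is None:
                continue
            added = date.fromisoformat(entry["dateAdded"])
            due = date.fromisoformat(entry["dueDate"])
            findings.append({
                "cve": cve,
                "product": f'{entry["vendorProject"]} {entry["product"]}',
                "due": due,
                "overdue": today > due,
                "pla_breached": (today - added).days > PLA_DAYS,
            })
        findings.sort(key=lambda f: f["due"])
        report[host] = findings
    return report


def summarize(report):
    """Fleet-level numbers an IT leader would ask for first."""
    total = len(report)
    exposed = sum(1 for findings in report.values() if findings)
    overdue = sum(1 for findings in report.values()
                  for f in findings if f["overdue"])
    return {
        "endpoints": total,
        "exposed": exposed,
        "exposed_pct": round(100 * exposed / total) if total else 0,
        "overdue_findings": overdue,
    }


if __name__ == "__main__":
    today = date(2023, 2, 25)  # fixed "today" so the run is reproducible
    report = kev_exposures(INVENTORY, index_kev(KEV_FEED), today)
    for host, findings in report.items():
        for f in findings:
            flags = ("OVERDUE " if f["overdue"] else "") + ("PLA-BREACH" if f["pla_breached"] else "")
            print(f'{host:8} {f["cve"]:14} {f["product"]:18} due {f["due"]} {flags}')
    print(summarize(report))
```

Running the script against a live export of the real catalog only requires replacing `KEV_FEED` with the parsed JSON, since the lookup keys are the catalog's own field names; the inventory side is whatever your scanner or endpoint agent already reports.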

HCL’s answer to cybercrime 

BigFix CyberFOCUS Analytics is a new capability designed to help IT Operations teams discover, prioritize, and patch critical vulnerabilities and reduce cybersecurity risk in real time. Unlike siloed processes based on disparate teams and tools, BigFix delivers a single, integrated solution that eliminates the inefficiencies of passing data from multiple tools to the different teams who are responsible for enterprise security.

BigFix CyberFOCUS Analytics is included with BigFix Lifecycle, BigFix Compliance, and BigFix Remediate. By leveraging endpoint information that only BigFix knows, BigFix CyberFOCUS Analytics provides the ability to simulate vulnerability remediations, define and manage Protection Level Agreements (PLAs), and analyze CISA Known Exploited Vulnerability exposures.

With proper planning and preparation, IT leaders can sleep a bit easier knowing that their environment can repel attacks that exploit known vulnerabilities. And with their defenses in place, they can react quickly should an attack get through.  

Be ready before an attack occurs. Learn more at https://www.hcltechsw.com/bigfix/products/cyberfocus 

[1] Tenable. Tenable Research Finds 72% of Organizations Remain Vulnerable to “Nightmare” Log4j Vulnerability. 30 November 2022. https://www.tenable.com/press-releases/tenable-research-finds-72-of-organizations-remain-vulnerable-to-nightmare-log4j. Retrieved 25 February 2023.

[2] CISA. Cybersecurity Advisory: Iranian Government-Sponsored APT Actors Compromise Federal Network, Deploy Crypto Miner, Credential Harvester. 25 November 2022. https://www.cisa.gov/news-events/cybersecurity-advisories/aa22-320a. Retrieved 25 February 2023. 

[3] AP. Costa Rica declares national emergency amid ransomware attacks. The Guardian. 12 May 2022. https://www.theguardian.com/world/2022/may/12/costa-rica-national-emergency-ransomware-attacks. Retrieved 25 February 2023. 


The end of the Great Resignation — the latest buzzword referring to a record number of people quitting their jobs since the pandemic — seems to be nowhere in sight.

“New employee expectations, and the availability of hybrid arrangements, will continue to fuel the rise in attrition. An individual organization with a turnover rate of 20% before the pandemic could face a turnover rate as high as 24% in 2022 and the years to come,” says Piers Hudson, senior director in the Gartner HR practice.

The Global Workforce Hopes and Fears Survey, conducted by PwC, predicts that one in five workers worldwide may quit their jobs in 2022 with 71% of respondents citing salary as the major driver for changing jobs.

The challenge for IT leaders is clear: With employees quitting faster than they can be replaced, the rush to hire the right talent is on — so too is the need to retain existing IT talent.

But for Kapil Mehrotra, group CTO at National Collateral Management Services (NCMS), high turnover presented an opportunity to cut the IT department’s costs, streamline its operations, and find a long-term solution to the perpetual skills scarcity problem.

Here’s how Mehrotra transformed the Great Resignation into a new approach for staffing and skilling up the commodity-based service provider’s IT department.

Losing 40% of domain expertise in one month

From an IT infrastructure standpoint, NCMS is 100% on the cloud. The company’s IT department comprised 27 employees, with one person each handling business analytics and cybersecurity, and the rest of the team split between handling infrastructure and applications. The applications had been transformed into SaaS and PaaS environments.

With a scarcity of experienced and skilled resources in the market and companies willing to poach developers to fulfill their needs, it was just a matter of time before NCMS too saw a churn in its IT department.

“In March, 10 of the 27 employees from the IT department resigned when they received job offers with substantial hikes. At that time, application migration was under way, and our supply chain software was also getting a major upgrade. The sudden and substantial drop of 40% in the department’s strength made a significant impact on several such high-priority projects,” says Mehrotra.

“Those who left included an Android expert and specialists in the fields of .Net and IT infrastructure. As the company had legacy systems, it became tough to hire resources that could manage them. Nobody wanted to deal with legacy solutions. The potential candidates would convey their inability to work on such systems by showing their certifications on newer versions of the solutions,” he says.

Besides, whatever few skilled resources were available for hire expected exorbitant salaries. “This would have not only impacted our budget but would have also created an imbalance in the IT department. HR wanted to maintain the equilibrium that would have otherwise got disturbed had we hired someone at very high salary compared to existing team members who had been in the company for years,” says Mehrotra.

Nurturing fresh talent in-house

So, while most technology leaders were scouting for experienced and skilled resources, Mehrotra decided to hire fresh talent straight from nearby universities. Immediately after the employees quit, he went to engineering colleges in Gurgaon and shortlisted 20 to 25 CVs. Mehrotra eventually hired four candidates, taking the depleted IT department’s head count to 21.

But Mehrotra now had two challenges at hand: He had to train the freshers and kickstart the pending high-priority projects as soon as possible.

“I told the business that we wouldn’t be able to take any new requirements from them for the next three months. This gave us the time to groom the freshers. We then got into a task-based contract with the outgoing team members. As per the contract, the team members who had exited were to complete the high-priority projects over the next months at a fixed monthly payout. If the project spilled over to the next month, there would be no additional payout,” Mehrotra says.

“Adopting this approach not only enabled completion of the projects hanging in limbo, but also provided the freshers with practical and hands-on training. The ex-employees acted as mentors for the freshers, who were asked to write code and do research. All this helped the new employees in getting a grip on the company’s infrastructure,” he says.

In addition, Mehrotra got the freshers certified. “One got certified on .Net while another on Azure DevOps,” says Mehrotra.

New recruits help slash costs, streamline operations

The strategy of bringing first-time IT workers onboard has helped Mehrotra in slashing salary costs by 30%. “The new hires have come at a lower salary and have helped us in streamlining the operations. We are getting 21 people to do the work that was earlier done by 27 people. The old employees used to work in a leisurely manner. They used to enter office late, open their laptops at 11 a.m., and take regular breaks during working hours. The commitment levels of freshers are higher, and they stay in a company for an average of three years,” says Mehrotra.

After three months of working with the mentors, the freshers came up to speed. “We started taking requirements from business. The only difference working with freshers is that as an IT leader, I have stepped up and taken more responsibility. I make sure that I participate even in normal meetings to avoid any conflicts. Earlier what got completed in one day is currently taking seven days to complete. Therefore, we take timelines accordingly. We are currently working at 70% of our productivity and expect to return to 100% in the next three months,” says Mehrotra.

Sharing his learnings with other IT leaders, he says, “There will always be a skills scarcity in the market, but the time has come to break this chain. Hiring resources at ever-increasing salaries is not a sustainable solution. The answer lies in leveraging freshers. Just like big software companies, CIOs also must hire, train, and retain freshers. We must nurture good resources in-house to bridge the skills gap.” Mehrotra is now back to hiring and has approached recruitment consultants with the mandate to fill 11 positions, which are open to all, including candidates with as little as six months to a year’s experience.
