
BSides Bangalore X W3-CS Podcast - Episode 1 - Suvabrata Sinha

BSides Bangalore · 2024 · 37:35 · 138 views · Published 2024-04
About this talk
Introducing an insightful podcast on cybersecurity with @BSidesBangalore and @w3-cs featuring Suvabrata Sinha, where we delve into the intricacies of the field and share valuable experiences and insights. In this engaging discussion, Suvabrata and BSides Bangalore explore various aspects of cybersecurity, from staying updated in the ever-evolving domain to tackling challenges in large-scale security programs.

Listeners are treated to firsthand accounts of overcoming challenges in the industry, with the guest detailing successful outcomes achieved in navigating large-scale security programs. From managing factory setups to operating security operations centers (SOCs), the podcast provides valuable insights into effective strategies and lessons learned. The discussion also delves into the importance of innovation and intelligence in running a SOC and the significance of mentoring and leadership in cybersecurity. Inspirational stories of women leaders in the field serve as a source of motivation, while practical advice for students and insights into bug bounty programs add depth to the conversation.

As the podcast draws to a close, listeners are invited to explore upcoming events, including the BSides Bangalore 2024 conference, with expectations set for an enriching experience ahead. Stay tuned for an enlightening discussion on cybersecurity, filled with expert insights and thought-provoking discussions. Don't miss out on this opportunity to gain valuable knowledge and perspective from industry leaders. Subscribe now and join the conversation on BSides Bangalore YouTube!

Link to Suvabrata's profile: https://www.linkedin.com/in/suvabrata/
Link to Sarthak Goyal's profile: https://www.linkedin.com/in/sarthak-goyal/

00:00 Intro about BSides Bangalore and W3-CS Podcast
00:31 Intro about speaker
01:24 Introduction and journey of Suvabrata Sinha
06:57 How do you keep yourself updated on cyber security?
08:41 You have been in the industry for so long. You have worked in a large-scale industry with a security program. Can you highlight some challenges you faced and the successful outcomes you achieved while working in this industry?
17:08 What are your strategies for operating a SOC?
19:28 Is there any key lesson that you learned while setting up a SOC?
20:46 When running a SOC, we analyze packets and data to gather information. How much innovation and intelligence is implemented?
22:57 What is your mentoring approach?
26:30 Two women leaders or professionals who have inspired you?
29:54 How has your experience as an active speaker in public forums and workshops contributed to promoting diversity and inclusion in cybersecurity? Any memorable moments or impactful stories from these engagements?
30:46 Advice for new beginners in the field of cyber security?
34:54 What's your expectation of the upcoming BSides Bangalore 2024 conference?
36:59 Special bonus

Avail 7% group booking discount for a group of at least 3 people. Please send your individual details to gd@bsidesbangalore.in to grab this opportunity on both trainings and conference passes.

Note: Our membership is free, so become a member using "https://lnkd.in/gMd6Qu7V" to avail steep discounts on

Conference date: 28th June 2024
Training dates: 26th and 27th June 2024
Location: Bengaluru Marriott Hotel Whitefield

Hurry up and register now to grab early bird offers valid till 1st May 2024.
Register for conference: https://lnkd.in/dBbxkGzd
Register for trainings: https://lnkd.in/dAnrKnkg
Website of W3-CS: https://w3-cs.com/

#CyberSecurity #InfoSec #SecurityPodcast #Bsides #W3S #SecurityPrograms #SecurityChallenges #SOC #InnovationInSecurity #LeadershipInTech #WomenInTech #Mentorship #WorkshopMovement #BugBounty #BsidesBangalore #TechnologyAdvice #StudentAdvice #PodcastDiscussion #YouTubeCybersecurity #CybersecurityInsights
Transcript [en]

I'm Sarthak Goyal, one of the core team members of BSides Bangalore and W3-CS. Now I'm super excited to welcome you all to the BSides Bangalore podcast, which is in collaboration with W3-CS, Worldwide Women in Cyber Security. Now sit back, listen to this podcast and learn all about cyber security.

Hello guys, good morning. Thanks for joining in to the BSides podcast. Today I have Suvabrata Sinha with me. Now, he's a person who's been there for more than two decades in this cyber security domain. He's on the other line today. I am privileged enough to have a conversation with him, knowing about him and getting to know about what excited him to get into cyber security. Hey Suvabrata, thanks for joining in. How have you been?

Thank you, good morning. It is a privilege to be with all of you in this podcast, and thank you for inviting me and giving this opportunity to tell my story, so to say. And I hope it inspires at least one person in this whole wide universe to take up this exciting, exciting career.

Super. So Suvabrata, before I get into the questions, right, I would want the audience to know who Suvabrata Sinha is, because today we get to know about the professional level at LinkedIn, which we do get to know that, okay, this person has been from this company. I want to know about your journey, how you came into cyber security. Where did it all start?

Thank you. My journey has been a very, very interesting one, and I would say, rather like The Accidental Prime Minister, I've been an accidental cyber security person. I started my career, of all things, as a chartered accountant, and then just by fortuitous coincidence... I would love to claim deep foresight, and I had seen the future and I knew what was happening and I had great wisdom, but unfortunately it was a series of fortuitous accidents, and I just took the opportunities, and one thing led to another, and here I am. So I started my career with Deo in the early '90s, and just around that time Deo was setting up an IT audit practice. It was in the aftermath of the 90 security scam, and all the banks were computerizing, National Stock Exchange was set up, BSE was computerizing, a lot of things were happening, and they wanted to set up its IT practice, and I think I was one of the few who dared to join a completely new practice that nobody had heard about. I had my passion for computers, I could code, and I was very comfortable with computers. I mean, one thing led to another, and of course every career move needs someone who is willing to take a risk on you, right, knowing that you have no demonstrated skill on that track. And my mentor in those days, gentleman K G, he said, "Okay, you know, like, dude, join and let's see what we can do together." That was the beginning. You could say I was young, I was foolish, but that's how interesting journeys in life start.

Then I did a stint in KPMG Information Risk Management. I worked with Wipro for a very brief while, and by then I wanted to come out of consulting and I wanted to be a practitioner. I said that, you know, I can't write audit reports for a living, right? I need some more excitement in life. So I joined Bank of America's Global Competency Center, which was just about being set up, and I think I was their 200th employee or something. I knew nothing of how operational security works at a large scale. Again, fortunately I had a manager in the US and the managing director in India who was willing to take a risk on my passion and said, "Okay, you know, you join, I hope you can succeed, and let's do it." And that led me to operational cyber security. I set up a large security operation center. We did pretty much something of everything, we VI to a 23 40 or people, but then I felt there was a world, there's something I know nothing about, which is security engineering, and how does engineering at scale for cyber security products work. And then again one thing led to another and I joined Microsoft as a director for Digital Security Risk Engineering. Again, my great fortune in life has always been that I found these leaders who are willing to take risks on me, and somebody did take a risk on me, and thank you, Joe.

So I joined Microsoft, and that was again another very, very exciting period where I learned the nitty-gritties of security engineering. And then I felt that, okay, I think I'm ready for executive leadership, maybe a CISO or a deputy CISO kind of role, and of course I know nothing about how it works in real life. And again one thing led to another and I joined NXP Semiconductors as their head of cyber security, and then I got promoted to their CISO, and that was also a very, very exciting time in my life. I have very recently left NXP and I'm exploring options for what can I do with my life for the next 10 years, and so here we are. In conclusion I would say: always think about a career to one to 3 years ahead, don't be afraid to desire more, and such you will find someone who will take a risk on you. It usually works that way.

Superb. I think your need for knowledge and knowing new things have led you to this point in your life, and also it's just not about the other person taking risk in you, even you're taking a risk that, okay, I'm going into an unknown domain. So that works. I know people who are wanting to get into cyber security

knowing a little bit from your journey would want to get into cyber security and will be willing to take a risk. Now, you said that your keen interest was not knowing about this thing, but now once you're into the cyber security domain, how are you keeping yourself updated on things?

Interesting question. So I try to read a lot, as much as I can. I also think that you cannot be a cyber security professional by just reading and creating PowerPoint slides, so I try to do my own labs, all right? Most of the labs fail splendidly, miserably, and in every which way they can fail, they all fail, but I feel that through the process I learned something new, right? And to me it's not whether the lab succeeds or not but the fact that I do it and, you know, like, struggle through it, and it gives me insight about how features work, how products work, how different things can be threaded together, and I learn that way. The third way that I learn is that I try to attend conferences and workshops where I have practitioners speaking, all right? And so I train myself to ignore designations of speakers and see, is it somebody who does that thing who is speaking, versus maybe the most senior people in that organization who was it but not really hands on with it. So that drives me. So I attend a lot of technical conferences, as much as I can, and BSides is a great example.

Now Suvabrata, you have been in the industry for so long, you have worked in large-scale industries with security programs, right? Can you highlight some challenges that you faced and the successful outcomes that you have achieved during this phase when you were working with these industries, please?

So thank you, that's an interesting question, and I would say, what is success? Because in any cyber security improvement initiative, success usually happens with the moment of truth, right, and there is an attack and you manage to, you know, either track it, spot it, identify it, re it, mitigate it before a lot of has been done. But then you don't really want that moment of truth, right? You prefer a peaceful life. So what is success is an interesting way to frame problem statements as well. And the most recent one that I could cite is that in NXP we did a factory security improvement initiative, and that was an interesting problem space because, as you know, factories are typically the soft underbelly for any hybrid enterprise: tons of legacy, lots of OT, IoT, most of them are now, you know, hay Resto networked, many of them cannot be upgraded, patched, maybe out of support, and yet now you have to secure it. How do you do that? And of course factories, especially if you're in the process industry or discrete manufacturing, they prac is done all the time, so how do you analyze, find time to analyze, find time to triage, find time to put the right mitigation measures? All of these are not just technical challenges, especially when it comes to operational technology, but also a program management challenge. And then how do you keep it refreshed? So our factory security initiative was one I think I'm particularly proud of, because we managed to put in a fairly decent defense-in-depth posture around the factories. But like all large security initiatives, it's always going to be a work in progress, because you always need to do something else from your huge long list of backlog, all right? And by the time you have groomed your backlog to any reasonable level, new vulnerabilities are showing up on things that you have already fixed. So factory security, I would say, is an interesting space right now across the industry.

All right. So one question came here, because this was a factory setup, right? You were able to control this environment a little bit, it was in your control: okay, I have these things coming in, these things going out, these are what I could see, the loopholes, I could fix the vulnerabilities. Now

let's say when you're managing risk and security, right, when you're approaching these at managing at a region level, how do you go, let's say, regions such as India, Europe, USA? Because, see, again, when we are taking cyber security into picture, there are a lot of rules and regulations which are there. Each region has different regulatory landscapes or threat landscapes also. How do you approach managing them?

I would maybe frame it a little differently. Especially for large enterprises, the threat landscape is sort of now the same across the enterprise, okay? Because if you put the bad actor slash hacker hat on, and if you are the bad actor, you just want the weakest link in the chain. You don't really care whether it's in Europe, India, you know, like Asia, US, wherever it is and whatever it is, be it a lab, be it a factory, be it a research establishment within the enterprise, be it a third-party processing center with a dedicated link, be it a cloud presence managed by somebody else. I mean, so you are just probing for the weakest link in the chain. So the threat landscape is uniform. What I think changes is the culture, because each culture across the world is very, very unique. In Europe, for example, most employees, most citizens are very, very privacy conscious, and they are very skeptical often about new complex technologies unless they are aware of what the privacy-security tradeoff is. So often you need to spend time to explain it to them, explain the risk-reward benefits, because obviously you lose something with every new technology that comes up, there is always a tradeoff, and those conversations take a little time and some convincing, and you have to cater to that as part of your plan. In Asia, you know, it's different. likey is not so much of a concern, but there are, I mean, different languages, and, you know, how you implement something in India versus how you do it in Malaysia and in Taiwan will have to be very different, right? So you have to cater to the culture.

We did lots of interesting experiments. For example, as part of red teaming and phishing simulations, there are some cultures where anything that you send in their native language, people are extremely trustful, all right? I mean, if I send something to, let's say, in Hindi, you will trust it. Maybe not, but I'm taking India as an example. But around the world there are many cultures where an email or a phish in their native language has a far higher probability of being successful. They need to tune your awareness differently, you need to tune your defenses differently, right? Some cultures have a very high power distance. If you can phish in the name of their skip-level manager or the managing director, it will be opened and instructions will be followed. People naturally presume, their first reaction is that if it comes from a management, from a managing director, I must do it right now, you know, questions l. So that will tend to succeed. Eventually hackers know it, bad actors know it, they understand psychology as well as I do, if not better. So often good defense is not about just technology, it's about understanding culture and psychology a little more deeply and with more wants.

I think that's, this is the entire, that experience and everything, that culture plays a very important part, and the phishing example where you gave, right,

if you tell someone in their own language they'll interested better and might fall for it. How do you go about it, it's really nice. In the previous question when I asked you, you also mentioned about you running an operation center, right? Now when you started this operation center, the security operation center, what were the strategies that you employed in setting it up and how did you go about managing it?

I have actually had the good fortune of setting up a security operation center more than once. I did it once in Bank of America, we did it once in Microsoft, and again in NXP. And again, as I shared right at the beginning, in my journey every mistake that a person can make I have made in different parts of my career, right? So what have I learned? I think that the construct of one large SOC to rule them all does not work, okay? I mean, you can get probably some minor economies of scale and cost efficiencies, like one large SOC may be cheaper than two or three SOCs, but it does not work. I mean, nobody likes to do night shifts, for example, even if they say they're okay to take a it I and my rule of thumb is that if I am not willing to do it myself, I don't think I should expect my team members to do it, all right? So I favor at least two security operation centers, federated, if not three, and just follow the sun and follow the case. The second part is exactly that the cultural nuances play a part. I mean, the more diverse your representation in your security operations team, the better they understand these nuances about actual threats and how it impacts the user base, and I feel that responses are much more informed. People react and respond in a more informed way, they bring more diverse perspectives to case management, and the outcome is much more favorable, all right? So if I have to do another SOC another time again, I'll follow the same thing, not even at the cost of spending more money is better to do two or three.

All right, so I think one of them was culture. Was there any other key lessons that you learned from this while setting it up?

Culture is one. Second is people. I mean, a SOC is not an army of, you know, homogeneous 20 people, whatever else it looks in business cases, in spreadsheets. I mean, it is about people, and so you need the right people, you need to have the right people: people who are willing to experiment, people who are willing to stand up, people who have a bias for action, demonstrated bias for action, even at the risk of... I mean, if you are a SOC analyst and you see something happening and if you think, "I will wait for approval till next day morning," then it will be too late, correct? You have to be the kind of person who will do what needs to be done then, and then explain later why it had to be done. And sure, out of 20 times, one time there will be some disruption and there will be some escalation, but that's par for the course, all right? So you need the right people, whoever they are.

Okay. Now I wanted to know that when you're running these operation centers, right, there is a lot of information that we get through when we are analyzing the particular packet or any data, right? Now how much does innovation and intellectual property take place when you're running a SOC?

I would answer that question in two parts, okay? One is that any SOC, and I don't mean just security operation center, like if you are running a cyber security defensive operation, which is the monitoring team, the threat analysis team, the automation team, the whole defensive operations team, constantly generate new innovation, and that should be one of the objectives of running defensive operations, that you constantly generate new innovation. And some of those are trade secrets. I mean, there are different ways of securing intellectual property that comes out of it. Some could be trade secret, some could be patentable, but again it goes back to the culture, that defensive operation teams have to focus on creating the culture of people thinking in this innovative way. In one of my students, there was a bright young analyst who created a detection model based on an open-sourced model used by the financial community at the end of the financial crisis, the crash in 2008-2009. So there is a model that tracks the share price movement to find anomalies of insider trading as a leading indicator of a potential, you know, like adverse action on that company, and that model was tuned to track for anomalies in the threat intel feed that comes out of our own systems, right? It was an interesting approach to security problem solving by leveraging something that has been done in the financial industry for monitoring for insider trading in stocks, but it did work for a pretty long period of time. So that is innovation, where you think differently, and it is the duty of leaders, but also I think for the team as a whole, to think, how do we think differently? Because there is never going to be enough people and enough time and enough money to monitor

everything and everyone and be on top of all the threat signals that come in. You have to be selective, you have to be focused, and that's where innovation comes in.

Super. All right, so you wear a lot of different hats. When I was going through your profile, right, one of the hats you wear is you mentor a lot of women in India for cyber security. Not even women, you mentor men also. But when you're mentoring these mentees, what's the approach that you take in basically, let's say, encouraging and supporting them? Let's say I'm a newcomer to cyber security, right, what's your approach to helping us get into cyber security or entering this field?

So the thing that I try to do is to help my mentees define what do you really want, okay? I mean, like in this conversation I could pose the same question to you: what do you really want? And if you start framing it and start writing it down and you start deconstructing it, it is not a simple question, it's a fairly non-trivial problem at an individual level. And once you start exploring what do you really want, then as a mentor I can maybe point you to the right people or the right resources and maybe challenge your construct a bit, and I think that is one of the key roles of a mentor: helping my [Music] mentees look at things and situations in a different light. And often it leads to interesting outcomes. Many of my mentees have gone on to do interesting things in their lives, and that gives me satisfaction that, you know, I've been able to help them in some way, all right? But I don't have a different approach to mentoring women versus mentoring men. What I only try to be conscious about is that I do not have any preformed bias of who can do what, that women can do a certain kind of role and men can. So I try to consciously stay out of that bias, but other than that my approach is not different.

Okay, all right. On that note I would want to know two women leaders, professionals now, who have been doing well in their particular career in the domain, right, or they know you and they have inspired you and they're empowering others to join the field of cyber security.

So not just, let me say three, one from each one of the significant roles, that more is better always. So yeah, I had the pleasure of working with this lady called Susan Hall when I was in Microsoft, and over the years I have found her more and more inspiring, all right? She faced some significant personal health challenges in life, but that did not pull her down. She took time off while recovering to actually go and do a master's in cyber security, and then she came back in a more technically complex role, and that is something I think is inspiring for everyone, okay? It's that nobody can pull you down, not even the hardest adversities can pull you down. I mean, if you desire it there is always a second chance and a third chance, and you just pull yourself up and keep moving and you will get it. And she has been very, very inspiring over the years. I happened to travel to the US for her graduation and it was inspiring. Second, I would say, is a lady called Mah afro, a very close friend of mine. She has mentored me more than once. She was the general manager and partner in Microsoft Core Services Engineering. To me she was the emblem of how you lead with empathy across different challenging technical projects, delivering deeply technical outcomes through very difficult timelines but still lead with empathy, and that to me has always been inspiring and something that I try to emulate as best as I can. And lastly, in my last job I worked with a lady called Puja. She headed identity and access, a very insightful leader, a great attractor of talent. So many people just look up to her, and she has been able to attract again a lot of people to join our company, both men and women, right?

Has been inspiring. You, as an experienced active speaker in these public forums, right, and workshops, you have been contributing a lot to the inclusion in cyber security. What are your memorable moments or impactful stories around these engagements in conferences?

Yes, conferences are all about... I meet interesting people, and to me that's an equally important dividend of going to these

conferences, other than the technical learnings. I try as much as I can to be in touch with some of them. But again, as you know, once you start going to some of the conferences you tend to meet the same set of people in the conferences, so that's a good way of being in touch.

All right. Because we are in the field of cyber security, right, supr G, so now let's say every technology has its end point, and there are new technologies arising every day or every one hour or every minute, there's something new coming up. Now what advice would you give to young professionals? Because what happens is when something new comes out, everyone is hyped about it, that we need to learn this now. If a young professional who's joining cyber security, your advice to them to start creating experiences in this domain?

I thought for a couple of seconds because I realized that over the many years my advice has not really changed, okay? What I tell everybody is that focus on the core foundational skills, and that's becoming increasingly more and more critical. You must have the right engineering skills, you must have the right automation skills, you have to have the ability to think and act differently, you have to have the questioning mindset. And today even more than in the past, we know that use of machine learning, massive cloud-scale automations, now the opportunities of the generative AI tools that are coming up, many, many of the current roles will become redundant, don't really need as many people in some of the places that we have large amount of staffing, so expect your role will get redundant. So you have to constantly reinvent yourself, and every year now that pressure is going to get more and more intense. Other thing that is also critical is data analysis skills. Historically data analysts were a different breed of people who sat somewhere and did their own thing, but now increasingly everybody has to be a data analyst. You have to be able to make sense of the data, analyze it statistically, so that's the other skill that you need. Focus on learning and experimentation. Keep building wireframes, prototypes, things that test whether it works or not. Go for bug bounty hunting, right? So to me, if I am hiring, if you have even a $15 of bug bounty that you have won somewhere, it is far more important an indicator of your transferable skill and value than any number of certifications that you may have done, right? I mean, if you have five different bug bounties totaling up to $35, to me that shows something, even if you don't have a single certification, I don't really care. Last but not the least, what I keep telling everyone is that checklists do not build a career, right? I mean, if in your job you are basically running on a checklist, then something is wrong either with you or your role or the company. Just stop right there and question, right, and think what do you need to do next.

I think you just answered three, four questions I had in the start, and you covered every point there, that even certifications, even having this practical knowledge like you mentioned in bug bounty plays a very important role. So I think that sums up, if anyone, whoever is listening to this and will listen to this podcast, will get her to know an idea that how they can go about it.

Absolutely. I would rather look at, you know, your J contribution, your stack contribution, bounties you have won, where have you participated. If you participated in 15 and not yet won a single penny, it is still an important signal, right, than certifications. And certifications are okay, but not the highest-fidelity indicator of who you are.

Okay, all right. Now one of my last questions: because you love experimenting, you love attending conferences, one of the upcoming conferences is BSides Bangalore in '24. Now you have attended these conferences in the past and you mentioned it, so what stood out for you then and what do you expect to look for in the upcoming conference?

Number one, I love it that it's such a melting pot of ideas, different kinds of topics, subjects and kinds of speakers who come and speak. I love it that it brings a diverse set of people into one forum, from the people who are fairly senior in their career journey to people who are early in their career journey. Everybody is in that one melting pot and interacting, and there's always something to g u. The quality of conversation I think is excellent in BSides conferences, and I want that to continue. And last but not the least, personally it helps me make new connections, and to me that's the greatest value of all.

All right, thanks a lot everyone. We're going to put in Suvabrata's handle and you can reach out to him. I think he's a lovely person and he'll answer your queries or any doubts you have, given that he has a lot of depth and knowledge into what he's doing, what he can give us a pathway to. Thank you so much.

Thank you.

conferences, and I want that to continue. And last but not the least, personally it helps me make new connections, and to me that's the greatest value of all, all right? So I mean, it's an industry which has grown a lot, but cyber security is still a small industry and it's still all about people.

Hey there, thank you so much for tuning in to our episode of this particular podcast. Now I hope you enjoyed it as much as we enjoyed creating it for you. We would be very grateful to you if you could just like, share, subscribe our BSides Bangalore channel so that it reaches more people. Now you're the reason what we do and why we do. We will appreciate your continued support. Stay tuned for the next [Music] episode [Music]