
Now let's head towards another panel, which is how to communicate security in layman's words to boards and non-technical stakeholders. So now we have with us our moderator for this panel boardroom discussion, Mr Smith; we always welcome you, sir. He is a director and principal consultant at Saba Smith; we welcome you, sir. So now our panellists for the discussion are: Mr Nitin Bhatnagar, who is associate director at the PCI Security Standards Council. Next we have with us Mr Dilip Panjwani [Applause], who is principal director and chief information security officer and also IT controller at L&T. Next we have with us Dr Khushru, who is CEO and founder of Tasha Tech Info Solution Private Limited and president of ISACA. Finally we have with us Mr Majesh Khanna AMS. Yes, okay. So on behalf of the BSides Ahmedabad team I welcome each one of you. Thank you.

So good afternoon, everyone. My name is Smith Gonzalez and I would be moderating one of the finest panels that we are going to present to you all, organized by BSides, on a very, very interesting topic, and this topic is going to impact each and every person sitting over here in terms of thinking what his career is going to be as part of the next five years or ten years, how he is going to evolve, and how communication is going to influence him to reach the senior levels. That being said, we have got amazing panellists who would be talking on the topic of communicating security to non-technical stakeholders and speaking it in layman's words, basically simplifying it. So we have got amazing panellists, a different sort of combination: we have got Mr Dilip Panjwani, the CISO of L&T Infotech, who comes from the CISO mindset of communicating with the board; then we have got Mr Nitin Bhatnagar, who is the director for PCI, the Payment Card Industry standard, who basically comes from the side of what are the governing standards that the enterprise and organization needs to focus on; and then we have got Mr Khushru, who is the president for the ISACA chapter, who comes from the security advisory side, who advises enterprises on what are the best security measures and enforcement that need to be taken up. Now, friends, when I start talking about all this, the reason for putting all this to you all is very clear: I'm sure you people want to grow in your career; you want to reach the high-level insights of how you can be a CISO or an AVP or VP after 10 years, 15 years, 12 years. Why are only a few people able to make it? This is because of communication and simplifying concepts to the non-technical stakeholder, and it's important for you all to understand what these non-technical stakeholders are being presented and communicated by this three-level combination that we have got in the panel.

So let's first start with Mr Dilip. Dilip, I have a very interesting question for you, and this question is: you must be in situations where you have to communicate with the board for demanding a technology or a service, or getting a sort of product or technology which will help you to solve that particular mitigation, but in order to do that you need to have that accuracy, gravity and clarity to the board, to the CEO; then the CEO expects you to give him why he needs to invest. So tell me that secret jadu ka mantra (magic formula) which is basically going to simplify and convince the board in terms of why exactly he needs to invest in security.

Thanks, Smith. So I think there's no jadu ka mantra in this specifically. It is a definite trial-and-error situation that happens, and it is more about understanding the sentiment of the board. At the end of the day the company is responsible to its stakeholders to provide value. What does value mean? Provide revenue, provide visibility in the market, provide the brand reputation as required. Now security does not give you that directly as an outcome; it helps reach that outcome in certain aspects by preventing cyber attacks happening on the company. So that's an aspect that you have to use towards helping the board understand, in non-technical terms. You can't talk about EDR and virus attacks and SQL injections out there. What does the SQL injection really mean? What does that ransomware attack really mean in terms of dollars, in terms of business revenue, in terms of the go-to-market capability to the customer or the customer perceptions? That is what you need to translate the technical jargon into in front of the board. Make them understand that, okay, I am today using an antivirus, which is the standard antivirus which has been used for the last 20 years so far, but this is not enough. It is as good as your guard sitting outside the main gate: he can only see, possibly, okay, do you have a lanyard on your neck showing BSides or not, and hence allow you into the conference. But beyond that you need somebody else, possibly a metal detector scanner later on; you need to have baggage checked through an X-ray system, and all those aspects. Hence the new capabilities have to be brought in. Your person with a lanyard could be anybody: I could just throw mine in the dustbin outside once I leave the conference, somebody else walks in with it, so you don't identify a person by lanyard alone. Hence you need to allow every person to be scanned, to be checked, validated again, and those things require more investments. In a similar way, why antivirus versus why EDR: that aspect has to be brought up in simple terms, as to what it is that the idea is going to help with, what it is really that the board can relate to. For example, the board relates to the headlines which have happened in the market with regard to which organization got hacked, what was the impact on the organization from a regulator perspective, customer perspective, revenue perspective, and how possible is it to happen in our organization. When we are trying to ask for the budget, it cannot be just a hypothetical situation where you say a healthcare industry got hacked and the same control is required for a banking industry; that does not work. It has to be in the same line of business to understand that context, and that's when the board can relate to what you are asking for.

Interesting. So ultimately it comes down to business requirements, the business impact, and particularly the incidents that can be taken up as an example. Definitely. One thing we have to always keep in mind is that security is there to protect the business; business is not there to run security. True.

So with that I move to Mr Nitin. Mr Nitin, while Dilip was mentioning ransomware and different attacks or vulnerabilities, that brings me to a very important point, and that is non-compliance. So what we see on the overall auditor side is that there are different sorts of ruckus that happen between the auditor and the organization about non-compliance: the auditor basically states that this is a non-compliance, then the internal team is not able to react on it, and often there is a tussle that happens. So how do you see this, and how do you address, basically from a security standpoint, how seriously non-compliance should be taken by an enterprise?

Yeah, definitely. I think, see, these standards are meant to protect you from some unforeseen circumstances for sure, but at the same time what is important is how effectively you are implementing these standards, right? Talking about the auditors coming and reviewing the controls and suggesting you some mitigations, definitely it's going to help you, but organization-wise you have to prioritize your risks, and ideally you should be doing some kind of a risk assessment for your infrastructure, for your applications, for your network, whatever you feel is part of the scope of your engagement with the auditor, because there are so many standards. If I have to talk about the PCI standards, the PCI standards largely focus on your payment data. So if you are an organization where payment data is the critical element for you to protect, definitely the qualified security assessors who do the audit for similar infrastructure would need to review all your controls in terms of the implementation of that, and at the same time the scoping plays a very important role. If you're not able to scope your environment correctly, then it becomes a challenge, because PCI is all about minimizing the scope, not maximizing the scope, right? So talking about what you just said, the differences that come between the auditors and the organization: it's because sometimes there is a little gap in the communication on understanding what was the scope, and once you have clarity on the scope it becomes really very easy for the organization to work in tandem, work together, to mitigate those risks that you see. And yes, definitely these are standards; as I said at the start, effective implementation of these standards is very critical to protect your infrastructure from getting compromised.

Very, very relevant points: security standards, risk assessments, scoping. So this is where I come to Mr Khushru, and I have a very interesting point to ask you. Now, when you work with enterprises, you advise these enterprises on doing security assessments. I want to know what is the approach that you have in terms of conveying these security-related measures in a simplified way, and how does that overall conversation or communication happen in which the board is actually able to resonate with the non-compliances?

Okay, so both the panellists have made very, very interesting points about how to convey things to the board, but there are two definitions that any... let me take one step back. Right now I was in Mumbai attending the conference, the Global Fintech Fest, and our information technology minister was talking there, and he talked about three things as far as information technology is concerned: one is infrastructure, second is regulation, and third is social compliance. Not that the other two are not important, but the most important thing is regulation, and the government as well as a lot of other bodies are working very heavily on regulating the data or the information systems as a whole. Now there are two words that every CISO should really write on his room wall, and that is due care and due diligence. When there is an exposure of data, or any vulnerability that gets exposed, the implementing or the investigating agency only looks for two things: did you care, were you aware that standards or security is needed, and did you do enough to protect the data? If you have done these two things then you can be saved, but if not, then you will land yourself in amazingly large problems. Now for example, if I tell you there is HIPAA: every healthcare industry has to implement HIPAA. Do you know what is the penalty for exposure under HIPAA? If my information is right, fifteen thousand dollars per instance per user of exposure is the penalty. That's a big amount, huge. I have seen companies close down just because when there was an exposure they had not done due care, they had not done due diligence, and then they were forced to pay the penalty. Every security measure, everything that you do today, is governed by some rule, some regulation or the other. So in a very specific manner, like of course PCI: when you implement PCI there are a lot of other compliances that need to happen, and any exposure... like, for simple things, can you store an Aadhaar number without encryption, can you store it in your local database? No, but a lot of people do it; a lot of security information systems officers don't know about it. So it is very, very important that in your domain you find out your information, what rules govern you, and what does an exposure cost you. Very important.

True, so a very relevant point Mr Khushru has raised. Friends, you guys would be doing VAPT, you would be identifying bugs, right? So, as rightly pointed out by Khushru-ji, regulations: so going forward also see what vulnerability is identified and what particular section it is abusing as part of non-compliance with the particular framework or regulation. The enterprise would be having a particular framework, let's say ISO 27001, or let's say PCI DSS for a payment gateway, so that can be channelized; you can put those pointers. A very relevant point you have mentioned.

Can I add one more point? There are a lot of bug bounties and public bug hacking things going on. Just be very careful of that, right? There is a system, there is a way to report bugs and find those out. If you break it, even though you are trying to say you are an ethical hacker, true, you might end up being on the wrong side of the law. But they can definitely report to CERT-In? Yeah, that's responsible. So that is what I am saying: find out the process and report to CERT-In.

So with that I come to Mr Dilip, and I have a very important question. Now you have got regulations, you have got assessments to do, you have got gaps, you have got priorities; the question that comes is visibility. Now what I see most of the time is this: technical people... you would be working with a large number of security researchers and various people who are giving you excellent vulnerabilities; in fact we learn from them at times, these young security researchers, 17-year-old, 16-year-old, and they come up with crazy vulnerabilities. And what I see is the vulnerability is amazing, let's say a local file inclusion (familiar with local file inclusion?) or insecure deserialization, but what happens with that is when they come to you and they present it, firstly it's not presentable; they just give the POC or just give a standardized description. But for the organization, what does it need? Does it need to have a presentable report, and does it matter? Because at the end of the day the non-technical stakeholders, the board, want to simplify things. So how do you put that over, and how do you be a translator in those scenarios?

Okay, so I'll try to take a step back into the early days of my career when I started off. So I started with this company called Paladion Networks, which now has been integrated into Atos, as we all know. I started off as a security consultant, got to learn all the various fields of services or security they provide; I was one of the testers, just like you guys are at that point of time. One of the common questions that came to me every time from all my customers was: you do all these fantastic testings, you come out with all the findings in the reports, and we are not able to challenge you on those items because they are all factual, but one, I'm not able to present this to my management because they don't understand what is the importance of this SQL injection or cross-site scripting or file inclusion vulnerability; second, you give me 10,000 vulnerabilities, tell me where do I start, because every vulnerability has a timeline given as per some standard or some policy. I have got 800 vulnerabilities which are critical and they all need to be closed in 10 days; how do I do that? I've got 80 applications to fix; I can't even imagine 80 restarts on 80 application-related servers in 10 days, it'll shut down my entire business. Give me a way: how do I buy some time from management to extend this schedule, but at the same time I don't put the risk on my head that I will allow the application to remain vulnerable, because if any attack happens I can't take the blame on myself. So those aspects were worrying at that point of time. The main item which troubled me, and I think will be a challenge for many of these people here in the audience today, will be not being able to translate into business risk. That's one area which I struggled with, and that was when I took a decision to move out of consulting, because I was a fresher in that space, and moved to the service-side industry. We went across the BFSI sector: been in banking, NBFC, trading companies, mutual funds, fintech, now in an IT/ITES organization; been almost 22 years in the industry. So now I've been across businesses; I understand what the application does, what data it handles, what is the sensitivity of the data, why it matters so much to the company, and why would the company care if this application is exploited. That aspect is important. You can possibly throw out a number of bugs, but can you tell the business which bug is more important? This one, right now, because this is very critical, this can damage your reputation today; this one, possibly you can still buy time, another five more days, another one week is cool. That is the difference when you move from a technical tester to a security expert.

You have really touched on the hardcore concerns that most of the enterprises are facing, and I'm sure the people would be able to relate to these pointers. Which brings me to an interesting question for Mr Bhatnagar, and it is: how do you simplify regulatory requirements to board members? Now, for a startup, or with unicorns, they are in a race to climb; they have to reach valuations, public listing, all those things are there, and at that time they have to address the regulations as well. So how do they address these regulations? Like we saw an example that Mr Khushru gave: fifteen thousand dollars per instance penalty, a big number. So how do we do it?

I think, see, the industry is evolving very drastically, and I think we all acknowledge the fact that there are a lot of new fintech startups that are coming into the space, whether it's healthcare or payments or whichever vertical that we talk about, but at the same time what is important is how they are prioritizing their compliances, how they are prioritizing the regulatory requirements. Understanding those regulatory requirements also plays a very critical role, because I think it's a thin line between what you read and what you implement, right? And now, in order to have that happen, you need to have the right partners, the right associations, the right QSAs coming across onto the table. For example, again I'll just take a reference to the PCI standards: you should have the qualified security assessors tied up, work with them, in order to make sure that you are implementing those requirements with the intent that the regulators are looking for. Now at the same time the organizations also need to prioritize. See, you cannot achieve security in one day; it has to be in a phased manner that the companies take care of. Right now, talking about PCI standards, PCI has a concept called the self-assessment questionnaire, right? So if an organization is not ready on day one to go for an on-site compliance, where the QSA has to visit on-site, do the compliance audits, do all the control checks and then finally do the annual validation, that may not be practically possible, but at the same time what is possible is that you do assessments with the self-assessment questionnaire and make sure that you are improving day by day and getting to the next stage of improving your security posture. And that's where you need to communicate well to your board that this is the approach that you're taking. It's all about the approach that you're going to take; it cannot be just the last mile, that you want to go and implement something and then you have some glitches in the form of breaches or data compromises. So it's about building your grassroots well, so if you have strong grassroots the chances of you falling are less.

Continuous resiliency is what you're talking about. That's true. So with this, as we talk about continuous resiliency, I come to Mr Khushru and I want to ask him the reality. I want to ask him what are the challenges that we as security advisors face, what are the challenges that security advisors face, because most of the time security advis