
Good morning and a very warm welcome to BSides Ahmedabad 2023. What a remarkable journey it has been for us, and here we are at the fourth edition. It is truly an honor for me to stand before this gathering of cyber security experts, thought leaders and industry visionaries. I'm Kat Kamal, one of your hosts for this event, and I want to take this moment to thank you all for taking time out of your busy schedules to be present here, and also for showering us with your endless love, support and encouragement throughout these years.

Today we have an exciting schedule of events. We have an excellent lineup of technical speakers who will be delivering sessions on a broad spectrum of cyber security topics. We also have two villages, the Hacking Village and the Chip-Off Village, so make sure you go there, and we have the Cloud Sec rally going on where you can participate and win some amazing prizes. And of course we have our CXO panels, where our esteemed panelists will share a meaningful exchange of ideas, insights and experiences on some of the really pressing cyber security challenges our industries face today.

In an era where digital transformation has become the cornerstone of business operations and the cyber security threat landscape is expanding at an unprecedented pace, our role as protectors of information and data has become more critical than ever before. So I would like to set the stage for what promises to be an enlightening and thought-provoking day of panel discussions. We have assembled a stellar lineup of experts and leaders who will delve into some of the most pressing cyber security challenges that organizations are facing today. We will explore strategies, share best practices and take a step towards a safer and more resilient digital future. Our event is designed to foster collaboration, knowledge sharing and networking among our distinguished guests, and we will open the mic to the audience for any questions they may have for our guests at the end of each panel discussion, if time permits.

Throughout the day our panel discussions cover a wide range of topics, from CISO roles to threat intelligence, zero trust architectures, AI and ML, IoT security, policies and many more. Before we get started I want to share a few more things. Like last year, this year too we have a photo booth, and we also have the message board. We really appreciate your feedback; it really helps us and encourages us to become better each year, so I would request you all to make use of them and share your posts on social media, and don't forget to use the event hashtag. The after party is also scheduled here at 7:00 p.m., so see you there after this event. For any queries you may have or any assistance you may require, please reach out to our volunteers; they are wearing the black t-shirts with "hackers helping hackers" written on them. And before we get started, just one last request: please keep all your devices on silent.

Now, without any further ado, let's get started with our first panel, which is "CISO's evolving role: from IT leader to boardroom adviser". As the digital world becomes increasingly complex, so has the role of the CISO evolved. Traditionally the CISO was primarily seen as an IT leader responsible for securing an organization's information technology infrastructure; however, in today's digital age the CISO's responsibilities have expanded well beyond the technical realm, and they are now increasingly recognized as strategic advisers to the executive board and senior leadership. So let's engage in this discussion and understand the various key aspects of the CISO's evolving role. Please join your hands to welcome our panelists: DJ Ranka, who is the CISO at Tata AIG; Rahul Tyagi, co-founder at Safe Security; and Satish Kumar Dubashi, Senior Vice President and CISO at InMobi Group. This panel will be moderated by Dr. Abasha Vas, who is Business Unit Head, Cloud Security, at Cloud Act. So over to you, Abasha.

Thank you, Kat, for inviting all of us, and thanks to all the audience who are looking forward to this discussion. The topic is the evolving CISO role: from IT leader to boardroom adviser. I would like to say that the CISO role as we have seen it is not just a technical role, because if we look at organizations and the types of attacks that are coming because of increasing dependency on technology, we see the variety and velocity of the attacks. So small, medium scale or large scale, every organization is looking for a dedicated professional who can identify the risk, who can work on strategies, who can provide risk mitigation strategies, who is able to work in a multi-cloud environment nowadays, and who is also able to manage the compliance requirements. They should also be able to advise the stakeholders, because stakeholders don't want these people to only be techies; they want them to be part of the organization's purpose. That is why this particular panel topic, the evolving CISO role from IT leader to boardroom adviser, is key for today's discussion, where all the security professionals are here and we are discussing the qualities and the roles we are looking for from a CISO to make sure organizations are protected from the attacks that are coming, and how we can use tools like SIEM and SOAR to first identify the vulnerabilities or the malicious attacks which are happening and then effectively create an automated response to give an immediate response to such incidents.

So I would just like to have a question for all the panelists: what is your perspective on this topic? Because I see that you have vast experience; we have people from the organization perspective, where Rahul is the founder of Safe Security, and we have two CISOs on the panel, so we would like to have a perspective from all three of you.

Yeah, okay. In fact, if we go back to the early past, traditionally this function was more like a support function, but I think lately we have seen the perception was that the CISO is more like someone trying to put controls in place, and the larger mission was governance. I think from there it started with control, and fundamentally it started from compliance. I'm not saying this from my perspective alone; go back to the traditional banks, where the CISO is still more of a compliance function. I call it like the PSU banks, which had a department called the Inspection Department, typically an audit function, so people coming from audit and inspection started becoming CISOs because it was a regulatory requirement. In 2016 RBI recognized that there is a dedicated cyber security requirement; in fact RBI had earlier brought out the master circular, but then cyber security as a framework was given separately and they started defining that there is a need for it. But typically I come from the digital natives; look at the digital natives, where security is usually always an afterthought. You first want the big product because you want to innovate, so security probably looks like a hindrance. So I think even there the whole mindset was that we cannot be secure. I'm sure our security posture was not the real focus; it was more of a compliance function, but suddenly it became a focus, because organizations now accept security as a business enabler. I think it has moved from an IT compliance function to a business enabler function, and that is the evolving role of the CISO. I'm sure more and more organizations will depend on it as the world gets more digital.

Yeah, so I just have a different perspective on this. The reason being, I started my career as a security developer in one of the consulting firms, so in those days whenever we used to do consulting and we used to meet the security practitioners, the CISO role was not there, or the title was not there at that time, or even if it was there it was very rare. So we were not aware of what a CISO is or what their roles and responsibilities are; we used to provide security consulting to them. That's how I started my career. Now, as he said, the regulators have made it mandatory, and that's how, you know, we would like to give that credit to the regulators who have enabled us to get these roles and responsibilities into our careers. Apart from that, if you talk about the evolution, as you said, it was a roadblocker or the audit role that we used to know, because there were some programs that people used to follow, like four steps or four tasks that you had to do as part of security. Right now it is more or less that a framework came into the picture as part of regulatory enforcement, so now we have to ensure that it's not only the technical part but also the compliance part. So I believe, as we're talking about how somehow we are reaching the board, the voice is getting heard, you know, that's the evolution of the CISO role, I believe. I've recently taken this position over the last two years and now I'm seeing these changes, so that's my experience on the question.

No, this is fine. First of all, apologies guys for making you wait for the session. As an organization's founder, we have been in the industry for the last 12 years, and in my limited experience what I have seen is that when we started this journey as a cyber security company, usually as young people when you met the CISOs it was like your homework: you don't do your homework because you like it, you do it because the next day the teacher has to see it; if they won't ask you, you won't do the homework. That is typically what we saw in the early stages, in 2012-13: usually CISOs did compliance only because RBI was on their head, or maybe some other regulatory body; if they didn't ask, nobody would do it. In the last 5 years we have seen the shift from compliance. Compliance is there, and it's very, very important, I'm not saying it's not important; you cannot run the show without compliance. It's like a rule: if I remove the red light rule, though I'm not sure how many of us follow it anyway, if you remove it there will be chaos in the city, and it's a similar problem in the industry. Compliance is there, but when a criminal hacks into something they don't look at your compliance; they look at the MITRE framework, the kill chain, from where the reconnaissance happens and from where the exploitation will happen. When you go to the core of the mentality of these criminals, this mentality has now been adopted by the security leaders, especially the CISOs. They have shifted themselves a little from compliance-based to risk-based assessments, where they make sure that they will be taking care of the regulatory bodies, but along with that they will make sure they see the psyche of a threat actor, or maybe an APT group, how they pivot, and then change their infrastructure's security accordingly. Now that's a very mature step towards looking at and predicting a breach, because every company in India, I must say, every reputed or listed company, has a very, very strong incident response plan, but they are very weak in terms of predicting breaches, because that is not being asked for by RBI or some other government body. So I think that's where the thing comes in, but thanks to the DPDP law now things are getting changed. And you should be shocked to see that it's only two months since the US government's SEC guidelines came, which are like RBI's; they said you have to report the breach in the next 24 hours or 72 hours. Now imagine, RBI did that almost a year or two years ago, so we are kind of ahead in terms of security measures, even ahead of the US in some cases. So from the evolution of the CISO, what I have learned while they are my customers is that they are my mentors also, because they know what's going on in the industry and they tell us what the problem is, and then you change the product according to their needs. So we have to know what they are thinking. Compliance is there also, but with the shift we have seen from compliance to threat-based prediction, this is something the evolving CISO is looking at, and that's why they are adopting certain solutions in the market that can help them in predicting those things. There has to be a balance: if a breach happens, the incident plan is definitely there, which is already solid, so it's between the post-active and the proactive things, you know, something you can do. The balance is on the right hand side and the shift is happening right now on the first hand, that is, at the prediction level. So that is my learning, a little bit of my experience.

Ma'am, I don't know whether my mic is working or not. Okay, so I'm using it. Yeah, so understanding from your perspective, I see that the role has evolved; now we are not only focusing on one area and we are not working in silos, because we need a person who can see across the infrastructure, to see how we can predict the things which may happen and which may create a lot of risk. That's why this role came into the picture. So DJ, I want to know from your perspective what you see as the relationship with the board of advisers and executive leaders from the CISO perspective. You are a techie guy and now you have to talk to board advisers to present your points, so what is the relationship you see?

So, as I said, I recently took over this position, and you rightly said that from the start of my career I have been a techie all the time, and I would like to remain the same, right? But when it comes to the board meeting you need to have a different skill set. You need to own those different metrics that the board will understand in layman's terms: where is my risk? So at that time the role shifts from being a techie to being a management guide. As I said earlier also, now those meetings are happening and the voice is getting heard, so now they're giving that importance, not only because the regulator is asking. Being in the insurance industry, it's not because IRDAI is asking that you have to be part of the board meeting, but the board is also understanding the importance of cyber security, so this has become a regular topic in most of the board meetings. So the importance and the emphasis on cyber security is there, but still I believe there are a few points that the board has to understand, and as we are saying that the CISO is more of an enabler, we have to enable them to understand the dollar value of that risk. At times, you know, I'm not endorsing Rahul here, but players like Safe Security or any other players for that matter help us convey the message, that this is our exposure, this is the risk we are carrying, not only in terms of the vulnerability impact or what could go wrong, but in terms of the dollar value. That, I believe, is the matter of fact: that's what the board wants, where am I in terms of the security posture of my company.

So thank you sir for the endorsement, I hope this is recorded. I think he made a very nice point, and that really resonates with the work we are doing on the ground also. Now let me give you a small example. 3 to 5 years back, usually the board would have a six-monthly kind of presentation from the security professionals, CISOs or CIOs, to see that we are spending so much on security, what is the visibility of my risk. Now the problem in that situation is the board members; when I say board members, the young generation among them are usually 60 plus, or 50 plus I must say, who may or may not be technical; very good entrepreneurs, very good businessmen giving money to secure things, but there is a very big gap in making them understand what you are doing at the ground level and how that ground level work is converting into risk reduction. That was the big problem. In the last two to three years what we have seen, which was a really big change, especially in the manufacturing industry, not in the BFSI industry but the manufacturing industry, is that the manufacturing board is asking the CISOs every month for the security status of their infrastructure. That never happened before, at least among the customers we had. So they need to show it to the board in a manner the board will be able to understand. This was the biggest problem in the market, because a CISO will ask for a budget from the CFO or the CEO or the board to get an EDR, to get an antivirus, in layman's terms some kind of security tools, to ensure the 360° security of the organization. But the problem with that is, the next quarter or the quarter after, when we go, usually we are asked what happened to the last budget. So usually it's a very gray area where CISOs take a bit of a hit, or maybe it's very difficult, because they have to collect data from one team, a second team, a third team, a fourth team. On average, to prepare a board report, I ran a poll I think 6 months back, on average a board report takes almost 45 days. Imagine the loss of manpower there, because everyone has to give the data and then the CISO has to sit and correlate the data and present it, if I have to use the five-year-old child rule, you have to present all those technical zero days, exploits and red, green, blue CVSS scores in a manner that they will be able to understand. I think we were fortunate enough, lucky enough, that we realized this problem at a very early stage, in 2014-15, and that's the reason that what we are doing now is converting that risk from a technical term into a dollar value risk, or a rupee value risk. So for example, when I'm sitting as a CISO in a board meeting, I will be telling them: guys, leave the technical jargon, our company is sitting on $250 million of risk today; by next quarter I will ensure that this risk goes down to $100 million; now, to reduce that $150 million, I need an investment of 200k from you. Now that's a very, very easy conversation, right? To reduce $250 million of risk you are asking for a budget of 200k. I'm not sure how many people will deny that; some may, of course, but mostly it's very normal. So this is when quantification comes into the picture. All the people who are looking at their mobile phones right now: if I ask them what the battery status of your phone is right now, it's very easy to say 10%, 20%. But if I ask you how secure your phone is, you have an antivirus, you have this and that, but that's not the right answer; you have to quantify it. So I think this is the problem statement that needs to be solved, and it's not only we who are solving it; there are so many players now in the market who are solving this problem. And when you look at the global level, the federal government in the US has mandated that you have to have one technical board member sitting on the board, and this will be followed by the Indian government soon, so that when we are presenting something at least we have one hope that this guy will be able to understand, and we'll leave the presentation with them and then that guy is going to teach them in their free time what this is at the ground level. So he is absolutely right that this is the biggest communication gap, which I think is being resolved by a lot of players in the market, which are usually being utilized by the CISOs. And once this is done I think it becomes very easy, because the conversation with the board members, because they are businessmen mostly in nature, has to be about money. They don't care about technical jargon; they care about their market cap and they care about the investments they are doing. So if you're able to defend that along with the practices you are doing... And I must say, for the young people who do not know even the definition of a CISO: the CISO is the person who is responsible for the entire security of the organization, and it's a very thankless job, a very, very thankless job I am telling you, because no matter how much hard work you do, with one breach nobody will look at what you did in the past. So I think the perception on the board has to change, and if you are able to make them visualize your hard work in a quantified manner, that really sets the ground in a very strong manner.

So, understanding this perspective that board advisers can only understand the numbers, but the people who are working in the organization, when we say that we have purchased these tools or we are going to implement these strategies, I think the CISO's role is also to make sure that the people working in the organization also understand this culture, why security is important. So when we say the CISO is talking to board advisers, the CISO also has to make sure that the people implement those strategies. I'll give you an example. Let's say the teams are working on certain projects and we have guidelines, like a fintech company, and we have certain confidential data which should not be shared among the teams inside the organization, let alone outside; we are not talking about outside but even inside as well. So we have to have such kinds of strategies implemented so that this can be prevented and the users can be guided that this is not the way you should be sharing confidential information, whether intentionally or unintentionally. So what do you think, Satish, how can we work on the balance between the board advisers and the people we are working with in the organization, to make sure that this kind of culture is implemented and used across the organization?

So that's a very valid point. In fact, cyber awareness, right from the top to the last man standing. I'm sure we all agree that people are the weakest link, right? You have great technologies; I usually say that you can put the best firewall in the world, whatever expensive one, but you can't stop people's foolishness. I think today we are in the month of October, which is cyber awareness month; it's a very important month, and I think we should also take this opportunity to go and talk about cyber awareness. So, answering your question, awareness at all levels is very important. In fact, even RBI in the cyber security framework has categorically elaborated on awareness, even among the board and the management. So typically I call it operational, tactical and strategic; I think at all three levels cyber awareness is very important. Unfortunately, these awareness trainings and all are mostly again taken up as a compliance initiative. But today, thanks to newer technologies, and as Rahul said, like risk scoring, how vulnerable are people? Why do we keep talking about the CVSS score and system vulnerability? People also are highly vulnerable, and we have seen, in fact if we go back to the past few incidents, cyber breaches and data exfiltration, predominantly it's not that hackers are exploiting technical controls; they are typically exploiting people's weaknesses. Maybe sometimes a developer left a back door unknowingly, in fact not intentionally, as you said. So I think a lot has to be done at that level, but unfortunately we are very busy with tools, you know. We always want to put in a lot of tools; while tools definitely help at one level, awareness is the other piece, especially coming from a digital native or a tech company, fintech and all, because it's all a lot of technology. In fact that's where there's a lot of buzz around shift left, because security is usually an afterthought; like, just before the application is about to go live we do a scan, but why can't we shift that whole security to a very early stage, right from design and development? I think there's a lot of work happening in that space. Again, I usually say that typically a developer who learns Java or .NET in college is never told how to write secure code; he suddenly comes to industry and we say, do you know how to write secure code? Now he would be wondering what secure code is; he knows how to write code, right? I think a lot of that really has to happen, because finally he's coming out of college; the developers, the coders, are allowed to code the function, but security people are talking about security vulnerabilities. So that education, because you touched on awareness, awareness happens at different levels and to a different degree. In fact a developer needs to be told how to write secure code, how this code can be exploited by bad guys and how it can create an impact on the business. I think it all depends on how you convey that message, and then of course enable him with the training, with the tools, with the technologies, because again it's not only training; you also need tools and technologies to support the overall effort. And today, see, I come from a very fast-paced environment, the digital natives, right? Traditionally we used to have a monthly build or a six-monthly one; today we talk every day, we have two releases coming in. That is the pace; it's like a factory, a software factory, right? So as you write the code, as you build, as you deploy, security has to be embedded. In fact that's the biggest challenge today, especially for these digital natives, because they cannot compromise on speed, because typically security is known to become a show stopper. So I think the idea is to enable the whole value chain and still deliver securely. I think that's the challenge, but equally that's the opportunity also; I look at the opportunity: to see that your CI/CD pipeline is secure, applications are developed securely, built and deployed securely, and then of course they're running all the way with whatever compliances we have.

I'd just like to add a few points here. I'm again touching on the awareness part only. Awareness, I believe, is more or less, as Rahul said, a thankless job: training people, you know, running many campaigns on phishing and social engineering, arranging training sessions for developers and all the users to understand the importance of cyber security. But unless and until there is a top-down approach on the awareness part, it will never fly. I'll tell you an example. One country, I'll not name them, but in one of my experiences when I was in that country, they started fines, right: if you overspeed, if you jump a red light and things like that, they started fining, and the fine was too much, so people were not happy. So what they did is, the prime minister of that country's PA took his car, drove it, jumped the signal, sped up, and then the news started flashing that the prime minister's car got fined. So everybody started understanding the importance: yes, if I don't follow the rules I'll get fined. So then they started understanding. I'm saying similarly, if our top management understands the importance of these trainings or the campaigns that the CISOs run, then I believe the top-down approach will help us make the users understand that, yes, I should not click on everything I get, you know. So that's one part. The second part, as you said, on security in terms of shift left: I believe all the youngsters here know that as part of the curriculum of their education now, security is slowly getting embedded, right? They are understanding what security is, they are understanding what injection is, they know what the OWASP Top 10 is, right there. So I believe, yes, of course, this will take some time, but more or less, eventually, once these guys come on board and start working for any corporate or startup, they will know what security is, and what the importance is of security being embedded in the code itself. Thank you.

So this is my favorite topic, because I think my career started with social engineering, working for some people, some in the government, and that's all about social engineering, right? Now, as a security company, this was the biggest challenge for us, because as a security company we have to ensure that our people are secure more than our customers, at least to start with, right? So what we did, and you can implement this also: the first thing we did, because we are developing a security product, is we ensured that whoever joins us must be a certified secure code developer, whatever the certification they have. If they are working on APIs they should understand APIs; if they are working on web or mobile they should be certified in some manner, so that he is not just a developer but knows how to narrow down and construct code which is not self-destructive or does not have certain loopholes. Developers used to be hired at a time when finance was not involved in internet applications; it was more about communication. But today there is too much finance involved, too much money involved, so you cannot have the same mindset when you're hiring a developer. And especially for the kids who are here: you need to learn coding, but in a secure manner, if you really want to get in somewhere; otherwise you'll not be able to gel with the pace at which organizations are heading. Second, we started a cyber awareness session in the company, and my IT security manager said, okay, I'll prepare a PPT, and he came up with a 45-slide PPT and gave the session. Two to three people fell into the trap of a phishing email, and when we ran a survey and I asked what they thought, they said this was the worst seminar of our lives. And by the way, we are a security company, and I'm not shy in saying that; imagine the companies that are not security companies. These people have a security mindset, guys, they are hackers on the ground, and they fell victim. Then I realized why they did not gel with the content we delivered: because it was "this should be the password policy, this should be that", and they cannot relate that to themselves. The human being is a very twisted animal, you know, among all the species, because I will not be interested in it; even sitting here you're looking for one thing you can take home and apply in your life, otherwise everything is just English to you, right? So what we did is we removed the presentation and came up with news items or stories, like a WhatsApp scam that happened with a finance guy: some girl made a video call, honey trapped him and stole the data from the company. Now these are exciting news items, right? So we changed the content to real life scenarios rather than the traditional "your password should have this and that"; that's not going to fly. And the third thing we did is we said we are going to teach you how to secure your Facebook, your Instagram, your Gmail, your this and that. Now that's a very interesting topic for them, because the two-factor authentication protocols I'm telling them to set up on Instagram are implemented in the company also, but that really serves the purpose. So you have to find what's in it for them; otherwise they are never going to take it seriously. And the third and last thing is we came up with demonstrations. Usually the cyber awareness talks I have seen are mostly English rather than some kind of thrilling demo which really shakes up the people sitting in the room. So if you tell them, do not install apps from outside the Google Play Store on an Android device, now that's just English, right? But when you take someone's mobile, install an APK from outside, so to say hack their mobile, and show their contact list and their beautiful pictures in their gallery, now that makes sense to them. So it's about how you formulate the content for the organization so that it can really pinch them in another way. And we changed this drastically; there was a very good change in the organization, every person was responsible. And the last thing we did, which was missed: we trained, we made, you know, the CEH certification, I'm not endorsing them, I don't like that certification, but still I'm saying it, I made sure that my HR and my finance team went through that certification. Maybe we are the only company whose accountants are certified ethical hackers, because these are the people who get attacked the most and they carry the most sensitive information, especially the finance people. So I make sure they are dedicated, because they get a fake PO, they click on something and we are going to lose everything, and today, maybe you are my customer, my finance guy got hacked, we got into the news, and you won't want to trust me, right? These are the small things I think we need to incorporate in our cyber security programs, and board members take a very big interest in it, by the way, because take an example: a board member on his lunch break picked up a call, there was a girl, she was wearing a mask, and it's a real story by the way, and suddenly in four to 5 seconds she performed some action and took a screenshot of that. A 65-year-old MD and board member of so many companies is being blackmailed in just a stupid way; he just picked up the call. So now, how do you relate the traditional content which is required for the company to the individuals? Because these days, especially since the pandemic, criminals are tracking people from social media, looking at their designation, honey trapping them and then blackmailing them to give data, and these are the local
criminals who will trap you and then sell you your identity to the bigger criminals who want to pull a ransom where tack lizard Squad group or someone else so this is how the entire ecosystem works so secured code developers you need to hire second there has to be proper vulnerability assessment pen testing third awareness session should not be full of pp and jargin it has to be real life example which can relate with them their kids their family members and last is you have to put your agenda also which you want to bring and at the end of the day you need to conclude it with saying that okay guys this is it and now you have to follow
that and it really changed things for us at least thank you rul thank you all so uh from this discussion and the stories which you have shared I think ciso role change like we have to do the marketing in our own company in in front of the board advisers uh like I I'll give you one example like when when we are designing a training for some organizations so that time they are always asking that how we are going to pitch to The People those who are going to approve it because they are not understanding this so I think uh the it leader to adviser we also have to understand the marketing of the things and how we are going to bring this
perspective and we show the importance of such security awareness sessions or the trainings or the tools which we need where we need the company to invest so I think that also trick we need to learn as a ciso when we are evolving so I I'm sure that a few questions we can take from the audience as well if you have any and then I'll ask more questions anybody from the audience would like to ask any question okay I think they all are satisfied and I I I wanted to say like thank you for emphasizing that this is the cyber security awareness month and uh as we already said like ciso is not just a SP person for security in the
company he has a much uh more role to play right in Greening the security mentality in each of the employee even their family it's how you influence the security culture within each one and those are some really good insights I'm sure it's going to help a lot of aspiring seos and also the youngsters they get to know what kind of skill sets that you are looking in your organization thank you thank you thank you thank you all