The Evolving CISO
In this episode, host Raghu Nandakumara and Vishal Salvi, former CISO and Head of the Cyber Practice at Infosys, explore the evolution of the CISO over the past 25 years, democratizing cybersecurity and why “doing the boring things right” matters.
Transcript
use they're not really having that, they're not able to see it as closely, if you just drive it as a business leader, it is in a way superficial. You'll not be able to go deep into really understanding what's happening. And so you run it as a business rather than running it as a CISO or as a practitioner. But I think to answer your specific question, I guess because of the deep empathy, I'm able to steer on both sides.
10:28 Vishal Salvi: And so when we, for example, do some innovation, and we do a lot of innovation internally to try and be on the cutting edge of driving innovation in cybersecurity, like for example, from five or six years back, we ran a completely different metric measurement program within Infosys, and we did hyper automation for that, and we built a lot of IP around that, and after running it for four years successfully, we thought it was... it had come to a stage where we could take it to our customers, and we kind of did a reverse engineering where we migrated that whole code and that whole solution to our practice team. And now the practice team has scaled it up, and they support Infosys now for all the innovation and change which are happening, because they were able to sense that from our customers and get that feedback.
11:16 Vishal Salvi: And we are seeing a lot of that happening for other things, like for example, when we are incubating a practice, we can take some resources from our team and get them in internally and use them to incubate that, get it to a particular level of maturity, and then pull it back to give it back to our customers. So it creates a lot of possibilities and advantages for us, and the fact that we are able to be exposed to what's happening with all our customers. The sentient nature of being able to sense and understand: we can obviously then use that knowledge to strengthen our understanding of what's happening in the threat landscape and use it internally for Infosys as well.
11:57 Raghu Nandakumara: I love the way you express that as very much almost both being incubators for improvement on the other side and that very rich feedback loop that you have. So let's now switch gears a bit and go back to what does Zero Trust mean to the CISO of Infosys?
12:14 Vishal Salvi: Yeah, so, I think, let's take a step back. Cybersecurity is all about risks, vulnerabilities, and threats, and if you are to just extend it, you can also talk about incidents. So at the end of the day, we are always dealing with incidents. We are dealing with vulnerabilities, we are dealing with threats, and we are dealing with risks. These are the only four things that we are dealing with. Now, that is irreversible; that is never going to change for decades. That's how it started, and that is how it will remain. What we do in terms of our methodology... so we had BS 7799, then we have ISO 27001, and then we have so many different standards. Then we have various risk measurement methodologies like NIST, FISMA, all of that. Then we have so many different standards; all of this is the evolution of how we are looking at solving this problem. But at the end of the day, it's still about risk, vulnerability, incidents, and threats. So the fundamental tenets of information security are still intact, and the fundamental tenets will continue to be there.
13:16 Vishal Salvi: So, therefore, when we look at something like Zero Trust, what does it really mean? We used to call this profession “information security” till 2008, 2007. Suddenly, it became cybersecurity, and everybody now talks about it as cybersecurity. Tomorrow we'll start calling it digital security. So, the nomenclature may change, and the profession advances, but the foundation remains the same. The fundamentals remain the same, and so I would say Zero Trust is the evolution of that same thing, where we have evolved toward this. Zero Trust is a new concept; tomorrow there's something else which will come in. It's just that, just like the word cybersecurity has stuck for the last decade, Zero Trust perhaps will also stick for some more time before something else, something more appealing, comes in. But it's not just marketing. I think it's emerging as a philosophy, and the under-the-hood philosophy is all about looking at, “Okay, so why are we talking about...”
14:26 Vishal Salvi: It's almost like an oxymoron. Because when we look at Zero Trust, and we are in the business of trust as cybersecurity professionals, then why are we talking about Zero Trust? So what it really means is that, given the fact that now the perimeter is no longer the traditional perimeter that we had, and we have done adoption of cloud, and there is dispersion of all the endpoints, and now we are talking about any place, any time, any device access, and 24 by 7. I think the way we connect computers has fundamentally changed, and for us to really have trust in those connections in today's environment, you need to embrace Zero Trust, where I will build additional checks and balances at the right gates in these connections so that I feel that these connections are trustworthy. And so therefore, from my perspective, when somebody's coming in, I will have Zero Trust in them till I'm convinced that these connections are trustworthy, and so then you build different models around that so that you make it work. So I think that's the simplest way I could explain what Zero Trust really means.
15:45 Raghu Nandakumara: I love just listening to that in its entirety. So firstly, thank you, and in all of that, I think the really powerful message that you conveyed is that every era brings its own new approach and a new strategy. But I think what to me stood out is when you said, "But the fundamentals remain the same," and that I think is such an important lesson. And I think Zero Trust is literally saying that. It's really about the fundamentals, and I want to use that actually as a springboard to some of the items that you've been talking about in your monthly newsletter, which is a great read, and I encourage everyone to go and have a look at it. You talk about the importance of security hygiene, and the reason I say I equate Zero Trust with the fundamentals is that I say good security hygiene is the same as good security fundamentals, and one of the fundamentals in that should be that nothing should be granted implicit trust, which is really what Zero Trust is saying. So security hygiene, it's so important. You articulated it brilliantly. But why is it often the same thing that comes - every time I read about a new ransomware attack, a new breach of any sort, you dig into it and often the root cause of it is a lack of security hygiene. Why is this still such a challenge for organizations large and small?
17:11 Vishal Salvi: I call this “doing the boring stuff”, and I think the reason it does not get so much attention is because it's so boring. But it's not just boring, it's also thankless. So that is, I think, the other part, and the third part is it's a hard problem. So you can imagine why we see most organizations get it wrong, because of these three issues. I think we need to do something so that people understand that we need to glorify the boring stuff. These are fundamental stuff. Number two, we need to figure out a way to incentivize people so that it doesn't become thankless, and reward and recognize the sentinels. And it's not the cyber team, it's the technology team, the IT teams who are constantly at it, because guess what? We are releasing vulnerabilities and patches like never before. And you've got to get it right, and it's an asymmetric war. You need to get it right all the time, and the bad guys have to get it right only once. So we have a significant amount of asymmetry in the way this happens. And the third thing is that the time has come when, just like you're talking about Zero Trust, we need to have zero tolerance towards basic technology hygiene.
18:29 Vishal Salvi: For example, no matter how dynamic your IT landscape is, you should know exactly how many assets are there in your organization, how many applications are there in your organization, how much shadow data and how much shadow IT do you have? How many changes are happening, where is it happening through a change management process, and in how many places do you have proper hooks in managing those changes? As technology has evolved, we have been forced to let go of that control and those hooks that were traditionally very strong in technology and IT teams, because the business teams, the business units, have become empowered to drive their own technology stack. But by doing so, we get a sense of not being able to control, because it becomes a multi-legged hydra.
19:19 Vishal Salvi: If you start taking an approach of zero tolerance, we need to start getting a sense of more governance around, “How do we manage this?” While we want to empower people, while we want to have speed and agility, you cannot do it at the cost of IT hygiene and, therefore, the risk of being breached. So I guess these are some of the important elements that one should look at when we do it, and I think, like you said, and like I've said in the past, that the majority of the breaches and the majority of the attacks that we have seen are not happening because the attackers are using some very tech-heavy or very sophisticated attack mechanisms. They're... In fact, some of the attacks are actually happening in plain sight. They don't even need to go and exploit something. They already have the credentials from somewhere else; they just log in and do the lateral movement.
20:13 Raghu Nandakumara: Yeah, absolutely. By the way, to sort of go back to when you were talking about security hygiene as being boring, thankless, difficult: it reminds me of trying to get my kids to do homework, because they associate homework with all those three things, and you need to make it interesting. You need to make them see the value, and you need to incentivize them. But, as you say, attackers ultimately, for them, they're in it, it is a business for them, so they want to... ideally they want to do low effort, high return. And hence they're always attacking the low-hanging fruit. But I think you were really... In your response you really introduced something that was really topical, as you say that now increasingly business teams are running their own tech stack. So, it is not the case of saying, “Okay, IT, you run the infrastructure, go and patch.” You need to bring everyone along that journey. I know that one of your areas of real interest is democratizing security. So how, both as a CISO and then also as a practice leader, how do you put in place that model of democratizing security so that all of these diverse groups that have some stake, or are stakeholders in security, in their applications, how do they all unite behind a common approach to cyber?
21:38 Vishal Salvi: Yeah, I think the... It's a culture issue. It's about building a culture where we are able to get every stakeholder to understand their role in terms of accountability and responsibility towards cybersecurity. As a profession we have not done a great job of advertising this profession well, because when we call ourselves the cybersecurity teams, generally the perception and expectation is that this magically... this team is going to solve and manage my risks, and I don't need to do anything. Whereas actually the truth is exactly the opposite of that. The cybersecurity teams are the active catalyst for this change, but the actual change is the stakeholders, the business leaders, the board, the organization leadership, the staff, the employees, the technology teams, the IS teams and every other stakeholder that is there, and each one of them needs to understand their role and accountability and then do it. The bad thing about security is that it's only visible when it's not working, and it's invisible when it's working.
22:48 Vishal Salvi: So long as nobody is exploiting your bad security, you can live in a fallacy that actually you are secure because nobody is attacking you. That's exactly what happened in the case of ransomware, where for the first time, when the ransomware came in with WannaCry and NotPetya, it was the first time that we had an indiscriminate impact of a security vulnerability across industries. And suddenly all the insecurity that was there got exposed, which otherwise was not visible. And that's why you can explain that the financial industry is so much more regulated and much more mature: because they had the bulk of the frauds happening till such time that we started seeing ransomware. And ransomware just impacts anybody who comes in contact. On the internet, everybody comes in contact with everyone. So, coming back to your point, you need to start looking at it from that point of view to make sure that we democratize it and every stakeholder understands their role very clearly. It has to be done as a culture, and every opportunity you get, you need to make sure it is driven so that it becomes a cultural problem where...
24:01 Vishal Salvi: And I must tell you this upfront, Raghu, that we are still at a nascent stage when we talk about understanding that cybersecurity is a cultural issue. People, even now as we see, most of the stakeholders externalize it. They don't think it is their problem, and there's always this issue that we suffer. Cybersecurity is seen like rocket science. It's seen as something which only a specialist can do. It's not. I think it is a very common-sense thing. Anybody who understands the fundamentals of technology, it doesn't take much time for them to understand the principles and fundamentals of cybersecurity. In fact, the remediation is something which has to be done by people who have admin access; it cannot be done by the cybersecurity professionals. They can at best find that risk and vulnerability and tell you about it. But they need to... Teams who have access are the ones who should be exercising it, and they should know how to configure systems securely. So that is the change that we need to drive, and that is what I mean by democratizing cyber.
25:06 Raghu Nandakumara: There's so much good content in what you've just covered there. There's just so much that I could deep dive into... I think we could do a podcast episode about every segment of just what you said. And I want to ask then, firstly, cybersecurity, if you boil it down, it's common sense. Applying common sense to a variety of technology and information problems is really what cybersecurity is fundamentally about, and when it comes to that culture shift and everyone being involved in cybersecurity... And as the cliché goes, your first line of defense is your people, and they need to be engaged in your cyber program. For organizations who are adopting a Zero Trust strategy, does democratizing security form a key part of any successful Zero Trust adoption? What are your thoughts?
26:06 Vishal Salvi: No, absolutely. Zero Trust is a methodology to deploy your security architecture and the only way you can be successful in deploying a security architecture is where all the stakeholders come to the party. For example, when you talk about Zero Trust, one of the important changes which are happening is about...
26:29 Vishal Salvi: There is a convergence which is happening between security and network, and we need to get the network team to the table to be able to really put the architecture together, because that is going to be the future of security and network. And so the old models, traditional models of connectivity, are getting significantly challenged. And unless we are able to change the mindset of the network team to adopt this software-defined security and software-defined networking, it becomes difficult. So, I think that collaboration and partnership is important. Only if they do that at an architectural level can we be really successful in driving implementation of that. So therefore, I think as much as it is technical, it's also a human aspect which needs to be driven. So I definitely believe that both things have to happen together for you to have a successful program.
27:21 Raghu Nandakumara: Often I'm asked like, “Okay, how can I go and do something really quickly? How can I drive transformation really quickly? I've got this new capability I want to roll out.” And what I say to them is that we can always find a technology and we can make technology work. We can even build a process to use that technology. But you are only going to drive fast adoption if A) you've got a strong mandate as to why that adoption needs to happen and B) that the stakeholders are all engaged. And that they see the value in it. Without those two, the mandate and the stakeholder engagement, you're never going to get any kind of fast adoption. And that goes everywhere. But I want to ask actually, because I want to tie that back to something you said earlier about how the value of a security investment is never obvious.
28:13 Raghu Nandakumara: Because it's kind of it like, you never say, “We didn't get compromised because we had X.” It's more the case of “We got compromised, we got breached because we didn't have Y.” Where I'll be interested to get your, both your CISO take and your practice leader take is that, how do you demonstrate tangible ROI from security investments? Both prior to getting that commitment from your board to make the investment, but then also, let's say six months down the line, 12 months down the line where someone asks, “Okay, we made, we spent X, show me what I'm getting in return.” How do you do that?
28:55 Vishal Salvi: My view on this is that you should not get into this trouble of trying to convince any finance person of the ROI on security products. Because you can argue on both sides and you can never agree, if you don't want to. So I think it's a futile exercise. I know people do that, but I don't think you should do that. I think the way the model should work is like this: You need to decide as an organization what is the risk that you have because of cybersecurity to your organization and how much you are willing to invest. That is number one. And then, in my mind, security is all about getting better every single day. So where we are today, you need to get better tomorrow, and then the day after it has to be better than tomorrow. So that's really how you should do it.
29:48 Vishal Salvi: It can never be that today you are zero, tomorrow you're going to be a hundred; it's just not going to happen. So there has to be a level of trust that once you've got a team, a professional team, to deliver it, you say, you know what... this is how you need to spend this money. You go and deliver the max value and I'll hold you accountable for it. Because it's only the security team who then needs to really justify to themselves how they want to spend that money. And they would know best whether it is delivering value or not. There's no other person external who can ever come close to really understanding what they're doing, especially from finance. So I think this: You need to really flip it on its head and say, don't waste time trying to come out with a mathematical calculation of ROI, but empower the teams to drive their own ROI. So within security teams, you can definitely do ROI. You can know how much you've invested and, for that control, what is the efficiency and efficacy of that control. You can do that. But don't allow somebody else to come and challenge that process, because at the end of the day, you will spend more time explaining that to the third person, when that time is better spent actually protecting your organization.
31:05 Raghu Nandakumara: I'm laughing, because the reason I'm laughing is that I'm sure there are lots of sales leaders who have all heard that, and will play the tape in front of an economic buyer and say, look what the CISO of Infosys says about trying to convince you about the value of this investment.
31:20 Vishal Salvi: I've been, again, privileged that I've been working in mature organizations who have left us to do our job.
31:27 Raghu Nandakumara: Yeah.
31:27 Vishal Salvi: And not really spend too much time asking where you're spending this money, why you're spending this money here. Because what will happen is, if you do that, then you'll end up spending on controls which are low on your priority, because the finance guys are convinced on that, compared to the one which is more important for you. Right? And that's where I think it becomes a problem. So hence it is better we do it this way.
31:49 Raghu Nandakumara: I really like the way you expressed that, but so then let me ask you a related question. As a security practitioner: you've done a risk assessment. You've done, you've threat modelled your environment and you've identified your gaps. Where do you now say, “Okay, I have a pot of money. And I have, it's up to me where I invest it.” What drives the investment saying, “capability X” or “capability Y”? And then how do you measure that you are getting value out of that?
32:22 Vishal Salvi: Yeah, I think it's all about the methodology of looking at your risk assessment, and we do it obviously every year, and you do... the best way to do that is to have a foundation of your enterprise risk assessment, where you looked at all the risks and looked at which are the ones which are high risk, and how you want to prioritize remediation.
32:43 Vishal Salvi: And then you look at, okay, what's out there and what do I need to do and what are the important elements that I need to look at. And then you do a classification and then you say, okay, these are the ones which I need to really address, and of course, you need to look at affordability, because even if, for example, you get all the money that is required for all of them, it's impractical for you to actually even execute that. You'll struggle to actually spend that money. So you need to be able to balance it between practically how much you'll be able to implement and also what is the affordability for your organization, given your organization context and your business context, and you need to be realistic around that. You cannot be asking for a bottomless kind of situation.
33:24 Vishal Salvi: So I think if you're able to do both these things and calibrate it well, then you get a pot of money and then obviously you define the program, give it to your team and say, okay, now that you have this, now make sure you execute it. But more importantly, I think you need to make sure that you do a post-implementation review of that investment and give that feedback back to the teams so that they are able to get some assurance that we have been able to execute our programs as defined in a timely manner and achieve our objectives. So that builds in more trust.
34:01 Raghu Nandakumara: Yes, 100%, 100%. So with that, what are you seeing as the success rates in, let's say, clients adopting a Zero Trust strategy? Those who've taken that path and are taking that path, potentially with yourselves helping them. What are you seeing as some of the successes and failures?
34:21 Vishal Salvi: The challenge in adopting it is that we are actually currently in a very complex kind of architecture world, where we have full solutions, multiple tools. Some of them are integrated, a lot of them are working in silos, and it's like a very complicated assembly of different technologies. And there is a need to consolidate. There is a need to integrate. There is a need to look at it deeply with the integration with the tech stack. And I think we are far away from that. So that is one very significant, important challenge, and one of the reasons the implementations are not successful is because of this. The other part is, in terms of there's so much legacy, what do I prioritize and how do I modernize? And do I do open-heart surgery or do I take medicines?
35:08 Vishal Salvi: I think those questions are very critical, and very often, because of the huge amount of legacy, it's not very easy to change and pivot to a new way of doing things. There are forward-looking organizations who are taking a completely different approach towards doing major transformations and major modernization of their tech as well as their security stack, and once they look at it as a program and drive it holistically, I think those organizations have a better chance of being successful, rather than doing it the other way, right? Especially because we are pivoting big time to a hybrid world and adoption of cloud, and that is not a trivial change. It's a massive transformation, and you cannot overstate the importance of security architecture change.
36:00 Raghu Nandakumara: Yeah. Do you think one transformation, this whole sort of architectural change, consumption model change and even right down to how we build applications - does that change need to be mature before the security transformation can happen? Or do you see this as very much parallel tracks that must happen together in sync?
36:23 Vishal Salvi: I think what is required is that it has to be a collaborative effort. For example, when you're doing any new application, you need to look at threat modeling. You need to start looking at, apart from doing other things, you should also start looking at API security, secure SDLC, secure CI/CD pipeline. So many things are required to be done. So I think it has to be done. I would say it'll be unrealistic to expect that everything will happen at the same time. I think what is important is a collaborative effort and approach towards secure by design. So everything that you do, you should always have security considerations in it. Do not ignore security, because you can't imagine any world today without digital. And wherever there is digital, security has to be there. I think that is the fundamental foundation of creating a future-proof architecture. And that change is important, and if somebody is just using a credit card and buying a cloud workload and then just putting some business code on it and trying to do something, and you blatantly ignore all security controls, you are just asking for a disaster to happen. So that's really what I mean.
37:47 Raghu Nandakumara: Yeah. You speak like you've seen that a few times. I read one of your really interesting posts, and I think it was titled “Zero Trust with Zero Touch.” And you introduce the idea about how ML, and maybe in the future more sort of general-purpose AI, is really going to benefit the implementation of Zero Trust controls and the, I'm going to call it always-on security, or secure by design, or however you want to call it. Where do you see the application of machine learning, and then more generally AI, towards Zero Trust? Like, what is that?
38:30 Vishal Salvi: Yeah, so Raghu, actually “Zero Trust through Zero Touch”, what it really means is a vision to do hyper automation. That's really what it means. Because things are not scaling up to solving the security operations problem.
38:47 Vishal Salvi: You will always find lapses, because we just can't get it. So just like cars are now fully automated and bots are making cars, you need to have robots who make security operations work. That's really what it means. But that's the vision. That's where we need to go to. I don't think we are there right now. I would say that we would not have come to where we are in security innovation without the use of ML, because there is a significant amount of ML in everything that we do. Every aspect of security or technology today has a lot of learning in it, because we won't be stopping 92% of the spam if we didn't have ML. I think the use of AI and how we do it in future is going to be an important aspect to watch for.
39:34 Vishal Salvi: There are many examples of use cases where we could do it. For example, in testing, in terms of monitoring, we could actually create AI algorithms for all of that, and they will get more and more mature. At the same time, we will also look at adversarial AI and how do we start mitigating and building some controls around that. And then there's a third thing. Just like we have security-by-design, we have privacy-by-design, ethical AI-by-design is going to be an important element of the future.
40:00 Vishal Salvi: And so we'll have to closely watch and see how it impacts the cybersecurity world. I think the people are the ones who design it, and all the cognitive work should go into thinking rather than doing mundane activities, which is what we are doing right now, using some very cognitive bandwidth on things which are not adding value to the human. Anyway, we have a serious challenge of demand versus supply. So I think we will never get away from this situation of zero unemployment for cybersecurity professionals, in spite of all the automation that we'll do. So I don't think that is any risk that we need to worry about. I think we should always strive to do more and more cognitive work and fully automate everything which does not add much.
40:46 Raghu Nandakumara: Yeah. Knock on wood that us cyber professionals have jobs forever. So just before we wrap, what excites you about what's on the horizon as a cyber practice leader? What is it that you are seeing from your clients that really gives you excitement, as a security practitioner?
41:05 Vishal Salvi: On one side, I'm always hoping that we are able to solve this problem and we have fewer breaches and fewer incidents, because that is the world that we want to aim for. And we don't want to have a situation where we're waiting for more incidents to happen so that we can have more job security or more revenues coming in. At least I don't subscribe to that. So I want to have a world where we are safer digitally, just like we have been able to solve this problem for air travel and so many other activities where there is zero tolerance to any risks.
41:40 Vishal Salvi: I think cyber will reach that tipping point at some stage where everybody will wake up and everybody will start taking it very seriously, and we would've truly democratized cyber. I think that's when actually it'll tip and then start going down, and it'll become a non-issue. Eventually it'll not be news anymore, and it'll be a way of doing things, but we are far away from that, maybe decades away from that right now. Right now it is still somebody getting breached as headline news. I think we need to... So we will hopefully make more secure systems by design so that we don't have these... the challenge of patching and putting bandaids on every time and getting the whole plumbing messed up.
42:18 Raghu Nandakumara: Yeah. And I think that's so interesting because it lands nicely on this real push that we are seeing around cyber resilience. That it's almost like breaches are going to happen. If we build our infrastructure, our controls, etc., in a way that allows us to just continue to function as optimally as possible, then they just essentially become an inconvenience. They don't become headline news every time the same thing happens.
42:47 Vishal Salvi: No, I think cyber resilience is a very important topic in today's context, because we have to assume that the breaches are going to happen. And you have to find out, we have to have a way in which your organization is able to calmly and coolly respond to that particular breach in a manner where they're able not just to contain and recover from that, but also go back to business resumption very quickly, and do it in a very professional and calm manner. And everybody understanding their roles and responsibilities and having a proper playbook to execute that.
43:18 Vishal Salvi: So I think that's a very important topic, and a very large number of organizations are looking at that. And I think it's something which is a very important ingredient of your strategy going forward.
43:27 Raghu Nandakumara: Yeah, I like the words calmly and coolly. Cyber resilience is being able to calmly and coolly continue operation even post-breach. Yeah, that's a nice thing to leave the listeners with as well. Vishal, we really appreciate the time you've taken to just have this conversation with us here on The Segment. Everyone listening, please go and check out Vishal's monthly newsletter on LinkedIn. It's excellent; amazing CISO insights from Vishal himself. It's called “CyberTalks: A CISO's Take on All Things Cybersecurity.” Vishal, thank you so much. This has been a pleasure.
44:03 Vishal Salvi: Thank you. And same here. Thank you so much for having me here today, Raghu, and it was a pleasure talking today and I really enjoyed this conversation.
44:13 Raghu Nandakumara: Thanks for tuning into this week's episode of The Segment. For even more information and Zero Trust resources, check out our website at illumio.com. You can also connect with us on LinkedIn and Twitter at Illumio. And if you liked today's conversation, you can find our other episodes wherever you get your podcasts. I'm your host, Raghu Nandakumara, and we'll be back soon.