Vishal Salvi, CISO, Infosys speaks on security trends in 2017
Vishal Salvi, CISO, Infosys speaks on security trends, recent ransomware and malware attacks and his security agenda, at Trend Micro's CloudSec India 2017 event in Mumbai.
We have heard that 2016 has been a year of ransomware and in 2017 also we saw that there were two incidents that took place simultaneously. What does that really tell us about our security preparedness?
If you look at the recent ransomware attacks: WannaCry on 12th of May and "Petya" on 27th of June, both are watershed events as far as cyber security is concerned. In my two decades of cyber security experience, I haven't seen so much devastation being caused by any single cyber security event which has impacted multiple organisations at the same time in a very short span of time. These are the events we should sit back and understand, learn and take lessons from. In my mind it has changed my outlook towards how we look at the issues in cyber security, how we look at the value that we add to the business, and how we need to change our strategy, our vision and our response when it comes to managing the overall cyber security. Of course it will be a mistake to just look at ransomware as an issue and focus on that; the overall strategy is extremely important, but ransomware is one example which shows us how important cyber security is for today's digital evolution. While we can't expect the technology evolution and innovation to change dramatically, we can definitely change the way we look at it. As cyber security experts, we must have an influencing capacity in terms of being able to engage the stakeholders and send the right message, get the right budgets, and make sure that you work closely with the CIO and the technology teams to be able to build the necessary controls. I think we need to observe zero tolerance when it comes to basic hygiene.
How has the role of the CISO evolved in the last few years?
Organisations which have been impacted have made the CIO and the CISO equally accountable for their role in the organisation. Today the CISO must be able to influence and convince people to invest in the right controls and build trust with the stakeholders. Otherwise you are not doing your job. So it's not about externalising the problem; you need to internalise the problem and you need to take ownership in order to make sure that it's not just implementation of control, but getting sponsorship for implementation of control is an equally important part of your role to entrust people and get it done. So I think that people should realise that's the change. In fact it was always there, but it is now more fundamental that people realise you are accountable and you need to make sure that a business case is presented. It is also about making sure that you are accountable to get maximum return on investment.
What is the importance of vendors collaboration in security and how does that impact the solutions that you choose within your organisation or for your organisation?
Generally speaking, most of the vendors have a closed approach towards their solutions and how they would want to bring them to the market. That definitely is a problem. Every security vendor has its own standard and strategy. And they haven't really been able to come together and create a common architecture and a common standard from which the world will benefit. We obviously have challenges in the bureaucracy and the processes and practitioners also. So all these are loopholes which are exploited by cyber criminals, who don't have any processes that are very cohesive.
As practitioners you have to do the best with what you have. For example, we invest in engineering, orchestration, and automation; so there is hope. But not many organisations are able to do that. We are able to do it but not many organisations are able to do that, and therefore there is always a struggle in terms of depending on an external party to come and deliver that value.
What are the top 3 things on your agenda in 2020 as far as security is concerned?
I think this year has largely been in terms of investing and building capabilities. We are actually embarking on a journey of operational excellence and making sure that every single control that has been invested in is actually delivering value for the buck. There are four important objectives: The first one is to build a team which will give assurance to our clients about the security of their data and business that they are entrusting to us. The second objective is to constantly improve the efficiency and effectiveness of the controls that we have deployed. The third objective is to ensure that people remain calm and composed when you respond to cyber events and cyber incidents that happen to your organisation, so that you not only contain them but also recover from them quickly. The fourth objective is to build a security culture. At Infosys, we have various tools and methodologies along with the maturity models that we have defined, both of which focus on improvements as well as operational excellence, and every year we revisit ourselves and constantly evolve to deliver the value that our customers expect from us.