“Future of workspace will significantly differ from what it was before the pandemic”

Vishal Salvi is Senior Vice President, Chief Information Security Officer and Head of the Cyber Security Practice at Infosys. He is responsible for the overall information and cybersecurity strategy and its implementation across Infosys Group. Salvi is additionally responsible for the Cyber Security Business Delivery, driving security strategy, delivery, business, and operations enabling enterprise security and improving overall security posture.

In a video interview with Augustin Kurian from CISO MAG, Salvi spoke about cybersecurity during the COVID-19 pandemic, how the organization should channelize its cybersecurity resources into several verticals.

Here’s an edited excerpt from the transcript of the interview:

As soon as the COVID-19 pandemic was announced, several industry leaders were apprehensive about security with WFH format. It was a big task and something that the companies weren’t sure of, as they were not aware of how dynamic the changes would be. From that perspective, how has the transition been from that period and what are the alternatives if you just cannot work from the office but still must maintain high security?

I think the transition has been smooth for us at Infosys. We were planning it well in advance in terms of looking at how the pandemic was unfolding. And we were planning for a scenario where we would eventually look at a complete lockdown. If you look at organizations the size of Infosys, it is a massive workforce. Some of our development centers (DC) have more than 40,000 employees in them. So, it was important that we had to plan well in advance and then it was all about execution.

The power of Infosys is that all the teams came other, whether it is our leadership team, our business continuity management team, our technology team, our information security team, our delivery teams, our DC heads. As a result of that, just before the lockdown, 80% of our employees were working from home. So, to answer your question, I don’t think we could have done any better than what we did. I think in many ways we were ahead of the leaders in the industry when it came to that. We made sure that people working from home are enabled and that all the approvals that were required from customers in terms of obligations and contractual requirements were also in place before a massive change happened.

As soon as the pandemic occurred, you said every industry had a void, and “every industry is now a hunting ground for cybercriminals.” And there are a lot of cases when it comes to data security, where many times industries do not know what their critical data is. So, how do you think we can combat it?

If you see cybersecurity as a topic, it has been very important for organizations for a couple of years now and every year you are seeing a different type of attack coming in, the frequency and the impact of the breaches are only growing. So, it should come as no surprise to us that when the whole world is growing through a situation where we are testing the home networks infrastructure and different models of connectivity, it is quite natural to expect that there is going to be an avalanche of phishing attacks using COVID as a theme.

If you look at all the publicly discoursed attacks which have happened in the past three months, you will also see that the frequency of the number of ransomware attacks, or malware related attacks has gone up pretty significantly. Now all of this is requiring us to (a) be aware of what is happening and (b) take necessary steps to respond to that. Because as the threat landscape changes, one also needs to change the strategy on how you are going to defend your organization.

In many organizations, cybersecurity is an opportunity, and if it is driven strategically then it can become a big potent weapon for you, for your business. So, my message is that this is something that you should all be cognizant of and we should defiantly take note of how the threat landscape as evolved. You have to, therefore, recalibrate your approach and your strategy for combating it.

If you observe the anatomy of most attacks, they are directed towards exploiting vulnerabilities, for which patches have always been available, which is incumbent on most organizations. My message to the industry is very sharp: You must get your fundamentals and basics right and should not compromise on this.

How far has Infosys or clients gone with leveraging AI and ML to curb attacks when every employee was working from home?

I think overall there is a heightened interest by the threat actors in the issue of ransomware in terms of economics. There are gangs which have started taking ownership and accountability of some of the incidents that have happened. There is some clear dynamics on how that whole activity is playing out.

I think we can see the aftermath and that is where, fundamentally, IT hygiene comes in. But it is also a high-end problem to solve, and the reason is because as you grow and become a large organization, you start getting the visibility of your IT infrastructure, and the threat surface becomes extremely hard. And after you get the visibility, you have to also make sure that every time you are able to patch and deliver the regular updates, operating systems and applications–and software keeps on becoming obsolete–the rate of obsolescence is far higher in the security and software world as compared to any other system that you can think of.

If you observe the anatomy of most attacks, they are directed towards exploiting vulnerabilities, for which patches have always been available, which is incumbent on most organizations. My message to the industry is very sharp: You must get your fundamentals and basics right and should not compromise on this. We are seeing a high degree of incidents and impacts due to the increasing contact of malware/ransomware with the systems. Based on our research and publicly known attacks, we have witnessed over 111 ransomware attacks in 2020.

The reality of cybersecurity systems and software today is that we cannot survive or deliver value without artificial intelligence (AI) and machine learning (ML). Most of the security solutions we have been using for the past decade have always had ML embedded into it as a feature,  well before it was well-known as a concept. Nearly 92% of the world’s emails are spam. The fact that the whole security world is blocking that is because it is done by intelligent software and not human beings.

When we look at threat intelligence or normalization, there is a lot of AI and ML involved to work effectively. Cybersecurity is one industry that has truly embedded AI and ML in the way it delivers value.

We are in an “in-between phase,” which is basically between the post-COVID and pre-vaccine era. It is just like implementing proper patches and segmentation in cybersecurity, which is equivalent to physical/social distancing today. We have been applying these strategies all throughout. We will continue to adopt this throughout this pandemic until we have a vaccine.

A lot of industries can’t afford to have CISOs. If a company cannot afford a CISO, what should be the benchmark that they should follow? How can they be instrumental in using their security team and their existing resources?

There are a few areas to focus on. Firstly, I do not think that the CISOs are coming into the limelight or that their importance has grown. It is not about the CISOs; it is all about securing the enterprise. A CISO is only an incidental character whose role is to protect your enterprise. We should not give too much importance to the CISOs; it is the whole team and the ecosystem that drives the implementation.

Secondly, cybersecurity has always been a mainstream issue for years now. For the last two to three years, it has prominently been on the board agenda. COVID-19 is not driving the change, it is merely validating the fact that it is an important topic. It has just highlighted the fact that cybersecurity is important.

Thirdly, when it comes to the affordability of any organization to hire a CISO or otherwise, it depends. It is for the organization to decide what is more important for them. I always say that cybersecurity is a very strategic problem for an organization. If they look at it strategically, one can make it a differentiator for them. For instance, I was a banking CISO for many years. A lot of products in banking can only be successful because of security. If they remove security even for a fraction of five minutes, there would be mayhem in terms of incidents and breaches that can happen. So, security plays a strong enabler to allow banks to work with confidence. It allows them to open their reach and access to a broader set of customers. Security can play a strategic and enabling role for any organization.

Augustin Kurian is a Senior Feature Writer and part of the editorial team at CISO MAG. He writes news features on cybersecurity trends.