
“An organization’s security culture requires care and feeding”

Ravinder Arora, Chief Information Security Officer, IRIS Software

Ravinder Arora, Chief Information Security Officer, IRIS Software, is an award-winning CISO, speaker and trainer. He is the winner of the TOP100 CISO Award (2014-2017), Innovative CIO Award (2017), and Info-Sec Maestros Award (2017, 2018). He also won the Best CIO and CISO Award from Enterprise IT World. Arora is a much sought-after CIO/CISO in India and has served on many panels and committees on information security.

He has worked with India’s National Skill Development Mission (under the aegis of the Ministry of Skill Development and Entrepreneurship) for creating cybersecurity awareness and sharing knowledge with students. 

Before IRIS Software, he served organizations such as Hewlett Packard and GENPACT.

In an exclusive interview with Brian Pereira, Principal Editor, CISO MAG, Arora reveals the initiatives and strategies he undertakes to make employees and management cyber-aware, in a very engaging way. We also asked him about the qualities and abilities that make a good CISO.

Are organizations in India doing enough to make their employees aware of cybersecurity? Is it only the larger companies in regulated industries?

Information security has become one of the most important and challenging issues facing today’s organizations. With the use of technology and widespread connectedness to the environment, organizations have become increasingly exposed to numerous and varied threats. Outsourcing and offshoring bring new partners into an extended enterprise, with different technologies, cultures, and sensitivities to information management. Contracting, telecommuting, and mobile workers all contribute to new security risks.

A survey conducted by the Computer Security Institute with the participation of the FBI’s Computer Intrusion Squad clearly stated that: “Overall financial losses from 530 survey respondents totaled US$201,797,340…”

The report also states: “Cyber-crimes and other information security breaches are widespread and diverse. A full 92% of respondents reported attacks.”

Most Indian organizations (90%) faced challenges regarding employee or leadership cybersecurity awareness and education. I would say many organizations have started working in this domain but still have a long way to go.

We can say “Yes” for large companies. This is a culture change, but slowly, small companies are also undergoing this change in their culture.

What are some of the initiatives you have taken in your company to make employees and senior management cyber-aware?

An organization’s security culture requires care and feeding. It is not something that grows in a positive way, organically. You must invest in a security culture. A sustainable security culture is bigger than just a single event. When a security culture is sustainable, it transforms security from a one-time event into a lifecycle that generates security returns forever.

There are different programs that we run periodically to ensure awareness among employees and leadership. A month ago, we conducted Information Security Awareness Week in our organization. There were floor sessions on cybersecurity, different games, and a drill for identifying security champions. The most exciting item on the agenda was the information security skit. Apart from this, we have data privacy training that is mandatory for every employee to attend.

Apart from general awareness, there is also a need for application security knowledge. Application security awareness (AppSec) is for developers and testers within the organization, and we are doing this as we are a software company. AppSec awareness teaches the more advanced lessons that staff need to know to build secure products and services. Our AppSec training is based on OWASP top vulnerabilities and guidelines.

What impact has GDPR and other laws made on Indian organizations? Do you observe a change of attitude towards cybersecurity?

GDPR will replace the 1995 Data Protection Directive and is aimed at protecting the personal data of EU citizens in the new digital world. The regulation covers all the EU member states and citizens, so all global enterprises with operations or customers in the EU must comply. Europe is a significant market for the ITeS, BPO and pharmaceutical sectors in India. The size of the IT industry in the top two EU member states (Germany and France) is estimated to be around US$155–220 billion. For the Indian IT industry to continue doing business in Europe, it needs to comply with GDPR.

Indian companies are likely to face increased compliance costs on the back of GDPR or risk huge penalties if they fail to comply. But they could see it as a business opportunity. Moreover, following the Supreme Court’s verdict, a data protection framework has been proposed by the Srikrishna Committee in India. Of course, whether the legislation will satisfy the criteria laid down under the GDPR or not remains to be seen.

Penalties are high for non-compliance with these laws, so we can see a sense of seriousness and a change of attitude towards cybersecurity.

You have won a lot of awards and have been a Top100 CISO in India. What are the special abilities and strategies that have got you these accolades? What are the qualities that make a good CISO?

I would say I can listen closely and am ready to speak with anyone in a friendly and approachable manner. I can make risk-based, business-oriented decisions and execute them.

I like to contribute to the information security community, and that’s why the community also rewards me with awards. I am also a regular speaker at several colleges in India and have written more than 20 articles on cybersecurity for leading magazines.

Part of a CISO’s job is communicating directly with the board. That will involve reporting on progress, seeking funds for development, ensuring the company’s data security goals and objectives are being met, and being able to explain why, if they are not. Unfortunately for CISOs, boards generally don’t speak “infosec.” So, their job also means translating their requirements, goals and reports into digestible chunks that a board of directors can fully understand.

An important aspect of being a CISO is to remember that they can, if they really want, create a super vault, unbreakable and un-hackable, from which information cannot escape. But this vault is probably going to impede the business from making money. After all, a business needs information to flow. A good CISO will always be playing a balancing act between what is good for security and what is good for the business.

You have worked with the National Skill Development Mission for creating cybersecurity awareness and sharing knowledge with students. What needs to be done in our education system to create more cybersecurity professionals, or at least nurture an interest in cybersecurity in young minds?

I think there is a clear gap between cybersecurity demand and the supply of the right skill set. According to a 2019 survey, the current requirement of cybersecurity professionals is pegged at 3 million, whereas the cybersecurity workforce is less than 0.1 million in India.

There is a lack of infrastructure for cybersecurity training in India. Many Indian institutes have launched courses on cybersecurity. But most of these courses are theoretical, based on presentations. These don’t expose candidates to the practical, real-world aspects of cybersecurity and the underlying dynamics, which could differ radically from one to another.

The Indian government, along with the top-tier technical institutes, needs to improve the curriculum of such courses to include hands-on training using technologies such as cyber ranges.

What is your biggest fear as a CISO? What gives you sleepless nights? And how are you preparing to counter that, with technology and strategy?

I think each morning seems to bring new reports of hacks, privacy breaches, and threats to national defense or our critical infrastructure. As the attacks become more sophisticated and more frequently perpetrated by nation-states, and criminal syndicates emerge, my fear is the same as that of any other CISO: that my organization should be protected from any cyberattack, especially ransomware.

To counter these attacks, the most important part is to recognize the warning signs. Compliance lapses, audit issues, and a lack of metrics and transparency can all be harbingers of potential security problems as well. It’s very important to make time for innovation in security strategies and to use the latest tools and technologies.