‘Rushing into Digital Transformation Creates Security Challenges’

The cloud has new challenges because of very fast adoption and complexity of services, which leads to a lack of security understanding. Here’s how Trend Micro plans to help CISOs and CIOs cope with these challenges.

Trend Micro opened a new office in Mumbai last month. Located in Bandra Kurla Complex, the 6,879 sq. ft. office space has a Center of Excellence (CoE) and Executive Briefing Center (EBC). With the launch, Trend Micro aims to expand its cloud business in India and grow its incident response and local support teams. The company aims to continue its current focus on BFSI and specific areas in government, including defense and state data centers. It is considering additional investment in the SMB and mid-market segments, due to the surprising growth observed last year.

Image credit: Trend Micro (India)

CISO MAG was invited to visit Trend Micro’s cozy Mumbai office in December 2021. On this visit, Brian Pereira, Editor-in-Chief, CISO MAG, met Nilesh Jain, Vice President, Southeast Asia and India, Trend Micro, and Vijendra Katiyar, Country Manager, India & SAARC, Trend Micro. In an hour-long interview they spoke about the company’s achievements and plans for India. They also discussed security challenges and how organizations can cope. 

Edited excerpts from the interview follow:

How was the year 2021 for you in terms of business performance? 

Nilesh Jain: We had unprecedented growth this year (2021), and we just published our financial results for Q3; we outperformed what we forecasted. We did an upward correction on the forecast for the rest of the year. We recorded 11% year-on-year growth and significant growth in our SaaS business (double-digit), so retention is good. All the regions, including the Americas, Japan, Europe, and EMEA, performed tremendously well.

This growth is due to multiple reasons. Firstly, digital transformation has increased budgets for enterprises to invest in cybersecurity. We have been seen as a frontrunner for most cybersecurity technologies. In early 2019, we invested in XDR, the next generation of cross-generation detection and response capabilities. And we immediately saw the results. We had tremendous growth in the XDR product in America, Europe, and EMEA. Then we started acquiring new logos (new customers) across verticals. Many customers are looking to switch over from the struggling vendors, who probably can’t catch up.


What kind of transformation is happening with the cloud, and what (security) challenges does it raise for business?

Nilesh Jain: Cloud is getting more complex because suddenly you are trying to take a journey in six months or one year, which otherwise would have taken four or five years. Because of the pandemic, you have been forced to do something very quickly while your employees are working from home. Your competitors are born-in-the-cloud companies, and you started competing with those players who never existed before. Business models change. There are born-in-the-cloud companies, Internet companies, new business model companies.

Look at any domain, whether it is FMCG, retail, or the financial sector — the people we are competing with now have an IT background. The promoters of Fintechs and e-commerce companies are all IT people. So, technology started building competition for the so-called “legacy enterprises,” which were never seen as competition. I’m using legacy in a very positive way; I would call these “stabilized enterprises.” But stabilized enterprises who thought they could do this digital transformation project in three or four years never had that time.

Secondly, cloud adoption increased fast. New services were introduced in a short time. For instance, AWS launched as many new services (120) in the past two years as they previously launched in 10 years. Suddenly, the complexity of managing services and different threats come up because those services were not expected or explored. An organization lacks the skills to deal with all these new services, and it does not have a complete understanding of cloud architecture from a security perspective. And that’s why hackers can break into systems. It is because you lack the skills to protect those systems.

About the challenges. On the one hand, CIOs and CISOs are moving quickly to support business functions. Then they realized that security was left behind. So, that is one challenge we have seen. When employees started working from home, the second challenge was that the perimeter they built up for security was not there anymore – firewall and the IPS (intrusion prevention system). They are not working within those perimeters anymore. The endpoint moved away from the office, and servers in the local data center moved out of the office (to the cloud). Within your office environment and network, you have adequate security measures, but these are no longer relevant. Critical data has now moved to the cloud, and your endpoint computing has moved to the home. That’s why the biggest concern for CIOs and CISOs is how they can still get centralized visibility (like before the pandemic).

Vijendra Katiyar: No company was prepared for 100% work from home. The CISOs and CIOs we spoke with said the first problem was providing the assets (laptops). And when employees started accessing corporate applications from home, that posed a big risk to the corporate infrastructure since they were not adequately protected. Standard security policies for home users were not yet implemented. And it became a challenge to protect those endpoints and personal devices. The applications had to be protected. And that became a challenge because the applications are hosted in the cloud. And this is the reason for adopting zero-trust architecture and SASE (Secure Access Service Edge).

CISOs were now asking how to do all this to secure applications and endpoints. They were wondering how to introduce more controls without compromising user flexibility. At the same time, we do not want to put in too many controls because security should not be considered a hindrance. We should ensure that the right access is given to the right individual.

To summarize, the cloud has new challenges because of the very fast adoption and complexity of services, which leads to a lack of security understanding. And they wanted centralized visibility of what’s happening on their virtual network. These are the two major challenges we have seen for CISOs in the last two years.

What security advice would you give to businesses transitioning to the cloud and adopting emerging technologies like IoT, blockchain, and AI/ML?

Nilesh Jain: I have three pieces of advice. One, do not do digital transformation or cloud adoption for the sake of it, or just because someone else has done it. Please do not do it because it is popular, and you want to keep up. Because if you do that without careful consideration, you are bound to fail.

Two, look at your business objective. Cybersecurity is more about business objectives and more proactive than reactive. Understand where your business is trying to go. Understand why you want to do something.

Third, which facet of your business do you want to transform first? If you want to go the B2C way, you want to engage with customers in very different ways or create a different delivery mechanism. You want to pass on the cost advantage.

So, understand what it is that you are trying to do. Get your business priorities right.

There is a lot of virtualization going on. Even desktops are being virtualized with VDI. It is going towards the data center. I see the whole responsibility of security shifting to the cloud service provider. How are you working with data center providers? Because the infrastructure is not on-premise anymore. It’s on the cloud. That’s where the data and applications reside – which need to be secured. 

Nilesh Jain: We don’t have to worry about that because we have been providing data center security for many years. Today, the endpoint includes both: servers and clients. So, this question should not worry people who thought an endpoint would always remain an endpoint.

We always had custom design server security for a reason; it was designed to protect the data centers. The only thing that changed is that they started moving from the private cloud to the public cloud or using a hybrid cloud. New services emerged. We moved from legacy applications and shifted to the DevOps side. In this scenario, 20% – 30% of large enterprises use Kubernetes containers, which are more serverless. We know this game very well, so we don’t have to catch up. I mean, we don’t have to learn because we know how server applications work. We know how the data flow and data movements happen. That’s why we have been leaders with almost 30% global market share for Server Security. We started working with AWS way back in 2011 – 2012 when we were still teaching the world about cloud computing. Because of this, our learning curve gave us very good anticipation of what’s coming next, and we have been able to build a product, which is future ready.

So, while everyone was talking about shift-left, which is the DevOps side, we already had DevOps security for reasons there. Deep Security was primarily deployed on-premise, on the virtualization security side – and we quickly shifted back to DevOps. We changed the entire architecture of our product to make it DevOps ready. And because of this, we have host-based security; we have file storage security; we do cloud cluster management; we do cloud-native application security; we do Kubernetes security. And that’s our USP.

Here’s what’s happening today. CISOs are offered one dozen different solutions for Kubernetes security. They are told to buy this, but they need a different solution if they are going serverless. If they are going on file storage, they must buy something else. And this goes back a few years when, for endpoint, you had to buy different solutions and load it up on endpoints, which is not practical. Instead, we offer comprehensive cloud security, which does everything. It is all integrated, all bundled into one customer solution.

We believe customers should not buy a product. They should buy a partner. If you happen to choose the right partner, you don’t have to keep on scouting for the right products. Your partner does it for you. We are building everything that they will require through integrations. And we work with most of the cloud services: Azure, Google, AWS, and do the integration.

There is always going to be the question about ROI in Security. Earlier, ROI was more on qualitative terms. Now you define it in quantitative terms and see how much impact it has on business. When customers deploy Trend Micro’s Cloud One, we can immediately show tangible results. And if you use it over, say, five years, we will be on that journey with you, and you do not need to re-architect your cloud security posture. The same product can scale up to your future needs. So, we protect a lot of manpower efforts and customer investment.

Let’s talk about your investment in Cloud One data centers. How much are you investing? How does this fit in your India plans? 

Vijendra Katiyar: I won’t put a number on it. Of course, it is very important and relevant to us. We see a lot of interest in the cloud from both private enterprise, government, and public sector companies. Many of our customers are from the banking sector, the financial vertical, regulated by different bodies. So, data sovereignty and data residency become very important. If you want customers to adopt cloud services, you must address this.

When customers move from on-premises to the cloud, you need to think about how to secure their infrastructure. How do you ensure that the journey is smooth without worrying about those security concerns? So, one of those critical initiatives was to have a Cloud One data center hosted in India. The platform is hosted with a cloud service provider in Mumbai. It is offered to any customer, any enterprise in India, or to the government. Very recently, the government introduced a data privacy law. It released guidelines for data residency. While this applies to certain verticals, we see it also coming to other industries that are not so regulated. They will also start insisting on data sovereignty.

So, it made a lot of business sense to support our customers to ensure that we are there to secure their applications, servers, and workloads in the cloud if they are using any of the cloud service providers.

Where do you see the biggest potential in India for your solutions? And how are you going to address that market? 

Nilesh Jain: In India, the biggest potential has to be unleashed from the SMB and mid-enterprise markets. They yearn for an SOC operation at affordable pricing. One can provide that affordability only through a locally delivered ecosystem. It calls for local SOC partners who can deliver that value at economical value. And that is what we are delivering. We can unleash the potential today through XDR. But it’s been adopted only by a few large enterprise customers who have multi-million dollar budgets and some compliance to fulfill.

The biggest potential lies in the mid-market — SMB or lower pie of large enterprises. And that’s a potential that we are trying to unleash by creating a comprehensive service delivery at much more economical prices. For that, we need to have SOC partners who can do a much better job.

We are working with SOC partners and integrating our products there, scaling them up. The backbone of that SOC is still Trend Micro Vision One. It can consume data and information and respond. It is based on Trend Micro’s Vision One engine. And then, we can not only respond on Trend Micro products by leveraging SOC partner capabilities but also on third-party products. Customers don’t want to depend on only one product; they want best of breed on endpoint and server from Trend Micro, but for CASB, they might prefer someone else; for firewall, they may opt for another vendor. That’s why we must support the customer through an SOC. If you are to be successful in XDR, you must learn to work with an SOC partner. Yes, some large enterprise customers, like the large banks, have their own internal SOC and may not need an external SOC partner. We can work with their internal teams as well.

What is your vertical focus for India? How many customers do you have in India?

Vijendra Katiyar: BFSI is number one for us, and there is also a focus on digital-native companies. We have formed a business vertical focusing on the cloud, which will work with many digital-native companies whose entire business is born in the cloud. We have been working with a lot of other enterprises, especially in manufacturing, pharma, and IT/ITES.

Nilesh Jain: In 2021, we gained 120 customers in India. But in the last two years, we acquired nearly 300 customers. These are mid-enterprise to large customers. There was a surprising surge in SMB in the last two years. So, we might invest more into the SMB business and scale it up.

And we work closely with AWS. They open many accounts that we might not even have visibility into. But customers who adopt AWS would like to partner with us.

How do you serve the government and public sector? 

Vijendra Katiyar: We have a very strong government team that focuses on central and state government. One area where we see a lot of potential is Smart Cities. We have participated in many leading smart city projects to make smart cities more secure.

Defense is another area, and we built a team to focus on this sector. It’s an important sector for the government, and the sector is seeing a lot of cyberattacks. We know that there are guidelines, policies, and government initiatives being digitalized, and we want to help the government securely do this. We are working towards that.