Artwork for podcast The Cybersecurity Readiness Podcast Series
Cybersecurity As A Strategic Opportunity
Episode 389th November 2022 • The Cybersecurity Readiness Podcast Series • Dr. Dave Chatterjee
00:00:00 00:38:15

Share Episode

Shownotes

In this episode, Kal Sambhangi, Senior Vice President, Cybersecurity Strategy and Architecture at Truist, shares his vision of the future of cyber governance. According to him, the leadership mindset needs to change whereby they are optimistic and opportunistic about cybersecurity and view developing cybersecurity capabilities as a source of competitive advantage. Kal also emphasized the importance of attracting professionals from other fields. He said, “I think cyber security as a community should start embracing people with other skills. I think there is a lot of opportunity here, for people skilled in software development, program management, product management, and data analytics.”

To access and download the entire podcast summary with discussion highlights --

https://www.dchatte.com/episode-38-cybersecurity-as-a-strategic-opportunity/


Connect with Host Dr. Dave Chatterjee and Subscribe to the Podcast

Please subscribe to the podcast, so you don't miss any new episodes! And please leave the show a rating if you like what you hear. New episodes release every two weeks.

Connect with Dr. Chatterjee on these platforms:

LinkedIn: https://www.linkedin.com/in/dchatte/

Website: https://dchatte.com/

Cybersecurity Readiness Book: https://www.amazon.com/Cybersecurity-Readiness-Holistic-High-Performance-Approach/dp/1071837338

https://us.sagepub.com/en-us/nam/cybersecurity-readiness/book275712

Transcripts

Kal Sambhangi:

Welcome to the Cybersecurity Readiness Podcast

Kal Sambhangi:

Series with Dr. Dave Chatterjee. Dr. Chatterjee is the author of

Kal Sambhangi:

the book Cybersecurity Readiness: A Holistic and

Kal Sambhangi:

High-Performance Approach, a SAGE publication. He has been

Kal Sambhangi:

studying cybersecurity for over a decade, authored and edited

Kal Sambhangi:

scholarly papers, delivered talks, conducted webinars and

Kal Sambhangi:

workshops, consulted with companies and served on a

Kal Sambhangi:

cybersecurity SWAT team with Chief Information Security

Kal Sambhangi:

officers. Dr. Chatterjee is Associate Professor of

Kal Sambhangi:

Management Information Systems at the Terry College of

Kal Sambhangi:

Business, the University of Georgia. As a Duke University

Kal Sambhangi:

Visiting Scholar, Dr. Chatterjee has taught in the Master of

Kal Sambhangi:

Engineering in Cybersecurity program at the Pratt School of

Kal Sambhangi:

Engineering.

Dr. Dave Chatterjee:

Hello, everyone, I'm delighted to

Dr. Dave Chatterjee:

welcome you to this episode of the Cybersecurity Readiness

Dr. Dave Chatterjee:

Podcast Series. Our discussion will revolve around recognizing

Dr. Dave Chatterjee:

the strategic potential and capabilities of cybersecurity,

Dr. Dave Chatterjee:

instilling security in the executive mindset, the

Dr. Dave Chatterjee:

importance of holistic cybersecurity governance, how do

Dr. Dave Chatterjee:

you draw professionals from other fields into cybersecurity,

Dr. Dave Chatterjee:

and more. I'm delighted to host Kal Sambhangi, Senior Vice

Dr. Dave Chatterjee:

President, Cybersecurity Strategy and Architecture at

Dr. Dave Chatterjee:

Truest. Kal, welcome.

Kal Sambhangi:

Thanks Dave for having me here today.

Dr. Dave Chatterjee:

Well, I know the listeners are in for a

Dr. Dave Chatterjee:

treat. Because when we had our planning meeting, you shared

Dr. Dave Chatterjee:

some very powerful perspectives. And I'm looking forward to

Dr. Dave Chatterjee:

discussing those with you this afternoon. But before we get

Dr. Dave Chatterjee:

into all that, how about providing listeners with some

Dr. Dave Chatterjee:

highlights of your professional journey?

Kal Sambhangi:

Sure, I started my professional journey soon

Kal Sambhangi:

after I completed my engineering and MBA in finance in India. And

Kal Sambhangi:

you know, back in the late 90s, ERP was a big thing. And my

Kal Sambhangi:

background in finance helped me to establish myself as a intern

Kal Sambhangi:

to start with and then worked my way up in the consulting world,

Kal Sambhangi:

specifically in ERP implementation and

Kal Sambhangi:

customization, then as chance by chance into data analytics, and

Kal Sambhangi:

all. From an experience standpoint, working with large

Kal Sambhangi:

systems integrators, consulting firms, retailers, and financial

Kal Sambhangi:

services. Specifically, most of my career has been in data

Kal Sambhangi:

analytics, but I took some risk, made a pivot in during the

Kal Sambhangi:

pandemic, when an opportunity struck for me to take a role in

Kal Sambhangi:

cybersecurity. I thought that could be something new,

Kal Sambhangi:

refreshing, and I moved to cybersecurity in 2019. So it's

Kal Sambhangi:

been close to five years for me in this space, apart from my

Kal Sambhangi:

previous experiences. Hope that helps.

Dr. Dave Chatterjee:

Fantastic! that's such an eclectic

Dr. Dave Chatterjee:

background. In fact, that brings back memories of my own

Dr. Dave Chatterjee:

experience, where I started my career in accounting as a

Dr. Dave Chatterjee:

chartered accountant, and then gravitated to information

Dr. Dave Chatterjee:

systems. And now I'm focusing on cybersecurity. So that's

Dr. Dave Chatterjee:

phenomenal. So Kal, I'll reference our planning meeting

Dr. Dave Chatterjee:

that we had, where you shared some very powerful and

Dr. Dave Chatterjee:

interesting perspectives. And I quote from one of them. You

Dr. Dave Chatterjee:

said, "the security industry needs to pivot away from talking

Dr. Dave Chatterjee:

about things and why they go wrong, into getting things done

Dr. Dave Chatterjee:

and fixing things." This is not a problem, which has or can have

Dr. Dave Chatterjee:

a purely technological solution. Can you please expand?

Kal Sambhangi:

Sure, I said, getting things done, rather than

Kal Sambhangi:

talking about things. I think it goes back to some of the other

Kal Sambhangi:

thoughts I shared in terms of a moving away from a

Kal Sambhangi:

compliance-oriented function towards really doing something

Kal Sambhangi:

from an implementation standpoint. But before I get

Kal Sambhangi:

there, I think today, as we all know, cyber risk is everywhere.

Kal Sambhangi:

And for all the investments we've been making, to secure our

Kal Sambhangi:

systems, product, customers, we're still struggling to make

Kal Sambhangi:

cybersecurity, in my view, a vibrant, proactive part of

Kal Sambhangi:

strategy, operations and the enterprise culture. In my view,

Kal Sambhangi:

the root cause could be twofold. Now, obviously, cyber security

Kal Sambhangi:

most of the time is treated as a back office job. 2) most cyber

Kal Sambhangi:

leaders, at least I have come across I have had experience

Kal Sambhangi:

with, not to kind of belittle anything, but I've come from

Kal Sambhangi:

technology backgrounds, just like me and we lack a little or

Kal Sambhangi:

maybe a little ill-equipped from exerting strategic influence

Kal Sambhangi:

across the organization. So given that, again, we also hear

Kal Sambhangi:

that an average tenure for a cyber leader is 18 months. But

Kal Sambhangi:

it's clear that something is not right, something needs to

Kal Sambhangi:

change. And we have all seen historically, companies have

Kal Sambhangi:

expected security leaders to focus on technical tasks. And

Kal Sambhangi:

not maybe a lot of expected more of them. But as the regulatory

Kal Sambhangi:

policies change, as this cyber threats and the compliance

Kal Sambhangi:

regulation aspect, and as companies become more and more

Kal Sambhangi:

digital enabled, I think the goal of securing the business is

Kal Sambhangi:

a much more big strategic decision, rather than a set of

Kal Sambhangi:

technical tasks. It's all about the business models, the digital

Kal Sambhangi:

strategy, the product mix, the merger and acquisitions.

Kal Sambhangi:

cybersecurity, in my view, is or should not be an afterthought,

Kal Sambhangi:

but should be part of the business model itself, or part

Kal Sambhangi:

of the digital strategy itself, part of the product mix itself,

Kal Sambhangi:

we can discuss those in detail later. But at a at a high level,

Kal Sambhangi:

that's what I think.

Dr. Dave Chatterjee:

I couldn't agree with you more.

Dr. Dave Chatterjee:

Cybersecurity needs to be part of the strategic core, integral

Dr. Dave Chatterjee:

to strategic decision making, and a key and distinctive value

Dr. Dave Chatterjee:

proposition. So please continue. This is great.

Kal Sambhangi:

I think the cyber leadership should help embed

Kal Sambhangi:

security throughout the company's products, channels,

Kal Sambhangi:

operations. And to do so, obviously have to influence

Kal Sambhangi:

fellow senior leaders, right. Has to be a collaborative

Kal Sambhangi:

effort. So if you have to influence fellow senior leaders,

Kal Sambhangi:

then you got to be talking the same language, you got to be

Kal Sambhangi:

talking and walking the same languages as well. So I think

Kal Sambhangi:

that's the key from a cyber leadership standpoint. That

Kal Sambhangi:

means, companies need to develop security executives, who have

Kal Sambhangi:

the skills to do so. And this goes back to my point of how

Kal Sambhangi:

much of inboarding could we do to expedite building these

Kal Sambhangi:

skills within the organization versus onboarding, or basically

Kal Sambhangi:

bringing in more business leaders into security in some

Kal Sambhangi:

form or fashion, building that connectivity, that thread

Kal Sambhangi:

between the various functions in the organization.

Dr. Dave Chatterjee:

Interesting. So essentially, what you're

Dr. Dave Chatterjee:

saying is, unless the C-suite folks recognize the significance

Dr. Dave Chatterjee:

of security, and are willing to make it centric to the overall

Dr. Dave Chatterjee:

strategic goals of the organization, you're unlikely to

Dr. Dave Chatterjee:

see an organization-wide acceptance, organization-wide

Dr. Dave Chatterjee:

involvement, whereby everybody does their part, as opposed to

Dr. Dave Chatterjee:

kind of outsourcing it to a group of people, whether

Dr. Dave Chatterjee:

internal or external, to do the heavy lifting.

Kal Sambhangi:

Absolutely, absolutely. And security should

Kal Sambhangi:

not just be embedded in the processes, but at the end of the

Kal Sambhangi:

day in the culture. So it's about how securely we are

Kal Sambhangi:

engaging with our customers, how securely we are running our

Kal Sambhangi:

business. So it needs to be embedded in the culture. I think

Kal Sambhangi:

that that's where I was going to. And that kind of resonates

Kal Sambhangi:

with your statement as well.

Dr. Dave Chatterjee:

For security, to become part of the

Dr. Dave Chatterjee:

organizational culture, for security to become part of the

Dr. Dave Chatterjee:

executive mindset, organizational mindset. It

Dr. Dave Chatterjee:

requires training, it requires awareness, it requires job

Dr. Dave Chatterjee:

rotation. Like you said, it requires creation of attractive

Dr. Dave Chatterjee:

roles, which will draw people from other fields into

Dr. Dave Chatterjee:

cybersecurity. How the CISO function and reporting

Dr. Dave Chatterjee:

relationships are structured also depends on how information

Dr. Dave Chatterjee:

security is perceived by the leadership. Talking about

Dr. Dave Chatterjee:

structuring CISO reporting relationships, there are various

Dr. Dave Chatterjee:

views out there. According to one school of thought the Chief

Dr. Dave Chatterjee:

Information Security Officer CISO should report directly to

Dr. Dave Chatterjee:

the CEO. According to another school of thought CISOs should

Dr. Dave Chatterjee:

report to the external audit committee. Based on your

Dr. Dave Chatterjee:

experience Kal, having worked in different organizations,

Dr. Dave Chatterjee:

currently, you're a senior leader in a very large

Dr. Dave Chatterjee:

institution, do you feel that steps are being taken to create

Dr. Dave Chatterjee:

and sustain a high-performance information security culture.

Dr. Dave Chatterjee:

Also, what are your thoughts and perspectives on the ideal CISO

Dr. Dave Chatterjee:

reporting structure?

Kal Sambhangi:

I think yes, there is the intent. And large

Kal Sambhangi:

organizations specifically in certain industries are moving

Kal Sambhangi:

towards that. But you just mentioned about where should the

Kal Sambhangi:

cyber leadership role align to? Shouldn't it be reporting into

Kal Sambhangi:

the CEO or the chief operating officer, or the risk committee?

Kal Sambhangi:

I think there are different variations of the model, there

Kal Sambhangi:

are different thought processes. I think, from my perspective, I

Kal Sambhangi:

always felt it is about setting the intent. There is no one size

Kal Sambhangi:

fits all. But I think setting the intent in terms of primary

Kal Sambhangi:

options considering building the strategy around business

Kal Sambhangi:

continuity, brand protection, bottom line growth, regulatory

Kal Sambhangi:

compliance, I think setting the intent around these larger

Kal Sambhangi:

strategic themes is key. I think the business context drives

Kal Sambhangi:

these choices where it should lie. I think the business

Kal Sambhangi:

context and the intent are very, very important. You may want to

Kal Sambhangi:

think factors like regulatory pressure or risk exposure, what

Kal Sambhangi:

really customers are looking for. I'll give you a couple of

Kal Sambhangi:

examples here, an electric company may prioritize business

Kal Sambhangi:

continuity to ensure the highest service or time, in a cost

Kal Sambhangi:

pressure market, while an IoT manufacturer may focus on

Kal Sambhangi:

growth, betting on cyber security's ability, to be a

Kal Sambhangi:

differentiator, and to justify the premium raises. Similarly,

Kal Sambhangi:

if financial services firm given that the thin line between

Kal Sambhangi:

fraud, privacy, and cybersecurity is kind of thin

Kal Sambhangi:

line, and it's waning away, I think the intent here in terms

Kal Sambhangi:

of hey, if, at the end of the day, it's the customer

Kal Sambhangi:

experience which matters. At the end of the day, it's the

Kal Sambhangi:

customer experience on digital channels, which is going to was

Kal Sambhangi:

growth, I think that intent and the context should drive the

Kal Sambhangi:

choices in terms of the cyber leader should report into and so

Kal Sambhangi:

on, so forth. I think it's all about the why for cybersecurity,

Kal Sambhangi:

the why for cybersecurity, and, and these choices, go back to

Kal Sambhangi:

the why. And choosing strategy, or the response to the why will

Kal Sambhangi:

obviously cascade down to operational activities will then

Kal Sambhangi:

drive business outcomes. I think at the end of the day,

Kal Sambhangi:

cybersecurity as a function cannot afford to be just

Kal Sambhangi:

technology and tools driven, because there's too much at

Kal Sambhangi:

stake right now. So I think it is the business context. And it

Kal Sambhangi:

is the intent, and why which will drive a broader strategy

Kal Sambhangi:

and the alignment of cyber leadership within the

Kal Sambhangi:

organization. That's my perspective, rather than saying

Kal Sambhangi:

it should be aligned to the CEO or the COO or the risk

Kal Sambhangi:

committee.

Dr. Dave Chatterjee:

Very fair. You have to contextualize

Dr. Dave Chatterjee:

cybersecurity, given the vision, mission, goals of the

Dr. Dave Chatterjee:

organization,

Kal Sambhangi:

Growth strategy as well, where am I in? How do I

Kal Sambhangi:

want to grow? Yeah, things like that.

Dr. Dave Chatterjee:

This reminds me of another guest, who

Dr. Dave Chatterjee:

made a very interesting and poignant statement. He said, I'd

Dr. Dave Chatterjee:

encourage the C level leaders to look at cybersecurity as an

Dr. Dave Chatterjee:

opportunity, instead of viewing it as a hurdle, a stumbling

Dr. Dave Chatterjee:

block, and a cost of doing business. So the leadership

Dr. Dave Chatterjee:

mindset needs to change, where they are optimistic and

Dr. Dave Chatterjee:

opportunistic about cybersecurity. They view

Dr. Dave Chatterjee:

developing cybersecurity capabilities as a source of

Dr. Dave Chatterjee:

competitive edge, competitive advantage. So

Kal Sambhangi:

Exactly. I think the key is the cybersecurity

Kal Sambhangi:

could be a competitive advantage. I think that's the

Kal Sambhangi:

paradigm shift.

Dr. Dave Chatterjee:

Yes, that is the kind of paradigm shift

Dr. Dave Chatterjee:

that is needed for information security, to become part of the

Dr. Dave Chatterjee:

strategic core. When the leadership starts looking at

Dr. Dave Chatterjee:

cyber. from a strategic standpoint, they will include

Dr. Dave Chatterjee:

cybersecurity in their discussions of whether they

Dr. Dave Chatterjee:

should launch a certain initiative or a certain product,

Dr. Dave Chatterjee:

and if so, what are the security implications? And how are they

Dr. Dave Chatterjee:

going to address it?

Kal Sambhangi:

You're absolutely right Prof. Chatterjee. I just

Kal Sambhangi:

wanted to, you know as the businesses are evolving, and the

Kal Sambhangi:

digital channels are becoming the prime channels to, to sell a

Kal Sambhangi:

product or an offering or to service a product or an

Kal Sambhangi:

offering, I think the the the trust factor, and the importance

Kal Sambhangi:

of trust factor, between the one who is offering the service and

Kal Sambhangi:

one who is consuming the service, I think that the

Kal Sambhangi:

importance of the trust factor has kind of an elevated level

Kal Sambhangi:

and for the business to be successful. Be it any industry,

Kal Sambhangi:

you don't see, we're talking about back or a few years ago,

Kal Sambhangi:

when we say a bank was a brick-and-mortar walkin branch,

Kal Sambhangi:

similarly, retailer was the same thing. But now, when we're

Kal Sambhangi:

talking about e-commerce and e-banking and digital channels,

Kal Sambhangi:

the trust factor is the key, and that becomes a competitive

Kal Sambhangi:

advantage. Establishing a greater trust, when we're

Kal Sambhangi:

talking about the digital channels, when we are not really

Kal Sambhangi:

touching them talking to people at a branch. So establishing

Kal Sambhangi:

that trust is a competitive advantage. And obviously,

Kal Sambhangi:

cybersecurity is part of that trust. Breach means you have

Kal Sambhangi:

your customers who are kind of thinking about, hey, should I

Kal Sambhangi:

actually stay with this organization where there is a

Kal Sambhangi:

breach and my data could be compromised, my personal

Kal Sambhangi:

information could be compromised. And that's a

Kal Sambhangi:

reputational risk, huge reputational risk, apart from

Kal Sambhangi:

the financial risk and other risks for the organization. But

Kal Sambhangi:

at the same time, for the end-customer, not having the

Kal Sambhangi:

trust, I think I know that some much broader business risk for

Kal Sambhangi:

the for the organizations.

Dr. Dave Chatterjee:

I like the way you brought in trust to

Dr. Dave Chatterjee:

frame the significance of what we are talking about. Trust is

Dr. Dave Chatterjee:

such a great leveler. And it brings to perspective, what's

Dr. Dave Chatterjee:

key, and how cyber can play a role in enhancing trust.

Dr. Dave Chatterjee:

Customers have to trust the quality of the product, quality

Dr. Dave Chatterjee:

of the service, and alongside with those, customers must also

Dr. Dave Chatterjee:

be able to trust that the information they're sharing, or

Dr. Dave Chatterjee:

the information the company has about them is being safe

Dr. Dave Chatterjee:

safeguarded, to the best of the organization's abilities. So

Dr. Dave Chatterjee:

trust is definitely a common denominator. And that's a great

Dr. Dave Chatterjee:

way of trying to raise the level at which cybersecurity should be

Dr. Dave Chatterjee:

perceived and integrated within the organization. On a related

Dr. Dave Chatterjee:

note, as we have seen time and again, it brings back memories

Dr. Dave Chatterjee:

of the Enron scandal, then the arrival of the SOX legislation,

Dr. Dave Chatterjee:

time and time again, history tells us that organizations are

Dr. Dave Chatterjee:

more reactive, organizations need the fear of enforcement of

Dr. Dave Chatterjee:

compliance requirements, to get things done, the proactive

Dr. Dave Chatterjee:

effort is not there. And to to make it a proactive initiative,

Dr. Dave Chatterjee:

one has to find a way of linking it to the strategic goals, to

Dr. Dave Chatterjee:

the business goals, to revenue generation. So that's the

Dr. Dave Chatterjee:

challenge, because otherwise, you're gonna have a hard time

Dr. Dave Chatterjee:

convincing leadership to spend time focusing on cyber because

Dr. Dave Chatterjee:

they'll say well, we got to run the business, we got to manage

Dr. Dave Chatterjee:

our customer base and so on so forth. And it varies from

Dr. Dave Chatterjee:

industry to industry, you are in a financial services industry,

Dr. Dave Chatterjee:

the regulations are very stringent. So probably the

Dr. Dave Chatterjee:

perspective is different. But I have seen different views of the

Dr. Dave Chatterjee:

leadership across different industries, and they are not all

Dr. Dave Chatterjee:

aligned in terms of seeing cybersecurity as part of their

Dr. Dave Chatterjee:

strategic core. What are your thoughts?

Kal Sambhangi:

Yeah, as you rightly said, depending upon the

Kal Sambhangi:

industry, the size of the business, I think the focus and

Kal Sambhangi:

magnitude of focus could differ. However, I think there are some

Kal Sambhangi:

common factors or common forces irrespective of the industry

Kal Sambhangi:

size as we see this sprawl with the digital products channels. I

Kal Sambhangi:

think there are some common factors, right. It has nothing

Kal Sambhangi:

to do with the size of the organization or the offering the

Kal Sambhangi:

organization has, or the regulatory compliance to serve

Kal Sambhangi:

the organization. At the end of the day, every business is

Kal Sambhangi:

dealing with consumers, and we're seeing more and more and

Kal Sambhangi:

more increasingly complex regulation around consumer data

Kal Sambhangi:

protection, and I would say it is across the board. 2) The role

Kal Sambhangi:

of smart decisions, the role of smart equipment. We could about

Kal Sambhangi:

IoT as an industry. We all talk about self driving cars, very

Kal Sambhangi:

soon. So when we talk about all of these, which are very

Kal Sambhangi:

software driven, and the moment we talk about these digital

Kal Sambhangi:

channels, platforms, products, we obviously talk about the data

Kal Sambhangi:

we capture, the analytics we conduct on the data, machine

Kal Sambhangi:

learning, artificial intelligence, the ecosystem

Kal Sambhangi:

partnerships, because no one company can build all the nuts

Kal Sambhangi:

to nuts and bolts and all the all the moving shaking parts,

Kal Sambhangi:

for digital products. Obviously, there is going to be an

Kal Sambhangi:

ecosystem partnership, a platform partnerships

Kal Sambhangi:

irrespective of the industries. So that's where that's where we

Kal Sambhangi:

are seeing the business models, evolving into ecosystem partner

Kal Sambhangi:

partnerships, platform partnerships, and so forth. And

Kal Sambhangi:

as these ecosystems evolve, and as more of these platform

Kal Sambhangi:

partnerships are built so that the smaller businesses could

Kal Sambhangi:

grow quickly, grow fast, obviously, there is an increase

Kal Sambhangi:

in supply chain risk, because now we have too many touching

Kal Sambhangi:

connected points. So obviously there is supply chain risk. And

Kal Sambhangi:

it goes back to how well are we protecting my customer

Kal Sambhangi:

information, and then and then the threat could be from the

Kal Sambhangi:

supply chains you're operating within. So I think I think the

Kal Sambhangi:

the leadership aspect of cybersecurity, irrespective of

Kal Sambhangi:

the size that needs to be positioned to function for

Kal Sambhangi:

lateral impact across the organization, not just across

Kal Sambhangi:

the organization, but also across the supply chain. So the

Kal Sambhangi:

lateral impact or positioning for the lateral impact, I think

Kal Sambhangi:

that's the key and it has nothing to do with the size of

Kal Sambhangi:

the organization or the industry in which the organization is

Kal Sambhangi:

operating. I think having the if we all agree that having that

Kal Sambhangi:

lateral impact is key, then proper authority is vital. And

Kal Sambhangi:

having a inter organizational political sway, and extra

Kal Sambhangi:

organizational political sway to orchestrate the change. I think

Kal Sambhangi:

that's the key. So I don't think we should are we we could or we

Kal Sambhangi:

should look at it from a lens of the organizational size and the

Kal Sambhangi:

and then the industry itself.

Dr. Dave Chatterjee:

Great point! competition today is not

Dr. Dave Chatterjee:

simply between say Publix and Kroger. But between Publix and

Dr. Dave Chatterjee:

its network, and Kroger and its network. As you put it,

Dr. Dave Chatterjee:

competition is taking place at the ecosystem level, at an inter

Dr. Dave Chatterjee:

organizational network level.

Kal Sambhangi:

Yeah,

Dr. Dave Chatterjee:

I couldn't agree with you more. And that

Dr. Dave Chatterjee:

brings up something that I've been recommending through my

Dr. Dave Chatterjee:

book, articles and talks. And that is establishing some sort

Dr. Dave Chatterjee:

of shared accountability and responsibility among the value

Dr. Dave Chatterjee:

chain partners, whereby, when data of Company A resides on the

Dr. Dave Chatterjee:

server of Service Provider B, Service Provider B should work

Dr. Dave Chatterjee:

in unison with company A, to make sure that the data is safe.

Dr. Dave Chatterjee:

The two supply chain partners should work as a team to ensure

Dr. Dave Chatterjee:

the most rigorous information security standards are being

Dr. Dave Chatterjee:

maintained and met. In other words, it is not okay to simply

Dr. Dave Chatterjee:

rent out the storage space or computing power and say, okay,

Dr. Dave Chatterjee:

here are your servers. This is how you configure the security

Dr. Dave Chatterjee:

settings. And now it's your problem, it's your

Dr. Dave Chatterjee:

responsibility to secure your customer data. I think that's

Dr. Dave Chatterjee:

where there has to be some changes, whether it comes in the

Dr. Dave Chatterjee:

form of regulations, or it is through SLA provisions, whereby

Dr. Dave Chatterjee:

both the parties, in this case A and B, will be held jointly

Dr. Dave Chatterjee:

liable for the breach consequences. Only when there is

Dr. Dave Chatterjee:

responsibility and accountability Kal are you

Dr. Dave Chatterjee:

likely to see the kind of security centric supply chain

Dr. Dave Chatterjee:

partnerships that you talk about. Security controls have to

Dr. Dave Chatterjee:

be embedded within inter-organizational processes

Dr. Dave Chatterjee:

and business models.

Kal Sambhangi:

Totally, totally agree. I think we're not too

Kal Sambhangi:

far, at least from my perspective, and the way I look

Kal Sambhangi:

at it, we are not too far to get to that place, not just from a,

Kal Sambhangi:

in this case, you mentioned, for example, cloud providers, party

Kal Sambhangi:

A and party B, one of that could be a cloud provider. I think

Kal Sambhangi:

it's much broader than that. We're talking about data

Kal Sambhangi:

sharing. We're talking about ecosystem partners, monetizing

Kal Sambhangi:

shared data and information, because their offerings are

Kal Sambhangi:

built around that. So as we get into those complex ecosystem

Kal Sambhangi:

models, it can never be the responsibility of the partner,

Kal Sambhangi:

where the data is originating, versus when it is hosted versus

Kal Sambhangi:

who is using it, so on so forth. Becomes a collective

Kal Sambhangi:

responsibility. And I think the industry, two things, there is

Kal Sambhangi:

an organic natural shift to self regulate ties and self regulate

Kal Sambhangi:

this and some kind of a model to support the increasing needs and

Kal Sambhangi:

the challenges. Mitigate the challenges. 2) More of

Kal Sambhangi:

regulation, more of the oversight from the government

Kal Sambhangi:

and institutions. I think we will get to the path. And my

Kal Sambhangi:

view is before a lot of the regulation comes into frame,

Kal Sambhangi:

more than driven by regulation, I think, as partners in the

Kal Sambhangi:

ecosystem, because again, as we talk about evolving technologies

Kal Sambhangi:

like blockchain, but we're talking about, again, leveraging

Kal Sambhangi:

technologies across the partner ecosystems, building platforms,

Kal Sambhangi:

across partner ecosystems, I think some amount of sanity will

Kal Sambhangi:

prevail. And people would come together and say, Hey, how do I

Kal Sambhangi:

protect the interests of my customer, consumer, and I think

Kal Sambhangi:

we will arrive at that kind of a point, that's my view.

Dr. Dave Chatterjee:

I'm so delighted that you're painting

Dr. Dave Chatterjee:

such an optimistic picture. And that's how leaders like you

Dr. Dave Chatterjee:

should be, because you're kind of guiding where cybersecurity

Dr. Dave Chatterjee:

governance needs to go. And talking about cybersecurity

Dr. Dave Chatterjee:

governance. And I'm glad you mentioned that it's not enough

Dr. Dave Chatterjee:

just to focus on the technical controls. Technical controls are

Dr. Dave Chatterjee:

important, not trying to minimize their significance. But

Dr. Dave Chatterjee:

I like to emphasize holistic governance. Drawing upon my

Dr. Dave Chatterjee:

framework, holistic cybersecurity governance is

Dr. Dave Chatterjee:

reflected in the three dimensions of a

Dr. Dave Chatterjee:

high-performance, information security -- culture, commitment,

Dr. Dave Chatterjee:

preparedness, and discipline. Each of these dimensions are

Dr. Dave Chatterjee:

associated with success factors, 17 of them to be precise. Many

Dr. Dave Chatterjee:

of these success factors are linked to leadership and

Dr. Dave Chatterjee:

governance. For instance, one of the success factors of holistic

Dr. Dave Chatterjee:

cybersecurity governance is hands-on top management; how

Dr. Dave Chatterjee:

actively engaged is top management from the standpoint

Dr. Dave Chatterjee:

of providing oversight, and also participating in cybersecurity

Dr. Dave Chatterjee:

strategy development, implementation, monitoring,

Dr. Dave Chatterjee:

measurement, and more. Other managerial factors include the

Dr. Dave Chatterjee:

structuring and empowering of the CISO function, shared

Dr. Dave Chatterjee:

ownership and responsibility, cross functional participation,

Dr. Dave Chatterjee:

and strategic alignment and partnerships. So anyhow, the

Dr. Dave Chatterjee:

bottom line is that the approach to cybersecurity governance must

Dr. Dave Chatterjee:

be holistic by focusing on people, process, and

Dr. Dave Chatterjee:

technology-centric measures.

Kal Sambhangi:

Absolutely Prof. Chatterjee. And again, there

Kal Sambhangi:

cannot be 100% Cyber safe.

Dr. Dave Chatterjee:

Absolutely.

Kal Sambhangi:

Situation. Right? You know, that's not not even a

Kal Sambhangi:

statement of Nirvana and we can never have 100%.

Dr. Dave Chatterjee:

Totally,

Kal Sambhangi:

I think I think it's all about when we talk

Kal Sambhangi:

about commitment, discipline, preparedness against these three

Kal Sambhangi:

dimensions, and when I said, the technical concepts versus the

Kal Sambhangi:

management and leadership concepts here, I think the key

Kal Sambhangi:

is the ability to extract the technical concepts into messages

Kal Sambhangi:

that would grip senior leaders, both logically and emotionally.

Kal Sambhangi:

Right. So the ability to do that, I think, that attribute in

Kal Sambhangi:

a cyber leader would help the commitment part, the discipline

Kal Sambhangi:

part and also the preparedness part. And what this means is to

Kal Sambhangi:

have the ability to exstract the technical concepts. And as I

Kal Sambhangi:

have seen, in my experience, for example, the best person to lead

Kal Sambhangi:

the digital transformation, or a best person to lead AI adoption

Kal Sambhangi:

within an organization and the products offer, need not be or

Kal Sambhangi:

necessarily be a digital expert, right, I have not seen a

Kal Sambhangi:

technical digital expert becoming the chief digital

Kal Sambhangi:

officer or a chief data officer, at least in my experience, I

Kal Sambhangi:

think, to a large extent, it could work for cybersecurity, or

Kal Sambhangi:

it should work for cybersecurity, as well. Now, the

Kal Sambhangi:

cyber leader could be a proven non cyber executive, but who

Kal Sambhangi:

knows the business has key relationships throughout the

Kal Sambhangi:

organization, and a general appreciation of the technology.

Kal Sambhangi:

I think having those traits, obviously, if there is much more

Kal Sambhangi:

than general appreciation for technology, well and good. But

Kal Sambhangi:

it's not the other way. Right? I think, finding these critical

Kal Sambhangi:

traits, I think that would ensure and serve as an enduring

Kal Sambhangi:

force from a upliftment standpoint of your cyber

Kal Sambhangi:

posture, and also making it part of the broader organizational

Kal Sambhangi:

design, organizational culture.

Dr. Dave Chatterjee:

Fantastic, fantastic. I like the way you

Dr. Dave Chatterjee:

articulated the reality that for a cyber leader to be truly

Dr. Dave Chatterjee:

effective, having the necessary technical skills is not

Dr. Dave Chatterjee:

sufficient. It's great if it's there, but the business savvy,

Dr. Dave Chatterjee:

the ability to connect and communicate with the leadership,

Dr. Dave Chatterjee:

and probably, most importantly, the point you made at the very

Dr. Dave Chatterjee:

beginning, is the ability to articulate technological issues

Dr. Dave Chatterjee:

from a security standpoint, in a manner and a fashion that

Dr. Dave Chatterjee:

everybody can relate to. So the speak has to be simple, the

Dr. Dave Chatterjee:

speak has to be easily understandable, because

Dr. Dave Chatterjee:

otherwise, you're going to lose a lot of the constituencies, and

Dr. Dave Chatterjee:

you can't afford that. The moment you get into extreme tech

Dr. Dave Chatterjee:

speak and extreme security speak, and you are engaging in

Dr. Dave Chatterjee:

acronyms and jargons, immediately folks who are not

Dr. Dave Chatterjee:

familiar, they jump to the conclusion, Oh, that's too

Dr. Dave Chatterjee:

complicated for me. Just tell me what I have to do. And I'll do

Dr. Dave Chatterjee:

it.

Kal Sambhangi:

exactly right.

Kal Sambhangi:

As it transitioned into cybersecurity few weeks ago, the

Kal Sambhangi:

initial six to eight months, very challenging, because there

Kal Sambhangi:

was the speak of IP addresses, speak of different frameworks,

Kal Sambhangi:

NIST framework, CIS framework, and basically some numbers which

Kal Sambhangi:

would talk about a particular requirement in a framework like

Kal Sambhangi:

NIST. At the the end of the day, it was a bit challenging for

Kal Sambhangi:

someone like me who's coming from a different area. But I

Kal Sambhangi:

think, 1), I could bring in my experience and my skills in data

Kal Sambhangi:

analytics, digital experience space, to cyber. I'm just

Kal Sambhangi:

quoting this as an example, having worked in data, I was

Kal Sambhangi:

always a little scary to talk to, and operate within my peers

Kal Sambhangi:

in the cybersecurity space, because I've always seen them as

Kal Sambhangi:

someone who would come and say, No, you can't do this. But then

Kal Sambhangi:

moving here, I realized the challenge here is both parties

Kal Sambhangi:

are not able to talk the same language. I think that helped me

Kal Sambhangi:

appreciate the the challenges within cybersecurity and also

Kal Sambhangi:

the mindsets, within my fellow teammates, it will appreciate.

Kal Sambhangi:

2) help build that bridge, that relationship, with the business

Kal Sambhangi:

partners. To be a real bridge from a communication standpoint,

Kal Sambhangi:

calls for the cross pollination of skills, cross pollination of

Kal Sambhangi:

leadership skills, managerial skills, and also the domain

Kal Sambhangi:

expertise and understanding the business itself. I think that's

Kal Sambhangi:

the key.

Dr. Dave Chatterjee:

Fantastic, I could use that as I wrap up,

Dr. Dave Chatterjee:

because we are coming to the end of our time here. And I also

Dr. Dave Chatterjee:

want to take this opportunity of congratulating you on your new

Dr. Dave Chatterjee:

role. And I like the way you envision the future of cyber and

Dr. Dave Chatterjee:

I have no doubt that you will be super successful in your in your

Dr. Dave Chatterjee:

current role. I wish you the very best. But once again, I'd

Dr. Dave Chatterjee:

like to give you the opportunity of sharing some final words

Dr. Dave Chatterjee:

before we call it for for today.

Kal Sambhangi:

Thank you, Professor Chatterjee. It was a

Kal Sambhangi:

pleasure for me to sit with you and have this conversation.

Kal Sambhangi:

Again, you know, personally, I'm learning a lot. This has been a

Kal Sambhangi:

great journey for the last four years, as I peek into the

Kal Sambhangi:

different mindsets of our mates and very interesting journies.

Kal Sambhangi:

It's not just about the technology, it's about how we

Kal Sambhangi:

operate in cyber, how we can build relationships across the

Kal Sambhangi:

board, both internally and outside. And as I said, as

Kal Sambhangi:

platform based ecosystems become the central point of how

Kal Sambhangi:

business models evolve, and how artificial intelligence machine

Kal Sambhangi:

learning and these technologies come to the, to the middle and

Kal Sambhangi:

how we deliver more and more of digital products, I think this

Kal Sambhangi:

is going to get much more interesting, not just because

Kal Sambhangi:

there is going to be more of regulation and compliance needs.

Kal Sambhangi:

And at the same time, one other thing I want to mention as a

Kal Sambhangi:

closing comment, there needs to be a digital transformation

Kal Sambhangi:

within the cyber function itself. What I mean by that is

Kal Sambhangi:

cut down a lot of plethora of tools, make it simple. Adopt

Kal Sambhangi:

artificial intelligence, or machine learning to automate a

Kal Sambhangi:

lot of the cyber functions, be it on the product side or the or

Kal Sambhangi:

the Detect side. So I think there is there is a lot of

Kal Sambhangi:

opportunity here, for people with software development

Kal Sambhangi:

skills, people with program management skills, people with

Kal Sambhangi:

product management skills, because I think cybersecurity

Kal Sambhangi:

needs to move more towards the paradigm of product management

Kal Sambhangi:

in terms of delivering cyber capabilities within the

Kal Sambhangi:

organization. So there is an opportunity for agile

Kal Sambhangi:

practitioners, data scientists. So I think there is opportunity

Kal Sambhangi:

for a lot of different skills, not just specific cyber skills

Kal Sambhangi:

with cyber certifications, because I see a lot of people

Kal Sambhangi:

focusing on a lot of cybersecurity certifications I

Kal Sambhangi:

think that is needed. That is for a set of functions, for a

Kal Sambhangi:

set of roles. But I think cyber security as a community should

Kal Sambhangi:

start embracing people with other skills, as I mentioned

Kal Sambhangi:

earlier, and vice versa. I think there is a huge opportunity

Kal Sambhangi:

going forward and kind of feel really happy and delighted to be

Kal Sambhangi:

part of this movement at this point in time. Thank you again

Kal Sambhangi:

for having me.

Dr. Dave Chatterjee:

Thank you so much, Kal. I'm sure we'll

Dr. Dave Chatterjee:

have many more conversations. It's been a pleasure.

Dr. Dave Chatterjee:

A special thanks to Kal Sambhangi for his time and

Dr. Dave Chatterjee:

insights. If you like what you heard, please leave the podcast

Dr. Dave Chatterjee:

a rating and share it with your network. Also, subscribe to the

Dr. Dave Chatterjee:

show, so you don't miss any new episodes. Thank you for

Dr. Dave Chatterjee:

listening, and I'll see you in the next episode.

Kal Sambhangi:

The information contained in this podcast is for

Kal Sambhangi:

general guidance only. The discussants assume no

Kal Sambhangi:

responsibility or liability for any errors or omissions in the

Kal Sambhangi:

content of this podcast. The information contained in this

Kal Sambhangi:

podcast is provided on an as-is basis with no guarantee of

Kal Sambhangi:

completeness, accuracy, usefulness, or timeliness. The

Kal Sambhangi:

opinions and recommendations expressed in this podcast are

Kal Sambhangi:

those of the discussants and not of any organization.

Chapters

Video

More from YouTube