In a wide-ranging discussion, Vishal Salvi, CISO & Head of Cyber Practice at Infosys, sheds light on a range of topics from CISO empowerment to creating and sustaining a high-performance information security culture. He highlights the importance of "delivering on your agenda" for CISOs to gain trust and credibility. Vishal also recommends making the CISO role independent of the CIO, uniformly enforcing security policies across the organizational hierarchy, and operating at a high state of readiness.

Time Stamps

00:41 -- Please share some highlights of your professional journey.

02:00 -- Does your job keep you up at night? What worries you?

04:09 -- What makes you so good at what you do, what do you bring to the table by way of strengths?

07:54 -- If you had a say on how CISOs should be empowered by the organization, who should the CISO be reporting to? What would be the ideal organizational structure?

10:50 -- You will probably agree that to gain that kind of access or that level of reporting that you're talking about, the CISO has to earn the trust and credibility and be respected. What are your thoughts?

15:14 -- What would be a few metrics that you recommend CISOs track or you track that gives you a sense of whether you're on the right trajectory, or you need to do something different? What would those important metrics be?

17:36 -- Enhancing cyber transparency to customers and investors through formalized reporting, such as SEC reporting, could bring about a sea change in a variety of things, probably the most important of which is the top management commitment. What are your thoughts?

20:16 -- Given your extensive experience working across different organizations in the public and private sector, share some best practices of top management commitment?

24:01 -- I'd like your thoughts on what a high-performing information security culture is, how do you get there, and how do you sustain it?

29:15 -- If you approach security learning from the standpoint of say, one question a day that gets emailed to every person who has to respond, it's like these word games that people play every day. They have to come up with a solution, but one a day. So instead of trying to impart a one-stop-shop training at one go and then do it again six months later, if you infuse cybersecurity training into the organizational work practices whereby, just like I said, one question a day, and you approach it that way, what are your thoughts? Do you think that might help enhance awareness and sustain the level of knowledge? What are your thoughts?

31:23 -- I've often wondered, why that sensitivity to make training more substantive, is not there? Why is it that organizations are so compliance-driven that they don't recognize that compliance is often not enough, and they need to go beyond that, to have a substantive effect?

34:28 -- Why do individuals and organizations often drop the ball when it comes to cyber intelligence?

41:24 -- What advice and recommendations do you have for professionals who are either entering the field or who are considering cybersecurity as a career?

Memorable Vishal Salvi Quotes

"Cybersecurity roles actually test all your leadership capabilities fully."

"Every single CISO in the Indian banking industry is independent of the CIO."

"It is always preferred that you make the CISO independent of CIO and elevate the CISO to a level where you are able to drive the mandate of cybersecurity. So the more elevated and more empowered the CISO, the more committed is your mission to cyber."

"The most important thing for gaining credibility and earning respect is to deliver on your agenda."

"When you start defining policies for your organization, you need to be able to implement them consistently across the organization. You shouldn't have a separate set of policies for your senior leaders, and a separate set of policies for your juniors."

"Most of the courses that we see and organizations are not actually focused on learning, but they're more focused on going through the motions and achieving compliance."

"Our endeavor should always be to make our staff battle-ready in peacetime."

Connect with Host Dr. Dave Chatterjee and Subscribe to the Podcast

Please subscribe to the podcast so you don't miss any new episodes! And please leave the show a rating if you like what you hear. New episodes release every two weeks.

Connect with Dr. Chatterjee on these platforms:

LinkedIn: https://www.linkedin.com/in/dchatte/

Website: https://dchatte.com/

Cybersecurity Readiness Book: https://www.amazon.com/Cybersecurity-Readiness-Holistic-High-Performance-Approach/dp/1071837338

Welcome to the Cybersecurity Readiness Podcast

Series with Dr. Dave Chatterjee. Dr. Chatterjee is the author of

A Holistic and High-Performance

Approach. He has been studying cybersecurity for over a decade,

authored and edited scholarly papers, delivered talks,

conducted webinars, consulted with companies, and served on a

cybersecurity SWAT team with Chief Information Security

officers. Dr. Chatterjee is an Associate Professor of

Management Information Systems at the Terry College of

Business, the University of Georgia, and Visiting Professor

at Duke University's Pratt School of Engineering.

Hello, everyone, I'm delighted to

welcome you to this episode of the Cybersecurity Readiness

Podcast Series. Today, I have the pleasure of talking with

Vishal Salvi, Chief Information Security Officer, and Head of

Cyber Practice, Infosys. I'm sure you all are familiar with

Infosys. But just in case you're not, Infosys is a global leader

in next generation digital services and consulting. So

Vishal, delighted to have you, it's truly an honor. And I'd

like to bring you into the discussion, and let you share

with the listeners a few things, your highlights about your

professional journey. So welcome.

Thank you, Dave, for having me here. And it's my

pleasure to be here on this podcast, my name as you're

already introduced me, but my role is of protecting Infosys as

a global CISO for Infosys. And apart from that, I have an

additional responsibility of delivering the same value for

our customers. So I head the cybersecurity business as well.

And this positions me to really be end-to-end accountable for

cybersecurity across all spectrums in my organization.

Great to hear! One question I like to ask

all CISOs and especially somebody like you who's a global

CISO of a major organization, does your job keep you up at

night? What worries you?

so many challenges stacked against you. It's an

asynchronous sport, you need to make sure you're protecting all

your vulnerabilities. And the bad guys need to just exploit

one. So so for a large part of my career, I always thought that

we were like sitting ducks. But then, once I started to work in

organizations, which are committed to investing in people

and technology in and committing to the cause of security, I have

kind of begun to change my opinion on this. And I do

believe that this problem can be solved. It just needs that

mindset, and the resources, which are required for you to be

able to deal with it. Right. And it's not about, it's not about

doing something today, and then forgetting about it, because

you've done some good work here. It's constantly watching how the

threat landscape is changing and pivoting to a new way of

working, and you're constantly sort of agile and adaptive to

what's happening around and not having a status quo. Now, I know

I've given a long answer to your question. But in reality, I have

a very peaceful sleep most of the time. And that's largely

because you know that you and your team have done the right

things for your organization. And therefore it would be a

better situation as compared to where it was yesterday. And so

long as you're doing that, you know, you can be happy about it,

you just don't want to have a self goal created, or, or

something which is fundamentally missing, right. So I think those

are the things that you need to really care for. If you do that,

you will have a much stress free role as a CISO. Great, great.

So continuing on that reflective

trajectory, I also want to ask you, and this is good for your

what makes you so good at what you do, what do you

bring to the table by way of strengths?

So I would not like to use that adjectives for

myself that I'm good or these are the things but I can

obviously share some of the lessons learned and what one

could look at. So I think that our first thing is about, you

know, your professional traits or your leadership traits. And

then it's about what you do for the domain. But the reality is

and it's so fascinating that cybersecurity roles actually

test all your leadership capabilities fully, because you

need to you need to be able to engage with your Are leadership

with your board. And so you need to really have a good executive

presence, right? You need to be tactful to really answer

questions, difficult questions in a very, in a manner in which

people can really understand and relate to at the same time you

don't, you don't make mistakes, and you don't give wrong

information. So you need to be on top of your data and facts,

that's very important. The next thing is, you need to be able to

articulate, first of all, define a vision and then articulate

that vision for your team. So they have something to look

forward to, and something to target that requires a fair

amount of understanding on how to design a strategy, what goes

into the execution of a strategy, that's very important.

The third, and a very important aspect of the job is your

influencing skills, right? Because at the end of the day,

you are trying to influence all of the stakeholders who are not

cybersecurity, so that typically a cyber security organization is

either 0.5 to 1%, of your whole organization. And you have, and

we all know that security is everyone's responsibility. So

this 0.5% of your organization, is trying to get the 99.5% to do

the right thing when it comes to security. And so it needs a lot

of influencing for people to do the right things, and take the

right decisions when it comes to protecting their organization,

and also making right behavior, which is a very difficult change

management program in any given organization. So you need to be

able to understand human behaviors, why people take

decisions in certain days, and then touch upon the topic of

psychology of security, understand the biases, and then

work on these biases in a way where you can have the right

interventions for you to be effective in changing the

culture and changing the behavior, right? Absolutely,

yeah. Apart from that, there are things like engaging with the

vendor community and partnering with them, because at the end of

the day, security is delivered by their technologies, and you

are as good as what weapons you have in your hand. So how do you

engage with them? How do you engage with law enforcement to

help in better propagation of how to catch the adversaries?

And how do you make them attribution and then make them

accountable. And then, you know, also law and enforce apart from

law enforcement, you talk about regulators, and looking at

shaping of compliance and all those things. So I mean, there

are plenty more stakeholders, including customers. So as a

CISO, you need to really be able to understand all these

stakeholders, and be able to work on yourself as an

individual to make these relationships successful. And

that that will test all these elements that I talked about.

Yeah, as you were talking, I was thinking

about the significance of CISO empowerment, I'd like you to

speak to that. If you had a say on how CISOs should be empowered

by the organization, who should CISO be reporting to? What

would be the ideal organization structure.

So this is one topic, which has been hotly

debated for many years in the Information Security in the

cybersecurity space, right. If you look at an example, in

India, in the Indian banking industry, the local regulator,

which is the Reserve Bank of India has mandated that every

CISO needs to be reporting independent of IT. And this

happened around seven years back as a mandate. And so there's

every single CISO in in the Indian banking industry is

independent of the CIO, right? If you look at North America,

and if you do the survey of all the global organizations, it's

5050, right 50% of the CISOs report to CIOs and 50% report to

somebody else, right, my view is like this, you need to ensure

you remove all the conflicts that could exist in an

organization when it comes to driving cybersecurity, it is

always preferred that you make the CISO independent of CIO and

elevate the CISO to a level where you are able to drive the

mandate of cybersecurity. So the more elevated and more empowered

the CISO is, the more committed is your mission to cyber. So you

could as an organization say that security is very important

to all your stakeholders. But if you're made the CISO report to

somebody three levels below a CIO, you know, in reality,

there's hardly any difference that CISO is going to make, even

if he's capable of all the traits that I talked about, the

organization structure would not allow that CISO to perform in a

manner which is required for the independence of that CISO.

Right. And the last thing I would say is that apart from

independence, you need to have the CISO report to the most

powerful person in the organization, because then you

get the right resources and sponsorship for your

organization. So if the CFO is the most powerful, then maybe go

to CFO, if it is, if the chief operating officer then go to the

Chief Operating Officer, I think it's very important that you

need to really position that person, I am not a fan of saying

that the person should report to CEO because the CEO will be so

busy doing so many other things on business and other things

that would not be able to give the time and bandwidth for the

CISO to do the job effectively. So you need somebody who is able

to give time and bandwidth as much as should be powerful. So I

think those aspects will definitely empower the CISO to

perform to the best of that person's ability.

Yeah, and I'm sure you will probably agree

that to gain that kind of access, or that level of

reporting that you're talking about, the CISO also has to earn

the trust and credibility and also be respected. To earn the

trust, to earn that respect, what are some things that CISOs

should be doing? And I pose this question with an example. I was

speaking with the CISO of a restaurant chain last year, I

believe. And she made a very interesting statement. She said,

I never cry wolf. Anytime I walk into a boardroom at a major

management meeting, and I offer my thoughts and my suggestions,

my concerns about information security related matters, it's

taken very seriously, because they know that I would not be

going in there requesting stuff that is unnecessary, or I won't

be overselling anything. So that got me to recognize and believe

how important it is for the CISO to set the mindset to set that

tone that earns the respect of the leaders, and that helps pave

the way for greater empowerment and greater access. And again,

I'm coming at it from outside-in, you're the one who

works in the organization who has significant experience, what

are your thoughts?

So I think it's very important. You know, there

are different traits of an individual or a team, which can

help you to build that credibility. I think building

that credibility is important to get what you want out of the

organization, right. And so it's not only about getting

sponsorship, it's also about getting support across all your

stakeholders that I just talked about, right? So I'll give you

an example. So whenever we used to, or whenever I go for any

funding requirement, maybe perhaps most of them it was to

the finance, you give some commitments to them in terms of

what you would do with that money. Right? I think it's very

important that once you're kind of implemented that project, you

go back and show that evidence of that outcome, and stay

accountable to do to deliver that outcome. Even if you're not

been asked to do that, that increases your credibility in

front of the person because they would be more trusting in future

when you go back and ask for something more. Right. So

that's, that's one strategy. The other example is about being

able to explain and talk the consequences of various

decisions. And to be honest with you, Dave, I think your

strategies need to be dynamic to the situation, and to the

culture of a given organization. So I've seen that I've worked in

seven organizations, and I've seen that what worked in one

would not work in another you need to really understand the

culture, and then decide on what strategies you want to adopt. I

won't say cry wolf is a good strategy. But then trying to

explain to them the impact of no action is very important. And

making it very transparent and open for decision making is very

important, right? So I think that I think is very critical.

If you do these things, then I think you're able to sort of

create a level of credibility for yourself. It could also be

the last point I wanted to mention is it could also be that

you allowed somebody to take a particular decision in spite of

you warning but and once that risk manifests, you need to make

sure you are able to actually remind that individual or team

of the consequences of the decision that are taken so that

in future they're very careful about you know, these aspects.

So I think it's a combination of all of these strategies and

more, which helps you to build your credibility within your

organization, but about all of these things. The most important

thing is that you should be able to deliver on your agenda always

right. So if you are telling all of these things, getting money,

but you're not able to deliver on your projects, and you're not

able to give the feeling to all your stakeholders that security

is going in the right direction, then you will not be able to

gain the credibility that you want

Delivering on your agenda. So, if that's

the goal, and which makes total sense, what would be a few

metrics that you recommend CISOs track or you track that gives

you a sense whether you're on the right trajectory? Or you

need to do something different? What would those important

metrics be?

So one of the things that I have been using

for almost two decades now in cyber is to really create a

maturity model of areas of work that you want to run for, for

your program. Right. And the good thing about cybersecurity

is that there is a well defined articulation of how you would

want to look at the components. Now, one of the ways to look at

it is to look at NIST, which is very clearly articulated in

terms of what are the high level components? And what are the

subcategories, you could create your own framework. I have been

using ISF, the Information Security Forums framework very

extensively, and it has really served me well. And so you sort

of make security into components. And then once you

have defined those components, you start putting a maturity

model on the controls that you want to operate in each of those

components, and then figure and build a methodology in terms of

measuring the maturity of each of those controls, and then

start executing your plan to improve the maturity on a year

on year basis. Right. And that has really worked for, for me,

in terms of engaging with the leadership engaging with the,

with the Board, helping me to create a strategy of giving a

clear vision to the team in terms of what that goal is, and

then striving towards improving that maturity. Because like I

said, security is is challenge is all about getting better

every single day as compared to whatever yesterday. So that

model has really worked. And it it helps you to define and

therefore it helps you to measure, right. And once you

start doing that you improve. The last thing I wanted to say

is that just so that you are kept honest, you always get a

third party to audit your assessment and analysis of your

maturity. So that a third party also validates that you're on

the same page. And it gives independent assurance to all

your stakeholders in terms of how you're progressing,

including yourself. Yeah,

absolutely. You want that reality check. And

you want that third party party validation and external

validation. That's so important. You know, along those lines,

once again, I'm referring to a discussion I had with a CISO,

who made a very interesting comment. He said, today's

companies lacked disclosure requirements that showed the

level of cyber risk for publicly traded companies and their

software. And he is of the opinion, he believes that

enhancing cyber transparency to customers and investors through

reporting, you know, formalized reporting, like in the US, we

have the SEC reporting that could bring about a sea change

in a variety of things, probably the most important of which

being the top management commitment. What are your

thoughts?

Yeah, I'm all for increasing the transparency and

making every organization accountable for, you know,

sharing, whatever is happening in their organization on

breaches and attacks. I'm all for that. I think we also need

to see as a society, how we are mature to receive such

disclosures. So in past whenever there has been a major breach, I

think the organization which I've got impacted have actually

been more victimized than been empathized towards, you know,

something like that could have happened to them. Right? I think

things are changing. And gradually, as I believe, you

know, when, when the SolarWinds disclosure happened, you know,

we handled it much more mature in a much more mature way as

compared to perhaps what happened in case of Target. So I

think as a society, if you are mature to say that, the more you

disclose, the more we will appreciate what you are as an

organization, I think it's important. Otherwise, you know,

the organization's find it very difficult because they get

caught between the two issues of disclosure versus the

reputational damage that that could cause so so I think we

need to start looking at that. Of course, when it comes to

matters of privacy, I think, you know, if you don't do timely

disclosures there are significant penalties, that is

motivation enough for people to do it in a timely manner, which

is a good thing. So I think overall, I would say that we

have a lot of work to do to make sure that we are able to

encourage people to do a transparent and honest

disclosures, rather than looking at them with suspicion, and the

fact that they have not had security controls in place, you

know, that's the point I would like to make.

Okay, well, thank you for that. So I'd like

to take this opportunity to share with listeners that Vishal

spoke to my class on cybersecurity at Duke

University. I teach in the Master's program there, and

Vishal was very kind to connect with us. It was late in the

night in India morning here in the US, and he came online, and

he spoke, and he made some telling points, the students

were very impressed. So I draw from some of the things you

shared with the students and with me the other day, and one

of the things you emphasize was the importance of top management

engagement, top management commitment. Again, given your

extensive experience working across different organizations,

in the public and private sector, what would you consider

to be some best practices, where you can say, you know, this is a

good example, when the top management walks the talk. So

I've been privileged to work in

organizations who have been very security conscious. And I've had

the privilege of working with leaders who have been stalwarts,

and great role models in decision making, right, but I

would not say that, that you will find this, you know, across

organizations and across industries, so you will always

have various examples. When you look at risk decisions, right?

At a very fundamental level, you're talking about value at

risk versus cost of remediation. So you really don't want to have

a situation where the cost of remediation is higher than the

value at risk, right. So that's a foundational principle. The

second thing is, when you start defining policies for your given

organization, you need to be able to implement it

consistently across the organization, you don't need to

have a separate set of policies for your senior leaders, and a

separate set of policies for your juniors, you don't want to

have a situation where all the USB admin access is removed. And

password policies are stringent for juniors and exactly the

opposite for leaders. Right. So I have had ensured, you know,

that it is consistently implemented, right from the CEO,

to the last person who's a frontline warrior. Now, this

kind of a dilemma comes in, you know, in major organizations,

and I've seen many examples where we have, we have admired

leaders who have stood by the policy statements and have

ensured that, you know, we are able to talk to some senior

people saying why it is important for them to comply.

So, for example, at Infosys, everybody has to take a

mandatory cybersecurity course, right from the President's to

the junior staff. And if they don't, the next day, their

email, outbox, you know, and sending mails will get blocked,

till such time they've completed, and that is

consistently implemented across. So this is one example of how

important it is. Another example is, you know, if you, if you're

asking every employee to display their iCard, you know, the CEO

needs to do the same, and needs to do it with pride, so that

there is consistency, and people follow your role models, right.

So, there are many such examples, you know, when you're

trying to introduce an application into production, and

there are multiple risks and gaps, you're identified. It's

the decision that a leader takes whether you hold back for

another couple of weeks and hold a business opportunity, but make

sure that the security is implemented. And it's a tough

call, but that gives them sets the tone in your organization,

whether you are security focused, or you want to take

risk decisions.

And when you say setting the tone of

whether you are security focused, or you're taking risk

decisions, that brings up the next topic that I want to talk

to you about. And you alluded to that we talked about that in my

class, which is Information Security culture. And as you

probably have read in my book, I talk about creating and

sustaining a high performance information security culture.

Culture is something which is kind of abstract, it is very

hard to get your arms around it. So whenever you bring up this

discussion on culture, people want to, for lack of a better

word look the other way, and they want to focus on things

that are more tangible. But I'd like your thoughts on what a

high performing Information Security Culture is, how do you

get there, and how do you sustain it?

That's a great question, Dave. And I think you

know, there are there are a lot of dimensions to this right. At

a fundamental level, what you would want to do is to, at a

minimum, tell all your employees or all your stakeholders within

your organization, what is the difference between right and

wrong behavior, right? So nobody can claim that they were

ignorant when they actually committed a mistake or an error.

So, at a minimum, you need to make sure that that is said to

every single stakeholder. Right? That's number one. Now, in spite

of you talking about, you know that smoking is injurious to

health, you still have people who go ahead and smoke, right.

And that's a behavior issue, or let's say, habit issue, right?

It could be because of somebody is conditioned to doing certain

things from his previous organization, and would expect

that to happen in your organization as well, right. And

I can give you an example of a person who came from another

organization, and he was boasting about that he still

continues to have the laptop with him, in spite of leaving

the organization, and nobody cared to come and collect that,

guess what, when he left, he thought he could exfiltrate

data, because he thought nobody will care. And he was caught

stealing it, and he was made accountable for that action. So

you know, there are these examples where people are

conditioned to do certain things from their previous habits and

for no fault of theirs, because that's the culture that they

were they were into, right. And so that's what they know. And so

it's a very difficult thing to make them understand and change

their behaviors and habits, once they get into your organization.

And over there, you need to use all the channels of diplomacy,

right in terms of giving them carrot, giving them a stick,

building a competitiveness within them, you know, in terms

of so all of that is required for you to really use these

avenues for you to really create a culture within your

organization. And culture is not something that you can do

overnight. It's something which takes time, you know, and you

need to give it that time for it to emerge, right, I have to keep

doing small things every day for it to become what it should,

right. So, so that's also very important. And the third thing

is the example that I just gave, you know, in terms of what is

the tone that we are setting from the Board, from the

leadership, and commitment, and that also creates a culture,

right? So so I know, for example, we we have a very

strong control over the use of USBs use of admin access, use of

download of any software. And we are a technology firm, right?

And anybody would argue that, you know, experience is

important high tech, you need to be allowed to do whatever you

want to do. But in reality, we know that security tools have

not matured enough to give you a seamless experience of using

technology without being hampered by some controls. So

you need to draw a fine balance till the tools become so mature

that security is effective and still transparent, right? Till

such time, you need to be able to understand that, yes, I need

to have a speed breaker for me to control my car, right?

Because that's really how it is. And we need to govern it. But

there are certain countries where you don't need it, because

the rules are working perfectly fine. So I think we need to be

able to build that understanding and culture and allow every

single person to adopt to that which which creates the right

behavior within an organization. And the last thing I will say is

that we spent a lot of time doing red teaming and testing

technologies and systems and finding out vulnerabilities. We

need to also do that on humans, because they are the ones who

get most exploited to social engineering and various attacks.

And you need to test their ability to take right decisions,

for example, you catch them doing these activities, that is

what we call them as teachable moments, right? That's when they

are most open to learn and change behavior. So you will

catch them through those diagnostics, and then ask them

to change their behavior. I think the change is more

lasting. So these are some of the things that goes into

creating a culture and spreading awareness within within the

organization.

Great examples. Thank you so much for

sharing. This is very helpful. So there are a couple of things

I want to follow up on. One of them is learning and you

mentioned just a little while back that doing things in small

chunks. So my thought is that if you approach security learning

from the standpoint of say, one question a day that gets emailed

to every person who has to respond, it's like these word

games that people play every day. They have to come up with a

solution, but one a day. So instead of trying to impart a

one-stop shop training at one go and then do it again six months

later. later, if you infuse cybersecurity training into the

organizational work practices whereby, you know, just like I

said, one, one question a day, and you approach it that way,

what are your thoughts? Do you think that might help enhance

awareness, sustain the level of knowledge? What are your

thoughts?

So I agree with this idea and the concept,

because, you know, doing a security awareness course, once

in a year for one hour, is just you're going through a motion to

just get it over. And then, you know, go back to what you were

doing, I would say that you need to kind of make it more modular,

I would also say that you need to make it more specific. So for

example, you can have a different kind of a

questionnaire or a course for your sales team, you could have

a different one for your operations team. And you could

have a different one for your leadership or your managers,

right. So that you can cater to the questions are more relevant

to their context and their day to day operations. So I am, I'm

fully up for making it more modular, and more specific to

them. And I think that way, you can become more razor sharp on

what you really want to achieve and what outcomes you want to

achieve.

Yeah, that's what I was thinking that

many in many organizations, you know, they are compliance

driven, and I can't fault them for that. And in the name of

complying with regulations, they have this, maybe twice a year,

this one hour, you talked about training, where you go through

the motions, I just went through one, I essentially saw the same

set of questions that I saw last time, and I just flew through it

well, maybe partly because I work in that area. But I was

thinking that I wish these questions scenarios were were

customized to what I do in the organization over and above the

general level of awareness. And I I've often wondered, I'm

surprised that why is that sense sensitivity to make training

more substantive, not there. Why is it that organizations are so

compliance driven that they don't, they don't recognize that

compliance is often not enough, and they need to go beyond that,

to have a substantive effect. You know, once again, I want you

to draw upon your experience, and shed some practical light on

this matter.

So I think, you know, the way to look at it is,

even for example, if the organization is doing for

compliance, the security teams still have a responsibility to,

you know, drive it in the way that they want outcomes to

achieve, right. So they clearly have an opportunity to make it

more modular, and, you know, drive that within the

organization. But of course, you know, if you look at an

organization of our size, where we have hundreds and 1000s of

employees, one hour commitment, or even 15 minutes commitment

translates into a huge amount of commitment, right, for every

single employee. So you need to be you need to take the

responsibility of why you're committing yourself. I would

like to add that the framing of questions and scenarios is a

very, it's an art, okay, you cannot, an average person, even

in security will not will not be able to get it, right. So it

needs to be curated in a way where every single answer, or a

decision that somebody is making in that training should lead to

a learning. And sometimes you just go through the motions of

asking questions and answers that you lose the real meaning

and reason why you're really asking that particular question.

So I think the framing is very important, where somebody would

have to really think through an answer. So that even if, for

example, it was tough for that person to answer it, eventually,

afterwards, there is a learning, which comes out of that, and it

should not be something where he's able to just get it just

breeze through it. So I think that's very, very important. And

it's not, that is not easy. And that's why, you know, people,

you know, most of the courses that we see and organizations

are not are not actually focused on learnings, but they're more

focused on going through the motions and, you know,

compliance.

Very true, very true. Okay, so, we are kind

of coming towards the end of our discussion. I do have two final

questions for you. The first one relates to effectively

monitoring and responding to cyber intelligence. You know,

when you read about breaches, and you hear stories about how

somebody dropped the ball, did not act on the intelligence they

received from their service provider. You wonder what's the

real issue. It's easy to criticize and say, you know,

you'll need to be more diligent, more disciplined, you shouldn't

drop the ball. But when you are there battling this problem,

what are the challenges? Why do you think individuals,

organizations, often drop the ball when it comes to cyber

intelligence?

Yeah, so I like to give an example, you know, and

it's a fascinating example. So I was last month, we had gone for

a trek. And it was a very difficult trek personally for

me, and I reached there, and then we saw a bunch of Army

folks walking to that cliff. And we were just observing, and they

were then rappelling down from that cliff, like, like it was a

cakewalk. Okay. And I was extremely amazed with the amount

of preparation and the physical fitness that they were actually

there. And they were planning for a run, a midnight run from a

couple of cliffs, you know, you know, then then they were going

to finally do the rappelling, and it was extremely difficult,

but that person was doing it so easily and efficiently. That was

like a simple walk. And I was I was suggesting that this is

peacetime, right. And people are training so rigorously, so that

when they're so they're basically battle hardened,

right, and, and when something really is required, they're

fully ready, and resilient to deal with it. I don't think we

are able to replicate that level of preparedness with our cyber

soldiers. We have multiple solutions, like cyber range and

bridge attack simulation and MITRE framework and, you know,

we do a lot of tabletop exercises, it's nowhere close to

how Army looks at it, right. And so when you see a real incident

happening, it's very difficult for the person to really, you

know, go through that as diligently because it's a very

rare event. 95% of the time, the security teams are focusing on

protecting building controls, they are not defending, you

know, managing incident response, only very rare

occasions when you know, somebody is really attacking

your organization. So, so that was just one analogy I wanted to

give you. But you know, we are obviously, you know, it's not

like a gloomy picture completely, because we have a

lot of solutions and tools at our disposal. And our endeavor

should always be that how do we make all our staff battle ready

in peacetime, right. And that requires a lot of rigor, a lot

of focus, a lot of training, and getting everybody ready to

capture the flag and all those events, we do a lot of that,

right. And by doing so, we are able to make good progress. But

we could do much more for them to be fully ready, you know, and

therefore, you then have the situations where we see examples

of, you know, it was there, it was to be seen, but nobody acted

on it.

Right. It's interesting, you shared that

metaphor of the army training. And that brought back some

memories. If you think about the consequences of the attacks, if

the consequences of an attack is fatal, is catastrophic, I

promise you, the training and the preparedness would be at a

different level. But when the consequences are not of that

nature, maybe that has some impact on how we prepare

ourselves. To be more specific, again, referring to my book, I

just share an example of the culture that exists in the

United States Nuclear Navy, the submarine program, and I have

several former students who have worked on those submarines who

have trained on the submarines. And they come back and tell me

that Dr. Chatterjee, the training is so rigorous, because

we can't afford to make a single mistake, because a single

mistake could be catastrophic, could lead to a nuclear

disaster. And they share with me several examples. One that I

found kind of very interesting was when you receive an order

from your superior, you're supposed to repeat the order

verbatim before you execute it. In other words, they are trying

to avoid any kind of communication loss or

communication leakage, but to do it religiously, consistently,

day in and day out, that discipline is motivated by the

consequences of not doing it, which is death. Just a thought,

means there could be any number of reasons that, like you said,

we are nowhere close to being as disciplined or as prepared as

they are in the army. Could maybe that that could be the

reason. Who knows. You're

right. Because if you look at even the another

example of, you know, airplane security system, right, whether

you're flying a low budget airline or you know, full class

airline, you would when it comes to security, there is no

compromise. Even the manuals of the different airlines have the

same table of content, that level of standardization, just

so that people are able to learn from master, the security kind

of general operations of airlines and the technology that

works underneath. So because the consequences are very high,

right, and it's linked to human human, my sense is that, you

know, we, we, the moment we start seeing the high frequency

high impact events happening, perhaps we will become much more

focused than what we are today. I'm not saying we're not

focused, but we are giving it attention as much as it

deserves. But the consequences are not, like you said, as high.

But for example, if you start seeing, given that we're talking

about connected, devices, connected, cars connected

everything, if it starts creating harm to humans,

suddenly things will start changing, right, and we'll start

giving more attention to it. Because today, right now, we are

actually adding more and more vulnerabilities and issuing more

and more patches every year. Somebody should ask the question

as to why is the case? Why is the rate of innovation and pace

of innovation so important that you are actually ignoring

security? Right? So the answer is that we can do it because we

can get away with it. Tomorrow, if you can't, and we are more

accountable, then, you know, perhaps things will start

changing, because that's the root cause of the problem. Yep,

the truth. So we shall, I also wanted to

share with the listeners, your passion about mentoring young

individuals, how you encourage them, how you guide them to

successful careers in cybersecurity. And of course,

that passion was evident when you came connected with our

class online, in the evening, your time, and you were very

generous with your time. And he spoke at length two questions.

So what advice and recommendations do you have for

professionals who are either entering the field, or who are

considering cybersecurity as a career?

So one of the things which I talked about in

the early part of our discussion was the fact that it will

actually test all your faculties, right, because of the

various dimensions to the role. So I think it's very exciting.

There's never a dull day or a dull moment in cybersecurity

space. Number two, it's such a vast topic. And there are so

many areas, so you can master one and then look forward to

going into something else, whether it is technology,

whether it is behavior, whether it is organizational dynamics,

whether it is governance, all of those get tested. And so you can

keep planning your career in a way where you can start building

those as milestones. Number three, it's a great career

opportunity. It's one of the top three jobs in the world right

now. And so, you know, once you select this as a profession,

you're assured for the next two to three decades that you know,

you will have a good career, you know, we have zero person

employment issue right now in the cybersecurity space, right?

So unemployment is never a risk, or, you know, you can remain

secure in your job, but I think most important of all, is the

cause, right? Because it's, I call it as noble profession,

because you're trying to protect you are the Sentinels, you are

and so, therefore, the ability to create value for your

organization for the ecosystem is immense, right? So, so I

think, you know, and the world is getting to a stage where we

are getting more and more digitized. And so, we need cyber

sentinels, who are doing this noble cause of fighting against

this very dangerous, you know, threat that is there in the

world. So, so, there is a lot of fulfillment, you know, when you

when you do this, you know, and, and for example, when I mentor

young kids, you know, I get immense amount of fulfillment,

and that you know I am creating value and adding value to the

community and ecosystem by getting more people initiated

into this. So I will say these four parameters clearly clincher

for a profession, like this

Fantastic! we're gonna end on that note, we

greatly appreciate your time Vishal, hope to talk to you

again. Thank you so much.

Thank you for having me. Thank you so much. It

was a pleasure.

A special thanks to Vishal Salvi for his

time and insights. If you like what you heard, please leave the

podcast a rating and share it with your network. Also,

subscribe to the show, so you don't miss any new episodes.

Thank you for listening, and I'll see you in the next

episode.

The information contained in this podcast is for

general guidance only. The discussants assume no

responsibility or liability for any errors or omissions in the

content of this podcast. The information contained in this

podcast is provided on an as-is basis with no guarantee of

completeness, accuracy, usefulness, or timeliness. The

opinions and recommendations expressed in this podcast are

those of the discussants and not of any organization.