Artwork for podcast The Cybersecurity Readiness Podcast Series
Perspectives of a Global Chief Information Security Officer
Episode 2511th May 2022 • The Cybersecurity Readiness Podcast Series • Dr. Dave Chatterjee
00:00:00 00:45:11

Share Episode

Shownotes

In a wide-ranging discussion, Vishal Salvi, CISO & Head of Cyber Practice at Infosys, sheds light on a range of topics from CISO empowerment to creating and sustaining a high-performance information security culture. He highlights the importance of "delivering on your agenda" for CISOs to gain trust and credibility. Vishal also recommends making the CISO role independent of the CIO, uniformly enforcing security policies across the organizational hierarchy, and operating at a high state of readiness.

Time Stamps

00:41 -- Please share some highlights of your professional journey.

02:00 -- Does your job keep you up at night? What worries you?

04:09 -- What makes you so good at what you do, what do you bring to the table by way of strengths?

07:54 -- If you had a say on how CISOs should be empowered by the organization, who should the CISO be reporting to? What would be the ideal organizational structure?

10:50 -- You will probably agree that to gain that kind of access or that level of reporting that you're talking about, the CISO has to earn the trust and credibility and be respected. What are your thoughts?

15:14 -- What would be a few metrics that you recommend CISOs track or you track that gives you a sense of whether you're on the right trajectory, or you need to do something different? What would those important metrics be?

17:36 -- Enhancing cyber transparency to customers and investors through formalized reporting, such as SEC reporting, could bring about a sea change in a variety of things, probably the most important of which is the top management commitment. What are your thoughts?

20:16 -- Given your extensive experience working across different organizations in the public and private sector, share some best practices of top management commitment?

24:01 -- I'd like your thoughts on what a high-performing information security culture is, how do you get there, and how do you sustain it?

29:15 -- If you approach security learning from the standpoint of say, one question a day that gets emailed to every person who has to respond, it's like these word games that people play every day. They have to come up with a solution, but one a day. So instead of trying to impart a one-stop-shop training at one go and then do it again six months later, if you infuse cybersecurity training into the organizational work practices whereby, just like I said, one question a day, and you approach it that way, what are your thoughts? Do you think that might help enhance awareness and sustain the level of knowledge? What are your thoughts?

31:23 -- I've often wondered, why that sensitivity to make training more substantive, is not there? Why is it that organizations are so compliance-driven that they don't recognize that compliance is often not enough, and they need to go beyond that, to have a substantive effect?

34:28 -- Why do individuals and organizations often drop the ball when it comes to cyber intelligence?

41:24 -- What advice and recommendations do you have for professionals who are either entering the field or who are considering cybersecurity as a career?


Memorable Vishal Salvi Quotes

"Cybersecurity roles actually test all your leadership capabilities fully."

"Every single CISO in the Indian banking industry is independent of the CIO."

"It is always preferred that you make the CISO independent of CIO and elevate the CISO to a level where you are able to drive the mandate of cybersecurity. So the more elevated and more empowered the CISO, the more committed is your mission to cyber."

"The most important thing for gaining credibility and earning respect is to deliver on your agenda."

"When you start defining policies for your organization, you need to be able to implement them consistently across the organization. You shouldn't have a separate set of policies for your senior leaders, and a separate set of policies for your juniors."

"Most of the courses that we see and organizations are not actually focused on learning, but they're more focused on going through the motions and achieving compliance."

"Our endeavor should always be to make our staff battle-ready in peacetime."


Connect with Host Dr. Dave Chatterjee and Subscribe to the Podcast

Please subscribe to the podcast so you don't miss any new episodes! And please leave the show a rating if you like what you hear. New episodes release every two weeks.

Connect with Dr. Chatterjee on these platforms:

LinkedIn: https://www.linkedin.com/in/dchatte/

Website: https://dchatte.com/

Cybersecurity Readiness Book: https://www.amazon.com/Cybersecurity-Readiness-Holistic-High-Performance-Approach/dp/1071837338

Transcripts

Introducer:

Welcome to the Cybersecurity Readiness Podcast

Introducer:

Series with Dr. Dave Chatterjee. Dr. Chatterjee is the author of

Cybersecurity Readiness:

A Holistic and High-Performance

Cybersecurity Readiness:

Approach. He has been studying cybersecurity for over a decade,

Cybersecurity Readiness:

authored and edited scholarly papers, delivered talks,

Cybersecurity Readiness:

conducted webinars, consulted with companies, and served on a

Cybersecurity Readiness:

cybersecurity SWAT team with Chief Information Security

Cybersecurity Readiness:

officers. Dr. Chatterjee is an Associate Professor of

Cybersecurity Readiness:

Management Information Systems at the Terry College of

Cybersecurity Readiness:

Business, the University of Georgia, and Visiting Professor

Cybersecurity Readiness:

at Duke University's Pratt School of Engineering.

Dr. Dave Chatterjee:

Hello, everyone, I'm delighted to

Dr. Dave Chatterjee:

welcome you to this episode of the Cybersecurity Readiness

Dr. Dave Chatterjee:

Podcast Series. Today, I have the pleasure of talking with

Dr. Dave Chatterjee:

Vishal Salvi, Chief Information Security Officer, and Head of

Dr. Dave Chatterjee:

Cyber Practice, Infosys. I'm sure you all are familiar with

Dr. Dave Chatterjee:

Infosys. But just in case you're not, Infosys is a global leader

Dr. Dave Chatterjee:

in next generation digital services and consulting. So

Dr. Dave Chatterjee:

Vishal, delighted to have you, it's truly an honor. And I'd

Dr. Dave Chatterjee:

like to bring you into the discussion, and let you share

Dr. Dave Chatterjee:

with the listeners a few things, your highlights about your

Dr. Dave Chatterjee:

professional journey. So welcome.

Vishal Salvi:

Thank you, Dave, for having me here. And it's my

Vishal Salvi:

pleasure to be here on this podcast, my name as you're

Vishal Salvi:

already introduced me, but my role is of protecting Infosys as

Vishal Salvi:

a global CISO for Infosys. And apart from that, I have an

Vishal Salvi:

additional responsibility of delivering the same value for

Vishal Salvi:

our customers. So I head the cybersecurity business as well.

Vishal Salvi:

And this positions me to really be end-to-end accountable for

Vishal Salvi:

cybersecurity across all spectrums in my organization.

Dr. Dave Chatterjee:

Great to hear! One question I like to ask

Dr. Dave Chatterjee:

all CISOs and especially somebody like you who's a global

Dr. Dave Chatterjee:

CISO of a major organization, does your job keep you up at

Dr. Dave Chatterjee:

night? What worries you?

Vishal Salvi:

so many challenges stacked against you. It's an

Vishal Salvi:

asynchronous sport, you need to make sure you're protecting all

Vishal Salvi:

your vulnerabilities. And the bad guys need to just exploit

Vishal Salvi:

one. So so for a large part of my career, I always thought that

Vishal Salvi:

we were like sitting ducks. But then, once I started to work in

Vishal Salvi:

organizations, which are committed to investing in people

Vishal Salvi:

and technology in and committing to the cause of security, I have

Vishal Salvi:

kind of begun to change my opinion on this. And I do

Vishal Salvi:

believe that this problem can be solved. It just needs that

Vishal Salvi:

mindset, and the resources, which are required for you to be

Vishal Salvi:

able to deal with it. Right. And it's not about, it's not about

Vishal Salvi:

doing something today, and then forgetting about it, because

Vishal Salvi:

you've done some good work here. It's constantly watching how the

Vishal Salvi:

threat landscape is changing and pivoting to a new way of

Vishal Salvi:

working, and you're constantly sort of agile and adaptive to

Vishal Salvi:

what's happening around and not having a status quo. Now, I know

Vishal Salvi:

I've given a long answer to your question. But in reality, I have

Vishal Salvi:

a very peaceful sleep most of the time. And that's largely

Vishal Salvi:

because you know that you and your team have done the right

Vishal Salvi:

things for your organization. And therefore it would be a

Vishal Salvi:

better situation as compared to where it was yesterday. And so

Vishal Salvi:

long as you're doing that, you know, you can be happy about it,

Vishal Salvi:

you just don't want to have a self goal created, or, or

Vishal Salvi:

something which is fundamentally missing, right. So I think those

Vishal Salvi:

are the things that you need to really care for. If you do that,

Vishal Salvi:

you will have a much stress free role as a CISO. Great, great.

Dr. Dave Chatterjee:

So continuing on that reflective

Dr. Dave Chatterjee:

trajectory, I also want to ask you, and this is good for your

peers to hear:

what makes you so good at what you do, what do you

peers to hear:

bring to the table by way of strengths?

Vishal Salvi:

So I would not like to use that adjectives for

Vishal Salvi:

myself that I'm good or these are the things but I can

Vishal Salvi:

obviously share some of the lessons learned and what one

Vishal Salvi:

could look at. So I think that our first thing is about, you

Vishal Salvi:

know, your professional traits or your leadership traits. And

Vishal Salvi:

then it's about what you do for the domain. But the reality is

Vishal Salvi:

and it's so fascinating that cybersecurity roles actually

Vishal Salvi:

test all your leadership capabilities fully, because you

Vishal Salvi:

need to you need to be able to engage with your Are leadership

Vishal Salvi:

with your board. And so you need to really have a good executive

Vishal Salvi:

presence, right? You need to be tactful to really answer

Vishal Salvi:

questions, difficult questions in a very, in a manner in which

Vishal Salvi:

people can really understand and relate to at the same time you

Vishal Salvi:

don't, you don't make mistakes, and you don't give wrong

Vishal Salvi:

information. So you need to be on top of your data and facts,

Vishal Salvi:

that's very important. The next thing is, you need to be able to

Vishal Salvi:

articulate, first of all, define a vision and then articulate

Vishal Salvi:

that vision for your team. So they have something to look

Vishal Salvi:

forward to, and something to target that requires a fair

Vishal Salvi:

amount of understanding on how to design a strategy, what goes

Vishal Salvi:

into the execution of a strategy, that's very important.

Vishal Salvi:

The third, and a very important aspect of the job is your

Vishal Salvi:

influencing skills, right? Because at the end of the day,

Vishal Salvi:

you are trying to influence all of the stakeholders who are not

Vishal Salvi:

cybersecurity, so that typically a cyber security organization is

Vishal Salvi:

either 0.5 to 1%, of your whole organization. And you have, and

Vishal Salvi:

we all know that security is everyone's responsibility. So

Vishal Salvi:

this 0.5% of your organization, is trying to get the 99.5% to do

Vishal Salvi:

the right thing when it comes to security. And so it needs a lot

Vishal Salvi:

of influencing for people to do the right things, and take the

Vishal Salvi:

right decisions when it comes to protecting their organization,

Vishal Salvi:

and also making right behavior, which is a very difficult change

Vishal Salvi:

management program in any given organization. So you need to be

Vishal Salvi:

able to understand human behaviors, why people take

Vishal Salvi:

decisions in certain days, and then touch upon the topic of

Vishal Salvi:

psychology of security, understand the biases, and then

Vishal Salvi:

work on these biases in a way where you can have the right

Vishal Salvi:

interventions for you to be effective in changing the

Vishal Salvi:

culture and changing the behavior, right? Absolutely,

Vishal Salvi:

yeah. Apart from that, there are things like engaging with the

Vishal Salvi:

vendor community and partnering with them, because at the end of

Vishal Salvi:

the day, security is delivered by their technologies, and you

Vishal Salvi:

are as good as what weapons you have in your hand. So how do you

Vishal Salvi:

engage with them? How do you engage with law enforcement to

Vishal Salvi:

help in better propagation of how to catch the adversaries?

Vishal Salvi:

And how do you make them attribution and then make them

Vishal Salvi:

accountable. And then, you know, also law and enforce apart from

Vishal Salvi:

law enforcement, you talk about regulators, and looking at

Vishal Salvi:

shaping of compliance and all those things. So I mean, there

Vishal Salvi:

are plenty more stakeholders, including customers. So as a

Vishal Salvi:

CISO, you need to really be able to understand all these

Vishal Salvi:

stakeholders, and be able to work on yourself as an

Vishal Salvi:

individual to make these relationships successful. And

Vishal Salvi:

that that will test all these elements that I talked about.

Dr. Dave Chatterjee:

Yeah, as you were talking, I was thinking

Dr. Dave Chatterjee:

about the significance of CISO empowerment, I'd like you to

Dr. Dave Chatterjee:

speak to that. If you had a say on how CISOs should be empowered

Dr. Dave Chatterjee:

by the organization, who should CISO be reporting to? What

Dr. Dave Chatterjee:

would be the ideal organization structure.

Vishal Salvi:

So this is one topic, which has been hotly

Vishal Salvi:

debated for many years in the Information Security in the

Vishal Salvi:

cybersecurity space, right. If you look at an example, in

Vishal Salvi:

India, in the Indian banking industry, the local regulator,

Vishal Salvi:

which is the Reserve Bank of India has mandated that every

Vishal Salvi:

CISO needs to be reporting independent of IT. And this

Vishal Salvi:

happened around seven years back as a mandate. And so there's

Vishal Salvi:

every single CISO in in the Indian banking industry is

Vishal Salvi:

independent of the CIO, right? If you look at North America,

Vishal Salvi:

and if you do the survey of all the global organizations, it's

Vishal Salvi:

5050, right 50% of the CISOs report to CIOs and 50% report to

Vishal Salvi:

somebody else, right, my view is like this, you need to ensure

Vishal Salvi:

you remove all the conflicts that could exist in an

Vishal Salvi:

organization when it comes to driving cybersecurity, it is

Vishal Salvi:

always preferred that you make the CISO independent of CIO and

Vishal Salvi:

elevate the CISO to a level where you are able to drive the

Vishal Salvi:

mandate of cybersecurity. So the more elevated and more empowered

Vishal Salvi:

the CISO is, the more committed is your mission to cyber. So you

Vishal Salvi:

could as an organization say that security is very important

Vishal Salvi:

to all your stakeholders. But if you're made the CISO report to

Vishal Salvi:

somebody three levels below a CIO, you know, in reality,

Vishal Salvi:

there's hardly any difference that CISO is going to make, even

Vishal Salvi:

if he's capable of all the traits that I talked about, the

Vishal Salvi:

organization structure would not allow that CISO to perform in a

Vishal Salvi:

manner which is required for the independence of that CISO.

Vishal Salvi:

Right. And the last thing I would say is that apart from

Vishal Salvi:

independence, you need to have the CISO report to the most

Vishal Salvi:

powerful person in the organization, because then you

Vishal Salvi:

get the right resources and sponsorship for your

Vishal Salvi:

organization. So if the CFO is the most powerful, then maybe go

Vishal Salvi:

to CFO, if it is, if the chief operating officer then go to the

Vishal Salvi:

Chief Operating Officer, I think it's very important that you

Vishal Salvi:

need to really position that person, I am not a fan of saying

Vishal Salvi:

that the person should report to CEO because the CEO will be so

Vishal Salvi:

busy doing so many other things on business and other things

Vishal Salvi:

that would not be able to give the time and bandwidth for the

Vishal Salvi:

CISO to do the job effectively. So you need somebody who is able

Vishal Salvi:

to give time and bandwidth as much as should be powerful. So I

Vishal Salvi:

think those aspects will definitely empower the CISO to

Vishal Salvi:

perform to the best of that person's ability.

Dr. Dave Chatterjee:

Yeah, and I'm sure you will probably agree

Dr. Dave Chatterjee:

that to gain that kind of access, or that level of

Dr. Dave Chatterjee:

reporting that you're talking about, the CISO also has to earn

Dr. Dave Chatterjee:

the trust and credibility and also be respected. To earn the

Dr. Dave Chatterjee:

trust, to earn that respect, what are some things that CISOs

Dr. Dave Chatterjee:

should be doing? And I pose this question with an example. I was

Dr. Dave Chatterjee:

speaking with the CISO of a restaurant chain last year, I

Dr. Dave Chatterjee:

believe. And she made a very interesting statement. She said,

Dr. Dave Chatterjee:

I never cry wolf. Anytime I walk into a boardroom at a major

Dr. Dave Chatterjee:

management meeting, and I offer my thoughts and my suggestions,

Dr. Dave Chatterjee:

my concerns about information security related matters, it's

Dr. Dave Chatterjee:

taken very seriously, because they know that I would not be

Dr. Dave Chatterjee:

going in there requesting stuff that is unnecessary, or I won't

Dr. Dave Chatterjee:

be overselling anything. So that got me to recognize and believe

Dr. Dave Chatterjee:

how important it is for the CISO to set the mindset to set that

Dr. Dave Chatterjee:

tone that earns the respect of the leaders, and that helps pave

Dr. Dave Chatterjee:

the way for greater empowerment and greater access. And again,

Dr. Dave Chatterjee:

I'm coming at it from outside-in, you're the one who

Dr. Dave Chatterjee:

works in the organization who has significant experience, what

Dr. Dave Chatterjee:

are your thoughts?

Vishal Salvi:

So I think it's very important. You know, there

Vishal Salvi:

are different traits of an individual or a team, which can

Vishal Salvi:

help you to build that credibility. I think building

Vishal Salvi:

that credibility is important to get what you want out of the

Vishal Salvi:

organization, right. And so it's not only about getting

Vishal Salvi:

sponsorship, it's also about getting support across all your

Vishal Salvi:

stakeholders that I just talked about, right? So I'll give you

Vishal Salvi:

an example. So whenever we used to, or whenever I go for any

Vishal Salvi:

funding requirement, maybe perhaps most of them it was to

Vishal Salvi:

the finance, you give some commitments to them in terms of

Vishal Salvi:

what you would do with that money. Right? I think it's very

Vishal Salvi:

important that once you're kind of implemented that project, you

Vishal Salvi:

go back and show that evidence of that outcome, and stay

Vishal Salvi:

accountable to do to deliver that outcome. Even if you're not

Vishal Salvi:

been asked to do that, that increases your credibility in

Vishal Salvi:

front of the person because they would be more trusting in future

Vishal Salvi:

when you go back and ask for something more. Right. So

Vishal Salvi:

that's, that's one strategy. The other example is about being

Vishal Salvi:

able to explain and talk the consequences of various

Vishal Salvi:

decisions. And to be honest with you, Dave, I think your

Vishal Salvi:

strategies need to be dynamic to the situation, and to the

Vishal Salvi:

culture of a given organization. So I've seen that I've worked in

Vishal Salvi:

seven organizations, and I've seen that what worked in one

Vishal Salvi:

would not work in another you need to really understand the

Vishal Salvi:

culture, and then decide on what strategies you want to adopt. I

Vishal Salvi:

won't say cry wolf is a good strategy. But then trying to

Vishal Salvi:

explain to them the impact of no action is very important. And

Vishal Salvi:

making it very transparent and open for decision making is very

Vishal Salvi:

important, right? So I think that I think is very critical.

Vishal Salvi:

If you do these things, then I think you're able to sort of

Vishal Salvi:

create a level of credibility for yourself. It could also be

Vishal Salvi:

the last point I wanted to mention is it could also be that

Vishal Salvi:

you allowed somebody to take a particular decision in spite of

Vishal Salvi:

you warning but and once that risk manifests, you need to make

Vishal Salvi:

sure you are able to actually remind that individual or team

Vishal Salvi:

of the consequences of the decision that are taken so that

Vishal Salvi:

in future they're very careful about you know, these aspects.

Vishal Salvi:

So I think it's a combination of all of these strategies and

Vishal Salvi:

more, which helps you to build your credibility within your

Vishal Salvi:

organization, but about all of these things. The most important

Vishal Salvi:

thing is that you should be able to deliver on your agenda always

Vishal Salvi:

right. So if you are telling all of these things, getting money,

Vishal Salvi:

but you're not able to deliver on your projects, and you're not

Vishal Salvi:

able to give the feeling to all your stakeholders that security

Vishal Salvi:

is going in the right direction, then you will not be able to

Vishal Salvi:

gain the credibility that you want

Dr. Dave Chatterjee:

Delivering on your agenda. So, if that's

Dr. Dave Chatterjee:

the goal, and which makes total sense, what would be a few

Dr. Dave Chatterjee:

metrics that you recommend CISOs track or you track that gives

Dr. Dave Chatterjee:

you a sense whether you're on the right trajectory? Or you

Dr. Dave Chatterjee:

need to do something different? What would those important

Dr. Dave Chatterjee:

metrics be?

Vishal Salvi:

So one of the things that I have been using

Vishal Salvi:

for almost two decades now in cyber is to really create a

Vishal Salvi:

maturity model of areas of work that you want to run for, for

Vishal Salvi:

your program. Right. And the good thing about cybersecurity

Vishal Salvi:

is that there is a well defined articulation of how you would

Vishal Salvi:

want to look at the components. Now, one of the ways to look at

Vishal Salvi:

it is to look at NIST, which is very clearly articulated in

Vishal Salvi:

terms of what are the high level components? And what are the

Vishal Salvi:

subcategories, you could create your own framework. I have been

Vishal Salvi:

using ISF, the Information Security Forums framework very

Vishal Salvi:

extensively, and it has really served me well. And so you sort

Vishal Salvi:

of make security into components. And then once you

Vishal Salvi:

have defined those components, you start putting a maturity

Vishal Salvi:

model on the controls that you want to operate in each of those

Vishal Salvi:

components, and then figure and build a methodology in terms of

Vishal Salvi:

measuring the maturity of each of those controls, and then

Vishal Salvi:

start executing your plan to improve the maturity on a year

Vishal Salvi:

on year basis. Right. And that has really worked for, for me,

Vishal Salvi:

in terms of engaging with the leadership engaging with the,

Vishal Salvi:

with the Board, helping me to create a strategy of giving a

Vishal Salvi:

clear vision to the team in terms of what that goal is, and

Vishal Salvi:

then striving towards improving that maturity. Because like I

Vishal Salvi:

said, security is is challenge is all about getting better

Vishal Salvi:

every single day as compared to whatever yesterday. So that

Vishal Salvi:

model has really worked. And it it helps you to define and

Vishal Salvi:

therefore it helps you to measure, right. And once you

Vishal Salvi:

start doing that you improve. The last thing I wanted to say

Vishal Salvi:

is that just so that you are kept honest, you always get a

Vishal Salvi:

third party to audit your assessment and analysis of your

Vishal Salvi:

maturity. So that a third party also validates that you're on

Vishal Salvi:

the same page. And it gives independent assurance to all

Vishal Salvi:

your stakeholders in terms of how you're progressing,

Vishal Salvi:

including yourself. Yeah,

Dr. Dave Chatterjee:

absolutely. You want that reality check. And

Dr. Dave Chatterjee:

you want that third party party validation and external

Dr. Dave Chatterjee:

validation. That's so important. You know, along those lines,

Dr. Dave Chatterjee:

once again, I'm referring to a discussion I had with a CISO,

Dr. Dave Chatterjee:

who made a very interesting comment. He said, today's

Dr. Dave Chatterjee:

companies lacked disclosure requirements that showed the

Dr. Dave Chatterjee:

level of cyber risk for publicly traded companies and their

Dr. Dave Chatterjee:

software. And he is of the opinion, he believes that

Dr. Dave Chatterjee:

enhancing cyber transparency to customers and investors through

Dr. Dave Chatterjee:

reporting, you know, formalized reporting, like in the US, we

Dr. Dave Chatterjee:

have the SEC reporting that could bring about a sea change

Dr. Dave Chatterjee:

in a variety of things, probably the most important of which

Dr. Dave Chatterjee:

being the top management commitment. What are your

Dr. Dave Chatterjee:

thoughts?

Vishal Salvi:

Yeah, I'm all for increasing the transparency and

Vishal Salvi:

making every organization accountable for, you know,

Vishal Salvi:

sharing, whatever is happening in their organization on

Vishal Salvi:

breaches and attacks. I'm all for that. I think we also need

Vishal Salvi:

to see as a society, how we are mature to receive such

Vishal Salvi:

disclosures. So in past whenever there has been a major breach, I

Vishal Salvi:

think the organization which I've got impacted have actually

Vishal Salvi:

been more victimized than been empathized towards, you know,

Vishal Salvi:

something like that could have happened to them. Right? I think

Vishal Salvi:

things are changing. And gradually, as I believe, you

Vishal Salvi:

know, when, when the SolarWinds disclosure happened, you know,

Vishal Salvi:

we handled it much more mature in a much more mature way as

Vishal Salvi:

compared to perhaps what happened in case of Target. So I

Vishal Salvi:

think as a society, if you are mature to say that, the more you

Vishal Salvi:

disclose, the more we will appreciate what you are as an

Vishal Salvi:

organization, I think it's important. Otherwise, you know,

Vishal Salvi:

the organization's find it very difficult because they get

Vishal Salvi:

caught between the two issues of disclosure versus the

Vishal Salvi:

reputational damage that that could cause so so I think we

Vishal Salvi:

need to start looking at that. Of course, when it comes to

Vishal Salvi:

matters of privacy, I think, you know, if you don't do timely

Vishal Salvi:

disclosures there are significant penalties, that is

Vishal Salvi:

motivation enough for people to do it in a timely manner, which

Vishal Salvi:

is a good thing. So I think overall, I would say that we

Vishal Salvi:

have a lot of work to do to make sure that we are able to

Vishal Salvi:

encourage people to do a transparent and honest

Vishal Salvi:

disclosures, rather than looking at them with suspicion, and the

Vishal Salvi:

fact that they have not had security controls in place, you

Vishal Salvi:

know, that's the point I would like to make.

Dr. Dave Chatterjee:

Okay, well, thank you for that. So I'd like

Dr. Dave Chatterjee:

to take this opportunity to share with listeners that Vishal

Dr. Dave Chatterjee:

spoke to my class on cybersecurity at Duke

Dr. Dave Chatterjee:

University. I teach in the Master's program there, and

Dr. Dave Chatterjee:

Vishal was very kind to connect with us. It was late in the

Dr. Dave Chatterjee:

night in India morning here in the US, and he came online, and

Dr. Dave Chatterjee:

he spoke, and he made some telling points, the students

Dr. Dave Chatterjee:

were very impressed. So I draw from some of the things you

Dr. Dave Chatterjee:

shared with the students and with me the other day, and one

Dr. Dave Chatterjee:

of the things you emphasize was the importance of top management

Dr. Dave Chatterjee:

engagement, top management commitment. Again, given your

Dr. Dave Chatterjee:

extensive experience working across different organizations,

Dr. Dave Chatterjee:

in the public and private sector, what would you consider

Dr. Dave Chatterjee:

to be some best practices, where you can say, you know, this is a

Dr. Dave Chatterjee:

good example, when the top management walks the talk. So

Vishal Salvi:

I've been privileged to work in

Vishal Salvi:

organizations who have been very security conscious. And I've had

Vishal Salvi:

the privilege of working with leaders who have been stalwarts,

Vishal Salvi:

and great role models in decision making, right, but I

Vishal Salvi:

would not say that, that you will find this, you know, across

Vishal Salvi:

organizations and across industries, so you will always

Vishal Salvi:

have various examples. When you look at risk decisions, right?

Vishal Salvi:

At a very fundamental level, you're talking about value at

Vishal Salvi:

risk versus cost of remediation. So you really don't want to have

Vishal Salvi:

a situation where the cost of remediation is higher than the

Vishal Salvi:

value at risk, right. So that's a foundational principle. The

Vishal Salvi:

second thing is, when you start defining policies for your given

Vishal Salvi:

organization, you need to be able to implement it

Vishal Salvi:

consistently across the organization, you don't need to

Vishal Salvi:

have a separate set of policies for your senior leaders, and a

Vishal Salvi:

separate set of policies for your juniors, you don't want to

Vishal Salvi:

have a situation where all the USB admin access is removed. And

Vishal Salvi:

password policies are stringent for juniors and exactly the

Vishal Salvi:

opposite for leaders. Right. So I have had ensured, you know,

Vishal Salvi:

that it is consistently implemented, right from the CEO,

Vishal Salvi:

to the last person who's a frontline warrior. Now, this

Vishal Salvi:

kind of a dilemma comes in, you know, in major organizations,

Vishal Salvi:

and I've seen many examples where we have, we have admired

Vishal Salvi:

leaders who have stood by the policy statements and have

Vishal Salvi:

ensured that, you know, we are able to talk to some senior

Vishal Salvi:

people saying why it is important for them to comply.

Vishal Salvi:

So, for example, at Infosys, everybody has to take a

Vishal Salvi:

mandatory cybersecurity course, right from the President's to

Vishal Salvi:

the junior staff. And if they don't, the next day, their

Vishal Salvi:

email, outbox, you know, and sending mails will get blocked,

Vishal Salvi:

till such time they've completed, and that is

Vishal Salvi:

consistently implemented across. So this is one example of how

Vishal Salvi:

important it is. Another example is, you know, if you, if you're

Vishal Salvi:

asking every employee to display their iCard, you know, the CEO

Vishal Salvi:

needs to do the same, and needs to do it with pride, so that

Vishal Salvi:

there is consistency, and people follow your role models, right.

Vishal Salvi:

So, there are many such examples, you know, when you're

Vishal Salvi:

trying to introduce an application into production, and

Vishal Salvi:

there are multiple risks and gaps, you're identified. It's

Vishal Salvi:

the decision that a leader takes whether you hold back for

Vishal Salvi:

another couple of weeks and hold a business opportunity, but make

Vishal Salvi:

sure that the security is implemented. And it's a tough

Vishal Salvi:

call, but that gives them sets the tone in your organization,

Vishal Salvi:

whether you are security focused, or you want to take

Vishal Salvi:

risk decisions.

Dr. Dave Chatterjee:

And when you say setting the tone of

Dr. Dave Chatterjee:

whether you are security focused, or you're taking risk

Dr. Dave Chatterjee:

decisions, that brings up the next topic that I want to talk

Dr. Dave Chatterjee:

to you about. And you alluded to that we talked about that in my

Dr. Dave Chatterjee:

class, which is Information Security culture. And as you

Dr. Dave Chatterjee:

probably have read in my book, I talk about creating and

Dr. Dave Chatterjee:

sustaining a high performance information security culture.

Dr. Dave Chatterjee:

Culture is something which is kind of abstract, it is very

Dr. Dave Chatterjee:

hard to get your arms around it. So whenever you bring up this

Dr. Dave Chatterjee:

discussion on culture, people want to, for lack of a better

Dr. Dave Chatterjee:

word look the other way, and they want to focus on things

Dr. Dave Chatterjee:

that are more tangible. But I'd like your thoughts on what a

Dr. Dave Chatterjee:

high performing Information Security Culture is, how do you

Dr. Dave Chatterjee:

get there, and how do you sustain it?

Vishal Salvi:

That's a great question, Dave. And I think you

Vishal Salvi:

know, there are there are a lot of dimensions to this right. At

Vishal Salvi:

a fundamental level, what you would want to do is to, at a

Vishal Salvi:

minimum, tell all your employees or all your stakeholders within

Vishal Salvi:

your organization, what is the difference between right and

Vishal Salvi:

wrong behavior, right? So nobody can claim that they were

Vishal Salvi:

ignorant when they actually committed a mistake or an error.

Vishal Salvi:

So, at a minimum, you need to make sure that that is said to

Vishal Salvi:

every single stakeholder. Right? That's number one. Now, in spite

Vishal Salvi:

of you talking about, you know that smoking is injurious to

Vishal Salvi:

health, you still have people who go ahead and smoke, right.

Vishal Salvi:

And that's a behavior issue, or let's say, habit issue, right?

Vishal Salvi:

It could be because of somebody is conditioned to doing certain

Vishal Salvi:

things from his previous organization, and would expect

Vishal Salvi:

that to happen in your organization as well, right. And

Vishal Salvi:

I can give you an example of a person who came from another

Vishal Salvi:

organization, and he was boasting about that he still

Vishal Salvi:

continues to have the laptop with him, in spite of leaving

Vishal Salvi:

the organization, and nobody cared to come and collect that,

Vishal Salvi:

guess what, when he left, he thought he could exfiltrate

Vishal Salvi:

data, because he thought nobody will care. And he was caught

Vishal Salvi:

stealing it, and he was made accountable for that action. So

Vishal Salvi:

you know, there are these examples where people are

Vishal Salvi:

conditioned to do certain things from their previous habits and

Vishal Salvi:

for no fault of theirs, because that's the culture that they

Vishal Salvi:

were they were into, right. And so that's what they know. And so

Vishal Salvi:

it's a very difficult thing to make them understand and change

Vishal Salvi:

their behaviors and habits, once they get into your organization.

Vishal Salvi:

And over there, you need to use all the channels of diplomacy,

Vishal Salvi:

right in terms of giving them carrot, giving them a stick,

Vishal Salvi:

building a competitiveness within them, you know, in terms

Vishal Salvi:

of so all of that is required for you to really use these

Vishal Salvi:

avenues for you to really create a culture within your

Vishal Salvi:

organization. And culture is not something that you can do

Vishal Salvi:

overnight. It's something which takes time, you know, and you

Vishal Salvi:

need to give it that time for it to emerge, right, I have to keep

Vishal Salvi:

doing small things every day for it to become what it should,

Vishal Salvi:

right. So, so that's also very important. And the third thing

Vishal Salvi:

is the example that I just gave, you know, in terms of what is

Vishal Salvi:

the tone that we are setting from the Board, from the

Vishal Salvi:

leadership, and commitment, and that also creates a culture,

Vishal Salvi:

right? So so I know, for example, we we have a very

Vishal Salvi:

strong control over the use of USBs use of admin access, use of

Vishal Salvi:

download of any software. And we are a technology firm, right?

Vishal Salvi:

And anybody would argue that, you know, experience is

Vishal Salvi:

important high tech, you need to be allowed to do whatever you

Vishal Salvi:

want to do. But in reality, we know that security tools have

Vishal Salvi:

not matured enough to give you a seamless experience of using

Vishal Salvi:

technology without being hampered by some controls. So

Vishal Salvi:

you need to draw a fine balance till the tools become so mature

Vishal Salvi:

that security is effective and still transparent, right? Till

Vishal Salvi:

such time, you need to be able to understand that, yes, I need

Vishal Salvi:

to have a speed breaker for me to control my car, right?

Vishal Salvi:

Because that's really how it is. And we need to govern it. But

Vishal Salvi:

there are certain countries where you don't need it, because

Vishal Salvi:

the rules are working perfectly fine. So I think we need to be

Vishal Salvi:

able to build that understanding and culture and allow every

Vishal Salvi:

single person to adopt to that which which creates the right

Vishal Salvi:

behavior within an organization. And the last thing I will say is

Vishal Salvi:

that we spent a lot of time doing red teaming and testing

Vishal Salvi:

technologies and systems and finding out vulnerabilities. We

Vishal Salvi:

need to also do that on humans, because they are the ones who

Vishal Salvi:

get most exploited to social engineering and various attacks.

Vishal Salvi:

And you need to test their ability to take right decisions,

Vishal Salvi:

for example, you catch them doing these activities, that is

Vishal Salvi:

what we call them as teachable moments, right? That's when they

Vishal Salvi:

are most open to learn and change behavior. So you will

Vishal Salvi:

catch them through those diagnostics, and then ask them

Vishal Salvi:

to change their behavior. I think the change is more

Vishal Salvi:

lasting. So these are some of the things that goes into

Vishal Salvi:

creating a culture and spreading awareness within within the

Vishal Salvi:

organization.

Dr. Dave Chatterjee:

Great examples. Thank you so much for

Dr. Dave Chatterjee:

sharing. This is very helpful. So there are a couple of things

Dr. Dave Chatterjee:

I want to follow up on. One of them is learning and you

Dr. Dave Chatterjee:

mentioned just a little while back that doing things in small

Dr. Dave Chatterjee:

chunks. So my thought is that if you approach security learning

Dr. Dave Chatterjee:

from the standpoint of say, one question a day that gets emailed

Dr. Dave Chatterjee:

to every person who has to respond, it's like these word

Dr. Dave Chatterjee:

games that people play every day. They have to come up with a

Dr. Dave Chatterjee:

solution, but one a day. So instead of trying to impart a

Dr. Dave Chatterjee:

one-stop shop training at one go and then do it again six months

Dr. Dave Chatterjee:

later. later, if you infuse cybersecurity training into the

Dr. Dave Chatterjee:

organizational work practices whereby, you know, just like I

Dr. Dave Chatterjee:

said, one, one question a day, and you approach it that way,

Dr. Dave Chatterjee:

what are your thoughts? Do you think that might help enhance

Dr. Dave Chatterjee:

awareness, sustain the level of knowledge? What are your

Dr. Dave Chatterjee:

thoughts?

Vishal Salvi:

So I agree with this idea and the concept,

Vishal Salvi:

because, you know, doing a security awareness course, once

Vishal Salvi:

in a year for one hour, is just you're going through a motion to

Vishal Salvi:

just get it over. And then, you know, go back to what you were

Vishal Salvi:

doing, I would say that you need to kind of make it more modular,

Vishal Salvi:

I would also say that you need to make it more specific. So for

Vishal Salvi:

example, you can have a different kind of a

Vishal Salvi:

questionnaire or a course for your sales team, you could have

Vishal Salvi:

a different one for your operations team. And you could

Vishal Salvi:

have a different one for your leadership or your managers,

Vishal Salvi:

right. So that you can cater to the questions are more relevant

Vishal Salvi:

to their context and their day to day operations. So I am, I'm

Vishal Salvi:

fully up for making it more modular, and more specific to

Vishal Salvi:

them. And I think that way, you can become more razor sharp on

Vishal Salvi:

what you really want to achieve and what outcomes you want to

Vishal Salvi:

achieve.

Dr. Dave Chatterjee:

Yeah, that's what I was thinking that

Dr. Dave Chatterjee:

many in many organizations, you know, they are compliance

Dr. Dave Chatterjee:

driven, and I can't fault them for that. And in the name of

Dr. Dave Chatterjee:

complying with regulations, they have this, maybe twice a year,

Dr. Dave Chatterjee:

this one hour, you talked about training, where you go through

Dr. Dave Chatterjee:

the motions, I just went through one, I essentially saw the same

Dr. Dave Chatterjee:

set of questions that I saw last time, and I just flew through it

Dr. Dave Chatterjee:

well, maybe partly because I work in that area. But I was

Dr. Dave Chatterjee:

thinking that I wish these questions scenarios were were

Dr. Dave Chatterjee:

customized to what I do in the organization over and above the

Dr. Dave Chatterjee:

general level of awareness. And I I've often wondered, I'm

Dr. Dave Chatterjee:

surprised that why is that sense sensitivity to make training

Dr. Dave Chatterjee:

more substantive, not there. Why is it that organizations are so

Dr. Dave Chatterjee:

compliance driven that they don't, they don't recognize that

Dr. Dave Chatterjee:

compliance is often not enough, and they need to go beyond that,

Dr. Dave Chatterjee:

to have a substantive effect. You know, once again, I want you

Dr. Dave Chatterjee:

to draw upon your experience, and shed some practical light on

Dr. Dave Chatterjee:

this matter.

Vishal Salvi:

So I think, you know, the way to look at it is,

Vishal Salvi:

even for example, if the organization is doing for

Vishal Salvi:

compliance, the security teams still have a responsibility to,

Vishal Salvi:

you know, drive it in the way that they want outcomes to

Vishal Salvi:

achieve, right. So they clearly have an opportunity to make it

Vishal Salvi:

more modular, and, you know, drive that within the

Vishal Salvi:

organization. But of course, you know, if you look at an

Vishal Salvi:

organization of our size, where we have hundreds and 1000s of

Vishal Salvi:

employees, one hour commitment, or even 15 minutes commitment

Vishal Salvi:

translates into a huge amount of commitment, right, for every

Vishal Salvi:

single employee. So you need to be you need to take the

Vishal Salvi:

responsibility of why you're committing yourself. I would

Vishal Salvi:

like to add that the framing of questions and scenarios is a

Vishal Salvi:

very, it's an art, okay, you cannot, an average person, even

Vishal Salvi:

in security will not will not be able to get it, right. So it

Vishal Salvi:

needs to be curated in a way where every single answer, or a

Vishal Salvi:

decision that somebody is making in that training should lead to

Vishal Salvi:

a learning. And sometimes you just go through the motions of

Vishal Salvi:

asking questions and answers that you lose the real meaning

Vishal Salvi:

and reason why you're really asking that particular question.

Vishal Salvi:

So I think the framing is very important, where somebody would

Vishal Salvi:

have to really think through an answer. So that even if, for

Vishal Salvi:

example, it was tough for that person to answer it, eventually,

Vishal Salvi:

afterwards, there is a learning, which comes out of that, and it

Vishal Salvi:

should not be something where he's able to just get it just

Vishal Salvi:

breeze through it. So I think that's very, very important. And

Vishal Salvi:

it's not, that is not easy. And that's why, you know, people,

Vishal Salvi:

you know, most of the courses that we see and organizations

Vishal Salvi:

are not are not actually focused on learnings, but they're more

Vishal Salvi:

focused on going through the motions and, you know,

Vishal Salvi:

compliance.

Dr. Dave Chatterjee:

Very true, very true. Okay, so, we are kind

Dr. Dave Chatterjee:

of coming towards the end of our discussion. I do have two final

Dr. Dave Chatterjee:

questions for you. The first one relates to effectively

Dr. Dave Chatterjee:

monitoring and responding to cyber intelligence. You know,

Dr. Dave Chatterjee:

when you read about breaches, and you hear stories about how

Dr. Dave Chatterjee:

somebody dropped the ball, did not act on the intelligence they

Dr. Dave Chatterjee:

received from their service provider. You wonder what's the

Dr. Dave Chatterjee:

real issue. It's easy to criticize and say, you know,

Dr. Dave Chatterjee:

you'll need to be more diligent, more disciplined, you shouldn't

Dr. Dave Chatterjee:

drop the ball. But when you are there battling this problem,

Dr. Dave Chatterjee:

what are the challenges? Why do you think individuals,

Dr. Dave Chatterjee:

organizations, often drop the ball when it comes to cyber

Dr. Dave Chatterjee:

intelligence?

Vishal Salvi:

Yeah, so I like to give an example, you know, and

Vishal Salvi:

it's a fascinating example. So I was last month, we had gone for

Vishal Salvi:

a trek. And it was a very difficult trek personally for

Vishal Salvi:

me, and I reached there, and then we saw a bunch of Army

Vishal Salvi:

folks walking to that cliff. And we were just observing, and they

Vishal Salvi:

were then rappelling down from that cliff, like, like it was a

Vishal Salvi:

cakewalk. Okay. And I was extremely amazed with the amount

Vishal Salvi:

of preparation and the physical fitness that they were actually

Vishal Salvi:

there. And they were planning for a run, a midnight run from a

Vishal Salvi:

couple of cliffs, you know, you know, then then they were going

Vishal Salvi:

to finally do the rappelling, and it was extremely difficult,

Vishal Salvi:

but that person was doing it so easily and efficiently. That was

Vishal Salvi:

like a simple walk. And I was I was suggesting that this is

Vishal Salvi:

peacetime, right. And people are training so rigorously, so that

Vishal Salvi:

when they're so they're basically battle hardened,

Vishal Salvi:

right, and, and when something really is required, they're

Vishal Salvi:

fully ready, and resilient to deal with it. I don't think we

Vishal Salvi:

are able to replicate that level of preparedness with our cyber

Vishal Salvi:

soldiers. We have multiple solutions, like cyber range and

Vishal Salvi:

bridge attack simulation and MITRE framework and, you know,

Vishal Salvi:

we do a lot of tabletop exercises, it's nowhere close to

Vishal Salvi:

how Army looks at it, right. And so when you see a real incident

Vishal Salvi:

happening, it's very difficult for the person to really, you

Vishal Salvi:

know, go through that as diligently because it's a very

Vishal Salvi:

rare event. 95% of the time, the security teams are focusing on

Vishal Salvi:

protecting building controls, they are not defending, you

Vishal Salvi:

know, managing incident response, only very rare

Vishal Salvi:

occasions when you know, somebody is really attacking

Vishal Salvi:

your organization. So, so that was just one analogy I wanted to

Vishal Salvi:

give you. But you know, we are obviously, you know, it's not

Vishal Salvi:

like a gloomy picture completely, because we have a

Vishal Salvi:

lot of solutions and tools at our disposal. And our endeavor

Vishal Salvi:

should always be that how do we make all our staff battle ready

Vishal Salvi:

in peacetime, right. And that requires a lot of rigor, a lot

Vishal Salvi:

of focus, a lot of training, and getting everybody ready to

Vishal Salvi:

capture the flag and all those events, we do a lot of that,

Vishal Salvi:

right. And by doing so, we are able to make good progress. But

Vishal Salvi:

we could do much more for them to be fully ready, you know, and

Vishal Salvi:

therefore, you then have the situations where we see examples

Vishal Salvi:

of, you know, it was there, it was to be seen, but nobody acted

Vishal Salvi:

on it.

Dr. Dave Chatterjee:

Right. It's interesting, you shared that

Dr. Dave Chatterjee:

metaphor of the army training. And that brought back some

Dr. Dave Chatterjee:

memories. If you think about the consequences of the attacks, if

Dr. Dave Chatterjee:

the consequences of an attack is fatal, is catastrophic, I

Dr. Dave Chatterjee:

promise you, the training and the preparedness would be at a

Dr. Dave Chatterjee:

different level. But when the consequences are not of that

Dr. Dave Chatterjee:

nature, maybe that has some impact on how we prepare

Dr. Dave Chatterjee:

ourselves. To be more specific, again, referring to my book, I

Dr. Dave Chatterjee:

just share an example of the culture that exists in the

Dr. Dave Chatterjee:

United States Nuclear Navy, the submarine program, and I have

Dr. Dave Chatterjee:

several former students who have worked on those submarines who

Dr. Dave Chatterjee:

have trained on the submarines. And they come back and tell me

Dr. Dave Chatterjee:

that Dr. Chatterjee, the training is so rigorous, because

Dr. Dave Chatterjee:

we can't afford to make a single mistake, because a single

Dr. Dave Chatterjee:

mistake could be catastrophic, could lead to a nuclear

Dr. Dave Chatterjee:

disaster. And they share with me several examples. One that I

Dr. Dave Chatterjee:

found kind of very interesting was when you receive an order

Dr. Dave Chatterjee:

from your superior, you're supposed to repeat the order

Dr. Dave Chatterjee:

verbatim before you execute it. In other words, they are trying

Dr. Dave Chatterjee:

to avoid any kind of communication loss or

Dr. Dave Chatterjee:

communication leakage, but to do it religiously, consistently,

Dr. Dave Chatterjee:

day in and day out, that discipline is motivated by the

Dr. Dave Chatterjee:

consequences of not doing it, which is death. Just a thought,

Dr. Dave Chatterjee:

means there could be any number of reasons that, like you said,

Dr. Dave Chatterjee:

we are nowhere close to being as disciplined or as prepared as

Dr. Dave Chatterjee:

they are in the army. Could maybe that that could be the

Dr. Dave Chatterjee:

reason. Who knows. You're

Vishal Salvi:

right. Because if you look at even the another

Vishal Salvi:

example of, you know, airplane security system, right, whether

Vishal Salvi:

you're flying a low budget airline or you know, full class

Vishal Salvi:

airline, you would when it comes to security, there is no

Vishal Salvi:

compromise. Even the manuals of the different airlines have the

Vishal Salvi:

same table of content, that level of standardization, just

Vishal Salvi:

so that people are able to learn from master, the security kind

Vishal Salvi:

of general operations of airlines and the technology that

Vishal Salvi:

works underneath. So because the consequences are very high,

Vishal Salvi:

right, and it's linked to human human, my sense is that, you

Vishal Salvi:

know, we, we, the moment we start seeing the high frequency

Vishal Salvi:

high impact events happening, perhaps we will become much more

Vishal Salvi:

focused than what we are today. I'm not saying we're not

Vishal Salvi:

focused, but we are giving it attention as much as it

Vishal Salvi:

deserves. But the consequences are not, like you said, as high.

Vishal Salvi:

But for example, if you start seeing, given that we're talking

Vishal Salvi:

about connected, devices, connected, cars connected

Vishal Salvi:

everything, if it starts creating harm to humans,

Vishal Salvi:

suddenly things will start changing, right, and we'll start

Vishal Salvi:

giving more attention to it. Because today, right now, we are

Vishal Salvi:

actually adding more and more vulnerabilities and issuing more

Vishal Salvi:

and more patches every year. Somebody should ask the question

Vishal Salvi:

as to why is the case? Why is the rate of innovation and pace

Vishal Salvi:

of innovation so important that you are actually ignoring

Vishal Salvi:

security? Right? So the answer is that we can do it because we

Vishal Salvi:

can get away with it. Tomorrow, if you can't, and we are more

Vishal Salvi:

accountable, then, you know, perhaps things will start

Vishal Salvi:

changing, because that's the root cause of the problem. Yep,

Dr. Dave Chatterjee:

the truth. So we shall, I also wanted to

Dr. Dave Chatterjee:

share with the listeners, your passion about mentoring young

Dr. Dave Chatterjee:

individuals, how you encourage them, how you guide them to

Dr. Dave Chatterjee:

successful careers in cybersecurity. And of course,

Dr. Dave Chatterjee:

that passion was evident when you came connected with our

Dr. Dave Chatterjee:

class online, in the evening, your time, and you were very

Dr. Dave Chatterjee:

generous with your time. And he spoke at length two questions.

Dr. Dave Chatterjee:

So what advice and recommendations do you have for

Dr. Dave Chatterjee:

professionals who are either entering the field, or who are

Dr. Dave Chatterjee:

considering cybersecurity as a career?

Vishal Salvi:

So one of the things which I talked about in

Vishal Salvi:

the early part of our discussion was the fact that it will

Vishal Salvi:

actually test all your faculties, right, because of the

Vishal Salvi:

various dimensions to the role. So I think it's very exciting.

Vishal Salvi:

There's never a dull day or a dull moment in cybersecurity

Vishal Salvi:

space. Number two, it's such a vast topic. And there are so

Vishal Salvi:

many areas, so you can master one and then look forward to

Vishal Salvi:

going into something else, whether it is technology,

Vishal Salvi:

whether it is behavior, whether it is organizational dynamics,

Vishal Salvi:

whether it is governance, all of those get tested. And so you can

Vishal Salvi:

keep planning your career in a way where you can start building

Vishal Salvi:

those as milestones. Number three, it's a great career

Vishal Salvi:

opportunity. It's one of the top three jobs in the world right

Vishal Salvi:

now. And so, you know, once you select this as a profession,

Vishal Salvi:

you're assured for the next two to three decades that you know,

Vishal Salvi:

you will have a good career, you know, we have zero person

Vishal Salvi:

employment issue right now in the cybersecurity space, right?

Vishal Salvi:

So unemployment is never a risk, or, you know, you can remain

Vishal Salvi:

secure in your job, but I think most important of all, is the

Vishal Salvi:

cause, right? Because it's, I call it as noble profession,

Vishal Salvi:

because you're trying to protect you are the Sentinels, you are

Vishal Salvi:

and so, therefore, the ability to create value for your

Vishal Salvi:

organization for the ecosystem is immense, right? So, so I

Vishal Salvi:

think, you know, and the world is getting to a stage where we

Vishal Salvi:

are getting more and more digitized. And so, we need cyber

Vishal Salvi:

sentinels, who are doing this noble cause of fighting against

Vishal Salvi:

this very dangerous, you know, threat that is there in the

Vishal Salvi:

world. So, so, there is a lot of fulfillment, you know, when you

Vishal Salvi:

when you do this, you know, and, and for example, when I mentor

Vishal Salvi:

young kids, you know, I get immense amount of fulfillment,

Vishal Salvi:

and that you know I am creating value and adding value to the

Vishal Salvi:

community and ecosystem by getting more people initiated

Vishal Salvi:

into this. So I will say these four parameters clearly clincher

Vishal Salvi:

for a profession, like this

Dr. Dave Chatterjee:

Fantastic! we're gonna end on that note, we

Dr. Dave Chatterjee:

greatly appreciate your time Vishal, hope to talk to you

Dr. Dave Chatterjee:

again. Thank you so much.

Vishal Salvi:

Thank you for having me. Thank you so much. It

Vishal Salvi:

was a pleasure.

Dr. Dave Chatterjee:

A special thanks to Vishal Salvi for his

Dr. Dave Chatterjee:

time and insights. If you like what you heard, please leave the

Dr. Dave Chatterjee:

podcast a rating and share it with your network. Also,

Dr. Dave Chatterjee:

subscribe to the show, so you don't miss any new episodes.

Dr. Dave Chatterjee:

Thank you for listening, and I'll see you in the next

Dr. Dave Chatterjee:

episode.

Introducer:

The information contained in this podcast is for

Introducer:

general guidance only. The discussants assume no

Introducer:

responsibility or liability for any errors or omissions in the

Introducer:

content of this podcast. The information contained in this

Introducer:

podcast is provided on an as-is basis with no guarantee of

Introducer:

completeness, accuracy, usefulness, or timeliness. The

Introducer:

opinions and recommendations expressed in this podcast are

Introducer:

those of the discussants and not of any organization.

Chapters

Video

More from YouTube