Cybersecurity Leaders – Amit Ghodekar
Amit Ghodekar is working with Motilal Oswal Financial Services Ltd (MOFSL), an Indian financial conglomerate and leader in the areas of Broking & Distribution, Asset Management (AMC), Wealth Management, Institutional Equity & Investment Banking, etc., as SVP & Chief Information Security Officer (CISO). Amit has made an immense contribution to the information security industry over the last 10 years by various means, be it developing new talent for the industry, providing innovative solutions to business or creating cyber awareness.
Recently, he was instrumental in playing a pivotal role in establishing a Security Operation Center (SOC) for small and medium co-operative banks in India as an adviser. He is CISA, CISM, LPT, ESCA, CEH and ISO 27001 certified, with an MBA in Information Technology from United Business Institute Belgium and 20 years' rich experience. He writes articles for newspapers and appears on TV shows on Information Technology related subjects.
Amit has received many industry awards for his contribution to the area of Cyber Security.
What is your overall approach to information security?
Information security is the most vital organ of any organization nowadays. Earlier, businesses used to focus more on customer-facing applications, business-driven programs and processes, but now, in the new Digital World, business has started thinking about information security as a key aspect of the organization. My approach towards information security is to view it as a profit center which enables the business to generate business and at the same time keeps the organization safe and secure.
What percentage of the CISO’s role is troubleshooter and what percentage is process enabler?
Traditionally the CISO profile was considered more as a consultant who advises on expectations from an information security and regulatory point of view. But nowadays, as businesses are looking to agile environments for delivery and faster business turnouts, it has become imperative for CISOs to become a solution provider rather than a road blocker. Business expects faster solutions and on-time delivery, and if current and future CISOs don’t deliver that, then the future will be shaky for them.
For security executives who don’t have a strong relationship with their board, how can they improve it?
It’s very important for CISOs to have a strong relationship with the board. For the implementation of cyber security most organizations adopt a TOP DOWN approach, which makes it easier for a CISO to have such a strong relationship with the board. However, when it’s otherwise, CISOs need to do a lot of hard work to ensure that the board understands the importance of information security. Some of the good things to do are to frequently interact with the TOP executives and make them aware of the risks the organization may be facing, the industry trends and the countermeasures taken to prevent such risks, etc.
How can CISOs better understand a business’ needs?
Businesses across the globe are changing dramatically. The change is multidirectional and started from consumer behaviors and consumer expectations from products and services. Due to these demands, businesses have started taking risks in fulfilling the demands of their consumers, and this has paved the way for rapid development. CISOs need to get to the root of this to understand what the demands of the business in which they are working are; what challenges the business has; what the business model is; what the consumer demands are; and finally what risks the business may have.
Almost everybody agrees that organizations need a culture of security. How can security leaders help facilitate that type of culture?
Security should not only be part of the culture of the organization; information security should be part of the DNA of the organization. It might sound like a very bold statement, but that is the reality which will be required in the future and everyone has to accept the reality. There are a lot of things that need to be done by CISOs to build the DNA of information security in the organization. The industry is running high on running training programs, quiz contests etc. However, along with these we have to go beyond – and the beyond is CISOs who have one-to-one connects with the employees, partners and vendors to help them understand information security in innovative ways, in the same way that things may go wrong in their personal life if they don’t follow secure paths.
Ransomware and phishing are among the risks that have threatened all industries recently. From your perspective, how should companies mitigate these risks and what has worked for you?
Ransomware and phishing along with advanced persistent threats (APTs) are a deadly combination which is giving nightmares to every security professional in the world. We have seen organizations get divested due to such attacks and even big organizations and government agencies also were not secure enough to save themselves. As a security professional I personally feel we need to give the highest level of attention towards safeguarding our organizations from Ransomware and phishing, along with advanced persistent threats (APTs). These are the types of attacks the hackers will try again and again as these are very sophisticated attacks with wide weapons which can damage things very quickly. Companies need to focus on defense in depth and have a layered security approach for safeguarding their crown jewels with innovative solutions.
What are the biggest challenges you face in the year ahead?
Digital transformation, innovation and rapid, fast disruption, which are changing business dynamics very rapidly, are the biggest challenge, as they give a lot of opportunities to the bad guys to evade security. In the year ahead, I see a lot of innovative new technology which is going to put the CISO job under huge and constant stress. Security professionals need to remain up to date with the new technology; they need to create a strategy and solutions to best safeguard their organizations in the era of digital transformation, and they always need to be on their toes to ensure that the business remains in business by all ways and means.
Security and IT professionals are bombarded with news about cybersecurity issues. How can they filter out the noise and determine what issues really matter to them?
We hear a lot of security news nowadays and most of it is bad news – either what is hacked, how it is hacked or what the impact is. As a security professional it’s really disturbing. Security professionals need a focused approach to filter such news and are also required to give limited, careful attention to such news that is relevant and impactful for them. What I personally feel is that security professionals pay so much more attention to the positive news in the industry, i.e. what’s new and the niche innovation happening in the cyber security world and how it can be helpful for them.
How can CISOs balance security and innovation?
Digitalization and innovation are a double-edged sword, offering incredible benefits but also entailing serious risks. The bad guys are looking for the vulnerabilities which rapid digitalization and innovation will give them. Security professionals should constantly evaluate new technologies in the technology world as well as in the cyber security world. Cyber security professionals should adopt a skillset with a zest for learning new things that will increase their knowledge base.
What is the best way to foster an image of information security being there to help support the business rather than just being about the raw technology?
CISOs and information security professionals should think of themselves as business enablers rather than road blockers. This will only happen when they start thinking about how security is giving a return on investment to the business, to the extent to which the business expects. The best way to support and foster an image of information security for the business is to give innovative solutions, better processes and great SLAs, maintaining turnaround time.
How important is information sharing within the sector to keep abreast of new threats and cybersecurity best practices?
Information sharing is the most important thing the information security professional should possess during his career, as that’s the only way of life to know what’s happening around the world and learn new things from peers and the industry. Information sharing will help security professionals to interact with each other and devise a mechanism to battle against the bad guys. Information sharing in the area of threat intelligence is the most important aspect of sharing and will help to give a faster response to peers and it will help to share best practices with each other.
Cyber security has become an integral part of corporates, and it’s now no longer a topic of information technology but a topic of the Board. We have to see cyber security completely differently from information security – today’s cyber security has more to do with defending your organization from sophisticated new-age targeted attacks with the help of cutting-edge tools and technologies, rather than only focusing on policies and procedures. We should be prepared for sophisticated cyber-attacks.
A great level of push is required from government and regulators towards the interest in cyber security so that we can move in the right direction to become mature in cyber security. We should think about proactive cyber defense as our main strategy to become cyber resilient, which includes investing in cyber security tools and technologies, adapting new processes and nurturing talents in cyber security.