No matter how smart you are, cyber security is a team sport; no single person can achieve the goals
When asked how he planned his career path to be a successful technology leader, Dr Ram Kumar G, Cyber Security & Risk Leader with a global automotive major, in an exclusive interview with CIO News, said, “Honestly, I never planned to be in technology.” I completed my bachelor’s degree in Commerce and was reluctantly pursuing chartered accountancy, but in a twist of fate, I got into computers by signing up for a master’s degree.
Furthermore, my first tech job post my PG was with an American ISP, and that’s where I cut my teeth in cyber security (in those days it was called information security). Call it fate or divine guidance, I was assigned to the security team, and that’s how I got into cyber security.
Soon, I realised that to do well in this domain, I needed exposure and learning beyond my assigned tasks, and I was in a tearing hurry to get out of the pile. Early in my career, I got my break with a large non-IT MNC to spearhead their foray into cyber security consulting, and that stint gave me insights into management decision making and the dynamics of the cyber security market, honed my leadership skills, etc.
I also understood that constant learning is the key to keeping pace with the domain. Hence, continuous learning became part of my routine, and I invested early on in learning new domains in cyber security and getting certified. Certifications are a way to validate my knowledge and skills, which otherwise I wouldn’t have gained in my day-to-day job routine. Acquiring knowledge needn’t necessarily be through the certification route. I started reading up a lot on diverse topics in security and started attending security conferences and events to hear experts speak on practical issues. And networking with industry peers helped in my learning endeavours too.
With time and newly acquired skills and experience, I got opportunities to work for companies that were in the top 3 rankings in their respective industries and had the fortune of working with amazing leaders, most of whom are icons in the industry.
If you look at my career journey, I never shied away from taking up challenging roles—in one of my earlier stints, I took up the tough assignment of heading information security, corporate security, and business continuity functions at a very young age. That 3-year tenure gave me rich and varied experience, which normally you would gain after spending many years in the job.
In hindsight, it is clear that I pursued quite an unconventional career working for unusual companies across industry verticals. And today, I’m serving a global automotive major and, being a petrol head from my childhood, it’s kind of aligned with my passion.
When asked about challenges he faced in his career path and how he overcame them, he said, “Staying on top of the game is a constant challenge in the ever-changing technology domain, especially in cyber security.” In this context, it is critical to stay relevant and add value to your job.
I come from a time when cyber security (it was called IT security or data security) was perceived as a necessary evil. Leaders, from then till now, wax eloquent about the importance of cyber security, but when it comes to walking the talk (in terms of budget, resources, visible management support, and commitment), there is always a gap. Getting the management to see the security value-add and obtain their support is a big deal. In time, I learnt to adapt to making do with less and demonstrate the benefits of a robust cyber security programme and continual investments to raise the maturity and security posture.
At the individual level, keeping pace with the dynamically evolving tech space through constant learning and adapting is a key challenge. Learning new concepts, technologies, and tools is a way of life for me, and I’m fortunate to have time, interest, passion, opportunity, resources, and an environment that supports my learning pursuits.
I have to constantly compete with young professionals to keep up with technological changes; even though I’m no longer hands-on, I still need to have a conceptual understanding of new age technologies. Recently, I pursued a PG programme in Cloud Computing, and 90% of my classmates were youngsters who were practitioners, so I had to put in additional effort to stay afloat. Of course, one shouldn’t shy away from learning just because you consider yourself too old to learn. Knowledge is power only when applied.
The cyber security domain is vast; specialise in one or more core technical areas and then expand your horizons by getting exposure to multiple areas that are aligned with your career aspirations.
I always believe, especially in the tech domain, the day you stop learning you stop being relevant. In that way, learning is life and learning is growth.
When asked about challenges faced by technology leaders today while implementing digital technologies, he said, while challenges keep changing with the times, I’m listing below the most constant ones in my career experience:
Conducive organisational culture: We understand that a conducive organisational culture is critical to sustaining security-conscious leadership and a security-aware workforce that prioritises security in everything we do. Management’s commitment and support is vital, and leadership by example enhances the security culture that needs to be fostered and sustained. Unfortunately, the culture aspect is the most underrated and ignored in companies, and whatever security strategy we may have falls flat in front of the prevailing security culture. It’s not for nothing that it is said that culture eats strategy for breakfast.
Management buy-in and cohesive strategy: It’s a tall order to get management buy-in to a new security strategy and programme with multiple members of the management team looking at security in a different way, suiting their interests or point of view. It makes things complex to obtain management buy-in for the planned strategy. Engaging the Board of Directors on cyber security and risk management is difficult as many times they are not well versed in the domain. Does the CISO have a seat on the board? Or at least dotted line reporting to the board? There are companies that look at cyber security purely as a compliance issue—nothing more, nothing less. They just need the certification or clearance from the client audit to be done with it. Apart from this, the lack of a cohesive strategy to improve the security posture as well as to keep threats at bay by managing risks is a continuing challenge.
Attrition of tech talent and skill shortage: The Great Resignation Movement underway during this COVID-19 pandemic has accelerated the security talent attrition numbers greatly. And we all know about the serious shortage of skills in the security domain. Today we are staring at a scenario where no matter how big your company is, you are unable to retain talented professionals, nor does your brand name have the pull to attract talent to join.
Security teams today are grossly understaffed and overworked, with rewards not commensurate with the efforts, leading to burnout and eventual attrition. On the other hand, taking undue advantage of the prevailing scenario, candidates too ask for fancy hikes and permanent remote working, way beyond the experience levels and digital skills they possess.
Inadequate budget: Security budgets are always tight, except for some companies that have well-funded programs. No CEO gives a blank cheque to the CISO to run a security programme optimally. We understand the constraints and work under challenging conditions to make do with less. What’s worse is clubbing cyber security functions under enterprise IT and using outdated benchmarks for security budget as a percentage of the overall IT budget.
Evolving threat landscape: The threat landscape is dynamic and ever-changing. Hackers and cyber criminals are constantly one step ahead of cyber defenders. With new age attacks, new attack vectors, increasing attack surfaces, APTs, and targeted attacks, securing and protecting the extended enterprise is a big challenge. In COVID-19 times, adapting security to a remote workforce is a new challenge.
We can only assume we are safe as we have not yet been targeted by hackers and not because our cyber defences are robust enough to protect us. Investing in detection technologies can help in finding out if we have been breached. We are only safe as long as we do not come under the radar of the APT groups. Given the scenario, we are at best trying to build confidence and resilience through our cyber security program.
Too many vendors and solutions: It is well known that there is no silver bullet to security risks. There’s no single solution (it’s impossible to design one as well) that would cover all the risks and help secure our digital assets. With multiple vendors and varied solutions, our security strategy and programme have become complex, to say the least. Cutting through the marketing speak and evaluating the solution objectively is critical to zeroing in on the optimal solution. With the change of pace in cyber security defence technology and threat landscape, it is a challenge to constantly calibrate our security strategy and response and receive management support to mitigate the unexpected risks under cost pressure.
The Changing Regulatory Compliance Landscape: The world’s ever-increasing regulations spanning cyber security, data privacy, and resilience present a constant challenge for all security leaders today. The regulatory landscape is changing rapidly, and keeping pace with it and bringing about a well-defined compliance programme is tough. Sensitizing management to the key features, requirements, and penalties of these expanding regulations, as well as staying compliant, is an ongoing effort to gain their buy-in and support for a security and privacy compliance program.
Assurance and Trust Issues: With the ever-present threat of data breach or cyber-attack, which is bound to happen sooner or later, it is impossible for CISOs to provide assurance to management and other stakeholders guaranteeing against breaches or attacks, despite a well-funded, well-defined, and optimised cyber security program.
In the event of a data breach or a debilitating cyber-attack, it is normal in the present times that the CISO will get the sack by the management more for political correctness than for giving an opportunity to fix the actual issues. Even if the CISO continues in the aftermath of a breach or attack, trust issues crop up and he/she is never perceived the same way by the management. No wonder the average tenure of CISOs is just about 18–24 months, as several industry surveys confirm.
In summary, some of the common constant challenges in vogue today are:
- Management that doesn’t hesitate to make the CISO the fall guy
- Poorly funded security program
- No agility to respond to a changing threat landscape
- High attrition and inability to backfill
- Complex regulatory compliance requirements
When asked about best practices, industry trends, or advice he would like to suggest to fellow technology leaders for their successful professional journeys, he said:
- Be situationally aware all the time by keeping tabs on the latest trends, developments, and pointers
- Nurture a child-like enthusiasm to learn anything new and be curious
- Continuous learning is critical to having a successful career in cyber security
- Be ready to adapt to the changing environment – learn, unlearn, and relearn
- Take the lead in a technology/process implementation exercise, which will teach you way more than all the theoretical learning you may gain
- Learn the art of people management – this is underappreciated, but as we advance in our careers, we will be dealing with people rather than technology on a daily basis
- Become a consummate communicator. This is important to get your message across the board—management, staff, regulators, and beyond
- Build a persona that comes across as a strong, confident leader that the management can rely on and entrust with higher responsibilities
- Collaborate to succeed – no matter how smart you are, cyber security is a team sport; no single person can achieve the goals
- Keep networking with industry peers and senior professionals constantly—this can help in many ways in your professional career
- Give back to the community by sharing your knowledge and experiences; you will be remembered long after you are gone
- Finally, hope for the best but be prepared for the worst
CIO News, a proprietary of Mercadeo, produces award-winning content and resources for IT leaders across any industry through print articles and recorded video interviews on topics in the technology sector such as Digital Transformation, Artificial Intelligence (AI), Machine Learning (ML), Cloud, Robotics, Cyber-security, Data, Analytics, SOC, SASE, among other technology topics