This is an exclusive interview series conducted by the Editor Team of CIO News with Ayush Gupta, Chief Information Security Officer (CISO) at ShareChat.
How to scale security from 0 to 10x?
Well, I shall be talking more about high-growth startups and how it’s scaled there, since lately most of my time has gone into working with them, but in principle, it’s the same across organizations.
1: Form a leaner but talented security team mix of compliance and security engineers at your disposal who are ambitious, ready to take on challenges, receptive to constructive feedback, and aligned with the leader’s and company’s mission.
2: Spend a good time understanding the company’s business, whether B2B or B2C, how they earn revenue, and who are the entities involved in the entire business. While doing this exercise, you keep on questioning yourself and ruling out non-critical areas of the business, and that should leave you in the end with a set of areas that are either core revenue-making or consumer- or client-centric sensitive data to focus upon and protect.
3: Run a security test or risk assessment across the areas you found critical; this will give you visibility, to a great extent, into the things to solve and the current state of security.
4: Develop policies custom to your organization, educate stakeholders, and use them as an official document approved by management, as powerful and important as a weapon to enforce the security controls in the organization.
5: Focus on modern security tools that are aligned toward security by design philosophy, because that way you will position and inculcate security and its culture early in the cycle.
6: Last but not least is a strategy that is often missed out on by many and not done proactively unless it is forced by unexpected situations: one should constantly put effort into finding the second-best alternative strategy, tool, or measure that is cost-effective yet powerful enough to get things done at almost the same competence level.
There are different ways and tactics that can be used; one could be that you spend some time with the security engineers to look out for quality open-source tools which are very powerful and customize them to your needs. Customization through code may take some time, and it may even attract some changes at the architectural level at times, but going this way not only gives you more control of the things that speed things up but also helps optimize the cost on one end, to transfer and funnel it into the next priority item, and the cycle continues to scale and descale to sustain and improve security.
This has helped us a lot here, and we are seeing improvements coming out of this: far more true-positive findings and less review work for engineers.
What are the prime hard challenges one should be aware of to not become a bottleneck later in the security journey?
To strike the right balance between business priorities and security goals, most of the heavy lifting should be done by the security team, which should prepare a simple path for the teams and organization to use.
There should be consensus by everyone involved in the chain of command and by different business unit leaders on the security goals at the start, before we start the implementation. It is to set the expectation that in that journey, everyone has to give their time and effort as needed, and no surprises or excuses shall be entertained later.
I often see that in the absence of such upfront alignment and consensus by cross-functional teams, it delays the entire execution and desired results. It is like executing a covert operation by the military where everyone involved in the mission is briefed with the manual and set of duties with the approval and oversight of high command, and when the time comes for action, every soldier plays out their role properly and effectively, and there is no room for errors. For such a covert operation, it may be slightly exaggerating the situation, but that’s how the cyber security strategy should play out, and even if we are able to achieve half of it that way, then the job is done well.
What does it take to be in CISO’s role?
One should be very faithful to this title and the responsibilities that come with it; it has its own decorum, and risks are aligned directly with the company’s goals and founder’s mission. There are very few mistakes you can make; any security incident or breach can shake the company’s operations, reputation, and revenue drastically.
So you have to keep evolving with new strategies and constant monitoring that keep the entire system and organization healthy against cyber attacks. It is similar to protecting a sensitive line of control; you cannot take a break, you cannot have loopholes, and you cannot live without constant monitoring.
Similarly, the CISO’s role has grown larger that way, to protect against internet-based cyber attacks, be it online payment frauds, OTP-based frauds, phishing attacks, denial of service, application- or network-layer attacks, or internal bad actors.
In modern times, where technology changes every 4–5 years, legacy apps or code are changed or rewritten to keep up. That even applies to the security domain, where different attacks and new ways to exploit systems and applications keep changing, and so does the need for new controls and techniques to prevent those.
If attackers can employ AI-based phishing attempts to exploit users, companies should also use AI-based security tools to prevent or thwart such attacks. The digital era has just begun and is growing rapidly, transcending boundaries from national to international and making cross-border payments in seconds.
New wars will be fought on the internet or between machines, not on soil, and when such a thing happens, it doesn’t just attack national security forces or government bodies but rather the entire country, including companies. So CISOs should stay tuned to modern security technologies and strategies to stay ahead of the game.
CIO News, a proprietary of Mercadeo, produces award-winning content and resources for IT leaders across any industry through print articles and recorded video interviews on topics in the technology sector such as Digital Transformation, Artificial Intelligence (AI), Machine Learning (ML), Cloud, Robotics, Cyber-security, Data, Analytics, SOC, SASE, among other technology topics.