Security controls need to be defined based on the current economic scenarios, for which a technology leader must have a sound understanding of the economy, finance, and business
This is an exclusive interview conducted by the Editor Team of CIO News with Mr. Devam Shah, Head Information Security – CISO at Great Learning
How have you planned your career path to be a successful technology leader?
Since the beginning of my professional journey, I had planned a career in technology. I always wanted to reach the position of a technological leader, such as a CIO or a CISO, and so I started my career in a technical role. Once I had a foundational understanding of technology, I opted for an MBA programme. I was able to understand the business and map technology with the business after completing my MBA.
In technology, areas such as security are seen as cost centers. But when a leader integrates technology with the business and makes technology a business enabler, your leadership gains value because the technology is of no use if it does not benefit the business.
Therefore, having a clear vision for how to use technology to enable business is essential for becoming a technological leader.
What challenges have you faced in your career and how did you overcome them?
Almost seven years ago, the approach to security was not as good as it is now. At that time, many of the business leaders were not treating security as a serious matter, which was a big challenge. It is necessary to understand the value of data/assets and map it to the security controls to make decisions related to information security and infrastructure.
Then, another challenge was the cultural change. As leaders, we need to explain and educate the entire staff that implementing security would not hamper their productivity but would help in conducting a secure business.
The third challenge is the rapid advancement of technology, for instance, serverless architecture, OT-based infrastructure, etc. Developing a new security framework and crafting traditional security controls for these kinds of cutting-edge technologies is complex.
What challenges are other IT leaders facing while implementing digital technologies? How can these challenges be overcome?
Based on my interactions with other technology leaders, currently there are two major challenges across the industries:
The first challenge is that in the pre-COVID era, work-from-home was not available for everyone. But now, it has become normal. So, security needs to be deployed accordingly. So, in the pre-COVID era, perimeter security was limited to the company’s premises, but now, in the entire world, wherever the employee is working from becomes the organization’s perimeter. So, at the people level, the entire architecture has become micro-fragmented, and even if in the current times companies are calling employees to the office, the environment will remain hybrid. Implementing a zero trust architecture or a variable trust architecture based on asset risk scores can solve this problem.
The second challenge is that the IT industry has been affected a lot by COVID. The cost of hiring experienced employees has increased. Employees benefit from this, but the cost has to be balanced against the cost of security. This challenge can be solved by concentrating on automation, which requires the leader to recruit an employee with programming and scripting knowledge in order to automate many of the operations. We need to enable one individual to handle the burden of ten employees.
Any best practices, industry trends, or advice you would like to give to fellow IT leaders for their successful professional journeys?
My personal advice is that security should not be taken as just a technology or a technical thing. Security is techno-managerial and techno-art, which means security is a combination of technology, business and art together. Security controls need to be crafted based on the economical macros, understanding of the industry and position of your company in the specific industry.
For instance, the information security management system and security frameworks are completely different for fintech and edtech companies, an SME, an enterprise and a startup, and they also vary depending on factors like the areas where they conduct business and their clientele.