Transcript
This transcript has been edited and refined for clarity.
Suparna Goswami: Hello there. I'm Suparna Goswami, I'm associate editor with Information Security Media Group. We just wrapped up our Mumbai Cybersecurity Summit which saw more than 700 delegates attending it. And I thought why not give a highlight to our audience here. Please join me in welcoming Prajeet Nair, who is our assistant editor and Jayant Chakravarti, who is our senior editor. Prajeet and Jayant, welcome. Such a lovely Summit. We saw so many delegates, and just wanted to check what were the highlights for you.
Prajeet Nair: Absolutely, Suparna, couldn't agree more with you. We had an amazing keynote, we had brilliant plenary sessions. The keynote, which was by the government representative Dr. Yoginder Talwar, senior director and chief information security officer for the National Informatics Centre Services Incorporated, the technology arm for government of India. He presented some very interesting points about how our technologies, which were adopted in India, Aadhaar and other systems, are being widely adopted in other countries and how ready we are in terms of the growing threat landscape and how we are countering that, how the government is taking action. He also mentioned about generative AI, the government plans, not revealing a lot of details, but it's good to know that the government is actually working on it, we are on top of it. They don't have that kind of reputation. But it's good to know that we are on top of the technology in terms of if we talk about other countries, and among us, so it was a really enlightening session. People were more curious to know about what's happening and another session which grabbed my attention was from a CrowdStrike representative. His name was Satheesh Kalyanasundaram. He went on to explain about the threat landscape and how the remote monitoring tools are being exploited. And an interesting stat was around over 300% attackers are now using these tools to infect machines, get into systems. So, how important it is now we know these remote monitoring tool - it has become number one vector of intrusion into our system. And I think one of the other sessions was by Dr. Durga Prasad Dube. He is the group's CISO at Reliance Industries Limited and how he explained about implementation of SIEM. And what is the importance of it, and how behavioral-based threat detection can make an impact, since it's very old, but how it can be manipulated. So he went on to details, how it's going to work and what are its cons and pros both?
Goswami: I think one of the points that was mentioned in the keynote was 40% of total digital payment comes out of India, across the world. And we keep talking about real-time payments. I cover a lot of real-time payments from the U.S. point of view. And this is massive from an Indian point of view. Over 34 crore Indians consuming and unveiling e-service-enabled Digital India, which is enabled by Digital India. So I think this is massive news coming from India. This is a growth story, we keep talking about how APAC and Asia is where the next growth will happen. Jayant, you cover Asia a lot. I come to that part later. But what were some of the interesting sessions for you?
Jayant Chakravarti: The keynote was absolutely wonderful in terms of the insights and the level of knowledge that has come from the Government of India. I was really impressed with the way he represented how the government of India is using the JAM trinity to extend online services to the citizenry, how the digital payments have picked up over the last four or five years since demonetization and how the JAM trinity has helped people adopt banking services and a lot of other online services from the Government of India itself that they could not afford or adopt before that, they even did not know about before. The keynote was certainly impactful on that front. Apart from the keynote, another particular session that I really liked was by the director of the Indian Institute of Management in Nagpur, Dr. Bhimaraya Metri. So that particular session was about the board members in India, how attuned or in line they are with modern cybersecurity challenges? Do they really appreciate threats, are they on the same page with the information security personnel - the CIOs, CISOs. So I believe he gave quite a few very interesting insights on that. For example, the government of India through the data protection law and through RBI regulations, it is now mandating board members to come to terms with cybersecurity, understand, increase their cyber awareness through education. So I believe it is no longer an option for the board to pass the buck to CISOs anymore. So I believe he said that it is imperative for board members to brush up the skills in the subject because the World Economic Forum in its 2023 Global Risks report said that cybersecurity is among the top major risks worldwide. So he said that the cybercrime costs around the world annually is going to exceed $10.5 trillion. So I believe it's time that board members actually have people within the boards who are experts in cybersecurity.
It's important that the time has come for CISOs to be part of the board or even CIOs. So I think it's a very interesting development. And that's something that he highlighted.
Nair: Just to add, Jayant, his exact words were "ensuring the board becomes the first line of defense." He gave so much emphasis on that, and also talked about that bridging the skill gap issue in India.
Goswami: I sat through that session, and I also got an opportunity to interact with him personally. And he's saying that how he's visiting different corporates to make them realize the importance of cybersecurity. Of course, the bigger ones know about it, the smaller ones probably know, and do not have the budget, but within the budget, how they need to work it out. He was telling me that how he and his colleagues are probably helping them understand and chalk out a plan. But Jayant, you cover a lot of Asian market as well. So what are some of the topics that probably resonated with you, or which are probably common in India, which you heard here across Asia?
Chakravarti: I believe I found a lot of similarities. There's not much difference in terms of what is happening in India, with the rest of Southeast Asia, in terms of, for example, there were a number of sessions in which the fact that a paucity of cybersecurity professionals and a lack of awareness of data protection rules and regulations is hindering development in the field. Organizations are not able to figure out how to exactly comply with myriad regulations. For example, we have sector specific regulations, and all of them apply beyond those sectors as well, because there's so much intercommunication between the sectors. So we need to have an umbrella data protection law in every country and Southeast Asia is certainly making progress toward that. But at this point of time, awareness, and a lack of professionals and lack of understanding about the right cybersecurity tools and solutions, they need to really comply with existing laws. These are some of the concerns that we will see resolved over the next decade, the more we have summits like these, where we can share information in real time.
Nair: Yeah. Also, I think we don't want to miss about the DPDT Act. There was an interesting conversation, panel discussion, actually, on data localization versus cross-data movement, and I happen to speak with one of the speakers as well. And his concern was that we are well-placed right now, but we have certain challenge issues on implementation. It is not that big a challenge, but it is still, because, there are international companies who are offering services in India, how the data is going to manage, we are going to create a lot of data, and where are they going to be? How safe they are going to be, and when the government says it's going to be friendly nations, they're going to share it. Who are the friendly nations? They could be friendly right now, but things can change tomorrow. Right. So pretty interesting points, I think and things to be noted, which is going to be developed in next year, I think we will have some great news to cover.
Goswami: Plenty of news and in fact friendly nations. It's always that the nation can be friendly, but when they might not have the best privacy or the security practices in place. So yes, a lot of things to take into account. And I think this is the same situation which I'm seeing which we recently covered, Jayant, in the Indonesian Data Protection Act as well. There also they have said that for certain nations, they will keep it little lenient. But again, how will they measure the security or the privacy awareness of those nations is something that only time will tell but yes, a lot of things happening in India as well as APAC. In fact, I found one of the sessions very interesting, which was with Sameer Ratolikar, he's the CISO of HDFC Bank. Nothing technical, but I thought it resonated with those CISOs on how CISOs need to have a leadership role. And because the CISOs keep talking about the TSI, as far as knowledge is concerned, I have that, as far as my communication with the board is concerned, I'm doing my best. But how is it that I can make the board take me more seriously. Bigger organizations are doing that. But he emphasized on the need of taking that leadership, ownership, in fact. He said if today businesses of the salespeople, sales team doesn't meet the goal, the sales head takes the ownership. That, even if there is a cybersecurity incident, the CIO, the CISO cannot be in the business and say that I told them to do these things, they did not take it or they did not do it. So it's not my responsibility. As much as when you take the responsibility of security investment, you need to take the responsibility when a breach happens, and you own that responsibility. So he was saying that when you draft a poll, there is a policy framework business or at least interested in following that. But you need to be an influencer. And here he said, you need to interact with the business on a constant basis, develop relationships with them.
He said that CISOs often do not give emphasis to the relationships that they build. But this is so important if you need to convince businesses to follow up on particular policy. And he also spoke about whether CISOs need to be technical in their aspect, or it needs to have technical knowledge. So that's debatable, because many CISOs say that, no, I'll just draft the policies. I have the CTOs and the other technical guys to take care of it. But he said in order for the board to take you seriously, you need to have the technical knowledge. Only then will you be able to convince the board. Of course, you won't speak that technical language with the board, you will obviously speak the business language on the board. But it's important to have the technical knowledge as well and CISO should just do away with that thought that no, I need not be technical anymore. And that is something else. He also keeps emphasizing that, yes, a CISO cannot just be talking about compliance and regulations, you need to understand the technical side as well. So I think some of those discussions, we keep talking amongst each other. But that is something we heard in the summit as well.
Chakravarti: So Suparna, when we talked about responsibilities of the CISO, I had a very interesting Fireside Chat with Pooja Shimpi, who is the co-founder and CEO of Pune-based company called SyberNow. So she had a very interesting take on this, she said that sometimes scapegoating the CISO, or putting the blame for a cybersecurity incident or a data breach could possibly deter the CISO from taking digital initiatives. And they could possibly just tick all the boxes and you don't do nothing more, because they will think that the axe will fall on their head. So what she said was that collective liability for the management, those who have signed off on a particular initiative is the only way to go. That's when the team will play together.
Goswami: That's a good thought to end the discussion with but fascinating summit. I think a lot of takeaways for us and a lot of stories that we can write for the rest of the year. Thank you, Prajeet and thank you, Jayant for sharing your views here and giving us a highlight of the summit. Thank you.