Description: Rajiv Singh, SVP for Global Cybersecurity at Tech Mahindra discussed Board-level security issues at the Virsec booth at RSA 2020. The discussion covered the need for digital transformation to go hand-in-hand with security investments and Tech Mahindra’s experience working with Virsec to meet pressing security needs for major organizations.
Speakers: Rajiv Singh, SVP Global Cybersecurity, Tech Mahindra
Interviewer: Willy Leichter, VP of Marketing, Virsec
Willy: Well again thank you for joining us. Please, if you’re walking by, have a seat, relax; we’ll give you a Starbucks card.
Let me introduce Rajiv Singh. Tech Mahindra is an important partner of Virsec; we announced a global partnership just last week, I believe, and we’re engaged in many deals around the world. But we wanted to get Rajiv’s perspective, upleveling this, about the board perspective in cybersecurity and a whole lot of areas we go. But maybe just introduce yourself and Tech Mahindra as well.
Rajiv: Yeah. Thank you very much. A lot of you would probably have known about Tech M as a global system integration company that specializes in, I would say, entire IP and security conformation. Essentially if you take a very digital conservation program anywhere in the world it would be — one of those would be the kind of sweet spots where Tech M would be a part of that.
We are a $5 billion company based out of India, but with offices all over the world in 95 countries. We cover 95 countries today. Essentially the theme of Tech M is, today, to help customers transform their businesses. So when you’re talking of conservation you’re talking of how do you help customers optimize and maximize costs and transformation of productivity. So digital transformation is really all about maximizing your output and being relevant to the customers. Customers, customers is what we serve through these engagements.
From my perspective I do the cybersecurity for Tech M. It’s a business that cuts across all of these different verticals in the marketplace, be it telecom, health care, financial, those are the kind of market verticals.
What it really means is that the themes in cybersecurity are end-to-end consulting that essentially is about the quality of other sources who understand what it takes to be a consulting-led person, which is essentially saying we understand compliances, we understand the whole key of the vertical that you’re operating. How do you protect the hospital? How do you protect the bank? How do you protect the telecom company? These are themes which we have built with a lot of intellectual property around those verticals.
So it’s not just about a product-centric approach, but it’s about solving the problem of the customer in that business.
Willy: So let me ask you, Rajiv, didn’t mean to interrupt you. But let me ask just on our topic, we’ve gone in a lot of directions here, but the board perspective. I know security is such a hot topic across, you know, up and down, but we hear that it’s become a board-level issue. Like you deal with these major organizations; what are they asking you? What are they trying to solve?
Rajiv: Thank you. So I do a lot of work with the advisory boards; I cross the globe with our customers. And a common theme that comes up over there is how do I stay upline, with all that’s constantly concerned? How do you stay compliant? And compliance, for a lot of people on the board, is a top subject, a hot subject. So much so, that most of the boards are controlling hiring independent directors with a cybersecurity background. Because of the kind of concerns the board feels today these specialists on the board are now providing the strategy and direction change. They’re seeing a lot of change in the strategy direction.
Gone are the days where the report published by an independent agency, telling you what the risk is was taken as the final thing, final word, and everything followed.
It’s become more like zero trust, you know, the zero trust concept. So there is absolutely an independent view which is emerging now at the board level, which is changing the way cybersecurity is viewed.
The other thing which I see is boards are asking, “How do I limit my exposure to the non-compliances that may come up at any point in time?” And it’s a quarterly report. So the quarterly level, quarter level, if you’re reporting something, and you haven’t acted upon the risk yourself as a board member, I think that’s a big challenge right now.
How do you solve that problem? It’s not about somebody giving you a signed report of an audit member and saying, “All of this looks good.” Because right behind, the attack system, the attackers are much smarter than they used to be before. We’ve seen a lot more events coming which are undetected, going undetected. So the non-compliance is all about the kind of people–people, process and technology.
@ :23/1.49 minutes
The tech behind it is also changing very fast. Tech is no longer the same tech that we saw last year or the year before. Believe me, a lot of my customers today around the world at the board level are saying that they are ready to invest in the next generation of cybersecurity products which are going to help me stay ahead of this kind of a challenge.
At the same time you need the right people behind it. So Tech M brings that kind of ecosystem of technology and people together, making sure it’s a tight integration in the competency that’s required to offer the services, which are to be delivered to these customers.
Rajiv: So these tools are not just the kind where you have an AI and an ML kind of an engine working because the PC isn’t really connecting to them. A lot of people that we see are asking “how much is the risk that I have today and is that the level of risk I can actually handle? And if I were to do my business, is this good enough? Am I well protected and am I well invested?” I think those are the first questions people ask. So the first thing is to find the level of risk in organization, and it’s the ability and the appetite of the organization to manage that risk, and that business.
If the risks are increasing, you need to be careful that your current infrastructure, is it well-funded to handle that. So the budgets are no longer – you know, like an open conversation. They’re directly linked to the risk appetite and your current investments. So we see a lot of the discussion around, “I’ve spent so many millions of dollars but I haven’t seen any change. I still feel I’m attacked. And the risk is happening. How do you stop that?”
The first thing to do is to look at the investments which you are already in, look at those investments objectively and say, “What can you do to optimize this?”
@ :46/1:49 minutes
So optimization would mean that you may want to retire some of those technologies and tools which are no longer effective enough. And that is happening.
For example, the attacks, like memory-based attacks. How many technologies are there in an organization that actually can do that? Well, I did not find anyone having that ready today. Now this can be just the weak spot that can actually bring down your organization. Then all the investments that you made will be of no use.
So the board is saying, “Let us invest in the right things, the right areas.” And those are the kinds of conversations and the budgets I’ve been in. So framing a budget is no longer a conversation based on what I did in the past but what I’m going to do tomorrow. And based on that, writing the entire strategy roadmap from how do you transform your organization and then bring forth the kind of tools and technologies that we could need.
Willy: Great. Let me ask, with all of this digital transformation which Tech M is driving in many ways, all of these huge changes with cloud and mobility and virtualization and containers, are you finding businesses are securely keeping up? Or is the technology – are we still racing to catch up? Are there concerns? Are they trying to approach security and transformation at the same time?
Rajiv: They’re trying to do security and transformation at the same time. Patience levels are almost zero, I can tell you that. Gone are the days where somebody would say, “You take over a project, then you do the transformation.” They want us to do the transformation transition at almost the same time. So that’s the kind of rush and the push to do that. Obviously you need to be using technology that can help you from Day One, rather than trying to do at a later stage, say a year down the line or two years down the line. All of this is in a real-time basis.
So the digital transformation, one of the biggest challenges is how do you keep the customer secure. Because you’re touching the lives of your end consumer. The end consumer is the one to where all the threats emanate and also the threats are in case of an attack. So today the lawsuits which are there are the data privacy, data protection areas which we actually cover. A lot of this is related to the kind of technology that you have. If you have, for example, I wouldn’t take any names but if you had for example, the right technology, some of these attacks would have been detected so early, and you would have avoided those lawsuits, and you would have avoided the insurance. The insurance companies also, by the way, are linking the premiums to the kind of tools and technologies that you have. It’s a big area. So the right sizing of the investments, based on the risk appetite, your current posture is all customized to those organizations.
There’s no one size that fits all. But the technology behind it are limited to those areas which are for emerging threats like memory-based attacks, or like your fileless attacks, those kind of things. Zero-day attacks. How do you do that? Zero trust framework is the next thing which I see a lot of organizations investing in. The zero trust framework is the future.
Willy: So one more question. We hear a lot about the talent shortage, about all – you know, you have labor-intensive products that’s hard to maintain. But I imagine Tech M is maybe brought in to help with this, but how is your organizations approach to this? It does seem to be too much happening for the number of trained security experts we have.
Rajiv: So it’s a challenge which is not going to go away in a minute. But there is a move toward encouraging, the emerging talent from colleges. A lot of the institutes are being encouraged to do so. So we’re running a few programs where we’re encouraging the students from the cybersecurity programs in the universities to join us and work with us. We’re also training them. We will in fact design some of the curriculum, which is for the industry. So it’s like saying the academy and the industry coming together is one of the big things happening right now. It’s the need of the hour, right? So it’s a need-based kind of situation that’s driving us.
Now once we do that we see availability of talent at doing a lot of the initial groundwork in security available today, which is missing, by the way. A lot of the people aren’t available anymore. It’s not that AI and ML eliminates the people. It’s just that people are still required for doing certain jobs, and those jobs have to be – the trainings have to be aligned to those jobs. There’s a lot of that work happening, of alignment of skills to the kind of jobs which are going to be there for the future.
Also it’s the role of the technology companies who are – what do you call them? – as product companies, to provide the right kind of training. When we absorb people in our organization we take the base skills and then we train them on the technologies which we need to have. That’s how we are able to make them available to the industry where the talent is aligned to the market requirements.
But this is, again, not good enough. So it’s really kind of a collective issue for the industry. For the players like ourselves, and technology companies like yourself, like Virsec and others, who can bring this together so we can have it.
Willy: Yeah, and I just echo what you said. I think from our perspective, if you have tools that are tedious and labor-intensive you need to improve on them. But it doesn’t mean you’re going to have fewer people. You’re going to let your people do better work and be more effective.
Thank you. Any last thoughts, Rajiv? Again, thank you for joining us.
Rajiv: Again, thank you for this opportunity. But just I will say that with Virsec, we’ve been able to make some change, positive change to our customers’ lives. I see that happening because of the conversations that I’ve had so far, I’ve already seen a lot of the board members showing interest in the kind of technology and the problem-solving approach that we talked about. I’m finding a lot of that coming in handy in our conversations. I think it’s a great future ahead in the way we are working together.
Willy Leichter: Yeah, well again we’ll echo that. Thank you so much for your time. We encourage you to see our demonstrations.