Episode Description
What We Discuss with Abbas Kudrati:
- What is Digital Transformation and why CISOs are being involved?
- Board meetings think about cybersecurity and risk?
- Has Cloud made Board conversations easier for more budget?
- What kind of objective is the focus for CISOs within different industries?
- What are the impact on cyber priorities for CISO because of COVID19?
- How do you show value of CyberSecurity for the organisation and the Board?
- What are the Top 3 priorities for CISOs in 2020?
- Have COVID-19 affected businesses reaching out consulting companies in a particular industry?
- How has COVID-19 affected the Business Continuity plan, Crisis Management plans, Incident Response Plan and related teams?
- Longevity of CISO roles, why most roles don’t go beyond 18 months?
- And much more…
THANKS, Abbas Kudrati!
If you enjoyed this session with Abbas Kudrati, let him know by clicking on the link below and sending him a quick shout out at Twitter:
Click here to thank Abbas Kudrati on Twitter!
Click here to let Ashish know about your number one takeaway from this episode!
And if you want us to answer your questions on one of our upcoming weekly Feedback Friday episodes, drop us a line at ashish@kaizenteq.com.
Resources from This Episode:
- Tools & services, discussed during the Interview
- Cloud Security Academy
Ashish Rajan: [00:00:00] People don’t know about who is a boss and how do you introduce yourself to people who may not know may not have heard of you?
Abbas Kudrati: [00:00:09] So, yeah, thanks for having me here. So I have been into it or cyber security field for more than 20 years now. Right. I started my career into IT as a system admin, not a network engineer, and then moved my way up.
into information security. It was, there was no cyber during those days, right. We used to call it it security or information security, become a consultant advisor to a number of companies into Governance, Risk, compliance and Penetration testing to be pen tester once upon a time.
That’s how, if you ask any, any graduate, they will always say, I want to be a pen tester, and it’s a cool thing, right? There’s more than that. So I started my career as a pen tester and then get into governance, risk and [00:01:00] compliance, and had an opportunity to become a head of security or information security as we call it.
Ashish Rajan: [00:01:05] Yeah,
Abbas Kudrati: [00:01:06] how I entered into the world of being a CSO and been there for 12 to 15 years as a CSO, worked as a CSO for a number of companies. And in number of countries before I took up a job, with Microsoft and now two years back to become an advisor to the CISO and more of a chief cyber security advisor for our strategy customers across Asia.
Ashish Rajan: [00:01:28] . Awesome. and I think you’ve touched on a really interesting point, for people who may not have been in the space for a long time. People sometimes forget that , it was information, security, before it became cybersecurity and whatever comes after this, hopefully not no more, but, yeah, there used to be a time that no one knew cyber, but now everyone just only knows cyber.
Abbas Kudrati: [00:01:50] Absolutely. I, so I do part time teaching as well. If you know, I used to be sort of practicing LaTrobe University and now I’m with Deakin [00:02:00] as an industry professor. And I take a lot of guest lectures in many universities, especially for the. So-called cybersecurity students, but I’m thinking when I asked him, how can you differentiate?
What is the difference between information security and cybersecurity, right.
People
that had never heard of how cyber is different than information. If you go back to the fundamental cyber said cyber security is more of an, a subset of information security, right? If we say information security, then it covers security across multiple things, such as it could be a security for your physical files or a date out of paper.
Right? Legal security could be your network, security, data security and information, which you store.
Ashish Rajan: [00:02:47] Yep.
Abbas Kudrati: [00:02:48] Well, could
also includes the human security. If you go back to the fundamental of ISO 27,001, the 10 domains. Right. But when we talk about cybersecurity, it only [00:03:00] talks about the external part of it.
The one which is beyond which is live right. The definition is Stay Protected While Connected.
Ashish Rajan: [00:03:13] Love it. I love it. And I’m glad you mentioned your, I guess your connection with Latrobe Uni and Deakin Uni, which is a local university here in Melbourne Australia. So it’s pretty good to know that you’ve been, I guess, teaching as well.
I do want to start with the first one. Probably should have started with this, but she has
Abbas Kudrati: [00:03:32] you go,
Ashish Rajan: [00:03:36] it’s like the show is called Virtual coffee with Ashish. I should have started with that, but I think I just got too excited to have you. I was like, I want to get straight into this, so, well obviously thank you for defining cyber and information security as well. Now, I think we have this new devil, which is cloud security.
What is cloud security for you? What does it mean for you and for your colleagues, other colleagues that you speak to, I guess,
[00:04:00] Abbas Kudrati: [00:04:02] cloud security, again, it’s a part of cyber security, right? Because what is cloud. Someone else data centre
when Management joke or the, what is cloud is not something which is fluffy. And on the sky, of course, Azure is blue, but it’s somebody who doesn’t like somebody else’s server. One of the thing is now you are migrating or transferring that responsibility for managing multiple layers of responsibility towards some towards to your cloud service provider, as we call it CSP.
Right?
So
cloud security security within the cloud is something which your cloud service provider will take care for you as a part of something. What we call it as a. Shared security model or a Shared Responsibility Model. Right. And we can have a model. What do you, what do I mean by shared responsibility, model, in a, in a coming [00:05:00] conversation, but it’s more, and on many of the responsibility, one of the responsibilities, security, which you are.
co-managing, or you having the shared responsibility between the CSP, which is cloud service provider and your organization
Ashish Rajan: [00:05:17] and no prices for guessing who’s your CSP by of choice. But my Microsoft Azure being the CSP of your choice, I think it’s from the colleagues that you speak to in the Asia Pacific region.
How are they taking, or I guess the question is around cloud security. And so what does it mean is, is that something that you find is. I guess there’s a lot of investment happening and that’s why the shared responsibility model is getting more popular or has that existed before. So I guess where I’m trying to head towards as if in order for someone to become a successful CISO in 2020, we kind of like peeling off a few layers, taking the cloud security one first and in the cloud security space.
[00:06:00] Yeah. When you talk to people about Azure, which obviously earlier you had a data center in house, everything was protected, especially if you’re a government or, I guess a defense organization, but now even defense is thinking of going online or with public cloud, what does this mean in terms of either , as a CISO doesn’t mean that okay.
My perimeter has increased beyond, but is there, is there much more to it than just my perimeter has , increased?
Abbas Kudrati: [00:06:27] Yeah, definitely. It’s more, more, to that. So we call it a cloud, as a new Security Imperative coming from a security background, coming from a CISO background I always evangelizing the cloud is a new Security Imperative.
Why Security Imperative? Because. Consider yourself as a small, or even large organization. Right?
How much
effort are you? how much effort you’re investing today to protect your in house infrastructure? Right. They’re investing in data center, then [00:07:00] data center, security, data center personnel who are managing that, or are outsourcing the data center part of it right to third party.
And then it could be, you are managing security at the network layer at a host level, infrastructure level and web layer. So it’s endless. There is nothing called, I have enough budget for security, right? It is never a hundred percent security to myth as you know, right. How much can you do on your own and how much money you can ask to your management to keep investing on them.
So why can’t you migrate , your data center or your critical data, or depends upon your business case? Of course, I won’t say right at everything, but start a journey and we regret to say it’s a digital transformation journey. Why do we call it a journey? It’s not something lift and shift, right? You can’t pick up, your inhouse data center and host it on the cloud and say I’m digitally transformed.
No digital transformation in itself. It’s a journey where you need to have a proper [00:08:00] business case. First of all, why cloud. Yeah, I guess, for moving to the cloud, although I work for a cloud company, but it doesn’t mean that I will say, yep, go ahead, move everything on the cloud. What are you trying to achieve?
What value you’re going to bring to your stakeholder and the business by moving things on the cloud. If security is one of the reason why you want to move the cloud? Of course, I would say yes. If , that is the case, then there are things which you should know, what has been taken care of by your cloud service provider and what you need to do.
And that’s where I see a gap. People think that now they have grounds for everything to the cloud service provider. They can keep their hands off, let them manage, but it’s not like that. Typical example, if I can give you an expand on my previous talk on shared responsibility model, right. Which everyone should understand what is it?
And. Maybe next time I would post the link of a shared responsibility model image. So you can have a clarity, which is nothing but depends upon what service you [00:09:00] are trying to use from your CSP. I will keep saying CSP because I don’t want to say only Microsoft because cloud service provider are many.
So it depends on who are a business where you would, you want to go for number. I’m going to say you go for only X or B let’s talk about CSP as a general , right. Cloud service provider. So it depends upon the cloud service provider. It depends upon the service. You’re going to engage with them. It could be Infrastructure as Service, Platform as a Service or a Software, as a Service, which is your first priority.
Right. You can pick up one of those among the three.
Ashish Rajan: [00:09:33] Some of the audience members over here, they might not even know what Digital Transformation is. Maybe if you can probably just give a one liner for what Digital Transformation is because we have a lot of students as well.
And to your point, they know a lot about pen testing, but not much about what Corporate IT and Corporate Security is. So what is Digital Transformation? and why is it relevant for a CISO role?
Abbas Kudrati: [00:09:55] Okay, I’ll tackle. the CSO role at a later half. Okay. Let’s talk about digital [00:10:00] transformation. , in nutshell, you know, you go back five, 10 years in, this journey, right?
We have our typical network, our organization, but the typical network, everything is protected by a firewall. Right. And we used to, we have an assurance that our objective was no bad actors should come in. So that’s a WALL, Firewall is like our WALL and everything is within the network. I’m okay. I need to only keep my Gun. Guards and Gate as we call it
The 3 Gs, and I have my security. I’ve a network security guy or security manager. I’m okay. They will take care of everything and they watch what’s coming in and what’s coming out of my gate. or so called Firewall. Now. , look at what happened in last 10 years, we then started getting our mobile phones, right. And that will buying falls are getting connected to your corporate network because staff were asking that I want to access my corporate [00:11:00] applications, or I want to access my corporate email on the phone.
So now you have. Plugged in a separate network called BYOD or a mobile network. Right. We started adding Software as a Service We have GSuite came in O365 came in, Dynamics, came in, SAP online, lot of these SAAS applications, SAAS is software as a service software from a third party and they are taking care of everything hosting.
You just use it. Like ready-made Pizzas from Domino’s or Pizza Hut. You get it, you eat it. Don’t worry about cooking it.
We added one more layer in our network. So now we have our own traditional network. We have our mobile centric network (BYOD) . We have a SaaS, then we added our. IOT, we have sensors and cameras and whatnot. All those IOT enables internet of thing, enabled devices. We third network on that. So we keep on bolting [00:12:00] on adding more and more network to , our network.
And then in no time, we realize that I have no visibility, how these things are interconnected. What am I supposed to focus on? Then the customers are thinking, okay, I think we should start on a journey called Digital Transformation because. Why they want to do Digital Transformation?. Then of course, the reason for that either they want to achieve a better Compliance, depends upon the business case, or they want to reduce their Risk.
Looking from the Risk point of view. I wonder that’s how, that’s why I want to go into a transformation mode because I have a lot of the applications and which are not, but to cater to my new set of audience or a customer who are NET savvy.
Now, everything is exposed or I would say I would have a better management of my, environment in terms of, streamlining, my application development.
Or I will take advantage of security by sharing the responsibility with the cloud service provider. Or I want to be [00:13:00] more agile in my business. ? My audience or my customers and my staff are working from anywhere. Anytime, any device I want to achieve that flexibility. Right. That’s why a business would think that yes, we should embark on a journey for Digital Transformation in a phase manner as a journey.
. And this pandemic had created , a huge spur of Digital transformation, the transformation, which industry thought will take three years and four years. We have seen those being developed in last three months
Ashish Rajan: [00:13:31] in three months
Abbas Kudrati: [00:13:33] off this pandemic, because everybody wants to work from home. It’s
Ashish Rajan: [00:13:36] that’s right.
Abbas Kudrati: [00:13:37] Yeah. Ask any company what’s your journey looks like they would say that. Yeah, we have a pipeline of digitally transforming in next three years and the date and the resources for that. Because of pandemic, the whole staff is working from home and those project, which was on shelf or going at a tortoise pace.
Now they are.spreading, like wildfire. [00:14:00] Everybody wants to jump on that and putting their investment and trying to expedite the project we used to have and move things on the cloud as the example. So they’ll stop in access those resources and be productive. .
Ashish Rajan: [00:14:14] Right. Right.
Abbas Kudrati: [00:14:15] In short, that is digital transformation.
Ashish Rajan: [00:14:18] Interesting. And how does that, I guess now with the pandemic as well, bringing that back to the CISO, I guess for them, does that mean they need probably they lack even more , visibility, because in three months that means a lot of things have gone online either without them knowing, or they have to figure out quickly, how do they get visibility to it?
Abbas Kudrati: [00:14:38] , Absolutely! Traditionally things have been changing. and , I have been into that change as well. So typically CISO will not get involved , in a larger project at an early stage that that could be the scenario many years back,
Because of the Digital Transformation journey and because of this vendor, all CISOs are, playing [00:15:00] a very key and vital role. In decision making, you write to them. And because security is, is these days, one of the top 10 risks identified by board members, if you’re seeing board member, or if you attended any board meeting, they would typically want to know what is my profit, how are we doing the customer? Who is our competitor? How are we managing risk? They would ask that.
But today the board member , are savvy in a cyberspace. They are asking the questions. How are we managing cybersecurity today? And you’ll see the number of threats, the kind of threats that are going around in the world. These days the Malware and ransomware and crypto currency mining or all those things. What we are seeing around the world, especially in the cyberspace, they are asking this question, how are we managing security? Yeah, in our, in our organization, you know, what is our current risk exposure they’re asking, did kind of a tough questions.
The people who are presenting it, and they’re saying who is managing our security, they were never interested in knowing who is the CISO before. [00:16:00] Now they’re asking, can you bring the guy who is managing our security? And the same. We don’t have one. Then what?
Ashish Rajan: [00:16:07] I think it’s, it’s a valid point because it’s funny. Cause I worked for a, I’ve work for a SAAS company here in Melbourne and one of my board meeting conversation, which is really interesting, because the SAAS space is also recognizing this. The more it comes to news, the more people realize that, Oh my God, every average person is knowing about security now.
It’s not, I mean, I guess Scott Morrison, our prime minister even came out and said, there’s a cyber security attack in Australia. Even from that point onward suddenly everyone’s like, where does this cyber security attack? Am I it’s funny. My, even my dad who’s super nontechnical. Even he started Googling what cyber security is.
Although before that I was just an IT job. Now he knows I work in cybersecurity. So that means that’s how much to point about the whole pandemic. Super speeding. So a lot of things, people are just like, Oh, I need to know about cyber security, what is this thing?
Abbas Kudrati: [00:16:57] Absolutely. , you’re spot on in that.
So [00:17:00] creating awareness at all layer it’s self propagating, I would say. Yeah. People are trying to want to learn why it is. And, soon as I’m releasing a blog , on our Microsoft website, , in which I’m talking about. Cyber security is everyone’s responsibility and everyone should learn it.
Not only the computer engineers who are studying it, . To learn what basic fundamentals of cybersecurity when engineer has to learn. And when the person who is doing the automobile repairing he needs to learn. Because he needs to protect the customer data, it could be on a single machine, a laptop, which he is using, for his own business.
So it’s getting that important. It has to be for everyone at a very early age. Everyone should learn.
Ashish Rajan: [00:17:39] , a hundred percent and I think that’s a , great segue in I’m glad you mentioned the board conversation as well. We kind of spoke about the importance of cloud security for CISOs. I guess the second half of the challenge is also talking to the board and justifying to the board.
Why do you need budget versus why do you need, or even to have that conversation earlier? It may have been a lot [00:18:00] more challenging to explain how is security risk is a business risk as well. Is that still a challenge? Has cloud enabled them to ask for more budget so that they can have more visibility?
Or where do you see that as the pattern there among your colleagues
Abbas Kudrati: [00:18:14] Cloud has enabled them to ask for more budget? I would say yes and no. So again, going back to the strategy, ? let’s start from there.
CISO is required to create a Cybersecurity Strategy, ? So when they, when they are creating a cyber security strategy, it has to fit with o business objectives as well. I just can’t join any company as a CISO and say, okay, my first step in my security strategy, move towards the cloud. That’s not going to happen.
As the CISO, I really need to think what is my objective? Is my objective for cyber security ,more from a Business Continuity perspective, or is it from a Brand Protection perspective? Is it from a compliance perspective or I want to have the bottom line growth to my company. I will talk [00:19:00] about CISO persona in a few minutes, but let’s start from there out of those four. What is my objective? Aligning with my business. And , if my business context, is going to drive my choice, for example, if my context is more about a regulatory pressure and a risk reduction, then my strategy , will be, fine tune, in that area.
So a good example, if I’m working for an energy company, for that company business continue will be the number one priority.
For a manufacturing company who is doing an IOT kind of a device , for me, the growth is more focused.
. And if I’m working for an FSI company, for which compliance becomes a very key important, .
Ashish Rajan: [00:19:40] Yep. That’s right!.
Abbas Kudrati: [00:19:42] So what kind of CISO you are also depends upon your industry where you’re working on.
Ashish Rajan: [00:19:48] . And I think to your point, that would be recognizable by the board as well. So when you talk to them, it’s not like this guy talking about this imaginary security and cloud is the new future.
They [00:20:00] don’t like sound like a crazy man.
Abbas Kudrati: [00:20:02] Yeah, why a business leader must thoroughly analyze their Why for cybersecurity? . And you should have a very clear, regards of the choice, why you are having cybersecurity in that particular conversation. And my choice of strategy will depends upon the business outcome, which I’m trying to focus.
As a CISO, . I will define my strategy and then look at it is cloud going to help me in that. Absolutely cloud has many benefits. . So going back to your earlier question and I will tie everything back together. So let’s just pick up compliance. It’s my favorite topic, ?
Compliance is the choice for me as a CISO my objective for my company is towards the compliance. As a CISO. I used to be a CISO, as I mentioned. And as a CISO, I had to comply with number of compliance or regulatory requirement in my company. First, ISO27001, which is information security standard. Because that was my strategy defined on that. Then I had my Global Compliance requirement or a security policy standard, which I had to meet for NIST Cyber Security framework. . Comply with PCI [00:21:00] DSS for the card cardholder data, I had to comply with government IRAP standard. Now as a CISO, how many such framework I need to manage?
It’s again, a nightmare plus. Imagine how many types of resources I will need in my compliance team? Who knows all these compliance? Yes. You can have one person who knows two or three compliance, but not six or eight,
Ashish Rajan: [00:21:21] Yeah, that’s
right.
Abbas Kudrati: [00:21:23] I had a good business case to go back and talk to my management that let’s migrate our office 365. Move towards O365, as a SaaS platform that way, because that was a core application for my business. . Which is, good for everyone else. And the business case, which I put forward to my board member is that. We will have transfer of responsibility of compliance on the cloud service provider.
I’ll give example of Microsoft in this case, because I know more about them. Microsoft office has achieved compliance for more than 120, 150 plus compliance bodies around the world. [00:22:00] If I’m using the product, Microsoft has taken care of 27001, PCI DSS, IRAP, APRA,
My responsibility as a customer is only to take care of two or three areas. First is Access Control because my cloud service provider Microsoft will not take care of that. They will provide the software, but I need to manage my second is the Data Security. They don’t create the data.
I get the data as a customer. I manage what’s the sentivity and criticality of my data. I can achieve a business case I can put forward.
Ashish Rajan: [00:22:31] I think it’s a, it’s a very interesting point. And it’s a good segue into some of the questions that are coming in. There’s a question from Vineeth.
How do you handle the multiple projects during COVID9 urgency? What was your approach? having multiple compliance to manage, of the same vein. So what did you see yourself or your, or people around you, other CISOs do.
Abbas Kudrati: [00:22:51] So again, going back to the priority.
So, let’s, let’s take an example of COVID-19 . And seeing these examples and working very [00:23:00] closely with many of my customers in that area. So all of a sudden, office is shut down. You can come to office into work from home. Now, if you have your laptop or office laptop, it’s fine. If you don’t have it, then the priority becomes that.
How do I allow my employee to get connect to my corporate network so they can be productive? And that’s the example. I can give it from Microsoft itself. So Microsoft around 25,000 employee in our Redmond data center, they were not able to go to office because we shut down the office and they didn’t have their devices with them.
So our CISO quickly, push the images, Microsoft certified images or our operating system on the employee machine which meets all the regulatory and our security compliance requirement. And they are able to connect to Microsoft and get productive in two days. .
Similarly, if you had a working in a company and the company has asked you to work from home, if you have the device well and good, the challenge for a CISO is how do I get assurance that the employee [00:24:00] using my company device from home, connecting to my network , meets all the security requirement I have.
So first project could be, do I have a healthy EDR solution on them, on the device, which has been connected to my network,
Ashish Rajan: [00:24:13] yeah, that’s right.
Abbas Kudrati: [00:24:16] Or how do I increase my monitoring of all the activity of employee connecting from home? Because security becomes very important. I want to know what’s who and how they’re connecting to my network.
Remotely. And what kind of access do I have? So going back to my top three recommendation, if I can do at this stage is if you’re working from home, then as a CISO, I want to make sure that all my employees have a two factor authentication. Basic identity becomes a new perimeter, ? They’re not on my firewall.
My network is no longer a perimeter. Identity becomes a perimeter because they’re working from home. So two factor authentication is a number one I would say, or my employee should have it. So that could be my project if I don’t already [00:25:00] have it. Let’s have a focus on identity management. My second project could be hypothetically is securing my end point devices, my Staff are using my machine and I want to make sure you’re always in a healthy state and all this in the compliance state. And I want to allow only those healthy device to be connected towards my network. And I’m going to throw a buzzword. Here is a zero trust approach.
Ashish Rajan: [00:25:25] Oh, yeah. Okay.
. We need a whole different conversation for Zero Trust , but I get you
Abbas Kudrati: [00:25:32] but yeah, we have seen a huge, huge take-up on this particular concept architecture decision.
. So when , , my organization, my customers, or my CISO who are now embarking their journey on a zero trust network architecture. I will share three principles of that topic to end this particular topic here. Zero trust network architecture concept is about – Trust no one! Verify everyone! That’s first [00:26:00] principle in that, .
That means I will not trust even my employees were connecting from outside. I want to verify everything. What they’re doing it? And I need to build up architecture and my technology around that. Second principal becomes least privilege. I will not give access to anyone, any employee, even the admin.
That means role based access control and just in time. And just enough access comes into picture. That’s my second principle. And my third principle to finish. This is assumed breach. As a CSO, as a head of security as a cyber sock ahead of that, I want to work as an assumed breach. I may be on a continuously under attack.
I need to have that mindset, right. And, build my, architectures or my network in a way that I would defensive layer, or be going in defense, in depth layer in my architecture. So if my first layer is compromised, I have a second layer to protect my corporate data.
Ashish Rajan: [00:26:55] Yep. Perfect. Perfect. So I guess just to quickly sum that up as well as the three things that you mentioned, the [00:27:00] first one being MFA.
Second one being endpoint security. Was there a third one, or was Zero trust the third one
Abbas Kudrati: [00:27:06] Zero Trust is a assume breach scenario. So least privilege within Identity,MFA my first -Trust Noone, but verify everyone that is getting the monitoring and I want to make sure everything is there. Third one is a defensive layer, which is my assume breach.
Ashish Rajan: [00:27:22] Yup. All perfect. And I think talking about multiple projects , is interesting because that’s a great segue into the next comment from Leah McLean. She had a question around what industry is, if you can pinpoint, are you seeing an uptick in cybersecurity since COVID and are you seeing a need from customers for more consulting services and professional services, to help them with their security efforts and deployment.
Abbas Kudrati: [00:27:46] The whole world is, infected by COVID-19. There’s not a particular industry to bring back to my case. Can your employee currently work from home and be similar, productive than what they were before? I don’t [00:28:00] think any company will say a hundred percent. Yes. Of course,
Ashish Rajan: [00:28:04] everyone’s kind of like has hack their way into this.
Abbas Kudrati: [00:28:08] In my previous role, in my, one of the company I used to work, our capacity of remote working was only 30%, . To give an example. If I have a thousand employee, I had built my strategy around business continuty that only if something goes wrong or some attack or some bomb or some, natural calamities or fraud or whatever, I have my 30% employee being productive.
For a limited period of time, nobody thought that it could be six months. ? So I was never prepared to invest my money and budget for a hundred percent online or a hundred percent remote working.
Nobody had thought.
Unless you are a cloud born company, global companies like Airbnb and Uber and all where everything is on the cloud and people can work from anywhere, .
Traditionally pick up any company. They were never thought that there would be a hundred percent requirement the cloud. So I would say everyone who was impacted. All security folks and CIO’s [00:29:00] had never thought that they will be required to set aside a business continuity plan or even have a thought or design their crisis management or a business continuity plan to accommodate this kind of a situation.
What we are seeing is. After this pandemic, they’ve all gone back to the drawing board and redesign their crisis management. They had a BCP plan. They had the disaster recovery. , I will expand. They had a business Continuity plan. They had a disaster recovery plan. They had crisis, management plan that they have cyber security incident response plan.
Yes. All those plans are there. They have been documented, but the challenge was, they were not interconnected, which plan triggers what
team who is focusing on your BCP and the IT team who is focusing with incident plan. You have a CISO team. Security team is focusing on cyber as a response plan. Then they will talk to each other. Nobody knows who to call. You know,
[00:30:00] silos, still exist
there was a need to go back to the drawing board and let’s interconnect this plan you had created the plan.
You got a tick box in your audit. You pass the audit. You were happy with your board member, but you have never tested it. You know thought of connecting them. So that was something which all the CSOs, and I would say most of the people had to go back and redesign their whole plan to make sure they are interconnected.
And there is a trigger point among them that which plan will trigger, who.
During pandemic now, which plan do you trigger question for you?
Ashish Rajan: [00:30:37] I’ll let you answer this because you’re the expert, but I would have just said it depends depending on the industry as well, but I’m keen to hear your response.
Abbas Kudrati: [00:30:44] So small industry may have a single plan called Crisis Management, but bigger companies. have too many plans and they need to interconnect them and
Ashish Rajan: [00:30:53] too many people as well. It’s not just that I think to your point about, cause I think the, the company that I workfor is a mid market enterprise and [00:31:00] obviously. It’s like a very small security team. It’s not a big enough security team that we have one team just dedicated for crisis management.
One team just dedicated for emergency one team, just for compliance. you’re doing everything. But on the other extreme, like if you’re a bank or a financial institution with a massive amount of resources, you do need that many people in each of those sectors.
Abbas Kudrati: [00:31:23] Absolutely. So going back to the person who asked the question, it’s not a part of single industry.
I think we all are in this together. Everyone has been good. How soon you are able to pump in the resources and a budget and the money to allow your employees to be more productive and get to your customer needs is something which a priority for every business. It’s not only CISO, but it’s, I would say priority how quickly they want to do it, or which area of business they want to make them productive.
. I can give a number of examples. If it is a manufacturing, then [00:32:00] I, I want to make sure my machines are on so I can continue the business I can’t shutdown my manufacturing unit if I’m in consulting, then I want my employee to be available for customers, consultants and advisory plan right now.
Ashish Rajan: [00:32:12] That’s right. I think to your point, would you say that the, I guess the need for consulting in that space, cause they might be projects which might have already been running, could be an MFA project or could be, I dunno, a cloud security posture management project or whatever it may be. Those project for temporarily may have seen being put on hold.
For the COVID period while the other things, that’s why, I mean, this is my, this is my observation. I’d be keen to know yours as well. There’s almost like a downward dip for, there was a dip for, for some time before people could figure out how do I make myself. Available online 24×7, so people can actually, run the business and then I can come back to these projects.
Abbas Kudrati: [00:32:53] Absolutely. You’re right. So, priorities has changed for the business and for the IT and security folks. [00:33:00] So one example is I can do without naming of our industry, their priority was to migrate all their application on premise application towards the cloud. However, because of this pandemic, they had to change the plan that let’s migrate the application, which are.
The highest impact to the business or the most critical application, ? Because how many people are using that application? If you say that in my entire company, employees are using their application, let’s prioritize that one first, because that’s what he’s impacting the business. Right. He has changed in what we should do in that particular project, or if my priority was to, have upgrade of my network firewall.
I think that can wait because nobody’s within the network of my company. Everybody’s working from home. Let’s do a better VPN service rather than focusing on the network because now everyone wants to connect remotely. Or. Let’s focus on securing Endpoint because that is not in my control anymore [00:34:00] within my network.
Yeah. So I would prioritize my project and focus more on EDR solution, or I would say going back to the identity, I may have the project in my mind that I will have two factor authentication for all my employee after one year, but that’s not a choice it has to be done now because now people have been targeted for their phishing and ransomware on the individuals.
Companies are not targeted for attack. They’re not being DDoS attack on your firewall. They are doing , password spray attacks on your individual employee. So you are target not the company. So let’s focus on the individual.
Ashish Rajan: [00:34:33] That’s a really interesting point as well, around priority. And I think, one more thing to actually call out and you would love to hear your thoughts on this as well that even though the priorities have been switched to say MFA or endpoint security, These are going to take time as well. So, so there have been some hacked versions of how do I make this work so that at least I can get the business going, because everyone’s asking me questions.
I really want my bike back. [00:35:00] And I think these questions, these projects are priority and probably would take up the next few months as well as it trickled through this and make it better before we kind of come back to what I glow conversation and. We’d love to know if your timeline August common makes sense, but also to add to that before the pandemic and say, if once these initial priority projects are done before COVID, where did you see the trend going towards?
Like, what was the priority focus for CSOs when it came to cloud?
Abbas Kudrati: [00:35:32] Yep. rightly say, so Cecil had a plan before to move towards a zero trust concept, right? That would have been triggered in one year or two years, or had a journey of a three year life
Ashish Rajan: [00:35:45] cycle
Abbas Kudrati: [00:35:47] of a friend that land had to kick in early architecture is itself.
It’s a journey. And you can’t do things in a lift and shift mode. And it has to go into phase by phase, [00:36:00] starting with identity, then device the network, then application that infrastructure, you know, all those other six or seven pillars in the zero, one by one. So all of a sudden now that. Something, which was in the concept and it was, in their mind or it was in the strategy in coming here.
They had to take the priority that, okay. I think we should start thinking now itself and let’s see what we have today. So. First thing is what do I have today, which I can, use without enlisting much or with the fine drink I can have. My employee productive work is supporting let’s focus on that and maybe a little bit of additional control, which can reduce the risk of my exposure before hacking a note.
to give you an example, you, you touched upon my different dots indication, right? Perfect password list, whatever we call it, going to happen over night or one or two days. So maybe first step could be, to tackle all my privilege users, right? Because those are the people [00:37:00] who, as a piece to the kingdom, let’s educate them and get them on this journey and enable them with the two factors indication very quickly.
That could be a first set of people. Second people, if you ask me, in my opinion, I would target my executives. Because they are not, they are getting tech savvy, but not as much as others. Right. And they have been targeted because they have the authority to approve things, you know, targeting towards them.
So apart from admin, I would focus on executive as my second batch. If I can handle these too quickly and then start focusing on my other set of users. Starting with an education and awareness thing that we are seeing, these kinds of things. I would, I would, I would increase my monitoring part and on a phase minor start onboarding them onto my a zero or two factor authentication journey.
I would say that has the highest impact and the lowest effort. Nope, that project. So the project, if you, [00:38:00] if you put it into this quadrant, which project has the highest impact effort, let’s take Kodak.
Ashish Rajan: [00:38:07] Perfect. That’s a good segue. I think it’s really interesting. You mentioned. The how the priority has changed and how even little things matter.
And in terms of privilege as well, onboarding has becoming a thing as well. And I say this because my, my recruitment, my company was a completely offline. I didn’t meet. I have not met anyone from my team in person. They’ve always been on the screen and I think. Now going back to six weeks of log down again, didn’t really help that as well.
I was looking forward to meeting people, but it’s really interesting how even that has changed, like even onboarding to your point about, and the, if you can probably, that’s probably an easier way to get that going as well. At least for all new people coming on board, let’s give the memo for by default.
So actually they don’t have to go back and go, Oh yeah, a huge joint and all, maybe we should give him MFA, not get, like, make that a thing as well. [00:39:00] Absolutely. Awesome. I think I’ve got one more question on the cloud space before I’m kind of moving into some of the other questions that came through, with the cloud security, as it standard, I know Gilbert has kind of changed gears for a lot of things.
And cloud has kind of become important for some companies, not important for a lot of the companies, but in the work that he was seeing it on. You. What is the kind of maturity you were seeing in cloud? Cause you mentioned lift and shift earlier, which is an interesting point for people who may not know lift and shift.
And for people who think that’s a maturity of cloud is moving into cloud and Europe you’re secure. I’m curious to know what was the kind of maturity you were seeing across say Asia Pacific versus the rest of your colleagues who might be working across Europe or us?
Abbas Kudrati: [00:39:45] No. Good question. So, crowd has been there for a while now more than five, 10 years, and people are moving according to the business case.
But I would say if I compare countries like Australia, New Zealand, [00:40:00] they are far more mature in Clara adoption because, we have, we have a cloud first policy. You know, I used to work for a local government, organizations in Melbourne. And when I, when I was thinking of procuring a hardware or something like that, I was told that according to Victoria government really going deep, it was the skate now.
I mean, so we pretty go on with yourself, have a cloud first policy it’s defined. At the government level itself, local at a country level as well. But I was so surprised and happy that, okay, this is supported at a department level that they don’t want to us to go and buy a hardware and hosted somewhere cloud.
If you can go on cloud, that should be your first option. Same thing as in New Zealand, right? Yep. We’ll make sure when it comes to the, strategy of cybersecurity strategy or cyber strategy cloud first policy, which is not a typical case with many other smaller countries [00:41:00] in Southeast Asia, I’m not going to name and shame anyone in the country in there, but what we seeing there is still a bit of a metric are required and I can see the number of reasons for that is first.
It could be a trust factor. They still don’t have the trust that yes, they can be equally secure by transferring that responsibility on or transferring the data from your own prem to the cloud. That could be one of the second one could be a regulatory and our local policy as well. Like we have seen a number of regulatory body with specific to the FSI industry, or they don’t have, they are not yet mature enough to, or dictating.
With a lion saying that yes, cloud is safe and they can move the critical or sensitive data to a cloud provider, a cloud hosting provider. Right. So it also depends upon what type of data you want to move to the cloud. Yes. I can see a huge adoption of Microsoft three 65 as a SAS. But if you, I, [00:42:00] I can see a bit of a metric between country to country when it comes to using infrastructure as a service or a platform as a service.
That is a bit of an element where. Even though, as a company, I want to move towards cloud. However, my local regulatory bodies or compliance requirement are affording me for doing that. You know, a number of factors could be other factor. I could say data. So reality. Where, where is the cloud postwar? The hosting the data.
Do I have a data center in my country? Right. Like in Australia has data centers in Sydney and Canberra and Melbourne, all for various types of business. How a data center in every country. Right. You can’t have it. Nothing can be to please them unless the country has a huge. Take up on cloud and we see a business value for our region, but we are continuously expanding, right?
The most recent one we had, we had to do testing through housing, New Zealand. We never had [00:43:00] you have no, there you go. I didn’t ask for it, but of course we sold it to each other value and now we have it there. So our region data center, but it’s not possible to have it in every country. It would take a while unless we see the maturity of the country coming up.
So, do you have a number of factors, data, data, hosting, regulatory, and policy. They all collectively decides the maturity of cloud adoption. And, you know,
Ashish Rajan: [00:43:30] to your point about, I guess cloud adoption being a lot more mature across Australia and New Zealand, is that much different, say across your European or U S colleagues.
Right.
Abbas Kudrati: [00:43:42] And, us definitely, we can’t even touch upon that. So you said is much in a, in a different league, but European is also highly regulatory requirement required from there. Like we have laws, the European, like GDPR and, on European laws of privacy. And also [00:44:00] you just do run by a lot of these compliance regulatory requirement, but they are also on a Metro state as configuration.
Yeah.
Ashish Rajan: [00:44:08] Awesome. Awesome. And I’ve got one more question. There just came in from harsh, nausea with many SMEs on cloud. No one is even bothered about security. Let alone that the all right. So I’m trying to get to the escape to the question is a longterm long question. Are there any government, is there a regulatory policies against such incidents actually make sense with many SMEs on it?
Cloud, no one is ever bothered about the security let alone that they don’t even realize that they have a breach. Are there any government regulatory policies around touch incidents and it continues? Has it encouraged SMEs to provide or take a proactive approach towards security? I think he, and he’s sharing his thoughts may good time to ask this question as well.
So I guess a, is there a regulatory thing I’m sure that you can talk about the breach thing, but, is there a regulatory thing for people to disclose as a bit of breach and second, has [00:45:00] proactive security being noticed by you in cloud as being more automated? or where do I, I guess, is there a different definition of a proactive security in your mind?
I think I’m just thinking of the automation, but keen to know your thoughts on this, is there a regulatory regulatory requirement for disclosing? There has been a breach and second one being, does this mean because there’s a breach policy SMEs are looking at being more proactive insecurity in
Abbas Kudrati: [00:45:25] cloud.
Okay. So I’m not sure where, which part of the word that particular question came from. But if you are in Australia, then you know that, we have, privacy data breach notification. Yeah right here. So if there is a breach and then you are required to inform the privacy commissioner and disclose the particular what’s happened with that area.
Right. But Australia definitely is maturing that area. what I’ve seen in a number of research says that. 85% of the Brits are not, [00:46:00] are not being disclosed. What numbers do you see on the internet or in the media is only 15 to 20% of what is actually happening.
Ashish Rajan: [00:46:08] You know,
Abbas Kudrati: [00:46:08] I do an example of a, in, in my dog that, that are.
Three types of company one who knows that they have been breached and they’re taking an action. One who don’t know that there has been a breach and have no idea about it. And one who has breached and don’t know what to do.
Maturity, we haven’t seen it. So depends. and of course, if you are using a cloud service provider, as I said, cloud is the new security imperative, then the areas of responsibility which belongs to the cloud side or CSP side, they are taking care of that. It could be.
Ashish Rajan: [00:46:52] At a
Abbas Kudrati: [00:46:53] physical layer of security because you don’t have to worry about the physical security anymore.
We’re using [00:47:00] infrastructure as a service and hardware layer and formula I’m yet to find a person. When I asked the question that how often do you do the farm level level patches? I don’t think anyone has anyone has raised their hand that they do farm level patches, or they monitor the form level security.
Especially in what we have seen in the knots of . Right? So, and if you have a cloud service provider using your, using them, then they will take care of that. And if they’re using Sybase, then they will take care of the, application layer. Then they will take care of the patches and oil. There they’ll take care of the patches, that infrastructure layer, network layer, all those things have been taken care of.
Right. So depends upon infrastructure, those hundred spectrum as assembly software, the service, what are you using with the cloud service provider? Again, back and supposed to be model the security spec and care by that. But of course you doesn’t matter if you’re SME or on a big company, you are still responsible for access control.
You’re still responsible for data security. You can’t get away. [00:48:00] I cannot help you with that because it’s your data and you provide access to whom you want to provide
Ashish Rajan: [00:48:05] going back to your shared responsibility, more or less. Well, I think you kind of need to define that very clearly in your organization.
I’ve got another question from a LinkedIn user here, how to deal with situation. When we know there are known vulnerabilities in our system or application by design, which I reported to their owner, but there is no wonderful team management process in place, but specific, but, Would you want to tackle that?
Abbas Kudrati: [00:48:27] Repeat the question again?
Ashish Rajan: [00:48:28] How do deal with situation when we know that are known vulnerabilities in our systems application? I, you can bring up the screen. Can you see it there? Go, ah, there you go. And we try to report to the owner, but that is a wonderful team management process in place.
Abbas Kudrati: [00:48:47] I would say don’t go technical discussion with your business owner or application owner.
Define that particular security issue in a, in a risk management on a business risk issue. Tell them that if we don’t [00:49:00] fix this, I’m going to lose my customer data or I’m going to lose my compliance, issue. Or I will be subject to reporting to the privacy commissioner. If something goes wrong or are we going to lost this much money?
If this is not fixed? Go back, go back and dictate this issue in a language. They will understand don’t come and tell don’t go and tell them I have 101 abilities and the CVB level. So and so blah, blah, blah, as could induction. But for the skeptic, they may not understand explained in a simple plain language, in a business language and a business risk.
If we don’t fix this, this is the impact on the business. Can you please sign off the risk by not fixing it? He will not sign off, take my money, go fix it. In that request, you are not the risk owner. Remember as a CSO, as a security person, as a laboratory manager, you are not the owner for that particular issue.
It’s a business or application owner who is the owner for that, right? This is a risk of how I do fight risk. [00:50:00] I new fight. This is the impact of the particular risk. If we don’t fix it, he had his a paper for you. Please either accept it. Helped me fix it or transferred it.
Ashish Rajan: [00:50:13] Perfect. Perfect. Great answer, man.
Abbas Kudrati: [00:50:17] You will give you three options. I don’t care. I will accept it. Here you go. Even say let’s transfer it to somebody or maybe let been hosted by somebody and they will take care of it or they will say here’s the money. Go fix it.
Ashish Rajan: [00:50:30] That’s right. That’s right. I’m going to quickly skim through the question so that I make sure that we have answered all of them.
So we’ve answered the question from Vinnie already. Yep. That was the question that he asked. And we have answered the question from Leah as well. That was the first half of the question and yeah, that’s the second half of the question. that was a question from harsh, or interesting. And I think, there’s a comment from Darpan to say, other than the U [00:51:00] S on States like New York and California mandate, that such breaches would be actually, that reminds me, one of my first few guests was one Donna in India, and she was saying, India has this thing as well as a mandatory breach policy by the government.
So that was clearly, people are seeing value in it. And they’re trying to encourage more people to go down that path. that was really amazing. I do want to tackle the one question that Jacqueline had asked in one of our LinkedIn comments before, that was yesterday. your thoughts on achieving longevity in the CFO role, considering FIFA burnouts on notorious, notoriously common.
How do you. I guess, what do you advise new fee? So it’s hard to navigate to a treacherous spot like this.
Abbas Kudrati: [00:51:43] Very, very tricky question. And, I would say you must have seen number of research done on the and the typical life of a CSO is 18 months to three years. Look at my history as well.
Ashish Rajan: [00:51:56] I was going to say, but I’m glad you pointed out
[00:52:00] Abbas Kudrati: [00:52:00] my, my lunch with your knees roll.
It’s not more than three years, to be honest, right? For reason one, you have been hired for a particular job and you have done and you’ve achieved that. And a company don’t have any further, a motive or intention or a budget to move further in that particular journey. And, and, and you feel that okay, now I think I wouldn’t do my job and I should go and move and seek out another company that could be another one.
Second could be a legitimate issues because of the support. Alright. you are only looked upon as a technical person managing the security and vulnerability and incident on your side. And you’ve never been given a position on a leadership role so that you can help further to the business. That could be an underwent.
And I’m just writing a number of reasons. Right. I, based on my own, I’m not reading anything here. I’ve been through that. So I know that you
Ashish Rajan: [00:52:54] have your own scars.
Abbas Kudrati: [00:52:55] Yeah. I have my one scab right. Or third or next [00:53:00] one could be, they are looking towards you more of a chief security scapegoat officer.
Ashish Rajan: [00:53:08] Ooh. I like that one before.
That’s a great one. Yeah.
Abbas Kudrati: [00:53:14] Information security scapegoat officer. That means they just want to have somebody to point a finger. Something goes wrong, either Seesaw him because of, because the hack has been done, you know,
Ashish Rajan: [00:53:23] but they don’t give you any money for budget for the red, for the entire area and your schools, the product.
Abbas Kudrati: [00:53:30] They just want somebody to meet. We don’t, there are some compliance department which have been dictated now that you should have a dedicated personal security in a
Ashish Rajan: [00:53:38] company.
Abbas Kudrati: [00:53:41] How infrequency is your CSO? Is he a chief information officer or does he influence of security officer?
Ashish Rajan: [00:53:50] Yep. Yep. That’s a, that’s a too good one.
That’s a good definition. And I think to your point about, I think I asked 27,001 has this cause, do some compliance work and I think that has a specific [00:54:00] color for having an information security officer. It doesn’t really call out. They should have, I guess they should be able to call out things. It doesn’t say any of that.
It just says you need to have someone in that role.
Abbas Kudrati: [00:54:10] Yeah, you need to have someone in the room. They don’t say CSO as such, because you can be called as a security manager or a security analyst, having a dedicated person with a security focus. Right. That’s all, it depends up on the business. How are you looked upon?
Are you a technical leader or are you an influential leader in your role? You know, depends upon that as well. Yes. If a Cecil usually come from two background, right? If I go back to the basics, either he’s a technical teaser or does the business for the industry. So having a technical skill is not a success criteria for a Seesaw, right?
He has to be a people person. Objective is to be more connected with the, with the board members and the leadership team on, on the, getting them all the technical risk into the business risk, you know, business bottom line compliance. Be a [00:55:00] team leader and these kinds of skills are required to be a successful CSO.
And when I see, so don’t see that these skillsets are being valued. Of course, he’s going to move on and we’ll see the burnout, people I’ve seen CSOs and these are all facts on, on the media and you can look a look upon it. People are doing suicide as well. Cecil’s are doing stress. Yeah. Australia itself.
Look at how many companies have, how many Cecil has changed the job. In last four months, I’m not going to say their name. You can find it yourself. There are top tier who has lost their CSO or resigned, or I don’t know the reason, but they have moved on and have a new job yet. They are happy to come in, taking the rest for until, until the right opportunity comes in.
Ashish Rajan: [00:55:43] Why. Yeah, I don’t
Abbas Kudrati: [00:55:46] have a change. Something to be looked upon. If you are a friends of them do call and ask them why and what are you doing this, this, but they’re happy to be spending time with the family or waiting for the right opportunity to come in, where they are being valued, you know?
Ashish Rajan: [00:55:59] Yeah.
[00:56:00] Definitely. I do. I’m conscious of the time as well. It’s time to kind of switch gears to some of our fun question. Basically, I’ve got three questions which are nontechnical just to get to know you a bit, and then we get into a where people can find you. So I’m gonna quickly go through them. They’re not really super technical, so super simple questions.
First one being where do you spend most time on when you’re not working on technology?
Abbas Kudrati: [00:56:27] In my backyard? I know me.
Ashish Rajan: [00:56:30] Oh, nice. You have a veggie patch going on.
Abbas Kudrati: [00:56:35] I have a fruit food garden that I have around seven different types of fruit in my backyard. So I spend a lot of time in pruning and collecting them and making a juice out of them and whatever
Ashish Rajan: [00:56:47] equals longevity.
If you have your own garden.
Abbas Kudrati: [00:56:56] Yeah, absolutely.
[00:57:00] Ashish Rajan: [00:57:04] That’s a good point. Especially with Goldberg. You probably need to be ready for anything. so I guess the next question, what is something that you’re proud of is, but it’s not on your social media, like LinkedIn or Twitter.
Abbas Kudrati: [00:57:16] Brown off.
Ashish Rajan: [00:57:17] Yeah. Some people are proud of my family. Some people are fired off, like, like I guess a uni bug, but I’m keen to know what, or to something that you’re proud of, but may not have posted enough about it on your social media channels.
Abbas Kudrati: [00:57:29] I absolutely, I think you, you, you touched upon him. So I’m proud of my family support because, I am a kind of a geek. I spend a lot of time on studies and things like that. and they’re always supportive, in the journey, and being a CSO or being advisor is not a nine to five job. It’s, sometimes you work long hours as well.
Yeah. So we get good support from your family. I’m very proud of the family. What I have that’s I.
Ashish Rajan: [00:57:58] Sweet and final question. What’s your [00:58:00] favorite cuisine or restaurant that you can share? Well, when we can go into restaurants again, but what’s the favorite cuisine restaurant that you can share with the audience?
Abbas Kudrati: [00:58:08] I know Thai food, but I’m yet to find a good title storms in Melbourne. So when I go to Thailand, I go, I go crazy and my wife, excellent type food. So I know the green cardigan fried
Ashish Rajan: [00:58:22] rice she makes. I think I definitely need to share some good. Recommendations for you for us to get your appetite going, but obviously Bosco, wait a minute.
Faith. Not right now. I mean, I guess it’s just toward the end of the conversation now. So for people who want to reach out to you for further questions or clarification, where can they find you on social media?
Abbas Kudrati: [00:58:46] They can follow me on Twitter or LinkedIn I’m available. They can follow me and send me questions on LinkedIn as
Ashish Rajan: [00:58:53] well. Awesome. And I’ll leave them in the show notes as well. So people can, I guess, get the direct link to that, but this was really awesome about, thank [00:59:00] you so much for taking the time out and really appreciate it.
Abbas Kudrati: [00:59:04] Yeah, I really love it. Thank you for having me.
Ashish Rajan: [00:59:09] Alright. I might just end the broadcast there, but thanks so much again, and I’ll see everyone else in next week with another guest.