WEBVTT

1
00:00:01,050 --> 00:00:04,230
Rahul Neel Mani: Hi, my name is Rahul Neel Mani, vice president,

2
00:00:04,230 --> 00:00:07,740
community engagement and editorial, at ISMG. With me

3
00:00:07,740 --> 00:00:12,120
today I have Ashish Khanna, who's the CISO at Evalueserve.

4
00:00:12,960 --> 00:00:15,120
Welcome to the ISMG Studio. Ashish, how are you doing?

5
00:00:15,300 --> 00:00:17,220
Ashish Khanna: I'm very good, Rahul. Thank you. How are you?

6
00:00:17,640 --> 00:00:20,520
Rahul Neel Mani: I'm very well. So Ashish, you have spent two

7
00:00:20,520 --> 00:00:25,080
decades in the industry. You have got immense amount of work

8
00:00:25,080 --> 00:00:29,670
experience, most of which was in technology. And then you made a

9
00:00:29,850 --> 00:00:34,470
shift to information security. Two questions here. What made

10
00:00:34,470 --> 00:00:39,030
you take this tough decision, moving from IT to security? And

11
00:00:39,030 --> 00:00:41,880
how has your security role treated you so far?

12
00:00:41,940 --> 00:00:45,120
Ashish Khanna: So, you're right. In terms of observing, I've

13
00:00:45,570 --> 00:00:50,700
actually done most of my, you know, term in the IT operations.

14
00:00:52,440 --> 00:00:55,980
Some part of it, I've done applications. For some part of

15
00:00:55,980 --> 00:00:59,100
my career, I've, you know, managed the central data center,

16
00:00:59,520 --> 00:01:04,320
new builds for the hotels, Greenfield projects, global

17
00:01:04,320 --> 00:01:08,820
rollouts, technology evaluation and all of that. But, you know,

18
00:01:10,050 --> 00:01:12,840
at some point in time, I started realizing that these things,

19
00:01:12,870 --> 00:01:17,760
with the advent of cloud coming in, with the advent of

20
00:01:17,790 --> 00:01:23,070
platforms, availability on demand, like IaaS, PaaS, SaaS,

21
00:01:24,330 --> 00:01:28,650
infrastructure is becoming a BAU activity, right? It's available

22
00:01:28,650 --> 00:01:34,410
on demand.
And, you know, I was thinking about doing a

23
00:01:34,410 --> 00:01:39,270
transition and looking at ... taking up a new challenge. And

24
00:01:39,270 --> 00:01:42,600
then in the organization I was working, we started looking at

25
00:01:42,600 --> 00:01:46,020
cybersecurity. So part of my previous role, I was also doing

26
00:01:46,020 --> 00:01:53,160
cybersecurity as an additional responsibility. And, you know,

27
00:01:53,760 --> 00:01:57,060
the organization decided that we wanted to take up cybersecurity

28
00:01:57,060 --> 00:02:03,870
and privacy very strictly because we were managing a lot

29
00:02:03,870 --> 00:02:08,280
of, you know, sensitive personal information. And that's an

30
00:02:08,280 --> 00:02:11,970
opportunity, which I took, to take the cybersecurity role and

31
00:02:12,570 --> 00:02:17,040
as a primary role. Your second question how, you know, the

32
00:02:17,040 --> 00:02:23,850
transition has been. I think it's a very critical role for

33
00:02:23,850 --> 00:02:28,620
any enterprise. And as we progress in future, this role is

34
00:02:28,620 --> 00:02:32,370
going to become much more stronger, because it's not a ...

35
00:02:33,210 --> 00:02:36,330
so, there are three layers, right? You have boards, you have

36
00:02:36,330 --> 00:02:41,610
strategy and you have managerial, the IT, you know,

37
00:02:41,610 --> 00:02:45,540
head or a CTO role would always be at the managerial and

38
00:02:45,540 --> 00:02:50,220
strategy level, while the CISO role would be more board-facing.

39
00:02:50,250 --> 00:02:54,180
Rahul Neel Mani: Excellent. And your last part of answer helps

40
00:02:54,180 --> 00:03:00,300
me segue into a very different conversation. So, in these 20

41
00:03:00,300 --> 00:03:05,640
years that you have worked, most of it, or all of it, was in

42
00:03:05,640 --> 00:03:08,520
hospitality industry.
Now, historically, hospitality

43
00:03:08,520 --> 00:03:13,920
industry has been very low on automation and digital

44
00:03:13,920 --> 00:03:18,690
transformation. It's only of late that they started, you

45
00:03:18,690 --> 00:03:24,300
know, doing a lot of digital push. So, how has the landscape

46
00:03:24,300 --> 00:03:28,320
changed in terms of both technology and cybersecurity in

47
00:03:28,320 --> 00:03:29,340
the hospitality industry?

48
00:03:29,400 --> 00:03:32,580
Ashish Khanna: Okay, so, to answer that, I'll have to, you

49
00:03:32,580 --> 00:03:35,760
know, give you a little bit of the technology intervention in

50
00:03:35,760 --> 00:03:40,470
hospitality. So, hospitality company always have two sides of

51
00:03:40,470 --> 00:03:43,230
technology, one is the guest-facing technology and one

52
00:03:43,230 --> 00:03:47,550
is the back of the house. And you will be surprised to know

53
00:03:47,550 --> 00:03:51,390
that the guest-facing hospitality industry has been

54
00:03:51,390 --> 00:03:54,360
leading in terms of technology interventions, because you can

55
00:03:54,360 --> 00:04:00,870
assume that, you know, a very basic example that tomorrow an

56
00:04:00,870 --> 00:04:05,250
iPhone 10 gets released in US, day after tomorrow, you will

57
00:04:05,250 --> 00:04:09,000
have a guest sitting in the hotel who would want to connect

58
00:04:09,150 --> 00:04:13,560
to your Wi-Fi network with the latest gadget, right. So you

59
00:04:13,560 --> 00:04:19,020
have to be always up on the game, wherever you are, to cater

60
00:04:19,020 --> 00:04:24,630
to the guest needs and demand. So on the guest side, technology

61
00:04:24,630 --> 00:04:27,060
interventions have always been there. In fact, we have been a

62
00:04:27,090 --> 00:04:30,480
pioneer in terms of Indian hospitality, bringing some of

63
00:04:30,480 --> 00:04:33,780
these technologies to the country, like Wi-Fi.
You will be

64
00:04:33,780 --> 00:04:37,950
surprised to know that it was brought by hotels. But at the

65
00:04:37,950 --> 00:04:41,250
back office, you know, the technology interventions have

66
00:04:41,250 --> 00:04:47,100
been a little low. But, you know, in last two and a half,

67
00:04:47,100 --> 00:04:50,520
three years of COVID-19, it has propelled the digital, you know,

68
00:04:51,150 --> 00:04:55,170
digitization growth because this industry was never meant to work

69
00:04:55,170 --> 00:04:59,910
from home, right? We are 24*7*365, the doors are open for

70
00:04:59,910 --> 00:05:03,960
the guests to walk in. And we have been serving guests even in

71
00:05:03,960 --> 00:05:10,290
the absolute COVID period. So with this COVID coming in, with

72
00:05:10,320 --> 00:05:14,610
work-from-home culture coming, contactless technologies coming

73
00:05:14,610 --> 00:05:19,050
in, the growth in digitization has gone multi-fold in

74
00:05:19,050 --> 00:05:22,770
hospitality also. But on the guest side, it has always been

75
00:05:22,770 --> 00:05:23,010
there.

76
00:05:23,700 --> 00:05:26,850
Rahul Neel Mani: So, I will move to a very different topic now.

77
00:05:27,210 --> 00:05:32,820
It's about the recent CERT regulation to report a data

78
00:05:32,820 --> 00:05:36,990
breach within six hours. It's a very tough ask on the CISO.

79
00:05:37,740 --> 00:05:42,090
However, there is little choice that the CISO has. What do you

80
00:05:42,090 --> 00:05:46,590
think is required in terms of both infrastructure and

81
00:05:46,590 --> 00:05:49,230
preparedness to comply to this law?

82
00:05:49,800 --> 00:05:54,000
Ashish Khanna: I feel Indian CERT has come up with a great

83
00:05:54,210 --> 00:05:59,070
collaborative requirement. The approach here, which most of the

84
00:05:59,070 --> 00:06:03,420
people think is that, you know, they are policing around, right,

85
00:06:03,690 --> 00:06:07,770
but it is more of a collaborative ask.
Because if

86
00:06:07,830 --> 00:06:12,390
somebody needs to look at a cyber resilience at a country

87
00:06:12,390 --> 00:06:16,140
level, a lot of data correlation needs to happen. So they're

88
00:06:16,140 --> 00:06:20,790
asking very basic and simple things in order to, for

89
00:06:20,850 --> 00:06:24,690
enterprises and industry to, you know, give them that threat

90
00:06:24,690 --> 00:06:29,550
intel, so that they can then inform the rest who have not

91
00:06:29,550 --> 00:06:33,420
been part of a cyber breach well in advance, and, you know,

92
00:06:33,420 --> 00:06:39,120
thwart that attack. Six hour, to be precise, the ask is that

93
00:06:39,150 --> 00:06:43,500
after noticing an attack, right, so, I mean, there are statistics

94
00:06:43,500 --> 00:06:47,340
of detection, you know, detection itself takes months

95
00:06:47,340 --> 00:06:50,280
and, you know, sometimes years together for an organization to

96
00:06:50,280 --> 00:06:54,060
detect. They're saying, once you detect, once you notice that

97
00:06:54,060 --> 00:06:56,910
there is an attack, please do inform us, you continue to do

98
00:06:56,910 --> 00:07:00,390
your forensic, but please inform us, so that we know that there

99
00:07:00,390 --> 00:07:03,540
is a particular bad actor who has been, you know, trying to do

100
00:07:03,540 --> 00:07:06,510
something, we can inform the rest of the industry peers, we

101
00:07:06,510 --> 00:07:09,660
can, you know, take a countermeasure at the nation

102
00:07:09,660 --> 00:07:12,810
level. So I think it's a very good step in the right

103
00:07:12,810 --> 00:07:13,410
direction.

104
00:07:13,500 --> 00:07:16,290
Rahul Neel Mani: So great to find a great proponent of this

105
00:07:16,290 --> 00:07:21,510
new mandate from CERT-In. You know, you switched from

106
00:07:22,200 --> 00:07:26,550
hospitality industry to a KPO and IT services organization.

107
00:07:26,970 --> 00:07:33,150
Now, if I ask you to define a few key challenges, especially

108
00:07:33,150 --> 00:07:36,960
cybersecurity challenges, how would you define those? And how

109
00:07:36,960 --> 00:07:40,830
are they going to decide the future of cybersecurity strategy

110
00:07:40,830 --> 00:07:41,640
in your organization?

111
00:07:42,150 --> 00:07:46,410
Ashish Khanna: Okay, so, I think the major difference, you know,

112
00:07:46,560 --> 00:07:49,380
from the previous organization to this organization is that

113
00:07:49,680 --> 00:07:56,310
there we were processing our guests' data, right? And that's

114
00:07:56,310 --> 00:08:02,340
it. But, here, we are processing data on behalf of our customers,

115
00:08:03,180 --> 00:08:08,430
we are doing analytics for, you know, Fortune 500 companies, we

116
00:08:08,430 --> 00:08:12,030
are processing all their data, we are controlling all their

117
00:08:12,030 --> 00:08:15,810
data, we are providing them insights on their data, large

118
00:08:15,810 --> 00:08:19,440
mergers and acquisitions happen based on that data analytics.

119
00:08:19,770 --> 00:08:23,700
So, the responsibility is much higher to not only secure your

120
00:08:23,700 --> 00:08:30,720
captive data, but also the responsibilities to protect the

121
00:08:30,720 --> 00:08:34,140
customer data, which we also own, and for which the customer

122
00:08:34,140 --> 00:08:40,200
has relied on us. So, it's a different paradigm, you know, of

123
00:08:40,230 --> 00:08:46,380
data security.
And, you know, this challenge also cuts across

124
00:08:46,410 --> 00:08:49,260
people, process, technology, because we also provide a lot of

125
00:08:49,680 --> 00:08:54,300
manpower to our customers as an FTE to be working in their

126
00:08:54,450 --> 00:08:57,750
setup, working on their equipments and the technology

127
00:08:57,960 --> 00:09:04,200
intervention, but they are still, you know, badged by our

128
00:09:04,200 --> 00:09:10,320
organization. And hence, you know, our cybersecurity

129
00:09:10,350 --> 00:09:14,640
governance cuts across all these verticals. And, you know, a lot

130
00:09:14,640 --> 00:09:18,810
of tools which are deployed in order to get that insight from

131
00:09:18,810 --> 00:09:19,020
that.

132
00:09:19,200 --> 00:09:22,680
Rahul Neel Mani: So Ashish, how important or critical it is in

133
00:09:22,680 --> 00:09:28,470
today's context for a CISO to acquire new skills, learn new

134
00:09:28,470 --> 00:09:34,980
business shifts and paradigms, to be able to help the

135
00:09:34,980 --> 00:09:39,390
organization stay ahead of the threat actors and the cyber

136
00:09:39,390 --> 00:09:39,900
threats?

137
00:09:40,260 --> 00:09:42,930
Ashish Khanna: I'm not sure about the staying ahead because,

138
00:09:43,320 --> 00:09:47,520
you know, these guys have multimillion dollars budgets and

139
00:09:47,670 --> 00:09:52,860
whatnot technologies. What you can do is, you can try and

140
00:09:53,850 --> 00:09:57,660
ensure that your basics are right. And as long as your

141
00:09:57,660 --> 00:10:03,360
basics are right, you know, you are 80% covered in terms of

142
00:10:03,390 --> 00:10:08,190
cyber attack. Having said that, I think learning is inevitable.

143
00:10:08,310 --> 00:10:14,550
And it is a constant, continuous thing, which all of us being in

144
00:10:14,550 --> 00:10:18,960
a CISO, or any leadership role, learning should never stop, one

145
00:10:18,960 --> 00:10:23,760
should always keep striving to learn new techniques to learn

146
00:10:24,120 --> 00:10:27,420
about different skill sets, which are there in the market.

147
00:10:28,170 --> 00:10:31,530
And as you grow in your role, you don't need to be like ...

148
00:10:31,590 --> 00:10:37,080
you don't need to be always like a hands-on keyboard person. But,

149
00:10:37,320 --> 00:10:40,740
you know, you need to have that knack to understand how, and

150
00:10:40,740 --> 00:10:43,410
what does the tool do, and what are the possibilities.

151
00:10:44,100 --> 00:10:46,530
Rahul Neel Mani: You are part of CyberEdBoard. You've been a

152
00:10:46,530 --> 00:10:50,400
member of CyberEdBoard. What value do you see from

153
00:10:50,400 --> 00:10:53,940
collaboration with such institutions?

154
00:10:54,000 --> 00:10:56,130
Ashish Khanna: So, as we all know, bad guys collaborate,

155
00:10:56,130 --> 00:11:01,170
right? They collaborate very heavily. And, and so is, you

156
00:11:01,170 --> 00:11:04,860
know, us who are on the other side of the fence, have to

157
00:11:04,860 --> 00:11:09,180
collaborate. And collaboration gives you a lot of know-how, a

158
00:11:09,180 --> 00:11:14,310
lot of intelligence and a lot of industry academia's

159
00:11:14,340 --> 00:11:19,290
understanding, which, you know, in isolation, you cannot do. So,

160
00:11:20,190 --> 00:11:23,220
CyberEdBoard is doing a phenomenal job there. And I

161
00:11:23,220 --> 00:11:26,550
think I would recommend that more and more people should join

162
00:11:26,550 --> 00:11:29,670
them and share their knowledge so that we can all learn from

163
00:11:29,670 --> 00:11:29,820
them.

164
00:11:31,320 --> 00:11:34,800
Rahul Neel Mani: So, that was Ashish Khanna, CISO of

165
00:11:34,890 --> 00:11:39,990
Evalueserve, talking to ISMG at our studios in New Delhi. Thank

166
00:11:39,990 --> 00:11:43,170
you very much, Ashish, for talking to us and being here for

167
00:11:43,170 --> 00:11:44,250
the summit. Thank you.