Profiles in Leadership: Ashish Khanna, CISO Evalueserve
Evalueserve's CISO on Why, Unlike CTO, CISO's Role Should Be Board-Facing
Ashish Khanna spent two decades in the hospitality industry as an information technology leader before becoming the CISO at Evalueserve, a global KPO supplying specialist services in research, analytics and data management.
"The IT head or a CTO role will always be at managerial and strategy level, while the CISO's role will be more board-facing," he says.
In a video interview with Information Security Media Group, as part of CyberEdBoard's ongoing Profile in Leadership series, Khanna discusses:
- The growing importance of the CISO in the boardroom;
- The importance of cybersecurity in the hospitality industry;
- How critical it is to acquire new skills and training to safeguard digital assets from being compromised.
Khanna comes with two decades of experience in technology operations, IT strategy, security, application development, compliance and governance, and stakeholder management. Prior to joining Evalueserve, he served as deputy VP of IT at The Oberoi Group.
CyberEdBoard is ISMG’s premier members-only community of seniormost executives and thought leaders in the fields of security, risk, privacy and IT. CyberEdBoard provides executives with a powerful, peer-driven collaborative ecosystem, private meetings and a library of resources to address complex challenges shared by thousands of CISOs and senior security leaders located in 65 different countries worldwide.
Rahul Neel Mani: Hi, my name is Rahul Neel Mani, vice president, community engagement and editorial, at ISMG. With me today I have Ashish Khanna, who's the CISO at Evalueserve. Welcome to the ISMG Studio. Ashish, how are you doing?
Ashish Khanna: I'm very good, Rahul. Thank you. How are you?
Mani: I'm very well. So Ashish, you have spent two decades in the industry. You have got immense amount of work experience, most of which was in technology. And then you made a shift to information security. Two questions here. What made you take this tough decision, moving from IT to security? And how has your security role treated you so far?
Khanna: In terms of observing, I've done most of my term in the IT operations. Some part of it, I've done applications. For some part of my career, I've managed the central data center, new builds for the hotels, Greenfield projects, global rollouts, technology evaluation and all of that. But at some point in time, I started realizing that these things, with the advent of cloud coming in, with the advent of platforms, availability on demand, like IaaS, PaaS, SaaS, infrastructure is becoming a BAU activity. It's available on demand. And I was thinking about doing a transition and taking up a new challenge. And then in the organization I was working, we started looking at cybersecurity. So part of my previous role, I was also doing cybersecurity as an additional responsibility. And the organization decided that we wanted to take up cybersecurity and privacy strictly because we were managing a lot of sensitive personal information. And that's an opportunity, which I took, to take the cybersecurity role and as a primary role. Your second question how the transition has been. I think it's a critical role for any enterprise. And as we progress in future, this role is going to become stronger. There are three layers, right? You have boards, you have strategy and you have managerial, the IT head or a CTO role would always be at the managerial and strategy level, while the CISO role would be more board-facing.
Mani: Excellent. And your last part of answer helps me segue into a very different conversation. So, in these 20 years that you have worked, most of it was in hospitality industry. Now, historically, hospitality industry has been very low on automation and digital transformation. It's only of late that they started doing a lot of digital push. So, how has the landscape changed in terms of both technology and cybersecurity in the hospitality industry?
Khanna: To answer that, I'll have to give you a little bit of the technology intervention in hospitality. So, hospitality companies always have two sides of technology, one is the guest-facing technology and one is the back of the house. And you will be surprised to know that the guest-facing hospitality industry has been leading in terms of technology interventions, because you can assume that. A basic example that tomorrow an iPhone 10 gets released in US, day after tomorrow, you will have a guest sitting in the hotel who would want to connect to your Wi-Fi network with the latest gadget. So you have to be always up on the game, wherever you are, to cater to the guest needs and demand. So on the guest side, technology interventions have always been there. In fact, we have been a pioneer in terms of Indian hospitality, bringing some of these technologies to the country, like Wi-Fi. You will be surprised to know that it was brought by hotels. But at the back office, the technology interventions have been a little low. But in last two and a half, three years of COVID-19, it has propelled the digitization growth because this industry was never meant to work from home. We are 24/7/365, the doors are open for the guests to walk in. And we have been serving guests even in the absolute COVID period. So with this COVID coming in, with work-from-home culture coming, contactless technologies coming in, the growth in digitization has gone multi-fold in hospitality also. But on the guest side, it has always been there.
Mani: I will move to a different topic now. It's about the recent CERT regulation to report a data breach within six hours. It's a very tough ask on the CISO. However, there is little choice that the CISO has. What do you think is required in terms of both infrastructure and preparedness to comply to this law?
Khanna: I feel Indian CERT has come up with a great collaborative requirement. The approach here, which most of the people think is that they are policing around, but it is more of a collaborative ask. Because if somebody needs to look at a cyber resilience at a country level, a lot of data correlation needs to happen. So they're asking very basic and simple things in order to, for enterprises and industry to give them that threat intel, so that they can then inform the rest who have not been part of a cyber breach well in advance and thwart that attack. Six hour, to be precise, the ask is that after noticing an attack, so there are statistics of detection. Detection itself takes months and sometimes years together for an organization to detect. They're saying, once you detect, once you notice that there is an attack, please do inform us, you continue to do your forensic, but please inform us, so that we know that there is a particular bad actor who has been trying to do something, we can inform the rest of the industry peers, we can take a countermeasure at the nation level. So I think it's a very good step in the right direction.
Mani: Great to find a great proponent of this new mandate from CERT-In. You know, you switched from hospitality industry to a KPO and IT services organization. Now, if I ask you to define a few key challenges, especially cybersecurity challenges, how would you define those? And how are they going to decide the future of cybersecurity strategy in your organization?
Khanna: Okay, so, I think the major difference from the previous organization to this organization is that there we were processing our guests' data. And that's it. But, here, we are processing data on behalf of our customers, we are doing analytics for Fortune 500 companies, we are processing all their data, we are controlling all their data, we are providing them insights on their data, large mergers and acquisitions happen based on that data analytics. So, the responsibility is much higher to not only secure your captive data, but also the responsibilities to protect the customer data, which we also own, and for which the customer has relied on us. So, it's a different paradigm of data security. And this challenge also cuts across people-process technology, because we also provide a lot of manpower to our customers as an FTE to be working in their setup, working on their equipment and the technology intervention, but they are still badged by our organization. And hence, our cybersecurity governance cuts across all these verticals. And a lot of tools which are deployed in order to get that insight from that.
Mani: So Ashish, how important or critical it is in today's context for a CISO to acquire new skills, learn new business shifts and paradigms, to be able to help the organization stay ahead of the threat actors and the cyber threats?
Khanna: I'm not sure about the staying ahead because these guys have multimillion dollars budgets and whatnot technologies. What you can do is, you can try and ensure that your basics are right. And as long as your basics are right, you are 80% covered in terms of cyber attack. Having said that, I think learning is inevitable. And it is a constant, continuous thing, which all of us being in a CISO, or any leadership role, learning should never stop, one should always keep striving to learn new techniques to learn about different skill sets, which are there in the market. And as you grow in your role, you don't need to be always a hands-on keyboard person. But you need to have that knack to understand how and what does the tool do, and what are the possibilities.
Mani: You are part of CyberEdBoard. You've been a member of CyberEdBoard. What value do you see from collaboration with such institutions?
Khanna: So, as we all know, bad guys collaborate. They collaborate very heavily. And us, who are on the other side of the fence, have to collaborate. And collaboration gives you a lot of know-how, a lot of intelligence and a lot of industry academia's understanding, which, in isolation, you cannot do. So, CyberEdBoard is doing a phenomenal job there. And I think I would recommend that more people should join them and share their knowledge so that we can all learn from them.
Mani: So, that was Ashish Khanna, CISO of Evalueserve, talking to ISMG at our studios in New Delhi. Thank you very much, Ashish, for talking to us and being here for the summit. Thank you.