Rashmi Ramesh: Hi there! I'm Rashmi Ramesh from Information Security Media Group. Today, we're speaking with Subhajit Deb, who is a cybersecurity and data privacy leader with two decades of experience in creating, leading and managing global information security, business continuity, risk management and data privacy programs. He has worked in the pharma industry for eight years and is now the CISO of immigration consultancy Envoy Global. Thank you for joining us in this Profiles in Leadership conversation, Subhajit.
Subhajit Deb: Thank you very much, Rashmi. It's a pleasure to be here today. CyberEdBoard has been a community we all look forward to. I'm glad to be a part of it. Thank you so much, again, for having me here.
Ramesh: Thank you. So tell us, you come from a non-technical background, but you have been excelling in your profession of choice. Walk us through how that happened, and what you'd like to tell the folks still on the fence about picking cybersecurity as a profession?
Deb: I think that's an interesting question. There was this time when I used to dread walking into every interview because I knew that this would be the most evident question. I started off in a pretty much non-technical profession. I used to work in the hospitality industry, then moved over to one of the largest logistics providers in the world. And as luck would have it, there are accidents in your life that change the course of your destiny. And I think there have been a couple of accidents in my life as well that have steered me toward the career of cybersecurity. I'm very glad that they happened. When I look back, I cannot think of myself doing anything else other than what I do today. So absolutely happy that those accidents happened. So when I used to work with FedEx, due to the economic pressure, the company folded its operations in India and went back to the U.S. And I walked into an interview at one of the largest hardware or computer manufacturers. I walked in for customer service, but I was taken into a tech support role - accident number 1. I'm very glad that happened. And that was my first brush with technology. It hasn't been an easy journey as such. When my colleagues finished their shift and went back home, I used to head back to the labs, tearing down a chassis, looking at a heatsink, processor, motherboard, power supply, memory cards, and trying to dismantle it, put it back together, and so on and so forth. Back in 2007, when I used to work with one of the largest U.S. banks, I got a chance to lead a couple of processes for information security, which were being moved from the U.S. to India. Somebody had a lot of faith in my ability, but I did not. I'm very glad that the leaders of that time had that trait, and they really pushed me into cybersecurity. And like I said, I'm very glad that it happened. Since then onward, there has not been even a single day in my life where work was drudgery. It was sheer fun and a lot of learning.
I absolutely love what I do today, what I do it for, and what I do it with. There couldn't be anywhere else better than where I want to be. I think cybersecurity is a very enriching and exciting career. To people who aspire to be in the cybersecurity profession, I would say, jump into it right away. If there is something that you want to do, where there is a lot of learning every day, there's a lot of excitement, there is a lot of fulfillment, there is a lot of sense of satisfaction that what you do is material and creates value not only for the organization you're working for, but also for the larger ecosystem and the community, this is going to be it. There is no better profession that I can think of.
Ramesh: That was very well put. So, you worked in pharma quite a bit - a sector that has recently embraced change with respect to digital transformation. So, how did you maneuver the challenges that you faced?
Deb: I think pharma is a different ballgame altogether. In all manufacturing industries, there are two distinct environments - one is your typical IT environment: end-user computing environment, people coming in with normal desktops, laptops and so on. And then there is OT - the operational technology. The ethos is very different in OT. The focus is really on safety and integrity, not just on confidentiality and availability as such. So, you need a lot of ingenuity; you need a lot of creativity to do cybersecurity in those OT systems and machines. And each of these is like 30-40 crores worth of machines and equipment connected to the manufacturing lines. If anything goes wrong, your entire plant and manufacturing come to a standstill, and that directly hits the top line of the company. So, cybersecurity in an OT space, especially in the pharma and manufacturing sector, needs to be very well thought through, and that was an exciting challenge that I took up when I joined this company back in 2017. For five and a half years, I had a very exciting journey. With the pandemic as well, the entire wellness and pharma sector has evolved a lot. There was this lot of proliferation of omnichannel ways by which a company reaches out to a patient or to a consumer. There are not just medicines, but there are health-associated services, mental wellness and physical wellness, means and establishments. Essentially, when you deal with so much data, when you directly interact with the customers, the prerogative of security changes significantly. And hence you need to bring in the element of what is the most material risk the company experiences and then take a look at them and fix them as you go along. There is no one-size-fits-all approach, and hence, it is important to understand, what is your unique risk appetite? What is the landscape that you're operating in?
What are those geographical nuances that you need to keep in mind when you do cybersecurity for our business, which is spread across multiple different geographies, and then create a consistent, integrative framework, which doesn't tax you too much, yet helps you to do reasonable, baseline security?
Ramesh: And your work experience is not limited to just pharma, it's actually quite varied. So I'm sure the risk varies with each sector. But what are some common threats that you've seen?
Deb: I think I am fortunate to have been able to work in the financial services sector, the insurance sector, manufacturing, and now in technical and legal, which is mostly an immigration business. I think one constant theme that I have seen across all the sectors is the importance of saving data, which is, more specifically, the personal information or the PII or the sensitive personal information. And one reason why it is mostly prevalent is because the shelf life of the personal information of an individual is rather long. Somebody can steal an intellectual property, but the moment it is disclosed, the value of the intellectual property diminishes significantly. But if you look at personal information, we seldom change that. And hence, I have seen there is a spike in how attackers or the bad actors are increasingly targeting personal information. And for companies like marketing, pharma, healthcare, immigration, etc., essentially our business is all about dealing with the personal information of individuals, and hence, they are very highly targeted. And once this information is accessed by the bad actors, they have the ability to slice and dice it, and reuse it over and over again. How many times did we change our social security number, Aadhaar card or PAN card numbers? Seldom, right? And hence, this is the constant theme that I've seen across all the industries. Personal data has become the crown jewel, not only for the defenders, but also for the attackers.
Ramesh: And speaking of data protection, you've played the dual role of a data protection officer and a CISO. And you have previously spoken to us about the benefits of having an integrated compliance model or risk management. Tell us more.
Deb: I'm very passionate about privacy as a concept. This concept is little native in India, because of the culture we have and that we are in - we are very open, warm and embracing. And hence, it is absolutely okay to ask somebody about who all they have in their family, where they work, and what kind of salary they draw, and so on and so forth. But if we look at other countries and other geographies, privacy is something that we tell with a lot of sincerity and a lot of honesty, and I think it is about time, when we have become digital citizens, so to speak, even in India. And it is just not us, but our family members, our children, our parents and our grandparents are also on social media, using an internet-enabled device. I think privacy becomes very important. From that passion for privacy, I took up this role of a data privacy officer as well, although privacy and data protection and information security do converge at one common time. But privacy is overarching. There are a lot of aspects of legal, and there are a lot of aspects of compliance, which need to be factored in. And it's a fine balance to sort of maintain. It has been an exciting journey. And in my experience, the reason why defenders sort of always have to catch up with the bad guys is because we do everything in a silo. And if you look at the assurance functions in any organization - security, privacy, legal, compliance and risk management - everyone pretty much operates in their own space without interacting too much with each other. And hence, we picked up this project. We said, let's integrate everything. And we created an integrated compliance model where all the assurance functions come in together, start putting in the common language, and start looking at the risks that are overlapping across multiple risk domains and then holistically look at managing them. It brought a world of difference in the way we were doing risk management back then.
Ramesh: Right. And the cost-benefit balance is something that every CISO looks for to get all of this done, especially because they always have to convince their boards that they need the money for cybersecurity. So what's your approach to being frugal and managing cyber risk well?
Deb: I think this is an interesting question, because we operate in the world. Look at what the state of affairs in the U.S. is - all-time high inflation. They have not seen that in the last two decades. The cost of goods sold is very high, wages have gone up, and all of that has an impact on the budget as well. And there has never been a situation where CISOs would have a deep pocket to go and do everything they want to do. I think that's an advantage because it helps us to drive innovation. It helps us to think out of the box. It helps us to look at what we need to install. Does it have a primary use? Does it have a secondary usage and a tertiary usage as well? It brings in a lot of creativity and ingenuity at work at large. I think the way to convince the board is purely by numbers and risks. And I think that is an improvement. For each one of us, I have had my share of failures, when I walked up to a board and spoke everything technical, and I came back with $0 in my hand. And I've learned from there on. I have started learning how to translate a technical risk into a business risk, which is what the board would understand. I typically go with a lot of metrics with the dollar value associated with the business risks that can translate into a technology risk. I show them the outside-in perspective of what's happening in the external landscape, what's happening to a peer company, or to another institution similar to our business. And I also come back and show them the inside-out perspective: if this incident were to happen to us, what is the maximum potential for loss we're looking at? And then, it's always an exercise of prioritization. Pareto is my favorite principle, where we look at the top 20% of the risks that are material to us, take a look at them, fix them, and then go back and look at the rest 20% of it. I think it's always a balanced game.
But with the right kind of negotiation skills, metrics and data, you can pretty much convince anybody. And if you're convinced that it needs to be fixed, you will get it fixed no matter what.
Ramesh: That's very interesting. And when we last spoke, you mentioned that there was a gap between academia and the application of innovation in cybersecurity. Why does this gap exist, and how do we close it?
Deb: I think there are two different aspects to it. We all do innovation at work. You have a shortage of manpower, you innovate. You need a tool that you don't have, you innovate. You have a new attack coming up, you have no clue how to fix it, you innovate. I think innovation is rampant. But what happens is, there is a lack of a platform where innovations can be nurtured, where an innovation pipeline can be created. And most importantly, the value quantification or the value realization of an innovation is something that is done in a siloed fashion. So if you look at academia, a lot of excellent theoretical work, white papers and research papers get published. Some of those do translate into a product, but then, none of these actually gets operationalized. So, folks who are in the operational realm do innovation in a very different way than academia, who do innovation in a very different way. So there are new, novel, niche products that are coming out on the market, but then operationally, who is closer to the ground? It's the CISOs who are looking at cyberattacks every day - managing these and the cybersecurity program every day. If there is an adjacency between academia, private companies and the CISOs who are on the ground, and if there is a collaboration, I believe that would provide the ideal ground to foster innovation. Innovation is only great when it is promulgated, when it is spread across, and when everybody else is able to draw the benefit out of it. What good is an innovation that only helps me and not the ecosystem or the community? I think that is what the gap is. And that's what we need to bridge collectively.
Ramesh: I hope the right people are listening to that. And Subhajit, we've spoken for just a few minutes now. And I see that you have so much passion for the work that you do. What's your secret?
Deb: I think I'm convinced that what we do for cybersecurity is material; it has a lot of value. We create value every day; it might seem like a mundane set of chores that we come and do every day. But I am absolutely convinced that we do bring in a significant amount of change in the way we look at technology. We harness the power of technology for good, and not only help protect the organization, but also the customers, the shareholders, the stakeholders and the business partners - everybody in the ecosystem has a role to play. And I'm very convinced that what we do is material. And I think this is the passion that fuels us. The job is not just a job, but rather it's a mission. We're very happy to fulfill this mission on our own.
Ramesh: And how does a forum like CyberEdBoard help the community do that?
Deb: It helps immensely. One gap that we have always seen in the industry is the lack of a consortium where practitioners can come in, exchange ideas, share best practices and learn from each other. There are unofficial forums on WhatsApp. But then it is only an unofficial forum. CyberEdBoard is a forum where you see people from different walks of life, different industries, different sets of challenges and with different mindsets. Everybody is different, every risk is different. The way we look at risk is very different. And when we come in together and collectively brainstorm, put our thoughts together, and share and exchange our best practices, there is nothing better than that. I always say that the attackers are a lot more organized than the defenders are, and with the help of CyberEdBoard, we will make that game change for good.
Ramesh: Well, thanks so much for sharing your journey and for offering some valuable advice to your peers and new entrants to the cybersecurity industry. I'm Rashmi Ramesh speaking with Subhajit Deb for the Profiles in Leadership series for Information Security Media Group. Thank you for joining.