Pankaj Thakkar, head-Information Security (CISO), Birlasoft, has rich experience in information security framework implementation, compliance and governance.
His expertise includes IT security best practices, business continuity management, data privacy and protection, application security, policy review, audits and assurance, etc.
In an exclusive interaction with CSOonline.in, Pankaj Thakkar gives a bird’s eye view of how he and his company are preparing for any kind of cyber risk, their plans and much more:
“The CISO role is shaping up to keep yourself abreast of not only the latest technologies but also regulations, threats and risks to the business.”
2017 witnessed many cybersecurity breaches. How are you preparing for 2018? Any particular step that you have taken to make your clients more secure?
We were ISO 27001 certified and, based on growing demand, we did a detailed assessment of our current controls; these include NIST/COBIT/contractual requirements, etc. Additionally, we have done some technology refresh (which will be continued even this year) and are also planning for a more frequent and dynamic employee awareness campaign addressing different roles in the organization.
As cybersecurity has been evolving over the years, so have the challenges, which stretch across the cloud, mobile, IoT devices and more endpoints. How is Birlasoft working to bridge this gap?
As we know, security is a journey and not a destination. We will continue to keep ourselves abreast of the latest trends and risks arising from technology, regulatory compliances and environmental threats, etc.
As you know, awareness of cyber security has increased compared to the last five years, and organizations have now started increasing their budgets for cyber security. What do you think about it? Do you think providing enough funds is enough? Or can there be alternatives?
This is correct; budgets are being provided by management. However, I feel the fundamentals will remain the same. With the dynamics of cyber space, professionals like us will have to continue to follow a risk-based approach with cost-benefit analysis. We will continue to improve processes, use a few open-source products (where possible) and invest in technology and resources as deemed justified.
Why are decision makers having a difficult time in planning their long-term cybersecurity strategies, and what is the barrier? Is it the fast-evolving cybersecurity solutions?
Well, it is not the fast-evolving cybersecurity solutions but the dynamics and innovation in technology. As we understand, everything in this world has inherent risks even though it provides convenience or assurance for a better tomorrow. Decision makers have a difficult time as the strategies that are now needed must be agile and may or may not be long-term. Everything will depend upon the business growth, upcoming technologies and global regulations.
How has your role changed as CISO / CSO in the last couple of years? Do you interact more with internal stakeholders and external customers to have a robust security posture?
The role is shaping up to keep yourself abreast of not only the latest technologies but also regulations, threats (including but not limited to zero days and new technologies, etc.) and risks to the business. There is always an interaction with business people, partners, vendors and auditors who add value to help us stay updated and informed to make the right decisions at the right time.
How do you see the uptake of new-age security technologies like EDR, UEBA, and security analytics?
These technologies have always been there; however, the objectives have shifted from addressing productivity issues to detecting and responding to potential threats. The trend and pattern analysis helps in better protecting the business environment from threats originating from mistakes or from malicious events. It helps to address the need of the hour while continuing to work toward a longer-term security road map.
Which key technology trends will rule across the industry in 2018 and why?
I foresee deception technology, AI and machine learning ruling this year. This is simply because of past experience and results, a demand for automation due to heavy dynamics in attack vectors, etc., which are beyond manual human controls to identify, detect and respond to.