Purusottam: Hi Everyone, Thanks for tuning into our Scale to Zero show. Today we have Gaurav Batra with us. Gaurav is the Founder & CEO of CyberFrat (A Cross-Training Platform for Nexgen Cybersecurity & Risk Leaders). Earlier he was a Global Information Security & Cloud Expert at Mondelez International.
Gaurav, Thank you so much for joining me today.
Gaurav: Thanks, Purusottam, for having me on the show.
Purusottam: Alright, let’s get started with the questions. So the first question is-
What methods would you recommend to bring awareness and develop a security-centric culture and mindset in an organization?
Gaurav: Sure, Purusottam. I think that’s a very interesting question and it’s the need of the hour. Today, most of the attacks which are happening are not attacking the technical boundaries; they are exploiting user behaviour and making users make mistakes. So awareness becomes an important aspect in today’s environment. When we talk about training, traditionally what people are doing is getting some expert or some videos and asking them to provide security training to their employees, which goes on for one hour or one and a half hours. Then someone comes in and bombards all the security jargon at those people: what is phishing, how to protect their passwords; they cover a lot of vectors in one to one and a half hours. After six months or a year, no one talks about security, so that is the real issue. When we talk about user behaviour, look at how schooling has happened to us: you have not learnt mathematics in one day, you have not learnt English in one day; it’s a continuous process.
So what we have to do, when we are talking about security awareness for the users, is create content in a way where the user will be able to correlate and understand how their day-to-day life will get impacted by this, and it should be a continuous effort. I have been working with many organisations where, when they say they want to do the training, I say, okay, let’s not do a training for one or one and a half hours in a year; let’s do it for 2 to 3 minutes every week, so that with the same amount of time people continuously get to learn. So you can actually explore content like videos or, which is in trend these days, motion graphics; gamification is the biggest thing, and we can actually simulate scenarios which the user experiences, like phishing simulations, which are quite in these days. What you have to do is simply put this in your organisation, and if anyone clicks on a malicious link they have to go through a mandatory training and understand the impact of the things they are clicking. If the user is doing it again and again, then you should have a separate treatment.
We can also encourage something like: whoever reports more security incidents, whoever does something, they’ll make a culture of security; invest in security champions, and also create something for the users so that they are willing to be part of security. Security, people feel, is hectic and boring; make it interesting, make content which the user can actually correlate with. I know there are many good organizations which are doing well in this. I’ll give you a few portals: Awarego, they have human-centric videos of one to two minutes; we have ninjas, who have characteristic best; even we have made a small platform called Culsite, that is culture site, envisioning the security culture in your organization, and it’s two-minute content with gamification, crosswords, count and motion graphics. We are trying to do a business. So that is what I say: instead of having 120 minutes at one time, have two minutes every week, every year, and make it a consistent effort.
Purusottam: So it’s more of a continuous learning process rather than a one-time activity.
Gaurav: Exactly, and where the user can actually correlate, where you can actually make them realise, okay, yes, this can happen to me, because persona-based awareness is also required. Sometimes HR thinks it’s technical work, or the finance team thinks so. So we can make content where we can say, okay, if this happens, that is how it will impact your financing, how the HR day-to-day activities require you to be aware of security. So that is what we need to do.
Purusottam: Makes sense. Now the next question-
With the rise in migration to the cloud, cybersecurity and data protection are becoming top drivers for legal disputes. What litigation risks should security teams be concerned about, and what can we do about them?
Gaurav: Okay, so cloud migration is, yes, the way to go, and everyone, whether it’s a start-up or anything, because it’s easy to start, people are moving to the cloud. The thing is, if we look at the traditional legacy environment, you control the environment. Here, when you go to the cloud, you don’t have rights beyond the virtualization layer. So what is there before the virtualization, what kind of server, what kind of hardware is placed, you don’t have the right to see, the right to know, or to do a VAPT or functionality test, which is a big issue.
So earlier, one thing you controlled: you knew where the data is, and if something is required tomorrow, how you can get it. But in the cloud environment there are controls which a CISO or a security professional doesn’t have, and when I talk about privacy you need to have that. So that is the biggest challenge. When I spoke to many of the clients and they said, okay, I will go to or move to the cloud, I said one thing: if tomorrow the government goes to the cloud provider and asks that, for this particular company, I want to have the server or I want to have a look into this, will the cloud provider allow them or not?
So you know how that’s going to happen, because in my environment, if they come to me, before I give them permission I know they’re coming, and if I need to do something, whatever it is, I can do it. But will the cloud act in the same way? And the other biggest issue is that CISOs or security professionals are technical in nature, and they generally don’t have the expertise to read between the lines.
When you are migrating something to the cloud, the only precaution you can have is having the right level of contract in your favour: like the right to audit, the right to visit and ask questions about what kind of controls you have, and how I can see, how I can test. Generally, the big players will not provide that kind of access, but small cloud providers who are new will give you the right to audit as well as some scale of testing. But if something happens tomorrow, if there is a privacy leak, what kind of penalty clause do you want to have, what kind of service level agreement do you have? And not only the service level agreement, because I see that if a thing has happened, you have responded to me, but if the things are happening again and again, there is something called an SEA as well, a service excellence agreement, so how is that going to work? So reading between those lines, defining the right contract, is the only thing which will save you in the cloud. The controls which you have, the control over the virtualization layer and above, whatever you can control, but beyond that the contract is the only safeguard for you. So having the right expertise in the team to define the right contract, reading between the lines and making it in your favour, is a must-have.
Purusottam: Makes sense. I didn’t know about SEA, so that’s something new I learnt. Thank you. So the next question-
For a health tech start-up, what is the right time to hire the first security team member, and why do you think that?
Gaurav: Okay, so I have a question here about health tech start-ups. When you are talking about a tech start-up, I don’t think anyone should even think that they can hire a security person at a later stage. Whenever you are thinking that you are going to have a tech start-up, security should come in place the very first time you’re thinking about tech, because earlier there used to be scenarios where you are actually making something, and three months or six months down the line you get to know if there was a fraud happening. But if you are in the tech environment and you are starting up something, the day you launch it, immediately there will be people who are trying to hack it, break it or bring it down. You are going to sell your tech service, so there is no calling it in at a later stage. If you’re thinking about a tech start-up, your first hire should be security: this is something I’m going to do, can you tell me what all things need to be taken care of? I will tell you, many of the students from colleges who are starting to make applications, they are making some tools and things, and when I ask, from a governance perspective, what they’re doing, what security controls they have put in, whether they have done VAPT...
They know that by making a small application on Android they’re collecting all the user data; after that, where is the data getting stored, who is getting control of it, they are not even bothered about it. If something happens immediately, who will be behind bars, who will be taking care of this, who will be responsible for this? So whenever, even if you are in college and you are starting to make an application, whether it’s health tech or any kind of tech, you need to have a security review. Even if you do not need an immediate hire, you need to have some consulting firm or someone, a part-time virtual CISO or auditor, who can actually guide you that when you are making this application these are the steps you need to take care of. And also from the hiring perspective, even the first developer or engineer you hire should know security, because now if you have ‘coding’ written in your resume, people will not pick it up; they will ask you to write secure code.
You need to know secure coding, you need to be a security engineer or a security developer, and that is how DevSecOps is also coming into the picture. So whoever it is, whatever the tech start-up is, security needs to be there.
Purusottam: Makes sense. The next question is-
For a growing business what security metrics are most important to monitor?
Gaurav: So for a growing business, or even a small business, whatever the security practices, I think today everyone needs to have, the very first thing I will say, a security management program. They should have what all they need in security: as in your previous question you mentioned health tech, or if it’s a manufacturing industry or educational tech, or if the business is in retail. So the first thing is what kind of security program they need to have, and the management should be there, who will act on that security. After that, the very first thing which comes to my mind is access control.
Who is going to have access to my infrastructure, my data? Today we talk about zero trust policy, and if I am opening it up for my employees, all my colleagues, what kind of access do they have, what kind of external access am I giving? So access control will be the first thing, and then you need to have some monitoring in place: how many people are actually failing to log in, what kind of false positives are coming in, whether it is the right kind of people, how many passwords are getting changed every year, because that gives you an insight into how many intruders are trying to come into your environment. Then, after access control, I think data encryption is what is required for a growing business, because data is the new oil these days and securing it is the most crucial thing we have. So putting up the right kind of encryption: when I talk about data encryption, it’s about having the right visibility into the asset inventory as well. If you have 15 to 20 mobiles getting used in your organisation and then there are like 50 laptops, then what kind of encryption is done on what devices, what are the unencrypted devices, so having full control over there is required. Then I will put in another thing, apart from this, which is business continuity: creating backups of the systems, or the core systems you have. I will again come to data classification and then the crown jewels: what are your key infrastructure-level servers, all the laptops or resources you have, and do I have a backup for the same or not? Because the issue with start-ups is that they have a very limited budget for setting up something, and once you set up, immediately creating a backup facility for the same is also very difficult.
But for a growing business it is a must-have, because if some incident or some system failure happens, getting recovered from it is very difficult, and that can actually impact the growth they have started on that path. And the last thing I will say is incident response, because if we have access control, if we have data encryption and asset inventory, if we have put business continuity in for system failure, and everything, patching level and everything, we are checking, then if some incident happens, how are we going to monitor it, and what kind of incidents are we having every month? So those are the few key aspects I will advise all the CISOs of small businesses or growing businesses to have at minimum.
Purusottam: Okay. The next question is related to the previous one-
What steps would you recommend to recover from a ransomware attack?
Because those are pretty normal nowadays, right? We hear about ransomware attacks almost every other day.
Gaurav: Yeah, frankly, I will say ransomware is more about taking the precautionary steps. So if a ransomware attack happens in your organisation, paying and getting the key will not help, because if they’re already in your system they can do it again, and then they must be having the data from you, so it happens again.
The only safeguard, I will say, from a ransomware attack will be recovering from a clean backup: formatting your system and restoring it from the previous clean backup. If you don’t have a clean backup, then that is a gone case. So that is why I say, with ransomware nowadays, with people knowing about this trend and so much awareness happening, having the right kind of backup is a must, and if the attack happens you are ready, so that you can recover your systems from a clean backup.
Else what you will be doing is hiring some coders or malware experts who can actually try to generate the keys for you and recover the data for you, or you have to end up paying the ransom, which people are doing. I will say if you don’t have a backup you don’t have the option, you have to do it, but then that’s not a safe option, because if you do this, this can happen to you again tomorrow. So having the right set of backups and then restoring your system from the clean backup is what will help you in case of ransomware.
Purusottam: Makes sense. So now let’s move to the rapid-fire section.
So, what is one of the myths about cybersecurity?
Gaurav: That I am 100% secure
Purusottam: What advice would you give to your 25-year-old self starting in security and why?
Gaurav: I will say, don’t assume but ask. I have been doing things, you know, many things which we assumed and acted on, but I will always tell myself now: when you are doing something, always ask, never assume. Get the clarification again and again if required.
Purusottam: So in one sentence, let’s say,
If you are hiring, What stands out in a candidate’s resume for you?
Gaurav: Seeing the diversity of the work they have done. I have hired in my organisation many freshers, having six months to 1 year of experience or coming directly from college. In the resumes I see, there are freshers who have just spent four years doing that degree, or maybe one internship or a project which colleges must have, and then I have seen profiles where, from the very first year of college, people are doing something, and by the time they have done the degree in four years, they have done more than 20 projects in different areas. So that means that person has that kind of diversity of work, which I can see in the resume, and that definitely helps in deciding to talk to that person.
Purusottam: What’s your persona animal?
Gaurav: I don’t know how to define it, but if I need to say, I will say a wolf; it’s more of a devoted, caring and family person.
Purusottam: A one-line quote that keeps you going?
Gaurav: I don’t know about a quote, but one thing which I always love to do is ‘Just Do It’. It’s not a quote, but it’s a saying in my mind: whatever comes your way, the kind of attitude I have in my day-to-day environment is, if a thing takes less than five minutes to do, then do it immediately, just do it. Another thing which I put in is that perfection is a myth, so if you have to do something, if you have to roll out, even if we are interviewing, if this needs to happen, let’s do it, let’s just do it.
Purusottam: Makes sense. Thanks, Gaurav, it was lovely to chat with you. Looking forward to learning from you in the future.
Gaurav: It was lovely talking to you, Purusottam. Really. Thanks for having me here, and great connecting with you.