Security that speaks to heart; understanding emotional intelligence and third-party risk management with Shivani Arni

Host: Hi, everyone. This is Purusottam, and thanks for tuning in to Scale to Zero podcast. Today's episode is with Shivani Arni. Shivani has been in the information security domain for the last 18 years, where she has played several roles, from a support analyst to consultant, auditor, and now she's working as a CISO for TransUnion CIBIL.

At TransUnion, she leads the information security for India region. She's also part of Women of Technology Initiative at TransUnion representing a select set of women leaders. Shivani, thank you so much for joining us today.

For our audience who may not know you, do you want to briefly share about your journey?

Shivani: Sure, absolutely. First of all, thank you so much, Purusottam and Abhiram, to have me on this particular podcast. It's definitely exciting to be here. For a small intro from my side, yes, I have been into InfoSec since last 18+ years now.

I started my journey in Genpact, where I have worked in the Security Operations Center and then thereby moved to Deloitte and a few other companies, but always was stuck with the subject, information security.

I think InfoSec has been my passion since the time I was in college. So I've finished. I've done a bachelor of computer applications. And those college projects, etc, that time we actually built a portal for identifying if a system has got vulnerable to any viruses or something.

Very small project, however, that's where my interest in InfoSec started. And here I am with information security since last 18 plus years now, yes.

Host: That's quite a journey and it's our pleasure to have you on the show. So a question that we generally ask to all of our guests is and we get unique answers right? What does a day in your life look like nowadays?

Shivani: All right, so I would actually start by saying, you know, all my days are definitely starting with a positive note in the morning. You know, I love making a to do list for sure, whether it is my personal work or is it my personal or a professional, whatever list I'm making.

So the to do list is first done. And then, you know, in that, then I have assigned my priorities, whether it is, you know, calling up the school for my son's work or ordering groceries or doing any of my priority emails from which email has to be responded first, etc, etc. So all of that is in my to-do list first.

That's the first thing I do when I start my day after whatever first morning rituals like yoga. Or so I'm into running. So I go for a run in the morning. I have my own fitness schedule. After that, this is what happens. The to-do list comes into picture.

And then I assign the priorities to what my to-do list is. I also have a ritual of, you know, I've subscribed to a lot of different websites, which gives me feed on what's happening on the cyber world today. You know, that's something which we have to be updated with on a daily basis, I would say, because as you enter the office, you will have 100 people coming into you and asking you for some sort of solution. You know, what can I do with this particular problem? Or what can I really do? You know, this is not working out for me, etc. Or, oh my God, did you hear that about the breach? Are we impacted by any way?

So I think having a view of all of these different updates is also very important. So that's the second thing on my list, I would say, after the to-do list. And then my day starts, of course. I mean, after. I think entering the office, you have your meetings. These days, it's good. I'm very happy that we're back in office. I was really tired of work from home and these calls and all of that. So I'm happy to be face-to-face meeting people, talking. And instead of just getting onto an email or responding on an email, I think it's you talk. You give them a solution. You understand what their issues are and then resolve it there.

It reduces so much time, management time basically. So yeah, that's how my day basically goes on. And in the evening, like I was mentioning to you, I have my colleagues working in the US and UK. So basically, there is a little lap. So I have to get on the calls in the evening as well, just to show that.

We are working collaboratively and we know globally what's happening and is there anything that we need to do from India's perspective, etc. So yeah, that's how the whole day is. And obviously there are some important events during the day. Sometimes it's board meetings, sometimes it's an important meeting with the management, preparation for those meetings, etc. So yeah, I mean, it sounds like a busy day, but I love the busy part of my life.

That's what keeps me happy. I think I am happy to get assigned more challenges rather than mundane work, which is like, oh my God, I know all the answers to these things. I don't have to worry. I don't want that day. That's how I look at it. Yeah.

Host: So I really like how you said you start with your to-do list. And a lot of folks do that, but they don't even they don't talk about that quite a bit. Because sometimes it feels like, yeah, it's part of my job, so it's not important. But to-do list is very important when it comes to planning your day. And one of the keywords that you used is the prioritization.

As a security leader, you might have to work on 50 items in a day, but you cannot get to all of them, right? How do you get to the topmost priority ones? So that's where like creating a to-do list and going through it so that you can prioritize makes a lot of sense.

Shivani: Yes, yes, absolutely. I mean, I mean, and then, you know, you don't want to boggle down yourself by giving yourself a task which you cannot complete for that day, right? I mean, you know that you could do only this much.

And that's where the priorities kick in. You know, if I'm if I know that today, there are like so many meetings, I wouldn't be able to handle, say 15 on a normal day, I could answer but today because of these meetings, I would only be able to do eight things. So, you know, basically just filter them out so that you don't feel end of the day that, oh my God, I couldn't finish what I started in the morning.

Host: And it gets overwhelming at the end of the day, right? That, hey, I have so many things left. It goes to next stage to do list and it never, it never finishes. Right. So yeah, absolutely.

Shivani: Yeah, and in my mind, suddenly, you know, Purusottam, when things don't finish on time, then you know, you're thinking about that during your, you know, me time or when you're sitting with your children. Yeah, exactly. And then I'm like, okay, you need to just rub them off. So don't burden yourself to commit to yourself how much you can do and then start a new day the next day.

Host: Yeah, yeah, absolutely makes sense. Yeah, with that note, let's get started on the episode. So today we are going to talk about like around culture and third party risk management. So let's jump into the first part, right?

In one of the recent interviews, you said that emotional intelligence is crucial in today's world and should be a priority for all leaders as it goes beyond just cyber security.

So for our audience, can you tell us what does emotional intelligence mean?

Shivani: Yes. Absolutely. So, see, this subject is very near and dear to me. I practice, you know, it's not like, I even can't say that I practice. It's like how people are actually observing you and they are looking at how you're conducting things, right? So basically, emotional intelligence is an ability to understand or manage self-emotions, right? What I'm going through.

When I'm able to recognize my own emotions, I'll be able to recognize the person I'm talking to in front of me, his emotions. It's like, I would say, if I have to calculate how I want to really look at all of this, if I'm saying, if I'm good at the, am I good at emotional intelligence at all, then there are like, by book, if you go, there are some five, six parameters that you have to evaluate yourself on, like self-awareness.

How aware are you about your own emotions?

How are you able to identify?

Do you have the ability to control your emotions?

You know, how are you using those emotions either to strengthen what you're doing or are these like becoming your weaknesses?

Second is self-regulation, for example, right? Now, how when you are actually controlling your emotions and you're trying in a healthy way, of course, you know, without harming yourself, how are you able to handle impulsive...you know, situations, for example, right? How are you able to discipline yourself using emotional intelligence within yourself?

Motivation, now I'm a very self-motivated person. You know, I, of course, every one of us looks for feedback. Every one of us looks for some praise for the work we do, whether it is at home or at office. But I'm a person who is self-motivated. I really do not.

Yes, I'm happy if people are giving me feedback. I'm very happy if they say good words or they have some feedback on improvement areas, etc. But that wouldn't stop me from doing anything more or getting demotivated because I'm not being praised for what my work is.

Because motivation comes from within. That's what I believe in. And I use my emotions even to motivate or inculcate that ability for me to achieve whatever goals or, you know, whatever ratings or something, you see a lot of things that they're in this world to achieve, but then you can't achieve everything.

You need to have again a bucket list, I would say. So I motivate self-motivation is something very important for me to achieve maybe one or two goals that I have or the bucket list what I have.

So we spoke about self-awareness, we spoke about self-regulation, self-motivation. And then I think a very simple thing like empathy, right? I mean, when we are talking to people, our ability to understand, empathize.

It's not about sympathy. It is more about empathy. You don't put yourself in their shoes and start still sympathizing with them. But then, yes, you maintain that balance and also ensure that they're able to understand. We are able to understand opposite person's feeling and we are able to control our own feelings.

So empathizing with self, that would be another one. And I think the best part of EI is the social skills. So I'm a big one on social skills. I love networking. I love making new friends. I love making new relationships where I want to learn things from others. So that ability also kicks in.

So it's a combination of all of these things, Purusottam, if I have to summarize how emotionalism actually influences a self, you know, over others and how you're able to control your own emotions in that area.

Host: Okay, so thank you so much for going in detail, right? What does emotional intelligence, like what are different parameters and why is it important?

Why should as a security leader, I should even think about it?

Shivani: Right. Yeah. So as a security leader, I wouldn't just again constrain this to security itself, but anybody who is in that role where you have to handle a high, you know, you're put into that situations, there are impulsive situations, there could be a security incident, there could be something which is just coming on your way, and you're not aware. So, you know, unwanted surprises. So when I have to handle such situations, I think the EI really helps to make you calm, first of all, because you're controlling your emotions there, whether it is Infosec or anything, any other profession also. It is important that we look at it in a different way. It's not like we're taking impulsive decisions and you're trying to just do something and just get rid of whatever has come on your way because you were not prepared for it.

And these kinds of situations definitely will come in every other profession. But I think when I talk about information security, I think we are sitting on that red chair that could blow you up any day, any time. And we really don't know how from where and how is it going to come and hit you. So I think having these skills, what we just spoke about, will help in managing such situations well.

And then you have to work a lot with other people in this profession too, right? I mean, you have to have very close relationship with your IT teams or the business teams or even the compliance or, you know, risk, etc, etc.

And everybody will have their own perspectives. They will come and talk to you about how this needs to be handled. But end of the day, it is in your hands, you know, how you are taking it, how are you managing all of those conversations.

I think when you have these skills, I would say it is, it's going to be making your life easy. And because you're able to understand other people's, you know, emotions as well while you talk, you're able to understand and then you're making a balance out of it. So that's why I say, you know, EI is really crucial for any leader, whether it is side security or outside, doesn't matter.

Host: Okay, so the way I see it is it helps as a security leader to myself and also to the team that I'm collaborating with so that they also feel safe to contribute in an open manner. So that's a good segue to my next question, which is

When we speak with many security leaders, they often talk about culture and it sometimes boils down to culture to the safety, how safe the team feels, your team or the team you are collaborating with. Because the more comfortable or safe they feel, they feel comfortable to share their opinion or to add the value, right? So

How do you create a culture where psychological safety in your team, like people feel comfortable to even report their mistakes and learnings with others?

Shivani: Right. So on this one, right, it is actually a very, very touchy subject, I would say for sure, because every person will have their own style of, you know, managing a team or creating that culture, and making, you know, people really feel safe about, you know, coming and talking to you about anything and everything. Right. So I would I would say, from

When I do these things or what I really follow is with my team, I make them feel comfortable by giving them that space to work. Everybody wants, nobody wants micromanagement first of all. And when you're talking to a bigger team, now we have a team of say 15 people, obviously you will not be able to talk to each one of them on a daily basis. But yes, you should know.

What is happening with each one of them? Do they really need you for something where you need to be available for? Or is there anything that they need to come and talk to you about? So maybe one example I can give you is, I encourage my team to take risks. So when I say, you have to try out new things, right? I mean, without trying out new things and without failing in whatever you are doing, someday you will fail and you'll have to learn through that failure. Unless you give them that space of, OK, don't worry. You are safe. I have your back. Go ahead, try this out, and come back and tell me what really happened. Was it a success or a failure? So

And it's not like that's one mantra actually I have. And as a team leader, for example, even when I do something which is I cannot always doing the right thing, I mean, there would be some situations where I might do something which may not be the right thing as for the policy, for example.

So my team needs to have that courage that courage to come and tell me, Shivani, you know what, you suggested something, but then this is not in line to what we actually do. Do we want to relook at it? That courage has to be there. So when will they have that courage when they actually see me going and telling them that, you know what, looks like I have not given a proper solution on this one. Maybe this is not going to work for this particular solution what I was proposing to the business teams.

So when I have that open conversation, I think that's when the team will also open up. They will not shy away from coming and talking to me about anything and everything. So I think vulnerability, what I have, like if I have done something, I have to be honest about it. I have to be showing that yes, maybe it was a genuine mistake. Of course, nobody's gonna get punished about it. We are not in school.

But yes, that confidence or that, yes, my manager or my team leader is going to be supporting me in this journey. I think that feeling when a person gets in the team, that's where I would say there is that culture of you're creating a nice culture. Plus, the team is basically feeling safe within.

Host: Right, right. Ah, I really liked the point where you highlighted that you give freedom to your team to explore and take risks. Often what happens is we penalize our team members if they make even a slightest mistake, right? And then they don't feel safe anymore. They do not feel comfortable to take any risk. They will rather follow the playbook, right? Hey, do step one, step two, step three. There is no comfort anymore.

So I really love that. When you give freedom to take risks, that helps with innovation and culture also.

Shivani: Yeah, exactly. Innovation is the word. Exactly. Innovation is the word. I mean, we have so many youngsters, right, Purusottam. They are like two years experience in the infosec. They are here to do a lot of things. I mean, I would say I have spent like 18 plus years already. I mean, when I had two years experience, I wanted to just explore a lot of things. And I can understand when they come and tell me I want to do this, I want to do that.

And I'm like, yes, please go ahead and let's see what happens and then see, uh, see how it is turning out as a positive for the company, basically. So everything that we're doing obviously has to help the organization in some way or the other, but then one mantra again, uh, Purusottam, I would like to say is you can't repeat the same thing. That's not acceptable. Yeah. I mean, you have learned, you did once. Yes, you learned your, you learned your lesson and then you can't repeat that again. That's not something which is, uh, you know, acceptable, I would say.

Host: Make sense, make sense. I mean, you learn that shows that you are learning from your mistakes, right? If you cannot learn from your mistakes, then yeah, it's a challenge. Yeah, yeah. So now if I want to take the culture to one more level, which is most organizations have a defined culture in a way, right? Some are engineering-driven, and some are security-driven. So as a security leader, how would you ensure that...or

How will you bring awareness or develop a security-centric culture in your team, in your organization?

Shivani: Absolutely. I think that question is something which I love to answer because a lot of these organizations I've worked with, a lot of them I had to start with zero. I mean, when you are a consultant and you are representing a consulting firm and going there and you're telling something, obviously there are some situations where they don't want to listen to you, right?

And they will say, no, we already have this client, you know, we don't want to do this, we don't want to do that. I mean, your suggestions just go in the air. So, so, uh, how do you bring back, bring them back, you know, because we are here to help you guys. It's not about, it's not a fault-finding exercise or we're not trying to find, uh, you know, some things which are definitely not relevant for your organization or for your environment.

So I think bringing that conversation on the table, you know, it's not just about.

Why am I giving this recommendation? It's about how is this going to help you in the future? How is this going to help you in achieving whatever you had on your list? Say if you want to clear a certification, this is the bare minimum of what you need to do. There are some organizations like that.

Another example I can give you is, again, I would say the same team example what I gave. I want

I have like an information security help desk, right? You have an IT help desk where you go and solve your laptop problems, right? And then I have, I'm just funnily calling it as information security help desk, it's me. So I'm sitting there, people just come walk to my desk and they say, Shivani, how do I handle this?

I need one, two, three things from you. Could you help me with this one? You know, the client is asking me, there's an RFP, it has 200 questions and I don't know how to answer.

So when you start handling these things, they understand from what perspective am I giving those answers, right? You're trying to tell them, you're trying to educate them on what an organization's security policy is, for example. And then how much can be shared to the other outsider? How much is the, and what is internal confidential?

So these things, when you start discussing with the business teams or any other teams within the organization, that means you're actually spreading security culture out there. If people know that, OK, before I do something, for example, before I have an application onboarded on production, I know what the process is. That means it's a win situation for InfoSec teams. That, OK, people know what scans have to be done. People know is a remediation people know.

And how are we achieving that by engaging developers? For example, I'm talking to the developers. I'm telling them, you know what, this is the CI/CD pipeline. This is how the scans are. This is the reports I will need as a part of my change management process as a part of my app sec related process. And if those reports start coming to you without even asking, that means you have done a good job of spreading the awareness.

So, I think small things like this will help us in spreading that culture. Another thing I would want to add is celebrating small successes. Now we do that by calling someone a security champion, for example. This guy or this girl has demonstrated the security culture. So we give them a security champion award, for example.

That will motivate others, right? And when it starts coming out in the public saying, he or she has done this and she's now a security champion, who doesn't want a recognition like that from a security team? So those small things collaboratively working with different business teams, making them understand why information security is important.

Gone are those days when you're sending those security awareness emails. Nobody reads those. So I think we have to think of new ways of doing these things. Yeah.

Host: Yeah, makes sense. I really love the part where you said, right? Like maybe every month you have a security champion, which shows two things, right? One is that you recognize someone's effort when it comes to security. And also it shows that there is recognition, right? Sometimes what happens is we do not celebrate small wins because we are always looking for a… let's say end of the quarter rollout or end of the year rollout, we often forget about what's happening on a day to day basis. Right. So yeah, I really love those two things.

And that's what I love about sports, because no matter what the outcome is, let's say cricket, right, every wicket or every six sometimes is enjoyed or celebrated. So yeah, absolutely. Yeah, absolutely.

Okay, so I want to pivot to the next topic which is third party risk management. So let's start with some definitions.

What is third-party risk and why does it need attention?

Shivani: All right, so basically, if I have to put it in this way, I'm having somebody I don't know either giving me services or taking services from me. So before I have, before I'm onboarding these guys, any third party, I do want to do a proper background check. So the HR process, what we have, where a person gets hired,

Exactly. So when I'm onboarding a third party, obviously I'm doing some checks and balances before I give them access, give them any services or take any services from them. So that in a simple way, I would say that's what third-party risk management would do.

Host: Okay. And let's say, or what's your opinion, like at what stage of an organization does it become important?

Is it like, does it apply to a 5 person startup or it is only for enterprises with, let's say, 10,000 employees? How would you define when should I invest time on third-party risk management?

Shivani: I think this is applicable for anyone and everyone who is taking any of the third party services. It's not about how small the organization is and how big the organization is. Since you are going to connect to this particular third party or to provide services or to take services, we need to be aware of what this third party is all about, what's their security posture looks like, how mature are they from an infosec perspective.

I mean, third party risk management is just one part. And when do I start thinking about this? The moment I know that I'm going to outsource or insource a third party for anything, I think that's when you start doing the third party risk management period. I mean, how it works, right? I mean, the legal formalities and the risk assessments should go hand in hand so that obviously business has their own urgencies. So I would say we need to…

The moment the business thinks that, okay, I will need to onboard somebody for providing these services to me, that's when you start doing the third party risk management for that particular vendor or a third party, whoever it is.

So that before even we conclude or say, yes, this is the third party I want to go with, the risk assessment has to be completed before that.

Host: Mm-hmm. Okay, so one of the things you highlighted earlier was the RFP. Like sometimes let's say you're working on somebody is working on an RFP and they ask you some questions around security. And that is nowadays a norm, right? When you are onboarding a new vendor, you often ask them to fill in a security questionnaire, which talks about, let's say, pen test, certifications, STLC process and many more things.

Does that not cover all the requirements like does that not safeguard me as an organization when I'm on boarding a vendor. What else do I need to do?

Shivani: Right. I think that's just a starting point, Purusottam. What I'm trying to understand by sending out an RFP is do the company or the organization actually has the capabilities what I'm looking for from InfoSec perspective? Do they have a governance compliance, that culture? It will give me an understanding of what kind of processes do they have within the company, which ensures or gives me assurance that, yes, they are doing, you know, whatever good job on information security domains what we have.

That's like a starting point. That's definitely not enough for me to go ahead and onboard this third party. There are certain other things which I would be interested. It's like, I would put this in a way like pre-onboarding, right? There's a prerequisites what I have post-onboarding and then I have my governance and monitoring basically.

Pre-onboarding would be that checklist. Basically, I'm asking for some certain things to be shared with me. Once I review those things, I do an audit on them. So basically, I go now and say, okay, now that you've given me, say for example, network diagram, okay? I would say, now that you've given me a network diagram, could you give me a walkthrough of what this is? Now, let's take a scenario where I am going to give the services to them.

Right. So in this case, there is data exchange, for example. So which environment is this data going to go and sit in? OK, which server is that? Is that a segregated server? Is that a dedicated server or is it like a shared server? Who all has access to that?

Access control is again another domain, which is very important. What could be now depending on, you know, what kind of data it is, if it's a PII data, if it's a SPDI data, what kind of circulars or say rules as per the InfoSec policy, what the company has, are they in line to what is being followed on the other side or not?

So basic example, a simple example could be purging of data. I might have an internal policy which says within six months or within eight months, you will have to purge that data, what you got from us, right? So are they really doing that or not? Okay, so such things, we will have to do that as a part of the audit process, prerequisites have come in, now I'm doing the audits.

Once I do the audit, I have a post onboarding request, which we have. Am I doing the IP whitelisting? For example, if it's an integration of API, how am I doing the whitelisting of those IPs? How am I doing the certificate generation? How is that shared basically? How am I actually controlling the traffic which is coming in? How is it coming in, etc, etc? Is it all this you are is what I have? Do they have like a WAF? What kind of network control do they have in place, et cetera, et cetera?

So all of these things basically fall into that checklist. The bigger part now is, I think these are the simpler ones, right? The bigger thing now is post onboarding, where it comes to governance and monitoring.

What tools do I have, which is going to give me visibility on the health of that network, for example, the vendors network, right? How the legal agreements, for example, I am being safeguarded only by legal clauses, but that's not going to help me in the future. If something really happens, legally, I would be able to do something, but then, you know, what's gone is gone. So proactively, is there a way that I get notified about anything which is changing?

A simple example could be you'd have heard about BitSight and RiskRecon kind of portals, right? Where publicly available information is actually monitored by these third party vendors. And they send out a report or they send out an alert saying, okay, they monitor some 10 domains, which are good enough for us to monitor our third parties, for example. So these guys give you the alerts saying, okay their score has fallen down from say 9.8 to 6.5. So an alert comes to us saying, okay, you know what? So and so vendor of yours, the score has gone down. Do you want to take an action? Right? Or it could be a surprise in the papers, for example, something comes out about the vendor.

So I think all of these checks, I think onboarding is not a problem, but post onboarding the governance structure has to be very strong when you're looking at these third parties, because since you are onboarding those systems or integrating those services within your network, your network is also at risk. So it is definitely more than important to get additional assurances from them and not just the RFP responses.

Host: Mm-hmm. Yeah, I love how detail-oriented you are, like how many details you have shared, right? Often what happens is when you are the sender, when you are filling in the questionnaire and sending it to, let's say, one of your customers, you only see one side of it, right? You only see pre-onboarding requisites. But there is so much more after that, right?

Like post-onboarding requisites and even the monitoring and governance thing. And the websites that you mentioned will make sure to tag them also so that our audience can go in. So yeah, I love that. Yeah, I can see, right? The way we used to have, let's say, SLAs earlier for any vendor services that you're using. Now, these also play a role what's the credibility of your vendor? Has it gone up? Has it gone? Like if it goes up, it's good. If it goes down, that's when you have to at least be aware of it, right? So that you can take action on it. So it makes a lot of sense. So a follow-up question to that is, like at your scale, like the company that you work at,

You might be working with thousands of vendors, right? Or let's say hundreds of vendors, and they might be integrated into many of your applications. Some of them are...Business critical, some of them are maybe not the highest priority applications.

So what practices do you generally expect your vendors to have in place so that you know that your business-critical, like critical business applications are not important?

Shivani: Yes. Yeah, I think yes. Those guys are doing a fantastic job.

Right, so I think we should not be just leaving it to the vendors, one thing. We should also be monitoring our side of story too. As an organization, we are connected. And how long does it take to traverse from our network to any other network which are connected? So these tools, what we just spoke about, those are one thing which we actually do a lot of work on. A few other things like, you know, so we do an annual… attestation.

What happens is every year we have to go and redo the assessment. So basically what we do is we divide the vendors into criticalities. So we have some tiering attached to it, basically tier one, tier two, tier three, tier four, tier five. So based on the services which we are giving or taking, we bucket them into these tiers. So when you bucket them, then you know how you want to handle, say, what kind of importance are you going to give to the tier one vendor versus a tier five vendor.

So that gives me a leeway on using my prioritization again here on which vendor needs to be concentrated more on, monitored more, maybe additional assurance certifications to be requested for, and which vendor am I OK with if I don't audit them, for example, for two years also not going to harm me much.

Right. So I think this bucketing is very important. Adding a tier based on some criteria, which will help you putting a particular third party into these tierings is going to help you in prioritization. It's going to help you in monitoring aspects as well.

Host: Mm-hmm. Okay, that's spot on, right? It helps as you highlighted. Unless you know which bucket that particular vendor goes into, it's very difficult if their score goes down, let's say. How do you take action? If it is critical business application, you have to act right away, right? Versus if it is maybe not so critical, maybe you can do it next week. I'm just giving an example. So yeah, makes a lot of sense.

And yeah, that's a great way to end the security questions section.

Summary

  1. From a culture perspective, create an environment where your team feels comfortable in taking risks. Without risk-taking, there’s no innovation.
  2. When it comes to Security, show the ROI to the Leadership and do not forget to recognize effort and celebrate small wins.
  3. Assign Tiers to vendors based on Business Criticality. This helps in prioritization in future.

Let's go to the security practices section.

Rating Security Practices

So in this section, what we do is we'll share a security practice. And we are looking for a rating between 1 to 5, 1 being the worst and 5 being the best. And along with the score, if you want to, along with the rating, if you want to provide any additional context so that our audience can relate to it.

That's also helpful. So let me go to the first one.

  1. Provide training and awareness programs to employees so that they can identify and respond to potential security threats.

Shivani: Right. I think this is like old way of doing things. I would say, so it's a scale of one to five, is it Purusottam? Okay, then I'll rate this maybe five. Because these days, I mean, I personally, if you ask me, I am not interested in reading any of those mailers. Unless, unless I'm getting something out of it. So yeah. I would rate that as five.

Host: OK, the next one is granting users unrestricted access to systems and applications so that we can move faster and roll out new features.

Shivani: So access control has been my baby since I think I'm in InfoSec, I would say. And that's like a basic, basic thing. And I wouldn't shy away. I mean, a lot of us across are still struggling in managing accesses. So giving, giving understated access is definitely a no-no for me.

I will rate this as number one priority for any organization. I think access control is the bare minimum thing we could all concentrate on. There are so many things available in the market today, but yet, because of the legacy systems, the new technologies, somebody wants something new, integrations, etc, etc, we always have an improvement area, right?

I mean, it's not like 100%. How much of a view you try? I mean, access control has always been a… a painful point for all of us. So this is our number one priority.

Host: Yeah, makes sense. And nowadays, a lot of folks talk about network is not the perimeter now. Like identity or the access has become the new perimeter, especially in the cloud era. So you are spot on.

Shivani: Exactly. Absolutely. Correct. And then the COVID times. Yeah, and the COVID times, right? I mean, everything is remote. So obviously, everything starts from access. So yeah.

Host: Mm-hmm. Yeah, yeah. So the last one is continuous integration is a must for DevOps practices. Security architecture review should be conducted as part of integration itself.

Shivani: If I can rate this also one, but no, I'll rate this as two, because since one is already taken. But this one is also another thing which we all actually have to work on. We've always said, I think the recent days, the past one and a half, two years, we've always heard people talking shift left, security shift left. I think DevSecOps concept actually came in from there, where you code, you scan, you do these inject and eject of these code, basically.

And then you really have a clean, polished deployment built or whatever. But yes, we do have a lot of things to work on from this aspect. But then if you're making things automated, I think it's helping everybody. Not just the InfoSec team. I think the developers are also very happy that they don't have to put in into some extra engines, get the scan done, get the reports to us, get it reviewed, and then spend a lot of the time asking us, no, this is false positive, this is true, this is something which we cannot fix and all that.

So I think I would rate this as two, but then we have to make each other's life easy. I think CICD or DevSecOps is something taking us into that path, I would say. Yeah, it's helping us big time.

Host: Yeah, absolutely. So I generally ask this question before we end the episode. I know that you said at the beginning of the day, you go through your newsletters or subscriptions to read about what's going on. Right. Any reading recommendation that you have for our audience, it can be a blog or a book or a podcast, anything, anyone.

Shivani: OK. So from cybersecurity perspective, I would say I like what's there in the ISMG media website. I like the cyber world related news, which comes in on various forums. I can give you maybe some forums. And I'm also a big reader of Harvard leadership tips.

So those are something which I really enjoy listening to. So there are some podcasts available on Spotify where Women at Work, Harvard Women Leadership Talks, there are specific case studies they pick up and they try to solve the problem on the podcast itself for that person.

I think it's really interesting sometimes to just listen to them while you're driving to office. It kind of motivates you for that day. I mean, I'm a big... music lover, but then sometimes I switch to podcasts as well. So these kinds of podcasts really motivate me, they give me a positive outlook of, you know, and these subjects are so relevant. I'm, you know, I can't tell you. These are something which every professional actually go through these things on a daily basis. So it's like, I'm not able to cope up with my co-worker. I mean, who doesn't go through that?

Do I really like my, how do I handle my micromanagement boss and who does go through that? Everybody goes through all those things, right? So these podcasts are another way of, you know, managing EI, I would say, emotional intelligence, and self-motivating. So these are some things which I really love listening to.

Host: OK, so what we'll do is when we publish this episode, we'll link to some of these websites so that our audience can also get benefited from it. And thank you so much, Shivani, for joining. It was a fun episode.

Shivani: Absolutely. Sure, sure. Thank you so much for having me, Purusottam. Thank you.

Host: Absolutely. Thank you to our audience as well for watching. See you in our next episode. Thank you.

Shivani: Thank you, everyone.
