Purusottam: Hi Everyone, Thanks for tuning into our Scale to Zero show. Today we have Aseem Rastogi with us. Aseem is the Head of CyberSecurity and Compliance at Meesho. Prior to joining Meesho, he was leading the CyberSecurity & Compliance efforts at RazorPay.
Aseem, Thank you so much for joining me today.
Aseem: Thanks Purushottam for having me, pleasure is mine!
Purusottam: Okay so let’s get started with the questions. So the first question is-
For a fast-growing fintech company, What steps would you recommend to store and protect sensitive financial data like bank account info or credit card info?
Aseem: This is a very big challenge for any fast-growing fintech company. I would say ‘focus on the basics and get them right. Giving a very actionable input, isolate the production environment from other environments. Give very limited access to people in your environment which should be only on a ‘need-to-know’ basis.
There shouldn’t be any data copy to the test environment from production and a well-tested backup and recovery procedure is very important which is often overlooked. Rest all the configurations, vulnerabilities management is all checklist-driven and best practice. Basics are really important and should be kept in mind
Purusottam: Okay, make sense, the next question is –
How should we ensure our systems are ready to handle large-scale attacks?
Aseem: In order to be ready, we don’t know the attacker’s schedule. The only way to ensure our system is ready is to become an attacker ourselves. In other words simulation. We need to simulate all types of attacks on our own infrastructure maybe DOS/DDOS, ransomware attacks, like, backup restoration from scratch, installation of our entire software stack, using automation in a brand new cloud environment or so, whatever is applicable.
So we need to become an attacker and then ensure the resiliency on part of handling.
Purusottam: Okay make sense.
There have been many data breaches in the last couple of years. In the event of a data breach, What should the response plan look like?
Aseem: This is very context-driven, for example, depending on the risk and the stakeholders involved, the response plan has to be devised ahead of time. for example, if it’s a consumer based company, then the plan has to be prepared to reach out to end consumers and notify them and secure their data- maybe credit monitoring, if there is any financial data leak, involved so on and so forth. If it’s a B2B company, then it’s a different type of stakeholders that needs to be notified, the response plan differs. And if this is a regulated one, for example, a fintech or so, then in that case the response plan should include stakeholder management, Government, licensing,
Legal things as well. So it really depends, there’s no one size fits, all cookie-cutter type of thing, the only thing to keep in mind is to Be ready ahead of time.
Purusottam: Make sense, so a lot of planning.
Aseem: Yes, lot of planning, simulation And having a role-play ahead of time so everybody in the risk response team knows what they’re supposed to do, otherwise when the crisis Heads, it will become chaos so we need to have that simulation and should be a muscle memory pretty much, we don’t have to figure out what to do next.
Purusottam: Okay, so the next question is
What areas should be considered while planning a budget in case of any possible attacks?
Aseem: Again this goes back to the risk assessment of a particular business that is trying to do this budgeting exercise. So starting from risk assessment as well as threat modelling we can come around say with the list of stakeholders or rather threat actors who will be interested in harming the business and based on that the solutions and the budgeting needs to be done.
So for example, there is a business where state actors might be involved that requires much much higher response planning and budgeting than a consumer business where state threat actors may not be interested. So that depends on what kind of factors are going to be involved there and what their interests are going to be looking like
Purusottam: Okay, the last question is
What security roles should be hired first for a fin-tech startup and why?
Aseem: When it comes to setting up any function, not just security, it has to be higher the leader first and let the leader choose their team. That makes it a bit easier for everybody because the members are hired ahead of time, there may be other crosscurrents that new leaders may not be aware of or may not be able to spend the energy into managing those crosscurrents then set up from scratch.
That’s one reason of course and there is another reason, type of people who will be there, everybody has a leadership style and everybody has a certain experience and base of cyber security or any other items, any functions for that matter. So in that model, all the team members and the hierarchy etc need to fit it. So it’s best to hire the leader first and the rest of the things should follow.
Purusottam: Okay makes sense, so now let’s move on to the rapid-fire section.
What is the biggest lie you heard about cybersecurity?
Aseem: Well that’s a good one. So the biggest lie I have heard is you buy my product and you will be secure.
Purusottam: What is one of the myths about cybersecurity?
Aseem: Give me criteria on which you can measure it and you can show me like exact security posture of the company that can be done at that summit. It’s very subjective at times there are certain dimensions which can’t be measured and so on
Purusottam: What advice would you give me a 25-year-old self starting in the security and why?
Aseem: Yeah I would say to Myself is I was 25 years old, be a developer first. Having security carrier is good but at least couple of years should be spent being a developer and seeing the struggles and challenges of the developer, so that is very important because security is a business of empathy because we had in security we are interrupting a lot of people in their day to day job so if you don’t have that empathy it will be very difficult and epic empathy cannot be told are taught it has to be felt so that’s why it should be a couple of years of development work is very very essential.
Assuming you are hiring, In one sentence, What stands out in a candidate resume for you?
Aseem: Yeah, I mean candidates that are different levels right so I would say for a leadership role it really demonstrates the maturity of the deliverables right, delivering up say a pen testing is one thing right but having a process which can be optimized and run and does Intel mediated by themselves right so a leader should be able to this intermediate themselves from the task and that’s what when I see in a resume I get very very impressed because that demonstrates that the person is ready for next level of challenges.
He is not stuck with what he has built right he’s not falling in love and it’s providing the growth for growth path of the next run
Purusottam: Okay make sense.
Thank you so much Aseem it was very insightful to speak with you looking forward to learning more from you in future.
Aseem: Thank you Purusottam for having me, it was a pleasure!