Tech Talk: Build a Cybersecurity Risk Management Strategy, Infosys CISO Urges Tech Brands

essidsolutions

Organizations are still urged to build a robust strategy for risk management framework, secure cloud design, security governance, and skills expertise in the cloud as most incidents occur due to lack of a strong security strategy.

— Vishal Salvi, CISO, Infosys

Vishal Salvi, who joined Infosys four years ago as the chief information security officer (CISO), is leading the charge. Salvi has spent over 30 years in the industry, two decades of them in banking alone. Salvi believes that the regulatory landscape was tightened to bring the right strength to the banking cybersecurity ecosystem. As a leader who wears the dual hat of CISO and head of the cybersecurity practice, Salvi sheds light on how IT security as a space has increasingly deepened its focus on cybersecurity.

In this edition of Toolbox’s Tech Talk with Neha Pradhan, Salvi shares his observations on how CISOs are being viewed as enablers of business growth. He plots an action plan for IT leaders to combat phishing and ransomware attacks and prepares them to face the challenges of cybersecurity risk management while deploying edge computing.

Key Takeaways on How To Build a Cybersecurity Risk Management Strategy:

  • Security trainings should be at the forefront of a CISO’s agenda.
  • Address any short- or long-term cyberattack prevention efforts with a periodically tested cyber resilience plan.
  • For a cyber resilient organization, zero trust network architecture is the future.

Here are the edited excerpts from our exclusive interview with Vishal Salvi:

1. The ambit of a CISO is ever evolving today. In what ways can CISOs be viewed as enablers of business growth?

The Chief Information Security Officer has become a well-defined, mainstream role – it is now a leadership role. The role of the CISO has significantly evolved over the past year from being focused on technology alone to also considering business risks as well. CISOs should engage with their peers across business units, explaining the significance of having a robust cybersecurity program. CISOs now need to re-evaluate their existing teams, identify gaps, and define a strategy to hire, train or retrain employees to meet organizational security needs. CISOs should also consider partnering with other organizations.


2. From technology brands to automotive brands, every industry is impacted in 2021 with data breaches. What, according to you, should be the action plan for IT leaders to combat phishing and ransomware attacks for these two industries, while fostering a strong sense of security awareness?

Infosys recently authored a report called “Invisible Tech. Real Impact,” with brand consultancy Interbrand, quantifying the long-tail impact data breaches have on a brand’s value. To quantify the risk, we identified the brand factors most impacted when a company suffers a data breach – presence, affinity, and trust – and simulated the resulting brand value at risk in the event of a breach, using Interbrand’s brand valuation methodology.

Our report found that the world’s 100 most valuable brands could lose as much as $223 billion from a data breach. The cost of a data breach influences brand image and negatively impacts revenue.

— Vishal Salvi, CISO, Infosys

That is why it is more critical than ever before for CISOs to build a robust governance ecosystem while employing a ‘secure by design’ approach to safeguard their brand reputation.

While difficult to achieve, a robust strategy begins by creating a culture of security within the organization. A strong organizational foundation for it is also necessary, and often this begins by placing the CISO at the center of the organization. CISOs must assume ownership of the cybersecurity agenda, including not only assigning roles and responsibilities of the people, but also the organization. CISOs must ensure security is a priority for everyone, not just the IT team. CISOs should also ensure independence and empowerment are upheld in their role, resulting in critical security-related changes being driven effectively and efficiently.


3. By 2025, Gartner estimates that 75% of enterprise data will be generated and utilized outside of the data center. How can CISOs be prepared to face the challenges while deploying computing power and storage capabilities at the network’s edge?

CISOs need to prepare against specific threats such as data breaches, denial of service, insecure APIs, account hijacking, and more. Most cloud service providers offer security services for data protection, regulatory compliance and privacy, secure access control capabilities for effective security risk management and protection in the public cloud.

Organizations are still urged to build a robust strategy for risk management framework, secure cloud design, security governance, and skills expertise in the cloud as most incidents occur due to lack of a strong security strategy. In the case of edge computing, devices present in an organization’s infrastructure need to be both cybersecure and physically secure.

— Vishal Salvi, CISO, Infosys

4. A modern cloud-centric digital business needs access to information anywhere and everywhere. While a connected employee is a boon to the enterprise, it is a nightmare to the CISO. How do you see these emerging cloud-centric technologies impacting secure networks? How can we build more trust around cloud for cyber threat response?

It is critical that organizations begin to build a robust strategy for cyber risk management with a secure cloud design, security governance and skills expertise in the cloud. With a growing amount of information available in the cloud, cyberattacks will continue to rise. Prevention, risk management, and mitigation should be prioritized, but there is no “one-size-fits-all” approach to cybersecurity.


5. In your view, which three network security best practices do CISOs need to avoid or relook at in 2021?

CISOs should communicate frequently to all staff about potential cyber risks to keep them apprised of phishing emails and other suspicious communication. Security trainings should also be at the forefront of a CISO’s agenda, ensuring employees know how to set up secure home networks and physically secure devices. Lastly, CISOs should have a well-developed and periodically tested cyber resilience plan in place to ensure their organization is equipped to address any short- or long-term cyberattack prevention efforts.

Running test drills on a regular cadence will ensure all stakeholders are aware of how issues could play out and what they should do to minimize the impact.

— Vishal Salvi, CISO, Infosys

6. Which security initiatives will you prioritize at Infosys this year? What is your cybersecurity wish list for 2021 and beyond?

We have almost our entire workforce remotely connected, thereby making it critical for us to continuously monitor our threat landscape through our cyber defense centers and prevent possible attacks. Furthering our automation in our cyber defense centers is key, even though we are at a level of maturity wherein we are providing our capabilities to our clients today.

For any organization to be cyber resilient, I would expect it to undergo a continuous assessment of its cybersecurity posture. I would double down on our vulnerability management program and resiliency measures. Zero trust network architecture (ZTNA) may appear to be a buzzword these days; however, we have been on this path for a few years now. That said, I would focus on enhancing our ZTNA journey.

About Vishal Salvi:
Vishal Salvi is CISO at Infosys. He is responsible for the overall information and cyber security strategy and its implementation across Infosys. With 25+ years of industry experience in cybersecurity and information technology across different industries, Vishal has extensive management and domain experience in driving transformation cybersecurity programs, delivery, and sales in all key areas.

About Infosys:

Infosys is a global company in next-generation digital services and consulting. They enable clients in 46 countries to navigate their digital transformation. With nearly four decades of experience in managing the systems and workings of global enterprises, Infosys expertly steers the clients through their digital journey. They do it by enabling the enterprise with an AI-powered core that helps prioritize the execution of change.

About Tech Talk

Tech Talk is an interview series that features notable CTOs and senior technology executives from around the world. Join us as we talk to these technology and IT leaders who share their insights and research on data, analytics, and emerging technologies. If you are a tech expert and wish to share your thoughts, write to [email protected].
