Episode 38
Cybersecurity As A Strategic Opportunity
In this episode, Kal Sambhangi, Senior Vice President, Cybersecurity Strategy and Architecture at Truist, shares his vision of the future of cyber governance. According to him, the leadership mindset needs to change whereby they are optimistic and opportunistic about cybersecurity and view developing cybersecurity capabilities as a source of competitive advantage. Kal also emphasized the importance of attracting professionals from other fields. He said, “I think cyber security as a community should start embracing people with other skills. I think there is a lot of opportunity here, for people skilled in software development, program management, product management, and data analytics.”
Time Stamps
01:28 -- How about providing listeners with some highlights of your professional journey?
03:04 -- You said, "the security industry needs to pivot away from getting things done rather than talking about things. This is a problem that does not have a purely technological solution." Can you please expand on this statement?
08:38 -- Based on your experience Kal, having worked in different organizations, currently you're a senior leader in a very large institution, do you feel that steps are being taken to create and sustain a high-performance information security culture? Also, what are your thoughts and perspectives on the ideal CISO reporting structure?
16:38 -- I have seen different views of the leadership across different industries and they are not all aligned in terms of seeing cybersecurity as part of their strategic core. What are your thoughts?
34:10 -- I'd like to give you the opportunity of sharing some final words before we call it for for today.
Memorable Kal Sambhangi Quotes/Statements
"The security industry needs to pivot away from talking about things and why they go wrong into getting things done and fixing things. This is not a problem that has or can have a purely technological solution."
"I think the goal of securing a business is a bigger strategic decision rather than a set of technical tasks."
"Cybersecurity should not be an afterthought. It should be part of the business model itself, or part of the digital strategy itself."
"Cyber leadership should help embed security throughout the company's products, channels, and operations. And to do so, one has to be able to influence fellow senior leaders. It has to be a collaborative effort. If you have to influence fellow senior leaders, then you got to be talking the same language."
"It's about how securely we are engaging with our customers, how securely we are running our business. So information security needs to be embedded in the culture."
"Cybersecurity could be a competitive advantage."
"I think the key is the ability to abstract the technical concepts into messages that would grip senior leaders, both logically and emotionally."
"I think cybersecurity needs to move towards the paradigm of product management in terms of delivering cyber capabilities within the organization."
Connect with Host Dr. Dave Chatterjee and Subscribe to the Podcast
Please subscribe to the podcast, so you don't miss any new episodes! And please leave the show a rating if you like what you hear. New episodes release every two weeks.
Connect with Dr. Chatterjee on these platforms:
LinkedIn: https://www.linkedin.com/in/dchatte/
Website: https://dchatte.com/
Cybersecurity Readiness Book: https://www.amazon.com/Cybersecurity-Readiness-Holistic-High-Performance-Approach/dp/1071837338
https://us.sagepub.com/en-us/nam/cybersecurity-readiness/book275712
Transcript
Welcome to the Cybersecurity Readiness Podcast
Kal Sambhangi:Series with Dr. Dave Chatterjee. Dr. Chatterjee is the author of
Kal Sambhangi:the book Cybersecurity Readiness: A Holistic and
Kal Sambhangi:High-Performance Approach, a SAGE publication. He has been
Kal Sambhangi:studying cybersecurity for over a decade, authored and edited
Kal Sambhangi:scholarly papers, delivered talks, conducted webinars and
Kal Sambhangi:workshops, consulted with companies and served on a
Kal Sambhangi:cybersecurity SWAT team with Chief Information Security
Kal Sambhangi:officers. Dr. Chatterjee is Associate Professor of
Kal Sambhangi:Management Information Systems at the Terry College of
Kal Sambhangi:Business, the University of Georgia. As a Duke University
Kal Sambhangi:Visiting Scholar, Dr. Chatterjee has taught in the Master of
Kal Sambhangi:Engineering in Cybersecurity program at the Pratt School of
Kal Sambhangi:Engineering.
Dr. Dave Chatterjee:Hello, everyone, I'm delighted to
Dr. Dave Chatterjee:welcome you to this episode of the Cybersecurity Readiness
Dr. Dave Chatterjee:Podcast Series. Our discussion will revolve around recognizing
Dr. Dave Chatterjee:the strategic potential and capabilities of cybersecurity,
Dr. Dave Chatterjee:instilling security in the executive mindset, the
Dr. Dave Chatterjee:importance of holistic cybersecurity governance, how do
Dr. Dave Chatterjee:you draw professionals from other fields into cybersecurity,
Dr. Dave Chatterjee:and more. I'm delighted to host Kal Sambhangi, Senior Vice
Dr. Dave Chatterjee:President, Cybersecurity Strategy and Architecture at
Dr. Dave Chatterjee:Truest. Kal, welcome.
Kal Sambhangi:Thanks Dave for having me here today.
Dr. Dave Chatterjee:Well, I know the listeners are in for a
Dr. Dave Chatterjee:treat. Because when we had our planning meeting, you shared
Dr. Dave Chatterjee:some very powerful perspectives. And I'm looking forward to
Dr. Dave Chatterjee:discussing those with you this afternoon. But before we get
Dr. Dave Chatterjee:into all that, how about providing listeners with some
Dr. Dave Chatterjee:highlights of your professional journey?
Kal Sambhangi:Sure, I started my professional journey soon
Kal Sambhangi:after I completed my engineering and MBA in finance in India. And
Kal Sambhangi:you know, back in the late 90s, ERP was a big thing. And my
Kal Sambhangi:background in finance helped me to establish myself as a intern
Kal Sambhangi:to start with and then worked my way up in the consulting world,
Kal Sambhangi:specifically in ERP implementation and
Kal Sambhangi:customization, then as chance by chance into data analytics, and
Kal Sambhangi:all. From an experience standpoint, working with large
Kal Sambhangi:systems integrators, consulting firms, retailers, and financial
Kal Sambhangi:services. Specifically, most of my career has been in data
Kal Sambhangi:analytics, but I took some risk, made a pivot in during the
Kal Sambhangi:pandemic, when an opportunity struck for me to take a role in
Kal Sambhangi:cybersecurity. I thought that could be something new,
Kal Sambhangi:refreshing, and I moved to cybersecurity in 2019. So it's
Kal Sambhangi:been close to five years for me in this space, apart from my
Kal Sambhangi:previous experiences. Hope that helps.
Dr. Dave Chatterjee:Fantastic! that's such an eclectic
Dr. Dave Chatterjee:background. In fact, that brings back memories of my own
Dr. Dave Chatterjee:experience, where I started my career in accounting as a
Dr. Dave Chatterjee:chartered accountant, and then gravitated to information
Dr. Dave Chatterjee:systems. And now I'm focusing on cybersecurity. So that's
Dr. Dave Chatterjee:phenomenal. So Kal, I'll reference our planning meeting
Dr. Dave Chatterjee:that we had, where you shared some very powerful and
Dr. Dave Chatterjee:interesting perspectives. And I quote from one of them. You
Dr. Dave Chatterjee:said, "the security industry needs to pivot away from talking
Dr. Dave Chatterjee:about things and why they go wrong, into getting things done
Dr. Dave Chatterjee:and fixing things." This is not a problem, which has or can have
Dr. Dave Chatterjee:a purely technological solution. Can you please expand?
Kal Sambhangi:Sure, I said, getting things done, rather than
Kal Sambhangi:talking about things. I think it goes back to some of the other
Kal Sambhangi:thoughts I shared in terms of a moving away from a
Kal Sambhangi:compliance-oriented function towards really doing something
Kal Sambhangi:from an implementation standpoint. But before I get
Kal Sambhangi:there, I think today, as we all know, cyber risk is everywhere.
Kal Sambhangi:And for all the investments we've been making, to secure our
Kal Sambhangi:systems, product, customers, we're still struggling to make
Kal Sambhangi:cybersecurity, in my view, a vibrant, proactive part of
Kal Sambhangi:strategy, operations and the enterprise culture. In my view,
Kal Sambhangi:the root cause could be twofold. Now, obviously, cyber security
Kal Sambhangi:most of the time is treated as a back office job. 2) most cyber
Kal Sambhangi:leaders, at least I have come across I have had experience
Kal Sambhangi:with, not to kind of belittle anything, but I've come from
Kal Sambhangi:technology backgrounds, just like me and we lack a little or
Kal Sambhangi:maybe a little ill-equipped from exerting strategic influence
Kal Sambhangi:across the organization. So given that, again, we also hear
Kal Sambhangi:that an average tenure for a cyber leader is 18 months. But
Kal Sambhangi:it's clear that something is not right, something needs to
Kal Sambhangi:change. And we have all seen historically, companies have
Kal Sambhangi:expected security leaders to focus on technical tasks. And
Kal Sambhangi:not maybe a lot of expected more of them. But as the regulatory
Kal Sambhangi:policies change, as this cyber threats and the compliance
Kal Sambhangi:regulation aspect, and as companies become more and more
Kal Sambhangi:digital enabled, I think the goal of securing the business is
Kal Sambhangi:a much more big strategic decision, rather than a set of
Kal Sambhangi:technical tasks. It's all about the business models, the digital
Kal Sambhangi:strategy, the product mix, the merger and acquisitions.
Kal Sambhangi:cybersecurity, in my view, is or should not be an afterthought,
Kal Sambhangi:but should be part of the business model itself, or part
Kal Sambhangi:of the digital strategy itself, part of the product mix itself,
Kal Sambhangi:we can discuss those in detail later. But at a at a high level,
Kal Sambhangi:that's what I think.
Dr. Dave Chatterjee:I couldn't agree with you more.
Dr. Dave Chatterjee:Cybersecurity needs to be part of the strategic core, integral
Dr. Dave Chatterjee:to strategic decision making, and a key and distinctive value
Dr. Dave Chatterjee:proposition. So please continue. This is great.
Kal Sambhangi:I think the cyber leadership should help embed
Kal Sambhangi:security throughout the company's products, channels,
Kal Sambhangi:operations. And to do so, obviously have to influence
Kal Sambhangi:fellow senior leaders, right. Has to be a collaborative
Kal Sambhangi:effort. So if you have to influence fellow senior leaders,
Kal Sambhangi:then you got to be talking the same language, you got to be
Kal Sambhangi:talking and walking the same languages as well. So I think
Kal Sambhangi:that's the key from a cyber leadership standpoint. That
Kal Sambhangi:means, companies need to develop security executives, who have
Kal Sambhangi:the skills to do so. And this goes back to my point of how
Kal Sambhangi:much of inboarding could we do to expedite building these
Kal Sambhangi:skills within the organization versus onboarding, or basically
Kal Sambhangi:bringing in more business leaders into security in some
Kal Sambhangi:form or fashion, building that connectivity, that thread
Kal Sambhangi:between the various functions in the organization.
Dr. Dave Chatterjee:Interesting. So essentially, what you're
Dr. Dave Chatterjee:saying is, unless the C-suite folks recognize the significance
Dr. Dave Chatterjee:of security, and are willing to make it centric to the overall
Dr. Dave Chatterjee:strategic goals of the organization, you're unlikely to
Dr. Dave Chatterjee:see an organization-wide acceptance, organization-wide
Dr. Dave Chatterjee:involvement, whereby everybody does their part, as opposed to
Dr. Dave Chatterjee:kind of outsourcing it to a group of people, whether
Dr. Dave Chatterjee:internal or external, to do the heavy lifting.
Kal Sambhangi:Absolutely, absolutely. And security should
Kal Sambhangi:not just be embedded in the processes, but at the end of the
Kal Sambhangi:day in the culture. So it's about how securely we are
Kal Sambhangi:engaging with our customers, how securely we are running our
Kal Sambhangi:business. So it needs to be embedded in the culture. I think
Kal Sambhangi:that that's where I was going to. And that kind of resonates
Kal Sambhangi:with your statement as well.
Dr. Dave Chatterjee:For security, to become part of the
Dr. Dave Chatterjee:organizational culture, for security to become part of the
Dr. Dave Chatterjee:executive mindset, organizational mindset. It
Dr. Dave Chatterjee:requires training, it requires awareness, it requires job
Dr. Dave Chatterjee:rotation. Like you said, it requires creation of attractive
Dr. Dave Chatterjee:roles, which will draw people from other fields into
Dr. Dave Chatterjee:cybersecurity. How the CISO function and reporting
Dr. Dave Chatterjee:relationships are structured also depends on how information
Dr. Dave Chatterjee:security is perceived by the leadership. Talking about
Dr. Dave Chatterjee:structuring CISO reporting relationships, there are various
Dr. Dave Chatterjee:views out there. According to one school of thought the Chief
Dr. Dave Chatterjee:Information Security Officer CISO should report directly to
Dr. Dave Chatterjee:the CEO. According to another school of thought CISOs should
Dr. Dave Chatterjee:report to the external audit committee. Based on your
Dr. Dave Chatterjee:experience Kal, having worked in different organizations,
Dr. Dave Chatterjee:currently, you're a senior leader in a very large
Dr. Dave Chatterjee:institution, do you feel that steps are being taken to create
Dr. Dave Chatterjee:and sustain a high-performance information security culture.
Dr. Dave Chatterjee:Also, what are your thoughts and perspectives on the ideal CISO
Dr. Dave Chatterjee:reporting structure?
Kal Sambhangi:I think yes, there is the intent. And large
Kal Sambhangi:organizations specifically in certain industries are moving
Kal Sambhangi:towards that. But you just mentioned about where should the
Kal Sambhangi:cyber leadership role align to? Shouldn't it be reporting into
Kal Sambhangi:the CEO or the chief operating officer, or the risk committee?
Kal Sambhangi:I think there are different variations of the model, there
Kal Sambhangi:are different thought processes. I think, from my perspective, I
Kal Sambhangi:always felt it is about setting the intent. There is no one size
Kal Sambhangi:fits all. But I think setting the intent in terms of primary
Kal Sambhangi:options considering building the strategy around business
Kal Sambhangi:continuity, brand protection, bottom line growth, regulatory
Kal Sambhangi:compliance, I think setting the intent around these larger
Kal Sambhangi:strategic themes is key. I think the business context drives
Kal Sambhangi:these choices where it should lie. I think the business
Kal Sambhangi:context and the intent are very, very important. You may want to
Kal Sambhangi:think factors like regulatory pressure or risk exposure, what
Kal Sambhangi:really customers are looking for. I'll give you a couple of
Kal Sambhangi:examples here, an electric company may prioritize business
Kal Sambhangi:continuity to ensure the highest service or time, in a cost
Kal Sambhangi:pressure market, while an IoT manufacturer may focus on
Kal Sambhangi:growth, betting on cyber security's ability, to be a
Kal Sambhangi:differentiator, and to justify the premium raises. Similarly,
Kal Sambhangi:if financial services firm given that the thin line between
Kal Sambhangi:fraud, privacy, and cybersecurity is kind of thin
Kal Sambhangi:line, and it's waning away, I think the intent here in terms
Kal Sambhangi:of hey, if, at the end of the day, it's the customer
Kal Sambhangi:experience which matters. At the end of the day, it's the
Kal Sambhangi:customer experience on digital channels, which is going to was
Kal Sambhangi:growth, I think that intent and the context should drive the
Kal Sambhangi:choices in terms of the cyber leader should report into and so
Kal Sambhangi:on, so forth. I think it's all about the why for cybersecurity,
Kal Sambhangi:the why for cybersecurity, and, and these choices, go back to
Kal Sambhangi:the why. And choosing strategy, or the response to the why will
Kal Sambhangi:obviously cascade down to operational activities will then
Kal Sambhangi:drive business outcomes. I think at the end of the day,
Kal Sambhangi:cybersecurity as a function cannot afford to be just
Kal Sambhangi:technology and tools driven, because there's too much at
Kal Sambhangi:stake right now. So I think it is the business context. And it
Kal Sambhangi:is the intent, and why which will drive a broader strategy
Kal Sambhangi:and the alignment of cyber leadership within the
Kal Sambhangi:organization. That's my perspective, rather than saying
Kal Sambhangi:it should be aligned to the CEO or the COO or the risk
Kal Sambhangi:committee.
Dr. Dave Chatterjee:Very fair. You have to contextualize
Dr. Dave Chatterjee:cybersecurity, given the vision, mission, goals of the
Dr. Dave Chatterjee:organization,
Kal Sambhangi:Growth strategy as well, where am I in? How do I
Kal Sambhangi:want to grow? Yeah, things like that.
Dr. Dave Chatterjee:This reminds me of another guest, who
Dr. Dave Chatterjee:made a very interesting and poignant statement. He said, I'd
Dr. Dave Chatterjee:encourage the C level leaders to look at cybersecurity as an
Dr. Dave Chatterjee:opportunity, instead of viewing it as a hurdle, a stumbling
Dr. Dave Chatterjee:block, and a cost of doing business. So the leadership
Dr. Dave Chatterjee:mindset needs to change, where they are optimistic and
Dr. Dave Chatterjee:opportunistic about cybersecurity. They view
Dr. Dave Chatterjee:developing cybersecurity capabilities as a source of
Dr. Dave Chatterjee:competitive edge, competitive advantage. So
Kal Sambhangi:Exactly. I think the key is the cybersecurity
Kal Sambhangi:could be a competitive advantage. I think that's the
Kal Sambhangi:paradigm shift.
Dr. Dave Chatterjee:Yes, that is the kind of paradigm shift
Dr. Dave Chatterjee:that is needed for information security, to become part of the
Dr. Dave Chatterjee:strategic core. When the leadership starts looking at
Dr. Dave Chatterjee:cyber. from a strategic standpoint, they will include
Dr. Dave Chatterjee:cybersecurity in their discussions of whether they
Dr. Dave Chatterjee:should launch a certain initiative or a certain product,
Dr. Dave Chatterjee:and if so, what are the security implications? And how are they
Dr. Dave Chatterjee:going to address it?
Kal Sambhangi:You're absolutely right Prof. Chatterjee. I just
Kal Sambhangi:wanted to, you know as the businesses are evolving, and the
Kal Sambhangi:digital channels are becoming the prime channels to, to sell a
Kal Sambhangi:product or an offering or to service a product or an
Kal Sambhangi:offering, I think the the the trust factor, and the importance
Kal Sambhangi:of trust factor, between the one who is offering the service and
Kal Sambhangi:one who is consuming the service, I think that the
Kal Sambhangi:importance of the trust factor has kind of an elevated level
Kal Sambhangi:and for the business to be successful. Be it any industry,
Kal Sambhangi:you don't see, we're talking about back or a few years ago,
Kal Sambhangi:when we say a bank was a brick-and-mortar walkin branch,
Kal Sambhangi:similarly, retailer was the same thing. But now, when we're
Kal Sambhangi:talking about e-commerce and e-banking and digital channels,
Kal Sambhangi:the trust factor is the key, and that becomes a competitive
Kal Sambhangi:advantage. Establishing a greater trust, when we're
Kal Sambhangi:talking about the digital channels, when we are not really
Kal Sambhangi:touching them talking to people at a branch. So establishing
Kal Sambhangi:that trust is a competitive advantage. And obviously,
Kal Sambhangi:cybersecurity is part of that trust. Breach means you have
Kal Sambhangi:your customers who are kind of thinking about, hey, should I
Kal Sambhangi:actually stay with this organization where there is a
Kal Sambhangi:breach and my data could be compromised, my personal
Kal Sambhangi:information could be compromised. And that's a
Kal Sambhangi:reputational risk, huge reputational risk, apart from
Kal Sambhangi:the financial risk and other risks for the organization. But
Kal Sambhangi:at the same time, for the end-customer, not having the
Kal Sambhangi:trust, I think I know that some much broader business risk for
Kal Sambhangi:the for the organizations.
Dr. Dave Chatterjee:I like the way you brought in trust to
Dr. Dave Chatterjee:frame the significance of what we are talking about. Trust is
Dr. Dave Chatterjee:such a great leveler. And it brings to perspective, what's
Dr. Dave Chatterjee:key, and how cyber can play a role in enhancing trust.
Dr. Dave Chatterjee:Customers have to trust the quality of the product, quality
Dr. Dave Chatterjee:of the service, and alongside with those, customers must also
Dr. Dave Chatterjee:be able to trust that the information they're sharing, or
Dr. Dave Chatterjee:the information the company has about them is being safe
Dr. Dave Chatterjee:safeguarded, to the best of the organization's abilities. So
Dr. Dave Chatterjee:trust is definitely a common denominator. And that's a great
Dr. Dave Chatterjee:way of trying to raise the level at which cybersecurity should be
Dr. Dave Chatterjee:perceived and integrated within the organization. On a related
Dr. Dave Chatterjee:note, as we have seen time and again, it brings back memories
Dr. Dave Chatterjee:of the Enron scandal, then the arrival of the SOX legislation,
Dr. Dave Chatterjee:time and time again, history tells us that organizations are
Dr. Dave Chatterjee:more reactive, organizations need the fear of enforcement of
Dr. Dave Chatterjee:compliance requirements, to get things done, the proactive
Dr. Dave Chatterjee:effort is not there. And to to make it a proactive initiative,
Dr. Dave Chatterjee:one has to find a way of linking it to the strategic goals, to
Dr. Dave Chatterjee:the business goals, to revenue generation. So that's the
Dr. Dave Chatterjee:challenge, because otherwise, you're gonna have a hard time
Dr. Dave Chatterjee:convincing leadership to spend time focusing on cyber because
Dr. Dave Chatterjee:they'll say well, we got to run the business, we got to manage
Dr. Dave Chatterjee:our customer base and so on so forth. And it varies from
Dr. Dave Chatterjee:industry to industry, you are in a financial services industry,
Dr. Dave Chatterjee:the regulations are very stringent. So probably the
Dr. Dave Chatterjee:perspective is different. But I have seen different views of the
Dr. Dave Chatterjee:leadership across different industries, and they are not all
Dr. Dave Chatterjee:aligned in terms of seeing cybersecurity as part of their
Dr. Dave Chatterjee:strategic core. What are your thoughts?
Kal Sambhangi:Yeah, as you rightly said, depending upon the
Kal Sambhangi:industry, the size of the business, I think the focus and
Kal Sambhangi:magnitude of focus could differ. However, I think there are some
Kal Sambhangi:common factors or common forces irrespective of the industry
Kal Sambhangi:size as we see this sprawl with the digital products channels. I
Kal Sambhangi:think there are some common factors, right. It has nothing
Kal Sambhangi:to do with the size of the organization or the offering the
Kal Sambhangi:organization has, or the regulatory compliance to serve
Kal Sambhangi:the organization. At the end of the day, every business is
Kal Sambhangi:dealing with consumers, and we're seeing more and more and
Kal Sambhangi:more increasingly complex regulation around consumer data
Kal Sambhangi:protection, and I would say it is across the board. 2) The role
Kal Sambhangi:of smart decisions, the role of smart equipment. We could about
Kal Sambhangi:IoT as an industry. We all talk about self driving cars, very
Kal Sambhangi:soon. So when we talk about all of these, which are very
Kal Sambhangi:software driven, and the moment we talk about these digital
Kal Sambhangi:channels, platforms, products, we obviously talk about the data
Kal Sambhangi:we capture, the analytics we conduct on the data, machine
Kal Sambhangi:learning, artificial intelligence, the ecosystem
Kal Sambhangi:partnerships, because no one company can build all the nuts
Kal Sambhangi:to nuts and bolts and all the all the moving shaking parts,
Kal Sambhangi:for digital products. Obviously, there is going to be an
Kal Sambhangi:ecosystem partnership, a platform partnerships
Kal Sambhangi:irrespective of the industries. So that's where that's where we
Kal Sambhangi:are seeing the business models, evolving into ecosystem partner
Kal Sambhangi:partnerships, platform partnerships, and so forth. And
Kal Sambhangi:as these ecosystems evolve, and as more of these platform
Kal Sambhangi:partnerships are built so that the smaller businesses could
Kal Sambhangi:grow quickly, grow fast, obviously, there is an increase
Kal Sambhangi:in supply chain risk, because now we have too many touching
Kal Sambhangi:connected points. So obviously there is supply chain risk. And
Kal Sambhangi:it goes back to how well are we protecting my customer
Kal Sambhangi:information, and then and then the threat could be from the
Kal Sambhangi:supply chains you're operating within. So I think I think the
Kal Sambhangi:the leadership aspect of cybersecurity, irrespective of
Kal Sambhangi:the size that needs to be positioned to function for
Kal Sambhangi:lateral impact across the organization, not just across
Kal Sambhangi:the organization, but also across the supply chain. So the
Kal Sambhangi:lateral impact or positioning for the lateral impact, I think
Kal Sambhangi:that's the key and it has nothing to do with the size of
Kal Sambhangi:the organization or the industry in which the organization is
Kal Sambhangi:operating. I think having the if we all agree that having that
Kal Sambhangi:lateral impact is key, then proper authority is vital. And
Kal Sambhangi:having a inter organizational political sway, and extra
Kal Sambhangi:organizational political sway to orchestrate the change. I think
Kal Sambhangi:that's the key. So I don't think we should are we we could or we
Kal Sambhangi:should look at it from a lens of the organizational size and the
Kal Sambhangi:and then the industry itself.
Dr. Dave Chatterjee:Great point! competition today is not
Dr. Dave Chatterjee:simply between say Publix and Kroger. But between Publix and
Dr. Dave Chatterjee:its network, and Kroger and its network. As you put it,
Dr. Dave Chatterjee:competition is taking place at the ecosystem level, at an inter
Dr. Dave Chatterjee:organizational network level.
Kal Sambhangi:Yeah,
Dr. Dave Chatterjee:I couldn't agree with you more. And that
Dr. Dave Chatterjee:brings up something that I've been recommending through my
Dr. Dave Chatterjee:book, articles and talks. And that is establishing some sort
Dr. Dave Chatterjee:of shared accountability and responsibility among the value
Dr. Dave Chatterjee:chain partners, whereby, when data of Company A resides on the
Dr. Dave Chatterjee:server of Service Provider B, Service Provider B should work
Dr. Dave Chatterjee:in unison with company A, to make sure that the data is safe.
Dr. Dave Chatterjee:The two supply chain partners should work as a team to ensure
Dr. Dave Chatterjee:the most rigorous information security standards are being
Dr. Dave Chatterjee:maintained and met. In other words, it is not okay to simply
Dr. Dave Chatterjee:rent out the storage space or computing power and say, okay,
Dr. Dave Chatterjee:here are your servers. This is how you configure the security
Dr. Dave Chatterjee:settings. And now it's your problem, it's your
Dr. Dave Chatterjee:responsibility to secure your customer data. I think that's
Dr. Dave Chatterjee:where there has to be some changes, whether it comes in the
Dr. Dave Chatterjee:form of regulations, or it is through SLA provisions, whereby
Dr. Dave Chatterjee:both the parties, in this case A and B, will be held jointly
Dr. Dave Chatterjee:liable for the breach consequences. Only when there is
Dr. Dave Chatterjee:responsibility and accountability Kal are you
Dr. Dave Chatterjee:likely to see the kind of security centric supply chain
Dr. Dave Chatterjee:partnerships that you talk about. Security controls have to
Dr. Dave Chatterjee:be embedded within inter-organizational processes
Dr. Dave Chatterjee:and business models.
Kal Sambhangi:Totally, totally agree. I think we're not too
Kal Sambhangi:far, at least from my perspective, and the way I look
Kal Sambhangi:at it, we are not too far to get to that place, not just from a,
Kal Sambhangi:in this case, you mentioned, for example, cloud providers, party
Kal Sambhangi:A and party B, one of that could be a cloud provider. I think
Kal Sambhangi:it's much broader than that. We're talking about data
Kal Sambhangi:sharing. We're talking about ecosystem partners, monetizing
Kal Sambhangi:shared data and information, because their offerings are
Kal Sambhangi:built around that. So as we get into those complex ecosystem
Kal Sambhangi:models, it can never be the responsibility of the partner,
Kal Sambhangi:where the data is originating, versus when it is hosted versus
Kal Sambhangi:who is using it, so on so forth. Becomes a collective
Kal Sambhangi:responsibility. And I think the industry, two things, there is
Kal Sambhangi:an organic natural shift to self regulate ties and self regulate
Kal Sambhangi:this and some kind of a model to support the increasing needs and
Kal Sambhangi:the challenges. Mitigate the challenges. 2) More of
Kal Sambhangi:regulation, more of the oversight from the government
Kal Sambhangi:and institutions. I think we will get to the path. And my
Kal Sambhangi:view is before a lot of the regulation comes into frame,
Kal Sambhangi:more than driven by regulation, I think, as partners in the
Kal Sambhangi:ecosystem, because again, as we talk about evolving technologies
Kal Sambhangi:like blockchain, but we're talking about, again, leveraging
Kal Sambhangi:technologies across the partner ecosystems, building platforms,
Kal Sambhangi:across partner ecosystems, I think some amount of sanity will
Kal Sambhangi:prevail. And people would come together and say, Hey, how do I
Kal Sambhangi:protect the interests of my customer, consumer, and I think
Kal Sambhangi:we will arrive at that kind of a point, that's my view.
Dr. Dave Chatterjee:I'm so delighted that you're painting
Dr. Dave Chatterjee:such an optimistic picture. And that's how leaders like you
Dr. Dave Chatterjee:should be, because you're kind of guiding where cybersecurity
Dr. Dave Chatterjee:governance needs to go. And talking about cybersecurity
Dr. Dave Chatterjee:governance. And I'm glad you mentioned that it's not enough
Dr. Dave Chatterjee:just to focus on the technical controls. Technical controls are
Dr. Dave Chatterjee:important, not trying to minimize their significance. But
Dr. Dave Chatterjee:I like to emphasize holistic governance. Drawing upon my
Dr. Dave Chatterjee:framework, holistic cybersecurity governance is
Dr. Dave Chatterjee:reflected in the three dimensions of a
Dr. Dave Chatterjee:high-performance, information security -- culture, commitment,
Dr. Dave Chatterjee:preparedness, and discipline. Each of these dimensions are
Dr. Dave Chatterjee:associated with success factors, 17 of them to be precise. Many
Dr. Dave Chatterjee:of these success factors are linked to leadership and
Dr. Dave Chatterjee:governance. For instance, one of the success factors of holistic
Dr. Dave Chatterjee:cybersecurity governance is hands-on top management; how
Dr. Dave Chatterjee:actively engaged is top management from the standpoint
Dr. Dave Chatterjee:of providing oversight, and also participating in cybersecurity
Dr. Dave Chatterjee:strategy development, implementation, monitoring,
Dr. Dave Chatterjee:measurement, and more. Other managerial factors include the
Dr. Dave Chatterjee:structuring and empowering of the CISO function, shared
Dr. Dave Chatterjee:ownership and responsibility, cross functional participation,
Dr. Dave Chatterjee:and strategic alignment and partnerships. So anyhow, the
Dr. Dave Chatterjee:bottom line is that the approach to cybersecurity governance must
Dr. Dave Chatterjee:be holistic by focusing on people, process, and
Dr. Dave Chatterjee:technology-centric measures.
Kal Sambhangi:Absolutely Prof. Chatterjee. And again, there
Kal Sambhangi:cannot be 100% Cyber safe.
Dr. Dave Chatterjee:Absolutely.
Kal Sambhangi:Situation. Right? You know, that's not not even a
Kal Sambhangi:statement of Nirvana and we can never have 100%.
Dr. Dave Chatterjee:Totally,
Kal Sambhangi:I think I think it's all about when we talk
Kal Sambhangi:about commitment, discipline, preparedness against these three
Kal Sambhangi:dimensions, and when I said, the technical concepts versus the
Kal Sambhangi:management and leadership concepts here, I think the key
Kal Sambhangi:is the ability to extract the technical concepts into messages
Kal Sambhangi:that would grip senior leaders, both logically and emotionally.
Kal Sambhangi:Right. So the ability to do that, I think, that attribute in
Kal Sambhangi:a cyber leader would help the commitment part, the discipline
Kal Sambhangi:part and also the preparedness part. And what this means is to
Kal Sambhangi:have the ability to exstract the technical concepts. And as I
Kal Sambhangi:have seen, in my experience, for example, the best person to lead
Kal Sambhangi:the digital transformation, or a best person to lead AI adoption
Kal Sambhangi:within an organization and the products offer, need not be or
Kal Sambhangi:necessarily be a digital expert, right, I have not seen a
Kal Sambhangi:technical digital expert becoming the chief digital
Kal Sambhangi:officer or a chief data officer, at least in my experience, I
Kal Sambhangi:think, to a large extent, it could work for cybersecurity, or
Kal Sambhangi:it should work for cybersecurity, as well. Now, the
Kal Sambhangi:cyber leader could be a proven non cyber executive, but who
Kal Sambhangi:knows the business has key relationships throughout the
Kal Sambhangi:organization, and a general appreciation of the technology.
Kal Sambhangi:I think having those traits, obviously, if there is much more
Kal Sambhangi:than general appreciation for technology, well and good. But
Kal Sambhangi:it's not the other way. Right? I think, finding these critical
Kal Sambhangi:traits, I think that would ensure and serve as an enduring
Kal Sambhangi:force from a upliftment standpoint of your cyber
Kal Sambhangi:posture, and also making it part of the broader organizational
Kal Sambhangi:design, organizational culture.
Dr. Dave Chatterjee:Fantastic, fantastic. I like the way you
Dr. Dave Chatterjee:articulated the reality that for a cyber leader to be truly
Dr. Dave Chatterjee:effective, having the necessary technical skills is not
Dr. Dave Chatterjee:sufficient. It's great if it's there, but the business savvy,
Dr. Dave Chatterjee:the ability to connect and communicate with the leadership,
Dr. Dave Chatterjee:and probably, most importantly, the point you made at the very
Dr. Dave Chatterjee:beginning, is the ability to articulate technological issues
Dr. Dave Chatterjee:from a security standpoint, in a manner and a fashion that
Dr. Dave Chatterjee:everybody can relate to. So the speak has to be simple, the
Dr. Dave Chatterjee:speak has to be easily understandable, because
Dr. Dave Chatterjee:otherwise, you're going to lose a lot of the constituencies, and
Dr. Dave Chatterjee:you can't afford that. The moment you get into extreme tech
Dr. Dave Chatterjee:speak and extreme security speak, and you are engaging in
Dr. Dave Chatterjee:acronyms and jargons, immediately folks who are not
Dr. Dave Chatterjee:familiar, they jump to the conclusion, Oh, that's too
Dr. Dave Chatterjee:complicated for me. Just tell me what I have to do. And I'll do
Dr. Dave Chatterjee:it.
Kal Sambhangi:exactly right.
Kal Sambhangi:As it transitioned into cybersecurity few weeks ago, the
Kal Sambhangi:initial six to eight months, very challenging, because there
Kal Sambhangi:was the speak of IP addresses, speak of different frameworks,
Kal Sambhangi:NIST framework, CIS framework, and basically some numbers which
Kal Sambhangi:would talk about a particular requirement in a framework like
Kal Sambhangi:NIST. At the the end of the day, it was a bit challenging for
Kal Sambhangi:someone like me who's coming from a different area. But I
Kal Sambhangi:think, 1), I could bring in my experience and my skills in data
Kal Sambhangi:analytics, digital experience space, to cyber. I'm just
Kal Sambhangi:quoting this as an example, having worked in data, I was
Kal Sambhangi:always a little scary to talk to, and operate within my peers
Kal Sambhangi:in the cybersecurity space, because I've always seen them as
Kal Sambhangi:someone who would come and say, No, you can't do this. But then
Kal Sambhangi:moving here, I realized the challenge here is both parties
Kal Sambhangi:are not able to talk the same language. I think that helped me
Kal Sambhangi:appreciate the the challenges within cybersecurity and also
Kal Sambhangi:the mindsets, within my fellow teammates, it will appreciate.
Kal Sambhangi:2) help build that bridge, that relationship, with the business
Kal Sambhangi:partners. To be a real bridge from a communication standpoint,
Kal Sambhangi:calls for the cross pollination of skills, cross pollination of
Kal Sambhangi:leadership skills, managerial skills, and also the domain
Kal Sambhangi:expertise and understanding the business itself. I think that's
Kal Sambhangi:the key.
Dr. Dave Chatterjee:Fantastic, I could use that as I wrap up,
Dr. Dave Chatterjee:because we are coming to the end of our time here. And I also
Dr. Dave Chatterjee:want to take this opportunity of congratulating you on your new
Dr. Dave Chatterjee:role. And I like the way you envision the future of cyber and
Dr. Dave Chatterjee:I have no doubt that you will be super successful in your in your
Dr. Dave Chatterjee:current role. I wish you the very best. But once again, I'd
Dr. Dave Chatterjee:like to give you the opportunity of sharing some final words
Dr. Dave Chatterjee:before we call it for for today.
Kal Sambhangi:Thank you, Professor Chatterjee. It was a
Kal Sambhangi:pleasure for me to sit with you and have this conversation.
Kal Sambhangi:Again, you know, personally, I'm learning a lot. This has been a
Kal Sambhangi:great journey for the last four years, as I peek into the
Kal Sambhangi:different mindsets of our mates and very interesting journies.
Kal Sambhangi:It's not just about the technology, it's about how we
Kal Sambhangi:operate in cyber, how we can build relationships across the
Kal Sambhangi:board, both internally and outside. And as I said, as
Kal Sambhangi:platform based ecosystems become the central point of how
Kal Sambhangi:business models evolve, and how artificial intelligence machine
Kal Sambhangi:learning and these technologies come to the, to the middle and
Kal Sambhangi:how we deliver more and more of digital products, I think this
Kal Sambhangi:is going to get much more interesting, not just because
Kal Sambhangi:there is going to be more of regulation and compliance needs.
Kal Sambhangi:And at the same time, one other thing I want to mention as a
Kal Sambhangi:closing comment, there needs to be a digital transformation
Kal Sambhangi:within the cyber function itself. What I mean by that is
Kal Sambhangi:cut down a lot of plethora of tools, make it simple. Adopt
Kal Sambhangi:artificial intelligence, or machine learning to automate a
Kal Sambhangi:lot of the cyber functions, be it on the product side or the or
Kal Sambhangi:the Detect side. So I think there is there is a lot of
Kal Sambhangi:opportunity here, for people with software development
Kal Sambhangi:skills, people with program management skills, people with
Kal Sambhangi:product management skills, because I think cybersecurity
Kal Sambhangi:needs to move more towards the paradigm of product management
Kal Sambhangi:in terms of delivering cyber capabilities within the
Kal Sambhangi:organization. So there is an opportunity for agile
Kal Sambhangi:practitioners, data scientists. So I think there is opportunity
Kal Sambhangi:for a lot of different skills, not just specific cyber skills
Kal Sambhangi:with cyber certifications, because I see a lot of people
Kal Sambhangi:focusing on a lot of cybersecurity certifications I
Kal Sambhangi:think that is needed. That is for a set of functions, for a
Kal Sambhangi:set of roles. But I think cyber security as a community should
Kal Sambhangi:start embracing people with other skills, as I mentioned
Kal Sambhangi:earlier, and vice versa. I think there is a huge opportunity
Kal Sambhangi:going forward and kind of feel really happy and delighted to be
Kal Sambhangi:part of this movement at this point in time. Thank you again
Kal Sambhangi:for having me.
Dr. Dave Chatterjee:Thank you so much, Kal. I'm sure we'll
Dr. Dave Chatterjee:have many more conversations. It's been a pleasure.
Dr. Dave Chatterjee:A special thanks to Kal Sambhangi for his time and
Dr. Dave Chatterjee:insights. If you like what you heard, please leave the podcast
Dr. Dave Chatterjee:a rating and share it with your network. Also, subscribe to the
Dr. Dave Chatterjee:show, so you don't miss any new episodes. Thank you for
Dr. Dave Chatterjee:listening, and I'll see you in the next episode.
Kal Sambhangi:The information contained in this podcast is for
Kal Sambhangi:general guidance only. The discussants assume no
Kal Sambhangi:responsibility or liability for any errors or omissions in the
Kal Sambhangi:content of this podcast. The information contained in this
Kal Sambhangi:podcast is provided on an as-is basis with no guarantee of
Kal Sambhangi:completeness, accuracy, usefulness, or timeliness. The
Kal Sambhangi:opinions and recommendations expressed in this podcast are
Kal Sambhangi:those of the discussants and not of any organization.
