Infosys CISO: Being good at technology is no longer enough

by

Vishal Salvi says investing time and developing influence are the keys to making the shift to a secure-by-design mindset.

How CISOs can gain a better understanding of their cybersecurity attack surface
At RSA 2019, Emily Heath of United Airlines explained the top security challenges businesses face.

Vishal Salvi’s career in cybersecurity does not fit the current short-tenure trend among CISOs.
He has been at Infosys for four years as the chief information security officer. Before that he spent eight years at HDFC Bank and 11 years at Standard Chartered Bank managing security. Salvi said that three years in a company is the minimum requirement for CISOs to make real change.

SEE: What is fileless malware and how do you protect against it? (free PDF) (TechRepublic)

“The minimum tenure is three years to drive the change and make it non-reversible and fundamental,” he said. “I completed three large transformations at HDFC, and that’s why it took me eight and a half years.”

Salvi attended RSA 2020 this week in San Francisco along with members of his team who were speaking at the conference. He said that high security standards allowed the bank to grow.

“Because of security and controls, we could become bolder and be more confident about opening up the bank for global usage,” he said.
 
Getting the right sponsorship for security work is vital to success for CISOs. Security leaders will need this level of trust and support from leadership to navigate the next evolution of the role.

“Being good at technology is no longer enough,” he said. “A CISO needs to speak a business language and give the board an assurance that where you’re going is the right direction.”

Here is Salvi’s advice on how CISOs can expand influence at all levels of a company.

Speaking a business language to executives and boards

In addition to a commitment of time, Salvi said that the current job requirements for CISOs includes: executive presence, influence, great communication skills, and the ability to give direction and define a vision.
 
Salvi said that navigating between the board and the company leadership is another crucial skill, now that security is a regular topic at the top levels of corporate leadership.

“I’ve had board members look me in the eye and ask, ‘Are you getting enough money?’ right in front of my leadership,” he said.

SEE: The 10 most important cyberattacks of the decade (free PDF) (TechRepublic)

“The future is going to be extremely different, it’s all about really executing on that promise,” he said. “Those who have done their job well will come out shining but others will be exposed.”

Setting a new standard for cybersecurity

The future is going to be about cyber resilience, and CISOs need to lead the charge to recalibrate how security teams and entire companies think about security. Security leaders have to engage board members and team members in the right way and drive the shift to a new mindset about security. 
 
“A truly effective CISO can shape the thinking of the organization, and that’s where influence comes in,” he said.

Salvi said that the pressure to shift to a secure-by-design approach is not yet as powerful as the need to get a product on the market as quickly as possible.

“You need a leader who is willing to take the business loss for two weeks to make sure the product is secure,” he said.

Salvi spends a lot of time cultivating a secure-by-decision mindset in the industry and internally at Infosys.

“You have to drive that thinking on an ongoing basis, it’s not something that is easy because it is not natural,” he said.

Driving optimization and innovation in cybersecurity

Salvi’s team at Infosys includes three direct reports, a leadership team of 50 people, and about 300 staff members.

“The average tenure on the leadership team is 10 years, so compared to them, I am a newbie,” Salvi said.

SEE: Brute force and dictionary attacks: A cheat sheet (free PDF) (TechRepublic)

The Infosys security division’s two main tasks are developing new controls and fine-tuning existing tools. Salvi said new controls get between 25 and 30% of his team’s time with optimization taking up about 70% of the workload

“The mandate to our team is: Assume that you are constantly under attack. That is how we start building our controls,” he said.

Infosys is opening a new Cyber Defense Center in Indianapolis on March 3. This will be the company’s seventh global Cyber Defense Center and will be part of the Infosys Technology and Innovation Center that opened in Indianapolis in 2019.

Also see

How to become a cybersecurity pro: A cheat sheet (TechRepublic)

Mastermind con man behind Catch Me If You Can talks cybersecurity (TechRepublic download)
Windows 10 security: A guide for business leaders (TechRepublic Premium)
Online security 101: Tips for protecting your privacy from hackers and spies (ZDNet)
All the VPN terms you need to know (CNET)
Cybersecurity and cyberwar: More must-read coverage (TechRepublic on Flipboard)

leadershipistock000072425619maxsattana.jpg