Subhajit Deb, CISO, Dr. Reddy’s Laboratories, may have started off the way most CISOs in India do, i.e. working in IT, but he is far from your traditional CISO. At one time he even had a lab set up in his own office to create malware and then reverse engineer it, all just to see how the whole thing works. He would even try things at home. Because, if you don’t know how it works, you won’t know how to stop it, he quips.
If Deb comes across as someone genuinely passionate about information security, it is no surprise, because here is a person who transitioned to information security a few years into his career out of a deep-rooted belief in its intrinsic value. As an enterprise architect at the time, he realized that unless security is steeped into the enterprise architecture or the technology stack an organization uses, the picture is not complete. And that is how he made his foray into information security, driven by the need to complete the picture.
Not having formal education in the information security domain has been one of the reasons that propelled Deb to walk the extra mile. Rather than becoming a deterrent, it actually helped him see things from a very different perspective altogether.
For one, what has really helped Deb get past the lack of formal security education and progress up the ladder in this domain is his inherent outlook of attacking any problem from its fundamentals. “When I look at a cybersecurity problem, I look at it in the most basic way – what is my impact on the confidentiality, integrity and availability (CIA)? It can be a very advanced problem related to cryptography or it can be a very simple problem relating to issuing an application. But, when I see it through the lens of absolute fundamentals, that if this were to happen how it would impact my CIA pyramid, then things become very easy,” he explains.
Another ‘basics’ mantra that he has trained himself to follow, and that has helped him tremendously over the years when looking at any cybersecurity problem, is to eliminate each possible point of failure one by one until he has narrowed down to the root cause.
Having started off his career in IT, building solutions across software, hardware, operating systems, laptops, desktops, servers and the like, the insight into how things are made also made it easy to understand how they can be broken.
Deb put all these learnings to apt use at Bank of America, which was not only the stepping stone for his infosec career but also gave him extensive exposure to tackling cybersecurity effectively in a high-risk environment. Being one of the largest American banks, the bank was high on the radar of cyber criminals and at the receiving end of some of the most prolific and sophisticated cyber attacks. Thrown right into the middle of the pit, so to speak, the stint with the bank proved to be a great hands-on learning experience for Deb, as he got exposure to some of the most advanced and mature cybersecurity systems, well ahead of what most other companies had at the time.
While all this was instrumental in kick-starting and shaping Deb’s early career in information security, he realized that it wasn’t enough to make the cut for the CISO role. He knew this required making the transition from a technologist to a business-oriented security leader. And that he did. Having started his information security career at the bottom rung of the ladder as a threat researcher doing operational work in 2007, Deb climbed to the CISO rank within nine years.
While the steady rise is commendable, Deb doesn’t hesitate to admit the many times he stumbled and fell, or the initial leadership phase when he came out of meetings with business leaders that went nowhere. “I have made presentations to the board, slides full of technology jargon, the board didn’t understand anything and sent me back. I have had my share of failures too,” he admits.
But, instead of throwing in the towel, Deb decided to reach out to some of the most senior security leaders in India at the time and seek their advice on how they solved their business problems and made presentations to the board. And the number one lesson he learnt was to understand the business’s problems and speak to the business in its own language.
Interestingly, what Deb started practicing, and continues to practice to this day, is going to the business and asking them what they think is the doomsday scenario in their line of business, the one that would cause them a real business problem. He then works backwards to find out how that could happen from a technology perspective, and how to prevent it.
Deb believes that a CISO’s role is to facilitate business and enable people to do better business in a safe and risk-aware manner. Without understanding the business’s objectives, strategies and the products it is selling, the CISO can still protect the organization, but will start throwing a lot of spanners into normal business processes.
“Stopping things is not effective security as organizations are driven by sales and profitability. So, how do you enhance the profitability and yet keep it secure is the name of the game. While you know the technology problem, how do you articulate it and translate it into a business problem is a real expertise that CISOs need to build today,” states Deb.
Going forward, he believes we are looking at an age where cybersecurity and privacy will converge on a common point, and CISOs need to be prepared for that. Hence, how to do better data governance alongside cybersecurity is going to play a very important role for the CISO. Also, with limited cybersecurity budgets, he anticipates that CISOs will need to learn how to be deft at optimizing their investments.
“Being a CISO is a huge responsibility and yet you are not in the limelight all the time as with most organizations cybersecurity gets called in only when something breaks. But, I believe that we kind of manage a very critical responsibility in keeping things secured. And, till the time you are not being called upon you are actually doing a good job,” Deb aptly sums up his life as a CISO.