VP – Corporate IT, Head Group CIO office & Process Excellence,
Mahindra & Mahindra Ltd
Tell us in brief about your professional journey to date.
My professional career moved through all routes of a manufacturing organisation. It started with part development, tool optimisation, multi-machine planning and process cost optimisation. Later the organisation decided on re-engineering and I moved to the Business Process Re-engineering (BPR) cell. I think that since then, professionally, I turned to IT. Knowledge of business processes turned out to be the key thing for my next role of ERP implementation. Then I moved into the corporate role. It was all about building IT strategy using the business BSC. A new concept got developed as Shared CIO: developing future CIOs for newly evolved organisations and building them to the level of the stable Mahindra way of working. An extension of that role brings me to this chair of Head of the Group CIO office, where it's developing the business transformation journey for each sector, based on their maturity and capability, and nurturing them to become cost effective. The Information Security portfolio is part of this role.
Why did you choose information security as a profession?
Choosing InfoSec as a profession was never envisaged. It became an integral part of my current role. But I must say that in today's world "Security" is not a gate-keeper; it should be infused into the organisation, as information resides in all corners and in all forms. One needs to be alert all the time, inside-out and outside-in. That makes the InfoSec role more and more challenging. With the spread of the internet, mobility, cloud, big data and the social world out there, the threats are increasing day by day and organisations need to be on their toes to mitigate all the risks.
According to you, what are the big challenges CISOs are facing today?
BYOD is bringing a variety of devices into the organisation, and synchronising the security tools for this variety is appearing as a new challenge. Freedom vs. control is another challenge, which rapidly growing organisations are demanding. The pace at which business wants to run demands flexibility; but without proper controls in place it would fetch a terrific setback at some point in time. The Internet of Things is posing far more challenges. If anything and everything gets onto the internet and needs to talk to something, it's tough to pass only relevant data and stop everything else from being propagated across.
Lastly, the entry of Big Data, Cloud and Mobility into the organisation needs to be dealt with very cautiously. We are taking baby steps to ensure that there is a secured path available. I would call it 'Security at what cost, else how much is the cost for what gets lost?'
Do you believe in ‘information security outsourcing’, and if so, to what extent?
I would say yes and no. 'Yes' for the simple reason of getting the best in the world, and 'No' for keeping all the controls with oneself. Outsourcing would mean getting the expertise and the tools being used worldwide. The cloud would be bundled with the InfoSec. Adopting outsourcing could also depend on the business maturity. At the same time, for certain sensitive areas like design and marketing, InfoSec outsourcing would not be the right choice. Confidentiality would always supersede the outsourcing decision.
How do you define the thin line difference between data privacy and data security?
Data privacy to me is 'what you use is what you get' and data security is 'what you get is what you can use'. The CIA triad of InfoSec encompasses the needs vs. usage of information. All three components, Confidentiality-Integrity-Accessibility, are equally important, and so privacy and security go hand in hand. It's all about consuming the information, but one can only bite what's available and what's possible to bite.
What would be your suggestions to information security vendors providing solutions, so that they reach your expectations and satisfaction?
Vendors should be partners rather than just vendors. Spreading awareness of InfoSec should be at the societal level rather than at the organisation level. Vendors should always prompt organisations about upcoming threats. Vendors should focus on the complete value chain instead of only the organisation. The approach could be similar to 'Quality-in-Built', so that InfoSec is an integral part of business rather than a separate monitoring mechanism.