Gaurav Agarwal: CISOs should invest in incident response mechanisms and skills

CISOs should look up to doing more with less; embracing business through use of mobility, cloud, and analytics; and working more closely with each other than entering a power struggle, says Gaurav Agarwal, MD, Symantec India, in an exclusive interview with IDG Media.

Edited Excerpts:

What were the big changes witnessed in the enterprise and consumer spaces in 2017?

The adoption of cloud is changing at a pace, which I don’t think a lot of people anticipated at the start of 2017. It is accelerated by how customers are both embracing cloud and mobility on a day-to-day basis. This is also causing gaps in the legacy infrastructure. CIOs I meet today are still struggling with cloud access control and expansion issues. Building a maturity model on cloud is the big thing that’s happening in the enterprise space. On the consumer side, there is recognition of the fact that IoT is getting pervasive in homes and cities become smarter. So, security in the IoT era is assuming importance. Definitions and boundaries are breaking down.

Security as part of the board agenda and security as percentage of overall IT budget has become a slightly more significant percentage. Have you really seen the maturity of the frameworks and the compliance curve, in your conversations with CISOs?

The maturity curve is constantly changing with the change of workload etc. Wannacry and Petya increased the board level awareness of the gaps that existed in organizations, and how the board could be held accountable and an organization could be held to ransom – simply because of not spending enough on security, and paying due attention to it. Budgets have gone up dramatically on one hand, but clients really don’t know what they need to protect. Once they are aware, they step up since they realize their business depends on being organization-secure.

How do you view cyber insurance going mainstream in India, with large scale traditional insurance players such as Bajaj Alliances now jumping into the cyber insurance bandwagon?

It is a balance between the insurance cost in terms of what one will have to pay to be protected against data theft or whatever. Cyber insurance is an interesting dimension but it is still early days in India.

Where do you see the actual cybersecurity skill set gap? What are the new skills that you think this space needs, especially in the Indian enterprise?

There are two aspects to this question because skill gap is not going to go away anytime soon because the threat landscape is changing. If you try to fix it, you will have another gap coming by the next year. Companies like ours are investing heavily on machine learning and artificial intelligence to make sure mundane stuff can be analyzed as a combination and then projected to a human interface for right action.

I think organizations should look at people who have the experience of analyzing the data and can offer services around that. Organizations in India need to start investing in incident response as well. This is to ensure they can learn from what happened and develop the skills over the next 12 months, rather than thinking they can hire off the ground.

Last year, Symantec was talking about unified security strategy and four focus areas. So, does anything change in 2018?

The strategy remains the same – just that it will pick up pace. We have done some eight world class integrations between the Blue Coat family and the Symantec family already. We have acquired three new technology companies in the enterprise side – data protection, mobile threat management, and one on isolating risky web.

The last acquisition complements our proxy technology extremely well. So I think we are putting our paddle on the acceleration for the integration, acquiring companies that fill the gaps based on the changing requirements in the enterprise space. We are well on our way to becoming the most relevant enterprise security player for enterprises and for consumers by mixing identity and protection.

Everybody is talking about using public Wi-Fi; but consumers are not sure how public Wi-Fi is safe. So we acquired a company just recently to make public Wi-Fi safer by offering VPN to the consumer side in a manner that it makes sense for people to be safe while opening a bank account on a mobile phone screen and making sure their information’s keystroke is not taken away by somebody who is watching their phone.

So, overall, the strategy remains the same. We are just executing on it and doing a good job in that.

Sure. So how will you be engaging with your partners keeping the integration strategy in place? What changes or what remains the same?

Our partners are seeing the value of integration. They are actually seeing a new Symantec because we have been on this message for last 12 months. So whenever we talk to the CEOs, they are voicing that this is a different Symantec – the articulation is very relevant.

Honestly, at their end, they are also going through the journey gap because we have had legacy partners who are focused on data center side with the Blue Coat family and those who are focused on the user side with the Symantec family.

Partner organization skills are undergoing a transformation – and there is general excitement around preparing for deeper client engagement, acquiring skills around integration etc.

Lastly, we are signing up with service providers as partners, Airtel India, being one of them two months ago. Both on the consumer and enterprise side, the scale that a service provider can give is incomparable.

So, if one were to ask your recommendations on the three things CISOs should be looking at, what would those be?

Firstly, doing more with less. Secondly, embracing business through use of mobility, cloud, and analytics, while still being secure. GDPR will be the big thing for service-based organizations and anybody who is selling to US or Europe in that sense. In India there is a lot of discussion around privacy laws.

Lastly, in the next 6 to 12 months, CISOs will play an important role with defining that position in the company. I think increasingly, the CISO will have to work with the CIO a lot more closely than it becoming a power struggle between infrastructure teams and security teams as to who should control the decisions.