Securing Tomorrow: Insights from Information Security Leaders

Speakers:
Raj Sargule – Global Head of Information Security at Christie’s
Sairam Vedam – Chief Marketing Officer at Cigniti


Sai: Thank you to everyone tuning in to yet another edition of Cigniti’s Digital Dialogues podcast series. As always, we take pride in hosting some of the best industry leaders, who always grace this platform, sharing a rich plethora of information and a treatise of insights that they bring in. Today, I’m excited to have Raj Sargule, who’s based in the US and is the Global Head of Information Security at Christie’s, with diverse expertise spanning 25 years. Raj has collaborated with leading MNCs such as Corliant, Walt Disney, Viacom, and SL Green Realty Corporation. Committed to advancing information security programs, he endeavors to align governance, risk, and compliance objectives through ongoing technology innovation, procedural refinement (that’s an interesting word for sure, which we will delve into deeply), and talent cultivation. Raj, thank you so much for joining us. Raj combines technical proficiency with immense business insight in developing security strategies and provides insightful guidance to leadership amid evolving risk landscapes. He’s deeply committed to fostering a culture of security within global organizations, ensuring resilience against emerging threats. With that background, as the host of this platform, I’m so happy to have Raj here. The endeavor of Cigniti, Raj, as you would appreciate, is to provide frictionless digital customer experiences for global companies. As you would appreciate, security becomes a key component of modern-day digital landscape initiatives, and we help our clients with that. We believe that in a world that has grown increasingly complex as the number of digital touchpoints increases in a connected enterprise, security has to be at the center of it, and it’s never an afterthought. So with that as a little context, this is Sairam Vedam, the Global Chief Marketing Officer. I’m thrilled to have you here.
Let’s dive deep into this, and I hope this conversation will be of true insight to our audience, as it always will be. Thank you for being here, Raj.

Raj: Thank you. First of all, with such an impressive introduction of myself, I’m curious to hear myself as a speaker. But thanks again for all the accolades. So from a security standpoint, I can start with my thoughts, or is there any specific line of thought?

Sai: Yeah, I think what we could do, for the sake of the audience, is if you could just give a little context of your role. What do you think is the emerging landscape of security that you see from your lens as an industry practitioner? What is it that you’ve been driving currently? That’ll be absolutely useful.

Raj: Sure. I’ve been with Christie’s for about seven years. I have about 25-plus years of experience in information security, right from the initial days when security was essentially just one firewall and anti-virus on the machines. So it’s been a long journey, quite a fulfilling one. Fortunately, I’ve been able to experience all the technologies as they came along, and they’re still coming today. Coming back to your question about the security landscape, what does it look like? It’s always evolving. It’s a journey. You have to be a part of that journey when it comes to security, just like in other areas. Challenges are always there. There are technologies coming in, businesses keep on evolving, threat actors keep on evolving. They also make use of, or misuse, technologies, and we just have to be at the forefront, if not going a step ahead of the threat actors, at least being in step with them. So it’s a constant journey. Happy to speak about the specifics as we go along.

Sai: Yeah. I love those two words, right? One, it’s evolving; it’s continuous, it’s constant. And I like the phrase that you used, the threat actors. I can recollect some of my own experiences of working on identity management on cloud and security, but in today’s landscape, I can tell you that it’s manifold more complex than what I’ve seen. So nice of you to be sharing this. Let’s probably talk about the role of the cloud and security. As an industry leader, how do you foster, in terms of culture, which I think is very important in a people-intensive industry, a culture of cyber security awareness and accountability within an organization? The employees have to be sensitized a lot, I believe, right? And they might not be familiar, probably they may not be aware, and sometimes they might be unintentional. And very few times they may be intentional. How do you promulgate this whole culture of cyber security inside an organization?

Raj: A few things. Number one, what I’ve seen is that there’s risk misperception. Everyone has a certain understanding of the risk, but depending on your role and depending on your experience, you may assign different levels of seriousness to that risk. Take developers, or let’s take business users: they may have a different perception of risk, because as part of their operations, whatever they like and their projects, they may assign it less risk. They may assume that it is less risky because it serves their purpose, right? As security practitioners, when we look at it from the outside, we may assign it a different level of risk. If you take legal, when they look at certain operations, they might find a different level of risk. So what I’ve noticed is that it’s important to have everyone on the same page when it comes to understanding the risks, because based on that, people will understand the actions that we take. So that’s one thing. The second thing is the fact that everyone is responsible for security. You know, we have technologies to protect against bad actors, but bad actors also go after humans because they know they are the weakest link in the chain. So there has to be an awareness that we are a part of the security; we are the first line of defense. So that’s another thing we need to be aware of. There was a recent report I read where it says close to 59% of the users are either unaware or claim that they are not responsible for security. That mindset has to change. Second, as I mentioned a few minutes earlier, security is a journey, because users might think once we have security in place, that’s it, we are done. No, that’s not the case, because controls today may become obsolete tomorrow; new threats keep on emerging.
So this journey has to be led by both the security teams as well as the users, and more importantly, together. Even though we are on different sides of the same fence when it comes to security, we have to walk this together if we have to protect from threat actors. I think these are some of the few things we try to push to our users to make them aware. And as you said, education is very important. In general, if users are aware of why we are doing it, they’re more receptive, as opposed to just pushing or being heavy-handed. And I think it’s a human tendency: if anyone approaches us with a proper explanation or a proper rationale on why we are doing it, I’ll be more willing to listen to what they’re saying, as opposed to just complying. So there’s another phrase I learned somewhere: we want our users to be committed, rather than just compliant. So that’s another thing. There are many ways.

Sai: I think that drives accountability, right? When they’re committed, naturally the ownership goes up, rather than if you just push it through, where the response may not be as favorable. That’s what I have always seen in any change management program.

Raj: It reminds me of one of the stats. This was many years ago. There was this debate about BYOD: should we allow users to bring their own devices and use one device for personal and work? What they found out is people are more committed to protecting devices that they use both for personal and work. Because, you know, some things are at stake. When it’s a work phone, they seem to be less committed; when it’s a personal phone, they’re more committed. Which means if they can use a personal phone for work purposes, they are bound to protect it more than the work phone. So I think we have to align their interests as well in terms of their commitment.

Sai: I think the last line that you just mentioned catches my attention: you’ve got to align their interests. That’s very key. In continuation to that, you’ve seen many waves of security practices evolve and technologies change. What sort of overall strategy would you apply, for a large employee base, to make them aware, educate them, and bring them up to speed about regulatory changes? How do you translate the practitioner knowledge that you carry, and then the organizational context, into actionable insights? Imagine an organizational pyramid; there could be many methods that you would be applying, right? And I’m a firm believer that it starts from the top, but it has to also percolate down. So share some experiences.

Raj: Definitely. We have different employee outreach programs where we use these channels to evangelize security. So number one, at Christie’s we have a global induction program. Any new joiner, every quarter, gets together and they get an overview of all the departments that are involved in the program, so we have a lot of information about the departments and all the business operations. Even I went through it when I joined. It’s a two-day program, but there’s also a session on information security, so we take that opportunity and we have sessions, and these are open sessions with the users. It’s a great opportunity because we get to ask questions, right? And it helps us to make them aware of the risks and the threats that are happening and what role they can play in addressing these risks. So that’s number one. The second thing is we have compliance training for end users when it comes to information security and data privacy. At Christie’s, and I’ve done this in my previous roles as well, we have a mailbox. It’s a channel of communication, and we have published this mailbox so users are aware: you can reach out to us at this mailbox for any security questions. If you come across anything suspicious, feel free to reach out. We will respond within 30 minutes or one hour. I’m telling you, over the past, I think, four or five years since we’ve had this, we’ve tracked the stats, and our user base is about 2,500 to 3,000. We’ve had almost 1,000 unique users reach out to us every year.

Sai: That’s more than half. Almost 2,000 of you.

Raj: That’s how we continue to have a dialogue with our end users when it comes to security. It has worked wonders. That’s another thing. We also have these newsletters every week where we disseminate any security awareness tips, whether it’s generative or whether it’s something news related, so users are aware of what’s happening within the industry and outside the industry. We have a lot of information about that as well. And then we also hold regular phishing campaigns just to, I should say, test, just to ensure that users stay aware and are diligent about security tips and security threats that are out there. It’s a combination of all these things.

Sai: Excellent. So you have a mailbox, you have a newsletter going, and that’s interesting. You also do some mock phishing campaigns to keep them all on their toes. Beautiful.

Raj: One last thing: at the leadership level, I hold information sessions (steering committee), and we hold regular meetings with the data privacy and legal team. We meet a lot with leadership to make them aware of the security risks, but at the same time, we also make ourselves aware of the regulatory changes. They share tips with us, and then we look at it and see if it applies to our environment and then if there are any actions that we need to take.

Sai: You basically translate a constant set of interactions that you have with experts, and then see what applies to your organization, and then put it back into their thoughts. That’s great. So in your opinion, what are the security threats that companies of today’s modern enterprise nature should be aware of in the current market? And hopefully, how can leaders effectively prepare to mitigate these? As they say, prevention is better than cure.

Raj: Good point. Slightly different. Yes, prevention is better than cure, but that motto has changed a bit. Because it’s not possible today to prevent any threat.

Sai: That’s a very pragmatic insight. I love that statement from you.

Raj: We can’t say that we are a hundred percent secure, right? Which means we cannot prevent every threat. I think the motto here is we have to be prepared. So if we can’t be a hundred percent secured, we have to be a hundred percent prepared for any event. I think what I’ve seen is ransomware, unsurprisingly, has been at the top for the last few years. And it’s evident because every other day in the news, you come across some organization getting hit with ransomware. In fact, I was on vacation last week, so I didn’t get a chance to read the news, but one of my peers told me that one of the major healthcare providers in the US got hit with ransomware and had to shell out, I think, $22 million. That’s huge. So coming back to my initial statement, you can’t prevent it. So what do you do? The best thing you can do is detect it and take action as quickly as possible, which means we have to make sure that we have the capabilities to discover and detect threats as they emerge in the environment and be able to quickly contain them and eradicate them. How do we put our efforts in order to do that? Well, first of all, we need to have a strong response plan, which means you need a strong incident response plan. It has to be well documented. Every stakeholder has to know their responsibilities, and it has to be tested. So it’s like rehearsing for the main event, hoping that you don’t get a chance to witness the main event, but just being prepared.

Sai: Yeah. I think the preparation is the key. That’s the major thing that I take away from what you just mentioned. Can you share a specific example where a cybersecurity incident has happened, your team has faced it, possibly in real time, and you’ve been in the middle of that whole thing, I’m sure, and led the recovery process? What are those key lessons that you think you can share with us? Because that would be of real interest.

Raj: Yes, we have had attempts. So we have not had any breaches. I want to keep it that way.

Sai: I like that.

Raj: But we have had attempts at our infrastructure. Absolutely. And yes, we’ve been successfully able to stop them. As I mentioned, what helped us was, fortunately, in the past few years, we reviewed our incident response plans. We made sure that they were thorough. We involved all the IR stakeholders, not just tech teams, but also privacy, legal, communication, press, executive management, as well as risk and compliance. We brought all these stakeholders together. We made sure they understood their responsibilities in case there was a breach. Because, as I said, time is of the essence here. And so, key lessons learned. Number one is how do you reduce time to detect? Because the sooner you detect and contain, it drastically reduces your downstream efforts. If we have only five servers that show indicators of compromise, it’s easier to remediate those as opposed to doing 15, 20, or 50. When I detect something in the environment, what it means is the threat actor is already in the environment.

Sai: True. It’s already penetrated.

Raj: Exactly. So now how do you contain that? That’s number one. The second is knowledge of TTPs. TTPs are tools, techniques, and procedures, which ransomware threat actors use. And in most cases, they do have a standard set of TTPs. To understand if there’s a ransomware threat, what are the tools and techniques they use? Because that will help you understand how to respond. For example, when a threat actor gets into the environment, they’ll try to stay persistent. They’ll try to hide and stay under the radar, right? So what are those techniques that they use to do so? And if you know what they are, you know exactly what to look for in a system to identify whether the system is compromised or not. That’s, I think, one of the other things I’ve seen. The last thing is having a well-established channel for communication. When things go wrong, I have to mobilize or collaborate with a larger team, and we’ve done this in the past where we had to reach out to almost 50 to 70 different stakeholders. Whether they are server teams, network teams, application teams, or operations, how do we effectively communicate with them when we have to address an incident? What I learned was Microsoft Teams did a great job for us. We had multiple channels depending on the audiences, and it proved extremely effective because we were able to communicate with a larger team. Having said that, I also know that it’s good to have an independent or out-of-band channel for communication in an IR scenario.

Sai: Yeah. Got it. That’s very relevant. I think, one, the ability to detect, the ability to respond, and most importantly, the ability to communicate and collaborate so that it just percolates, and then you can be safe. Very well articulated, I must say. We just touched upon the importance of communication, right? No matter how much we say, it continues to be important. Effective communication is essential, bridging the gap between your tech teams, senior leadership, and a whole bunch of stakeholders. Are there some best practices that you can share in terms of tailoring your messaging to the sensitivity and type of stakeholders? Because you can’t just let go of a message of the same sort to all, right? There’ll be maturity differences between various stakeholders. While you have had this tremendous amount of experience that you just mentioned, 50 to 70 stakeholders, I heard you talk about the press, I heard you talk about investors. How do you tailor this whole response messaging?

Raj: Before we get to that, I think one of the things I’ve noticed is essentially making the audience aware, right? As you correctly mentioned, depending on the level, depending on the audience, they may have different levels of maturity in terms of understanding what information security is or what the risks are. Number one, with regard to the senior leadership, raising awareness of the threat landscape. What is out there? What are the threat actors? What are the technologies at present that could be exploited by the bad actors? That’s one thing. The second thing is keeping them aware of what’s happening in the world. And the media today do a good job of publishing any news regarding cybersecurity. We see data breaches happening now and then. So I would say that the senior leadership is more or less aware, and they have started asking the right questions to security professionals. But this serves as a great platform because we have to keep on doing it so they become aware. In addition, we also have to let them know what our capabilities are in our environment. What tools do we use? Yes, it might get a bit technical, but if we keep on repeating the same message now and then, which we do on a monthly basis, they fully become aware of what tools we have, what technologies we have, and what our gaps are as well. Because the gaps essentially are the risks that the business has accepted. Today they may accept those risks, but tomorrow, if those gaps are going to get plugged and then they realize the risks have gone up, this is where it helps us to ask for investments in those areas where we want to plug the gaps. Same thing, an ongoing process. We have to make sure that we keep them apprised of what’s happening. One of the things I do with my CIO is every month or every quarter, we just provide a dashboard of the risks to the board. So they are aware, right? That is where we should be thinking about investing: where risks are going up and where they have gone down based on our past investments.

Sai: Well said. That’s a lot of insight. Well, I can’t stop myself now from touching on AI and ML. That’s the flavor of the day. But having said that, it’s an AI-first step. It’s the first scenario in many global business enterprises. Where do you foresee… I’m sure you’ve already been using a lot of AI and ML, whether in terms of your inspection technologies or the type of tech tools that you might be using. But in terms of the next five years, let’s say if we do a bit of crystal balling, where do you foresee technology evolving? And are there any specific apps or advancements you are probably experimenting with or might have already implemented, that you find promising with the amalgamation of AI and ML deep tech?

Raj: Honestly, it’s new for me as well. Just about a month ago, I attended a conference of security professionals, and they had the same question. And my observation was, it is still chaotic. Everyone has a different view of what AI does and what the risks are. But eventually, you get to a state where everyone is on the same page with regard to AI, its risks, and its users. I see the impact on a few fronts. Number one is the increased use of AI by business users. I’ve seen this in the environment where business users have begun to explore AI apps that are out there. This is a great sign, because if it’s going to make their businesses more efficient, that’s great. But there are risks as well. Because it’s unknown to us, as security professionals, and even the legal teams, there’s a tendency to not use it. Why? Because we are unaware at this point. We don’t know what it is. So if we don’t know what it is, we don’t want to allow its use. But that may be unwise, because we can’t stop users from using the latest technologies. They are smart today. They’ll find other means.

Sai: The more you prevent, the more they’ll find another way. Yeah.

Raj: Again, it comes back to awareness. But in terms of risks, if we don’t do that, users should be aware of the risks that they may expose themselves to if they use AI. It’s a great tool, but if you don’t use it properly, there’s a risk of exposing unwanted data. So that’s one impact I see. The second is threat actors. Nothing’s stopping the threat actors from using AI. And we have seen this. You may have heard about the latest news, I think three weeks ago, where a Hong Kong-based firm was duped for $25 million. What did the threat actors use in that case? Deepfakes.

Sai: Deepfakes. That’s the reason why my question was trying to get to deepfakes. Deepfakes are scary.

Raj: Yeah. So again, the legitimate use of AI in the environment by business users may lead to data exposure if not used correctly, as well as illegitimate use by threat actors. It’s impacting from both sides. And from a security standpoint, I think it’s the governance aspect. Because with AI, the tool, you don’t have to go hunt for data. The tool does it for you. Let’s say I’m using Copilot or Googlebot, and the finance team has a repository that’s exposed. Now all I have to do is just type in, hey, I’m just throwing an example, what is my CEO’s salary? And if the tool is doing its job, it’s going to get that data from the finance repository because it’s exposed. Without the tool, it would be extremely difficult for me to go find that repository and then see what the data is. But the tool makes it easier. In this case, it’s very important to have strong governance. Who has access? Where is all our data? And who has access to it? And should they be having access to that data? Yeah. Data governance is, in my opinion, extremely important in this case. And then there’s information security, and I’m exploring this as well. How do I make use of AI to better security operations? And there are many ways it could be done. Just like you run AI models on different data, you could also run AI models on security data and get meaningful insights. For example, show me the top five riskiest assets in my environment, and it’s going to list all the systems, or what systems are vulnerable to this type of attack. Hopefully, it will get that information with a proper AI model in place.

Sai: Wonderful. I think these are very relevant examples, to be very honest.

Raj: Thanks. It is an interesting field. It comes with opportunities as well as challenges. We just have to address both.

Sai: Excellent. See, just like we spoke about AI/ML and deep tech, I probably used this word called a connected enterprise at the beginning of my conversation. The proliferation of IoT devices: between us, as this session is happening, there are a bunch of devices and sensors in this room, I promise. So how do you live in a complex myriad of digital technologies, IoT devices, and a whole bunch of other things? And is there something, from your organization’s standpoint, in terms of maintaining access, authorization, and protocols that come in the way? Are there some insights and experiences that you can share from an IoT sort of a perspective? And security, of course.

Raj: Unfortunately, we don’t have IoTs in our environment. But I can speak to system interconnectedness. We have so many applications, cloud-based applications, and almost every app claims or provides the ability to interact with any other app. This is where I and my team have seen some challenges. Because what’s happening is, if we try to plug a hole in one channel, there are other channels. Just to give you an example: companies generally block e-mail forwarding due to data privacy reasons. But we recently found that there are other ways to do so even if we blocked one way to do so. We came across scenarios where they are getting auto-forwarded because Microsoft Power Apps has the ability to provide the features to the users, and users get smart; they started using Power Apps, and this started auto-forwarding. Again, this is unintentional, but it leads to potential exposure of data. Yeah, so these challenges are there where the applications provide the users the ability to share the data seamlessly, and we have to be aware of what those are, what those channels are. Unfortunately, at this point, the right technologies in place will help discover these vulnerabilities or these gaps so that they can be addressed. Coming back to my initial statement, it’s a journey that never ends.

Sai: Also, I would like to go back to the word that we used in the beginning, the word that is called unintentional. But still, it has happened. The Power Apps example you have given is very interesting. As a technology leader, you will have to strike this whole balance when it comes to prioritizing investments. There are certain investments that are foregone conclusions, where you probably get your budget approved, but you might want to invest looking ahead in terms of your preparation. How do you manage this, and with what sort of shareholders? How do you strike this whole thing so you manage the business objectives on one side, and also, as a technology and information security practitioner, your vision of creating a long-lasting security posture? How do you do that?

Raj: If you look at enterprise security, all the initiatives are driven by something. There are some initiatives that are driven by us; our job is to protect us from threat actors. But there are also initiatives that are driven by business. Data privacy can have some business objectives, for example they want to prevent data from going outside, or legal may have certain requirements, GDPR requirements. I mentioned keeping the senior leadership informed every month or every quarter. So through those interactions with them, we keep them aware of what’s coming up on the horizon. When the time comes to take action on any particular initiative and decide to make investments, the decision-makers are aware in that case of what risks we are trying to address. If those risks are acceptable, then we present the options correctly, and that’s when they make the investment decisions. If those risks are acceptable, then those investments or those proposals are paused until a future point where they will get. So that’s one of the things that I’ve noticed. More importantly, if we can tie our investments clearly to our business objective, where it helps mitigate our risk or reduce our risk, it becomes a bit easier to sell the concept.

Sai: Well, as we come towards the end of the conversation, it’s still very important for me to bring this up: it’s a remote-first, or it’s a hybrid, work environment all of us are living in. As a leader of information security at your current organization and an industry practitioner, what is your outlook in terms of managing the whole context in an emerging hybrid world, where you have to sensitize the whole data and information access and still maintain compliance in a distributed environment? With this sort of landscape, how do you foresee things, what are your current challenges and priorities, and what is your outlook on this?

Raj: I think the technologists are a bit mature today to facilitate remote working. I mean, you name it, and the technologies are aware and are available, and more importantly, they’re getting more and more mature, at least from a security standpoint. Now we have the concept of ZTNA, which essentially is: it doesn’t matter what device you use, where you’re coming from, what app you’re trying to access, you’ll get the same level of security. If you look at it from a remote working standpoint, it’s a great concept. But I’m gonna come back to the people, because security is about people, processes, and technologies. We can have strong processes, and we can bring stronger technologies, but our goal is to have people who are strong as well. So this is my view, and I think remote working is great, and we would still be able to maintain the same level of security if, number one, our users are kept educated and committed. At the end of the day, if they follow basic security hygiene, if they are diligent about the risks, and if our systems are patched today, then I think the bad actors are gonna have a hard time infiltrating those systems.

Sai: I think it was point precise, to be very honest. I must admit that this conversation has been the most insightful one that I have hosted. At Cigniti we have an initiative called “Digital ARMER”. It’s a collection of various best practices, postures, security assessments, technologies, tools, and frameworks that we put together, because we believe, just like you have outlined, it needs to be extremely sensitive, protective, proactive, and educative to make sure enterprises stay safe, secure, and compliant. In that regard, I could not ask for a better leader than you to have come on this platform. To be honest, you have been pragmatic, meticulous, detailed, and very insightful. Thanks for being so nice in sharing your rich insights. I look forward to continuing to host, and I’m sure our audience is going to love this conversation. Thank you, Raj.

Raj: Thank you.