The Field Of Cybersecurity: In talks with a CISO


What does it take to become a Chief Information Security Officer (CISO)? What does the field of cybersecurity look like in a bird’s-eye view? We reach out to a CISO for answers to these questions and more.


About The CISO

Mr. Ayush Gupta is an industry expert with formidable expertise on everything cybersecurity - from research work on anonymity and privacy to working with various prominent organizations on their Security Policies, Procedures, Compliance, and Security Architectures. An IIITian hailing from Jaipur, India, Mr. Ayush is also a speaker on Cybersecurity and conducts seminars on Ethical Hacking. We’ve sent him a few questions and here are his responses.

1. What drew you to this field? Was this something you always wanted to do?

The story behind getting into information security started at a library. During my third year of B.Tech, I went to the library to find some books on network security. Eventually, I discovered a few on ethical hacking, cracking operating systems, etc. That’s how it started initially and later I completed a few certifications as well. Today I head the information security department of an Indian company and enjoy new challenges every day.


2. As a CISO, what does your day look like?

A CISO usually wears many hats. The major part of my roles and responsibilities can be divided into three sections. The first and most important task is to continuously assess risk and compliance. Depending on the vertical you are functioning in, you must be able to comply with different applicable standards. The second thing that I must talk about is vendor management, in which you have to be careful about intellectual property rights and related regulations. Thirdly, you have to keep an eye on the data point and ensure strict security control measures are in place. A single data breach can invite a huge penalty. That’s why you have to stay on top of things. In addition, you have to meet client expectations, including compliance with different regulations, e.g. ISO 27001, HIPAA, etc., and look at the ITGC audit as well.


3. In your experience, what’s the most common/fundamental problem faced by organizations and clients insofar as their cybersecurity is concerned?

One of the fundamental issues that companies face today is the lack of a reliable cybersecurity team and the right set of tools. The people who work behind the scenes are just as important as the tools. This is why most companies outsource the data security bit of their business. As an organization, you must ensure that your business data is in good hands.


4. For someone starting off in the field, what would your advice to them be?

The demand for cybersecurity professionals has been growing over the years. That’s why it is a good time to start if you are planning to build a career in network security or cybersecurity. Companies pay handsome salaries to professionals experienced in compliance management or even ethical hacking.


5. What is your go-to method to gauge the effectiveness of a cybersecurity strategy to address business risks?

The strategy is pretty simple. You need to have the right set of tools with which you can keep assessing the business applications and systems. Also, you need to track a few cybersecurity metrics, like compliance percentage, etc. This will help you to improve your performance. So with these frameworks in place, you are good to go.

6. How do organizations protect sensitive information handled and stored by third-party vendors?

The best practice, in this case, includes ensuring a strong due diligence process. While making the contract, companies usually include contractual obligations that consist of different clauses, e.g. confidentiality, privacy, and right to audit. Also, when you audit the assessment annually, you will get a fair idea of whether the vendor is practicing the latest information security practices or not.



7. Given the constantly evolving nature of cybersecurity, how do you suggest organizations and fellow CISOs stay current on the cyber threat landscape?

A CISO needs to be aware of the threat landscape with respect to his company. Usually, the best way to go about it is to keep an eye on different cybersecurity forums such as CIS Security, CIO Security, and so on. Also, you must have up-to-the-minute knowledge of different tools, databases, and vulnerabilities.


8. What does a CISO do to prevent a data breach, and what does he/she do in case a threat/breach is found?

CISOs are definitely responsible for any data breach that happens. But with continuous data point assessments, CISOs will be able to stay confident about the process deployed in keeping the data secure. Some breaches can be managed internally as well.


9. What are the consequences of a data breach or a cyber attack for an organization? What steps does a CISO take to contain the breach?

Any critical data breach involving client data will impact many things, including your reputation, stock prices, client and investor relations, etc. Most companies hire third-party experts in order to identify the issues after an attack happens. That is why it is crucial to have a SOC (Security Operations Center) cyber team in place.


10. With the ban on Chinese apps, do you think smartphones of Chinese brands with their software?

Recently the Indian Government banned 59 apps on grounds of data privacy and information security. But that probably has nothing to do with Chinese smartphones. As long as the smartphones and software by Chinese brands adhere to the regulations set by the Government of India, there shouldn’t be any problem.