Nov. 9, 2023

#253 Valmiki Mukherjee On Navigating Cyber Risks, The Impact of AI and the Role of CISOs


Welcoming Valmiki Mukherjee, the cybersecurity maestro, to the show! As Accolite's Chief Information Security Officer and the visionary founder of Cyber Future Foundation, Valmiki's two decades in the industry are a treasure trove of wisdom that he freely shares. Our conversation travels through his professional journey, conveying the multifaceted role of a CISO, the criticality of communication skills, and the rising prominence of this position in the tech world.

Strap in as we navigate the intricate realm of vendor security in cyber risk. Valmiki presents an illuminating perspective on the complex security challenges of technology vendors and the urgent issue of vendor consolidation. Our dialogue goes further, discussing risk management, the significance of cyber insurance, and the challenges of quantifying risk. We throw light on how cyber insurance can serve as a financial safety net for organizations, shielding them from the havoc a cyber attack could wreak.

Finally, we step into the ever-evolving world of cloud security and responsible AI. Valmiki brilliantly dissects the concept of shared responsibility in cloud security and the impact of AI on risk management and cybersecurity. He passionately advocates for responsible and secure AI, pointing to the efforts of the Cyber Future Foundation's SAFE project in this field. Offering pearls of wisdom for budding cybersecurity professionals and startup founders, Valmiki's insights on AI's potential to automate manual work and lower cyber threats are not to be missed. Tune in to this enlightening episode and embark on a fascinating journey through cybersecurity's many dimensions.

More about Valmiki:

Valmiki is a preeminent and globally renowned risk and cybersecurity executive leader with a distinguished career in developing, building, and leading the cybersecurity transformation journey for many businesses, public agencies, nations, and their civil societies around the world.

In his career as a cybersecurity professional and multifaceted leader, Valmiki has built global platforms for leadership and leveraged them to make a meaningful impact, collaborating with executive leaders from different domains to build and deliver comprehensive, outcome-oriented programs. He has turned his holistic cybersecurity thinking into action by sponsoring projects, programs, and initiatives both in his day job at EY and at his nonprofit, Cyber Future Foundation.

Valmiki is a proven leader and visionary with an exceptional ability to build long-term relationships with industry across sectors and with internal stakeholders, establishing a high level of confidence, credibility and trust in advising on and implementing solutions. In the industry and the cybersecurity community, Valmiki has established himself as an impactful business leader and market builder, with a keen understanding of business priorities and economic impacts. He has demonstrated expertise in rapidly enabling organizations with key strategy, policy, and technology risk management solutions.

Valmiki is a Certified Information Systems Security Professional (CISSP) and Certified in Risk and Information Systems Control (CRISC).

https://www.linkedin.com/in/valmikim

https://www.cyfrontier.com

https://cyberfuturefoundation.org

Transcript


0:00:01 - Mehmet
Hello and welcome back to a new episode of the CTO Show with Mehmet. Today I'm very pleased to have joining me from Texas, in the US, Valmiki. Valmiki, thank you very much for joining me today. The way I love to do it, I keep it to my guests to introduce themselves, so please, can you tell us a little bit about yourself?

0:00:17 - Valmiki
All right, good to be here, Mehmet. Thanks for having me. It's a pleasure. I'm looking forward to the conversation. A little bit about me.

I wear multiple hats. For this show, it's going to be the Chief Information Security Officer for Accolite, which is a global organization in engineering services. Some of the sharpest people that I work with and have worked with in the industry, and I get to work with them on a daily basis. So really excited about the work that we're doing here at Accolite and overall. I have about 20 years in cybersecurity, before it was called cybersecurity. I have worked previously with Deloitte, with Cognizant, with EY, so my entire career has been building up this industry with my colleagues and partners. This is a relatively pretty young industry when you compare it to the others, so it's been a fantastic ride, you know. In my other role, I serve as the Chairman and Founder of Cyber Future Foundation, where we connect cybersecurity leaders such as myself and my colleagues to the C-suite and business so that we can have an informed decision and businesses can make risk management in cybersecurity a core part of their work. So glad to be here.

0:01:46 - Mehmet
Great. Thank you very much, Valmiki, for this introduction, and I have to say, you know, like you said, because you are on the cybersecurity side and with all this ride that you had, it's not the most fun, you know, I would say, because people, when they think about cybersecurity, they think it's easy, they think it's something... Yeah, you know, like it's just like a couple of things, but it's one of the hardest things actually, one of the hardest jobs actually. So what attracted you to this field, Valmiki?

0:02:16 - Valmiki
Well, as I said, you know, first I acknowledge the fact that this is not an easy job and not for the faint-hearted. For sure you've got to have humor, but it looks like that also can land you in trouble. But in general, cybersecurity is a very challenging, very intellectually stimulating and, if you are rightly motivated, a very rewarding job, right? So I didn't actually plan to be in cyber, it just grew on me and I have grown into this industry. So, you know, I started off my career as an engineer way back with Infosys in the first days and then, you know, went on to work for Amdocs, which, you know, was before cybersecurity became hot in Israel, and now known for so many other challenges we are navigating through in that, you know, that area.

But I got trained under some of the best, you know, technologists and engineers and business leaders at Amdocs, followed by Deloitte. You know, got at the cutting edge, you know, bleeding-edge solutions. And Deloitte then worked with the organization that was deeply ingrained in, you know, identity security, infrastructure security, and then finally coming over to Cognizant. So I grew into this industry and, you know, there are only so many of us. It's great to have this small, tight-knit network. But it's very challenging when you don't have the support that you need to drive as you're growing in the career, and that's been a constant challenge. But I think, you know, personally speaking, I would not have chosen any other career, you know. I'm really glad that, you know, I've grown in this industry.

0:04:16 - Mehmet
Great. So you mentioned something interesting, Valmiki, about, you know, the challenges actually, and for someone like yourself who's now, you know, in the leadership role... and I speak a lot to CISOs here, locally, you know, and regionally and even globally, and I love to hear their perspective because, as we mentioned, you know, it's not like... it's a tough job because, of course, we're going to discuss all the, you know, challenges from a technology perspective, but also, you know, the challenges of delivering the message to the rest of the leadership team in an organization. So how did your experience with, you know, all these big names that you just mentioned help you in developing, you know, a way to communicate it to non-technical people, to business mainly, and what is, you know, if you can share that with us as well, a secret sauce, if you can call it this way, that makes the life of a CISO or anyone who's in a, you know, leadership role in cybersecurity easier when talking to the rest of the board?

0:05:27 - Valmiki
Yeah, you touched upon a very, very important thing that I think, you know, people have overlooked over a period of time, like for cyber specifically, as it's grown inside technology. Right, cyber came out of technology and then all of a sudden now we understand the implication of cyber across the board. You know, I have a first-principles-based approach where I think cybersecurity, currently the way it's been addressed and all, it's not necessarily a technology issue. It's an English language issue, probably. It's a language issue, right, and communication is key.

As an engineer myself, and I believe I have been all my life very much of an introvert, it took me a lot of internal coaxing to come out and talk. Talk about things first. You talk about things that you know very well and you are confident on, and that's primarily technology that we have been implementing. So I have had the good fortune to work with some of the best leaders. In fact, during my days at Amdocs, I was part of a skunk team that worked with the C-suite at Sprint and Nextel, and it was a very small team. I learned from the business how they talk, how they speak with you, how they speak to the market: the same message, but it exudes confidence and transparency and collaboration. So communication, as Mehmet mentioned, is incredibly important and I think that is the key pillar of all relationships, whether relationships with you and your technology teams or you as a leader with other leaders who are not in this space, who don't understand the jargon, the technological nuances.

So over the period of time I had great exposure and the opportunity to work with C-suite leaders from the get-go at Deloitte, at Cognizant, at EY, and in fact that is what led me to institute this Cyber Future Foundation, because I knew I was fortunate enough to have direct access to the C-suite through the companies I worked for.

But not necessarily all other technology leaders, especially the CISOs, have that exposure. They are called into a five-minute meeting and they are trying to put together a 40-page deck to present. And how can you distill what you know so deeply into the language and understanding of your business leaders, who may not need or may not know and need not have that deep understanding? They just need the crux of the issue and what impacts business, how it affects their decision-making, and that is the good fortune that I had personally, and I really wanted to share it out and give it out to my colleagues and those that are growing up in this field. So I believe what you raised is very important: that those that have access to leadership, those that have been coached by the best, need to give it forward in whichever way. It only makes the CISO's job better.

0:08:36 - Mehmet
Yeah, great point actually, Valmiki, and this is what I'm trying now to tell anyone, and especially people in tech, because, you know, this show and, you know, my work outside of the podcast is to talk to technology leaders and to talk even to, you know, entrepreneurs, and I tell them rule number one: you know, more than... of course, you need to know the technology in and out, especially if you are a CTO, a CISO or whatever, but learn the soft... I don't like the word soft skill, I like to call it essential skill, right? So it's not a soft skill. Yeah, so mainly, you know, how to be able to communicate, how to get out of the stereotype of being an introvert, because I thought I was an introvert myself for years and then I discovered I'm not. So, but nevertheless, now I know that you focus... when I was preparing, you know, for today, you focus a lot in your work around risk management and, of course, like one of the main tasks of any cybersecurity leader is to think about the risk management.

Now, what I'm, you know, a little bit curious about, and this is something that comes up very often, especially across other CISOs and even when I talk to vendors as well, is when we talk risk, right? So, and you need to go to the business, like how it's essential to quantify this risk in order, you know, so the board can take action, because, you know, especially when you need to do an investment, for example, there's a lot of times when, you know, the ROI, let's say, is very obvious, right? So, we invest this amount and we get this. But when it comes to risk, what is the best way to communicate, again, this to the board?

0:10:24 - Valmiki
Well, very loaded question, Mehmet. I'll break it down as far as I understand, right.

So, you know, first things first. I'm glad that you mentioned the risk part. Right, I think cybersecurity is a risk management function. It's actually, you know, most of the programs that I have developed in my capacity at, you know, previous to Accolite, have been those, you know, cyber risk management programs as part of enterprise risk management programs, because then, you know, it's threaded into the bigger narrative. It is part of the business, it's part of the C-suite understanding, and you are able to actually convey not the technology vulnerabilities but what it actually means for the business. Right, so you are able to qualitatively describe risk in a way that business understands.

Now, cyber is a very, very dynamic environment, right? Things are changing every day. By the time you are done patching one thing, you know, you have another vulnerability arise. By the time you have trained your people on a certain, you know, threat vector, whether it's phishing or, you know, now we have QR phishing; like phishing, it's really phishing, very dangerous. You know, you have trained people on one vector, something else comes up. By the time you have refined and tuned your processes to deliver and manage a certain risk, another comes up. So I think, you know, quantitatively putting cyber together in dollars and cents and quantitatively putting this in a gauge is extremely hard, and that is why there are certain experts who specifically work in the quantitative risk, in a risk quantification area. It's a very well-defined space now and maturing. The way we look at cybersecurity as a risk imperative is by identifying what are the key risk areas, key risk indicators, what are the leading risk, you know, leading indicators and what are the lagging indicators. Tie that to key performance indicators for cyber in terms of managing the threats and vulnerabilities, you know, in the mean time to detection, response, you know, and, you know, resolution, response. There are very key areas. And then, in terms of response and resilience, we can talk in terms of how can you recover and what's your recovery time objective type, back to the technology, you know, underpinnings that are there. So now we are able to break down the different components of cyber, especially those that can be quantified, and then have a quantitative risk analysis, right.

So I don't know if you have worked with or have been exposed to, or your viewers may know, probably the FAIR Institute. I was actually speaking at the FAIR Institute's annual meeting a week or so back and they are... If you haven't explored, please, I highly encourage you to go look at the FAIR Institute and their quantitative risk methodology. It is probably one of the most widely adopted now in the industry. It's not there where it's, you know...

The interesting thing is I was on a panel which was like the, you know, the aspirations or ambitions of quantitative risk, which is very forward-looking. I love to dream about the future, because if you cannot dream, you cannot dare. If you cannot dare, you cannot do, right? So in terms of quantifying risk, I think we are kind of getting there.

If you think about qualifying risk, I think we have a certain impact already made in the business. So business understands qualitatively what the risk areas are, but I definitely appreciate bringing up the quantitative piece of it, which I think absolutely has to be taken forward. Yeah, and, you know, cyber insurance, for example. Another area we'll probably touch on is that, you know, when cyber insurance offerings started a few years back, they didn't even know what they were going for, right? I mean, they signed cyber insurance, you know, underwritings, and then they paid 100 percent of the claims, and then slowly that is morphing into a little bit more mature part, and nobody can afford to take that quantitative risk from an insurance industry to pay up for every breach that's happening, right? So I think we are marching forward in multiple directions, which is definitely very, very encouraging.

0:14:46 - Mehmet
Great. Now you mentioned something which... you answered the question that I prepared, but which is fine. So about, you know, having the risk part of the enterprise risk. This is very important.

Now I am trying to understand, or let me rephrase it, I'm trying to see if, really, because some people claim, okay, we talk about cyber risk, so cyber risk is also coming from IT, right? So, because we are buying systems and, you know, these systems, whether they are in the cloud or whether they are on premise, whatever, so they are managed mainly by IT operations, like by the IT team, right? Now, so we have the CISO, we have, you know, probably the risk people who are in the enterprise, and we have the CIO, right? So do you see, you know, the CISO role overtaking what the CIO is doing, or do you see, like, still, it's two different things, because this is focusing on one part and the other, the CIO, focusing on, maybe, the operations part of it, but, at the end of the day, because, you know, like, everyone should go and report to the board, right? So, from a responsibility perspective, and I mean from a coordination perspective, how do you see this, you know, shaping in the future, because you talked about the future as well?

0:16:16 - Valmiki
I absolutely love this question. Okay, you're actually hitting on many of these areas that I have kind of worked on for almost a decade now. This particular organizational structure is very close to me. This is an area that I have spent years on, several panels and discussions and private discussions with my clients, colleagues and friends. You know, I think, organizationally speaking, the role of a chief information security officer or a chief security officer or any such role that is clearly defined as the responsible authority for cybersecurity has come into prominence now. In fact, you know, one of my good friends, Tim Brown, just got personally, you know, sued by the SEC yesterday for, you know, his role in the company, and previously Joe Sullivan at Uber and all other folks that we have worked with for several years. This role is just coming into prominence. It's not really well defined. It doesn't have the authority and the budget and the teeth that it requires to actually remediate the issues that they find out. You know, I shared this with one of my friends yesterday when I got the Tim Brown news, that if every CISO started blowing the whistle, the cacophony is going to, you know, make the world deaf, because we are sitting on a pile of technological vulnerabilities that cannot be easily ripped and replaced, and we are building, faster every day, newer technologies that are adding new threat dimensions, new threat vectors and new exposures to cyber threat.

That has not been, you know, managed previously at that scale. So one thing is we have to protect the past, but we also, you know, we have to defend the past, we have to protect the future, right? I think this is a beautiful quote that one of our leaders at CISA in the USA had initially mentioned, and I think that becomes a key, that should become a key principle on which the CISO's role, whether they report to the CIO or directly report to the board, you know, shapes up. It is not definite yet. For the last 10 years I have asked this same question and I don't think I've got a clear answer, and all of us have at this point... wow, this is very deep.

0:18:52 - Mehmet
I would say, Valmiki, because many times in a previous life, let me call it this way, I used to go to the security team and I'm saying, look, I have something that, yes, it is with your other colleagues, but I think, you know, you should listen to me. And then the answer was like, hey, look, we understand what you are saying. We can see from which angle you're trying to approach us. But, you know, we don't own these systems and our role is just like... they put it like we are consultants, we cannot enforce, right, so we just give guidelines, we cannot enforce things. And, you know, this immediately popped something in my head. Okay, fine, so...

So why then, you know, everyone, if, let's say, there's a ransomware attack, which is now very widespread, yeah, the first people to go blame, and I'm not saying it's to blame, you know, the other guys, of course, but I mean the first ones to blame are the cybersecurity guys. Hey, you didn't do the right job. While, you know, maybe, as you said, like it's a vulnerability or a patch that no one has done. Maybe people raised, you know, the flag multiple times. Hey, guys, like, you know, there's an issue here. You need to close this. Yeah, so I can understand this.

I don't know where the things are going, but I believe, you know, I'm not a big fan of splitting things like... I believe, you know, like there should be an authority for cybersecurity because, you know, with all that we are seeing with the data and how important it is, so someone should have the authority at least to be a peer to the CIO. And, you know, like, maybe, you know, when you have this very famous, like you have two-factor authentication to do something, so maybe it should have two approval levels when something needs a decision to be taken about... You know, I'm just... Yeah, you're very right, right.

0:20:55 - Valmiki
So, in terms of the relationship, I think for the most part CISOs have reported to CIOs, right? It was under IT, under information technology, but I think there is a level of, you know, conflict of interest there, because you are asking someone who's reporting to you to protect and to verify and validate all of that that you are building, right? So I think there is a natural understanding now evolving that these two roles need to be separated out and these two roles should report to the same level. So, whether, you know, the success of a CISO, I believe, has for a long time depended on the kind of boss that they had, right, but I think it's getting slowly more defined. I have had very successful CISOs under CIOs, you know. I mean, with all due respect, I think there are very, very forward-looking CIOs who have actually established cyber programs, brought in new CISOs and established that and given them the authority to work, and I think that's growing. However, you know, interestingly, we are also tracking a trend that most of the CISOs have now become CIOs, right? So it is very interesting. I have Byron Davis and, but, you know, quite a few of our friends and colleagues who were CISOs and now they have become CIOs themselves, and they are responsible for not only building the systems but also managing them, which I think is another way to look at it.

You cannot be both, right? You can... These are two distinct roles. One is for developing information systems and the other is for protecting information systems. Like, these are two distinct roles and should go.

Another area that I have seen, you know, some of my friends do really well is, you know, working under the general counsel. There are CISOs who have reported to CFOs, which has not really gone very well because, you know, the motivations and incentives for finance are not the same as for security. It's a very different function. But I have seen, when CISOs have reported to general counsel, they have been very successful, but the organization is not structured to fund the CISOs because general counsels have a different line of operation and budget, right.

So I think that model... So we are going through a very, very transient space, I think, transforming this industry into having the right direction for the CISOs. But the more I think about it, I think CISOs need to be reporting directly to the chief executive and to the board, and in fact I will point you to some of the interviews that I have done with my colleagues, and probably you can share some of that. But eventually I think this transformation will lead to having the CISOs report to the chief executive, then to, you know, one of the other C-suite peers.

0:23:41 - Mehmet
Yeah, makes complete sense here. Now again into the area of risk. Right, so can we say, because also you have worked with the big names and I know, like, whether it's Cognizant and EY, sorry, and all these big names. So you have seen multiple verticals, I would say. So do you think, like, things differ from one vertical to another when it comes to risk? Or are there, like, some specific verticals, let's say maybe oil and gas, or maybe, you know, defense, where, you know, the concept of risk is completely different than in other places?

0:24:20 - Valmiki
Absolutely so. Yes, indeed, you know, I had the good fortune to actually, you know, my past job at EY was building up cybersecurity programs for verticals, so I have spent time previously in healthcare and finance, which is... so finance, of course, is the most mature in terms of cybersecurity. There's a lot of investment just because of the compliance and regulatory regime that they have to, you know, operate under. And then there's, you know, an actual understanding of the risk, especially cyber risk, as it pertains to the business risk. Healthcare took rightly after, I think you remember when HIPAA came up and, you know, all the other, the combination of HIPAA with Gramm-Leach-Bliley, the GLB Act, and then SOX for public credit companies, and all of these, and then GDPR in terms of privacy and all of the privacy regimes. So it has matured. When I moved from those and I came to EY, I started building the technology, media and telecom practice. There I saw that, you know, technology companies and industries, they are the ones who are selling cybersecurity technology, but they are the most vulnerable. Okay, first thing we have to admit, and it has not improved. It has only, you know, it has only concluded more because there are so many of them now, right? Then media and telecom, I think in a different sense, media actually got a wake-up call when the Sony incident happened, right? The entire Sony incident was a big incident for the entire media... And then telecom, I think, has been technologically very mature, but in terms of security and managing that risk has evolved over time. You know, definitely a long way to go.

Then I moved to automotive, right? You know, that was my second year at EY. I was building up a vehicle security organization, and I've been part of the automotive industry for a long time. It's part of the cyber task force at... it's a... which, you know, manages broad systems, including emergency management systems. So there are different threats and severe vulnerabilities that are there, that have started to get resolved.

And now moving forward, all the vehicles are connected, whether you agree or not, right, whether it's an electric vehicle or not. People think only Teslas and these are connected, right? Every vehicle is connected in one way or the other and there's exposure. So I have seen a growing sense of urgency in that.

Then, subsequently, I served my last two years at EY as the global chair for our oil and gas, energy security business and critical infrastructure. So I've seen this space very closely and I think that is where my biggest fear is, that because we are sitting on so much legacy that, you know, this decade is the decade of finding out, of discovery, how much exposure we have and then, on top of it, building out and restructuring, transforming some of those. So I have worked with pretty much every big name that you can think of, or even the mid-market suppliers in oil and gas, and especially oil and gas, and then broadly in the energy sector. I think there is a long way to go in this industry for us, and then they're all different, they're all maturing, evolving and progressing towards the right direction.

0:27:34 - Mehmet
Yeah, you mentioned something about vendors, and a couple of episodes back my friend Richard Hollis, like, he was with me on the show and, you know, the whole episode was about how vendors failed, you know, all these years, because actually everything, you know, it's coming because of some vulnerability every day. We, of course, like we cannot secure anything 100%, but, you know, his point was, like, for 30-plus years or so, you know, like still, for example, we have flaws in routers, which, he said, to his point, that should not happen anymore because we have enough experience in the protocols and, you know, all this. Anyway, but, you know, to your point, and this is why I wanted to ask you, how much, you know... Maybe it's a little bit weird question, I know, but from your experience, because you mentioned the vendors, how much do the vendors, in the way they position themselves, sometimes actually cause damage when it comes to cybersecurity in general and to risk in specific?

0:28:46 - Valmiki
Well, I have a very clear view about this. It's not... you know, it might be controversial, but I think technology is actually, you know, when it comes to technology vendors, especially startups, and I am very much closely associated with startups myself, I think it's something that the vendors should think about security more deeply and care about more deeply than they project in the industry. Okay, and the reason being that, typically, you know, if you think of the cybersecurity industry, especially those which are claiming to protect and defend, you know, the infrastructure or the processes, they want... they need to be, you know, just working in the VC arms and all, I am so... they need, they want to be good at one thing very, very sharply, like one thing very sharply they want to be good at, right? That's their unique proposition, but they are building... their business, their infrastructure itself is probably not built secure, right, and that's what you're seeing now.

The implications that we're seeing now are that we have pushed security, security brands and security vendors along with the broader technology landscape, but they themselves are not that secure, because they are good at securing others using their products, but they are part of the supply chain, and I think that is one area that I'm personally very much, you know, passionate about and focusing on: the security of the supply chain, the security of the supply chain of these vendors, be it a people vendor or be it a technology vendor. I think both ways there is a lot of progress that is required, because, you know, they don't really understand the security implications that they have as an organization to organization, right, and this has to be resolved. We cannot pass the buck anymore.

0:30:36 - Mehmet
Yeah, I think, you know, what's happening in this case is they are looking in from a very narrow window at the thing, so not seeing the whole picture, as they say. You know, I'm lucky enough because I was sitting on the client side back in the days, you know, and you have to see it from a very holistic approach, right? It's not like just one area.

Yeah, and you know, I asked some of my CISO friends. I said, guys, like, how do you manage all these aspects? Because, you know, cybersecurity became very fragmented and, you know, you have a lot of point solutions out there. And then I asked them, how does your team manage all this? And they say, you know what, we have to manage hundreds of agents, for example. Right, but do you think there will be a time, maybe in the very near future, where we will start to see some consolidation in the cyberspace? 

I mean, you know, instead of having, just not to mention specifically these technologies, but I mean we talk about EDRs, we talk about, you know, and the arts, we talk about this, that, SIEM, all this. And now, you know, people are very overwhelmed with all these terms, jargons, technologies, and, you know, we hear about it and I want to hear your opinion. And I know I say love that question a little bit, but it's causing, you know, first, CISOs are not staying long in their position because they become very overwhelmed. Yeah, shortage, shortage in the skills, you know, and even people who work in cybersecurity, they say, you know what, this is very stressful, I cannot manage it anymore. So what are you seeing from that perspective for me? 

0:32:18 - Valmiki
Yeah, see, this is another area that, you know, personally, I've been pushing for a long time in terms of, you know, securing the innovation supply chain is what I would call it, right. So large organizations, as much as I'm not a big fan of big boxes, but large organizations give a sense of, you know, maturity in some process in terms of expectation, but they are not very well known for innovation. So innovation has to start with startups, right, there has to be point solutions. However, I think consolidation is imminent. It's already happening. We are seeing a number of, I mean, even something like, you know, Cisco acquiring Splunk. Right, there is going to be consolidation. Palo Alto just acquired another company yesterday, you know, Dig Security, right. So I think DSP and all that, these considerations are now the call of the security business, right, and that will make the CISO's job at least a little bit more predictable in terms of operations, technology operations, right. See, I have worked pretty much across the board of the Fortune 500 and Global thousand, right, in various capacities. I've actually taken on CISO roles while the companies were hunting for CISOs and I've seen on a first-person basis the challenges that they have to deal with when putting programs together and executing those programs. The challenges that, you know, you have a technology company that is providing a certain service. They got acquired by someone that completely changes the game, right, both financially as well as operationally. The team's gone, the technology innovation is gone. 

I think innovation has to be protected. The innovation supply chain has to be protected as much as the software supply chain has to be protected, and these two together will improve only when the consolidation in the market happens at the right places, and I think that's happening. See, a lot of the cybersecurity companies have gone through an IPO. So public markets are driving both financial outcomes as well as the business outcomes for them, right. What is the best value that these companies, you know, whether it's, you know, Palo Alto or CrowdStrike right now, and Cisco and then several others, are providing to the market? 

And I think the market will drive it because there is more and more awareness in the market about the cybersecurity issues. There is more awareness of, there is also more interest in the market as to what are solving those issues, right. So those two hand in hand, I think, will aid the CISOs as much as we have seen the cyber threats evolve. I think the CISOs are getting to see, I mean, it's just starting. I think it's very early to say where the consolidation will land. But I hope, again, as futurists and optimists we have to have hope that this will only grow better. 

0:35:07 - Mehmet
Yeah, hopefully. I hope so too, because at the end of the day, you know, all our lives now are digital and we need something, you know, that we can really rely on, not only in marketing terms, and no one misunderstand me, I work in sales as well, but I have a technology background. So when I say we need something that can really protect us, you know, this is something very crucial. Now, you mentioned a couple of times programs and education, Valmiki. Now, what makes a good security program and how to pass this through education to the end users? 

0:35:48 - Valmiki
That's probably one of the most loaded questions because, you know, I'll give you the consultant answer, which is the next right, because I think cybersecurity programs need to be built on frameworks, which I believe we have made significant advances on. See, I'm a big proponent of the NIST Cybersecurity Framework because it breaks it down to, you know, an English language problem: identify. You know, you identify, detect, protect, respond, recover. Now, in version two, you have govern and you have privacy, right. So these are the things business can relate to and you can, you know, both communicate upwards as well as, you know, communicate downwards and build programs. So I think choosing a framework that's right for you, something as fundamental as NIST CSF, would help you start the program well. Then you have to assess your business as to which sector you are in, which region you operate in, what are the rules and regulations you have to be, you know, what compliance regimes you have, what kind of policies and procedures will make sure that business is protected and we manage the risk, right. That's the next level, identifying and making sure that the program is structured in a way that is tuned to the business, right. This is the second step. The third step is identifying the strategy and having a clear roadmap as to what you're gonna make investments in. Even if you're given an infinite amount of dollars or, you know, budget or resource, you're still not gonna be able to protect 100%, right? So we all know that, and knowing that, you should be able to prioritize, you know, consult with your business peers and your other C-suite peers and identify where would be the best protection. What are your crown jewels? What do you need to start off with? You know, in many areas that I've walked into, even the largest organizations, they don't even know where the crown jewels are, excuse me. So we have to look at that. 
And then investment in people, process and technology right, fundamentally, understanding the business processes and protecting that process actually helps you to repeat things faster and then you can automate them. 

Sometimes you have to. You know, lead with your, you know, with inquisitive and people who are motivated by cybersecurity principles to get into the industry. But also, you know, stay in the industry. It's a game of stamina, honestly, in cybersecurity. I know many of my friends I speak with are at the end of their patience for that particular job. But you go, change another job. It's just gonna be another place, another place. You're getting paycheck from right, but I think the investment in talent is incredibly, you know, a necessity that we are overlooking, and you have to invest in talent early. So just don't be driven by technology, because technology will put you in a silo that you cannot dig yourself out. But work with a first principles-based foundation, with a framework, with the processes that the business needs, and then build your program on top of it. 

0:38:49 - Mehmet
Great, and, you know, like, I love, you know, also myself, because sometimes, to relate, when I talk to non-technical friends and, by the way, most of them they are into startups, right, so, and I need to explain to them why cybersecurity is important, even in the early phase of a company, you know, before even you become big, and I always take from the NIST frameworks just a few sentences that you mentioned, and it makes my life so easy, you know, because I don't have to explain in very technical terms why cybersecurity is important in the first place, like prepare, you know, and then recover and all this, very easily. 

Yeah, exactly so anyone, even from non-technical background, they can understand this and they can relate, as you said, to business. Now we talked about insurance briefly, but I want to come back to the cyber insurance. 

0:39:44 - Valmiki
For sure. 

0:39:47 - Mehmet
Sometimes I see news and I get myself mad. You know, I don't believe, you know, like about the amounts, you know, and later what happens, you know, when an incident happens, how, you know, the relation becomes between the insurance company or the cyber insurance provider and the customer. From, you know, all the experience that you have and all, you know, the experience that you gathered, what is your opinion in general about cyber insurance and do you see it like really something that's going to stay in the future? 

0:40:26 - Valmiki
Yes, I believe so. You know, since we talked about risk, right, managing risk includes several ways of breaking it down, right. Some risks, you know, you manage risk, but you transfer, you mitigate in a way. Then, you know, you can do some risk transferring and I think that's where the insurance comes into play, right. And then many times you have to kind of accept the risk, right. So on one end you can accept the risk, on the other end you can mitigate the risk, and the other end, you know, at the extreme end, you can transfer the risk. 

So I think, in terms of risk transference, this is an essential tool for business. I mean, you cannot protect this organization or any organization 100% of the time, so there are certain risks that you have to take and new threats and vulnerabilities are going to emerge. And when that happens, when you have done your not only basic hygiene but also have a plan to address the increasing maturity that you need, I think that there has to be a fallback on, and I think cyber insurance is extremely essential for that. It is a very essential tool for business, especially for the CISO who's managing risk overall for cyber right. However, quantifying the risk, as we touched upon earlier, is very hard, right. 

So how much dollars and cents? I think that again goes back to the financial principles. Sometimes a simple ransomware attack can take down an entire business, so, you know. So, if you have a $10 million cyber insurance for a 500 million dollar business, it's not going to be enough, it's not going to be adequate, right? You might just fold, and that has happened, especially for the small and medium businesses that I work with, and that's one key reason why I am out of the big Fortune 500 and before coming and working in the mid-market space with companies like Accolite, because I personally believe, you know, spending time in the industry, that this is an area where we can have very quick uplifts with certain protections, including tools like cyber insurance, that you can fall back on but can make quick progress on the maturity side, right. So I think it's an essential tool. This is still evolving and it evolved very, you know, towards the benefit of the industry, and it will be an essential tool for the CISO. 

0:42:40 - Mehmet
I agree with you. Like, it's like the last throw, right, like you have to recover, financially, I would say. But I've heard the stories and I've seen a lot of articles where, you know, the cyber insurance companies start, you know, to challenge their own customers around, you know, and maybe back to the discussion of the CISO and the CIO, and, you know, like who patched, who didn't patch, who did what. So it becomes like a little bit, you know, kind of, you know, move back and forward between the insurance company and the customer until they can settle. And most probably some people ask me, sometimes I say, like, see, like this is the business of any insurance company. 

In general, like you know, they try not to pay your money, right, so, but when it comes to business it's very much different. It's not like, you know, god forbid, you did the cast car accident and then you know, okay, you can buy a new car, but in case of business, you might lose the whole business and you know, something cannot be compromised on. Now, this is, this is MC. But again, if you want to add something on this, yeah, no, I see I understand the viewpoint. 

0:43:52 - Valmiki
However, I think it's a tool that's worth paying for and working with the insurance industry to make progress with. If we take this tool out of the toolkit, then the financial backfield that we need to have, see, cyber insurance pays for the protection of the system as well. 

0:44:13 - Mehmet
Right, so I think it's an interesting thing to have, so, no, definitely, definitely, because, you know, to your point, and just, you know, like I like to make the point and the counterpoint as well. I remember I read an article about a hosting provider. I think they were in the East Coast, somewhere in the US, I can't remember exactly where, but this is like maybe five or six years back. So they were hit by a ransomware attack. Everything was wiped, they didn't even have some backups, everything was lost, you know. And, you know, they had to go to the public and say, guys, we lost the business, like we have nothing. You know, and if maybe there was some cyber insurance, maybe they could have at least rebuilt the business from scratch. 

I know that it's gonna take time to remove all the consequences like reputation damage and, you know, all these factors. But yeah, to your point. Yes, it is a tool, at least financially, to support the organization in hard times, because I think when any organization lives through a cyber attack, whatever the nature of this attack is, it's a catastrophe from a financial perspective. Right. Now you touched, you know, a little bit on the future and again, we'll stay in this futuristic place. In the past few years, you know, everyone was moving to the cloud and, you know, the hope was, you know, the cloud was gonna solve all the problems, both from an infrastructure perspective, from an application development perspective and from a security perspective. But people, they didn't figure out that still, you have to manage your own security, even if you shift to the cloud. 

0:45:56 - Valmiki
Yeah. 

0:45:59 - Mehmet
Now, what advice, you know, would you give, you know, to organizations, because still, I know a lot of them, they are still in this journey, so what can they focus on moving forward when they start to shift to the cloud? 

0:46:13 - Valmiki
Yeah, sort of. You know, cloud security is a very core part of my, you know, my past, so to speak, and current and future. So, as one of the founding members of Cloud Security Alliance, which I think is a fantastic organization, I'd love for you to check out their virtual in every country. Dubai has a, UAE also has a chapter. Check them out. They're really cool and this journey is not new. 

This question that you have asked is not new. This is the question on which the CSA was built, and you know there's a model called shared responsibility model, which is very much adopted in the cloud security business, which is basically that the cloud infrastructure provider has responsibility for certain areas, both in terms of the functionality as well as front of security. Then, when it goes to platform as a service, there are different level of security. When it comes to software as a service, different level of security or different level of responsibility. I think that is how the business, as well as technology leaders, should think about in terms of shared responsibility. 

Not everything is on the cloud provider. Nor do you transfer the entire risk when you move to cloud, so you have to manage it based on what are you buying? Are you buying an AWS EC2 instance or Azure VM, or are you buying a Redshift product from AWS? Are you buying Salesforce, which is probably the early cloud, as a CRM, as a service? So, depending on what you are procuring, it places a certain amount of responsibility on you and you share that with the provider. 

0:47:59 - Mehmet
Right. Of course they need to do the proper risk posture management, I believe, based on what exactly they are utilizing from the cloud. 

0:48:07 - Valmiki
For sure. 

0:48:09 - Mehmet
Now, in the past months, we all started to talk about AI and how it's going to affect everything. Now I'm interested to hear your opinion, especially again on the risk management perspective and cybersecurity in general. What are you seeing in the market now and where we could be heading? 

0:48:35 - Valmiki
Well, now that has become the bane of my existence, I think, in terms of building responsible and secure AI, which, in my current capacity at Accolite, I'm personally responsible for the security, privacy and legal, along with my technology and my legal counsel colleagues. We have a SWAT team that addresses that. That in fact led to development of what is now probably the world's largest private sector initiative in responsible and secure AI for the future. So I welcome you, and you and your audience, to check out the Cyber Future Foundation's SAFE project. So what we're doing at our SAFE project is making sure that people don't build responsible and secure AI in their silos. I had two options. I could have just coupled together some technology controls and said, okay, business, here is my technology control and this is what we implement here at Accolite, but what we chose as leaders. That's why I work with some phenomenal leaders here at Accolite: Chris Trahan, our CTO, Nithya Ola, who's the president of our AI business, and Stephen Papera Manoj. All of these leaders, they understand that it's better for us to lend it to a public initiative, led by the industry. 

Of the government. Now NIST also introduced, the White House also introduced the AI imperative, the executive order yesterday, and I think collectively, this is much bigger than what we have seen in IT, in cloud. AI is much broader, it has much broader societal implication. So it's not just the security of AI, it's not just securing AI, but also building AI in a more responsible, ethical, trusted manner, and that's where I believe that we have to work together as leaders of the industry as well as leaders of the society, to build a more trusted AI and more responsible AI. We have to secure the data, we have to secure the provenance, we have to secure every aspect of it so that we can put more trust into the AI. There is no walking away from or shying away from AI today. 

0:50:59 - Mehmet
Will it help us in reducing the cyber threats? Do you think? 

0:51:04 - Valmiki
I think it will aid us in managing cyber threat. These AI technologies and tools are available to the cyber, the industry, so to speak, as much as it is to us. So I think we have to put our creative talent into making sure that we use AI's immense power and prowess and stay ahead of the curve. 

0:51:30 - Mehmet
Yeah, hopefully it will, as you said, at least automate some of the manual work that today, yeah, security analysts have to do, or incident response teams have to do, probably. So the hope is that at least it will remove a little bit the pressure and the overwhelming feelings that usually they have, I think, the grunt work. 

0:51:54 - Valmiki
I think a human is required in every loop and humans should stay ahead of AI for good measure, as long as you can as a human race. When pollution takes over, the technions come out and the rewards take over the world. But still, I think we can use AI to do a really immense amount of good in the world. 

0:52:15 - Mehmet
Yeah, now, as we are almost coming to the end, Valmiki. So any advice you would offer to aspiring cybersecurity professionals looking to make their first jump in the field? Or maybe, because you mentioned startups and, by the way, I cover a lot about startups, anything you would advise to founders in the cybersecurity domain? 

0:52:41 - Valmiki
Oh well, that's you know. You could have another podcast on this one. 

I work in the cyber building space and have been in this space for a long time, to realize that leaders cannot. Leaders can aspire and have, you know, but they have to inspire more than they can aspire. Okay, and what do you, if you are? You know, I'll break it down. One is if you're a founder at a startup, which, you know, personally I've gone through the journey, you have to think about where this aids in the bigger picture, right? You cannot just solve one problem and create more problems. You'll actually end up creating more problems. So think about the bigger picture. Try to understand the needs of the specific client you are trying to address. Right, and work with them hand in hand to build. If you don't do that, you're actually creating more problem and headache for your market than not. But definitely, you know, startup founders are an essential part of the innovation ecosystem and supply chain. We must support them. 

On the other hand, people who are trying to get into cybersecurity for their first jobs, right, it's extremely hard. In fact, you know, as a risk manager, it's very hard for me to give an opportunity to someone without having a personal oversight on and tell my client or my business that you are the best hands. Right. It's a little bit challenging to say that, but I think we need to give more opportunities to people. Try to learn, follow from those that are ahead in the industry. It doesn't have to be a CISO, it can be a technologist. It can be a cyber threat analyst, or explore various different fields. Cybersecurity is not all about cyber threat hunting. There are so many other things that you can do. There's GRC, there's identity access management, there's cloud security. So try, don't go into the silo. Just learn broadly and then you will know where you do the best. So that's where I welcome more and more people to come into cyber and actually help us in our journey and our mission. 

0:54:45 - Mehmet
I love this. Well, Valmiki, because you mentioned it's not like just this threat hunting and this, and again, like, because I talk a lot about blue ocean and red ocean. I tell people try to find, although, like, the cybersecurity is by itself a red ocean, everyone agrees with me, but still I think there are like areas of blue ocean there, and I can see, to your point, GRC is one, is a big one there. There's a lot of work to be done in that space. There's, of course, like, a lot, but because, you know, from my interaction and conversation with the other, like, cybersecurity leaders, I think, yeah, still, we have a lot of places, if you are a start-up founder or even if you are a professional, that you can add your value there. I know that we covered a lot, but do you think, like, we should have covered something, or any final thing you want to tell us today? 

0:55:34 - Valmiki
Well, Mehmet. Well, you know, I'll leave you with this thought that, you know, cyber defenders are the protectors of the hope and, you know, this is beautifully put together by my friend that was sorting, who was the director for cyber at web. You know, we are the protectors of the hope of the future, so we want to make sure that we have more and more people join that mission and we need to expand that, you know, cyber capacity and workforce, give more people the opportunity. It has a tremendous, you know, potential to do dual opportunities, secure and protect the future, but also give more economic opportunities to people in terms of jobs in the industry. 

0:56:16 - Mehmet
Great. One final thing: where can people find more about you and, you know, your organization? 

0:56:21 - Valmiki
Well, I'm readily available on LinkedIn. Go find Valmiki Mukherjee, as in the name. Here I go with Al chirping me, connect with me. You can find more about my nonprofit work at cyberfuturefoundation.org. You can find more about where I'm CISO at acolifeorg accocom. So both areas, you know, find me and love to connect with you and your audience. 

0:56:49 - Mehmet
Sure, I will make sure that all the links will be in the show notes. Well, thank you very much, Valmiki. I really enjoyed our conversation today. It was, like, it was a rich one, because you touched base on a lot of topics that I think everyone in cybersecurity, or even, you know, curious about cybersecurity, they should know about it. So, thank you very much for your valuable time today, and this is usually how I end my episodes for the audience. If you are a first-time listener or viewer, thank you very much for tuning in. I hope you enjoyed it. 

For the regular audience, thank you again for your commitment and for your feedback that you provide, as usual, and if you would love, you know, to discuss any topic, you have any idea, you are a startup yourself and you need, you know, a place where you can showcase what you are doing, please reach out to me. I would love to speak to you and we can arrange for that. Time zone is not a difference, it's not an issue, because, you know, as you see, Valmiki is in Texas, I'm in Dubai, so we can manage this. No issues at all. Well, thank you very much for tuning in and we'll meet again very soon. Thank you, bye, bye. 

Transcribed by https://podium.page