In this Podcast:
Welcome to a special series of the Global CISO Forum Podcast honoring the EC-Council Foundation Infosec Tech & Exec Awards Finalist! For the next three weeks we will be interviewing the best and brightest in infosec who have been named finalists for the CISO of the Year, Certified CISO of the Year, Most Improved Security Program of the Year, and Most Innovative Security Project of the Year. Learn more about our finalists here.
Listen
Transcript
Amber:
Welcome to a special series of the Global CISO Forum Podcast honoring the EC-Council Foundation InfoSec Tech & Exec Awards finalists. For the next three weeks we will be interviewing the best and brightest in InfoSec who have been named finalists for the CISO of the Year, Certified CISO of the Year, Most Improved Security Program of the Year, and Most Innovative Security Project of the Year.
Announcer:
Welcome to the Global CISO Forum. The podcast for information security executives.
Amber:
With me today is Pavankumar Bolisetty. He is the Global Head of Information Security for Wave Crest Holdings, but more importantly he is a finalist for the CISO of the Year Award. We’re very excited to give that award and maybe even Pavankumar will be the winner. Welcome.
Pavankumar:
Thank you, Amber.
Amber:
Thank you for coming on the program. We were really excited to get your nomination, it’s very detailed. It looks like over the past year you have done a lot at Wave Crest Holdings. First things first, can you tell us what Wave Crest Holdings does?
Pavankumar:
Wave Crest is a financial institution. It’s based out of Gibraltar in the UK. Wave Crest is primarily into payment service provider as far as provider of digital direct applications. We have a core payment platform where we can integrate our white cable, our partners, for their payment solutions. We also issue prepaid cards, prepaid VISA and MasterCard, and Discover US. We operate across three continents in six countries. We have our back office and development center based out of Hyderabad in India and I currently based in Hyderabad, India, taking care of the global security operations of Wave Crest.
Amber:
In your nomination it talks about how you’ve implemented a comprehensive IT Governance, Risk and Compliance Program, GRC, across global locations and data centers. That sounds like an incredible undertaking. Can you tell us a little bit about how you did that?
Pavankumar:
Yes, we being in the financial services and are into payments, we need to abide with some of the regulatory requirements, including PCI-DSS and some of the regulatory requirements like ISO 20001, ISO 9001, ISO 40001. As well as we need to be successful in the third party audits of Meta Bank. The customer requirement of audits like SSAE 16. It was in fact a challenge to implement a comprehensive governance of risk and compliance across our data centers and the offices across the globe. To implement this stuff you have to program, which includes your debt risk management and including testing technology controls.
In the same way, having the training programs and security awareness programs on the global staff as well as the secured architecture and designing of the web and mobile applications. I would say it all was achieved only with the collaboration support of all team members and the respective department heads of all departments because it never a single man at the sites and it requires the tight support from your management in supporting your security program as well as the support of your security team as well as support from all respective head of departments when implementing the strong security practices and integrating that as part of the security culture of the organization.
Amber:
You touched on the security culture. Part of your nomination dealt with employee security education. What kind of education programs did you roll out?
Pavankumar:
In order to achieve the whole compliance program across all regions on the data centers and all regions across the globe… There should be a collaborative approach. For that I started something called SRAT. SRAT stands for Security Risk Assessment Team. It is unique collaboration of different team members so it is more like a shared resource pool of security experts which I had prepared. If SRAT is more like a nomination process, where any empty shift… The team member of any department can be part of the SRAT team. By example, all victories would become part of the SRAT team. We started with the SRAT team. It was, in fact, a very good collaborative I would say. We made a SRAT team and after that the, all SRAT members are being primed on information security practices. It could be the training that is required for the security auditing or it could be the security of the next program. Let me talk first on the security auditing exercise.
Amber:
Mm-hmm (affirmative)
Pavankumar:
All these SRAT members are trained on the information security, the compliance practices that need to be handled in the respective teams. So all were trained on security practices it was regular two month of exercise. We were able to successfully make a great SRAT team. The SRAT team is responsible for two things. Number one: To implement the security practices, the best practices within their respective teams and report to the CISO on the gaps that they had encountered. Once this is achieved, step two: It’s a Cross Design Audit. One team would be auditing the other team. Again, report back to the CISO (that’s me), on the gaps that they had encountered on the other Cross Design Functional teams. By this exercise, it was very easy a task for us to identify gaps across the teams and the competencies that are required to implement the best practices within respective teams. This also helped us in taking some of the decisions on enlistment of technology controls that are required on the respective teams. One is the internal auditor training as I said, and number two, the security awareness programs.
The security awareness programs were actually more like … What we thought of like gently calling them into a classroom and taking the training programs may not that effective. What we started was, we there should be some sort of … interesting way where we can attract the audience in making them aware and to follow the practices. For that, what we had done was, we started something called the video presentations on the latest security breaches. Where, for example, to provide awareness to developer teams, we have prepared some sort of videos how you are able to hack the respective code by respective vulnerability. So it actually makes them aware. So if I say this is one where they call so-and-so say like cross site scripting probably they may not be induced unless and until it is demonstrative. What we did was, we had them sample video demonstrations on what each vulnerability talks about and how you can able to exploit the respective vulnerability. It actually helped them to understand the impact of the respective vulnerability. Also able to understand how they were able to remediate in a faster approach.
So apart from the training and awareness programs for the development team, for the general public we also created some sort of the security awareness videos and distributed over the email and we had a separate channel created internally where every video once-in-a-week and on different sort of security awareness practices that they usually encounter. As for last, we created some sort of security newsletters which talks about the basic security breaches and the different variations that can be… Different security practices that have to be followed. In order to mitigate these kind of security breaches and to follow the best security practices.
Amber:
Wow, it sounds like you really covered everything. I like that you did different kinds of training for different levels of employees so that the developers got something a lot more robust. Did you find any developers got interested in security more after the training?
Pavankumar:
(Laughs) That’s interesting. Yes.
Amber:
You did?
Pavankumar:
When you look at the developer’s perspective… The first thing that you generally hear from every developer, every developer that I have come across, was, “My code was really great and it is more secure.” So unless you show them the possibilities of exploitation of respective code they don’t really understand the impact of it.
Amber:
Mm-hmm (affirmative)
Pavankumar:
It is more important that when you talk about the development of these things, there are two things. One is learning about the security architecture and how the security practices that has to be followed during the recording of the respective, or development of respective program. Once that is done, and phase two, you need to evaluate how secure the program has been developed. In the second phase, when you identify or evaluate how the respective program is developed you need to perform some of the vulnerability management or pentesting exercises to ensure how risky is the application or how secure is the application. Once that is done, you get the exact portion of how the code is and based on that you can actually design your training program to meet the respective target audience. If I say ten points to develop a team, probably the ten points may not suit the requirement, because he would be working or he may be interested in only those five points. These five points would be known only after the first few exercises this is, after a pentesting exercise you would see like the exploit in your code and this is what the training program is intended to do. Then that would be more appealing or interesting to the respective development teams. Even development teams are structured across different supporting platforms, supporting languages. Always needs to be target-driven exercise.
Amber:
Right. Another thing that I like is, something in your nomination says that you were able to harness business intelligence tools to build entity specific frameworks to coordinate the all into a single framework. That sounds incredibly complicated! Tell us a little bit about that.
Pavankumar:
When you talk about security, it is more on the context-driven exercise. Once you have some sort of a collaboration or a single dashboard kind of an entity, where you can able to see the exact security posture of the entire organization. That is where you can actually have the security control on your fingertips. To achieve, that you will require some sort of business intelligence tools where you compile all your compliance requirements into a single framework. When the state compliance requirements here, for example, we need to comply with regulations like PCI-DSS, ISO 270001, other third party requirements. You actually do comply with multiple regulatory standards. So unless you have a unified approach or a framework it cannot actually drive the program so it always needs some sort a business intelligence tool and the enterprise dashboard where you can actually see the entire security posture of your organization to see where you stand and how going to be able to achieve the program and what would be the estimated time to meet your compliance levels.
Amber:
All through the nomination it talks about you building tools and different dashboards and things. Are those dashboards available to just the general employees or are they just for the security team or are there different levels for each level of employee?
Pavankumar:
There are different classifications of dashboards. There are some dashboards which would be shared only to the board of directors, some which actually talk more on the executor assembly level where we stand at the moment. What is the current security posture and what it takes to re-mediate the respect to risk and how much it would cost and what would be the investment. These kinds of dashboards are targeted more to the Board and there are typical dashboards which are targeted to monitor the day-to-day activities. For example, we have a SRAT team which operates 24×7. These dashboards are available to the SRAT team can able to ensure the technical monitoring capabilities on the daily transactions. For example, we process millions of card numbers on a day-to-day basis to see what has been triggered or is any security that has been captured or any sort of a network incident that has been encountered. So things like that. There are different dashboards for the technical teams and there’s a different dashboard for the technical team and for the executive teams.
Amber:
Yeah, that makes sense. You just mentioned something, but there’s a dashboard for the board. That is very cool. Does that help them with… A lot of times on this we talk about that the CISO usually only has a little bit of time with the board, they have to make their case quickly, but if you’ve built an entire dashboard for them they could come back and look at it anytime, conceivably. Have you seen good results from that?
Pavankumar:
Yes. The most important aspect that I have noticed is how you communicate with the board and how do you actually talk in the language. If I say vulnerability or some sort of an exploit, so it may sound foreign to them but if you talk in the language, “This is what the risk is. This is what the impact is. This is the cost to mitigate the respective risk.” It actually helps them to understand in a broader level, “This is what I gonna need to spend for mitigating this risk.” It actually helps them take the strategic decisions on what to implement, what not to implement, things like that. It would actually be very helpful and, in fact, if you are able to show them the successful achievements with the dashboard and I could able to adhere to the requirements for the security enterprise. Being a financial institution, it is more important because you find, I actually find hundreds of incidents on a weekly or monthly basis.
Amber:
Wow
Pavankumar:
It’s very important to actually be really good with where we are and where we stand and what does it require to ensure you know the business withstands even aterrible security breach and to prevent any sort of security breaches to happen.
Amber:
Right.
Pavankumar:
This dashboard really helps the board to take strategic decisions and help them in the budgetary requirements as well.
Amber:
It sounds like you have a really innovative mix of technology, but then you’ve also done the other part with the policies and the education and the awareness to build up a really strong security program. They’ve just got to be so happy with you over there. (Laughs) I hope they give you a raise soon. (Laughs) It seems like you’ve done a ton of things.
Pavankumar:
Yes, in fact you’re right. I put emphasis on every month (laughs) and they got it.
Amber:
Awesome.(Laughs) I’m so happy. (Laughs) Besides getting raises, and that’s how you know you’re doing a good job, something else that you talk about in here is security metrics. What kind of metrics do you find work the best as far as driving further performance?
Pavankumar:
Security metrics?
Amber:
I guess just defining your goals, how you’re going to measure your program. What kind of metrics have you found work the best for what you’re trying to achieve? Cause we talk about it a lot and is it a decrease in incidents? Is it an increase in reported problems? Is it a decrease in employees clicking on phishing emails, that kind of thing? What kind of metrics work for your company?
Pavankumar:
In fact, as I told you before, having a comprehensive dashboard and the segregated dashboards for the respective teams. It actually helped us to create awareness programs targeting to respective departments. In fact, we also provide corporate training programs on social engineering. This is the age of advanced persistent threat and even being in a financial institution we find a lot of socially engineering on a daily basis. It is more like you get emails to be… No matter what technology you have or technology controls that you have in place, the most important factor is the people. They are very vulnerable to any kind of attacks like this. By having the security programs targeted to the respective individuals we noticed a great change in the mindset of the general public and operational teams. We also have the monthly metrics or the monthly mechanism where you can actually see how many users been clicking on malicious links or prone to the phishing attacks. We seemed reduced the users clicking on malicious links or malicious emails. In fact, they’re also helping heightening the incident management process. Even if they find something suspicious they instantly ring to the incident management team or they send email to the management team that we find something suspicious. We found that the user awareness has been increased a lot in the current global staff.
We have a phishing verification team. They actually issue pre-paid cards we do a phishing verification check. It also helped us to educate the teams. We also used some sort of social media monitoring tools, adapted using the social media monitoring tools to detect any sort of the fraud.
Amber:
Very cool. Let’s talk a little bit about you personally. How did you get into information security?
Pavankumar:
I did my Bachelor’s in Engineering, in Computer Science and Engineering. BA Computer Science and Engineering. Later my Master’s in Network & Telecommunications. We used to have a curriculum of information security, starting from the graduation base. Actually very interested in the IT networks and security getting my engineering base and later I chose the networking as my specialization so I did my Master’s.
Apart from that, the interest I could able to do some of the certification programs of EC-Council and CAW. Back in 2004 they have the specific curriculum targeted to the basic and advanced security programs. So it actually helped me to strengthen my career and I joined the TATA Technologies and Security Council then. That’s my career path into Information Security.
Amber:
Well, that’s very cool. I’m really happy to hear that EC-Council was part of it. We love hearing that. (Laughs)
Pavankumar:
(Laughs) I did certifications back in 2004.
Amber:
Oh, it’s time for a new one.
Pavankumar:
I did almost three certifications with EC-Council.
Amber:
Oh you did. So CEH, ECSA, LPT?
Pavankumar:
CEH, Certified Ethical Hacker, Computer Hacking Forensic Investigator and Certified Security Analyst.
Amber:
Very cool. I think it’s time for you to do your certified CISO …
Pavankumar:
Yeah
Amber:
Since you are part of our CISO program now. With that…
Pavankumar:
Right, right yes.
Amber:
(Laughs) Thank you so much for being such a enthusiastic member of the EC-Council family and I really hope that we get to see you next month. Wow, it’s almost this month, in Atlanta. Do you think you’ll be able to make the trip?
Pavankumar:
Yes. I got my counselor interview scheduled tomorrow.
Amber:
Oh, okay. All right.
Pavankumar:
I got my first round of interview done with the consulate. Tomorrow is the second round of the counselor interview.
Amber:
Okay. Well thank you so much for coming on our program Pavankumar and I look forward to meeting you in Atlanta.
Pavankumar:
Thank you, Amber. I’ll see you at Atlanta.
Amber:
Awesome.
That’ll do it for this episode of The Global CISO Forum podcast. The show is produced by Saba Mohammad, edited by Shandiin Tome. You can help the show by subscribing on iTunes or Stitcher and if you would leave a review for us that would help other people find the show. Until next time, this is Amber Pedroncelli.
Announcer:
Thank you for tuning in to another edition of the Global CISO Forum. The podcast for information security executives.