We had the pleasure of interviewing Agnidipta Sarkar, a highly regarded Digital Resilience Practitioner and Group CISO at Biocon, a leading Indian biopharmaceutical company. With three decades of experience in the cybersecurity industry, Agnidipta has authored and launched “Defensible Cybersecurity”, a new approach to cybersecurity based on ISO 27001 and its family of standards, Lockheed Martin’s Cyber Kill Chain, the NIST Cybersecurity Framework, and the DOE C2M2.
As a technology evangelist, Agnidipta is an active participant in international standards organizations like ISO, the Cloud Security Alliance, and the Business Continuity Institute, and is sought after for his ability to help enterprises manage change and achieve assurance by leveraging his expertise in risk optimization, cybersecurity, business continuity, privacy, standards, and automation.
In this interview, he shared with us his journey into the field of cybersecurity, his perspective on the most significant developments and changes he has witnessed during his three-decade-long career, and how he has adapted his approach to addressing new challenges in the industry. He also discussed the impact of international standards such as ISO 27001 and the NIST CSF on the industry and their role in shaping the future of cybersecurity. From his view of the evolution of cybersecurity to his emphasis on proactive risk management and continuous improvement, this interview offers valuable perspective for anyone looking to stay current in the ever-changing landscape of cybersecurity.
Can you tell us about your background and how you got started in cybersecurity?
I started in sales, and my first company was a networking products player in the late eighties. But I soon realized that I was better at handling tech. The company was generous; by the time I left, I was doing Product Management for their networking solutions. My entry into cybersecurity, or information security (as it was called in those days), was in my next stint at HCL, and I eventually landed in the US as a Principal Consultant, securing mainframes. Yes, that was just after Y2K, and everyone was migrating to client/server, and when I look at the challenges today, they are very similar to the challenges in IT/OT integration.
I then joined Wipro as a Practice Manager, and that is when I got into Risk Management, Business Continuity, and Crisis Management, and come 2003/4/5, I was handling pandemic plans, which is probably why I felt better prepared during COVID. I was also lucky that when I joined HP in 2004, data privacy was beginning to get interesting, and Privacy by Design and Privacy Enhancing Technology were a wish list. In a career spanning three decades, I have seen much evolution in cybersecurity. And as we are poised toward the digital revolution, digital resilience is the way forward.
Great to hear about your extensive background and experience in the field of cybersecurity. In your opinion, what are some of the most significant changes or developments that you have witnessed in the field of cybersecurity during your three-decade-long career?
Indeed, throughout my career, I have witnessed many significant changes and developments in the field of cybersecurity. Some of the most notable changes include the widespread adoption of encryption and Public Key Infrastructure (PKI), the evolution of standards, the evolution of antivirus into Endpoint Detection and Response (EDR) and Extended Detection and Response (XDR), the emergence of the Security Operations Center (SOC) from the Network Operations Center (NOC), the evolution of the firewall into what it is today, and many, many more.
However, in my opinion, two of the most significant developments occurred in the late 1990s and early 2000s: the Domain Name System (DNS) and the Common Vulnerabilities and Exposures (CVE) and Common Weakness Enumeration (CWE) programs. Not only because they were the most evolved security tech of that time but also because they were the genesis of cybersecurity, and look at their role today.
</gre_replace>
<gr_replace lines="13" cat="clarify" orig="This convergence of IT and OT">
This convergence of IT and OT systems will create a new attack surface for cybercriminals, as they can potentially compromise operational systems that control critical infrastructure, causing damage or disruption. Therefore, organizations will need to prioritize cybersecurity measures that protect their entire infrastructure, from the endpoints to the core systems, and ensure that they have adequate measures in place to detect and respond to threats in real time. Additionally, organizations will need to collaborate with 5G network providers and device manufacturers to ensure that cybersecurity is built into the design of the infrastructure and devices. To address these challenges, it is essential to adopt a proactive and holistic approach to cybersecurity that prioritizes risk management and continuous improvement.
The DNS revolutionized how organizations communicate and identify each other over the internet, providing a foundation for modern cybersecurity. On the other hand, the CVE/CWE program provided a standardized way of identifying and tracking vulnerabilities, which enabled organizations to prioritize and address them effectively.
The emergence of cloud computing and the disappearance of the enterprise perimeter also had a massive impact on cybersecurity. This required organizations to adopt a more flexible and dynamic approach to security, focusing on identity and access management and shifting away from perimeter-based defenses.
I believe that the advent of 5G will be another massive disruptor in the field of cybersecurity, as it will bring about a completely unforeseen world of IT/OT convergence and business value.
This convergence of IT and OT systems will create a new attack surface for cybercriminals, as they can potentially compromise operational systems that control critical infrastructure, causing damage or disruption. Therefore, organizations will need to prioritize cybersecurity measures that protect their entire infrastructure, from the endpoints to the core systems, and ensure that they have adequate measures in place to detect and respond to threats in real-time. Additionally, organizations will need to collaborate with 5G network providers and device manufacturers to ensure that cybersecurity is built into the design of the infrastructure and devices. To address these challenges, it is essential to adopt a proactive and holistic approach to cybersecurity that prioritizes risk management and continuous improvement.
With the rapid pace of technological change and increasing cyber threats, how have you adapted your approach to address new challenges in the industry?
My approach to cybersecurity has always been to stay current with the latest developments and trends in the industry. I have always sought to learn and stay abreast of the latest cybersecurity technologies, tools, and best practices, attending conferences and seminars, participating in online forums and collaborating with colleagues in the industry. Additionally, I have always encouraged a culture of cybersecurity awareness within my organizations, educating employees on cybersecurity risks and implementing comprehensive security policies and procedures. As new technologies and cyber threats emerge, I continue to adapt my approach and strategies to meet these new challenges and keep my organizations secure.
How have you seen international standards such as ISO27001 and NIST impact the industry, and what role do you see these standards playing in shaping the future of cyber security?
I think every standard is doing its bit and is written with the intent to shape the future of the way we manage cybersecurity. Building standards is a long process and, unfortunately, many misinterpret standards. Standards have played a critical role in shaping the industry by promoting best practices and improving the cybersecurity posture of many organizations. They have also helped to establish a common language and set of practices for collaboration and information sharing.
Standardization makes practices repeatable and comparable, and hence the results predictable, in the context of what your intent is. And this is exactly why you cannot apply it to innovation, because the premise of innovation is uncertainty and unpredictability. So standards cannot be applied to everything.
For example, ISO27001 is great at Governance but lacks tactics and techniques, and while NIST CSF is great at strategy, it does not help in maturity measurements. So to run a minimal standardized security and resilience program, we need to have an attitude of standardization and be open to adopting best practices to the context of the business.
In the future, these standards will continue to play a crucial role in shaping the cybersecurity landscape. As threats evolve and new vulnerabilities emerge, organizations will need to rely on these standards to stay current with best practices and guidance. However, it’s important to keep in mind that standards are not a one-size-fits-all solution and must be adapted to the unique context of each organization.
You pointed out the strengths and limitations of ISO27001 and NIST CSF. Are there any other standards that you find particularly useful for specific aspects of cybersecurity?
Of course, there are. For those willing to roll up their sleeves, there is a fascinating world of continuously evolving cybersecurity standards. In fact, my Defensible Cybersecurity approach was designed to leverage five standards. For serious cybersecurity practitioners, the MITRE ATT&CK and D3FEND standards are great for understanding and adopting tactics and techniques, and C2M2/CMMC for establishing a cybersecurity maturity program, beyond leveraging NIST CSF for structure and ISO 27001 for Governance and Oversight. Other important standards include CIS Controls v8, IASME Governance, IEC 62443, BSIMM, etc.
Do you think that there are any areas of cybersecurity that are currently underserved by existing standards? If so, what do you think needs to be done to address this?
Many. And the reason is that standardization follows innovation and attempts to provide guidance to make innovation repeatable. In cybersecurity, we have many areas that need attention from standards bodies. Prominent among these are Cyber Threat Intelligence, Patch Management, and Threat Modeling.
CTI does not have any standard for the interoperability of multiple feeds and therefore, integration of multiple types of feeds (including dark web intel) is complex and cumbersome. Security Patch Management is an operational nightmare, and while there are standards in IT Service Management, this area is grossly relegated to best practice and is probably the biggest root cause of most successful cyber attacks.
And then there is Threat Modeling, which is traditionally a software development practice, and multiple methods exist, but if practiced in a standardized and structured manner it is probably the most contextual early warning of an attack, if it can be integrated with Indicators of Compromise and Indicators of Attack. The closest anyone has today is the MITRE ATT&CK Navigator.
To address these gaps, standards bodies need to optimize the preparation time for standards. It is not easy, but standardizing the process to build standards could be a step in the right direction. This will require the standards bodies to scrutinize and filter participants with respect to their competency, ability to commit time, and passion for the subject. It will also require defining clear goals and steps of the process. And this is difficult because standards-making is still a volunteer activity and is not incentivized.
What lessons did you learn from authoring “Defensible Cybersecurity”?
Honestly speaking, I was slowly becoming cognizant that the name was wrong. Defensibility should be about innovation and not cybersecurity alone. The whole idea was to leverage multiple standards and to create a framework that could be relevant to a CISO to operate a security program. I also realized that no matter how many frameworks come up, all regulated industries will only focus on compliance and not on risk optimization because that is how the CISO will show value to the leadership.
For most business leaders (and I have had the honor of working with a few exceptions), keeping the auditor away is a bigger priority than keeping the hacker away. That is akin to a child claiming that the moon is closer than Japan because you can see it. And that was my biggest lesson. I needed to articulate the invisible benefits of a Defensible Cybersecurity program without an iota of evidence.
You mentioned that regulated industries tend to focus more on compliance rather than risk optimization. How do you think this affects the overall cybersecurity landscape, and what can be done to shift the focus more toward risk optimization?
The focus on compliance over risk optimization in regulated industries can create a false sense of security, as compliance does not necessarily equate to effective security. This can leave organizations vulnerable to cyber-attacks and data breaches.
The study and practice of addressing risks is complex and hence unpopular. If you evaluate the effectiveness of regulatory compliance in risk reduction, you will probably conclude that while regulations help enterprises reduce risks considerably, they eliminate the need to engineer solutions based on the outcome of a risk assessment, and that is why leaders love them. However, it is common sense that a cyber attacker needs to succeed only once by exploiting only one weakness, while cyber defense needs to succeed every time. And this is impossible if compliance is not rooted in risk optimization.
Fixing this needs a huge overhaul. At a minimum, the auditing practices and the certification of the minimum skills of an auditor need to change. If the auditor is competent and the requirement is clear, compliance can be made contextual and risk-optimized and not merely based upon an aide-mémoire. Ultimately, a shift towards risk optimization will require a cultural change in the way organizations view cybersecurity, prioritizing risk assessment and mitigation over checklist-based compliance.
On the art of incident response and crisis management: Can you please reflect on your hands-on experience in incident detection and response and the importance of this function in ensuring organizational resilience? Please share any personal experiences or lessons learned from managing major security incidents, and what processes and plans have you put in place to ensure effective response and recovery?
Yes, cybersecurity incident response and crisis management is actually an art in the guise of science and needs highly competent and experienced people at the helm. While I cannot share incidents for obvious reasons, I can share what I have learned.
- Any cybersecurity incident and crisis management program needs a preparatory phase. Awareness and learnings from previous cyber attacks, Threat Models and Attack Flow Paths built for Critical Computing Infrastructure and playbooks to perform organizational tasks during the crisis can go a long way to managing time and assuring stakeholders.
- 90% of incidents that need crisis management have one success formula, and it is not cybersecurity but a well-planned and rehearsed communications program with the people involved in handling the crisis and the stakeholders thereof. Better, clearer, and crisper communications at the right time sometimes even make up for the lack of extremely mature security practices.
- While we all focus on emergency response and recovery, there is usually an essential phase in between that we need to plan for when analyzing possible impacts of discontinuity, and that is the ability to WITHSTAND the unavailability of systems and services for an unplanned period of time before we begin recovery. The coronavirus pandemic was a big example.
- And then there is the need to exercise. Most enterprises that conduct Cyber War Games do so to improve their exercise program, so the effort is more about finding gaps, but managing cyber disruptions has a large element of strategy. And unless the objective of the exercise includes opportunities to enhance strategies, findings will never focus on them.
You mentioned the importance of the preparatory phase in incident response and crisis management. Can you walk us through how you typically approach this phase and what steps you take to ensure that your team is well-prepared for potential incidents?
While I cannot publicly disclose what we practice, there are enough best practices available worldwide that can be followed. These include, but are not limited to: hiring offensive security experts; building threat models and attack flow paths based upon threat intelligence; conducting business impact analysis; researching and understanding trends in cyber-attacks; building abilities to defend against attacks on business-critical computing infrastructure; training and building alternate capabilities to withstand the effects of discontinuity; and exercising prioritized recovery procedures.
In addition to the above steps, it is also important to have a clear communication plan in place to ensure that all stakeholders are aware of potential incidents and understand their roles and responsibilities in the response. Lastly, regularly testing your incident response plan through realistic simulations can help you identify gaps and improve your team’s preparedness.
Can you please share your thoughts on the next big challenges and your predictions for the future of the field?
As I mentioned earlier, I think the most exciting technology on the horizon is 5G. Combine that with the capabilities of Artificial Intelligence and Machine Learning (read ChatGPT and its cousins), and endless possibilities emerge, viz. replacement of fiber networks, agile SaaS services, better healthcare, smoother transportation, etc. We will witness great innovation in the time to come. And that will present security and resilience challenges, and probably the next big challenge in security. And it is no secret that if you do not visualize and embed security into people, processes, and technology in the culture of using innovation, it just might be too late.
Do you have any tips for life, career, or professional growth for our readers?
I am no expert at this, but I think proactive learning and applying that learning to the context of what we do is what has kept me on my toes. I make sure that I spend at least some part of my weekend auditing things that I have written down earlier. It could be an old presentation, a Word file, or a spreadsheet. And I refer to the internet and other handy research as I do it. So far, it has helped me remain current with my knowledge, my auditing skills, and my ability to articulate concepts.
To achieve personal and professional growth, I can suggest adopting the practice of lifelong learning and consistent self-auditing. We can excel in our careers and lives by keeping ourselves up-to-date and improving our skills and knowledge regularly.