Cloud Transformation and the Cybersecurity Landscape in the Middle East

How do you convince senior management to stop treating cybersecurity as an afterthought and start seeing it as a business enabler? We also get a look at cybersecurity practices in the Middle East, a region most of us have never been to or worked in.

Varun is a cybersecurity veteran based in the Middle East with more than a decade's experience in cloud transformation. We had the opportunity to sit down with him this week and draw on his depth of experience to learn how to approach senior management and change their mindset about cybersecurity, especially in organizations where it is seen as an afterthought rather than a priority.

Tune in to this episode of Ask A CISO to hear:

  • Varun's strategy for getting management buy-in at organizations where cybersecurity is an afterthought
  • What cybersecurity transformation is, and why it is so important
  • The cybersecurity landscape in the Middle East, and where it's headed
  • How he approaches management to pitch a holistic cybersecurity (People, Process, Technology) program
  • Why you should manage expectations as a CISO, and how to do just that
  • Why you can't avoid the cloud, and what you need to do before moving your business into the cloud

About The Guest: Varun Vij

Varun Vij is a prominent GRC and cybersecurity professional in the MEA region with more than a decade's experience managing cybersecurity transformation programs. His leadership drives a step change in an organization's cloud security posture.

He has extensive experience managing and delivering large-scale transformation and security management projects in large enterprises. His expertise is in consulting: providing leadership insights and best practices in technology strategy, enterprise architecture, and the implementation of risk management, information security, business continuity management, and cyber compliance frameworks.

About The Host: Paul Hadjy

Paul Hadjy is co-founder and CEO of Horangi Cyber Security.

Paul leads a team of cybersecurity specialists who create software to solve challenging cybersecurity problems. Horangi brings world-class solutions that give clients in the Asian market the right, actionable data to make critical cybersecurity decisions.

Prior to Horangi, Paul worked at Palantir Technologies, where he was instrumental in expanding Palantir's footprint in Asia Pacific.

He worked across Singapore, Korea, and New Zealand to build Palantir's business in both the commercial and government space and grow its regional teams.

He has over a decade of experience and expertise in anti-money laundering, insider threats, cybersecurity, government, and commercial banking.

Transcript

Mark

Alright! Welcome, everybody. This is Ask A CISO podcast where we guide you through the treacherous jungles of cybersecurity to get your organizations where they need to be. I'm your host Mark Fuentes, and I've got another fantastic guest with us today. Today, we have Varun Vij.

He's been working for over a decade managing cybersecurity transformation programs, and he's been working with Serco to help organizations with a wide range of capabilities such as enterprise architecture, implementation of risk management, general information security, business continuity, and cyber compliance frameworks as well.

Welcome, Varun. Such a pleasure to have you with us today. Thank you.

Maybe ...

Varun

Thanks, Mark, for having me.

Mark

I appreciate it, thank you. We really appreciate your time. Maybe just to kick things off for the audience out there, maybe you can give us a little bit more about yourself, and what you've been working on lately?

Varun

Surely. So I have been in cybersecurity for almost 11 years and I was fortunate enough to start off my career in cybersecurity. I found it quite common to be honest, but when I relocated to Dubai, I realized that's uncommon. Most of the people actually transition into a cybersecurity role and this field is quite exciting. I really love it.

When you have a holistic view of cybersecurity and you see things from each angle, you know, it really expands your horizon and that's what makes a world of difference.

Mark

A hundred percent, a hundred percent. I like that you said you saw a lot of people from other walks of life kind of bouncing in. In the beginning that's what a lot of us did. I myself come from a graphic design background and fell into cybersecurity a little over 16 years ago and I was sitting next to a bunch of like cable, ex-cable guys, telephone repair men, and stuff like that. So very interesting backgrounds when you talk to a lot of people in our field.

So you've been working with Serco for five years now, right? Maybe you can tell us a little bit about Serco, what you guys do, and what you guys are doing to help people out in this environment?

Varun

Certainly, so Serco, again, it's an FTSE 250 company, a prestigious company, headquartered in the UK, and we offer government services, citizenship services, air traffic control services. So transport services are one of our prominent businesses, and we have headquarters in the UK so our group CISO also sits there, and we have four regions: we have North America, we have the APAC region, UK and Europe, and I'm responsible for Middle East cybersecurity operations. So because data, you know, government data is so sensitive, we have to give utmost attention to it, and that's where cybersecurity is actually the cornerstone of our cyber program.

Mark

That's fantastic, you guys are pretty all over the board. You guys cover a lot of space. That's pretty awesome.

Would you say that among all of those domains, would you say that cybersecurity plays towards the top of priorities or would you say it's kind of equal across the board in the different domains you guys work in?

Varun

So absolutely, cybersecurity as we know nowadays, this is a buzzword, that it's a boardroom agenda, and Serco is no different. So cybersecurity, we have a management commitment, top-to-bottom approach, and we ensure that we have security by design, you know. There shouldn't be an aftermath when things spin out of control and then you have to spend a huge amount of money on forensics. We have deviated away from it. It's a proactive approach, but as you know, it's a journey, it's a long journey, so we are also learning the ropes.

Mark

Most definitely. Yeah, I love that, you know, I love to tell people the same thing, you know. People should have a shift-left mentality, right. They should think about security when they're planning things, not as an afterthought, right, but as you and I both know, when we go out there and help our clients, maybe 90 percent of them think of it as an afterthought.

How do you broach that when you come into a new organization you're taking on as a client and you see that they have this security as an afterthought approach, how do you frame it for the leadership so that they can change that mindset?

Varun

Yeah, that's a very good question. So every organization is different.

I go with this basic rule of thumb: when in Rome, do as the Romans do, but one of the fundamentals always remains the same, and that is a risk-based approach. So this is a principle which Cisco also uses and I love it. I use this fundamental in my various conversations with senior management. So what I have experienced throughout my career is: businesses do understand terms like loss, disruption, and reputation. So ...

Mark

Right.

Varun

me being a cybersecurity professional, if I start articulating things in terms of productivity, profitability, and brand reputation, I have a possibility to get a buy-in. So this is one way to pitch in and get a buy-in from the management: increase the security to a point where it enhances business goals. This is a strategy I use. And the last thing is, I strongly believe you cannot improve if you cannot measure.

So senior management, they don't have time, you will hardly get 20 minutes. If you ...

Mark

100 percent.

Varun

have some tangible metrics on where we are in terms of your competitors, you know, we can actually get the ball rolling.

Mark

That's fantastic. Yeah, definitely, you got to speak their language, right? You have to put it in their terms, and I think that's one thing a lot of younger professionals don't understand, right? They get to the leadership and they say, you know I explained to them, I explained to them in, you know, these super technical terms why this is important. I don't know why they don't get it.

And that's a big leap that we have to take from the technical to, you know, dealing with leadership. We have to take that leap into learning that we have to show it from their perspective not from ours, right?

That's a fantastic point. And also your second point there which is you can't improve unless you measure things, right? That's another pitfall, I think, for younger professionals when they're trying to ... they're trying to bring about change in an organization.

They don't realize that you know what, a lot of this leadership, they won't make any moves unless you show it to them in numbers, right? Show them the value that you're providing in numbers, change-over-time metrics.

Fantastic! Metrics and speak their language, and I think those are great points. I'd like to take it back though. So we were just talking about how you've been doing a lot of work in transformation programs. We've been talking about large-scale transformation and cybersecurity transformation programs. For our audience out there, maybe you could break that term down. What exactly does it mean? Cybersecurity transformation?

Varun

Surely. So to explain cybersecurity transformation, first I would like to start off with the digital transformation.

So, now this is the era of the fourth industrial revolution. Things are changing at a rapid pace, something which the world has never seen before. So Microsoft, just to share a statistic around it, Microsoft is saying that by 2025, there will be 175 zettabytes of data which will be generated.

So ...

Mark

Zettabytes!

Varun

Yeah, so the amount of data which we have to manage and have to rationalize, you know, find a needle in a haystack? This problem is going to become astronomical. And this is something we ... doesn't matter whether we would try to slow it down, you know, this is inevitable. If organizations want to remain in the game, they have to adapt to these digital innovations. Now, unfortunately, the speed with which cybersecurity transformation is happening is not on par with the digital transformation, and that's where right now the adversaries, the bad guys, are ahead in the game.

So my approach to a cybersecurity transformation program is: first we understand there is a gap. So all the industries which we see across the globe, they have a history of 20 to 100 years. IT has a history of, let's say, 20 to 30 years. But if you look at ...

Mark

Yeah.

Varun

cybersecurity, like ... Microsoft spends a billion dollars a year on cybersecurity and it is not enough for them. But if you look at it back, in the history, Bill Gates, 2002 or 2003, you know they were heavily focusing on bringing new developments, and then there were so many cybersecurity attacks, so many vulnerabilities which were exposed. So Bill Gates pulled his team and said, you know guys, stop working on new product features, let's start ...

Mark

Yeah.

Varun

focusing on cybersecurity. That is actually going to be our selling theme.

So that's where cybersecurity transformation is becoming indispensable because no organization would like to be in a place where your profit margins are good, you know you are having good terms with your clients, and one day one unanticipated security event happens, and you are ...

Mark

And it all gets flushed down the toilet.

Varun

All wiped off

Mark

Yeah.

Varun

So that's where I think, for a cybersecurity transformation program, I strongly believe that we understand the business requirement, but at the same time we use risk management as one of our strongest tools, because at the end of the day, you can spend billions of dollars without affecting the bottom line. Articulate the risk and communicate to the stakeholders; you have multiple options: you can accept the risk, you can eliminate, avoid, transfer, but make sure it is tangible. And one thing I really like in terms of a cybersecurity transformation program, which many people may find boring, but I think old is gold, is the SANS security awareness culture framework. I have ...

Mark

100 percent.

Varun

used it in the past also,

Mark

Yeah.

Varun

so it has these five phases and it is easy to communicate this to management, that we have to reach level four, where everyone thinks security is their responsibility. They contribute to security, and then you can see where you would like to steer in the future.

Mark

Oh yeah, that's, I think you're exactly right. If it's not broke, you don't need to fix it, right? Old is gold. SANS is definitely a great place for a lot of resources when it comes to cybersecurity, I think. We've all been depending on SANS for over three decades now, so definitely a place to go. I also, you know, I also like to tell a lot of my clients, because I think there's a discrepancy in, like a misconception actually, of cybersecurity. When people hear cybersecurity, what they hear is we're here to lock everything down. We're here to slow down your processes. We, you know, everybody stop while we try to figure out how to secure this thing.

That we're here to put in locks, and put in doors, and gates, and bars, right? And I like to fight that misconception, you know. I like to tell people that my prime directive really isn't to secure this organization. It's to ensure that this organization meets its objectives securely. It's to make sure that you guys, you know, do business securely. Not to stop business or slow it down. If I'm creating solutions that slow down the business, then I'm not doing my job.

So I think that's one thing that we need to start illustrating to a lot of our clients, a lot of the people out there who like to think of ... you know, I talked to another leader before and he said that, you know, in an organization, the developers, the engineers, all these guys, they think of those guys as the gas pedal of the car, and they think of us security guys as the brakes, right? So every time we show up they're like, oh, here come the guys, so hit the brakes again, but he likes to tell everyone that we're not the brakes. We're the steering wheel. We make sure that the car is moving straight, that it doesn't hit a tree on the way there. We're not actually the brakes. We're the steering wheel.

Varun

I like the analogy by the way.

Mark

Yeah, it's great. It's stuck with me ever since that guy told me, so I like to tell my clients the same thing. We're not here to slow things down. We're here to guide the organization in the right direction. So, yeah, that's fantastic.

And another thing you said there that really struck a chord with me was that we can't slow down progress, right? It's the oldest story in the world. Progress just keeps marching on and trying to slow it down is trying to hold back a train. It's like a person trying to hold a train back, right? You're just going to get run over by progress if you try to slow

Varun

Absolutely.

Mark

it down, so definitely that's a great point to let all these business leaders know. They, you know, the train's moving. You either want to get on it or you're going to get hit by it, right? So that's what we're here to do. We're here to make sure everyone can get on the train securely.

Yeah, that's a great breakdown of cybersecurity transformation. So you were saying earlier that you primarily operate in the Middle East region and the EMEA region. I myself, I've actually never operated there, and maybe a lot of our listeners haven't either. Mostly for me it's in the West and here in the APAC region.

Could you tell us about any special, any specific observations you're seeing about cybersecurity and the way it's done, the way it's viewed in that region that might surprise the rest of us who don't operate in that region?

Varun

Certainly. So cybersecurity has evolved dramatically in the last decade in the Middle East region.

One of the statistics which is still concerning, when it comes to the average cost of a data breach, is quite staggering. It's somewhere around six to seven million dollars. And this is the second highest across the globe. The U.S. is, as expected, at number one, which is around eight million, so yes, the cost of a data breach which organizations have to endure is quite big, but at the same time there is a light at the end of the tunnel, because the government is taking very strong steps to improve on cybersecurity. So there are a bunch of examples.

To start off with, there is something called the Dubai Cyber Index. This was launched last year and the objective is to actually integrate all government entities in Dubai, and now you will have strengthened their cybersecurity. You will have a very advanced Incident Response, and the objective is to make Dubai, and overall the UAE, one of the most digitally safe countries in the world. So that's a very strong initiative.

At the same time we have a strategy, the Dubai Security Strategy, which was established by the ruler of Dubai, Sheikh Hamdan, in 2017. Again, they keep a close eye on the improvements, and last year, in November 2021, there was a very big achievement. They came up with a personal data protection law. They are following GDPR, because what we have seen for a very long time in the UAE region especially, cybersecurity product sales increased dramatically. It literally hit through the roof.

Now what we are seeing is that it's not merely selling a SIEM solution or DLP. They are actually focusing on entire cyber programs, so data security is also going to be one of the very important components.

And last but not least, yesterday I came across the news, which was also quite interesting, that the UAE Cybersecurity Council has made a partnership with Huawei to again strengthen cybersecurity, and then it's going to have a ripple effect, because all the private organizations which are right now providing support and services to government entities, they also have to abide by cybersecurity best practices. So the ecosystem is becoming bigger and bigger, and I think we will be seeing some tangible growth in the coming future.

Mark

All right.

A couple of things you touched on there. You know, I find that in the journey, in a cybersecurity journey, there's a certain specific phase when an organization starts pouring money into cybersecurity tools, solutions, platforms, and at this particular stage, when they decide to start pouring that money in, they're not putting much focus into how it gets implemented, how it fits with the other solutions, right? It's not a very holistic approach. It's usually just a throw-money-at-the-problem kind of approach. Is that the same thing that you guys are seeing over there in that region?

Varun

I would say in Middle East, yes to this extent.

In our organization definitely not, because I think we had some masterminds who were competent enough to foresee the problem. And we fixed the basics in a proactive fashion, but definitely in the Middle East that problem was there, where someone with a very enticing sales pitch will say all you have to do is get my SIEM solution and that's a silver bullet.

Mark

And that's another great thing, right? What an old colleague of mine used to call the magic wand, right? Everybody wants to sell themselves as a magic wand. All-in-one solution. Set it and forget it, right?

Does that even really exist? Do you, have you ever seen one of those before?

Varun

I have seen a lot, and I was surprised, you know, when I was confronting the salespeople, they are not gonna back down, they will still keep on arguing that, yes,

Mark

They will keep pushing.

Varun

there is a silver bullet and ... but I think management, they started understanding that when a security incident happens, things become chaotic, and then you learn, oh, there is no silver bullet. You have to focus on People, Process, Technology. You miss one and then, you know, you get the beating.

Mark

That's right. That's exactly right. You know, you gave an interview recently and you said something very similar. The attackers ... you know, we have to be lucky every time as defenders; attackers only need to get lucky once.

And that's exactly what you're touching on here, right? Once we finally hit a breach, we realize that we have to cover every single corner of the organization, and they only need one crack to get through. Ah, so definitely something we're always dealing with, and I think something that people don't appreciate about the jobs that we do.

Yeah, so going back. What would you have to say about having a more, like you said, comprehensive People, Process, Technology, organization-wide, across-the-board, holistic approach? What kind of message would you like to give to the leaders and the business leaders out there about how to approach this security problem?

Varun

So I think it has two sides of the coin. One is the business side of things and then you have the technical side of things. I always come across this question, because this is one of the hot topics always in these CISO forums, you know, "talk security in business language", and I personally think we have to strike a very perfect balance between the business side of things and the technical security. Because if you only focus on technical security, you may start splurging billions and you're not reaching anywhere at the same time.

If you only focus on the business element and you have literally got no clue what ransomware is, what Incident Response is, then when some unanticipated event happens, you know, literally you will have shivers sent down your spine. You will have cold feet.

Mark

Yes, that's right.

Varun

So having this perfect balance, I know the responsibilities of CISO are humongous because

Mark

They're huge.

Varun

the business models are becoming extremely sophisticated. They expect you to know everything.

Resource constraints, budget constraints are always there, so that's where focusing on the business level of things, having everything documented, having very coherent communication, and at the same time, when it comes to the technical angle, try to keep pace with what is happening in the threat landscape. And the good news is, nowadays, you know, you don't have to spend a huge amount just to get the latest updates. There are so many CERTs out there, so many agencies which, you know, provide you threat notifications.

Mark

Yeah.

Varun

You can make a world of difference as long as you are ready to bring a tangible change.

Mark

Yeah, definitely. That's a great point. And another thing you touched on just now was that, you know, CISOs have a lot of responsibilities. There are a lot of expectations. There are a lot of things that they need to get done. And one thing I run into a lot when I'm doing consulting with other organizations is they, you know, they say, okay, we've got the CISO, we just hired him, we had this giant long list of things that he needs to know and he knows all of them, so we're done. We're done, we're finished. We have our security program because we hired a CISO.

Is there anything you would like to say to those people?

Varun

I mean, the kind of expectations are literally hitting through the roof. There is no doubt about it, and literally it sometimes blows my mind as well, the level of expectations, but I think one thing ... communication, though it sounds, communication, risk management, though it sounds boring, because they have been here for almost, God knows, how many decades, but I think it's not new, yeah, they're always there, you know, it's not somehow inherited from the IT industry. It's there in the world, so communication and risk management can bring a huge, profound change, and don't give some false commitments that, oh, I have just joined, in 90 days, you know, I can change the entire organization's risk profile. So be transparent.

Do that initial due diligence. There are a lot of strategies and techniques I also personally use which are eye-openers for the Board of Directors, and then you can buy more time. So initially you can understand the threat profile, you can show some flashy things even if you don't have much budget, and then, when they have had such a dramatic experience, then you say I have a plan and I need these resources. So don't suddenly get into a boardroom and say all I need is one million dollars and I will get the ball rolling.

Mark

Right, and you know this is what happens a lot of the time, right? Like they leave, they again just throw money at the problem. Give me a million dollars, I'll solve the problem, right, but I think ... yeah, I think hiring a CISO is not the finish line; it's the starting line, right? There's a whole race that needs to get run after you hire a CISO. Lots of steps still need to get done, like you said. You have to hit it on all three: People, Process, Technology.

Okay, yeah, yeah, I think that's a great message to get out there. Hopefully someone's listening. Make our lives easier for us. I'd like to switch gears at this point, because Horangi, we're a cloud security company, we're cloud native, we were born in the cloud, and so we love everything cloud.

So we've been talking a lot about digital transformation. We've been talking a lot about cybersecurity transformation. Do you have any thoughts on cloud and companies that are undergoing cloud transformation?

Varun

Yeah, so I generally say in the security community a lot, whether you love or hate cloud and security, they are actually gonna stay here.

As a matter of fact they will coexist, and I think cloud is a fascinating technology, but at the same time it is disruptive, just like we have seen with computers, phones, tablets, the internet, so it is going to stay and it is lucrative. There is no doubt about it. Backups are convenient, pay-to-play model, but, you know, the analogy I use for cyber experts as well as with businesses who are very desperate to actually go onto a cloud, you know, what we say, so let's say you have some valuable items, extremely precious, and you travel a lot.

Now you want to safeguard them somewhere and someone approaches you and says, you know what, I have a secure facility somewhere in the U.S. and Japan. Just give it to me. Are we actually gonna do it? Definitely not. So cloud is a place where you are going to store your data. Now you do not know which computer it is sitting on. You don't know which country it is in. You have got no clue about who is controlling, who is managing, who is monitoring, and you want to offload your data to someone else? Definitely not. So that's where it is very imperative for every business user, every organization and entity to understand that we cannot escape from the due diligence. We have to assess cloud security. And one of my interesting stories is Code Spaces.

So again, Code Spaces was a cloud provider and they were hit by ransomware, and the adversaries, they didn't like the negotiation process and they wiped off every single piece of infrastructure within ...

Mark

Wow!

Varun

this landscape. 12 hours, that organization was wiped off the face of the earth.

So when things go wrong you know it can go horribly wrong.

Mark

That's crazy.

Varun

And that's where I think we have to do due diligence. One of the statistics I was reading last year, which I think KPMG came up with, is that 60 percent of privileged cloud credentials were actually phished, so not having privileged account management in cloud infrastructure is also quite a common problem.

Last but not least, I would say cloud security and cybersecurity are intertwined because, at the end of the day, if you don't have a private cloud, you are accessing your cloud infrastructure over the internet. So you cannot escape any of the cybersecurity concepts.

Mark

A hundred percent. That's exactly right, and I think, just to add on to that, like you said, due diligence, you have to do your due diligence. You have to understand, I mean, people need to understand, like, you're right, a lot of people, all they're hearing is, oh, it's going to help me save costs. It's going to help me with scalability. It's going to help me with all of these different portions of my business, so, hey, why not? Let me just throw it all, throw all my data in the cloud. But you're exactly right.

Before moving to the cloud, before taking that cloud transformation journey, people need to do their due diligence. They need to understand cloud as a technology. They need to understand, you know, availability zones, where the data is going to be stored geographically, in real life. The shared responsibility model, you know? What parts fall to them, what parts fall to the providers. There's so much to understand about cloud and cloud technologies that if you don't understand these things and you run headlong into cloud technologies, you might, like you said, when things go wrong they'll go horribly wrong, and it's not worth the savings and the value that you get out of it if you don't do it properly.

So I think the main takeaway there is to understand what you're getting into, because there are just as many dangers in doing that as doing it on-prem, so definitely great points. We're kind of reaching towards the end, so maybe, Varun, if there's one thing that people had to, you know, people who are watching, people who are listening, if there was one thing that they had to take away from our time together here, what is the main message you want to get out there into the world?

Varun

So the one which I love the most, because it covers an audience which is technical as well as non-technical, even the business users who are not into cybersecurity, I think we should take cybersecurity very seriously. So there is a company called Venture Capital, they say the total losses the world is going to encounter in 2022 is going to be a staggering six trillion dollars.

Now the global nominal GDP of the entire world is somewhere around 90 trillion dollars, so you can imagine the loss is something unimaginable. It's very staggering, so cybersecurity should be taken very seriously, and why I say that, not only in terms of the losses which people are encountering. You know, back in the old days, if, let's say, you have an enemy, let's say you have a burglar who is trying to break into your house, now you have some ways, because you can see your enemy.

He's visible right in front of you. If you know martial arts, you may get into a fistfight ...

Mark

You can chop them up.

Varun

or you can have a negotiation, you know? Maybe you can just bow down and do something about it, but when it comes to

Mark

Or reason with him or ...

Varun

Absolutely, so when it comes to cybersecurity, are we even aware that this invisible ghost is actually there right now, looking at us? We don't know.

Mark

We don't.

Varun

And this invisible ghost wants to actually snatch everything we have ever earned in life, whether it's your personal life or corporate, doesn't matter. So that's where we have to take cybersecurity extremely seriously. I'm not saying it because, you know, we are cyber professionals. We have to have a very amazing selling pitch, you know, the results speaking volumes and ...

Mark

Yeah, it's a little self-serving but it's true. It doesn't make it false, right?

Varun

So, personally, I have never met any person in my life who doesn't have a cyber story, some cybercrime story to tell, so, you know, that says it all.

Mark

That's right, it touches all of us equally.

All right, well, thank you so much for your time, Varun, I really appreciate it. We'd love to have you on again and share some more war stories with us. For everyone else out there, thank you for joining us.

Catch us next time on the next episode of Ask A CISO. Until then, this is Varun and Mark signing off.

Varun

Thanks, Mark.

Mark Anthony Fuentes

Mark Fuentes has over a decade of experience in the cybersecurity field, highlighted by roles in organizations such as Verizon, the International Monetary Fund, and the United States Department of Homeland Security. Mark is an avid consumer of technology trends and threat intelligence and seeks out new applications of tech and research to combat cybercrime.
