Service-Based Mindset: The Missing Link in Cybersecurity | Dheeraj Pandey
Guest at a Glance:
💡 Name: Dheeraj Pandey
💡 What he does: Dheeraj is the CISO & Head of Organization at Crédit Agricole Corporate & Investment Bank, India
💡 Noteworthy: He enjoys learning about marketing and is an avid listener of several demand generation podcasts!
💡 Where to find Dheeraj: LinkedIn
Every time a vendor comes through the door, what they're looking at is just a closure of a deal.
Having frequent service evaluation calls or catch up calls with us so that they can serve us better is not only beneficial to security practitioners, but for the vendors themselves.
The industry is moving in that direction, but currently this service-based mindset is largely missing in cybersecurity.
Brutally honest insights from Dheeraj Pandey, CISO & Head of Organization at Crédit Agricole Corporate & Investment Bank, India.
In this episode, I had a conversation with Dheeraj about his challenges, goals, the value of community and peer-to-peer engagement, how to best leverage community as a vendor, what vendors do that pisses him off, and the alternatives.
Becoming a CISO for Dheeraj was fast paced and he loves the thrill of the job.
What Dheeraj hates most about the industry:
- There is a lot of catching up to do. Staffing is a big challenge.
Cybersecurity can vary a lot from organization to organization. If we talk about a country like India, organizations whose head offices are not in India face these challenges a lot, because they don't have much decision-making capability locally, and staffing becomes an immediate challenge.
There's so much to do because the threat landscape is continuously evolving. You have to improve the security, and there's a lot of pressure from the product standpoint to deliver, upgrade security tools and software, and also do more pentests, application security tests, regulator follow-ups, reporting to the board, etc.
- There is a lack of quality education in the cybersecurity area.
The other challenge is the fact that I think the industry is a bit nascent.
I can probably talk more about this from an India standpoint, because a lot of people in security are self-taught. And they are in security because they have a deep interest in it. But if you look at the demand in the industry, the demand is huge. So, if you compare it with other areas like software engineering or application development, there is a proper pedagogy.
There's proper quality of education and training infrastructure present, so good-quality people are coming out and it's not hit and miss when you're looking for resources and trying to hire; you can even hire people who are just out of college and train them.
So, that is something which I think is missing, especially in India.
As a CISO, Dheeraj’s bleeding neck challenge is:
- There is so much to do and there are little resources to execute those things.
We have so much to do and we have very little resources to execute it. If you know about regulators, you know that in specific industries like banking and healthcare the regulation is very, very strict, and we have less leeway in terms of what is coming at us.
I would say with a smaller setup it's even more challenging, because you have your setup centralized in regional head offices, whereas when regulations come in, they look at it from a very wide angle.
If a regulator writes something, they would write it from the perspective of a retail bank. Now, if you are into pure corporate or commercial banking, the scope of the regulation for you is very limited, but the lens does not change from a regulatory standpoint.
So for us, these regulations are like books. We have to go through them. It keeps on evolving. Every couple of years we get new requirements, and these are huge. And for us it's a bit of a catch situation, because we don't know what is applicable, since it's written in a very, very, I would say, broad sense.
It's not very pointed. So we have to kind of assign its meaning for us, and then basically discuss it with a lot of internal teams to say that, okay, this is the meaning and this is what people do.
So for us to find out the scope of the regulations which come in, to find out which applications are scoped, what to exclude, what to include, it becomes a bit of a long haul for us. And because of the multiple layers of defense and regulatory requirements and reporting that have been put in place, we are already behind.
A hacker has only one job - to hack, right? They don't have to report. We have to report, we have to maintain KPIs, KRIs, and a lot of different stuff, processes, documents, policies, which a hacker doesn't have to. So we are already on the back foot, and so it's a continuous chase that we are in.
So that is something which, you know, can only be tackled through a couple of things:
- More qualitative discussion and involvement in the evolution of the regulation vis-à-vis different sectors and different geographies.
- Sensitization towards security at the highest level has to be done more actively, so that the threats are met with adequate resources to mitigate them.
Otherwise, you know, we are only on the back foot and we are praying that we don't get hacked.
How Dheeraj and his team handle the challenge of constrained resources:
We are trying to automate a lot of things. We are trying to set up internal processes in a way that whatever resources we can salvage, we can utilize them to offload these reporting and process-management tasks, to give way to more perimeter management.
- Simulating attack scenarios
Doing things like simulating a scenario where an attack has happened, and measuring how much time we are taking to respond to that attack, is something that I think is very much necessary, because large organizations have a lot of infrastructure. The holes can be anywhere.
So for us to simulate something is paramount. The way that we are managing it is that we are trying to get some resources to offload the operational day-to-day and reporting tasks, and then managing these aspects of improving our resiliency.
How Dheeraj evaluates new cybersecurity solutions and tools:
The overall global security roadmap is something which we are a part of, but the decision-making is centralized in the region, in our head office.
So we have a say in it, but we are not part of the deployment of it, so we don't typically evaluate vendors.
And this is true for all foreign entities which have their offices elsewhere while they are centralized in a specific location.
The decision-making is top-down. I'm a CISO for one of the geographical entities.
So we ask for referrals from our networks, and we look at some organizations which have a good reputation, typically who have worked with organizations like us in other geographies or with similar setups. And we look for a direct proof of concept with them.
In India, data localization is a big thing. There was an incident which happened, I think a couple of years back - there was a breach and the data was not able to be brought back to India because the data was not in India.
So, the regulation has evolved for banks to have all of the end to end payment data in India so that in case there's an event which happens, the entire chain of units can be established.
So, when we were looking for a security vendor to conduct this audit and find out how we can implement this regulation for us, we asked in our local networks.
I've seen quite extensively people would post in the CISO networks.
We would select them on competence, experience, and budget.
We continuously evaluate on the basis of need and our own internal risk management framework. Whatever new risks are coming up, we are continuously looking at vendors, either for regulations or for the internal framework that we have.
The service-based mindset is missing in the cybersecurity industry - and vendors can differentiate by simply adopting it.
Every time a vendor comes through the door, what they're looking at is just a closure of a deal.
I can see that pressure on them because, you know, it's a competitive field. Everybody wants to, you know, get a project with a reputable organization.
So, instead of asking us about our problems, they are saying yes; sometimes they say yes to anything that we are asking them to do. That comes out very clearly.
And after the service happens, and after a project is delivered, on an ongoing basis when we are receiving service, feedback is something which is missing, which I think vendors can take advantage of.
Vendors should take advantage of it, because whether you are using a product, or a product as a service, or a service in security, it has to be backed by a proper service. I don't see vendors going ahead and taking feedback or having that mindset of service.
Instead of trying to sell, try to understand what are the areas that we are working on, and is there some way in which they can support us?
And having frequent service evaluation calls or catch-up calls with us so that, you know, they can serve us better. The industry is moving in that direction, but currently this service-based mindset is missing in security.
Firms which are offering security. That's an interesting point, and I generally strongly agree with you. I just want to drill down into that a little bit more, because I want to know why you think that there isn't enough of a service-based mindset in security.
Organizations which are not customer focused or don't have this mindset in the long run will perish.
Why is this service mindset and this approach important for you?
This is important for me because somebody who's a CISO has to be in 10 different places and has new requirements going out to the market. If I don't have a very good rapport with existing vendors, I would probably go out and ask about something in the market.
And if I have a good rapport with the vendors that I have, I would probably already know that, because we'll have a constructive discussion, right? They will ask me about my problems, I will tell them, they will tell me about the solutions.
So whenever I have a new requirement, I will not go to the drawing board again, spend time and resources, look for vendors, send out an RFP in the market and ask for xyz.
It's beneficial for me. And it's very beneficial for them as well.
Outbound vs. Inbound Selling: What Works and What Doesn’t
I get so many messages on LinkedIn and these messages are direct sales. Smaller organizations are hiring someone to do their work and somebody who doesn't have experience in marketing but knows that LinkedIn is a tool, they go and search, they buy a Sales Navigator subscription.
They go and search for CISO as a keyword and whatever comes up, they have a message which they send out.
So the issue is that if a hundred people or 500 people do this, it dilutes the value of LinkedIn or any other tool. If I'm bombarded so much, I basically stop checking my messages, and what happens in that case is I may be missing good vendors, but I don't have the time to go through the 20-30 messages I get every day.
What happens is that somebody messages me, copying and pasting the same message 10 times to me on LinkedIn. That is something which kind of puts me off a little bit.
So bombarding us will get you nowhere.
If you have a solution which is more catered towards the Indian market, that doesn't mean that every CISO who is in the Indian market is a potential target for you.
What it means is that maybe Indian banks or organizations with head offices in India are a proper target audience for you, and organizations which are foreign-based but have offices in India are not a target for you, because the nature of operations is very different and the decision-making is very different. The structure is very different.
Customer research and validation is critical to informing your content strategy.
The way customers are being educated is not right.
People are not valuing the aspect which needs to happen at the top of the funnel.
To educate your customer, I would expect a vendor to do proper research.
- Who is your target audience?
- What are their pain points?
- Who are the decision makers in the organization?
- What are their jobs to be done?
After you find all of these, do proper engagement and then take the conversation further rather than sending out direct messages.
It's value driven from both sides.
When I see value, when you see value, you hear a good conversation, a genuine conversation, non-salesy stuff, you kind of want to learn and listen more about it.
Educational topics that resonate with Dheeraj:
- The evolving landscape of cybersecurity
- Cloud security
- Application security
- The way threat management is done
- How security operations are being run
*Those topics as they tie back to the current challenges, priorities and requirements buyers are experiencing at that particular time, e.g. data localization and regulation.
Types of media Dheeraj likes to engage with:
- Industry forums
- Digital whitepapers and eBooks
If somebody is offering me very good qualitative content over a podcast and inviting me to learn what it is that they are doing and how it can probably help me - education is the key.
The sale happens automatically after that.
Whenever you're ready, there are 3 ways I can help you and your go-to-market team:
1. Conduct a one-to-one interview with an existing or ideal customer and extract the most useful insights and recommendations for action.
2. Run a focus group with our CISO Panel to validate an idea, trend, message, service or product.
3. Plan and facilitate a customer advisory board (CAB) with your key customers to drive loyalty for your company's brand.