Become a Creator today!Start creating today - Share your story with the world!
Start for free
00:00:00
00:00:01
#7: Srivathsan Chellam image

#7: Srivathsan Chellam

Transformation Stories
Avatar
96 Plays3 months ago

Srivathsan Chellam explores how businesses are facing growing security challenges in an evolving digital landscape. While some companies prioritize proactive investment in cybersecurity, others focus solely on meeting compliance requirements. Digital transformation introduces new security concerns alongside its benefits. AI presents a double-edged sword, offering both risks and opportunities for threat detection and response. 

Hear Sri describe how ultimately, effective cybersecurity requires a customized approach and hands-on expertise from security professionals.

Transcript

Introduction to Transformation Stories

00:00:00
Speaker
This is Transformation Stories, a podcast from Atlas Systems, exploring how companies are leaping into the future through deliberate change and innovation. In today's digital landscape, businesses face a choice to transform or risk falling behind.

Transformation Strategies & Opportunities

00:00:18
Speaker
Here are the insights of visionaries and changemakers were driving transformation across various industries and roles. They'll share their experiences, strategies, and the most potent opportunities for success. Join us as we uncover the secrets of transformation.

Meet Srivastan Chellam

00:00:38
Speaker
Srivastan Chellam is Vice President of Engineering and Cybersecurity Lead at Atlas Systems. A thought leader in risk management and corporate governance, Chellam brings to Atlas hands-on experience in working with global audit teams, building digital transformation strategies, at establishing centers of excellence. For over 10 years, he played key roles on the audit team for Target India, rising to become director of internal audit. Earlier, he was an information security analyst at First Advantage and an incident lifecycle coordinator at HP Enterprise Services. Sri, it's great to welcome you to Transformation Stories. Thank you so much for taking the time to talk to us today. Thank you, Dave. My pleasure.

Cybersecurity Evolution with Digital Transformation

00:01:27
Speaker
And our topic is cybersecurity, which is a huge topic right now. And I just wonder, you know as a place to start, could you talk to us about how cybersecurity has evolved as ah as a field, you know as a concern, and even during your own career? Could you tell us that? Sure Dave, I think cybersecurity from the time that internet was invented to where it is today has grown phenomenally as ah as a matter of concern, as an area of opportunity and and also as a ah constantly evolving thing. I wouldn't say it's already evolved, it continues to evolve. And I always
00:02:11
Speaker
Relate the cybersecurity evolution with the industrial evolution itself as industries progressed as we became more and more digital. ah The need for cybersecurity grew along with it. We are in a world where There are billions of devices which are interconnected and data and transactions are are flowing every in a single second between ah countries and continents and it it adds to a layer of complexity ah and it has become a much more complex problem to solve ah because we are not talking about just two parties engaging in a transaction. It's ah it's it's so you know a layer of multiple parties
00:02:56
Speaker
using multiple different systems and each of them using their different technology. So that I would say the complexity of the problem is is the key part when it comes to evolution. Just looking at how companies are responding to all these you know these new challenges, these new demands for cybersecurity. I mean, how do you think ah they're doing overall? How do you think the marketplace is doing?

Proactive Security vs. Regulatory Compliance

00:03:22
Speaker
yeah I would say like there are two kind of approaches that companies are taking. know Some of them are ah leaders who stay ahead of ah the the trends and really look at security more proactively. ah They don't see security as an as an as an expense on their balance sheet, but but they really see it as an investment.
00:03:43
Speaker
And then there are other set of companies who think about ah doing security only for the sake of compliance, ah because somebody asked for it, some regulator asked for it. So I'm seeing those ah companies sitting on on the two ends of the spectrum. ah so Definitely for a cybersecurity professional, it's it's's very difficult sometimes because you don't know which side your organization is heading to. right So you're you're trying to convince your CIO that we need to invest in this and and versus you know somebody else coming and telling you, you know you need to get this done just to ensure that we are compliant.
00:04:21
Speaker
So that's been a ah a ground challenge for most of the companies. I would say it's it's a shift in their mindset that organizations should be thinking about ah more than anything else. Do you think that companies that are more oriented towards transformation, that are more willing to lean into transformation, are also more aware of cybersecurity and they're also more in that kind of first category of you know proactively doing it? Yeah, absolutely. um Companies that have ah thought about digital transformation are already thinking about you know securing their infrastructure because the reason that they are going after digital transformation is to meet their client expectations. And when ah one of the biggest expectations that any client would have ah more than availability or reliability is is also ah security and privacy.

Post-COVID Cybersecurity Challenges

00:05:17
Speaker
So the organizations that have taken an aggressive approach towards digital transformation have also considered this associated cybersecurity risks that comes in that process and they are willing to ah invest in security, get the right security solutions before they roll out this massive transformation. And if you just sort of key in on a few or a couple of specific areas where you know transformation is bringing with it new cybersecurity concerns and there they really are sort of locked in and and and can't be separated.
00:05:58
Speaker
Sure, i I probably would think of a couple of scenarios. know when When we speak about transformation, we naturally assume digital transformation. And and that's where, to my earlier example of you know connecting cybersecurity evolution ah to where we are today in in an industry 4.0 era, where there are a lot more connected systems. So the aspect of digital transformation is incredible ah you know with the advent of internet of things and you know OT operational technology and you know manufacturing ah security coming into picture. So more and more, ah I would say path is getting opened for a cybersecurity professional to engage and have a discussion, which otherwise you would have discarded saying that, okay, this is an area where security doesn't have a role or or or a cybersecurity person doesn't have a role.
00:06:48
Speaker
ah So that's that's one set of the transformation, the digital transformation. The other transformation, you know, especially ah post COVID is the challenge that the definition of workplace has evolved. Organizations which were hesitant to ah Not let employees work remotely or you know anybody connect remotely to their network. We're forced in ah in a week or two to to you know find out arrangements and and they had to be comfortable in in letting their employees connect from anywhere and and and
00:07:21
Speaker
and And more than that, they could connect from any device. So that what it really meant is you're really opening up the threat landscape, and how are you going to you know really ah challenge this out? So today, ah in in the world where it is, with the definition of workplace being so ambiguous, so broad, so wide, ah you You are creating a much bigger you know landscape ah from from a cybersecurity standpoint. To me, I think that's the broad two aspects of transformation, ah both digital and the workplace transformation.

AI's Dual Role in Cybersecurity

00:07:53
Speaker
And thinking specifically about AI, which of course everybody's talking about, and do you have thoughts about how AI is affecting the cybersecurity field as opposed to you know whether it's solutions or threats?
00:08:09
Speaker
there I would say both, ah I'm worried about the the the risks that AI bring in. and and But to look at a on the positive side, the opportunities that AI could add when it comes to cybersecurity. So I'm going to delve a little bit into both of those stories. ah Yeah, the way AI is evolving, definitely it puts a ah lot of ah risk and and you know a lack of trust in anybody's mind because you don't know the entity that you are discussing with whether it's a person or it's it's a machine. right so
00:08:43
Speaker
ah naturally your trust level on the information that is getting generated tends to you know go down. ah And with open source technologies coming in and and and if you think about technologies during the earlier days, they would sit and write lines and lines of code to get something working versus today somebody goes and and you know ask something on a chat GPT or another AI engine and it and it kind of you know gives you the entire code and and we are at a risk of somebody copying and pasting that code into an environment you know really not understanding what vulnerabilities could be there right that's just one small example ah but today we are extremely dependent on open AI platforms for a lot of things
00:09:30
Speaker
And sometimes ah the information that comes with an open AI platform is not reliable. It's not you know credible enough. right so But it's a mindset that we we feel that okay it it is validated by somebody else. It is an accurate information. So we we tend to ah believe in that information more than what it truly should be. And we just get that into our environment or you know implement that in our technology. So that that makes me nervous and and ah we are still lagging behind when it comes to developing a framework for regulating the use of AIs.
00:10:07
Speaker
And and but but with any invention, in always the the invention and the technology gets going first and the regulation always catches up. So that's true with AI as well. While there are frameworks ah that are being put together, ah the awareness and the practicality of implementing a regulated framework for the use of AI in organization, most of the organizations don't have it. you know i might take a wild guess of maybe more than 80-90% of the organizations wouldn't have an AI regulatory regulation framework in their organization. So that's ah a serious trouble to you know a problem to solve for. And moving on, the other aspect, while I spoke about the problems, I'm also wanting to touch a little bit on the opportunity it presence, especially when it comes to the cybersecurity field.
00:10:56
Speaker
ah The ah threats are becoming sophisticated. Threat actors are becoming sophisticated. Cybersecurity as an industry, when i you know it used to be where we were always trying to prevent a threat from happening or an event from happening. Whereas nowadays we bo we are willing to accept that's the reality. You're not going to be able to prevent an attack on you. All that you're going to do is you need to have ah sophisticated capabilities to detect and to respond to those events or incidents and the the window that you get for detection and response, it's all about narrowing it down versus preventing an occurrence of insecurity event which is far from being a reality. ah In that space, specifically, AI is going to be helpful and it's going to play a ah big role because
00:11:50
Speaker
your organizational infrastructure is generating terabytes of data in in in a given day. And how do you run through all of these logs? How are you going to correlate the the logs that are coming from different set of devices that make sense out of it? it's It's humanly impossible. Yes, you could do a common minimum check and and you know hope. you know In the olden days, they say, patch and pray. So it's similar to that, right? So you you do what you have to do and just look at the ah logs and feel that, okay, yes, we are secure and and feel that we are comfortable. But it's it's not truly an an acceptable level of assurance. But with the advent of AI coming in, today there are threat detection platforms that are out there in the market.
00:12:31
Speaker
which uses AI to support your security operations analyst or the investigator to ask more, to probe more, and they are directly able to get into the the the logs that they are interested to see. So I think that's a huge opportunity that I'm seeing, especially in the threat detection response platform. AI is is helping cybersecurity analysts to to do a much better job and to generate more different sites.

Client Motivations in Seeking Cybersecurity Advice

00:12:58
Speaker
You know, just thinking of your work at Atlas, you know, clients coming to you with their problems today, cybersecurity problems or problems they don't even know are cybersecurity problems. How do you, what do you think is the most important things that you bring to the engagement, to talking to them, to really helping them get from, you know, a position of discomfort to a position of being in control and on top of this?
00:13:27
Speaker
Yeah, so when clients approaches for any cybersecurity solution or even for an advice, right it it may not be even always formal engagement. I always try and think in terms of why are they coming in the first place. right So going back to my earlier point. Are they truly invested in in in securing it? Do they truly understand the gravity of cybersecurity issues? Are they here just and somebody asked them to be compliant with a certain requirements and and they had to have a common minimum security program? but So are you looking at a common minimum security controls? Do you really want to build a what we call as a cyber resilience? right Do you want to really make your organization cyber resilient?
00:14:10
Speaker
it It naturally takes a lot of talking and engagement with them to help them understand, to do a reality check in terms of what are the current trends in the cybersecurity space, how threat actors are evolving, and and how important it is for us to think of security beyond compliance. So that's the you know ideal conversation starter that that we have with them. And then we also try to kind of put the entire landscape of security threats, you know, be it across their infrastructure, say, let's talk about network security, or in a cloud or web application security. And what else could we do? How ah how could we add? And also, we have a very transparent you know discussion with them in terms of
00:14:58
Speaker
Look, we are not doing this alone. We are not relying only on our expertise to do this. ah We also have partners ah from ah tool providers who have sophisticated AI capabilities, as I mentioned, in Threatened Detection Response to help us solve the problem. So it's it's literally you know doing a and you know starting with an awareness, ah then you know trying to tell them what is that we could do and how do we you know build it together. And it's not enough, we we just build it and leave it. Security is in continuous and concept. right So you just can't take the foot off the pedal and and think that the vehicle is going to run on autopilot mode. ah Yes, it is going to, but you still need to you know be be alert and and and be ready to take the steering wheel when when it demands. right So ah you just can't let it be there. That's where our monitoring capabilities, which we speak about, you know comes into picture.
00:15:51
Speaker
So overall, that's that's how we approach cybersecurity engagements with an address. And just from the way you describe you know the complexity of of pick the problems the companies face, it seems like you know just sort of handing them an out-of-the-box solution, you know something that's just ah kind of a widget that you plug in and then walk away. That that's really doesn't sound like it's sufficient most of the time. You really need to get in there and kind of collaborate with them to to build the best solution. Is that a fair statement?
00:16:28
Speaker
Absolutely, Dave. and and And I can't agree more with that. it's There's no no one no one size fits all, right? So the concept is every organization's risk landscape is very different. and and and And how they perceive security and perceive security risk is very different. So that's where I would say we really want to be ah a company that provides you solutions, solves your problem versus selling products or ah services.

Importance of Tailored Cybersecurity Solutions

00:17:00
Speaker
right So ah the security industry where we see is there's a good concentration of companies who are good at selling products but to do not have the capabilities or do not have the empathy to empathy to serve the clients.
00:17:14
Speaker
And on the other side of the spectrum, you you see these players who are good when it comes to servicing, but don't have or do not have an integration with some of the leading product companies. right So you see that there is a ah space where someone needs to empathize with the with the human being that is sitting opposite to them. and and really talking about the security problem and trying to solve solve their problem and you just don't want to dump a set of tools and you know a list of you know scope of work documents or of procedure documents to say this is how we are going to manage security. right It really needs that that customized approach and and really solving the problem that matters to them the most.
00:17:56
Speaker
That's really interesting. so So just sort of returning to our theme of transformation, um I wanted to ask you you know at more of a personal level or career level, you know what what does what has transformation meant for you personally? And and how have you transformed or how has your career transformed as you know all of these things have evolved around you?

Career & Industry Reflections

00:18:21
Speaker
That was a great, great question, Devan. And it's a very deep question as well. So I'm going to take a little bit of time to explain that. ah
00:18:29
Speaker
I think I've spent about 17 years as a risk management professional right from the time I started my career in the IT infrastructure space. These are the good old days of having ah you know those big servers in your data centers and cables running all around. And that's how we've seen that. right and and and And the kind of risks were so basic at that point in time. you could you know easily have a checklist and ensure that your cybersecurity health is there.
00:19:04
Speaker
from a checklist, it evolved into you know something else ah in the next few years. And it required me to wear a different hat, ah really. So that's that's the point in time when I had to step out of being the operations guy you know who's taking care of the security and just move one layer outside of it and you know get an outsider's view of how security is there and really think like an attacker in terms of okay what else could I exploit? And then that's when I was introduced to the world of social engineering and phishing. Today, the most sophisticated cyber attacks take place with a very small ah you know ah ah technique of social engineering or phishing. right it's It's a very basic ah thing that that that the threat actors would use. And and this kind of ah gave me the perspective that
00:19:56
Speaker
Nothing is unbreakable. right if If you use the right cards, you still could break into any any system that that we consider is as foolproof. So I think evolving from there and and really looking at where my career today is, today a security professional really needs to be hands-on. There's so much of areas where your infrastructure is spread. It is no longer in in your you know own data center, but it is spread across. right I'm talking about the advent of cloud and and cloud technologies coming in ah with with the advent of APIs and things that are coming in.
00:20:34
Speaker
a cybersecurity professional today needs to be more than understanding the the compliance requirements and and really go beyond the checklist and gets his hands on. So I would say ah my my objective in my the last few years of my risk management career or specifically in cybersecurity has been to really get hands on with the field. And that in itself is ah is a huge transformation because You are assuming titles and you know leadership roles, but that never ah gives you the freedom to move away from a hands-on experience. right You need to really, really oh see see what's under the hood and and and be in you know touch with it to stay relevant. so I think that's the biggest career transformation I've had from a security standpoint. I guess you really need to be hands-on to understand the threats you know to really
00:21:30
Speaker
sort of feel what they're like and and see them up close, right? Absolutely, absolutely. So if if you ah don't understand them well, you're you're not going to be able to explain that well, right? So I would say anything that we want to prescribe to our clients, we want to talk to our clients about, I think we need to have a firsthand and information about that and what are the ways to actually look under the hood and and experience it for yourself. Ashree, I want to thank you so much for talking to us today. I think it was a great conversation. I really learned a lot. And thank you for sharing your experience and your insights. Thank you, Dave, so much for giving me this opportunity to talk about cybersecurity as a field. Like you said, it's always evolving. It will continue to evolve. but But thanks a lot for this opportunity. I really enjoyed having this conversation with you.
00:22:20
Speaker
And that's a wrap on today's episode of Transformation Stories. If you found this episode as enlightening as we did, be sure to subscribe, rate, and leave a review. Your feedback fuels our mission to bring you more thought provoking conversations. As we conclude today's journey, remember that transformation is within reach for every business, and it starts with deliberate choices. Keep pushing boundaries, seeking new opportunities, and embracing change. Until next time, this is Transformation Stories.