Mansi Thapar, IT Leader and Head of Information Security at Jaquar Group, takes us through her journey as a CISO and explains how critical security and automation have become in the current context.
What moved you towards security and how did the shift happen?
Security came to me by chance. Actually, my experience was mostly across all the verticals of IT, so security was part and parcel of what I was managing. But over the last four years Jaquar was growing multifold, and the decision was taken that we needed both a CISO and a CIO to run the show. I took up the challenge because I understood the business; taking up the CISO role while also understanding IT would be a great challenge.
I accepted the challenge, and that was when security happened, and now I am glad that I did it. I really enjoy this, and I feel that as leaders we need to give back to the community. So I really try to mentor people, especially women. I have worked with a lot of schools so that we can bring up the talent in tech. That is my passion: how we can get more and more women into tech, especially security.
What is the biggest challenge your industry faces today?
At the start of this pandemic there was a big impact, because the factories were not working. For us, IT was an enabler. The main thing was that the products needed to be made and to be sold. Jaquar Group came up with very innovative products, with sensors, touch-free systems and so on, which are helping a lot of hotels and hospitals in this COVID situation. So the biggest thing was how to get our factory operational and how to support people sitting at home, because in manufacturing, you would agree, work from home is not a very common concept. People are not used to working from home, and neither is the management used to not seeing people in the office. So it was a big change that we were able to do it. This was the biggest challenge that we overcame during the pandemic.
What has been your greatest accomplishment?
My greatest accomplishment is that my learning curve never stops. I have taken every new role that came my way, maybe because someone in the organization left and they requested me to take it over, or because the management asked me to switch roles, with a pinch of salt, and I love learning. This has shaped my career to reach this level. That is what I tell everybody: the learning curve should never stop. And that is my biggest achievement, that till date I really try to keep working on that learning curve.
What surprises you the most about your job?
I would say CISOs these days have sleepless nights. What surprises me the most is how we build up so many walls, we do so much in security, we have thought of everything possible, but still there is a new threat which comes onto the market. There is a world full of people trying to fight this cyber terrorism or cyber crime, but still something or the other pops up. So what really surprises me is why we, being on the good side of things, are not able to find the proper solution for it.
What is the one biggest challenge a CISO faces today?
The biggest challenge a CISO faces today is endpoint security. How do I make sure that my endpoint, working from home and attached to a different network, is secure? Is my data secure on that endpoint or not? Everything else is business as usual. The only thing which has changed now is that my desktop or laptop has moved from my premises to a remote premises, and that is why our focus should move from the perimeter to endpoint security. That is the biggest challenge, and we need to mitigate it very fast.
Where do the great ideas come from in Jaquar?
Great ideas come from everybody. Jaquar's key to success is that the management's doors are open even to the front line and to the junior-most resource who has an idea. So I would say ideas come from all places. Everybody remains very motivated, as new ideas are implemented without any thought about hierarchy, about who has given the idea or what approvals are required. That is one of the biggest developments that has happened, but the main ideas are coming from customers, who are our voice and who love our products.
As a CISO, how were you able to integrate different domains like audit and compliance, infrastructure management and BPM analytics into the security ecosystem?
Security is not there to stop your work, but to tell you that this is not right, or to do it that way. Sometimes what happens is that the security team develops a mindset of allowing this or not allowing that. We as CISOs are enablers, but at the same time we make sure that things are in the right perspective. So the first thing that is very helpful is to integrate all the different functions. Secondly, I was blessed that I have worked in all these domains, like analytics, infrastructure or IT operations. I understand the pain areas that all these people face if security is really pressuring them to do certain things. So that helps me to integrate them better, as I have been in their shoes and understand how you integrate it well.
But from the security standpoint, we should always provide them with very clear-cut policies and standards, which is what you need to work on so that we can integrate things better. We should have a culture of security. Security has to be built into your design. Whatever you are doing, maybe an audit or an SDLC transition, it should not be that security is an afterthought. At the time of design, the culture of the organization needs to be such that security gets integrated. Thirdly, conduct a lot of training for all the people who are looking after these roles. That will really help in integrating all these things across the organization.
How would you recommend applying AI and machine learning to security, and what sort of roadmap should organizations follow for that purpose?
You need machines to fight machines. But having said that, machines are not about to replace the need for human intelligence. The future of cyber security is not about man or machine; it is about man and machine. So the secret of actionable threat intelligence lies in playing to the individual strengths of machines and human analysts. The machine would perform all the heavy lifting, data integration with the use of machine learning and AI, pattern recognition and so on, and provide a manageable number of actions. Now the human analyst can put his brain to it and take an action. So the battle in threat intelligence is balancing time and context. The analyst needs intelligence-prompted decisions within a specific time so that he can take a decision. That is what we really need to look at.
It is essential that we respond quickly to security incidents, and that is where AI/ML capabilities help us. But at the same time we should not just jump in and buy any AI/ML. We should see what our need is, what our risk appetite is and what our crown jewels are, and try to put AI/ML there. As a roadmap, there is a shift from network perimeter security to endpoint security, because the endpoint is the first line of defense, especially now in a situation like COVID. Look at starting with an endpoint with AI/ML capabilities, so that it can understand the human behavior, understand the system behavior, and quickly detect and give you an alert that something is wrong.
How do you predict the evolution of the CISO role in terms of synchronization with other business functions in the future?
Words like hacking, malicious and phishing were not known to a person who was not in IT. These were terms used by IT people. But these days you, me, everybody have heard these, and we all understand them. So this is the importance of this role now, and I firmly believe that the CISO needs to be chaired at the board level. It is a senior leadership position, and there should not be any conflict of interest with the CIO. Because the CIO is in the position of delivering, and he wants to reduce the time to market of the software, and sometimes that can come at the cost of not implementing all the security controls. The CISO should be in place at that level so that his voice is heard.
Second, I think the most important role of the CISO is to align the senior leadership mindset, from thinking of security as something which enforces control and hinders our work, to a culture where they feel security is something which will help them move faster. They need to understand that they need to own the security posture of their specific departments. They need to understand that we are here to protect the crown jewels. We are here to protect their critical processes from malware. This kind of information and this kind of awareness needs to be put in place for all the C-levels so that they understand the importance of security. And slowly and gradually, I really feel that CISOs should move out from an IT function to a very advisory function, and business owners need to be the risk bearers and the owners of security. They need to implement it and understand the importance of it.
What is the operating business model of Jaquar Group, and how does technology drive the business?
Jaquar has a presence globally in Europe, South Africa, South Asia and Africa, and in India we are the market leaders with more than 70% share. We are a highly customer-focused company. We really work on providing the best quality solutions to the customers, and especially for Indian needs, but having said that, we are a very technology-driven company as well. I am amazed to see the budgets and the vision the senior management has for technology, which is not so common in manufacturing companies. We had deployed systems much earlier which people are deploying now. For example, we already have a dealer management system in place on which all our dealers and distributors are. It is an online system. It is an ERP which we have given to the dealers free of cost so that they can also use the technology, and it helps them in their customer management, stock management, finance and order management and things like that. And this software is very tightly integrated with our ERP, so they get regular updates on prices, discontinued items, stock availability, the material which has been dispatched to them, their barcodes and so on. IT provides you complete automation of the dealer management which happens in Jaquar.
Secondly, our customer care is completely automated. From the call center, when your call lands, the call is recorded and there are automated algorithms, so that all of it is automated and technology driven. Our manufacturing units have world-class robots which are using technology. Our lighting division is using IoT heavily in its products. The best thing that we did was that we just implemented an automated storage and retrieval system, where the machine goes and gets the material out, because, as you can understand, we have a large number of SKUs and a lot of products come out. I would say we are far better than a lot of manufacturing companies where technology is concerned.
What are the major adoptions in your supply chain management, and how are mobile applications used by your sales staff and customer care teams?
All my customer care staff have a Jaquar customer care app on their mobiles. What the app does is that the moment a job is given to a customer care person, he can see where the location of the problem is. It is all geo-fenced, and he can take the route or select the closest route to reach that location. Secondly, whatever work he has done when he reaches the customer location, he can record it then and there. He can even take customer feedback or a photo and upload it using the mobile app, and it gets sent to our main system.
Secondly, the sales staff also have a similar kind of sales app on their mobile phones. It gives them information like: these are your 12 customers, and it geo-tags them. Secondly, they get a notification that this was the last time you visited the customer, and do you want to reschedule the visit. If you are in the locality, it will prompt saying that since you are here, do you want to visit this customer as well. Now, if they are going to a new customer, they can even look at what we in Jaquar call the "customer's Janam Kundli": whether someone else has already visited that customer, whether he has bought something or not. With a click of a button you can see what all the Jaquar people have done there, through the integration.
We have completely automated, Wi-Fi-enabled, CCTV-enabled warehouses, where everything is barcoded. You just say that this is my dispatch sheet and I want this material, and automatically it informs you that this material is in this particular rack, this is the route you need to take, just pick your material. My entire manufacturing is barcoded. Starting from a product which is getting made, to dispatch, to when it reaches the customer, every piece has a unique barcode. All our procurement is on automated algorithms, based on all the information they are gathering from our sales tools. That is how we position our procurement with our suppliers, so it is not an ad hoc thing that someone sends us material and then we are left with inventory.
How are the shop floors automated?
On the shop floor we are using CCTV cameras and so on, but the main thing is the automated inventory retrieval system. What it does on the shop floor is track the hundreds of small parts which go into a main part. So, to track what my inventory is there, how I take it out and what my stock levels are, the automated retrieval system really helps me out on the shop floor as well. We have robots in place that help to prepare your products to the highest quality standard.
How has the security infrastructure synchronized with the other technologies?
Security is part and parcel of all the technology. We have a very robust user awareness system, so that all our departments know that if they are trying to buy a new technology or use an existing technology, they must know what the risks involved are. They know that they need to come back to security to ask if there is any risk in the technology, or how they will integrate their infrastructure with the security infrastructure. If anyone tries to put in any new technology and is not aware that they need to come back to security, we get an alarm saying that a new switch or a new machine or something has been detected, which we can then quickly turn around and work on from the security aspect of things.
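The "new switch or new machine detected" alarm mentioned in the answer above, as an added example that is not Jaquar's code or any product's: a Python check that reads DHCP lease acknowledgements, flags MAC addresses missing from an asset inventory, and flags known devices that appear on a subnet they are not approved for. The inventory, the subnet-to-zone map and the log lines are constructed for illustration.

```python
"""Rogue-device alerting over DHCP lease events.

Added example (not Jaquar's code): a minimal version of the "new switch or new
machine detected" trigger. The asset inventory, the zone mapping and the log
lines are all constructed for illustration.
"""
import ipaddress
import re
from dataclasses import dataclass
from typing import Iterable, List, Optional

# Hypothetical asset inventory: MAC -> (hostname, zone the device is approved for).
KNOWN_DEVICES = {
    "aa:bb:cc:00:00:01": ("jq-hr-lap01", "office"),
    "aa:bb:cc:00:00:02": ("jq-plc-line3", "ot"),
    "aa:bb:cc:00:00:03": ("jq-sw-core2", "office"),
}

# Hypothetical zone layout: office IT subnet versus plant (OT) subnet.
ZONES = {
    "office": ipaddress.ip_network("10.20.0.0/16"),
    "ot": ipaddress.ip_network("10.50.0.0/16"),
}

# ISC dhcpd style lease acknowledgement:
#   "DHCPACK on <ip> to <mac> (<hostname>) via <interface>"   (hostname is optional)
DHCPACK_RE = re.compile(
    r"DHCPACK on (?P<ip>\d{1,3}(?:\.\d{1,3}){3}) to "
    r"(?P<mac>(?:[0-9a-fA-F]{2}:){5}[0-9a-fA-F]{2})"
    r"(?: \((?P<host>[^)]*)\))? via (?P<iface>\S+)"
)


@dataclass(frozen=True)
class Alert:
    kind: str      # "unknown_device" or "zone_violation"
    mac: str
    ip: str
    detail: str


def zone_of(ip: str) -> Optional[str]:
    """Map an address to the zone whose subnet contains it, or None if unmapped."""
    addr = ipaddress.ip_address(ip)
    for name, net in ZONES.items():
        if addr in net:
            return name
    return None


def check_lease(line: str) -> Optional[Alert]:
    """Return an Alert for a DHCPACK line that violates the inventory, else None."""
    m = DHCPACK_RE.search(line)
    if not m:
        return None  # not a lease acknowledgement; nothing to check
    mac, ip = m["mac"].lower(), m["ip"]
    host = m["host"] or "?"
    zone = zone_of(ip) or "unmapped"
    known = KNOWN_DEVICES.get(mac)
    if known is None:
        return Alert("unknown_device", mac, ip,
                     f"unregistered MAC {mac} ({host}) took a lease in zone {zone}")
    approved_host, approved_zone = known
    if zone != approved_zone:
        return Alert("zone_violation", mac, ip,
                     f"{approved_host} is approved for {approved_zone} but appeared in {zone}")
    return None


def scan(lines: Iterable[str]) -> List[Alert]:
    """Run every line through check_lease and keep the alerts."""
    return [a for a in (check_lease(line) for line in lines) if a is not None]


# Constructed sample log (syslog-style lines in the shape an ISC dhcpd would emit).
SAMPLE_LOG = [
    "Jun  3 09:12:01 dhcp1 dhcpd: DHCPACK on 10.20.5.44 to aa:bb:cc:00:00:01 (jq-hr-lap01) via eth0",
    "Jun  3 09:12:30 dhcp1 dhcpd: DHCPDISCOVER from de:ad:be:ef:12:34 via eth0",
    "Jun  3 09:12:31 dhcp1 dhcpd: DHCPACK on 10.20.7.9 to de:ad:be:ef:12:34 (tp-link-wr841) via eth0",
    "Jun  3 09:15:02 dhcp1 dhcpd: DHCPACK on 10.20.9.120 to aa:bb:cc:00:00:02 (jq-plc-line3) via eth0",
]

if __name__ == "__main__":
    for alert in scan(SAMPLE_LOG):
        print(f"[{alert.kind}] {alert.ip} {alert.mac}: {alert.detail}")
```

Run as a script it prints two alerts: an unregistered consumer router on the office subnet, and a plant-side PLC that has turned up on the office network. Feeding it real dhcpd syslog output instead of SAMPLE_LOG is the only change needed; the zone check is what catches a legitimate OT device being plugged into the wrong switch, which a plain "is this MAC known" check would miss.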
In the light of the COVID-19 crisis, how has business continuity planning become critical?
Now, being an IT person, for auditing and for security we have endpoint protection in place; we have good EDR capabilities. EDR means Endpoint Detection and Response. So this is a tool which helps you, sitting at a central location, manage all your endpoints and look at what is happening, and alarms can be raised. In some of the EDRs, even automated action can be taken by the EDR itself, because these days we have a shortage of manpower. Some people might be having Internet issues for your IT support. So these kinds of rules can also be set up for your audit, that if some anomalies are detected, automation should come in.
For the audit function we have a least-privilege model in place so that the audit infrastructure, or your surface, decreases. Make sure that admin rights are not there on all the machines; audit them and give them only to those who really require them. For audit, it is very difficult, sitting in a remote location, to look at audit from all perspectives. So first and foremost, prioritize key business functions, understand what the crown jewels are, understand what the main business processes or main machines are, because if they go down the business will have a lot of impact.
When you have identified this, make sure of the data residing on an endpoint, and for those prioritized systems make sure that you have a good DLP, or data leak prevention, solution in place. All of this together will help us better and make sure that our systems are up and running. And of course, then you have your CISO audit calendar, which is already in place, and which you really need to look at for all the servers. All the drills need to be in place, so that whatever you were doing before the pandemic, you need to make sure that in this situation you follow those rules and make sure that you do not take downtime. Follow your drills, whatever you have; it can be a firewall drill, or it can be a failover drill. We really have an audit calendar in place with clear responsibility markings: these are the reports that you expect to come out, and how to mitigate if something goes wrong.
In a manufacturing setup, IoT is gradually becoming mainstream. What specifically are the challenges from the security side in having a perfect synchronization between IT and OT?
Most of the departments now have SaaS deployments. They have IoT; they want to integrate IoT with Alexa. Now OT is also there, a lot of sensors are being deployed and a lot of startup systems are there, but a small leak can jeopardize your entire security landscape. The first and foremost challenge which I have been facing, and which we are working on, is user awareness. They need to understand the security landscape, how one small leak can lead to a major jeopardy of the network, and even the entire operation of the company can go down. So we should really invest in giving user awareness.
We can put hundreds of security products in place, but insider threat, and that too from an unknown, is now rated the number one priority of almost all CISOs. We should have our own process in place. There should be some kind of security mechanism put in so that if any new thing comes in, the trigger comes to security, and they can go back to the departments and understand what they have done.
Third, we should have our own audit. Even if the department has not implemented it, we can go back to the department and ask if something is legitimate, and if not, then we quickly remove it. But it is a very big challenge, and we are also learning in this channel right now, because IT is no longer just desktops and networks and servers. The perimeter has increased with IT and OT coming in.
What is the SOC infrastructure at Jaquar Group?
For me, a SOC is not only infrastructure but a very good combination of people, process and technology who work together. They identify and monitor security incidents and then help us to mitigate them. We at Jaquar have a good team of security analysts, who are very well trained to manage any kind of security incident which comes in. We also have some consultants on board who help us manage our SOC. Thirdly, in terms of technology, we are now implementing a SIEM tool, which helps integrate all the different logs that you are getting from different places and shows us where there is any problem going on. A SIEM is a very important thing where a SOC is concerned, and we should really work on implementing it.
We have an EDR in place so that the SOC can manage the endpoints in a remote working environment. We also have a network monitoring tool in place, which helps us understand, if any network device or anything gives a sudden trigger in our SOC, whether something has really come up which is not in our periphery, and the SOC can quickly take action on it. We also have a ticketing tool in place where people can go. We also have automated tickets, which come from the firewall or other security devices, for the software to manage.
Our roadmap is that we should always have a SIEM in place. We should have people; it can be either your own people or consultants, who are continuously helping you integrate all the new threat vectors which are coming in. We should have an EDR at least, which helps you get control over your endpoints.
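The SIEM's job described in the answer above, integrating logs from different places and showing where a problem is, as an added example that is not Jaquar's tooling and uses no real vendor's log format: Python that normalises three constructed feeds (a VPN gateway, a firewall and an EDR) into one event schema, then applies a single correlation rule across all three. Line formats, field names, users and hosts are invented for illustration.

```python
"""Log normalisation and cross-source correlation, SIEM style.

Added example (not Jaquar's code, and not any vendor's log format): three
constructed feeds are parsed into one Event schema, then one rule joins them.
"""
import json
import re
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Dict, Iterable, List, Optional


@dataclass(frozen=True)
class Event:
    ts: datetime
    source: str   # "vpn", "fw" or "edr"
    user: str     # "-" when the source carries no user context
    host: str
    action: str   # "auth_fail", "auth_ok", "allow", "deny", "detect"


# Hypothetical line formats for the two text feeds (timestamps are ISO 8601).
VPN_RE = re.compile(r"^(?P<ts>\S+) vpn-gw auth (?P<result>ok|fail) user=(?P<user>\S+) host=(?P<host>\S+)")
FW_RE = re.compile(r"^(?P<ts>\S+) fw01 (?P<verdict>ALLOW|DENY) src=(?P<host>\S+) dst=(?P<dst>\S+)")


def parse_line(line: str) -> Optional[Event]:
    """Normalise one raw line from any of the three feeds; None if unrecognised."""
    m = VPN_RE.match(line)
    if m:
        return Event(datetime.fromisoformat(m["ts"]), "vpn", m["user"], m["host"],
                     "auth_ok" if m["result"] == "ok" else "auth_fail")
    m = FW_RE.match(line)
    if m:
        return Event(datetime.fromisoformat(m["ts"]), "fw", "-", m["host"], m["verdict"].lower())
    if line.startswith("{"):  # the EDR feed is JSON, one detection per line
        d = json.loads(line)
        return Event(datetime.fromisoformat(d["timestamp"]), "edr", d["user"], d["hostname"], "detect")
    return None


def normalise(lines: Iterable[str]) -> List[Event]:
    """Parse every line and return the recognised events in time order."""
    return sorted((e for e in map(parse_line, lines) if e is not None), key=lambda e: e.ts)


def correlate(events: List[Event], fail_threshold: int = 3,
              window: timedelta = timedelta(minutes=15)) -> List[Dict]:
    """Rule: at least `fail_threshold` VPN auth failures for a user, then a success,
    then an EDR detection on the host that logged in, all inside `window`.
    Firewall denies from that host after the login are attached as context."""
    vpn_by_user: Dict[str, List[Event]] = defaultdict(list)
    for e in events:
        if e.source == "vpn":
            vpn_by_user[e.user].append(e)

    incidents = []
    for user, evs in vpn_by_user.items():
        fails: List[Event] = []
        for e in evs:
            if e.action == "auth_fail":
                fails.append(e)
                continue
            # auth_ok: evaluate the failures that fell inside the window, then reset
            recent = [f for f in fails if e.ts - f.ts <= window]
            fails = []
            if len(recent) < fail_threshold:
                continue
            after = [x for x in events if x.host == e.host and e.ts <= x.ts <= e.ts + window]
            detects = [x for x in after if x.source == "edr"]
            if detects:
                incidents.append({
                    "user": user,
                    "host": e.host,
                    "failures": len(recent),
                    "login_at": e.ts.isoformat(),
                    "detection_at": detects[0].ts.isoformat(),
                    "fw_denies": sum(1 for x in after if x.source == "fw" and x.action == "deny"),
                })
    return incidents


# Constructed sample feed, deliberately interleaved and out of time order.
SAMPLE_LINES = [
    "2020-06-03T09:00:10 vpn-gw auth fail user=rkumar host=LAP-0421",
    "2020-06-03T09:00:25 vpn-gw auth fail user=rkumar host=LAP-0421",
    '{"timestamp": "2020-06-03T09:04:12", "hostname": "LAP-0421", "user": "rkumar", "severity": "high"}',
    "2020-06-03T09:00:40 vpn-gw auth fail user=rkumar host=LAP-0421",
    "2020-06-03T09:01:05 vpn-gw auth ok user=rkumar host=LAP-0421",
    "2020-06-03T09:03:00 fw01 DENY src=LAP-0421 dst=10.50.3.7:502",
    "2020-06-03T09:05:00 vpn-gw auth ok user=asharma host=LAP-0118",
    "2020-06-03T09:06:00 fw01 ALLOW src=LAP-0118 dst=10.20.1.10:443",
]

if __name__ == "__main__":
    for inc in correlate(normalise(SAMPLE_LINES)):
        print(inc)
```

Run directly it reports one incident: three failed VPN logins for rkumar, a success, a firewall deny from that laptop towards a plant-side address, and an EDR detection on the same host a few minutes later. None of the three feeds on its own says much; the point of putting them in one schema is that the rule can key on the shared host and user fields across sources, and the window and threshold are parameters an analyst tunes rather than constants buried in the rule.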
What is the roadmap of the GlobalProtect implementation at the Jaquar Group?
I am very happy to announce that Jaquar is 100% on GlobalProtect right now. All our machines are working on GlobalProtect, and this tool has helped us take care of this pandemic without any problems. Even all our desktops have GlobalProtect working, which helps us to secure the VPN and to manage everything.
How have you managed the economic and business impact of COVID-19?
Jaquar is a highly innovative group of people who strive to survive in every situation possible. This has helped us to grow, and this is what we follow in IT and in other departments as well. Where IT is concerned, we were ready on day one. Most companies are struggling, but because we had VPNs in place we did not have to go and buy any VPN licenses for desktops or laptops. Most of our desktops were Wi-Fi enabled, so people could easily pick up their desktops and go home. And we already had very secure policies in place, like no one has admin passwords. We already have a very robust endpoint solution in place. We also have bandwidth in place, because we already have contracts with our data centers so that we can increase our bandwidth.
From a business standpoint, we have now integrated IT into the new innovation which is coming up. We have a lot of sensor-based products coming up for faucets or a bathroom where you do not need to touch anything by hand or foot, with the water flowing and things like that. So innovative ideas are coming in with the use of AI/ML technology.
Would you like to name the office solutions you are using?
For VPNs we are using GlobalProtect with Palo Alto firewalls at the backend. Those are very robust firewalls. And in Palo Alto firewalls there is a tool called VPM, where you can take a report out from the firewall to know where you stand versus the best practices around the world. Jaquar is the only deployment in North India which is standing at 99% of best practice. Implement a security tool, but use it fully and to the best of its capabilities, and configure it properly. Secondly, we are using CrowdStrike for our endpoint protection, which is the market leader right now. For USB blocking we are using CrowdStrike. For DLP we are using open source, and we are now evaluating some different tools which can help us work on DLP better.
Would you like to tell us about the collaboration tool?
For collaboration, we are using Cisco Webex right now. We are also using Lifesize for video conferencing. The collaboration tools have helped us multifold to handle this COVID situation better, and they have helped us with our customer base as well. Now our customer teams are engaging virtually with our customers and showing our products with the use of these collaboration tools. Now we will evaluate the new collaboration tools which are coming in, and I am really excited to look at how they have gelled in all these features and the security.
Would you like to share some figures when it comes to business at Jaquar during this situation?
The last three months were very tough. But now, since operations have started, the work has really grown, and because of these new initiatives which are coming up, we are geared up to hit the targets which we have met earlier. We are really looking at it in a very positive way.
How are digital technologies going to help you tide over the crisis without significant disruption?
Digital technology is really helping us to shape things up in a better way. It is virtually connecting with the customer, and that is what we are really looking at. For example, there is software now where you can design a bathroom, put in your products and show it to a customer. So that technology is really helping us out. We are also looking at VR technologies. We are giving the specifics to the customers so that it is not only on paper that they are seeing it, but virtually, in 3D, they can see how a bathroom will look. This disruption has given us a new norm.