Conquering Enterprise Risk Management with Amit Subhanje
TL;DR
- Risk management should not only be reactive. It has to have the right balance between proactive and reactive strategies.
- Continuous training and awareness programs are key for running a healthy and successful security program. Also, when it comes to training, it should be targeted vs generic.
- Security is a shared responsibility and not a responsibility restricted to security teams. Organizations should nurture a culture where everyone in the organization feels accountable.
Transcript
Host: Hi, everyone. This is Purushottam, and thanks for tuning into ScaletoZero podcast. Today's episode is with Amit Subhanje.
Amit is the regional risk leader at the world's largest aviation company, GE Aerospace. He has experience in internal audit, third-party risk management, enterprise risk management, cybersecurity, to name a few areas. He's involved in both internal and external audit, pre-sales, sales, auditing, and compliance-related work.
He's an independent advisory board council member at CISA Institute and Saro Academy. He has attained many certifications like CISM, CISA, and ISO certifications, Six Sigma, Green and Black Belt, and many more.
In addition, he also has given numerous cybersecurity sessions to corporates and educational institutions, and he mentors various students in the field of cybersecurity as well.
So… Amit, thank you so much for joining us. For our audience, do you want to briefly share about your journey?
Amit: Absolutely. So before I start sharing about my journey, I would really thank you, Purushottam, and the whole team for bringing me here to share my experience and my journey with the audience. Just to upskill and just share knowledge, that's really important. So about my journey, it's all about an individual engineer not knowing about risk, getting into the risk function at Infosys.
So that's how I started my journey. So I was into the business continuity domain and the information security domain at Infosys, started to learn what risk is, what's the importance of risk, why risk is considered one of the top risks for any organization. And that's how I was really passionate about the subject and that's how… I proceeded further to get my master's specialized in risk management.
Post that, I did, yeah. So I think, post that, I think it was a very different journey because I started my journey in consulting. I started advising various clients and getting certified and getting assisted to various ISO frameworks and helping them solve various cybersecurity challenges.
And at GE, it's all about wearing different hats, from being an auditor to being the regional risk leader; I wore multiple hats in the field of cyber security. But I would say the backbone of my journey was always the mantra of continuous improvement or continuous learning. I never stop learning. That's really, really important.
So one of the key aspects I would just highlight here is it's about continuous learning throughout my journey till now. So it has been a fantastic journey for Sipa.
Host: I love that. Like that should be a mantra for everyone, honestly. And it's a pleasure to have you on the podcast as well. So one question that we generally ask all of our guests, and we get very unique answers, is what does a day in your life look like?
Amit: Yeah, I think very nice question but difficult to answer. So starting my day would be about various meetings with multiple stakeholders across the globe. So basically my day looks like starting with understanding where we are currently with the KPRIs, where we are currently with the KRIs in terms of the key performance indicators, key risk indicators.
I also understand the risk trends in various regions where we work, and interacting with the stakeholders and understanding what the key challenges are. In terms of challenges, what I mean is what are the key critical vulnerabilities which are open. That means that my day-to-day job at the end of the day involves that any risk which is currently in the region, how do I… bring those risks within the risk upper-right of the organization, right, to be on the safer side.
So that's how my day looks. So it's very much complicated, but yeah, but when you have passion towards the work, I think that becomes very easy.
Host: Yeah, and I was not hoping that it would be a simple day since you are dealing with risks and all. And that is what we are going to talk about today as well. We are going to talk about risk management. So let's start with the first question.
Risk management is a very critical component in cybersecurity and even in cloud security.
Can you help us understand, for our audience, what is risk management and why is it crucial for organizations in today's world?
Amit: Absolutely fantastic question, because whenever the word risk comes, my eyebrows go up. So basically, yeah, so basically, before we start understanding what risk management is, I'll just give you a brief about what risk is. Risk is an uncertainty of an event, right, which, if that occurs, would hamper the company achieving its objective.
So basically, any risk function should always be directly proportional to the business value. That means business runs by actually subjected. So anything that hampers the company objective would be termed as risk.
So in terms of risk management, I would say it is a structured program or a structured mechanism of identifying risk, assessing the risk, right? Then you monitor the risk and how you mitigate the risk. So when you combine all these four steps in one framework, I think that is risk management.
So, and risk management has evolved leaps and bounds over the years, right? So like prior to, I think, the 2000s, it was all a reactive approach. Now it's more of a proactive approach. Risk was always, it's kind of always a sub-function or like kind of not an important function for the business, but now, as I said, it's likely proportional to the business value.
So the more the risk, the more the business value. But how much you take the risk depends on the valuation of risk or the risk appetite that you have of the organization. So that is really, very important these days. So that's how I would term what risk management is all about.
Host: Okay, thank you for setting that context, right? So now, how does it apply to cybersecurity or even cloud security?
Amit: Yeah, so basically, Purushottam, when we understand risk management, right? So cyber security as a concept, cloud security as a concept are subsets of risk management, because cyber risk, cloud risk and various other risks are subsets of risk management. So basically the skeleton of any risk management or cyber security or cloud security would be risk management.
That means when we want to approach cybersecurity in an organization. So basically what do we do, what do we want? We want to bring down the cyber-related risks within the risk operator of the organization. So that means that the risk management scale or the risk scale across the organization needs to be seen.
That means that when I assess cybersecurity risk, the scale remains same. When I assess the cloud security risk, the scale remains same.
That means… the methodology of identifying risk, the methodology of assessing risk, the methodology of monitoring risk, and the methodology of mitigating the risk at a very framework level or a very high level remains the same. So the importance of having risk management in terms of cybersecurity and cloud security is always risk-based decisions.
So whenever you have that… ideology, right, when mitigating cloud security risk or cyber security risk, you should always think from a risk-based approach. So the risk-based approach comes from risk management, right? So the business needs to understand the value of risk management, and hence that culture dips down into cyber security and cloud security. And hence risk management is a very key component in cyber and cloud going further.
Host: Yeah, one of the things I really liked about what you said, right, is the risk appetite. Earlier you highlighted that, let's say, during your day, if there are many vulnerabilities that are open, you triage them and you get those prioritized. But you cannot work on all the vulnerabilities at the same time, right? So that's where, looking at the risk appetite of the organization, you have to do the prioritization, right? So yeah, that is… spot on.
Earlier, one thing that you mentioned is like the risk management or the cybersecurity landscape has changed leaps and bounds. And it is constantly evolving as well, right? And which brings new challenges.
So what have you seen?
What are some of the unique challenges that organizations encounter when it comes to managing the cyber risks?
Amit: All right, so I would take down that question into two parts. So first part, let's understand when we try to understand the challenges of cybersecurity as an industry, I think I would start with the technologies.
Technologies these days are evolving at a very rapid pace. So as technology changes accumulate, understanding the risk for the technology needs to also change over a period of time. So there is an… So that's very much one of the key challenges I feel.
The second challenge I feel is in terms of the talent crunch. So when I say talent crunch, it's about having the right person at the right place at the right time. Because we can bring in freshers, we can train them. But there are certain roles where we need someone with a specific acumen. Example, in terms of an auditor, as a technology auditor, he needs to have the right technology to understand the applications and to audit in the right way.
Because if not, there are a few other critical vulnerabilities that would definitely be open.
So another key challenge I feel in terms of cybersecurity is in terms of phishing. These days, phishing has become one of the hottest topics because, bringing in the AI stuff,
anyone can create a lot of phishing kind of scenarios which even organizations can't detect.
So that is one of the key challenges in terms of phishing. And the fourth and the last challenge I feel currently is about the AI risks. We talk about chargeability, we talk about artificial intelligence.
But the hard fact that we need to digest is that the majority of the organizations already have those applications downloaded; some other employee would have that application or a software which is there on the laptop, right?
But even the top management knows there is no kind of foolproof solution to mitigate the AI risk, right? So that is one of the challenges and that would definitely evolve over a period of time. So, Purushottam, here.
So I think these are the few challenges that I can definitely identify currently that we are currently facing.
Host: I like how you sort of categorize them, right? Technology, talent, and new attacks like phishing attacks, and then the new technology like AI and how that is helping and also at the same time hurting.
So now if you are running the organization, how would you address these challenges?
Amit: Right. So I would always start with, so because like I am very much an advocate of training and awareness in terms of cyber and risk, because 90% of the cyber attacks, when we do the root cause analysis, are all because of human-related risks.
So I would definitely start with having the right program to address the human risk. That means in terms of how do you train the employees? How do you make the employees aware? That's one of the key components that I would definitely start handling or implementing.
The second would be definitely multi-factor authentication, which is something that I'm very much an advocate of. So that should evolve and that is evolving. So in terms of IAM, identity access management needs to be a very much key component of the organization in tackling the cybersecurity challenges.
And the third and important part I feel is in terms of the EDR or the antivirus, in terms of do we have HIPS? Do we have DLP in place? So the basic things that we feel, okay, we would have a firewall which is switched on. And do we have an antivirus? I think this is what we feel, which is very basic. But I feel, over the period of experience that I have, that those basic elements are killing us.
So I think the basic, simple cyber hygiene needs to be in place to make sure that the simplest of solutions also doesn't allow you any cyber-related attacks. So you are safe. So I'm a very big fan of starting with the basics, then going to a very technical level. But I think these are the very important parts I would definitely want to highlight.
Host: Yeah, I love that you highlighted the basics, right? Often what happens with the marketing or with the industry, we often look at edge cases, but we forget about the basics.
And what you are highlighting, I really like that, that you need to do the basics right. Like MFA is a very simple example, right? That's basic now. But we often talk about AI risks and all of that, but we forget about the basics. So… Yeah, totally, totally on board with that.
One of the things that you earlier highlighted is that when it comes to risk, it's not just about one team's risk or something like that, right? It affects the overall organization. And they're all interconnected, right? Like the analogy that you gave, like cybersecurity, cloud security, all of those fall under the risk management.
So now can you help us understand how you see them? Enterprise risk management and risk management, do you see them as different or the same? What's your take on that?
Amit: I think, yeah, very good question, Purushottam. I love this concept because when you talk about risk management and when you talk about ERM, enterprise risk management, yes, they are different.
Because when I say they're different, that means I'm considering risk management as the traditional risk management and ERM as the evolved form of traditional risk management. Basically, traditional risk management was always reactive. That means…
Until an organization faces any attack, they won't react or they won't take a call how to mitigate. ERM is all about proactive. They would forecast the future coming risk or forecast the new challenges, forecast the new vulnerabilities and threats and accordingly take a call what are the things that they need to have in the organization so that they are safe.
And the second important… point between traditional risk management and ERM is about the approach. The traditional risk management approach was always in one dimension. That means it's always reactive. It's not a holistic approach. Example, when I say holistic approach in an organization, I think except for cyber and cloud-related risks, there are multiple aspects of risk which don't come in the ambit of traditional risk management.
ERM is all about holistic risk management. That means it has the coverage across the organization, across the various risks. So when I say various risks, it can be political, it can be environmental, it can be social, it can be technological, legal, economical related risks.
So ERM is all about a holistic approach, combining together, making sure that you are providing the right pictures to the board of directors, to the stakeholders of the organization to take a call. So this is what I always see.
Host: That makes a lot of sense.
Now, a follow-up question to that is, let's say a fast-growing startup or a late-stage startup, they have been focusing on cloud security or cybersecurity, but now they need to focus on enterprise risk management.
What would you recommend them so that they can sort of build a comprehensive risk mitigation plan?
Amit: Yeah, so having the right ERM framework in an organization would start with having the right risk culture. That's very much important. Without risk culture, there is no ERM.
Basically, when I talk about risk culture, all the employees should have that feeling of accountability that they are involved in helping the organization to mitigate any risk, right? First of all, because it's everyone's responsibility.
The second point is about having the right, setting the right risk appetite. So generally, what organizations do, in terms of the example that you gave, Purushottam, in terms of a startup, right? Basically the risk appetite is something that they would, example, if they have or don't have, the first approach should always be that they need to have the right risk appetite, or the risk appetite statement needs to be formed. That means that, whenever you want to take a risk, you need to know how much risk I can bear or how much risk the organization can bear.
That means that it should be known to all the right stakeholders. That doesn't mean that there is only one person who knows how much risk can be taken and he takes that call. No. All the right risk-based information needs to be shared across all the… right stakeholders. They need to know what the risk appetite is; until and unless they know, right, it becomes very difficult to take any risk-based decisions.
And the last point is all about having the right mindset, right, because at the end of the day, ERM is all about building the right risk culture, having the risk appetite in place, you have the ERM committee, right. Basically, the ERM committee is a committee which has representation across the organization.
It can be facilities, it can be IT, it can be someone from a technical standpoint, someone from physical security, right? Everyone, right? Everyone is involved because ERM is about a holistic approach to risk, right? So this is how I feel in terms of when you want to have an ERM, like you want to build an ERM in a startup, right?
Basically because it… also requires some budget, because without tone from the top and if you don't have the budget, basically no one can run the show, because it's not a small program for sure. It's a very big program because it cuts across the organization; it involves multiple stakeholders. So that's how it goes.
Host: So I agree with you on the accountability part, right? That it cannot be the security team's responsibility to make sure the organization is secure. It's everyone's responsibility. It's a shared responsibility in a way, right? So, let's say earlier you gave an example of phishing. If somebody gets a phishing email, they should not ignore it. They should maybe reach out to the security team saying that, hey, I have received this. Is it phishing? Right. So that's how you are aware and you contribute back as well. Yeah.
So one thing that you mentioned earlier is around training, right? When it comes to different challenges that organizations face, training and awareness is a challenge. I want to double click on that. So awareness helps engineers to analyze or triage threats and then understand the depth of the threat. So I have two questions here.
What are some ways you implement the awareness in the organization? Like training was one of the things.
Anything else that you want to highlight?
Amit: Right, so when we talk about the security program in terms of awareness, training and education, basically, Purushottam, it has also evolved, right? The kind of limelight the team was having before and now has a substantial difference, because at one time security awareness was one of the checklist items in terms of compliance.
Now that's a very much dedicated program and they do have special awareness on education security education offices appointed in the organization. So there is kind of the whole scope of the whole program has changed.
That means the organization and the leadership understands the work that the team is doing. That means that it's not about having an annual training program for all the employees and all the employees take the training and I'm done with that. No. Because that was the approach previously because it's all about compliance.
Now it's about building and forecasting the future risk, forecasting the future risk trends and letting the employees know. So basically I would highlight few important points in terms of the program of security, education and training is about first to have tone from the top. That is very much important because when the leadership doesn't understand or when the leadership understands the value of the team, all the things fall in place easily.
The second thing is about funding. So when I say funding, for all the CISOs it would have been very difficult, because there might be one year you have the budget in hand, there might be another year you don't have the budget in hand, right?
But the important part for the program is to definitely upskill the whole program year on year. That means that one of the important aspects of the whole program is about running the phishing program successfully, right?
Now, when you have, when I say phishing program, that means… there should be multiple phishing scenarios every year. It can't be the same, right? One scenario I have, I keep repeating year and year. You can't check the effectiveness, point number one, all right?
And second thing is about understanding the number of incidents getting reported. Basically, what people or most of the employees think who are not cyber aware or risk aware that lesser the risk, which is lesser the incidents, that are reported that means we are safe. It's totally opposite, right? Because what really happens is when you are at the risk profession, you understand you want more incidents to be reported because that's how you would know that what training that you're doing people understand and report basically when you train any. Yeah, yes, absolutely effectiveness of the whole program.
The second important point here, Purushottam, is about: when you have the training programs in place, one important point where the majority of the organization misses, or the majority of the employees who are not from the risk function miss, is about, where do I report an incident? Where do I report a risk? Because now you have done the full-fledged training, all the like fashionable words in the world of cyber, you have done fantastic training, but...
Now, when there is an event or incident which is already in place and employees don't know what to do or where to report. So, that's where you need to understand the basics. And I'm a very firm believer of having a basic cyber hygiene. There is no doubt on that. Because when the employees don't understand where to report the risk, it makes no sense how much of training you have done.
And I think that's where, I think these are the few challenges and the few areas that awareness and training and education should have. And the last point I would just highlight is about understanding the risk trends. So when I say risk trends, Purushottam, here there are two different aspects. One is internal trends, one is external trends. That means that you need to understand, as an organization, which industry you belong to. Point number one.
Point number two. You need to know what the internal trends are, in terms of do you see any kind of DLP issues internally increasing over a period of time. If yes, please take that as a specific domain and have a dedicated awareness session on those areas, because these days comprehensive risk management training or risk awareness training doesn't help. You need to cater to the specific group in the language they understand.
I can't go to the engineering team and say, okay, this is what DLP talks about. They would not know what DLP is or they would not know about a lot of ERM framework or the risk appetite framework and so on. You need to get into their shoes and understand when I say engineering, you would always come up with ideology of product security, software security, SDLC cycle.
This is where they, if we have that flavor in the training, they would love that and they would have the appetite to digest it. Like if else, that's also a big issue.
Host: Yeah, I like how, again, I like how you stick to the basics really well. And you have these categorized, right? Like what the things are that can be like leadership buy-in, or the budget, or even the communication channels, or understanding the risk trends, internal and external. So yeah, I really love the framework that you follow.
One of the things you highlighted earlier was again around accountability, right? Making others accountable also for security. Now,
How do you do that? Like if I am running a late stage startup, let's say, and I want to make sure all the teams are understanding the risk and are accountable, what advice do you have for that?
Amit: Awesome. I think here, I think there is a challenge here, because there are two aspects I'll tell you. When you want the employees to be accountable, they need to understand the real scenario.
Basically, what really happens is that most of the organizations, or a few of the organizations, or a few targeted industries, don't disclose what actual incident occurs in the organization, right? Because of so many reasons, compliance reasons or whatever the reason is.
But I'm a big fan of having a few real incidents of the organization demonstrated to the employees, so that they understand, because of their own colleague, what impact the organization had. Until they understand: if I'm not updating my laptop, or if I'm not having the right patches on time on my laptop,
right? What can happen? The critical vulnerability can cause a lot of impact to the organization that can obviously hamper the company achieving its objective, or any kind of reputation damage. And you see these days data breaches are very common, right?
When there is a data breach, there is some kind of human involvement, right? In terms of the internal employees, someone might not know. I just unintentionally clicked on that link, unintentionally sent an IP design of the company to my Gmail box or to the competitor; it might be various scenarios, but these scenarios need to be communicated.
Hence the employees can understand; okay, they would be cautious enough, so next time they have any email, or next time they have any kind of idea of sending any document or sharing any document, they would think twice because of that real incident.
If there are any scenarios where you are not able to share the real incidents, bring out or buy in a lot of external trends or external incidents in your industry, a similar kind of industry where you have a similar kind of employees and location, so that people can relate. Because at the end of the day, if they are competitive, if they see their competitor having that incident because of this, what happens is that would also definitely create the accountability within the employees to take risk-based decisions.
And hence I say risk culture is very much important. So this is all the culture. All right, so people need to understand risk is not something that is additional work to be done. No, they should always think that it's part of their job and that they're internally helping the company to secure their own company and achieve their own objectives. So that's how it goes.
Host: Yeah, I think it goes back to the awareness, right? How do you make your employees aware of what has happened internally, what is happening externally? And awareness again goes back to basics. Like these are some of the basics that you should follow so that you have a healthy security program. So yeah, love that.
And that's a great way to end the security question section.
Summary:
Thanks Amit for the insightful conversation. Here are a few points I gathered:
- Risk management should not only be reactive. It has to have the right balance between proactive and reactive strategies.
- Continuous training and awareness programs are key for running a healthy and successful security program. Also, when it comes to training, it should be targeted vs generic.
- Security is a shared responsibility and not a responsibility restricted to security teams. Organizations should nurture a culture where everyone in the organization feels accountable.
Let's go to the next section, which is rating security practices.
Rating Security Practices
Host: The way it works is I'll share a security practice and you should rate it from one to five, five being the best. And you can add context also, like why you think it's a two or a five or a three or something like that. So let me start with the first one. The first one says conduct periodic security audits to identify vulnerabilities, threats, weaknesses in your systems and applications.
Amit: I would say four and a half, because I think there is a fantastic approach. It's an evergreen approach of having regular audits, identifying, because of regular audits you have, you can find out the kind of vulnerabilities over a period of time at regular intervals, and making sure that the people or the stakeholders understand that there is someone who would come and examine us. So I think that approach really helps. So I would definitely rate 4.5 for that.
Host: Okay, so you're the first person who has given like a decimal point rating. Generally, everyone says either four or five or something like that. But yeah, no, makes sense. The second one is provide training and awareness programs to employees so that they can identify and respond to potential security threats; like phishing is a good example.
Amit: Yeah, so I think there is some kind of ambiguity in the statement; that's why I would want to give it three and a half, because I'll tell you why. When you say providing the awareness and education to the employees, right? What basically happens is, as I told Purushottam, it is about having the targeted training for the targeted employees, or the special, like when I want to cater to the engineering team, I need to be very specific.
What they want to have in terms of education. So it's one of the kind of practices which is being followed across. But I would definitely, because it's an evolving program, as I said, an evolving domain, so there is a kind of improvement in the approach that we need to have in this particular practice.
Host: So more targeted training versus like generic training. Training and awareness programs. Okay. The last one is granting users unrestricted access to systems and applications so that we can move fast and roll out new features.
Amit: No, I think it's always bad, the worst, because as a security professional, we always think about RBAC, Role-Based Access Control. So when you say anything about unrestricted access, just to have any patches or kind of production, that makes less sense in terms of practice, because the practice needs to be very much you need to have role-based access control in place. So I will definitely rate it as 1 for sure.
Host: Okay. All right. So, yeah, that's a great way to end the episode. But before you go, I have one last question, which is, do you have any recommendation for our audience? It can be a blog or a book or a podcast or anything.
Amit: Okay, so this is a very tricky question to me because I'll tell you because when you say a recommendation of any book or blog I am a firm believer of having the right attitude towards the field of risk management.
To have that attitude, I definitely want to, if I have that opportunity to recommend any book, I would definitely recommend a book called Karma Yoga from Swami Vivekananda, because that provides the kind of mindset or the headset a security professional needs to have, right? Because I would relate to security as a self-led job, right? The work, however much we do, you never get recognized for the work that you do day in, day out, right? But you need to keep improving day by day, day by day on a continuous basis. Karma Yoga also talks about the same, right? Just… keep doing your work without anticipating any recognition or achievement or some kind of success. So I would definitely want to recommend that one book, and definitely want to highlight another book from one of the famous leadership persons, I think Barack Obama. I think Barack Obama's books, I think it would start… from all the books I would say, not one very specific book that I have in mind, but I'm a firm believer in leadership, right?
Security and risk management, cyber security, right? As you proceed in your career, I think your leadership, it makes a lot of sense, because I would relate to one important topic, Purushottam, here: why I recommend these two books is because a few years back, I think the majority of the CIOs wanted to have a full army of cybersecurity professionals with them in the organization to tackle the employees.
But considering the situation that we are in and considering the kind of involvement of AI that is coming up, I think the new trend is about lean-t, right? Going into lean, right? That means that if I have, example, I don't want someone as an antivirus on HDR or a HIP solution, I would just select CrowdStrike as a solution; it would cover all the aspects. That means that I am making sure I am reducing the load on the organization, but covering the whole aspect. So it's about multitasking, multi-working, or the lean approach is something that we forward. I think that would really help all the organizations in terms of the cyber world.
Host: Love that. And I love that the books that you have referred to are not like technical, rather more about understanding the basics or getting your mindset right. Because it's more about the mindset than the actual task that you are running. Right. So yeah.
Amit: Yeah, because, Purushottam, because there are multiple fantastic books, because I don't want to be as to only one book, there are multiple fantastic books in terms of press and cyber, to be very honest, right? And you have multiple videos, multiple articles, where you have access to multiple forums these days, right? But the thing is about the approach of learning, right?
You need to be passionate about your work, or the passion about the subject. So that passion comes through the right mindset. Now I have seen there is a trend that is also going on, Purushottam, is that there is a lot of attrition in terms of cyber security. That means that they are not leaving the organization but they are leaving the domain of their work. So just highlighting those key concepts, because of overload of work. When you are overloaded with work, the mindset really helps.
Right, the leadership really helps. So I think those are the key elements where the leaders need to understand these days and take it further from that.
Host: Yeah, yeah, yeah, absolutely. No, totally agree. And I feel that doesn't just apply to security, that applies to any field. Now, all of us are overworking and stressed and all of that. So having the right mindset would help you be in the domain and contribute in a healthy way. So yeah.
That's a great way to end the episode. Thank you so much, Amit, for joining and sharing your learning, your knowledge, and your insights with us.
Amit: Absolutely, it was a pleasure having you. Fantastic session. I think kudos for the whole team for having this drive. And yeah, happy to help anytime. Thank you.
Host: Yeah, thank you so much. And for our audience, thank you for watching. See you in the next episode.