Risk Grustlers EP 9 | The Art of Cyber Defense: Wisdom from a Seasoned Security Leader

In life, we often come face-to-face with critical choices that shape our future. Akshay Ahuja, a driven individual armed with a B. Tech degree, stood at such a crossroads. The decision to either tread the common path of the development industry or embark on an MS certification in cybersecurity would ultimately define his professional trajectory.
Choosing the road less traveled, Akshay embraced the realm of cybersecurity, delving into the intricacies of safeguarding digital assets and ensuring compliance. Little did he know that this bold choice would lead him to become a distinguished professional in the field, amassing over a decade of experience in the cybersecurity and compliance domain.
We are excited to kick off our new podcast series with Akshay Ahuja, Principal of Information Security at M2P Fintech!
From highlighting the need for automation in ensuring compliance to revealing what it takes to become a cybersecurity professional today, here's a look at some of the things that Akshay and Pratyush discussed in their hour-long conversation.
PK: Why don't you start off by telling us about your career journey so far?
AA: Sure. In my early career, I transitioned from electronics and communication engineering to become a SOC analyst driven by my passion for cybersecurity. Although I initially planned to pursue a master's degree, circumstances led me down a different path. Engaging in the business side of cybersecurity, I gained valuable experience in SOC operations before transitioning into consulting at Panacea. As an associate consultant, I grew to handle significant engagements, particularly in certification matters.
Within the PCI accreditation domain, I served as a Qualified Security Assessor (QSA), akin to an auditor, providing rigorous assessments and recommendations to clients. Over the course of my career, I audited 100+ organizations spanning diverse sectors, including multinational corporations, Indian clients, banks, and merchants. These experiences exposed me to various geographies and enriched my understanding of different security environments.
PK: PCI access being your core expertise in consultancy, a large part of your exposure would have been to Fintech regulations and organizations. Is that correct?
AA: Yes, that is true, but I also worked with various industries beyond fintech, including hospitality, e-commerce, and m-commerce. While each industry has its own regulations, cybersecurity and compliance are common concerns. Regulators like SEBI and IRDA governed specific sectors, while the overall concepts of cybersecurity and compliance remained similar across industries.
PK: As far as regulators are concerned, every company is a payments company, be it commerce, hospitality, or a hardcore financial services company. What is your opinion on this?
AA: I agree. Take, for example, Flipkart.com, which is primarily an e-commerce platform, interacting with end consumers. However, when it comes to accepting payments, they enter the realm of fintech regulations. Safeguarding the payment process becomes crucial in ensuring compliance with the relevant regulations and maintaining security throughout the lifecycle. This demonstrates how even non-payment-focused companies can become subject to fintech regulations due to their involvement in payment transactions.
PK: What are your thoughts on the growing number of regulations that fintech organizations have to adhere to?
AA: Over the past seven years, I have witnessed a significant increase in regulations, especially post-COVID. The digital era, coupled with India's focus on digital transformation, has led to a surge in inquiries about the Indian market and concepts like UPI (Unified Payments Interface). As a result, there has been a corresponding increase in cyber threats, prompting the need for stricter regulations.
Many regulators in the Middle East closely follow the guidelines set by the Reserve Bank of India (RBI), with some regulations being almost identical. The RBI's research and development efforts have influenced other regulators to adopt similar approaches rather than going through the same hurdles independently.
PK: How do you think Indian fintech organizations can stay up to date with these regulations?
AA: Regulatory frameworks are released with specific compliance deadlines, and companies are expected to adhere to them. While I appreciate the regulators' efforts to enhance cybersecurity, certain circulars, particularly those affecting the fintech industry, have disrupted the market. The circulars change business strategies and can be both positive and negative for companies.
To manage these regulatory changes, staying up to date with RBI circulars is crucial. Joining communities or dedicating team members to review RBI circulars has become a common practice among companies. Regulated entities (REs) directly answerable to the RBI have a more extensive role in staying informed and managing vendors accordingly.
These days, keeping up with regulatory updates has become an essential part of the role, ensuring compliance and effective vendor management.
PK: How can an organization leverage technology to be compliant?
AA: One viable option that comes to mind is implementing a common control framework. Conducting audits on a daily basis is impractical, but through my research, I have found that around 65 to 75% of regulations relating to Infosec, major compliances, and industry practices share common principles. This indicates a convergence of requirements across different regulations and governance frameworks. The key objective now is for companies to establish their own common control framework.
I witnessed a company that deviated from standard audits and created its own company control framework. They performed internal audits based on this framework, ensuring compliance with regulations and standards. They aligned their controls, conducted audits, validated evidence, and generated reports. This approach provided a streamlined process.
We can observe similar principles followed by major cloud providers like Amazon Workspace, Google Cloud, and Microsoft Azure. They adhere to numerous compliances, not only national standards but also local regulations such as GDPR in Europe, PDPL in Singapore, NGDPR in Nigeria, CCPA and HIPAA in the US, and local versions of ISMS in South Korea. It becomes crucial to establish a common control framework that can be adapted to meet these diverse regulatory requirements.
PK: How does automation, particularly in the compliance space, address the limitations faced by auditors and enhance their effectiveness in adapting to rapid technological changes?
AA: Automation is crucial in the current landscape as it allows for a reduction in manual effort. Auditors rely on their own knowledge for both technical and non-technical aspects, but there are limits to how deep they can delve into an environment.
In my experience, I have witnessed exponential changes within five years, transitioning from physical data centers to cloud and serverless architectures. Auditors must adapt, constantly learn new technologies, and stay updated with industry trends. Third-party audits alone are insufficient in this rapidly changing landscape.
Automation, including the use of AI technologies like OpenAI and ChatGPT, is becoming essential in the compliance market. It is the future and a necessary direction for organizations to move forward in compliance efforts.
PK: What advice would you give young people who are interested in becoming cybersecurity professionals?
AA: To excel in the cybersecurity industry, it is crucial to start early and plan your path. Whether you are pursuing engineering, law, or any other field, gaining knowledge and skills in cybersecurity early on is essential. Take courses and engage in learning opportunities to understand the various profiles within the cybersecurity domain. Look for internships that allow you to gain practical experience and outperform expectations. Determination and focus are key attributes that will set you apart in this rapidly evolving industry.
Starting early and defining your specific field of interest within cybersecurity is vital. Simply mentioning “Infosec” is not enough; you need to understand the nuances of the specific field you want to pursue. Consider internships as they provide exposure to different domains within Infosec, helping you determine your career direction. Internship experiences will guide your learning path and enable you to make informed decisions. Remember that opportunities are abundant in the cybersecurity field, particularly in addressing supply chain gaps, and being prepared will help you seize them.