International SOS has a unique position of being a provider of services for organisations that are trying to assess Security & Operational, Cyber risks etc. You also have to secure your own organisation. What’s the most difficult part of your job at International SOS?
The most difficult part of the job of my team is to stay on top of advanced threats, associated remediation of vulnerabilities and persuade other teams to remediate the vulnerabilities prior to someone else (hackers, enemies, or competitors) exploiting these potential vulnerabilities.
Could you describe your average day as CISO at International SOS? Do you have a particular routine for the start and end of day?
Manoj Tewari: Every day is unique and full of opportunities to learn, share and lead. On a daily basis with a few exceptional days, I get involved in:
- Negotiating in a matrix structure on financial approvals closely coupled with organisation change management related to implementation of new security technologies.
- Describing and advocating the security posture of the organisation to clients and helping sales & marketing to achieve their objectives by building trust with clients.
- Risk based discussions with general managers and technical discussions with security analysts and engineers.
On a scale of 1-5 do you expect that your investment on Cyber & Information Security will be increased over the next 3-5 years? What’s going to drive that?
Manoj Tewari: I’m very confident that our budget will increase over the next 3 to 5 years as we have been able to plan and deliver upon the security strategy that we decided 2 years ago.
In the last three years Global IT Security has built trust with several stakeholders by delivering on plans that helped the organisation to achieve a much better security posture. Over the next few years, we will focus on implementation of advanced solutions, operational aspects of fundamental security services and certifications. Surely, this journey towards excellence will continue.
How do you balance your own bandwidth between attention on your longer-term security agenda and today's issue that has just arisen?
Manoj Tewari: Today’s agenda always gets the first priority; however, strategic actions are always considered. We have a security operations team that works 24x7x365 to take care of operational issues and a dedicated team of experts and project managers working on new security solutions.
There are many new cyber security startups that are appearing. Are there any that have caught your eye recently and you are tracking their progress?
Manoj Tewari: We are highly focussed on top security service providers with credibility and capability to execute. For almost all decisions on new service providers, two key parameters that we don’t compromise on are ‘excellence in execution’ and ‘excellent support structure’.
We treat our service providers as our key partners because they bring capabilities that are necessary for the organisation to conquer the cyber game. It works best when we partner with the best in the industry.
What do you regard as the crown jewels within International SOS that have the highest level of security? How well do you conduct ‘mock’ incidents so that the team is prepared for data breaches?
Manoj Tewari: For all companies, and so for International SOS, there are critical IT systems that are considered crown jewels. Due to confidentiality reasons, I cannot document those systems here; however, I can assure you that we integrate security in business requirements, application build and infrastructure layer for the key systems. We implement administrative, technical and physical security controls to build the layered security around these key solutions.
We test our incident management and data breach notification procedure with a mock test every six months so that our team is prepared and aware of their role and responsibility in the security incident and data breach notification procedure.
For your clients I assume that there are specific guidelines that you provide for securing their travel to certain countries and locations. Does this specifically cover IT and Information Security – could you provide a flavour of the value of this?
Manoj Tewari: Yes, it covers specific requirements of our clients related to information security. While we provide emergency medical and travel information services to our clients, we also provide an assurance on information security of the data that we collect from our clients. The information assurance is an integral part of our services.
Within the International SOS environment are you more concerned about the internal technology vulnerabilities or of rogue insiders?
Manoj Tewari: Most of the time we are busy with internal technology vulnerabilities. The technical vulnerabilities get priority; however, we also have documented procedures to respond to a rogue employee. Thankfully, we haven’t faced rogue employee issues in our organisation leading to information security incidents or a data privacy breach so far.
When you are recruiting new talent into your team, what key attributes do you look for when selecting a new staff member? I’m aware that there is a shortage of capability in the industry - how long does it take on average to find new talent?
Manoj Tewari: There is surely a shortage of the right talent pool in the security industry. It is very difficult to get people with the right mix of technical and soft skills. It generally takes 3 months to find people with the right skill set. Key technical skills such as security analysis, penetration testing, and security architecture are rare skills.
Finally what keeps you awake at night?
The idea that hackers have to be successful only once, while we have the challenge of remediating every single vulnerability, keeps me awake at night.