“Innovation in Cyber Security is not just about thinking outside the box, it is also redefining the box.”

CISO Interview Series: Sanjay Verma, Head of Information Security & Risk, Deakin University

I’ve seen that you have academic staff, such as the Deakin University chair of information security Matt Warren, who are opinion leaders. How do you as CISO tap into expertise and opinion leaders within your own organisation to further your goals?

I have the privilege to work closely with enormous pool of talent within our University. Leveraging on the existing skills and expertise across the University will be a key focus to institutionalise our Cyber Security strategy.

Matthew Warren is an esteemed researcher in the areas of Cyber Security and Computer Ethics. Over coffee we not only cover Cyber Security with a 360 degree view points focusing on research, teaching, professional and institutional aspects, but we also discuss everything around broader initiatives across the University regarding Cyber Security@Deakin.

Could you describe your average day as CISO at Deakin University? Do you have a particular routine for the start and end of day?

Every day is not the same but the only thing that is constant is change.

My “average day” starts with meeting people (preferably outside four walls!) and understanding how Cyber Security strategy can be best aligned to help them achieve their goals.

Doing a pulse check on an average day is important for me to ensure my team is focused in delivering on our promises. Everyday can be a D-Day for me and I love to celebrate success, no matter how small it is!

On a scale 1-5, do you expect that your investment on Cyber & Information Security will be increased over the next 3-5 years? What’s going to drive that?

I believe investment in Cyber Security will continue to increase across most of the industry sectors since the web is now the de-facto channel for revenue. Thus, I see a progressive increase in the Cyber Security investment.

There are range of driving factors which includes not only our focus in Digital Innovation but also how we protect our digital footprints with the rapid increase in the cloud adoption.

When you see your Deakin University colleagues refer to hackers in Russia, Ukraine etc in the newspapers. Does this make you and your team concerned that perhaps this will attract the wrong attention from such parties?

Our colleagues talk to media on several fronts – including Cyber Warfare and Cyber Security. This can be individual viewpoints or based on information which may already be out there in the public domain.

Personally I do not think this will attract the wrong attention from such parties as our focus is only to provide the best digital learning experience to our students.

How do you balance your own bandwidth between attention on your longer term security agenda and today's issue that has just arisen?

To be able to link today’s issue with the longer term security agenda is important. This helps me to continuously focus on the big picture and be able to plot every piece of work on the canvas.

Similar as a driver, it is important for me to be vigilant about the surroundings, entry / exit points, detour etc, but making sure that I am heading in the right direction and arrive safely at the destination.

Deakin Digital I understand is a new offering and takes the University into new territory with the business market. Is there a play for Deakin to provide professional Cyber Security accreditation for public and private companies?

The accreditation is an interesting idea – but it is a very complex area.

Clearly, the shortage of experienced Cyber Security talent is putting a lot of pressure on organisations. This has created a new trend where public and private companies are now approaching Universities for a partnership model on how to make Cyber security programs more hands on with real world problems and help to reduce the ever widening gap between threats and defence.

Allyn J Radford, CEO of Deakin Digital, is a thought leader in Credentialing. When discussing this topic with him, he not only appreciates the complexities of accreditation but also believes that considering credentials for Cyber Security would add value in this space.

By not doing “teaching and learning” ourselves we are able to work with both vendors and education providers to build a more flexible model for closing the skills gap. There is little hope that the IT Skills shortage can be met by traditional education methods, the task is too large. If one includes a broader range of learning opportunities and a validated assessment and Credentialing approach, we can make a bigger impact on reducing the IT skills shortage, especially in high value areas like Cyber Security.

How much cooperation do you have with other cyber security teams at other sister universities and also with private companies?

The security professionals here are pretty well networked. It does help each of us to catch-up and share ideas on different fronts. The increased collaboration which I have seen over the last few months being in the education sector is very encouraging. It demonstrates seriousness within the Cyber security world.

I would like to see more cross-collaboration with private companies in establishing a wider Cyber Intelligence community. More or less we share the same pain and learning from each other’s win or losses will enable all of us to solve the problem we face in a very pragmatic manner. We are now living in a world where the risk universe is constantly changing. There is no place for trail and error method in the Cyber world.

On a campus like Deakin with 55,000 users who are all wireless and mobile. What extra challenges does this create for you as CISO?

Every opportunity brings its own risk. In my role, it is important to maintain and provide the best user experience to all our students and staff, while maintaining a Cyber Safety culture. All aspects of controls plays a critical role – so one size does not fit all.

I would like to further mature the concept of ‘cyber elasticity’. This ensures we build a solid Cyber Security footprint, while still making it flexible enough to support the organizational needs.

If you have to estimate, what proportion of the small student population are actually ‘black hat’ or potentially going that way? What measures are you taking to track and re-direct this group?

Sorry, one more point, when it comes to the misbehaving students, traditionally which faculty has the most offenders?

It is a good research area but I am not aware of any analysis done to provide any specific view point. Without labelling an individual or a group, I would say that there are exceptionally talented students within our University. Who knows what role these talented people can play in future – the opportunity in vast in the research, operations, advisory, network and other areas of Cyber Security. There is no boundary or limitations for talented students.

What keeps you awake at night?

I will be bored if there’s nothing to keep me awake at night.

Most of the time, it’s all about spending some time to connect all the dots backwards - reflecting on what’s worked and what’s did not and then plan forward.

When I get some sleep, I love to dream on how to make things better and simpler. Something to have a go first thing in the morning!

Tags CISOcybercrimeLinkedInDeakin UniversityDavid Geesecurity professionalsdigital bankCISO LeadersSanjay Verma

Show Comments