Cybersecurity Evangelist | Speaker | Mentor |
Chief Information Security Officer (CISO) | Data Privacy & Protection Officer (DPPO) | Data Privacy Specialist
Work Experience
TATA AIA Life Insurance Company Ltd.
Dec'22 – Present
Future Generali India Life Insurance Company Pvt. Ltd.
June'19 – Nov'22
Safe Security (Lucideus Technologies Pvt. Ltd.)
Oct'17 – May'19
Girnar Software Pvt. Ltd. (Cardekho.com, gaadi.com, Collegedekho.com, etc.)
Feb'16 – Oct'17
Protiviti Member Firm India (India, Kuwait)
July'15 – Feb'16
Yatra Online Pvt. Ltd.
April'12 – Feb'15
Bertelsmann AG (Arvato Services India) (Germany, Hong Kong, and Singapore)
Jan'07 – April'12
Ocwen Financial Solutions Pvt. Ltd. (Mumbai, Bangalore, USA)
Sep'03 – June'06
IGATE (earlier IT&T)
May'01 – Jan'03
Chief Information Security and Data Privacy & Protection Officer (CISO & DPPO)
Heading the following five functions:
1. Risk, Governance & Compliance
- Implementing Information Security Frameworks: Develop, implement, and maintain a robust information security framework.
- Cybersecurity Risk Management: Identify, assess, and manage cybersecurity risks across the organization.
- Compliance with Regulations: Ensure compliance with regulatory requirements related to information security and cybersecurity.
- Policy and Procedure Development: Formulate and enforce information security policies and procedures.
- Risk Assessments: Conduct regular cybersecurity risk assessments and vulnerability analysis.
- Incident Response: Lead the development and implementation of incident response plans for cyber-attacks or data breaches.
- Data Protection: Ensure the protection of sensitive data from unauthorized access or breaches.
- Reporting: Regularly report cybersecurity status, risks, and incidents to senior management and the Board.
- Training and Awareness: Conduct cybersecurity awareness programs and training for employees.
- Continuous Monitoring: Oversee continuous monitoring of cybersecurity threats and implement preventive measures.
2. IT Information Security Operations (ITSO)
- Monitoring and Response: Continuously monitor IT systems for security threats, vulnerabilities, and breaches, and respond promptly to any security incidents.
- Incident Management: Implement and manage a well-defined incident response plan, ensuring timely detection, containment, eradication, and recovery from cybersecurity incidents.
- Security Infrastructure Management: Oversee and maintain the organization's security infrastructure, including firewalls, intrusion detection/prevention systems, and antivirus solutions.
- Threat Intelligence: Gather, analyse, and act upon threat intelligence to proactively identify and mitigate emerging security threats.
- Vulnerability Management: Regularly conduct vulnerability assessments and coordinate patch management to address security weaknesses.
- Compliance and Reporting: Ensure that IT security operations comply with relevant regulatory requirements and report security metrics, incidents, and compliance status to senior management.
- Access Control: Manage and enforce security controls related to user access, authentication, and authorization, ensuring that only authorized personnel can access critical systems and data.
- Security Audits: Conduct regular security audits and assessments to evaluate the effectiveness of the organization's security measures and ensure compliance with policies and regulations.
- Employee Training: Promote security awareness and provide training for staff on identifying security threats, phishing attacks, and safe online practices.
- Collaboration: Work closely with other departments (e.g., IT, legal, compliance) to align security operations with business objectives and regulatory requirements.
3. Third Party Risk Management (TPRM) and Technology Risk Assessment (TRA)
- Third-Party Due Diligence: Conduct thorough risk assessments and due diligence before engaging with third-party vendors to evaluate their cybersecurity practices.
- Contractual Security Requirements: Define and enforce security obligations in contracts with third parties, ensuring compliance with data protection and cybersecurity standards.
- Continuous Monitoring: Regularly monitor the cybersecurity posture of third parties and the organization's technology infrastructure for emerging risks.
- Incident Response Alignment: Ensure third parties have incident response plans aligned with the organization's protocols and ensure timely reporting of incidents.
- Vulnerability and Risk Identification: Identify, assess, and mitigate technology and third-party risks, including vulnerabilities in systems, applications, and external vendor relationships.
- Impact Analysis: Evaluate the potential impact of risks on business operations, data integrity, and overall cybersecurity resilience.
- Mitigation and Control Implementation: Develop and implement risk mitigation strategies, controls, and safeguards to address identified risks.
- Regular Audits and Reviews: Conduct periodic audits of third-party security practices and technology infrastructure to ensure compliance with established policies.
- Collaboration and Reporting: Collaborate with internal teams and third parties to address risks and provide regular updates on risk status to senior management.
- Training and Awareness: Promote ongoing cybersecurity training and awareness programs for staff and third parties to strengthen the organization's overall security posture.
4. Business Continuity Management (BCM)
- Business Continuity Planning: Develop, implement, and maintain a comprehensive business continuity plan (BCP) to ensure critical operations can continue during disruptions.
- Risk Assessment and Impact Analysis: Conduct regular risk assessments and business impact analyses (BIA) to identify potential threats and their impact on business operations.
- Recovery Strategies: Design and implement recovery strategies for key business processes, IT systems, and resources to ensure timely recovery after disruptions.
- Crisis Management: Lead crisis management efforts during disruptions, coordinating response actions and communication across departments.
- Regular Testing and Drills: Organize and conduct regular testing, simulations, and tabletop exercises to ensure the BCP is effective and staff are prepared for emergencies.
- Compliance: Ensure that the business continuity plan aligns with relevant legal, regulatory, and industry standards, and is regularly reviewed for compliance.
- Documentation and Reporting: Maintain detailed records of business continuity plans, risk assessments, recovery strategies, and testing activities, and report progress to senior management.
- Collaboration with Stakeholders: Work with internal departments, external partners, and third-party vendors to ensure their roles and responsibilities are integrated into the business continuity plan.
- Continuous Improvement: Continuously review and improve the business continuity strategy, incorporating lessons learned from disruptions, tests, and evolving business needs.
- Training and Awareness: Conduct training and awareness programs for staff to ensure familiarity with business continuity procedures and their roles in the event of a disruption.
5. Data Privacy & Protection
- Compliance Oversight: Ensure adherence to the provisions of the DPDP Act and regulations on data protection.
- Advisory Role: Advise the organization on data protection obligations, policies, and best practices.
- Monitoring Compliance: Ensure proper implementation and monitoring of data protection practices.
- Data Subject Rights: Oversee the handling of data subject rights, including access, rectification, and deletion requests.
- Impact Assessments: Ensure the performance of Data Protection Impact Assessments (DPIAs) for high-risk data processing.
- Training and Awareness: Conduct training and awareness programs on data protection principles for staff.
- Liaison with Authorities: Serve as the main point of contact for regulatory authorities, handling notifications and reporting.
- Data Breach Management: Oversee the detection, reporting, and management of data breaches.
- Documentation: Maintain records of data processing activities and ensure proper documentation of compliance efforts.
- Data Minimization: Ensure data collection and processing follow principles of necessity and data minimization.
Chief Information Security and Data Protection Officer (CISO & DPO)
CISO, Partner & Delivery Head of Enterprise Customer Service (ECS)
Deputy Director of Information Technology & Security
Head of Information Technology & Security
Head of Information Technology & Security
Senior Manager of Information Technology & Security
Senior Technical Service Engineer – Telecom
Sr. IT Executive
Educational Qualifications
2022-2024
Doctorate in Management Studies with Specialisation in Information Technology Management and Cyber Law (Grade A)
Indian School of Management Studies
2014-2016
Post Graduate Diploma in International Business Strategy (Silver Medal)
Indian Institute of Foreign Trade (IIFT)
2004-2008
Master of Science in Information Technology (MSc IT)
Sikkim Manipal Institute of Technology
1996-1999
GNIIT
NIIT Technologies
1996-1999
Entrepreneurship and Small Business Management
College of Vocational Studies (Delhi University)
Training & Certifications
- Certified - ISO 27001:2022 LA
- Certified DCDPO from DSCI
- Certified TATA Cyber Excellence Assessor Program (CEAP) - Gold Standard.
- Certified ISO 31000 Risk Management Professional
- Certified Information Systems Security Professional (CISSP) Training
- Certified EC-Council C|CISO
- Certified Information Security Manager (CISM) Training
- Certified Information Systems Auditor (CISA) Training
- Certified Data Privacy Solutions Engineer (CDPSE)
- Certified Payment Card Industry Security Implementer
- Certified - PCI-DSS Awareness Training / Session (Approach, Certification and Requirement)
- Certified - ITIL V3
- Certified Ethical Hacker (CEH) Training
- Certified - Cisco Certified Network Associate (CCNA)
- Certified - Cisco Certified Voice Professional (CCVP)
Technical Know-How
- Security – Imperva WAF, Akamai WAF, Bot protection, DNS Security, Firewalls (Fortinet and Juniper NetScreen) and Perimeter Security devices, Antivirus (Check Point, McAfee Enterprise & Symantec) and IDS/IPS
- Data Loss Prevention – Symantec, Netskope, Zscaler, Prisma Access
- Data Classification – Titus, Klassify
- Database Encryption - Thales, Native and Cloud encryption
- Database Activity Monitoring (DAM) – IBM Guardium
- Attack Surface Management - CTM360, Cyble
- Vulnerability Disclosure Program & Bug Bounty - YesWeHack
- Endpoint Encryption – Trend Micro Endpoint Encryption, Symantec, Check Point and SecureAge
- Server Security – Trend Micro Deep Security, Palo Alto Cortex
- Application, Server and Network Security – Checkmarx, Tenable (Nessus)
- SIEM – QRadar, Microsoft Sentinel
- SOAR - Logic Apps
- Email Security - Trend Micro Email Security
- Breach Attack Simulation - Picus
- Ticketing Tool – Remedy, Sapphire, ManageEngine
- Web Filtering – Netskope, Blue Coat, Forcepoint, Barracuda X810 Web Filter
- Scripting Languages – Shell, PHP, Python, Perl, etc.