Host: Hello everyone, welcome to the latest episode of ExtraMile by HiTechNectar, an interview series that bridges the gap between industry leaders and enthusiasts. I am your host Sayali and we’re here to discuss the latest innovations, tech trends, marketing practices, expert insights, and a lot more.
Joining us is Mr. Maheswaran Shanmugasundaram, the Country Manager of Varonis Systems, a leader in cloud-native data security. Mahes has been a key contributor to data protection projects at Varonis. With over 25 years in the industry, he’s an expert in cybersecurity. Let’s hear about his journey and learn more about the current trends in data security. Welcome Mahes, we’re thrilled to have you here.
Maheswaran: Yeah, hi, thank you so much, it’s a pleasure to be here.
Host: So Mahes, you’ve had a career spanning over 25 years. What key qualities have shaped your journey so far?
Maheswaran: 25 years seems like a lot, Sayali. If I have to think and pick maybe the two topmost qualities that have helped me so far in my career, I would say one, the constant passion to learn and to use that knowledge to innovate in the way you approach work. I think that really differentiates you from other professionals and helps you to be successful. And the second most important quality, especially since I have predominantly been in a customer-centric role, is to have a customer-centric approach and keep your customers as a top priority.
And I think if you always keep your customers in mind, you will start seeing success pretty soon. I think these are the two most important qualities that have helped me, Sayali.
Host: So, moving ahead, what are your main responsibilities as the country manager at Varonis?
Maheswaran: Okay, so we established operations in India almost three years back. Varonis didn’t have any presence in India before that. So, the key priority for me when I joined Varonis was to establish Varonis as a brand, because though we were a pretty popular brand in North America, it was not a well-known brand in India. So, to establish Varonis as a brand and a trusted advisor around data protection, which is the domain that we operate in.
That was one of the key priorities. And for that to happen, what we did was participate in a lot of events, and we leveraged our marketing to ensure that our brand awareness increased significantly. So that was one key priority.
The second one is, of course, that the management or the leadership had revenue and growth expectations year on year. So, we had a three-year and a five-year plan, and it was important for me to execute that plan well. For that, it’s very critical to have the right team.
So identifying the right talent, ensuring that there’s clear communication in terms of expectations from them, coming up with proper processes and metrics to ensure that their work is measured and is actually driven towards the outcome that we want to achieve, and then guiding them wherever needed to ensure that the expectations are met was another important responsibility, I would say. And the third most critical thing is, of course, building a channel ecosystem.
Because however big a team we build, it’s not going to be enough to address the space or the market that we have. So, it’s very critical to identify the right set of partners, treat them as your extended teams, and ensure that we grow and achieve our outcomes through those partners. Having the right channel partners and building a proper ecosystem to ensure that the relationship is effective is another key priority.
I think these are the top three, and of course, like I said, a customer-centric approach is very, very critical. And I always believe in, and I call this the 3H: happy employees, happy partners, happy customers. So, if you keep your team happy and your partners happy, I’m very confident that the customers are going to be happy and help us to achieve the outcome that we want.
Host: Data analytics is core to Varonis. How do data discovery and classification play a role in advanced analytics?
Maheswaran: Actually, data protection and data security posture management are the core capabilities that Varonis offers through its platform. Of course, we leverage analytics to ensure that we achieve those outcomes for customers. So, for any data protection strategy, I think discovery, and when I say discovery I mean identifying the critical information assets fast and accurately, is very, very critical.
And classifying them into different buckets. When I say buckets: how much of it is regulatory information? How much of it is intellectual property? How much is sensitive corporate information?
So, categorizing this information into appropriate buckets and ensuring that the information is accurately identified is very, very critical. That forms the foundational element for any data protection strategy. So, we definitely do that: we help our customers to go and identify critical information irrespective of where it is or in which form it is, help them to ensure that it’s properly categorized, and help them to build data protection strategies from there.
So again, any data protection strategy doesn’t stop with data discovery and classification alone. Once you do that, then you’re even more accountable. Once you know that you have so much regulatory information or so much sensitive information and where it is residing, then as an organization you become even more accountable to protect it.
So, that’s where we also help organizations to assess or understand the risk posture around the various information buckets or information categories that customers have or own, and help them to automatically remediate the risk and improve the data security posture. And to do that, we leverage analytics significantly. I mean, to help customers understand what information is sensitive, how it is being used, and which users have access to it.
Are there any suspicious activities around it? If yes, how do we report and contain it? For all of this, we leverage analytics significantly.
And like I said, for this to work, the discovery of information and categorizing it into different buckets is very, very essential. And we do that efficiently.
Host: So, speaking about advanced analytics, can you explain the difference between identity management and access control in cybersecurity?
Maheswaran: OK, so as the name indicates, identity management is all about, when I say identity, user management, right? So, the identities that are allowed to access an organization’s assets and applications. How do you create those identities?
How do you manage those identities? How do you ensure that you authenticate them the right way to get access to your network, systems, and applications? All of those come under identity management.
So how do you manage identities, provision identities, and ensure that they’re managed effectively so that they can get access to systems in a secure way? That’s identity management. Access control is one step after identity management.
And actually, it has to be part of identity management itself. Identity and access management becomes important when you’re looking at creating identities, because once you create an identity and give it access, it’s important to restrict that access.
So, access control is the mechanism or strategy through which you restrict an identity to accessing only the authorized systems, applications, or assets that the organization wants it to. And for anything they’re unauthorized for, the access control mechanism will ensure that they don’t get access to those systems. When organizations devise access control mechanisms, we predominantly see organizations enforcing access controls around networks, applications, or even assets.
When I say assets, I mean endpoints or servers, but they don’t actually extend that to information or data. Because now data is everywhere; it doesn’t stay restricted within a fixed perimeter or an asset. So, we believe that when organizations are enforcing access control, it’s equally important to extend their strategy to information and ensure that only authorized users get access to the information that they’re supposed to.
Host: Highlighting cybersecurity practices, what is Managed Data Detection and Response, also known as MDDR? And how does it help companies boost security?
Maheswaran: Right. So, Varonis has in fact coined this. I mean, we launched the service called Managed Detection and Response. The reason why we thought it was critical for us to launch this service for customers is because, one, most SOC teams, or what we call Managed Detection and Response services that various vendors offer, are focused on threats or threat actors and don’t actually give enough visibility around data or help customers to understand how a threat is going to have an impact on the data. Has that threat actually resulted in a data breach or not? That part is a big blind spot for most of our customers, despite having Managed Detection and Response services from various vendors or trying to get these services done through their SOC teams.
So, we thought it was important to address that gap and help customers to also get a lot of insight in terms of how data is touched by a threat: is a threat actually serious when it comes to touching sensitive information? Was there a material data breach or not? And how is that threat engaging with data?
So that’s what we thought was going to help customers significantly. And since Varonis provides a lot of data-centric telemetry, and when I say data-centric telemetry I mean helping customers to know where their sensitive information is, who is accessing it, and what user behaviors are allowing them to access it, we thought that we could leverage this telemetry to offer the service called Managed Data Detection and Response and help customers to actually get a lot of insight in terms of how a threat maps to the data that is important for them and whether a threat is actually resulting in a material breach or not.
And we launched the service, and we have helped a lot of customers detect or predict complex threats like ransomware threats or insider threats just by the way those threats were engaging with data and the behaviors the users were exhibiting when engaging with data. We also offer this as a 24x7x365 service where there’s a dedicated team of IR specialists looking at such events as they come up and proactively communicating with our customers who have subscribed to this service. And we also have an SLA of anywhere between 30 minutes and two hours based on incident severity.
We communicate the threat to the customer based on the SLAs that we sign and work with the customer to manage and mitigate those threats that we see in the environment through the service.
Host: Great insights and security measures. So, moving forward, how serious are insider threats for businesses and what steps can be taken to mitigate them?
Maheswaran: Right. So, I mean, I would actually think every threat should be perceived as an insider threat, because mostly I believe breaches happen either because someone is not doing something that they’re supposed to do or someone is doing things that they’re not supposed to do. Right.
So, it boils down to a behavior that an insider or anybody within the organization exhibits which creates this breach. So, it’s very, very critical. And actually, I can’t come up with a specific percentage, but I’m sure it’s upwards of 50 percent in terms of how often high-risk insider behavior contributes to breaches.
So, it’s a very, very serious problem and organizations have to treat it very, very seriously. And like I said, perceive every threat to be like an insider threat. For that to happen, organizations have to understand the behaviors of how users are engaging in their day-to-day operations.
Right. So normally, when it comes to breaches, there are predominantly three behaviors that users exhibit. The first is accidental, ignorant behavior.
Right. So, the user does not know that what he’s doing is going to bring risk to the organization. Right.
He probably clicks a link in an email which is a phishing link and creates a risk for the organization. Or he may be sending something to a person unintentionally. I mean, all of us have done this.
I’m sure everybody has done this at least once in their career: trying to recall a message after sending it to somebody, and then realizing that it went to another person. Right.
So those are accidental or unintentional ignorant behaviors. The second one is unintentional malicious behavior, where the user does not have any malicious intent, but his machine could have been compromised. The hacker has compromised his credentials and is using his credentials to go and create problems for the organization.
So, the user does not have any malicious intent, but the machine is behaving maliciously, or his credentials are being used for malicious activities. That’s the second type of behavior that typically results in breaches. And the third one, of course, is intentionally malicious users, that is, disgruntled employees.
They typically behave in a different way when they are disgruntled, to cause harm to the organization. So, it’s very critical for organizations to understand these behaviors. There are technologies available in place.
With AI/ML becoming very prominent, organizations can leverage these technologies to understand behavioral patterns and then focus on high-risk behaviors like I just said. And if they do that, they’ll be able to predict these behaviors as and when they see them. They’ll be able to contain breaches, or educate employees and make them more aware, etc., have a predictive framework set up in place, and minimize and comprehensively address insider threats, is what I think.
Host: Speaking about threats, with cybercrimes on the rise, what operational challenges do companies face after a cyber-attack?
Maheswaran: Well, that’s a lot, right? In fact, at one of the events, what we did was create a group, and we asked them to identify themselves as a CISO, CFO, CEO, CRO, marketing, HR. Right.
And then we gave them a topic about a breach and watched how they responded, I mean, how prepared they were in actually handling that breach. Because one of the biggest challenges that we see is, I mean, every organization anticipates that there’s going to be a breach, and they deploy a lot of preventive controls to ensure that they’re not breached. But God forbid, if they do get breached, that’s when I think some of the gaps that exist in their framework get exposed.
Because once they get breached or the cybercrime happens, there are a lot of things that need to be focused on, and organizations don’t have a clearly defined standard operating procedure in place to manage a cybersecurity breach. I mean, imagine, I normally pick up this analogy, right? If there is a fire incident, organizations are very well prepared to manage that incident.
There are clearly defined standard operating procedures. There are drills that happen periodically to test how everyone is responding to a fire alarm and things like that. And fire incidents are far less likely to happen compared to a cyber breach or cybercrime or a data breach, right?
But when you look at the preparedness of an organization for a cyber breach compared to how they are prepared to handle a fire incident, it’s less than 10 percent, is what I would say for most organizations. They’re really clueless about what needs to be done when they go through a cybercrime. So, there are a few things that are very, very critical, and they need to understand that these are the operational challenges that they have to go through when they face a cyber-attack.
The first and foremost thing for them when a cybercrime happens is to find ways to contain the breach and get back to normal. When I say get back to normal: if there is downtime, if there is an impact on services, it’s very, very critical to ensure that the services are restored and there is no impact in terms of productivity or customer experience or satisfaction. So that’s very, very critical.
So, what procedures do they have in place to contain the breach? How are they prepared to understand the breach and what needs to be done? I mean, what DR/BCP practices are in place to ensure that they’re up and running quickly so there is not a significant impact because of downtime or anything else? That’s very, very critical.
The second thing is communication management. When I say communication management, it could be internal, it could be external, because when a breach happens, especially if it’s a serious cybercrime, it could create a loss of morale among employees, customers, important stakeholders, and leadership. So, it’s very, very critical to come up with a proper communication plan and clearly articulate why this has happened.
What did the organization do? How are they confident that such things are not going to happen again?
And I think it’s very, very important to have transparent communication with all key stakeholders, internal and external, to restore confidence in the organization and the team who’s managing this for that particular organization. That’s very, very key. And we see this to be a gap in most cases.
The marketing teams, the PR teams, are not actually very well prepared to handle how to communicate when there is a cybercrime or a ransomware attack or things like that. And as part of this communication management come also the legal or regulatory demands that arise out of it. I mean, organizations have to report a breach within a certain time period to key stakeholders.
Are they doing that? What are the legal implications if they don’t communicate the breach well? What are the legal implications of the breach itself?
I think organizations need to understand all of that and ensure that they have a proper plan in place to manage any legal or regulatory issues that might arise. That’s another important thing, I would say. And I think if they do this well, the reputational risks can be managed significantly.
Any reputational impact that the breach has caused for the organization can be managed well with a proper communication plan, I think. And then, of course, understand why the breach has happened. Do a proper forensic investigation.
Understand what gap in people, process, or technology made this breach possible for that particular organization, and ensure that they learn from it and plug those gaps so that the same breaches don’t happen again. I think these are very, very critical. Again, I know it’s a very long answer, but just to keep it simple and easy to understand: I think it’s very, very critical for organizations to immediately contain the breach and restore the services quickly so that it doesn’t create any impact on productivity or customer experience.
That’s very critical. The second thing is to have a proper communication plan in place, both internal and external, so that any legal or regulatory impact or reputational risk is managed efficiently. And lastly, how are they keeping the security framework adaptive, to learn from these breaches and ensure that the gaps that caused the breach are actually plugged so that the same cyber breach or data breach or cybercrime doesn’t happen again in future?
I think these are the key outcomes that organizations need to be prepared for when a cybercrime happens. And all three would become really challenging if they’re not prepared for how to address them.
Host: Thank you, Mahes, for sharing your invaluable insights and experiences with us. It was truly a pleasure to have you with us today. Thank you so much.
Maheswaran: Thank you so much for this opportunity. I hope this was useful. Thank you.
Host: Thank you, everyone, for joining us today. I am your host, Sayali, signing off. See you soon in the next episode of ExtraMile by HiTechNectar, with the next extraordinary leader on board sharing their thoughts and knowledge. So please stay tuned!