Making a Move from CISO to Consultant
PwC's Salvi on His Transition from Security Practitioner
Vishal Salvi spent nearly eight years as CISO of India's HDFC Bank, but he stepped down from that role last fall to become a cybersecurity adviser at PricewaterhouseCoopers. That's a big career change - one that many CISOs in India and elsewhere are pondering or making - and Salvi says the consultant's role is every bit as demanding as the practitioner's.
"I feel the stakes are equally high, and the transfer of risk cannot be considered a factor," Salvi says. "I feel accountability and implications are equally there, if not more, in this role as compared to my last."
At HDFC, Salvi pioneered many of the bank's InfoSec initiatives. Now as a consultant and adviser, he shares his motivations for making the transition and first impressions from working across industries on complex problems.
Salvi spoke to Information Security Media Group in this exclusive interview on the sidelines of the 6th nullcon security conference held in Goa, where he was a panel speaker. In the interview, he addresses:
- The maturity of the CISO role in India;
- The evolution in the CISO career path;
- His perspective on security in the Indian banking ecosystem.
Salvi joined PwC in November 2014 as partner for its cybersecurity practice in India. He has 15 years of experience as a security leader. He served as CISO and senior vice president at HDFC Bank, heading its information security group for eight years. Before HDFC, he served at Standard Chartered Bank for 11 years.
Below are edited excerpts from the interview:
Making the Move
Varun Haran: Vishal, you recently transitioned from your role as an active security practitioner, as HDFC Bank's CISO for a considerable period, to the role of a consultant and adviser at PricewaterhouseCoopers. What prompted you to make this shift, and what are some of the salient differences that strike you between these two roles?
Vishal Salvi: Having been in the industry for 21 years, one of the objectives was to explore a career avenue where I could contribute to my organization's top line, as against being a security practitioner and contributing to its bottom line. I wanted to approach security as a business, and this was a very important consideration for me when I was planning this transition. Also the fact that you can work with, contribute and add value to multiple organizations across industries and verticals leverages your competencies to the fullest.
Although these are early days, one thing that strikes me is that the sheer dynamism of the profession itself is pretty exciting. You are able to work with many different teams on a wide variety of problems across verticals. Overall it has turned out just the way I envisaged. However, in many ways it is also different. You are required to deliver quality in a timely manner, maintaining attention to detail. I would say that you put in more working hours as a consultant than as a practitioner. As a CISO you can afford to put things off for the next day. As a consultant and an adviser, this is not possible.
New Role's Demands
Haran: I'm sure the level of risk is different as you are no longer a direct stakeholder. While they say that today many a CISO has trouble sleeping at night, is this true for your role?
Salvi: I think it applies to my role even now. Protecting the brand and its reputation is important. At the end of the day, a brand like PwC has to deliver impeccable value to the client in the form of the right advice. Any security challenge faced by a client being advised by our consultancy has a direct and equal impact on our brand. So I feel the stakes are equally high and that's not something that changes.
Haran: Even in terms of stakeholdership? Because you might give your client good advice, but you have no control over how they choose to follow your advice, right?
Salvi: Maybe that's true on some level. But taking a stand that I did my best as a consultant and it was the client's failure would be escapism. Maybe you failed to properly influence the client - you can't take that position. It is your duty to make sure you engage and influence appropriately. As a consultant you need to take accountability for the whole process, so I don't think transfer of risk can be considered a factor. I feel accountability and implications are equally there, if not more, in this role as compared to my last.
The CISO's Path
Haran: The transition you have made is a new trend that is catching up in the industry and may well become the new evolution in the practitioner's career path. What does that say about the CISO profession and the level of maturity?
Salvi: Personally for me, working as a CISO for the last eight years and being in a leadership role in security for the last 15 years, this move has come at a very opportune time. Interestingly in India, this is a new option that has opened up for the practitioner community, as well. This has definitely helped me in coming out of my comfort zone.
As far as the CISO's maturity is concerned, I think some of us made that transition, in terms of engaging with the leadership of the bank and influencing them to look at cyber and information security as an important problem as compared to other issues that they were handling. But there aren't too many of us who have been successful in doing that. A lot of it depends on organizations, on how much they empower the CISOs to do their job. Of course you need a capable CISO to seize that opportunity and take it to that level.
I feel both these things need to happen, and it is not happening enough. But I think with security getting bigger every year, we are going to see a lot of CISOs step into the leadership role and engage with the management. There is a lot that the community needs to do to nurture talent, recognize second-level leadership and mentor them to guide this talent into future industry roles. Some of us are striving for this, aside from everything else that we do - some of it formal, but largely informal.
Advice to Banks
Haran: You were in the banking industry, which is one of the more strictly regulated verticals for information security in India. Now that you are on the outside, what are some of the issues that you can highlight? What should Indian banks be doing differently?
Salvi: I may be biased here, having worked closely, but I think the regulator has been fairly proactive and the mandates are deep and detailed as far as the cybersecurity framework is concerned. The degree to which each bank approaches implementation of these regulations has been inconsistent. Some banks have taken it very seriously and implemented every aspect diligently. Some other banks have taken a checklist-based approach to compliance. Perhaps stronger enforcement to maintain consistent practices is required. Of course you need to have that degree of variation allowed because of the type of exposure each bank has, but some effort needs to be made to build standardization.
Looking at the global security scenario right now, the advantage that a country like India has is the ability to leapfrog. Learning lessons from more developed markets without having to go through the same experiential path is a unique advantage and has already happened. If I look at my banking experience, I know that we have leapfrogged at least two generations of technology innovation in the security architecture we have built for our organizations. This has really paid dividends because we have been able to control to a large extent the increase in cybercrime. But I think we can't rest on old laurels, and we need to keep on improving the ecosystem.