Interview

A healthy CIO-CISO friction is key to success: Sean Duca, Palo Alto Networks

Sean Duca, regional CSO of Palo Alto Networks, explains the necessary friction between CIO and CISO, its business benefits, and the company’s plans for the Indian security market.

Sean Duca, VP and regional CSO, Asia Pacific, Palo Alto Networks, works on the development of thought leadership, threat intelligence and security best practices for the cybersecurity community and business executives.

With more than 18 years of experience in the IT security industry, he acts as a trusted advisor to organizations across the region, helping them improve their security postures and align security strategically with business initiatives.

In an exclusive interview with CSOOnline, Duca explains the future CIO-CISO collaboration, the importance of cybersecurity in India and Palo Alto’s plans for 2018.

What will the future CIO-CISO collaboration look like?

The topic of CIO and CISO is very debatable. I think what has changed over the years is not an IT problem anymore. Many experts believe that a CISO should directly report to the CEO.

Yes, there should be a healthy friction between CISO and CIO, because ultimately CIO will be introducing the new technology market, whereas CISO should be seen guiding, saying what is good and bad for the company and how they can plan together to protect their systems.

Collaboration has to happen. A CIO just can’t bring a new team and new technology all the time, CISO will have to step in and say what is going to be more secure.

How important is cybersecurity for a developing nation like India?

India is one of the largest developing nations in the world, you have more than a billion people, you have got some of the largest companies here. There is no reason to think that India is immune (to threats), compared to any other country. Every single company should put themselves on guard, that there are cyber attackers looking to cause mayhem. The attacker’s motivation and objective ultimately is going to be based on financial fraud or some sort of information stealing.

For the past two years, the conversation has changed; people have started looking at the existential threat to their business, and they are not just talking about it but are now acting on how to prevent it.

The businessmen will have to understand that when they are connected online, there are some people who will try to intrude.

But I am loving the conversation here. People have started thinking how they can make changes in their business. Executives are being accountable for a risk to their business if they don't do anything about it. It is a good sign for the business.

India is the epicenter of the outsourcing world, it has a lot of stakes because they are not only managing their own business, but they are also managing back-end of thousands of other businesses.

Indian businessmen/ CIOs are no longer talking about the typical Indian security structure. They want to move away from the legacy, which has been followed for years. Now they are thinking about how to prevent any kinds of attacks or threats.

There is increased awareness of cybersecurity and an increased budget compared to what it was five years ago. Do you think it is enough to just provide funds? Can there be other alternatives?

People have started to understand how we can change an outcome. So the big and small organizations are thinking that there has to be a better way and moving away from legacy security architecture.

The security funding in the companies is still lacking, and CIOs especially should be aware to not spend frivolously. They should be thinking about changing what they have done in the past and try to work on something different.

Don’t try and re-invent what we have been doing for the past 20 years, because for starters the threat has actually changed, out-pieces have changed. We are consuming things as services now, so ultimately we have to move away from this whole system-centric security model to where is my data, and how secure it is. Spend money wisely, rather than simply going to 20 vendors and buying 20 different services.

2017 saw many threats, and attacks. What does Palo Alto Networks have in store for 2018?

We have been focusing on how we really look at disrupting the network security market by getting a lot of different disparate solutions. We have taken a lot of market share, we are clearly number one from a product revenue standpoint. What changed for the past four to five years is where we simply said data is everywhere and we needed to give proper safety to it.

Yes, we saw an exponential amount of threats in 2017, and we are helping organizations transform the way they can leverage new technologies, where it allows them to do it in a more secure manner, at the same time preventing a successful cyber-attack from taking place.

Palo Alto Networks believes in prevention. It believes anyone can prevent anything that is known, that should be automatically done. And anything that is unknown should go through a process, where they can simply automate that and quickly turn it into a known threat. Palo Alto Networks is doing that right now with their customers. They have around 45,000 customers growing at the rate of 1000-2000 every single quarter.

For us, our ambition is we want people to understand that there is an existential threat to their business, they need to do something right now, they need to move away from legacy security architecture. If you push attackers down, they will get up, dust themselves off and they will do something different; we need to be as agile and think how to prevent the next attack.

Looking ahead in 2018, we are obviously going substantially in India. Things are hot here. The government is moving well too. With initiatives like Digital India, security is paramount. I think it is making sure that from an awareness perspective we got to make people understand that there are threats and challenges to their business. They need to do something different, you just can’t rely on this old way of thinking.