The security professional went back to the basics and began with prioritizing people and processes.
“Security is not just technology; it’s past that stage. It’s a mindset that impacts the entire organization,” he says. “My objective was very clear—keep it simple, start with the basics, and don’t jump into anything complex on day one.”
He also leaned upon a partnership with Microsoft to bring a cloud native approach to secure the platform and data of millions of users. Tata Digital was the first customer in India to get Microsoft’s XDR solution for managed security, even before it was formally launched in the country.
“It offers us the assurance that the Board and the leadership wanted because Tata is synonymous with India as a target for bad actors. And when it comes to security, you want Microsoft in your corner,” Aksekar adds.
You’ve been in this IT security space for over two decades now, but Tata Digital is unique – it’s a born-in-the-cloud company. As a security professional, did that offer any new opportunities and challenges?
Tata Digital is a cloud native company and we built it from scratch during the pandemic. When I started, I looked at my bag of experiences, from banking to technology to cybersecurity across the region, to think about the things I wanted to do but also those that I wanted to avoid.
My objective was very clear—keep it simple, start with the basics, and don’t jump into anything complex on day one. For me, the prioritization has always been around people and processes.
On the people front, it’s important to hire the right people with diverse backgrounds and empower them.
And ensure we are process dependent and not people dependent when it comes to handling incidents, audits, or reviews.
Coming to the challenges, the business wanted to scale fast—so how do you support them in all of the initiatives? The key principle was to be agile and keep things simple.
You emphasize the processes around security. Why is that so important?
I keep emphasizing the process because it’s very easy to get lost in what I call the fog of cybersecurity. There are so many fancy tooling products, artificial intelligence (AI) and machine learning (ML) enabled products that it’s easy to think you can plug in a box and it will take care of the problem. But it won’t, unless you put in a process to stitch it across your tech environment, your organization, and your people. So it must be a process and people approach first and only then you can get technology to come in.
Tata Neu brings together over a dozen experiences from multiple Tata Group products and services with over 100 million users. What were the challenges there?
One of the initial challenges we faced was to build a robust single sign-on environment that could scale up to the number of users we were looking at. There was no solution in the market, and we ended up building our own product with Microsoft’s help that continues to function and scale magnificently.
The partnership with Microsoft started when Tata Digital was set up in 2019. Microsoft just opened its doors and started building it out with us by bringing its data architects, engineering teams, developers, among other teams.
We had to stitch together 8-12 initial Tata Group partners into this platform. While Tata Digital was a cloud native company, most of our partners were not necessarily cloud native. Again, Microsoft along with several partners, including TCS, came together and helped build this.
They helped answer questions like how we architect for such a heterogeneous environment, keeping the customer in mind. How do we stitch a loyalty program across all of the partners when many of them had their own programs in some shape or form?
And finally, scaling up for the launch that was timed with a cricketing event. We tapped into the knowledge of some of the best minds globally at Microsoft to prepare for that scale.
The role of a CISO has evolved over the years, especially in the last decade with increased regulations around data privacy, more frequent attacks, and building trust with the consumers of your service. How do you see your role changing over the years?
The role of a CISO has changed fundamentally. The security organization is no longer on the back foot. You have to be shoulder to shoulder with your frontline businesses as they engage in new markets, engage with customers and regulators. You have to be at the table enabling them.
I think regulations will continue to evolve and they generally have the right intent. We should support regulators and provide them inputs from an industry perspective as we have the pulse on the ground.
In terms of consumer trust, I think you must make security work for them. We need to build security into our systems, so we don’t make them jump through hoops just to secure their own accounts. Their job is to use the service and do what they need to do. We must build security into our tooling, into our processes, and ensure our people do the right thing.