A CISO’s perspective on pressure

Mihir Joshi (Group CISO at Tata Power; Advisory Board Member for Xchain Technologies) is responsible for cybersecurity for the biggest power generation company in India, tasked with providing uninterrupted power supply across the nation.

Before he heads to Riyadh later this year to speak at Black Hat MEA 2023, we asked Joshi for his perspective on the attack surface right now – and how he manages the pressure of being a CISO in a critical industry.

Here’s what he shared.

Could you tell us about your career journey so far?

“I started my career in 2008 as Linux Systems Engineer – Level 1 in a domain hosting provider. The phase was very difficult in a way; there was a recession, and on top of that, in spite of clearing B.E. with Distinction in 2007, I landed my first job in 2008.

“December 2008 was a month where the tables turned – we experienced our first hack. This was my first face-off with a large spread attack. That’s how my journey started. I worked closely to set-up Info-Sec (IS) Framework for Domain Hosting Providers in India, Australia, and Thailand. It was a pivotal moment in which I had to show up and work in an unknown territory to ensure that data was fully recovered, and entire operations were back to normal.

“Throughout my 15 year journey, I’ve worked in numerous roles; starting from Linux Engineer – Level 1, then SOC, and then as a consultant and now a Group CISO. I landed my first CISO role in 2016 with DSP BlackRock and after that there was no stopping.  

“Now when I look back, just showing up is half the battle. The willingness to show up changes us and makes us braver each time. It has been a roller coaster ride – which in a sense is a good indicator that it’s not monotonous, and we still have to learn much more than we know at this very moment.”

Working as a CISO in a critical industry, do you face any specific challenges on the job? And how do you manage that pressure on a personal level?

“As a Group CISO in a critical industry, we have to defend when we know that we can’t even level up the patch cycle compared to the IT world. SCADA/OT is an area where we can’t build the walls yet we have to defend our territory with all we have.

“We as humans have a natural tendency to manage pressure, and what makes us unique is our propensity to deal with pressure. I’ve realised after multiple failures and trial and errors that even before trying to manage the pressure, it’s very important to know the threshold and identify the pressure triggers.

“I have those in line – which helps me to manage the pressure by finding a solace in spending time with my family, playing with my kid, reading books and running. I’ve clearly defined the pressure points into ‘urgent & Important’ and ‘important but not urgent’. I won’t say it works every time – but yes, most of the time. When it doesn’t work, we all have our own propensity to deal with it.”

What are the most prevalent threat types you're seeing in 2023?

“With the increased need for visibility and correlation, IT & OT convergence will bring a whole new level of attack surface. Integration of IT with AI and the need to analyse more and more data also increases the data points. Gone are the days where we were working towards reducing the attack surface. It’s a whole new era of adoption and learning for all the Info-Sec professionals around the world.”

You also act as an advisory board member for Blockchain and NFTs. How do you see the relationship between cybersecurity and blockchain technology?

“Blockchain and Cybersecurity have a wide variety of use cases; for example, it can be very much applicable during the convergence of IT/OT, where Blockchain can help secure device-to-device encryption to secure communications between SCADA systems.

“It also helps in providing decentralised storage for securing the crown jewels. To access those storage areas on the blockchain, 3-4 validators are required to access the storage/data.

“Blockchain as a technology has been adopted by multiple organisations; but at the same time the skill shortage in assessing the risk, defining the framework for Blockchain and securing by design culture before adopting blockchain is something that needs attention and must be carefully evaluated.”

What's one thing you wish everyone knew about cybersecurity?

“An info-sec professional will always be a newbie. There is a beautiful analogy by Kevin Kelly that fits here well:

‘In this era of becoming, everyone becomes a newbie forever. That should keep us humble. Endless Newbie is the new default for everyone, no matter your age or experience.’”

Thanks to Mihir Joshi at Tata Power. Join us at Black Hat MEA 2023 to learn more.