- Formulated a strategy for managing the security issues associated with Cognizant's rapid growth
- Formulated an effective people strategy based on self-service and user empowerment
- Instrumental in Cognizant's constant efforts to automate business processes
- Built up a security team from scratch to 100-strong, responsible for security globally
- Manages a broad base of technical controls to secure Cognizant's business
Satish Das of Cognizant believes that life in information security cannot be encapsulated in a few events. You live from incident to incident, of which there are many, he says. This is what drives Das, with every incident that is successfully hurdled becoming a milestone on the nonstop journey.
Since Das joined Cognizant in May 2004, the organization's rapid growth, combined with the nature of its business, has been a major challenge. Das believes that the processes need to be kept simple yet constantly evolving to deal with such a scenario. Persistently delivering user awareness and fine-tuning it to the requirements of the present generation and the current threat scenario is the game he plays, and plays well.
The challenge in an organization like Cognizant, according to Das, is the average employee's level of technical expertise. Norms need to be strict in such an environment, since Cognizant not only creates intellectual property, but also has access to its customers' intellectual property. Das believes that it is essential to coach employees in risk management, and ingrain it into daily hygiene.
At the time of Das's joining, Cognizant's security policy covered only corporate IT resources, and had a team of three. Since then, the team has grown to close to 100 under Das. The infosec policy that Das manages is reviewed constantly, given the need to share it with the company's customers. There is a robust auditing mechanism involving internal as well as external audits.
Upon joining, Das first reported to the COO, followed by the CRO. At present, Das reports to the CIO in an administrative capacity, and the enterprise risk management (ERM) council in an operational capacity. Management participation has never been an issue for Das at Cognizant. Presenting each case as a business risk rather than a security risk is what works for him, he says.
Cognizant has been ISO 27001 compliant across the enterprise since 2002. Given the span of nine years, the maturity levels are very high. Das also manages PCI DSS compliance for specific business segments that need it. Being a global organization, Cognizant is also SOX compliant.
To deal with the growth challenge, Cognizant's security strategy under Das revolves around the basic tenets of automation, a self-service principle, and user-empowerment. Given the growing nature of Cognizant's business, Das is constantly looking for ways to automate processes to maintain an ongoing compliance posture.
Das believes that to stay on top of one's game in security, one has to be informed. Tools are acquired or developed based on need. The team manages a SIEM, IDS and IPS, anti-virus and patch management systems and various other technical controls covering applications, networks and desktops. Das's team also manages a 24x7 SOC and an emergency command center.
While all applications and processes at Cognizant come under the purview of information security, Das scrutinizes them on the basis of their risk and its impact on the organization. If and when a process or application graduates to the priority list of the risk portfolio stack, it is brought under the monitoring umbrella.
Das feels that for a mature company, information security is a hygiene factor from the operational perspective, while it still remains strategic from a senior management perspective. Looking to the future, he says that traditional security officers will have their work cut out for them, and sees the CISO's role turning strategic as a matter of course.