TechCentral’s CxO Insights is a fresh look at the roles and careers that define the technology industry today. In this series, we’ll interview some of South Africa’s most successful, interesting and prominent individuals to find out how their roles evolved, the skills they need to succeed in these roles, and what has influenced or shaped their careers. These interviews provide an in-depth look into how technology is redefining the boundaries of career, skills and growth within the digitally transformed organisation.
In the seventh profile in the series, TechCentral speaks to Ritasha Kalidas, IT security risk and governance director at Tiger Brands. Her role is focused on embedding the principles of security into the business, ensuring it remains ahead of the curve in its digital transformation journey, without creating unexpected vulnerabilities. She is committed to a building a solid security posture that’s relevant and agile.
Unavailable? You’ve been hacked
Kaspersky’s Incident Response Analytics Report found that more than 50% of incident response requests take place after the damage is done. The attack has taken place, the systems are unavailable and the business floundering. It has become essential to prepare not just for cyberattacks that focus on data and information theft, but for attacks that solely focus on making the business data and systems unavailable. According to Ritasha Kalidas, IT security risk and governance director at Tiger Brands, companies need to pay attention to the prevalence of unavailability as it grows in incidence and popularity.
“These attacks are simple and vicious in their intent,” she explains. “They cause critical areas of your company to become completely unavailable. Your operations can’t continue, you can’t work, you lose money and these factors all contribute to you losing reputational currency and customers.”
Unavailability is disruptive across multiple layers. No customer service, no product or business service, employees can’t work – the entire company comes to an unpleasant and unplanned halt as the attack winds its way through systems. This type of cybercrime is becoming increasingly popular as a way of forcing companies to lose money or endure downtime or ruffle feathers, as Kalidas explains.
“If I look back 10 years, cybersecurity was built on the pillars of confidentiality, integrity and availability,” she says. “Availability was the pillar that was traditionally allocated to the business continuity manager. It was their problem to ensure that plans were in place, that redundancy was built in, and that the business could operate when systems went down. Then the tables turned, the focus moved to dealing with regulatory controls, data theft and customer protection, but this is quickly changing.”
What happens in industries where data theft isn’t as valuable as company-wide unavailability? When shutting down a factory or a supply chain or a process will have far-reaching consequences for the organisation? This is the kind of crime that would fundamentally affect companies like Tiger Brands that rely on factories and supply chains to keep up with customer commitments.
When these systems are shut down, the impact is felt throughout the market – no food on the shelves, no deliveries, no customer needs met. The impact is as great as the loss of data or ransomware.
CxO: Ritasha Kalidas
Title: IT security risk and governance director at Tiger Brands
Role: Building a solid security posture into the business
Windows or Mac: Windows
Android or iPhone: Android
Best tech purchase: Mobile phone
“For us, the worry is definitely around the crime of unavailability,” says Kalidas. “Stealing or blocking access to our data and systems does prevent us from working in certain situations, but if they closed down our essential operations then that will hurt the company the most. This has meant that the focus of our cybersecurity has had to expand to include the risks that come with unavailability and addressing any vulnerabilities that we may have.”
This shift in focus puts pressure on the security teams to go beyond offline backups and employee education and high-end security systems. It expects more questions around how the backup procedures are managed, how rapidly backups can be retrieved, and what steps need to be taken to ensure immediate business recovery in the event of an unavailability risk being materialised.
Ritasha Kalidas’s recommended reads:
It’s not a book but it’s where I go to get the latest information on the technology sector
World Economic Forum
This is an incredibly important information resource
“A lot of companies didn’t pay attention to this before, now they are listening a lot more attentively,” says Kalidas. “Over the past 12-18 months, there has been a significant rise in the number of these types of attacks. Most of those companies have relied on using backups to reinstate systems and this process has been invaluable in mitigating the damage. This is where companies need to get stronger – in creating backup and disaster recovery plans that can absolutely swing the situation back under company control.”
The consequences of unavailability may not quite be as visible now as it should be, but companies will continue to experience unplanned outages and system failures that will continue to hit the bottom line, hard. To avoid being another statistic in yet another cybercrime survey, organisations should focus on business recovery and data storage solutions that will provide them with a solid platform from which to recover in the event of an attack.
Q&A with Ritasha Kalidas
TechCentral: What’s the most important part of your job?
“Keeping pace with business strategy and digital transformation.”
The ability to ensure that security keeps pace with business strategy and digital transformation is key. If the company is about to explore the Internet of things or artificial intelligence or robotics, you need to know how to bring in the principles of security so that the company doesn’t lag behind or introduce vulnerabilities. It’s important to ensure that you have visibility within the business and that you speak simply to stakeholders about the company’s security posture. If a chief information security officer cannot tell a story about security in simple layman’s terms to the exco, then the fight is lost and nobody will understand what you’re trying to do.
What’s your top tip for staying ahead in your field?
“The most important thing is to have a strong network.”
It’s important to keep abreast of articles and papers around security, but it is equally important to have a strong network of security professionals. In my world, these networks are key – if you’re faced with something you’re not sure of, then they are just a call away. This isn’t about sharing your IP – given that one is dealing with cybercrime, it’s important for all industries to come together and share best practice. Instead of working in silos, you need to create a network that can help change the course of the fight.
What’s the biggest trend impacting your field in the decade ahead?
“It’s not if you’re going to be attacked, it’s when.”
The fourth Industrial Revolution is going to become increasingly topical and we need to be capable of embracing it and putting the business in a position where it can adopt it properly. This is going to be critical moving forward and most organisations have this as part of their agenda. The second thing is around cybersecurity and incident management. It’s not if you’re going to be attacked, not anymore, but when.
What was your first job?
“I had no idea what this was.”
My first job was as a junior consultant at Deloitte in their security team. I had a BCom in informatics and went straight into this role and I had no idea what this was.
Who do you most admire in business?
“Bill Gates and Jack Welsh.”
I’ll have to say that Bill Gates is on my list for two reasons – his management style, which is firm and clear, but also his personality, which is humble and down to earth. He doesn’t carry his status with him, and he really cares about the planet. Jack Welsh is inspiring because he has this amazing ability to drive a high-performing organisation.
How do you cope with stress?
“Music and tea.”
I have two fixes. One is a cup of tea and a moment in time to sit down and reflect. There is nothing better than tea and silence for 30 minutes to process. Music is also something that’s important to me as it helps me to relax. — (c) 2020 NewsCentral Media