As part of Cyber Management Alliance’s Insights with Cyber Leaders series, Amar Singh had the pleasure of interviewing Manish Tiwari, CISO at Microsoft India, who shared his experiences in IT and cyber security from his time in the Indian Navy and in his current role.
Manish spent over 25 years in the Indian Navy, and it is here that he started his IT and IT security journey. He was also part of the team that set up and established the first CERT in the country, CERT Navy, and was later involved in developing CERT India in 2004. On leaving the Army, Manish moved into a new role, expanding his experience in IT and cyber security, where he was responsible for the service delivery and implementation of cyber security governance in the Aadhaar program, one of the largest biometric programs in the world.
Amar probed further into Manish’s views on the way forward for IT and security people who aspire to be CISOs in the future. From Manish’s point of view, there is no substitute for hard work. That said, he also believes that there is too much segmentation in ‘civvy’ street. Today, you are either in cyber forensics, a penetration tester, a firewall engineer, or this, or that, and that’s the role in which you continue your career. As a result, people who reach their goal of CISO may find themselves unprepared, because their expertise and their exposure to a range of technologies are limited and too segmented.
There is no shortcut to being a CISO?
So, Amar asked, there is no shortcut to being a CISO? Manish agreed that there isn’t, and his advice to anyone aspiring to be a CISO is to gain as much exposure as possible to different technologies in other areas of the IT and security field; otherwise, it may limit your vision.
So, do employers have a role to play in providing the opportunities? Not necessarily, says Manish, it’s down to employability factors, their attitude and the opportunities out there. You can be on the client side, or IT consultancy side, or IT vendor side, such as OEM, or system integration. But he observes that typically, organisations don’t want to invest too much in providing cross-skills for people, for a variety of reasons, one being cost-effectiveness. They’d rather employ someone in a particular vertical – they may want to have someone that has the range of skills, but are not willing to invest as they see roles in specific verticals. That’s not to say that they wouldn’t exploit the talents of a person in a particular role if they can, which may or may not be possible, but overall, they aren’t willing to invest.
Manish believes it is down to people’s own efforts to ensure that they don’t get stuck in a particular vertical; it’s down to them to develop and become a much more well-rounded person for CISO roles.
With much of the youth in India pursuing many different certifications, Amar opened up the topic of certifications and asked Manish for his views on whether this is the right focus. Manish explained that there isn’t one college in India that offers a B-TEC in Cyber Security. Most people tend to pursue a PhD or Masters course at a later date in which they can specialise in this area.
Because cyber security is such a specialised and distinct field, many certifications have come into existence as an underlying platform, offering guidance on how to operate and work in cyber security, and as a form of standardisation. Having a certification is not necessarily proof of capability, but it is a good benchmark.
With a plethora of certifications available – CISSP, CISM, CEH – is it necessary to have all three? It isn’t, says Manish, who believes that if you have a combination of two, you’re already there and it’s not essential to take all three certifications.
So, what does Manish look for when considering taking on a new employee? Firstly, he says, they have to be smarter than me. They have to have the skills, have aptitude and the ability to work as part of a team. If they have these qualities then you can give them the opportunities, the exposure they need to progress.
Watch Amar’s Insights with Cyber Leaders interview with Manish Tiwari and learn more about his start in IT and security, his views on certifications and segmentation, and about his role at Microsoft India.