In a traditional work environment, Mindtree Chief Information Security Officer Chandan Pani could describe security with just three G’s – guard, gate, and gateway. That changed drastically when the pandemic forced companies to adopt remote work models.
Pani, who manages security infrastructure, privacy, and compliance at Mindtree, said that as companies began to adopt new technologies, conversations about security also started to evolve. “Now, no conversation is complete without talking about digitisation, securing data, and keeping employees safe,” he says.
Mindtree, one of India’s largest IT consulting companies, began in 1999 with the agenda of enabling the digital transformation of companies and has expanded to different parts of the world in the last two decades. With over 28,000 employees and a growing roster of global clients, the company provides services across Asia, Europe, the Americas, and Africa.
When India went into lockdown last year, it did not take long for Mindtree to successfully implement a work-from-home model. The company focused on decentralising its security infrastructure to make it more secure. “We invested in Microsoft solutions, which enabled us to simplify and decentralise our security infrastructure. Now, we have solutions that can speak to each other, and I can view the entire organisation from a single pane. We can also scale and deploy solutions within minutes,” he says.
With pandemic-induced restrictions easing, Pani believes companies will have to be flexible in their approach to ensure the successful implementation of a hybrid work model. “We will have to start thinking about moving towards a zero-trust framework to adapt to the new normal,” he says. Microsoft Stories India recently caught up with the cybersecurity leader to learn about sustainable hybrid work models. Pani also shared his thoughts on the evolution of the threat landscape, how to neutralise digital attacks during remote work, and how companies can make their security infrastructure safer. Edited excerpts from the conversation follow:
How did remote working during the pandemic change the way you look at security?
We followed a well-defined routine before the pandemic necessitated remote work models. Employees came into the office and worked from the premises. There was a controlled environment for nearly all our employees. That changed overnight with remote working. Now, 99.9% of our employees work remotely and this has also become the industry model. This transition changed the way we look at security and solutions.
Earlier, the security world was limited to three things: guard, gate, and gateway. But with remote work, it is not possible to secure physical boundaries. With no direct visibility into the work environment, there is a need for security solutions that can take control of all remote devices, talk to each other, remove blind spots, and provide a view of the entire working system from a single pane.
What were the biggest challenges you faced during this transition?
People have had a certain kind of trust in the office set-up. So, the first thing we had to do was establish a similar kind of trust with people working from their homes. There were hardware considerations as well. The on-premises antivirus solutions configured on our systems before the pandemic were calibrated to work only at the office. That needed to be changed.
With new employees continuing to join the company, we had to create even greater awareness around cybersecurity and best practices. People nowadays are more exposed to the internet. Each person must therefore be considered as a potential point of attack. So, it has become important to ingrain a culture of awareness in the organisation. We are now educating employees through gamification instead of traditional methods.
How has the threat landscape evolved in the post-pandemic world?
The biggest concern currently is ransomware. An added challenge in the case of ransomware attacks is that they are customized against an organisation.
The second is phishing attempts, which have gone up in the post-pandemic world.
The third concern is regarding data security as digitisation has led to an exponential increase in data usage.
Why did Mindtree choose Microsoft to revamp its security infrastructure?
We had begun evaluating our security solutions before the pandemic. We looked at different solutions, understood their pros and cons, and concluded that we needed a holistic system that could cover the entire threat landscape. This is when we chose to invest in the Microsoft suite of solutions, including Azure Sentinel and Microsoft 365.
This has given us a single-pane view of information from various sources, thus eliminating blind spots.
Another big advantage was that these solutions were scalable and could be deployed seamlessly. Today, we can show our security infrastructure as a state-of-the-art solution that has enabled a unified view of all security concerns and made it easy for us to interact between consoles and solutions. This has helped us substantially cut down the deployment and implementation time.
Microsoft 365 has also helped Mindtree become more flexible, minimising human intervention in identifying problems. Azure Security Centre has given us another set of solutions to look at our cloud workload.
We use Microsoft 365 to run phishing simulations to assess if employees can identify these attacks.
Mindtree works across multiple countries and every country has its own concept of data privacy. How are you navigating the compliance challenges?
All companies are trying to comply with privacy standards, which differ across countries and regions.
Earlier, the key objective was to secure data. Now, there must be a clear distinction between different data types. Companies also need to know where the data is stored, which laws are applicable to the data, whether the data can be tagged, till when it can be stored, and what the life cycle of the entire process is. Such mandates will only increase in times to come.
Microsoft’s data-centric solutions like Azure Information Protection allow us to label different data, providing the flexibility — at a single click — to look at how the data is being treated, where the data is being stored, what components exist in the data, the kind of security policies and treatments required, and so on.
The other aspect is secure delivery, which entails additional controls around monitoring and auditing remote workstations when employees are not working from the office.
With the pandemic easing out, we are witnessing the emergence of hybrid work environments. What challenges does that present?
It depends on the configuration of the environment. Companies can ensure a seamless transition between office and remote working by deploying the same minimum controls in both set-ups. They also need to start aiming towards a zero-trust approach.