Meet…Anjan Bagchee

Anjan Bagchee, Eagle Investment Systems’ new Director of Information Security and Risk (SIRO) for Cloud Services, discusses his new role and highlights how financial services companies can safeguard their own organizations.

Q: You recently joined Eagle from EnerNOC, where you were responsible for the design, review and architecting of the company’s energy intelligence software and its overall security infrastructure. Can you talk about your transition into financial technology?

A: The nature of what you are trying to protect may change, but the philosophy and strategy of how to protect against the cybersecurity threat is pretty consistent across most industries. EnerNOC, which offers SaaS solutions, provides energy intelligence software and demand-response applications. Similar to Eagle, their value proposition lies in the efficiencies they deliver through technology and new capabilities. However, instead of the SEC, it’s the federal mandates and customer’s security posture defining the requirements for the energy industry.

My role largely revolved around providing the security underpinning for EnerNOC’s SaaS project and its energy intelligence offering. Much of this work was focused on the Internet of Things and application security in the cloud to ensure that we remained well ahead of the curve as these solutions evolved. At Eagle, I was brought in to build upon what is already a really strong foundation as it relates to cybersecurity. To do that, I’m looking to bring a new perspective to the company’s existing program and refine our strategic and tactical approach across Eagle’s solution set.

Q: How would you describe your overall philosophy as it relates to cybersecurity?

A: I think there are two things, really, that from a high level define my philosophy. First is that instilling and maintaining security can’t be viewed as a destination; it’s a journey that requires ongoing investment, vigilance, and a strategic mindset. If you think about just the volume of data and how the proliferation of devices that connect to the internet has changed the landscape, cybersecurity has had to evolve quickly over a relatively short period of time.

Ten years ago, for instance, there weren’t nearly as many inputs or endpoints for data to be collected and distributed. The surface area just continues to grow. Today, everything is connected — from smartphones and tablets to thermostats and even washing machines. As a result, the amount of data and how quickly it moves continues to grow exponentially. So given the connected world we are a part of today — in which data volumes continue to grow by orders of magnitude — it requires ongoing vigilance to understand and stay ahead of potential vulnerabilities.

Second, in terms of my philosophical approach, I believe organizations need to apply a multi-layered defense, where multiple security controls are combined to mitigate risk and protect resources and data assets. There should be multiple mechanisms in place that all focus on the same vulnerabilities and slow the ability of an attacker. With threats slowed, organizations also need to focus on both safeguarding against threats and then quickly detecting incidents as they occur. PwC had a survey two years back in which approximately 8 out of every 10 executives had revealed that their organization had detected a security incident. Ironically, though, the biggest threat actually resides with those who hadn’t detected anything. If you look at what happened at Sony Pictures, for instance, the hackers had breached Sony’s systems months before anyone knew about the actual attack. This just speaks to the need for a multi-layered approach.

Q: Have there been any trends across the industry as it relates to cybersecurity protection over the past few years?

A: There has been a pronounced pivot in terms of how organizations prioritize their security spend. Five years ago, the focus was on protective technologies. Organizations would commit the bulk of their budget and energies to keeping hackers out. Today, there is far greater emphasis on detection and response tools. According to Gartner, only 10% of the security budget was being spent on detection and response. That is projected to grow to 60% by 2020. That is a seismic shift in how security and risk are being managed. If someone from the outside manages to scale the walls, there are some next-generation technologies and analytics that can quickly neutralize the threat. This helps prevent situations like you saw at Sony. As a response to the evolving threat landscape, I am looking forward to the implementation of BNY Mellon’s cybersecurity program and achieving ISO 27001 certification.

Q: From an organizational perspective, what would be your advice to clients as it relates to cybersecurity best practices?

A: That’s a good question, because so many organizations overlook the biggest gap when it comes to cybersecurity, which is their own employees. Security training and building ongoing awareness provides the most bang for your buck. The biggest threats are often employees who simply don’t have their antennas up for social engineering attacks, which have become far more refined than the old Nigerian Prince solicitations we’re all familiar with.

I’ve found that the best strategy to build organizational awareness is through a carrot-and-stick approach. If I’m walking by someone’s empty desk and their monitor is on, I’ll take a picture and explain all the different ways this kind of oversight can be exploited. Alternatively, I’ll recognize those who are vigilant and reward colleagues for things like detecting a sophisticated phishing email. Often, simple recognition goes a long way to ensure the themes addressed in security training really stick. It’s kind of like the Bill Belichick approach of surprising his players with pop quizzes.

Q: So it’s probably a good assumption that you’re a Patriots fan?

A: It’s hard not to be one in New England, but I’m definitely a big fan and probably spend as much time in the offseason tracking their moves in free agency as I do in the regular season watching their games. It’s interesting, because they’re a perfect example of how preparation and strategy translates into success even in a sport as dynamic as football.

I’d argue that the same rules apply in cybersecurity. Preparation and training are really critical to understanding the threats, the tools at your disposal, and, then, a course of action as to how to respond if and when a security breach occurs. You can’t learn on the fly and, similar to the Patriots, you have to know that there are people out there looking to exploit any vulnerability they can find. One of Bill Belichick’s more memorable quotes is “To live in the past is to die in the present”; that just about perfectly sums up the role of cybersecurity. It’s a job that is truly never done.