
CISOs need to juggle with enabling the business while defending it: Tony Buffomante of Wipro

Photo Credit: LinkedIn

Global IT, consulting and business process services company Wipro boosted its cybersecurity practice two years ago with a couple of acquisitions: Ampion and Edgile. Today its cybersecurity capabilities include Security and Risk Advisory; Digital Trust; Managed Security Services; Cloud and Infra Security; Application Security and Cybersecurity Platforms. In an interaction with TechCircle, Tony Buffomante, Global Head of Cybersecurity & Risk Services at Wipro, discussed the transformation of today's Chief Information Security Officer (CISO) into a Chief Security Officer, a role that now encompasses both physical and technical aspects of organizational security. He also provided insights into the company's roadmap and investment plans in generative AI and more. Edited excerpts:

How has the cybersecurity landscape changed in recent years, especially post-pandemic? Any trends you see shaping the industry's future? 

We regularly delve into this through customer surveys and data analysis in our security operation centres and partnerships. Our recent State of Cybersecurity Report 2023 provides valuable insights.  


In essence, the role of Chief Information Security Officers (CISO) has become notably more intricate. They are tasked with two main objectives: enabling the business and defending it. Post-pandemic, organisations are eager to embrace new technologies, accelerate their cloud adoption, and enhance customer engagement across various platforms. However, these advancements come with cybersecurity and privacy implications.  

CISOs are navigating a dual challenge: driving business innovation while contending with a dynamic threat landscape and evolving regulations. The industry's automation, ranging from standard bots to advanced AI, is being utilised by attackers, intensifying the threats. Amidst the increasing complexity, global organisations must also adapt to changing country laws.  

Balancing these dynamics in today's conservative macroeconomic environment is no small feat. Organisations strive to remain fiscally responsible while addressing the rising threats and complying with regulations. It's a balance, as they aim to boost efficiency without hindering business progress, all the while safeguarding both the front and back doors.
  
How has the role of CISO evolved globally, especially with the increasing focus on cloud security? Are there specific needs, tips, or practices that enterprises should consider for enhancing security, considering the relatively limited emphasis on security in India over the past decade?  


In recent times, there have been pivotal moments in security, such as high-profile breaches and regulatory changes, increasing awareness at both the company and board levels. This shift has significantly raised the profile of Chief Information Security Officers (CISOs). As highlighted in the SOCR 2023 report, 87% of surveyed boards with cyber oversight meet regularly to understand the current risk levels, necessary investments for risk mitigation, and how to fulfil their oversight responsibilities.  

This marks a new dynamic for CISOs globally, including in India, prompting them to transition from technical roles to more business-oriented positions. In terms of improvement areas, CISOs are focusing on aligning security programs with company objectives, translating risks into tangible business issues, and communicating with senior executives and the board in a way that goes beyond technical jargon. Instead, the emphasis is on showcasing the evolution of the security program, benchmarking against industry peers, and demonstrating effective resource utilisation. This shift towards business-centric discussions is a key reason why some CISOs are now reporting more directly to the CEO, reflecting a broader trend in the industry.  
  
How is Generative AI used in cybersecurity at Wipro, and what potential benefits or risks do you foresee?  

Wipro recently declared a billion-dollar investment in AI initiatives spanning several years across the organisation. This investment aims to train our vast workforce of over 250,000 employees, bolster solution development, and explore collaborative possibilities with clients on their transformative journeys. The industry is actively debating the dual nature of AI in the cybersecurity realm – whether it poses a risk or serves as a valuable asset. My stance aligns with the latter.  


In the face of increasingly sophisticated attackers, the incorporation of AI models becomes crucial. The relentless evolution and coordination of threats necessitate constant innovation. We leverage AI tools to empower defenders in this perpetual race. For instance, we use AI to streamline processes, such as automating third-party risk management and employing natural language processing for contract reviews. These applications not only enhance efficiency but also allow security analysts to focus on critical tasks.  

Moving beyond basic applications, we've implemented advanced AI models to detect and counter specific phishing campaigns swiftly. Large language models further enable us to identify various threats, aligning with threat intelligence for a more proactive approach, possibly reaching a predictive breach state.  

While reducing the time to detect and recover remains paramount, we also acknowledge the often overlooked benefit to analysts. Combatting analyst fatigue within security operation centres is vital. Automating routine tasks not only enhances client security but also improves the overall employee experience, a facet gaining increasing emphasis in the era of AI and Gen AI.  
  
How is Wipro adapting to the rising cyber threat posed by Generative AI to meet clients' evolving security needs?  


Today, our clients frequently ask about governing AI and the associated risks of leveraging Generative AI and large language models. Similar to past concerns with emerging technologies like cloud, 5G, or quantum, the spotlight is now on AI. The central question revolves around control.  

We've crafted a specific perspective on AI governance aligned with recent standards such as NIST's risk management framework for AI and the EU AI Act, which integrates into broader regulatory compliance programs. Our focus is on helping clients understand risks, establish necessary controls, and align them with evolving regulations. Instead of creating a separate AI risk and governance program, we advocate for embedding controls into their overall integrated risk management function, leveraging existing tools or processes.  

Moving into more technical aspects, testing AI models becomes crucial. Ensuring data integrity, avoiding confidential information, and preventing unintended learning are key considerations. We offer solutions to test models effectively, utilising emerging tools and technologies in this space.  


The third facet is monitoring. We guide clients on how to use controls to detect changes in models, assess whether they pose vulnerabilities, and distinguish authorised changes from potential threats. These three service offerings — governance alignment, model testing, and effective monitoring — form our approach to help clients navigate the challenges of integrating AI into their organisations.  
  
How are you addressing the skills gap in technologies like Cloud, Generative AI, and network security, particularly in cybersecurity? 

Addressing industry challenges head-on, we're actively enhancing our team's skills to meet future client needs. Beginning with our new associates, we've initiated targeted cyber boot camp programs, covering foundational elements, as well as in-depth topics like cloud security and AI. Through partnerships with organisations like SANS, we ensure comprehensive training, benefiting both us and our clients. Another crucial aspect is our collaboration with key security platform providers. We engage in specialised programs to train and certify our staff, ensuring we stay ahead in implementing cutting-edge products and processes for our clients.  
 
Can you briefly share more about your cybersecurity investment and hiring plans, including the percentage of your company's overall tech budget allocated to cybersecurity?  

We don't disclose specific cyber budgets within our organisation publicly. Instead, we focus on understanding our clients' security spending, which guides the skills and services we provide. Our business is growing, and we're investing accordingly. Clients across different sectors typically allocate 8% to 12% of their IT spend on cybersecurity. This statistic emphasizes the need for cyber spending to align with business innovation, whether within or outside the core IT budget. While traditional metrics are part of our SOCR report, there's a new frontier in gaining visibility into cyber spending, ensuring it evolves alongside new business innovations.
