Organizations need to be more open towards accepting people from different backgrounds, urges the IBM security specialist and OWASP board member

Vandana Verma on improving diversity and helping to grow the Indian security community

INTERVIEW The term ‘influencer’ is often overused. It conjures up images of fashionable young wannabes and B-list celebrities promoting cheap tech or hawking beauty products on social media.

But for some experts, influencer is exactly the right description. And when it comes to security, Vandana Verma is one of those people.

Now a security specialist with IBM India – her official job title is security solutions architect at India Software Labs – Verma followed a well-trodden career path for a technologist.

Starting her information security at Wipro, she then went to IBM, before moving to Accenture to work as an information security lead.

She followed this with just under three years at publisher Time, Inc’s Indian operations, working as information security manager, before moving back to IBM and her current role.

Impressive though that resume is, it is what Vandana Verma does outside work that gives her global prominence.

She is the co-organizer of BSides Delhi, president and Bangalore lead of InfosecGirls, which she founded in 2014, and, since November 2019, on the global board at OWASP.

Vandana Verma is head of OWASP BangaloreVandana Verma is involved in numerous security community initiatives in India and beyond

Interestingly, her career began in IT rather than security.

“My move into cybersecurity was true serendipity,” she recalls. “During my first job, at an IT firm in [the city of] Pune, I was asked to train myself to work in this domain.

“I later realized my passion for information security and decided to further build my skills and pursue it as my professional career.”

This decision led to a 14-year career in professional cybersecurity, and a growing role as a speaker and organizer of industry events.

As well as BSides, Verma has spoken at OWASP and Black Hat events, and been involved in communities including WoSec [Women of Security], null and of course, InfosecGirls.

Driving diversity

Verma is passionate about improving diversity, and gender balance, in the infosec industry. This drives her work with Infosec Girls.

“The core aim of Infosec Girls is to encourage female professionals and students to enhance their curiosity in the field of information security,” she says.

“The organization now has 13 chapters across India. We coordinate, organize and volunteer for various workshops, training programs and talks, not only for professionals but also for those who wish to start their career in Infosec.

“The meet ups [let] members gather under a roof, exchange ideas and contribute to each other’s knowledge.

“Addressing the current challenge, we have quickly moved to virtual meets. We also have an outstanding knowledge library with informative videos on a variety of topics covered by our esteemed speakers from all around the world on our YouTube channel.”

The gender balance is, Verma says, improving. She cites research by (ISC)2 that found that women now fill 24% of cybersecurity jobs, up from 11% in 2013. But there is still work do to.

“Organizations need to be more open towards accepting people from different backgrounds and avoid pre-conceived judgements in favor of, or against, a person or a group.

“Diversity brings out creative thinking, diverse ideas, and multiple perspectives. With diverse opinions, we can look at the problem from multiple angles.

“It’s often said we are attracted to people who are similar to us. In the same way, diversity attracts diversity and therefore it spreads the message ‘If I can do it, so can you’,” she says.

“With the rise of cyber-attacks during the pandemic the need for qualified personnel will continue to rise. By bringing in diverse people, we can shorten the skills gap in cybersecurity and, in general, in IT.”

The new normal

Verma’s current role includes working with engineering and development teams on security, while also working with IBM’s systems integrator partners globally for the security, identity, and access management portfolio.

Security, she believes, is increasingly important as businesses become more dependent on information and technology, a trend that the global coronavirus crisis has only accelerated.

“Cyber threats are becoming more of a norm than an exception for businesses in our information-driven age,” she warns.

“In fact, since February, IBM X-Force has observed a 4,300% increase in coronavirus-themed spam.

“The new threats include virus-themed sales of malware on the dark web, to Covid-19-related domains, which are more likely to be malicious than other domains, and numerous phishing scams.”

Coronavirus scams are on the riseThe coronavirus pandemic has increased the global attack surface

Verma added: “Since the whole world is under lockdown and everyone is working remotely, cybercriminals have also become innovative and craftier in their techniques by sending specific phishing or Covid-19-themed emails to lure people to share their confidential details, like addresses and phone numbers.

“These emails appear to come from legitimate sources like the government in the form of advisories [messages] when they are not at all related to the government in any form.

“In such a scenario, the role of the security team is even more important, especially now because most people are working remotely due to the pandemic.

“To enable this remote working, the perimeter of the organization has been drastically modified. With the rise in cyber-attacks, the need to manage multiple devices, applications, and so on has become critical.

“Infosec as an industry is more important than ever.”

Investing in India’s future

IT spending in India is expected to reach $3 billion by 2022, according to research commissioned by the Data Security Council of India (DSCI).

This is part of the wider trend for businesses across the Asia Pacific region to invest more on security.

Verma cites a figure from analysts GlobalData which predicts that spending across Asia-Pacific will reach $54.1 billion by 2023, with most of the new expenditure coming from enterprises.

“The increasing adoption of a connected devices ecosystem, the impending introduction of 5G, the inclination of enterprises towards cloud migration, and [the] formulation of cybersecurity policies by countries are accelerators for security spending in the region,” she explains.

“In India and across the world, cybersecurity has gained vital importance with governments, businesses, and individuals.

“In India, almost 40% of the population is using smartphones with internet connection, which brings about a pressing demand for cybersecurity solutions.

“Organizations are also becoming more cyber aware and better in protecting their data.

“There are specific educational programs being created by organizations to make their employees aware of cybersecurity risks. With the pandemic, cybersecurity is rapidly becoming an integral part [of work] and [is] getting embedded in the culture of organizations.”

Read more of the latest cybersecurity news from India

These challenges, though, are global, and India is positioning itself for a significant role in tackling them.

The country’s cybersecurity services industry is currently worth just over $4 billion, and is expected to grow to $7.6 billion by 2022, with 80% of revenue coming from global markets, again according to DSCI.

Where, though, should cybersecurity specialists focus their efforts?

“Cybercrimes and data breaches are some of the biggest concerns faced by industry professionals – and they are only increasing severity and scope,” Verma says.

“Infosec is everywhere and the trends start from moving to [combining] DevOps with security, to IoT security, to cloud security.”

Verma strongly believes that developers need to consider security from the outset.

“The current movement is towards zero trust, and while it may seem like a buzzword, the concept can help organizations become more secure while moving ahead in their journey towards cloud and digitization,” she said.

And to stay ahead, cybersecurity teams need to look at their own skills and experience.

“To keep up with the constantly changing threats, it’s time for infosec professionals to upskill, reskill and look again at how could broaden their horizon in tech,” says Verma.

“Most of the organizations and online learning portals have made resources available for the wider community to learn for free. At IBM we provide access to the IBM Security Learning Academy, which offers technical training for IBM Security products.”

RELATED OWASP Chapters All Day conference reunites security community in wake of Covid-19

Verma also believes that security experts need to participate in industry events and contribute to the wider community. This motivates her own involvement in OWASP and Infosec Girls.

“I was introduced to OWASP first as a web security testing guide, in 2010.

“Over the years, the local community started growing and my role evolved from an attendee, to conducting a few sessions on application and cloud security, and then becoming a volunteer.

“In 2016, I was provided with the opportunity to become the chapter leader for OWASP Bangalore and I continue to lead the Bangalore community.

“In 2019, I was offered a chance to apply for the OWASP global board, which further expanded my scope and provided me the opportunity to connect with the global audience and lead OWASP globally. I grabbed this opportunity and was elected by the community to [join] the global board of directors.”

OWASP Bangalore prior to the coronavirus pandemicThe OWASP Bangalore team prior to the coronavirus outbreak

She added: “At OWASP Bangalore, we have over 1,000 community members and at any given point of time there are around 100 people who join us for the meets.

“Keeping pace with the current restrictions due to the spread of Covid-19, OWASP Bangalore Chapter has also gone online and our sessions are published on our YouTube channel.”

This is part of a wider move towards online events: Verma was due to speak at Black Hat in August.

“I was imaging a big stage with a room full of people. Speaking at Black Hat is definitely a dream come true.”

On the positive side, she notes that online events can reach a wider audience.

“Hopefully when we go back to our new normal, we will get to meet and greet people in person, but for now it’s good to have and continue with the virtual connections.”

RECOMMENDED GitHub’s Nico Waisman: ‘Security is not just an opportunity, but a responsibility for us’