
How to communicate security in layman's words to boards and non-technical stakeholders

BSides Ahmedabad · 2023 · 45:08 · 502 views · Published 2023-02
Category: Policy
Style: Panel
Mentioned in this talk: Standard
About this talk
Hear from Nitin Bhatnagar (Regional Director at PCI Security Standards Council), Dilip Panjwani (Global Head, Cybersecurity Practice and CoE at LTIMindtree) and Khusru Doctor (President, ISACA Ahmedabad), moderated by Smith Gonsalves, Director & Principal Consultant (CyberSmithSECURE).
Transcript [en]

Now let's head towards another panel, which is how to communicate security in layman's words to boards and non-technical stakeholders. So now we have with us our moderator for this panel, the board room discussion, Mr Smith Gonsalves. Welcome, sir. He is a director and principal consultant at CyberSmith. We welcome you, sir. So now our panelists for the discussion are: Mr Nitin Bhatnagar, he is associate director at PCI Security Standards Council. Next we have with us Mr Dilip Panjwani [Applause], he is principal director and chief information security officer and also IT controller at L&T. Next we have with us Dr Khusru,

he is CEO and founder of Tasha Tech Info Solution Private Limited and president of ISACA. Finally we have with us Mr Majesh Khanna AMS. Yes, okay. So on behalf of the BSides Ahmedabad team I welcome each one of you. Thank you.

So, good afternoon everyone, my name is Smith Gonsalves and I would be moderating one of the finest panels that we are going to present to you all, organized by BSides, on a very, very interesting topic. And this topic is going to impact each and every person sitting over here in terms of thinking what his career is going to be over the next five years or ten years,

and how he is going to evolve and communicate, or how it is going to influence him to reach the senior levels. That being said, we have got amazing panelists who would be talking on the topic of communicating security to non-technical stakeholders and speaking it in layman's words, basically simplifying it. So we have got amazing panelists, a different sort of combination. We have got Mr Dilip Panjwani, the CSO of L&T Infotech; he comes from the CISO mindset of communicating with the board. And then we have got Mr Nitin Bhatnagar, who is the director for PCI, the Payment Card Industry standard, who basically comes from the side of what are the governing standards that the enterprise

and organization needs to focus on. And then we have got Mr Khusru, who is the president of the ISACA chapter, who comes from the security advisory side, who advises enterprises on what are the best security measures and enforcement that need to be taken up. Now friends, when I start talking about all this, the reason for putting all this, this theme, to you all is very clear: I'm sure you people want to grow in your career, you want to reach the high-level insights of how you can be a CSO or an AVP or VP after 10 years, 15 years, 12 years. Why are only a few people able to make it? Now this is because of communication

and simplifying concepts to the non-technical stakeholder, and it's important for you all to understand what these non-technical stakeholders are being presented and communicated by this three-level combination that we have got in the panel. So let's first start with Mr Dilip. Dilip, I have a very interesting question for you, and this question is: you must be in situations where you have to communicate with the board for demanding a technology or a service, or getting a sort of product or technology which will help you to solve that particular mitigation, but in order to do that you need to have that accuracy, gravity and clarity to the board, to the

CEO, who then expects you to tell him why he needs to invest. So tell me that secret jadu ka mantra which is basically going to simplify and convince the board in terms of why exactly they need to invest in security.

Thanks, Smith. So I think there's no jadu ka mantra in this specifically. It is a definite trial-and-error situation that happens, and it is more about understanding the sentiment of the board. At the end of the day, the company is responsible to its stakeholders to provide value. What does value mean? Provide revenue, provide visibility in the market, provide the brand reputation as required. Now security does not give you that directly as an outcome; it helps reach that outcome in certain aspects by

preventing cyber attacks happening on the company. So that's an aspect that you have to use towards helping the board understand, in non-technical terms. You can't talk about EDR and virus attacks and SQL injections out there. What does the SQL injection really mean, what does that ransomware attack really mean, what does it mean in terms of dollars, in terms of business revenue, in terms of the go-to-market capability of the customer or the customer perceptions? That is what you need to translate: the technical jargon in front of the board. Make them understand that, okay, I am today using an antivirus, which is the standard antivirus which has been used

for the last 20 years so far, but this is not enough. It is as good as your guard sitting outside the main gate. He can only see, possibly, okay, do you have a lanyard on your neck showing BSides or not, and hence allow you into the conference. But beyond that you need somebody else, possibly a metal detector scanner later on; you need to have baggage checked through an X-ray system and all those aspects. Hence the new capabilities have to be brought in. Your person with a lanyard could be anybody: I could just throw mine in the dustbin outside once I leave the conference, somebody else walks in with it, so you

don't identify by lanyard alone; hence you need to allow every person to be scanned, to be checked, validated again, and those things require more investments. In a similar way, why antivirus versus why EDR, that aspect has to be brought up in simple terms as to what it is that the idea is going to help with, what is it really that the board can relate to. For example, the board relates to the headlines which have happened in the market with regards to which organization got hacked, what was the impact on the organization from a regulator perspective, customer perspective, revenue perspective, and how possible is it to happen in our organization. When we are trying to ask for the budget it cannot be just a

hypothetical situation where you say a healthcare industry got hacked and the same control is required for a banking industry; that does not work. It has to be in the same line of business to understand that context, and that's when the board can relate to what you are asking for.

Interesting. So ultimately it comes down to business requirements, the business impact, and particularly the incidents that can be taken up as an example.

Definitely. One thing we have to always keep in mind is security is there to protect the business; business is not there to run security.

True. So with that I move to Mr Nitin, and Mr Nitin, while Dilip was mentioning ransomware and different attacks or vulnerabilities,

that brings me to a very important point, and that is non-compliance. So what we see on the overall auditor side is there are different sorts of ruckus that happen between the auditor and the organization about non-compliance: the auditor basically states that this is a non-compliance, then the internal team is not able to react on it, and often there is a tussle that happens. So how do you see this, and how do you address it, basically from a security standpoint: how seriously should non-compliance be taken by an enterprise?

Yeah, definitely. I think, see, these standards are meant to protect you

from some unforeseen circumstances for sure, but at the same time what is important is how effectively you are implementing these standards, right? Talking about the auditors coming and reviewing the controls and suggesting you some mitigations, you know, definitely it's going to help you, but organization-wise you have to prioritize your risks, and ideally you should be doing some kind of a risk assessment for your infrastructure, for your applications, for your network, whatever you feel is part of the scope of your engagement with the auditor, because there are so many standards. If I have to talk about the PCI standard, so the PCI standards largely focus on your payment data. So if you are an

organization where payment data is the critical element for you to protect, definitely the qualified security assessors who do the audit for similar infrastructure would need to review all your controls in terms of the implementation of that. And at the same time scoping plays a very important role, you know; if you're not able to scope your environment correctly then it becomes a challenge, because PCI is all about minimizing the scope, not maximizing the scope, right? So, talking about what you just said, the differences that come between the auditors and the organization, it's because sometimes there is a little gap in

the communication on understanding what the scope was, and once you have clarity on the scope it becomes really very easy for the organization to work in tandem, work together, to mitigate those risks that you will see. And yes, definitely these are standards; as I said at the start, effective implementation of these standards is very critical to protect your infrastructure from getting compromised.

Very, very relevant points: security standards, risk assessments, scoping. So this is where I come to Mr Khusru, and I have a very interesting point to ask you. Now when you work with enterprises, you advise these enterprises on doing security assessments. I want to know what is the approach that you have

in terms of conveying these security-related measures in a simplified way, and how does that overall conversation or communication happen in which the board is actually able to resonate with the non-compliances?

Okay, so both the panelists have made very, very interesting points about how to convey things to the board, but there are two definitions that... let me take one step back. Right now I was in Mumbai attending the conference, the Global Fintech Fest, and our information technology minister was talking there, and he talked about three things as far as information technology is concerned: one is infrastructure, second is regulation and third is social compliance. Not that the other two are not important, but the most

important thing is regulation, and the government as well as a lot of other bodies are working very heavily on regulating the data or the information systems as a whole. Now there are two words that every CISO should really write in his room, and that is due care and due diligence. When you have an exposure, when there is exposure of data or any vulnerability that gets exposed, the implementing or the investigating agency only looks for two things: did you do due care, were you aware that standards or security are needed, and did you do enough to protect the data? If you have done these two things then you can be saved, but if not

then you will land yourself in amazingly large problems. Now for example, if I tell you there is HIPAA, like every healthcare industry has to implement HIPAA, you know what is the penalty for exposure under HIPAA? If my information is right, fifteen thousand dollars per instance per user of exposure is the penalty. That's a big amount, huge. I have seen companies close down just because when there was an exposure they had not done due care, they had not done due diligence, and then they were forced to pay the penalty. Every security measure, everything that you do today, is governed by some rule, some regulation or the other. So in a very specific manner, like of course PCI:

when you implement PCI there are a lot of other compliances that need to happen, and any exposure, like for simple things: can you store an Aadhaar number without encryption, can you store it in your local database? No. But a lot of people do it; a lot of security information systems officers don't know about it. So it's very, very important that in your domain you find out what rules govern you and what an exposure costs you. Very important.

True, so a very relevant point Mr Khusru has raised. Friends, you guys would be doing VAPT, you would be identifying bugs, right? So, as rightly pointed out by Khusruji, regulations. So going forward also see what vulnerability is identified and

what particular section it is abusing as part of non-compliance with the particular framework or regulation. The enterprise would be having a particular framework like, let's say, ISO 27001, or let's say PCI DSS for a payment gateway, so that can be channelized; you can put those pointers in. A very relevant point you have mentioned.

Can I add one more point? There are a lot of bug bounties and public bug hacking things going on. Just be very careful of that, right? There is a system, there is a way to report bugs and find those out. If you break it, even though you are trying to say you are an ethical hacker,

you might end up being on the wrong side of the law.

But they can definitely report to certain...

Yeah, that's responsible, so that is what I am saying: find out the process and report if you're in.

So with that I come to Mr Dilip and I have a very important question. Now you have got regulations, you have got assessments to do, you have got gaps, you have got priorities; the question that comes is visibility. Now what I see most of the time is these technical people. You would be working with a large number of security researchers and various people who are giving you excellent vulnerabilities; in fact we learn from them at times. These

young researchers, 17 year old, 16 year old, they come up with crazy vulnerabilities, and what I see is the vulnerability is amazing, let's say a local file inclusion, familiar with local file inclusion, or insecure deserialization. But what happens with that is when they come to you and they present it, firstly it's not presentable; they just give the PoC or just give a standardized description. But for the organization, what does it need? Do they need to have a presentable report, and does it matter? Because at the end of the day the non-technical stakeholders, the board, want to simplify things. So how do you put that over, and how do you be a translator in those

scenarios?

Okay, so I'll try to take a step back into the early days of my career when I started off. So I started with this company called Paladion Networks, which now has been integrated into Atos, as we all know. I started as a security consultant, got to learn all the various fields of services or security they provide. I was one of the testers, just like you guys are at this point of time. One of the common questions that came to me every time from all my customers: you do all these fantastic testings, you come out with all the findings in the reports, and we are not able to challenge you on those items because they are all

factual. But one, I'm not able to present this to my management because they don't understand what is the importance of this SQL injection or cross-site scripting or file inclusion vulnerabilities. Second, you give me 10,000 vulnerabilities; tell me where do I start, because every vulnerability has a timeline given as per some standard or some policy. I have got 800 vulnerabilities which are critical and they all need to be closed in 10 days. How do I do that? I've got 80 applications to fix; I can't even imagine 80 restarts on 80 application-related servers in 10 days, it'll shut down my entire business. Give me a way: how do I buy some time from management to extend this schedule,

but at the same time I don't put the risk on my head that I will allow the application to remain vulnerable, but if any attack happens I can't take the blame on myself. So those aspects were worrying at that point of time. The main item which troubled me, and I think will be a challenge for many of the people over here in the audience today, will be not being able to translate into business risk. True, that's one area which I struggled with, and that was when I took a decision to move out of consulting, because I was a fresher in that space, and moved to the services side of the industry. We went across the BFSI sector; I've been in banking, NBFC, trading

companies, mutual funds, fintech, now in an IT/ITeS organization; been almost 22 years in the industry. So now I've been there across businesses. I understand what the application does, what data it handles, what is the sensitivity of the data, why it matters so much to the company, and why the company would care if this application is exploited. That aspect is important. You can possibly throw out a number of bugs, but can you tell the business which bug is more important? This one right now, because this is very critical, this can damage your reputation today; this one possibly you can still buy time, another five more days, another one week is cool. That is the difference when you bring in,

when you move from a technical tester to a security expert.

You have really touched on the hardcore concerns that most of the enterprises are facing, and I'm sure the people would be able to relate to these pointers. Which brings me to an interesting question for Mr Bhatnagar, and it is: how do you simplify regulatory requirements to board members? Now for a startup, or with unicorns, they are in a race to climb; they have to reach valuations, public listing, all those things are there, and at that time they have to address the regulations as well. So how do they address this regulation? Like we saw an example Mr Khusru gave, fifteen thousand dollars

per instance penalty, big number, so how do we do it?

I think, see, the industry is evolving very drastically, and I think we all acknowledge the fact that there are a lot of new fintech startups that are coming into the space, whether it's healthcare or payments or whichever vertical we talk about. But at the same time what is important is how they are prioritizing their compliances, how they are prioritizing the regulatory requirements. Understanding those regulatory requirements also plays a very critical role, because I think it's a thin line between what you read and what you implement, right? And now in order to have that happen, you need to

have the right partners, right associations, right QSAs coming across onto the table. For example, again I'll just take a reference from the PCI standards: you should have the qualified security assessors, tie up and work with them, in order to make sure that you are implementing those requirements with the intent that the regulators are looking for. Now at the same time, the organizations also need to prioritize. See, you cannot achieve security in one day; it has to be in a phased manner that the companies have to take care of. Right now, talking about PCI standards, you know PCI has a concept called a self-assessment

questionnaire, right? So if an organization is not ready on day one to go for on-site compliance, where the QSA has to visit on-site, do the compliance audits and do all the controls checks and then finally do the annual validation, that may not be practically possible. But at the same time what is possible is that you do assessments with the self-assessment questionnaire, and make sure that you are improving day by day and getting to the next stage of improving your security posture. And that's where you need to communicate well to your board that this is the approach that you're taking. It's all about the approach that you're going to take; it cannot be just a last mile that you want

to go and then implement something, and then you have some glitches, you know, glitches in the form of breaches or data compromises. So it's about building your grassroots well; if you have strong grassroots the chances of you falling are less.

Continuous resiliency is what you're talking about.

That's true.

So with this, as we talk about continuous resiliency, I come to Mr Khusru and I want to ask him the reality. I want to ask him what are the challenges that we as security advisors face, what are the challenges that security advisors face, because most of the time security advisors are looked at as external people. So, yeah,

that's an amazing fact of life, okay. And up till very, very recently security was the first thing that would get neglected in your go-to-market strategy. If you want to cut time, you would want to add external features at the cost of cutting down on security. Now that there are regulations in place, people have started realizing how important this is. Large exposures have happened, large vulnerabilities have been detected. Like, if I remember right, I was in the U.S. when the first version of Windows Server was getting released, and they released that server with 65,000 known vulnerabilities on that day, at that point of time. So that was the audacity at that point

of time, when people were not paying any attention to security. Like, I audited, I will not name the institution, but I helped audit one very large academic institution, a very, very well known academic institution in Ahmedabad, and they were hacked; they were hacked by internal students. We found out, to our surprise, so many vulnerabilities, but when we decided to put that report in front of the management they said, oh, that takes a lot of money, or that takes a lot of effort, we'll come back to you sometime later. So that is a way of life. But today things are changing, because of the regulations: if you look at the IT Act of India or the new Data Protection Act

that is coming in, all those things coming in are forcing people to think of security as the first line of defense. Another thing is that legacy systems do not have security. We are sitting on tons of legacy systems, tons of them, where security goes in as an afterthought, so when security goes in as an afterthought there are a lot of areas, a lot of lacuna areas still, which are open for exposures, for vulnerabilities. All of this put together.

Interesting. So you have mentioned a very important point and that is hack. Correct, most of the people, or the security board, are concerned that they don't want to be hacked, and that's the very fine reason

why they are investing in cyber security. Now this also showcases two, three things: number one is their seriousness. Correct. Now with that I have a very important question for you, Mr Dilip, and I want to ask you: sometimes this happens, and you must have seen this, that a low vulnerability is marked as critical and it is exaggerated and it is pushed in such a way that it has a bigger impact, and it sometimes reaches the level of CEOs, the who's who. Do you think, because of all this, the security interest among the board is being reduced?

Definitely, Smith. So that's what I called out at an earlier point also: you need to understand how to qualify a risk item.

You cannot just say every SQL injection or every cross-site scripting or every attack is going to be of equal value. For example, we have servers deployed or applications deployed in the organization. Some could be sitting way far away inside your organization's fortress, protected by layers of security, accessible only to, say, possibly two or three users in the organization, whereas some of them would be only accessible to a certain segment of the organization, a certain VLAN or certain trusted computers, and a third set of applications could be accessible to the entire world, which could be your customers. Now you can't have the same vulnerability across these three different types of applications with the

same severity. Provided, you have to understand and profile every application or every system: how many people access it, what data does it hold, what is the sensitivity of the data, what will happen if this data is compromised or the system is attacked, will the information go out, will it get breached, will it be reported in the news, does it have any reputation impact, does it have regulatory impacts, are there financial impacts? Unless you do those assessments and profiling for every application, the vulnerability will just be a vulnerability. It becomes risk-based vulnerability management only after you provide the risk context of the organization, the data and the context of the impact to the organization.

Interesting. So one question I would

be having for Mr Nitin, and that is: there are all these security researchers we see sitting over here, the young generation. From the standpoint of security as part of their career, what would be your advice to them in terms of growing their skills and focusing on communication and simplification of the non-technical stakeholder related aspects, how they can communicate and simplify?

I think, as a security researcher, most importantly, you know, we have been discussing this in the morning: I think in the room we'll have two sets of people sitting here, right? One who are focused on finding the vulnerabilities

and trying to keep the organizations updated about the vulnerabilities that they have, right? And there will be one set of people in the room who will be having a mindset of how we can improve on the security posture of an organization, right? And with that I think I want to answer that in a way that you need to find your interest level and improve on your skills, meet the like-minded people from the industry, from the compliance side and also from the non-compliance side, from the technical side; from both aspects you have to get the insights and then accordingly

choose the aspects that you want to consider in your profile. Now having said that, again one point I just wanted to make on what you said, how you want to communicate as a security researcher: I think communication is key, and presenting your thought process to the senior level, senior management, board members, is also going to play a very, very critical role. Now some people misunderstand when I say presentable. Presentable doesn't mean that you have to be suited-booted and go and present to someone, but it has to be in a very palatable way, what you want to communicate. It should not look like you are trying to

make use of that opportunity to make some kind of a financial gain; instead you should make it feel like, you know, this is something, an exposure, which could lead to a major disruption for your organization and could have a financial impact. So this is the way that you should look at it, instead of showing it the other way, and that's where many security researchers would also face that kind of heat from the industry. But having the right set of communication is very, very critical.

Interesting. So you mentioned compliance, so that's where I come to Khusruji. One important point I would like to ask you is about GRC. So how is GRC being taken

by the board, and are they basically focused on perceiving their governance, risk and compliance, how are they measuring their GRC?

An honest answer: very few people even understand the full gamut of it, okay? So it is still very much evolving, because we are still working to understand and capture very basic vulnerabilities, okay; very high-level structural vulnerabilities are still very, very far off. So people are going there because, unfortunately or fortunately, they are forced to do that: there are regulations, there are IT acts, the government is cracking the whip, a lot of these things are happening, so people are going there. But if you ask me, still we have a far

way to go, because, like I was reading right now, Optus, one of the largest telecom networking setups in Australia, had a huge exposure where 9.8 million accounts were stolen. Now 9.8 million accounts means 25 percent of the population of Australia. Still we are sitting on that kind of exposure; with a lot of this kind of security in place we are still working and getting these kinds of exposures. So honestly, we are still very far off from having proper GRC mechanisms in place at a lot of large and small enterprises. Small enterprises still manage and do a good deal, because they are evolving, they have recently started, so they can pivot very quickly, but for the large

corporates still it is very difficult, still a long way to go.

So one last question I would like to highlight, and then we would be open for questions that we can take up. So one important question I want to ask each panelist over here. I start with Mr Dilip. I want to ask you: often we hear in the news, or when we are speaking with corporates, when we are discussing with our clients, that there is a skill shortage in the industry, but you see the town hall is full, we have got a couple of people, security researchers. How do you see this talent shortage that is there in the country in terms of cyber security? Is it real, or do we

need to just change certain things on the ground, or on the process front, which can simplify it?

So honestly, let's do a little test right here. How many of you guys are engineers over here, and how many are non-engineers? So this is where the understanding is. Typically the myth in the companies is, if you see most of the JDs coming out, B.Tech or BE is a requirement for all your JDs. The moment you put that in your JD, the HR person blindly puts that as a filter into LinkedIn and Naukri and all other sites, and half the population of this entire room has disappeared; they are not considered for the interviews in the first place.

That is the problem with the companies that we are having over here today, and when they have turned a blind eye to this vast talent out here, then they say that there's a skill shortage.

So, same question to you, sir.

I think, BSides, I think I would like to thank BSides, I think it's a great platform for the security researchers to come and get a chance to meet with the industry leaders, and I think I'm really glad to see we have such a pool of talent in the country. You know, I've been asked in various TV interviews, you know,

we have a shortage, we have seen DSCI reports that we have a shortage of 100 million cyber security professionals. I think there is no lack at this point. I think it's just about you coming out and we taking you back to the industry and saying to the world that, you know, India is ahead of the other countries in terms of the talent pool, I think a massive one. I think thanks to BSides for bringing together all of these security researchers and professionals here at one place, and I would love to be part of it in some way.

That's a benchmark statement. What are your views, Mr

Khusru, on it?

There is a tremendous shortage of qualified resources, demand and supply. The demand that is there for qualified resources for security, we are not able to keep pace with, and if you go to the fundamentals, your academics and your education courses are to blame for it, because I teach at a lot of academic institutions as a visiting faculty, and a lot of it, but I am yet to find a good structured course that teaches computer security. Yes, there are a lot of just basic fundamental certificates, all those things; these poor guys have all gone out and learned security, but if you ask me is there a course which has majors in

computer security, I am sorry, I might not be able to even name five educational institutes that really certify you as B.Tech in security, cyber security.

May I, I just wanted to add here too, sir. I think definitely there is a requirement for the educational institutions to come up with these courses. I did my masters in information security from IIIT Allahabad, and I think one of the finest institutes of the country, and they also do have an M.Tech in information security; if they are interested probably they can go. And I think there are some institutes in Bhopal, I think they also offer, and in Mumbai also there are some institutes which offer,

but yes, definitely these kinds of courses need a rapid ramp up in terms of spread across various universities and various institutions. But at the same time, if you want to really grow your career in the payment security space, I think the PCI standards, you know, if you talk about, there are several certifications that are professional in nature which will give you that exposure on how you should be protecting the payment data, you know, just for the larger set of organizations including financial institutions, and globally. So you should look for the PCI trainings and certification programs if you are really interested in payment security. Interesting. So considering the time shortage, we will be taking two questions.

Yes, we can start with the gentleman over here. Yep, can someone get a mic? Good, good.

I'll give it an attempt. So you are working with a company, sir? Okay, awesome. So let me take my example first. I started off with whatever learnings I had done as part of my induction, my earlier days of career. Then, as and when you are doing your testing and your various projects and assignments, you will learn more through those activities, because only practice will teach you more stuff: when you make errors, when you come in front of people, then you learn more. Next, you have to constantly stay updated with what's happening in the market. You need to know what are the latest technologies, what are the latest attack vectors, what are the latest hacks that are

happening, and you need to find ways from the media or from other sources to see what were the various methods used to perform that attack, like the recent Uber attack or the artist attack: how have they happened, what really translated into it? The SWIFT hack that happened some time back, what really happened in that? Many people do not really read the entire concept of what happened in the attack; they just understand that an attack happened, it impacted so much into the organizations across, and so many companies were impacted, period. They don't look after that. You need to come beyond that, get a little deep down to understand exactly the modus operandi around it. If you remember, somewhere around in 2000

eight, nine, I'm talking about, there was a prepaid card hack that happened in India, and there were prepaid cards to the tune of, say, 500 cards roughly, I believe, if I'm not mistaken, and they were translating to almost 41 million worth of transactions despite having zero balance on them. The cards were cloned and then they would be used across the US. So how did it happen, what really resulted in it, what was the failure point? Those aspects are very important to learn, from our perspective at least. Today, if I have to learn new things, I look at a couple of sources of information: news reading sites, articles, physical material, as well as I do attend some

trainings and conferences like these. For example, there are CISO conferences; we have a CISO WhatsApp group that keeps us updated on what's happening latest. Nitin and I are part of many of them today, and we do connect offline also, on personal interest, just on a cup of coffee or for dinner. We discuss our problems or whatever achievements we've done; we experiment with each other's ideas. These are various methods that keep on helping us grow. Something that's worked for him might work better for me or might not work for me, and that's what helps us understand what is good, bad, ugly in those spaces. Lastly, don't stop learning. Learning does not mean only looking at the

certifications or formal training programs; it has to be in any and every form. Any place is a knowledge point. I hope I answered your question somewhere. Yeah, can I add? Sure. There is one big source that you cannot neglect, and that is the government regulation, right? CERT-In has to be your best friend, and then the domain in which you work and the geography in which you work have to be the two variables that will impact what you read and what you should know about, as your first line of defense. After that, sky is the limit. As you said, in an IT development world, how do you keep track of what happens in Java development?

Similarly, you keep track of what happens in security. We can take one final question. Yeah, Mr... gentleman, we can take one. Yep. Can you be louder?

You're saying, as a fresher in the industry, there are multiple ways, my friend. So you could possibly approach a consulting firm, for example, or a services organization, where you start off as a tester and then keep on growing out. But if you're looking at an industry, for example like a banking industry or some organization under the CISO office, the point is there could be multiple requirements. It could be a straight-ahead tester, like you guys for example today, what you are performing, where you are supposed to pointedly go and just blindly attack, find out something and give it back to me, then help my other team translate it for me. That could be one method. The second

method could be, are you able to understand the business aspect of it? Now, when you're talking about a fresher perspective, what I would look at is: are you able to understand and grasp the basic concepts of security? Do you know the basic jargon that is there today in the market and what it means?

Don't look at those aspects of what you are doing in your engineering, for example; that is also good enough. Are you able to know what is the antivirus versus the next generation antivirus versus EDR? Do you know the difference between the three of them, what each does? And for example, if I say, today from an organization compliance perspective, if the standard check for malware protection was: you check whether the antivirus agent is showing on your machine, does it have the latest definition date, and does it show that a weekly scan is configured or not. These three checks were done in normal antivirus days, all right? Now let's short circuit, come 20 years later, you're in an EDR zone today; you don't have

an antivirus anymore. Do you have an agent on your machine? No. Do you have any definitions? No. Do you have a weekly scan? No. How do you prove that your malware control is there? You understand the difference? How do you bring that part? That is what you will be asked to understand when you come into the corporate zone, all right? So those aspects will come in as far as learning. So you need to understand what is the fundamental difference between how antivirus works and how EDR works to give you still the same or better protection. If you understand the fundamentals, you can answer those questions. I will just add, there is a YouTube channel known as Eric Cole; do see it,

it would help you a lot.

So yes, with this we come to the end of our panel, and I would quickly like to summarize. The way we were able to put forward pointers, views and thought process, it was really amazing. The power-packed panel of distinguished professionals, you people were able to give clarity to the end audience, to the security researchers, on what really it is to communicate with non-stakeholders, what are the key areas: we discussed about cyber attacks, we discussed about ransomware, regulations, we discussed about standards, then we discussed about what the people can do, the students or the young generations can do as part of their career. Indeed, it was great to have you all. Thank you so much for giving an

amazing insight. This will certainly help all these people sitting over here to transform their thought process and career. I would like to thank each and every panelist for giving their amazing views, and with that I would also like to thank BSides Ahmedabad for giving excellent hospitality to each and every speaker. For me, thank you for giving an excellent conference to the security researchers and for speakers as well, for us. Like, thank you so much. [Applause] Mr Smith and all the panelists, such an insightful session on how to communicate security in layman's words to boards and non-technical stakeholders. Thank you so much.