Welcome to CFInfluencia, a distinguished series by CyberFrat, where we celebrate the unsung heroes of cybersecurity. Join us on a journey of recognition and appreciation as we showcase the remarkable stories and professional journeys of cybersecurity professionals. Through this exclusive series, we aim to shine a spotlight on their invaluable contributions, passion, and dedication in safeguarding the digital realm.
In this edition, we are thrilled to have Ronita Sengupta, a trailblazer in technology and a powerhouse in the HR domain, sharing her inspiring journey.
Please Note: The views expressed are those of the author/interviewee.

How would you describe your professional journey in the IT and Cybersecurity sector?

I embarked on my journey in the IT Industry in 2013 with a passion for employee well-being and helping them manage change. As an HR and communication professional, I recognized the pivotal role effective communication plays in incident response. Early in my career, I actively sought opportunities to bridge the gap between technical experts and non-technical stakeholders.

My commitment to fostering a collaborative environment led me to engage in various forums, where I gained insights into the industry’s intricacies. I immersed myself in learning about emerging threats, compliance standards, and best practices, translating this knowledge into communication strategies and organizational practices that resonate with diverse audiences.

Over the years, I have cultivated an understanding of the unique challenges within the cybersecurity landscape through my interaction with industry experts and working in the IT space. I have worked in close coordination with information security and compliance teams, facilitating streamlined communication during high-stakes situations.

My journey has been marked by a commitment to continuous learning. I actively pursue training and stay in sync with industry trends to enhance my proficiency in navigating the dynamic IT landscape. Through workshops, webinars, and networking events, I have built a robust professional network, fostering collaborations that contribute to the collective knowledge base.

In summary, my trajectory in the IT Industry has been shaped by a fusion of HR expertise, communication acumen, and a genuine dedication to employee upliftment. I am poised to bring these multifaceted skills to the organization, contributing to its mission of fostering resilient and informed employees.

Can you mention any significant achievements/awards you have received in the industry?

Besides being acknowledged as an impactful HR and communications professional, I have been recognised by Fox Story India as one of the top 100 women influencers in our country. I have been featured in Her story Inspiration and the Indian History of Women’s Museum. In 2019, I won the first runner-up title in the Mrs. India International Pageant and was an English News anchor with Delhi Doordarshan for more than 10 years.

One piece of advice you would like to give to new Cybersecurity leaders.

To emerging leaders in the cybersecurity industry, my foremost advice is to recognize the symbiotic relationship between effective leadership and a resilient cybersecurity environment. In my 19+ years of journey in the industry, I’ve witnessed the transformative impact leadership can have on any organization’s cybersecurity culture.

Firstly, prioritize fostering a culture of security awareness and inclusivity. In a field where collaboration is crucial, leaders should champion an environment where employees feel empowered to report potential threats without fear of retribution. Open communication channels and regular cybersecurity training sessions can significantly contribute to creating a vigilant workforce.

Secondly, embrace a proactive stance in addressing the human element of cybersecurity. Recognize that employees are not merely end-users but integral components of the organization’s defence mechanism. Provide continuous awareness on the latest cyber threats and equip the team with the knowledge to identify and respond effectively. Additionally, cultivating a sense of responsibility among employees towards the organization’s cyber resilience is essential.

In the realm of change management, I advise new leaders to approach cybersecurity as an ongoing evolution rather than a static set of protocols. Stay agile and adaptable, fostering a mindset that is responsive to emerging threats and industry advancements. Encourage a culture of continuous learning, enabling your team to evolve alongside the rapidly changing cybersecurity landscape.

Lastly, lead by example in championing a holistic approach to cybersecurity. Acknowledge that it is not solely the responsibility of the IT and Cybersecurity department but a collective effort that involves every individual in the organization.

In conclusion, my advice to new leaders in the cybersecurity industry is to embody leadership that prioritizes people, fosters a culture of continuous learning, and recognizes the collective responsibility for cybersecurity.

According to you, which are the top 2 threats in Cybersecurity?

In the dynamic landscape of the cybersecurity industry, two prominent threats that demand attention are phishing attacks and insider threats. As an HR professional and communication professional, I recognize the critical role of proactive communication in mitigating these risks.

To tackle phishing attacks, fostering a culture of cyber awareness among employees is paramount. Regular training programs, simulated phishing exercises, and clear communication about the evolving tactics of cybercriminals can fortify the human firewall.

Addressing insider threats involves a comprehensive approach that extends beyond technological solutions. Emphasizing a positive work culture, encouraging open communication channels, and conducting periodic reviews contribute to early detection. Sensitizing leaders to the importance of their role in cybersecurity and involving them in fostering a cyber-resilient culture can significantly enhance the organization’s overall defence posture.

Do you have any feedback for CyberFrat?

As a newcomer to CyberFrat, I am immensely grateful for the opportunity to engage in a fireside chat on the crucial topic of “Navigating the Digital Storm: Corporate Communication Strategies in Cyber Incident Response.” Being invited as a panelist is an honor, and I am eager to contribute insights, especially from the perspective of an HR professional, to the conversation. I express my sincere gratitude to CyberFrat for this opportunity.

Masterclass on Secure Coding & Active Directory Security

Tell us about your overall journey in the industry

I am a dynamic Technology Audit, Risk, and Control professional with 13+ years of rich experience in BFSI industry audits for various lines of business, such as investment banking, wholesale payments, cloud, and data privacy. My mission is to add value to each client by providing independent and objective assurance and advisory services on their IT and business control environment.

According to you, which is the top threat in your industry, and how do you think we can tackle it?

People: the weakest link in cybersecurity. With a mature training and awareness program framework, we can safeguard this link and make systems and processes more secure.

What are your significant achievements/awards in the industry?

  • Awardee: Top 10 Women Tech Leaders in India 2023. I am a renowned banking and cybersecurity professional working with global banks and clients. I hold several professional degrees and certifications, such as an MBA, Diploma in Cyber Law, CISA, CCA, PMP, ITIL v3, CEH, CSM, AWS CCP, CCIO, and CPEW.
  • I am an ISAC ambassador for women in cybersecurity and am dedicated to raising awareness and encouraging women to pursue cybersecurity roles.
  • Interestingly, I am also a successful professional bodybuilder who qualified for the ICN International bodybuilding competition representing team India with several titles in regional and national competitions!
  • I have led the process of audit issue validation management across lines of business to identify and close issue remediation plans within timelines and budget, resulting in many hours saved and thus cost savings. I have crafted and implemented a successful campus internship program, where fresh postgraduate students from technical programs at premier institutes were hired and trained with the end goal of making them industry-ready.

What would you like to tell women in the tech industry to motivate them, as the recipient of the Top 10 Women Tech Leaders India Award 2023?

Endeavour to give your best consistently in whatever you pursue on the professional and personal front. I am greatly influenced by the Bhagwat Geeta; as it says, you are only entitled to the action, never to its fruits. Continuous learning and upgrading oneself is very important to keep pace with rapid changes in technology. On-the-job learning we do during our day job; off the job, you can learn via self-study, attending external training and conferences, and obtaining professional credentials. Also, as part of giving back to the community, you can conduct knowledge-sharing sessions, webinars, etc. I also believe that fitness is for everyone irrespective of gender, age, genetic lineage, or ethnicity. Taking care of one’s health is the best investment for anyone. To take care of others, one should be fit and fine oneself. The more you sweat in peace, the less you bleed in war.

Have your lessons in bodybuilding helped you in your career? If yes, tell us more about it

Consistency and discipline are two key traits needed for bodybuilding. The same applies to professional careers too. It also helps me to stay grounded, as we are all the same on the gym floor: weights don’t treat you differently based on who you are; they give results to the one who puts in the effort!

You have been appointed as Brand Ambassador for ISAC; tell us about your experience and the journey leading to that.

I am also a Brand Ambassador at Information Sharing and Analysis Center, a nonprofit organization that facilitates the exchange of cyber threat intelligence and best practices among its members. In this role, I leverage my expertise in Technology Audit, information security, cyber laws, and financial crime compliance to promote awareness and collaboration among the cyber community. I am passionate about staying updated and sharing my knowledge on the latest trends and developments in the Technology control and risk domain.

CISSP Refresher Course 2024 at an amazing price!!

INTRODUCTION

Information security is becoming more important than ever in our digital world. Organizations are looking for qualified people to safeguard their important data and assets as cyber threats continue to develop and become more sophisticated. 

One of the most prestigious and widely recognized qualifications for information security professionals is the Certified Information Systems Security Professional (CISSP) certification. In this ultimate beginner’s guide, we’ll explore what CISSP is, its requirements, how to become certified, the CISSP exam, associated costs, training options, concentrations, benefits, statistics on information systems jobs, and CISSP salaries. 

WHAT IS CISSP?

CISSP, short for Certified Information Systems Security Professional, is a certification offered by (ISC)², the International Information System Security Certification Consortium. CISSP is designed to validate the expertise and knowledge of information security professionals. It is widely regarded as a benchmark for professionals working in the field of cybersecurity. CISSP covers a broad spectrum of security topics, making it an excellent choice for those aspiring to become security experts.

CISSP REQUIREMENTS

Before you can pursue the CISSP certification, you must meet certain prerequisites. These requirements are designed to ensure that candidates have the necessary background and experience to tackle the CISSP exam effectively: 

  1. Experience: You must have a minimum of five years of full-time work experience in two or more of the eight CISSP domains. However, you can substitute one year of experience with a relevant four-year college degree or an approved credential from (ISC)²’s list.
  2. Endorsement: After passing the CISSP exam, you need an existing (ISC)² member to endorse your application, attesting to your professional experience.

HOW TO BECOME CISSP CERTIFIED

Becoming CISSP certified involves several steps: 

  1. Study: Acquire the necessary knowledge and skills through self-study, training courses, or CISSP exam prep books. Online resources, study guides, and practice exams are available to help you prepare (learn.cyberfrat.com).
  2. Exam Registration: Register for the CISSP exam through the (ISC)² website. Choose a suitable exam location and date.
  3. Pass the Exam: Successfully complete the CISSP exam, which consists of 250 multiple-choice questions. You have up to six hours to complete it. A candidate needs to score at least 700 out of 1000 points to pass the examination.
  4. Endorsement: Once you pass the exam, submit your endorsement application to (ISC)² for verification.
  5. Pay Annual Maintenance Fees: Maintain your certification by paying annual maintenance fees and earning continuing professional education (CPE) credits.

CISSP EXAM

The CISSP exam tests knowledge and skills across several information security domains. The eight domains covered in the exam are: 

  1. Security and Risk Management (15%)
  2. Asset Security (10%)
  3. Security Architecture and Engineering (13%)
  4. Communication and Network Security (13%)
  5. Identity and Access Management (IAM) (13%)
  6. Security Assessment and Testing (12%)
  7. Security Operations (13%)
  8. Software Development Security (11%)

To pass the exam, you need to demonstrate your proficiency in each of these domains. Proper preparation is crucial, and many candidates opt for formal training or exam prep courses. 

CISSP TRAINING OPTIONS

There are several training options available to help you prepare for the CISSP exam: 

  1. Self-Study: Many candidates opt for self-study using CISSP study guides and practice exams. (ISC)² also provides official study materials.
  2. Training Courses: Various organizations and institutions offer CISSP training courses, which can be classroom-based or online. (Visit learn.cyberfrat.com for full training)
  3. Boot Camps: CISSP boot camps are intensive, short-term training programs designed to prepare you for the exam in a matter of days.

CISSP CERTIFICATION BENEFITS

Earning the CISSP certification offers several advantages, including: 

  1. Global Recognition: CISSP is recognized worldwide as a symbol of excellence in information security.
  2. Career Advancement: CISSP certification can open doors to higher-paying positions and leadership roles in cybersecurity.
  3. Network Building: Becoming part of the CISSP community allows you to network with fellow professionals in the field.

CISSP JOB ROLES & SALARIES

After earning the CISSP certification, one can qualify for many job roles in the security domain; the top ones include: 

  1. Chief Information Security Officer (CISO): The CISO is the highest-ranking information security officer in an organization. They are responsible for developing and implementing the organization’s overall information security strategy and ensuring that security initiatives align with business goals.

     Salary Scale: $106,727 to $203,345

  2. Security Manager/Director: Security managers or directors oversee an organization’s entire security program. They are responsible for developing security policies, managing security teams, and ensuring compliance with regulations and standards.

     Salary Scale: $81,930 to $140,311

  3. Security Architect: Security architects design and build the security infrastructure for organizations. They create security frameworks, develop security policies, and ensure that security measures are integrated into all aspects of an organization’s IT environment.

     Salary Scale: $90,834 to $153,280

  4. Information Security Analyst: Information security analysts are responsible for protecting an organization’s computer systems and networks. They monitor for security breaches, investigate security incidents, and implement security measures to safeguard data.

     Salary Scale: $90,834 to $153,280

CISSP CONCENTRATIONS

In addition to the standard CISSP certification, (ISC)² offers specialized concentrations for CISSP holders who want to deepen their expertise in specific areas of cybersecurity. As of September 2021, the available concentrations were: 

  1. CISSP Concentration in Architecture (CISSP-ISSAP): Focused on security architecture and infrastructure.
  2. CISSP Concentration in Engineering (CISSP-ISSEP): Concentrates on security engineering principles.
  3. CISSP Concentration in Management (CISSP-ISSMP): Emphasizes leadership and management skills.

CONCLUSION

Becoming a CISSP-certified professional can be a rewarding career move, providing you with the knowledge and credentials needed to excel in the dynamic field of information security. With the ever-increasing importance of cybersecurity, CISSP certification can open doors to a wide range of opportunities in both the public and private sectors. For more information and full CISSP training visit: learn.cyberfrat.com.

 

Foundation of CyberFrat:

When CyberFrat was initially founded, Gaurav Batra, the mind behind what is now a constantly expanding fraternity, had no clue that it would see such incredible success in such a short period of time. The idea that took off as a WhatsApp group of friends from the Cyber Security and Tech field now boasts a community of 25,000+ members globally, with a presence in over 50 countries, 90 cities, and hundreds of Indian colleges. The basic building block of CyberFrat was a common platform for sharing knowledge and networking among professionals from the Cyber Security domain. This idea was brought to life in 2016, with Mr. Pradeep Batra chairing as Director.

Ever since its inception, CyberFrat has provided a social networking platform for individuals from the Cyber Security domain. In addition, it specializes in offering a range of services, from exclusive cyber training and career advancement programs to webinars and workshops delivered by industry leaders and SMEs through programs like CFThursday, CFCXOConnect, and Fireside Chats. The CyberFrat Thursday Series is a weekly webinar held every Thursday in which a well-established speaker talks about relevant topics, concluded by an interactive Q&A. The CXOConnect is a similar session where CXOs from diverse fields talk about the latest trends and developments in technology.

Over the years, we have carved out our niche as a cyber security marketing services provider to B2B brands. We help drive growth by understanding the needs of the client and the industry and incorporating those in our efforts. Our members get to enjoy these services while they learn, grow, and network, all at the same time.

You may wonder what sets CyberFrat apart from other organizations. We are more than just a networking platform. We understand our members’ needs and work towards an enriching and fulfilling experience that they look forward to in every activity and event we organize. Our members are not just members; they are part of a family held together by the force of learning and growing.

About the Founder & CEO:

Gaurav is a Tech Entrepreneur, Risk Advisor, and Cybersecurity professional with 14+ years of direct experience. He possesses strong knowledge of IT-business alignment, large-scale project deployment, and organization-wide security deployments.

He is the Founder & CEO of CyberFrat and has experience working with organizations such as Hewlett Packard Enterprise, MetLife, JP Morgan, Axis Bank, and Mondelēz International.

He has been awarded CISO of the Year 2017–2020, Top 100 InfoSec Maestros, Data Security Champion, India’s Top 20 InfoSec Influencers, and many more speaker and InfoSec recognitions, including one from The Economic Times.

Specialities: Cyber Security Marketing, IT Strategy & Execution, Technology Integration, Mergers and Acquisitions, IT Budgeting, Datacentre Migrations, Vendor Management, Risk Management, Security Deployment, Information Security Governance, Security Operations, Consulting, Controls, Audits, Fraud Analysis, Business Continuity Management, Vulnerability Assessment, Penetration Testing, Budgeting and Resourcing within the BFSI, IT and FMCG sectors.

In this edition of CyberFrat Bytes we look at major developments around the globe. Established companies made bold moves to combat the menace of fake news. Governments also took action against nation-state espionage and threats to citizen privacy by banning apps and coordinating with social media platforms. The current pandemic has forced us all into a new normal of working from home, and as a result attackers have become very creative in exploiting people’s trust. Incidents of ransomware, too, are on the rise.

Let’s look at these aspects in more detail in this edition.

Security News

Microsoft has developed a tool to spot deepfakes, computer-manipulated images in which one person’s likeness has been used to replace that of another.

India bans PUBG, Baidu and more than 100 apps linked to China.

Facebook Reality Labs (FRL) Research’s audio team is developing “Audio Presence,” which will recreate how sounds travel and bounce around in the real world for AR and VR. It would make audio sound like you’re actually listening to what’s happening around you instead of something coming from a device.

The FBI warns Facebook and Twitter that the Russian group that interfered in the 2016 presidential election is at it again, using a network of fake accounts and a website set up to look like a left-wing news site.

Zoox, the automated vehicle technology startup acquired by Amazon this year, has been issued a permit by California regulators that will allow it to test driverless vehicles on public roads.

Attacks / Breaches

Bugs in the multi-factor authentication system used by Microsoft’s cloud-based office productivity platform, Microsoft 365, opened the door for hackers to access cloud applications by bypassing the security system.

Atrium Health said it uses a popular company, Blackbaud, to manage its software, and that Blackbaud recently suffered a ransomware attack.

The “BLURtooth” flaw allows attackers within wireless range to bypass authentication keys and snoop on devices using implementations of Bluetooth 4.0 through 5.0.

Cygilant is believed to be the latest victim of NetWalker, a ransomware-as-a-service group that lets threat groups rent access to its infrastructure to launch their own attacks.

The sudden spike in attacks happened after hackers discovered and started exploiting a zero-day vulnerability in “File Manager,” a popular WordPress plugin installed on more than 700,000 sites.

Jai Daga joined Sony Pictures Network India as Vice President, Technology, with a key role in outlining the current and future vision for enterprise architecture, including traceability from business and IT strategies to suggested technologies.

He has previously worked with companies like Viacom18 Media Pvt Ltd, where he headed different portfolios in the technology vertical. He has also worked with organizations such as Syntel, Oracle US, and Satyam Computers.

Jai is a technocrat with experience and expertise across the technology portfolio supply chain, i.e. enterprise applications, digital brand services, IT infrastructure and operations, as well as cyber security. He has over 19 years of progressive experience in enterprise architecture solutions, consulting, heading delivery, leading business applications, and IT infrastructure and operations.

In the last couple of days, two friends from two different companies in two different cities reached out to me with a similar issue. Emails sent from their corporate accounts are getting bounced (rejected) or delivered to the spam/junk folder. The reason: many emails sent from these corporate email domains in the past were identified as spam. But they claim no such emails were sent from their systems.

It seems a lot of spoofed emails were sent impersonating these domains, due to which the sender reputation of the domains took a hit. When the sender reputation of a domain is low, email providers that receive mail from that domain deliver it to the junk folder or, worse, bounce or reject it, as is happening in one of the cases here.

These domains have DMARC enabled, but the policy is set to None. This means that even though the receiving email providers could see that the spoofed emails failed DMARC for these domains, the policy told them to deliver the emails anyway. Because a large volume of spoofed email claiming to be from these domains was received and delivered, the email service providers lowered the domains’ reputation. They even started delivering genuine email from these domains to spam/junk folders.

These companies did not monitor the DMARC reports and were not aware of the spoofed email attack.

If the DMARC policy of these domains had been set to Reject, the spoofed emails would have been rejected, keeping the sender reputation intact.

So, if you think implementing DMARC adds no value to your organization, think again. Not implementing it can cripple your email communication.

Implementing DMARC is not a simple task. It is a journey. First, you need to set the DMARC policy to None to start receiving the reports, and then analyze them. One company implemented DMARC with a Reject policy straightaway. Some emails sent by their third-party service provider began to bounce because they failed DMARC: the provider’s IP addresses were not present in the SPF record and the emails were not DKIM signed.

Many organisations, such as Rediff.com, provide a DMARC analysis dashboard on a subscription basis. These analysers parse the DMARC reports and show the IP addresses from which emails are sent on your behalf and whether they pass or fail SPF, DKIM, and DMARC.

Then the SPF and DKIM settings can be corrected as needed. When all the email sent by you, and by third parties on your behalf, passes DMARC, the policy can be changed to Quarantine and then to Reject, the ultimate goal of the DMARC journey.
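To make that journey concrete, here is an added Python example (not code from the original post or from any DMARC vendor). It parses a DMARC TXT record, explains what the published policy does to mail that fails DMARC, reduces one aggregate (rua) report to per-source pass/fail rows, and then checks whether any known legitimate sender would bounce under Reject, which is the readiness check the post describes before moving from None to Quarantine to Reject. The domain, IP addresses, report XML and list of known senders are constructed for the example.

```python
# Added example: DMARC policy check and aggregate-report triage.
# Not from the original post; the record text, IPs and report XML below are constructed.
import xml.etree.ElementTree as ET

# Policy strength in the order the DMARC journey progresses.
POLICY_RANK = {"none": 0, "quarantine": 1, "reject": 2}


def parse_dmarc_record(txt):
    """Split a DMARC TXT record such as 'v=DMARC1; p=none; rua=mailto:x@y' into tags."""
    tags = {}
    for part in txt.split(";"):
        key, sep, value = part.strip().partition("=")
        if sep:
            tags[key.strip().lower()] = value.strip()
    if tags.get("v") != "DMARC1" or tags.get("p", "").lower() not in POLICY_RANK:
        raise ValueError("not a valid DMARC record: %r" % txt)
    return tags


def describe_policy(tags):
    """State what receivers do with mail that fails DMARC under this record."""
    p = tags["p"].lower()
    if p == "none":
        return "monitor only: failing mail is delivered, reports go to " + tags.get("rua", "(no rua set!)")
    if p == "quarantine":
        return "failing mail is sent to spam/junk"
    return "failing mail is rejected"


def summarize_report(xml_text):
    """Reduce one aggregate (rua) report to per-source rows.

    policy_evaluated/dkim and /spf hold the aligned results, so DMARC
    passes for a source when either one is 'pass'.
    """
    root = ET.fromstring(xml_text)
    rows = []
    for rec in root.iter("record"):
        row = rec.find("row")
        ev = row.find("policy_evaluated")
        dkim = ev.findtext("dkim", "fail")
        spf = ev.findtext("spf", "fail")
        rows.append({
            "ip": row.findtext("source_ip"),
            "count": int(row.findtext("count")),
            "dkim": dkim,
            "spf": spf,
            "dmarc_pass": "pass" in (dkim, spf),
        })
    return rows


def reject_readiness(rows, known_senders):
    """Decide whether the policy can safely move past None.

    known_senders: IPs that legitimately send on your behalf (your own mail
    servers, third-party providers). Any of them failing DMARC would bounce
    under Reject, so SPF/DKIM must be fixed for them first. Unknown failing
    sources are the spoofed traffic a stricter policy is meant to stop.
    """
    legit_failing = [r for r in rows if r["ip"] in known_senders and not r["dmarc_pass"]]
    unknown_failing = sum(r["count"] for r in rows
                          if r["ip"] not in known_senders and not r["dmarc_pass"])
    return {
        "ready": not legit_failing,
        "fix_first": [r["ip"] for r in legit_failing],
        "unauthenticated_unknown_count": unknown_failing,
    }


# Constructed inputs: the domain, record and report are not real data.
SAMPLE_RECORD = "v=DMARC1; p=none; rua=mailto:dmarc-reports@example.com"

SAMPLE_REPORT = """<feedback>
  <report_metadata><org_name>receiver.example</org_name></report_metadata>
  <policy_published><domain>example.com</domain><p>none</p></policy_published>
  <record>
    <row><source_ip>192.0.2.10</source_ip><count>120</count>
      <policy_evaluated><disposition>none</disposition><dkim>pass</dkim><spf>pass</spf></policy_evaluated></row>
    <identifiers><header_from>example.com</header_from></identifiers>
  </record>
  <record>
    <row><source_ip>198.51.100.25</source_ip><count>40</count>
      <policy_evaluated><disposition>none</disposition><dkim>fail</dkim><spf>fail</spf></policy_evaluated></row>
    <identifiers><header_from>example.com</header_from></identifiers>
  </record>
  <record>
    <row><source_ip>203.0.113.77</source_ip><count>5000</count>
      <policy_evaluated><disposition>none</disposition><dkim>fail</dkim><spf>fail</spf></policy_evaluated></row>
    <identifiers><header_from>example.com</header_from></identifiers>
  </record>
</feedback>"""

# Constructed: our own mail server and a third-party provider that sends for us.
KNOWN_SENDERS = {"192.0.2.10", "198.51.100.25"}


def run_demo():
    tags = parse_dmarc_record(SAMPLE_RECORD)
    verdict = reject_readiness(summarize_report(SAMPLE_REPORT), KNOWN_SENDERS)
    print("policy p=%s: %s" % (tags["p"], describe_policy(tags)))
    for ip in verdict["fix_first"]:
        print("fix SPF/DKIM for", ip, "before moving to Quarantine/Reject")
    print("unauthenticated mail from unknown sources:", verdict["unauthenticated_unknown_count"])
    return verdict


if __name__ == "__main__":
    run_demo()
```

In the constructed report the third-party provider (198.51.100.25) fails both SPF and DKIM, which is exactly the case from the post where a premature Reject policy bounced legitimate mail; the 5,000 unauthenticated messages from the unknown source are the spoofed traffic that, under None, is delivered and erodes the domain's reputation.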

Security News

1. Hour One develops technologies for creating high-quality digital characters based on real people. The upshot is that what appears to be a real human could talk about any product or subject at all, at potentially infinite scale.

2. Microsoft announced the availability of an out-of-band update that addresses the vulnerability in Windows 8.1 and Windows Server 2012 R2.

3. Most devices accessing the Internal Revenue Service’s internal network over wireless connections and virtual private networks weren’t authenticated, according to an audit.

4. Facebook has discussed a “kill switch” to shut off political advertising after Election Day, since the ads, which Facebook does not police for truthfulness, could be used to spread misinformation.

5. Future Tesla cars may come with a built-in feature to make sure no kids are inadvertently left behind in hot cars. The device uses millimeter-wave radar to detect movement within a vehicle and to classify its occupants.

6. A 67-year-old former CIA officer and FBI linguist was arrested on Friday after allegedly selling U.S. government secrets to China for thousands of dollars over multiple years.

7. YouTube banned a large number of Chinese accounts it said were engaging in “coordinated influence operations” on political issues.

8. The U.S. Department of State’s Rewards for Justice (RFJ) program will pay for information that can identify or locate someone working with or for a foreign government to interfere with U.S. elections through certain illegal cyber activities.

9. Chinese AI chat robots can make 3,000 calls a day without getting tired or temperamental, and even blocking their number won’t stop them.

10. Apple accidentally approved one of the most popular Mac malware threats, OSX.Shlayer, as part of its security notarization process.

Attacks / Breaches

1. Federal prosecutors have charged Uber’s former security chief, Joseph Sullivan, with obstruction of justice for attempting to hide the company’s 2016 data breach from the Federal Trade Commission (FTC).

2. Experian has suffered a major breach of customers’ personal information, affecting an estimated 24 million South Africans and nearly 800,000 businesses.

3. Credit card provider Capital One Financial Corp was fined $80 million over last year’s data breach, which exposed the personal information of more than 100 million American credit card applicants.

4. Canon has suffered a ransomware attack that impacts numerous services, including Canon’s email, Microsoft Teams, USA website, and other internal applications.

5. A Ritz Hotel data breach allowed scammers to make expensive purchases with stolen credit card information.

6. A hacker has released the databases of Utah-based gun exchange, hunting, and kratom sites for free on a cybercrime forum.

7. Havenly, a US-based interior design website, has disclosed a data breach after a hacker posted a database containing 1.3 million user records for free on a hacker forum.

8. The University of Utah was stung by cybercriminals for almost $500,000 in ransom following a July attack that gave the state’s flagship institution the choice of sacrificing private student and employee data or paying up and hoping the information wasn’t compromised.

9. Intel is investigating a security breach after 20 GB of internal documents, some marked “confidential” or “restricted secret,” were uploaded to the file-sharing site MEGA earlier today.

10. US corporate travel management firm Carlson Wagonlit Travel has suffered an intrusion, and it is believed the company paid a $4.5m ransom to get its data back.

I started reading the CSA guidelines around the first week of May 2020. Due to my work commitments, I was having a hard time sitting down and reading the material properly. A lot of interruptions happened during my CCSK studies. It was then that I understood the importance of having a fixed schedule and dedicated time to do things. From June 2020 onwards, I promised myself that I’d dedicate at least 2 hours per week to the exam and finish the material by the end of July.

20 August 2020 | 07:00 PM – 08:30 PM IST | 01:30 PM – 03:00 PM GMT

When the global pandemic changed the way organizations did business overnight, companies had to adapt and pivot to address the new challenges they faced. CyberFrat, in association with Netskope, brings you a much-needed webinar on mitigating the risks and challenges that lie in the cloud for remote workers.
