Vishwanath Nair [00:00:00]:
When does IT get involved? What role does IT play? Is it due diligence? Is it gap assessment? Is it addressing the gaps? Or is it taking to the designing the future of the emergent environment? So there are multiple phases that will be there and then understanding who plays a role at what point is crucial.
Karissa Breen [00:00:32]:
Joining me today is Vishwanath Nair, more commonly known as Vish, head of cyber risk and compliance from Baptist Care. And today, we’re discussing the partnership between IT and the business. So, Vish, thanks for joining, and welcome.
Vishwanath Nair [00:00:50]:
Thanks for having me, Karissa. It’s fabulous being here.
Karissa Breen [00:00:53]:
Okay. So before we jump on, we did say it was about a year or so ago that we probably spoke and then things happen and then, you know, you get sort of caught up in delivery of certain things. So I think that I wanna get into that a little bit later on the delivery side, but what’s your view on where the partnership between IT and business would stand at the moment? Now depends on who you are, so I’m really keen to hear your thoughts.
Vishwanath Nair [00:01:17]:
Absolutely. This is a very good question. Now, personally, I feel that we are in a very, very crucial phase in the industrial revolution. I feel that business and IT have never been closer. And the three factors in my mind, which I think determine this, one is the number of digital transformation exercises happening across organizations. IT is sometimes leading some of those initiatives as well, so that’s one aspect. Data is considered as the fuel for the business operations now and not something that’s a byproduct. So it’s essential for IT and business to understand and value that data appropriately.
Vishwanath Nair [00:01:54]:
And third, the proliferation of the AI tools in the market. These three factors together, I think, ensure that IT works very closely with the business, is aligned to the strategy and goals, and sort of partner and drive sometimes the outcomes of the business. The other aspect also is that many of the customers, current and future customers, are very tech savvy. So they are used to using the devices and everything else. So the mode of operations for the business and the way we do business has to adapt to that. And if IT is in a different tangent, it will not serve this purpose. I think these are some of the aspects that I feel lead this close partnership. One very crucial thought that I have is none of these are compliance led or forced due to some regulations.
Vishwanath Nair [00:02:41]:
That tells me that this is more of a longer term relationship that we’re developing, and compliance and governance frameworks would then adapt themselves to adopt this kind of a new thinking. So I’m feeling very positive at this point of time.
Karissa Breen [00:02:54]:
Do you think historically I mean, in my experience, there seemed to be a little bit of animosity between IT, security, and the business. What do you think’s changed over the years?
Vishwanath Nair [00:03:05]:
I would put it other way. It is the lack of trust which has been causing this gap, I feel. Predominantly because business is made of people, human beings after all. Human beings know what are they comfortable doing what they’ve been doing. And if someone comes and challenges them or poses questions, which changes the way that they operate, they would always have the first kind of asset defense going up, and the trust becomes a difficult aspect at that point of time. So what happens generally is that you have the shadow ITs across the business where business runs its own IT. And this leads to a immensely high highest trend, for the organization. There’s a complete lack of standardization.
Vishwanath Nair [00:03:48]:
The operational overheads are extremely high, and these things have been happening for a long time. I think the things that’s changed is I would suggest one of the aspects that’s helped in this transformation is that the regulations and that we have helped that because the regulations have asked the measurements to be such that the business and IT have a consistent view of what is being measured. So that’s helped a lot. There’s been a lot of cross pollination between business and IT from the personnel perspective. You have lots of business people, leaders coming to IT and starting to lead the changes and vice versa as well. I also feel that the way that business is operating these days with more dependence of IT. For example, if I look at it from financial industry perspective, there’s very less requirement of visiting a branch to get an operations done. So everything can be done using your devices and your applications.
Vishwanath Nair [00:04:41]:
That’s because the business and IT has worked together such that the business outcomes are delivered using those services and also helps the environmental goals. So I think there’s been lots of changes happening and driving slowly these discussions forward. At the end of the day, it’s the bottom line for the organization that matters. So any decisions, any actions that both IT and business take, which is helping the bottom line, would go longer. I think this has been driving these changes in my view.
Karissa Breen [00:05:09]:
So going back to your trust comments, you were saying originally or historically, there was a lack of trust. Do you still think that there is somewhat a lack of trust there now only because of things, like, constantly going wrong or there’s breaches or the thing is that people get frustrated because, you know, there’s a lot of friction that’s introduced around, oh, you know, MFA and everything like that. It’s annoying for certain employees as they see it as an additional thing that they’ve gotta do. So do you think that maybe there is trust and that there is still there, but it’s sort of like people’s perception of security has changed. So maybe the trust is there. Maybe now people are feeling more annoyed because they feel like they slowed down a lot.
Vishwanath Nair [00:05:50]:
Yes. Of course, that is a better, but as I said, I’m going back to this, the initial statement that I meant. Business is driven by people, by human beings. So every human being have that different thresholds for accepting change. With the threat landscape changing so constantly, the security controls are also trying to keep abreast of those changes. This obviously introduces a huge amount of disruption in the way that people operate. So adoption of technology such as multifactor authentication or deciding what applications they could use on the devices and whom to call at what point of time and all those kinds of restrictions do come in. And it all depends on how these changes are being communicated.
Vishwanath Nair [00:06:31]:
The changes are required to operate in the current threat scenario to ensure that the organization is sustainable and is able to go forward with its goal. So the changes are required, but the way that it is communicated, modularized, and sort of you show the benefits of these changes rather than the impact of these changes is something that needs to be required. Now the best way that cyber professionals do this is, obviously, try to link your work profile and your personal profile. So when you’re messaging changes for multifactor authentication, you try to liken it to the impact that cyber impact would have on a personal life. And you try to say that, okay. You don’t want to lose your personal information. You would need to protect the information that you are managing at your workplace. So bringing in a different way of communicating, working with them, co designing it, and collaborating, I think, the changes is the best way forward.
Vishwanath Nair [00:07:26]:
And this is not gonna stop because the threat landscape is gonna change. There will be more fatigue introduced by the existing technology, which will be replaced by something else in the future. So there has to be this constant discussion, technology teams and the business users. And as I said, it has to be co designed. The way forward has to be co designed.
Karissa Breen [00:07:45]:
So you said before how the changes are communicated. So given your position and your experience, can you walk through perhaps not an ideal way of communicating and then the other side of that, a more ideal way of communicating. Because what I’ve often seen in the space is people say, oh, you know, it’s how we communicate. But do you have any sort of examples that you can share?
Vishwanath Nair [00:08:05]:
Each organization needs to do some budgeting for the cost for IT controls and show why you’re spending this fund. The other aspect is we also need to show how the returns on investment are being achieved. So we have lots of reporting going back to the business, showing what we’re doing with that funding. But this discussion generally don’t really gel well with the organizations because business has a different view of what’s happening, what’s required, and the IT might not be getting through that view at all. So the ways that I have personally tried out in the past, some of the tips that I would suggest is one is rather than IT viewing it as an application or a system, we need to start looking at it as a service that is being rendered. So what that means is the IT service is part of the business service, and there’s always an upstream and a downstream impact of that service. When you were looking at as a service, service has a customer or sets of customers, and it has some suppliers and service providers. So you’re sort of expanding the ecosystem.
Vishwanath Nair [00:09:08]:
By looking at it as just an application, you’re not having that view at all. So when you’re designing something as you’re implementing a change, for example, you’re not considering the impact that’s happening outside that application. But if you look at it as a service, you’re having much more broader impact. You know, okay. If I make this change here, it will impact a set of customers who are not using this application the way that they’re supposed to, and so I need to address that separately. The support that I have at the IT service desk might not be catered to the way that we are rendering that service, so the support has to change. And third parties, obviously, this is a very big factor. Understanding how the suppliers impact the change and also adopt the change is also going to be a big major center.
Vishwanath Nair [00:09:51]:
So as I said, viewing it and designing it as a service is something that would be very, very, very beneficial. The second aspect that I’ve tried a lot is that IT and business, they’re always operating at their own positions in a way. So that’s a concept call us. You when you’re designing something, you need to look at from the balcony view and the dance floor view. So, basically, we have multiple inputs coming in. So what I’d used in the past was I used to take the cross section of the IT representatives to business operational areas and let the business talk about what happens on a day to day basis in the business operation areas irrespective of what systems or applications or whatever they use. So this gives the IT representatives much better idea of what that black box that is supporting does for the business. So that’s the understanding increases.
Vishwanath Nair [00:10:40]:
And, also, for the business, it gives a better view of what are the different teams in IT who are involved in providing the service back to them. So getting this discussion together is very, very useful, and that’s how the partnership works. This has been tried and tested and works. It generally assists those organizations which are very operational in nature. So I think these are some of the things that have been, I would suggest doing, and I’ve tried it out. It might not work every time, but I think most of the times, this should work.
Karissa Breen [00:11:08]:
But going back to the communication side of things, so in term like, is there language that perhaps people should be avoiding? I know that, you know, even in my experience of working in the field historically, maybe people said things a little brash or people communicated things that they didn’t mean to, so their intention was there, but it just came across probably the wrong way. So is there anything that really stands out for you that people maybe don’t even realize that they’re doing? And then also, what are some of the things that you think people are doing well in terms of communicating the value of this?
Vishwanath Nair [00:11:42]:
That’s very interesting thing. Now, for example, when we are reporting cyber hygiene to the business, general KPIs that we report are the incidents that we have had or number of phishing attempts that’s gone or the security awareness sessions that the teams have attended. These don’t really mean much to the organization, to the business stakeholders. I think what we need to do is understand what’s required. So for example, if I’m talking about awareness, my KPI that I’m measuring and communicating is how many times in the past reporting month has a business individual assisted us in preventing an incident from happening by highlighting near misses or phishing attempts. So this is a very good measure of showing how it is working in the organization, and that’s a very good ROI as well. If I’m looking at just incidents, rather than showing the number of attempts that’s happened to the fire perimeter, I would rather show how many of those have translated into a formula attack and how many of them were prevented in time. So that shows how the investments that we’re putting to the teams and the technologies working together as a unit.
Vishwanath Nair [00:12:54]:
I think the definition of KPIs and reporting it is one of the most difficult challenge that a cyber leader or an IT executive has because it has to be subjective and not objective. So we need to understand the subject that the people that we are reporting it to. We need to understand what their frame of mind is. So changing the reporting is very, very key. The other aspect that I would say is engagement plan. So we need to ensure that we have the right communication going, be it as for example, if you have a cyber uplift project happening, and we need to update the business appropriately. It is essential to understand what are the acceptable means of accepting the information for business. So giving a one way presentation, showing where we are and where we are gonna be might not really gel in that case.
Vishwanath Nair [00:13:45]:
So I have employed things such as attending team meetings, removing presentation materials entirely, just showing putting people in front and talking about it, or I get industry experts come and talk about what’s happening in the industry and sort of give a view of how we are benchmarked against them, and that’s what the executives really like to know. I think what’s required is a bit of thinking outside the box of how the communications should happen, which is very, very key. And it has to be contextual, it has to be concise, and it has to be clear. I think, otherwise, we lose again completely, and we’ll lose the stakeholders. It’s a never ending thing, and I don’t think anyone has the right solution for it. Everyone has to develop their own ways of doing it.
Karissa Breen [00:14:29]:
So when you say clear, would you say, at times, people in this space can get very detailed very quickly and then people seem to get lost about what this person’s talking about? I’ve seen that happen a lot. Is that what you mean by clear?
Vishwanath Nair [00:14:41]:
Yes. So, for example, clarity in what we are trying to talk about. So showing a dashboard of from this, I don’t know, from the SOC, for example, might not really mean anything. We need to show what it really has meant to the business. We also need to be sure that it is not confusing the business a lot. It’s so, basically, it has to be consistent in the way that we’re showing. If we are showing putting our messages across in one way for this month and changing it entirely in the next month, it’s not going to help you at all. The other aspect is that we have to link it with set that we’re addressing.
Vishwanath Nair [00:15:14]:
So that gives a clarity of thought. We are showing why we are doing it, and it’s clear. So business is understanding why we are doing this and not through your to a technical control. That language is not going to help at all. Linking it to business sets, linking it to the business risk that we’re facing, the benchmarking against the industry standards. I think these are the things that we need. Also, avoiding technical jargons, and we are very accustomed to using acronyms. We have to stop using the short forms.
Vishwanath Nair [00:15:42]:
We use the entire terms. In effect I mean, sometimes, I just avoid using the technology terms and the technology names completely. I just say what the control is doing. So rather than telling I’m using an XDR, which the business doesn’t understand, I’ll say that I’m using something to protect that information and the endpoint data, the device that we are having. So change the language. Make it more understandable. It’s a very easy thing to say, but it’s extremely difficult to implement in reality.
Karissa Breen [00:16:12]:
So then in terms of everything that you discussed, which is important, right, how would you advise then to build a closer working relationship? Because as you said, there’s a lot of things going on, a lot of new projects. You know, people are the business is very, very heavily involved with IT and security professionals even more so than before. But is there anything else that you would sort of add that people can build on with the business?
Vishwanath Nair [00:16:36]:
I think what the business would really like to have is a platform where business and IT partners can sit together and discuss on what’s happening now and in the future. So having that seamless interactions and the platform which is enabling that seamless interaction is very, very essential. That’s number one thing that I would say. Second thing that I would mention is just bidirectional transparency and continuous assurance that we are working together. So both parties need to be very open in the way that they’re discussing. So if there’s any hidden aspects such as there’s some technology that’s coming up in the future, which we don’t want to talk about it right now, but that can impact the business, it’s not the right way of starting. So rather than doing that, just understand and be upfront. These are the things that you want to do in the future.
Vishwanath Nair [00:17:22]:
This can impact you this way, and it can also help you in such a way. So that’s something that we could do. The other thing that I think we should be very conscious of is that business needs an early warning system. So how do we work on that together? How do we identify what can go wrong? What has gone wrong in the industry in the past? And how can that factor into your discussions and your future plans? I think that’s very, very crucial for them. I mean, all of us have that issue of being in the silo and working in our rent. We tend to ignore what’s happening outside. Getting that view into our discussions is very, very essential. We also need to ensure what are the minimum baseline controls, which are nonnegotiable so that we cannot go ahead and implement something in the business or start thinking of something without having this minimum baseline controls.
Vishwanath Nair [00:18:14]:
This ensures that you have sufficient and necessary controls and a security in place when you’re doing, launching into an activity. I think that is sort of with the engagement model. Engaging the right teams at the right time with the right information but only then can we have the right outcomes.
Karissa Breen [00:18:32]:
So you said engaging the right teams at the right time. How does someone know if they’re at the right time? Is there any sort of indicators? Or
Vishwanath Nair [00:18:40]:
It depends on the process. Now, for example, if you’re doing an M&A, merger and acquisition, for example. So the merger and acquisition starts off with the business goal of expanding, having organic growth. So in this case, how do we know which parties need to engage? So this means that there should be a view of what are the different services and the service organization in our organization, which can help us in this discussion. So having a clear view of the existing catalog of services is sufficient and understanding how those services would impact my M&A activity is essential. So when you’re planning the life cycle of the M&A, we know which team has to be involved at what time. We also need to have clear measurements in place so that we understand that this engagement is working effectively. And the goal is obviously to have a seamless way of ensuring that the M&A goes ahead while we consider all the risks and plans for it and manage it and meets the timeline for the business.
Vishwanath Nair [00:19:41]:
Because the M&A, as an example, is always time bound. If you don’t do it in time, it doesn’t serve the purpose. So getting all the teams required aligned at the right time. So when does IT get involved? What role does IT play? Is it due diligence? Is it gap assessment? Is it addressing the gaps, or is it taking to the designing the future of the emerged environment? So there are multiple phases that will be there and then understanding who plays a role at what point is crucial. We might not get it right always. So there will be a trial and error involved in this. But then documenting those learnings and then ensuring that the next attempt more correctly is the only way to move forward. But having that engagement plan to start off with gives an understanding of how do we approach a particular activity or a problem.
Karissa Breen [00:20:30]:
So, Vish, it sounds to me what you’re saying that you’re obviously very well organized and very methodical, and a lot of planning is involved to do some of these things. I would say there are definitely people out there who are not. So how do you sort of approach people that perhaps haven’t been as methodical or they had literally a couple of hours before they’ve got to start quite a heavy project because they’ve been directed to and they’re scrambling? Do you see that a lot? And then if so, how can people manage that more effectively? Because in a perfect world, these things are really amazing to do. But what about in an imperfect world?
Vishwanath Nair [00:21:04]:
I mean, to get to the perfect world, it started with an imperfect world. So it’s always fine tuning and learning and improving that’s required. That continuous learning, continuous improvement is essential. So I’m not saying that all of my projects have been so well planned. There have been instances where we have to do something immediately. So we need to prioritize. We need to look at what are my tactical goals versus what I mean, strategic goals, and how do I marry them together. That is essential.
Vishwanath Nair [00:21:29]:
We need to look at what are the key risks that we are managing. How do we address that first? For example, operations are always and security operations are a key aspect. So how do we address that we have the adequate protection for the organization while we are doing a project in the uplift? Entering that as a high priority, and then everything else could be done fine. We still have some more green space to sort the things out, which also ensures that I can always revisit my operations in the future. Once I have managed the rest of the activities, I can go back to the initial one and then fine tune it, make it better so that I have a longer term solution or a service. So everything is a continuous improvement. Everything has to have a feedback mechanism. If you stop learning and accepting what you have from your mistakes, I think that’s when the organization stops, and the individual also starts growing.
Vishwanath Nair [00:22:23]:
I don’t think there are major many organization because, I mean, it is human nature to keep on improving himself or herself. So I think it is not something that is very difficult to adopt, but it is just that reluctance to change that sometimes come in which we have to overcome. And only we are doing this is if you have a good leader, good mentor, someone who can share their thoughts with you. Never be afraid of asking questions. Never be afraid of doing a mistake. I think that’s one of the also, if you can if the fear of failure is always the issue. So if you can fail fast and learn from that and recover is the best thing to do. I have failed in many of my projects in the past, but then, obviously, I’ll need to go back, understand what I’ve done, and then improve so that next time I don’t do the same mistake.
Vishwanath Nair [00:23:10]:
I think it’s a never ending cycle to just keep on improving ourselves every day.
Karissa Breen [00:23:15]:
So going back to the feedback mechanism, so I have a question around that. Now I go to a lot of industry events as you know, and sometimes you’ll ask me for feedback. But then sometimes, I don’t know if they like the feedback. So how do you set it up where you want people to give you feedback, but then people can’t necessarily be offended by the feedback? How do you find that balance? Because then, like you said, if you don’t have the feedback, you can’t get better. But then equally, you may not get the feedback that you are hoping for, and people may be critical or negative. So how do you balance that out from a team perspective?
Vishwanath Nair [00:23:50]:
It’s an interesting one. And I think the one thing that has worked for me in the past, and I continue doing that, is having that 360-degree feedback. So rather than seeking feedback from someone who we know will be giving us good feedback, let’s go and be a bit more brave and ask feedback from someone who’s not worked with us quite well in the past. So that will help us identify what are the gaps. Taking it outside your team for a change, going to your supplier partners, your business stakeholders, and asking them on the feedback is something that I have done in the past. The thing that we can’t enforce is we can’t enforce someone accepting our feedback. That’s something that individual has to do. But if you have, yeah, if you have providing a mechanism of sharing open feedback, the other aspect is also we don’t need to enforce.
Vishwanath Nair [00:24:40]:
Just seek the feedback for that just for that purpose. There has to be intent behind it. So that’s something that an individual also needs to learn. So I have always gone outside my HR system, and I’ll sort for feedback. And I keep it outside the HR system because sometimes HR systems might not have that kind of mechanism. So I use it for my own personal improvement. And I would rather put the outcomes into the HR system as a measure. So we need to work to that way.
Vishwanath Nair [00:25:08]:
Sometimes people might not give us feedback or might just delay seeking. So that’s something that you need to understand as well. So either you stop asking feedback from such persons in the future or just have an open discussion on why they can’t provide the feedback. So I think it’s all about being open and engaging and having a conversation.
Karissa Breen [00:25:26]:
Okay. So now I wanna sort of slightly shift gears for a moment. So you say you can achieve better business outcomes by driving better service delivery. So I wanna get into this because I wanna understand how or what are the mechanisms for that, and what does it sort of look like in your eyes?
Vishwanath Nair [00:25:45]:
I’ve worked in an airline industry earlier, and in my view, that’s one of the best industries for an individual to work in simply because you have an opportunity to work with the customers directly, and the actions that you do has a direct impact on the off premise. So if I take the baggage systems in the airline industry, none of the airline would give a % KPI or assurance that your baggage would follow you when you’re traveling. That’s not possible always. You would always have lost baggage issues. The intent is always, obviously, to have that at a very minimal, as minimal as possible. So if the intention is to say if a target is 80% or baggage traveling with the passenger, how do I ensure that I’m not going beyond 80 or going below 80 or I’m improving that? So for that to happen, what can happen is that the business service delivery teams and the IT teams, which is supporting that business service, as I said, going back to the previous discussion of viewing it as a business service and not as an application on the system, work together and identify what are the areas where there might be single points of failures or there might be latency coming in? And how do we try together to measure and manage that? So, for example, if there is one server which is doing the scheduling of people who are working on the baggage systems or handling baggage handling systems, how that server going down can impact the entire rostering of the teams. That is not nothing to do with the baggage system at all, but the people who are managing that system. So how do I ensure that that component, which is a single server, doesn’t cause a disruption? So we plan for resiliency for that and everything else.
Vishwanath Nair [00:27:26]:
So this drives the funding discussions to a much more effective level, and then the service delivery’s impact is directly improved. And at the end of the day, your customer is not happy. So I think this is just an example, but each industry would have their own unique way of doing it. I took the airline experience because all of us are directly can feel it, can understand, and can relate to it. And this is something that I’ve worked on personally, so I know that this works. So it’s all about getting understanding the entire business flow, understanding what the different components are, the dependencies are, and how do I remove or manage the risks around those dependencies to ensure that this delivery is not impacted.
Karissa Breen [00:28:06]:
So just on that note, I’ve interviewed people in the past, Vish, and they’ve said that there are some security people out there that they’ve experienced in their career that when they’re speaking to other security people in the team, they can’t explain how the business makes money, for example. So does that sort of lead into the business flow? So do you think that there’s people out there that doesn’t understand how their business makes money, they should probably understand that in terms of a better service delivery, but it also gives a holistic view, like you said, on the business flow. Have you experienced that as well? Because like you said, sometimes people do operate in silos. Right? And sometimes things can be missed because it’s a big corporation and you sort of feel like a cog in the wheel. You can’t really see things moving as substantially perhaps. So have you seen that before?
Vishwanath Nair [00:28:55]:
Oh, yes. I have seen multiple occasions. Now I think it’s more the mature organizations which have realized this and then put this business flows into onto paper and have this codesigned with the different teams. Now there are always these chances, as I mentioned, if you make a change to a particular system, you don’t foresee the impact of that to all the stakeholders, all the users that you have. For example, if you are making a change to a telephony system, but we have not understood whether the contact center for a location a, which is not operational always, has the same kind of an impact. How do I change that? Or we are not seeing that and we factor that into the change. The other aspect is when you are making firewall changes to our systems to talk to another system through the firewall. We don’t really look at what are the information that it’s going through.
Vishwanath Nair [00:29:47]:
How is it really relevant for it to go through? So we need to get that. There’s been always incidents where we open the firewall course, but we find that there’s more than required information being shared across systems. This has higher impact to the organization. So I think it’s essential to document what their outcome says. Now there are multiple ways of looking at it. There is a school of thought which says that we need to have this sort of a line of sight. And so what mechanism? So, basically, what changes you’re bringing in? How is it impacting to the final outcome of the service or of the business? That has to be documented and analyzed.
Vishwanath Nair [00:30:26]:
It all goes back to the level of data that we have come accumulating, what is the analytics going behind it, understanding what the impact of the dependencies between the upstream and downstream processes are. Again, going back to the airline, the airlines have something that is called as T minus one eighty. So what they do is, T is the time of departure for any flight. And so they’d have documented activities to be done by different teams to one eighty minutes prior to that departure. So you have better understanding of what can go wrong at what time and how do we have redundancies built in so that the departure of the flight, which is of paramount importance to the airline, is not impacted. What I’ve done in the past is if you are rolling out patches to the airline’s service, I mean, the check-in systems at the airport, we always do it alternate systems. So we don’t take the service out completely. So the way that you are designing the network could be then having an alternate path for each of these second desks, which ensures that you are not impacting the departure of services.
Vishwanath Nair [00:31:30]:
So these are some thoughts that has to go. And, again, it takes an incident sometimes to teach you the right way of doing it, but then there are other ways to sit together, collaborate, and co-design the entire architecture and the system flow.
Karissa Breen [00:31:45]:
So then lastly, I really wanna understand more about you know, you said you’ve got some simple tips on how to partner between the, you know, the business and IT and how they can work better. What are they?
Vishwanath Nair [00:31:56]:
They’re something that I spoke about earlier. First step, I would say, is view it as a service and not an application. So have a broader view of what’s happening. And it’s not only for IT, it’s also the business. Business also needs to look at it, to a much broader view of what are the different people, teams involved in renting the services. Understand if it is service, there’s always peaks and troughs. So we understand when is a critical period, what do we do with it, and how do you manage it. Second aspect is to understand the problem statements much deeper rather than having so do use design thinking.
Vishwanath Nair [00:32:30]:
Keep on questioning the problem statement so that we have a better understanding of that before you jump to the decision making. Then we have a more effective solution design in that case. And the other aspect is aligning the KPIs between IT and business operations such that there’s a close dependency between both of them. And to do all of that, we need partners who can understand, speak the same language between IT and business. We have a much better understanding. They are speaking. They sort of serve as a bridge, a conduit between these two organizations. So this adviser slash partner that I call are shielding the business from the different specialists that we have in IT and just giving the business the right view.
Vishwanath Nair [00:33:13]:
And, also, the other way, provides IT the right picture of what the business really wants from an outcome perspective and drive that decision making and designing. So that model of having a trusted adviser kind of a role between business and IT will serve a lot. We can have our shadow ITs. We can really streamline spending. We can look at having much more. The cyber hygiene improves tremendously because the business understands why the cybersecurity teams are asking questions that they’re asking, and there’s a better option of the technology as well. So I think having that trusted adviser role, in my view, or a business partner role, will be very essential for the success of such an engagement.
Karissa Breen [00:33:58]:
I think it was a really good summary on just recapping some of the main points that you discussed. So then do you have any closing comments or final thoughts you’d like to leave our audience then, Vish?
Vishwanath Nair [00:34:09]:
I had been doing some bit breastfeeding on this for some years now. Now I’ll just talk a bit about how the medical industry has worked. If you notice, they’re around that. There are more specialists in the industry than the general physicians. So I did a study, had said that there are more specialists than at 40% general physicians. And the issue I mean, obviously, it’s more lucrative for an individual to become a specialist because, individually, you can make more money. But the issue is that with lesser general physicians, you have a lesser holistic health management of an individual or of a family. So that personal touch and understanding the human being is getting lost.
Vishwanath Nair [00:34:48]:
Similar thing can happen for any organization if you have many specialists who are directly working with business and driving change on their own behalf, but not keeping the whole holistic goal in mind. So we need to have those business partner kind of people who work very closely with experts such as cybersecurity and translate the changes, the ideas that cybersecurity teams are bringing in to the business and showing the positive impacts of it. And also, serve as a feedback mechanism. I think that’s the only way that this partnership would really help the organization a lot in the long run. And I really believe that we’ll have this tribe of trusted advisers growing in the future, which is much more beneficial for the organization rather than having a load of functions who are just doing their individual activities and taking their own individual activities. We need that player to help the business and the organization to do it.