Suresh Iyer & Murari Shanker, the co-founders of CyRAACS (an acronym for Cyber Risk Advisory and Consulting Services), shared their company’s growth and success story with The Global Hues.
CyRAACS is a CERT-In empanelled company with expertise in cybersecurity, data privacy, and risk management. The company began its journey in 2017, when the cybersecurity consulting space only had niche consulting companies or large IT services companies offering cybersecurity consulting as an adjunct service. Since its inception, CyRAACS has been one of the few players in India providing consulting and advisory services exclusively for cybersecurity, with a focus on the medium-to-large enterprise segment, which needed a credible player. The company started with a strength of two and a vision to offer world-class cybersecurity consulting services to clients. In 3 years, CyRAACS has grown to over 60 team members and completed more than 400 engagements with over 150 clients ranging across industry verticals, geographies, etc.
The stable political leadership and the Indian Prime Minister’s specific emphasis on initiatives such as Start-Up India and Digital India encouraged CyRAACS to fulfil the vision of having dedicated world-class consulting companies in India.
The company has completed complex assignments for leading Banks, Small Finance Banks, NBFCs, BPOs, IT/ITeS companies, EdTech, Fintech start-ups.
The company has focused on increasing repeatability in the service delivery, which has enhanced predictability of outcomes, quality, and reduced time. 100% of the work has been remotely delivered without impacting time, quality, and support to clients. “Automation and standardization of delivery have increased client satisfaction,” said Murari.
The Company and Team Ethos
“Having highest empathy towards clients, excel in whatever you do, and learning every day are our key ethos in CyRAACS,” Suresh claimed.
“We work as one big family with a young team providing spectacular results, winning accolades from clients, and achieving world-class certifications. Our day goes by quickly because we love our work. The unique thing at CyRAACS is that you learn every day and we embrace learning big time,” he further added.
CyRAACS Cybersecurity Solutions
CyRAACS offers a complete suite of services on Governance, Risk, and Compliance. They also provide Technical Services in niche areas like Advanced Application Security Testing, Cyber Security Audits, Red Team Assessments, Cyber Forensics, Security Architecture Review, etc. Managed Security Services such as CISO Services, and an à la carte selection of all the above services in a Managed Services model, are also provided.
CyRAACS has developed a few niche services
- A Qualitative and a Quantitative Maturity Model Assessment on Cyber Security
- Specific Focus on Work from Home Security Assessment
- Balanced Scorecard to measure and report metrics-based performance of the Cyber Security program
- A homegrown tool on Advanced Malware Analysis
The Maturity Model Assessment focuses on the security posture of organizations, especially for remote working/work from home capabilities, while Advanced Malware Analysis focuses on identifying malware (active, residual, or dormant) across systems. These assessments can give organizations a clear indication of their cybersecurity posture along with industry-accepted maturity model ratings. The company also provides an opportunity list that clients can use to implement and enhance their posture. For ongoing sustenance, metrics-based reporting is the key to continuous improvement, and the Balanced Scorecard focuses on that, inducing a competitive spirit within the individual Business Units of an organization.
“Additionally, our core offering of Vulnerability Assessments and Penetration Testing for Applications and IT Infrastructure has seen an increased demand,” said Suresh.
Company’s Core Strength Post Covid-19
High empathy with clients and a pragmatic approach to meeting their needs have always been the company’s core strength. Their focus sharpened towards BFSI sector needs, and they brought out several initiatives to help clients address their problems.
The Biggest Challenge In Cybersecurity
“What is a relevant control today, is not tomorrow,” said Suresh.
Emphasizing to the clients that security is a ‘continuous’ process and not ‘a point in time’ process has been the biggest challenge in Suresh’s experience. The continuous engagements that we have with our clients are a testimonial to their acceptance of this need (continuous process). “The single foremost important challenge in the field of cybersecurity is the ever-changing threat landscape,” Suresh explained.
Upgrading the services of CyRAACS, making relevant and important improvements as per clients’ desire has been another important challenge. With the onset of the unprecedented pandemic, the remote working pace accelerated and became inevitable. It has impacted a number of decisions that are not entirely compliance-driven. Sadly, decisions that are within senior management’s discretion have been put on the back burner.
Misconceptions Regarding Ethical Hacking
Many people fail to understand that it has to be continuously redone. “We still got queries saying ‘I got a black box testing done 2 years back. Why should I get it done now?’ All vulnerabilities must be prioritized in terms of remediation. Identifying vulnerability is not enough, you will have to fix it, validate, and test. In the cycle of prevention, detection, and response, prevention is always better,” said Murari. Ethical hacking is a detection process. More emphasis should be on the prevention process or remediating the known vulnerabilities.
Impact Of The Pandemic On Ethical Hackers
The demand for ethical hackers saw a surge after the Covid-19 crisis. The increasing number of companies that are being affected by a cybersecurity attack indicates an evident surge of real hackers. The demand has increased, but finding knowledgeable hackers is important and a challenge. In Suresh’s opinion, not everybody who calls themselves an ethical hacker is well-skilled.
The sudden outbreak of Covid-19 demanded that access be provided to everyone for smooth enablement of work from home. However, the subsequent course correction of cybersecurity wasn’t done, leading to a large number of cybersecurity attacks that have multiplied across the industry. Even small companies cannot claim their data to be secure, and anyone can be a target.
Mr. Suresh once encountered a cybercrime when he was associated in a CXO capacity with a large IT company, where an innocuous mail was triggered from one center in India and intentionally leaked to a few analytic companies. The market capital of that company fell by about a few billion dollars (USD), rattling the entire management and investigative agencies in the state. Suresh led the investigations to find out the intent and identify the culprit. It involved extensive use of forensic experts in the country, including retired state officials and investigative agencies, both state and non-state, across multiple countries, before concluding on the entire game plan of the culprit. It turned out that the culprit was identified in 6 hours, and it took nearly 40 days to close it. He considers this experience the most challenging and compelling cybercrime of his career.
The New Normal
This pandemic caught the world by surprise. The complete lockdown in April-June 2020 nearly made all businesses crumble. Every company’s single focus was to ensure continuity, and rightly so, pushing every other aspect, including security, backstage. While CyRAACS saw a marginal increase in the business, the orders received were largely to cater to the absolute compliance needs of the clients. The niche consulting services took a back seat. “We were heavy on digital collaboration much before the pandemic and hence the ‘New Normal’ was like fish in water,” said Murari. Being completely on the cloud, WFH had zero impact on the company’s productivity.
The focus on increased security due to the work from home arrangements in organizations attracted more clients towards cybersecurity services. Organizations want to be increasingly assured of their applications and core IT infrastructure security. Organizations now want to build an increasingly robust approach towards security. An increased focus on virtualizing the infrastructure and getting a cloud-enabled setup will be key to allowing smooth work from home. Security assessments focusing on the current state of cybersecurity posture are critical for organizations to take the right steps to embrace and adopt the “New Normal”.
Demand For Cybersecurity In Work From Home
In Murari’s opinion, the traditional model for cybersecurity is no longer sustainable. The adoption of cloud and SaaS solutions is increasing. Organizations should adopt and implement a relevant cybersecurity framework (e.g., NIST 800-53, NIST CSF, CSA STAR, ISO 27001/17/18) to build a comprehensive security program. This needs to be complemented by investing in the latest security technologies, building a workforce with the right skill sets, and engaging partners to provide specific services/skills to support the cybersecurity program. CyRAACS launched a relevant Work From Home Assessment, to focus and provide a maturity report on the enterprise’s preparedness to handle cybersecurity threats from WFH. Their recently launched home-grown Malware Analysis tool to identify active and residual malware in the endpoints was also well received by the clients.
This has led to CyRAACS doubling its workforce and seeing a 3x revenue growth.
Effectiveness of Artificial Intelligence In Resisting Cyberattacks
AI is playing a crucial role in every field. Cyber-attack prevention is also being heavily aided. Most product companies are adding several AI features to their products. It is not just one product but happening across the board. Adding more Machine Learning and AI features is the only way to ensure robust deterrence against cybercrime.
Role of CyRAACS In Providing Security To Financial Institutions
The Reserve Bank of India (RBI) has laid out clear guidelines for every type of financial institution from a cybersecurity perspective. The Insurance Regulatory and Development Authority (IRDAI) and the Securities and Exchange Board of India (SEBI) have also provided clear guidelines for their respective sectors. CyRAACS has built an easy-to-adopt compliance management framework to help these institutions comply with these regulatory guidelines, besides helping clients with cutting-edge best practices and technologies that can be a clear business differentiator. CyRAACS has also built a quantitative reporting of compliance through a metricized scorecard. On a short-term basis, engaging CyRAACS’s maturity model assessment helps their clients understand where they stand on cybersecurity and what their opportunities to improve are.
The Government of India (GOI) has also increased its focus on cybersecurity by bringing in stringent norms for empanelment, with CERT-In conducting rigorous online/offline assessments to evaluate and certify credible Information Security Auditors. “We are proud to be one among 58 (which was earlier 90+),” said Murari.
Small Businesses And Cybersecurity
The demand for cybersecurity solutions has increased in India over the past few months. The frequency and sophistication of phishing attacks, ransomware and malware attacks have increased and there is intense scrutiny from customers and regulators on cybersecurity posture.
Organizations have realized now that cybersecurity can no longer be a footnote, it has to be a core focus to ensure sustainability and continued business growth.
Small businesses can ensure cybersecurity by taking simple measures. CyRAACS has numerous clients from the small businesses segment. The company provides customized solutions as per the client’s requirements focusing on the required services to improve the security posture.
“We have made a difference to many small businesses in a huge way. Simple measures like tightened cloud security, periodic assessments and patching, sufficient email security and encryption, and regular backups alone can bring about a huge improvement in the cybersecurity posture,” said Suresh.
Prevalent Cyberattacks In India
Email threats to both individuals and organizations have become the foremost threat. Targeted attacks on large companies are becoming the order of the day. With the increase in cloud exposure, it is very important to take adequate measures to keep the data secure by following appropriate controls on all aspects relating to cyber-attacks. In post-Covid-19 India, organizations will spend increasingly on facilitating a mobile workforce, which means adoption of cloud and SaaS solutions. This will, in turn, need investment in security technologies, implementing cybersecurity frameworks, and building a workforce with the right skill sets.
“We are focusing on expanding our services for Cloud Security, Managed Security services to enable companies to focus on their core business while we manage their security requirements,” explained Suresh.
Views On Success
“Client first always. In CyRAACS we believe that delivering what we promise is success and we strive to achieve that every day,” stated Murari.
Awards And Milestones
- The Best Cyber Security Consulting Company of the Year – CISO Leadership Awards 2019
- Empanelled with CERT-In (Computer Emergency Response Team – India) till 2023
Visions And Future Prospects
“We hope to become the number one cybersecurity company in India in the next 3 years,” said Suresh.
The company’s compliance management framework and unique solution on continuous posture monitoring, detection, and self-healing on infrastructure, will be of great benefit for compliance-driven regulated industries like BFSI. CyRAACS plans to increase its revenue 3-fold in FY 2021-2022.
Views On The Future Of Cybersecurity
Suresh believes that whenever regulations and regulators are active and prevalent, the importance of cybersecurity is already there. More regulations and more legislation across the world on cybersecurity are probably the fastest trigger for it to gain more attention than it currently has. Our country and the world have moved tremendously towards giving cybersecurity the importance it deserves.
Word of Advice For Preventing Cyber-attacks
- Keep it simple – Everything being online does not mean that all the data is secure online. Implementing tight security controls for your data is very important.
- Use complex passwords and do not share them.
- Do not use third-party computers or public internet unless the credentials of that place are known.
- Be very careful in responding to emails, SMS, and calls from the unknown.
- A key aspect is to be more cyber aware.