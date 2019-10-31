For Cybersecurity Awareness Month, Nasdaq Decodes with Ryan Wells explores privacy and vulnerability programs with Durgesh Gupta, Vice President of Information Security at Nasdaq. Below is a transcript of the conversation, which has been lightly edited for clarity.

RW: Welcome to Decodes. For this month, as part of Cybersecurity Awareness Month, we want to talk to some folks here at Nasdaq who do cybersecurity for a living. And one of the folks we wanted to talk to was Durgesh Gupta. Durgesh Gupta is a Vice President in our Information Security division, and he's looking after privacy and vulnerability programs at the company. So you have a really interesting job here. You are involved with vulnerability, privacy management, an interesting part of cybersecurity. How did you get into this role exactly?

DG: Thanks, Ryan. So let me give you some color on what this role requires. A vulnerability is anything that can be exploited on our computer systems. Nasdaq is a technology company, so we are discovering around 40,000 new vulnerabilities every week; from the SEC and all the regulatory authorities to the internal audit, we track it very thoroughly to mitigate all those vulnerabilities because otherwise, that carries a risk to Nasdaq. That kind of vulnerability mitigation requires a lot of coordination across silos at Nasdaq and understanding their business priorities and what difficulties they're facing. So, we need to strike a balance between the risk to Nasdaq and the business requirements. I guess I was able to do it. That's why I got this role. And privacy is almost the same thing. Nasdaq is running 2,600 applications, and we are constantly changing applications, adding new applications, and we are constantly buying new companies. So, for every new application that comes in, we need to understand what data it has, where the data flows, from one end to another, and how it impacts Nasdaq. Do we have the consent of the people for collecting the data?

RW: So, vulnerabilities – do they change year to year? Do you see that in 2019, these are the types of vulnerabilities that are the most popular kind or does it stay consistent over time?

DG: You bet. Just look at the year 2018 – 18,000 unique vulnerabilities were discovered in 2018; in 2017 it was around 16,000. But in 2016 there were only 6,000. So, from 2016 to 2017 and 2018, there was a big change. Vulnerabilities keep on changing, and the risk profile keeps on changing.

RW: From your end, what do you see in terms of what a successful vulnerability and privacy program look like? What are a couple of the ingredients that go into that?

DG: One of the things that a person should have is passion, and another one should be thoroughness. For example, every week, we go and scan every single device in Nasdaq. And once we have the device scanning done, then we go and see how to prioritize that, because every vulnerability cannot carry the same risk. And once we prioritize that, then we figure out whether we can remediate it, or whether we have mitigating controls for it.

RW: As a technology company, we're very comfortable as employees with technology. When it relates to cyber, though, how do you see the balance using cybersecurity technology and the human factor? And how does that work as it relates to vulnerability and privacy programs? I'm sure there's a huge element of human interaction there, but technology is heavily involved too. How do you balance that?

DG: Very good question, Ryan, thanks for asking it. As we understand, Nasdaq is a big technology company, and we have every cutting-edge technology deployed in information security, because we have to have machine learning. We need to have all that data stored. But the human factor is one of the most important factors that Lou [Modano, Nasdaq CISO] always emphasizes, and Brad [Peterson, Nasdaq Chief Information and Technology Officer] always emphasizes that security culture. Nasdaq carries the security culture to all employees. I will give you an example: no matter how many tools we deploy, when you read your e-mails, there may be a phishing e-mail where some hacker is sending you an e-mail with a link. If you click it, no matter what tool I deploy, I will have some control over it, but then security is compromised. So, as we always say in information security, security starts from our team members.

RW: How do you stay on top of your game?

DG: First of all, you need to make sure you're aware of what the threat landscape is in the world outside. And a lot of companies help us; the FBI helps us. They give us feedback that we have a threat. I mean, we constantly meet them. But at the same time, the way information security works is like a cat and mouse game; you have to be ahead of it. So, you need to have a passion for security, and you have to be thorough. Because remember one thing: you can be right a million times, but you only have to be wrong one time and security is compromised. So, passion and thoroughness are the key for this job in information security.