When Samir Aksekar joined as CISO at Tata Digital in 2021, he had his work cut out for him—to secure the Tata Group’s soon-to-be-launched super app, Tata Neu, which integrated nearly a dozen existing brands with a combined base of more than 100 million users.
The seasoned security professional went back to the basics and began with prioritizing people and processes.
“Security is not just technology; it’s past that stage. It’s a mindset that impacts the entire organization,” he says. “My objective was very clear—keep it simple, start with the basics, and don’t jump into anything complex on day one.”
He also leaned upon a strategic partnership with Microsoft to bring a cloud native approach to secure the platform and data of millions of users. Tata Digital was the first customer in India to get Microsoft’s XDR solution for managed security, even before it was formally launched in the country.
“It offers us the assurance that the Board and that the leadership wanted because Tata is synonymous with India as a target for bad actors. And when it comes to security, you want Microsoft in your corner,” Aksekar adds.
Microsoft Stories India caught up with Aksekar to discuss his approach towards security, the role Microsoft is playing to secure Tata Neu, and the need for diversity in building a secure foundation. Edited excerpts follow.
You’ve been in the IT security space for over two decades now, but Tata Digital is unique – it’s a born-in-the-cloud company. As a security professional, did that offer any new opportunities and challenges?
As you mentioned, Tata Digital is a cloud native company and we built it from scratch during the pandemic. When I started, I looked at my bag of experiences, from banking to technology to cybersecurity across the region to think about the things I wanted to do but also those that I wanted to avoid.
My objective was very clear—keep it simple, start with the basics, and don’t jump into anything complex on day one. For me, the prioritization has always been around people and processes.
On the people front, it’s important to hire the right people with diverse backgrounds and empower them.
And ensure we are process dependent and not people dependent when it comes to handling incidents, audits, or reviews.
And then finally, we have a strong partnership with Microsoft on the tech front that also exposes us to thought leadership not just from India but a global perspective.
Coming to the challenges, the business wanted to scale fast—so how do you support them in all of the initiatives? The key principle was to be agile and keep things simple.
You emphasize the processes around security. Why is that so important?
I keep emphasizing the process because it’s very easy to get lost in what I call the fog of cybersecurity. There are so many fancy tooling products, artificial intelligence (AI) and machine learning (ML) enabled products that it’s easy to think you can plug in a box and it will take care of the problem. But it won’t, unless you put in a process to stitch it across your tech environment, your organization, and your people. So, it must be a process and people approach first and only then you can get technology to come in.
Were there any advantages of implementing cloud-based security solutions? Did it help you move fast, and more importantly, get a return on your security investments quicker?
Largely yes. The agility that a cloud environment gives you is fantastic. The ability to stitch all the tooling in a cloud agnostic manner, whether it’s cloud native from an Azure perspective or to integrate different industry solutions. It allows you to ensure that what you’re getting meets your needs from a features and price point of view.
Microsoft has been very supportive where we’ve been able to offer insights into the product roadmap and help build solutions that we could see would make more sense for us and the industry. At the same time, Microsoft has exposed us right up to their product design and engineering teams, which has been fantastic.
So yes, being on the cloud empowers you to move quickly but it’s a shared responsibility.
Let’s talk about Tata Neu, the super app from Tata Digital. It brings together over a dozen experiences from multiple Tata Group products and services with over 100 million users. What were the challenges there?
One of the initial challenges we faced was to build a robust single sign on environment that could scale up to the number of users we were looking at. There was no solution in the market, and we ended up building our own product with Microsoft’s help that continues to function and scale magnificently.
The partnership with Microsoft started when Tata Digital was set up in 2019. Microsoft just opened its doors and started building it out with us by bringing its data architects, engineering teams, developers, among other teams.
We had to stitch together 8-12 initial Tata Group partners into this platform. While Tata Digital was a cloud native company, most of our partners were not necessarily cloud native. Again, Microsoft along with several partners, including TCS, came together and helped build this.
They helped answer questions like how we architect for such a heterogeneous environment, keeping the customer in mind. How do we stitch a loyalty program across all of the partners when many of them had their own programs in some shape or form?
And finally, scaling up for the launch that was timed with a cricketing event. We tapped into the knowledge of some of the best minds globally at Microsoft to prepare for that scale.
Given that the Tata Group is synonymous with India as a target for bad actors and looking at the scale of Tata Neu, how did you plan for securing the platform and the data of millions of users? How is the partnership with Microsoft helping Tata Digital in this aspect?
When we started in 2019, a lot of Microsoft’s security capabilities were evolving at a significant pace. Hence, you didn’t necessarily have experienced engineers or talent in the market. For instance, Sentinel is the brain of the Azure security ecosystem and if you don’t set it up right it’s going to hurt you later, especially given the scale at which we were operating.
So even though we hired a strong team, Microsoft brought in their global experts who’d guide our teams on various aspects on weekly calls. In fact, some of those Sentinel dashboards were all across the command center when we went live.
As Tata Neu went live for the nation, we wanted to really have strong and robust security monitoring, detection, and response capabilities. And that’s when we initiated conversations with Microsoft around managed services.
We were the first in India to get on Microsoft’s XDR offering. It gave us capabilities not only across security incident monitoring and response, but also from an architecture perspective. It also gave us capabilities from a forensic perspective.
It offers us the assurance that the Board and that the leadership wanted because Tata is synonymous with India as a target for bad actors. And when it comes to security, you want Microsoft in your corner.
We continue to work with the XDR team to customize it to our needs. I think it’s an ongoing process but the value that it brings is phenomenal.
The role of a CISO has evolved over the years, especially in the last decade with increased regulations around data privacy, more frequent attacks, and building trust with the consumers of your service. How do you see your role changing over the years?
The role of a CISO has changed fundamentally – the security organization is no longer on the backfoot. You have to be shoulder to shoulder with your frontline businesses as they engage in new markets, engage with customers, and engage with regulators. You have to be at the table enabling them.
I think regulations will continue to evolve and they generally have the right intent. We should support regulators and provide them inputs from an industry perspective as we have the pulse on the ground.
In terms of consumer trust, I think you must make security work for them. We need to build security into our systems, so we don’t make them jump through hoops just to secure their own accounts. Their job is to use the service and do what they need to do. We must build security into our tooling, into our processes, and ensure our people do the right thing.
Let’s talk about people and talent crunch in the security industry. You spoke about the lack of talent but also about building a team at Tata Digital with diverse experiences. Why is that important?
I think there’s a lot of effort required across the industry to build the talent pipeline. We need to help shape the educational curriculum to get them ready for the actual environment that’s out there. That’s the way to address the cybersecurity talent shortage.
Diversity has been a key play for me right from the time I wrote job descriptions for my leadership team. It’s not only gender diversity, I look for other diversities too, like their background, their age, their religion, and even the industries they come from.
I look for diverse opinions that challenge me and bring diverse perspectives to have the best outcome. I think that’s the key for building a secure foundation. Security is not just technology; it’s past that stage. It’s a mindset that impacts the entire organization.