The Confidence That Our Existing Customers Show Being References For Our Credibility, Gagandeep Singh, AUJAS

December 18, 2018

In conversation with PCQuest, Gagandeep Singh, VP, Managed Threat Detection and Response, AUJAS speaks on the solutions they offer on cyber security.

How is Aujas different from other players?

Aujas is an organization focused on Information risk management. We specialize in cyber security strategy, Engineering and Management. We are structured in terms of practices and I represent one of the 6 Practices in Aujas called Managed Threat Detection and Response.

In MTDR we work on four focused domains which are Proactive Threat Discovery, Advanced Threat Detection, Incident Response, Endpoint Detection and Response and Automation and Orchestration. The practice was always there and was earlier called Security Intelligence and Operations (SIO) which with the transformation and addition of services is now referred to as Managed Threat Detection and Response.

As we see various challenges faced by the customers on a regular basis, how is Aujas offering the solutions?

Challenges faced today by customers are not in the capacity of the traditional SOCs to be addressed. The Mean Time To Detect and Mean Time to Respond are very crucial, and if we refer to one of the Ponemon studies, the average time to detect a breach is 206 days and the cost involved for identification averaged between 5.99 Mn USD to 8.7 Mn USD. Another interesting thing that came up was that 53% of the detections were reported by external sources, i.e. through someone other than their own staff.

To serve our customer on the hosted model, it’s given that we have also built our solution stack through a selection of technologies; however, we are flexible when it comes to models other than hosted and even in hybrid models where hosted and managed co-exist to serve the purpose.

How are customers co-managed?

We have customers who wish the engagement to be a hybrid one where we have a mix of co-managed and hosted services. The model in managed services is quite flexible. Customers can pick and choose options which best suit them from the security/legal/regulatory aspects, e.g. with regards to log storage.

In other words, it totally depends on what the customer is looking for and under what budgetary constraints, and what kind of regulations and compliances he is looking for, because there are some regulations which may not allow a certain kind of model to exist the way it is.

How is the adoption of Data Protection Bill helping organizations?

Yes, we do help our customer around that. A couple of weeks ago I had another session with Information Security Media Group where we specifically spoke about the Data Protection Bill and also had an opportunity to do a workshop with DSCI at Hyderabad, and there is no doubt that it is high time that organizations start getting cognizant of the bill from the compliance perspective as the things are expected to be at the design level.

It has huge implications in terms of cost/complexity/customization if tried to be superimposed at a later stage. For any organization dealing with the data of the individuals residing in the EU, we will have to ensure that GDPR requirements are complied with.

Over the years, in terms of credibility, how many customers has Aujas assured?

A reasonable assurance must be provided against the requirements. There are a lot of customers with different requirements with respect to different businesses, countries etc that need to be addressed. Therefore, I think today you cannot go ahead with a limited catalogue and say that this is what I have to offer, and you can buy this.

It’s important that we are aligned with our customer’s requirement; every solution offered must be tailored to the requirements accordingly. What we are looking forward to is a flexible approach not only in terms of the architecture or model but also in terms of technology and catalogues. Some customers may want a complete remote model, some may want a complete onsite model while some may opt for a mix of both.

Customers may not want a vulnerability assessment or penetration testing service from Aujas but may want to engage us for red teaming exercises. Therefore, we primarily take a modular approach at Aujas.

What is the revenue model of the company?

The revenue model is typically built around two models of engagement, i.e. Project-based and Time and Material (T&M) or annuities based. Project-based engagements are focused around the milestones to be achieved at various stages of the project execution in a timely fashion along with the signoff criteria and are fixed price, while the T&M engagements are, as the models suggest, focused on the duration and deliverables.

It makes it pretty easy to choose that time-bound, objective-based engagements to be covered under a fixed price are taken up as projects, and other ongoing engagements, typically sustenance and operations or any other activity which is difficult to be defined in terms of the duration and clearly defined objectives, are taken up as T&M.

In Security business, in most probability, the SLA and KPIs drive the outputs which are around the quality, quantity and timelines as well, so the T&M is a different flavour (like projects) in this business compared to others.

Does it make more sense to have more Time and Material?

Both have their own advantages and disadvantages: while projects may yield better margins, T&M yields better predictability. The T&M engagements are not for shorter durations, generally. Rough estimates are of the order of 65-70% T&M and projects are 30-35%. It makes a lot of sense to see a higher T&M percentage as the market is adopting more of a managed services model. Projects are typically limited to Consulting and implementations rolling up to a larger T&M sustenance engagement. For example, for a lot of customers that we have, we start on a project engagement which converts into a T&M engagement.

What sort of verticals do you address?

We are serving all kinds of organizations under Government, Telcos, Enterprise, Banking and non-banking financial institutions. We’re trying to broaden our footprint in terms of MTDR both in the domestic and international market.

Is there any particular vertical on which you are focusing?

Yes, so I take care of two practices which are risk advisory services for Asia-Pacific and Japan, and I also globally head the MTDR practice which is a transformed old Practice called SIO in Aujas.

How many customers are there across the MTDR?

We have multiple customers, wouldn’t be able to shell out the exact numbers, however, we are doing well with considerable business in hand and a lot of opportunities on the table going positive for us and since most of them are T&M engagements, it makes our business more predictable and more engaging. It’s a mix of domestic and international customers. With more stress coming on things like data localization, our models of engagement and offerings would be in consideration of that.

What are your go-to-market strategies for branding in India?

Our strategy would be to align with our customer’s objectives with a deep understanding of the problems, stay focused on our strengths, ensure the right mix of skills/talent and stay abreast on our offerings in tandem with the changing threat landscape.

Who are the competitors?

There are many players in this space that makes it look very competitive; however, each vendor has its own set of strengths which define their USP and help customers choose what they would prefer. Saying that, I do not mean that there is no competition; there is, and the differentiator for us has been our focused approach, the experience we bring to the table, different kinds of engagements we have done and the confidence that our existing customers show being references for our credibility.

What are the vulnerabilities in shifting to a third party industry?

It may be true to an extent and hence would call it a perception issue rather. The industry is ethical when it comes to all this and customers are also very matured to handle this contractually. It is the nature of our business that we engage with customers to be their dependable partners and not to bind them through unfair means. We sign NDA and contracts before beginning any project and handle the customer’s information with the utmost care.

Most vendors ensure the required knowledge transfers to the new vendor when they log off; we also ensure that we do. We do not store any information or have access to assets once logged off and do not withhold any information or knowledge from sharing with the incoming vendor.

When looking for the next three, four quarters what are going to be those areas?

The areas would be services around threat hunting, Deception, Automation and Orchestration.

How do you make the customers aware about Aujas?

We run awareness programs around both general and targeted security content and specifically. We also suggest running them on a continuous basis at a defined frequency and at identified stages like employee onboarding, change of projects etc.

Also, Aujas has a product too in this area, i.e. Phishnix. It gets integrated with customers’ training management solutions and it will run a phishing campaign, and whosoever falls prey to it for whatsoever reason, he or she will have a tailored awareness program being automatically run for him so that next time he doesn’t fall prey to that.

What is the process of the program you do in cities?

These programs are organization level programs. What we do is we enable them with skills, resources and content they need for this program to be successful. We are present in three cities but obviously, we work out of places other than those cities when it comes to India. So, it is up to the requirement of the customer. For example, we work in Pune, Hyderabad and other cities where our offices are not present.
