Hi, everyone. Ed Amoroso here, and I want to welcome you to an interview with a good friend of mine, Ajoy Kumar, who is the Business Information Security Officer for DTCC. Welcome to our interview series.

Thank you, professor.

Hey, DTCC. What does that stand for?

It's Depository Trust & Clearing Corporation.

Okay. It's probably one of the most important financial services companies that I'll bet a lot of the kids watching never even heard of.

It is definitely a critical financial utility. We play a role in critical finance infrastructure for the US government. It's not a government company, but it's industrial in body. And that's what we do. We settle the books for Wall Street. So, we are just facing the tail end of where the transactions basically meet their final fate, that's where we are.

That sounds so important.

Yes, it is. It's a fun job.

Now, let's talk about you. Tell me a little bit about how you got interested in this technology career that you're involved in. What was your journey to get to the point that you're at now?

Sure. So, this started I think many, many decades ago. My father worked as a statistician and an economist back in India, and I used to visit his office sometimes, as a career day or whatever those things were called, and he was into data processing, and he had some punch card computers and all these. That's what he was using. And in my 8th grade, I saw actually the first PC, which was 8085 based. I played a lot of PAC-MAN games on that. So, PAC-MAN games there, and that sort of intrigued me. At that time they were also playing with something called Lotus 1-2-3, which was actually good in those days. And I could see like him basically getting excited about number crunching, and I think that sort of like intrigued me. I did my undergrad Engineering in Computer Science from India, and then, that was a good start for the career. But, I wanted to see something more.
I ended up doing Electrical EE masters, with a focus in control and instrumentation, which I never got to use in career. But, as I was doing more and more work over years in US here, I was a database manager and I got a project which was on basically securing access to production, so that we can protect our databases from developers. And somewhere there, I got into security, basically did some projects to prevent developers from changing things in production. That field intrigued me so much that I ended up basically signing up for a graduate certificate program at Siemens. I took first class review after many decades of school. And from there on it built on me that that was a career that I wanted to stay in. It was a very interesting topic for me. Something very new to learn, something very exciting to do on a daily basis. And that's something that excited me, and here I am. 13 years later, 14 years later, doing the same field.

That's great. Now, a lot of young people watching might be thinking, I'd like to get into the security field. What would be your advice, do you think they should be doing more technical things or programming things or hacking? What's a good way if say, a youngster who's interested in this sort of thing might, what will be a good path?

So, I think a technical path is definitely an important one. You should know at least two plus programming languages in this day, and that is a very, very good way to get into this field.

What are the two good programming languages?

Well, I like Python.

Me, too.

And Java.

That's too much.

So, most definitely. Those are very important languages, that gets you a very good understanding of what you're trying to solve as a business problem and also gets you a very good feel of security. Because, once you are playing those languages, you need to see through like, how you can break them, right? What are the constructs that you can use to exploit to get into the applications?
And that basically knowing that is very important to get into this field. So my focus has been always on the technical side. And that's where my strength lies. But at the same time, someone who has a little bit more advanced, I would say that they need to pay attention to the operational part of it as well, because if you're not paying to operational part on how that thing is going to affect and set into the production environment on a larger ecosystem, then you could miss out on the overall security aspect. So, it's a combination of focusing on programming application infrastructure and making sure how this set in large operational scheme and essentially make sure that they work securely.

What do you think are some trends, like in cyber security now? Do you think the attacks are getting more difficult to stop, like does it take a lot more skill now to do cyber defense effectively?

Yes, cyber defense is definitely, it's a new field. It has evolved in the last few years and it is expanding, growing, challenging. I think it takes several skills for information security professionals to deal with, right? So, they need to have leadership, a courage to say like, this is the right way to solve it. Then they should have a strategy and planning on how they want to deal with those on systemic basis. Then third more important field is technical expertise. If you're just trying to solve a process, that's good, but with a lack of technical skills, you may not be able to see the full picture. And last but not least is ensuring that basically you are balancing it with the finance aspects of it. Because you cannot be endlessly investing in one area to protect and miss out on other areas. So, the defense in depth kind of concept has to play out well to ensure that you're protecting all the assets in a meaningful way. So, yeah, it is a growing field. It is interesting, it keeps you excited on daily basis.
There is new news that's happening on daily basis and that's something that keeps me excited.

That's so different than what you're describing as logical. A lot of people think, wow, I should be hacking, breaking into things and then I can become a security expert. Those are two very different skills, aren't they? Like breaking into things versus having the logical thought process to come up with, you've mentioned like defense in depth. It takes some careful planning. A little different than just hacking, right? They're different skills.

Yes. So, the way I have seen this field evolve is at a high level. You can say that there are two streams of thought. There is offensive security and there is defensive security. My focus has been on the defensive security, and that's the reason that leadership, and the planning, and operational excellence, and technical things, basically resonated better with me. Just basically, being a Robin Hood and saying that I'm going to do offensive security. I have not done that and those are the areas that some people may find more interesting. But at the end of the day, this defense problem will be solved with a defensive mechanism for most part. Some offense is good. There is new work happening in that area. But I think right now the focus has been more on defense.

Yeah. Let me ask you. How do you keep up? Like, keep up your skills. Do you use books, or websites, or articles, or courses? What's a good way or maybe it's just a daily sort of all the work that you're doing might be the way you keep up the work. How do you stay current?

Yeah. It's a combination of things. So obviously, work keeps me busy and I get to know a lot through that. And then, definitely a lot of reading on regular basis. I listen to a lot of podcasts. I do volunteer my time in organizations, like OWASP, and I've spent a number of years working with them. And that's community that forms there, basically tells you like what is bubbling up to the top.
What you need to pay attention to. And on top of that, like the feeds that we subscribed to for the company and all, that basically tells me what is happening. Like big ticket items I need to be watching on a daily basis. What are the things which are basically growing in the marketplace, which are three months away, and how do I protect from them? So, a combination of things, that's what I do to keep up with what's going on. But it's like always behind the curve I think, that's the way to see it, because there's so much happening on this field.

You mentioned OWASP, the application security?

Yup.

Are there opportunities? I think there are opportunities for young, like for students and others to get involved, right?

Yeah. Absolutely.

OWASP and that and other things, IEEE and on and on and on.

Absolutely. OWASP has been a good platform for me in past, when I was like a newcomer, and I have basically sent people like interns who work for me and other folks who work for me. I always encourage them to take a membership. It's low cost membership. Students used to get a free membership, but they can attend the events still for free. They offer a lot of information, you could get involved in a number of projects. You can help maintain the wiki. So there is a lot happening in that space that they offer for anyone to learn more. And the community that you form there, the information you get, the leads you get, the knowledge sharing that happens on regular basis is very important.

Seems like you're really enjoying what you're doing.

Yeah, I love it.

Well, I'm glad you do it, because if you didn't, I think our financial services industry would break if we're not getting all these trades and things cleared. That's a really important function.

That is a bigger effort and more of ecosystem that is formed. And on the financial sector, I'm just playing my part, but I love it. I am very passionate about it.

Well, keep doing the great job for us.

Thank you so much.
And thanks for stopping by.

Absolutely. Wonderful to see you.

Same here. We will see you next time. Thank you.