How vedic philosophies can help managers boost security posture in Indian corporations

The sacrificial offerings demonstrate that everyone from an organisation has embraced the "best" security culture practices, [for example, a CTO prescribing that an organisation comply with the NIST (National Institute of Standards and Technology) rules, a CISO (Chief Information Security Officers) requiring multi-factor validation, personnel effectively utilising password management software, and intermittently refreshing programming patches on IoT gadgets and work PCs/work areas]. Lakshmi represents the benefits of these offerings, such as lower cyber-losses, increased customer and shareholder trust, a larger customer base, and increased profit.

For the market/cyberspace (devata) to grant the yajaman Lakshmi, offering sacrifices (svaha) is required, but not sufficient. The decision of the yajaman to willingly pour svaha into the fire, working toward the realisation of a vision or goal without guaranteeing a proportionate number of benefits, is the key to any yagna. To establish a robust and compliant cyber-security culture within an organisation and possibly reap the corresponding market benefits, capable decision-makers (the kartas) and their complementing decision-followers (the karya-kartas) are required to act at all levels of management. The oldest Hindu scripture, the Rig Veda, serves as a source of inspiration for this idea. In it, the primary business venture of any organisation is compared to a yagna. In this specific situation, each connection in business addresses a yagna between two substances (upstream, side-stream, or downstream), like financial backer and businessperson, boss and worker, chief and leader, expert and merchant, business visionary and accomplice, dealer and purchaser.

Also read: How insurance-linked securities can improve cyber-security in India

Four Vedic philosophy-driven action items for managers to boost cyber-posture

In the subsequent parts of this article, motivated by fables from the Vedas and the Puranas, we suggest four critical action items (not an exhaustive list) for the management of any IT/IoT-driven organisation to significantly enhance its security culture. These action items are as follows:

• Action #1: Encourage executives in the C-suite to highlight security culture as a noble cause.
• Action #2: Persuade stakeholders beyond the C-suite to support the just cause.
• Action #3: Empower the C-suite to make bold decisions regarding security.
• Action #4: Mere awareness of cyber-security without action is insufficient for employees.

We provide a philosophical inspiration behind these action items, where the philosophy is borrowed from ancient Indian tales, ingrained in the Indian culture and popular among most of the masses. Subsequently, they can be effectively used to educate executives, managers, and other employees within an organisation to mould for the better—the cyber-security culture within the organisation and the cyber posture. These fables, taken from the Vedas and Puranas of ancient India, follow the wisdom of the wise sages and provide valuable cyber-security education straightforwardly and efficiently.

Action #1: Encourage the C-suite and board to highlight security culture as a noble and just cause.

Through this action, the C-Suite (acting as a yajaman and karta)—whose eyes are usually ‘firmly’ shut to investing in boosting organisational security best practices, will be enticed in the first place (for example, by the government/regulator, market forces) to promote security as a just cause within the organisation.

To drive home this point with the help of a philosophical tale of wisdom from both the ancient Shiv and Skanda Puranas, asura/demon-king Tarakasura (symbolising the organisational ‘vice’ of lacking cyber-security focus) needs to be killed to save society (symbolising significantly boosting cyber-security practices and contributing to social good). However, only Lord Shiva’s (a celibate) son can kill Tarakasura. However, Shiva—the yajaman (C-Suite) has no desire to father a child (symbolising a lack of interest in making cyber-security a just cause in the organisation) and does not want to offer svaha (his marriage—here, symbolising investing to boost cyber-security practices through following NIST guidelines, deploying multi-factor authentication and zero-trust tools for employees to access services, policing the effective use of password managers, buying cyber-insurance, opening a cyber-risk division inside the organisation to manage cyber-risk exposure, motivating sharing of cyber-vulnerability information with regulators and vendors on sharing platforms) and seek a tathastu (for a child that represents successfully establishing an organisational cyber-security culture). Lord Vishnu (symbolising a regulator who is non-selfish and cares more about social good) then approaches the Goddess for help who takes the form of the extremely attractive female Lord Kamakshi/Mohini (symbolising market profits due to the competitive advantage of advertising a strong cyber-security posture to trust-seeking customers and investors over competitors) and entices Shiva through pure devotion (symbolising multiple rounds of table talk between regulators and CXOs) resulting in their marriage and an offspring (son Kartikeya) who goes on to defeat and kill Tarakasura. An important point to necessarily consider here is that the enticing act should benefit both an organisational yajaman (in the mythology context—hiva, who in this case becomes a householder post his love Devi Sati’s sacrifice) and a stakeholder devata (in the mythology context—Kamakshi, who gets Shiva as her much-desired husband after her tapasya, i.e., penance).

Action #2: Stakeholders apart from the C-Suite must be enticed/persuaded for a just cause.

It is not enough for an enticed C-Suite to embrace promoting a strong organisational security culture. All stakeholders relevant to the security culture need to be individually enticed too by a yajaman (for example, C-Suite, group manager).

More specifically, each stakeholder is a devata whose needs have to be satisfied for the security culture compass to accelerate—as an example, managers will have to be incentivised (via performance bonuses) to align with a C-suite vision; employees apart from the C-Suite need to be motivated enough by their managers (e.g., via performance bonuses measured through tangible security KPIs) to change their cyber-behaviours in favour of the just security cause; product consumers will have to make some compromises for the social good to accept product performance or application quality-of-service (QoS) that are in the ‘middle’ of the quality-security spectrum than those only on the quality end of the spectrum; and the investors/shareholders need to believe (as those of Apple and Google already believe—evident in them embracing privacy-enhancing client data storage) that the security just cause will make the organisation adaptable, competitive, and profit-sustainable in the long run. This multi-stakeholder satisfaction (MSS) problem is hardly that simple to ‘solve’ in the context of cyber-security as the interests of the stakeholders may not be aligned.

To add a Vedic perspective to this MSS problem, in the epic Mahabharata (a part of the Vishnu Purana), we find a similar real-life multi-stakeholder problem that Draupadi (the yajaman representing a C-Suite)—wife of the Pandavas, finds difficult to solve. Draupadi treats all her five husbands (devatas symbolising organisational stakeholders) equally and constantly tries to satisfy each of them. She is faithful to each husband for a full year and then passes through fire, regenerating her body, before moving on to living with the next husband. She pays careful attention to each Pandava’s diverse interests, making herself so dependable that none of them can bear the thought of losing her (symbolising each stakeholder finding it usually beneficial to be associated with the organisation). And yet, despite all of Draupadi’s efforts, when it comes to protecting her (symbolising all the stakeholders willingly helping the C-Suite to practically realise security as an organisational just cause, apart from just targeting increased revenue), all the brothers fail to protect her (symbolising the fact that they cannot get over their inherent behavioural biases) dignity (symbolising failure of the C-Suite ensuring security as a just cause in the organisation) when she is publicly abused by the Kauravas in King Dhritarashtra’s court post a game of dice. Each organisation, therefore, needs a Lord Krishna as the yajaman (symbolising a smart and security visionary C-Suite endorsed by the governing board) who can satisfy all the gopikas (stakeholders representing the devatas) simultaneously (by implementing smart intra-organisation recruitment, technical, and behavioural policies with suitable inter-stakeholder tradeoffs that are compliance-friendly and aligned with a good organisational security vision). 

Also listen: Vishal Salvi at Infosys on why the company's cybersecurity practice team has grown 5X in four years

Action #3: The C-Suite must be a bold decision-maker on a just security cause.

A security-conscious and visionary C-Suite should prioritise proactive and responsible decisions to promote a strong security culture in organisations, despite most SMBs' (that form 90 percent of IT-driven businesses around the globe) shareholders' focus on ROI. God says in the Bhagavad Gita that one should do the right duty without thinking of the outcome. This opens a platform for bold decision-making. Taking bold decisions that prioritise social good (instead of ROI solely) and align with just organisational goals is crucial for building consumer trust and gaining a competitive advantage. Although these decisions may affect stock prices in the short term, they can yield unexpected windfalls in the long run. Bold C-Suites (the yajaman) should be willing to bear responsibility for their decisions, as reflected in the following tale from the Garud Purana in the context of cyber-vulnerability information sharing with public-private entities as a just cause.

Once, Garud (a yajaman and karta), the eagle, was enjoying the song of a sparrow atop Mount Kailas when he observed Yama, the god of death, frowning upon the bird. The compassionate Garud, fearing for the life of the little bird (symbolising realising the positive effects of sharing a company’s cyber-vulnerability information on the security-improving cyber-insurance business), decided to take the bird away from Yama’s line of sight (representing a C-Suite’s action of sharing cyber-vulnerability information). Garud flew away with the bird to a tree full of succulent fruits in the forest beyond the seven mountains and seven rivers. Yama was beaming when he returned to Mount Kailas. Yama explained, “My account books are balanced because of you. The sparrow was not supposed to die today on Mount Kailas. It was supposed to die (symbolising cyber-vulnerability information sharing leading to a negative hit on the reputation of the organisation in the public media, and a consequent drop in the market share prices) in a forest far beyond the seven mountains and seven rivers, eaten by a python that lives under a tree full of succulent fruits.” Bold Garud realised in hindsight and bore responsibility that his heartfelt decision to be kind to the sparrow turned into an act of cruelty. However, since Garud’s intention was good, it reflects good karma, even if the outcome of the action behind the intention wasn’t favourable.

Action #4: Plain cyber-security awareness/importance without action is no good.

Nowadays, CEOs, who lack a core competency in cyber-security, need to acknowledge the increasing cyber-risks their organisation faces in the IT and IoT age and not exhibit corporate hubris that they are immune to major cyber-attacks. These CEOs should not publicly exhibit a strong interest in strengthening the cyber-security of their business processes—but internally transfer the liability of managing business disruptions due to cyber-events solely on CISOs, without them brainstorming on this together. Fortunately, for such CEOs, Section 5 of the FTC Act (in the US), dating back to 1914, prohibits “unfair or deceptive business practices in or affecting commerce”. The act does not mention cybersecurity.

To draw a Vedic parallel on this point, consider the story of Paundraka—the king of Karusha, from the Bhagawat Purana. Paundraka wore a crown with a peacock feather; held a lotus flower in one hand and a conch shell in the other; wore the Vanmali—a garland of forest flowers; hanged Makara-kundala earrings that shaped like dolphins; draped in Pitambara—a bright yellow silk dhoti; curled his hair; ate rich creamy butter with every meal; and played the flute in flowery meadows on moonlit nights surrounded by his queens and concubines who danced around him. Having imitated these “Krishna” characteristics perfectly (symbolising an organisation falsely advertising its cyber-security capabilities and vision), Paundraka started to think of himself as Krishna (symbolising the fact that a CEO falsely thinks that his organisation has robust cyber-security). However, he did not possess the Sudarshan Chakra (symbolising the reality that the organisation does not have a robust cyber-security infrastructure or culture). As a result, he sent a messenger to Krishna to tell him to give him the Chakra or face serious consequences. Krishna calmly denied it and asked Paundraka to come and get the Chakra himself (symbolising the fact that deception via a public projection of taking organisational cyber-security seriously in the place of meaningful action will not improve organisational cyber-security). An irritated Paundraka set out for Dwaraka, and upon reaching shouted out to Krishna to return the Sudarshan Chakra. Krishna released the Chakra towards Paundraka, who stretched out his hand to receive it. He suddenly realised that the Chakra was heavier than it looked—so heavy that before he could call for help he was crushed to death with it (symbolising the event that in the wake of a major cyber-attack on the organisation, the false claims or advertisements about a strong cyber-security posture would not help—the weaknesses would be found out instantly by hackers and exploited duly leading the organisational C-suite to experience large first and third party losses).

Ranjan Pal (MIT Sloan School of Management)