Meet Ricky Arora, Engagement Director
Ricky joins 6point6 from energy supermajor BP where he was a Lead Enterprise Security Architect with a global remit. We’re thrilled to welcome him to 6point6, where he’ll be an integral part of our Cyber Security team, working cross-functionally in strategy, consultancy, and delivery.
Can you tell us a little bit about your background and what you worked on at BP?
I joined BP almost a decade ago to help build a high-performing group strategy and architecture function. I was responsible for developing and driving the adoption of The Open Group Architecture Framework (TOGAF) architecture process across their global operations. My focus was to drive repeatability and measurable architecture quality, and I’m proud to say we did just that. This success led me to form BP’s first group enterprise security architecture function. We worked hard to develop a cyber security strategy and also garner support for a forward-thinking vision to secure information and systems. After securing funding for a multi-year programme of investment in cutting-edge security services, I developed strategies for many technology domains and built teams to realise this vision across hybrid Cloud and traditional on-premise workloads. Most recently, I worked with engineering teams to secure industrial automation systems, developing an ecosystem of controls that provided visibility and protection of process control networks which were deployed to over 150 industrial assets across 70 countries worldwide. I’m proud of what we achieved, as BP is not only more secure, its approach to IT and OT security is more agile, resilient and data-driven.
What made you choose 6point6?
Two things in particular that attracted me to 6point6.
What emerging Cyber Security trends do you think organisations need to be most aware of right now and why?
We’ve seen increasing threat levels over the past few years for many reasons. Firstly, the increase in geopolitical tensions means there is more state-sponsored threat actor activity. Criminal activity has also developed as adversaries become more organised and motivated by extorting large sums of money. In addition, the increase in consumer-grade ransomware services is an example of how cyber criminals are not hidden underground operating in isolation anymore but are interconnected, collaborative threat actors posing credible threats to organisations of all shapes and sizes. Coupled with a rapidly evolving technology landscape and increasing regulation across all sectors, it’s a challenging set of circumstances that ultimately means organisations need to improve their ability to manage cyber risks.
It’s not all doom and gloom. The nature of a hyper-connected world also offers organisations an abundance of opportunities to develop innovative products and services that can change the way we live and work, and experts can help organisations do this safely and securely. Data is the new gold as machine learning and artificial intelligence become the norm. I believe we are also seeing the concept of digital trust emerge as something that provides a competitive advantage and business value. Security is no longer a choice as organisations and end consumers are more security- and privacy-conscious. People want to know that their information is secure; trusting an organisation with data is a deciding factor when choosing a service. Organisations now realise that good security is an enabler – I’ve often advocated that security should be synonymous with the icon of a key rather than a padlock.
Cloud is another example. A few years ago, organisations would shy away from Cloud services, concerned about a perceived lack of security or control. However, most organisations have seen a significant improvement in their security posture by moving into the Cloud and realised that in many cases running their own “on-prem” workloads only presented an illusion of being secure and “in control”.
Visibility can be improved in the Cloud. For example, you never had an Application Programming Interface (API) in your physical data centre that could provide an up-to-date inventory in seconds, or give you the ability to identify vulnerabilities and swiftly respond to them. Moreover, the agility Cloud services offer businesses means that activities such as spinning up workloads could be reduced from weeks and months to minutes, providing the confidence that security and compliance controls were built-in by default.
As with everything, it does have to be designed and operated right. The approach to building secure Cloud services is different from traditional on-premise workloads. For example, the shared responsibility model can be misunderstood, so can the list of services that need to be secure. Cloud misconfigurations are currently the number one cause of security breaches, which highlights that the importance of good security, not only during design and build but also during operation, cannot be underestimated. If you are not continuously monitoring your system configurations, whether on-prem or in the Cloud, the question is not if but when problematic configuration drift will occur. This drives another trend, moving away from occasional inspection of systems to continual situational awareness of all systems.
Another Cyber Security trend is the importance of resilience rather than a focus on protection alone. Breaches are becoming more common, and detecting and responding to breaches is as important as protecting information and systems from attack. An organisation’s ability to respond effectively is what will make them resilient. The emergence of Extended Detection and Response, or “XDR”, capabilities that centralise security data by combining SIEM, SOAR, NDR and EDR capabilities is starting to mature security operations. This provides the ability to detect when things don’t look right, enabling well-rehearsed security teams to stop attacks in their tracks and limit the damage they could cause. I believe we will start to see more of this with a higher percentage of security funding going towards detection and incident response capabilities than we have seen previously.
Wow – certainly lots for organisations to think about and some great insights. Okay, last question, and it’s a fun one! We’ve been told you are a DJ, so you might know what’s coming: what kind of music do you play and where?
I used to be a DJ many years ago while studying at university but stopped playing professionally a few years later. Now I only really do it for fun at home. I like mixing many different types of music, from Hip Hop and RnB, through to House, Dance and even some Reggae. Although it’s fair to say that with my young kids being the main requestors these days, there is often lots of pop music in the mix too!