"The cyber security leadership helped in inculcating a mindset of having basic checks in your mind while performing your daily tasks, like URL checking, password strengthening, downloadable data vs malicious data, what data to send to AI tools, vendor checks, physical security checks, phishing, etc."
The ethos “completely secure is a myth” resonates deeply in cybersecurity circles. How does this perspective influence your strategies and decision-making processes?
For every cyber security researcher and blue team individual working in an organization, awareness of the fact that “completely secure is a myth” is not just a knowledge trait but also an understanding of what is the right amount of security that must be built in the environment to appropriately run the business function & requirements and efficiently handle the process of security handshake.
Yes, the locks can be placed at every door, but that comes with the hardship of unlocking each of them for normal work.
On the contrary, yes, there is a risk associated with placing fewer locks, and someone CAN compromise a door without a lock, but that is where you have multiple other onion peel layers to protect against it.
"So, to answer the question, while making business decisions and strategies, a security researcher must choose the best layer to protect his company’s environment, and these layers vary based on the compensating controls, tech stack and business outlook of the organization. None of them guarantee 100% security and a robust environment that cannot be compromised, but you can definitely minimize the impact."
In your opinion, how has your cybersecurity leadership evolved while navigating the unique challenges of a dynamic, customer-centric industry?
We belong to the hospitality industry; we are one of the biggest budgeted hotel chains in Southeast Asia. When it comes to high customer-centricity or dynamic industry cultures, we have been the most vulnerable targets of cyber attackers. Cybersecurity leadership played a crucial role in enhancing the security of the organization by just bringing a major focus on “cybersecurity awareness & best practices”. Most companies go through a breach due to their employees being less aware, sharing credentials, not abiding by policies or being a victim of social engineering.
“The cyber security leadership helped in inculcating a mindset of having basic checks in your mind while performing your daily tasks, like URL checking, password setting, downloadable data vs malicious data, what data to send to AI tools, vendor checks, physical security checks, phishing, etc.”
In the context of the hospitality industry’s digital transformation, how do you prioritize cybersecurity investments to address evolving threats effectively?
“Cybersecurity investments are directly proportional to business risk vs cost involved in the implementation of the solution.”
The higher the risk, the better solution we need and the better investment we fetch. For the critical areas which cannot bear any gaps, we even get a flexible budget for adversary planning like BCP/DR or WAF.
With the sector’s reliance on third-party vendors, how do you assess and manage the cybersecurity risks associated with these external partnerships?
Every vendor has to go through a stringent adaptation process within the organization where the initial step is to design the architecture of its integration with the present infrastructure and what data would be flowing to it. Every data asset and every endpoint is classified into fields of P0 and P1 criticality, where P0 is the most critical one. If a vendor wants to access P0 data, they must have global cyber security certifications in place, like ISO 27001, GDPR, PDPA, PCI DSS, etc.
Then, there should be an in-house cyber security team and processes to look at the cyber security of the data & individuals, inbuilt incident management programs, backups created and other processes in place. They all form the first line of decision-making, and once all of them are fulfilled, we move towards the integration aspect and look for how the solution is working for us, including delays, data masking, data protection, etc., in consideration. The last step is our internal VAPT of the whole solution integration to see if we can bypass it at any step.
Once all of this is complete, the vendor will be live.
With the increasing emphasis on data privacy regulations worldwide, how can organizations ensure compliance while maintaining robust security measures?
“Compliance and robust security measures always have a hurdle to smooth process handshake, i.e., the security must not block the customer flow or business flow of the organization.”
This becomes tough when we have multiple layers to look at.
So, to achieve compliance, we always have some controls marked as accepted risks, which every organization understands are hard to implement and do not justify the yearly costs. And some controls are never to be achieved because we have other compensating controls in place.
Looking ahead, how do you see the cybersecurity landscape evolving in coming years?
Definitely! Cyber security has to evolve with the increase in devices, the complexity of technology, the advancement in solution building, the new tech stacks in the market and the better attacks evolving. Safeguarding infra is becoming a necessity since AI engines are new guns for automated, well-planned attacks. They not only help to design the attack but also mimic the victim’s environment for a targeted attack scenario with all the controls and variables matching the technology stack he uses. These crafted attacks make them stealthy and robust. Thus, a need for a better cyber security solution is always a need of the hour.
About Anurag Goyal:
Anurag Goyal, Head of Cybersecurity, RedDoorz, brings a sharp, hands-on approach to securing digital infrastructure at scale. Over the past three years, he has led RedDoorz’s cybersecurity evolution from strengthening core systems to embedding a security-first mindset across teams.
Driven by the conviction that “completely secure is a myth,” Anurag treats cybersecurity as a moving target, one that demands constant learning, sharp instincts, and cross-functional clarity.
A recipient of the CIO100 and Cyber Digital Excellence awards, Anurag holds certifications including OSCP, CREST CRT & CPSA, AZ-500, and is a qualified SWIFT & Fedline auditor. He is also a cybersecurity researcher and an active global speaker and moderator, contributing to conversations shaping the future of digital security.