Learn,Unlearn and Relearn

Cyber Security Professional

Manager - Information Security and Assuarance at Aitken Spence

-Damith Pathirage

When you first started your career, what influenced your decision to join IT Sector?

If I remember right, back in 1993, I got my first computer, a i386 DOS based PC. As a child, I did not know much about computing other than Gaming. But with age, my interest in Information Technology grew exponentially.

When I was in university, I realized that I’m good in Computer science than any other domain. But then I had to choose a specific discipline under computer science to specialize. With my father's backing and guidance, I decided to specialize in Information Security.

So I would say, family background and realizing my strengths, influenced me to pursue a career in IT.

You have come a long way since starting off as a consultant in CISCO Information Security Services (pvt) Ltd. How was your journey up to where you are today?

When I joined CISS, information security was still an emerging discipline in Sri Lanka. Most of the clients I had to work with were not willing to accept information security as a business enabler. Also, losses incurred due to cyber-attacks were not so common in Sri Lanka. So it was a challenge to convince corporates to invest in controls to mitigate identified risks. At that time, all these were new to me and I was on a steep learning curve.

In 2008, I decided to pursue my higher studies in Australia. While in Australia, I had the opportunity to learn and observe how corporates in Australia looked at information security and how they used technology to enhance their businesses.

In 2010, I joined Pricewaterhouse Coopers, one of the big 4 consultancy groups in the world. This was probably the turning point in my career as I could sense a strong self-esteem backed by knowledge and experience I’ve had. During my tenure at PwC, I read for CISA, CISM, CRISC and CEH and got through without much trouble.

I started working at Aitken Spence as an assistant manager, and currently I’m the manager overseeing Information Security and Assurance of the Group. My time at Aitken Spence (5 years to be precise) has given me immense joy in what I do best and opportunities to grow as a person. So to sum up, I would say, the journey was tough but fruitful

You are the first Sri Lankan who won the CRISC Geographic Achievement award. What were your competencies that helped you to achieve this award?

Geographic Awards are offered in recognition of highest marks achiever in ISACA exams in different regions of the world. I was offered this award in 2011 for obtaining high marks in the CRISC exam, in Asia region.

Exam preparation was tough as I was working in a very demanding role at the time. I would say, setting up a clear goal, determination, time management and application of knowledge from work enabled me to achieve such great heights in the exam.

What do you think about the status of Information security in Sri Lanka?

Information Security as a sector has seen big improvements during the past few years in Sri Lanka. One main reason for this has been the change of management attitude towards IT functions of organizations.

With the adoption of Cloud computing, Mobile Apps, Big Data and IOT to do business, top executives are starting to realize that IT is no longer a Cost Centre, they are starting to realize that IT is the Business. But IT without security is like a headless chicken. This is where information security comes under the spotlight.

When relying on IT for business, you cannot ignore the importance of information security. Hence, now in Sri Lanka, we could see many organizations willing to implement Information security management systems, trying to educate their staff, creating CISO positions, so on and so forth.

In parallel to this enthusiasm, Sri Lankan government has also made some efforts such as amending its legislation to tackle information security incidents, establishing national level computer emergency readiness teams etc.

With all these developments, I'm confident enough to say that information security sector is reaching maturity in Sri Lanka.


Why do you think Cyber Security is important for an organization?

Cyber security is a subset of information security. Cyber security becomes important when you connect to the Internet, for business or for leisure.

As I mentioned earlier, organizations are looking to expand their businesses through new avenues, and the Internet is the greatest tool to achieve this. With the increase of IT literacy of nations around the world, some individuals have turned to cyber-crimes as a way of earning quick and easy wealth.

Organizations and governments around the world have lost millions of dollars due to various cyber-attacks. If you look at the numbers, in 2015, according to PwC, 59 million corporate cyber security attacks have been reported. These kind of incidents will lead customers to lose confidence in organizations and ultimately find a better service provider. This is why it is crucial to incorporate cyber security with your business plans, if your organization is planning to go online for business.

What were the biggest cyber-attacks in the recent history? What were the reasons behind them according to your knowledge?

There were quite a few, I will talk about a couple.

1. Considered as the largest cyber heist in the history, Carbanak Attack, where attackers robbed as many as 100 banks taking $ 2.5 -10 M per bank. The attack was carried out in a such a way that the ATM machine could only dispense cash to their teams.

2. Another alarming data breach was reported by eBay, where 145 million customer records were compromised. Users were later requested to create new passwords.

3. The infamous bank robbery of Bangladesh Central Bank, where cyber thieves stole $81m after transferring money to different destinations including Sri Lanka.

Investigations have revealed that most of these attacks took place because organizations failed to properly patch their IT systems, block malware, infected email attachments and provide security awareness training for staff on things like social engineering attacks.

Are cyber criminals getting better or is the defense mechanism getting outdated? What is your view?

I think most of us are missing the bigger picture. Information security is absolutely a shared responsibility between People, Process and Technology.

It is not, just about relying on an expensive firewall to protect your information. It is also about strengthening your processes and training your staff to follow secure practices.

They say that ‘Security is not a problem of Technology, but a problem of Process & People’, which is correct to some extent, because if you look at the root causes of some of the attacks in the past, they were mainly due to the weakest link in the chain, I.e. PEOPLE.

Cyber criminals know this, and their first point of attack will always be PEOPLE, then processes and finally, if nothing works, the technology.

The funny thing is that, even if we constantly train staff, someone somewhere will always write down their password, configure a device incorrectly or post something confidential on the Internet. This is why it is impossible to ensure 100% security. It is a never-ending struggle.

What are the new trends related to Information and Cyber Security arena?

Well, if you look at cyber threat space, it is an ever-evolving arena. As we enter the second half of the year 2016, in addition to what is predicted at the beginning of the year, new trends have emerged.

Take Ransomware for an example, where cyber criminals lock down your important files and demand you to pay a ransom. I expect to see this trend grow in numbers in the next 6 months, because users are desperate enough to pay any amount demanded to get their devices and data released.

Spear phishing is another trend which targets key individuals in organizations mainly through emails. This often results in silent malware downloads that gives attackers access to systems and networks. This is often the first step of APT attacks.

Another very interesting trend is attacks against THINGS linked to the Internet. We call them IOT hacks. Researches have demonstrated that smart TVs, vehicles and medical devices could be hacked and now even there are YouTube videos available, demonstrating how to perform these hacks.

Do you think the Sri Lankan legal system is capable of handling the Information Security?

During the last decade or so, we have heard and experienced an alarming number of information security incidents. This trend has demanded governments around the world to upgrade the existing legislation or to come up with a new legislation to curb potential attacks.

Similarly, Sri Lankan government is also in the process of addressing gaps in its legislation. First, let's look at where Sri Lanka stands.

We have several Acts to regulate issues relating to computer crimes, intellectual properties, electronic transactions, payment devices frauds, etc. We have a national Computer Emergency Readiness Team called SL-CERT, where people could report security incidents. We have the computer crimes division of CID, setup under the Computer Crimes Act of Sri Lanka, who can investigate and prosecute offences. Sri Lanka is a member of the Council of Europe Cyber Crimes Convention, which is the first international treaty seeking to address internet and computer crime by increasing cooperation among nations.

So when we look at these measures, it is unfair to say that Sri Lankan legal system is not ready to prevent or handle information security incidents. According to my point of view, there are areas which need improvements. One thing is, that it’s important that public and private sectors working together since the majority of web infrastructure is owned by private sector. And the National Security Policy must ensure that military operations are protected against cyber-attacks. Individuals and corporates must be encouraged to report crimes. Most importantly, laws relating to Internet privacy should be established since currently there is none in this regard.

According to your point of view, how does social media affect cyber security? What is your advice for social media users to keep themselves out of trouble?

More than 2 billion people around the world use social media networks today. For individuals and corporates, they bring many benefits such as in the means of staying connected with friends, better customer service, collecting threat intelligence etc.

But according to CISCO 2016 annual report, social media networks are also the number one source of cyber-attacks against individuals and corporates.

Cyber criminals use methods such as fake offers/ advertisements, like jacking, fake plugins and fake apps to trick users on social media, mainly to steal their login credentials and to spread malware. They could also collect personal information and commercially sensitive information, without much effort, when users blindly publish them on social media networks. This could lead to blackmailing attempts, identify theft, getting fired from your job, losing market share etc.

If you are an organization who is looking to overcome these challenges, one of the key things you should have is a Social Media Policy for employees. This Policy should talk about what is permitted and what is not, when it comes to social media use. Controls such as user awareness training and blocking social media networks through proxies could also be used to support your policy.

If you are an individual who is concerned about security threats but still would like to be a part of social media networks, controls such as having an anti-virus software, keeping you OS and browsers up-to-date with patches, having strong passwords, ignoring suspicious links and advertisements, configuring privacy and security settings, posting only what is required could help protect your interest.

It is also important to know from where to look for help if you are a subject of a cyber-attack on social media. In Sri Lanka, anyone could report such incidents to the National CERT (Computer Emergency Readiness Team). CERT will liaise with similar bodies of other countries to rectify reported incidents.

Today, not only the adults but also the kids are addicted to use internet frequently. As a person who knows the dark side of the internet thoroughly, do you think it is a good place for kids?

The fact is, our kids today are obsessed with technology and browsing internet than interacting with people around them.

If a child is unsupervised while browsing internet he or she might be a subject of cyber bullying, cyber stalking, sexting, identity theft or exposed to inappropriate content.

Recently there were a few cases reported in Sri Lanka also, where minors committing suicide due to online bullying, blackmailing through fake profiles in social media, so on and so forth.

If managed well, technology and Internet can assist a child grow in his intelligence, analytical skills and provide him with access to vast amount of valuable information.

There are a few things I could suggest on how to manage technology and Internet in this regard.

A parent should know more about the Internet than a child knows about the same. If a parent is looking to block inappropriate content on a website, it will not be effective if the child knows ways to get around the parental controls. There should be supervision until you know what they are doing and that your child is safe. You can introduce technology to your child in stages. Do not buy them the ‘best there is’ first, for e.g. if it's a phone, first get them a phone which they can use in emergencies, not a smart phone which they could use to access internet.

What is your biggest achievement in life? In your point of view, what are the qualities of you, which really made you go for that achievement or become that person?

As much as I value my career and professional life, I value my time off work and personal life. I would say, being able to strike a balance between professional commitments and personal commitments while maintaining a decent health profile would be the biggest achievement so far.

Well, I try to follow a few simple steps and principles. As for maintaining good health, I go to sleep and wake up early; I never miss breakfast and exercise at least few days a week. And I have hobbies that are different from my profession. I read often and travel as much as possible. At last but not the least, I try at best not to take official work to home and to make time for family.

Finally, what is the message that you want to give out, especially for the younger generation?

I believe attitude and integrity of a person is everything, if you wish to thrive in any profession.

The Right attitude will lead you to reach out for knowledge, to listen before you speak, to ask questions irrespective of being judged and to be humble when you reach the top.

Having high integrity will lead you to be recognized and respected by your superiors, peers and subordinates.

It is also important, especially in a field like Information Security, to Learn, Unlearn and Relearn. This field is highly dynamic and could be very challenging at times. Knowledge in Information security domain changes every single day.

For this same reason, my advice to young professionals is, get exposed to knowledge as much as possible by joining professional bodies, participating in workshops, reading articles, doing professional exams and putting knowledge in to practice.


Do not be afraid to make mistakes, you learn more when you make mistakes than when you don’t.

©2016 Department of industrial Management,University of Kelaniya,All rights reserved.