Narayan Koirala is an Information Security Practitioner/Information Systems Auditor, Cofounder/ Director at Eminence Ways.

Koirala started his professional journey in the IT sector as a software engineer. As an Information Security Enthusiast, he founded Eminence Ways in 2013. Since the inception of the company, it has provided IT Security consults to more than 40 national and more than 10 international organizations. He is also an amazing orator and has delivered speeches on various platforms to raise awareness about IT security,  establishing himself as one of the key personalities in the field of IT security management.

In conversation with My City’s Nasana Bajracharya, Koirala shared bits and pieces of his journey and lessons learnt so far.

Why did you choose IT security as your field of work?

Information security is a rapidly growing sector all over the world and is also one of the most critical sectors to work in. Back in 2003, technology was still growing, proportionally increasing cybercrimes as well. Nepal, embracing technology at a rapid rate, was at high risk. So, to enhance the security of IT infrastructures at the user, organizational as well as regulatory level, I started investing my time and knowledge in Information Security. It helped that this sector particularly impressed the young. Regrettably, they were more inclined to black-hat (unethical) hacking. So basically, I wanted to motivate them to enter the white-hat team and involve them in legal/ethical security practices.

There must have been a lot of challenges in your journey. Could you tell us about them and how you overcame?

People lacked awareness about secure IT usage and its deployment. Also, there was no strict regulatory framework dedicated to security, neither at organizational nor at regulatory level or national level. Over time, we have organized several workshops and seminars on safe-surfing, safe-technology usages and safe technology deployment. The ultimate aim is to familiarize them with the advantages of considering security in each step of technological usage. In addition, we do not have enough skilled manpower that is genuinely interested in IT security who want to work ethically. Well, finding such a combination is essentially very hard in business. To counteract this, we moved towards students circle in various colleges and raised awareness of a career path in IT security.

How do you view the Nepal cyberspace in terms of IT Security?

The sector of IT security has just emerged in Nepal. Various sectors like banking, financial institutions and defense have started prioritizing security in their system with others following. Earlier, the organizations did not even consider IT security. Now, before they deploy any software, they consider software quality assurance, in-depth security testing, network security and the overall security of their systems. On a more positive note, they also have strategic plans to keep IT up and running with minimum cyber threats. In a nutshell, the journey of Nepal towards IT security has kicked off but still, growth is slow.

In your opinion, what are the areas that Nepal still needs to work on?

First, we need to increase awareness about information security among organizations as well as users. Next, we need to have proper, applicable Information Security Policies to start with, on a national level. Regulatory bodies need to impose and monitor any violation of such policies. Then, we need proper planning for IT security in organizations along with proper human resource to manage it.

If you have to name one thing. What would you say that you have learned so far?

Patience. There will always be ups and downs in life. What we can do is to keep ourselves prepared for overwhelming situations. Security is a gradual process. So, we need to inform people and organizations in a timely fashion about the consequences of digital security breaches. I am pretty sure a time will come when people and organizations like us will be remembered before the start and during software implementation.

Based on your experience, what advice would you give organization for IT security?

Because any system is inherently vulnerable, organizations need to work in two phases. In the first phase, proper planning that defines ‘what exactly do you want out of security testing’ and vulnerability assessment test. The second phase should focus on fixing found vulnerabilities. As a matter of fact, the second phase is seriously lacking at the current stage.