CISO to CISO Webcast with Rohit Parchuri, CISO at Collective Health

Webcast and Podcast | Altitude Networks, March 15th, 2021

We would like to welcome Rohit Parchuri, CISO at Collective Health, previously a security leader at ServiceNow and Rackspace. Rohit is an accomplished security leader with an established record of building, structuring and institutionalizing security principles and disciplines in the cloud hosting, network hardware (IaaS), cloud software (SaaS and PaaS), and healthcare domains. He is currently leading the enterprise security program at Collective Health, a health administration platform for self-funded employers. Previously, Rohit spent a decade focused on the network security, application security, and security operations domains at software and hardware giants such as ServiceNow and Rackspace.


Michael Coates:
All right, welcome, everyone. This is another edition of the CISO to CISO webcast podcast. I'm your host, Michael Coates, CEO and co-founder of Altitude Networks. And, as I like to say, the reason I can be here in a CISO capacity: previously CISO at Twitter. Super excited to have Rohit Parchuri with us today. CISO at Collective Health, many years at ServiceNow, a great history in security. Rohit, thanks so much for joining us.

Rohit Parchuri:
Glad to be here.

Michael Coates:
Yeah. So we're going to dive into some interesting topics today. Really excited to hear about cybersecurity with the lens of health care. We all think about cybersecurity, but it is very much specific to our companies and the worlds, the types of users, the types of information. And so exploring this health care angle is going to be really neat. So can't wait to dive in on that. And then for everyone listening, you know where to find our shows, the videos, the webcast on Altitude Networks' website. Hopefully you're listening to our podcast, maybe subscribed. And again, these shows are sponsored by Altitude Networks. We tackle data security and cloud collaboration platforms like GSuite, Office365 and more. If that's interesting, please check us out. With all that said, Rohit, let's dive in. So tell everyone, how did you get into the field of security? You are now a CISO. How did you end up there? Was that always your goal? Like, I'm going to be a CISO? You said, you know, at age four, as you were running out into the street, how did you find yourself there?

Rohit Parchuri:
Absolutely not. I would love to share my story, though. The thought of security itself came to me really unconsciously. This goes back almost more than a decade, when I was doing my bachelor's in Science, Electronics and Communications. So we were doing this thesis project and me and my buddy were basically researching a few software programs we had to install into our Verilog programming, which is more specific to electronics. So that's the blend of software and electronics there. So when we were doing that, we stumbled upon something called a rootkit. Back then, I didn't really know what a rootkit was, to begin with. So I was amazed by its capabilities in terms of how it was able to manipulate the programs and tamper with the operating system processes. And for me, that was just super awesome. As soon as I saw that, I knew there's a legitimate way of using the computer systems and the programs, but I didn't know there was a different angle. And this kind of introduced me to that.

Rohit Parchuri:
And for me it was curiosity driven. From then on, I was like, OK, I need to learn more about this. This is really cool. And then I was searching for different courses and different training, but I couldn't really find anything specifically in India back then. And cybersecurity was pretty immature when we're talking about the 2000s or pre-2000s for that matter, or actually 2000 to 2005, 2006 is when I was actually thinking about this. And for me, since I didn't really get any help in that realm, I was like, OK, I need to go beyond and see if there are opportunities outside in terms of learning to begin with. And that's what I applied for, a Master's at a school called DePaul University in Chicago. There were a handful of universities that were actually giving out a cybersecurity program in itself.

Rohit Parchuri:
And I was, you know, I was still been there. That's how the journey began. And from there on, I landed at Rackspace as a network security professional. And I started off with the network security to begin with, and then I moved into application and product. And then now where I am, just basically trying to get a holistic understanding of security. Never a dull day. It's, I think, the best decision that I've ever taken, for sure. And I don't regret a single part of that.

Michael Coates:
Yeah, you know, I think the newer batch of CISOs very much are in this vein of coming up through a technical track or two with a deep appreciation for the underlying security specifics. And then, you know, as you probably saw, as I always did too, that transition into like, all right, let's think about everything from risk. Let's think about this holistically. That is certainly a mental journey and a set of hoops to go through.

Rohit Parchuri:
That's so true. Yeah, I totally agree with you on that. I think that cybersecurity education is still lacking in a few places even now. But that's not to say that, you know, we don't really have a strong community that can actually help us bolster those capabilities in there. But I think cybersecurity as a function or as a discipline still definitely needs more investment as a community, as an industry. But I think we're getting better for sure.

Michael Coates:
Yeah, I agree. Man, never a dull day is totally right, and a ways to go. I would agree with that. So now, for people that have listened and watched before, I guess more watched and listened, they will recognize and remember that we travel on the Altitude jet all around the world for these calls and videos. So each time we do these, we have the guest pick a place in the world to go. So Rohit, where have you taken us today? Tell us a little bit about the image in the background people are seeing.

Rohit Parchuri:
Sure thing. Yeah, I picked a city called Hyderabad, and this happens to be my hometown. And the image that you see right behind Michael's head there is something called Charminar. So it's loosely translated as Four Towers. This is the landmark that's kind of representing Hyderabad. So Hyderabad itself is a place in south east India. And the reason, I think, this is really going back to roots, because this applies to everyone, right, the people that we are because of all the people that helped us get here, the traditions, the culture that's embedded within us when we're doing certain things and everything, and how we interact with certain things in life. And for me, I just wanted to go back and, you know, showcase that this is where it began. And everything that I am right now is because of that, and how I hold deep appreciation and respect towards that. And that's really why I picked that.

Michael Coates:
I like it. I like it. I also see there's a pretty thriving night market, which is always enjoyable to check out in any city you visit in the world.

Rohit Parchuri:
Absolutely. And India, for sure. It's, you know, it's a lot of people, a lot of activity happening all the time. And, yeah, Hyderabad is not an exception to that.

Michael Coates:
So let's dig into, you know, health care specific security. When you're thinking about that, you know, what are some of the things that are fundamentally different or unique? Or, you know, as we were kind of talking, an area that you think about a lot is around supply chain. Like, how does that turn out to be so important for health care? Not that it's not important in other industries, but why the focus there, and how is that unique?

Rohit Parchuri:
Oh, absolutely, I think this is definitely a big topic, right, but let me take a step back. And you did talk about the broader industry and how supply chain itself is a pain point for us at this time. And this has always been a pain point. Right now, I think we see more breaches and we see more adversaries towards this because there's more value that they actually get out of that. So, taking a step back, right, it's a multifaceted problem, in my opinion. And we're talking about different sectors within supply chain. We're talking about the vendors, the traditional vendors that we do business with as companies. And we've got the business relationship partners that we interact with and that also have some level of deep integration within our systems and processes. And then you also have open source. I feel like a lot of times we don't talk about open source in the same breath as we do with the supply chain, but I think open source is right in there. And if anything, I think it plays a vital part when we look at it from that general or holistic point of view. And so looking at all these three things, like when you think about the vendor assessments or when you think about how you go about reviewing the vendor systems before they make it into your company, I think we still invest a whole lot in point-in-time assessments, in my opinion.

Rohit Parchuri:
I think we're kind of immature in terms of how we do assessments there, especially when we talk about how we basically review the responses and we make an assumption that, OK, these are the controls that we need to have in place, and these are what we are asking the vendors to do, or maybe having our own compensating controls before we go do business. But that's going to change very soon. Right? Just given how fast the development lifecycles happen today, like every single day, you have multiple commits, to say the least. But the vendor management process is still very much in the back stage at this time. And, if anything, we do quarterly audits, and even that, not a lot of companies do that, and you typically rely on those annual assessments. So I think, having the very fast pace of how the products are being evolved versus how you do the vendor assessment, I don't think there is a proper connection there.

Rohit Parchuri:
And also, coming very specifically to health care, to our original question, for us, our bread and butter really depends on our business partnerships, because that's how we manage the claims. We do the adjudication in terms of eligibility, processing, health plans, etc. So that's really the reliance that we have on our partners to actually make the business run smoothly, and securely, of course, from my perspective. So with that in mind, for us, when we talk about deep integrations, there are two ways of doing it. One is we have a cloud system that we interact with, which happens to be a business partner in this case. And in a health care sense, that's really modern, right, if you're a forward-thinking vendor or partner in that case. And that's where you would actually have a cloud service enabled. Typically we don't get those partners. And in a traditional sense, we have to install or deploy something in our own environment and we have to rely on that, just given the antiquated nature of how the systems and processes work in health care. And so there are two different things I'm going to talk about.

Rohit Parchuri:
The first one, if you have a cloud system, there's more incentive to the partner, because if there's a breach, for example, it's not just a customer being impacted, it's also them. So I think the incentive for them is to actually have proper security before they have something up, you know, exposed to the Internet. But it's not the same thing when you have something deployed as a binary or as a tool within your own environment. There's no incentive, especially because of the way you do it: if there's a breach, of course, in that same scenario, it's really affecting the customer, not the partner. Don't read me wrong, I mean, partners are doing everything they can. I'm a supplier myself. I see myself on both sides of the realm, a customer and also a supplier. So I think everybody's doing the best thing they could, but I think there has to be more done. And also there have to be better incentives given towards the supplier ecosystem that, OK, this is how the regulation should be. And this is the framework we need to follow, you know, in terms of how the security has to be enforced there. But also one more thing is we also have something called channel partners. And channel partners, you could think of them as resellers or white-label partners, how they're trying to resell the software.

Rohit Parchuri:
And in that case, there's a lot of data that's being transacted. And when you think about health care, the first thing you think about is PHI. And that's absolutely right. Because PHI within that is heavily regulated both on the federal and state levels. And we are obligated to have strong data lifecycle pipelines. And this happens when you have internal data, for example, transacting within your own systems. Yes, you can have that. But what happens when I want to transcend beyond that? And that's really one of the biggest pain points that I've seen so far, you know, since I've been in health care. And it's not an easy thing to work. I think that's a very complex ecosystem in terms of data classification and how you go about separating different environments. And I think, you know, basics play a huge role when it comes to that. But we can talk about that more. But I want to start off with the things that are the pain points within that realm so far.

Michael Coates:
Yeah, yeah. You know, the thing you said at the beginning there really struck a chord with me, that comparison of how we think about vendor security assessments and how we think about software security. And you're totally right. Like, the old way of software security was like, let's do a waterfall, let's do a big release after X amount of months or years, let's do a big security gate. And that, of course, doesn't work anymore. Like, code shifts all the time. Security has to happen all the time, part of that continuous process. But you're right, the vendor security thinking is very much that old way. Like, let's do one big review at the very beginning and then, for most companies, never again. Or, to your point, maybe the better ones are doing it biannually or quarterly, but it sure doesn't speak to that continuous risk and the continuous deployment they may be having and changing in their environment. And that's fascinating. It makes so much sense as you said it, but I hadn't even thought of it that way. I really like that comparison.

Rohit Parchuri:
Yeah, absolutely. I think, you know, that's something that we're kind of assessing day in, day out, just given within health care. But also, you know, looking at the license violations, not just the open source vulnerabilities themselves, when there are strong conditions in popular licenses, those are something that we need to have a keen observation on, how they're flowing through the systems, how they're being distributed, either as a part of the software or something that's used for internal tools. Those are all real good potentials for lawsuits and liabilities for the company and something we certainly don't want to have. No company wants that. And I think, one, having the visibility and coverage is where you can start off with, at least, you know, knowing what the risk is to the organization. And then, of course, the subsequent steps about thinking about what kind of remediation you need to have. But like you said, I think I can't stress enough how we need to combine all these. You know, typically we never had this concept in the past. But we need to combine both the software vendor and partner into the same realm and talk in the same breath when we talk about the supply chain.

Michael Coates:
Mm hmm. Yeah. And as you've tackled that, have you found any kind of unique approaches or techniques that are working particularly well for you? Even doing these assessments quarterly seems challenging for anyone to do, so you must have found some way to make that possible.

Rohit Parchuri:
Yeah, no, that's a good question. And I'm not going to lie. I don't think there's an effective way or there's a perfect way for anybody to actually tackle the supply chain. We're not there yet as an industry and I'm not going to say I'm going to be there at this point. No, I think we're working towards that. But a few things that work for me specifically: I think when we're doing the assessments themselves, questionnaires are really good for open ended questions. It doesn't really talk about the specific controls themselves. I think having a call with the security team before we actually jump on that, that happens to be one of the prerequisites that we have, before we approve the vendors or their systems or applications, for example, and we talk through different criteria in terms of the build architecture, you know, the data life cycles and how they manage their own access controls and segmentation, et cetera. So those are all something that we typically put into the contracts that go in, that really talks about the general program itself. The questionnaire here really handles the SOC 2 certifications, or HIPAA, for example. Right. That's all good for that. But also, I think something that really helped me with the findings themselves is having as strong a control in terms of right to audit. So if we identify something in terms of within this infrastructure or within the environment, let's keep it simple, right.

Rohit Parchuri:
Within this PHI environment specifically that we found, you know, you don't really have a mature data access policy. And that's something we would like to audit and see which systems are actually not adhering to that. And for that, we would say a right to audit is required. And that's something we'll put into the contract. Right. So that's really from an administrative policy standpoint. But from a technical standpoint, for me, something that helped me is to gate more access to our data before it can use our systems, which is, you know, technically we would have either a broker or some kind of bash in our proxy set up in our environment, which could automatically help us with the URL filtering or stripping off sensitive data before it leaves our cloud. And that is more of a protective and a proactive control before something bad even happens. And in that sense, we're actually reducing the risk and also transferring the risk more onto our side, where we have better control over that. I think those are a few things that worked for me. And also I did talk about OSS, open source. And, you know, it wouldn't be right if I don't talk about the controls within that, too. I think, as an industry on the open source side, we are really good in terms of detection and visibility. We do have a number of tools that do that. We know how we categorize the risk, but not the other side.

Rohit Parchuri:
So this is based on my chats with the other industry leaders like yourself. What I saw is that the remediation and recovery, how we're tackling these issues, is still not mature enough. And there's a lot of room for improvement there. Just given that we're relying on open source. Right. And by definition, open source is, you don't really count on the open source because it's open source. And so you've got to know what that community serves and also how effective they are when a vulnerability comes up, you know, what kind of fixes go in and how fast they do things like that. I think we're not there yet. I think we should do more work in that realm. For us, we have our own internal workflows that we set up, like from the get go. If we find something that's a high risk, we would break the build. We would tackle that within the GitHub repo itself before it even gets worse. And there are a few things, I think we have to balance security with the business priorities. Right. And that's where having some level of compensating controls helped us out, such as WAF implementation or some level of control on the data itself. But yeah, I think those are a few things from a technical policy that kind of helped us out.

Michael Coates:
Yeah, I really like what you said about minimizing data movement. And I think one thing that people get wrong with either vendor security reviews or third party or supply chain is the confidence that they get. Like, you can do an assessment and you can see that they have some security controls, some certifications. But to your point earlier, like, things change a lot and you're not going to be able to keep assessing. So while you might get some sense of whether or not they're doing nothing versus something, it's still, you know, important for you as a company to say, well, let's minimize our potential exposure anyway. And I love what you're saying about that, of stripping data that doesn't need to go to them to protect it, like, to take that responsibility. That's very much something that we were doing at Twitter, too. When we'd have a third party relationship, there'd be a conversation over the specific data that's going to go back and forth. And depending on how sensitive that was, there'd be a conversation also of where could we strip some of that out? Do we even need to give them all that stuff? And even asking that question, you'd be so surprised. People are like, oh, yeah, they don't think that we could, if that makes things better. Sure. Well, it's not something that, like, great. That makes things dramatically better. Let's do that.

Rohit Parchuri:
That's so true. And also, I think, to point out, you know, when you're stripping the data out, it's also so much more important for you to have a good understanding about what classification you have in-house to begin with before you can even go there, because it starts with really understanding what data you have and what is supposed to or not supposed to leave your environment. And that's where the execution comes in. So I think that aspect of things, I think we are aware, as an industry, we are still working towards that: OK, how do we effectively make those classifications, and how do we have the right tags in there to specifically mention which data is supposed to leave or not.

Michael Coates:
Mm hmm. So now we're back to data classification policy. We've hold the whole world. We can go very deep on very exciting technical things and pull it all the way back to how policy actually does matter.

Rohit Parchuri:
That's true. Yeah.

Michael Coates:
Fascinating. So the channel partners, the third party, the vendors, I see that kind of has a big play, especially, as you're saying, in health care. Are there other elements that you were surprised kind of had an outsized impact in the health care space, or even in how you talk about your security program, maybe internally or to your leaders or stakeholders?

Rohit Parchuri:
Yeah, absolutely. I think the supply chain, if anything, is a big topic to be discussed. And it's broken down into different segments. Right. It's not just an application security problem. It's not just an airport security problem. One thing that really helped me, especially since SolarWinds happened, and that's a leverage that I could use, and more power to security practitioners, right? I'm not saying it's bad for things like that to happen, but also there are lessons to be learned so that things don't, the copycat attacks that would happen right after that, we don't increase that. For me, I think getting basics right, really doubling down on the basics really helped me, and reading the story right to the board and also to our executive team on why this matters. What's the benefit? And we can't really calculate the ROI for security. Right. I mean, the metric system exists, but the ROI for security is just a concept that doesn't exist. But what you can do is forecast on the risk. You forecast on the metrics and you figure out what factors are going to contribute towards that risk equation. And for me, that was, of course, how do we implement the right level of access controls? This could mean the principle of least privilege or access management, and this could be a combination of tools and workflows, for that matter, but also segmentation. Right, because we're talking about PHI, very sensitive data, and although we have the data classification, like we spoke about just before this, we have to isolate those into different environments.

Rohit Parchuri:
And also there's a strong requirement for us within health care that we have to de-identify, anonymize data, and those have to be specifically in different environments. And those are both compliance and also contractual obligations for us. So although we have strong controls and checks and balances in terms of how we do that, tying that back into network and service segmentation was something that we didn't have before and something we are working towards at this time, and also making sure where our data is hosted itself. Right. We currently have AWS and we have certain systems that are actually using, processing the data. And we have ETL pipelines, for example, to transfer from unstructured to structured data. And this is all sensitive in nature. So for us, making sure we have the right configuration set up on this tooling and also how to enhance the telemetry and traceability when things go bad: how are you going to detect it? How are you going to respond to it? This ties into the incident response. Again, that's a big topic. We could discuss it another day, but it's just important for us to convey the story and put the storyline in perspective to the leaders so that they understand what's the point of entry and, if a bad actor is actually within your network and infrastructure, like, what exactly are we talking about in terms of financial impact, the customer impact, compliance impact, et cetera, right?

Rohit Parchuri:
And the response, for us, for health care specifically, the response is really burdensome. If something bad happens, we're not only dealing with the incident in question, but also we're dealing with how we respond to the FBI, the local and federal agencies, OCR, for that matter, and also have that constant engagement with them to investigate and identify what the impact itself is. So all these kind of bundled into a single story and talking about, you know, if something bad happens, right, something like SolarWinds at that scale, then what exactly are we looking at from that impact standpoint? The reputational damage we would have as a company, the brand impact it would be having on Collective Health, specifically talking about my company, and also how this kind of propagates into our partner networks. I spoke about channel partners because those are all the pivot points that an adversary would need. Right. One point where they could escalate across all the different systems if you don't have the right controls set up, like segmentation and all that. So I think that, if anything, definitely, I think there was more awareness, there's more applicability in how things would happen, and also bringing it closer to home in terms of how it would affect health care and my company definitely, you know, put a mark on that.

Michael Coates:
Mm hmm. Yep, definitely. And, you know, the notion of security basics, you know, man, when we say basics, it sounds obvious, and easy, and something you should, of course, you should do this. Of course, why not? But so many things are covered by just doing those basics right. And it's not that it's hard to do the individual item. It's hard to do it everywhere, all the time, you know, at scale. And that's where, like, sure, there's the basics and then there's maybe a zero day, and the zero day definitely changes things, but the basics still contain that blast radius, that contain all sorts of factors. And it's hard to do the basics right. But it makes such a big difference.

Rohit Parchuri:
Oh, absolutely. Like you said, I think you tapped on one very specific statement there. So basics in terms of intent, but not in terms of effort. Effort does a lot when you're thinking about basics. Right. That's if you're thinking about a foundational element. You know, it's a lot of work to define that, design that, architect that and also make sure you have some kind of upkeep and maintenance going on. It has to be iterable. Otherwise, you know, we wouldn't go anywhere. So I think that's where cyber resilience really relies on. And I think we should definitely get better on the basics, you know, when we're thinking about that realm. And supply chain definitely is a big thing; if you don't have those basics enabled, then the impact is only going to grow.

Michael Coates:
Great, great, great, great. Now, any big topics we missed on the health care security front? I want to make sure to also give you a chance. Everybody that is listening always loves to get those nuggets of, like, how can they find themselves in your shoes one day? But before we go there, anything that I missed that you wanted to make sure to touch on?

Rohit Parchuri:
I don't think so. I think, if anything, we're in health care. We're more focused on, it's more inside out, I would like to say. Although there's an external engagement with our clients and members, there's also a lot of work that's unseen that has to be done to actually deliver the security by default and by design to our customers. And it's funny that people say security is a thankless job. I don't completely believe that. But sometimes when you're working, it's like an iceberg, right? You don't really see the part below, but that's where the work is being done, and health care happens to be that way. We're having these relationships with all the external entities. I'm not just talking about the business partners in this case. I'm also talking about the broader ecosystem where we run our systems, like AWS, for that matter. What kind of pipelines and processes do we have set up and how do they interact with all the client relevant systems and partner relevant systems? I think having a view in terms of what is the market perception on security specifically for your company, and also how does the board view different priorities from a health care standpoint? And this is not just PHI, how we want to go do business, and are we tackling federal regulated programs, for example. That itself would open a can of worms when you think about security. And I think having a notion about how you think ahead about things that are going to come into your business matrix, and also thinking about what are some specific things that you need to rely on from a security standpoint and convey the story, would be the right thing to do and educate the board members.

Rohit Parchuri:
I think that's where, for me, that really has helped out a whole lot. Educate them on what security, you know, what kind of posture do we currently have and where we need to go, and make use of the right frameworks, make use of the compliance as a foundational element for you to actually get things done. That's a great lever, in my opinion, to use. I think these are all the little things you need to start doing. And like we spoke about the basics, right? I can't emphasize enough on that. You've got to have the basics right. You've got to figure out, if you're running through frameworks or if you're running through HIPAA or HITRUST, for example, don't just look at it from a generic administrative standpoint, but also bring it down to a level very technical and logical enough for you to make those enforcements or deployments within your environment. And that is one thing that actually gives you the confidence. You know, if something is not right, or if something has been detected within your incident response, for example, you get to some degree, you know, that we have the right controls in place and at least the blast surface, like you said, the blast itself is not too bad and something you can control.

Michael Coates:
Hmm. Yeah. Yep. Well said. Well said. All right. So jumping back to that last question then, what is your advice? Somebody is just now entering the security field. They're saying, I've got this long career ahead of me and I do want to be a CISO one day. How should they think about getting there? What did you wish you knew when you started out?

Rohit Parchuri:
That's a great question. I wish I knew a lot of things that everybody would, of course, because the market is changing so rapidly. It's an exponential change in how security operates. No matter what I say now, it's going to change for sure in the years to come. So definitely take this with a grain of salt. For me, I think security is very, very rockfield, although people reference security as a security encryption, right? That's not, it is really, really broad. I'd be very if you really have the passion towards it, that's when you come into security. Please, otherwise don't. Because it's, I don't want to say that it's a stressful job, but not a lot of people manage the stress in an effective way. And there's a lot of things you need to think about when you actually come into security. So if you really have the passion, if you really want to do the right thing, please do. But also be narrow, narrowly focused about the things you want to accomplish. This could be you want to be specific on the network security side or operations or application engineering, security engineering, etc., but be very specific about that. And also, one thing that helped me is having a strong support system and a mentor system. Right. I wouldn't be the person I am right now without the mentors that I had along the way really helped me.

Rohit Parchuri:
And the security community is super awesome, like, any question that I have, they're very open to talk about things that they've implemented or things that could help me get my job done right. So reach out to people, follow the thought leaders in the space. You have many people and I can recommend this to you offline. And I followed that. Like to this day, I follow a lot of people in the industry and I'll get all the bites from them whenever I get a chance. So reach out to people, use LinkedIn platforms, reach out to them, ask the right things. And if people come to me, I'm more than open to talk about the things that I faced and also how I can help them out or at least point them to resources that could help them out if I'm unable to answer that. And I believe everybody does that. So think about that. And also one thing. When you actually make it into security. Right. When you're at a company. Right. I think the notion of security has always been that we're the blockers, we are the policy agents, we don't really get the job done, we don't really let the business move forward. That's not true. Right? That's absolutely not true.

Rohit Parchuri:
I think we're just like other business leaders or other business folks at the company. We're trying to do the right thing. We're trying to report the risk, but also we rely heavily on people who are executing on it. So I think one thing that we could do, and this is something, you know, for people coming into security is that be empathetic, be aware about the things that are happening within the company. Security is not the only goal for a business. There are a number of things that have to happen. So think about that. When you actually go into discussions with different team members and have being an empathetic businessperson than being a specific security practitioner would be really helpful in your career as you go along. This is where you would actually build the bridges this way. This is where you don't actually have a place where you can actually talk about your problems, but at the same time focus on the right things that business needs to do. If there's no business, there's no security. It's as simple as that. So try to align with the business goals as much as possible and you've got to fit security into the business goals. It's not the other way around if anything. So I would focus on that to begin with.

Michael Coates:
Mm hmm. Totally agree. That notion of like make the business successful. There's no security without a business. I could totally agree. And a really good point too about the kind of mental space, like being able to put it all in perspective and understand you alone cannot prevent the company from having an incident. But you can set structures and frameworks and policies that all help. But if you try and put it all on your shoulders, that can be incredibly overwhelming. And so getting your headspace about it is important.

Rohit Parchuri:
Absolutely. And also, one thing I can't stress enough is that the burnout is real for sure. Right. But also, I would say that just take it easy, right. Because this is the path I've been in and there's always going to be security issues. It's like they said, it's the journey, it's not the destination. That is so true, especially with security. And it's really about how you prioritize those and tackle the big fishes before you get to it. There's always going to be problems. And that's why we have the job too. Right, or else we wouldn't. So, you know, it's take with that. And I think just having that sense of awareness, that actually will help you get the job done right.

Michael Coates:
Agree. Well, I think that's a fantastic spot to end on, Rohit. Thank you so much for all of your time and your wisdom shared today. And for everyone watching or listening, you can find other episodes at Altnet.to/ciso or on your podcast platform. But again, really enjoyed your time, and thanks so much for sharing it with everybody.

Rohit Parchuri:
Thanks a lot. Thanks a lot for giving me the stage. Thanks, everyone.
