
CISO to CISO Webcast with Surbhi Tugnawat, CISO at SRI International

Webcast and Podcast | Altitude Networks, April 14th, 2021

On this episode of CISO to CISO we would like to welcome Surbhi Tugnawat. Surbhi is a reliable, driven, and award-winning risk professional with over 15 years of experience driving change to improve risk posture, regulatory compliance, and cost efficiency, and to achieve the enterprise's overall security objectives. She provides tactical oversight for Identity Management, Security Operations, Business Enablement, and Risk Management. She serves as a Data Privacy and Integrity Advisory Committee Member for the U.S. Department of Homeland Security, and is a registered practitioner of the Cybersecurity Maturity Model Certification Accreditation Body (CMMC AB). Previously, Surbhi led security teams at First Republic Bank and Ernst & Young.

Read, Listen, and Subscribe to the Podcast

CISO to CISO-Surbhi Tugnawat-trimmed audio.m4a: Audio automatically transcribed by Sonix

CISO to CISO-Surbhi Tugnawat-trimmed audio.m4a: this m4a audio file was automatically transcribed by Sonix with the best speech-to-text algorithms. This transcript may contain errors.

Michael Coates:
Welcome, everyone, to another edition of CISO to CISO. I'm your host, Michael Coates, and I couldn't be more excited to be here today, bringing to you Surbhi Tugnawat, the CISO from SRI International. We're going to have a great conversation. Surbhi, thanks so much for joining us today.

Surbhi Tugnawat:
My pleasure, Michael.

Michael Coates:
And for those of you that are listening and have heard other editions of the webcast or the podcast, you know where to find these new episodes. For everyone else, you can find them at the Altitude Networks website, where you can view the webcasts that you see here, subscribe to the podcast, et cetera. And these shows are brought to you by Altitude Networks. We do data security in cloud collaboration environments. So if you're using Google Workspace or Office 365, we want to prevent your files from being shared to the wrong people, stolen by mistake, stolen on purpose, any of those things. That's our specialty. So check us out. With that said, super excited to dive in. So Surbhi, tell us: you're now the CISO at SRI International, but did you wake up one morning as a child and say my life's goal is to be a CISO, or how did you end up on that path and get there?

Surbhi Tugnawat:
I wish. So my journey to CISO is quite serendipitous. After I graduated, I tried my hand at various jobs. I graduated into a recession and I started with a tech support job. I tried that for a few months till I got my first opportunity to continue working as a programmer, which is what I had trained for. I'm actually one of those proud holders of the SCJP, the Sun Certified Java Programmer badge. And actually I had it lying around somewhere in the house. I know I'm completely defeating myself in this story. But essentially I thought I was just passively breaking security, or didn't have a good grasp of it, till I joined Ernst & Young. And that's where I got an opportunity to see how the security thing works. I got a chance to deploy identity and access management tools across various different industries. I went through the whole identity life cycle, and this is when I did third party risk assessments and got an understanding of identity internal controls, did many cybersecurity assessments, and that's where I thought, I enjoy cybersecurity, and I've never looked back since. So that was my introduction to cybersecurity, and I got great experience across various industries, which I am able to apply now in this role as well.

Michael Coates:
Yeah, the path through consulting is one that I see quite often. I took that path as well for a number of years. And you probably had a similar experience that I did, which was you get to see a lot of different environments, and doing that in a somewhat quick period of time really helps you see the variations. Like, all the security principles, sure, those make sense, but now everything's thrown out the window with this new set of needs and requirements in this company, and then this one. So I have to imagine that helped supercharge your advancement in the career too.

Surbhi Tugnawat:
Absolutely. The exposure we get, and the adaptability that you get to experience, like one size does not fit all. So you are able to adapt and try to tweak controls. That experience is instrumental, and the top classes.

Michael Coates:
And then from Ernst & Young, you made a few more steps before ultimately ending up at SRI, is that right?

Surbhi Tugnawat:
That is right. After that, I joined First Republic Bank. I was in the management team, and then I started the Identity and Access Management program, and that is the ride for which I was asked to take on the CISO position.

Michael Coates:
Well, well, that makes sense. I mean, identity and access management being fundamental, you know, perhaps the core item. If you don't do that right, it's pretty hard to do anything else correctly at all.

Surbhi Tugnawat:
As they say, you're as secure as your weakest link, and identity is your weakest link.

Michael Coates:
Now, at SRI, I mean, this must be fascinating. And if you can share a little bit about that organization for everyone, I don't think everyone has a solid understanding of the types of things you do and perhaps the types of threats. But you're working on implementing the CMMC framework as well. How is that going, and how is that helping position you against some of the unique threats that you have to face?

Surbhi Tugnawat:
Absolutely. Before I joined them, I had very limited understanding of and exposure to SRI. SRI is, we are a defense contractor. We've been in business for 75 years; this year we are celebrating the 75th anniversary. This is an organization that does a lot of work for the Department of Defense. Something like 75%, 80% of our revenue comes from Department of Defense projects. So you can imagine the kind of sensitivity around the research work that our researchers are engaged in, and there's a wide array of research. So it's a very heterogeneous environment. We are doing research for bioscience, for education. We have a fleet research. We have speech research. We have research in robotics, artificial intelligence, a huge area of research. So, in our environment, we are dealing with a lot of regulation and compliance requirements. You mentioned CMMC, and that is the brand new compliance, the regulatory requirement enforced by the Department of Defense (DoD). So DoD, back in November last year, came up with this instant ruling, where they required all federal contractors, all defense contractors in the supply chain, to start complying with a model that they are developing. It's called CMMC, Cybersecurity Maturity Model Certification. It's just another assessment that a third party assessor will do, but it's different because it's a maturity model, just like CMMI, the capability maturity model.

Surbhi Tugnawat:
So the cybersecurity practices will be rated on level one to five based on the maturity. So CMMC is still in development; DoD is taking a very slow crawl, walk, run approach to this. They are requiring that contractors make sure that they have the right level of maturity before they are granted any contract from the Department of Defense on any project. So they have come up with this methodology that's based on various different frameworks. It uses NIST 800-171, which is for controlled unclassified information. It also leverages NIST 853, moderate and high. And at this point, this year, we are only rolling out till level 1, 2, 3. So that's something that our, because we are a defense contractor and we are constantly competing with other organizations for bids and we are responding to proposals, this gives us a competitive edge to be certified early on. And that's a journey that SRI has taken. It's been a little challenging because anybody who has worked with these standards before, you know, I know that this takes time to mature. As we roll out, there are a gazillion questions that everybody is asking and everybody is trying to make sense of. And as we are embarking on this journey and trying to be among the first few contractors that get certified, there are definitely a lot of suggestions that are coming from us.

Surbhi Tugnawat:
It is definitely a great idea, especially now that we're seeing all those standards impacting the whole industry. Having a maturity model that can be leveraged consistently across the whole industry gives us good visibility into what the maturity level is of an organization whom we are trusting with our data or our services. And I do see, Michael, that this is something that will create a lot of business opportunities for a lot of people in the space. Organizations target to be registered practitioners or certified practitioners so they can advise people on how to get and meet certain controls. There are new assessors that are being certified by the CMMC, so this is a great opportunity for all the firms that are, you know, doing assessments, to just add another type of service to their catalog. It's an opportunity for the organization to have a competitive advantage if they can get CMMC certified. Also, all your listeners who are in training, they get to be the first few trainers of CMMC controls. So I think there is immense opportunity. The whole industry will benefit from this, from the reliability and credibility, as well as the business opportunity perspective.

Michael Coates:
Yeah, I mean, it's fascinating in the sense that it can unlock doors for contractors to win bids. Also, you know, the CMMI concept, the maturity model concept, it's a good approach anyway. I mean, separate from whether you're doing CMMC to fully get accredited or certified. But at Twitter, when I was there as CISO, we still looked at the CMMI model just for an internal evaluation of, like, what is the maturity of our different domains, and can we express internally to our team and to others, like, where do we want to be? Because the thing I like about it is you shouldn't aim for everything to be five. I mean, unless you really need that, that would be crazy. But you can start to say, hey, this is how much rigor we have, how much maturity we have. This is right. Or we need a roadmap to move from two to three, three to four. And it helps give some structure to the otherwise somewhat nebulous field that we're in, where if you don't apply some structure, it just feels like you're fire-fighting without a real purpose.

Surbhi Tugnawat:
Right, it paves the path for you to enhance your capability. Then the good thing about CMMC is it fills a hole. We always have assessments: you could have been at ISO level one or two, or you would have federal level low, medium, high. Those kinds of assessments can assess you only for your practices that are in place; we haven't accounted for processes. This is all based on processes. This model, the framework that they are developing, combines process and practice together. So you can say that I have a practice to not have easily guessable passwords across my applications. So passwords, that's a good practice. But do you have a process to support that, so that practice does not lag behind? That we have never assessed. So this is definitely a difficult undertaking, and kudos to DoD for starting on this path; they started us on CMM back in 1980. So I'm glad that they are starting this. And I see a huge opportunity for the entire industry to level up to this. What I know is DoD will have every single contractor or every single proposal by 2025 go through this. So by that time I do see a lot of organizations already having a very mature process and practice based on the amount of CUI that they handle. That's something to look forward to.

Michael Coates:
Fascinating. And perhaps dating myself, I remember when another major requirement certification came out, when Sarbanes-Oxley came out, and how that was a frenzy of activity across the whole spectrum of people to assess, people to learn, people to train. So it's good. Never, never a dull moment, never a shortage of work, that's for sure.

Surbhi Tugnawat:
Absolutely.

Michael Coates:
Now, for people that are watching this recording and those of you listening, podcasts are great, but you're missing something if you're not watching. It's very colorful behind us. And people are perhaps wondering why. Now, those of you who have watched previous episodes know that we hop on the virtual Altitude jet and fly on location. So we've really rolled out all the expenses here. But Surbhi, tell everyone where we are, why it is so colorful, and what is going on behind this.

Surbhi Tugnawat:
So we are celebrating Holi. We are in India. Holi is something that all of India celebrates. No, I hope not this year because of coronavirus, but Holi is the celebration of color, as you can see from the background. It's a celebration of love. It's the celebration of the arrival of spring. This is one of my favorite festivals. On this day we play with color and we throw colors at our friends and family and strangers, and anybody we want to. There is a popular saying that thou shalt not mind, it's Holi. And that's what I love about it. This is fun, and there is a lot of friendliness associated with this celebration. But last year was difficult; we didn't celebrate because of the pandemic, the COVID outbreak. This year, we did celebrate it at home, but within our bubble. Somebody was asking me, are you looking for normal? And normal for me is when I can do something like this, play Holi just as we did before, so Michael, I can just take some colors and throw them at you.

Michael Coates:
I like it. Very cool. It looks like quite the experience. And if the pictures are really doing it any justice, I mean, man, that's just beautiful. Wow. OK, let's see. So you said some interesting things, you know, about SRI. In the space you're in, you're doing a lot of interesting things that need to be very secure. So if I understand correctly, there's a ton of research happening at your organization, which, I'm not a PhD researcher, but I have to assume that takes plenty of creativity and freedom to explore different things. That must be a unique challenge with the requirements of security and control, so to speak. How are you seeing that? How do you balance that?

Surbhi Tugnawat:
Oh, yeah, I'm living my dream, implementing security, if I can say so. The research environment needs to offer some type of flexibility and opportunity for collaboration. And that's very difficult. And I'm not trying to say that this environment is so uniquely different from anything out there. But research is research; these people explore things. And as I said, at SRI we do various types of things, so it's a very heterogeneous ecosystem where some of our researchers are dealing with SPII in education, some are dealing with defense, some of them are dealing with clinical research done on animals. So there is a huge variety of needs to meet all of the various different compliance and regulatory requirements on top of CMMC that we are trying to address. So that definitely makes ours a little bit of a challenge. And I'm not trying to say that this is very different in a way that, you know, of course, every organization would have silos, where there is a different pocket that prohibits them from standardizing controls. If you think of a baseline configuration, they might have a pocket where it's not applicable. In our case, every 50 users are doing different research. So when you talk about standardizing, you are really looking at that kind of variation. So, yeah, definitely it's a problem, but it's a unique situation. And a good thing about our environment is that they are smart PhD researchers who are able to find creative answers to our problems, things that regular solutions cannot offer for us.

Surbhi Tugnawat:
Our researchers developed and provided some variations that we are able to better utilize. And it is definitely helpful when we are collaborating with other research institutions, with other education institutes, especially for projects that have very secure guidelines or critical guidelines from a sharing perspective. Now that a document is on a collaborative environment, Office 365 or Box, and multiple people are editing it, how do we make sure the right people see it? Those are the kinds of unique challenges that we come across. And then we leverage our existing solutions that researchers developed to care for that situation. And also, talking about people, talking about researchers: ours is an environment, like I've said, 75 years old, so we have a huge wide array of people with different experience. I'll give you a story, Michael. When I first joined SRI 5 years ago, that week I joined, people were celebrating the 70th anniversary. So there was an all-hands that happened, and our CEO said, hey, everybody, if you've been with the organization for 60 years or so, please stand up. What, 60 years? I don't know the exact number now, but there are a few people who have been with the organization for that long. Then, is it OK if you have been here for 55 years? There are 15, 20 people who have been with us for that long. So there is a huge institutional knowledge. This is also a challenge from a change management and adoption of new technology perspective.

Surbhi Tugnawat:
Then we rolled out MFA. We were like, oh, MFA, we will do push for the phone-based MFA. We saw that there are people who do not even have smartphones, and there are people who have not put any app on their smartphone, if they have it, because of their background and the mindset they come from. So that is quite different. And then, of course, we do confidential research. So there are people who will not take anything into a secured lab, which has to meet the confidentiality requirement. So those are the kinds of things, just a quick example, and that was an easy one. And now we are doing our show and talking to our users about our solution, and telling people you can use this or you can use that, and this is a third option and the fourth option for you. And this gentleman said, yeah, I'm writing a statement on dual authentication for IoT, so I kind of know what you are talking about. Either I am, like, too naive. So, yeah. So that is the environment that we are in, and we are battling our researchers who are focused on coming up with a productive solution. We don't want to inhibit them by adding more controls, but at the same time, we are required to meet very strict requirements by DoD, trying to seamlessly, in a standard way, apply them to what we are used to. That is different.

Michael Coates:
I mean, your story about the MFA option and, in some cases, the lack of smartphones, it really is such a good example of what we see in security. And if you think about the journey of security, of just learning, like I remember at the beginning, you learn the ways to break something. You learn the more secure way, and then you find yourself as, like, a zealot: this is the only way, it has to be this way. And then you go a little farther and, just like you said, you find a position where you learn, like, here are the variations, here are the environments. And I remember that same thing myself. You know, at Twitter, for example, there'd be this conversation, well, why not just require 2FA for all of your users around the world? Well, one, there's usability impact. But two, think of global adoption of smartphones, just like your example. Just because you and all your friends, well, not you, but the proverbial you, have smartphones doesn't mean that's the world. And so that becomes some of the most interesting security challenges. Like, sure, this is the way that's more secure, but that's not an option. So now what?

Surbhi Tugnawat:
Exactly. And what you just said makes sense, because there are a lot of service providers, a lot of vendors right now working on cool technologies, like cool services, for example, passwordless. This is such a thing; everybody's trying to pay for passwordless. But when they try to accomplish that, they are putting the dependency on phones. And like you just said, I mean, that might not be a very viable solution for organizations like us who cannot really rely on a smartphone for simple things. So absolutely right. I mean, this was a key learning, like you just said, how you experienced it with Twitter. I'm thinking this is one thing for people and your listeners: if they are working on a solution just based on phones or just the YubiKey, what if it's not an option? What if those folks are blocked and you cannot put it there? So, I mean, those are the considerations that are totally worth it, and experiences that can help through those issues.

Michael Coates:
And then, you know, working with different units throughout the company that have different requirements. It almost sounds like an example of where we're going in security, which is: they are fundamentally our customers, and how do we make our objectives usable to them? That new world of security, which is all about empowering and usable systems, which in fact is even harder for us. Like, it was hard enough to do security to begin with, but now to do it elegantly and easily for the end user, it's a whole other challenge.

Surbhi Tugnawat:
Absolutely. So much, and so much of a priority. It is in our team vote this year that we are going to meet our researcher teammates. The goal is that the entire team is going to have it and manage it for the entire team. Like you just said, usability is our top priority. It's not that you'll secure our entire institute; that's definitely better that support. But whatever service you provide, it has to be usable. We cannot cause more harm to our people. It has to be friendly. Business friendly. Yeah.

Michael Coates:
Yeah, definitely. Well, when you look at the journey you've been through, and you've seen a lot of interesting learnings along the way, what is your advice to the next generation, the people that today are entering the field and say, for whatever crazy reason, like, I want to be in that role? On day one, I sort of tell them to buckle up, it's a bit of a ride. But do you have any advice to give these rising stars?

Surbhi Tugnawat:
You know, Michael, we were just talking about business friendly, and I think that, to me, is the key. Like I say, it's such an important aspect that it's a goal for the entire team. And I think this should be a goal for all information security professionals. My recommendation, this is something I'm trying to implement myself, I just said this is my goal, I will do this, and I recommend everybody else try that as well. It is to have certain trusted partners within your organization, within your workspace, that you can bounce ideas with. Every time you go out, you get a pulse check on how it is being perceived. Any standard you write, any policy that you publish, get feedback. I can say that, yes, this is based on a framework and it has to be, it's a mandate, and it should be implemented. But if I need it to survive, then when we take people's feedback and their perception, they are more open to it; they'll welcome it. So seek feedback, and have those people that you reach out to, your technical liaison, your business liaison, that you do a pulse check with on anything. And similarly, have that kind of relationship outside of your organization. That is one thing I'm trying to work on: people you can bounce ideas with. You can course-correct yourself if you talk to peers, other people in your industry who might be experiencing the same issue or have already overcome that issue. So it's a good idea to have certain trusted relationships within the organization and outside the organization to help everybody. It'll be mutually beneficial for the whole industry.

Michael Coates:
Yeah, I couldn't agree more. The more you know about how the business works and how your actions or requests would impact it, the better. The business knowledge will make you a great security person. Well said. Well, very good. I mean, we've covered a lot of ground, a lot of interesting topics. Did we miss anything through all that? Anything else you wanted to throw in there that we may have skipped past?

Surbhi Tugnawat:
I think we covered it all. I think this is my world. I laid it in front of you. Everything.

Michael Coates:
Wonderful. Well, Surbhi, thanks so much for your time. I really enjoyed diving into everything you're doing at SRI, which is a fascinating organization, and also talking about CMMC. That is exciting. Exciting, to say the least. But thanks for sharing everything, and lots of good stuff here. Well, very good. And thanks, everybody, for listening. Again, subscribe to the podcast, check out the webcast, and I hope to see you on the next show. Thanks.

