CISO to CISO Webcast with Vijaya Kaza, from Airbnb

CISO to CISO_Vijaya Kaza final-audio only.mp3 transcript powered by Sonix—easily convert your audio to text with Sonix.

CISO to CISO_Vijaya Kaza final-audio only.mp3 was automatically transcribed by Sonix with the latest audio-to-text algorithms. This transcript may contain errors. Sonix is the best audio automated transcription service in 2020. Our automated transcription algorithms works with many of the popular audio file formats.

Michael Coates:
So thanks everyone for joining another edition of CISO to CISO webcast, I'm your host, Michael Coates, and we're super excited today. Today, we are going to be speaking with Vijaya, who is the CISO at Airbnb and has an amazing background that we're going to talk through. But thanks so much for spending time with us today Vijaya.

Vijaya Kaza:
Oh, of course. Thanks for having me on the show. Great to be here.

Michael Coates:
Awesome. Awesome. Yeah. We've got a lot of great topics that we're going to dive into. And this podcast or webcast is being brought to you by Altitude Networks. I co-founded Altitude Networks just a few years ago after leaving Twitter. And very quickly, we focus on data security of the cloud, specifically cloud collaboration, platforms like G Suite, Box, etc.. As I know from my own personal experience, your data in those platforms can be shared in the wrong ways by accident or malice, and we've built a solution to protect that enterprise scale. So if you're thinking about onboarding, identification of sensitive documents so they are not shared the wrong way, third party apps, etc., we are your solution. Check us out at altitudenetworks.com. And with that, let's dive in. So Vijaya, you have a pretty impressive background. Airbnb is an amazing place. I can attest I'm a super host as well and love the platform. But you've been at Lookout as a Chief Development Officer. You've been at FireEye and Cisco. Tell us about your journey on how you ended up at Airbnb in the CISO role. Is that what you always aspired to or did you take twists and turns along the way?

Vijaya Kaza:
Yeah, happy to. How much time do we have exactly? So let me let me get into the details. All of my life prior to my current role, I wasn't security, but one hundred percent on the product side. My involvement in security really started at Cisco. But I led product development organizations for over 17 years and I started this will date me but really, really early on with fixed firewalls. And and since then, those three generations of firewalls where this was all before even Cisco had a dedicated security business unit. So this is that old. But the fun part about my role at Cisco is that it really gave me an opportunity to work on different products that Cisco had in terms of the overall security portfolio and doing something different every couple of years or so. And so focusing on everything from hardware to software, different software, up and down the stack, OS level to everything in between to front end management, so covering the whole gamut of the products as well as the different types of things during my time there. All of that eventually led to me meeting the end product development for the entire billion dollar security portfolio there. And that included all of the firewall, VPN, IPS, next generation firewalls, and so forth, the complete alphabet suite, as you can imagine.

Vijaya Kaza:
But that all that meant was that it was really, really an opportunity to experience large scale, not only from our product portfolio, a revenue standpoint, but also leading large organizations with hundreds of people. And even cooler, from my perspective, was the opportunity to have a front row seat, in terms of looking at acquisitions and acquisition integrations that were coming in. And just to give you an idea, during my time there within security itself, we had about 20 acquisitions at that time. Right. So it was like I was at the same place. But all these companies were changing around me and lots of cultures and lots of things coming together. So it was really fun experience. And I got a chance to maybe be involved in a couple of those acquisitions as well for integration standpoint. So after completing that 17 year long MBA program at Cisco, I figure I've had enough. I need to go expand into something else. That's what I moved to FireEye, so I was the senior vice president of Cloud Products and engineering specifically focused on the cloud portfolio responsible for their P&L, in terms of all things in cloud, or things that are transitioning from on prem to cloud. So these are malware sandboxing, web security, email security, next generation SIEM, next generation SAO platform that they had. So that was a really cool experience, and also getting to know more from a practitioner standpoint. Imagine being in the picture and really understanding the whole threat landscape and trying to tell what's really cool and unique experience. Then, of course, there was the itch of experiencing a startup, being in the valley don't work at a startup, what good are you?

Vijaya Kaza:
So I went to U Cal and then to focus on another aspect of security, newer, emerging and growing thread of that surface, more on mobile devices, very fully SaaS security products, cloud native, cloud first type of delivery. And as the chief executive officer or CTO in other organizations, as it is called, all technical functions and its engineering infrastructure side, and also actually had a chance to have a CISO, information security reporting to me, that's kind of rounded out of my experiences and led to ultimately the role that I have at Airbnb here. And here I have the double exciting gig, I would say, of both the traditional information security as a CISO, as well as building the trust technology, which is covering all of the fraud risk, online offline safety of those types of things.

Michael Coates:
Wow. It's really fascinating to see the different journeys that people take to the CISO role. You see some that are like security consulting heavy, you see others that are almost from a legal and compliance standpoint. And you very much have a product and engineering centric background, which I think is really refreshing and makes a lot of sense also being in tech companies. It seems like being able to exercise that engineering capability in your security objectives is probably worked out pretty well for you.

Vijaya Kaza:
Yeah, definitely. I couldn't have planned it better. I mean, just timed very well.

Michael Coates:
Yeah, I like it. Sometimes you look back on things like, was that really planned all that way? Because it sure worked out perfectly.

Vijaya Kaza:
Yeah, it looks great, but none of that was planned.

Michael Coates:
Yep. Yep. Definitely. Definitely. Well, very cool. And let's see so each time when we hold one of these webcasts, we virtually go somewhere in the world. So tell us a little bit about where we are and why we picked this location.

Vijaya Kaza:
Yeah, this is Alaska. I don't know exactly which parts are which pictures you pick, but you picked some amazing sceneries. It was one of the best vacations that I had, I think back in two thousand five, something like that. It's been a while. But obviously, you know, the scenery is breathtaking. And anywhere you look around, you don't have to try to see some magnificent and spectacular. And so it's pretty amazing. But the thing that actually stands out for me is the, besides the beauty and all of that, the vastness of Alaska, the openness of the nature around you just sort of puts you in a frame of mind that you just realize how small you are in this universe, it grounds you, and it's really, really soothing and meditative in a very unique way. And thankfully, it's not really all that commercialized or spoiled by lots of tourists, at least back in 2005 and how it is now. So it really has a very calming effect, especially after this. Everybody is cooped up in their homes during this time. I think once all of this is over and going to a place like this can be very, very freeing, I think.

Michael Coates:
I agree and I think we all need that cliche saying that breath of fresh air. And I don't know about you, but I've actually found some of my best security ideas come when I stop working and I leave like that normal heads down, focus on whatever is around you and suddenly your mind gets that freedom to wonder, and sure we shouldn't be working, we're supposed to be taking time off, but suddenly you have that aha moment. Like, I jot that down and go back to enjoying the world around you. So one thing that you mentioned when you were talking a little bit about your current role in Airbnb, which I think is fascinating and is a bit unique to companies in Silicon Valley, is that combination with trust and safety in doing some of the engineering for that. Tell us a little bit about how that's different from like the classic CISO role and what trust and safety means in the way that you're involved.

Vijaya Kaza:
Yeah, definitely. On the trust and safety side, it's really the way to think about it, it's all about detecting mitigating fraud and safety issues on the platform. So says you're being an Airbnb client, you know this very well, if you look at the user journey and the beginning of their journey on the platform right at the time of the account creation, sign up, log in all the way to making a reservation or making a listing to post trip aspects, everywhere along the journey, there are aspects that we need to look into from a safety fraud risk and all of these angles. Just to give an example, when I talk about online risk free trip or even unrelated to trips in general, you know anything about fake accounts, compromised accounts, KTOs, brought us a big problem in all platforms like this. Then moving into the content of the platform itself, anything about inappropriate content, the reviews or the listings themselves, then looking into all of the scams, spams, harassment, discrimination type of activities between guests and hosts and really watching for phishing campaigns and any activity that people try to take, transaction, co-op platform, all of those types of things, and then into the traditional financial fraud, if you will, credit card related, chargeback related. Those are classic ones, right. So we cover all of that. Plus the unique thing about Airbnb when it comes to real world experiences, because you're actually going and staying in someone's house or letting the stranger come and stay at your place, the aspects related to property damage, personal safety, anything related to try to solve all of the signals that are necessary for that, to identify and prevent those sorts of activities and then post-trip, about fake reviews, fake names all of those.

Vijaya Kaza:
So all of this put together. And ultimately you are trying to defend against bad actors and provide some comfort and trust and confidence to the good users on the platform without impacting that good user experience. Right. So we rely 90 percent of what we do on the merit of the eye, with the heavy emphasis on data science. And then from there, we use other types of mechanisms and other things, through agents to really put a holistic view around all of this and try and detect mitigate and provide users with really good experience. But that is what the trust and safety side does. On the security side, of course, it's a more traditional information security from everything from production security to enterprise security, governance, risk, all of those aspects. But thankfully, the good thing about this organization is a very security and engineering oriented organization as opposed to compliance oriented infosec organization. So it works really well putting those two pieces together and especially with my background.

Michael Coates:
It's an organization that I think when many people get into security, they don't necessarily immediately associate it because it doesn't exist in all industries. I mean, you have you have similar functionalities in like the financial industry around detection of fraud, but it's very much, very much removed, you would say, from classic security teams, possibly because of just the size and scale of those companies. But in the high tech companies, you see these trust and safety teams and user services. You see them in many of the companies. So Airbnb, Twitter had these Facebook has these, Uber, Lyft, et cetera, all because of kind of what you mentioned. Like, you need this element of, well, just like the name says, trustworthiness with the platform and the people you interact with. From my perspective, it creates this really interesting alignment because our security thinking works well to help tackle these problems. But it's also mindshift. And when you obviously know well, because it's not as black and white, it's shades of grey. And when does someone cross the line of being actually bad or malicious versus not? And that's a tricky thing for some people to wrap their heads around.

Vijaya Kaza:
Yeah, it's very interesting because, you know, while both roles have the same type of goals that keep bad actors out and protect the good users, the mechanics are very, very different. So that's why there are two independent organizations, yet we bring them together with the hope of connecting the dots and providing the synergies. So it's really unique. Yeah.

Vijaya Kaza:
I love that you're using the data science approach because the classic way it's to throw tons of humans and slow things down, which is the antithesis of what we want to do in a fast moving tech company. So any sort of automation and data science that can be provide enough accuracy really makes sense, is a good strategy. And I've seen that from my understanding, with lots of other tech companies that are trying to be more progressive in that space.

Vijaya Kaza:
At that scale, obviously. I mean, there's nothing else works. I mean, you cannot win this problem just by human intervention. So clearly.

Michael Coates:
Very interesting. Let's see, so I would be remiss, maybe not remiss, ignorant to ignore the reality of the world we are in. We are doing these events virtually not that I would have had the budget to fly us to Alaska. I wish I could, but we're all remote around the world because of this wild time we're in with Covid with the change to work from home. And one thing that it's certainly done, in addition to letting us work on our pajamas and cutting commute times, it's caused us to really rethink security. We built security for, at least a few years ago, the classic in the office, big perimeter, bad people out, good people in thinking, which we know has crumbled over time, I think everyone realizes you can't just do the perimeter strategy, but I think this is just fast tracked. So how are you looking at this change in how you're prioritizing security for your organization or what do you see the industry doing? Do you think that different subsections are rising in importance and others falling because of this massive change?

Vijaya Kaza:
Yeah, this is a really interesting topic. On one hand, it feels like, you know, there has been an overnight shift and everybody's working from home and how do we cope with it. But in reality, as we said, this has been happening for a while and we are just excavating things now. Right. The trend of dissolving enterprise perimeters and people working from anywhere, with the mobile and cloud taking off, that has been there for a while now. All we are doing is maybe we are changing the images of offices, moving to coffee shops and beaches with people working on kitchen tables, in garages and all that type of thing. Plus, it's obviously becoming a more permanent phenomenon for many, many companies as well. So it's mainly exploration. But it's an interesting question that how does it change in terms of which technologies are winners and losers? If you think about the broad security industry and how the industry is growing, even with the pandemic and the economic impact, depending on which numbers you trust, if it seems like it grows at anywhere between 6 to 12 percent, there's a lot of opportunities for a lot of companies and a lot of technologies to really take advantage of that. So I think it'd be good to and interesting to double click and see which ones actually have reality FIs, which ones are winners and losers from that perspective. It's funny for me to talk about this one, especially on the how given how long I have done network firewall development in my entire career.

Vijaya Kaza:
But I think that's a great place to start, right? Clearly with us, with all of the boundaries being erased, the enterprise network firewall, I think it's an easy one to start with. There is no way, in this new world, that is clearly there's no reason for this type of protecting the boundaries and technology puts up these boundaries to exist. So call it borderless, post perimeter, so many names you don't trust. Depending on whose language you use. But I think that type of architecture where you are looking at security and assuming zero trust is here to stay, that architecture is clearly a winner. So any company, any technology that supports the type of architecture I think is clear cut to begin with. What does that mean? Will enterprises stop buying firewalls and starting tomorrow or what happens? Right. That's a good question. I don't think tomorrow all of a sudden everybody stops buying them. But at the very least, I believe I strongly believe that people will think really, really hard in terms of figuring out where they want to make these investments, because as we talked about, if the trend has accelerated and even the companies that haven't looked at moving to cloud are not looking very seriously to migrate to cloud, if you are looking to invest in the firewall space, obviously you want to stop, think and see which what's the new way of doing this? What technologies would be most appropriate to do that? Do you agree with that? Michael, what are your thoughts on that?

Michael Coates:
Yeah, the the securing of the office perimeter. I agree that will I think that will totally, totally fall. The the one thing that does pop into my mind is a big challenge is a lot of the existing security controls, at least for network monitoring, detection of compromised end-points. A lot of that did fall on the ability to monitor network traffic. And that's one area where I'm really interested on what will happen, because you could have everybody full of tunnel VPN, but that's a pretty expensive cost and you're going to have some interesting delays and even more cross traffic. But if you don't do that, if you just split tunnel, then you lose the visibility to do that inspection for compromise. And so on some regard, you see people pushing for endpoint agents to try and meet that demand. But do we really want yet another endpoint agent? I mean, I kind of got I told my security teams at Twitter that you get like one, maybe two total and because somebody else's IT's got one. Like, we can't have six endpoint agents on these devices. And then for my world now at Altitude, I know that well endpoint agents are fine, but when somebody goes after your cloud data, BYOD, or contractor, well, then all that's out the window, too.

Vijaya Kaza:
Yeah.

Michael Coates:
So there's a lot of things up in the air.

Vijaya Kaza:
Yeah, no, I absolutely agree. So if VPNs are a thing of the past and what's actually replacing that? What is the mode of doing secure access in this new world? That's an important question. So if the days of having access established once and be done, those are gone. Clearly, the world is now moving towards more contextual access based on different aspects of identity. People have talked about identity being the new perimeter, but I don't think it's just identity. So it's a combination of identity, devices, device posture. All of those contextual elements taken together is the one that is replacing. And it's also, not again, given access once and be done but on a continuous basis assessing those underlying conditions and taking appropriate actions to allow or disallow. And that's an important aspect so that continuous and conditional are truly key words in that context for secure access. And to your point about endpoint, I think naturally that plays a bigger role, I think, in this world, because we are now so dependent on devices and device posture, endpoint security plays a big role, this space that's been heating up for a while. But there are so many pragmatic solutions, really. There's one for mobile, one for laptops, one for a container, one for different workspaces. Just there is no unified solution. And every vendor is trying their best to kind of put together a strategy for a holistic response. I think the space is really something that we need to watch for. A lot has happened, but a lot still needs to happen to bring together much better solutions that work across different operating systems, different types of devices, different types of the entities that we are actually be protecting if endpoints are infected.

Michael Coates:
Yeah, I was sort of visualizing this as we're talking about it. It seems to me like, you know, we used to be in our office, our nice, big walled, secure office. And now what we've done is distributed the workforce out. So everybody's distributed out everywhere. And so we're thinking about how do we do distributed security amongst our employees and business partners, perhaps. But the other thing that's been happening that we've been talking about for a few years is the data also left in the workplace, too, in the data has spread out the other way into cloud services, both infrastructure and SaaS. And so now we have everything used to be here. And this interesting I don't know what that shape is, two diamonds or two triangles, and it's really thrown everything on its head. You have to think about this mobility of everything, your mobility of your workforce, your mobility of your data. One of the things we're working towards that Twitter was even though we had the vast majority of data inside our data centers, it was still this notion of don't trust anyone or anything, like build a data first security policy, so that even if you're an employee or a service account accessing data, we should have all of the same security controls as if you were someone outside in the other world because, otherwise, you're building your entire posture of security on the fact that you don't think someone can get in, and once you're breached on the perimeter, that it's all over. That security perimeter, squishy center thing, we know it's not the right path forward. And I think everything that's happening now is reinforcing that.

Vijaya Kaza:
Yep. And then, as you mentioned, because everything is moving to different places and all of a sudden it opens up the surface for accepting many different SaaS solutions. How do you protect and how do you can have visibility into all of these things? Single Sign on is a big aspect. Multifactor authentication. You bring things to have a little bit more handle and control over this proliferation of SaaS applications is going to be a huge trend too. Right? And especially in times like this, when we have a lot of employees, that all companies have a lot of employees that are being offboarded onboarded, a lot of activity happening. If you don't have a CISO or proper way of understanding who has access to what type of SaaS applications within the organization becomes a very, very difficult problem to have any kind of control on that. So that's a huge aspect.

Michael Coates:
Yeah, I agree. Like this, the single sign on space will be huge. And that is a big one. I mean, that's the front door. You've got to take the keys away to the front door. You have no chance when somebody offboards. The other thing that I found as we've investigated this problem space, because we're very much after that stuff like single sign on is great, authentication, you have to do that, of course. But authorization to data access controls after that, especially in the cloud, what we're seeing is sure you took away the the central authentication for that user because you offboard them, but they had authorized their data already to personal accounts you don't control. So it's this new backdoor access Zombi access type of issue that is a result of the flexibility of cloud, which is a double edged sword, really, like we empower our teams to work quickly and efficiently, but then there's these byproducts of mistakes or malice. And it's a very interesting space where that's what we're exploring squarely. But it's interesting to see how that becomes even more prominent in this world we're discussing.

Vijaya Kaza:
Yeah, clearly, you guys are in the right place at the right time. There's no doubt about it. That puts you in the business bucket, for sure. Yeah. You know, going from there, then looking into you bring up the point of who has access to what and what kind of authorization. And nothing is accidental or malicious that naturally then leads into other types of solutions that traditionally have been overlooked to some extent by all of the insider threat type of solutions. That's a big area. You know, this one is a very controversial one. Obviously, there are many cultural aspects and organizational acceptance differences between different teams. Insider threat is not a straightforward or a slam dunk solution to deploy for those reasons. But I think in times like this and the trends that are that we're seeing right now, I think we ought to at least give it a serious look, if nothing else, and see what is in the space? How are things evolving? Obviously, the traditional DLP very heavy handed approach is not the right one. And there have been many developments in this area. Either agent based, agentless, user entity behavioral type of solutions or even just simple in some cases, where you are talking about third party vendors and agents that are doing providing customer support solutions, even simple tools to do screen recordings and kind of monitoring from that perspective. So there's a gamut of solutions in this space. Right. So my thinking and we've talked about this internally and also just kind of discussing with several CISOs like yourself and other friends to see what they're doing. And it feels like this is an area that needs a serious look if nothing else, and in some cases probably appropriate to deploy some solutions.

Michael Coates:
Never a dull moment in our world, if you feel like you're bored, just wait 20 minutes and something has changed dramatically. Very good. One thing that I love to spend just a few minutes on and all of these conversations. There's no question that we need more amazing security people in the field. And there's a wealth of hungry individuals that are thinking about joining the fields of security out of school. There's people, maybe mid career that are thinking of a transition, which I actually really encourage. I had a great conversation with someone a year ago who made the switch from IT into security, pinned me on Twitter a year later and said success. I was like that. That was amazing. Just fantastic. But I'd love to ask you, what are your recommendations for someone who wants to enter the field of security? And someone earlier asked also if you recommend a degree, if that's the way to go or perhaps something else.

Vijaya Kaza:
Yeah, I think, Michael, you know this really well, the thing with security is it's really vast and dynamic and changing, as we've talked about. But also there is not a single technology or a single thing that you need to really learn how to do security well, it touches so many things. Right. Networking, there's cloud, machine learning, different aspects that you need to be you need to know a lot about a lot of things. It's not a single degree, but it's really vast and and touching many, many things. So this as you said, there's never a dull moment. So I think the thing that I would say for people that want to enter this field is really brace yourself for a lot of learning. And if you are a person that would like to learn a lot and wants different types of challenges and gets bored easily, this is the place to be. There is there's always something to learn. And even after 20 years of me being security, I learn every single day something new. So come on over. Don't be daunted by all of the complexity that may seem at the surface. But once you get into it, there are a lot of really, really good people in the industry that are very willing to help. That's the other thing that I learned as part of my transition to CISO, is there's a vast amount of community that is really helpful, very supportive, and people are there to help out and provide resources. So it's a great thing to be with lots of smart people.

Michael Coates:
Yeah, I totally agree that learn by doing was crucial. You can get a degree and, you know, that may help give you some foundation, but, you have to learn so much afterwards, so I think some people might look at and say, oh, I don't have a CS degree, how can I possibly get in there? Like, well, there is a foundation of knowledge you'll need to learn. But so much of the security specific stuff you learn on the job. And if you have that passion to learn and try and build, build some sort of lab, a virtual lab with hardware or whatever, try to hack into something, fix it. So much of that was so meaningful. We had something at Twitter where, actually that Mozilla too, we would actually hire a lot of people on a security team from other non security teams because we found you could make amazing APPSEC engineers by hiring some of your developers because they already knew all the the foundations and also how your company works, which is worth its weight in gold. And then we taught them the incremental security, the same with I.T. people into APP security roles.

Vijaya Kaza:
And same thing that's coming. The API SEC fields as well, like in people that are very backend engineers and backend experts that don't necessarily are thinking about security, but they know that domain so well, from API perspective in cloud world that, you know, teaching security to them and maybe making API secure is really apt for cloud usage. I think that's another factor as well.

Michael Coates:
Yeah, well, there's going to be so many disciplines to that one, that one's going to take off, that's for sure. Yeah, well, very good. All right. We have one more question from the audience and we'll=7 wrap on that one. Let's see here. When you translate, it looks OK, so it looks like the question is around transitioning to security roles, is there advantage to doing that internal and growing inside an organization or I'll add on to this one or trying to apply it outside an organization. So what's your thoughts on that?

Vijaya Kaza:
I'll say in general. But it is transitioning into security or anything else if you are trying to make a transition, your career from one thing to the other. The easiest paths or ways is to first try intern, because at least you know the systems, you know the people, you know the culture. Half of the battle is won already. Now, it's only one incremental thing, one variable that you're changing of going into something slightly different. That's always the path of least resistance. And once you're successful there with the people that hopefully are supportive to you and your career, it makes much more sense to eventually get to some other company or fight in a different place. But if you're trying to change all of those at once, that becomes a really hard fight.

Michael Coates:
Now, I completely agree that ability to know this person is killing it, that their job really is powerful, like it's going to be a slightly different job, but we already know they deliver so well in what they are doing. That is super valuable. Well, very good. Thank you so much for taking the trip up here to Alaska. This is really enjoyable. Thanks, everyone who joined us for the live webcast recording. And if you are listening to this on a podcast or recording on a later date keep an eye on our blog as we announce other wonderful CISOs for the event. And we'll go ahead wrap it there. Thanks again so much Vijaya.

Vijaya Kaza:
Hey, thank you Mike for having me again, but I really enjoyed the conversation. Good luck to you and your company, like we talked about. You guys are definitely in that right space at the right time. So I look forward to great things from you guys.

Michael Coates:
Awesome. Awesome. Thanks so much.

Vijaya Kaza:
Thank you. Take care.

Automatically convert your audio files to text with Sonix. Sonix is the best online, automated transcription service.

Sonix uses cutting-edge artificial intelligence to convert your mp3 files to text.

Rapid advancements in speech-to-text technology has made transcription a whole lot easier. Quickly and accurately convert your audio to text with Sonix. Create better transcripts with online automated transcription. Sometimes you don't have super fancy audio recording equipment around; here's how you can record better audio on your phone. Sonix takes transcription to a whole new level. Automated transcription can quickly transcribe your skype calls. All of your remote meetings will be better indexed with a Sonix transcript. Manual audio transcription is tedious and expensive. Do you have a podcast? Here's how to automatically transcribe your podcasts with Sonix.

Sonix uses cutting-edge artificial intelligence to convert your mp3 files to text.

Sonix is the best online audio transcription software in 2020—it's fast, easy, and affordable.

If you are looking for a great way to convert your audio to text, try Sonix today.