Why Security And GRC Teams Must Act Like Service Teams

Raj Krishnamurthy
Hey, hey, hey, welcome to Security and GRC Decoded.

I’m your favorite host, Raj Krishnamurthy.

And today we have the most awesome Jiphun Satapathy today.

Jiphun, welcome to the show.

Jiphun Satapathy (00:14.83)
Thank you, Raj.

Raj Krishnamurthy
Jiphun is the CISO and Senior Vice President at Medallia.

He has held senior security engineering and leadership roles at companies like Lexmark, Intel, Visa, and he has successfully built zero to one security teams at AWS and Snowflake.

He’s also a very avid reader.

We are going to talk about some of your books as well, or the books that you read as well, Jiphun.

Glad to have you on the show.

Jiphun Satapathy (00:36.59)
Absolutely.

Thank you, Raj.

Looking forward to it.

I know you run a pretty good podcast and a pretty one of my obviously favorite topics.

So looking forward to speaking with you and sharing my experiences.

Raj Krishnamurthy
Thank you, Jiphun.

Let’s dive right in.

I’m struggling for words today.

Let’s dive right in.

Let’s start.

Let’s take something very controversial or heart-taking opinion you have.

What would that be, Jiphun?

Jiphun Satapathy (01:03.534)
You want to start with some spicy topic?

Yeah, yeah.

I mean, there are many. think the immediate one that comes to my mind is in general, I see sometimes like cybersecurity leaders or CISOs, they don’t have a lot of inclination to engage with vendors.

And I understand vendors, we get a lot of requests, but…

Raj Krishnamurthy
With a bang.

Jiphun Satapathy (01:33.88)
I don’t know that it is controversial enough, but they are averse to engaging with them as much as they need.

I see that as a absolute need.

So if you are not engaging with them, I’m not a vendor, I’m not trying to sell anything, but the vendors or the products that are being built in cybersecurity world gives me a pretty good view on the innovation that is happening.

So I don’t know what better way you can be on top of learning what’s latest and greatest and how the world is solved.
cyber security challenges without directly talking to those who are building it, right?

And they are learning from it.

So I feel like many of the CISOs, especially new leaders who are entering into the CISO world have some sort of aversion to that.

And that’s not right in my opinion.

I would highly encourage everybody to be more engaged, more involved.

I know we cannot support all, but stay engaged with them.

Today, we lack that.

Raj Krishnamurthy
No, that’s a brilliant, yeah, that’s a beautiful point, Jiphun, but I’m sure as a CISO, you’re getting bombarded with requests.

So how do you filter that?

Jiphun Satapathy (02:33.282)
Yeah.

Jiphun Satapathy (02:40.163)
All
Yeah, the way you filter that is somewhat based on your need.

So you need to know what are your big risks, areas, gaps, or innovation that where you want to bring.

You may not know the solution.

So you should have a plan at least for a year to two out.

Who knows what happens in five years.

But at least a good solid two, three years plan roadmap you should have.

And based on that, you should be open to talking to people.

In many cases, will see, let’s say, cloud security.

Cloud security, for example, is an area
for us, for example, for me to look at.

And when I joined Medallia, one of the areas that I looked at is how are we protecting our cloud infrastructure and also our on-prem.

So that immediate need drove me to go engage with some of the vendors.

Some of them I knew, some of them reached out to me.

So I selected a few, then I spoke with all, then we decided, hey, this is the right solution based on where we stand.

But that doesn’t mean that I’m not going to talk to more folks in that space for, let’s say, another year or two until my
renewal comes up.

So I know that is a critical area for me or a major area for us to make sure that we’re staying on top of risk.

So based on your needs, I still talk to some of the other cloud vendors, cloud security vendors, because I want to know what they are building.

Are they doing better than what I have today?

Things like that.

So I would prioritize based on that, pick few areas and be open to at least three, four in each of those vectors.

I don’t need to talk to them every week, every month, but need to go figure out that.

That is one way.

The second part is also something that do you have an interest in general?

I always have an interest coming from the world of builders.

Like I want to know what problems the world is solving in an innovative way.

Like I was talking to recently a company which is

Jiphun Satapathy (04:31.764)
looking at training cybersecurity in a very innovative way, right?

Today our cybersecurity training is very static.

Everybody gets a training set of training every once a year or once a quarter.

Everybody gets the same, but that doesn’t work really well because in a company everybody’s roles, responsibilities, access and the information they have access to is different.

So how about we, you know, target our training so they are looking at something like that.

I may not have a priority to change that
today or a year but when I’m talking to some of these companies it’s giving me ideas that you know what the world is building a solution so you know what there is an idea that we can improve so with the same cost or the same objective I can do better right so that helps me stay on top of what’s happening what’s what sort of innovation is going and then I share that with my team I bring them into that so that’s how I would I would prioritize and filter some of them
Raj Krishnamurthy
Got it.

And what role, what roles do your teams have to play in this?

And how do you sort of, is this decision democratized and how do you bring them in and where do you bring them?

Jiphun Satapathy (05:39.884)
So in general, I drive a more like a bottom-up approach when it comes to priorities, decisions.

So it’s not like I make the decision and ask my team to go drive it.

It’s a decision because they are more or closer to the problems, right?

So as a team, we prepare on a quarterly basis and go look at our risk register.

What are some of the major risks we have?

So that drives one.

Then another way we prioritize is our business needs.

So those are primarily two vectors which drives our priorities.

So that helps teams to determine which area to invest.

But let’s say certain area is not in our radar or in our plan, but we do see a potential opportunity to either, know.
improve or make our process more efficient or innovate something, then I bring in the right team who should think about it.

So they go explore that.

For example, in this case, training my compliance team’s head, she is responsible for this.

So in this case, I bring her to this.

She looks at the solution.

And so then she has now a plan.

OK, you know what?

I don’t have any plans to change.

I do see potential, so maybe two quarters out.

So that’s how we drive it.

Raj Krishnamurthy
Risk-based investments is the approach that you take.

Jiphun Satapathy (06:59.256)
Correct, primarily most of the initiatives are risk-based or business-based. of the day, risk is also driving business too.

So the primary objective is to run a cybersecurity company is more or less risk-based priority, right?

Raj Krishnamurthy
And when you bring some of these innovative tools, you’ll have to also change the culture within the organization, which is not an easy feat.

Maybe can you talk a little bit to our audience in terms of some of the challenges you typically encounter and as a leader, what do you do to overcome?

Jiphun Satapathy (07:21.858)
That’s true, yeah.

Jiphun Satapathy (07:30.582)
Yeah, I think you touched a very good point like, you know, culture and changing culture and believe it or not, it’s not the people or the process or the technology.

It’s the culture which actually drives your security posture, believe it or not.

Right.

So end of the day, is security a priority?

Security priority zero for you.

Like one of my previous CEOs when I was with Amazon specifically and AJC would always say nothing burns customer trust faster than a security
So there you go.

Is that inherent in everybody in your company?

Do people really believe in that?

Nobody’s going to say security is not a priority, but your actions define your culture, right?

So for example, in my same company,
He would spend one hour every week looking at overall major issues that happened in the security space.

A CEO of a multi-billion dollar company and his AC.

If he could spend one hour every Friday with a…

Raj Krishnamurthy
Yeah, and Jesse.

Wow.

Jiphun Satapathy (08:33.102)
the security team and the respective engineering teams, I’m sure many other CEOs can do that as well.

So fortunately, I have had been with the companies where CEOs have been extremely paranoid about security and they have made sure that priority is zero.

Here, my CEO does the same thing, Mark as well, Mark Bishop.

He has made sure that security is priority zero.

I report to the CTO who has made it very clear that security posture has to be top notch because we saw many of the top regulated, highly regulated
customers so there is no excuse there right so that’s what it drives later the culture so but with that being said you can ensure that the everybody in your company believes that security is priority zero but it’s also on the security team to make sure that the practices processes that we are bringing is actually helping teams deliver what they want to deliver in a much faster or more productive fashion
You cannot simply say that because of high security, we are going to add these five other steps, especially with AI and the development and the productivity.

If teams can build an application, let’s say, overnight, and you take another week to…
review and say that you know that’s a secured app or not that’s not going to work.

So what when you’re bringing these new tools one of the angle that when I bring in new tools or anything like that two angles I look one is how is it adding or helping or reducing the overall operational cost like for example if I am bringing like the same training tool targeted training is that going to help not just from the security side how is that helping
my developers for example or my sales people.

So today my challenge is developers get the same training as that of a sales or professional services team right but going forward I’m going to tell because of this new tool now a developer needs to know how not to let’s say leak credentials how not to you know introduce application level issues.

So now I can target that so the way you tell the story is this new introduction of the tool is not just raising the bar in security but is actually helping
Jiphun Satapathy (10:48.036)
you deliver your products or do your day-to-day work in a much more efficient fashion, right?

Like another initiative that I drove in my previous company, which I’m driving here as well, is using strong MFA, right?

MFA everybody has, but if you have a push-based MFA, that’s still prone to phishing.

So one of the things we did is we want to use…
touch-based or biometrics-based multi-factor authentication, right?

So that’s a much stronger, from the security side or man in the middle attack type, that’s a much stronger technology to put.

But if I go and tell the story about the security, this is not very exciting for our users.

But if you tell them the story that, know what, now we are going to implement a multi-factor authentication mechanism, which would not require for you to remember any password.

It would not require you to use your mobile device to get a push
and if you forgotten your mobile device somewhere you have to walk.

No, everything happens from the laptop that was given to you.

Because we know over last three, four years, all the laptops come with all the technologies.

So you’ve got to tell the story in a way. intentionally, we are also rolling this out not just to raise the security bar, but also make user experience better.

So when you are going to communicate that to the teams, you’ve got to tell them how it’s helping their business or their day-to-day work.

Don’t just go and tell, hey,
it’s a better or stronger security, we have issues that would not be very interesting for them.

So that’s how I say it, know, culture, security should be priority zero, but security team also need to believe and deliver a culture that, we are here to empower or help teams do their things much faster, much better, or more efficiently.

So that has to be ingrained in the security team.

Raj Krishnamurthy
I love the way you put it and I think that is brilliant.

And this is because of your builder, you’re a builder turned security leader.

So a lot of the builder aspects of it is something that I’m seeing as you’re having this conversation, the empathy that you have with developers.

Is that where that is coming from?

Jiphun Satapathy (12:48.748)
Yeah.

Jiphun Satapathy (12:57.218)
I would probably say that, you know, that’s a very good point you touched where this empathy or the…

Mindset is coming.

I actually you are absolutely right.

I started my career as a Software engineer and I would say my real security carrier started at Intel when I joined Intel as a senior software engineer I built products using hardware security and then that did wonders to my career and learned a lot of stuff built enterprise-grade products Which is great during that one thing I experienced is that this whole Getting a blessing from a certain group which says yep.

This is done
right from security perspective.

I was a little bit, in general, I’m a little bit of a contrarian, so was not super happy about it.

I took the ownership on being that security architect and working with that team to make sure that all the products that we are building meets that security bar, but I was not super happy.

It felt somewhat like a bureaucratic process, saying, hey, you’ve got to get the blessing from certain set of people.

I was not a big fan of that, but we had to do it for the heck of doing it.

And they were doing a pretty good job in the sense they have to make sure that all these teams are building the right thing.

And I’m talking, this is,
2015-ish time frame, so 10 years ago, right?

So that kind of, and then slowly I transitioned to the other side of the table where the InfoSec side.

So I definitely recognize and relate with the pain points that developers, engineers, or practitioners face.

That is one.

Second thing, when I joined AWS, I needed to scale product security or AppSec team at a scale that I had not seen before.

We all know Amazon, the base that they innovate or the build software and services.

Jiphun Satapathy (14:40.088)
AWS was in a pretty rapid growth around 2017 after about three, four years I stayed there.

And also customer experience.

And I treat my internal stakeholders is somewhat like a customer.

I’ll say like, know, security has a dual role.

So we have to protect our external customers and customers and their information.

We have to influence our stakeholders, but we have to treat very close to them like a customer.

We hold them accountable, but that experience matters.

And somehow coincidentally, I’m now working for a company
which is primary product is customer experience and employee experience.

So is that thread is somehow weaved.

So yeah, I would say it probably comes from that like and I will also some question right all the time.

Why?

Why should we do what we are doing?

Right?

And if you know why then you can tell the story why?

So then you buy trust from them.

Yeah.

Raj Krishnamurthy
I think one of the challenges that we constantly face is that, for example, when we talk about security or compliance style, a lot of the value, especially in technology-first companies, accrues to engineers, if done right, if done right.

And that’s a big if.

But the challenge has always been that the GRC teams or the security teams have not been able to convince their leaders that there is a broader story to be told there, which I think you beautifully articulated.

Jiphun Satapathy (15:45.294)
Mm-hmm.

Yep.

Raj Krishnamurthy
So what advice would you have to your peer CEOs and also to the, for example, a GRC manager listening or a security manager listening on how to build that business case and up level the conversation?

Jiphun Satapathy (16:00.387)
Yeah.

Jiphun Satapathy (16:13.804)
Yeah.

So first understand what’s the business is.

First understand what’s the objective of.
a team or a company end of the day, you are not here just to secure stuff.

You are here to deliver for the business so that we can continue to serve our customer like any anybody in the team, right?

Not just security, right?

Our primary objective is to make sure that we are delivering our business to the best of our ability.

So first understand what business we are in.

I would say so go talk to your stakeholders, look at their roadmap, look at talk to the sales and professional services team.
customers are asking.

I would say even go talk to customers directly, but many a time security and compliance team kind of, especially the security engineering side of things are not very customer facing.

Compliance is somewhat because they need to meet that.

But I would say look for opportunities where you can just be a fly on the wall and listen what customers are saying.

Right?

So if customers are asking for certain things in cybersecurity or some certification and you are building certain other things, then it’s not going to align.

So that is first thing, understand the business.

Then go on.
understand the pain points that security, sorry, the non-security of the stakeholder teams are facing.

And then end of the day, use that information and then you bring your subject matter expertise.

So you know what are some of the risks and what would be the impact. literally don’t, one size fits all approach is not going to work or what worked for you in a different company is also not going to work.

I’ll give you a very good example.

Like when I was with AWS, obviously a massive company, much bigger company.

So the stakes are much high.

The systems, processes, culture mindset is somewhat kind of set.

We didn’t have to reinvent that.

So I was in that journey of how do we scale better, faster, things like that.

But when I joined Snowflake, I joined Snowflake right after its IPO.

So it was in a super hyper growth mode, right?

And they hired me to build the enterprise security or corporate security team.

It didn’t exist before that.

So I was in that journey of again, same thing, like in a building a foundation and then growing, growing,
Jiphun Satapathy (18:19.856)
But what I learned the hard way is I didn’t take a step back to look at that.

Hey this process mechanisms that I had put a year ago is it still valid and I learned it hard way because what happens is when you start from scratch you are kind of trying to put a bigger net saying you know Hey, I want to catch all the fish right and then and I will probably get 10 % of it right and then I want to reduce it but You as a security team.

We also need to question all the time We cannot question every day every week every month, but one
a year, one six months.

I have a mechanism, I have a process, for example security review we do.

We say, you we want to security review our securities, scrutinize everything that goes out.

But that process needs to evolve.

And how do you evolve?

Because if the business is changing, or business is using different mechanism and the security teams are not aligned with that, then it’s not going to scale.

So it is always good to take a step back.

So I would say those three and think again, and our job is to make sure to see business succeed.

Don’t come across as a…

Compliance, the challenge that compliance teams face sometimes is that they come with a list of controls or the compliance requirements that we must meet in order for us to get certified.

So, which is perfectly fine, but tell that in a way that the business understands, right?

You can simply say, hey guys, we are going into this market and this market requires the password to be rotated.

And we are going through, let’s say, I’m just giving an example, FedRAMP or FedRAMP, because we are going into the, let’s say,
government space or defense space or whatever it is.

So we need to get the FedRAMP certification and FedRAMP certification, let’s say, requires us to rotate password every 30 days.

I mean, it is a fact, for example, then we have to convey that to the business.

So tell the why, like why is it important for the…

Jiphun Satapathy (20:17.166)
requirement of the control that you are implementing.

Always telling why goes a long way too.

So I would say those are a few things that you need to build.

Think from their perspective versus you going there, hey, I want this 10 things done by this state and this is all security.

So that won’t fly.

Raj Krishnamurthy
Got it.

And how do you think in general, in your experience, J-Foon, how others, particularly the engineering teams, view security and
Jiphun Satapathy (20:48.29)
I think it depends on how the security team and compliance team have built that relationship first.

From my experience, I would say.

Many times I have seen security, sorry, engineering teams really appreciate security teams, but I have been part of companies where that mindset and culture is there in grand.

They don’t appreciate some of the processes mechanisms that we have. don’t, I mean, enjoy obviously when we say, hey, we got a number of vulnerabilities that you need to fix.

They do feel that as a pinpoint, but look at it.

Like for example, one of the things I’m actually driving right here at Medallia is
We want to see your vulnerability posture.

Pretty good.

We don’t want out of SLA vulnerabilities in our environment.

And my team and the engineering team does really well in staying on top of it.

But what my team did is they actually went one step further instead of just using a tool, scan for findings and then dumping on the developer saying, Hey, we got this 5,000 issues, go fix it.

They actually took that extra step, worked with the tool and learned the innovation side again here to determine how can I prioritize it?

If I take the entire 50,000 findings and dump it on
developer team, cannot.

So we need to help them how they can prioritize the ones that matter.

So we looked at exploitability, reachability angle, and today’s tools can provide that, right?

So you use, if you’re using the latest and greatest tool, so you use that and you show a funnel, guys, I got 40,000 issues, but down to now 500 issues, that looks more manageable.

Okay, I give you three months, let’s figure it out how to fix it, right?

Some of them are mitigating controls.

We are also looking at now going one step further with the advent of AI technology.

Jiphun Satapathy (22:31.792)
AI is that 60 % of these issues are pretty standard issues. is pretty standard.

So AI can now recommend that, it can literally create a PR saying, you hey, all you have to do is look, this is the issue.

We understand this is a priority.

This is even the fix.

So all you have to do is just check the PR and make sure that it’s not breaking your system.

We cannot tell that because you know engineering team better your system than us.

So when the team see that security team is going and figuring out constantly how to make their life
types better while hitting security, they would love you.

And they recognize that it is important.

Nobody is saying that it’s not important.

It’s just that how you build that mechanism with scales and they really need to see that’s what I say.

Words don’t matter, actions do.

So when you are constantly working with them and showing, you connect the dots, right?

If you are on top of innovation, you’re bringing tools, challenging vendors, and then bringing it and showing it through data, then that wins hearts and minds, I would say, yeah.

Raj Krishnamurthy
I love it.

In fact, I’m going to point our listeners and maybe we’ll put a copy link to it of a paper that you wrote in 2021 on.

I think if I remember it, how to earn trust or trust has to be earned or something like that.

Brilliantly said.

I think you’re covering a lot of those points that you spoke a couple of years ago.

Right.

So, so great.

Jiphun Satapathy (23:43.372)
Yeah, absolutely.

Jiphun Satapathy (23:48.429)
Yeah.

I think trust is, genuinely believe, right?

And at the end of the day, this cybersecurity, don’t, I mean, we are a service organization, right?

We don’t, in general, I’m saying, I mean, I’m sure some CISO organizations probably ship products or build, and I have done that in the past in certain way, but in general, we are a service organization.

We want to make sure the company remains secure.

We want to make sure customer information remains secure.

So we are serving all these teams so that they can do their job.

So when you’re serving customers, you need to earn their trust.

They can’t, they should trust you, and they cannot trust
to just by words, they need to see actions and what value you are adding.

So end of the day, it’s all about that relationship and trust.

Raj Krishnamurthy
Absolutely.

Raj Krishnamurthy
So you hold two teams today, you have multiple teams, two of them, you run the security teams, engineering, architecture, on and so forth.

You also hold the GRC team, governance, risk and compliance.

How do you see these two teams and what role do they play in reinforcing each other?

Jiphun Satapathy (24:43.564)
Yeah, I think they hold somewhat each other accountable.

The way I see the GRC team is.

They are accountable to make sure that we are meeting all sorts of certification needs so that our customers can continue to use our product.

So if you are going into the finance space or healthcare or government, whatever space, whatever certification we need or our customers need rather, we must hit that.

We have to make sure that year in, year out, we are staying on top of it.
are responsible to do the audit, to make sure whatever innovation, whatever changes or updates happening in that certification space and making sure that that’s being implemented internally.

Second thing is risk.

They are managing risk.

End of the day, they are accountable to demonstrate what outstanding risks we have within the company and how are we making progress.

They are not responsible to solve that risk, but they are responsible or accountable to make sure I know or my CEO knows, hey, these are the top
and cyber risks that we as a company living with.

And you know, this is the trajectory.

These risks are getting mitigated or it’s getting worse or we are not making any changes and holding people accountable there.

Then the other part of governance, as the name says, right, end of the day, are primary team which is governing that right things are happening.

For example, the AI governance.

Okay, so we have a policy now.

So they make sure that all these policies are well executed, maintained, or operated by various stakeholders.

So their responsibility is to make sure that we have the right owners to find and they’re driving that.

Jiphun Satapathy (26:32.853)
Now comes to the security engineering part in the sense we have a product security, we have enterprise security, have SOC teams, their responsibilities make sure that we are designing, implementing processes, mechanisms, metrics, tools to meet those requirements first or the control needs first in addition to the risks that being highlighted in that risk management. it’s a very tight coupling.
that needs to happen so that then only these guys compliance guys can say to the world or the customer, the auditor, yep, we have done all this.

This is the evidence that we can show you.

But how we implement, they don’t need to know.

For example, MFA, we want MFA, for example, a certification in MFA.

The compliance team will ask, okay, do we have MFA?

But that MFA push-based notification or best MFA might be just fine from certification perspective, but we want to set a bar which is through risk, which is much higher than
than what is being asked for certification.

That’s why I always say compliance or certification is like table stakes for us.

We should be able to hit that day in day out, but that doesn’t drive or determine our security posture by its entirety.

Our security posture is determined by what our customers need and what we are paranoid about.

So that’s why we hold a much higher bar so that any day, any time if we want to go into any of the certifications, are kind of given.

Obviously there is a mechanism and process.
that needs to happen it’s not like check mark but they don’t determine the overall security posture of our company because
So that’s why I sometimes say, you know, the whole certification or the compliance, they bring us revenue because our customers will only buy if we meet that on a consistent basis.

So they bring the money, but the security or the risk or the engineering side, they save us from hackers because end of the day, your systems are vulnerable.

Jiphun Satapathy (28:33.322)
everything cannot be controlled by those certifications.

It has to be from your own security assessment and your risk management framework that you have.

Raj Krishnamurthy
Got it.

And do you see the GRC has three functions, right?

Governance, risk, and compliance.

And I think, as you rightly said, compliance establishes the baseline, the bare minimum, as you said, that you need to do, and then the risk is a continuous process, right, that you have to continuously manage.

One of the challenges that we typically come across is that technology-first companies, almost all of us have become cloud-first and AI-first companies.

Jiphun Satapathy (28:58.636)
That’s Correct.

Risk is more like, yeah.

Raj Krishnamurthy
And you are actually releasing products at a very, very rapid clip.

There are thousands of pull requests, changes that you’re making on a weekly, monthly basis.

But you’re assessing on a very less frequent basis, maybe once a quarter at best, once a year.

And these cadences are completely at mismatch, right?

How do you see this as a leader?

And is there something that you worry about or not?

Jiphun Satapathy (29:37.624)
So.

We actually don’t do once a quarter or once a year.

So the mechanism that we have, like, so what we want to do is we want to rely heavily on automation.

So when we say assessment and feature release, there are multiple things that you need to do, right?

Let’s say I am launching a brand new product, which doesn’t exist.

It needs to go through the right security review.

So what we do is we engage with the team at the design phase or in the ideation phase and then do a security architecture review or threat model review.
whether it is manual or automation that’s a different point how fast you do but that’s a stage one so people have not even written a single line of code or have built anything that that’s out there so you engage that does that happen 100 % of the cases probably not but for major releases absolutely so we make sure that that happens so you are not waiting for it to
delay on that front.

So that is there.

The second thing we do is in these days is everything that gets to your GitHub or GitLab gets scanned for any sort of security issues like you know we call it SAS scan right.

So that is automatically scanned and if you have the mechanism where you can block let’s say critical and high risk issues people cannot even check in those code to production.

Same thing we do with open source vulnerability as well.

The challenge happens with this if you have a huge
take that right if you have not done that for a while so if you are a cloud first sass first i mean we are not 100 % cloud or sass cloud presence we we have a pretty solid on-prem presence as well but all this code is going through the cicd pipeline so we actually make sure that the security review process is pretty well ingrained so that you engage with them early and you are continuously scanning and putting the right gates so that you know people should not be able to
Jiphun Satapathy (31:29.552)
introduce vulnerabilities in the first place.

So that’s how we do in regards to staying on top of it.

Raj Krishnamurthy
You actually, a couple of weeks ago, you made a fantastic, I was watching your LinkedIn post, and you made a fantastic point, and you had a call out for action for all your fellow CISOs, which is, is insider risk on your board slide?

Can you talk, double click on that a little bit, because when everybody keeps talking about stateside actors, right, or state actors, you were talking about something about insider risk.

What prompted that, and why does it concern you?

Jiphun Satapathy (31:51.585)
Yeah.

Jiphun Satapathy (32:02.84)
Yeah.

Yeah.

I mean, if you look at any of the cybersecurity reports, like, know, whether it’s from CrowdStrike or from any of the major, know, Gartner or many of the yearly cybersecurity reports, which highlights.

Exactly.

Correct.

Exactly.

So is what are the top risks or areas for in the cybersecurity industry?

Raj Krishnamurthy
Whereas the DBR report also points to insider risk as a big threat.

Jiphun Satapathy (32:32.726)
Yes, I understand external vectors, external attackers are a factor.

Our nation state is a factor as well. there is a insider threat continues to be the number one.

And when I say insider threat, doesn’t really mean that doesn’t really, can I pause for one sec?

Sorry, actually there is, need to close the window because there is a disturbance happening.

Just give me one sec.

Is that okay?

Okay.

Raj Krishnamurthy
Yeah, yeah, sure, No problem.

No problem.

That’s totally okay.

Jiphun Satapathy (33:15.266)
All right, much better.

Out of nowhere somebody needed to do…

Raj Krishnamurthy
Okay, I think Eric can take this out. can start from your response and then we’ll make sure.

Jiphun Satapathy (33:23.682)
Okay, fantastic.

Okay, cool.

That will be great.

Thank you guys.

So yeah, so insider risk, right?

So insider threat.

If you look at any of the cybersecurity yearly report coming from any of these organizations, would see insider threat continues to be the number one.

And when I say insider threat, that doesn’t mean that our insiders or internal employees going rogue.

That’s not the angle here.

What I’m saying here is insiders or their day-to-day work, their access, their permission is compromised in some form or fashion.

For example, let’s say developers, they write a lot of code, they check in some credentials,
or hard-codesome credentials in GitHub and that gets leaked.

There you go, you have now credentials for an external attacker to use to get into your systems.

Phishing, as I said, people click on something and that malicious link can now steal tokens which is used to access critical or crown jewel applications.

So insiders, this is just a couple of examples.

So insiders are the most important aspect of
cybersecurity and fortunately, unfortunately or more like unfortunately I would say is especially the product teams they tend to focus a lot on product securing the product rightfully because we want to make sure that on a product that we are building for our customers are with all the right
mechanisms or right architecture, right posture that we are building.

But those products can also be compromised through these insiders because end of the day insiders have access to systems, infrastructure, data, all that stuff.

It’s not completely blocked, right?

So you need to look at this holistically.

If we have, and I’m not even talking about scenarios where intentionally insiders doing something wrong, like that’s stealing company data and all that.

I’m not even going there.

That’s obviously a challenge, but I’m just saying
Jiphun Satapathy (35:20.304)
unintentionally how their day-to-day work, their permissions can be compromised or their systems that can be compromised and that can result in a massive breach. that’s why I was highlighting is that risk are you as it says are you on top of it?

How confident are you that this risk is solved while we are super focused on making sure externally we cannot be attacked broken anything like that.

How do you ensure that have you and I’m pretty sure
Everybody has it.

Does your board know about it?

What are those and how do you measure it?

So that’s what I was highlighting.

That is correct.

And that is true.

And I actually give a lot of credit to my role at Snowflake where I learned it.

I was always been in the product side, building products like Intel or AWS.

I was on the product side.

So I always thought like, product security is the more fun, sexier.

Raj Krishnamurthy
I guess it is less sexy to talk about some of this insider risk, but they are real.

Jiphun Satapathy (36:17.07)
and I was a little apprehensive when I corporate security or enterprise security.

But after three and a four years, I actually realized that’s where the real risk is.

And that’s where the, especially, I can say that probably for other companies as well, but especially for tech companies, which we tend to ignore that part.

That is where the main risks I have at least seen.

And we did a lot of work there to reduce that, but that’s where I probably got learned that, yeah.

Raj Krishnamurthy
For a security practitioner or GRC practitioner listening to you on this insider risk, if they want to double click and understand how do I break this down into actual set of controls or measures or metrics, any guidance or advice on how they should think about
Jiphun Satapathy (37:05.878)
Yeah I think again depending on various areas we can take a couple of examples.

First thing is anytime you want to measure something you want to measure that what matters right.

So what is the purpose?

Why are you doing what you are doing?

Let’s say in GRC one of the functions that’s there is vendor risk management or vendor risk assessment.

Why do we do that?

Why do we need to have a vendor risk assessment mechanism in place in the first place?

Answer to that is we want to make sure that we are bringing vendors which meets our security bar, right?

So then the question is, how do you define that security bar?

Okay, we need to have these 10 controls or this set of capabilities in these vendors, this sort of certification with these vendors that meets the bar, right?

So you build your metrics demonstrating, okay, first let’s
say do I have all the vendors that I have running in the company have gone through that assessment so you have one matrix there and that should tell you what’s the risk that you’re living if 80 % of the vendors that the company is using have not gone through that assessment you have no idea what risks you are living with right so that is one matrix to show the second thing is that that you want to then
every vendor is not the same, right?

If you are bringing a vendor which deals with sensitive information, their categories are different versus let’s say any vendor that is probably not accessing your sensitive data.

So it’s not one size fits all, right?

So you want to then highlight what are some of my major risks that we have.

Then again, same thing.

Like if you are building metrics, what are you measuring?

I’m measuring that am I staying on top of my high risk vendors ground zero?
how am I monitoring that, what security issues I’m seeing there, what controls I have, that is one.

The third thing I would say is again, as I said, you need to demonstrate what value you are adding and how efficiently you are running.

So first couple of parts probably can show you the value, the risk measurement, but how efficient it is.

Like for example, if you are a company of let’s say,
Jiphun Satapathy (39:17.902)
2000 people and if you are doing 500 vendor risk assessments per year, something is broken.

You are definitely not buying 500 new vendors.

So you should question like, you know, what am I doing here?

Am I doing it right?

Am I asking everybody to go through this whole this process?

Is it really adding value?

The way to measure that is what has been the outcome of that assessment.

If you reviewed 500 and 450 of them went through without any sort
of findings or any sort of
disapproval or any change then I think you are doing the process for the heck of it.

So question that before others question you that team should question like you know what value am I adding and that’s true for every function not just for GRC.

So ask those questions and measure that like okay we did 100 reviews 98 % went through the approval so maybe which is perfectly fine it is it’s okay to take them through the approval but then make the process more efficient.

So that’s our measure. of the figure out what is that you are measuring.

Same thing with vulnerabilities.

For example, why do we care about vulnerabilities?

Vulnerabilities we care because these vulnerabilities can be susceptible or can be exploited for external or internal attacker to get into our systems.

And then…
measure like you know which systems are these systems really critical systems how easy it is for them for an external attacker to access or is it really difficult for somebody to access so that is how I would say measure again there are definitely frameworks like you know going traditional route like CIS is a pretty solid framework you can use to measure some of the capabilities so what I have done in the past in more like a combination of multiple things like I use some of the NIST frameworks or CIS frameworks to first start the baseline of
Jiphun Satapathy (41:13.774)
matrix and then on top of that what we need end of the day we should know what we want to measure and then go build on top of it.

Raj Krishnamurthy
So beautiful, makes sense.

And I think I want to go back to the example that you were talking about, vulnerabilities, and the build up, the developer empathy that you were talking about.

I think one of the fundamental problems that all developers, and including security engineers face, is the signal to noise ratio, right?

There is so much of noise that happens with almost many things that we do.

The intentions may be right, but we produce a ton of data, create so much friction.

Jiphun Satapathy (41:41.132)
Yes, totally.

Jiphun Satapathy (41:48.803)
Correct.

Raj Krishnamurthy
What do you ask your teams to do?

And what he said is beautiful, right?

What he said is that you want the GRC teams and the security teams to step up to help the internal stakeholders to reduce the noise, right?

And do as much as they can.

But that also means that you require the investment.

You need to invest in people, you need to invest in technology, you need to give them the right skilling and tooling and all that stuff, right?

Jiphun Satapathy (42:14.446)
Yeah.

Raj Krishnamurthy
What do you ask your teams to come back and present you with so that you can make those investments and approve those investments or take it to your leadership?

Jiphun Satapathy (42:24.012)
Yeah, absolutely.

That’s very good.

Very good question.

So the immediate ask for my team is a mindset set, right?

So end of the day, what is our responsibility?

Security.

When we talk about ownership, who wants fixing it?

Obviously the system owners want fixing it, but it’s on us to empower them with the right expectation, tools, processes, so that they can focus on the right things.

So we all have to be super transparent that we cannot fix it all.

And that’s something that
should be well communicated all to the CEO saying, hey, we have n number of issues.
50 % of them or 40 % of them, we are not touching it.

We are transparent with customer, we are transparent with leadership, we are transparent with teams.

We are not fixing it because we do not have the bandwidth, the resource, or this is not the right thing to do in comparison to maybe building another product or having a mitigating controls which reduces that to a high to a low risk.

So that is there.

So the ask that I have when the team comes to me to present, saying, for example, in the vulnerability space, I want to bring this new tool which does
APC which identifies
vulnerabilities in certain area.

Let’s say in the AppSec space or determining SAS or SCS score.

My ask right now is not, give me more signals.

I have enough tools now to identify what the badness is across the board and efficiently at runtime.

So all those, that problem is solved.

Any tool I can pick, they will do.

If you cannot do it, you don’t exist in the market, right?

So that’s there.

My question now is,
Jiphun Satapathy (44:02.592)
do you prioritize?

How do you empower my developers to fix it faster?

So show me that funnel as I telling.

I was literally actually a matrix is in front of me and in my right now is that funnel and then determine what is that false positive rate and how are we determining that funnel like you know how are they taking the context information of that finding and then helping me prioritize.

So for example I have a vulnerability in a system which is
under multiple layers.

Don’t treat it at the same severity as that of a system which is absolutely open exposed externally right.

So I’m not going to ask this to dev… previously engineering team will flag it then in the developers are going to then say hey this is an internal system then there is back and forth no I don’t want that what I want is I want our engineering… sorry security engineering team to go or the security product security team to really
Raj Krishnamurthy
public.

Jiphun Satapathy (45:02.422)
that data and proactively say hey guys we found a number of issues we reduced x amount because they’re internal we reduced y because that is using maybe for testing purpose and not really production and maybe this is also using an end-of-life product which is going to be out of end of life in two months this is another product which is not
being used by our customers, but somehow existing there.

So you gotta bring all those angles and then provide that.

There is also a model that I’m seeing in the world.

Some of the products that have come is literally offloading managing of these vulnerabilities or open source through external service providers.

An example is a chain guard, for example.

It’s a whole new business model when it comes to managing vulnerability.

So you’ve got to think about that.

You don’t have to stay on top of it.

We are right now going through discussions about it. again, engineering team thinking there. security team’s primary focus is how do we help engineering teams scale?

That’s the…

Raj Krishnamurthy
Beautiful.

Jiphun Satapathy (46:09.998)
big objective.

Obviously, we are the subject matter on security.

So we should know what would be the impact of ramification if any of these findings get exploited.

But don’t get just hung up there.

That’s not where the responsibility ends.

Again, a service organization mindset where you’ve got to build things which works for your stakeholders or customers.

Otherwise, it’s just useless.

Raj Krishnamurthy
So I think what you’re basically saying is that security team is a multiplayer, has to have a multiplayer effect in terms on engineering, reducing friction, not adding to it.

And those are phenomenally great goals.

And at least that’s a good starting point or a prism to start looking at things from, right?

Jiphun Satapathy (46:45.312)
Absolutely.

Yeah.

Yeah.

Jiphun Satapathy (46:56.054)
Absolutely, yeah. this also goes, you also then, you can speak for those engineering team or for business in front of a customer.

Customer may say, you know what, I want all things fixed.

I don’t know any company who can say that, but they may say that.

Then you come out very transparently why we are not fixing certain things versus it’s a hundred percent thing because nobody can.

And then your stakeholders appreciate that because they know that what is the bar and it’s the goal is not fix all.

Goal is to fix things that matter.

Raj Krishnamurthy
That’s a new perspective.

So what you’re saying is that the compliance team, if done right, if empowered right, can be the evangelists to the development engineering teams in front of your customers.

Jiphun Satapathy (47:37.037)
Yeah.
have to and they are in a way right when we go for the audit or we go earn a new certification or renew our existing certification it is the compliance team who is picking on behalf of the business.

They obviously everything is not solved or everything is not checked but then they negotiate with the auditors and they provide the details and that’s where they’re evangelizing or supporting these teams to drive that.

So but with that being said I would also like to highlight one
other point as well.

While security teams should also be super stakeholder mindset and the service organization mindset.
they have a hard job to hold these teams accountable to.

And at some point the buck stops with the business as well.

And that’s what I also feel like, you we have to be super candid and transparent in the sense that I fully expect a developer should be somewhat familiar with the security, secure development process.

So if a developer is not, doesn’t understand or software engineer doesn’t understand basics of security or how to write secure code, I don’t think that developer is a full-time
pleasure developer doesn’t matter what seniority level you are think about it like you know when you when a developer or engineer writes code or builds an application he doesn’t expect to write a code which operates you know in a haphazard manner or it’s not reliable it’s not efficient
Jiphun Satapathy (49:06.094)
we expect them to build, which is production quality, right?

So in production quality, it’s not just the response time or the availability, security has to be a factor.

So that’s where the leaders also need to set that mindset with their engineering teams or any team that security is important.

There are certain responsibility that you have on yourself that you need to make sure that you are meeting that on a consistent basis.

So it cannot be just one team being super service oriented, the other team saying, you know, hey, I don’t know anything.

You just tell me I’ll do it.
it that’s also not going to work and sometimes I hear I did it because security said so I blame both the both of them first of all security should not be like that and second thing is you should not also say just because security is saying I’m doing it no you have every right to challenge you are every right end of the day you own it so you should be convinced right just because security saying don’t do it things like that so yeah I think it has to be dual yeah
Raj Krishnamurthy
It’s a partnership.

You have been a veteran, you have been an advocate of artificial intelligence, AI.

In fact, pre-gen AI days, if I can say that.

And I think you see that safe and responsible AI is a critical feature that needs to be built.

And I’m going to quote something that you said that I found very, interesting.

You and you’re talking about the pushbacks from the security team, and you’re saying the conversations like these,
Jiphun Satapathy (50:09.517)
Yeah.

Jiphun Satapathy (50:17.656)
Absolutely.

Raj Krishnamurthy
are a strong reminder of the healthy paranoia the cybersecurity brings to this space.

Can you double click and explain?

What did you mean by that?

Jiphun Satapathy (50:33.708)
Yeah.

Jiphun Satapathy (50:37.494)
Yeah, yeah, I was actually looking at that interview with Sam Altman about, know, overall, how do we see at overall AI adoption and its usage and the problems that it is trying to solve.

And as you rightly pointed out, I was leading product security at AWS.

That’s where I first forward into the
ML, that time it was not AI, that was more like the ML services and like SageMaker or many other AWS products, services that they built.

I was directly responsible for many of those products and making sure that they go through the right security and the checks or scrutiny that we do.

I think it is, we are obviously in that rush to go add up, use this technology and I’m all for it too.

I personally want to use in already use some of them in my cybersecurity space, but we also need to be extremely paranoid about its ramification if it goes wrong, right?

So specifically when it comes to user, I’m talking in the enterprise space.

Today, let’s say we have company information or employee information in our systems, right?
we bring in a whole new AI product, Origin AI product, or we build internally.

And we are, let’s say, a simple RAG app.
that we are building, which takes all this data and then summarizes it in a very succinct way that anybody can consume.

But now you are opening up that access to all this data.

So previously, let’s say only a selected group of people were able to see certain records.

Now you are summarizing it.

How are you ensuring that access for that data through that summarization app is still maintained?

Jiphun Satapathy (52:34.508)
Obviously we get very excited when you say boy we have a tool which now so easily gives us a view or a summary of things which I was spending multiple clicks or few minutes to retrieve.

So which.
teams like the data science team or AI team or engineering team or security team needs to question that, take a step back.

And when people question that, don’t misjudge them that, they are naysayers.

So in that interview, that’s I was noticing, at least when the question was coming up, sometimes it may come across that maybe the person is not believing in AI much or they are not a big believer in that.

Yeah, just because they are asking the question, that doesn’t mean they are not big believers.

So in fact,
those who question they actually want to use it in the right way as soon as possible.

So you have to appreciate that as a leader.

Don’t just go blind saying you know hey I want half of my code generated through AI.

That’s pretty easy to say maybe you can achieve that overnight but what ramification what challenges what issues that you are introducing look for that as well and it is okay to say that hey I’m going to do that due diligence maybe once I start rolling it that is perfectly fine but don’t completely discount.
and don’t obviously shoot the messenger or the person who is the most paranoid asking that question.

Otherwise what happens, security teams get burdened by that, hey, they are slowing down the business and then they will buckle up, right?

Then they are going to hesitate to raise those concerns.

So you gotta empower them while you want to make sure you want to adopt this technology by no means, there is no pushback you’re not adopting.
take the right due diligence steps.

So for example, at Medallia, we are AI first company.

We rolled out many AI products for our customers.

But when we adopt new and we are completely open culture.

Jiphun Satapathy (54:35.542)
in terms of we want to let our employees use AI products.

But it goes through the right scrutiny.

Because another way to look at it, I would rather have a controlled set of AI apps and services versus either blocking completely, which is not going to work, or not knowing what people are using.

Obviously, people are using it day in, day out.

So that’s what I meant.

Don’t shoot the messenger.

Go past, big.

But also be open-minded about people
those who are challenging it and questioning it and raising the concern.

In fact, extend them a forum so that you want to bring that devil’s advocate angle or the paranoia angle to the conversation as a leader.

Raj Krishnamurthy
Wwise are an important part of this.

The discovery process is a very important part of keeping us all safe. wanted to, I think security teams, and I wanted to focus particularly on the GRC teams, are in a very tight predicament, right?

Because we are all moving away from this cloud first to the AI first company, all of, you know, and there is a lot more emphasis on, I don’t think we necessarily build traditional models anymore.

Most of us are building some sort of fine tuning on top of LLMs, like you said.

Typically, rack-based applications are fine tuning.

Jiphun Satapathy (55:22.402)
Yeah, absolutely.

Yeah.

Jiphun Satapathy (55:35.565)
Yeah.

Jiphun Satapathy (55:45.206)
Yeah.

Yeah.

Raj Krishnamurthy
But the security teams and particularly the GRC teams have to catch up on all of the things that are happening in the engineering world and the operations world, right?

How technical, and my question is particularly to the GRC team in your portfolio, how technical do these teams need to be?

Jiphun Satapathy (55:57.944)
Yeah.

Jiphun Satapathy (56:06.402)
Yeah, they need to be somewhat technical in the sense.

So.

Yeah, I agree with you that I don’t think broadly these companies are training models.

In fact, I was actually in one of the conversations with one of the AI companies and they said 99 % of them are not even fine tuning it.

So it’s basically the models have become so sophisticated now and intelligent now that you don’t need to be fine tuned.

You basically, as you said, use the rag architecture or
Raj Krishnamurthy
Yeah.

Jiphun Satapathy (56:38.166)
agent to agent architecture which gives you all you need so you don’t need to even fine-tune so basically use foundation models to build like you know agents or apps on top of it so when it comes to GRC teams they need to
go understand what that means, right?

Like, you what is at risk?

So if the GRC claims primary responsibility is to make sure that we have to meet those certifications or we need to identify what risks are out there or we need to collect evidence so that we can continue to pass audit, then they need to understand what are some of the new use cases or new scenarios that are getting introduced or how they are getting accessed.

For example, let’s say if the way I see,
AI apps stack is basically let’s say you have at a minimum obviously we are not going into the hardware space unless you are a graphics company or building hardware on that I’m not going there purely on the software side end of the day the basic the first layer is more like the LLMs right so if you are not really building or sorry training LLMs so maybe the or fine-tuning LLMs then that concern of
know data poisoning in regards to it’s while you’re training probably doesn’t exist.

It exists in a different context, right?

So don’t come up with the same list of compliance or control needs that’s applicable for somebody who is building LLMs to just an app or using something like a chat GPT, right?

Which they are not even building anything.

So being specific and you need to understand that.

First, you need to understand, let’s say ISO 42001 certification gives you a certain framework or a needs framework.
to understand the risk but then make it specific to your company.

So go technical in the sense okay what is my team building and what risk I have.

So if they are using let’s say an off-the-shelf SaaS LLM then your risk poster is different versus I am taking llama and deploying locally or hosting it right.

So you gotta be very specific instead of generic.

So one of the challenges the GRC teams actually face sometimes is that being very generic.

Come with a list of compliance control
Jiphun Satapathy (58:49.148)
and then go simply ask engineering, hey, you gotta meet 100 % of them.

No, you need to refine it and make the requirements understandable to developers and then go from there. understand overall how this world is evolving when it comes to building AI apps while you are building and how we are using it, what risks we are worried about, which is different.

Some of them are different from what we have seen in the past, right?

Because the stack is completely changing as I see.

Raj Krishnamurthy
think that is great advice, Jiphun.

Jiphun, when you present your management team and to the board on risks, in practical terms, how much do you quantify versus qualify?

Jiphun Satapathy (59:32.672)
Yeah, I think that’s a big challenge.

I think these are touching a very good point.

Like, you how do you measure risk?

How do you present it to the board?

Which one is more important?

Obviously, you cannot go to them with a laundry list of every finding or every issue, but you got to highlight.

So the way I present or the way I have done that so far is first identify, first build a risk management program.

What does that entail?

So the way it entails is that you have a mechanism which let’s say primarily driven by the GRC team where they work with all the stakeholders to determine what are some of the major risks that are out there.

This is not audit findings.

This is not vulnerability list.

This is not security findings.

This is major risks. example, for example, I’m making it up, which is.

Data exfiltration from a company like you know certain risks can result in company data getting lost.

So that is one big risk.

Right.

So what are some of the key scenarios that can result in that.

So the way you present that is that.

So I think qualified is okay quantifying exactly being very objective is difficult.

There are some frameworks like fair framework is one that I have used in the past, but it’s extremely complicated time consuming mechanism to so
you gotta find a mix of it.

So when you go present to the board, you are not just going with just the top 10 risks, you’re also bringing some metrics.

So let’s say one of the risks is data loss can happen because, or your system can be compromised because you have a huge amount of vulnerability.

So if you bring the vulnerability metrics, that becomes very objective.

So you know what?

I got N number of vulnerabilities, let’s say a critical or X amount of that, and that is the risk that we have.

And that results to this quality.
data loss cyber risk.

So you can have a mix of it and what I have done is that like you know when I go to go present to the cyber committee audit committee or in the board is that bringing that mix of qualitative analysis and go also objective or more like data driven aspect.

Jiphun Satapathy (01:01:53.342)
And this is, risk management is the hardest thing actually in cybersecurity and that’s a very difficult problem to solve.

So that’s practical.

I know all of us would love to see the exact, hey, if this risk gets compromised, I will have a hit of 2 million versus the other risk, which is 10 million.

But there is always that qualitative angle.

I’m improving that, but it’s still there.

Raj Krishnamurthy
That’s true.

Raj Krishnamurthy
We are going to have a few guests on the show that are going to dive deeper into risk quantification, just that topic.

So it’s very topical.

Jiphun Satapathy (01:02:21.24)
Yes.

Correct.

Raj Krishnamurthy
You are a big advocate of startup companies and the sales 101 is to create customer urgency, right?

And what that actually invariably translates to in cybersecurity world is FUD.

You are on the receiving end of all this FUD.

How do you see it, right?

And what advice do you have for startup founders and sales leaders, right?

Trying to reach out to leaders like you because this is not helpful.

So the question is, how do you stop doing it and what is helpful?

Jiphun Satapathy (01:02:46.776)
Yeah.

Jiphun Satapathy (01:02:54.232)
Yeah.

Jiphun Satapathy (01:03:01.782)
Again, first understand the problem.

First go talk to, talk to, if you’re talking to the CISOs or CEOs of the companies, then first understand what problem they have versus coming and telling them.
how your product solves a problem that you have not even learned, right?

So it’s perfectly fine.

In general, I have actually more appreciation for the founders and as I said, that gives me, that’s a pretty solid angle for me to stay on top of what’s new.

So that’s why I support them, I advise them quite a bit and I enjoy that.

But one thing that I see is not understanding the problem, right?

So then in that case, what happens is,
or solving the problem not in any different way than what’s there.

So I would say my first advice is first, if you’re talking to the CISO, understand what problems they have.

Second thing, just because they have a problem, that doesn’t mean they want to solve it right away.

And they are never going to say that, no, I don’t worry about this issue, because they do, but they cannot do maybe much because either they don’t have bandwidth budget, or they just are not thinking that’s such a high risk at the moment that I need
go do that.

That’s the reality of our world.

We all have constraints that we need to work around.

So appreciate that.

Don’t have to continuously bombard them with 15 other requests if you did not see.

At least that’s how I see it.

I don’t like to waste anybody’s time.

So if you are continuously bombarding them with same thing, that says that they are not interested.

And the last thing is the point solutions.

I understand everything cannot be a single platform, but if you’re building point solutions, that’s also another.

Jiphun Satapathy (01:04:48.352)
somewhat demoralizing aspect, right?

Hey, I already have, let’s say, if you look at, I mean, it’s really painful, especially if you go to identity space, man, there are probably 1200 companies building solutions around identity.

And it’s okay to have three, four, five in each of these buckets, but tens and maybe even close to hundreds.

I don’t know how that scales.

So if you are doing that point solution,
Raj Krishnamurthy
you
Jiphun Satapathy (01:05:12.65)
extremely point solution.

I’m not saying everything should be on the platform.

We are far from that and I understand also best of breed.

All that is good, but point solutions are all over the place.

So that’s not going to…
get a lot of attention at least from CISOs of large companies in general.

So that’s another thing.

So I would probably highlight those three things first, understand the problem, no need to have too much if you have heard directly or you know.

Read between the lines and you’re saying that, hey, this person is just not ready.

It’s not that they are not appreciating the product.

It’s just that they are not ready.

And the last one is don’t go super point targeted solutions.

That’s not helping.

Yeah.

Raj Krishnamurthy
I think that is brilliant, fantastic advice.

CISOs are in the hottest seat, right?

Than any other CXO leader out there in corporate America.

How do you deal with this, this intense pressure daily?

Jiphun Satapathy (01:06:05.549)
Yeah.

Jiphun Satapathy (01:06:17.516)
Yeah, yeah I think it’s a it’s a mix of a few things and the first of all you have to be in an environment where you can depend on your team so if you have a solid team I have been extremely fortunate to have surrounded by amazing teams when I was not the CISO my CISOs were extremely supportive of me in the sense you know I cannot have sleepless night just for the heck of it yes everything is not
tightened everything is not controlled, but you cannot be restless about everything, right?

So you need to have a solid team and make sure that your team’s own stuff and they are giving you the right support.

So that’s extremely important.

But it’s easier to succeed and have a…
you know, burnout basically.

So for me, that’s extremely important.

That’s I focus a lot on building top talent, bringing top talent and building highly productive teams and constantly questioning and being paranoid about things and knowing what’s good, what’s not good, right?

So I depend on my team on that.

So that’s first.

I think second thing I do is obviously my…
family has been extremely supportive of that.

So my wife, my kids, and you know that they take care of a lot of things out of work, which gives me probably the bandwidth to focus on work.

So having that outlet.

I do as much as we could.

We do either fly out or maybe drive down to local areas.

Then
Raj Krishnamurthy
And you also travel a lot with the family, I’m guessing,
Jiphun Satapathy (01:08:01.614)
Networking and talking and learning from fellow CISOs.

So I attend some the forums I speak to some of the other CISOs how they handle this situation or what are they worried about?

So sometimes what happens is when you hear others struggling with similar challenges and they are tackling it in a different way then you learn from that right?

So that always gives you a surprise that hey you are not the only one who is failing probably everybody’s failing so you should not feel that bad.

So that is that is another or somebody’s failing how they are addressing.

And last thing is maybe, you know, stay active in the sense I like to run.

So that’s been my stress buster.

So I do that something like that’s my standard exercise.

So that has always helped me calm down my blood pressure or stress.

Just release that.

So those are a few things I would say that comes to my mind.

Yeah.

Raj Krishnamurthy
you
Raj Krishnamurthy
We are at end of the segment, Jiphun, and I want to you the yield for the last 60 seconds or so.

Any people that you want to shout out to, right, that have helped you get to where you are, or any books that have helped you shape your thought process, whatever you want to call it.

Jiphun Satapathy (01:09:10.253)
Yeah.

Jiphun Satapathy (01:09:15.466)
this is great.

No, first of all, Raj, this is great.

Thank you for reaching out and asking.

And you guys do this podcast really very professional way and I’m very happy and good luck to you.

And I’ll be more than happy to help you have amazing sessions as well wherever I can.

So thank you for reaching out and asking for this.
making the whole setup and arrangement so this is great so thank you for doing that first of all.

In regards to books here another thing is actually I do is read I in my website I publish I’ve started probably last couple of years publishing some of the books so I’m a big from I mean obviously technical side you can always find many books on cyber security or risks
regards to how to measure cyber security risk and things like that but it’s more on the attitude side is what I think personally matters a lot as you grow as you become a leader.

So I’m a big Adam Grant fan so you know Hidden Potential I think one of the books that I wrote not wrote read recently that is one again as I said building partnership and community is another so
forgetting the exact book, John O’Bacon wrote that on forgetting the exact name of the book but that is another book that you should look who led the Ubuntu open source community.

I think the Empowering Through Community or something like that, forgetting that name. that is another.

People, I mean obviously you know there are way too many so I am extremely fortunate and grateful for a lot of people.

First
Obviously my family starts with my dad, my parents, my mom is not anymore.

So dad is who has been guiding all of us and a big influencer in having that work ethics or ambition or being somewhat customer oriented.

Then I’ll say my wife, been an amazing support for.

Jiphun Satapathy (01:11:24.118)
all my life, at least for the last good solid 20-25 years.

And then I would say the colleagues and my managers.

I have been extremely fortunate to have some amazing managers.

Two of them, one of them was a director at Intel.

His name is Moji.

I consider him as a mentor even today.

That was one when I was transitioning from an IC to a manager, he gave me a certain…
advice and mentorship that I’m deeply grateful for and I think recent times my previous boss at Snowflake I would say another he was the VP of security at the CISO of Snowflake he is Mario Duarte he again same thing he did wonders to my career so these are some of the people I reach out
Raj Krishnamurthy
He’s a great guy.

Jiphun Satapathy (01:12:14.318)
Yeah, and obviously the people that I work with. that’s another thing I say, always put yourself in places and teams where you have much smarter people than what you are.

Sometimes it will be intimidating, but in the long run, it’s going to help you learn.

So that’s another attitude I have always carried out.

So yeah, that’s all I have say.

Raj Krishnamurthy
Now Jiphun, this has been a fantastic session and thanks for being on the show.

Jiphun Satapathy (01:12:40.11)
Awesome man, this is great.

Thank you.

Take care, bye.