Kavitha Mariappan of Zscaler: “Take your seat at the table”


Thrive Global invites voices from many spheres to share their perspectives on our Community platform. Community stories are not commissioned by our editorial team, and opinions expressed by Community contributors do not reflect the opinions of Thrive Global or its employees.

Take your seat at the table: The only way you are going to win is to play. Make your ideas and opinions heard because they matter.

The cybersecurity industry has become so essential and exciting. What is coming around the corner? What are the concerns we should keep an eye out for? How does one succeed in the cybersecurity industry? As a part of this interview series called “Wisdom From The Women Leading Cybersecurity Industry”, we had the pleasure of interviewing Kavitha Mariappan, Executive Vice President of Customer Experience and Transformation at Zscaler.

Kavitha is an experienced technology and go-to-market executive with 20+ years of industry experience in building and scaling early and growth-stage companies, as well as delivering repeatable revenue for large multinational organizations. As the Executive Vice President, Customer Experience and Transformation at Zscaler, Kavitha is responsible for driving global transformation and innovation across all facets of the company’s business, customers, strategy, products, and operations, with a strong focus on customer experience, advocacy and business value.

Thank you so much for doing this with us! Before we dig in, our readers would like to get to know you a bit. Can you tell us a bit about your backstory and how you grew up?

I was born in Malaysia, but moved to Australia when I was very young. Perhaps because of the influence of my father, a scientist and healthcare professional, I learned from an early age that I had a deep desire to explore, challenge and build the world around me. I became naturally curious about the engineering of the world and realized I really enjoyed tinkering with toys, devices, you name it. I studied engineering in university, and moved to Silicon Valley to work in tech.

Early in my career, I discovered that the best way to learn is to fail, yet have the courage to shake it off and try again. At Zscaler, I’ve been able to cultivate a culture that allows me to bring all my learnings to the table and encourage a team of innovators to build technology to solve real problems. Customer empathy is key to our success and the majority of our business ethos is effectively translating customer priorities into the solutions we deliver. I’m happiest when I’m sitting right in the intersection of technology, business and the customer and so excited for the ability to explore this fascinating intersection at Zscaler.

Is there a particular book, film, or podcast that made a significant impact on you? Can you share a story or explain why it resonated with you so much?

One of my favorite books of all time is Legacy by James Kerr. It is an inspiring book about the New Zealand All Blacks Rugby team. It is a business and sports book that has an interesting and touching element to it that weaves in the Māori culture and constantly comes back to the burning question of “what is the legacy you’re going to leave behind?” It is about being a good ancestor and planting trees you’ll never see. It is not about instant gratification or investing in quick returns, but instead about what you’re doing for others, and the seeds you will leave for future generations to reap. It is a book about leading a team or an organization — but, more importantly, about leading a driven life.

Is there a particular story that inspired you to pursue a career in cybersecurity? We’d love to hear it.

Thanks to my father, I was introduced to math at a very young age. Because of his influence, my interest in STEM subjects developed, and I ultimately studied engineering in university. My desire to understand how things work, to both build and deconstruct things, drove my interest in technology. I’ve always sought to be a problem-solver, and my career in cybersecurity derives from that: What can I do to help industry reduce business risk?

Can you share a story about the funniest mistake you made when you were first starting? Can you tell us what lesson you learned from that?

On my first international assignment as a systems engineer, I was sent to Oxford in the UK with another colleague of mine to demonstrate a hardware prototype at a London trade show. But much of the development and systems integration work was not yet completed. We spent six weeks writing code, doing all of the integration and testing, while we waited for the only prototype line card to show up from California so we could drop it in the system chassis. When the card came from the United States, I did not check the voltage switch (note: no auto-sensing in those days) and ultimately blew the card up. Immediately, I got the feeling that everyone in the lab was questioning whether I deserved to be there exhibiting our work. For a moment, I wondered if the group felt I was inadequate because I was a woman. I’ll never forget how embarrassed I was.

Thankfully, the team in California was able to build another one in record time and it just so happened that someone who was also traveling had to connect through London Heathrow Airport and somehow we were able to collect the new card we needed in time. The key lesson learned from that experience is you have to be meticulous — check, check, and check again. Mistakes will happen, but it’s not the end of the world. We learn from them and build muscle memory to do better the next time.

Are you working on any exciting new projects now? How do you think that will help people?

We recently announced the launch of the Zscaler CXO REvolutionaries Community, in line with our Zero Trust announcement. We understand that digital transformation requires buy-in from and deep engagement with the C-suite and IT leadership. The REvolutionaries forum brings together visionary tech leaders to showcase Zero Trust success stories, share digital transformation best practices, participate in industry events designed for CXOs, and to connect with like-minded innovators. Together, these leaders can help other enterprise leaders, push forward new technology architectures that will allow businesses to excel at their mission, and set standards for a new digital future that lives securely in the cloud.

Ok super. Thank you for all that. Let’s now shift to the main focus of our interview. The Cybersecurity industry seems so exciting right now. What are the 3 things in particular that most excite you about the industry? Can you explain or give an example?

First, this is an industry that’s never boring. Cybersecurity is a dynamic space, one with evolving challenges, technologies, and use cases. Second is the never-ending chess match between those of us on the cyber defense front line and the threat actors we oppose. The Zscaler™ ThreatLabZ threat research team analyzes more than 150 billion platform transactions and 100 million blocked attacks every day to understand emerging threats and how to stop them. In 2020, ThreatLabZ observed a notable escalation of ransomware in terms of frequency and the sophistication and severity of incidents, resulting in higher — and more guaranteed — payouts from victims. Our 2021 Ransomware Report reveals key trends and a detailed overview of some of the most prolific ransomware examples we’ve seen in the past 20 years. It is vital research like the ransomware report that equips cyber defense frontline workers with the right tools to shift with the ever-changing security ecosystem. Third is the opportunity that the industry presents. As tech leaders, we all must work together to ensure we stay one step ahead of cybercriminals. A great cybersecurity professional realizes that the learning never stops and that’s a massive opportunity to stay engaged and challenged. When security teams started out, they were built from “jack-of-all-trades” types. The discipline had not grown enough to support specialties in forensics or application security or incident response. The current workload has forced security teams to quickly scale up and out. Opportunity is there for professionals willing to challenge themselves to take it.

What are the 3 things that concern you about the Cybersecurity industry? Can you explain? What can be done to address those concerns?

Too often, we focus on technology to the detriment of user impact. Examples of that include facial-recognition software that can only distinguish certain classes of faces, or surveillance tools that impinge on civil liberties. Another concern is one of speed: The cybersecurity industry races to innovate, and yet breaches and ransomware attacks continue. Which leads me to my third concern, legacy infrastructure. Traditionally, hardware-based security approaches have focused on throwing “boxes” at the problems, impacting user experience without improving threat posture. That has to change, and it will change only when enterprise IT leaders move away from legacy infrastructure to a cloud-native cybersecurity architecture.

Looking ahead to the near future, are there critical threats on the horizon that you think companies need to start preparing for? Can you explain?

Yes. First, ransomware is exploding: cyberterrorists are launching more sophisticated, more frequent, and more damaging attacks. Second, there are new vulnerabilities: old-school castle-and-moat security cannot effectively secure IoT/OT device connectivity, and as we’ve learned in the past year, nor can it scale to accommodate a fully-remote workforce. Third, no one knows the next attack vector. Supply-chain attacks, for instance, represent a new kind of threat. What will the next one be?

Can you share a story from your experience about a cybersecurity breach that you helped fix or stop? What were the main takeaways from that story?

Last year, a major insurance company’s VPN was compromised. That company took its VPN offline and shifted 11 thousand franchisees from client-side Outlook to OWA. (No one was happy about that.) Then the company deployed Zscaler Private Access (ZPA) to enable secure connectivity to its internal resources. The install was up and running and fully tested within 48 hours, with users on-boarded on day three. We dropped thousands of users onto the Zscaler cloud platform overnight…with no capacity constraints. (Oh, and they enjoyed considerably better connectivity performance than with the old VPN.)

What are the main cybersecurity tools that you use on a frequent basis? For the benefit of our readers can you briefly explain what they do?

Zscaler develops and runs the Zscaler Zero Trust Exchange platform, and I use all of its services on a daily basis. A few to call out:

  • Secure private app access: ZPA offers cloud-enabled zero trust access to private applications in our data centers and in the public cloud.
  • Secure internet access: Zscaler Internet Access (ZIA) secures and directs connectivity to the open internet, ensuring nothing important leaks out and nothing bad sneaks in.
  • Security and Identity Event Management (SIEM) capabilities provide IT leads with comprehensive, centralized visibility into data traffic, aggregating logs from a variety of sources to enable reporting, trend analysis, and even forensics. And that ultimately improves business decision-making.

As you know, breaches or hacks can occur even for those who are best prepared, and no one will be aware of it for a while. Are there 3 or 4 signs that a layperson can see or look for that might indicate that something might be amiss?

The bad news is that often by the time a user notices the performance impact of a data breach, the damage has already been done — systems have been compromised, data has been exfiltrated, ransoms have been demanded. But users should be wary of unexpected or unusual machine behavior such as windows opening or closing for no reason, account access requiring a different workflow, or performance degradation. (One notable DLP example a colleague encountered at a former employer was discovered when a spear-phished R&D employee brought his laptop in because it was running slower than usual. Turns out he had downloaded sniffer malware when he opened an email attachment from an unknown sender while working on an unsecured Starbucks wifi network.)

Unusual financial activity on your accounts is also a big signal: Consumers should monitor credit reports for any credit or account-opening activity using their identity, and set up notifications for any such activity.

After a company is made aware of a data or security breach, what are the most important things they should do to protect themselves further, as well as protect their customers?

When a breach occurs, security leaders must act fast. First, preserve all evidence, restrict/remove access, and patch any and all vulnerabilities immediately. Second, be transparent, and acknowledge breaches as soon as they occur. Third, understand/document the attack vector used, know all systems and accounts leveraged, and call in experts to help if needed. Fourth, contain the threat, and then rotate encryption keys. Finally, ensure timely notification to all customers so they can take steps necessary to protect themselves as well.

Of course, then they should move from their legacy security infrastructure to Zscaler (!), and reduce risk to their business.

What are the most common data security and cybersecurity mistakes you have seen companies make? What are the essential steps that companies should take to avoid or correct those errors?

Too many enterprises cling to old tools or processes that have outlived their relevance. The way of work has changed — employees work on the internet or in the public cloud. Yet most organizations still employ legacy perimeter-based castle-and-moat models designed more than a half-century ago to secure a closed environment. Perimeter-based security doesn’t work anymore when everyone’s on the internet. Enterprise IT leaders must consider cybersecurity designed for the way people work now and in the future, not how they worked in the past.

Enterprise cyber hygiene practices are so important and yet too often relaxed. Most companies keep up with vulnerabilities in their public-facing applications, and perform regular vulnerability-scanning, but many do not address client browser vulnerabilities. This is one reason phishing attacks will be the #1 attack vector for the foreseeable future. Additionally, not educating their employees on the seriousness of their responsibilities in keeping the company secure continues to be a prevailing issue. Cybersecurity is everyone’s responsibility and a company is only as strong as its weakest link. It is important to frequently update your employees on new wave threats and put them through training exercises once per quarter to keep them sharp on their skills.

Let’s zoom out a bit and talk in broader terms. Are you currently satisfied with the status quo regarding women in STEM? If not, what specific changes do you think are needed to change the status quo?

As senior leaders, it’s our job to make sure all our teams feel connected and supported. Part of this involves creating a work environment where diversity of thought is encouraged and celebrated, and the assimilation of different cultures and norms can thrive. While a company may maintain a specific business culture, it is pertinent to be mindful of the individuals that make up your collective, organizational culture and be responsive to a variety of needs. For example, working mothers make up a significant part of the labor force, accounting for nearly one-third (32 percent) of all employed women, and may have different priorities compared to their colleagues without children.

Through the course of my career, we’ve definitely seen an upward trajectory. More and more women are entering not just STEM (science, technology, engineering and math) fields of study, but entering the workforce, definitely. Have the numbers been dramatic? No. I think there’s still more work to be done. This time during Covid, with its assumption of remote work, has also created tolerance around work-life integration, allowing women homeschooling their children while juggling their careers to have a flexible work schedule. As we reenter the hybrid workforce in the next year, I think we’ll see lots of changes that will be more accommodating to those needs.

What are the “myths” that you would like to dispel about working in the cybersecurity industry? Can you explain what you mean?

  • Myth #1: You must have a computer science degree or be able to code in your sleep to work in cybersecurity. Not true! Cybersecurity is a diverse field that holds opportunity for people from all backgrounds. My team comes from different backgrounds, geographies, and generations. But they are inquisitive, logical, and interested in how systems work (and how they can fail).
  • Myth #2: “Soft skills” are “optional” in cybersecurity. Not true! Cybersecurity is no longer relegated to the realm of IT: It’s a business enabler, and tech leaders must be able to speak the language of corporate strategy. Communication, collaboration, empathy, and respect are all critical skills in helping bridge the gap between business and infosec, technical and non-technical, execs and administrators, IT and end users.
  • Myth #3: Cybersecurity professionals must specialize in a single, focused area of expertise (like forensics, application security, database security, vulnerability management, firewall management, etc.). Not true! The most effective cybersecurity leaders are well-rounded innovators who leverage their own breadth of experience and even other experts to get up to speed on a specific issue to make rapid decisions.

Thank you for all of this. Here is the main question of our discussion. What are your “5 Leadership Lessons I Learned From My Experience as a Woman in Tech” and why? (Please share a story or example for each.)

Gender disparity in tech companies is nothing new and has existed for decades. Although concerted efforts are being made by companies and women’s awareness groups to narrow this gap, the statistics over the past five years indicate that we still have much work to do.

There are several reasons why women are underrepresented in tech. First, the lack of female role models in tech and in the C-Suite discourages women from pursuing careers in this area. Second, the lack of support networks along the path to help, guide and motivate women at every stage in their tech careers can limit their success. Third, retention of women technologists within the workforce is a major problem due to cultural and work-life integration issues. The pipeline leaks: There is a 50% decline in representation of women from entry to executive levels. We must address that.

Throughout my experiences, I’ve found these five leadership lessons to be most helpful for me and I try to pass along these words of advice to future women leaders:

  1. Stretch your technical skills: Invest in your learning and build that toolkit. Ask the stupid questions — it is only going to help you sharpen that saw. Get your hands dirty and explore the technologies and tools out there.
  2. Seek out mentors and find networks: Find thought leaders and experts in your area of interest — these can be both women and men. Reach out to them and build that network.
  3. Be authentic: The one thing I learned early on in my career in tech is that you are better off to be yourself. Focus on who you are and harness your individuality and talent. It will be less tiresome, and you’ll find that both women and men will appreciate you more for it.
  4. Take your seat at the table: The only way you are going to win is to play. Make your ideas and opinions heard because they matter. Diversity of opinion and input enriches the final outcome of any project. Learn to debate pragmatically and not emotionally — you can’t win every professional debate but you will come away with a better outcome with every professional discourse, and believe it or not, it will enrich you as a person.
  5. Be a lifelong learner: You have to want to be in this for the long haul. Set defined goals, make a plan to get there and put in the work. As Margaret Thatcher once said, “plan your work for today and every day, then work your plan.”

We are very blessed that very prominent leaders read this column. Is there a person in the world, or in the US with whom you would like to have a private breakfast or lunch, and why? He or she might just see this if we tag them 🙂

I find Elon Musk to be quite fascinating. His fearlessness, and willingness to be so cutting edge, push limits and challenge the status quo truly makes me feel like anything is possible. Looking at the initiatives he’s executed and concepts he’s pursued that change how the world interacts is remarkable.

Thank you so much for these excellent stories and insights. We wish you continued success in your great work!
