As a part of my series called “Wisdom From The Women Leading The Cybersecurity Industry”, I had the pleasure of interviewing Shanthi Boppana, Co-Founder and CTO of Sotero, where she oversees the company’s technology development. Shanthi has held several senior technology positions throughout her career and built innovative, analytical solutions on a broad range of modern platforms. Prior to co-founding Sotero, she worked as VP of Big Data and Analytics at Infogroup, where she was responsible for modernizing legacy platforms and re-architecting applications to leverage cloud computing.
Thank you so much for doing this with us! Before we dig in, our readers would like to get to know you a bit. Can you tell us a bit about your backstory and how you grew up?
I was born and brought up in Southern India. Growing up in India, a land of vast cultural diversity, has been quite a ride for me. My childhood has been a fairly good one and I am indebted to my parents, grandparents, and family for that. I was raised to be allowed to voice my opinions and given the freedom to shape my destiny, which I am thankful for! I grew up amidst the best teachers, who encouraged me to take pride in who I am and to follow my dreams without any limits and restrictions.
Is there a particular book, film, or podcast that made a significant impact on you? Can you share a story or explain why it resonated with you so much?
Yes, I read the book Roots, written by Alex Haley, in my teenage years. It resonated well as the whole book revolves around family as a central unit and how a family links you to your past and to your future. The long and ardent journey the author takes to find his own identity is unprecedented.
Is there a particular story that inspired you to pursue a career in cybersecurity? We’d love to hear it.
The 2013 Adobe data breach, which exposed approximately 40 million active users and their names, IDs, passwords, and debit and credit card information, was the tipping point. I started my career as a data engineer, but as the data started exploding, I started embracing distributed technologies and cloud computing. With cloud computing came the challenges of data security. I realized the importance of protecting data from breaches and started spending significant amounts of time coming up with innovative solutions to address the problem.
Can you share a story about the funniest mistake you made when you were first starting? Can you tell us what lesson you learned from that?
I once emailed the CEO of the company to tell him that it is his turn to pick up kids from the daycare and to make dinner that night. Lesson learned: Always double check that you are sending the email to the right person. It’s easy to start typing someone’s name in the ‘To’ line and click on the first name that pops up.
Are you working on any exciting new projects now? How do you think that will help people?
I am currently involved with developing the next-generation data security platform. This platform not only protects sensitive elements in the data stores but also leverages sophisticated machine learning algorithms to detect malicious activity. It can help organizations not only curb data breaches, but also monetize data without any security concerns.
Ok super. Thank you for all that. Let’s now shift to the main focus of our interview. The Cybersecurity industry seems so exciting right now. What are the 3 things in particular that most excite you about the industry? Can you explain or give an example?
Data security is being pushed to the forefront of organizations’ cybersecurity strategy as:
- More and more innovative smart IoT devices are coming into the market.
- Organizations move to the Cloud for cost and operational efficiency.
- Organizations leverage third-party services and platforms to accelerate time to market.
What are the 3 things that concern you about the Cybersecurity industry? Can you explain? What can be done to address those concerns?
Data explosion through smart IoT devices — For example, as more and more health devices are connected to hospitals and clinical networks, patient data will be increasingly vulnerable. The healthcare industry is still adapting to the digitization of medical records, and hackers are exploiting many vulnerabilities. The healthcare industry should embrace tools and platforms that can protect sensitive data without compromising ease of use.
Third parties pose a huge risk to corporations. In today’s world, corporations rely on third parties for a multitude of services to accelerate growth and minimize costs. Corporations have to put practices in place to protect their sensitive data and to not expose it to third parties.
Severe shortage of skilled cybersecurity professionals.
Looking ahead to the near future, are there critical threats on the horizon that you think companies need to start preparing for? Can you explain?
IoT devices with sensors that can collect sensitive information are expanding rapidly, especially in healthcare. In most cases they are making daily lives easier, but the attack surface is increasing with the use of these IoT devices. Currently, organizations are not focused on protecting the sensitive information generated by these devices, making it vulnerable to breaches. Organizations should adopt technology platforms that can protect these elements seamlessly without compromising ease of use or performance.
Adoption of third-party platforms and services to gain operational efficiencies is also increasing the risk of data breaches. A compromise at a third party may affect the organization as well. Companies should take all measures to protect the sensitive information before loading or exposing it to third parties’ platforms or services. They should adopt platforms which can:
- Protect sensitive information.
- Manage granular access to sensitive elements using role-based access.
- Monitor user activities that can detect suspicious activity.
Can you share a story from your experience about a cybersecurity breach that you helped fix or stop? What were the main takeaways from that story?
As a security software provider, I would never reveal any of my experiences with our customers. It is unprofessional and not good practice. In general, we help our customers protect their data from both internal and external threats. We not only help our customers protect themselves from malicious threats, we actually help them grow their business by providing the best data security solution and use that as a differentiator. What I have also noticed is our ability to help organizations unlock the value in their data assets when we remove the threat of data loss.
What are the main cybersecurity tools that you use on a frequent basis? For the benefit of our readers can you briefly explain what they do?
I am currently working on a product that can protect sensitive elements in datastores. I typically use the following tools to make sure we deliver a high-quality product:
- Veracode — Vulnerability scanning for the codebase.
- Anchore Engine — Detailed analysis of container images and vulnerability scanning.
- Metasploit — Penetration testing platform that enables companies to find, exploit, and validate vulnerabilities.
As you know, breaches or hacks can occur even for those who are best prepared, and no one will be aware of it for a while. Are there 3 or 4 signs that a layperson can see or look for that might indicate that something might be amiss?
Login-related signs — One of the important signs is anomalous connections from odd locations with nonstandard usernames and at odd times of the day.
Sudden change in rates of transactions — Sudden spike in transaction rates; unexplained traffic; sudden increase in transaction latency and decrease in throughput.
Other worrisome signs include errors in the application and system event logs, new users with admin privileges, failed logins and unusual user behavior.
You need to have robust, real-time anomaly detection in place to catch these kinds of odd occurrences, raise alerts and put a stop to anomalous behaviors.
After a company is made aware of a data or security breach, what are the most important things they should do to protect themselves further, as well as protect their customers?
The first and foremost piece is to stop the breach as quickly as possible. Time is of the essence here. The nature of containment depends on the kind of breach and systems impacted. Once it is contained, effective measures need to be put in place to prevent any further damage.
Once the breach is stopped, the next logical step is to investigate and assess the damage caused by the breach. Assessment should include the type of data involved in the breach and whether it includes any sensitive attributes.
If sensitive data is breached, all affected parties must be notified. Regulations govern the time frames in which a breach should be reported. It is often best practice to report a breach as soon as possible.
Finally, a comprehensive security audit needs to be conducted to:
- Assess current security practices.
- Identify any gaps.
- Bridge measures to fill the gaps.
What are the most common data security and cybersecurity mistakes you have seen companies make? What are the essential steps that companies should take to avoid or correct those errors?
Most common mistakes are:
- Exposing sensitive data to employees or third parties without protecting it.
- Lack of password policy, which enables users to set weak passwords.
- Using outdated and unauthorized software.
Companies should perform an internal audit of sensitive data within the organization and adopt a platform that can comprehensively protect these elements no matter where they are stored. They also should develop and implement security measures to safeguard applications.
Let’s zoom out a bit and talk in broader terms. Are you currently satisfied with the status quo regarding women in STEM? If not, what specific changes do you think are needed to change the status quo?
I am not happy with the status quo. The tech industry, after years of pretending that there was not a problem or hoping the system would correct itself, is at least finally admitting they aren’t where they hoped to be with diversity.
Encouraging and providing opportunities for women in STEM-related programs is the first step to train more women with necessary skills. Once they enter the workforce, removing hindrances that keep qualified women from rising to the ranks of leadership is another game-changing strategy. Promoting qualified women through the ranks exposes a promotional pipeline for other women in the company, and will not only increase retention, but will also help organizations close the skills and gender gaps.
What are the “myths” that you would like to dispel about working in the cybersecurity industry? Can you explain what you mean?
Data at-rest encryption protects data — Encrypting data on a disk will only protect against someone physically stealing the disk. It does not protect from insider threats. If an attacker gains access to the system, he will have access to plain text data even though sensitive elements are encrypted on the disk. An application that supports only disk encryption will operate only when encrypted data on the disk is decrypted and made available for use.
Encryption is only for compliance — Many compliance standards require sensitive elements to be protected using encryption, but the primary goal of encryption is data security. The main purpose of encryption is to protect our information from perceived threats.
Thank you for all of this. Here is the main question of our discussion. What are your “5 Leadership Lessons I Learned from My Experience as a Woman in Tech” and why? (Please share a story or example for each.)
- Passion — Choose something you can really connect to and be a leader regardless of your title.
- Teamwork — Always remember your team’s success is your success. Mentor and guide junior members, learn from your leaders and be creative in solving problems.
- Innovate — Think of the problem holistically from multiple angles.
- Evaluate — Be objective in analyzing your own action and get an accurate picture of your own strengths and weaknesses.
- Network — Reach out to people you admire. Build out a personal network. It has the potential to help establish opportunities and results.
We are very blessed that very prominent leaders read this column. Is there a person in the world, or in the US with whom you would like to have a private breakfast or lunch, and why? He or she might just see this if we tag them 🙂
Yes, it would be great to get any opportunity to meet Melinda Gates. I admire her immensely not only for her work to address the toughest problems faced by humanity, but also her efforts to empower young girls and women. She is keen on investing in organizations that “Empower girls and women”. One such organization is “Girls Garage”, a non-profit running design and building programs for girls ages 9–18.
Thank you so much for these excellent stories and insights. We wish you continued success in your great work!