As a part of our series about “5 Things You Need To Know To Optimize Your Company’s Approach to Data Privacy and Cybersecurity”, I had the pleasure of interviewing Vidya Phalke.
Vidya is responsible for MetricStream’s technical architecture and strategy. Prior to being promoted to the CTO position, Vidya served as Vice President of Product Management and Engineering at MetricStream where he was responsible for Software Products and Platform Delivery. Since joining in 2003, Vidya has been instrumental in transforming the, then nascent, GRC Platform vision into an industry-leading GRC Software.
Over the course of his career, Vidya has held various Senior Product Management and Engineering positions in Bivio Networks, Narus and Network Programs, building enterprise-grade businesses and operations support systems. Before joining the software industry, Vidya was an Academic at Rutgers University where he won two SBIR grants for cutting-edge research on Databases and Network Optimization. Besides a PhD in Computer Science from Rutgers University, Vidya holds a Management degree from MIT Sloan and a Bachelor’s degree from IIT, Delhi, India.
Thank you so much for joining us in this interview series! Before we dig in, our readers would like to get to know you. Can you tell us a bit about how you grew up?
That’s a great question. It is always interesting to just understand someone’s history and get a sense of where their perspectives are coming from. Roughly the first half of my life I grew up in Delhi, India; the second half has been in the U.S. I was brought up in a middle-class family with an academic focus. Back in India I learned a lot about the importance of building on your passions, family values, and tenacity. Once in the U.S. I learned about how to shape your destiny and those around you.
Is there a particular story that inspired you to pursue a career in cybersecurity? We’d love to hear it.
I grew up in the 80s and saw the Chernobyl disaster; we have seen the Bhopal gas plant’s major cyanide gas leakage, and, fast forward, the Bernie Madoff scam and the offshore drilling accident at Deepwater Horizon. The common thread in those is that they are all man-made. In the last two decades you think about digitization, the internet and everything becoming data driven. Through cybersecurity and Governance, Risk and Compliance (GRC), we look to unearth information and hidden insights that can mitigate and avoid future disasters.
Can you share the most interesting story that happened to you since you began this fascinating career?
I always get fascinated by the additional “aha” moments the customers get. It is always about the customer. They buy into a GRC risk platform and way of thinking. The “aha” moments are when they realize there is something else the platform allows them to do.
As an example, we had a banking client where they were using our SaaS solution for managing their risk and platform. After multiple years, we introduced an AI and natural language processing-based solution on top of that. They were able to unearth issues and insights around what they thought had been solved the first time. Almost like unearthing ‘unknown unknowns’ for them — this definitely helped them bolster their risk management and cybersecurity. Those are things I get excited about; it is a cool innovation exercise where we co-innovate with customers. Each customer is different and needs something in a different fashion; I love ideating alongside them as a GRC SaaS leader.
None of us are able to achieve success without some help along the way. Is there a particular person to whom you are grateful who helped get you to where you are? Can you share a story about that?
Oh boy, that could be a very long answer! Going back to my business school, thesis and PhD days, my advisors have always been a core set of my inspiration. It is because in an academic situation there is always room to grow and explore different things. Not only during those programs but further on, my colleagues and team members inspire me. There is a program where interns come to MetricStream, and I get inspired by their work. They are given high-level guidance, but the level of research and legwork they do on their own is amazing to witness.
Are you working on any exciting new projects now? How do you think that will help people?
There are the ‘unknown unknowns’ use cases at MetricStream. I also run the GRC labs where we execute on machine learning, robotic process automation and chatbots. We are also working on risk analytics in contractual documents. Any company has hundreds of thousands of contract documents that can lead to risk and compliance problems. I am working on that program to sift out nuggets of information and insights that can help our customers.
What advice would you give to your colleagues to help them to thrive and not “burn out”?
I think the more senior you are, the more you need to be careful of the amount of work you are creating for others. What we don’t realize is that, in a position of power, a literal one-liner said by you can become a mini project for somebody else. That self-realization, I think, is extremely important, especially during COVID-19. While working from home we lose face-to-face contact and the body language from your peers. Other than that, you need to figure out what to manage, and know what assignments to do yourself without overextending your workload.
Ok super. Thank you for all that. Let’s now shift to the main focus of our interview. The Cybersecurity industry, as it is today, is such an exciting arena. What are the 3 things that most excite you about the Cybersecurity industry? Can you explain?
Number one, cybersecurity is morphing beyond infrastructure to a more fundamental enabler of business, and looking beyond it. It is amazing the rate at which companies have picked up cloud and SaaS applications. It is an opportunity for cybersecurity to say, no matter where the business goes, we need to be a trusted partner to ensure that all the tenets and fundamental controls are in place to protect assets and data.
The digitization pace has also gone up significantly. The fact of the matter is there is no more verbal, conversational whiteboarding; even the whiteboarding is done in a digital space. This gives you a way to really investigate the material and form a foundation. It is a much better place to look for and intercept risks, fraud and breaches because of digitization.
And then third, I think there is a good understanding, from a global perspective on cybersecurity and risk, that all the government, private and public collaboration is going to become even more important than we have seen due to COVID-19. The amount of collaboration we have seen among healthcare, business and policymakers has stepped up quite a bit. I am working on a project called MPrivacy.org where we work across telecommunications, healthcare, government agencies and MetricStream to figure out how to use mobile connection data for contact tracing during COVID-19. We are streamlining the metadata so the decision making on this can be done in real time. This is just one example where we see various industries coming together so that next time something like this happens, we are ready.
Looking ahead to the near future, are there critical threats on the horizon that you think companies need to start preparing for?
The way I think about it is, as cybersecurity roles are expanded to all areas of the company, their job is transforming from merely being watchdogs to being educators in a sustained fashion. They shouldn’t be educators only in the beginning, where you buy a SaaS application, do some diligence and then forget about it. It needs to be a sustained way of doing it, where you have regular assurance that the cyber teams are working together with third-party operators.
At MetricStream, we say that cybersecurity has transformed into cyber resilience. It is not just about making sure your password is set correctly but making sure the integrity of the company is maintained across actions and tools. MetricStream just released a trust center where customers and prospects can engage and find out what we are doing in terms of cyber resilience and cybersecurity compliance. Thinking about the threat horizon, the bad actors are there, but it is key to have resilient thinking that allows for multiple backup plans in place. For threats, companies need to evaluate how good their resilience program is. Threats are going to occur; building backups into your philosophy is advice I recommend all the time.
Do you have a story from your experience about a cybersecurity breach that you helped fix or stop? What were the main takeaways from that story?
I have worked on those a bit, but unfortunately the specific stories fall under confidentiality zones. As an organization in those situations you need to assess how well prepared you are as a learning organization. You need to have a strong foundation in the kind of thinking and people you have in the cyber team. They need to obsess about root cause analysis to make sure any breaches, or near misses, never happen again. It is part of the DNA; when people say “secure by design,” those are the kinds of things companies really need. If you have those in a good fashion you will be prepared when a threat arises.
What are the main cybersecurity tools that you use on a frequent basis? For the benefit of our readers can you briefly explain what they do?
Well, we do use our MetricStream GRC tools every day, and various asset security assurance tools. However, more important is the philosophy of how we use these tools. The fundamental purpose of these tools, at the large scale of a company, is to get first-line intelligence and take instant action. These tools need to be insightful and actionable to avoid threats. The staff need to be trained on the business impact as well as the security implications. As companies grow bigger, you can get lost in the choice of tools instead of ensuring their meaning and purpose.
How does someone who doesn’t have a large team deal with this? How would you articulate when a company can suffice with “over the counter” software, and when they need to move to a contract with a cybersecurity agency, or hire their own Chief Information Security Officer?
You essentially need to look through the customer lens. This starts to give you a sense of what data you are dealing with. If you have a simple application without consumer data, you can probably stick with an off-the-shelf solution. It really depends on what data you are a custodian of and what the volume is. If your IT has enough understanding of your datasets, you can start with a smaller, more focused solution, but depending on the scale, it could require a larger team. It’s truly a continuum, but you really need to start by looking at the current information you’re processing and go from there.
As you know, breaches or hacks can occur even for those who are best prepared, and no one will be aware of it for a while. Are there 3 or 4 signs that a lay person can see or look for that might indicate that something might be “amiss”?
Employee diligence can have a major impact on your overall security and resilience, and is something more organizations should be emphasizing. One of the oldest measures you can take is still very relevant, and that’s looking for basic phishing emails. Zoom and email fatigue are real, and people may be paying less attention to the sender’s address, potentially leading to a breach.
Another sign to look for is inconsistencies or suspicious activity across devices. Is your application behaving the same on desktop vs. mobile? This is good insurance to determine if a bad actor is trying to impact your infrastructure.
Finally, it may sound simple, but ensuring your employees are educated on your cybersecurity policy can ensure they know what to look for, as it can change depending on the organization or data.
After a company is made aware of a data or security breach, what are the most important things they should do to protect themselves further, as well as protect their customers?
The first course of action needs to be containment. You must immediately determine what will be impacted within the organization and take appropriate action, while also alerting your customers to the issue. Once it has been contained, work with your cybersecurity insurance provider to determine who can best help. Many insurance providers offer more than just insurance, with access to various professionals and task forces. There are government agencies such as USSS that will get involved and help if the problem is large enough. Working with these folks early can make all the difference.
As a risk and compliance company, customers are really looking for our help here to integrate various privacy controls as the global regulatory landscape continues to evolve. While these laws are primarily focused on consumer privacy, businesses still need to be aware of the complications, especially in a global setting. One thing we’ve consistently seen is the power of automation in dealing with different regulations. Automating certain consumer interactions, such as unsubscribing consumers from a mailing list, can make life easier for your policy and compliance teams down the road.
What are the most common data security and cybersecurity mistakes you have seen companies make?
I think the most common mistake I see is not treating cybersecurity as a shared responsibility across the entire enterprise. Many organizations see it as something that can be simply solved and maintained by SaaS and a smaller team, but every single team needs to consider security in their day-to-day operations. Additionally, if cybersecurity is to become a core focus within an organization, information must be shared regularly and aggressively, something we don’t see a lot of in various industries. By giving employees access to crucial information, you are empowering them and their teams to consider security and resilience in all of their activities.
Since the COVID-19 pandemic began and companies have become more dispersed, have you seen an uptick in cybersecurity or privacy errors? Can you explain?
Our customers see MetricStream as a trust center for the risk and compliance operations within their organization, and they are engaged with our platform at higher levels than ever, suggesting a renewed organizational emphasis on security and resilience. Of note, we are seeing more end-user security protocols as more employees are responsible for their devices away from the comfort of an IT team. We’ve also seen an increase in targeted attacks on individual work laptops as bad actors try to infiltrate infrastructure from potentially weaker endpoints.
Ok, thank you. Here is the main question of our interview. What are the “5 Things Every Company Needs To Know To Tighten Up Its Approach to Data Privacy and Cybersecurity” and why? (Please share a story or example for each.)
Number one, as mentioned earlier, it’s critical to see cybersecurity as a shared responsibility across your organization. For example, if your commerce team isn’t aware of a potential breach with a payment vendor, they might carry on as normal not realizing they are risking customers. If they had a better understanding and visibility into the organization’s security stack, they could provide better risk mitigation and customer communications regarding the issue.
Number two is to really evaluate your security team’s ‘best practices’ on a regular basis. The state of cybersecurity is constantly changing, and this year’s best practices in preventing an attack might not be relevant at all next year, or even in six months. Not resting on your laurels and pushing your policies to the cutting edge will lead to a more resilient organization.
Third, I think it’s very important to provide proper resources and staffing to the cybersecurity teams within your business. Luckily, this is a trend we’ve seen increase in recent years, but security still remains a more neglected function of most businesses. By simply increasing budgetary focus on cybersecurity now, you could potentially save millions of dollars in the future. This could be as simple as adding new SaaS resources, or auditing your stack regularly to see what improvements can be made.
Next, the sharing of information must expand beyond the cybersecurity team and C-suite. Most companies are resistant to sharing “complex” security information with too many employees, but by empowering your employees with the knowledge of your security stack, you are helping them make smarter decisions that take security into consideration from the start.
Last but not least, education may be the easiest and most effective tool in quickly tightening up your security stack. Hold regular webinars with employees to remind them of data policies; create an internal newsletter on notable industry breaches and how they could have been prevented; do whatever it takes to educate employees on the importance of cybersecurity within your organization, and more diligent and attentive employees will follow.
You are a person of enormous influence. If you could inspire a movement that would bring the most amount of good to the most amount of people, what would that be? You never know what your idea can trigger. 🙂 (Think, simple, fast, effective and something everyone can do!)
To stick with cybersecurity, I just want to spread the movement of trust, but verify. You hear a lot about zero trust security environments, but that can slow organizations down and stymie innovation. I would love to see a broader acceptance of the trust, but verify movement, as I think it leads to smarter and more agile business practices.
How can our readers further follow your work online?
We’re always blogging at the MetricStream blog, so be sure to check out our articles there. You can also follow me on LinkedIn.
This was very inspiring and informative. Thank you so much for the time you spent with this interview!