Here’s How Data Experts Can Impact Cybersecurity

Your data background could prepare you for an esteemed career in cybersecurity. Cybersecurity Expert Vivek Menon explains how.

Description

Host Amir Bormand meets with Vivek Menon in this episode of The Tech Trek. Vivek is the Head of Cybersecurity & Compliance at Digital Turbine who also boasts a strong background in Data. He and Amir explore Vivek’s unique experiences and discuss how more Data experts can impact Cybersecurity.

Show Notes

04:12 – Why aren’t there more Data experts in Cybersecurity?
11:12 – Will the CISO role drastically change in the foreseeable future?
17:02 – Vivek discusses his unique background, experiences, and goals in Data and Cybersecurity.
21:43 – What are some of the benefits of closely integrated Data teams and Security teams?
26:32 – Vivek sheds light on how his Data experience helps him with his current role.

Vivek Menon

Cybersecurity Expert at Digital Turbine

Meet our guest

Vivek is currently with Digital Turbine where he is the Head of Cybersecurity & Compliance and has global responsibility around securing the firm's critical assets, ensuring regulatory compliance and building a security-aware culture for the firm. Overall, Vivek has 20+ years of corporate and consulting experience.

Episode transcript

Amir Bormand: [00:00:00] On this episode of the podcast I have with me Vivek Menon. He is the VP and head of cybersecurity and compliance at Digital Turbine. It’s gonna be an interesting episode cuz Vivek has a data background and is also a cybersecurity professional. We’re gonna talk about how his background has shaped his views on cybersecurity, talking about how he likes to set up his program and drive change.

And I’m super excited to have you on, Vivek. Thank you for being on the show. Yeah.

Vivek Menon: Thank you Amir, for having me. Super excited to be on the show as well. Looking forward to our chat for the next 30, 45 minutes. Just very quickly introduction from my end. As Amir said, my name is Vivek Menon. I’m the head of Cybersecurity and IT compliance at Digital Turbine.

Now, you might be wondering what Digital Turbine does. Essentially we connect the, we are the technical foundation that connects the mobile E. Whether it’s actual mobile phones like Android and iPhone or [00:01:00] even like connected devices, which is the next frontier that we. That we’re moving towards.

I would list a few things because there, our marketing team does a pretty good job of emphasizing what we are as a firm. So bear with me. For that we innovate the discovery of apps and content. We provide services to either carriers or original equipment manufacturers that allows a user to discover new apps.

We elevate user experience. There are a lot of things we do in app where if you are using a gaming exercise, you’re using a gaming app, you can stay in the app and not have to leave the app while playing the game to get, to elevate your experience, whether that’s buying new credits, et cetera, et cetera.

One of the biggest things we do is we connect an app developer to a publisher, and publisher in this case being publishers who put out advertisement requests and then advertisers, meaning advertisers who put in the ads in those apps. And then all of this actually means [00:02:00] that we are a true partner to a Verizon, Sprint.

All the big carriers, T-Mobile and so on, as well as like equipment manufacturers like Samsung and other Android equipment manufacturers. We like to think that we have a moat because we are first party, we are part of the mobile device to begin with, and so that gives us a lot of I would say added benefits of, being part of the ecosystem right from the get-go.

And we are excited about where, our next few years will. Yeah, that’s a little bit about Digital Turbine. I’ll quickly wrap up by giving my profile as well. I’ve been with DT for the last seven months close to eight months now. Before that I was in leadership roles in cybersecurity at JP Morgan Chase.

Out here in Dallas, Texas. And then before JP Morgan, I was with another financial services company, Capital One, part of their cybersecurity leadership team as well. But as I mentioned, I made my way into cyber through data. So I have probably a bulk of my career was, has still been in [00:03:00] data.

I’ve recently shifted to cyber around seven, eight years ago. So again, looking forward to bringing all that back into how. It has led to me being 

Amir Bormand: here. Absolutely. Now, thank you for that. And yeah, the topic, obviously, we wanna talk about some of that, data convergence with your cybersecurity, Yep.

Day out for the last five, six years at least. And obviously there’s a lot of data implications in security. It’s all data. So I’d imagine someone with your background who understands data engineering and has a background of building those data solutions. Benefit. I guess let’s maybe just talk about that.

So you don’t see a ton of cybersecurity professionals that come through the data ranks as much. Maybe if they’re, within privacy or data governance perhaps. But in terms of cybersecurity, being a CSO, it’s a little bit less common, why do you think that path is less taken? In general?

Why do data people don’t, make that side step to security as, as often as maybe they should? 

Vivek Menon: So I think it, it has to [00:04:00] somewhat go back to how cybersecurity was viewed previously. A lot of cybersecurity was equated to compliance in the years past. And so that naturally led people who were focused more on IT general controls, for example, for public firms or have had a career in privacy or for that matter, even legal.

There are many organizations even today, Where the CISO or the head of cybersecurity resides within the legal organization. And so it goes back to how the evolution of security has happened in that particular firm. But in general, that’s where most of the CISOs came from. I would say 10 years ago what you would see today in today’s world, a lot of the automation that has come through in cybersecurity is around automatic data automated data collection.

Security automation, the rise of the SIEMs and the SOARs, all abbreviations that most people in security are pretty versed with. All of that has come about because today we can collect data at a [00:05:00] scale that was not thought of or thinkable five years ago. Not only that, but aggregated to a degree that the data becomes meaningful and then analyze it.

But before I go down that route. Let me share a story. It would be much more, I would say, consumable for your audience, almost two decades ago, maybe more than that now, I started my career as an ETL developer, which is extract, transform, load. And you know this, that’s the bread and butter of what a data engineer would do in today’s age, right?

You extract the data, you transform the data based on business needs, and then you load the data. So did that for a good amount of years, like four or five years, learned a ton about how to do ETL, extract, transform, load. And then made my way into data consulting. I went to business school at UT Austin Yeah, in Austin.

And through that I, I got into consulting with s but I stayed true to my data roots. A lot of the management problems we were solving were [00:06:00] essentially data problems. The reporting was not there, there was no belief in the data that was collecting. A very common term that’s used in the data world is one source of truth that didn’t exist for many of my clients.

So my role was to go in and build that data governance program. Collect the data establish what was called as a one source of truth, and then use that to drive reporting that these executives could use to make decisions. So that was my evolution. And then fast forward, that got me into Capital One.

I was still focused on data, specifically building big data on cloud. And so when Cloud came about, specifically AWS with Capital One, we pretty much, all of us had to learn everything from scratch, including data security on cloud, an alien concept. The shared accountability model was not something that was, that people were well versed with or well understood even.

And for us to begin to [00:07:00] storing financial data on cloud was was a big deal. And so we had to self-teach ourselves a lot of cloud security roles, which today, Is, a whole bunch of tools. But at that back six, seven years ago, you had to write your own scripts. So that was my gradual introduction into I would say cloud security.

Being part of the data organization. Now, what really flipped the switch was the cybersecurity issues that we were having in the organization were pre predominantly data collection. Like we were doing a lot of operational. And we were not using data to drive decisions at a higher level and make our access management better, make our vulnerability management better and so on.

So that led to the CIO, the divisional CIO, asking me to take on additional responsibilities around cybersecurity. Focusing on identity and access management and vulnerability management. And yeah, that’s, that, that’s how I grew my career. But no

Amir Bormand: I think that was, I thought it was a great story to see that [00:08:00] evolution.

I was gonna ask you cuz you know, as you came up through the ranks through data and you learned security data security is a good fit with each other. When you look at other peers in the industry who necessarily don’t, come through data and how they view data and the relationship to security.

Obviously core, core business is to protect the data, right? Keeping people out. But really it’s to keep them from getting to the data for the most part. It seems like it’s a big core, like you would think that this is, this would be a, maybe a natural progression to move to data security and then into CSO position.

Is it because it’s new, you mentioned it’s new, like security, from previous days to now has evolved. Is it because it’s new and we just haven’t connected the dots, or is it just, just non-traditional and just it is what it. 

Vivek Menon: I think it’s because it’s new. There is an aspect of it being non-traditional as well.

But just to pull pull further the thread I was mentioning previously a lot of previous CISOs had, they were essentially good security engineers that then [00:09:00] evolved into CISO roles and made their way into the executive ranks and so on. And a lot of those good security engineers build their credentials on essentially network security.

So that part of the equation, they knew really well. But as cloud became that much more critical and the fact that we are now generating a whole lot more data than what we were like 10 years ago there is some stat out there that we pretty much double the data every year, like on a yearly basis. So that has, I would say, tilted the equation a little bit in, in terms of people who come with a data background. If you understand how to protect data on cloud, and if you understand. Building that single source of truth, whether it’s knowing where your vulnerabilities are, where your high and critical risks are, or from a compliance point of view, like where your access issues are.

I think that drives today’s CISOs a whole lot more than it used to in the years past. And so you I, this is not like a [00:10:00] Nostradamus like prediction, but I do think that you would see a lot more individuals having backgrounds such as myself, eventually making their way into the C-suite as well from a, a security point of view.

Amir Bormand: Interesting. I just, yeah. Obviously we can’t predict the future, but it is interesting that, and obviously that the traditional security through the network security. Infrastructure security side, obviously you have the data security side as well. Do you think the C role could be broken up into different pieces?

Obviously data security is a very specialized component of security. Obviously network and cloud security, it’s a little messy. The cloud has made things messy to pull them apart and build, clear lines. But do you ever envision maybe the CSO role is more absorbed into the actual functional roles and not an actual.

Like specific 

Vivek Menon: title. I think we are still early in how the CSO role is viewed at the C-suite level for it to go back into what I would call like the [00:11:00] functional levels. This happens like it’s almost cyclical. This happens with the, the accounting group the financial group quite often.

But what, what is termed as federated versus non-federated? Like non federated means like it’s centrally managed, but it means like the business units or groups are so big that they eventually need to have their own people who focus on data security, vulnerability and so on. I think we’re still too early in getting to the federated model. Now, there are exceptions, as with everything else in life.

Bigger organizations are already there, but the necessity of what drives that is essentially their. So a lot of business units huge, I would say Fortune 50 organizations. A lot of them have divisional ISOs or DSOs information security officers. They have business information security officers.

Then there is the field CSO, which if you’re a product company, the field CSO will go out and talk about your, the security of your product and so on. [00:12:00] So we are seeing an evolution of that in various formats. But overall, would this be something that is a pattern that’s adopted by majority of the firms?

I think we are still a little bit early in that in that curve. 

Amir Bormand: No, that’s interesting. That makes a lot of sense, obviously early days, let alone, the skillsets are very hard to find to, to segregated, especially, the cloud integration and the cloud vulnerability side of this.

I guess a question for you you come to security with this background in data, when you talk to other colleagues in the industry, other peers, other security leaders, and you look at how you. Have built your program and how you view your program. Is there a fundamental difference in how you view a security program?

Obviously, I know there’s protocols and frameworks that everyone abides by, but just like from a personal standpoint, because you do have that data background, is there a difference in how you see things? 

Vivek Menon: I do the first, one of the first things that I actually did is how much data can we collect on a regular basis that is [00:13:00] trustworthy, that we can then show to a wider audience to drive behavior change.

Because today not necessarily talking about my current firm, but many of the firms that I have been in otherwise as well, we tend to place a lot of emphasis on hearsay and anecdotal evidence. Where like I don’t think our email security is appropriate or I don’t think we do a user access review at the consistency at which we should do, et cetera, et cetera.

But a lot of the data is available now. It’s just a matter of whether we want to in a spend the time collecting that data in a fashion that is actually consumable. So when I came in, I certainly emphasize that. Where I I have a dashboard today that I leverage on a biweekly basis to drive discussions not only with my team, but also my peers.

Because if you can’t you can’t manage what you can’t measure. And so for that I need to know that we are making progress. And a lot of that, again, [00:14:00] tied back to your previous question, goes back to some of the innovations that have happened in cybersecurity. Like the cloud security posture management tool we use is agentless.

So I don’t have to necessarily worry about who’s spinning up what instance in which account because it’s done through the overall organizational account. It gets picked up by the agentless CSPM tool, cloud security posture management tool, and I have that data handy as soon as I log into the dashboard.

And I use that information and the trends coming from. To drive what the DevOps team should be looking at, what the site reliability team should be looking at, et cetera. It’s a metric that I’m accountable for in terms of vulnerability management, but the responsibility of that is shared. So I, my goal is to put in the processes together, shine the right amount of light on it.

On how quickly we should make progress, why is it critical, triage it and so on. But then work with my peers [00:15:00] on the DevOps and SRE side to ensure that, it’s, it gets taken care of and we are mitigating the risk for the firm. But yeah, that’s a little bit of an evolution that that I brought in coming into my role.

Amir Bormand: Absolutely. And I know, Digital Turbine obviously we start touching, some of the ad tech components and, I was just thinking as you’re talking, you have this data background. Ad tech and mobile tons of data, tons of discussions around, privacy and whatnot.

As you’ve come into this role, and just as the time of this recording, you’ve been there about eight months, just so that everyone’s aware. You bring the previous experience, Capital One, JP Morgan Chase as you’re looking at the current role and using some of the previous tools obvious.

You have that data centric view what have you been trying to accomplish given, it’s a different industry you do have a little bit of a, non-typical background. H how, what are some of the, high level objectives moving into this role that you’re hoping to achieve?

Vivek Menon: Yeah, so there were a couple of them and [00:16:00] I list them out. I think number one I would say is to be a trusted business advisor. Security gets a bad rep that they’re the folks who say no to everything. And there is some truth to it, no doubt. But I think that, that mentality has also evolved.

And I was very, I would say, focused on not bringing that mentality over to to my current employer. So building those relationships with the precedents of the business units, the sales teams, and collaborating with them in ensuring how security can be a business enabler was top of the agenda for me.

And there were, there, we have had some good wins we also do business with a lot of big providers. Obviously they have their own security requirements. So someone like me coming in, like taking them through what we have done, our profile and how do we implement controls that generates a lot of goodwill for the firm.

And they feel hey, if there is some data exchange with this company we are in good hands because they have the right amount of controls and the right personnel [00:17:00] involved in this as well. So that’s number one. Second, a lot of my focus and time is spent on education. And education is at every level.

We are a public firm, so I spend time bringing the board up to speed on what our critical risk areas are what we have done over the last quarter. Cause it’s a quarterly update and what we see, like where are we going in the next two quarters and how does that play a role in mitigating the overall risk profile for dt?

So it’s educating the board, it’s educating the executive team. This is a team that, has come together through various acquisitions. A lot of them were startups, et cetera. So while all of them are good technical, solid technical engineers and product people, security is something that needs to be talked about to be top of the mind for them.

So I’ve conducted forums where I specifically talk about it. I do fireside chats. And I did one with my CFO and the president of one of our business units specifically [00:18:00] because I wanted somebody who is responsible for making money, which is the president, and then the CFO who’s responsible for ensuring that everything ticks and ties from a budget point of view, et cetera, and hear their views about security and why it’s important for the organization.

So conducting those kind of fireside chats also provides an opportunity for me to educate not only the. But then our employee base as well. And then staying on the education topic, like there, there is a lot of effort that we put in on educating our employees. We sent out weekly newsletters for the Cybersecurity Awareness month.

We aligned them with. What CISA was recommending around the topics. And then now we are conducting what is called as a cybersecurity awareness proficiency assessment. Essentially it’s an assessment not a training given what they read about and what they heard about in October. Like where do they think their level of knowledge is about general cybersecurity awareness?

And then once we get the results back in, in a [00:19:00] few weeks time, the goal is to use that to drive further personalized training needs for the organization. But yes, education is still the number two topic for me. And then third, I would say there is a lot of tools. Sprawl as it is, there is a lot of tools, sprawl in the cybersecurity industry.

But given that we are, we have come together as multiple different firms through acquisitions. Some of those tools were overlapping. Some of those tools were were not meeting our needs as an enterprise organization now. So focusing on that and ensuring that we streamline what tools will meet our future needs.

And doubling down on that and I would say clearing up some of the other aspects of tools that we don’t necessarily have to manage given we have something better that meets our requirements. So that’s been the other focus that I have. So that’s the 1, 2, 3 for me.

Amir Bormand: Yeah, I guess when you mentioned yeah, obviously you’re a big data guy, you like to see the data and not just hearsay. As a part of that culture and, the, you’re focused on that [00:20:00] data, providing the metrics. How does your team deliver those, just outta curiosity, if it’s all internal, are you partnering with the data team, or how does that actually get.

Vivek Menon: A lot of it is tools that we have at hand. So I talked about an agentless cloud security posture management tool. We have an endpoint protection tool as well. Multiple tools that we gather data from. Then we use a particular tool for collecting our risk management, like critical, high, medium, low risk, and then another tool for our ITGC compliance metrics as well.

So all of those tools are something that we have access to directly and we can leverage the data in those tools are actually not something that we own, per se, are owned by some of our peer organizations. But we have agreed to on a process with them that the only source of truth is that tool.

So we would stick to that and we would keep using that to manage progress. The goal is we don’t necessarily. I would say [00:21:00] emphasize on what the data today tells us or what’s the point in time data. We talk about the trend. We say last month it was this, are we doing better from last month?

And so if you have made progress on it, the source of data and the accuracy of data, there is some amount of leeway that you can have in that as long as you know you’re trending in the right direct. And then I aggregate that information as I present to the executives and the board and so on.

Awesome. 

Amir Bormand: I was actually thinking you probably sit in a very interesting spot to, to give advice cuz obviously you made the journey yourself, but if some, if somebody you know, isn’t data, had a similar path to, or, in the data engineering space, there could be other parts of data.

It could be analytics, could be anything but their interest in security. Obviously in your case, the opportunity just presented itself. You grabbed it, which is good. But if somebody does see some of that overlap, maybe they work in data governance, they, they deal with some of that kind of stuff.

Like how would you start [00:22:00] shifting your career just outta curiosity. That’s maybe a good takeaway if someone’s listening who’s Hey, I’m in data, I’d like to go to security. 

Vivek Menon: Yeah, I would say cloud data security, the number one reason that will or the number one avenue for you to actually make that switch.

Data security has evolved on the cloud. With incremental progress being made by the cloud service providers as well as a whole host of tools that have come along. But we still are, I would say there are a lot of Guardrails that are not followed by mature organizations. So even understanding how data sits differently in the cloud understanding how key management works what scenarios do we use keys and protect our data.

In what scenarios do we rely on a provider a cloud service provider provided keys and so on. Those things are so critical and somebody who. That in-depth data, storage knowledge we can probably talk about at length how to encrypt at [00:23:00] rest, how to encrypt in motion, how to encrypt in use, and if you are looking to make your way into security I think data security is a fabulous way to do that.

And then second tip I would say is around privacy. EU GDPR gets brought up as the 800 pound gorilla. And so it should, because that’s what sort of led everybody else, every other organization or state or country to take it seriously. And you are seeing the effects of that.

There are like five privacy laws in the US that are coming online on January 1st. But if you are, if you get well versed around, If you’re able to get some certification, both on the data security piece as well as on privacy on, to be even more specific, I would say, on data security, like AWS and GCP, they both have data security, specialty, and a security specialty.

Sorry. And so if you focus on that and get that, which will take some time, even though if you have worked in cloud that is a big. I would say door opener for you. And then on the privacy side, there is an organization [00:24:00] called C I P and they do both EU specific certifications as well as US specific.

So specifically too many specifics, but the California one and those things, I think will be a massive boost to any resume as you think about moving away from data and just focusing on security. 

Amir Bormand: I like that. Yeah. Obviously the data of your privacy aspect. Yeah I was gonna touch on that.

I was just curious to get your thoughts. Obviously a couple more laws coming online. It’s evolving your background in data. How close do you stay to that component? Because obviously it probably fits your profile. 

Vivek Menon: Yeah. The, I would say the overarching nonprofit group in advertising technology is called Interactive Advertising Bureau, or IAB.

And as part of the role that Digital Turbine plays in this space, I’m part of their security working group. And we meet on a weekly basis. We talk about all things security and privacy and given what’s coming up in, in the next few weeks with five different privacy laws coming online, that’s been [00:25:00] the deep dives that we have been doing.

Lot of intense conversations around this, right? Like we all the firms want to do what’s right, what’s appropriate, ensure that we are compliant to the laws, et cetera, et cetera. But there is a lot to. And so by being part of these industry forums, we are able to get together all the experts, people who have similar issues and get them to talk about how to tackle this at a holistic level as opposed to every firm going at it, in their own capacity.

So yeah those kind of conversations are happening and in there’s some good amount of headway that has already happened, and the entire industry is benefiting from. Awesome, man. 

Amir Bormand: I was gonna say, I think your background’s kind of unique and I was hoping to cover that with you since I don’t see it a lot.

I do have some cybersecurity professionals on and thought it was, thought it’d be really cool. So I appreciate you coming on and sharing. Thank you for that. 

Vivek Menon: Of course. Yeah. Yeah. I’m glad I could come on, like kinda spend this time. 

Amir Bormand: Awesome, man. So I guess before we let you go, I always like to ask each guest this to get their thoughts, but yeah, I’d like [00:26:00] to see if you could have a future guest cover a topic for the show that you’d like to hear about.

What topic would you like to see on the show? 

Vivek Menon: Yeah, so this is a little bit specific, but it would be interesting if you can find somebody to talk about this. For public firms there’s financial compliance and then there is IT general control compliance, and how it’s handled in organizations is very different.

Because overall SOX compliance resides in the financial organization, but the responsibility of ensuring adherence to IT general controls is with the security organizations and so on. I would be interested to know from future guests, specifically people who are working for public firms, how is it handled?

What are the best practices that they can recommend for somebody like me, and like how do they see this evolving in the future? Because ITGC is going to start gaining more and more prominence in terms of overall controls. And so it might be something that [00:27:00] takes a shape of its

Amir Bormand: own.

Absolutely. Yeah. If somebody. If that’s somebody’s background I think, I’m sure that’s a topic other people would love to hear, so reach out to me, let me know. I’d love to have somebody on the show to talk about that. And if somebody wants to get in touch with you just to talk about anything you mentioned on the show, what, how would be a, what would be a good way of reaching out to 

Vivek Menon: you?

So best way to reach out to me would be on LinkedIn if you search for, that’s V-I-V-E-K, my middle name, S, and Menon, M-E-N-O-N. The S is important because it’s somewhat of a common name, so if you add S you will directly land on my profile. But yeah, happy to connect, happy to talk about what we just discussed here.

I’m sure there are a lot of like-minded and kindred souls out there that. That we can, I can connect with and mutually benefit. 

Amir Bormand: Absolutely. We’ll put that in the show notes to help people find it. Thanks for being on. I appreciate it. Likewise. 

Vivek Menon: Thank you, Amir. Thank you everyone.

Amir Bormand: Awesome. That’s it for this episode. We’ll be back on different topic, different guests. Yeah, I always ask if obviously you know, someone that can talk to Vive [00:28:00] podcast topic, please reach out, love to have you on. And secondly, if you like the podcast, please share it with somebody else. That’s how the whole thing’s grown so far.

And also if you could. Drop a rating on Apple or Google or wherever you listen to the podcast. That’s great cuz that’s how the game’s won. But I appreciate everyone who does that every week. But that’s it for this week. Be back again. Thank you and goodbye.
