Understanding The Ins and Outs of Information Security

CISO Rohit Parchuri delves into the intricacies of the information security field with host Amir Bormand in this episode of The Tech Trek.


Description

This episode of The Tech Trek explores the field of Information Security. Host Amir Bormand sits down with Rohit Parchuri, the Chief Information Security Officer of Yext, to discuss Rohit’s background, experiences, and insights concerning the world of Cyber Security.

Show Notes

02:09 – Amir and Rohit briefly discuss the history of the CISO (Chief Information Security Officer) role.
06:23 – Rohit explains his strategies for building out Information Security teams.
10:14 – How do Security Architects fit into the Cloud Security pipeline?
14:12 – Rohit shares his insights on dealing with human issues versus technical issues.
21:52 – How to meet the needs of your team by anticipating potential challenges that may arise later.

Rohit Parchuri

CISO at Yext

Meet our guest

Rohit Parchuri is an accomplished Information Security executive with an established record building, structuring and institutionalizing Cyber Security principles and disciplines in a variety of organizational domains. He is currently leading the Cybersecurity program at Yext, a bleeding-edge AI Search platform.

Episode transcript

Amir Bormand: [00:00:00] On this episode of the podcast I have with me Rohit Parchuri, he is the CISO at Yext. We’re gonna be talking about the different functions in the security ecosystem: different roles, different involvement, how the reporting structure works, interaction with other stakeholders. And to top it all off, the CISO role on the security function is pretty new. We’re gonna talk to Rohit about all this stuff. Thanks for being on the podcast.

Rohit Parchuri: Absolutely. Thanks for having me. Glad to be here.

Amir Bormand: Awesome. Let’s start off with two quick things. One, tell everyone what Yext does, and I know you’re the CISO, but just let everyone know what some of your responsibilities entail.

Rohit Parchuri: Yeah, for sure. Let me start off with the company and the things that we do. So Yext is basically an answers platform. So in other words, we’re a search and listings portfolio company. So what Google Search basically does for consumers like you and me, we do that for enterprise businesses and clients thereof.

So we do have different product lines. Of [00:01:00] course, everything branches off into something called a knowledge platform, which is where we collect the business facts such as locations, data, your timing, your work hours, et cetera, for a business. And then we disseminate that elsewhere into the products that I just spoke about.

So from my role standpoint, I am responsible for basically all things. This means all the way from IT and enterprise security, zero trust, data protection, application, product and cloud security. And also audit, field security and third-party risk fall into my realm. We do have a pretty great team that works for the CISO office and we’re pretty proud of the things that we do protecting the company and also defining how exactly we need to think about the security function as we mature out.

So yeah, that’s me and my team. There we go. 

Amir Bormand: I guess a good starting point is, I know you had mentioned obviously the CISO title’s pretty new. I went and Googled it, but maybe give us a little insight in terms of how new it is and how it’s grown over the last decade.

Rohit Parchuri: Yeah, for [00:02:00] sure. So this actually came as a surprise for me. I didn’t know that the CISO title was that new, but it makes sense if you think about how it’s been evolving and how young the industry itself has been, like the cybersecurity industry. I think I caught the statement somewhere in one of the podcasts, and one speaker was talking about how it was only in ’95 when we actually had a new security executive title, which happens to be the CISO.

And now of course it has taken on different shapes and forms, but we’ll talk about that more. But I think this began in ’95. I think Citigroup was the first company that actually introduced this. The intent was to have this title respond to maintaining security of information systems and operations within the company, within the internal technology infrastructure. So not really talking about the product or the applications that the company builds and provides to the customers. But it’s more so that internally they wanted to have some kind of a policy and a person who can actually handle and process that [00:03:00] info.

So we’re protecting the employees and also the systems thereof. So that’s where it began. So I think over the past 25-ish years, it’s taken multiple different forms. And I think one of the significant changes that we’ve seen in the recent past, I would say like in the last 10 years, is that it morphed from this internal-only defense to outward defense, which is building product security teams or making sure you have the right elements, right checks and balances within your application security and cloud security. Cloud is a new term as you can imagine, but it still flows back into the products and digital offerings that you build for your customers.

So I think it just felt, maybe, that the CISO was doing these things internally, like why not have the responsibility which is also outwardly focused. I think even in the recent past, of course, you see a lot of cloud transformation that’s going on and it’s no exception for security professionals to also go into that realm.

Because as much as there’s compute and [00:04:00] storage and processing of information, there also needs to be some layer of defense. And I think that’s exactly where cybersecurity comes into play. That is one of the things that CISOs are responsible for right now.

And also one thing I would point out, and we typically see this in some big companies, mostly on the heavily regulated side, where CISOs are also responsible for physical facilities, just given how much paper, how much physical product also exists. For example, healthcare is a good example of that, right?

So you have HIPAA, which talks about the protection of your healthcare data irrespective of whether it’s digital or on paper. And as you can imagine, there are a lot of antiquated processes still happening within healthcare entities, which means there’s a lot of physical paper. So protection of that also comes under the CISO. So technically that part also morphs into that.

Amir Bormand: Yeah, those are actually some great points and maybe we’ll unpack a few of those. The one thing you [00:05:00] mentioned obviously is the cloud and the emergence and the need for security to be integrated and viewed within the cloud perspective.

And you also mentioned some things, HIPAA, that are process related. Security is interesting in the sense that there’s both a technical component where you can be super technical, and then also you can have very much functional and process-driven type roles. And it’s this breadth. I’m sure there are multiple hats different teams wear, but there’s a lot of different components and functions within security as you’re looking at the team. And when you look to set up a team, as you’ve seen this growth in cloud and cloud security, and then you have the process, how have you been working with building out your team to address both those different types of functions?

Rohit Parchuri: It’s a very interesting question and I’m gonna say this in two different ways. I think it really depends on where in the industry you’re located and what kind of maturity you have within the company, even before you arrive.

Like I’m talking more [00:06:00] from a CISO standpoint, right? If you’re arriving at a company that is pretty mature in how the program is being operated, then you take a different approach versus if you’re starting everything from scratch. For me, my principle in setting this team up is very simple, right?

I’ll give credit to Phil Venables about this topic. Phil Venables is the CISO for Google Cloud and he talked about it in one of his articles, and this is where I got this impression and I modified that to my use case: there are three critical components of the security team, especially when you’re trying to build the program out.

One is the risk advisors. Advisors themselves are people who are actually trying to push the message out, have a common narrative, talking to people, build these relationships, collaborate on the projects, et cetera. But everything comes from a security standpoint. These folks could be as simple as internal audit, or just program managers for building out certain security projects. This could be a contractual thing or a regulatory thing, but we’re having these [00:07:00] people to actually push the project forward. And then we have SMEs or subject matter experts, right? These are the folks that actually go a mile deep.

And it’s very niche in how their role came about. These are the folks that do threat hunting or are very specific on the forensics within the incident response realm. Or even architects, security architects. There’s been a concept of software architects for a long time, but security architect is a fairly new term. The market is still catching up to it, but there’s an element of why there’s a need for architecture within the security products, because everything is being blended into our product infrastructure. And so there’s a need to have some thought leadership go into how the architecture and design has to happen with the security systems and how they integrate with our existing ecosystems. This could mean product ecosystem or developer ecosystem, whatnot.

And then we have the operational analysts who keep the doors open, who make sure that we’re sustaining a certain project, we’re sustaining a certain discipline from [00:08:00] going. So these could mean security operations analysts or security support or security administrators, data admins. Really the maintenance and upkeep of the security program is handled by these operational analysts. So for me, that has been the philosophy that I work with, and it’s been successful in my past two gigs. I’ve been pretty successful with having a good diversity within these three realms.

And then using that to actually build out the teams. And also, don’t make the mistake of these being teams themselves. These are just disciplines, and every team should ideally have some component of these three disciplines to make it operational, to make it something which is more significant in terms of how you build the maturity around that.

Amir Bormand: And I guess, you had touched on security architect specifically. If you’re looking at cloud security, obviously each platform has its own nuances, has its own complexity. When you view cloud security, and obviously we could maybe just use Yext as an example, or you [00:09:00] can look at a previous company maybe.

But that role, does it sit within more of the security team, or is that part of more of the architecture or the technical team and things are matrixed? Because that seems to me very much art, not science, cuz you could easily see it’s somebody in your team; I could easily see it’s somebody maybe sitting under infrastructure or the VP, whoever’s responsible for DevOps or SRE, IT, or any other team really. It seems like a very tricky role as to where that function sits.

Rohit Parchuri: So it comes with a lot of solid lines and dotted lines. That much I can say. Like you said, I think you put it very right about the matrix, about how we think about these. It’s no exception at Yext as well. We think about those in the same way.

Yext is, we’re an SMB, right? We’re currently about 1500-ish employees. So we’ve been a public company, so there are certain things we need to meet in that realm, but at the same time, security is more like a startup within kind of an established company. And just one year [00:10:00] ago, we were two people, or three people, including myself.

Now we’re 17 people, which is a pretty good size. But still, if you think about the maturity, the operations, the governance around how we deploy and detect certain things, that still is something we need to improve on. So with all that in mind, in one way it’s a good thing because we’re trying to build the fundamental blocks before we can think about the skyscrapers. So we’re starting from scratch and going up, which actually gives us the opportunity to interact and also collaborate with our data and software architects more, and how we need to think about the cloud approach and how we need to tie that back into security disciplines.

So right now, the way it stands, we are still a lean team, right? But that doesn’t mean we’re not looking at the architecture and the design elements on how these things fit in, but there’s a pretty heavy collaboration and partnership with the development and infrastructure teams on how we can make that happen.

And the way we [00:11:00] do this is more from the architecture layout of the product rather than taking it from security. So the way we think about security, of course it has to align with the business and the business goals there, but not the other way around. So we think about that from that sense, and we get the requirements first, and then we try to build this out.

And ideally, I think what was successful is to really have a task force as opposed to a single person being responsible for that. And task force could mean that we have representation from different teams: infrastructure, product engineering and security of course. And then we put our heads together and figure out, okay, this is the right approach and this is actually gonna self-sustain itself as we go into it. But thinking about those elements, I think, has been really successful.

Amir Bormand: Actually, those are some great points. And as I’m listening to you, and I think you mentioned the history of the CISO, and yeah, it was more internal facing. You even talked about sometimes being responsible for physical security.

We hear a lot about the human element, right? And there’s a big percentage of security issues that come from humans, [00:12:00] but the more I interview CISOs, the more I talk to them, just listening to you speak, I hear this technical element. It almost seems like there are almost two sides of the role, where it’s this human element that still exists, the security champion, you know, the advocate, but then this technical element’s emerging because of the complexity of cloud, and yeah, it’s not behind your fenced wall that you’re protecting. And it seems like this split is forcing a development of a technical aptitude that is accelerating. When you’re looking at that, hey, I need to be worried about the human element, the functions to support that, and now you’re talking about these solid lines, these dotted lines, or the technical element. I don’t think you could pick and choose which kid you wanna save, but as you’re viewing each one developing, the technical element, is it something that you’re realizing is progressing technically and forcing the team to keep evolving that technical skill set, versus the human element’s a little bit more stable?

Is that fair or is that completely nonsense?

Rohit Parchuri: I don’t think it’s nonsensical. I think [00:13:00] it’s a good question to ask and I think I don’t really have a great answer here. I’m gonna say that outright. I think most of the people don’t, because it’s a reality of the world that we live in, on how fast the transformation is happening and how fast we have to wrap our heads around the technology and how soon that’s also increasing exponentially.

You have a tech that talks with a certain library; tomorrow, the same tech talks with a completely separate library, which comes with its own practices and disciplines. So I think it’s evolving. Continuous improvement is something that we all have to do irrespective of whether you’re in security or not.

But what has helped me think about this is more so that we talk about the human element. I think the human element is never gonna go away. Everything starts with a human and ends with a human. The human is the center of the universe, like everything else that we do in the industry.

And when we think about that, we think about the users. Their goal is not security. My goal is security. I should not make them accountable for security. They have their own job, they have [00:14:00] their own things to do. I don’t wanna put the burden on them to think about these things. Rather, I wanna turn the table around and have thought leadership within my team to think about how we can set up the right guardrails.

There’s this thing called the validate-the-trust discipline that’s been going around. It’s a good intent. I’m just not sure how practical it really is. And so for me it’s been like, let’s set up the right guardrails, the security defaults, in case we need something to establish. Let’s not actually rely on the training and education we provide to the users. That’s gonna be complementary knowledge, but the technical aspects of things, or the way that we’re trying to structure the control, has to be something that even if the user carries out a mistake, it’s not something that’s gonna disrupt the business in any way.

So that’s the philosophy and methodology that we’re implementing on that side of things. Technology comes into that too, in a way that, I think the SME concept that I spoke about, the subject matter experts, is exactly for [00:15:00] that reason. I think if we have the right diversity in place, if the SME that we’re actually hiring has a comprehensive discipline that comes from a foundational knowledge about how things work predominantly, I think that itself is gonna take care of a lot of things. Typically I say this: we stand on the shoulders of giants, right? So we have these amazing architectures and amazing products already.

All we are trying to figure out is the shapes and forms of each of them and how we’re trying to build different components on top of them. So if you really understand the foundations, I think it’s easy for us to pivot and adapt as the situation arises, as new tech comes about. But of course, that also means that we need to have continuous education in place for our people.

And that’s something I prioritize, the company prioritizes. That’s one way for us to keep things going. But I would definitely not worry too much about the continuous emergence of technologies and if that’s gonna affect us. I think we should definitely stay ahead of it in principle, and we just [00:16:00] need to think about how comprehensively we can think about the skillset problems and how we can embed that into our roles existing right now.

Amir Bormand: I guess as you’ve, if you look back in the last, past decade, half decade, compared to now, are you seeing security needing a more technical skillset because of the growth in the tools, the infrastructures, the complexity? It’s no longer a set of defined tools. If you come in and you do half the job, and with all these roles you mentioned, security architect, which is in and of itself a new term. Is the upskilling side, when you’re looking at your teams and trying to make sure everyone’s career is advancing and working on other things, the upskilling component has to be something, I’d imagine, that’s critical. You just said it’s rapidly spinning up.

Rohit Parchuri: Yeah, for sure. Oh my God. There’s no doubt about the upskilling. There’s no doubt about security being more technical advisory than not. I think that [00:17:00] we’ve seen that in the past few years, and how deep we need to get into the technology to really understand the branches and the fundamentals of that before we can build something. Like we need to know something in and out before we can build a control around it. This is no different than asset management. We need to know if something exists before we can protect it. I think the technology, in one way, is helping also, because if you see the cyber emergence that’s happening, where we see a proliferation of services and cyber tools that are actually coming about, in some cases we’re able to leverage them to actually use the skill of the tool, of the solution, rather than just having a person go through.

I think there’s an element of that also, tech helping tech. But the cross-training is something we also plan to do. We don’t do it right now, but we also plan to, because I think having a collective repository of knowledge would be more helpful than actually having a single person do that.

That is something we just have to, I think that’s a muscle that we all have to build. Especially as security teams always have leaner [00:18:00] teams. Like we don’t really have unlimited resources. I’m not saying any other team or any other discipline has, but security specifically. I think we just have to prove the things that we’re doing, forecast the risk better.

And with that comes a truly high amount of burden that actually falls on the people: continuous involvement, continuous improvement, things like that. So I think collectively thinking about the problems, collectively thinking about the tech and making sure we do have the right way of approaching them. This could mean through instructions, this could mean through playbooks, this could mean through processes, et cetera. I think we just have to have a healthy balance between the tech that we could leverage to actually get some of these taken care of. On the other side, of course we should have a collection of individuals putting their thoughts together and putting something in place so that new people or existing people are able to easily cross-train. And make that a possible reality as we go through thinking about upskilling, et cetera.

Amir Bormand: Yeah. And you mentioned leaner budgets, which is interesting because I’ve heard it a couple of times. Actually maybe more than a couple of times. [00:19:00] And if I’m outside of security looking in, I assume, as much as you hear about security, and obviously it’s always in the news, we’re hearing about ransomware, all this stuff, I just would assume big budgets, throw tons of money at it. It doesn’t seem that just chucking a ton of money is always the solution. Hence you mentioned leaner budgets, and there’s so much to defend.

Then it’s a question of where do you allocate that budget? When you look at leaner budgets and you’re looking at your team and the growth, like when you’re forecasting out the needs of the team and you see these emerging areas, is your roadmap like, hey, I know I’m gonna need budget down the road because this in and of itself is growing complexity that I need to keep my...

Rohit Parchuri: I’m glad you asked that question. I think budget is always a very tricky concept unto itself, and the way cybersecurity plays within the budget is always gonna be even more tricky because it’s not the ROI. I keep hearing about this, like how do you define the ROI for [00:20:00] security? I don’t think there is one.

I think it’s gonna be really difficult for us to define ROI and also make quantitative advancements towards defining what ROI is. In my personal opinion, I don’t think we should focus on the ROI, but we should focus on the outcome of what exactly we’re trying to accomplish. And one of the things that we do within Yext is this program called Security Risk Modeling.

It’s almost similar to the technology risk register or the enterprise risk register, et cetera, but it has much more technical elements to it. One of the biggest factors we look at is the company direction in terms of market verticals that we are trying to approach, or we’re just trying to approach a different demographic in our landscape, and do we need to think about those things?

So, like I said before, security has to align with the business, not the other way around. So I think everything starts with the business, and we have a list of goals that we need to accomplish for the next fiscal year, and that helps us drive it down and figure out what’s the [00:21:00] risk or the attack surface that we’re concerned about.

And then we would objectively measure the risk that we do have and what kind of tech, what kind of process do we need to put in, and of course, what kind of people do we need to hire, or can we capitalize on our existing usage of people. And that would ultimately become part of the envelope that we’re trying to push for.

There’s already enough tech. So one thing I’m very considerate about is the overlap between the tech, right? I think that is gonna cause more harm than good, because we still have to manage the tools, right? Just because it’s a security tool, it’s not inherently secure or security conscious. It could not be. I think that’s the overhead. I’m not willing to invest unless we do find the niche that, okay, this does what it’s exactly supposed to, and this directly relates back into the risk we’re trying to manage. And of course the risk discussion has to align with the tech or the process or people investment we’re making, and more importantly, it has to showcase the outcome, which is what I was talking about, [00:22:00] focus on the outcomes. If there’s an outcome and this is something based on the direction we’re taking as a company, let’s go for it.

So that’s typically how I think about it.

Amir Bormand: I think that’s actually a great answer to the question. And I like how you mentioned focus on the outcomes, cause the ROI is hard to define. I was gonna say thanks. I know your time is tight. I appreciate you making the time to be on. I’m cognizant of our time. So I was gonna ask you a couple of final questions before I let you go. I guess the question I’d like to ask guests is, if they had an opportunity to ask a future guest to speak to a specific topic or answer one question, what would you like that to be?

Rohit Parchuri: Since we just spoke about ROI, I would really like to get more information about how other CISOs or leaders approach this: how do we quantify risk? What are the factors that go into risk quantification? And how specific and granular do we actually get? And who do you think would be the consumers of that info, and is that actually gonna feed back into the program or the things that you’re building out?

I, [00:23:00] myself, had talked about this and talked about the topic with multiple other CISOs, but I’m yet to get a proper response on that, so I’m just gonna throw that out there.

Amir Bormand: Awesome. I might actually turn that into a round table and see if I can grab a few people, maybe you included, and see if we can have a few people talk about that topic.

I think it’d be really interesting. And then if somebody does wanna reach out to you to pick your brain on anything you said on the podcast or just in general, what’s a good way of getting in touch? LinkedIn, social?

Rohit Parchuri: LinkedIn is the best, and I can put my email also down, but LinkedIn is the best.

So you can find me at Parchuri, of course search for Parchuri. I’ll pop up and, like I said, I’m the CISO for Yext and you should be able to find me there. But I’ll share my email address too.

Amir Bormand: Okay, awesome. We’ll make sure to put the LinkedIn in the show notes so everyone can find it.

Thanks for being on again. I thought this was an awesome discussion. Great insights.

Rohit Parchuri: Yeah. Thanks for listening and thanks, Amir. This is really awesome.

Amir Bormand: That’s it for this episode. We’ll be back again, different topic, different guests. Until then, two things. One, I might turn [00:24:00] the ROI question into a round table.

I think that ROI in security question is compelling. I think it could lead to great discussion. So if you wanna be a part of that, reach out to me, let me know. Secondly, if you like the podcast, if you enjoy the podcast, one of two things is great: share it with someone else or give the podcast a solid review on whatever platform you’re listening to.

That’s how we’ve been growing. But that’s it for now. Thank you and goodbye.
