Trust & Security: The Cornerstones of a Resilient Organization! With Sandeep Agarwal

TLDR;

  • For organizations, alignment between revenue goals, cost and risk is key to success. Instead of teams working in isolation, they should collaborate to improve the security of the organization.
  • Security is often seen as the team of No. Instead of saying no, security teams should show the business a path to yes.
  • The most important asset in security is not the tools or processes but the people. And people treat what they observe as the culture, not what is preached. Practice the security basics to set a solid foundation.

Host: Hi, everyone. This is Purusottam, and thanks for tuning into the ScaletoZero podcast. Today's episode is with Sandeep Agarwal. He's a security specialist at Google Cloud and brings two decades of security, risk, compliance, and audit experience, particularly in the financial services domain. He was the CISO at Max Life Insurance and Moody's Analytics in India, and VP of InfoSec and Data Protection Officer at OakNorth, a cloud-based fintech firm in the UK.

He's passionate about evangelizing security, risk, compliance, and the benefits that cloud computing brings to organizations of all shapes and sizes.

With that, welcome to the podcast, Sandeep. It's lovely to have you here!

Sandeep Agarwal: Thanks for having me.

Host: Before we... Yeah, absolutely. It's a pleasure. Before we start, do you want to briefly share about your journey in the security and compliance space?

Sandeep Agarwal: Okay. So again, you know, this was, I think, a lot of luck. I believe luck plays a great role in everybody's life. And for me, it was no different, but it was also a combination of my conscious decisions. So I started off, I did my computer science and engineering from the School of Mines, Dhanbad, and I have always been interested in the fields of networking and computer graphics.

For some reason, these two fields always excited me. When I was doing my engineering, there were no courses or subjects on information security or cyber security as such. So networking was a clear path to get into this domain. So what happened is I happened to get placed in the Defense Research Organization, and over there I went to a lab which worked on security stuff. So based on my interest, I had a mentor who gave me an assignment on, you know, just creating software so that our armed forces could securely communicate with each other. So that was my first test with security. Then I went to do my MBA. Again, I consciously chose subjects like IT management. And then I got hired by a company for, you know, something which MBAs are hired for, like a data warehouse and business intelligence consultant.

But in the company that hired me, you had to do a three-month internship before you started your official role. So in those three months, they floated our resumes to every team: here we have a bunch of interns, see what you can do with them. So my resume was picked up by the chief security officer of the organization because of my DRDO experience, and I spent two months working in the networking department of a big investment bank.

So that took me through the three months. I joined them. I liked the bunch of people. You know, when you're starting off your career, all that matters is you have a good set of folks who you like to hang around with. I obviously liked the work, because networking and security were all things I liked, and, you know, because I did my MBA, I always had a liking for risk management. And so that role was a great intersection of my interest areas, what I wanted to do, and a good set of people.

So I asked, and luckily they also liked me, the chief security officer liked me, and I told them that I'd like to continue here. I don't want to go into data warehousing and business intelligence. Yeah. And he pulled his weight around in the organization and got me reallocated to his own team.

That was the start of a lovely 20-year career so far.

And I don't regret that. Every day still feels so fresh. Of course, in these two decades, I have done multiple roles. I have been with multiple organizations. I was lucky enough to get a chance to be on different sides of the table. I've been a security consultant in a Big Four. I've been a security auditor and an IT auditor. I've been a security implementer. And now I'm a security specialist with a cloud provider in a pre-sales role. So yeah, it's been a very happy journey so far, and yeah, cyber security. And you know, when I started in the 2000s, security was not as exciting or as sexy a space as it is today.

But with the advent of cloud computing and IT and mobile technologies and IoT and so much digitalization happening in society, which has brought and attracted a lot of bad people, cybersecurity has become such an important thing for every organization. So what used to be a small team sitting in an IT department somewhere is today a boardroom discussion topic and a multi-billion dollar industry. So yeah, it's a super exciting time to be in cyber security.

But I never thought it would turn out like this. Even though I was very excited about security all my life, I never thought it would be this glamorous. Half of the people who I meet all aspire to be related to security. It was not so when I was starting.

Host: Yeah, yeah, yeah. No, totally. Even I feel the same: when I started my career, there was not a lot of focus on security. It was more around building something, more around running the business. But now security is also getting equal importance. And I hope that we'll get to touch some of these areas during the recording today. Before we start,

One question that I generally ask all of our guests and we get unique answers is what does a day in your life look like?

So yeah, what does it look like for you nowadays?

Sandeep Agarwal: Okay, so I mean, I rise at 6 a.m. I go for a small workout, come back, dress up, and turn up to the office at 8:30 a.m. after dropping my kid at school.

And yeah, work begins with checking a few emails and announcements as to what Google Cloud announced the previous night, because a lot of our engineering and product teams are based out of the US. So catching up on our latest announcements, looking at whether there are any customer engagements. So I'm a customer engineer. My role is as a customer engineer and security specialist. So a large part of a day in my life goes towards solving security problems, whether it is addressing a customer who has a concern related to adopting a particular service or Google Cloud, or they want to do something and they want me to have a look as a security specialist and give them guidance as to whether they are doing it well and how they can do it better.

And then a lot of the rest of the time, when I'm not talking to customers, and I really love solving security problems, I'm constantly either practicing, building out a small demo inside my own learning environment, or researching something new that is coming up, learning about other companies and how they are solving problems.

So, Cloudanix, learning about how they do stuff, how other security partners do. So, as I said earlier, it's a great space to be in. So I love to learn a lot, because you never know when a particular piece of tech or thought process can help solve a customer problem.

So yeah. And then I retire in the evening by unwinding, watching... Yeah, just spending some time on the internet, letting it guide me wherever. I just like to be curious, and then, yeah, I go to bed by 10 pm. That's it.

Host: OK. What I hear is you spend a lot of time learning and also trying to see how you can help customers, right? Both from the capabilities or services that Google Cloud provides, and also you're working with partners to see what's the best fit for the customer. So there will be a lot of learning as part of that as well, I can imagine. So, let's get started on the security questions. Today we are going to talk about cloud security in general, compliance, and trust. So my first question to you is,

When it comes to IT security, whether it's cloud or on-prem, most organizations have dedicated security teams. And one of the critical factors for success, which not many people talk about, is trust. It may seem like an underrated area, but I think it's important. So let's start with that.

What are your views on trust and building trust between security and the rest of the organization?

Sandeep Agarwal: Sure, sure, Purusottam. And before I get to respond to any of your questions,

I'm a very opinionated person. And so I'd like to tell everybody who's listening that the views that I share here are completely my own. They are not necessarily aligned with those of my employers. So I'm representing myself as an individual here. Now coming to your question, which is on the importance of trust in security.

So I really believe that culture is super important. It's a very underrated piece. You know, most CISOs and security teams who I talk to, they're very excited about the latest, fanciest tools that are there in the market. But there's nobody who gives as much importance as I believe they should be giving to culture. And good culture comes from having great trust between teams. So I think it's a super important component of building a good culture.

And if you ask me to define trust, you know, trust can mean different things to different people. What I believe is that trust is gained and established by doing two things.

  • People will trust you when they observe consistency over a period of time between what you say and what you do, between your words and your actions.
  • Trust is gained by giving back control. So if you want the rest of your organization to trust you as a security team, it also depends on how much control you have given back to them and relied on their good judgment.

Because I've seen many security teams who try to be very controlling. For example, I've come and worked in organizations, and there are so many organizations today, who try to control every bit of what their users can or cannot do. For example, some organizations control whether people can access YouTube, news sites, or social media sites while they're at work. So it comes with a lot of insecurity, and with insecurity, they try to over-impose things, which makes people hate their security team.

So I think it is super important that good trust is built. It's the foundation of a security program, and trust is very difficult to build but very easy to lose. I'm reminded of a quote by Warren Buffett, who said that it can take you 20 years to build a reputation and five minutes to ruin it. So it's also something that has to be treated with caution.

Host: Yeah, it is very true, and it is something very similar to what I heard this week. I was at FwdCloudSec and I met with a few leaders, and they were also talking about very similar things to what you said, right? One is, no matter what tools you bring in or whatever you do, people are your real asset; your security engineers are your real asset. So going back to the culture thing that you highlighted, right?

Building the right culture helps you build successful programs in the long term. And trust plays a key role in that as well. A follow-up question to this is, you said that it's difficult to build.

What challenges have you seen organizations face while building it?

Or how can they build collaboration between security and the rest of the organization?

Sandeep Agarwal: Yeah, so I think some of it is by design. So, you know, when you deal with any regulated or, you know, if you look at a large enterprise, or if you take any business and ask the CEO what their objectives are, they would say three things. One would be to increase revenue. The second would be to decrease costs. And the third would be to reduce risk.

So the way organizations typically design their structure is, you know, the classic lines of defense. So you will have some business functions who think that their only job is to increase revenue, there'll be some operations teams who think their only job is to decrease costs, and there'll be risk teams and security teams and legal teams who believe that their only role is to reduce risk.

The challenge with this kind of approach is when these teams start believing that their objectives are in isolation. So one team thinks increasing revenue is in isolation. The security team believes my role is to minimize or eliminate any kind of cyber risk and keep a check on those guys, whereas the dev and ops teams believe their responsibility is to keep the business running. So I think when you have this kind of mindset, and again culture, it is very difficult to build trust and collaboration between these teams, because each of them feels that they can only be successful at the cost of the other.

So I think the way to solve this would be to have a belief that, you know, these things are all aligned. One should not come at the cost of the other. It is possible to increase costs and reduce risk. And, you know, again, many people have said this before me as well: your ability to reduce risk actually helps you increase revenue.

So, you know, many people would have heard the classic car thing about brakes and the accelerator, the way these two work in unison. Having brakes actually allows you to move farther and faster.

So, yeah, the way I like to define it, and I picked this quote from Eric Brandwine, who was the deputy CISO of AWS and who I consider my mentor, is what he says, which I completely agree with:

The objective of any security program is to maximize the business value of security at a minimum risk and at a minimum cost.

So when security teams start believing that their role is ultimately to maximize business value, not just minimize risk for the sake of minimizing risk, that is when these objectives start converging, and that is when these teams start looking at each other and trusting each other as partners.

Host: As partners, as partners. Yeah. And I think the key term that you used is collaboration and alignment, right? Instead of working in isolation. If the security team is just thinking about building security controls and enforcing security controls and what is best in security, then you are putting other areas at risk, right? You might buy security tools, and you might hire many people, but if you are not helping grow the revenue, then you're out of business anyway, right? I think this is one of the quotes that I read somewhere: "A fully secure business is out of business."

Yeah, yeah. So you have to find a balance between all three areas, right, rather than just looking at one area, which brings me to my next question. You suggested there should be collaboration and alignment.

Any tactics that you recommend to organizations so that they can work well?

Sandeep Agarwal: I think not treating your security team as a department of no, like not accepting a simple no answer from your security team. One of my previous bosses: I used to work with a company where I had a dotted reporting line to the head of IT, and that was a time when the security team moved out of the IT team and went to the risk team, because the regulator wanted to have a check and balance. They specifically wanted to avoid the conflict of interest when a CISO is reporting to the head of IT, the CTO. So the person told me, Sandeep, when I come to you with a thing, please don't just tell me no, give me a path to yes. Tell me that yes, we should do it, but these are the three things or four things that you need to do.

I think, as a security person, if you adopt that kind of mindset: sure, we need to do this. This is a business initiative. This is an IT initiative. And here is how you can secure it. Or here is how you can find a way to yes. And also, one final element: security teams also need to relax a bit and hang out with other colleagues. You generally have to come across as a good, approachable person.

Yeah, I have seen people who take their jobs very seriously. They are not very liked individuals. Of course, you need to take hard and firm stances. It's not that you come across as a pushover who people can push around. But yeah, you generally need to hang out, have a chat, have a coffee, and have lunch with those folks, because this will also give you empathy!

Host: No, no, I totally agree. When you said that security is seen as the team of no, that is very real. I have been in many meetings, and I'm pretty sure you must have been as well. In many conversations, the moment the security team walks into the meeting, everybody starts smiling, like, yeah, we'll hear no's from them most of the time, whatever we say: hey, we need this, we need that. That's why I like the suggestion that you made, right?

That instead of just saying no, show me the path to yes, so that the rest of the organization understands that, yeah, security is enabling us, not just blocking us at every point. Right?

Now, my next question is, security is a team sport, right? We have been speaking about security and the rest of the organization, that they should mingle with others and so on.

And in order to make the organization understand the importance of security, not just within the security team itself, we often have to train the rest of the organization. This not only helps them judge whether something is a phishing attack or a threat but at the same time understand the gravity of it as well. So, one question that comes to my mind is,

What effective ways have you seen organizations can follow to build security awareness?

Sandeep Agarwal: So, you know, again, security, as I say, is ultimately a cultural thing. You can have the fanciest of training programs. You can have great training modules, in-person training, classroom training, and big halls full of training, but ultimately people will do what they see other colleagues do. They will also look at how their CEOs or their senior leaders behave inside the organization. What do they do when they are faced with a situation where they need to balance security versus business? What are some of their actions? How do they treat security in day-to-day work?

So I think those softer elements: how does the CEO or the senior leader in the organization voice security in a town hall meeting? Do they brush it under the carpet, or do they actually bring it to the forefront and highlight the importance of security?

It's like following traffic rules or maintaining cleanliness. When new people join an organization, they will look and observe the people around them and what they are doing. So I think it's ultimately a cultural thing. And personally speaking, I'm not a big fan of traditional security awareness training. Trust me, nobody likes going through one hour or two hours of training. People take it as a huge pain. The good thing is that there are a lot of security controls that can minimize the cognitive load that you put on your users to make the right decisions.

For example, if phishing is the most common user awareness training, there are FIDO-compliant keys, security keys, which give you phishing-resistant MFA, which eliminates the need to do traditional phishing awareness training at all. Like the last two organizations I've been part of, we don't do regular phishing training in these organizations, because these organizations have completely secured all user accounts using a phishing-resistant key.

The same is true with many training programs that will talk about how to create a strong password. Today we have this concept of passkeys or passwordless authentication, which eliminates passwords altogether. Also, there's stuff like Chrome OS or Office 365, GWS, which removes the need for people to send attachments. So there is no risk. There is no risk even if you leak something, because as long as you are sending them a link, every document becomes a link, and if you're sending links even to a wrong email address, nothing gets leaked, because unless you give somebody online access to that document, nothing is shared. So there's a lot of technology that people can adopt to eliminate these trainings altogether.

Lastly, there will be some compliance-related training. There's some minimum amount of training that you would need to do because there are standards that mandate this training.

My recommendation is to make it as fun as possible. Make it a cool thing, something that people are proud of completing, and make it dynamic. If you test somebody on a topic and they already know that topic, don't make them spend 15 minutes on it.

Host: Yeah. Yeah. Totally agree. And I think this is one of the examples of the keys, right? Like hardware keys. Nowadays with passkeys, you can even use Touch ID, or Apple or Android devices, for securing. One thing that you highlighted, going back to culture most of the time, and I see the relation of security with culture, right? And the way you highlighted that culture, what I got from this is what I've seen as well: when you are onboarding an employee, you can give them a presentation on culture, but at the end of the day, they'll see how others are behaving. And based on that, they will learn that as the culture versus the deck that you presented while onboarding. Right?

So the more your team is practicing security, the culture gets built around that as well, rather than just going through the training once a year.

So any tips that you have to promote a better way to make your organization aware of security?

Because it's not just the security team's responsibility, right? That everyone in the organization is accountable when it comes to security. Any other tips that you have?

Sandeep Agarwal: I think one thing that one of my ex-organizations did amazingly well, and this was not something that I did, it was propagated from the top, and like most matters related to culture, they flow from the top. So the first thing is, you know, security is a thing where you feel security when it does not work well, when an incident happens. Those are the times when people really observe how much of a blame game you play when stuff goes wrong.

So I think accountability is important, but if you want people to really feel that everybody has a role to play in security, people have to adopt this concept of blameless postmortems. Again, the industry has adopted this pretty well when it comes to incident management. So don't look for a proverbial neck that needs to be hanged, right? Make it okay. It's okay if an employee does something bad. Don't penalize the employee. Try to understand why that happened.

Secondly, when stuff goes wrong, try to share those learnings from an incident. Share it as widely as possible. And when somebody has reported it, don't shoot the messenger. Make it easy for people to raise an alarm. Actually celebrate them and the fact that somebody got to raise an alarm, even if those alarms are false. You know, one of my ex-employers again, what they did is they encouraged everybody who sees a security incident, even if they feel it's just a suspicion, to raise a Sev 2 ticket. A Sev 2 ticket is the next ticket, like, say, one, two, three, one being the highest. For Sev 2 tickets, somebody, a person in the security team, would have to wake up in the middle of the night.

So just giving people a very easy way to raise an alarm and not penalizing them for raising a false alarm creates this virtuous cycle of security awareness and culture that works wonders.

Host: Totally! I love what you said, right? Taking the human element out of the postmortem. Otherwise, the moment you start blaming someone, they become defensive, right? And you will not get the information or the insight that you are trying to find out from them. Yeah, that's a very key tactic that you shared.

Sandeep Agarwal: And what happens when you do that is people go into a shell and they would not report anything the next time. And you know, I was an auditor for a long time in my career.

You would ask, as an auditor, how many security incidents happened in the last six months? And the answer would be no security incidents happened. Now this is a classic case where stuff happened, but nobody reported it, which is an even worse thing than having security incidents. Not knowing security incidents is a worse place to be than having security incidents and knowing them. So, yeah, you don't want to be in a place where people are scared to call it out.

Host: Yeah, yeah, if you are getting attacked and you feel like I cannot even report it without being called out in public, that, hey, this person made a mistake, then I'll try to hide it, right? And which doesn't help the organization in any way. Very, very good point. One of the things that security teams and organizations often think about is that security cannot be guaranteed. But it can be contained in a way, or we can minimize the attack surface. And often it comes down to defining the right security boundaries.

Do you have any strategies to define security boundaries for different groups or even cloud resources?

Sandeep Agarwal: Yeah, so yeah, again, great comment that security cannot be guaranteed. There is no such thing as 100% security. And ultimately, security is an optimization problem: how much is good enough to keep the attacker away? And so I think a lot of, you know, just having boundaries for users and cloud resources boils down to this principle of least privilege.

Although it's a great thought on paper, it is very difficult to implement. So I don't want to trivialize this thing that, hey, let's do the principle of least privilege, and there is this magic button which can help you do this. Having said that, it is much easier to do this when you adopt this principle of infrastructure as code.

One of the best things about the cloud is that you can define firewalls, servers, clusters, and storage all as code, and when you do that you know exactly what resources are being created, who needs what permissions, what is allowed, and what is disallowed in your environment. So automating stuff as code makes it much easier.

But when you come to humans, it is very difficult, because with human beings you never know what they can require, and if you try to be very controlling and least-privileged, you will ultimately stop them from doing good things. So you want to start broad, but over a period, take stock of what permissions have been used. So there are a lot of tools today in the market. Cloud providers themselves offer a lot of policy intelligence tools. There are a lot of third-party security providers who have started solving this problem and can look at past activity. So you'll solve this using big data: you will have a pool of activity that has happened historically.

You will use it and say that, hey, amongst the 4,000 permissions you gave this particular cloud resource or programmatic agent or principal, only 70 have been used. So you can narrow it down to the 70, plus maybe a few, like five or 10, which they are likely to use because of other patterns that we have seen elsewhere. So, using this, I think it's a great way to start broad but ultimately narrow down to exactly the permissions.

And again, the other thing is you don't want to do this everywhere. You want to do this for your production environments, where you are sure and you want to be very risk-averse. But when it comes to dev-test environments and innovation sandbox environments, you should be pretty liberal.

Host: Okay, so yeah, I was going to ask how we can balance productivity versus security. I think you highlighted two things, right? One is maybe start with a broader set of permissions and optimize it as you see it being used. And the other thing is prod versus non-prod. Broad, restricted down as much as you can, but when it comes to maybe a development environment, give developers more permission so that they can experiment with, let's say, a new service or new capability and things like that, which makes a lot of sense.

Now, you highlighted one of the things, which is automation, right? And as businesses scale, organizations also move towards automation, and they continuously try to see how they can use automation for security as well.

And what challenges have you seen when automation is there and you are trying to manage and audit the enforcement of security baselines?

Sandeep Agarwal: Yeah, I think the biggest challenge that I've seen is that as cloud adoption is becoming more automated, cloud security, and many security teams who I see, are still lagging behind in the adoption of an engineering mindset, especially when it comes to auditing and enforcing baselines. So I see security teams, again, nothing against them, I am from the same community, but...

In the last two decades, a lot of security people have come from a process background or generally from a click-ops background. So when it comes to auditing, traditionally audits have been done periodically. So you will have an audit once every six months or once every year, and you will take out a checklist. Today, you will use a tool to generate a checklist, which will send you a point-in-time report. Then they will disseminate and break that checklist into a typical Excel spreadsheet, send it to 50 different teams, and then chase and follow up.

But the thing with the cloud is that in the time that you have waited to generate that thing, the cloud would have moved so much. And by the time you are working on an offline checklist of things, your cloud environment will have changed by 50, 60 percent by the time you claim that everything is remediated. But in actuality, that thing has moved, because the cloud is a living, breathing animal. So I think these are the typical challenges that I see in auditing security baselines.

Host: Makes sense. Now, a follow-up question to that: you slightly touched on half-yearly audits or quarterly audits where you are creating a checklist and going through it. Often it comes down to compliance, right? You have to be compliant with the SOC 2s or HIPAAs of the world.

And that makes sense maybe when you are starting your organization: if you are in the healthcare space, you have to be HIPAA compliant so that you can run your business, and so on. Now,

What do you think is the right time to invest in improving overall security posture on top of whatever you have done for security certification?

Sandeep Agarwal: I think the right time is now. Again, I am not saying this because I am a security nerd. But I think security should be a continuous journey. And whether you are small, medium, large, whatever stage of your security maturity you are in, you should always do it again more as a cultural thing. And good culture is not something that you can fix with a tool or do it at a later stage.

If you don't do security well when you are small or when you are young, you will not do it when you are big. So I think security needs to scale and grow with your business. The important thing is, that improving security does not necessarily have to be a budgetary item every time. So you don't need to wait until some big event happens, et cetera.

What I have seen is that many organizations, if they are smart about it, can do a lot of things at a very minimal cost. There's so much open source goodness available across the world. You have to do your due diligence and be a bit careful. But if you play it smart, you can do security well with a very lean budget. And actually, what I've noticed, ironically, is that the biggest spenders on security are those who have deep-rooted problems that they try to buy their way out of.

So I think, yeah, if you try to make it a continuous exercise, the way I equate good security is like good health. If you sleep well, if you eat well, you do a minimum amount of work, yeah, you should be good.

Host: Basics, right? Yeah, I like what you pointed out. Often we don't focus on the basics. Rather, we look for edge scenarios and we focus a lot on that, and we spend a lot on that while avoiding the basics. And what you mentioned, right? Maybe even with a smaller budget, you can have a very good security program if you do the basics right. Often we don't do MFA, but we are buying a tool to find out whether any of our users are not following MFA, right? So doing the basics takes you a long way.

The last question that I have on security is this: often there is a debate between security and the rest of the organization, even between security teams, of compliance versus security, right? Many people think that compliance is enough. Many people think that, no, you need to have deep security. So for organizations, do compliance certifications form a foundation to improve overall security, or should we start with the foundation first and then think about these certifications or compliance? What's your take on it?

Sandeep Agarwal: So I like to treat certifications as a milestone in a security journey. By itself, it should never be a destination because you can have all of the compliances in the world, but you can still be horrible in security. So security is a risk management concept. Compliance is a compliance concept. You need to fulfill certain obligations and prove something to somebody. So it is an intersection, but…

Yeah, the way I see certifications is like a checkpoint to benchmark yourself against the industry. So to that extent, it is good to have certifications. And, you know, of course, apart from that value, it gives some structure to your security program; otherwise security can be very nebulous. You know, it's a big risk management exercise, especially with so much tech adoption, and you can easily get lost. So certifications try to bring some method to the madness.

Of course, if you are in the trust business, for example, if I talk about the business of a cloud provider, where you need the trust of your stakeholders, your customers, whoever you are dealing with, and your partners, you need to prove something to them. And it's a great value addition for a business when you have certifications that you can use to demonstrate the health of your security practices.

It gives somebody outside an independent assurance that you are doing certain things well. Of course, by itself, it does not mean everything; you still need to have a lot of trust, and, you know, that's where large cloud providers have an advantage on trust, because anybody can have certifications at the end of the day, but ultimately it's your name. It's the consistency in how well you have been delivering and doing security well. But, you know, to the uninitiated, it's a great way to prove yourself and benchmark yourself against the industry.

So it's a good thing. You should have it as a milestone, but don't stop just at certifications. Use it to prove it and just move ahead. Yeah. Ultimately, it all boils down to how well you manage your risks, not the bunch of paper that you have.

Host: Right. And I slightly want to go back to the example that you gave, right? Like your health example: you might do, let's say, exercises every day and all of that, but to set you… do the basics, but at the same time, you should have regular checkups to see how you are progressing, right? Overall, from a health perspective.

So those are like different milestones you might have for the progress of your health to get to a better state, right? But that should not be a destination, that, hey, I ran a marathon and then I'm done. Now I can eat whatever I want and I don't have to go to the gym anymore, right?

Yeah, makes a lot of sense.

So with that, we come to the end of the security question section.

Rating Security Practices

This next section focuses on rating. So the way it works is I'll highlight a security practice and I'm looking for a rating from you from one to five. One being the worst and five being the best.

So the first one is to conduct periodic security audits to identify vulnerabilities, threats, and weaknesses in your systems and applications.

Sandeep Agarwal: So if I break this into two parts, I'm a big fan of conducting, of knowing what your vulnerabilities are, but I hate periodic audits. Today we live in an age of cloud security. I want audits to be real-time. If you are the security team running a cloud estate or even an on-prem estate, I want to know within seconds when stuff goes wrong inside my environment. So I'd give it, possibly, say, a three. Yeah, out of five. I'd like it to be more continuous and real-time.

Host: The next one we touched on slightly during the security questions is to provide training and awareness programs to employees to help them identify and respond to potential security threats.

Sandeep Agarwal: Yeah, I'm not a big fan of periodic training and awareness. Stuff has been solved through tech. So it's high time that we adopt tech, which makes it easier for security. So many times, security tools are thought of as introducing friction. So many people are hesitant to adopt. But these days, you have stuff like passwordless, security keys, et cetera, that make it simpler for users. So I don't see any reason why you should make your users' lives miserable.

Firstly, by not giving them the tech and secondly, by imposing hour-long, boring security training on them. So, I'd give it a one.

Host: Okay, speaking of passwords, the last question is, or last practice is, use strong passwords that contain a mix of upper and lowercase characters, numbers, and symbols, and change it frequently and avoid using the same password for multiple accounts.

Sandeep Agarwal: So yes, again, I'll give it one. I hate this concept. Again, I took my time to overcome this thought process. I was born into my security career, I was born in an environment, where we were taught that good passwords are a mix of uppercase, lowercase, et cetera, et cetera, and changing it frequently. Passwords… it's a proven thing now, and NIST has recommended, and many organizations like Google, we don't enforce periodic password changes for our employees. Passwords are supposed to be long. Passwords are supposed to be… and you have to protect your accounts using multi-factor authentication. So if you have already introduced something like multi-factor authentication, your password itself does not carry that amount of weight. It has to be long enough to introduce randomization, but it should be in a way that people can remember it easily.

And that is where… I'm a big fan of password managers. So whether you use a password manager that comes with your favorite browser or a tool like a passkey, KeePass, or I think LastPass, 1Password. My favorite is Bitwarden. I use Bitwarden to store all my passwords. So my passwords are truly random, super long, 16-character, 14-character passwords, and I don't change them unless and until I believe that they have been compromised. So that's my recommendation. So I'll give that a one rating.

Host: Yeah, we use Bitwarden as well. And I agree that some of these practices have been there for decades. And at that time there was no concept of MFA, or it was not that widely adopted. And even the password managers that you highlighted, right? Nowadays it's super easy. It's available in your system. It's available in your browsers. It's available on your phone. So you can sync them up as well. So it has become more convenient to use some of these tools. So yeah.

Sandeep Agarwal: And I'll tell you a small joke. Like, you know, I had an organization that adopted a 30-day password rotation practice, a 30-day one. So I know of a few employees, and what they used to do is they used to select the password as January123#, February123#, and March123#.

So users will find a way around you. You don't want to make their lives miserable and degrade your security posture.

Host: Mm-hmm. Hahaha! Yeah! yeah! yeah!

Sandeep Agarwal: You think you're doing good in security, but actually it's a worse thing.

Host: Yeah, and another thing is sometimes folks write it on sticky notes or something and they keep it in the desk drawer or something, right? So that it's easy to remember if it is long and random and you have to change it maybe every so often and stuff like that. So yeah, very valid point. With that, we come to the end of the episode.

But before I let you go, I have one last question, which is: do you have any recommendations for our audience? It can be a blog, a book, a podcast, or anything.

Sandeep Agarwal: So, you know, one of the things that has shaped my learning and journey as a security person is Eric Brandwine. I mentioned him earlier in our podcast. He was the deputy CISO of AWS at one point in time. He's still a distinguished engineer with AWS, and he has done a lot of talks at re:Invent, which is AWS's flagship marketing and learning conference. Yeah, for people who… who want to know more about culture and how you do security at scale, I'd highly recommend watching Eric's talks at re:Invent.

Host: Okay, thank you so much, Sandeep, for joining and sharing your learning. I'm pretty sure that we can record another episode just on culture. I know that we touched on multiple areas. But yeah, thank you so much for coming and sharing your knowledge and experience with us.

Sandeep Agarwal: Super! It was fun talking to you, Purusottam. Thank you for having me.

Host: Absolutely. And thank you to our audience as well for watching. See you in the next episode.