Episode 37: From Teenage Hacker to CSO with Rinki Sethi

Narrator:

Welcome to 9 0 9 Exec, your source for wit and wisdom in cybersecurity and beyond. On this podcast, your host, veteran chief security officer at Cyber Aficionado, Den Jones taps his vast network to bring you guests, stories, opinions, predictions, and analysis you won't get anywhere else. Join us for 9 0 9 exec, episode 37 with Rinki Sethi.

Den:

Hey everybody, welcome to another episode of 9 0 9 Exec. I'm your host, Den Jones, the guy with a silly accent and the unicorn on the shirt. So every week we try and bring you guests that have some experience, some wisdom, and ideally you're going to learn something about your executive journey in technology. And our goal is let's leave you with some nuggets, a little bit of laughter, some fun, some humor, and something that makes you want to return and pretend you love the 9 0 9 vibe. So this week I'm blessed. I've been chasing this woman round. She is busier than a queen bee. And now, yeah, some other shit joke I was going to pull out there, but rinky ethie, you are a busy lady, so why don't you introduce yourself just so I don't butcher the heck out of it.

Rinki:

Sounds great. Hi everyone. I'm Rinki. I'm honored to be on the show. I am in the Bay Area. I'm currently the chief security officer at Upwind. Been in cyber for a little over 21 years now and worked with some amazing cool tech companies in the valley here. Started at Pacific Gas and Electric, have worked at Walmart, eBay, Intuit, Palo Alto Networks, IBM first CISO gig at Rubrik, second one at Twitter, and third one at bill.com. And then just up when security for the last five months.

Den:

Wow. Yeah. Upwind is the new gig. And some of these gigs as well. I think you've been the CIO and the CSO at the same time, right?

Rinki:

That's right. At bill.com I was both CSO and CIO. And then at upwind I have both security and IT as well.

Den:

Yeah, it's funny, I see more and more, especially in smaller companies, more and more they actually have the blended role and that's kind of fun. My last gig was that as well, and you've got the responsibility to try and protect the company and operate, and then you've got the other responsibility of doing the checks and balances on yourself, which never feels like a conflict of interest. So let's jump in. I'm really curious. Okay, so what got you into technology? I read somewhere, I think I read somewhere that when you were younger you were building a program to detect a key logger or something. I mean, were you in this shit at an early age?

Rinki:

I was. So it's funny, I was exposed. I was born and raised in the Bay Area, and so I was exposed to tech at a really early age and I had family, my dad, my uncles, they'd be talking about tech all the time. They had the latest and greatest computers. And so I was exposed to this super early on, although I was late on jumping on the A OL Instant messenger bandwagon as a kid. And I heard about it later, but I was like, this is so cool, you can chat with your friends. And my dad found out, what are they doing on dial up? So late at night, me and my siblings, and he suspected that I was talking to boys and so he wanted to spy on me and he put a key logger on our machine, on my machine for sure. I overheard him talking to my mom about something that I had typed about that he shouldn't have known about. So I was like, he's got something on my computer and I found the key logger and I would uninstall it, then he'd install it back again. So I literally wrote a small program to detect it and then uninstall it. I gave it to my sister too. And so yeah, we were playing this cat and mouse game and we'd purposely write things that weren't real just to mess with my dad. So yeah, that was my hack back in the day. Wow.

Den:

And how old were you then?

Rinki:

I was somewhere maybe 14 or 15.

Den:

Shit, I mean that's obviously before you're like, okay, this is going to be my career. So you're at high school at that point and you're coming up with some program to bust your dad's key logger. That's pretty awesome. What got you into the whole tech career thing? I mean, what was that first thing going from school to college to then tech?

Rinki:

It was interesting. I was trying to figure out what I wanted to do. I was really good at math. I was very tech savvy, but for some reason at that time, tech didn't seem cool as a career choice. So I was like, I'm going to be a lawyer. And then my dad, typical Indian family, was like lawyer as a second degree. What's going to be your first degree? Choose medicine or engineering. And so I ended up choosing computer science engineering and reluctantly, and I've never looked back since then. So I joined, I got my computer science engineering degree from uc, Davis, and that was kind of my entrance into tech.

Den:

Wow. And did you ever pursue the second degree of being a lawyer?

Rinki:

No. My senior year I was like, I don't want to be sitting at home. I want to be getting a paycheck when I graduate. I'm going to look for a job. That was my motivation.

Den:

Yeah, that's brilliant. Okay, so if you were going to give the teenage hacker rinky some advice now with the advent of AI and deep fakes and stuff, what would you build to protect yourself against?

Rinki:

It is interesting. I don't know if I would build, I might've been the builder of some of that stuff, of the DeepFakes and things like that. But now that when I think about that, I would definitely, especially now having kids of my own, I'm like, man, I wish I knew that security was even a thing. It wasn't back then. Nobody talked about it. And I wish that I would've built some tech to prevent attacks if I knew what I knew now.

Den:

And it's really interesting. One of the things, and I talk to people every week about this, which is another scam, another this, another that, and they're all personal. I mean, I talk to clients and companies and stuff, but in my personal life, my mom calls me up and it's like, oh, you'll never guess what happened. And I'm like, oh shit, here we go. And we actually publish an ebook in our website for free because I kind of hate hearing about people who are certainly trying to protect their family and they're not tech savvy. So it's like how do you protect your family when you and I, we grew up with technology, so it's easy for us to give our family and friends advice, but I think a thousands of people out there, especially older generations that they just don't have any idea and they're getting scammed left. So for me, I'm like, that's a bit gnarly. So let's talk about, so you leave college, so uc, Davis, you leave there. What was the first impression and the first job, what was the first job you got and what was your impression of working for the first time? Do you remember?

Rinki:

Yeah, I got my first job at a utility company here in the Bay Area. I was really lucky to get my first job because it was a really bad time in the economy and students weren't getting jobs, so they were all pursuing graduate school or sitting at home and finding projects to do. And so I was lucky and happened to be in, it was the title of the role was Information Protection analyst. I didn't care what the job was, I was just like, thank goodness that I have a job and I'm going to get a paycheck and I'm not going to be sitting at home having my parents pressure me on when are you going to get a job? And so I knew April of my last year in school that I was going to be joining pg and e and then went there and the average age of pg e at the time was 55.

And so I'd be walking into the elevator and people would be like, Hey, when does your pension kick in? And those were kind of the conversations happening. It was a cube environment like cubes with really big walls, which you rarely see now, right? It's like all open desk environments, at least in the valley. But there were these cubes with big gray cubes, with big walls. And my first roll, I remember walking into my cube and there was clicking sounds coming out of it. I'm like, what is this? One of my first tasks was to find all the modems that were unauthenticated in the company. There was a war dialer, literally this modem that dials all the modems. So that's what the clicking sound was. That was my first job. And also I didn't know how to socialize properly at work, so I was very kind of like, here's me just graduated from college and then average age 55. And so it was a very interesting environment

Den:

And I mean it's hard enough when you leave school and you try and engage with adults. I'm struggling on how do kids after COVID, so the ones who are graduating the last couple of years, their last few years of school was not sociable. So even their social skills get harder and harder. I also know that you were doing some interning and I actually turned my eyeballs towards interns in the last year after doing a conference talk. And I was just talking about leveraging school talent and internships and stuff. And I think of it like interns on steroids where they do the summer thing, but then I would keep them on as a part-time worker. So when you deal with interns now based on being an intern yourself, what do you look for in a student who wants to be a part-time worker and a company? What's the first thing you look for?

Rinki:

I think I want to see hunger to learn. Having some maybe tech table stakes skills is interesting, but with ai, I feel like that's even changing. But I think just hunger to learn curiosity, I think that is the most important thing and I felt that now more than ever. And I think when people are eager to learn and just dive in and have this, I want to do as much as I can do. I love that kind of energy. I think that energy is really infectious too amongst teams that you're doing the same. Sometimes you're coming into the same place doing similar type of work and this new energy with new ideas and this hunger to learn can just strike an energy. To me, I think that's the most important thing is people that are willing to learn and do things a different way. And then I think communication is also really important, and that's because I think you have to be able to communicate new ideas, you have to be able to talk about that. I think that's super key.

Den:

Yeah, I always coach people the ability to communicate with human language rather than being this technical genius. Because quite often you've got that tendency to try and prove to people how technically gifted you are and your ego really leads that as opposed to understanding the person you're talking to may not be technical at all and you've got to try and translate it into their language, especially the higher up the organizations you go, you get to some board level conversations. And now the valley's a bit different because we have so many technologists, but at some board level, you do meet people that really, they don't know technology very well, and if you're trying to explain some security stuff, it gets pretty tricky. So you really got to figure out who your audience is. And I learned this communications years ago was who's your audience? It's an audience driven thing,

So don't think about yourself. I mean, it's hard to not do that sometimes, but think of the audience. I want to dig in a little bit to the whole the Jewel CIO CSO role at Bill. One of the biggest challenges I see when the orgs are separate is that tension between IT and security. How did you overcome, or what advice would you give to people who are following your footsteps, who are taking on that type of role for the first time? How do you overcome that tension and try and make it thrive and partner together? What kind of tips do you have?

Rinki:

Yeah, can I share you with you what my mindset was? I think that's what made it different. So I've been in companies where security and IT are peer organizations and then I've also been where security reports into it. And every time there's tension when it's security in it as peers, you're fighting over prioritization, like security wants to prioritize security initiatives, but their whole measure of success is based on enablement and availability. And so those can sometimes be in conflict. When security reports into it, you're always going to get prioritized enablement and availability and there's no escalation path because their escalation path is the CIO. The way I thought about this was like I was a CISO with I and security reporting to me. I was a CISO and CIO, but came from a security mindset and where I think teams, it's the first time I ever saw it and security get along in a really cool way.

There was no tension. The teams why? Because if I wanted security to be a priority, I could transfer over budget or I could put additional resources and say, you know what? I'm taking a hit on enablement and availability of something in order to prioritize something that I think is really important. And the decision in that was on me many times. And so there was, okay, we're going to take a hit in this place because we are going to have to prioritize. And then the tension went away. There was nothing to argue about. It was a different way of looking at it. And you could say maybe I come from a security mindset, but it was like, let's figure out the right way to do this. Understanding that if you don't prioritize security, that is definitely going to create enablement and availability issues down the line.

Den:

Yeah, I mean the reality is you're still, and in that case, you're still working in a company which is full of engineers, highly, highly opinionated people on how it tends to be too slow, too expensive, and they look down on you. I used to always say this joke at Adobe, I'd basically say, you've got the engineers up here, then you've got the ladies and guys that cook all the food in the kitchen here. Then you've got cleaners there, then you've got it somewhere down here. That was where we were on that pecking order. And in some cases, quite rightly, because there was a lot of bureaucracy that people pump into it quite often, especially the bigger the company. I mean shit, I went from Adobe to Cisco. So I don't want to tell you how that changed from the whole bureaucracy business, but the reality is the bigger the company, the bigger the organization, the more bureaucracy, the more you slow down and the bigger the challenge, the bigger the tension. And when I went to startup next, I'm like, holy shit, this is brilliant. And I was responsible for both IT and security and was like you say there was none of that. Because when you're the one accountable, you actually know whether you're going to have a conversation about performance availability or timely delivery versus do you want to be in the news next week? I mean, it's your conversation to have them all in one goal. And I think that's the thing. It's that accountability model that I think is just brilliant.

Hey folks, just want to take a minute to say thanks for listening to the show, watching the show, however you engage with us. If you're liking the conversations, if you think we're adding some value, we'd love you to subscribe and share the show with your friends. If you know of anyone else that would benefit ideally for us that will help us be able to grow the show, invest more in the quality, get some more exciting guests and keep bringing you some executive goodness. Thanks everybody. Take it easy and enjoy the rest of the discussion. So it's funny. Would you recommend, so let's say you're looking at startups, 500 people or less in their organization. Would you recommend that they think of a model where they have one leader that runs both functions?

Rinki:

A hundred percent. And I think it's got to be, not everyone's going to agree with me, and this is probably controversial, but I like it reporting to

Den:

Security.

Rinki:

I like that model. I think if you say, because the traditional model has been IT and security reporting into one leader and it's many times the CIO, but that's because security's kind of been a, oh, we have to do this thing. Where do we put it? We'll put it under the CIO versus it's very intentional. Now, if you have security and you're putting it, that's an intentional thing. And a lot of it now is enabling the workforce securely. And so I am very biased on this. I think it works really well when you have it like this. It could be in other ways, but then I think it needs to be someone that really, really deeply cares about security and puts it first.

Den:

Yeah, I mean biases arrive though because we have some experiences that either are positive or negative and therefore we derive the bias. So in your case, and actually similar to mine, it's a case of through a positive experience, you've walked away thinking, wait a minute, this was way smoother. There was less friction. We could move faster. There's less priority drama and nonsense like that. And I think I've just always been a huge fan of accountability. I want one throat to choke. And when you start to see organizations start to conflict with each other, generally that's because you've got two leaders in a dynamic situation where neither of them are really able to be accountable for the thing. And in order for them to be successful, the other person has to play the game and they don't play the game together. And if you don't play the game very well together, then oh shit hits the fan.

And in some cases, and actually, so at Adobe I solid line to the CSO and doted line to the CIO at Cisco, it was the other way around. And in both cases, and the dynamic was one of the responsibilities I had was bridge and remove the friction. It was almost like, especially when I got to Cisco, it was can you mend the wounds between security and it? Because I actually used to report at Adobe to the guy who's now the CSO at Cisco. So I reported to the CIO and all of his team, they all knew that I had worked with him for years at Adobe. So even though he didn't bring me over, the CIO Cunningly said this would be the right guy for us because not only can he rebuild security for it, but he can mend the wounds, he can help bridge the gap, a trusted relationship. And I think that somehow you've got to figure out how to do it. I think if you're a smaller company, like you said, Hey, have them under one liter, one org, one throat to joke, and there's no reason why they can't be successful. And ideally, and I think the evidence is they would move faster. So I'm a big fan of that one.

You're also, it's funny, another hat you wear. So I picked up on the, I'm a mother hat, right? So a wife hat, a mother hat, a CIO hat, A CSO hat, but also an investor hat, right? So I've seen that you're active in the investment community. So what do you look for? I mean, actually could you maybe share a little bit, how do you get involved in the investor game?

Rinki:

Yeah, it's funny. My whole career have been so excited about innovation and in cybersecurity there was always so much happening because I saw it go from something that nobody knew what it was like rinky, what are you getting paid to do? What is this thing that you have in my first job all the way to now? It comes out of everybody's mouth. Everyone knows what security is or knows somebody that's been hacked. And so when I think about that, innovation has been such the center of that. And I've always been like, I'm going to try the way I love this new tech, I want to test it out. And that then morphed me into working with founders on here's what I need. Can you go build this thing for me to then morphing into, I want to invest in some of these companies, I'm helping them.

And so I started doing angel investments and then I was like, I've got some blind spots. Let me partner with engineers that I trust and friends I trust, and let's do these angel investments together all the way to now fast forward to today building a VC firm. Lockstep is the name of it. And now instead of writing small checks, I can write a little bit bigger checks into these cyber companies that I think are doing incredible work supporting these companies, but also supporting the community and the ecosystem that helps these companies be successful. And so that's been really meaningful work. I love meeting early founders and I love building the community out, other practitioners like you and I and how do we support the whole ecosystem, both support each other because these are hard jobs, but then also support founders. Their jobs are not easy in building in this space. So it's just like a culmination of my career now in doing that, in addition to staying an operator, which I think gives me a really unique perspective when working with founders.

Den:

Yeah, I mean that's amazing. It is rare that I've met a CSO in the industry that got into investment and really sees that as a huge part of their identity. And I'll be there one day. We already planned for 9 0 9 investments. So yeah, we plan to be there. We're just not there. We're not there yet. But what do you look for? Because you and I walk around RSA black cat wherever, and you see all these vendors, all these security companies. I mean especially with ai, there's just a mass of new AI companies coming out. So what do you look for when you're thinking of the next investment? What's the big disruptor? How do you determine where to put your money?

Rinki:

I always, when it comes down to it, look, the founders come up with ideas and the ideas can change over time. We've seen companies completely pivot. To me, it goes back to what we talked about earlier, but it's all about founder conviction. It's how I feel about the people. And are they curious? Are they going to fall in love with the problem? Not the solution, but the problem, they really want to learn what security people are struggling with. And to me, when they fall in love with the problem, when they're super curious, even when they're a little bit philosophical, but then can drive execution based on that, that's what I love. It's the people. And I think at the end of the day, this is all a people business. And I think that founder conviction is everything, especially because I like to invest in the early stage and the precede seed level. And so at that point you're investing in founders and helping them with the ideas. So that's where I start. I do think it's so noisy right now in the market, but I think it's noisy because that's how big the problem is.

And there's room for folks and there's rooms for companies that are going to build something that might get acquired. There's room for people that are building brand new platforms and different ways of thinking of things. And I think there's room for a lot of disruptors right now, and that's why I think it's an amazing time to be a security practitioner and be an investor.

Den:

And I look at it along the lines of with AI coming around the corner, there's a lot of companies that are building product that leverage AI in the product. And then there's a lot of people building product, which is an AI product to secure AI things. And I'm more excited about that ladder. I want to see what is emerging to secure all the AI stuff that's coming out. Because identities, as an example, if you think of an agent being a non-human identity, well holy shit, we didn't actually solve the problem of non-human identities. We still have service accounts that are regular ones. We've got API accounts, we've got all that bullshit, we never solved that problem, and then it's going to explode. And I just see this whole thing of you're going to end up having your directory or equivalent with 1% human identities and 99% all this other stuff.

And I'm like, okay, so who's building the thing that solves that? And I do know of some, actually I could name five companies offhand right now, but I won't. But there is one of them that we're certainly getting more involved with and we like what they're doing, but they're not sponsoring this podcast. So we're not share their name yet, but they will be at some point. So I look at it like that R key, like holy shit, this is rife. We're about to, I dunno how many new companies, but RSA last year was at three and a half thousand vendor booths or something

Rinki:

I've heard, I don't know, a dozen pitches for the agent to agent like authentication, authorization, permissions, all of that. Every non-human company, non-human identity company is pivoting to CP and other pivoting to the agent to agent machine to machine identity and pivoting to now be more agentic identity. And so I'm not surprised, I'm curious to share notes on the five that you're talking to, but

Even the existing ones are pivoting to that. And you're right, is this going to be part of a true identity platform? Where are we headed with this? Because with NHI too, we saw that a lot of companies are like, is this a platform? Is this a feature within another identity product? Where's this going to go? Where's the industry going to go around this? And I think it's going to get more complex. I think there's going to be an explosion of identities with agents. I think there's going to be explosion of data and permissions and we've got to get this under control. So then when you see that I've heard a dozen pitches, it's not surprising.

Den:

Well, I hate to be the doom person for, I'm actually an optimist generally, so just nobody pick up on this. But here's a little doomsday thing. I first read about least privileged in the year 1992. I was a novel admin minding my own business, and I'm learning my craft and I'm reading about least privilege. And what a few years later, we still haven't solved least privilege. We talk about it, we have, and then you've got all these products that talk about being least privileged, and then they jump on the zero trust bandwagon as if that's zero trust and all this shit. And I'm like, we are screwed. I'm just like someone. And I think of it now, my optimist hat on, I'm like, this problem's going to be worse. We have a huge opportunity, an opportunity for leveraging AI for security to tackle these two problems, non-human identity, at least privilege. And I am looking forward to seeing some companies come out that would work on that stuff. So yeah, so I am an optimist more than I am a pessimist for a Scottish guy. Normally Scottish people are grumpy as shit, but this one not so much. I'm just checking out my notes here.

I think if my notes are right, co-authored a book creating a Culture of security. Is that true?

Rinki:

Yeah, it's a long time back. It was with Steve Ross, and that was back when it was a long time ago, and that was in my eBay days. He actually authored it. I was really lucky to contribute to it. Actually, the way I fell in love with cybersecurity was not my first role, but it was when I had to train developers on cyber. And I realized because I came from a comp side background and I was a developer myself, I could relate. And I'm like, what is this nonsense for training developers on this is not the way to train or win hearts and minds. And then I got a chance to develop my own training, my own way of doing it. And it's what I fell in love with is how do you drive security culture within a company? How do you build security culture into the DNA of an organization? And so I got this chance as I was doing that early days at eBay, I got a chance to contribute to this book that was being written. And I should go back and read that now to see what principles are still true in it.

Den:

Well, I picked up about emotional intelligence, and one of the things for me, the two things when it comes to training, this is what caught my eye on it, was when I was at Defcon quite a number of years ago now, probably 10 years ago. And one of the women in the social engineering village, she came out and she was, after doing her little thing, she comes out, she does her magic, she comes out the booth, and then she's talking to the audience. And one of the things she said then, which totally inspired me, was don't train your people security training on all this corporate nonsense that you've been doing. They just click through it, they hate it, it's all bullshit. Instead train them on how to protect themselves and their families and get the whole, do you like your money in your bank account and do you like this?

And for me, I was like, holy shit, that's brilliant. It's kind of partly why we also wrote our little ebook was because I was inspired to do it. I never had the ability to do it. Really, none of the companies I was in really listened to that. So when I started 9 0 9, I'm like, we'll do this. And everybody in the team's like, but then we are not business to consumer or business to protecting businesses. And it's like, yeah, yeah, but I think this will help people. If this helps five people not get hacked, I'll be a happy kid. But I think the one thing about culture is there's this whole emotional empathy, trust, all these components of it. So when you're building a team, when you're, I mean at a C level, when you're building a team, how do you try and blend a corporate culture or enhance the culture within your organization to build a team where everybody wants to really jump in, stay and do more?

Rinki:

I think that one, our role has changed, right? Over time it's become more very business savvy role. You've got to understand the business. You are more an advisor of risk to the business and a communicator and a driving accountability of risk to the company. And I think what keeps, I was at my last organization, zero attrition, growing the company, zero unwanted attrition, growing the company, growing the team, 30 to a hundred. And I think it's driving innovation, keeping people excited about what's next, not making people feel like, oh my God, my job's going to be obsolete, especially with the AI trend, but it's like, I don't want to do this monotonous work. If I'm sharp, I want to stay because I see we're going to be doing cool stuff that I can talk about. And so I think that's the big thing that how do you make sure that your folks are feeling like if I'm part of this team, I get to drive innovation, I get to do the next thing and talk about things that we're thinking about things earlier than others in the industry, but also I think you've got to create exposure for the team.

I talked about this recently. Why are we as CISOs going to the boardroom by ourselves? Why is it that when you take your first CISO job, that's the first time you're presenting to the board. It's already really tough being a ciso, but then it's even more nerve wracking to be in the boardroom for the first time, bring your team with you, maybe not the entire team, but bring one person with you, one different person into the boardroom as you're presenting and give them exposure. It's good for you. You're not in the hot seat constantly. It's good for that individual. They get exposure and it prepares them for their next role, and they understand what the board dynamics and how those go. And then it also gives the company and the board succession who is in the team, you understand their capabilities. And so you're not like if the CSO leaves or if something happens, you're not left cold and dry. You have you understand that

Den:

Somewhat. Yeah,

Rinki:

That's right. And the team loves it because they're like, this is really amazing exposure and we're getting to learn in this role. So it's not, if I do decide to take on the CISO job next somewhere, I have a starting point and I know how those board discussions are going to go.

Den:

And it is funny because just as you were talking about it, I was like, yeah, one of our responsibilities as a leader is succession planning. So in my team, I think I had about nine direct reports and two of which were part of my succession plan. And each one of my direct reports had at least one person in their succession plan. And for me, that was really important because if I'm going to go on vacation for two weeks, I want someone to run the team while I'm gone and me not be bothered. I mean, under certain circumstances, yeah, give me a call. But the reality is I could go away for two weeks and trust that the people could handle it. And also that wasn't the first time that my boss or his peers had met those people. They knew them from before because we had brought them into things. And I think that's vital. Yeah, I think you had put a LinkedIn article on that one, or was that a podcast? Because I did

Rinki:

See, yeah, I put it in a LinkedIn. I was like, we need to socialize this more and enable both boards and CISOs to be like, it's okay to ask to bring someone and boards should actually want that. Don't close it just to the ciso.

Den:

Yeah. Now, do you think, is curious, right, because the CIOs have been longer at the executive table than CSOs, right? So whether you're A-C-I-S-O or a CSO, that being that role as a business forward leading role is relatively new from an industry perspective compared to all the other roles, right? Like CFO and COO and then CIO, they're way more established than ours. How do you see the role evolving at the executive level? Do you think we're on the right path? Is there anything you'd say we should change that would help our journey be smoother?

Rinki:

I think, look, we're seeing CISOs now own it. So you're seeing CISOs slash CIOs now. We've had some role models in the industry take on CT o enterprise CTO or CTO O roles even, which is so really cool to see. Just shows the level of respect that the security leader has gained. And so a lot of it has to do with the individual, but a lot of it has to do with the company and how they're seeing that role evolve. But I think it's yet to be seen. A lot of CISOs that I talk to now, they're like, I need to figure out what's next. Am I going to go into being an investor? The burnout is real. I do think companies who think about this, right? They keep CISOs and CISOs and they keep the energy of CISOs up high. And then there's the rest where it's like, I need to find a company that's going to support me, me, that's going to give me budget going to, and it's like, here we are putting folks in one of the toughest roles in the company and not supporting them in the right way. So I hope we see more CISOs take on these roles that are really strategic. I hope we see more CISOs sitting at the executive table, not just being called at the C-level, but being sitting at the CEO bench or whatever it is, and being enabled in a really meaningful way.

Den:

And I do see a lot of CISOs leave full-time employment, like gainfully good full-time employment because they're not empowered. The budget's not there, the support's not there, but the legal expectation is there. The personal risk reliability to them may be there. And I see a lot of people just jump in ship and saying, this isn't worth it because I'm not getting the support. And I know personally for me, I've expressed this before to CEOs. I'm not interested in the title in the role unless certain conditions are met because I don't want the title without having the responsibility and the empowerment.

Rinki:

Otherwise, sorry, you just got me. And we tell others that, right? But how do, when people are so eager to take their first CSO role, they're like, okay, it doesn't matter. I'm just going to go. And we've been preaching that having experience, right?

Den:

Yeah. Yeah. Well, that's it. And I think there's a great opportunity for mentorship. I think there's a lot of first time CISOs that really have the ability to network and find other CISOs who have got the experience and then ask for some help, ask for some guidance, ask for mentorship. And I think what you find within the industry is everybody's really open to helping each other. The CSO network, the networks I'm a member of, I can call many of them up in a heartbeat. And actually I've got friends who are competitive in business with 9 0 9 and still, I'll have them on my podcast. I will still call them up, I'll still let them call me anytime. We will help each other. And I like that about our industry. And next week I think you'll probably be a black cat. I'll be there and we'll be all hanging out.

People will be hanging out with each other, and it's a great experience, just that networking side of life. So I know it's funny. Yeah, we're up on time, really rinky, and I am only halfway through my notes. Shit. I had a whole bunch of other things to throw at you, but I'll save that for another day. I would love to have you on the show. Do you have any parting words? Look, this is one that I don't want to leave without. So women leaders, executives, you've trailblazed a path. If you've got one piece of advice of women that are younger trying to join in their career, younger in their career, and they're trying to get where you are, what's the one piece of advice you'd give 'em?

Rinki:

I think it's my advice, not just for women, but especially for women I should say, is take risks early on and be super curious. And it's okay to make mistakes as long as you learn from them. We don't have to be perfect in any of our roles. And I feel like because I was one of the few women on the team, I just felt like I had to work harder, prove myself harder. And that led me down this path where I was scared of taking risks and scared of making mistakes. And it's actually okay. It's when I've made mistakes that I've learned the most that gave me more fuel to go drive innovation. Because when you drive innovation, you learn from your mistakes to be able to do interesting things. And so I think that's really important, and that would be my biggest piece of it.

Den:

That is excellent. Well, rinky, thank you very much for having me on the show. It's great to see you finally. And yeah, I would love to have you back on because I've still got another billion questions there, everybody. Rinky Seti, chief Security and Strategy Officer at Upwind Security. Thank you again for joining.

Rinki:

Thanks for having me.

Narrator:

Thanks for listening to 9 0 9 exec. Subscribe wherever you get your podcasts, and don't miss an episode of your source for wit and Wisdom in cybersecurity and beyond.

‍