Episode 57: From Biotech to Cybersecurity Leadership with Kavia Venkatesh

Narrator:

Welcome to 909 Exec, the executive leadership podcast from 909 Cyber, where cybersecurity intersects with business strategy. Your host is Den Jones, founder and CEO of 909Cyber. For more than three decades, Den has led security at Adobe, Cisco, SonicWall, and Banyan Security, helping executives navigate risk, trust, and transformation. Each episode goes beyond headlines and hype with conversations that matter to leaders shaping the world of technology. So please join us for 909 Exec episode 57 with Den Jones and Kavia Venkatesh.

Den:

Hey, everybody. Welcome to another episode of 909 Exec. I think it's the journey that all of us executives are on. We make some mistakes here and there and sometimes we're successful. But if we all share some of those fun things, then we can maybe help each other as we grow and I'd love to say we thrive and we strive forward. So every guest I bring in is someone that I believe that I've met at my journey that I think can help you in your journey. And today is no exception. Kavia Venkatesh, welcome to the show. Now you've got an exciting background. Everything from where you are now to where you've been, we'd love to dig into that. So thanks for joining.

Kavia:

Well, thank you for having me.

Den:

Excellent. So I'd love to start a little bit. Let's talk a bit. So first of all, females in cyber, not a common thing. Female immigrants in cyber in the US, less common even still. So I'd love to learn a little bit about your journey. How did you get into cyber to begin with? And where did you start life and how did you get to the US? So there's a few things already.

Kavia:

I know those are a couple of questions right there. I'll start with my journey to cyber was actually a delightful mix of happy accidents. Some were deliberate leaps of faith. I have a background in biotechnology, so I have an engineering in biotechnology. And I did move to the US with that degree and soon realized that technology meant different in different areas. So as I moved here to do my master's, I was interning at a coorse brewing company also because biotechnology in my mind at that time was more relatable to beer. So that's how that started. And while I was at course, course was going through an unexpected change. I won't say it was an unexpected change for them. It was a more unexpected change for me. They were going through a merger and acquisition with Miller Course, and that was great timing for me because I got to experience some of the due diligence and the integration phases real time.

And as the intern, I got thrown into all the little things that someone did not want to pick up, which was a great opportunity for me. And that really led me into working with multiple teams within multi-course, within the tech and ops department. So essentially I was working with supply chain, I was working with the technology migration, I was working with the security team. And interestingly, at that time, the security team was a very, very small team. So they needed extra hands to help with that integration. And I started working more closely with some of the cyber-related asks that they had. And that was essentially my crash course with introduction into cyber. My role was essentially just connecting folks together, making sure tasks were getting done, very project coordination related, but it was a great way for me to understand the different elements associated with cybersecurity.

And- Go ahead.

Den:

No, I was going to say that's wrong. And so this is about 10 years ago, right? So you've been in cyber for 10 years. And forgive me, because I should have said at the very start, let's begin with where you are now, but I got so excited on the beginning of your journey. So you've been doing this for 10 years. So we went from cores, but let's share where you are now for one brief second, and then we're going to come back to that journey.

Kavia:

Yep. So I started as the intern who was helping with cyber projects to now leading application security at Cigna, a healthcare company in the US. And it has been very exciting, overwhelming, and wholesome experience through the last 10 years.

Den:

Yeah. And so for me, when I listened to the journey, it's like you've gone from intern while you were here. And so when did you move, so from India over to here?

Kavia:

10 years ago. I go straight into that internship.

Den:

All as part of the study abroad kind of business, and then you got the job. And so 10 years have gone by, you got attracted either by drinking beer, I guess, or is this the chemical element of it?

Kavia:

Honestly, my journey in the cyberspace has been the people. I have been fortunate to have found great partners, mentors, bosses through the last couple of years that have helped pave the path for me. When I landed here a decade ago, I probably didn't even know what cyber was. It was that introduction at Coors through the migration exercise that we were doing for the merger and acquisition that got me a sneak peek. And then it was an individual that I work with that inspired me to even consider the cyber space. So people play a big role, and I think that's mostly underestimated. And as a young individual who is still figuring things out, you really look to people to get inspiration. So having that security leader, and definitely want to give her a big kudos, because without her, I would not be in the cyberspace. It was Christine Vanderpole.

She was a security leader at Coors, and I just was amazed with the things you could do and the things that were primetime in the cyberspace that nobody talked about on a day-to-day basis. Because we were always like, "Hey, this is a breach of confidence. We don't want to talk about it. " So you never get into the details till you're actually doing the day-to-day. And she led me into the cyberspace, introduced me to the entire cyber world. And then I transitioned to Kaiser Permanente where I helped with their cyber portfolio. That essentially was my bootcamp into all the different domains within NIST and within cyber. And that's essentially where I really dove into the details and found my niche in the cyberspace. I spent about two years driving the portfolio, which was focused on investment. And while I was there, we spent a lot of time looking at new technologies in the cyberspace that we would like to invest on, try to analyze some of the technologies, mostly startups, see how they're tied to some of the domains, how we would see impact in the maturity of the organization.

And that was really the on the ground learning experience for me to be focused in cyber, to stick to cyber and say, "Hey, this is where I want to grow. This is where I see a future. This is where I want to make a

Den:

Career." Yeah. And I was just thinking, so what was the one, so that one piece of advice that you were given that made you think cyber is the thing for you. So you said that Christina gave you that advice or opened the door. So what was the one thing that hit you on it?

Kavia:

I don't think there was one thing. I think it's also, it was mostly that opportunity. Having someone trust you, knowing that you don't have a background in cyber and say you can do it. And this is something that I practice today. I definitely look to folks who have the fire in the belly, the willingness to learn, the willingness to do what it takes to deliver. And having confidence in folks who are willing to do that definitely is the reason I am here. So I definitely translate that today in my day-to-day. The one thing that I really liked about cyber is I realized that you don't have to always be in a position that people are talking about what you're doing, but you could do things in the background that could really help drive a business, which is really underestimated. At that point, there was a joke that someone made in my office saying, "Hey, who cares about cyber?

If we get breached, we won't sell beers for a day." But cyber's transitioned so much in the last decade. It's not just not selling beer, it's about identity, it's about privacy, it's about making sure that you have customer trust, which is the biggest element of doing business today for organizations. So the piece that I like about being a part of cyber is the fact that you have such a close tie-in to the business without having to deal with the direct impact of sales

Den:

Specifically. Yeah. And it seems early in your career, there was the whole, there's a leader above you that sees something in you and sees a path for you. And I think it's really important for people to take away from that, which is quite often in our career journey, we don't actually know where we're going next. We're like, "Hey, I'm doing my little thing. I remember I'm a server admin, I'm doing my thing, I'm building servers, I'm building computer, now I'm coding a project or whatever." And you don't necessarily know what you don't know. So I think it's very important for leaders to look at people in the organization and look for opportunities or areas. And I remember hitting Cisco and there was a project manager, TPM in our team and she was junior and I saw what she was working on, but I actually saw her.

I saw her attitude and enthusiasm and I knew we were about to do a big project around Zero Trust. And I'm like, "Okay, we're going to deploy ZT to 110,000 people. We're going to do it in QuickTime. I need a core team of people that I trust." And instantly grabbed one of the leaders that reported to me, Josephina, said, "Hey, you run this. " But then Lila, I'm like, "Over here, move you out of this team, over to this team." And then I brought somebody in from my old previous team as well, from Adobe, and pretty much like, okay, now we got a core team and then let them build a few more players in that team. But ultimately, I don't think she saw in a month of Sundays that that create opportunity even existed to get to do something that was so visible and big for the company.

And I think as a leader, and like you said, it's very important for us to demonstrate that and find people because building the right team is really about us finding players and sitting them on the right seat in the bus.

Kavia:

Right. And honestly, one of the things that you mentioned is sponsorship. Women, and I don't want to make this about women in cybersecurity, but if you look at the numbers, they have more mentors than sponsors. And having sponsors like you identify talent, make those opportunities available is what is going to help drive that advancement, whether it's in leadership or in cybersecurity. So when you ask me, "Hey, what drove you into cyber?" Yes, a huge element is going to be that sponsorship of having individuals identify what you could bring to the table, advocate for you, promote high potential women, make sure you bring them the visibility and those opportunities so they can grow. And that's exactly what is going to help drive this industry forward for women specifically. Yeah.

Den:

And I mean, I think it's upon all leaders to look at the organizations and look for diversity in the team they build from backgrounds to, I mean, all of it. I think it's sometimes hard because the pipeline doesn't necessarily support that. So I also think it's incumbent upon us to jump into the pipeline and try and encourage and figure out ways to give back to the community and work there and then encourage more kids to take this seriously. I'm curious, so you jumped from Kaiser and then you got to what I'll call the cooler tech companies. So do you want to share your experience at Twilio and Google-

Kavia:

Absolutely.

Den:

... where you got you are now.

Kavia:

And when I started earlier, I mentioned most of my opportunities were opportunities that came to me. I didn't really have to go look for them. I had a recruiter reach out to me from Twilio and said, "Hey, you have an interesting background. I see you've worked on mergers and acquisitions and you are helping drive a cyber portfolio at Kaiser. We're looking for someone to build out our mergers and acquisitions security program. Is that something you'd be interested in? We're a hypergrowth company." And Triple Told at that point, I probably knew Twilio, but I really didn't know what they did. But I was like, "Oh, this is interesting." So a lot of folks believe, "Hey, you moved around a lot, you have experiences in different areas that's not aligned to the standard path to make a career." But that was not the case for me. For me, that was actually something that accelerated my career.

I got an opportunity to work on something cool, which was bringing mergers and acquisitions and security together. And at that point, the focus of the program was how do you assess a company for breachability and how do you put a number to the quantitative risk you take on when you acquire a company? And what would you do from a cyber standpoint to building mitigating controls to make sure you have minimum impact off that?

Den:

Yeah. And so for me, actually, I had a level of responsibility in that space at Adobe as well. Our enterprise security team, the M&A piece of it was when you're bringing in another company, it all falls on enterprise security. So I empathize with the struggle on that one because a lot of breach, I don't think people realize the number of breaches that happen because a company acquires another company and the bad actors go in the back door of the acquired company because they maybe didn't have the funding and therefore the security practices of the mothership. I mean, can you share just a little bit on your experiences and what you are seeing in that space?

Kavia:

So most acquisitions, I think when they're local to the US, there's a lot of regulation around reporting a breach. That is not the case for all international companies. And when you are acquiring companies, you are acquiring at an international scale. So the biggest piece is you're always having to deal with the, "Hey, the company you're acquiring might already be breached." Just they might not know, you might not know, and there might be a threat actor sitting in their environment that you will be literally introducing into your environment, which is a huge, huge risk.

One of the things that we did through my time at Twilio was really focusing on, "Hey, what does day one cutover mean?" It means, hey, no one connects networks till they get new laptops to help with that lateral movement concern. There were small things that were being done, but we didn't really tie it into the risk that the organization was taking. Another thing that you will also see is some people just don't know. Employees want to do the right thing, but they don't realize. Through mergers and acquisitions, there's a lot of emotion and sentiment tying to it. Employees do things that they don't realize is a risk to the company. They share information, they share information on LinkedIn too early before it's ready for primetime.

Those are different elements that you only will start looking into those nuances when you are focusing on that program and building more intentional controls over them. So there've been many set use cases that we focus on. I could spend a whole day talking about them, but again, I'll go back, and this is what I'll double click on, is the people element. Cyber is technology, but there's a huge people element. And when you're building capabilities, when you are building mitigation controls, you can't forget, yes, you're doing it for the people, but there's also a considerable risk factor that comes in from the people element that you want to protect the people from. So it's a tricky situation to be in, but there's a huge people focus. A lot of people think cyber is someone sitting in a basement and doing things and doesn't really have a people- centric outlook to it.

But I think within cyber, there's so many people- centric elements that go into consideration of designing a great cyber program.

Den:

Yeah, no, you're absolutely correct. Now we're going to pause for a brief message and then we'll be right back. Hey folks, just want to take a minute to say thanks for listening to the show, watching the show, however you engage with us. If you're liking the conversations, if you think we're adding some value, we'd love you to like, subscribe, and share the show with your friends, if you know of anyone else that would benefit. Ideally for us, that will help us be able to grow the show, invest more in the quality, get some more exciting guests, and keep bringing you some executive goodness. Thanks everybody. Take it easy and enjoy the rest of the discussion.

So Caveat, so I'd love to dig in. And I think you're right. We always talk about people, process, technology, and when you look at the way companies are being reached right now, the people piece for me generally is way worse than the process and technology piece. I mean, they'll play a part. Getting the right people, but educating the right people. And then I think the thought of people now being socially engineered is so simple. And we hit DevCon and you go to the social engineering village for me, that's such a fun trip to sit there and watch what's going on. I mean, what advice do you give to companies where you're trying to talk about how you select the right people, how you train the right people, and how you keep the right people?

Kavia:

I think it's intentional leadership, right? Making sure you're looking out for people. A large number of companies are going through this shift, and we've seen it over the last couple of years where there's been series of layoffs after layoffs. And what in the past was considered, "Hey, I feel secure in my job." There's a sense of insecurity built in to every individual. And it's important for organizations to be investing on people, one, for the skillset that they bring in to help protect the organization, but also helping them grow as individuals and feel safe. Psychological safety today is something that I think most organizations are struggling with

Den:

Just

Kavia:

With the recent trend of how companies are handling cost reductions.

Den:

Yeah, it's very interesting. I had this conversation earlier in the week, which is you used to think that these big tech giants were a place that you could have safety and that they cared. And I think some companies still do, but I think on the whole you're watching how, and you just mentioned how the layoffs are happening. There used to be some thought and care on how a layoff would happen because they cared. Now you're like, your account's terminated and you're lucky if you get a text message. It's like, you're done, that's it. And I'm like, holy crap, how people are being laid off and stuff, there's just a total inhumane side to it. And I've heard of people have been at a company for 10 years and then all of a sudden they're laid off via email and it's like, holy shit, there's no loyalty.

And so yes, I figure there's a problem in their industry right there, but we can tag that for another day. Well,

Kavia:

Another thing to think about, there's that aspect of it, but it is also from a leadership standpoint, how does a leader make that difference? If you have a leader who can help drive that psychological safety, who can help define a path for you, find your opportunities, it could shift that sentiment to a large degree. So I do feel, yes, there's this transactional relationship that is being created between organization and employees to some degree that we don't want to see or want to accept. But as a leader, your relationship with your team member is beyond that transactional relationship and it's that investment you're making in not just building a great team, but also helping them drive their career forward.

Den:

Yeah. Yeah, no, absolutely. And then this goes back to the importance of networking, the importance of, excuse me, even networking within your own company. I think there's your team and your direct line of sight people, and then there's other people that you interact in the course of doing business. I think there's a great opportunity for people to build up more relationships and grow your network within the company and out the company, because sometimes your stability in the business is based on relationships. I mean, pretty often it is, right? So I see that as a huge, huge piece of this career path. Now, when I jump in, so from Twilio to Google, what was the jump there? And one thing I was thinking is choosing roles versus titles as you're doing these career moves, what was driving the decision between the move? Years ago, some guy said to me that if you're unhappy in your job, rather than looking for another job, try and fix the things that make you unhappy.

I think he's still at the same company that I was at 30 years ago. So I'm not sure if that's a good thing or not, but what made you take the next move and then what were you chasing? Title, role, money, opportunity?

Kavia:

For me, it's always been taking on an opportunity that I don't understand or don't know and is an opportunity for me to learn. All my roles, they're always jumping into a completely new area. So I did M&A and I jumped into the bug bounty side of the house when I went to Google, and now I'm doing product security at Cigna, all different domains, all different areas. And the reason I pick these, they're intentional because I want to be in a position where I'm constantly learning. I don't want to be in a position where I feel like I understand it well enough and I've become more the, "Hey, I've done this once. I will do it again." I want to be able to try different things and explore. So that's been my reasoning for some of the opportunities. I've been fortunate though. I don't think everyone has had the ability to find roles in different domains that help them mix things up.

But for me, it's really been being able to experiment and find different areas and grow in different domains because I think that's what holistically brings you together to be a better person or a better leader or a better individual in your career. You need different Lego blocks and you need to bring them all together. That's been my focus area over the last 10 years is any opportunity that I feel I don't know and is going to challenge me, I will take it and use that to learn and grow.

Den:

Yeah. And I always think of changing your role every two or three years. It could be within the same company, but however you choose to do it, I think changing your role regularly is a good opportunity for growth and you can build deep in one area or you can go wide. I'm the kind of person that, for me, I wanted to go wide and learn different disciplines. So that as I went on my path to being a CISO, I wanted to get as many different experiences in the area of security that I could so that when eventually I run the whole organization, I can feel like I've done most of the jobs. And I think for me personally, that was what I was chasing. Now, it's hard enough being a woman in this male dominated tech industry. So what piece of advice would you have for other women following your footsteps on how they build credibility and really get that seat at the table that you've got?

Kavia:

Networking is a huge one, but also putting yourself out there. Cyber, yes, is a niche area, but it's a very strong community. You have multiple forums, conferences, participate in them, try to be actively involved in that. Everyone has a role to play, One of the things that I really like about cyber is there's room for everyone. You don't have to be someone who only did cyber to be successful in cyber. I have met so many leaders in this space who've come from different walks of life, whether it's finance, marketing, whatever it might be. It's just the drive, the willingness and the interest of making a difference, showing that impact. A huge one is bug bounties. I think for me specifically, it's been tying into the community through bug bounty programs that the large tech have. It's a great way to understand, keep your tech skills all spruced up, understand the market, and get access to technology leaders in big tech.

That's a big one that I recommend, especially all my mentees to try out. Not everyone is technical, not everyone wants to do it, but you should try it out to know whether you like it or not. If you

Den:

Never

Kavia:

Tried it, you'd never know.

Den:

Yeah, yeah, yeah. And our industry is also full of people who burn out regularly. We got a bit of a high stress occupation. What's one tip you'd give to people to avoid burning out?

Kavia:

I need to figure that one out myself. That's a hard one. I also think it's the same thing. It goes back to within cyber, there's a lot of things you could do that are domain specific, but they're gamified, like the bug bottles, like CTFs. Those things are a great way to break out of the ruts and do something new and feel energized. That's a good one for folks to try out. Get out there, go to DEFCON. That's a great way to deal with burnout. Is a great one. We'll hang out

Den:

And party.

Kavia:

Go ahead.

Den:

Well, I was just thinking that. Yeah, it's like go to these events and hang out with your peers and then you can all cry together.

Kavia:

Or laugh

Den:

Together. Or laugh together. You laugh or cry. So a couple of things. One is where do you see the industry going now that we've got this AI thing kicking around? I mean, everyone was talking about Zero Trust for the last five years, but now it seems to be forgotten and everybody's all about the AI business. So where do you see the industry going and what excites you about AI and what scares you?

Kavia:

What excites me about AI is new domains, areas, opportunities for cyber. One that I'm particularly very excited about is some of the security controls within the SCLC process with wipe coding and some of the AI generated code. That's because it impacts me real time today, but there are more areas within AI that I think will create new domains in the cyberspace and more opportunities for folks. One thing that I've heard a lot of people say in my past life is, "Hey, I'm not too technical for this. " And I think AI will help elevate some of that and people will be able to take on more opportunities and bring fresh perspectives, ideas, and problem solving to the table that they didn't do in the past more actively. A lot of folks said, "Oh, if I'm not a coder, I'm not technical enough." Now you can get AI to do the coding for you and you can focus on other things too.

So I do think there's going to be a shift in the mindset of the workforce. You're going to have people coming in with new perspectives and creation of a whole newer domains to pick from. So that's what I'm most excited about. And I really think that that has been something that I have seen and has hit me personally because when I was reached out by Google, I was actually surprised Google reached out to me because I'm like, I'm not a coder and I don't think I'm Google worthy. And when I spoke to the developer, I said that. The team, I said, "Hey, I'm not a developer. I can't code. Why do you think I could be a part of this team?" And I said, "Hey, we have other roles in tech that are not coding oriented." And I think we'll see more of that. And that's what I'm very excited about with AI.

You're

Den:

Going to

Kavia:

See more people bringing on new ways of problem solving. We are already seeing a huge, huge number of startups, whether it's in the cyberspace or any area thanks to AI. Things are just going to be, what, 10,000 X faster now. That's something I'm looking forward to do. Everything's going to be lightning speed. That's something exciting to look forward to as well. Yeah.

Den:

No, I totally agree. Totally agree. And I think we'll skip onto what scares you business because I'd love to get a couple of more questions in about ... So at Cigna Group, I mean, what do you see as different on your approach or the kind of work you're doing going from Twilio to Google to now a healthcare company? Or is it just the same stuff with a different product at the end of it?

Kavia:

I think the appetite to risk is different. And because of the appetite being different, how intentional are you with the product or the offering you designed for your customer changes? What I really like about working at the Cigna Group is when we are thinking about a solution, we're thinking about a holistic solution that we can deliver to our user population because we are more risk adverse. While in other technology companies, you're willing to iterate and test. So you're willing to make small mistakes and course correct. So I think that's something I've seen as a big change in my working style.

Den:

Yeah. Yeah. I mean, that for me, it goes from being a less regulated to a higher regulated environment. And that always brings some challenges, but I think sometimes it brings a little bit more funding because they are forced to be more regulated. And I think the higher the regulation, then the more serious they are about certain areas of security that traditionally some companies would ignore. They'd be fine otherwise. Well, Kavia, it's been great having you on the show. I could actually ... All my questions that I had here that I was looking at, I was like, I never got to half of them. So I'll need to get you back on the show at some point. I know you're a hard woman to nail down. We've been working on this schedule for quite a minute, so I really appreciate you taking the time. Everybody, Kavia Venkatesh, director of product security at the Cigna Group.

Kavia, thank you very much.

Kavia:

Thank you for having me, and I really enjoyed the conversation, and I will always be up to have a more detailed conversation on product security next.

Den:

Yeah, no, exactly. Well, thank you very much. And everybody, take it easy.

Narrator:

That wraps up this episode of 909 Exec. If you found value here, subscribe and leave a rating to help others discover the show. To learn more about 909 Cyber, our advisory services, and how we help organizations secure growth, visit 909Cyber.com. Thanks for listening. And until next time, lead with clarity, build trust, and stay secure.

‍