Experience the extraordinary journey of Indu Keri as he traverses the landscape of IT, from his upbringing in India to discovering his passion for computer science. With a choice between becoming a doctor or an engineer, Indu opted for electronics, motivated by his aversion to dissection, and eventually found himself captivated by the world of technology. In this episode, he shares compelling personal stories and underscores the immediate gratification of creating something tangible with technology, drawing parallels to hands-on professions and emphasizing the crucial role of mathematics in tech.
Ever wondered how unconventional thinking can expose hidden vulnerabilities in security systems? Join us as we recount a fascinating anecdote about a simple number-guessing game used during interviews to demonstrate the importance of thinking outside the box. Indu also opens up about his own career decisions, including the pursuit of a PhD and the unexpected transition to management consulting. We discuss evolving cultural attitudes towards higher education and the profound value of betting on oneself, highlighting the skills and insights gained through diverse academic and professional experiences.
Gain invaluable insights into the essential skills and mindset necessary for cybersecurity professionals. Indu emphasizes recognizing the limits of one’s knowledge and collaborating with experts for effective risk management. Discover the challenge of balancing comprehensive security measures with practical approaches, and the critical need for combining prevention with detection and rapid response. Finally, explore the exciting journey of enterprise workloads moving to the public cloud, the complexities of managing hybrid environments, and the pivotal role of software-defined infrastructure in modern digital transformations. This episode promises to equip you with a deeper understanding of the dynamic world of cybersecurity and IT infrastructure.
Follow the Podcast on Social Media!
Instagram: https://www.instagram.com/secunfpodcast/
Twitter: https://twitter.com/SecUnfPodcast
Patreon: https://www.patreon.com/SecurityUnfilteredPodcast
YouTube: https://www.youtube.com/@securityunfilteredpodcast
TikTok: Not today China! Not today
Speaker 1: How's it going, Indu?
00:00:01
It's really great to finally get you on the podcast here.
00:00:04
I'm really excited for our conversation today.
00:00:08
Speaker 2: Same here, Joe, really nice to meet you.
00:00:10
Thank you for taking the time and great to be here.
00:00:13
Speaker 1: Yeah, absolutely.
00:00:14
It's great meeting you too.
00:00:15
Finally, you know, Indu, I start everyone off with telling
00:00:19
their background right, how you got into IT, what made you want
00:00:23
to go into IT to begin with.
00:00:25
And the reason why I do that is because there's a portion of my
00:00:28
audience that you know are in a situation where maybe they're
00:00:33
trying to figure out what career path they want to go down and
00:00:36
they're trying to figure out if IT is right for them or maybe
00:00:40
they're already in a career right.
00:00:40
They graduated college, they went down a different career
00:00:44
path and they're saying this thing ain't for me.
00:00:46
Maybe IT is something that I should get into right.
00:00:50
And I always feel like hearing you know everyone else's
00:00:53
background, really, you know it'll help someone, right?
00:00:57
Because someone will hear that background and say, oh, I have a
00:00:59
similar background, so if this guy can do it, maybe I can do it
00:01:03
too.
00:01:03
You know, and I felt like when I was trying to get into IT
00:01:09
myself, hearing that similar story, you know, made it
00:01:13
immediately be consumable to me saying, oh okay, maybe this is
00:01:18
actually possible.
00:01:18
This isn't impossible.
00:01:20
Speaker 2: I hope so.
00:01:20
I have sort of a silly reason and a good reason.
00:01:24
So I grew up in India and honestly, the only two things
00:01:29
that you did when you grew up in India was you either trained to
00:01:32
be a doctor or you trained to be an engineer, and so I was
00:01:38
terrified of dissection.
00:01:40
And so when I was choosing my college major, I had a choice
00:01:44
between choosing biology and electronics, and I couldn't
00:01:51
dissect a frog to save my life and so I went to electronics.
00:01:55
So that's a silly part of the reason.
00:01:58
But then, once I started studying computer science, I
00:02:01
loved it, and I loved it for a couple different reasons.
00:02:03
One is I was good at math, and so I think a lot of computer
00:02:07
science and technology is just math, right.
00:02:13
The other thing that I honestly loved is there is something
00:02:16
very rewarding in the technology profession where it doesn't
00:02:24
really matter who you are.
00:02:26
When you learn something, when you learn a new programming
00:02:30
language, when you learn a way to build a system, you can even
00:02:35
in 2024, you can actually build something tangible on your own
00:02:40
and see the immediate gratification.
00:02:42
You know, if I was more capable with my hands I might get sort
00:02:48
of the.
00:02:48
I have a really good friend who's a carpenter and he does
00:02:53
things as a hobby right and every time he does something.
00:02:57
You know, you see this just enormous sense of satisfaction.
00:03:02
And I feel a similar sense of satisfaction in computer science.
00:03:06
Like, I still sort of code from time to time.
00:03:08
I don't have a lot of time for it, but I love teaching my son a
00:03:13
little bit of programming and it's just so much fun to see
00:03:17
that and see being able to create something in a short
00:03:21
period of time and just see how that, how that manifests itself.
00:03:25
So I would say that's the serious reason.
00:03:28
Speaker 1: Yeah, you really went down kind of two different
00:03:33
rabbit holes there.
00:03:35
You know, when I was in high school, actually, I took an
00:03:38
anatomy class because of course in high school you're thinking,
00:03:42
alright, I'm going to be a doctor, you know something like
00:03:44
that, right, and we dissected a cat and I was able to get
00:03:51
through it.
00:03:51
That wasn't that bad or anything like that, you know.
00:03:56
And then we went to a nearby college here in Chicago and we
00:04:01
went to their anatomy course and there's, you know, people there,
00:04:06
right, people on the tables and they're dissecting people.
00:04:09
And, uh, that was like my first red flag is like I don't know
00:04:13
if I can remove the humanity of seeing a person on a table and
00:04:20
dissect them.
00:04:21
You know, like it's something completely different.
00:04:23
And thankfully, you know, early on in my college career, you
00:04:27
know, I went down the very stupid path of taking I think it
00:04:32
was calculus one, physics and chemistry, all in the same
00:04:36
semester.
00:04:38
I figured I did it in high school.
00:04:39
It wasn't that bad in high school, surely.
00:04:42
I can do it, you know in college and I mean, I just got
00:04:46
destroyed on all fronts and I passed calculus, you know, not
00:04:50
because I studied really hard, but because calculus was somehow
00:04:53
easy to me and I was able to kind of piece it together, you
00:04:58
know, by the final.
00:04:59
But it's a really.
00:05:01
You know, it's interesting how many people actually go down
00:05:04
that path and then so few actually make it through.
00:05:10
Speaker 2: You know what the irony in all of this is, Joe?
00:05:12
My dad was a professor of anatomy, so I think this is one
00:05:17
of those things where the apple did fall a little bit further
00:05:20
from the tree.
00:05:22
Speaker 1: Yeah, yeah, it's.
00:05:24
I don't know.
00:05:26
I mean, you know, going through that, did you get a greater
00:05:31
appreciation potentially for that profession?
00:05:34
Because you know, as soon as I, as soon as I failed at it I
00:05:38
mean I failed at it like royally right, Like I failed some core
00:05:42
classes that I couldn't even do that kind of just prove that you
00:05:46
can study.
00:05:47
They don't even prove that you could be a doctor.
00:05:49
You don't use your chemistry courses when you're a doctor,
00:05:53
Right, I just failed at proving that I could study.
00:05:57
You know, it was that a little bit like enlightening in some
00:06:00
ways.
00:06:02
Speaker 2: I think it was.
00:06:03
I, you know, I've thought of it this way.
00:06:05
I don't know how true this is.
00:06:06
One of the things that is true in computer science and systems
00:06:13
is you can almost always trace something down to something that
00:06:18
went wrong somewhere right, if you're writing an application,
00:06:22
if you're writing a program, if there's a hardware problem, if
00:06:23
you have a security breach,
00:06:30
any of those things, you can almost always trace it down to
00:06:34
something tangible that somebody did or did not.
00:06:37
And so that's almost a level of complexity that is manageable
00:06:43
by a human, I think.
00:06:50
Whereas if you even look at the body right, I mean, I don't know
00:06:53
what it's 2024.
00:06:54
Even in 2024, I don't think we really fully understand how all
00:06:56
the parts of the body come together, how the systems work
00:06:58
together.
00:06:59
And then diagnosis is still.
00:07:01
I don't know if you ever watched House MD.
00:07:02
Speaker 1: It was one of my favorite TV shows, oh yeah.
00:07:08
Speaker 2: It's very silly and you listen to that and you're
00:07:11
like, wow, I mean so much of this is just inspiration and
00:07:17
really trying to think outside the box, and I have a huge
00:07:20
amount of respect for that.
00:07:21
I think we're just so maybe a different way to say it.
00:07:25
Right is carbon-based life is, I think, way more complex than
00:07:30
silicon-based life, and I chose the easy path anyway.
00:07:32
Speaker 1: Yeah, it's.
00:07:32
You know that same sort of thought pattern really benefits
00:07:38
security professionals right of thinking outside the box,
00:07:41
understanding how different systems work and then piecing it
00:07:46
together in ways that make it work for you in that use case.
00:07:51
You know, and that's, that's a huge part of what security
00:07:55
engineering is.
00:07:55
You know, I may not need to know every little finite detail
00:08:01
about a database, but I know how SQL works, or I know how
00:08:04
Postgres works, right, and I know the different services that
00:08:08
I should be looking for, the different ports that it's using,
00:08:10
even, and I can piece together, you know, a system that'll work
00:08:15
for whatever use case I'm going into.
00:08:17
You know, I kind of want to maybe even just backpedal just
00:08:22
slightly.
00:08:23
You know, I saw on LinkedIn I do very light research.
00:08:26
I call it I mean, I wouldn't even call it research at this
00:08:29
point right Like I go to my guests you know LinkedIn and I
00:08:33
look at the education, I look at the experience.
00:08:36
I don't write any questions down, I don't even get any
00:08:39
questions in mind, right, because it kind of throws off
00:08:42
the conversation in my mind, where I'm listening to ask a
00:08:46
question rather than listening to respond or listening to
00:08:50
understand that.
00:08:51
It's a different caliber, I feel, of conversation.
00:08:55
And so you got your PhD and I want to talk about the higher
00:09:00
degrees.
00:09:00
What made you decide to go after that higher degree?
00:09:05
The higher degree first, the master's you have to get the
00:09:08
master's to get the PhD and then secondly for the master's.
00:09:11
The reason why I ask is because I actually get this question
00:09:14
asked of me a lot.
00:09:17
I got my master's and I'm working on my PhD and I'm very
00:09:21
open with my audience and I talk about the actual, you know,
00:09:25
statistics and everything that I use to decide to go down the
00:09:29
PhD route, right, and everything I use for the master's route.
00:09:33
So you know what's your, what's your background with that, was
00:09:36
it, you know, like a cultural thing, right?
00:09:39
Maybe?
00:09:39
You know your father obviously probably has his PhD.
00:09:41
Did you want to follow along those footsteps of that level of
00:09:48
education?
00:09:49
Was there something else going on there that you said, hey, a
00:09:53
PhD and a master's is what will provide a lot of value for me
00:09:57
and my career and my family.
00:10:00
Speaker 2: I'm going to go down that route.
00:10:02
Let me answer one point you made about security engineering,
00:10:05
and then, if I may, I can answer that.
00:10:11
Yeah, of course you know.
00:10:11
It's funny what you said about security needing to think
00:10:12
outside the box.
00:10:13
One of the tests I used to give in interviews this was several
00:10:16
years ago is I would ask someone, even in an audience, just to
00:10:21
guess a number between 0 and 10.
00:10:23
And it'd be interesting.
00:10:24
Almost always you'd get back an integer.
00:10:27
You'd get a number like 4, 5, 7, 9, whatever.
00:10:31
Nobody ever says minus 1.
00:10:33
Nobody ever says pi, nobody ever says a square root of 2.
00:10:39
You should try this test, and here's why it's interesting,
00:10:44
right?
00:10:46
So as developers, as engineers, you almost always write programs
00:10:53
to follow a certain set of requirements or a certain set of
00:10:56
rules.
00:10:56
So, of course, when you think of a number between 0 and 10,
00:11:01
you made a whole bunch of implicit assumptions that these
00:11:04
are integers, these are numbers between 0 and 10, and you're
00:11:09
only going to give an answer that fits in that pattern.
00:11:11
But hackers don't think that way.
00:11:13
They want to find the limits of the system, they want to find
00:11:18
where things break, and so, as a developer, it's actually very
00:11:25
useful to build systems that are secure, and to do that with a
00:11:30
little bit of negative thinking.
00:11:32
And so I always love people who respond with a completely
00:11:37
unreasonable answer to these sorts of questions.
00:11:39
Like I square root of minus one, that's a great answer, right,
00:11:45
because who in their right mind would actually think of that as
00:11:47
a number between zero and 10?
00:11:48
But if you have built a system, for example, that is used to
00:11:52
accepting integer and that has a memory buffer overflow or some
00:11:57
such issue, when you give it a non-integer input or a
00:12:01
non-reasonable input, boom, all of a sudden you've created a
00:12:05
security issue and developers who think that way can actually
00:12:10
protect against that because they don't assume good intent on the
00:12:13
part of sort of the users of their system.
00:12:15
And that's something that's hard to teach.
00:12:18
It's almost something that you have to learn like through a lot
00:12:22
of effort.
00:12:23
But once you unlock sort of the magic, sort of that magic way
00:12:28
of thinking, is actually very, very powerful.
00:12:32
So you brought that up and so I just I felt like I had to share
00:12:35
that anecdote with you.
00:12:36
Let me answer your question, Joe, sorry for taking the
00:12:41
scenic route for that one.
00:12:42
Honestly, I had.
00:12:44
I would love to say that I had a plan when I did my PhD, I
00:12:50
think.
00:12:50
The reality is I was a kid.
00:12:53
I mean, I not a kid, but I just finished college.
00:12:58
Right, this is what people did and I just did what I was
00:13:03
supposed to.
00:13:03
My first intelligent, if you will, self-aware career decision
00:13:10
actually came at the end of my PhD, where I was interviewing
00:13:15
for a faculty position at a whole bunch of different places
00:13:19
and I had several sort of great offers and instead of going on
00:13:24
and being a professor, I actually joined a management
00:13:26
consulting firm McKinsey and Company and that was a big sort
00:13:31
of fork in the road.
00:13:32
Like you, you think about these important sort of decision
00:13:36
points in your life.
00:13:37
I would say that was one of the most important decision points.
00:13:41
Speaker 1: Yeah, that is it's, you know it's.
00:13:43
It's fascinating that it was almost kind of more of a
00:13:48
cultural you know decision for you.
00:13:51
And I say that that's interesting because here, you
00:13:54
know, like in America, it seems like the culture is shifting to
00:14:00
not going to college, you know, just like not not going all
00:14:03
together, and it's almost like a lot more people have the
00:14:08
mentality of it's not worth it, it's not worth the debt, it's
00:14:11
not worth, you know, the time and the effort, which I don't
00:14:16
agree with Me personally, you know, I think that there is a
00:14:20
lot of value in it if you do it right.
00:14:23
When people bring up the you know, the student loans or the
00:14:26
debt that you may or may not incur, you know I've always
00:14:31
viewed that as an investment into myself.
00:14:34
Like, am I willing to bet, you know, this money on myself that
00:14:41
I will study, I will get the degree and I will land the job?
00:14:44
That's paying two X the amount that it's going to cost for me
00:14:49
to get this.
00:14:49
I mean, that's the number, that's the equation that you
00:14:53
have to do.
00:14:53
Am I willing to take that bet on myself?
00:14:55
You know, I feel like there's a lot of development that happens
00:15:01
when you look at it that way, when you actually execute on it
00:15:05
from that angle, because now it's like, okay, I have a lot
00:15:08
more in this game than just debt.
00:15:11
I want to prove it to myself that I should bet on myself.
00:15:15
And when you make that bet and you succeed with it, you know
00:15:19
you get your bachelor's.
00:15:20
It's easier for you to go and say I'm going to go learn to
00:15:24
code, I'm going to go learn Linux, you know I can do this,
00:15:28
I'm going to go learn these other skills.
00:15:36
It's easier for you to start making those bets and it's just,
00:15:41
it's fascinating.
00:15:41
Speaker 2: You know, I feel like I think it's I have to say it's
00:15:43
a very personal choice and, in fact, no-transcript.
00:16:13
I learned how to write.
00:16:14
Writing is actually a very underrated skill.
00:16:18
Being able to write, being able to write persuasively, being
00:16:23
able to write concisely, is something that I really learned
00:16:29
in my PhD.
00:16:30
I also learned patience, which sounds obvious when you think
00:16:36
about it, right, there are so many dead ends that you run into
00:16:41
when you're trying to solve a really hard problem, and it's
00:16:47
easy to just say give up hope, right, but when you persist, you
00:16:50
actually end up somewhere.
00:16:50
So that was huge.
00:16:52
I also learned a lot about and this don't sound odd I learned
00:17:02
how little we know individually, and it taught me a lot of
00:17:07
humility.
00:17:07
So that is this joke.
00:17:10
I'm sure you've heard of it.
00:17:11
When you've done a bachelor's, you think you know everything
00:17:15
right and the whole universe of knowledge is contained within
00:17:18
what you know.
00:17:19
And then, when you've done a master's, you think you know a
00:17:23
little bit less and the whole universe of knowledge is a
00:17:26
little bit more.
00:17:26
And when you've done a PhD, you realize that you only know very
00:17:30
little and the universe of knowledge is really vast.
00:17:35
So I think I went through a little bit of that and that has
00:17:37
taught me to and that's really come in handy in my professional
00:17:41
career to respect other people's expertise, to really be
00:17:49
humble in terms of not thinking you have all the answers, and
00:17:55
making sure that you seek out people's opinions and viewpoints
00:18:00
right, because ultimately those things help you make much
00:18:03
better decisions, especially in uncertain environments, and I
00:18:07
think that's what cybersecurity is often right.
00:18:16
You have to deal with situations where things are not
00:18:18
clear.
00:18:18
You have to deal with people who are very, very proficient in
00:18:21
their craft but are often not fully aware of the business
00:18:25
consequences or other things, and so when you have that
00:18:30
perspective that you know you have a lot to learn from others,
00:18:33
I think it actually helps you make better decisions.
00:18:37
Speaker 1: Yeah, that is a very valuable piece of advice.
00:18:40
You know, there was a situation earlier on in my career when I
00:18:43
was working for a credit bureau where, you know, we were running
00:18:47
into a very weird upgrade issue of the security solution that
00:18:52
we were using at the time, that my team had owned, and we
00:18:55
couldn't figure out why this database was not upgrading.
00:18:59
You know, and I've worked with databases before this is not my
00:19:02
first year, you know, in IT.
00:19:04
This is like year five or something like that.
00:19:07
Right, like, we just could not figure it out.
00:19:09
And you know, at the end of the day, I'm not a, I'm not a
00:19:12
database admin, not a SQL admin.
00:19:14
I, I, you know I can spell SQL, right and I can navigate around.
00:19:18
If you tell me, you know what the table is called and stuff
00:19:22
like that.
00:19:22
But God forbid.
00:19:23
You tell me to, you know, like, list the tables or anything
00:19:27
like that.
00:19:27
You know, like I'm not going to be able to do that without
00:19:29
Google.
00:19:29
And, uh, you know, it's.
00:19:32
It's fascinating that you bring that up because in that instance
00:19:35
I learned immediately like, oh, maybe I should have someone
00:19:38
that's like specialized in SQL.
00:19:42
You know, on call ready for these upgrades.
00:19:46
You know, because these upgrades are so intense, um, and
00:19:50
they really take a lot, of, a lot of dedication from a lot of
00:19:53
different people to be able to pull them off.
00:19:55
You know, maybe I should have that smi resource there and you
00:20:00
know it worked.
00:20:01
You know, tenfold right, because I I had that, that
00:20:05
subject matter expert, I had that SQL admin or that database
00:20:09
admin on the call.
00:20:10
They were able to figure it out, you know, 10 seconds in, and
00:20:13
resolve the issue and the upgrade moved along right, but
00:20:16
that was two or three hours of troubleshooting and trying to
00:20:20
avoid going to them that we wasted.
00:20:23
You know when we could have been in the bar by the time.
00:20:25
You know that guy, if we would have just engaged him, right, we
00:20:29
could have been in the bar two, three hours later.
00:20:32
But no, we were there still doing this upgrade because we
00:20:35
had just solved the issue.
00:20:36
And uh, you know, as as a security professional it's you
00:20:41
have to know what you don't know.
00:20:42
You know you have to know the extent of your knowledge, like
00:20:47
where your knowledge ends and where someone else's knowledge
00:20:51
picks up.
00:20:51
You know, you have to be very aware of that and you have to be
00:20:55
willing to say I don't know what this is, but I do know
00:21:00
someone that does know what this is.
00:21:01
Let me find out.
00:21:02
You know, I feel like that's a critical, critical skill that
00:21:06
you have to learn in security.
00:21:08
Speaker 2: You know, Joe, I have to say that's very, very
00:21:11
insightful and in fact, part of what made security hard is it's
00:21:18
really finding the right balance between what is a sufficiently
00:21:23
complete level of security versus doing, you know, like,
00:21:28
boiling the ocean right.
00:21:29
I know I mean somebody said this right Ships are safe in
00:21:35
harbor, but that's not what they were built for right.
00:21:40
And so I think, in everything that we do on a day-to-day basis,
00:21:42
you have to accept a certain level of risk, and one of the
00:21:47
things that I've noticed is that sometimes security
00:21:50
professionals sort of struggle with that right.
00:21:54
It was interesting when I was the CISO at Intuit.
00:21:57
There was this one time I mean I would present to the board on a
00:22:00
regular basis, and this one time I made the statement it'll
00:22:03
give me a billion-dollar budget and I still won't be able to
00:22:07
guarantee 100% security, right, right, and that's a very, very
00:22:15
uncomfortable place to be right.
00:22:18
What you can do is to make things really, really hard.
00:22:21
What you can do is to make the best use of the resources that
00:22:25
you have, but that just slows the adversary down.
00:22:30
And maybe
00:22:38
sometimes they'll get, um, you know, add, and turn away from
00:22:39
you, right, um, because that does happen.
00:22:41
But part of what made cyber security so hard is, if you have
00:22:46
an incredibly determined adversary, there's almost always
00:22:51
some way that they can find to get into your systems, right,
00:22:59
and so this is where I think prevention is necessary.
00:23:03
But detection and rapid response is a must, right, and
00:23:09
that's something that every security organization needs to
00:23:13
embrace that, in spite of their best efforts, something might
00:23:17
get through the system and they really need to be on eternal
00:23:23
alert and then be prepared to respond as quickly as possible,
00:23:28
and that's as true of ransomware as anything else.
00:23:34
Speaker 1: Yeah, I feel like being a security professional,
00:23:37
you have to understand the adversary's mindset and most of
00:23:44
the time, most security professionals are not going to
00:23:47
go out of their way,
00:23:55
you know, to hack into your company.
00:23:56
I would say that A lot of the times they have to be challenged,
00:23:59
you know, like you know, I think, of the CISO of MGM right,
00:24:04
I think it was MGM where he said we're completely secure, no
00:24:08
one's going to be able to hack us.
00:24:10
You know I'm paraphrasing, but he did say something like that
00:24:16
and he said that in a news interview like a you know an
00:24:18
international news agency it might've been an interview with
00:24:19
CNN, right, and uh, I mean almost immediately after they
00:24:25
were hacked, and not just like a little hacked, like it was like
00:24:28
no, we have all of the information that you store that
00:24:33
you consider to be safe and secure and private.
00:24:36
We have all of that.
00:24:37
It's important for us to always keep in mind, because even in
00:24:43
my day job, someone tells me I can't do something.
00:24:47
Something switches in my head and I don't know what it is.
00:24:51
It happens every single time.
00:24:53
You're not able to do that and I take that as a challenge.
00:24:56
You know this happens every time and, like you know, my
00:25:00
current manager, he, he does a fantastic job at managing, you
00:25:06
know, because he he was, he's in the military, you know, so he's
00:25:09
used to being around people that you know are like just just
00:25:13
tell me, just point me in the right direction and tell me what
00:25:17
you want accomplished and I'm going to get it done.
00:25:19
And don't ask me any questions of how I got it done, because
00:25:22
you don't want those details, you want the results.
00:25:24
You know, and, like I have, I have that same mentality Right,
00:25:28
and so he understands like, hey, don't challenge, don't like
00:25:32
phrase things in a challenging way to to Joe, because it will
00:25:37
trigger something in Joe and Joe will literally prove you wrong.
00:25:41
He'll prove you wrong in ways that you don't want him to and
00:25:44
he'll make it public.
00:25:46
You know, and I think back to when I was working at an
00:25:49
investment firm here in Chicago and you know I had, I had just
00:25:55
gotten done, you know, really kind of getting ramped up on the
00:25:58
environment, right Of our tech stack and everything, and you
00:26:02
know we had just put in this brand new multimillion dollar
00:26:05
DLP solution that was supposed to solve all of our problems of
00:26:09
insider threat and whatnot.
00:26:11
And my manager said you know, you're not going to be able to
00:26:16
get around this thing.
00:26:17
Because we were in a meeting and he was talking about what it
00:26:21
does and I said well, are we protecting the data this way?
00:26:23
Are we thinking about this?
00:26:25
And he said none of that matters.
00:26:27
You know we're not vulnerable to that.
00:26:30
And he kind of said it in a challenging way, right?
00:26:35
So after this meeting I went right back to my desk and an
00:26:38
hour later I called him over and I said hey, remember, you know,
00:26:42
that meeting an hour ago where you said that we couldn't do
00:26:44
this right?
00:26:45
Well, I just did it.
00:26:46
You know, and here's the proof.
00:26:48
You know, in in, I guess, in my ignorant head, right, I didn't
00:26:53
realize I could get fired in that instant, right, because I
00:26:56
broke several policies and, you know, gave them grounds to fire
00:27:00
me right then and there.
00:27:01
But I I took it as a challenge and I wanted to prove this guy
00:27:05
wrong.
00:27:06
You know, I I don't even remember what spurred right this
00:27:11
part of our conversation, but you have to remember who you're
00:27:14
dealing with when we're talking about security professionals and
00:27:17
hackers.
00:27:17
And, like you said, you know you could have a billion dollar
00:27:23
budget and you wouldn't be able to guarantee you're 100%
00:27:27
protected, and a part of that is the insider threat.
00:27:31
Well, how are you, how are you going to get past a determined
00:27:36
insider which most of our employees are right, when
00:27:41
they're trying to do their day-to-day job, and you make it
00:27:43
harder as a security professional?
00:27:44
Right, they're going to find ways to do the same things,
00:27:48
different ways to make their lives easier, and so it's just.
00:27:55
It's a fascinating world in terms of you know, the mindset
00:27:59
that we have to have as security individuals, the skill set that
00:28:03
we have to have, and it's always evolving, it's always
00:28:07
changing.
00:28:07
Is that something that you also see at your own level?
00:28:13
Speaker 2: That's a very tough question to answer, Joe,
00:28:17
especially about how to deal with insider threats.
00:28:22
I think you did one of two approaches for this.
00:28:24
First of all, I agree with you that if you have a determined
00:28:28
adversary, it's actually a very asymmetric game, right?
00:28:33
Because in 100 instances you have to keep them at bay 100
00:28:39
times and they have to get in only once.
00:28:42
Yes, so to begin with it's a very, very asymmetric situation.
00:28:47
Now, specifically about insiders, you know, I would say you
00:28:51
really have to decide what type of organization you are.
00:28:56
You could certainly be an organization where you're
00:28:59
incredibly paranoid about your employees and introduce so much
00:29:06
friction in normal things, right and compartmentalize and all of
00:29:11
that that you reduce the risk of any security issues.
00:29:15
You could do that.
00:29:16
I suspect that would really take away from the overall
00:29:22
employee experience.
00:29:23
Right, and the other way to think about this is have I built
00:29:30
an organization or do I operate in an organization that has
00:29:34
high levels of trust?
00:29:35
Maybe because I have values that drive a certain type of
00:29:40
behavior and I have built an overall sense of responsibility,
00:29:45
not just to oneself in the organization but to the
00:29:51
collective organization, and that might sound a little bit
00:29:55
old-fashioned, but I've been part of both types of
00:29:58
organizations, and I can tell you, as an employee or as a
00:30:04
leader, it's a lot better to be part of the second type of
00:30:08
organization than the first.
00:30:10
Now there are certain situations where you can't avoid the first,
00:30:13
and so then you do have to take all sorts of precautions.
00:30:16
You have to especially, I think, in sort of defense or
00:30:20
classified industries.
00:30:21
I mean, you have to take incredible precautions in terms
00:30:25
of making sure that the data is not compromised.
00:30:27
But for most of the work we do on a day-to-day basis with most
00:30:31
companies, I think you probably get more mileage if you operate
00:30:35
as the latter, where you build a strong culture where you
00:30:40
minimize you can never eliminate but you reduce or minimize the
00:30:44
risk of insider bad behavior.
00:30:47
So that's what I would say.
00:30:49
Speaker 1: Yeah, I think that's a very valid point.
00:30:52
So we've talked for almost 35 minutes here.
00:30:57
We haven't talked about your current role, right, or what
00:31:01
you're doing now.
00:31:02
So you know, can we talk a little bit about you know what
00:31:07
company you're at, what your role is, what that looks like.
00:31:09
Maybe even a little bit about what your day-to-day looks like.
00:31:13
Speaker 2: Yep, so I'm actually a reformed security professional,
00:31:17
in the sense that I don't do security anymore, and I'll tell
00:31:19
you.
00:31:19
The first thing is I sleep much better at night.
00:31:21
I've worked for Nutanix.
00:31:24
I run engineering for our largest product, the Nutanix
00:31:29
Cloud Infrastructure, which is basically a private cloud
00:31:33
platform that you can use to run your applications both on the
00:31:36
private or the public cloud.
00:31:37
I'm also the general manager for the extension of the Nutanix
00:31:42
Cloud platform to the public cloud.
00:31:43
So that's what I do.
00:31:46
But as someone who is responsible for a business and
00:31:49
also runs a large engineering organization, I try to have a
00:31:55
mindset mainly because of my security experience, where we
00:32:00
build security principles into how we build our product at as
00:32:06
foundational levels as
00:32:11
possible, and ultimately, that allows us to serve our customers
00:32:13
in a better way.
00:32:14
And so I enjoy what I do and I think it's actually a great time
00:32:18
to be sort of an engineer.
00:32:20
I think that infrastructure in particular because of things
00:32:25
like AI, because of a whole bunch of other things, it's
00:32:28
enjoying the renaissance. Infrastructure goes through
00:32:32
these phases where there are times when it's totally boring
00:32:35
and there are times when it's incredibly exciting, and I think
00:32:39
we're at one of those moments now where it's incredibly
00:32:41
exciting and it's really fun to be part of that journey, right?
00:32:46
Speaker 1: Now.
00:32:46
So what are some things that bring that excitement with
00:32:51
infrastructure?
00:32:52
Speaker 2: I'll give you something that's very simple.
00:32:53
Even though public clouds have been around for 17 years, my
00:32:59
first cloud deployment was in 2007, when I was, of all places,
00:33:04
at Oracle, where, you know, Larry still used to describe the
00:33:07
cloud as women's fashion, but that's a whole different story
00:33:11
for a different time.
00:33:11
The journey of enterprise workloads to the public cloud is
00:33:18
still very, very early.
00:33:20
I think less than 10% of enterprise workloads have moved
00:33:26
to the public cloud, and that's interesting because there'll be
00:33:30
more applications built in the next five years than were in the
00:33:34
last 40.
00:33:34
And most of that innovation is going to happen in the public
00:33:40
cloud.
00:33:41
And if you try to do that innovation in the public cloud
00:33:43
and all of your workloads are on-prem, that's really hard, and
00:33:49
so enterprises are in this strange position about how to
00:33:54
navigate this journey and to do that without lock-in to a
00:34:00
particular provider and without having to have all of that
00:34:05
infrastructure be obsolete and have that really be
00:34:10
software-defined right.
00:34:11
So one of the things that we do that I think is incredibly
00:34:15
powerful is, whether it's your storage layer, your compute
00:34:19
layer or your networking layer in the infrastructure, we do
00:34:23
everything that's software-defined and
00:34:25
software-managed and that really drives enterprise agility,
00:34:30
speed and security, and that's coming in to be incredibly
00:34:37
important as enterprises are modernizing with digital
00:34:42
transformation and moving their workloads to the public cloud.
00:34:45
So that's what I find exciting, and this is very much a once in
00:34:49
a moment.
00:34:49
Right. Like this, what we're going to see in the next decade
00:34:55
probably won't be repeated in terms of workload migration for
00:34:59
another 20, 30 years.
00:35:00
Speaker 1: Right, yeah, that makes sense.
00:35:02
You know, one of the biggest struggles with, you know,
00:35:09
managing your environment in a hybrid environment overall is
00:35:14
that you basically have to have two separate tech stacks.
00:35:17
You know, you have your on-prem infrastructure tech stack and
00:35:23
then you have your cloud tech stack, and they do not.
00:35:28
They typically do not play well together.
00:35:30
They all claim that they can do both.
00:35:33
Pretty much all of them claim that they can do both, but you
00:35:36
find out pretty quick that they can't and that they probably
00:35:40
shouldn't be claiming that they can do both.
00:35:43
The products that were built for on-prem,
00:35:45
when they almost get lifted and shifted to the cloud to do that
00:35:50
same operation in the cloud, they tend to cost the cloud
00:35:53
customer a whole lot more money because they're doing it
00:35:56
inefficiently.
00:35:57
They're not really coded for the cloud, they're not using
00:35:59
serverless.
00:36:00
You know applications and all these other things, and there's
00:36:04
also a pretty good limitation on those things you know they may
00:36:09
do.
00:36:09
You know, just using AWS, for an example, they may do EC2s but
00:36:13
they don't do containers.
00:36:14
Or they do containers but they don't do like the Kubernetes
00:36:20
native AWS service, right, that deploys containers.
00:36:23
That's all automated through that, right.
00:36:25
Or they don't do serverless at all right, but some companies,
00:36:32
like the one that I'm at right now, has over 100 lambdas
00:36:33
right.
00:36:33
So you don't do lambdas, you only do EC2s.
00:36:37
So then I got to go piece together another solution to
00:36:41
protect my lambdas.
00:36:42
The organization wants to move into containers, so I have to
00:36:46
find a solution that works with containers.
00:36:48
But CrowdStrike, that I have on-prem, also offers a container
00:36:57
solution.
00:36:57
May not be the best container solution.
00:36:58
You know, like it's a mess, right, and so you know companies.
00:36:59
I haven't been, I haven't been at a company that's a hybrid
00:37:03
environment that doesn't have at least two separate teams, one
00:37:08
that deals with on-prem and one that deals with the cloud and
00:37:12
you know that doesn't have two tech stacks, right, like, is
00:37:16
that something that you're also seeing in the industry and where
00:37:20
you know potentially there's a gap, right?
00:37:22
Because I mean, man, I would love, I would love one solution
00:37:26
to just see, see, to just see everything in terms of my
00:37:30
current role, right, I'm, I'm the cloud security engineer and
00:37:34
I only care about the cloud, right, if there's.
00:37:37
I'm sometimes I'm in these calls and they're bringing up
00:37:40
like on-prem, you know, colo, data center names and stuff like
00:37:45
that, and I mean I just tell them I have no clue of what
00:37:50
you're talking about.
00:37:50
I literally couldn't tell you what brand switches we have.
00:37:54
I don't care.
00:37:55
So is that something that you're also seeing?
00:37:58
Speaker 2: Yeah, so I think there's a short term and a long
00:38:01
term here and in a way, Joe, you've actually hit the nail on
00:38:06
the head on what we are trying to solve.
00:38:08
The Nutanix Cloud Platform allows you to take your on-prem
00:38:13
application, on-prem virtualized application and workload and
00:38:18
move it, as is, into the public cloud.
00:38:22
And if that sounds a little bit like magic, it actually is, and
00:38:27
we do that today for AWS and Azure.
00:38:29
Now, after you move to the public cloud, obviously
00:38:34
everything that you're doing long-term in terms of the
00:38:36
security add-ons will continue to work.
00:38:38
But if you start consuming new public cloud services, then you
00:38:42
have to think about how do you secure those services?
00:38:44
Right, what is happening?
00:38:47
And going back to what I just said, right, there is incredibly
00:38:51
little upside to taking your traditional on-prem workload
00:38:57
and then refactoring that for public cloud usage.
00:39:00
You could do it.
00:39:01
You might get some benefit.
00:39:03
You're absolutely right that it might not be fully efficient,
00:39:08
but it turns out it's still a worthwhile thing doing, because
00:39:12
the moment you start refactoring, it's a little bit like
00:39:15
remodeling your house um, you want to replace, like you know,
00:39:20
a faucet in the sink and then you pull out the faucet and you
00:39:23
find out you have lead pipes.
00:39:24
And so you trace the lead pipes all the way to the
00:39:27
basement.
00:39:29
And then you find out that, oh my God, there's asbestos under
00:39:31
the basement.
00:39:32
And so now you took out the basement and before you know it,
00:39:36
what was your $500 faucet replacement
00:39:39
turns out to be a $50 house remodeling.
00:39:41
So I kid you not.
00:39:42
So before I came to Nutanix, I was at Intuit and we moved
00:39:48
TurboTax onto AWS.
00:39:49
And I tell you not, there was code in TurboTax.
00:39:54
This won't surprise you.
00:39:55
That was written in Pascal in the mid-1980s.
00:40:00
So good luck trying to translate that into lambdas,
00:40:04
right?
00:40:06
And so I think there are certain workloads, most of them
00:40:10
traditional, virtualized or sort of native server workloads,
00:40:14
bare metal workloads.
00:40:15
But it doesn't actually make a whole lot of sense from a
00:40:20
developer, productivity or human capital perspective to refactor
00:40:24
them.
00:40:24
But then the innovation you're absolutely right needs to happen
00:40:32
in the public cloud.
00:40:32
And so part of the security arrangement and the security
00:40:35
operations there is leverage, whatever you have, and then make
00:40:40
sure that everything new that you're doing in the public cloud
00:40:43
you actually find a way to secure them effectively.
00:40:46
The public cloud actually offers a whole bunch of benefits from
00:40:49
a security perspective.
00:40:50
There are challenges as well, but one of the benefits is that
00:40:54
the approaches that you can use in the public cloud actually can
00:40:58
lead to better security overall.
00:41:01
So if you move away from a traditional, you know crunchy
00:41:05
sort of exterior free lateral movement inside the firewall to
00:41:10
a model where you don't really trust anything, then you have to
00:41:14
end up hardening the hosts.
00:41:16
You have to make sure that your ability to detect something is
00:41:21
really fast.
00:41:22
In the on-prem, you know I'm sure you've seen stats like it
00:41:27
takes more than 90 days for most organizations to detect whether
00:41:31
there's been intrusion. In the public cloud,
00:41:34
15 minutes is a lifetime, and so not only do you have great
00:41:40
tools in the public cloud, it's almost necessary in the public
00:41:46
cloud to have an active and response system, and so that
00:41:51
forces you to react and respond to a lot more security incidents
00:41:57
which you may not even have been aware of in the private, in
00:42:00
the on-prem world, in the first place.
00:42:01
So you're right, I mean it isn't easy, but if you do this
00:42:06
right and if you leverage the right underlying technology, you
00:42:10
can actually harden your overall environment and make
00:42:13
them that much easier to secure from a security perspective.
00:42:21
Speaker 1: And that kind of circles
00:42:22
back to what you were saying before.
00:42:24
You know security professionals really understand the security
00:42:29
side of systems and how to make them better, how to make them
00:42:32
more secure.
00:42:33
And the system engineers, they understand their systems.
00:42:38
You know, inside and out. Same thing with the network guys and
00:42:41
everyone else right, and it's the combination that makes it
00:42:45
better.
00:42:45
And I feel like there should be more collaboration when
00:42:49
companies are moving to the cloud and migrating more things
00:42:53
to the cloud.
00:42:54
You know it always kind of leans on one team to kind of do
00:43:00
it all and security is typically catching up right after the
00:43:04
fact.
00:43:04
But it's really important, you know, to have those experts in
00:43:11
the room working on this thing together and especially having
00:43:15
the trained cloud security people in the room saying, hey,
00:43:20
this is how this service works, this is how they expect you to
00:43:25
write your application because of these efficiencies that are
00:43:28
built in so for us to utilize it properly.
00:43:31
You know we want to make sure it has facts 100%.
00:43:37
Speaker 2: In fact, I think there's a great analogy between
00:43:40
security and quality.
00:43:42
It's not just the security team's job to make everything
00:43:45
secure right it goes.
00:43:47
They may be the tip of the spear, they may be the front end
00:43:50
of this whole security apparatus, but the people who
00:43:54
build the software, the people who deploy the hardware, all the
00:43:58
way down to the receptionist in the front lobby to prevent, you
00:44:01
know, social engineering attacks, right, they all need to
00:44:05
contribute to the overall security posture of the
00:44:07
organization.
00:44:07
You know it's not just the person who finds the bug in
00:44:13
quality engineering.
00:44:13
It's not just their job.
00:44:15
To ensure quality, the developer needs to write
00:44:18
high-quality code, and security is similar.
00:44:20
You really need to have an awareness of how your systems
00:44:26
can be taken advantage of,
00:44:27
and while
00:44:31
operations or functions like security operations are best
00:44:34
done by dealing with a specialized team, what it takes
00:44:39
to build secure systems in the first place is very much a
00:44:44
responsibility of the developers, the engineering teams, the
00:44:48
product managers.
00:44:49
They all have to care about this to make sure that you know
00:44:53
you end up with something that's ultimately useful.
00:44:55
Speaker 1: Yeah, it's a really good point, you know, and
00:44:58
unfortunately I wish we had more time, but you know I try to,
00:45:03
you know, stay within the time frame that we discussed
00:45:07
previously.
00:45:12
You know, it's been a fantastic conversation.
00:45:13
I really enjoyed, you know, having you on.
00:45:14
I definitely want to have you back on if you're interested.
00:45:16
You know, before I let you go, how about you tell my audience,
00:45:20
you know, where they can find you if they wanted to reach out,
00:45:22
and you know, I'm sure everyone knows how to find Nutanix, but
00:45:27
in case they don't, maybe shout out Nutanix as well and tell
00:45:31
them where to find it or where to find the product you were
00:45:34
referring to.
00:45:36
Speaker 2: Our website is the best way to find out more
00:45:38
information about us: www.nutanix.com.
00:45:42
That's N-U-T-A-N-I-X.
00:45:45
If you've ever read Asterix and Obelix's tonics, we started
00:45:51
the name of our company.
00:45:52
We have sort of new tonics.
00:45:54
That was sort of what we were meant to be a new kind of
00:45:56
infrastructure, a new kind of tonic.
00:45:58
If you will, you can find me on LinkedIn.
00:46:01
Yeah, I think I have a profile there and that's probably the
00:46:06
best way to reach out to me.
00:46:06
Awesome, thank you so much.
00:46:10
I really enjoyed the conversation and I would love to
00:46:12
be back, if you'll have me.
00:46:14
Speaker 1: Yeah, absolutely, we'll definitely have to figure
00:46:17
that out.
00:46:17
All right, well, thanks everyone.
00:46:20
I hope you enjoyed this episode.