Twitter CISO Rinki Sethi on Shared Security Responsibility

The Challenges of Starting a New Job During Lockdown
Commencing a new employment position can often be a source of stress, even under normal circumstances. However, the conditions imposed by lockdown measures present a particularly significant hurdle.
Rinki Sethi assumed the role of chief information security officer at Twitter approximately one year ago, coinciding with the height of the pandemic. Similar to many organizations, Twitter implemented a work-from-home policy for its extensive workforce, including all new employees.
Building Trust Remotely
Sethi, who prefers a traditional office environment, acknowledged that integrating as a new, fully remote employee presented unique difficulties. Establishing rapport and trust is crucial for any leader, but particularly for those in security roles.
During a virtual interview at TechCrunch Disrupt 2021, Sethi explained that fostering working relationships via video conferencing proved considerably more challenging than in-person interactions. “I’m accustomed to building these connections face-to-face,” she stated.
Extensive Cybersecurity Experience
Sethi brings a wealth of experience to her current position. She has previously held prominent cybersecurity leadership roles at companies such as IBM, Intuit, Palo Alto Networks, and Rubrik, where she served as CISO.
As Twitter’s CISO, her responsibilities encompass the protection of the company’s information and technological resources – a task currently managed entirely remotely. Despite the inherent challenges, this situation has also yielded certain benefits.
The Pandemic's Impact on Cybersecurity and Work
The pandemic has fundamentally altered not only how companies address cyber threats, but also the very nature of work itself. Remote work arrangements have broadened access to a global talent pool, removing previous limitations based on geographical location.
Furthermore, there is increased awareness and discussion surrounding mental health in the workplace, alongside a greater emphasis on the well-being of the individuals who sustain organizational operations.
A More Secure Workforce
These developments contribute to a more robust and, crucially, a more secure workforce. “The human element is integral to everything,” Sethi emphasized. “Ensuring employee well-being, enabling optimal performance, and fostering a positive mental state are paramount.”
She believes these factors are areas where tools, technology, applications, and monitoring systems alone cannot provide adequate solutions.
The Evolving Role of the CISO
Drawing upon her extensive experience, Sethi shared insights into the evolving role of the modern CISO and strategies for future cybersecurity leaders to maintain a proactive stance.
Please note that this transcript has been edited for brevity and clarity.
Determining the Optimal Time to Employ a Security Leader
Despite substantial investment in protective measures, security breaches are a certainty for most organizations. The reality is that achieving absolute security is impossible, as a single successful attack can negate all prior defenses. However, proactive preparation can significantly differentiate a company’s response.
Given the often rapid and unpredictable growth trajectory of startups, preemptive action regarding security is particularly vital. A key question arises: at what stage should a company bring on a dedicated individual to manage its security posture?
Early-Stage Startups: Foundational Security
For companies in their seed or Series A funding rounds, a full-time security lead might not be immediately necessary. However, security shouldn’t be entirely neglected.
- Focus on establishing fundamental security practices.
- Implement basic access controls and data encryption.
- Conduct regular vulnerability scans.
Often, these tasks can be effectively handled by a technically proficient co-founder or early employee, supplemented by external consultants for specialized assessments.
Growth Phase: Increasing Complexity
As a startup progresses through Series B and beyond, the complexity of its systems and data typically increases. This expansion introduces new attack vectors and necessitates a more dedicated security focus.
Key indicators that it’s time to hire a security lead include:
- Significant customer data accumulation.
- Expansion into new markets with varying regulatory requirements.
- An increasingly sophisticated threat landscape targeting the company’s industry.
The Role of the Security Lead
A dedicated security lead is responsible for developing and implementing a comprehensive security program. This includes:
- Risk assessments and vulnerability management.
- Incident response planning and execution.
- Security awareness training for employees.
- Compliance with relevant security standards and regulations.
This individual should possess a strong technical background, coupled with excellent communication and leadership skills.
Beyond the Hire: Continuous Improvement
Hiring a security lead is not a one-time fix. Security is an ongoing process that requires continuous monitoring, adaptation, and improvement. Regular security audits, penetration testing, and threat intelligence gathering are essential components of a robust security program.
Ultimately, the right time to hire a security lead is when the potential cost of a security breach outweighs the cost of proactive security measures. For many growing companies, that time comes sooner than they think.
Cultivating a Security-Conscious Culture
Effective security is achieved when all personnel within an organization actively participate in its maintenance. It extends beyond the implementation of advanced technologies designed to mitigate threats. A core component involves integrating security principles into the company’s overall culture.
This integration is largely dependent on establishing a foundation of trust with employees.
The Pillars of a Secure Culture
Building this trust necessitates a comprehensive approach centered around three key elements: education, awareness, and training. These components work synergistically to empower employees to become proactive contributors to the security posture.
Education provides the foundational knowledge necessary to understand security risks. Awareness keeps these risks top-of-mind, while training equips individuals with the practical skills to identify and respond to potential threats.
Ultimately, a robust security framework isn't solely a technological challenge; it’s a people-centric one. Fostering a culture where security is valued and understood by all is paramount to long-term success.
Further insights can be found at: https://www.youtube.com/watch?v=QPkE4cF6nqQ
The Value of Diversity Within Security Teams
The shift towards remote work models has prompted organizations, such as Twitter, to reassess their talent acquisition strategies.
According to Sethi, the adoption of remote work has significantly broadened the potential candidate base, eliminating previous obstacles and logistical challenges. A team composed of individuals from varied backgrounds and possessing diverse experiences can be critically important, particularly when rapid response is required.
Diverse perspectives contribute to more robust security protocols.
Sethi elaborated that a wider range of viewpoints and skillsets can demonstrably improve a security team’s effectiveness.
This is especially true when addressing unforeseen vulnerabilities or responding to emerging threats.
Diverse teams are better equipped to anticipate and mitigate risks.
Benefits of a Varied Team Composition
- Enhanced problem-solving capabilities.
- Improved identification of potential blind spots.
- Greater innovation in security strategies.
- A more comprehensive understanding of user behavior.
Ultimately, cultivating a security team that reflects a broad spectrum of backgrounds and experiences is a strategic advantage.
It allows organizations to build more resilient and adaptable security postures.
