“Identity access management, number one. Number two, zero trust. Then third is continuing to secure the human and to make our people the first line of defense, when it comes to security”.
Ankur: Hello everyone. Welcome to another episode of ZeroToExit. This is Ankur and Neelima. We're super excited to have Rinki Sethi on the show today. Rinki is the vice president and chief information security officer at Twitter, where she's responsible for leading the efforts to protect Twitter's IT assets and advises the company's continued product innovation in the security space. Prior to Twitter, Rinki was the VP and CISO at Rubrik. Rinki has also been at the forefront of developing security practices at Fortune 500 companies like IBM, Palo Alto Networks (where Neelima and I are), Intuit, eBay, Walmart, and many others.
In this episode, we want to talk to Rinki about the current cybersecurity landscape and the top priority for CISOs. Hi Rinki! Welcome to the show.
Rinki: Hi, thanks for having me. I'm excited to talk to you and Neelima.
Ankur: Yeah. It's so great to have you. And, it's a busy season for CISOs, always, but especially in the post pandemic world. So, I am glad you were able to take some time to meet with us. I want to kick things off by just asking you, how did you get into the security space?
RINKI’S JOURNEY TILL ENTRY INTO THE SECURITY SPACE
Rinki: Yeah. I have a fun story here. So, I graduated from UC Davis with a computer science engineering degree at a very bad time in the economy and I just got fortunate that I was recruited by Pacific Gas and Electric, into a role that was called information protection analysts which I later learned once I was in the job, that was cybersecurity. And so that was the start of my career but my brain was weird as a security engineer or a hacker much earlier on, when I was in high school. I think I was in ninth or 10th grade. We used to use a chat agent called AOL instant messenger to talk to our friends. So I've discovered this thing and I thought it was awesome to be able to chat with my friends without having to use the phone. Well, my dad discovered that we were doing that too. And he suspected that maybe I was talking to boys. So he put what at the time was like, a parental spy tool now known as a keylogger onto my computer.
And I overheard him one day talking to my mom about a private conversation that I had with my friend on AOL instant messenger. And so I immediately realized that he was somehow spying on me. I then went on my computer, found the spy tool, uninstalled it and then he would go back and reinstall it. So then I wrote software to alert me every time he installs it so that I could uninstall it. I also gave that to my sister and then we would go and chat about things purposely that had no meaning. So that freak out. And so I think I was weird as a hacker back then. And, I later realized, wow, that might've been considered a security engineer back in the day.
Ankur: Yeah. Yeah. Love that story. The good old days of AOL instant messenger, the kids nowadays don't know, we used to have group chats and Yahoo IRC all kinds of different ways to communicate. Obviously, the landscape has clearly changed. You were also at eBay, during the early days, obviously any stories or any incidents, from back in the days, that come to mind in terms of a massive fraud or situations that you'd had to deal with?
AN ELABORATION ON SPEAR PHISHING
Rinki: It was interesting because they were really the start of this whole internet culture and the internet boom. And almost everything we saw, we still see, in the industry, in terms of attacks, we saw in the early days in eBay. And there was a first time that companies would hear about it because it happened on eBay but some of the interesting ones. We were spear-phished very early on and this is how I got my job at eBay. We were spear-phished really early on where an attacker leveraged our VPN portal, mimicked the page and did a spear phishing attack against eBay and got in. I remember that being a huge attack against eBay and that's why I got the role over there was to go and help them with the security culture and ensure that they're prevented from spear phishing attacks. But we saw everything from anonymous attacks to everything that you can imagine. You know, now it sounds kind of old, but back then, those were kind of some sexy incidents that we have to deal with.
Ankur: Yeah, we're still dealing with some of the same problems. It’s just that the threat factors have changed now. So many more ways to do it, but spear phishing is still probably the most popular way to get into the corporate assets.
Neelima: You are at Twitter right now. You started with eBay, then you went into it and then you had been at Palo Alto Networks. So, very different, kind of, vertical companies. So, why Twitter?
Rinki: So I was the CISO at Rubrik. I had been there for just about a year and a half. I was so excited about Rubrik, helping take the company IPO. I'm still excited about Rubrik. I'm the biggest fan. And just when COVID hit, the IPO plans slowed down as it did for many companies.
And that's what I had joined for was to build a global organization, which I did. But when COVID hit, just, because of the slowdown, I found myself having a lot more time on my hands. During the pandemic, I started making extravagant meals for the family, which was fun for a few months while it lasted. I think many of us did that. But I started really questioning what is my life and what are my hobbies? I went through a little bit of an identity crisis and I found out that I lost my passion a little bit. And so when I sat down and thought about it, I needed to find something where I'm really challenged and where I get my fire and passion back and where I feel like I'm impacting the world in some meaningful way.
I started responding to the recruiting calls. One of them happened to be Twitter and Twitter had just faced a security breach and they were preparing for the US election, that's what I was excited about was to go and really join a place where the mission was to protect the public conversation. And it lit my fire. And I joined Twitter right behind the breach to help rescue them and then to help them ensure that we had a safe election.
Neelima: As you have gone through different vertical companies did you see different security problems at the forefront i.e. for Palo Alto networks, it might have been different versus Twitter, or is phishing the same problem for all organizations?
SPEAR PHISHING AND ITS SIMILARITIES IN VARIOUS ORGANIZATIONS
Rinki: Yeah, there's a lot of similar themes company to company. When you look at the CISO agenda, you see a lot of common themes regardless of what company you are now, companies may go and decide to attack it in different ways. One thing that really did surprise me, though, when I joined Twitter was, we live, everything that happens on the platform, the news that's out there, whether it's the US election that happened or whether it was, someone that dies or even great news, it's amplified on Twitter.
And as an employee, you live and breathe on the platform all day long. So then when you think about inside Twitter, everything that's happening on the platform, everything that's in the news, it's times 10 and it affects people personally. And when you're affected personally, emotionally, mentally, you're more likely to make mistakes, whether they're intentional or unintentional and that leads to security gaps.
And that is, the biggest difference is that unlike any environment that I've worked in, you don't see that in the prior companies that I've worked at, where the mental state and emotional state of people is affected in that way, where you really have to make sure that you're monitoring that insider use case.
Ankur: Yeah. And especially for a company that has public and top of mind for the average person, everything gets magnified a hundred times more versus probably a Rubrik or Palo Alto Networks. I mean, breaches are breach, but, you know, when it's in the media everywhere, one of the other things that I've obviously been in Twitter, many, many years and followed Jack's, trajectory, and a very mission oriented company, how might this mission orientation manifest itself in your everyday job?
TWITTER’S MISSION ORIENTATION AND ITS MANIFESTATION IN EVERYDAY JOB
Rinki: It's an amazing culture and an amazing company and it becomes something that no one could have imagined. Even in my conversations with jackets, you never knew that this is what Twitter would become. It started off as an out of office messaging platform and has become now something that serves the public conversation.
I feel like the responsibility from a security perspective is huge to not allow there to be gaps. We saw what happened with the security breach. There were very high profile celebrities and very high profile politicians, their accounts were impacted and that can really sway things one way or the other. So, the responsibility, At a different caliber, than what I've ever had to do in the past. And each and every person in the security organization at Twitter feels that way. It's very different from previous companies I've been at, security is always important and security folks carry a lot of that burden in that feeling on their shoulders. But Twitter is a whole another level.
Ankur: Speaking of which, security is a priority, let's just say Twitter otherwise. But I mean, as you know, there's just so many things you can do in security, like applications and data and infrastructure, et cetera. As you look at the market landscape, the threat factors, How do you prioritize what's most important? And then what are your top three priorities at the moment?
What are your top three priorities at the moment?
- Identity and access management
- Zero trust
- Secure the Human
THE TOP THREE PRIORITIES
Rinki: Yeah, I think at every company I've been at it's you have to take a risk, a risk driven approach i.e. what are the biggest risks to the company. And how I drive those risks down in a meaningful way. And then you have other things. So you'll say here are my top three risks and here are the projects we're going to go and execute on to drive down those risks or here's alignment that we need to go and drive down those risks. And then you prioritize based on that. The interesting thing, as I say, regardless of what company I've been at. And as I've talked to many other CISOs out there, it's very similar to the CISO agenda as they come in. And so, you hear the same type of priorities again and again. And a lot of what's happened during this pandemic has actually accelerated and made companies think differently about how they approach security as well, or accelerated a path that they were already on or changed their mindset.
Identity and access management continues to be super important and number one priority and on the agenda of every CISO at every company, and I can validate that with the last few companies that I've been at, that was number one priority.
Then when you think about this new environment that we work in, it is very hybrid. I saw an acceleration of companies moving to the cloud, including Twitter. Cloud security becomes important, but that's not the priority, the priority is really how do you build a zero trust model? How do you approach that? Given a very complex hybrid environment, where with your workforce everywhere with cloud environments, as well as bare metal, which we have a lot of at Twitter, zero trust and building out that model and, explain to folks that, around the zero trust principle drives a whole set of programs on its own.
And then I think third, so if I say
“identity, access management, number one. Number two, zero trust. Then third is continuing to secure the human and like I said, intentional or unintentional, people make mistakes”.
And how do you prevent, either that from happening through technology’s process and how do you train the human as well?
“Continuing to make our people the first line of defense, when it comes to security.”
Ankur: I'm so glad you said cloud security is your number two item that is always encouraging to hear. And maybe after this podcast, I'd love to hear what kind of clouds you have and can Prisma cloud help? I'm just kidding.
Rinki: It will always hold a special place in my heart Ankur!
Ankur: I think this is by the way, something consistently we've heard from other guests as well. I think identity cloud, application data. Now, if you really think about it, some of the recent things that we've seen with SolarWinds and Colonial Pipeline and eXchangeBridge, it would appear that the bad guys are always on gals. They're always ahead of us. You know, you on the practitioner side and us on the vendors, what can the industry do to stay ahead of this, so that we don't see this in the news, what appears to be a weekly or monthly thing.
Rinki: Yeah, it's really tough, right? Because, it's easy for me to say in hindsight, that these are the things that they should have gone and done, sometimes this is what it takes for security to really be a top priority for the company. When you think about ransomware, ransomware has been around for a long time and there's solutions for it. One is there's a lot of preventative capabilities you can put in place. But then on the flip side, if you're also looking at okay, I have all my prevention in place, how do I ensure I have a detection and response strategy as well? Ensuring you have good backup recovery, ensuring that you have a plan and you've done tabletop exercises and you have a solid response plan that you've partnered with the right industry vendors on solid backup solutions, where your backups are immutable as well. Those are a lot of the things to think about. These are new concepts, right? These have been around for a while, but unfortunately, until you see something like this, it validates that it is so important to have solid response plans for different, critical scenarios that you might see within a company.
Do you have the right preventative capabilities? Are you ready to respond to something like this? Do you have the right investments in doing that with your exact team and board on a regular basis? Is it extremely important? And just knowing that these are our top 10 use cases and we're going to regularly practice and see if we've got the strength in muscle to do this.
Neelima: You mentioned zero trust security, can you define zero trust security for our listeners? When we talk to our customers, we hear very different challenges in implementing zero trust security. So any insights around that?
INSIGHTS ON ZERO TRUST SECURITY
Rinki: Yeah. I mean a lot of companies, they shy away from using the word zero trust because it has a negative connotation, but to me, you don't trust until you've earned the trust in whatever environment that you have. A lot of people think, oh, I'm going to go buy a zero trust technology and that's going to solve everything for me.
Zero trust is a mindset, right! And it starts with how you're thinking about it. It's a mindset that drives the security strategy and what technologies you decide to have, how you architect your network, how you architect your cloud environment, how you think about identity and access management as a whole and, that whole thought process needs to be built in from everything. It's somewhat of a buzzword, but it's a true principle that needs to be followed, it's never trust, always verify, and along with everything that you're building. Like I said, companies that have or were already building that out really benefited. Right. And I'm sure you've both seen this as well, that they really benefited when the pandemic hit, because they were prepared to handle not relying on their own perimeter and perimeter security, but they had this model where they could leverage what they had already put in place.
I saw the time when cloud companies started shifting and accelerating investments in zero trust type technologies that can enable them to move in that direction. And so, it's a mindset and a culture change within the company. And then it's all pieces of your security framework that you're changing to enable a zero trust mindset.
Ankur: I have a quick follow up on that. We're starting to live more and more in a decentralized world. Obviously with crypto and blockchain, and obviously the cloud, we're seeing a lot of developers having outsize influence on what gets brought in. The question I have for you is that, in order for zero trust to be successful, you're going to need a whole bunch of decentralized people to have buy-in on this thing. How do you do that? Is it just a matter of just training everybody? Because the command and control stuff is just not going to work really.
Rinki: It never has! Right! [BOTH LAUGH] Command and control never has, there. Yeah. This is part of what I say, a CISO's job, I would say more than 50% of the time is spent in education and communication. It's getting other executives and the leadership teams to be the champions behind this, making sure they understand what we're trying to do, then advocating for this, because it is a massive culture change that needs to happen.
And so yeah, it is decentralized and how you're making decisions is decentralized. So I couldn't agree more. It cannot be command controlled. It's gotta be kind of this culture change that happens and people have to understand why are we doing this?
Neelima: Totally. I'm very excited about zero trust in general, because I come from the orchestration space and I really see people, processes and tools getting together because it's an implementation mindset. Rather than buying a tool mindset and trying to solve world hunger with that, that's how it's going to change things. You mentioned in one of your previous comments, that CISOs have a very defined agenda and we know as a vendor, security spaces are incredibly busy. So a two-part question. What do you think about vendor selection in general? Is it totally agenda driven? Or, some new shiny start-up can come in and grab attention and get on the agenda.
THOUGHTS ON VENDOR SELECTION
Rinki: It's interesting. I just tweeted about this, yesterday I think, and it went, oh, it went somewhat viral in the security community. There are so many vendors out there that were inundated. And many times we're not, sometimes it's not the CISO that you want to sell to. But if you do, a couple of things matter and I do make the time. I think it's really important to be plugged into the startup community, to see what new vendors are doing and what they're innovating and how they're disrupting or approaching a problem differently. The most frustrating part. And I can say this like 95% of the time when I meet with vendors, it's buzzword bingo, even when I give them. And there, I got a lot of advice on my tweet that only set your meetings for 30 minutes. But even when I set the meeting for 30 minutes, the first 15 to 20 minutes will be a PowerPoint slide with buzzword bingo. And it's just every single buzzword next gen data-driven AI ML, and all of that, all the words. I have started as a security engineer. I'm not saying I'm still deeply technical, but I understand the problem that security people are facing. Tell me what problem you're solving and tell me how you're solving it and how you're doing it differently from others. And that's what I care about.
Vendors that do that well, I think we'll definitely make it to the top. The CISO community is pretty tight and we all talk to each other and when vendors do that well, they get to the top of the list. CISOs become a fan and they start recommending them to other CISOs. So that's, I think is really important.
It's all about the people at the end of the day, there's teams of people who are impressive. And, you want to be able to trust the vendors that you're going to be working with. And I think that goes really far and so when you get good vibes from the people in that company, you're going to give them more time of your day and even potentially partner with them, even though they may not have a complete solution.
Ankur: Yeah. You mean to say blockchain and AI and data-driven, next gen advanced security is not gonna grab your attention? [BOTH CHUCKLE]
Rinki: Definitely not.
Ankur: Yeah, I can totally see it's gone viral with hundreds and hundreds of likes and retweets, totally agree with you. Outside of the companies, obviously you advise a lot of companies or board members and a lot of companies. Any startups, even in security or outside, doing some really cool work in any of your priorities and otherwise?
Rinki: There's so many companies. I like, first of all, I'm really proud of Palo Alto Networks, where I just see, how even from, when I was there to how it's become a cybersecurity platform and how they're solving every part of the stack and still remain to be a sexy company in really leveraging kind of that zero trust in what happened during the pandemic.
It's been amazing to watch the other companies, I think that are really interesting to me. Companies that now are solving for security, but not going after the security team they're solving for security and going after different organizations, Snyk has a really interesting model in how they're, integrating with what engineers do. And engineers are saying that we'd like to go and partner; Rinki, can you help me fund this? And it's like, oh my gosh. Now you are speaking my language which I don't have to go around convincing. We need something. They're trying to tell me we need the sense. So, I think that's a really interesting approach.
I'm seeing a lot of success happening with security vendors that are doing that. There's a very small group of security vendors that are starting to really say that maybe we go and approach different teams that have or where security's just becoming like a burden, that how do we ease the pain and make it easier for them, but not really sell to the CISO, sell to the engineering teams instead.
So, I think that's a mindset shift that I've seen over the last maybe couple years, but it's really starting to emerge as an interesting way to solve for security without targeting the security organization.
Neelima: Are you also hiring more engineering background security analysts than typically security analysts in your organization?
SECURITY ANALYSTS: TYPICAL OR ENGINEERS
Rinki: I have all kinds of people on my team with different backgrounds. We have a lot of security engineers that are working on threat management and security operations. They don't necessarily come from an engineering background, but the work that they're doing is to help us prevent and detect attacks or prevent incidents from happening.
I also have folks that have no security background that are helping with security, education and awareness and security culture change efforts, as well as architects. And I have people around the globe that are working on all different aspects of security, some on the engineering side, some on the risk management side. So, a really strong mix of people, and I think again, the pandemic has helped us realize that, if we just look out of where companies are headquartered and we now have the opportunity to go and kind of hire from around the world and really build the organization in a way that represents our customer base.
Ankur: I liked the, you know, you mentioned that obviously Snyk and other companies. I think part of the big movement that DevSecOps has is that 30 million developers and 3 million security people. I think the only way to do zero trust to train people, to coach your engineering teams is to bring security where the developers are versus the other way around. Like, if you ask developers nowadays, “Hey, I'm going to run a code scanning tool and give you 300 pages worth of vulnerability.” They're like, “Just go take a hike. I don't have time.” But the idea, and I think Snyk is certainly doing something interesting in that area, were bringing security to the left. I agree. It's going to be a big sea change in the way we think about it. Even in that aspect, just a quick question, is security then becoming sort of more enabler? Do you see, like the budgets are then going to the applications and engineering team, and they just partnered with security for consultative stuff? Like, is there a risk whereby Hey, the thing that the security practitioners have built over the years, their empire, like it's going to go over now with the application team. Is there sort of that talk going on among CISOs that all those merges, second was the application team, but there is, it's really a partnership type of conversation between the teams.
Rinki: No, I still see, it'd be a partnership and do engineering teams even have a budget? [LAUGHS] Like I always see that they come to security because they see security as the ones that have the money bags. And so, I know I see it as a really close partnership between the teams. I think they work together really well.
I think when the need arises from a non-security team where engg. comes and says that I need help with something it's such an amazing conversation to have as the partnership grows because that's where security can pay for or provide services or build services for the engineering team. So, I see a lot more engineering teams coming in saying security “We need you to build this service for us, or we'd like to go buy this service and have you help us in evaluating what would be best and help us integrate in and so forth”. And this is when security is a good partner. They come to security and they say, “We need a couple more of your people to be embedded in our team and work with us on a day-to-day basis”.
And that's the place the security team wants to be in. Whereas if you're running a code scanning tool, and like you said, Ankur, you're bringing a 300 page, here's all the things you need to go fix that. They're just going to bypass and ain't even to do look at it and then you're going to have security holes. I think that partnership piece is key and how you move forward.
Ankur: Yeah, we're just to wrap up on this, because this is obviously a hot topic as well. I think you're spot on, like, I think. For the equilibrium, you know, when there are security risks with your code and vulnerability shifted left, let your applications team take care of it. But when you have an advanced threat like ransomware, crypto mining, which by the way is picked up quite a bit, just giving you a heads up, keep an eye on that. We're seeing quite a bit of that. I mean, the application teams are not armed to handle those things. You need security people, SOC people to be actually managing that.
So. It's gonna be a close partnership between the two and I think that's good for the industry.
Neelima: Where does IT play in this mix in your opinion?
ROLE OF “IT” IN SECURITY
Ankur: They just cough up the dollars.
[ALL OF THEM LAUGH]
Rinki: Yeah. The thankless jobs, right. When something's broken, you hear everybody complaining, but when everything's working, it's kind of, silence. No, IT’s are really close partners. So, when you think about the engineering side, obviously securing development practices and that kind of thing on the IT side, helping them make sure there's no shadow IT, helping them, working together on endpoint security, working together on SaaS security. A lot of IT now is managing hundreds and hundreds of SaaS applications. And how do you make sure those are secured in the right way? How do you make sure endpoints are secured in the right way? You mentioned ransomware and so like, ensuring that you really have the right controls on your end points as well.
So I think IT and security are very, very close partners, and work together, and in some cases, security owns IT. In some cases IT owns security. So, I've seen different models emerge. I've got my opinions on my favorite ones. But you see, you see them in any case, they have to work really closely together.
Neelima: Would you share one of those opinions?
Rinki: Yeah, I like seeing IT under security and I've seen more and more of that emerging. Traditionally you see CIOs where security reports into IT. And I think what happens in that scenario is that you have a lot of conflict of interest on where are you going to put the dollars? Are you going to put it in availability or are you going to put it in security? Whereas in the other way around, which if you think about IT these days, especially in modern companies, a lot of it's SaaS. And so if that's the case, then the other piece of it is end points. What is it about end points? It's mostly security. It's how are you hardening the end points of having that as a part of security?
Well, how does it help the security posture overall? And I think you apply a different lens in how traditional IT has been run. So that's my favorite model. And, I've seen some of that emerge where CISOs now have the responsibility of IT.
Ankur: Yeah, great perspective. Never heard that before.
Neelima: Yes. Well, I think the developers are going to change the security and IT in a similar manner. It's a great perspective. With that, let me talk about your career. You've had a lot of success in your career. Any advice on things you did particularly to get where you are, and you're welcome to share any stories.
Sometimes you make mistakes and I think that's when you learn the most
Rinki: I think one interesting thing, and I was talking to somebody about this recently, if I had listened to my mom, I would have still been working at PG&E because I would have gotten a pension and I would have never left because the advice I got when I was ready to leave PG&E was you have a pension, you have a good job, people aren't getting jobs. And so why would you, why would you even consider leaving? You should just stay there. And so, one of the things that's helped me a lot in my career is I have taken risks. I have made changes. Some of those have been really good changes. Some of those have been mistakes, but I've made changes and I've learned from every single one of those changes, whether it's entering a different company or a different industry completely or taking on a different role within the security space.
That has done me a lot of good. And I think it's interesting because I was even mentoring somebody recently whose company was going through so many changes. She had been there for awhile and she was waiting for that promotion and a leader left. And then she, it was like a reset button and it was like, well, if you love your company and you love where you're at, then definitely stick it out.
But if that's important, it's not always a bad thing to go look and make a change. In fact, it can add to your portfolio. And for me, it's really helped make me well-rounded. So, to me, I think taking risks has always helped. And sometimes that lands in really good places.
Sometimes you make mistakes and I think that's when you learn the most.
And so, I've shifted. I went from PG&E to walmart.com, one of the best moves that I made. I think that's where I found an amazing peer. That was a mentor of mine, who took me under his wings and actually taught me everything there was to know about cybersecurity and made me a true security engineer. And then Walmart to eBay, again, a complete role change, as a security engineer or to somebody who was driving culture change. And then I fast-forwarded into my career. Just recently before I became the CISO of Rubrik, I made a career mistake. I joined IBM and actually that was right after Palo Alto Networks.
A lot of my mentors at Palo Alto Networks, a lot of the executives were like “Rinki! I don't think that's the right place for you to go, just knowing you”. I was like “Well no, I'm different and I'm going to make the change over there”. And sure enough, I learned my lesson and, six months later I pulled out and found a different role and I don't suggest that anybody listening to me right now, to go and leave companies after six months. That's not a good thing to do, but it was a mistake that I recognized quickly. And so I think I've had those, it's been a very interesting career journey. Never would I have thought when I started as a security engineer, I would be a CISO. I had not known a single female CISO. I don't even think I knew what a CISO was. Back then, I hadn’t heard the term. It's now a very common term. It wasn't back then. So, been an interesting ride for sure.
Ankur: You mentioned the mentors and actually I just saw, recently gave a shout out to, I think it's Mark Anderson about mentorship. How important is the role of a mentor and how can somebody find one? And, honestly, personally speaking, I wish I had one when I was in my twenties as well. It's one of the best pieces of advice, but I'd love to get your perspective on that.
TIPS TO GET A MENTOR
- Asking for help is a really good thing.
- Mentorship comes in its various forms.
HOW TO FIND A MENTOR?
Rinki: Yeah, both Mark Anderson and Mark McLaughlin. I mean, they're my close mentors. In fact, one of them also was the one that advised me to go to IBM. One of the interesting things is that none of us have seen any success on our own. That's a fact. People help you along the way, whether it's a peer of yours or somebody who works for you can even be a mentor. You find mentors in interesting ways. My main thing has been, and I think a lot of people are like, I don't know if I can go ask this person for help or ask them a question. And I haven't shied away. Like I think asking for help is a really good thing. And I do go and ask people for help all the time. I have a very specific question.
I know why they might be the ones with that expertise that can help me and I go and ask and I expect people to do the same to me. And I think we have an obligation in the industry to go and give back and help others and help them rise in mentor folks. And I spend a lot of time doing that. That's because I've been fortunate that a lot of people have helped me as well. But I would say the biggest thing is to ask folks to shy away from asking people and it's not necessarily like going to the CEO of a company or a CISO, like understanding what it is that you're looking for and who might be the right person to ask for the advice that you need. Right. And I think that's the most important piece. Sometimes I even go to my old employees to ask them about something because that's the help I need at that point in time. So, mentorship comes in its various forms.
Ankur: For you, I know you're big on mental health and wellbeing. What are some of the hacks you've developed over the years to keep your mind and body sane and mentally fit?
STRATEGIES TO KEEP ONESELF MENTALLY WELL
Rinki: Exercise has helped me tremendously. I spend an hour and a half every morning doing my exercise routine. Right now, I am glued to the Peloton. It has saved my life during this pandemic, to be on the bike and the Peloton tread. And so, I don't get anything from Peloton for saying that, but it's just the truth. It keeps my mind and body healthy. It's kind of my stress relief if you will. So, that's been a really important thing. I think people don't realize that when you keep your body and mind healthy, like anxieties reduce, you just feel better mentally. Mental health is a very important topic to me.
Mental illnesses run throughout my family. I have had to deal with it in a very close way during this pandemic. And I think in the cybersecurity industry, we suffer from it the most because what makes us good at what we do is that level of paranoia and that level of anxiety and that level of stress. What might I not be thinking about that could happen at any given time. And so, I think it's really important to find a good way to relieve that stress, whether it's exercise or even talking to someone or any of that.
Ankur: Are you into meditation? And if so, do you have a favorite app or something?
Rinki: Yeah, I use Headspace. I also use the Peloton app quite a bit. They have some good meditation. I've done some meditation camps in the past, Vipassana and some of the practices that came from that. And so I do, and I have to keep reminding myself too, that I need to make more time for meditation.
Neelima: With that Rinki, we'll go into the rapid fire. Are you ready?
Rinki: I think so.
Neelima: So Ankur and I will probably alternate but basically I know you love to travel. What's your favorite travel destination outside of COVID time?
Rinki: That is the easiest question ever. The Maldives, I think it's the most amazing. When I saw pictures of it, it looked amazing. But when I saw it, I didn't think I could ever see in my life some place like that. So definitely the Maldives.
Neelima: Well, half of Bollywood lives in the Maldives, by the way. So did you ever see any Bollywood people there?
Rinki: I have not seen any Bollywood people. I've only been there once. And I'm looking forward, after this pandemic is over, to taking my family over there. So, I'm looking forward to splurging on that next vacation.
Ankur: Yeah, Neelima you know, the people in Maldives, some of them just say, “oh, I just saw the Twitter CISO”.
Ankur: I know you're a huge Warriors fan. So am I, so I gotta ask you, so it looks like Jokic is going to become the MVP, is that the right pick or should it have been Steph?
Rinki: Oh, I love Steph. I love Steph. It should have been Steph.
Ankur: Yeah, a hundred percent agree, maybe next year. I think that his best years are ahead of him. And just a quick follow-up, who are you betting on winning it all in the NBA?
Rinki: Oh my gosh. I don't even know. I have no idea. Who are you betting on?
Ankur: Right now, look, I'm not betting on it. But I am rooting for the Suns. Like, I want Chris Paul to get one ring. I've been a huge fan since the early days, but they're really good. So, Suns. Yeah.
Rinki: Yeah. As soon as the Warriors were out, I stopped watching basketball. I was like, I'm so sad.
[ALL OF THEM LAUGH]
Neelima: Okay. Next one. Which book has had the biggest impact on you?
Rinki: I think Sapiens was really a good one for me. I think I refer back to a lot of the facts or I think, I feel like every time I think of a situation, I can refer to something that was talked about in that book and just how, like we as human beings are. And like, I keep referring back to that book. I thought it was like, just going back to the fundamentals of what brought us here. Explains a lot about where we're going and who we are today. So I found that book to be fascinating.
Ankur: Yeah, it should be part of the high school curriculum. They should replace all the other history books and just replace it with Sapiens.
Rinki: Yes, a hundred percent agree.
Neelima: Multitasking or focused work on a single thing.
Rinki: I'm a multi-tasker, but I like my focus time. And you know, what's funny, I don't know about all of you, but I'm trying to be better at it. I swear, but it annoys me so much when you're in a meeting and you see someone typing on Slack and I'm like, stop multitasking. Like, can we just focus? So I think I have more appreciation now for focus time and not multitasking. But I tend to lean, like I will automatically multitask. I've always been like that. And then when you become a parent, I feel like that just, you kind of have to. But I have a lot of appreciation now for focus time and appreciation for people that can focus too.
Neelima: Last question. Who should be invited next on the pod? Thank you.
Rinki: You know, I would love to hear Jason Chan from Netflix, the CISO there. He just posted on LinkedIn that he's retiring and finding his backfield role. And I found that fascinating. I would love to hear about his journey of 10 years there. What is he going and following him and what he's going to do next?
Neelima: That wraps up this episode of ZeroToExit. Rinki, it's been a pleasure to have you on the pod. We appreciate you taking the time and sharing your insights. Best wishes as you help Twitter reach new heights with privacy and security.
Rinki: Yeah. Thank you so much for having me.