In this new episode of the Redefining Cybersecurity Podcast, Sean Martin chats with Nitin Raina about pioneering a transformative approach to cybersecurity that aligns with business growth and strategy. Nitin shares invaluable insights from his journey of evolving his organization's cybersecurity framework, demonstrating how leadership activation and a business-centric mindset can lead to groundbreaking results in security practices.
Guest: Nitin Raina, Global CISO, Thoughtworks [@thoughtworks]
On LinkedIn | https://www.linkedin.com/in/nnraina/
____________________________
Host: Sean Martin, Co-Founder at ITSPmagazine [@ITSPmagazine] and Host of Redefining CyberSecurity Podcast [@RedefiningCyber]
On ITSPmagazine | https://www.itspmagazine.com/sean-martin
___________________________
Episode Notes
In this episode of the Redefining Cybersecurity Podcast, host Sean Martin connects with Nitin Raina, the global Chief Information Security Officer (CISO) for ThoughtWorks. The discussion centers around Nitin's innovative approaches to transforming and elevating cybersecurity, drawing from his rich experience and strategic mindset. Nitin shares his journey in cybersecurity, emphasizing the evolution of the security program under his leadership. He discusses the significance of adapting a business-centric approach to cybersecurity, breaking away from conventional, technology-focused strategies. This includes the development and successful implementation of a business security maturity model designed to align with the organization's diverse, global operations.
A notable aspect of Nitin's strategy is the emphasis on leadership activation and the importance of governance in driving cybersecurity initiatives. By fostering a culture of security ownership across all levels of leadership and the broader organization, Nitin underscores the transformational shift in how cybersecurity is perceived and managed within ThoughtWorks. He highlights the collaborative efforts with different departments, such as IT operations and legal compliance, to ensure a cohesive approach to protecting the organization's 'crown jewels.' Through anecdotes and examples, Nitin illustrates the impact of these strategies on enhancing security awareness, decision-making, and operational effectiveness across the company.
The conversation also touches on the technical side, discussing the role of developers within the cybersecurity landscape and the utilization of contemporary technologies and frameworks to bolster the security posture. The episode concludes with insights into the future of cybersecurity, advocating for a more integrated and business-aligned approach. Nitin's reflections on the journey and achievements of his company's cybersecurity initiatives provide valuable lessons for organizations aiming to redefine their security strategies in a rapidly evolving digital world.
Key Questions Addressed
___________________________
Watch this and other videos on ITSPmagazine's YouTube Channel
Redefining CyberSecurity Podcast with Sean Martin, CISSP playlist:
📺 https://www.youtube.com/playlist?list=PLnYu0psdcllS9aVGdiakVss9u7xgYDKYq
ITSPmagazine YouTube Channel:
📺 https://www.youtube.com/@itspmagazine
___________________________
Resources
___________________________
To see and hear more Redefining CyberSecurity content on ITSPmagazine, visit:
https://www.itspmagazine.com/redefining-cybersecurity-podcast
Leadership and Transformation: Building a Business-Centric Cybersecurity Framework | A Conversation with Nitin Raina | Redefining CyberSecurity with Sean Martin
Please note that this transcript was created using AI technology and may contain inaccuracies or deviations from the original audio file. The transcript is provided for informational purposes only and should not be relied upon as a substitute for the original recording, as errors may exist. At this time, we provide it “as it is,” and we hope it can be helpful for our audience.
_________________________________________
Sean Martin: [00:00:00] And hello, everybody, you are very welcome to a new episode of the Redefining CyberSecurity Podcast. I'm Sean Martin, your host, where, as you know, if you listen to my show, I get to talk about all kinds of cool things related to building out security programs that not only protect the business, but hopefully help it grow in a secure fashion.
And I have a lot of opinions on how we look at security programs and a lot of idealistic views for what's possible. And it's always a treat when I get to talk to somebody who actually does the hard work and, uh, doesn't just follow the norms, but actually looks at ways to transform the security program.
And my guest today, uh, Nitin Raina, uh, from, uh, ThoughtWorks has joined me. He was a recipient of a CISO 50 award recognizing [00:01:00] his and his team's, uh, program and initiatives regarding, uh, cybersecurity. And I said, I want to talk to Nitin. So I'm very grateful that you're here joining me today. And I'm, I'm sure my audience is going to enjoy this conversation.
As we talk about how you transformed your program and, uh, got some, got some good results. So Nitin, thanks for, thanks for being on.
Nitin Raina: Thank you, Sean. And hello, everyone. I'd quickly introduce myself. Um, you know, I'm Nitin Raina. I'm the global, uh, CISO for ThoughtWorks. ThoughtWorks is a, is a global technology consultancy, which works in areas of strategy, design, and engineering.
Uh, we are in, uh, we are close to 10,500 employees, uh, with 48 offices in 19 countries. And, uh, we've been in existence for, I think, almost 30 years. So it's, yeah. And I've been with the firm for, this is my [00:02:00] 14th year running. So meaning a long time.
Sean Martin: You, you, you've seen a lot in the role, a lot with the company and certainly a lot, uh, from a cybersecurity perspective as well.
Um, if you could expand a little more on the, the scope of your role in terms of, as a global CISO, what do you oversee, um, maybe some of your peers that you collaborate with, because what I want to do is help the audience understand what you care most about, or maybe not care most, but what you have on your shoulders in terms of, uh, is it security response?
Do you look at privacy? Do you look at application security? So kind of that picture would be fantastic.
Nitin Raina: Sure, I think I can certainly do that. So in my role as the global CISO, I am responsible for security, all aspects of security from an internal standpoint. You know, we [00:03:00] are an organization which is into professional services and we do software consulting work for our clients.
So we do provide, internally, we do provide visibility and assurance to our client leadership team, so you can look at them as account teams, so that they have visibility on how they are doing on the aspects of security. Um, obviously my role is also to protect the crown jewels of the organization. So, uh, the aspects around application security sit within, uh, within it.
So I collaborate and work very closely with the CIO. So we, me and the CIO, we are both peers. And, um, I report to the COO of the company, the chief talent and operating officer, and data protection that you touched on, Sean, is, um, sitting with legal and compliance. So the data protection officer reports to the, uh, the general counsel, but we collaborate and work very closely.
So a lot of collaboration, a lot of pairing, [00:04:00] partnering, uh, that happens in my,
Sean Martin: a lot of, uh, a lot of conversations, planning, strategy, all kinds of fun stuff which we're gonna get into. So I, I know, and I, one of the questions I wanted to ask you was regarding the, the catalyst behind a change that you, that you embarked on.
In my conversations, a lot of CISOs, it's often the old CISO left, the new CISO joined, let's take a look at the lay of the land and, oh no, that was a bad job. Let me redo everything. Let me swap out this part of the program for the way I've done it before. You've been in the role for a number of years now.
Um, so I don't know that you probably don't want to blame yourself for the things you've done in the past, but you've seen a lot. So I guess what, what I, there are two parts, what I want to talk about for a few minutes here, which [00:05:00] is kind of the, the state of the program before the transformation moment.
Where you, where one decided we have to do something different, or was it not a moment? Was it a transformation over a long time with no particular stake in the ground? So maybe describe kind of the view of the program leading up to the transformation, and what the catalyst was for that.
Nitin Raina: Yeah, I think, I think, and I will touch on the, the, the meaty topic of business security maturity model, but I think there is, you touched upon the journey, right? Journey of the cyber program. If I have to start at the, at the high level, at the top. So I have been in the role, um, you know, leading information security for the last, I would say this is my ninth year running.
So I've been doing this for a long time, and I've been in the organization 14 years. I was running, uh, IT operations before, uh, before this within the organization. So I obviously know the IT side really well, the [00:06:00] operations side really well. So that basically enabled me to actually run the security program, um, in a, in a decent manner to now.
Within this nine year period, we have seen evolution of the program at least three to four times. In fact, you know, maybe when we get an opportunity Sean in the near future, I can talk about the reorg that just happened and we have reorganized security as well, like, you know, we were very regional in our, in our, uh, operations, but, you know, we have gone, you know, very centralized and global.
So that change just happened in, um, in August of 2023, but every two to three years, as the business evolved, as the business grew and changed, we looked at our strategy. We looked at our organization and started to make sure that we stay aligned. What we don't want, and nobody should, you know, do this, is you don't want your program to sit [00:07:00] just there as an orphan, right? Not connected to the business.
So, so because I'm, I see myself as a business leader too, not just as a security leader, and I always work very closely with the business leadership team and look at what strategy we have defined for the business, what objectives are defined for the business, and make sure our cyber program is aligned to that. So we, every two to three years, we go through a change. Sometimes it's big, sometimes it's small. Uh, but, but we evolve, we change all the time.
Sean Martin: And can you, no trade secrets here, of course, but can you share some of the nuggets from the conversation? And what I'm trying to understand is how those conversations go, what do they sound like? What are the topics? Um, so yeah, who's talking about the business? How are you absorbing that in a way that you can translate it to your program, translate it to your team, determine what tech you buy? I mean, there's a lot going on there. Let's talk a little bit about those [00:08:00] conversations.
Nitin Raina: Sure, and I'll talk about what's happening at present, right? We're going through a change now, so I think, just closer in time, it's more relevant, and I think people will find it more useful, is, as we were going through the business. Obviously, the year 2023 has been fairly turbulent. We were looking at doing business restructuring internally, right?
And when we looked at business restructuring internally, we came out with guidelines and objectives on, like, you know, when you look at operational functions, we're looking at, you know, maybe streamlining and centralizing them. So we took that as a clear guidance from our business, from the business leadership team.
And then I took it back to my direct reports. So I have a group called the office of the CISO. So there are six, seven people who report directly to me. Um, you know, I have a team of 40, but these six people actually are my, you know, my strategic direct reports. So we [00:09:00] work and we look at, okay, what should we do for operations of security?
What should we do for, um, the business alignment, GRC, threat hunting, like we have so many domains, right? So with all of those domain leaders, we looked at structuring our organization. We looked at, uh, the processes that we have, we looked at the tech that we have, we looked at the staffing that we have. And then we were looking at people, where they would fit in really well.
So we did a lot of movement internally over the last, I would say, course of three to four months, obviously talking with people as well. So it doesn't come as, you know, hey, this is the model now, get aligned. We don't work in that manner. So it was a lot of conversations, a lot of discussions, but we defined the org structure, we defined, uh, what you call key roles and responsibilities for these new groups that were getting formed.
We defined KPIs for these groups. And then we said, okay, let's look at a service blueprint and see what maps where. [00:10:00] So it was a very good exercise. In fact, you know, this could itself be a topic of a podcast in the future. I would love to talk about it because I feel really proud of what we are, you know, changing, and it's not done.
I think it's still going on.
Sean Martin: Well, you're, you're very welcome back. I can tell you now that, uh, I'm, I'm happy to have that conversation with you for sure. Um, and I suspect, so that's the current, the current workings and conversations. I appreciate that insight. Uh, yeah. I don't know what was different in the previous round of change, but I want to talk a bit about some of the challenges that were uncovered, uh, as you realized we needed to make some change in it.
So we're here to talk about security maturity, right, and connected to the business. And I think there's no question. I even, I have podcasts on frameworks and standards and all this kind of thing that are [00:11:00] designed to help CISOs and security leaders take that, here's what we need to do for the business, and translate it into how do we build a program. Um, talk to me a bit about how you looked at frameworks and maybe some of the challenges you had using them or not using them or whatever, to kind of make that leap from business to ops.
so much.
Nitin Raina: Yeah, I'm happy to do that. So, um, you know, I'll take a step back, right? So when we look at maturity frameworks, right? You know, there are clear favorites that we have internally. So, you know, when I have to go in front of the board, which is, you know, every quarter, six months, based on how we are doing as an organization, I usually use the NIST CSF.
So, you know, out with an 0 as well. So that's the model. It's, it's really good. I like it. The board members [00:12:00] understand areas like identify, detect, respond easy, you know, and my roadmap is aligned to that. It works well. So that's the framework that I use when it's a conversation with the, uh, you know, with the board.
But when we have to do work internally, right? So there are, we are, you know, a business which is very decentralized, right? So we operate in, uh, regions. Earlier, we used to operate in countries, but now we operate in regions. And if I take an example, let's say if I have to go to the European, uh, region and I have to talk to the main business leader.
We call them the regional managing directors, right? How would I explain security to a business leader right now? I could very well go and talk about identify, protect, and so on. That might not resonate really well with a business leader. It's like, what do I do with this information? What you're showing me, is this even [00:13:00] something that I can align and think about?
So clearly we saw that the communication that we were having with our business leaders through various forums, because we did have well-established governance forums, we were reporting some measures, we were reporting some metrics, but it was still very technical and relevant to us, not to them, if I could say that.
And that problem I wanted to change. I wanted to change, uh, and I, I don't want to use any strong words, but I don't like when people look at security as just a technology problem. I want people to see it as a business problem. So, so, you know, heavy involvement, you know, the frameworks that we were using were very focused on controls.
They were very, um, you know, I would say technical in nature and very hierarchical as well. So it wasn't resonating really well with the business leaders. Uh, and I, me and my [00:14:00] team, not just me, because I'm not there in all the governance forums, we were not finding it to be a good thing. We were feeling the disconnect with the business.
Sean Martin: Yeah. And I, I think, um, for me, what I'm hearing is, it's about telling a story, right? And having that story resonate with the audience that's listening. And if you're talking about controls, probably, if they can make a connection of what the control means, right, what they're likely going to hear is there's a potential for blocking at some point.
Um, and so that's my point that I made early on. I think there's a different way to approach security. And I think you're on the same page in terms of enabling the business. And I think it starts with that story, bidirectional, by the way of understanding what the business is trying to accomplish.
[00:15:00] And then a repeat back of here's how I enable that. Right, safe. Yes, safely. So can you maybe describe a bit about that? And I know in some of the items you shared with me ahead of time, uh, you offered a couple of problem statements that seem to be the trigger, perhaps revolving around this point that said we needed to do something differently here.
So can you expand on that? Yeah,
Nitin Raina: I would love to do that, Sean. So I think the problem that we were trying to describe was, uh, based on the conversations we had with various people, was that we were not able to bring business leaders into the conversation, right? So when we were talking to them, they were listening to us.
They were looking at those measures and metrics, but they were still seeing this as a technology problem, as a security problem. And they're like, hey, so, and I, I want to shift, I clearly wanted to shift the accountability to the [00:16:00] business. Right? So take an example. If we have, uh, in a region, we have a client engagement where we have, you know, let's say 50 people working on a project, right?
And within the 50 people, it will be a mix of some, some would be developers, others would be, you know, analysts, you know, a couple of people would be quality people, infrastructure people. But when we are delivering a solution, we as security people, yes. You know, we are not close to them on a, on a daily basis, right?
I might have two people looking at security, uh, holistically for a region where we have a thousand people. So you can imagine, you know, we cannot embed ourselves, uh, in every project and every conversation, right? So we, we are trying, and we were hoping that with a framework where we can get a technology leader, a business leader, an account leader to recognize the gaps that are [00:17:00] there, uh, with regards to security, you know, or the opportunities that are there with regards to security.
So we wanted to make sure we bring them into a conversation and we help the business to look at building security in. That's something which we talk about even externally, that you should build security in while you're delivering your work. So for a software, uh, consulting company like ours, I think it's very crucial.
Sean Martin: And I want to, uh, I mean, maybe an extra highlight on this, because it's one thing to go into the annual strategy meeting or the three-year planning meeting, whatever it is, and say, this is where we're headed. Go off and do it. And we'll check in every quarter, right? And our, uh, our stock price and results and all that stuff will reflect how well we're doing.
Um, yeah. And even you mentioned [00:18:00] every quarter, perhaps every six months, there's a meeting at the board level looking at security. Stuff moves so much faster than that, right? So what you do with your program needs to, I'll say, respond, but also engage as part of the change. So not just respond to the change, but engage as part of it.
So can you tell me a little bit about how you manage that too? And this goes to the embed piece, right? How does that really look? Cause it's one thing, I can hear it a hundred times a day, embed security in design, security by design. Doing it is different. And that's what I want to hear from you.
Nitin Raina: Yeah, I think, I think it's, it's, um, I wouldn't say we have solved, or we know the way to actually fix this completely, but I think we're working towards it, right? So the business is changing, the speed and, uh, complexity is increasing on [00:19:00] a daily basis. All we are trying to do is, there are a couple of ways.
One is I have, um, very recently as well. And this has been, you know, as I said, the program is evolving. If I take a step back a couple of years back, we had introduced a role called a BISO. Right. So business information security officer, you know, I in fact started by not calling that person that; it was like a regional security lead in 2015.
So, you know, we've been doing this for almost nine years now, because we clearly saw that having security sit in a silo of, you know, whether it's with IT or with somebody else, I don't care, but sitting as a silo never works. So embed those people who are, are BISOs, closer to the business. So we actually did that, uh, introduced that change way back in 2015 and went through an evolution.
Now we formally call those roles BISOs. So we have somebody who [00:20:00] represents security as a key business partner and reports to the business. That's very interesting, right? You know, that person, you know, obviously is part of my team, has a dotted line to me, uh, but they also report to the head of, you know, engineering or the head of business within the country, which is very good, right?
They then see that person as part of their team, right? It changes the whole dynamics. It's not like a security person from Global is coming in and giving their views and guidance. It's like, hey, this person is part of my team. So placement of, uh, personnel or individuals who would then be successful was the first thing. We also, you know, what we also did was we created a program called a security champions program.
I think, Sean, you would have heard from many other people. This is very common now, but we did that many, [00:21:00] many years back. And we started embedding people in projects, in accounts, in regions. And in fact, you know, not just embedding them, but training them, building on the capabilities, providing them the resources they would need to actually work successfully as security champions.
So we did that, right? And on top of that, we also created a governance forum where we can talk about this, right? We can show progress to the business. We can show we ran assessments, right? And I can go off because this topic is very dear to me. We ran assessments, um, across our client projects to get a feel of areas where we are really strong and the areas where we are not so strong.
Right. And then show that result back to the business, along with a clear list of actions that one could take to get better. So a lot of things. Uh, these are some of the examples, Sean, um, I could relate, which is around [00:22:00] people, process, um, you know, less on tech, because this is more around, you know, yes, they will need tools, we will provide them the tools, but I don't think the tools are a major problem.
But it's the people, the conversations, the forums, that's key in my opinion.
Sean Martin: Yeah. And I, and I suspect the BISO, regional security director, whatever you called them previously, um, would have a view of requirements. I was a product manager and a program manager for many, many years building stuff.
So everything looks like a project to me, right, with some thing you're aiming to achieve. Um, does your team have that view? And I'm looking at the point on CMMI and defining requirements. What do we need to do? How do we prioritize them? How do we communicate them? How do we manage risk in achieving them?
[00:23:00] Uh, work through ambiguity, communicate externally to, uh, the entities that rely on the results of that. Um, so talk to me a little bit about the model for setting the requirements and how your team navigates that internally, but then also navigates it externally with your, uh, with your clients, basically.
Nitin Raina: So, so we do, we did use this opportunity where we clearly saw, um, you know, gaps within the business to have a conversation with the business, right. And the gap existed on both sides. So the way we focused and provided a response was to first build the model. So rather than, you know, me talking about dimensions and how do I measure those dimensions?
We said, what do we really need here? What is that tool, that framework that we could use to talk to the business? So we started, you know, there were a lot of interview [00:24:00] sessions that we did, right? So obviously, you know, there was a team of, uh, I would say four or five individuals led by, uh, an experienced designer, uh, you know, named Diana and Trueno and, and a lot of other people who actually worked in, uh, interviewing stakeholders, saying, what exactly are you looking for when you look at security?
Like, so that not just from our side, but talking to business, talking to, uh, managing directors or demand people or people who are responsible for delivery, and get their views as well. So we did a lot of that, right? And then we also looked at our BISO group, our security champions, and interviewed them as well as to what they want to bring to the table, which would be relevant, uh, to have conversations with the business leaders.
So once we did that, we came up with a, uh, I would call it a 10-point model. Um, these are 10 [00:25:00] dimensions or 10 areas where we felt that we should be paying attention. And then what we did was, all of these, uh, broad areas or broad dimensions then required very clear requirements, right? So we basically, uh, looked at.
I'll take an example. If we have to mature our governance, right? Um, which is very crucial for any, uh, security team. How would we mature the governance? What, what are the dimensions? What are the requirements that we really have to look for? Or what are those, you know, key measures of success that we should capture in North with?
Yeah, a lot of effort with less effort, right? Because, you know, when we start measuring things and we find it difficult, people drop it. We didn't want the model to get so complex that people hate, you know, getting results to fulfill that. And then like, it's too difficult, I'm not doing it. You know, let's try something else.
So that's how we [00:26:00] began the journey, making sure that it is, um, translating well into the business language, making sure it is relevant to both our teams, but to the business teams as well.
Sean Martin: I love it. And, uh, correct me if I'm wrong, but, uh, the dimensions you're talking about are the relationships and the governance, that list.
Yes. Mind if I, do you mind if I read them quickly? Please, please. Building relationships, adapting governance, security event management, security community, leader activation, secure software delivery practices, data handling, security capability, risk management, just separate from governance, by the way, I don't know here, and visibility to everyone and everywhere. That's interesting.
I list those just so people can hear them. Um, we don't have time to go through all of them, clearly, on this show. Um, what I want to ask you is, [00:27:00] is there one of those areas that you found or experienced a whoa moment where things just really coalesced and it was the turning point, where you get started and the wheels get moving and then something happens and the program really, really kicks into gear?
Is there one of those that, that fits the bill for that description? And if so, how?
Nitin Raina: Yeah, I would, I would pick two, uh, if I'm allowed. One is, uh, one is the leader activation, right? So I think it was very difficult for my team and me as well, um, to, you know, get people to think about security as an area which they are responsible for.
So every time, you know, I'll take an example of an IT team, right? And this is not ThoughtWorks. This is just my, you know, broad experience. When you look [00:28:00] at security, they're like, too technical, there will be a specialist coming in. You don't have to worry about it. They'll tell us where we are wrong. And, you know, once they tell us, we'll work on it.
That's, that's been the traditional view that security is the most, you know, technical, smart, smartest person, somebody who is like a hacker would come in and tell them all the areas where there are problems. You know, and then somebody within the team will then, you know, come up with a backlog, you know, record things and then work on fixing it.
That thinking, that approach is not valid, to be very upfront, right? It has to change. So the, the Eureka moment for us, when we started talking to people and we got the feeling and we saw, in reality, where people were like, yes, I know what I need to do now. I know as a technology leader, I'm responsible for security as well, as a business [00:29:00] leader I'm responsible for security as well.
That change, it took time, it wasn't easy, but when we started seeing that change, when people started sending emails and saying, oh, we need to take care of this, you know, with regards to security, and the security person not saying that, that's when you know that the business is changing. So for me, that one was really, really, um, important and crucial.
And then I'll talk about governance, right? So governance forums could be, um, you know, they could be very interesting or they could be very boring, where people show up, they turn off the cameras and they're like, yeah, you know, somebody would come talk for 30 minutes and, you know, and then go away. We don't run governance forums like that.
We start clearly with the risks and the events that have happened. And we talk about metrics and measures that we have. Obviously it's a lagging indicator, but it's useful information. So [00:30:00] we, when we were able to, you know, get our leaders all excited to join the governance and they're like, yes, I know the patterns of risks that we are facing.
I now understand the patterns of events that I have seen in my region or globally. I can use that information and then go back to my teams or to my, um, you know, obviously you don't expect the managing director to fix everything, but they will go to their CTO or their head of delivery and say, what's going on?
Can you please tell me? And have those conversations. I think that moment where everybody was feeling all, you know, excited. And yes, there are problems being reported. So I'm not saying it is an easy conversation, but they are at least seeing that there are clear areas where they can work or they can use their decision making to improve the business. So those two really [00:31:00] stood out for me and for my team.
I wanted to highlight that. Yeah.
Sean Martin: And it's almost like your first point is embedded, I'll use the word embedded, in the second point, because they're kind of the reverse. They're part of, embedded in part of, what you're doing to understand, but they have a vested interest. And I think that's where the excitement comes in, and I'll bring it back to the storytelling, because it
becomes even more than just a story. It's a conversation, a story you're building in real time together with each other. Right. So it's all well and good. And as someone who likes to build stuff, I can see the, I don't know, the excitement of having built something. If it doesn't work, nobody buys it; [00:32:00] building it doesn't matter, right?
If you don't get the requirements right and you don't develop and deliver them properly, it's all for naught. So that's where, and this really struck me when I saw that you were recognized for your program, is that you achieved results, and we can talk a little bit about Mexico.
I know you have three points that we want to walk through, so I'm going to go through all of them, but let's start with a quick view from you on where we might be measuring things, I don't want to say inappropriately, but where we measure things for our teams and expect that those measurements mean something to someone not on the team: all the time to remediate, time to detect, all the MTTXs.
Right? So maybe a brief view into that, your thoughts on [00:33:00] what are we measuring, and is it the right stuff? And then we'll get into some of the results that you see. Sounds good.
Nitin Raina: Yeah, I think with the measurements that we have internally, I'm very clear with my team. First of all, one principle that we follow is: measure something which you can measure easily, right?
And measure the right thing too. So it has to be easy and it has to be the right thing that helps us get better, right? So we take a lot of time and careful thinking to arrive at that. And measuring what's the completion of our awareness program, how many vulnerabilities we have fixed,
all those are good measures, but I never take that to the leadership or even to the board, right? It basically switches everybody off. And, with all due respect, I have a very technical board to report [00:34:00] to. I'm very happy with that, because that keeps me on my toes all the time.
But still, I wouldn't want them to be looking at my vulnerability dashboard or my CISO dashboard, because that doesn't tell them anything. What they care about is: is our program maturing, are we looking at the main threats and events, how well are we prepared, and what are the top risks for the company?
That's what they really care about. So I'm very careful on what measures and what metrics I bring up, even to our senior leadership and then to our board, right? Internally, we do measure a lot of things. We look at how we are doing as a team, how efficiently we're running our security operations.
I have a wonderful team that I'm really proud of. And a lot of folks in my team are from professional services within ThoughtWorks who have [00:35:00] now embraced security. So I'm really proud of the 70 percent of devs that I have in my team. Which is awesome, right? They really like building stuff, automation.
So that really helps me to have a very strong security team, which knows they have to constantly look at improving and getting better. So we do have metrics, which I will not dwell on. But what we talk to the business about is largely key indicators, right? So, as I talked about, we talk about risks, we talk about security event patterns.
I think that clearly shows them areas where there is an opportunity for us to get better. And then we talk about areas where we can really show about the, and these are qualitative, right? When I talk about business leader confidence and engagement, these are qualitative factors, but I have [00:36:00] seen the leadership really values them.
So when we started measuring, and I'm coming back to the business security maturity model, when we started measuring how effective this maturity model has been, we found that 70 percent of our business leaders were reporting that they are now able to do security decision making better, which was a big thing for us, right?
If we have enabled our business leaders to do their job effectively, I think that's kudos, that's a pat on the back for me and my team. So that's the first one. We also saw, we do report on security events. I am a strong advocate that the more you report, the better you get as an organization. And these are events, right?
I'm not talking about large scale security incidents. But if you track events, then you would know if something could go wrong, right? So [00:37:00] that reporting, which is not relevant to business leaders, is more relevant to our teams, because the teams are working on problems, and if they don't report problems to us,
we would stay unaware. I cannot have my sensors on client projects, because the client projects have their own infrastructure. I cannot be monitoring a client's infrastructure, right? So the teams could do that, and the teams can then proactively inform us. If there is something that they feel is not right, our request to them is: report it to us, report it to your respective team, and report it to the client team representatives as well on the client side.
So that reporting increased by, I would say, about 36 percent, which was a great thing. And that clearly shows us that our people are engaging, they're partnering with us, [00:38:00] they're understanding that security is not only our responsibility, but everyone's responsibility. So those two, I thought I should highlight.
Sean Martin: Yeah, that's impressive. And what I'm wondering is, were those objectives set at the beginning, or just results that you uncovered after?
Nitin Raina: The results that we uncovered after, because when we were doing this, nobody asked me to build one, right? I clearly saw a problem. My team clearly saw a problem, and it was like,
we have to do this better. And if you wait for the business to tell you everything, nothing will change, because they have too much on their plate. So these were after we rolled out the model. We said, hey, this is really working well for us. We got some great feedback from many business leaders, many CTOs that we have in our organization.
They started loving it. In fact, [00:39:00] ThoughtWorks is going to do a podcast on this, on their official channels, with my team who has worked on it. They're the ones who actually built it. So they're going to talk about it. Hopefully maybe in a month or two it'll be out.
Sean Martin: So yeah, I was going to ask you, I didn't know if it would be an off the wall question, but especially with so many engineers, devs, on your team, if they get to work on stuff that connects closer to the business.
Especially because I know devs like to build, they like to automate. One direction is to bring efficiencies and accuracy and whatnot to the program. But in what you're describing here, it's about not just that, but also communicating with the other side, outward to the business. Do any of your engineers get to work on stuff that goes [00:40:00] that direction?
Nitin Raina: They do, time and again. If we have an opportunity to partner with a group to build a security product or a technology solution, if we have the time and the bandwidth, we do get people. We second people, like they go on a secondment for a few months. It's like, hey, you are a dev, that's your passion, right?
Go build stuff and come back, because we need you. But at the same point of time, you will be cross skilled and you would still stay in touch with tech, which we don't want them to lose, because obviously it's a risk function. We can do tech stuff, we can do automation, but I cannot do exactly what we're doing on client projects, because we don't have that all the time.
And I'm using a lot of SaaS now. There's a lot of integration work that we are doing and a bit of [00:41:00] automation as well. But there's not much custom software development that's happening. So if we have opportunities, we will do that, but if we don't, we also allow rotations, Sean, in our organization. So I rotate people.
So if you have been with us for two to three years and you want to go back to PS, you're more than welcome to do that.
Sean Martin: Oh yeah. Good. I hear organizations do that. It keeps things fresh in many regards. As a wrap here, Nitin, I want to give you a chance to maybe highlight anything we didn't touch on yet, and then also give a shout out to your team, anything that you want to share about your team, their capabilities, the way they keep up to date on technology,
training, lunch and learns, I don't know, anything about your team that makes this fun for them to be part of, not just the program. [00:42:00]
Nitin Raina: Yeah, I think a big shout out to all the folks who actually worked on this product, or this maturity model. Diana Trueno, she's no longer with ThoughtWorks, but she was the one leading it.
We had Robin, Doherty, Liza, Younger, Rohit, Mawei. I can go on, this is a big list, but all of these individuals, and many others too, they are constantly looking to improve what we have today. So the way that they look at it is, they have a thing in them, they challenge the status quo, and they always look at how we can do this in a repeatable manner, much more quickly, much better
from an experience standpoint. So they'll always look at improvements, right? That is ingrained within our team. And my role as the CISO is to give [00:43:00] them a clear path, as you call it a runway, for them to launch things, right? Obviously we don't go rogue. We stay focused on what we really have to do, because
if we try to solve things which do not need to be solved, then I feel the team has gone rogue. So we are very careful that we stay focused on our objectives, what we are trying to do, and then within that area constantly look at improvements. For example, now we have so much hype on Gen AI, and I have very talented devs.
So wherever we could use Gen AI within our cyber function, we are already doing spikes to do that, so that we can then have our time saved and utilized to do other work, right? So we do that all the time. We do provide a platform for people to [00:44:00] constantly look at upskilling. So as I said, the majority of my team is made up of devs, so they would love to learn more around cyber security.
So the way I believe, and I'm a strong advocate of that, is that you learn by doing. You can take a course, that's maybe 5 to 10 percent, but you will learn when you do stuff. So very recently, I would say 12 or 18 months back, we started our offensive security program. So we're doing a lot of work in red team campaigns, if I could say that.
And they're learning, they're constantly learning, adapting, sharing the results, coming back, doing a retrospective, looking to improve. So that's one example, which folks like Madhvi, Lahaan and others have been instrumental in running within my team. I can go on.
Sean Martin: That sounds good. And you may have touched on it already.
My final question as [00:45:00] we close here, which is: what's the one thing you see we, and I'll say we is the collective cybersecurity community, what do we need to do to redefine cybersecurity?
Nitin Raina: So I think there is one quote which I was reading earlier today, and I think it's very important for all of us to understand that. This is a quote from Gartner, where Gartner looks at it and security leaders are often considered the people accountable for protecting the enterprise from threats, and the business people are the ones who are making decisions, right?
You might want to do something within marketing which, yes, might lead to security and technology risks, but I wouldn't be stopping them, right? [00:46:00] That's not the role of a security person. So I feel we need to make everybody understand that for cyber security, yes, you will always need a specialized function.
You need skilled people. But you need to understand, when you look at doing new things, or acquiring new tools or solutions, or even taking things to the market, think about security the way you think about technology, the way you think about finance. So security is not to be seen as a special function.
And I tell this to whomever I talk to: don't see us as a special child. See us as a part of your business. You can see us as a technology function or an operational function. In ThoughtWorks, I'm seen as an operational leader. I report to the Chief Talent and Operating Officer.
And that's great, because that allows me to work with [00:47:00] the person who is the chief people officer, the person who's running operations, the person who runs our offices and IT. So it's then seen as more mainstream. I think blocking it, or putting it under IT, is a disservice to security as a function.
That's the point I want to make, and if it resonates with others, maybe this change can happen.
Sean Martin: I think it does. I think it will resonate. And I think it will have an impact, hopefully, as well. So thank you so much for taking the time today, for doing all the work, and for sharing it with whomever to get you recognized.
And I'm happy that I crossed that feed item and was able to connect with you, and I appreciate you taking the time today to share with us some of your insights and how you manage that program, that journey. And, like we [00:48:00] talked about earlier, I'm very happy to have you back again to talk about the current moment in time that you're working through, and how you achieve success on the other side of that as well.
Nitin Raina: Thank you so much, Sean, for this opportunity. And again, I want to end with the point that I'm just the one talking about it. There are people in my team who did a lot of hard work, and still are doing it. So I want to acknowledge the efforts of all of them who did the hard work for us to get this CSO50 award
recognition, and we are continuing to improve this technology and security framework, the maturity model that we started a few years back.
Sean Martin: And, I know I said we're done, but is it Joanna Park? That is, she's your
Nitin Raina: boss. Yeah. I had a report officer.
Sean Martin: I'll give her a shout out too, for giving you the space to do this work.
Nitin Raina: Yes.
Sean Martin: Because I [00:49:00] think clearly leadership understanding the value of it is important. And I'm glad she did that. So, all right. Well, thank you, Nitin. We're all good here. We'll see you again soon. Everybody listening, watching, thanks for joining us. Hopefully you got a few nuggets here for your own programs, and stay tuned, subscribe, please share, and we'll see everybody on the next Redefining Cybersecurity.
Nitin Raina: Thank you very much.