Cloud Security Today

Building a SaaS security program

Matthew Chiodi Season 4 Episode 8

Send us a text

This month, we welcome Swathi Joshi, VP of SaaS Cloud Security at Oracle, to discuss key moments and decisions that shaped her career path, including rejections from Google and Twitter. She emphasizes the importance of learning from rejection and seeking feedback to improve. Swathi also shares insights on the role of mentors and advises on finding and working with mentors. In the second part of the conversation, she discusses building a SaaS security program as an enterprise consumer of SaaS. She highlights the importance of addressing misconfigurations, ensuring visibility and access control, and meeting compliance needs.

Swathi also suggests asking about backup and exploring risk scoring for vendors. In this conversation, Swathi discusses best practices for managing vendor risk, vulnerability management through third parties, and incident response in SaaS applications. She also shares insights on privacy operations and critical privacy controls in SaaS. Swathi emphasizes the importance of collaboration, robust incident response plans, and data lifecycle management. She also highlights the need for identity and access control and the challenges of normalizing incident response across different SaaS platforms. Swathi's leadership philosophy is collaborative and pace-setting, and she emphasizes the importance of stress management.

Takeaways

  • Learn from rejection and seek feedback to improve
  • Build long-term relationships with mentors and create a personal advisory board
  • When building a SaaS security program, focus on addressing misconfigurations, ensuring visibility and access control, and meeting compliance needs
  • Ask about backup and explore risk scoring for vendors. 
  • Managing vendor risk requires close collaboration with privacy, legal, and contract partners.
  • Incident response in SaaS applications shares foundational principles with traditional on-prem software, but there are differences in data snapshotting and managing dependencies.
  • Privacy operations can be operationalized by focusing on identity, access control, and data lifecycle management.
  • Leadership should be collaborative, open to ideas, and adaptable to different situations.
  • Stress management is crucial for effective leadership and should be acknowledged and actively managed.

Links
Privacy Operations Template
Swathi's LI Profile

Chapters

00:00 Navigating Career Challenges and Learning from Rejection
08:13 The Role of Mentors in Career Growth
15:26 Building a Strong SaaS Security Program
21:20 Meeting Compliance Needs in a SaaS Environment
21:56 Backup and Risk Scoring for SaaS Vendors
22:38 Managing Vendor Risk
26:12 Improving Vulnerability Management through Third Parties
26:35 Navigating Incident Response in SaaS Applications
34:03 Operationalizing Privacy Operations in SaaS
40:50 The Importance of Collaboration in Leadership
43:04 Managing Stress for Effective Leadership


The future of cloud security.
Simplify cloud security with Prisma Cloud, the Code to Cloud platform powered by Precision AI.

Disclaimer: This post contains affiliate links. If you make a purchase, I may receive a commission at no extra cost to you.

Matt (00:00.782)
Swathi, thank you for coming on the show.

Swathi Joshi (00:02.825)
Hey Matt, thank you for having me.

Matt (00:05.006)
This is going to be fun. I'm really excited. So let's just let, yeah, let's jump right in. So you've had a really remarkable career journey. I love it. You've worked for companies like Oracle, Netflix, and FireEye. Talk maybe a little bit about some key moments or decisions that you feel significantly shaped your career path.

Swathi Joshi (00:07.561)
Likewise.

Swathi Joshi (00:27.241)
No, thank you. Thank you for the generous praise. I was recently chatting with a friend and I was saying, you know, honestly, I've not thought of my career as the strategic move. It's just been happenstance. It's been this series of incredible accidents. And I have just learned so much along the way. So a couple of stories come to mind. I remember...

I was at Gartner, I was leading three different security teams, identity and access management, incident response, and then client security center, talking to the business, talking to them about how can we integrate security, like a BISO or a security partnership team. So those were the couple of teams that I was leading. And I interviewed with, I remember at the time, Twitter and Google, and they rejected me and they said,

you are so great, but we don't know where to put you. So I had the, I was a generalist, right? Like I had the, I had the problem of I was not a specialist. So then I kind of decided maybe I need to pick a specialty within security. And throughout my career, I'd gotten some really great feedback on, hey, you're great, you know, under pressure, you're great within certain response, I think you should do that. And then also when I kind of looked at my resume,

I'd done a lot of proactive security work, like application security and compliance and forensics, some of those pieces of risk, and I hadn't done defense operations. So that was, I would say, one pivotal moment where I decided I wanna go into defense operations, and I had an opportunity to go join Mandiant.

So that's where kind of the second, I think pivotal moment came in where I decided to go from being a manager, being an associate director to go become an IC with managed defense group with Mandiant. And a lot of people were like, why do you wanna do that? Why do you wanna kind of you're on this leadership path, you're managing all these people, why do you wanna go be an IC? And it was just an opportunity to.

Swathi Joshi (02:47.017)
to be at the front line, to learn cutting edge and kind of do something different. So I think, yeah, so kind of shifting a little focus to being specialized and also saying, hey, career is not linear. You can have kind of this zigzag path and to continue and grow. Yeah.

Matt (02:59.982)
Mm.

Matt (03:07.534)
I love that. Now I want to, I want to hone in on one thing because you talked about being rejected by Google. So I've had some similar experiences in my life. And for me, the initial rejection is always painful, especially when it's a big name brand like that, right? Like, cause generally people want to have something like that on the resume. Talk with us just a little bit about what was that like for you getting that, getting that rejection and like, how did you, how did you move forward from that?

Swathi Joshi (03:10.697)
Yeah.

Mm -hmm.

Swathi Joshi (03:21.545)
That is.

Swathi Joshi (03:35.977)
Yeah, it was it was difficult, like like anything, right? Like it's it's always really hard. But one of the key things I think is kind of not making your mistake twice. So later when I got the opportunity to interview with Netflix, I had learned so much from those rejections. Right. So I think in a way those rejections got me ready for what was ahead, which I couldn't even see then.

right, because you don't know in the moment. So one key thing I will say is I try and really push for feedback even after the rejection. And it's hard. And some recruiters are great. Like you email them and say, hey, no, I know this didn't work out. And that's completely fine. But what did you hear? What did you hear from the panel? What was it? So if you kind of push a little bit, you'll definitely get some things.

Also later stage when I started interviewing for more senior leadership CISO roles, I did the same thing and I would directly email the interviewers. It's a little bit risky, I will say, but some people will respond. So you have a 50 -50 rate. Some people will respond. So there have been a couple of people even later stages who have been generous and responded and they've said,

you're right there, you know, the last 10 % is missing and what is that? So that's, that's always helpful. So it is painful, but you just have to go through it and, and, and do it. It'll be, it'll be useful in the long term.

Matt (05:19.79)
In my experience with there was one in particular, a rejection I had that I really wanted the role. And I remember coming back to my office, I was still right here in this physical office. This is pre pandemic. And I remember sitting in that chair back there crying, like literally crying. Cause I really, I was emotionally invested. It was, it was, it was, I think it was close to the final interview round. And I remember sitting in the chair crying, but then also journaling, journaling about it.

Swathi Joshi (05:24.177)
Yes. Yes.

Swathi Joshi (05:33.257)
Yes. Yes.

Swathi Joshi (05:43.689)
Yes! that's great!

Matt (05:44.622)
And then, like you said, like not knowing what was next. And then very quickly after that is when I took my first job at a startup, which was, which ended up being light years better than if I had gotten that role. But at the time I didn't know that, but being able to go back and read in my journal and kind of laugh about it now, like, man, I didn't, like, I didn't know that prepared me for that next step. So I love, I love that.

Swathi Joshi (06:06.857)
No, that is, yeah, no, that is that is truly incredible. And it is true. Like, I remember one of one of the folks, you know, I get reach out on LinkedIn and it's hard. Like, I try to respond, but sometimes you just can't because your job is demanding and you got stuff at home, you know. So I remember one reach out specifically. She was going through she was prepping for a couple of interviews and she wanted some interview prep.

Matt (06:22.318)
Hmm. Yeah.

Swathi Joshi (06:35.689)
And I remember like really politely saying, I may not have enough time to like really work with you on couple of the interview preps, but I can talk to you for 30 minutes. And it was to your point, it was a similar situation where she was like, yeah, this is this is my dream job. This is it. Like, and I remember thinking in my mind, you know, that's gonna hurt if it doesn't happen. And I remember telling her, hey, it's OK.

there will be another dream job. I think it'll take a little bit to realize what that might be. But also I think it's good to feel that way, isn't it? It's actually good to be a bit emotional. That means you care. It really means you want that step up or whatever it is in your mind that's gonna give you that a little bit. So I think that's why feeling the nervousness, feeling emotional and that's okay. Yeah.

Matt (07:19.598)
Yeah, you're right.

Matt (07:34.254)
Yeah, like I had I had already pictured myself in the role. I was already six months in the role. I had I had the team picked out and you know, I had the house picked out all literally and but yeah, it was a it was a good experience and it was and I learned from it, right? I learned from the experience.

Swathi Joshi (07:38.633)
Yes.

Swathi Joshi (07:43.017)
Yup.

Swathi Joshi (07:48.745)
Yeah. Yeah, yeah, yeah. Yeah, likewise, yeah.

Matt (07:54.094)
Maybe can you talk about the role, because you mentioned doing a little bit of this yourself with someone reaching out to saying, Hey, can you help me with interview prep? But talk maybe a little bit about the role that mentors have played in your career. And how would you, how might you advise someone else about approaching and finding and working with mentors?

Swathi Joshi (08:13.457)
Yeah, I cannot, yeah, I'm so grateful and thankful for some of the most incredible men and women who've been my mentors. And I think this is another thing. I've chatted with a few different people and my mentees also that this mentor -mentee relationship, some of the...

the strongest ones and some of the most successful ones that I've seen have grown organically. There have been some amazing relationships that I have seen where, hey, your company runs a mentee program and then you're matched against with someone. I think for short -term growth, I think they are beneficial. But I think for really long -term growth, I've had the...

Matt (08:48.11)
Mm -hmm.

Swathi Joshi (09:08.745)
pleasure of having people like in my corner for years. For example, I talk about Sean all the time. Sean was my first manager when I started at App and even to this day, he says, you're still on my team. That's the relationship we have, right? And I think one of the, and I hope,

that it's because as a mentee, I have also hopefully provided or given something to the relationship. And Sean's been like so great at some point, I remember him telling me, I think you've graduated from my, you know, mentee program. So now I'm going to introduce you to my mentor who probably can, you know, so I have had such.

generous and thoughtful kind of mentors. So people talk about talk a lot about it, but this is super effective is having your personal advisory board. You know, it's really hard to have one person do all of this. Like if I was just burdening Sean with all of this, like that would be difficult. So I have kind of my personal board, my connections where, hey, I have this question. I recently had a question.

on some of the privacy regulations and compliance. So I have my friend Flora Garcia, who's an exceptional lawyer and also a GRC person. Like I reached out to her and say, hey, can you teach me? So I think having kind of multiple people, I think is beneficial. And kind of having those long -term connections, right? Like 10, 15 years, like you build that kind of over time.

And I also, another friend, I was on a panel recently and something she said has stuck with me. She said, mentors are like therapists. If you don't like one change, you know, so I thought that was very interesting, right? Like, you know, you try to form this connection and if it's not there, if they don't have the time, you know, if they're not pushing you, maybe that's not the right type of mentor for you. So.

Swathi Joshi (11:24.073)
you know, respectfully sort of have that conversation and maybe look for someone else. Yeah.

Matt (11:29.486)
I like that. And I have been part of those, let's say corporate run mentor mentee programs. And I'll be honest, they never really seemed to work well. It was too forced.

Swathi Joshi (11:34.569)
Yeah.

I know. Yes, yes. And I also wonder because it takes a little bit of like choice away from you, right? Like you sometimes like you do look for something specific. And if you don't get that, then it truly might be like a probability, like a clear up math equation of like, here are the chances that you'll actually find someone that that's a

Matt (11:49.774)
It does.

Swathi Joshi (12:07.113)
good match or has the time.

Matt (12:09.87)
How would you, if you know, especially, I think we all need mentors no matter how, where we are in our careers. That's become really clear to me. I think when you're first starting out, the idea of asking someone to mentor you can seem like, why would they bother spending time on me? And I've told people over and over to me like, you know, that's not usually the case. Like usually if you ask somebody and you're just looking to learn.

Swathi Joshi (12:28.937)
Hmm.

Matt (12:38.606)
Normally, like you said, someone reached out to you about, hey, can you know, and you said, I don't have a ton of time, but I give you 30 minutes. I found that most people, even if they're a senior, will generally find some time if they, if they know that you are, you don't have an ulterior motive, right? Number one, you're not trying to sell them something.

Swathi Joshi (12:52.841)
Yes.

Matt (12:55.822)
And you really are just looking to learn. Like I did this a lot, especially earlier in my career, but I would, I would kind of go through my LinkedIn network and I would say this person has an interesting like career or at least it's different. Like they were in a totally different field and then they jumped over. And, and I remember just reaching out to people that were in my local area just saying, Hey, can we, can I buy you lunch? I'd love to hear about how you, you know, did X, Y, and Z. And now a lot of these people, I met with one time and, and never talked to them again, but there's one or two of those people who I still, I still talk to.

Swathi Joshi (13:25.833)
Yeah, no, that's a great point. And also one of the things that's been really effective is internally in your company, finding someone that's not in like your direct chain, but laterally or in another organization. That's another thing I've found that internally people are very generous with your time. To your point, right? Like I...

people do get a lot of reach outs. Now I understand, like looking back, I was also one of those people who would be like, hey, here is like this VP in this organization. I'd love to. But now I realize that it's very hard to kind of make that time. So I look for opportunities like like this one that I'm on where it's it's just like our engineering or automation tools. Even this is like a matter of scale.

Like how can I scale and how can I kind of, what I have learned and all the mistakes I've made, how I can kind of communicate. That's a quick plug. I did a talk, a day of security keynote last year. It's called seven questions to propel your security career forward. So questions are the answers. That was my...

Kind of think about, look, I don't have all the answers, but I have questions for you that you can ask yourself these questions to kind of get the answers. So I was kind of trying to do, hey, here is how I coach, but here is a talk that way you all can listen and hopefully get that versus, you know, I can't find that 30 minutes for everyone. So yeah, if folks who are listening are interested, I would say, please check out the talk and hopefully that's useful.

Matt (15:08.782)
If they Google that, will we find it? Because that sounds really interesting. I want to go listen to it. Awesome.

Swathi Joshi (15:11.817)
Yes, it's on YouTube. Yeah, but maybe, maybe we can include it in the show notes or something. Yeah. Yeah.

Matt (15:17.678)
I will, we will absolutely put it in the show notes. So let's, let's switch gears a little bit. Let's talk about SAS from a B2B perspective. So I recently read that 77 % of business software is now SAS, which is an astounding number. So if you were building a SAS security program from scratch, not as a product company, but as an enterprise consuming SAS, like where would you start and why?

Swathi Joshi (15:21.897)
Yeah.

Swathi Joshi (15:26.345)
Mm -hmm.

Swathi Joshi (15:32.169)
Yes.

Swathi Joshi (15:46.409)
Yeah. Yeah. Fantastic question. So, so let's kind of look back a little bit, right? Let's look back, say, last 10 years of our security industry. So in the early part, you know, moving to cloud was like a huge thing. Like people were trying to move from on -prem towards cloud technologies. You know, right now, that's like the norm.

So we are here, the cloud is here, ephemeral microservices type architecture has helped security tremendously. Now what has happened with that switch? With that switch now, recovery and response is getting really expensive because our SaaS ecosystem is applications are getting very expensive.

there are multiple APIs talking to each other. So the interconnectedness of the systems are increasing. I think that's because of the direct correlation of our business problems are also getting complex, right? Like you consider any kind of industry, you consider manufacturing, you consider logistics. There are multiple pieces here for any business to operate. So that reflects in your IT ecosystem, that reflects in security.

And we've also in the last 10 years, what we've seen is the infrastructure costs have come down, not as down as we would like, but they still have significantly come down. So we saw a huge increase in ransomware as a service or account takeovers, compromised credentials. Those continue to grow. And so attacks and the recovery.

are continuing to get complex. So now we are in sort of that, that kind of with that background, we are kind of in this stage of the technology lifecycle, right? So I think a couple of different things. SAS is obviously here to stay. That's the only way kind of other businesses are able to scale. With that, there is also risk transfer.

Swathi Joshi (18:04.105)
and up to a point risk acceptance that, hey, this risk is moving to a SaaS vendor. So as more kind of putting my enterprise hat on, I would say three things, right? Year over year, we've seen in the DBIR report that misconfigurations are the number one thing that are causing problems. It can be attacker driven or it can be human error based. And most of them sometimes are also human error based.

So like making sure your SaaS configurations are in the right place, I think would be number one. Number two would be visibility. Obviously having the right kind of access control, but knowing as an internal security team, what kind of access controls are in place? What kind of RBAC, if it's segregation of duties, specific types of policies, having those. And I think third one,

making sure all the compliance needs are met, right? Like there's an entire kind of compliance industry around this. And it's one of the things that you provide your customers with the assurance that, hey, we are doing these things. So yeah, making sure that your internal compliance needs are met by your SaaS provider. So I would put those top three on the list.

Matt (19:26.606)
So obviously you work for Oracle now, and I would imagine that you guys probably have a massive team that deals with all of the different security questionnaires that come through probably in the hundreds to maybe even thousands from all your massive number of customers. Are there?

Are there questions that you are surprised that maybe aren't being asked? That you're like, wow, I'm surprised that we don't get asked this question a lot. That maybe you would advise listeners who are dealing with maybe not an Oracle, but maybe a smaller SaaS provider that you say, hey, these are questions that you should probably be asking.

Swathi Joshi (19:47.721)
Mm.

Swathi Joshi (20:03.241)
Yeah, I think if I were kind of in that position, I think backup would be like the number one thing that I ask for. I think, and I'm sure you kind of listeners know the context with like everything like happening. I think that's one level rate like that you can use. And of course,

you know, cross in the T's and dot in your I's everything from how is it, you know, availability and contractual requirements. So I think those are sort of the standard ones I see. I think, you know, with the sort of ML and AI kind of blowing up in the way as a security practitioners on the internal side, I'm kind of really excited about how can we use those tools to kind of answer these security questions, right? So kind of reducing that toil.

reducing that work for the team. So creating sort of the knowledge base and kind of constantly kind of updating the answers to reflect sort of the current compliance and regulations. So I'm kind of excited by that. I think in a way, we all know security questionnaires is like the not the best way of handling things.

So I think some type of risk scoring, like that's associated with your vendor. I'd love to see like more of that. Like, hey, this vendors, we take a heavy reliance on these vendors, so they would be put in a high risk category, whatever kind of criteria you have. Maybe it's the type of data you collect, maybe lack of certain controls. That's why the vendor might be on high list. So.

Some form of grouping of the vendors versus like plain checklist and questionnaire based approach is something that I would get behind.

Matt (21:56.206)
So I would imagine that Oracle is also a consumer of SaaS services. Obviously, you have your own platform that have multiple different applications. And I think you touched on this a little bit. You had talked about this growing complexity and the interconnected nature of SaaS platforms, where you may think you're just interacting with platform X, but platform X,

Swathi Joshi (22:01.929)
Yes.

Matt (22:19.246)
And behind the scenes is an interactive platform, YZ, A, B, C, D, right? And so there's just this web of complexity and fourth party risks, right? So we've said that 77%, roughly 70 % of software right now is delivered as SaaS, which means that every business is more than likely relying on multiple SaaS vendors. You started talking about this a little bit about looking at your different SaaS vendors through different risk lenses, but.

Swathi Joshi (22:38.761)
Yes.

Swathi Joshi (22:43.689)
Yeah, a couple of different ways I would say, I think there is a lot of chatter around.

Matt (22:48.27)
Like what kind of best practices might you recommend for managing that vendor risk? Like how would you look at that? How do you look at it?

Swathi Joshi (23:05.385)
hey, you know, making sure your contract language and all of that is updated. I think having that close relationship with your privacy partners, with your legal partners and with your contract partners as a security team to manage that I think is quite important, having the sort of that collaborative approach and some type of, you know, centralized model for risk tracking. Hopefully, you know, there is a risk register that you...

that you manage and feeding that sort of vendor and third party risk into that. The third biggest one that I've seen which causes a lot of unplanned work is vulnerability management through third parties. So I don't have a straight answer for this except for maybe a multi -step process of having a really strong on -call culture.

Matt (23:50.286)
Hmm.

Swathi Joshi (24:03.721)
because this can come up kind of anytime, then the other thing is changing sort of your, how you calculate vulnerabilities, right? So if you consider just straight off the bat, if you're considering a CVSS score, that's really not useful because it does not talk about how that CVSS score is applicable in your environment. But the framework talks about, hey, you can actually...

add a factor X or a Y, it's called an environmental factor. And that's what we have done. We've tried to kind of change that and say, okay, here is a vulnerability with the CVS score of eight or nine, whatever you want to consider. What is the exposure? Right? Like how much, how many systems are we talking about? There's a huge difference between like 10 systems versus say 400 systems. Then do we have a...

is a publicly available exploit. So is an exploit available where anybody can take an exploit and then target this all day, right? So we've added those environmental factors into our vulnerability management program. So kind of not taking these rating right off the bat. And having...

I was a consultant at MendiEnd, right? Like, so you work with a lot of your partners and vendors. And some of the great security teams have been the ones that treated me as an extension of their team. So having that really relationship with, when you form that connection, the person will be like, hey, irrespective of what's going on, if there is a problem, I am gonna come and call you.

because I see myself as an extension of your security team. So having that vulnerable disclosure program or whatever you want to call it with vendors to say, okay, being on that list to say, hey, yeah, please let us know if there is a problem because we're going to solve it together. So I would kind of say those kind of four things to manage third party risk.

Matt (26:12.334)
So you've led incident response teams at both Netflix and Oracle. And this is a question that I've gotten a lot over time is that, how do I do, what does incident response look like in SaaS? So maybe talk a little bit around what that looks like for SaaS applications compared to traditional on -prem software.

Swathi Joshi (26:15.325)
Yeah.

Swathi Joshi (26:35.433)
I am a huge fan of sort of, you know, foundational principles for security and some of those, you know, classic timeless. So in some ways, to be honest, Matt, for incident response, you know, detection, maturity and all associated things, some of those foundational pieces are the same. I think they're kind of these classic building blocks that are needed to

to say run an efficient crisis, right? Like if there is, there's always gonna be chaos in a crisis, you can't avoid that, but some kind of controlled chaos. So I think some of those basic pieces are different. So maybe if we talk a little bit about those and then kind of say, okay, but there are some pieces that are completely different, right?

So in those, in sort of these timeless pieces, I think having a really strong incident response plan, okay, having the severity level, okay, what's high, what's medium, what's low and kind of being flexible with that because as the investigation progresses, sometimes you might go from a low to a medium to a high, greatly depending on what you come across. One of the interesting metrics that we,

really focused on tracking at Netflix was not mean time to resolve because sometimes I think mean time to resolve can be like an off indicator because then the focus is actually to close the incident. But closing an incident and resolving an incident are kind of two different things. So one of the things that we tried to track is mean time to assemble. How long does it take for the right folks to be in the group?

we saw that if we have the right folks on the bridge, we were able to resolve the incidents faster. And one of the big problems, I'm sure, big companies, small company, kind of maintaining that call tree, who's where, who is responsible for what service. So having a really strong kind of phone book mechanism, whatever that is, you know, pager duty.

Swathi Joshi (28:47.625)
whatever internal systems you have, having that, keeping that updated. I think it's quite important. And of course, like handoff, right? I think it's proven after six, seven, eight hours being in a high stress situation, it like affects decision making, you're tired. So having sort of that, yeah, hey, I'm gonna hand this incident off to someone is helpful. One other kind of timeless thing,

I've seen, it's hard to do in small teams. I will acknowledge that, you know. Having sort of that liaison role, a lot of times when incidents are formed, people will come in, say four or five hours later, okay, what's going on? Like, what's the status? There's executive swoop, there is an executive jumps in and like, what's happening with this and what's happening with that? So having like a referee to say, hey, okay, protecting the team to say, okay.

the folks on the team are working diligently to resolve each stream of the incident, let me kind of tell you. So I kind of take that either, you want to call it executive liaison, executive sponsor role to say, okay, let me kind of manage kind of the stakeholder a bit, a little bit. That role I've seen to be quite helpful. I think with the traditional kind of software environments and with the SaaS environments, I think,

You know, with in -stream data, right? Like with structured and unstructured data, a lot of times, because of the ephemeral nature of this, snapshotting gets really hard. So that's one thing I've seen, you know, kind of teams struggle with, okay, do I be a data hoarder and hold all the data for, you know, endless, you know, times, or do we really say,

here is the data in stream, we take a snapshot, whatever detections we wanna run, we run. If we see some anomaly, then we see what the drift is and then we kind of, we get rid of that data, right? I think that's kind of the one of the biggest questions that a lot of the enterprises are dealing with, kind of how to do incident response in that kind of environment. And then to your point, you know,

Swathi Joshi (31:12.393)
Dependencies, we see this, right? Like in SAS, DAS, SCA tools, a lot of times, like the findings that we see are dependent with other third parties. So how do we kind of manage that chain? I think is another kind of difference between on -prem and cloud, yeah.

Matt (31:29.55)
One of the things I see for security teams that maybe grew up where the predominant software model was on -prem, I'd say this is especially the case in large, let's call them Fortune 500, Fortune 100 companies, is they say, well, I can't put taps in on a SaaS provider, right? So how do I, you know, so what am I limited to just the cloud logs that that SaaS provider may expose?

Swathi Joshi (31:32.361)
Yeah.

Swathi Joshi (31:52.233)
Mm.

Matt (31:55.438)
How do you and obviously it's different, right? So if I look at what maybe Oracle provides to me as a consumer, that might be one thing versus what a Salesforce provides versus what maybe a smaller, you know, maybe let's, let's maybe a verticalized solution may offer. And so what I've seen the questions I've gotten a lot of time is, is how do I standardize incident response when each of these SaaS platforms may provide me something completely different?

in terms of logging. I'm curious, how do you think about that type of normalization?

Swathi Joshi (32:24.677)
Yeah, this, you know, this kind of, this is very similar to the detection problem, isn't it? Like adjacent, but very similar to we have data coming in from different areas of the business, but it doesn't form like a same common information model or a common format. So normalization becomes very hard. So,

I think sometimes one size fits all is not the solution. So maybe there is different classification in the type of incidents, which is also what I've seen in multiple places that I've worked at. If there is a specific type of, incident type is something that we said, okay, when we do take a look at the last one year of all the incidents we've handled.

when we do that report, taking a look and seeing, okay, what's the specific classification type of an incident? And then for each of those types, maybe you follow a different run book, right? Like to your point. And I think it's a great point that you bring up. And also we've seen now big enterprises are multi -cloud. So the same run book now is not gonna apply to every one of your environments, right? Because...

The info you run on that is different. The customers you support on it is different. So I think maybe a one size fits all solution is not the way to go and you kind of have a different flavor of each.

Matt (34:03.374)
So I found I was doing a little stalking on you prior to the show. I saw that you recently published a privacy operations template on GitHub. And I love that you're still very active on GitHub. Talk a little bit about what inspired you to create it, and how would one go about operationalizing that operations template?

Swathi Joshi (34:11.145)
Yes.

Swathi Joshi (34:19.081)
Mm.

Swathi Joshi (34:23.881)
Yeah, so, you know, as I was kind of talking to different people, one thing I saw was kind of the lines for privacy and security. They've been blurring and we know this. And there's such a complimentary skillset, right? Like, so kind of to our point of different flavors of Runbook, I think there are different like operating models for security and privacy teams. There have been places where now for...

At Netflix, for example, privacy engineering was within security and it was part of that. I know a lot of other places where privacy and trust is a different organization and security is a different organization. Here, my team works very closely with our privacy counterpart. So I think there are kind of different flavors, but seemed like kind of the underlying principles and the type of problems.

each team was trying to solve were the same. How do we integrate more? What are the differences? How do we kind of have security and privacy closer together? And conceptually, there are some, say, top five criteria that we can follow. And then there are specifically policy related.

I wanted to focus a little bit more on not on the policy side, but how to integrate into general operations of security. I also saw a talk, I think Shobit Mehta from Headspace gave on privacy operation center. I thought that was interesting as well. So I was kind of getting all of these data points from the industry on looks like we're kind of struggling or discussing kind of same kind of problems. So that was kind of my inspiration.

And then the template kind of lays out, okay, here are some of the practical things you can do to operationalize your privacy program, to have the data processing agreements in place, to have that review of the contractual language. Then, let's talk about data masking. That in itself is a very difficult problem to solve and like all of these kind of other areas. So that was kind of...

Swathi Joshi (36:44.681)
kind of my side project in my personal time to kind of work on that and publish it. So yeah, thank you for checking out.

Matt (36:53.262)
We'll put a link to that in the show notes. So I guess somewhat of a follow up on that is, what are maybe some key privacy controls that organizations overlook in SaaS? And where does maybe your privacy operations template come in? Can it help address that? Is it aimed primarily at product companies? Or can it be used by the enterprise? How does that all kind of fit?

Swathi Joshi (37:01.609)
Yeah, yeah, great question. So our hope was this template is like a base that we provide and then practitioners take that and change that to.

to match their needs. So it's definitely written from a more internal security kind of point of view where I kind of come in. But definitely, I think for folks who are building security products, this could be a great way to take a look at the template and say, OK, what are some of the considerations of our customers? Like, what are they thinking about? So hopefully that gives

security vendors and product engineers and product managers and idea of what is their base kind of looking for. So there are kind of two things that I'd like to kind of call out from the template. Our first section is can focused on identity and access control. And I think we touched on this a little bit, right? Like with our SaaS providers, we want the controls in place and more than that, you also wanna have visibility to those controls.

So user authentication, authorization, access auditing, and then to tag on to that user provisioning and deprovisioning, which also continues to be a massive problem in security. And I think there has been so many identity kind of related companies coming from that. So I would say number one being that identity and access control. And then data lifecycle management. This kind of attaches on Matt to your previous point of, you know,

Matt (38:40.398)
it is.

Swathi Joshi (38:55.145)
we can have this massive amounts of data coming from different areas for an enterprise. And I think that's where you really need to kind of think about operationalizing privacy as well, you know, data classification and labeling and, you know, retention and then disposal. So I would, I would say like, those are some of the top ones and they are for a reason, number one and two in the template.

Matt (39:20.878)
That's great. And that's really, that's highly relevant. I was one of my clients through some of the work I do outside of where I am today. We did a tabletop exercise and it was specifically focused on some of these things. And one of the things that got flagged was, was around IAM, but also secondary. The thing you talked about was, was data. Like they didn't have a good sense of what data was where. And during part of the tabletop, you know, this, obviously this incident was, you know, this, this scenario was laid out. And of course everybody's kind of scrambling to figure out where to put it.

Swathi Joshi (39:22.121)
Wow. Yeah.

Swathi Joshi (39:48.193)
Yes. Yeah.

Matt (39:50.832)
figure out what it is, but no one even asked the question, well, what type of data is it? Is it risk here? Right. Because is it, was it public information, right? Do we really even need to worry about it or was it PHI, right? And so they, they didn't have a good way. And as part of that, that was one of the prompts that came later on was, well, what type of, what type of data is there? Do you know? Right. And they didn't have a quick way of knowing. And so I thought that was interesting that, you know, you have those in your privacy operations template. And so I think those are, I think those are awesome.

Swathi Joshi (40:12.585)
So I thought that was interesting that you wouldn't have those in your privacy operations. So I think those are really fantastic. fantastic. This is exactly the type of validation you hope, right? Like as an author, you're putting something out there and you're hoping it's useful. So yeah, no, thank you. I appreciate it. Thank you. Yes.

Matt (40:30.958)
I'm gonna use that. I'm actually gonna send that to the client. So I appreciate that. Thank you for creating that. So as a leader, you manage really massive global teams. This might be hard to do, but I'm curious, like in one word, how would you describe your leadership philosophy?

Swathi Joshi (40:50.057)
Yes, one word is hard. But no, no, no, no, I appreciate it. I definitely, you know, early part of my career, I feel like I got some like really bad advice on leadership. It was, you know, more around, you have to be strong, you have to be a certain way, you have to have this executive presence. And and I kind of took

Matt (40:52.59)
Alright, maybe two or three words, two or three words.

Swathi Joshi (41:18.217)
that advice. And so I think early on, maybe it was not natural or like more authentic to how I was. But as I've kind of gained experience, kind of worked now a long time, slowly, I think I found my confidence to for my leadership style to be very close to who I am as a person. So you kind of show up as as who you are.

Otherwise it's really hard if you have to put on a certain persona, say. So yeah, definitely. I'm definitely a more collaborative leader. I've also had my direct reports kind of say that I'm very laid back, except for I think when it comes to incidents. I think I definitely tend to be a little bit more.

assertive or more direction oriented because I think that's what the team and the situation needs. But otherwise, I would say kind of combination of very collaborative style, open to brainstorming and ideas. And then also, I think when the situation requires kind of pace setting, if it's not going at a certain pace, kind of saying, yeah, here is the, like I'll set the pace and I say,

This is where we want to go and kind of take the team along. So my team has gotten better with, they'll say, Swati, I don't know, one week seems very short. So they've learned that. And now they'll come back to me and say, don't worry about that. I think that's a bit too fast. I'm like, OK, fair. There are these other things going on. So yeah, I would say collaboration and pay setting style.

Matt (43:04.782)
So how do you stay sharp? What's your routine look like?

Swathi Joshi (43:06.921)
man, this is a really tough one. I am definitely involved with a few different security communities where really relevant discussions happen. So I really learned quite a lot from my peers. And especially there are a few communities where honest and healthy and respectable debate is really encouraged. So I really appreciate that.

where we throw some questions out and kind of start getting responses from other people. I also podcast and other things. I kind of read leadership books and Risky Business is one of my favorite podcasts. I listen to that, some great stories and guests there. Yeah, I learn from my peers most definitely.

I am not great at making the time to take training. I think it's getting harder and harder, right? Like taking the four or five days, like doing the training. So I think that was more helpful though, in early part of my career. So for folks who are listening, you know, continue to do that. But that model, like taking five, six days just to learn. I haven't been able to do that recently.

Matt (44:29.678)
Yeah. And I tell people all the time, I think even training, like when I first started my career 20 years ago, it was, it was get on a plane, fly to some other city, go be there all week for training. And that was certainly helpful, but I think, you know, in the last decade and a half with the advent of YouTube, there's so much free content. That's really good. Now.

Swathi Joshi (44:31.977)
Yeah.

Swathi Joshi (44:50.985)
Yeah.

Matt (44:52.558)
There's certainly, there's, there's definitely a case for this, you know, the sans trainings and those very kind of specific trainings where you can get access to, you know, some of the best in the world. But I think for, I think probably 80 % of the time, I tell people a lot of times they're, you know, I've had a couple of clients who've asked about, you know, their training budgets. And I say, like, give people time to train, but let them go on YouTube, let them come up with their own curriculum on YouTube. And there's really good things that you can learn from that.

Swathi Joshi (45:04.297)
Yeah, and it takes focus because you know like if anything everything is gonna pull you away from like work is gonna pull you away like you know obviously this family commitments, you know so yeah making

I would say now it's been more episodic. Like, I'll take an hour on a Friday and then take another hour in a couple of days. And then, yeah, audiobooks have been really great for me, especially when it comes to organizational design or leadership, any of the topics that I want to get better at. So audiobooks have been very helpful. Yeah.

Matt (46:01.358)
So is there anything else I should have asked you? I know we covered a lot.

Swathi Joshi (46:02.473)
No, no. I think one thing I would say is stress management. So I think as you kind of, you know, talked about sort of, you know, in this role, there are various things to consider, right? Like there is leading the team, there is, you know, latest.

trends that you have to get yourself updated on. So there is your personal stuff to manage. So I think if there was anything that I knew sort of couple of years ago, or even say 10 years ago, I wish I'd spent more time learning how to manage stress, because that's always going to be there. So in a way, kind of accept it and

the next thing would be to kind of manage. So yeah, I think I've done more work on that in the last few years, but I wish I had kind of known that maybe 10 years ago and started getting better at that.

Matt (47:10.062)
What's that look like for you? What are some ways that you found to help manage stress?

Swathi Joshi (47:12.325)
I think first is just acknowledging that it's always gonna exist and it's really up to you whether you choose to engage with it or not. And then kind of having the right routine, your right kind of secondary factors around you to support that.

I think it was, it looked very difficult for me during COVID, which was very hard because I had little kids and they were home and they couldn't quite understand like, mom's here, but not available, right? Like that's a difficult concept, but obviously for young kids. So I think that period like taught me quite a bit, kind of having that separation of like, yeah, here is kind of where.

where work ends and here is some of the other stuff begins. I have a lot of respect for people who have this integrated style of working. Like I've tried to do that. And I think I'm getting a little better at that. But I think that's another way, right? Like it's, there's no like strict separation. It's kind of cyclical. Sometimes like work might be a lot more than there are some of the other weeks. Maybe you take a little bit more time to focus on other things. So yeah, that's been.

kind of helpful for me.

Matt (48:37.87)
I love that. I love that. Well, Swathi, thank you so much for coming on the show. And this has been absolutely fascinating and a fun discussion.

Swathi Joshi (48:39.881)
Thank you so much for coming on the show. This has been absolutely fascinating. Likewise, this was a blast. Thank you so much for having me.