Matthew Chiodi (00:00.822)
Rinki, thanks for coming on the show.

Rinki Sethi (00:03.361)
Thanks for having me, Matt. It's an honor.

Matthew Chiodi (00:05.97)
I'm excited. So I was intrigued. You have been at security companies like Twitter, IBM, Palo Alto Networks, but you recently transitioned from the CISO role at Bill.com to a startup, Upwind Security. Tell me a little bit about that. What prompted the move and what's been your biggest surprise since moving over?

Rinki Sethi (00:28.373)
Yeah, so I, it was really interesting. So I had been now a public company CISO for a while and spent three years at Bill as CISO and CIO. While I was there, I also created Lockstep.

which is VC firm investing in cybersecurity companies with another practicing CISO and was really kind of building out the security community. And towards the end of the year, I was ready to take on something new. And so I started looking kind of like...

Matthew Chiodi (00:58.574)
Hmm.

Rinki Sethi (01:02.615)
different types of rules, was about to actually take on a public company see-saw role when this opportunity at Upland came up and it lit a fire in me and I felt like it's one of my favorite cyber companies. I was a customer and just.

the opportunity to like go and help build a dream solution for cybersecurity practitioners excited me. And so here we are. like really having fun being at upwind and kind of like championing this concept around runtime security.

The one thing is it's the smallest company I've ever worked for. It's a Series A company. It's a hot, hot company, especially with some of the news around others that are in the space and kind of what's been happening. It's just like our time to win, but it's also like being at a startup. There's a lot of building and plugging in different areas. And so you get to learn something really like constantly learning, learning, learning, which is amazing and fun and also challenging.

Matthew Chiodi (01:59.022)
you

I get this question probably over the last six months, many times from my peers who are CISOs. They're, they're in the industry and they're curious about what's it like. I'm thinking about moving over to a vendor and they just have a lot of questions. So I've got this question a lot. So for you specifically, the space that, that I think upwind is in, and you can tell us a little bit more about that. Like you guys are competing with some of the heavyweights, right? Like Palo Alto networks.

your old alma mater, mine as well, you're competing with Wiz. Like, what would prompt you so much to join an early stage startup that's going up against these heavyweights?

Rinki Sethi (02:47.031)
What really struck me was back in 2022, I met Amir Am the CEO of Upwind and he had just kind of started this, started Upwind and he told me, first of all, like just hearing about his background, they had sold their prior company to NetApp for 500 million SpotIO. The team came from a DevOps background and this was very different for me to hear that there was a cyber company being built.

not from the cybersecurity unit in Israel, but it was from the DevOps unit and the unit that owned like massive cloud infrastructure deployments. so their whole thing was we're coming at it from a DevOps perspective, which we think that context is missing in current cybersecurity tools. But it was also the very first time three years ago that I heard runtime security.

Matthew Chiodi (03:18.806)
Hmm. Hmm.

Rinki Sethi (03:37.127)
And I was like, what is this? What is runtime? And he was like, look, you've got to do cloud security posture management. You've got to do those things for compliance, but you really can't do security right unless you're at runtime.

And that's what we're here to build. And at the time, they were kind of early in that journey, and especially solving specifically for cloud security at runtime. that's what caught me and caught my attention. It was not the pitch that you heard from other companies. Upwind had really invested heavily on building the best sensor technology. And that was their bread and butter, and they did it in a very lightweight way. And so...

Matthew Chiodi (03:49.288)
Hmm.

Matthew Chiodi (03:55.278)
.

Rinki Sethi (04:18.589)
It was to me like a no brainer, like we're going to consider you as as a potential product here. And at the time they weren't competing against Palo Alto networks or whiz or anything. fact, our investors are the same for a whiz and upwind fast forward. Now we're going head to head. And I think it's a really good place to be with the valuation of whiz. Whiz is an amazing product and you know, being acquired. I think it's like now we're kind of the hottest up and comer independent cybersecurity company in the cloud security platform.

and runtime security, that to me was really interesting. And I think we're kind of paving the path for this how to think about runtime security and what it needs to look like in more modern environments.

Matthew Chiodi (05:02.654)
So for our peers that are thinking about this move over to vendors, it sounds like for you, there was a couple criteria that you looked at, like the founders, you know, their, their background, their history, their success. You looked at the product itself. You said you were a customer, so you knew it well. there any other like heuristics that you.

kind of used or that went into your thought process while you were evaluating this move? I stay on the public company CSO side? Do I go like, what else went into your decision making?

Rinki Sethi (05:33.243)
I think a of the things that you mentioned, I love the team. That to me was like number one. Whether you're at a public company, private company, wherever you go, you wanna work with people that you're just gonna love working with and that you're gonna have fun doing whatever it is, whether it's building or scaling together. That was definitely number one. I obviously was a customer of the tech and thought it was incredible because I don't think if I'm gonna join a company like on the cybersecurity side, I have to be very passionate about what they're solving for and have to feel like

the biggest champion. So obviously those two things were table stakes. The third part of it, and this is kind of, especially in the last, want to say like two to three years, has become really important and personal to me, is this sense of really giving back and building the cybersecurity community. We go to events and we do things with the community and I feel like our jobs are really taxing as it is in security and then these things they just take

take, take, take. And so my thought was like, I think the way we build this community, like our security community needs to be different. We need to give back. need to feel like we're part of this community where we walk away with really meaningful relationships with other security practitioners and that kind of thing. And so that became really important to me. And Upwind felt like they believe in that and they believe in the relationships and I wanted to go and help them build that. you know, that's been really important. So I would say those three things were the most important.

for me.

Matthew Chiodi (07:04.603)
One of the things that I hear from these, you know, this, this great number of people that I've spoken to in last six months, it's probably upwards of a dozen people that I've spoken with who have asked me like, how did you make this move? You know, I see you've been at Serby for three plus years, but one of the things that's usually underlying that, that desire to change is that, they feel, they feel burned out, right? And you did a, I think you had a LinkedIn post sometime the last couple of weeks about why CISO's leave.

And you called out broke environments as like the real reason, like not compensation. So, you know, staying on kind of this track, like, what do you think are maybe some of the early signs that a company doesn't actually want a real security leader? Like, how would you, how would you coach others to spot them? And I think you could go two ways with this. One is like, they're, they're either just, they want to stay on the non-vendor side and keep doing what they're doing, but maybe they're evaluating a new role. Or maybe they are evaluating going to a vendor. Like how would you.

approach that what are some of those early signs you would look for.

Rinki Sethi (08:05.045)
I think...

Let's just, I'll answer generically first and then maybe we can go deeper into the types of companies. But I think CISO type rules come in different shapes and forms. Sometimes if it's a very early stage company, they truly need to be thinking about security. It might be more of a security architect type rule where you're really kind of technical and building out capabilities with the opportunity or option to like scale into a proper CISO role over time as the company grows.

Matthew Chiodi (08:26.496)
Hmm.

Rinki Sethi (08:36.816)
you have to identify.

and be real, right? Like with yourself on, it a CISO just by title, but an actual, it's a security architect type role or building out in technical role. So recognize that and know what you're signing up for. If it's a proper CISO role, think like interviewing the leaders and the leadership is just as important as them interviewing you in the sense you get of the culture within the company. Like, do they truly care about security? Do they feel, do you feel like they're gonna have your back

if there's a security incident, like do they feel share accountability and responsibility around security or is it like, that's, need to see so to just come and own all that stuff so we don't like need to worry about it. So I think those are really important things. think understanding like budget size of team, like what you're gonna be given the opportunity to go and build or transform or change is important. Meeting with the board members or asking for it, cause many times the...

The may or may not be part of the interview process, but if it's a public company, you may want to ask to say, hey, can I talk to somebody on a committee that I'm going to be presenting to, because I'd like to understand. And I think that can give you a really good view. And if the answer is like, the CISO doesn't present, that might be some red flags. And I think it's OK to ask during the interview process, like what kind of incidents have happened, how have they been dealt with, just to get a sense of the company.

Eyes wide open as you're walking in and knowing things could change, Like environments change, economy changes, and it could have an impact, but like know what you're walking into day one. Especially like this advice, like, you know, the people you're going to be working with and working for is so, so important, more important than the title of CISO. And I can't stress that enough for folks that are taking on their first CISO job. It's like really important, go into a very supportive environment.

Matthew Chiodi (10:32.115)
I do agree with you there. think it's really important a lot of times especially if somebody is stepping into a Cesar role for the first time they're so excited like I've been working for it on finally, you know the the leader and they focus so much on just the compensation and the title that they forget about like the truly important part is like you said the people like who are you gonna be reporting to who are your peers is this a supportive environment?

What is their history? Like, why did the person that was maybe in the role before, like, why did they leave if they're still not in seat? I think those are all like critically important questions, especially again, if someone's just, you know, or maybe they've even had the CISO role before, but they're just, they just want to get out from where they're at. I've had a number of peers who have been, you know, were CISO for a number of years. They were through a number of incidents and they were just totally burned out and they just took the first thing that came along and there, there are like six months.

And then they're, bouncing again. Yeah. So, you know, I think it's, it's interesting again, the number of places that you've been in, obviously it is almost impossible now to talk about cybersecurity without talking about AI artificial intelligence. So you've, you've had this unique background of being with vendors, being public companies, public companies that are vendors right across the board. I'm curious in the, the programs that you've built.

Rinki Sethi (11:25.975)
Yep. Yep.

Matthew Chiodi (11:54.976)
over the last call it two years. How has AI shifted your approach to building those programs, if at all?

Rinki Sethi (12:02.839)
I think what's happened and I want to say like definitely over the two years even more so over the past year, year and a half is every and I'm talking to peers across like different industries and it's this is not just for security but I think it goes across any discipline everybody's being asked on

Matthew Chiodi (12:10.114)
Mm.

Rinki Sethi (12:22.241)
How are you thinking about AI and how it builds into your, like how it works in your program? The cool thing, and Matt, you and I share history here is like, we know that like in cyber, especially the products that have been built, like machine learning and AI has always been a tactic that cybersecurity products adopt, because we've known that that is the only way to stay ahead of the attackers or to stay on par with the attackers. And so we've been talking about this very early in cyber, right? But now...

It's not just like how you built this into the products, but how are you looking at your entire program from a process standpoint, from a people standpoint, like everything, right? And this is for marketing and this is for IT and other disciplines as well. But everybody's being asked by the board and by the executive team that how are you going to drive more productivity? How are you leveraging AI to scale your program? And so 100 % we've had to go back. And to me, I felt like when we first started hearing about this,

It was like, this might be a really good time to just, what if we like, let's do zero sum? Like what if we're going to rebuild our program entirely with the tooling that's available today? Like what would we build out differently? How do we start like upskilling talent? How do we like slowly start shifting into what the future needs to look like? And so, and then what does that mean? Like, does that mean we need to like, now that like, we're going to be able to actually scale without adding more headcount? Does it mean that we need to just rip out products that are there and look at things differently?

And I think it's actually like, if you, there's, like, I think we have to adopt the change that's happening, adopt AI, know that the future is gonna be agentic and that, like, how do we start shifting to that, in that direction? And so for me, I think like, tangibly what that's meant is that start evaluating, like, working with early stage companies on like, what this could look like in your environment. I think the further, the earlier we do this, I think it's gonna be better for the whole industry.

Matthew Chiodi (14:18.126)
What have you found? there any specific use cases that you've seen maybe in the last year or 18 months that are perhaps what you would consider just like these are easy wins with AI? I'm curious if anything comes to mind for you.

Rinki Sethi (14:32.535)
Yeah, the ones I adopted immediately, I think there's some disciplines where it's gonna be.

we still need some maturity to see kind of what's gonna happen. like one that was immediate win was third party security. So like looking at our questionnaires, getting AI support, like getting a product in that was gonna come in and basically take a look at like, we automate a lot of what's happening? Look at the SOC twos, like apply and then ask, like just do complete analysis, ask the questions you wanna ask, fill out even the questionnaires that you may need to fill out.

Matthew Chiodi (14:44.706)
Mm.

Rinki Sethi (15:06.483)
automate, like do all the emails back and forth. Like we had like, I think we cut down by 70%.

Matthew Chiodi (15:12.421)
Wow.

Rinki Sethi (15:12.887)
like the amount of work. And so there was an immediate gain there. I would say like the other areas I was excited about where we were, you could see products that were coming a long way was an identity governance space. A lot of companies that are smaller can't afford the big identity governance players, not just from the tech stack, but like you need people that can implement and really kind of scale those programs. And so we need leaner solutions. I think there's a lot of interesting innovation that's happening there. And then I think there's areas where I think the story is still

to be told, but there's a lot of excitement like around how you like sock AI companies. I think there's going to be some really cool compelling stories. There's a lot of players and it's I think there's a little bit for teams that are a little bit more mature on the operations side. We need to kind of wait and see when those are going to catch up to be more sophisticated. But right now I think for teams that are very early on building on sec ops, that's another one where there's a lot of innovation happening to take a look at and adopt.

Matthew Chiodi (15:48.16)
Hmm

Matthew Chiodi (16:10.886)
Yeah. I remember this was probably two years ago at RSA when not everybody was messaging that they had AI, just the early ones. But I remember sitting down with, I think it was the founder of Dropzone, which is a SOC, Autonomous Automation. I remember the conversation then and just this past RSA, seeing how like, you know, you were there, right? Like it was like, I don't know if there was probably only like 10 % of vendors that did not have some type of AI washing on their product.

But I agree with you. think when we look at, when I look at kind of the landscape, the models have changed so dramatically in the last six months and we're likely to continue to see that progress happen. I know one of things I've challenged my team with over the next two quarters is to start cataloging, right? So we've had this little bit of a catalog of like, here are the things that we do on a daily, weekly, monthly basis that are high value, but are extremely rote. they're just, they're boring, high value, but boring.

And now we've started the process of taking those tasks and automating those with different automation tools. And it's amazing the lift that you can get out of that. So that's like, think just like if you're on a marketing team, you might use chat GPT to generate some content, to repurpose content. And for a cybersecurity team, I think there are tasks. When you think about

from the protection side, right? Because there's a lot of organizations now that their primary concern is like, hey, I don't want my intellectual property. I don't want my whatever it might be to end up being trained in these public models. How do you approach that? I know a lot of companies try to approach it with kind of just like a policy process where, hey, we just blocked chat GPT.

What's your sense? How do you recommend CISOs and compliance teams? How do you recommend they approach that, the use of it?

Rinki Sethi (18:02.037)
the use of, Matt, your question is going back to like the use of different models and ensuring it's not training on data you don't want it to train on.

Matthew Chiodi (18:08.236)
Right, you can take it down the privacy path or can even take it down any other path you want. But yeah, how do you approach that from a cyber program?

Rinki Sethi (18:17.299)
cybersecurity, and I'll kind of give like a more generic cybersecurity slash privacy, but I think there's some really, this is where I think like if you're, especially if you're building models, I think this is where it can get really interesting. There's some really interesting companies that are emerging and we're now also learning that like some of them are even pivoting because they're understanding like, is MCP gonna be the future and do we need to build on top of that? And so you think about like, how do you really look at the like...

How do you adopt technologies that can really support you in looking at that? I think also like, it's not the best, like one of the things you do need to get aligned on is like principles across the company. Cause if you ask two leaders on like what...

what's okay and what's not, they're gonna give you two different responses. And I think getting that alignment, I think there was like, we used to talk about data governance committees and I was like AI committees. so I think, just getting, it could be a one-pager on here are the principles that we stand by and there should be transparency around that. And then I think behind that, you can get the tech to like help make sure that you're testing and doing the right things around how you're using those models.

Matthew Chiodi (19:01.71)
100%.

Matthew Chiodi (19:25.488)
And I think that AI is not new. There's a lot of organizations that everybody's using it. You've seen those workplace studies now where it's anywhere from like 40 to 60 % of the workforce uses it on like a weekly basis. But I think there's still a lot of fear.

Especially in cybersecurity teams just around cybersecurity in general. So I guess my question for you is, like, are there, based on your experience, are there any myths around AI and cybersecurity that you think security leaders need to rethink?

Rinki Sethi (20:00.427)
think that AI is not going to solve cybersecurity. I think that it's going to amplify both attackers and defenders. Obviously defenders in a good way, attackers where we need to go and defend against. But we still need the context, we still need strategy, and we need human judgment. And so I think it's not going to be fully solved. I also keep hearing like,

AI is going to replace humans. I think AI is going to replace those that don't use AI. And I think that it's so, so important that we leverage AI and we embrace it. And it opens you up to doing things more creatively, focusing on more important things and more complex things. And I think that's going to be super important that adopt AI, figure out a way to leverage it, because that's going to be the future. And the folks that learn to use it really well are going to be 10xers.

Matthew Chiodi (20:34.368)
Mm-hmm.

Rinki Sethi (20:58.041)
the rest are going to be replaced.

Matthew Chiodi (21:01.346)
I would agree with you. I agree with you there. think that, for those that have started to use it early on, they, remember early on using it, you know, two plus years ago. And I remember, you know, just responses from bosses, like, how did you do that so fast? You know, things like that, right. But it was more of like this personal productivity piece. And then if you remember last year toward the end of last year, all the talk was maybe even mid last year was around prompt engineering. Like this is going to be that the next big thing. Well, the models again, have.

have changed so fast at like prompt engineering, like, I didn't even hear anybody talking about anymore because the models have gotten so, so good. So I don't know, I guess, I guess from your perspective, when you think through those different myths, it sounds like you're saying that, you know, there are, there is this perception out there that like, am I going to have a job as a cybersecurity leader? Or as a cybersecurity practitioner? Am I still going to have a job? It sounds like you're saying the answer is yes, but

If you're not learning how to use AI on a daily basis, your job could be at risk. Is that about right?

Rinki Sethi (22:06.837)
I think so. And I think it applies to every field, right? When you hear about developers that are using cursor, right? And they're like, this is like a tool that's making me a 10X or, and then what about the ones that aren't now, right? Like you compare like their output and what they're delivering is going to be so different. In cyber, I think it's the same thing. Like all of a sudden you use like some kind of AI tool for phone management or like force, it's anything you name it. And if it's going to like help you do things way faster, way better.

Matthew Chiodi (22:18.743)
Hmm.

Rinki Sethi (22:35.499)
then you're going to be able to do so much more other work and other things that it's like you're going to be, again, like a 10Xer. versus those that aren't, because we know that the scale and the speed with which AI can solve for things is like we should leverage that and then to drive more efficiency and productivity.

Matthew Chiodi (23:01.454)
One of the things we had talked about earlier in our chat was just about how, you know, security individuals almost always are looking at like, what's it, what's it going to be like if one day I get to be a CISO, right? What would that look like? What are the skills? And I know you've served on boards, like to put it this way, like if, know, go back 10 years ago, CISOs were very technically focused, right? It was all about technical and et cetera. That's how they talked on the industry.

you've been on boards, how does that CISO role shifted when the CISO is sitting at the boardroom table? How does that role change and what have you seen work and what have you seen not work?

Rinki Sethi (23:44.289)
Yeah, think, so I'll talk about the CISO in the boardroom table in two different ways, right? One is presenting to the board, because you're still at the table, even though you're presenting to the board. I think like one, like everybody used to say, remember like even five, six years ago, it's like, yeah, like we have our CISO present to the board quarterly. But then like you go and ask CISOs, are you actually presenting quarterly? And it's like, nah, I'm pretty much bumped and I do maybe once a year. That's no longer the case. Like I think there is once a year for sure, but like.

most CISOs are presenting, especially for public companies to the board quarterly or audit committee quarterly. And so I think that that's a massive change that's happened that cybersecurity is definitely an important discussion at the board level. For public companies, you're checked on what kind of level of education the board members have around cyber, how often they're trained, how often CISOs are coming and presenting. And so I think it's a really important change that's happened. And that exposure has made, I think, CISOs better leaders. And how do you handle the questions? How are you thinking about the business? So I think that's

one aspect of it. The other aspect is like actually being a CISO that sat on a board, I sat on a private company and public company board and it's not, and both of them have been in the cybersecurity space and so what I would say about that is like,

You're not a CISO when you're in the boardroom. You're a board member and you're thinking about the business and you're thinking about governance. And so it's a very different role. was amazing for me in being in the boardroom was you learn a whole set of skills that we are not necessarily trained on as cyber practitioners through experience or through training. And so like you're now getting to hear what's on the minds of the key things that are on

on the minds of the executives and what that company needs to do to really, really propel and what are they talking about from an environmental perspective, all of those things. And you get exposure to that, which to me then makes, it gave me exposure and I'm like, okay, it's not all about security. They need to focus on revenue. They need to focus on, my gosh, there's a pandemic. What are we gonna do? Not just from a cyber perspective, but complete company perspective. And it really opened up my eyes to be more kind of like, okay,

Matthew Chiodi (25:45.87)
you

Rinki Sethi (26:03.199)
I need to be a better business leader when I'm going around leading cyber programs, because at the end of the day, you want to speak security in the language of these leaders and understand what's more important and how do you negotiate accountability and negotiate prioritization around security. So for me, like that's the big difference, but your role is so different there in guiding the company. And a lot of us as CISOs, security is not the only thing we do. We're like business leaders within the company. So bringing that perspective into the room is like so, so important in those conversations.

questions.

Matthew Chiodi (26:34.417)
How did you get ready for that? you think back to maybe the first time, like maybe it was your first board presentation, you're probably pretty nervous. Like how did you get ready for that first time? you think back to it, I know how long ago it was, but what was that like for you and like how did you prepare?

Rinki Sethi (26:49.527)
I don't think I was ready. I think it's still, when your experience as you like board members change or you like take on a new CISO job and you're now presenting, it's hard. It's so hard because at the end of the day, you're presenting to people and everybody on the board like.

Maybe they have cyber experience, maybe they don't, but everybody has a different level of experience with cybersecurity. And so it can be so daunting to present to board members because there are these like very seasoned leaders that have accomplished so much. I think the one thing that's really helped me is meet with the board members, like get to know them outside of your first board presentation, ask them what's important to them, ask them what their level of confidence is around cybersecurity. What do they want to hear about? Share with them what you think

it's important for them to hear about. And you can even do like pre read cycles with them and things like that so that you get input. And that kind of helps with the confidence when you have these relationships that you're slowly building over time with the board members. I was still like, I remember I was like sweating and shaking and I was nervous in my first presentation, even though was like a very friendly board and but it's it is nerve wracking. I also think like, I like

Matthew Chiodi (27:49.774)
you

Rinki Sethi (28:05.907)
I talked to other cybersecurity leaders and said, here's how I'm thinking of presenting this. Give me feedback, give me input. Everybody's willing to help. We've all gone through it. So many folks leaned in and said, Rinki, would tweak this, tweak that. And of course, you have to make this your own in the context of the company that you're working at. you can take all the input and then synthesize and decide what's right. And then, of course, practice makes perfect. You get better at these things as you go. One thing I strongly believe,

Like I never had the opportunity to go to see a board meeting, experience it until I had to do it for the first time in my first CISO job. There's like so many things you're scared, like you're worried about in your first CISO job, right? Like so many things, hiring the right talent, where do you even start with the strategy? What should you be focused on? And then you add like board meeting and board presentation on top of that. Like I'm championing this idea that...

Matthew Chiodi (28:44.561)
Hmm.

Rinki Sethi (29:01.237)
I don't think that should be the first time we do that. Like we as leaders now need to bring in our security leadership team into the board meetings and push that. It's good for the board, it's good for the company because they then get to know people other than just the CISO and they get confidence in the team, but you're starting to prep them to take on their next moves and it won't be their first time presenting.

to the board when they take on their CISO jobs, right? So I think it's really important to take this first time fear away. And I think those of us that have held jobs where we've been presenting to the board, we can go and demand that it's time to bring these folks in.

Matthew Chiodi (29:42.248)
I love that. I love that about calling up your team and they will likely be pretty scared. Like the first time I can remember being in that position where I had a leader I worked for many years ago who

made it a habit. And I think it was intentional. And I did ask him about this years later. I'm like, did you purposely do that to me? And he was like, yes. But there was times where it would be like an hour before, maybe not a board meeting, but a very senior audience. at the time of my career, I was not senior at all. I was very technical. And I remember him saying an hour before, hey, can you run this for me? And I was like, what? Like, it's an hour from now. And

I remember being scared out of my mind, but you know, after he did that a number of times, a, I knew to be ready that he had that meeting company that he might ask me. but it was also just, I think being a good coach in that he saw something in me that I didn't know that I even had yet. And I think that is a crucial part of leadership is like, we enjoy, like you, get to a certain level of experience and you enjoy presenting to the board because you've done it a number of times, right. And you have that. But I think as you rightly pointed out, we have to remember that.

It is our job as leaders to make sure we're giving that opportunity to who might be the next leader in that spot. And so I love that.

Rinki Sethi (30:54.975)
Yeah, and even if it's that sounds daunting to put you an hour before like to go, I, know, also like.

Matthew Chiodi (30:59.149)
It wasn't a board meeting, it was still a pretty high-level meeting.

Rinki Sethi (31:03.989)
Yeah, that's even better. but it's like, even if it's just like, hey, I'm gonna bring in my SecOps manager, like into the meeting, you don't need to say a word, just observe, like see what's.

what it is, because a lot of it is confidence building during the question and answer sessions, not when you're presenting your own content. So it's like they get to observe that, they get to see how the answers are handled, how the questions are told, like get to understand. So it's very, just even being an observer is so meaningful versus just hearing it secondhand when the CISO comes into their staff meeting and say, here's how the board meeting went. That's not like, that's not experienced. So I think it's super important.

Matthew Chiodi (31:40.504)
So maybe somebody's listening to this and they're thinking like, my boss does not bring me into those meetings. What kind of leadership traits would you encourage them to work on? Maybe again, their boss maybe not giving them that experience. Maybe it's just not even an option. How would you encourage them to start working on those things in advance? we've always heard, like, hey, if you want that next role, you should already be doing as much of it now as possible. Like, what would you encourage them to focus on?

Rinki Sethi (32:10.753)
I think like being a strong communicator, like as you go up the leadership team, leadership team, especially in cyber, like being a strong communicator is so, so, so.

in every way, shape and form. That was not the case a decade ago. You needed to communicate, but you didn't need to be the best at it. It was okay. We were known as quirky folks that didn't know how to communicate well. Now, that's changed, right? You need to communicate to the board. You need to be a clear communicator if there's an incident. We just need constantly communicating risk and building partnerships across the company. And so I think that communication piece is so key. And so that's the thing to work on. And if it's not through your own...

leadership chain for whatever reason. I think there's like many of us in the community that are like would love to coach, mentor, and do things, you know, and help. And I think that, and even guide, like here's maybe what you need to go work on. Your presentation is great, but like how you're telling the story is not great. I think being a storyteller is really important too, that like we're not just talking about technical jargon, but like how do you paint the picture you're trying to like have folks walk away with. So I think these are really important things to work

on and there's many of us that have done the CISO job. I've had to present to boards and we're more than happy to like guide and coach and share. There's a lot of like I think now there's like even vendors putting out content on that other CISOs have contributed to just around like...

here's a template for a board presentation, this is what it looks like, like have, start presenting in that way and start preparing that kind of content even if you're not presenting to the board for your, you know, even if it's to your CISO to say like here I'm to present like state of operations for my team and so I think you can, there's a lot you can do to practice even if there's, you're not getting the opportunity to be at the board.

Matthew Chiodi (33:59.052)
I love that. And I think this is an area where for me personally, when I've had to present to the board, I use AI a lot, like on the materials beforehand, where I will, you know, and I learned this hack, listened to a podcast a couple of months ago where you tell the model, like you are, whatever it might be, you are a series B venture capitalist, or you are this type of person. And it really does change the way the model answers. So I usually have it, you know, I will usually say be harsh, give me harsh feedback.

on this deck and I'll give it the PDF of the deck. And I found that to be extremely useful. So that for me is usually the first two or three passes with a board deck or any kind of height. What I would consider a high stakes deck is go back and forth a couple of times with, know, pick your model and, and start there before I even give it to, you know, the CFO to review, look at, right? I think it just kind of raises the bar. That's been extremely helpful for me.

Rinki Sethi (34:52.107)
No, I love that.

Matthew Chiodi (34:54.967)
So let's switch gears a little bit. Again, you've worked at a lot of amazing companies. I'm curious, like when it comes to personal growth, what's the formula that works for you? What's your routine look like?

Rinki Sethi (35:07.969)
No, I'll talk about, I like to surround myself both personally and at the workplace around people who are challenging me to think differently and forcing me to learn something. I think that's really important. Whether that's founders, peers, operators.

Matthew Chiodi (35:19.917)
Hmm.

Rinki Sethi (35:27.915)
whether that's my family. And I like to say yes to things that scare me. In fact, taking on this role at Upwind was a little bit of that. Like it's a totally different kind of role on taking on things I've never done before and Matt, you and I talked about that and it's like really exciting, but it forces you to say like, I don't know what this is, like teach me, like, and just kind of.

Matthew Chiodi (35:36.534)
I bet.

Rinki Sethi (35:50.293)
like immerse yourself in something new. to me, like I, the happiest I've been is when I'm constantly learning, I'm challenged and I'm busy and I'm feeling like I'm making impact. I mean, those are the times that I grow the most personally, I think, even though it might be a work related situation. And I think like growth comes from discomfort, but it also comes from clarity. And so I like, I stop a lot of times and I still do it. And I'm like, am I just grinding or am I growing? Right. And

Matthew Chiodi (36:19.949)
Hmm.

Rinki Sethi (36:20.217)
Sometimes you realize I'm just grinding. I'm actually what am I doing? Like pause, reevaluate. I also think like for me, you have to take breaks from work and you have to take breaks from everything. Take vacations, take time off. I think that helps with personal growth. It puts things in perspective. You come back from a break and you go back and look at things and you're like, I don't know why I was worried about that. It's so petty and dumb and like it's not even important to me anymore. Or like...

Matthew Chiodi (36:43.777)
Yeah

Rinki Sethi (36:49.579)
For me also, the daily break is I'm very, very, very like, I have to spend at least half an hour to 45 minutes, if not an hour, to find time to exercise, even if that means I'm waking up 4 a.m. to like find the time to do it. That is incredibly, incredibly important to me. That helps me like be a better human. So I think those are the things that I think are really important.

Matthew Chiodi (37:11.319)
I love that. I love that. love asking this question because, you know, I've spoken with dozens of leaders over the last five plus years on this podcast and they all have some commonality. There's usually some form of regular exercise that they have. It's usually that they have the desire to learn like continuous learning. And I'd say, the third thing is, is that they are often, they have learned over the years to force themselves to do things that others don't want to do.

Like essentially like they've built that muscle of self-determination, self-control, and they're able to just stick to things that others might not, might just give up on after a while. I think what a lot of people don't realize, especially if you're very early on, you're just out of school, is you might look at somebody who's been working for 20 years and think, wow, I could never do that. But I always remind them like, Hey, they've had 20 years to build that muscle. Just like you got to go to the gym and build muscle while, you know, building that willpower.

is is equally a muscle as well and it sounds like you've you've sounds like you've been doing that really well. Well is there is there anything else I should have asked you or or you wanted to cover?

Rinki Sethi (38:16.567)
Thank you.

Rinki Sethi (38:24.139)
no, I think we covered it. I just like, I don't know if it's like a point that I'm at in my career, or what, but I just like, you know, I, I

like want to put myself out there for those that might be listening that need support either like you're working on the next board deck or anything like that. But I also like have become this big believer of like we need to help each other and have a strong community of folks. And it's like not a hard, you know, it's not an easy job. And so like, let's do that. Let's build communities in the right way. And let's like push the industry to like really kind of give to the security community, not just take. I think that's going to be really important.

Matthew Chiodi (39:04.619)
I love that. Rinki. Thanks for coming on the show.

Rinki Sethi (39:07.127)
Thanks for having me, Matt, I appreciate it.