From Security Evolution to Generative AI: A Q&A with an Industry Leader

Tim Chase, Field CISO at Lacework, recently sat down with Rahul Gupta, Head of Security and Governance, Risk, and Compliance (GRC) at Sigma Computing. The two discussed a wide range of topics, including Gupta’s perspective on the evolving security industry, how to attract and retain talent, things to look for in a security solution, the impacts of generative AI in cybersecurity, and much more.

TIM: Tell me about your role as Head of Security and GRC at Sigma Computing.

RAHUL:
In my role at Sigma, I wear a lot of hats. At its core, I’m responsible for the teams that ensure our overall security posture and regulatory adherence.

My responsibilities include assessing and prioritizing risks, developing security policies and procedures, ensuring the organization meets or exceeds regulatory requirements, and implementing effective security controls to mitigate potential threats. I communicate regularly with internal and external stakeholders (including our customers) about our security program’s effectiveness.

As you’d imagine, collaboration is a key aspect of my role. I work closely with cross-functional teams, including IT, legal, product, and compliance, among others. Together, we ensure a unified and cohesive security strategy that aligns with business objectives. We also work together to ensure that security is a part of our organizational culture.

I’m also passionate about talent acquisition and nurturing the skills of existing team members. This emphasis on talent acquisition and skill development contributes significantly to achieving organizational goals and maintaining a high standard of performance.

TIM: You’ve been in security for some time. What’s the biggest difference in the cybersecurity profession today versus when you began your career?

RAHUL:
One of the most significant differences lies in the sheer scale and complexity of the cyber threats that organizations are facing today. When I started, cybersecurity was more focused on traditional measures like perimeter defense and antivirus software, which were primarily designed to protect against known threats. However, the threat landscape has expanded exponentially. Today, cybersecurity professionals must contend with advanced persistent threats, zero-day attacks, ransomware, nation-state sponsored attacks, and supply chain vulnerabilities, among others.

The attack surface is also enormous due to cloud computing, internet of things (IoT) devices, and other interconnected systems. A reactive approach alone is no longer enough. To me, we have to be both proactive and reactive, remediating the highest priority risks while promoting advanced threat detection and response through threat intelligence, machine learning, and artificial intelligence (AI)-driven technologies.

To make matters even more complicated, governments come into play. The regulatory environment has become much more stringent. Cybersecurity is no longer solely a technical discipline; it now encompasses legal, regulatory, and business considerations.

Basically, the cybersecurity profession has transformed from a primarily defensive posture to a dynamic and strategic field that demands continuous adaptation to emerging threats, technological advancements, and regulatory changes. This evolution underscores the need for cybersecurity professionals to stay abreast of the latest developments and adopt a comprehensive, risk-based approach to safeguarding organizations in today's rapidly changing digital environment.

TIM: As you are well aware, security budgets are facing the same pressure as other functions in today’s economic climate. What is your approach to securing the resources needed to run your security org?

RAHUL:
Yes, this is a real challenge. For me, it’s all about approaching these conversations strategically and transparently. I prioritize resource allocations based on risk. I also often justify these budget decisions by aligning them with regulatory requirements.

On top of this, we try to cut costs wherever possible. We outsource certain functions. We also have a unique way of approaching security technologies. We actually layer cost-effective technologies like open-source solutions and new, innovative service provider solutions with some in-house integrations. We’ve learned that some custom development like this is critical to providing robust protection without significant upfront costs.

Really, more than anything, executives and stakeholders need to be educated on the threats we’re up against. I make sure that they know the consequences of underinvesting in security, and I promote the value of proactive security measures.

TIM: Speaking of limited resources, let’s talk headcount. I know you are passionate about building and equipping teams. What’s your advice to other security leaders looking to grow their teams at a time when headcount is a precious resource?

RAHUL:
Many times when we discuss “prioritization,” it’s in the context of risk. However, I think we need to adopt that same mentality when it comes to headcount.

Prioritizing critical roles that directly contribute to the highest cybersecurity priorities is key. This goes without saying, but those priorities will differ from company to company. Also, cross-training existing team members is a great strategy since it enhances flexibility. And, generally, invest in education, whether this be on-the-job training or external training. This will attract top talent to your company, while making your security organization best-in-class.

Companies should also automate wherever possible. This will allow the team to focus on complex security initiatives and give your team the satisfaction of working on high value work.

TIM: There has traditionally been a negative perception of security when it comes to product development. How do you take steps to ensure that security is an innovation driver at Sigma, rather than a blocker?

RAHUL:
In my leadership role, I try as much as possible to use my influence to promote security as an enabler to innovation, rather than a blocker.

We embed security early in the development lifecycle, making it an intrinsic part of product and software development. We have collaborative risk assessments with development and other business teams to find ways to balance security requirements with business objectives. We also have innovation-friendly security policies that encourage creativity while promoting security.

Within Sigma, our security awareness program is more than a yearly check-box exercise. We make sure our employees understand that security is integral to our company. The training demonstrates how security measures contribute to overall organizational success. We also find security champions within different functions around the company to promote secure behavior and celebrate security wins.

TIM: You mentioned your unique approach to building a security tech stack. In cloud security, there are point solutions for everything you can imagine. What’s your approach to buying or building to cover the gaps in your cloud security posture?

RAHUL:
My strategy involves a balanced blend of buying and building solutions. As I mentioned earlier, we do quite a bit of custom development to get the most out of our investments.

That said, when I evaluate new security solutions, here are a few questions that I consider:

• Does the solution have deep integration capabilities?
• Is this a cutting edge technology? I’ve found that innovative technologies are often more cost effective.
• Is the solution easily customizable and flexible?
• Can I build on this solution or layer this solution on top of my existing tech stack to fit our unique requirements?
• What’s the total cost of ownership, including upfront costs, maintenance, scalability, and integration expenses?

TIM: Finally, we have to touch on generative AI (GenAI). It was the buzz of 2023 and will continue to impact how we work in 2024 and beyond. How do you view its potential for good (or bad) in terms of cloud security?

RAHUL:
Some good, some bad. On the positive side, generative AI has the potential to revolutionize threat detection and response. Its ability to analyze vast amounts of data in real-time can enhance anomaly detection, identify sophisticated attack patterns, and bolster overall cybersecurity resilience in the cloud.

However, the rapid advancement of generative AI also introduces concerns regarding potential misuse and exploitation. Generative AI-powered cyber threats could pose new challenges, requiring continuous adaptation and innovation in defensive strategies. As with any technology, there is a possibility of AI algorithms being manipulated or exploited by threat actors to evade detection or launch targeted attacks on cloud infrastructures. Additionally, the reliance on AI-driven solutions may introduce new data privacy complexities and challenges.

So, in short, generative AI could be tremendous for cloud security, but it must be approached with caution.

To hear more Q&As between Tim and industry trailblazers, subscribe to the Code to Cloud podcast. With the recent launch of Season 2, now is a great time to join an audience of 1,000+ other weekly listeners.

Tim Chase leads the Global Field CISO team at Lacework and co-hosts the Code to Cloud podcast. Tim is a 20 year information security veteran with deep experience advising business leaders on cybersecurity decision-making. Recently, Tim has been focused on DevSecOps, having spoken on the topic at many industry events.

Rahul Gupta is currently Head of Security and GRC at Sigma Computing. As a 16-year cybersecurity veteran and accomplished author, Rahul brings a wealth of knowledge and experience to the realm of information security. His extensive background includes working with Fortune 100 companies, Big Four firms, startups, and more.