Building an effective cybersecurity team

Rinki Sethi, Palo Alto Networks’ Senior Director, Information Security

The world of cybersecurity has changed massively since Rinki Sethi entered the IT industry over a decade ago. The ingredients in putting together a good cybersecurity team have changed as well. Sethi, Palo Alto Networks’ Senior Director, Information Security, recently discussed the industry’s evolution with ChannelBuzz, as well as her perspective on how organizations and individuals can best adapt to it.

Sethi is responsible for enterprise security and product security at Palo Alto, which includes everything around security operations and defense, as well as security awareness and education. She reports to the CISO.

“I previously worked at Intuit and eBay, and while I loved working there, I feel that being a security practitioner is a dream job,” Sethi said. “And what sets Palo Alto apart is the senior executive team here. In security, the tone is set at the top. Here, I’m not fighting to try and influence the executive team about what’s important. They are pushing me to go further.”

Sethi said cybersecurity has changed massively over the past decade. Back then, few schools offered it as a specialized focus, with the result that many organizations had to recruit hackers to get people with appropriate skills.

“The big change here is that cybersecurity is now much better defined,” she said. “There are many more colleges with certificates in security. There are more hackathons and ‘capture the flag’ events. It’s all so much better defined.”

One thing that hasn’t changed, though, is that the demand for good cybersecurity people is still significantly bigger than the supply.

“That’s going to be a problem for a while, because even though the supply has increased, security concerns today have massively excited the demand,” Sethi said. Companies also have the challenge of competing against the federal government to attract the most desirable candidates.

“The talent pool of trained cybersecurity people in the industry is so small relative to the demand,” she stated. “But I think the way companies go about attracting talent needs to change. At Palo Alto, we emphasize going to the universities and trying to find people who think outside the box. It’s important to bring in new talent with fresh skillsets. But it also makes more sense to recruit more out of the universities, instead of constantly having to go into that small talent pool already in the industry and try to reach into that. That’s really difficult as a strategy.”

Sethi also thinks that an effective security team needs to be very diverse in its composition and skillsets. Part of that is bringing in more women – Sethi often speaks on the topic of women in cybersecurity – but it’s broader than that.

“A good cybersecurity team at any company has folks from diverse backgrounds,” she said. “My own team is very diverse. It only includes one person who was a hacker. The rest don’t fit that profile at all. None of them trained in college specifically in cybersecurity. Some of them had internships in that area, but they majored in computer science or business. There are still many security people who fit that hacker profile, but there are fewer today, in part because the industry has attempted to glamourize security more than it did before.”

Sethi emphasizes that companies also need to structure their employees’ work in a way that keeps them interested, which makes them less likely to move on.

“In building a next-generation security workforce, you really need to build around automation rather than human tasks, because you can’t rely now on humans being happy to do monotonous work,” she said. “You have to invest in their careers, and you have to think about security in a next-generation way. It has worked for us, because nobody on my team has left.”

Sethi said that mentorship, whether informal or through structured mentorship programs, is critical in cybersecurity.

“You find mentors in the most interesting ways,” she said. “When I started in cybersecurity, I was one of the folks that went into it not knowing what it was, and I didn’t know where to start. I leaned on people just to learn things. Some were willing to help, and some weren’t. You need to actively seek out that help and find it.”

Sethi said that it’s especially important for women in cybersecurity.

“The unique element for women is there aren’t a lot of us in the area,” she said. “If you enter an organization that’s a ‘boys’ club’ – and they still exist, although I never worked for one – who do you lean on? Where do you go? It’s even more important for women to find mentors.”

Sethi also said that people looking at potential employers need to look beyond the brand.

“Don’t look at brand names when you join a company,” she said. “Make sure people you work for are invested in you. I worked for companies which are brand names, but I went there for people, not the company brand. That’s served me very well in my career.”