Hetz Presents: The humanity of a CISO, with Yext's Rohit Parchuri
"Everything starts with a human and ends with a human."
Hetz Presents: Rohit Parchuri, SVP & CISO at Yext, who shares a ton of insight into leading security, bringing empathy and respect for the job into your role, how the media is making it harder for us to truly understand the role of cybersecurity, and the biggest mistake a startup founder can make when pitching a CISO (spoiler: it's fear tactics).
Watch or read our Q&A with Rohit for more:
What was your first job? What did it teach you that you still use today?
My first job - my first paying job - goes back to me working as a grocery helper and also behind the cash register of course, 'cause you have to wear multiple hats. This was in Chicago when I was doing my Master's about, I know this dates me, but definitely more than a decade ago.
What did I learn? Quite a few things. That's the first job and you are being exposed to a lot of different elements. So in a sense, when you are exposed to that, you are actually, soaking up like a sponge and you're learning a lotta things.
But for me, the top-of-the-pile element would be the dignity of labor. The reason I say that is it was also so much more instilled in me, within my characters so much that I was kind a brought up in that similar space; I get this from my cultural backgrounds, and from my parents of course. That is something I got attracted to also in the job is that especially in terms of how I should respect the job, and also being totally devoted towards the actions that I'm performing. It doesn't matter if it's a menial job, like I was doing back then, or if I'm running a country - it should be the same thing. That definitely hit hard for me. That actually helped me out, in many different things after the fact.
Resiliency and persistence also; maybe I was not specifically consciously doing that but I think was kind of forced upon me, 'cause I have limited options and I have to stay and get the job done before I can move on.
What's an unexpected lesson from your experience in cybersecurity?
Maybe just to provide some context: cybersecurity - it's a tough job, right? Just like my first job - you are exposed to a lot of different things and especially when you're up through the mud, you actually learn things and they stick better to you just like the mud sticks with you.
For me, it's definitely been building the tough skin, especially when you're interacting with your customers or internal stakeholders for that matter, there are a lot of messages being thrown at you. You just have to be resilient enough and also adaptable enough to figure out like how do you distill that message into something that you can make use of, because ultimately as a cybersecurity professional, you are the one who's reporting the risk but you're not executing on it so you need somebody else's help. So have a balanced mindset when you're approaching these things.
Building thick skin definitely was one. Again, this was not a conscious decision for me. It just happened, it definitely was a happenstance when I was working at ServiceNow back in the day when we were just two technical professionals who were, trying to do a lotta different things and I was exposed to all these different things, especially the customer delivery. So that that kind of helped me ‘man up’ and defend the practice because nobody else would and I'd just have to do it myself.
What’s one word to describe your approach to cybersecurity?
Not just security for that matter, I'll definitely come to security, but I think any business that you do, any profession that you're in, it starts with the human, ends with the human, just like in a democracy ,right? By the people, for the people, to the people. Everything is happening because people exist and everything you're providing is to the people.
Within that mindset security should be no exception. Empathy is definitely something I focus heavily on. And I think that this is also something that I've learned, over the years, that without that empathy, it's gonna get really difficult when you're in a service oriented role.
Like I said, it's a pretty tough job and you could easily lose the focus of that service oriented mindset at times. And I think it's always good for you to bring that back. And when your core principle is the empathy, more often than not, you'll actually end up in the right place.
Dispel a cybersecurity myth:
Unfortunately, cybersecurity is a very recent happening. The practice has been in existence for about what couple decades, but we've only gotten media attention over the past few years, so it's understood that, media is completely getting this wrong. And so the public, because everybody's listening to the media and that's how majority of the, information, flows into your mind. And your perception is your reality. So your reality is directly coming from those sources.
I think CISOs, or Heads of Security, or even people within security, get scapegoated by the media and the external entities, especially when there's a compromise, just because they have 'security' in their title. I'm against that because now you are basically making an assumption that only security people are working for security stuff - which is not true.
Security is everybody's job. We are essentially bringing up things or bringing up risks that we think we have to deal with collectively. But it's very nuanced. The role itself is very nuanced because you have a consortium of people who have to take the decision, ultimately, who's executing on it, ultimately building the outcomes is a company's job, not so much just a CISO's job. That's what the public is really getting wrong. The whole element of ownership and accountability is what I think is one of the biggest blunders that we're seeing right now. I hope this goes away but there's a lot of education that needs to happen.
How do you foster a culture of security in your organization?
This goes back to empathy, as I was talking about before. Transparency and trust. An element of transparency when it comes to making sure you're non-secretive about things that you're building, and also building the trust, empowering people with the right things. And building trust can go a long, long way. That has to be your core fundamentals before you can even start building the program or building the staff for that matter.
And we do that here at Yext. Definitely the strongest factors that I would measure the success of my team before we go about asking favors from other people or asking them to do this versus that.
This essentially goes back to: security people have a lot of access and by design, that's the case. It should be because without that access we wouldn't know what threats we're trying to handle or how we're putting remediations in place.
So with more access, comes more responsibility. With more responsibility comes more trust you need to build with the company. I think we better make use of that properly.
What's a gap in the cybersecurity market you’d like to see filled?
We have enough solutions, enough overlaps between solutions; I'm taken aback with just that concept because we just have too many acronyms flying around.
I feel it’s not so much a solution we need, but we just need our practitioners to come together so we can create the standardization around building and maintaining the security program. That's missing.
For example, the CFO (sometimes a peer of CISO) has GAAP (Generally Accepted AccountingPrinciples). That's a very general framework and you could use that to help people understand like where exactly you're in the journey and how you're changing direction or not. But for security, we have tons of frameworks, right? Every entity body comes with its own framework and it's very industry specific. It's very market specific. Nothing that knits the common fabric across all these things. A lot of people are trying to do that, but I still feel we're unsuccessful as a discipline within that realm. If I had a magic wand, I would definitely hope for something like that.
What's the biggest mistake a startup founder can make when pitching you?
I'll keep it very simple. Fear-mongering techniques are the worst and the biggest mistake you can commit with any leader, not just security, any leader, period. Don't try to capitalize on the breaches. Don't try to capitalize on the situations where, you are asking unreasonable favors or asking for certain things from the practitioners when they're in middle of something big. Instead, help out. If you do think your solution is effective enough and efficient enough to help me mitigate my existing challenge, help out -don't charge for your platform, just help out. Just give a helping hand and make it happen. What that does is it builds the goodwill for me that, you are much more helping, you're much more, empathetic towards my situation that I'm in. And now when the situation actually arises, I'm going to come directly to you. You don't even have to come to me. So I would also build on that, do the homework.
Definitely do the homework before you're trying to approach someone, understand the industry that they're in, verticals that they operate in especially the market verticals. And share your perspectives about how and what can be done to improve their security posture. Sometimes you would know, sometimes you don't, that's fine. But present your proposals but never ever conflate that with your product offering. Your product offering comes second, the business challenges and how you need to remediate that comes first.
What do you do for fun?
I'm a very outdoorsy person. I need the blood flowing after my day job; I wouldn't say it's completely stressful. It depends on how people manage that. But for me, I'm okay. I've learned over the years how to balance that out. But that's my easy fix. Go out hiking, camping, whatever I can do; play tennis, for example.
My little one - I have a four year old - she keeps me super busy nowadays, so I don't really get to a lot of that, but I'm trying to ‘social engineer’ her into also taking up my hobbies. So we'll see how successful that will be. Maybe ask the same question in a year's time and I'll give you a better answer.
𝐇𝐞𝐭𝐳 𝐏𝐫𝐞𝐬𝐞𝐧𝐭𝐬: is a series featuring tech leaders and execs from around the world, exploring how they arrived at their professional milestones, how they approach management and leadership, and what comes next in their industries. Watch the full series on Hetz Ventures' Youtube channel.