In an era of AI-driven threats and an explosion of non-human identities, point solutions are no longer enough. This episode features a deep dive with Kavitha Mariappan, Chief Transformation Officer at Rubrik, who spoke to us about how a resilient security architecture is the ultimate defense. The conversation moves beyond simple prevention and detection to focus on the concept of cyber resilience: the ability to assume breach, maintain business continuity, and bounce back from an attack. Why is it critical for leaders to "push your vendors... ask 'em questions around the architectures that they're building", especially in a world of "Shadow AI" and ever-moving goalposts?
Questions asked:
00:00 Introduction
02:20 Who is Kavitha Mariappan? From Engineer to Chief Transformation Officer
03:20 What is Cyber Resilience in 2025? Moving Beyond Prevention to Assume Breach
05:00 How AI is Changing the Threat Landscape: The Rise of Non-Human Identities
07:00 "Architecture Matters": The Foundation of Your Security Posture
08:40 Balancing Innovation & Security: How to Handle "Shadow AI"
13:10 The Role of a Chief Transformation Officer in the AI Era
17:00 Prioritizing Transformation: From Cloud Migration to the Five Generations of Workers
23:15 How CISOs Can Effectively Communicate Risk to the Board
26:10 A Call for Vendors to Help Educate and Enable CISOs
27:50 Is Zero Trust Still Relevant in the World of AI?
29:20 Keeping Up with the Moving Goalpost of AI: Be a Lifelong Student
32:34 Final Questions: Running in Napa Valley, Team Pride & South Indian Food
Ashish Rajan: [00:00:00] How do you define cyber resilience today in 2025?
Kavitha Mariappan : Can we prevent every attack or should we assume breach? And think about the fact that how fortified is our security and risk management posture, and have I built resilience into that?
Ashish Rajan: How is the threat landscape now evolving and now talking about cyber resilience?
Kavitha Mariappan : and AI can be used in many nefarious ways.
For every one human identity, you can expect 45 new non-human identities to be created.
Ashish Rajan: How do you find a balance between innovation and saying no and being safe, quote unquote?
Kavitha Mariappan: If there was shadow IT, we're gonna see shadow AI, you know, if they're going to ChatGPT on their personal laptops, on their phones.
Yeah. And putting data in.
Ashish Rajan: How are CISOs approaching this with executives to get them on board for security as well?
Kavitha Mariappan : My empathy, uh, for CISOs and my championing for CISOs. It's a tough job. Push your vendors, you know, push 'em, ask 'em questions around the architectures that they're building towards words or words.
Architecture matters.
Ashish Rajan: If you're trying to integrate AI into your organization, you are probably working through a transformation program, and you might be [00:01:00] talking to a chief transformation officer. In this particular episode of Cloud Security Podcast, we have Kavitha Mariappan, who is the Chief Transformation Officer at Rubrik.
Kavitha spoke about how CISOs are adopting and integrating security into their organization. How are they selling it to the executives on why it's important to think about security and why is the goalpost constantly moving for AI? And how can people find a balance? How is she approaching transforming their organization into being an AI first organization?
How does that fit into the products and everything else that they're working on? And the three pillars that she believes in terms of prevention, detection, and resilience. All that and a lot more in this episode of Cloud Security Podcast. If you know someone who is a transformational leader or going through a transformation as an organization for embedding AI, this is the episode for them, so do share it with them as well.
As always, if you are watching or listening to the episode of Cloud Security Podcast for a second or third time, I'd really appreciate it if you take a second to drop that subscribe or follow button, whether it's on Apple or Spotify, if that's where you listen to the episode. Or it's on YouTube or LinkedIn. I appreciate you taking a second to hit the [00:02:00] subscribe follow button to support the work we do here.
I hope you enjoy this episode with Kavitha and I'll talk to you soon. Hello, welcome to another episode of Cloud Security Podcast, I've got Kavitha with me. Thank you for coming to the show.
Kavitha Mariappan : Thank you for having me, Ashish.
Ashish Rajan: I am looking forward to this. Well, before we start, could you share a bit about yourself, whatever you've done so far, your professional journey.
Kavitha Mariappan : Oh, it's, uh, it's been a, it's been a long and fruitful journey. I've been a technologist for, you know, actually close to three decades. My journey began actually in Australia. Alright. Early, early part of my career as an, as an engineer. And then I followed my Silicon Valley dream and moved to the Silicon Valley about 26 years ago.
And I've never looked back and, um, had an incredible run. Um, you know, as an engineer led, as a product manager, led product teams and then kind of moved into a marketing go to market. Sales and, uh, customer experience kind of run the full gamut actually. Yeah. And, uh, transformation, so Oh, right.
Have had, um, you know, really, really. Interesting opportunity to work in very small companies, very large companies, uh, scale internal startups, [00:03:00] take startups to market, take startups, public go in scale post IPO companies. So it truly has been uh, an incredible learning and a growth opportunity.
Ashish Rajan: Oh, great to hear.
'cause uh, I think, I don't know how many engineers can I get to go across the product side and kind of evolve the journey across. So. I'm looking forward to the transformation conversation as well in a bit. We are obviously talking about cyber resilience. We were talking about this just before as well.
How do you define cyber resilience today in 2025?
Kavitha Mariappan : So cyber resilience, I mean, coming from. Coming from the security space I, I think the security industry is so hyper-focused on detection and prevention, preventing every threat that's possible. And I think that's really important. Yeah. Now as we continue to think about fortifying our defenses, and I think I personally will say, having spent so much time on the other side of the fence, it almost seems like a no brainer.
Can we prevent every attack? Or should we assume breach and think about the fact that how fortified is our security and risk management posture, and have I built resilience [00:04:00] into that, right? Yeah. And so the third leg of the stool as we think about it is to make sure, one, let's prevent attacks.
Let's make sure an attack is a non-event. Let's minimize the blast radius of the attack and what, what data is exfiltrated, right? And, and, and finally, let's make sure your organization is able to bounce back and recover. And maintain business continuity.
Ashish Rajan: Yeah. Yeah. Right. I guess to your point it's all, well, it's all fun and games that you can detect everything.
You can prevent everything, but at the same time, if it is bound to happen that something would go wrong somewhere. Right. It's not that. They may not be security incidents, but incidents do happen in every organization. Right. Almost every day. This is why people are on call, so being able to come back to, I guess a status quo is always something which people don't, don't talk about. Now, in an AI world, probably this is even more important a
Kavitha Mariappan : moving, it's a moving target. Yeah. Right. I feel
Ashish Rajan: like because, especially in enterprise context, that enterprise data is now being ingested by ai.
How's the threat landscape now changing now that with, we have data identity, [00:05:00] AI as probably the top three things most people are talking about, right? How's the threat landscape now evolving and now talking about cyber resilience? How does that kinda shape that even?
Kavitha Mariappan : I mean, let's, let's, you know, take a snapshot, right?
We have a moving target, the threat landscape. Robust. Mm-hmm. Right As it is now, you add AI and generative AI in the mix. You, you add kind of this plethora of data that, we're amassing, right? We're digital society, we're digital nomads, we're digital society. We have digital, footprint breadcrumbs, everywhere.
Proliferation of devices, and we're doing business everywhere. We're living our lives online and remotely. And you add kind of this additional vector of, uh, AI and then generative AI and kind of agentic to the mix and well. As much as, you know, the good guys are, are, are building solutions and technologies to innovate and to protect and to harness the benefits of all of this.
So are the bad guys. Yeah. Right? Yeah. Um, and AI can be used in many nefarious ways. So to perpetrate, you [00:06:00] know, threats and acts that are unheard of and. I don't think we've seen the end of that. I mean, this is just the tip of the iceberg. So, you know, as we think about resilience, as we think about, kind of fortifying our defenses, right?
The third leg of the stool like I to talk about.
Ashish Rajan: Yeah.
Kavitha Mariappan : You know, detect, prevent. And, build resilience, right? Yeah. Um, and recover. And, and, and we need to make sure that, you know, we're thinking through that, you know what, and, and is, and we are seeing so much movement around the identity space right now.
Identity kind of is the new perimeter, right? Yeah. Yeah. And as we're dealing with human identities, what about non-human identities that are introduced into that? What type of credentials are going to be stolen, you know? Yeah. As we see identity based threats being perpetrated, you know, our, um, Rubrik Zero Labs, and as part of our, one of our, you know, ransomware reports that were published recently, we're saying, for every one human identity, you can expect 45 new, uh, non-human identities to be created.
Oh, right. And that's just the tip of the iceberg. So let's, let's, you know. Let's think about [00:07:00] the environment that we're, you know, uh, functioning in. And, and that's not a doom and gloom story. I think we live in an incredible time. Yeah. There's so much innovation, there's so much automation, there's so much scale.
Speed up. Ability to cure diseases, ability to speed up drug recovery, ability to, to create incredible things. Right? Yeah. Um, at the same time we have, uh, we have to think about kind of what that threat landscape's gonna look like, and we have to think about architecture. I mean, you're a former CISO.
Yeah. At the end of the day, architecture matters. Yeah. Right? Yeah. If you're operating in a context where you're defining policies and you are enforcing policies, well, what does that architectural construct look like? A lot of organizations, I, I talk to, you know, CIOs and CISOs, it's a heavy investment.
You go into an architectural review, you, you go in and you begin your transformation journey. It's not a one and done. It is a continuous process. Yeah. But at some point you have to go back and take a look at that architecture. You have to take a look at your configurations. You have to take a look at your integrations and go.
Am I structured and built for where we're going and where we are now? Where we're now and where we're [00:08:00] going. Yeah. And, redefining kind of what that architectural construct look like, looks like, you know, at a regular cadence becomes really important.
Ashish Rajan: Would you say, how would you do this?
Because I, I feel there is, there is a. I funny, I think I, I'm hearing a lot of conversation about how do you find a balance between innovation and saying no and being safe, quote unquote, right. Um, how do you start even thinking about this from a, like, especially for leaders who are watching this, right?
How do you kind of a. Introduce us into a business plan somewhere. Are there any things that come top of mind for you where people can start thinking about building resilience and preparing for prevention detection in the current threat landscape?
Where do you see are, are there areas where people can introduce this?
Kavitha Mariappan: Yeah, look, I think let's take a. Innovation being balancing innovation with safety, right? Yeah. And security. And, and first and foremost we want IT and security to be the department of know, K-N-O-W, and not the department of no. Oh.
Ashish Rajan: Anytime. Like what do you want to do? Right. Okay. Fair. Yeah. Yeah. So let's [00:09:00] think
Kavitha Mariappan: about that. If there was shadow IT, we're gonna see shadow AI. So preventing the use of innovative applications, right? SaaS applications. Um, a lot of agentic applications, saying, no, you can't use that, is not the way, corporate, the corporate world's, you know, gonna thrive.
Right? Yeah. Yeah. This is not the way we're gonna stay ahead of our competition. Yeah. So more and more, CIOs, CISOs, CTOs, CDOs, they're embracing kind of like everybody has an AI initiative. Everyone's saying, look we have to automate, we have to be agile. We have to build AI based app, enable kind of an AI based.
Workforce. Yeah. What does that look like? So how do we start incorporating that into our day-to-day workflow and building guardrails around some of this acceptable use, acceptable practices rather than saying absolutely not, not happening. Because through that we learn a lot through that, we learn how we can actually create optimizations.
Mm-hmm. Through that, we learn what some of the, uh. What your attack surface can look like Through that, [00:10:00] we learn how we are, um, distributing resources. Yeah. Right? Yeah. How could we take our really valuable resources and repurpose them to places that could really drive innovation while doing all of this in a collaborative manner, right.
As an organization, as a strategy, rather than, hey, it will solve that problem security. Go make 'em secure. Mm-hmm. Right. And everybody needs to have an AI initiative, right? Yeah. Um, I think really kind of having a little bit of forethought around this being a business strategy. And making that.
Business as usual, like this needs to be part of day-to-day business. And I think you start to create acceptable use. You start to create acceptable behavior. Your employees are going to be more forthcoming about the tools they need. Yeah. To function at Rubrik, we have an AI initiative, right? Uh, we like every company, you know, we have a mandate from our CEO, my boss who says.
We need to start thinking about not just building AI-based technologies and incorporating that into our offerings, but we as a company need to be thinking about that and we need to be thinking about common leverage. Okay. Yeah. What we don't want is like 4,000 AI [00:11:00] tools that are not unsanctioned.
So let's look at it like, if. Marketing brings about a tool or an application that is enabling them to do something. Are there other teams within the company that could benefit from that? And let's kind of create greater leverage, right? Yeah. Around this. So now you start building acceptable use practices and guardrails around this.
So there is a benefit to kind of embracing that. But I think shutting it down. Is not the way of the world, you
Ashish Rajan: know, to, or four and to your point, because the, the fear people have is that am I exposing myself to new risk by Right. Opening my conversations to more AI tools. But to your point, there's a path where you can follow a standard, a standardized way to do this.
Right. Would you say, I mean, risk is
Kavitha Mariappan: already there. Ashish, your employees are going to check, you know, they're going to ChatGPT on their personal laptops, on their phones. Yeah. And putting data in. Yeah. To write better emails, et cetera. Because you've said no. No generative AI on your, on your workspace, right?
Yeah. People. And so you're gonna have like critical intellectual property sitting out there. You're better off to create a sandbox environment [00:12:00] internally and, and sanction that. And that's just my opinion. I mean, not, no,
Ashish Rajan: I mean gen general practice. But I, I also find I recently discovered something which I thought was very funny that.
Initially because the ChatGPT version was paid. People just says you, oh, Pete, no one's gonna pay money from their own pocket. But I don't think they realize this. But since ChatGPT has become free for anyone, you don't even need to log in to, like, so you could potentially be just on a browser, a quote unquote, right?
Internet browser, and you could just talk to ChatGPT, the usual questions. You can upload files, do everything you want without having to sign up for an account, right? It may not be the best model, but at least it gives you the illusion then. Hey, I don't need to sign up with my own money. So anyone probably who's watching or listening and thinking that, hey, right.
You know, they'll, they would like, our employees would not pay for this. It's technically a free version now. So because they wanted more customers or whatever the reason may have been. I guess where I'm going with this is, and I think I like the standardization approach, Chief Transformation Officer.
What is that role in this world of AI? 'Cause to your point now, everyone wants their AI, [00:13:00] uh, AI to be part of their workforce, part of their products. It's almost expected at C-level for everyone to be pushing for that agenda, that it's a lot of investment being made in it. So what's the role of a chief transformation officer in that space?
Kavitha Mariappan : So I, um, it's a great question. Yeah. You know, my kids, I don't think know what I do for a living. This is a great way to come. My mom does something funky at work. You know something? No, I sit at the intersection of technology, uh, a technology strategy. Yeah. Go to market execution. Okay. And operational kind of velocity.
Right, right. So you think about us as a company, we're, we've, you know, publicly traded company for a little over a year. Yeah. A little, you know, over a billion dollars in ARR. Company is maturing, right? Mm-hmm. So our operations, our practices have to mature. Our go to market strategy, uh, you know, is fast evolving.
The spaces that we're getting into in the, you know, technology spaces, the personas that we sell into a fast evolving. So, how do you build an organization or, or, or an engine that [00:14:00] creates sort of this acceleration of velocity that cuts across a lot of a lot of the departments, right? Yeah. Yeah. So, my number one job is to spend every minute I have.
Creating awareness around what we do as a company around our products, our platform, yeah. Solutions we offer, and making sure we align with the key personas that are our economic buyers and our technical champions. So CIOs, heads of IT, heads of security, CISOs, chief technology officers, chief architecture officers, chief data officers.
Spending my time meeting customers and future customers and walking in their shoes because we don't do that one, we're not gonna build the right products. Two, our products may not be easily operationally deployable. Yeah. Three, it's understanding what their pain points and trends are to make sure that we're going to market in the right way.
Right. So it's kind of like it. It's, let's just say, you know, I sit between champion, advocate, operator. Problem [00:15:00] solver and all of that,
Ashish Rajan: because you have to almost look ahead and while being aware of what's present as well, to your point, because I was, I was thinking, you know, at least in my mind when I first heard that, I'm like, oh, maybe a Chief Transformation officer.
'cause I feel like this is what happened to digital transformation, which you would've heard the term quite a, yeah. I feel like it's one of those ones where every organization is going through an AI transformation, right? And I guess chief transformation officer kind of fits in that space where, how is AI going to fit into all of this, right?
Because, right. For whoever your customer may be, whether it's it's an internal stakeholder or an external stakeholder, they're expecting now you to have some AI capability. But then you, to your point, how do you deploy that across the board in a standardized way? That's kind of where your challenge comes in from, while still not steering completely away from becoming an AI company instead of what your core product is.
Right. They're finding a balance there as well. I imagine that's one of the challenges you have to face. Totally.
Kavitha Mariappan : Right. Be because you've gotta meet the customers or future customers where they are. I mean, I may bring you something really cool, but you may be dealing with something, extremely rudimentary.
Yeah, and I'm not, I'm not in [00:16:00] any way, I'm being facetious by saying that that is the CIOs CISO's daily pain, right? Yeah. Keeping the lights on, solving the problems that they have to, and so making sure that we are helping them. You know, we're, we're partnering with them to help them kind of mitigate those challenges that they're experiencing operationally.
Yeah. So that they can start to think about the cool things that, uh, you know, the ecosystem, um, is bringing to them. But the other piece of it is also when we talk about digital transformation and, and really supporting heads of IT, security and data. In, in their digital transformation journeys is that we have to internally transform as a company.
So that's part of my mandate, right? Ah, right. So how do we, are we set up in the right way? Yeah. Right. Um, you know, how are systems, our processes, our tools, uh, you know, and, and, and kind of like being that a little bit of a troublemaker. Oh, fair.
Ashish Rajan: How do you prioritize what you transform? 'cause I think that's kind of where it got my curiosity.
Kind of what happened with digital transformation. There was at least looking back, yeah. Now people know what should be the first cab off the [00:17:00] rank for a digital transformation project. But in an AI transformation world where a new model is coming out, I don't know, feels like every month. Um, how do you prioritize initiatives without having pushing teams to burnouts and all of that as well?
Right. How are you doing that?
Kavitha Mariappan : I, that's a great question. Right. I think first and foremost, just because AI is there, it's not like everybody has an AI initiative today in. Play. That's like superseding everything they've got. People are still going through an application transformation. As part of the digital transformation, applications are transforming.
Right?
Ashish Rajan: Yeah.
Kavitha Mariappan : If we thought about SaaS-based applications, now we're thinking about agentic applications. Yeah. Your network transformation, you know, the constant transformation of your infrastructure. Has everybody a hundred percent moved to the cloud? Do they still have some on-prem? Yeah. Right? Yeah. Uh, are, is there some critical data that resides on-prem?
Are we thinking about a multi-cloud strategy? Mm-hmm. Because we don't want to put all eggs in one basket, for example. People are thinking about that. Yeah. And when you do all of this, you go, oh, okay. Well that security construct that I had [00:18:00] protecting all my applications on in the data center on-prem is no longer tenable.
Yeah, yeah. My applications are, and, you know, SaaS-based applications in the cloud my, you know, clouds become the new network. I mean, the internet's become the new network, right? Yeah. Um, and so. What now? People aren't sitting at their desks if COVID showed us anything. Everybody's working from everywhere and we are actually not all going back a hundred percent to the office because we're realizing that there is a balance.
That hybrid could be a new way of work. And frankly, we are five generations in the workforce today for the first time. An unprecedented. So are we, how are we building for the workforce of the future that does value? Quality of life in a different way to say my generation. Yeah. Um, so you think about all of that AI transformation becomes kind of this, this next frontier that they're taking on, right?
Ashish Rajan: Yeah. Oh I didn't realize until you mentioned there are actually five generations. Yes. Because people who have been the internet era.
Kavitha Mariappan : Yeah.
Ashish Rajan: Then there was one of the sites,
Kavitha Mariappan : boomers. Boomers, gen X, millennials Z, and now Alpha [00:19:00] coming into the workforce. Oh,
Ashish Rajan: alpha is starting
Kavitha Mariappan : to come into the workforce. I feel
Ashish Rajan: so old already.
Slowly,
Kavitha Mariappan : slowly. They're still young. Oh my God. Oh my
Ashish Rajan: God. Like, okay. Wow. But
Kavitha Mariappan : think about it, right? If we, you know, like if we think about it, like I talked, I mean, really interesting kind of off the cuff, I talked, I have kids, my kids are in, in college, you know, in high school. When I talk to them about, you know, digital breadcrumbs, right?
Yeah. And they go, mom. You were telling us about security from a perspective of your generation. Yeah, we grew up online. Yeah. So we think about security very differently. Yeah. Yeah. And so you think about that in the workforce and that is the workforce that we're building for. Right. The, you know, kind of the creative workforce.
Yeah. And to me that is super exciting, yeah. I talk to CISOs who put in like, you know, observability tools and things like that, and they're like, I use this for monitoring. But then I saw, I was able to glean a whole bunch of other insights that helped us with other things in the organization.
Right. Security tools. Yeah. That are helping them kind of transform their organization. And they're like, I'm working with my chief people officer to go think about how [00:20:00] we do certain things. So I think like CISOs. CIOs, you know, CTOs, you. We're like cool people now, you know? Yeah. We're sitting at the center of the action.
I, I think that's wonderful. Like, it's such a cool time.
Ashish Rajan: Yeah. What are you seeing people, I guess the CIOs and CISOs they're talking to, how are you seeing AI play a role in their organiz? You don't have to name customers, but different industries. I'm curious as to. How are you seeing AI kind of reshape them?
Yeah. Or make them think about security and just tech in general.
Kavitha Mariappan: Yeah. Look, some of the most like legacy companies you would think about like oil and gas. Yeah. You know. Uh, CPG companies that have been around 150 years, they're all taking on AI, really. This is not just for like. Yeah, it's not just for the digital native companies.
They have so much data, right? Yeah. I think this is where they're thinking about like better inventory management, better targeting, um, better personalization as we go to like, you know, click and mortar stores, right? Yeah. Um, you know, kind of seamlessly [00:21:00] creating the online to the in-store experiences.
I mean, AI can do some interesting things. I mean, I, I was talking to a retailer the other day where you go in and there, there is a, um, there's a terminal that, takes your images and tells, you know, helps you buy clothes in the store. Like fit for you. Yeah. Right? Yeah. Based on your purchasing, um, oh, right, okay.
Right. Based on your purchasing, um, history. History. Right. As well as kind of what they're offering and your body type and all of that. And it's like. How cool is that? Like, you know, they're, they're really kind of coming to the forefront and redefining. Yeah. You know, how they use AI. Other things are like AI is, is speeding up.
How, how, I mean how much data we have out there, like all the insights that we can glean. Yeah. Um, I think when we speak about that and we speak about security, I think it's also really important to preface. Yeah. Duty of care. Right. There is, you mentioned that before. ChatGPT being free, everybody's putting stuff on it.
It's really important for us to think about how much PII data we're putting out there. Yeah. Right. Yeah. Um, and we have a responsibility as [00:22:00] a technology community, as an industry to protect the minors yeah. Especially when you're dealing with healthcare data, for example, right?
Yeah. Uh, remote, remote medicine. Yeah. Uh, remote drug, drug discovery. I mean, AI is, you know, playing a tremendous role in a lot of these like industries where we would've thought a highly regulated industry, financial sector.
Ashish Rajan: Yeah. Massive. Like trading massive, massive, how AI
Kavitha Mariappan : is going to massive impact that.
So, yeah, sure.
Ashish Rajan: Funny enough, 'cause London primarily has a, so at least a lot of people that I spoke to in London who are in the fin because being a financial hub, yeah. There's a lot more conversation our financial institutions. They've all been doing this for some time. Yeah. And I think some people are still catching on going, oh, we'll probably see how we go.
But most of the banks that I know, they're all the engineering is already doing ai. Yeah. They're hiring for AI people. They, they can, they have a lot of work, don't, not enough engineers. It kind of goes against the whole, Hey, we are trying to replace humans with ai kind of goes away from that as well. I, where do you find.
CISOs can help executives and board understand the importance of security. 'cause I find that there is that [00:23:00] conversation being still had where you wanna go fast, you wanna break quickly so we can learn quickly and move quickly. How are you finding people are either cross-functional teams, so whatever the thing may be, how are CISOs approaching this with executives to get there?
Get them on board for security as well. 'cause your point right now, it's a, it's a race to the finish line. Yeah. We don't know where this ends for.
Kavitha Mariappan : And the finish line's moving. Yeah. Yeah, that's right. The goalpost
Ashish Rajan: keeps moving as well. Yeah. So a how do you even plan for this and Yeah. And what's a way to kind of do this ongoingly?
Because I feel like it needs to be continuous. Yeah. It can't, we just, like, we made a plan today, we stick with it for five years and hope for the best.
Kavitha Mariappan : I think first and foremost, important to unpack. Right. Governance, risk, compliance, privacy, and security are all very different things. Yes. There was a time and again, I, you know, I, I feel and know, I feel for CISOs, right.
Because it's a really tough job. Mm-hmm. And it's super tough job. And it is all the job that's under the spotlight right now. I mean, if you see like criminal litigation now for, you [00:24:00] know, incidents that have occurred and, and things like that. Like it's, it's a tough job. There's a lot of stress, there's a lot of burnout.
There's, you know, like not just keeping the lights on that said. I think you have different types of CISOs too, right? Because traditionally there were a lot of CISOs, you know, CISOs managing risk work, managing GRC. Mm-hmm. Right? Security with security. And as we think about CISOs now, you know, we're kind of widening this aperture to say who owns risk and, and uh, risk and security in the same conversation in the company, right?
Ashish Rajan: Yeah. Yeah.
Kavitha Mariappan : Making sure that we're compliant and checking boxes, you know, because we have to. As part of our compliance and audit requirements, does that make us secure? Does that model us as good risk? Mm-hmm. Right. And having that conversation. So, CISOs, my, my empathy, uh, for CISOs and my championing for CISOs is it's a tough job.
Ashish Rajan: Yeah.
Kavitha Mariappan : Technologists now learning to become financial astute with fi in finances, astute with executive presentations with assessing [00:25:00] risk. astute with regulations, all these things that, one didn't have to do. Yeah. Same thing with CIOs, right? Yeah. Like, you know, we're really like making this job harder.
Ashish Rajan: Yeah. And by the way, do all that in a storytelling way so people understand it. So it's not technical job as well.
Kavitha Mariappan : You know, our training is not that, right? Yeah. We're technology, we wanna present facts, we wanna give you a lot of facts. I love my facts. Yeah, my details. And we're also, we're, you know, when we, whether we go to the ELT, you know, executive leadership team, whether we go to the board, often our board members are not.
Technologists, right? Yeah. How are we packaging and presenting you know, our narrative in a way that we're assuring the organization, that I'm keeping the organization secure. These are the things I'm doing. Yeah. These are the investments and these are, this is what I need. Yeah. Right. And so I think what we need to do as an industry is.
Help our CISOs, help advocate for them. Help build champions out of them. Yeah. Help them skill up in a way that this is a lot to put on them. Right. Yeah. So I think like, onus on the vendor community is build tools and resources that actually help the [00:26:00] CISOs that you're trying to sell to. Yeah.
Skill up. You know, be, be, make them champions. And that's a really big part of what I do. You know, and my, my organization does, you know, on a day-to-day basis is thinking through those things. Right? Yeah. Value economics. What does the CISO need to do? Do they need to go to the CFO and present, uh, a business value analysis?
Like, okay, but is that business value analysis modulated by industry? Mm-hmm. Because healthcare cons, you know, industry considerations are very different to financial sector, very different to CPG, very different to manufacturing. Are we thinking through these things? Yeah. What are some of the, you know, most recent breaches and what have organizations like. Paid out, you know, in ransomware payment. What a bringing back a lot of this data and like educating them, giving them, you know, building playbooks around resilience readiness for them.
Ashish Rajan: Yeah. Um.
Kavitha Mariappan : None of this is like a hundred percent sure science, but you know, we're using as much data as we can, third party, um, our own cloud data, et cetera, to extrapolate, infer, and be able to say, here, yeah, here are [00:27:00] some tools and, and then can we connect you with a peer that is actually just undergoing similar journey or a similar journey, or perhaps has gone through what you've gone through Yeah.
A year ago, you know, building that community. I think those are the things like. To CISOs, look around and look out. Yeah. Find seek peer seek champions and push your vendors, you know, push 'em, ask 'em questions around the architectures that they're building towards, are they building towards a zero trust architectural framework?
Because words are words, yeah, yeah, yeah. Architecture matters. Yeah,
Ashish Rajan: yeah, of course. And to your point, will you say in an AI world, and I, it's funny, I think there was a obviously RSA happened a few months ago. People were like, oh, it's the first time Zero Trust kind of disappeared from, but I guess to your point now that that's almost becoming a table stake, that's why maybe it disappeared.
It wasn't that no one wants to talk about it. Yeah. Do you feel like people have gone, and obviously you've done some work in Zero Trust as well. I wonder is there. Is it fair for people to have an expectation that, um, there should be a zero trust approach to organizations, whether you are, [00:28:00] uh, seeking it from a vendor, seeking it from internally and.
Is there a role for that today in an AI world?
Kavitha Mariappan : Absolutely. I think, I think zero trust, you know, is the de facto framework that we should be operating under. Right? Yeah. Um, because in the absence of like standards, you know, specifically we've all built towards an architecture that, you know, a framework that is obviously evolving.
Yeah. Um, that. We've all embraced. Right. And we see the validity of that. Yeah. Um, so there's a lot of critical mass around that, right? Yeah. But my only thing is like, question, ask questions around architecture, ask questions around critical tenets Yeah. That define this. Because we can all make words up and we can all create campaigns, but I, you know, I truly believe, like, you know, we need to go back to kind of the key tenets.
Ashish Rajan: Yeah. And to your point, I guess, would you say transparency on the architecture will play a huge role, especially in AI world? Right. Because I, I definitely feel that I, I'm, obviously there's the whole AI action plan and everything's coming. Now you're like, oh, I've got the sub support of the government and all of that.
I definitely find [00:29:00] that it's harder to get true signal from the noise being created around the space as well. You feel now we spoke about cyber resilience. We spoke about prevention and detection. How can people who are obviously. Uh, maybe starting the AI journey as yourself as just the chief transformation officer.
What can CISOs and their teams, or what can CISOs. To learn about AI and help their team as well excel in it because to, I, I, I guess I'm curious from you to hear from you, what are you seeing? What are you doing Yeah. For your teams and yourself and otherwise, and what do you see others do as well? Yeah. To kind of keep up with this moving goalpost.
Kavitha Mariappan : Yeah. Look, you have to be a lifelong student, right? Yeah. And this, we're in a world where, you know, if we are not, we will be obsolete. Um, that's just the reality of it.
Ashish Rajan: Will be the printer no one cares about.
Kavitha Mariappan : Right. Um, and printers are actually like, you know, a a a big part of your, your security, you know, p Yeah, yeah, no, I'm saying a threat landscape.
Oh, threat landscape. Part of like, yeah. Printers are, you [00:30:00] know, quite interesting. Uh, we think about it, but, um, no. Look, you have to embrace learning, right? And this is, this is one where. Organizations have inertia, right? Yeah. And that's what holds us back with inertia. We have, reporting structures, we have budgets, you know, that's not my responsibility.
This, you know, and then we talk about resilience. If you really talk about backup and recovery, backup and recovery has been something that has sat in IT from an infrastructure perspective, because we were always building for operational failures. We were always building for physical, uh, disasters, operational failures, a file being deleted, right?
Yeah. Yeah. Yeah. Well, cyber resilience is very different right? When you think about a cyber attack. Yeah. Um, you wanna make sure that you have a clear path to recovery, right? Yeah. You know, um, and so. Look, your threat actors don't have inertia. They're gonna move faster than you. They're learning pretty fast, right?
Yeah. Yeah. So organizationally, I think it's really thinking about, most organizations think about key use cases. Okay. What are the areas that, hey, we're [00:31:00] spending a lot of resources, what is taking a lot of time, what is taking us 27 steps actually to get something done with like tickets being filed and, you know, processes internally.
Is there any speed up we can build into kind of that workflow? Right? Yeah. Um, and I think just looking at like use cases within, you know, within their organizations where they can. They can start building, building, you know, this into kind of day-to-day. Yeah. And embracing that, because I think if we don't it, it's not gonna become a standard operating practice.
But at CISO we gotta learn. We gotta, we gotta learn the tools, we gotta embrace it. And we've gotta start thinking about creatively how, you know, even coding, I mean, we hear so much about vibe coding, you see all the new coding talking about that said, right. Yeah. There you go. Right. I mean, like, and, and there's a lot of religious debates around this, right?
Yeah. But. Not embracing it, not tackling it head on and head on and actually like, conquering kind of what might be our greatest fear or, or, or our greatest learning, I think is a, is a missed opportunity.
Ashish Rajan: Yeah, and I think the, because you had an engineering background, I think we [00:32:00] were probably relate to this.
I remember PHP was one of those ones where people like, why would I do PHP Doesn't make sense, but yeah. Facebook was built on it, and I think there's a custom version of it as well. I feel like AI would have a similar thing where a lot of people may still continue to be where they are and become slow, and to your point, maybe be defeated by the next startup that comes in with disrupting the entire space.
So it's, the clock is definitely ticking on that perspective. So. Cyber resilience is I love the prevention detection, cyber resilience, and being able to kind of balance that out with a moving goalpost by staying updated. I, I love that. Kind of like a good summary of it. Those are the technical questions I have.
I've got three fun questions for you as well.
Kavitha Mariappan : Awesome.
Ashish Rajan: What, the first one being, what do you spend most time on when you're not trying to solve the, uh, cyber resilience problem in the world or doing chief transformation officer work?
Kavitha Mariappan : So, I, um, I'm a little bit of a workaholic, so that's a real problem. I do live in a very beautiful part of the country.
I live in Napa Valley. Oh, nice. Wine country. And I'm a runner. Oh. So I get out and run and you know, [00:33:00] this beautiful clear air and blue skies. And so, and when I have a little bit of time, that's something I, I love doing. Fair.
Ashish Rajan: I mean, it's a good, good thing to do. Uh, second question. What is something that you're proud of that is not on your social media?
Kavitha Mariappan : You know, what I'm proud of to be truly in, in all humility is the teams I've built. And the people I've had the opportunity to work with, I've, um. Over the years, you know, built some incredible teams. I've had the opportunity to work with some incredible people. And for me, the most gratifying thing is to see the growth in them giving them and, and being a chief transformation officer, I get to build some unconventional teams.
Oh yeah. I get to bring people and see here's some raw talent and I'm gonna go make, put you in a most uncomfortable position, uh, where you didn't think you could do this. And I love seeing that growth. I love seeing the accomplishment. And, um, I love seeing how, watching their careers evolve.
Right. Yeah. That's for me, like incredibly gratifying. [00:34:00] That's not on my resume, but that's something I, I do a lot of mentoring.
Ashish Rajan: Yeah. Awesome. And, uh, final question.
What's your favorite cuisine or restaurant you can share with us?
Kavitha Mariappan : Okay, look. I'm an Aussie Indian, a person of Indian origin, living, you know, grew up in Australia, spent my adult life in the US early, early life in Southeast Asia. I was actually born in Malaysia before we moved to Australia.
So I'm kind of like a citizen of the world, but you know what? Gimme South Indian food. Oh, right, okay. Right. That is my comfort food. Right. Fair. So I'm on the road a lot. Yeah. Yeah. Come, day three I'm craving and I'm vegetarian, so I'm craving my, my Indian food. Fair enough. My South Indian food.
Oh, specifically
Ashish Rajan: South Indian food as well. Specifically South Indian food. I'm talking like Dosa Oil. I don't, and you're like
Kavitha Mariappan : not super carb heavy, but, but my, I need my sambar, man. It's fair. It's like, it's my thing. Okay. Fair. Fair. I mean, and Fair
Ashish Rajan: Restaurant,
Kavitha Mariappan : you know, Dishoom lately. Oh really? Yeah. I was just in London recently, and it's like, okay.
Love the food
Ashish Rajan: fair. Awesome. Uh, well, they do good food as well. And actually there's
Kavitha Mariappan : another place up in San Francisco be Okay. Um, in the [00:35:00] Dogpatch, which is a, um, she makes amazing food. Oh, she makes like, um, gin infused pani puris and all of this. It's, it's super cool.
Ashish Rajan: I mean, for context for everyone else, it's like 9:00 AM in the morning.
You're talking about like food? Yeah. Yeah, food is good, right? So yeah, I'm making me hungry. Like that was like at, at 9:00 AM in the morning. But that's all the questions I had. Where can people find you to know more about what you're doing and what Rubrik's up to as well? Where can people find all that information?
Kavitha Mariappan : Um, well obviously rubrik.com to find out about Rubrik. I'm on LinkedIn Kavitha Mariappan, and, um. Get in touch. I am in DM Me. I will send love to stay in touch.
Ashish Rajan: I'll put that link in the show notes, but thank you so much for coming on the show.
Kavitha Mariappan : Thank you
Ashish Rajan: and thank you everyone else for tuning in as well.
We'll see you next time. Thank you so much for listening and watching this episode of Cloud Security Podcast. If you've been enjoying content like this, you can find more episodes like these on www.cloudsecuritypodcast.tv. We are also publishing these episodes on social media as well. You can definitely find these episodes there.
Oh, by the way, just in case there was interest in learning about AI cybersecurity, we also have a sister podcast called AI Cybersecurity Podcast, which may be of interest [00:36:00] as well. I'll leave the links in description for you to check them out, and also for our weekly newsletter where we do an in-depth analysis of different topics within cloud security, ranging from identity, endpoint all the way up to what is the CNAPP or whatever, a new acronym that comes out tomorrow.
Thank you so much for supporting, listening and watching. I'll see you next time.