Netgain Employee Spotlight: Kshitij Kathuria, CISO

Kate KrupeyCybersecurity & Compliance, Netgain, The Netgain Team

Recently, we sat down with our newest executive team member Kshitij Kathuria, who joined recently as Netgain’s new Chief Information Security Officer. In this interview, we discussed the meaning of “Security by Design”, as well as Kshitij’s responsibilities and plans for the future.

Transcript

Kate Krupey: Hi, I’m Kate Krupey, and I’m here with the Netgain Employee Spotlight discussion. Today, we’re talking with Netgain’s new Chief Information Security Officer. How are you doing?

Kshitij Kathuria: I’m doing very well, Kate. How are you?

Doing well, thank you. Can we start off with, maybe you could just give us an understanding of your roles and responsibilities as a CISO?

Absolutely. So I think, this is a leadership role, which is responsible for establishing the right security and governance framework for our operations teams to focus on delivering the services, right? In this ever-changing and challenging business landscape. I think there are three clear areas which I’m responsible for.

Firstly, the security engineering function, which is identifying, setting up the infrastructure, and tooling required to keep Netgain secure. Secondly, the security operations functions, which is more day-to-day tactical aspect of things, monitoring, response, et cetera. And then finally, the compliance function, which relates to other stations and certifications like our SOC 2 report, or an ISO 27001 certification, if we were ever to go after it.

I think another piece I’m responsible for, is to put together a portfolio of managed security services, which complement the set of services we provide our clients today, which not only provides a great client experience, but also ensures that client data and infrastructure is safe and protected at all points of time.

So it sounds like your role is partially focused internally, but also focused on clients and what we can offer there. Can you give us some examples of what we might be able to offer our clients?

Yeah, absolutely. So some of the services which I’m thinking of, that includes a managed security operations center, or a SOC, for 24/7 eyes on glass coverage. There are some audit and regulatory compliance support, security risk assessments, et cetera. In general, anything which kind of falls under the purview of a virtual CISO, is something we can help our clients with.

That’s fantastic. That’s something that, having sat on the client side, is very helpful for a service provider to be offering that. So what are your plans for security for Netgain at this point?

It all starts with basic structure and the framework which I alluded to earlier. Well, we need to think of security by design, not so much as an afterthought, and be more proactive versus being reactive.

That’s interesting. Tell me more about security by design, I like the way that sounds.

Yeah, I think what that means is we need to implement and strengthen a unified multi-layered defense framework, which kind of interweaves the three critical components, right? So people, processing, technology.

So if you look at what it means, start with people, right? A well-trained employee can be a great asset and a first line of defense, while an untrained employee can be huge liability and can make the organization vulnerable. So developing interactive and updated information security training programs is extremely important.

Every employee of Netgain has a role to play here, whether they are a part of the sales team, a part of the finance team, technical operations, human resources, doesn’t matter. And then on the process front, it’s important to have the ability to collect and analyze data with a security lens, right? Processes like change management, incident management, problem management, even disaster recovery, they need another look, keeping security in mind.

All this is a part of a security framework which we adopt, and gives us an operational approach to address any cybersecurity incidents, et cetera, which we come across, and to recover business processes as quickly and efficiently as possible. And then finally, on the technology front, right?

You can put a lot of technology in place and there are numerous tools already in place, and those which will probably be implemented in the coming days and weeks. Starting from the perimeter to the network end point application and the data layer, the goal is to minimize the impact of cyber attacks by reducing the attack surface. So enhancing visibility and shortening threat response times.

And I just wanna preface this by saying that planning is great, but execution is key, and it does take a village to get it all done, and I’m hoping that I can pull everybody together and execute on these plans.

I know that you can. I think it’s interesting listening to you talk about this. It is, security is so much more than just what happens after an incident, or even just preparing for, preparing some piece of it. It really is about all the people in the organization, having that lens. So that as they’re choosing to put data in places, or maybe choosing a new provider from a vendor perspective, or a SAS provider, in terms of, what exactly is happening with the data there? Just sort of thinking that through, beyond what the operational benefits are, but just doing our due diligence on the security side as well.

Absolutely.

It really is throughout the entire organization. So when we’re working with our clients, the responsibility for security really is shared.

Right.

I mean, we’ve met a lot of the security, oh sorry, of the infrastructure, and the applications, and data for clients. But as you just said, it really is for our clients as well as for us. It’s the responsibility of everyone in the organization. So how does that work? What is Netgain’s responsibility and what is the client’s responsibility there?

Yeah, so I think it’s important to understand the concept of shared responsibility, we use that phrase.

But when a client works with an MSP to provide certain services, sometimes they believe that they have completely removed all of the risk associated with that deal. Whereas the fact is they’ve simply transferred some of the risks to the MSP. Both parties need to be aligned, need to work together, to stay secure.

A big part of this is to clearly define the roles and responsibilities of the clients, which is that of Netgain. A client is responsible for their own data. The whole people, process, technology aspect applies to the clients as well. And they need to ensure that employees take regular security awareness trainings. They need to ensure they layout and follow the processes within the organization. Like an acceptable use policy for their laptops and desktops, change management, identity management is a huge one, right? And finally, on the technology side, they need to carefully choose which service providers and vendors to use.

They might use SaaS providers, they might use software off-the-shelf. And when they evaluate these vendors, they need to do that using a security lens. And that is also another area which we can kind of help them with. And of course, with this, there’s the core business of Netgain, right? So, which is hosting their infrastructure and applications, making sure it’s not only available, but is also secure at all points of times.

That’s a good point. Some of our clients have regulatory needs around privacy and data security. How can we help them with that?

Yeah, so I think I touched on that a little bit earlier, but we can certainly help them navigate these waters, by being the virtual CISO. There are, especially on the healthcare space, if the clients are covered entities and are HIPAA compliant, there might be the need to complete a security assessment, or other regulatory needs. And we can actually lead by example by showing them our commitment to security by producing a great SOC 2 report. And we’ll also be putting together a portfolio of managed security services, which kind of compliment the set of services, which we provide our clients today.

That is wonderful. So for our clients, what would, when security, as you’re talking and I’m listening to all these different components of security, what would you have them prioritize?

Yeah, so we come back to the whole concept of structure and framework, right? So I would say, identify a framework, and build your security program around it. There are many frameworks out there, but pick the one which fits your organization size and domain vertical.

Structure is very important. The entire organization needs to follow the same set of policies, standards, guidelines, and procedures. It can’t be different for each department.

And of course, enforcement is key. Every employee needs to know where these documents are. They must have read through it, they must accept them. So it’s not just a check box for compliance purposes and compliance should never drive security.

Secondly, I would say, it would be wise to invest in security awareness training and finding creative ways of doing it. The old days of putting posters on walls, and having people read through policies, and basically assume that they’re now trained, are gone, right? I think you need to make it interesting, interactive, fun, and absolutely engaging, in order to get the full benefit of that training and retain the training over an elongated period of time.

It’s very true. I’ve had a lot of security training, and I was responsible for security training at one point, and it will slip from you as you try to become more efficient and you don’t quite have your security lens on. So that regular training over time is just so important.

Absolutely.

So from your experience, of which I’m gathering how much you have just listening to you, what tips do you have for our clients?

So I would say this, when you’re on your computer or on your smartphones, just remember your training, be aware, right? Bad actors are out there, and they want your data, and they’ll try anything, from simple to complex, to kind of extract that from you, right? They’ll try to get into your systems.

Don’t fall for clickbait and phishing emails. It’s a bit of an overhead, I understand that, to analyze every single email you receive, or every website you visit, but being smart about it, being aware at all points of time, will help you in the long run.

Just remember that you as an employee, are the first and best line of defense for yourself and for your organization. It is important that you build a culture of security within the company, right? It’s not a one time thing. It happens over time, it takes effort, and it involves every, the efforts from every single person who is a part of the organization.

Yep, that’s very, very true. So sitting where you are right now, what are you, and looking at what’s happening with Netgain today, what are you most excited about?

Well, I’m excited to be here, I think Netgain has a great leadership team and with Sumeet leading it from the forefront as we go deeper into 2021, I think security definitely remains a key priority for Netgain. And I’m very excited to get this opportunity to lead this effort, expand the security function, and work on a roadmap to offer a service which is available, secure, and, I think, provides a great client experience, and that’s top line.

Thank you for that. We’re all excited for that as well. And this is a big plate you have, lack of time. So in the few minutes that you’re not focusing on this, thinking about it, making the plans, and executing on them, what do you like to do in your free time?

Yeah, I think with the pandemic and everything, we have all been restricted, and when that’s not the case, I definitely like to travel with my family. We pick a destination every year, and we try to target that, and try to make it that. Hopefully, things will improve in the near time, and we can go back to doing that.

Outside of that, I think I’m a sports person at heart. In fact, my team and I presented New England at the national stage in the USTA League Tennis, a couple of years ago. So I definitely find peace in playing tennis, and I find some time during the week to go do that.

And then, I got to say this, right? I mean, it’s a blessing living in the Boston area, and it’s sort of rewarding, kind of being an average sports fan, with all of our teams doing so well over the last couple of decades. But I do have to say this, Tom Brady, we will miss you. We will miss you forever.

You’re gonna make friends and enemies with that statement. Well, Kshitij, thank you so much for your time today. I really appreciate it.

No problem. Thank you so much, Kate.