Emerging Threats in Data Protection - Anand Thangaraju - Guardians of the Data - Episode #49
GOTD - Anand Thangaraju
===
[00:00:00] Welcome to Guardians of the Data. I'm your host, Ward Balzerzak. Each episode will explore the passions, expertise, and real-world experiences of security leaders who are helping the future of data security and governance. Guardians of the Data is made possible by support from Sentro. To learn more about our AI-powered data security platform, please visit sentro.io.
Let's dive in.
Ward: Welcome back to another episode of Guardians of the Data. My guest today has over 20 years of experience in cybersecurity. He's a trusted advisor, investor, and member to too many organizations to count right now. I was looking, you've got over 23,000 followers right now on LinkedIn. Very, you know, kudos, congrats on that one.
Um, currently founder and field CISO of Alchemy Cyber, Anand Thangaraju, welcome to the show.
Anand Thangaraju: Oh, pleasure. Pleasure to be here, Ward. And, uh, of course, it's, it's been an amazing journey for me and uh, tapping [00:01:00] into everything in the field. And we, we are, again, we have a very similar role trying to evangelize amazing tech to our CISO community, and so happy to be doing this with you.
Ward: Doing what we can, and I really appreciate you being here. So in your professional opinion, what's the biggest data security challenge organizations are facing?
Anand Thangaraju: Well, I mean, we, we talk about cybersecurity as its own domain, and ultimately when we peel the onion, it comes down to are you protecting your crown jewels or not? Like, it could be, as simple as trying to define-- devise better strategies to make sure your crown jewels are being used in the, the right way.
And that's in the new AI world, that is basically your IP, right? Like it's, uh, most of the other things matter as long as you have your own proprietary data. Because everything else out there, the AI knows better than you, right? Like every, every information that [00:02:00] humans have created that's in public domain, it's losing its value by the minute because the, the agents are scraping through that and trying to make sense.
And it's-- at some point it's gonna, it's gonna find a way to use the data for, obviously for, uh, uh, for commercial purposes, right? So for companies that really care about, uh, fight-- like having a fighting chance, better have a, a strong, strong hold around their proprietary data. And I don't believe our traditional, uh, techniques will hold for it. That's what we are trying to, uh, uh, solve for. Like, like we-- what else are we missing out? How are we able to foresee the emerging threats and, trying to reinforce your, uh, uh, strategies?
Ward: I love it. I love it. And, and totally agree, right? There's, there's a lot of folks that are grappling with this issue. Uh, you know, let's, let's be honest. They've been grappling for many years. Unfortunately, you know, AI, or, or maybe [00:03:00] fortunately, I don't know, uh, AI has just made it, uh, you know, that much worse or, or that much more apparent on, on the need.
So, you know, you, you have a lot of these conversations, uh, uh, like I said before, you're a trusted advisor to many organizations. Like what, what are you seeing people try to do to fix this? Or what are you evangelizing?
Anand Thangaraju: So f-first of all, uh, this is a-- uh, data is a double-edged sword, right? Like we, we all live on years and years of, uh, uh, tech debt. And when it comes to a CISO job, it's not only about trying to, uh, protect the company, you also want to do it in, uh, at, at, at the right, uh, pace. And the-- your, your peers are obviously having a different mandate.
Your c-your CIO, CTO, the whole engineering team is trying to embrace new technologies as it comes and wants to ideate fast, wants to put out, uh, uh, production-ready code. [00:04:00] But CISOs are the ones who are obviously seen as the, uh, as the blockers, and, uh, nobody want, nobody wants to be that, right? Like as long as there is enough tooling out there and if you are able to, uh, just slam the brakes when it really matters and help, help you keep the course, uh, going, it, it would be ideal.
But unfortunately, the CISOs don't have the, the mandate, the, the power to do that. So they are trying to figure out what's, what's the best way to use my existing tooling to secure your, uh, uh, your crown jewels. And they, they are overcompensating for things around, uh, like detection and like may-maybe if I have a rock solid SOC team, we will detect some malicious a-act happening. But guess what? Like in the future that's gonna be too late, right? Like your data is already
Ward: All right
Anand Thangaraju: by the time you have an alert pick up in your SOC. [00:05:00] If we try to go more proactive on the data security, the CISOs are worried about opening their can of worms, so to say, or the dirty laundry, right? Once you see it, you can't unsee it. And if the CISO doesn't have the budget and the means, they would rather not even expose what their dirty laundry is. So that's the double-edged sword I wanted to talk about, right? Like I've seen so many CISOs are worried about this. "Hey, I'm trying to build a DSP program, but I wanna do it right. I wanna make sure that when I turn on the visibility, I better have all the controls in place, including the DLP and, uh, other compensating controls to make sure that I can prove that we are, we are acting towards the, uh, uh, the remediation," right? So that's, that's been a challenge for adoption of DSPM in general. I'm, I'm seeing a lot of, uh, uh, like automated remediation and new, uh, approaches to use agents to [00:06:00] find this data and continuously, uh, mature your data program.
So I think the ti-the timing is right for us to rethink how data security should be solved with a, uh, with a true agentic workflow and looking forward to like more innovation coming in that sense.
Ward: Spot on. I mean, a-as you were saying that, I was flashing back to a few conversations I've had in the years, uh, for, from my own background being in the enterprise. I would jokingly, but also not jokingly say like, "No, don't show me that. No, don't tell me that." Because to your point, as soon as you know there's a problem, an issue, a gap, whatever, now I need to do something about it, right?
Like I, I can't just put my head in the sand. Or I could, right? I could put my head in the sand as, as a, a security practitioner. Um, but if there was never an issue, uh, guess what? That's probably now discoverable that you knew there was a problem, you didn't [00:07:00] do anything about it, and voila, uh, security event happens and, and now there's a problem.
So I, I very much agree with everything you just said because yeah, for, for many years, uh, there's been tooling to kind of solve for the discovery, the classification, even in some cases the prevention. You know, the tools weren't fantastic, but they were there, and a lot of folks focused on that. "Hey, let's go buy a tool.
Hey, let's implement DLP. Hey, let's do data classification. All of our problems will be solved when that happens." Um, but they haven't bothered having the personnel, right, to do something about it. They haven't bothered having the processes to say, "Hey, when, when, when X, then Y," sorts of things. It's, it's been, um, it's been interesting.
So are, are you seeing things start to change a little bit from your purview?
Anand Thangaraju: I mean, li- like I s-- Oh, it's funny that you mentioned [00:08:00] Purview. That's where it all starts, right? Like you... Majority of the, yeah, the, uh, the tech debt lives in like Microsoft ecosystem, SharePoint, drives. And oftentimes all, all you need is a, a much more robust classification engine to work alongside Purview or any of your native DLPs to start flagging things, and that's, that's been the approach for the, for the past decade, right?
It's there's a little bit of, uh, uh, blocking and tackling that you could do with DLP, but if you don't trust your DSPM, you're still letting a few things through the, uh, pipes. But what I've, what I'm seeing more, uh, more recently in the conversations is are uh, remediating some of these data, uh, data that's, that, that ends up sprawled in different environments.
They are able to set policies and think of it more [00:09:00] like, like how we solve this, uh, the, the SOC problem with SOAR and automated playbooks. We're gonna see more of those automated playbooks for remediation, and that's gonna mo-move the needle, right? Like when you are, when you're thinking about uncovering all of your data issues, nowadays you have tools that will, that will get you so far to your visibility, to give you a risk score based on its reachability, wha- how much of, uh, uh, PII is concentrated in, in that, what are the different regulations that are impacting it. You can bring as much telemetry to that to sort of give you a sorted, uh, priority list. But what was missing is the action. You, you still needed bodies to go after the, uh, native application owners. Oftentimes, it, it, it was more of a bure-bureaucratic process. Now, with more agentic workflows, you can actually do those remediations, uh, as part of your day-to-day [00:10:00] schedule, right? So that's a, that's a huge game changer. I don't think this, this technology existed even a couple of years ago. And
Ward: Yeah, I
Anand Thangaraju: opening up for that. And also even the DLP, like there's, there's never been a conversation where a CISO said, "I love my DLP." So that's again a... been a, yeah, it's, it's been a, a perennial problem to solve, and it's not, it's not about the tooling.
Like I've always said this, like DLP is still a program you need to start with, uh, uh, the right kind of people who come with that mindset of trying to set new policies, understanding your business risk and what is truly at stake what... how does a bad actor react to the, to the kind of, uh... Like ultimately if you have some-something of value, people are gonna try to get to it, right? But your business is very unique. Like you need to have people who are thinking about how that's, that compromise is gonna happen, and then try to devise [00:11:00] how an insider could actually take unfair advantage of, uh, their, uh, their trust that they've earned within the system and try to work out, uh, uh, programs to continuously look for the anomalous behavior, right?
It's never, it's never gonna be buy a tool, deploy, and you're done.
Ward: Hallelujah, right? And there's, uh, you know, I think a lot of folks that think there's still the silver bullet out there that they can purchase or, or what have you, and, uh, it'll take care of all their problems. I, I'm curious, go-going back to your, your point about remediation. You know, first, totally agree, right?
If you have an issue, you gotta do something about it. Uh, e-e- today it's getting easier with, uh, you know, scripts, auto remediation, what have you. I, I think, you know, two, two things I've seen personally, you know, one, um, a lot of people have gotten bit by their data security tooling, or really their security tooling in general over the years. [00:12:00]
So they have those battle scars, they have the PTSD when it comes to remediation or prevention, and in some of the conversation I have, it's like, "Whoa, whoa, whoa. No, we're not gonna do that. We need a human in the loop." I think the other one that, you know, is very much related that I hear quite a bit is the business won't buy into that, right?
Like there, there's kind of that fear of the unknown of, "Oh my goodness, what you're talking is crazy. Auto remediation? What if you remediate something or move something that somebody needs? Now, now I'm getting yelled at, now we gotta have break the glass." Are, are you seeing similar out there when you have some of these conversations?
Anand Thangaraju: No, no, absolutely. I mean, it, it's, it's definitely, uh, uh, like it's, it's good to think about like what could be the operational impact before you actually go and like give the superpowers for your, uh, remediation agents. We've seen how-- what can happen like with, with the [00:13:00] CrowdStrike famous event. Yeah, you, you can actually bring down your entire infrastructure and time is money.
Like for many companies, they would prioritize any other risk that, that potentially could happen, right? So I totally get it, that's again, the reason why I mentioned that before you do the remediation, it's important to have the right kind of intent signals and telemetry. I'm not talking about do you know where your PII is?
Have you tagged all of your PII? It's more about the correlating with the identity and what is the intent of that person interacting with the data. Is that a normal baseline or is that, uh, looking anomalous? Trying to understand a bit more about the identity's context. Uh, like how long have they been with the company? Are they serving notice? That's a very common use case. We-- When we talk about DLP, that's the one con-common scenario everybody picks up. Hey, what if, what if some-somebody is on serving notice and they're, they're trying to exfiltrate all the data? Of [00:14:00] course, they're gonna try doing that, and that's just one of the many insider threats that is well understood. But there are so many sneaky ways people try to, uh, uh, like get the data out. Maybe they, they're actually a spy working for their competitor and trying to get out uh, engineering designs. Have you thought about having a, a, a strong control that's looking for that kind of malicious behavior? And the answer is no, it's not that easy to...
Like that, that requires like, uh, like NSA-level spycraft, right? So, but it happens. It happens all the time. So I would say like the, on, on the, uh, on the surface level, the biggest worry for people is let's not jump to remediation without a human in the loop and like bring down the infrastructure, then everybody gets fired. It's good to have like a, a crawl, walk, run phase. You would wanna have like an alert-only phase where you're still [00:15:00] studying how the model is, uh, is working and how often there's a false positive. And there's at some point you just decide, okay, this is the amount of risk I'm willing to take.
It's all about risk-taking and appetite for your type of service that you're talking about. If it's a super critical service that's, uh, customer-facing and every minute it's down you're gonna lose dollars, yes, don't do that. But there's hundreds of other processes behind the scenes which don't need the same kind of SLA. I would start with those. I would start with internal use cases. Perfect your, uh... It's, it's all about, trying, trying to continuously mature your model. It's not, it's not a static tooling anymore, right? So it's still continuously learning about your company's nuances. It's ingesting all of your company's, uh, uh, policies and procedures. So ultimately, the model should be almost like a, uh, a trained security architect or a security engineer. That's how I see the tooling is, uh, [00:16:00] shifting: more, more context-aware beings that, that act almost like your, uh, uh, your security engineer. It should be able to reason for every single action it's taking.
Ward: I like that. I like that. And also going back to, to what you just said, um, something else I, I, I kind of want to highlight, underline, put, put flashing lights around. You, you mentioned, um, you know, insider threat and, you know, insider risk use cases around data security. And again, I have to say hallelujah to that.
Um, you know, I, I've been fortunate i- in my own past to get buy-in from my leaders as I was building out data security programs to say, "Hey, I'm, I'm building out data security, but also let me build out the insider risk program," because they go hand in hand. And some of the initial use cases on both sides absolutely go hand in hand, right?
The known leaver, uh, was one of the scenarios you were bringing up, right? Someone leaving, taking [00:17:00] information or, or maybe somebody, um, you know, taking information to a competitor. Um, but you know, both of those really require the groundwork, right? The foundation, that research, that actually thinking about, like, "What can people do with my data?
What would they want to do?" Um, and I think some of that's missed, right? Going back to folks assuming there's a silver bullet. "I'm just gonna buy a tool and now I'm good." Um, you can't really buy a silver bullet today to understand or prevent, you know, human intent, essentially. If they want to do bad, they're gonna do bad.
Anand Thangaraju: Fair enough. I mean, a-again, on, on the contrary, AI is able to be so customized for your business. And if it's-- if the program is set right, then it, it can actually profile ev- the normal behavior of every single identity out there. Not, I'm not even talking about [00:18:00] Why not agents? Even agents
Ward: Yeah
Anand Thangaraju: malicious, malicious intent.
It's not, it's not like it's, it's trying to self-serve for its own, but people can take over an agent and, like, maybe use, like, use it, weaponize it, and use it to talk to their agent outside of the perimeter and try to That's, that's definitely a risk that we should talk about. The even more common outcome is trying to do what it's told to do, but it does not know when it is overstepping and trying to
Ward: Right
Anand Thangaraju: just to get to the goal.
We have already seen that happen. So I would say, I would bet majority of the insider ri-risk is gonna come because of unintentional failures, right? It's not, it's not necessarily malicious, but things happen because these agents can go, guard, right? We need to talk about that as well and how are we gonna monitor the, the, the context window in which [00:19:00] the agent is operating.
And for that, again, it's all about having a, a lineage. I, and I talk about two different lineages. One is the lineage of intent 'cause the agent is doing something, you don't know whether it's, it's, acceptable or not unless you, you trace back the entire lineage of what agent spawned that and who's the ultimate human who is behind that, and what was the initial intent given to it.
So I don't think there's any product out there that's already solved for that. That's probably the, the new AI security control plane that we need to come up with. The other one is similar to the intent you wanna trace the data to. Like you want-- you often, you end up with in a, in a current state.
It's almost like having our universe, discovering our universe and figuring out, okay, we have this amazing Milky Way and all this, and trying to work backwards towards Big Bang, right? Nobody, nobody in an organization context has the true like, [00:20:00] the, should I call it? Like a rewind of where the data originally came from, like trying to pinpoint the actual source of truth and where all it ended up duplicating and, the mess that you have created, right?
Ward: Mm-hmm.
Anand Thangaraju: Bet none of the DSPMs can solve that today. They can show you, oopsie, your PII is in like seven places, right? Deal with it. That, that lineage is super crucial, crucial, and I think, there, there is a market for that in a different sense. Like the, the chief AI officers and data governance officers understand the, the concept of lineage.
There is a lot of regulation around proving data was used so that it's, uh, it, it's still the, uh, right source of truth when you're doing some kind of, uh, uh, regulatory reporting or, uh, things, things that are financial in nature. We need the same kind of rigor for all types of data to be able to reason [00:21:00] why we ended up here, and then how can we rewind back to a much cleaner state?
Ward: Yeah. Yeah. A lot to unpack there. And, and when you mention rewind, I, I'm flashing back, you know, again to another role I had in my past. I was working for a different vendor, and I remember having conversations. I, it was in the EDR space back then for me, and I remember having conversations with, uh, some of my customers and it, it really came down to like, "Hey Ward, you're putting this tool on my system.
How do we know it's clean?" I kinda laughed. It's like, "Well, um, I really don't," right? Because my, my TiVo, right, my EDR agent I'm putting on the endpoint, I can't go back in history, right? I'm looking from this point forward. So if the endpoint isn't clean and it's acting funky and I install, like I'll probably be able to detect it.
But if, you know, a bad actor already has root and it's already doing anything, guess [00:22:00] what? I'm s- it's still invisible. And I, and I kinda look at that, you know, going back to your, um, your, your statements around data and lineage, I kinda look at it the same way, right? Like we can put tools out there. From that point in time, it can watch and say, "Hey, the data started here and went all these places."
But I still have folks that they'll ask me, you know, "Hey Ward, that's great, but how do I know where it was actually born?"
Anand Thangaraju: Yep. Yep.
Ward: other than putting on my, you know, advisory hat, I don't have a great answer. But like, well, let's talk about that. Like, can we make some assumptions? Do you have data flows already documented?
Do you have all of that? It's, it's a tough answer to, to, to provide and, and solve for.
Anand Thangaraju: Yeah, yeah. And to some extent, if it's a cloud native company, there may be ways to track it back because it's all within one ecosystem. But if you are an on-prem [00:23:00] that's trying to go to cloud, good luck with that, right? Like, that's, that's the reality that we live in. I
Ward: Right?
Anand Thangaraju: believe like that modern DSPMs have a hundred percent coverage.
Like we are talking about twenty twenty-six, we assume that y- when we say we, we have a tool that can scan and identify PII in ev- virtually every plat-- every format and every, uh, data structure. Not the reality. We-- It's still a work in progress, right? We're still a long way, uh, uh, long way from having the deep data element level tracking. There is still, uh, like I, I know examples like people talk about, uh, what, what if people just, uh, created an encrypted zip file and sent-- tried to split it into different files, send it out via multiple channels, assembled it back. Yes, people can techni-- I mean, if there is a malicious
Ward: Oh,
Anand Thangaraju: who wanted to get the data out, they can still do it.
None of the tools, none of the DLP will catch it.
Ward: [00:24:00] Yeah.
Anand Thangaraju: still a lot more of engineering that has to go through. And this is where, again, coming back to having a data security engineer that's thinking like a human can do a much better the-- job than having ten tools that have no idea what they're working with.
Ward: Yeah. Yeah. I, I love the idea of that. I wanna go back to something else you had said. You're, you're mentioning, um, the concept of, you know, monitoring, you know, not just people, but your AI agents and kinda understanding baseline to, you know... A- again, if you understand baseline, you should be able to identify the anomalies, right?
The anomaly from that. And whenever I hear that line of thinking, unfortunately, I always think about UEBA technologies, right? User and entity behavior a- analytics technologies. And, and the fact that now, now granted, those came out many moons ago at this [00:25:00] point, years ago. I, I don't even know the date. We'll say 10 years ago at least.
And, uh, you know, those solutions never lived up really. Like, they were expensive. They took a long time to develop the baseline. And frankly, I don't think I've talked to a security individual that ever actually got value, like total enterprise value out of it. Um, so I know when, when you said, you know, baselines, that you, you weren't talking about UEBA, so let's, let's talk about that a little bit.
What are your thoughts around how to actually do that well? Like, not, not only baseline people, but baseline your AI agents.
Anand Thangaraju: No, yeah, fair enough. I mean, there's, there's a t-ton of criticism about, uh, UEBA, and I, I, uh, totally, agree to your, uh, uh, conclusion there, right? But it's-- I mean, we also have to take it with a pinch of salt. We're talking about the early stages of ML algorithms, which, which was created for specific, [00:26:00] kind of use cases.
We had to create a model for every type of risk that we were, uh, trying to, uh, look for, right? But, but the-- today's LLMs are a completely different beast. So,
Ward: True
Anand Thangaraju: I would argue that, like, now almost e-almost everything has to be, uh, baselined. Like, uh, you can, you can actually try to learn sa- the, the processes that are very unique to a business and quickly flag, like, this is something that's totally anomalous, for this particular business, for this particular individual, all within, like, a matter of, uh, a week of training, right?
That's how powerful LLMs have gotten. But we should also try to make sure that we, we provide enough signals to be not, uh, uh, like flaring up false positives. I'll give you examples, right? Like uh, like the UEBA, the reason it failed is, uh, people might have been, like, uh, in a different function, and then they join a, uh, a sales [00:27:00] organization from being an operator role.
Like, that-- Now they are in a completely different role. They have to deal with, uh, PII information going out to their customers and so on and so forth, right? And UEBA would obviously, if it did not have enough context coming in from the HRIS systems, it's gonna, it's gonna just flare up with alerts, right? So those are the things I'm talking about. Like, it-it's not enough if you connect your security tools to provide the context. It should have the full business context. It-- Like, the whatever, whatever is the brain that you're building for data security, should think from a true business context. It should have all the information coming from the, uh, legal standpoint, from the HR system standpoint. And then we have something that's, that's truly baselining for every agent, every individual.
What, what is the, uh, what is their job description looking like and what have they, have they been doing? Like, sometimes it's easy for you to even try to figure [00:28:00] out, uh, their... Like based on their last actions, you can predict what they are gonna do next, right? And maybe the-- so far they haven't done anything risky. But all those act- actions, maybe the nth and n plus oneth event is the most risky, and you better have your control and policy enforcing there and not alerting your SOC after the data has left, right? So those are the things that we need to talk about. Like when it, when it is anomalous, you are building a case and you're not acting on a whim. It's, it's multiple signals adding to the overall risk posture and, uh, sort of like the tripwire, right? An- another thing we didn't, we didn't talk about is, uh, when it involves humans and you're, you're truly investigating or building a case for insider risk, you better have all the legal evidence because guess what?
Like, if you are too soon to convict somebody of a malicious act, [00:29:00] you better have all the, uh, all the proof that stands in a, uh, in a court of law.
Ward: Oh, absolutely. And I would say, like anybody who's gonna be building out an insider risk capability, if you don't understand chain of evidence and don't understand any of that, and you're not good friends with your legal team internally, your privacy or HR team, like go do that immediately. Because great that you're standing up a, a capability, but to your point, if something happens and you're gonna be pursuing some sort of legal action, um, good luck if you don't have some of those pieces figured out.
Anand Thangaraju: Oh, yeah. Yeah. That, that's, that's one of the reasons I said it's more of a program than a tool. So most of the tools lack that true audit trace and sort, sort of the things that you would want to provide as part of legal evidence. That's, that's a space again ripe for [00:30:00] disruption for any new DLP company out there which is trying to for the entire problem and not necessarily just the, the point of enforcement.
Ward: Totally, totally agree. So k- kind of going back to your thought about, um, going, going right back to this one, lineage. Lineage is the interesting one that's playing across everything that we're saying here. Um, you know, we, we talked about lineage for at rest, right? Hey, this thing was born here, now it's over here, over here.
What are your thoughts around extending that to, like, now Bob went and sent it to Sally, who sent it externally. Like, is that part of your idea of lineage as well? We're looking at in motion.
Anand Thangaraju: Well, yeah, I mean, uh, when, when you talk about the ultimate risk, like you-- obviously, there's a taxonomy that goes with it. And data-- let's say data exfiltration is one of the risks that you're trying to solve for. You wanna be able to go back [00:31:00] for at least the, the, the last ten different steps that have taken place that eventually resulted in the data exfiltration, right? And you wanna be able to pinpoint who is malicious. Maybe the, the nth person who actually sent it out to their, uh, uh, like their own, uh, legitimate sanctioned, uh, uh, Box account is not the malicious act, but it happened somewhere way before when it shouldn't have happened, right? So for you to really do the chaining and figure out where the uh, act happened is very important to, uh, to justify. Without lineage, yeah, none of, none of the tools today like I, I know, like the whole SSPM, uh, market took off because of this lack of visibility, right? You had certain level of visibility in your endpoint. What happens if, if the, the data leaves to a cloud environment? You have a little bit of, uh, in context with the, with your ZTNA and CASB solutions. And then you needed something totally different to [00:32:00] build the context on your SaaS environment and so on and so forth, right? So all of that, I think it, uh, is, is converging now. Like, you don't need multiple solutions to piece together the puzzle. You, uh,
Ward: Very much agree with all that. And, you know, and, and based on our conversation so far, right? I mentioned earlier you've been in the industry over 20 years. You, you're helping a lot of organizations. You've been around the block a time or two. So I'm super curious, what's your journey been so far? How did you get to where you are today?
Anand Thangaraju: Oh, gosh. We, we all sort of stumbled into cybersecurity, isn't it? It's g-- it's the most common, uh, story that I hear from many peers. Started, uh, my career in banks. I was, I was pretty much a fin-- like, Wall Street guy for the first ten years. Worked with, uh, JP Morgan, worked for, uh, as a consultant for many of the banks through EY [00:33:00] and ended up with Silicon Valley Bank, and that's where my cyber s- uh, uh, journey just started.
'Cause I was more into IT governance and strategy. Eventually started picking up, uh, adjacent areas. Cyber was one, then privacy. Ended up managing the GRC program for them. Ended up running the exam uh, with the Federal Reserve and the local, uh, DFPI. And w- it, it all kept me, uh, uh, like, more fascinated.
We-whenever it was more of a cyber conversation, was fascinated by how many different, uh, uh, trade crafts have to come together to, to be able to solve that. And I knew that, like, I'm never gonna know everything about cyber, and that was the, uh, aha moment for me. Like, it looks like I will-- I'm always gonna be learning something.
I'm always gonna be, uh, uh, on, on my toes. I-- it, it-- that's, that's how it happened for me. Like, it-- ev-everybody starts somewhere in engineering, [00:34:00] IT, and finds their, uh, niche in cyber. To be fair, like, there was no cyber when we started, right? Like, it's... it, it was a completely
Ward: Oh
Anand Thangaraju: world, and I'm glad I get to shape the, the craft as well.
I'm part of, uh, some, like, as you mentioned, we're all part of multiple advisory boards and, uh, initiatives. So I, I love the, the aspect that I'm able to constantly, uh, de-develop best practices for my field and, and create new, uh, uh, new, new ways to approach cyber threats. So it's, it's, yeah, it's, it's been an interesting journey and I, I, I wouldn't wish anyth-anything else so far.
Ward: That's amazing. Um, tell us a little bit about Alchemy Cyber. You know, I know you're building it out. I've, you know, I d- myself, my organization had the pleasure of working with you, and I, I've been following you for years. So, you know, tell, tell the audience a little bit more around what you're doing and what that's all about.
Anand Thangaraju: Thank you. Thank you for the [00:35:00] opportunity to talk about Alchemy as well. So Al-Alchemy Cyber came about as an idea. What-- I've been in the practitioner's shoes for many, many years, and in the last couple of years I have been fortunate to talk to more founders, either in an advisory capacity or as an investor. And I also ended up in a field CISO role for the first time, where I was mo-- not necessarily buying products, but I was ad-advocating for the, the best ways to optimize your tooling. And I, I used to work with multiple CISOs in the West region, trying to understand how they are tackling their, today's and tomorrow's problems, what kind of products they are bringing into their, So it, it opened my eyes around how the entire cyber market operates. So it's not about just the... The CISOs are just one layer that we all talk about. They are the defenders. They are, they are the ones who are building the programs. [00:36:00] But we often don't see the big picture in the cyber ecosystem when, when it comes to not only the vendors' ecosystem, but all the middlemen that exist.
Like VCs are, yeah, betting on new technologies. Without them, you wouldn't have futuristic solutions being built. We have our channel partners, which I was fortunate to be part of, without whom no innovative solution can get to the nook and cranny of your, your tier two, tier three cities and people who don't have the same kind of, to the Silicon Valley, right? So I, I, I deeply appreciate all the ecosystem that's built around cyber that is all serving one purpose: to be, to, to fight against the bad guys. And that's what I wanted to start building, as a, a small shop where I can truly be valuable, not only to the CISOs that I know, but also to some of the early-stage founders who [00:37:00] are building amazing tech, and they need that kind of access. I started doing that out of my own interest as a solo advisor. I started putting in some money as early investment checks, and somehow it, it dawned on me that there's more and more I could offer them. And it, it's, it's a work in progress. So think of me as somebody who helps early-stage startups scale from zero to one in a, in a fractional capacity.
Sometimes I jokingly call myself a micro VC because I do invest, but it's, it's, it's more about, like, trying to provide all the allied services for them, which, which is very hard to get a, a big-time VC to dedicate time on, right? Th-th-they, they have a much bigger problem to solve. So obvious-obviously the founders take the money from the big VCs, but they need help from smaller-scale go-to-market partners to [00:38:00] talk about their tactical challenges and navigate the, their journey.
So it's, it's been an interesting, uh, pivot for me, and I look forward to, uh, building that together with amazing CISOs, uh, like you, that, that are supporting me.
Ward: Well, and it sounds like you've had fun with it, for sure.
Anand Thangaraju: That's, that's the goal. Ultimately, we, yeah, we wanna make, we wanna make cyber as much fun as possible, even, even for the CISOs who are in it. Like, I, I love the people who, with all the weight that they carry, if they are able to get out for an event, share a drink, and have a time, that I, I call a, a, a pretty good day.
Ward: Amazing, amazing. Well, Anand, if, if folks want to, uh, connect with you, what's the best way to do so?
Anand Thangaraju: Well, I'm, uh, like you mentioned, I'm a, I'm very, I'm a, uh, LinkedIn, uh, addict, I would say, at this point in time. But yeah, you can definitely reach out on LinkedIn. My, uh, my company credentials are there. You can also reach out to [00:39:00] me, uh, over that. I am an open book. My-- Literally, I have my email and phone number on LinkedIn.
I don't know what I'm thinking, but I'm, I'm very approachable.
Ward: That's-- I, I didn't even notice that. That's scary. Do you, do you find yourself getting spammed quite a bit that you're doing that?
Anand Thangaraju: It's okay. Yeah. I, I've--
Ward: Yeah. That would be bad?
Anand Thangaraju: I'm so-- I built my own perimeter defense, so I d- I don't, I don't blame the world for being spammy. It's all
Ward: Perfect. Oh, man. Well, Anand, thank you so much for joining today. This has been a great episode.
Anand Thangaraju: Thank you. Thank you, Ward, for having me. And, uh, yeah, best of luck for your future, uh, episodes as well. You're doing an amazing service for the cyber community, and keep doing it. Keep rocking.
Ward: Oh, I, I appreciate that. And a big thank you to our audience. I really hope you enjoyed the episode and learned something today. Please tell others in your network to follow and listen. This has been another exciting episode of "Guardians of the Data." See you next time.
Anand Thangaraju: [00:40:00] Thank you
That's a wrap on another episode of Guardians of the Data. Thanks for tuning in. For show notes and more, visit guardiansofthedata.show. Guardians of the Data is made possible by support from Sentro. To see how we help organizations discover and classify all of their data accurately and automatically while quickly achieving petabyte-scale data protection without the fuss, please visit sentro.io.
Catch you next time.