In the sixth episode of our podcast Risk Grustlers, we explore how to lead security teams effectively with Satya Nayak, Head of Security Engineering & Operations at Outreach, a software development company in Seattle, Washington.
Satya started out as a developer and grustled his way into security. He shares what sparked his passion for cybersecurity and gives solid advice on how to lead security teams with finesse. His tips on how to keep up with hackers and boost cybersecurity are sure to inspire security leaders to up their game.
In his conversation with our CEO Aayush Ghosh Choudhury, he also takes an optimistic look at how innovation can make GRC a whole lot easier and more appealing. Get ready to see both GRC and security in a new light!
Read on for some interesting highlights from the episode.
Aayush: What led you to fall in love with security?
Satya: In 2019, I started my career as a developer. One day, I met this guy in the Delhi metro, and we started chatting about this hacking book that had caught my interest. Turns out he had a couple of friends who were also intrigued by the threat landscape. So, we began to meet up and discuss cybersecurity. We would research topics and swap insights.
Then I did my Master's in security, and my journey in cybersecurity began. I joined Expedia, where I built their security teams at a very early stage. I then joined Outreach, one of the top fast-moving SaaS startups, and I got the opportunity to build their security team as well. The difference between the two experiences was tremendous, and they further strengthened my passion for cybersecurity.
Aayush: Security professionals are known for being mavericks. How do you build a security team in an organization without killing their maverick spirit?
Satya: When it comes to the folks in security, their real drive is the passion for security itself. That’s what brought them here in the first place. Now, the key when forming a security team is to make sure you don’t smother that passion under a pile of processes and organizational rules.
So, what’s crucial is to create an open and safe atmosphere within the team, where innovation can thrive within certain limits. We’re not out to obliterate everything in our path; we’re responsibly exploiting vulnerabilities.
So, how do we get this going? Step one: set a clear purpose and mission for your security endeavors. Then, introduce solutions while keeping your business secure. Map out connections and dependencies, assign roles, and be crystal clear about who’s accountable for what and where the boundaries lie.
You also want to keep things smooth between teams. No stepping on each other’s toes! That’s where good communication comes in. We’re dealing with a lot of uncharted territory here. So, you want a team that feels safe to tackle challenges head-on. When they stumble, you’ve got their back, and that’s how they’ll have the guts to take on even bigger challenges.
And let’s not forget the power of recognition. When they hit it out of the park, as a leader, you make sure they get their time in the spotlight. When something doesn’t quite pan out, you shield them from the storm. This kind of support creates that psychological safety net.
Aayush: How much should growth-stage companies invest in security? What kind of message should they start strengthening first?
Satya: Starting simple—it’s not smart to spend a thousand dollars on something that’s worth ten dollars. So, that sweet spot is key when you’re building a dedicated team.
Now, think about it. If there’s no business, there’s no security. It’s a business thing—it’s not just about throwing money at a security team. Once you’re able to afford a security team, you should approach security from two angles.
First, the ‘feeling secure’ angle, which is all about making your potential customers feel comfortable doing business with you. This involves all your compliance certifications.
Then, there’s being secure. That involves the nitty-gritty work. You’ve got engineers in action, putting in all those security controls to toughen up your systems.
Remember, these aren’t separate from your compliance efforts. Being secure actually backs up feeling secure. As you amp up security controls, your compliance reports are covered.
So, these are like two sides of a coin. One pulls in customers, and the other ensures you’re a trusty guardian of their data. It’s a neat strategy where both sides win.
Aayush: How do you convince the board to increase the budget for security?
Satya: You know, they often say security is a thankless gig, right? You’re in the background, only noticed when things aren’t smooth. But that’s when you’re doing your job well, keeping things solid.
When you approach the board, you have to make things crystal clear. You should show them why security matters and how it ties to investments and the overall health of your programs. You should not wave away the possibility of incidents, but show how you will put up a strong defense.
Also, looking ahead is key. Think three years down the line. You’re not just dealing with today’s threats, but tomorrow’s too. Technology keeps evolving, and those sneaky bad actors are evolving with it. I’ve got an example: AI being used by hackers for lightning-fast identity breaches.
So, your defenders need cutting-edge tools too. You don’t want them bringing knives to a tech-gunfight. Your role as a security leader includes keeping up with these advancements and making the case for upgrades to the higher-ups.
Oh, and data is your friend. You’ve got a story to tell, but back it up with those hard numbers. It’s great to weave a tale, but adding data makes it rock-solid for your organization.
Lastly, you’ve got to know your enemy. What threatens a big e-commerce company might not be the same for another. So, do a proper risk assessment and threat intel, tailored to your turf.
Aayush: Attackers are getting a lot smarter. How do security leaders help their teams keep up?
Satya: You don’t have to be an expert in everything as a security leader, but you’ve got to have a strong grasp of the different security functions and how the threat world is evolving.
If you’re not in sync with the security scene, you might end up passing the decision-making buck onto your security team and stakeholders.
As a leader, you’ve got to stay on the pulse. Attend those conferences, chat with industry folks, and keep tabs on the latest security products in the pipeline. This way, you’re armed with the right info to make well-informed choices.
Operating from the sidelines won’t cut it. You’ve got to be in the know about what’s happening out there. That’s how you back up your team, manage projects, and make those smart moves.
Aayush: There is a bit of a framework soup right now, with new frameworks popping up every now and then. It’s impossible to keep growing the GRC team to keep up with them. How do you think organizations can keep up with these new frameworks?
Satya: Yes, new frameworks keep exploding on the scene. However, the security controls we use are not changing. We’re sticking to the same controls regardless of how many frameworks are out there.
There should be innovation when it comes to how we match these controls to all these different frameworks. Think continuous compliance, where you can check your compliance status anytime without those audit headaches.
What’s important is having a unified way to map these controls. You need tools and tech that can link your controls to various frameworks. That way, when you’re gathering evidence, it’s not about the frameworks, it’s about those controls. If you can show you’ve got the controls locked down, you can reuse that evidence for all those different frameworks.
Also, it’s not just about saving your security team’s time or streamlining those audits. There’s more to it, especially when it comes to your stakeholders. They benefit a lot too. Imagine this: instead of just using evidence for one purpose, you’re reusing it across the board.
Focus on those controls, and let the technology handle the mapping to different frameworks. That’s the smart way to do GRC in this day and age.
Aayush: Do you think GRC can become sexy again?
Satya: GRC right now is viewed mainly as a business function. You do your audits maybe once or twice a year. But things are changing, and fast.
We’re looking at a future, maybe 2 to 3 years down the road, where GRC will be streamlined. Imagine a one-stop platform where all your certifications, risk management, compliance requirements, and even vendor assessments are linked up.
You won’t be stuck hunting down data in different places. Nope, it’ll all be right there, in real-time, ready to go. You’ll be able to see the network effect in play. Like, how evidence from controls feeds into policies and how risk management gets a boost from this tight connection.
With the way tech is racing ahead, you’ll see more platforms popping up, aiming to knit all this together seamlessly. GRC is getting a major upgrade!