Clarke Rodgers (00:08):
Thank you so much for joining me today.

Aman Sirohi (00:10):
Of course, thank you. It's a great day.

Clarke Rodgers (00:11):
If you'd be so kind, please tell me a little bit about your background and what you do at People.ai.

Aman Sirohi (00:16):
Sure. We are a revenue intelligence company. So, what we do is we help sales leaders actually make decisions faster using data. So, hence security is top of mind for all of us because we ingest your data and give you data to make those analytical decisions.

Clarke Rodgers (00:30):
So, when I talk to a lot of CISOs, we talk about the sort of evolution of the CISO role over time, right? And for a long time, the CISO role was looked as a, "I'm a technical security expert” and really only brought in to fight fires if something bad were to happen within an organization. But today, the majority of the successful CISOs that we see out there are really business leaders first and maybe security practitioners second. Can you talk a little bit about how you've seen the role evolve and perhaps with your experiences?

Aman Sirohi (01:05):
Yeah, absolutely. I think, if you take it back five years, ten years, CISOs were actually, spot on. Our job was to protect the company. We're security experts, we're in the background, behind the scenes, and if you look at it today and going forward, security is so paramount in everyone's mind, in every industry. Security actually needs to be upfront, right? So I always used the phrase in the company, "Bring security to the forefront. Don't play defense. Tell the customer about your security. Tell the customer how important security is to the company." Because then the customer looking at you is like, "Oh, you know what you're talking about." They feel more secure just talking to you because you're being proactive, right?

Clarke Rodgers (01:43):
Earning that trust.

Aman Sirohi (01:43):
Yeah, so you're building that trust, and I would say trust is built in layers. When you go to the executive committee, it's always about what they've heard. You always remember, these board members, E-staff, they're friends, and they're like, "Did you hear about that hack? And did you hear about this?"

So, what I do is actually talk about security at large. What's happening in our space? Whether we're impacted or not impacted, it's always great to bring that to the forefront in those meetings, because in the back of their minds it's like, "Oh, my friend was telling me about this hack and this is what happened in our environment, but this is why we weren’t impacted."

It's more about telling a story, educating, being more relative and connecting to each other's thoughts and ideas, and I think that's where security becomes more powerful.

Clarke Rodgers (02:29):
Interesting. So, when you're having those board-level conversations and you're telling these stories, are you talking about, "We had X amount of vulnerabilities and we were able to patch them in this amount of time," or are you talking in terms of risk around the P&L to the business?

Aman Sirohi (02:45):
If you look at different boards — and I've been fortunate to be in a couple of different companies — every board is a little different. Some boards are more about, "Hey, educate us." And then there are boards who are basically smart enough and savvy enough, who may not be security practitioners, but are very well-informed about the space. So, the way I do it is I do start out with, “What are we doing in the industry? What is our industry doing? What is security meaning to them?” Then I actually get into business values or capabilities that tie back to our bottom line.

I will tell you that you always need to have the data to back your own security posture. There could be a spike and, say, the phishing attempts have been 10x last month. You can't go into a board meeting and say, "So how was our phishing campaigns?" " Let me get back to you." Bad answer.

You have to be prepared, you have to have the data. You could say, you know, "Slide 54 actually has our current versus last…" End of the day, I always think if board members ask, make it easy for them.

Clarke Rodgers (03:42):
Sure.

Aman Sirohi (03:42):
Make it easy. Make it easy for them to digest the information. Then your job is easier, and then everyone comes out on the same path.

Clarke Rodgers (03:49):
So, making it easy for the board is one thing, but then if we switch to inside the company, you also want to make it easy for product and development teams to do things the right way, the secure way. Can you talk a little bit about maybe some of the mechanisms you've set up to enable that?

Aman Sirohi (04:07):
And I'll say something, maybe it's too simple — it’s having a conversation. If you actually have a conversation, you communicate and you sit down with the CTO, the Chief Engineer, or Chief Architect, and you talk about, a lot of people talk about “shift left.” And I've been in organizations where you say, "I need to solve this vulnerability and I need you to change your sprint." Most product developers are like, "I need to push this capability out." Capability makes them money, so they're driven by capability pushes, right?

So, if you actually have a conversation and say, "Look, we need to slow it down. Maybe it's not this sprint, maybe it's the next sprint, and we need to put in these security gates to make sure we're pushing out secure code." So, under the NIST SSDF model out there, I said, "If you go to any customer and say, 'Customer X, could I get an extra one week so I can produce a secure software?' They'll always say, 'Yes.'" There's no customer that's not going to do that, right? So, I always go back to fundamentals of actually being open, being communicative.

The word we're always known as, “big brother’s watching” — the cops. We're not. We're actually not. And if you go down the different path, then it's like, "Look, okay, it's not going to be this sprint, it’ll be the next sprint. Sounds good." They might need sign off from their Chief Product Officer to make sure they're okay with it, but at least it's now you're building a community and you're building a reason why we're doing this versus like, "Oh, security's forcing us to do something."

Clarke Rodgers (05:23):
That's fantastic. As a CISO, you're charged with protecting the organization and putting in all the different security programs and mechanisms to make it as safe as possible to do business. But you're also charged with enabling the company to innovate, right? How do you balance the two?

Aman Sirohi (05:43):
It's very delicate. So being a startup, velocity is everything, scalability is everything. Customer demands are also…you have a product, you have capability, and customer X wants this, customer Y wants that, right? So, it goes back to the product roadmap. So you really have to, as CISOs or any kind of security posture, you have to get a seat at the table where you're talking about the product roadmap.

When you're having the E-staff sit there and talk about what the next quarter looks like, what the next year looks like, and being part of those conversations. That's where I think you actually get that innovation and, if I take it back one more step, as a CISO, you might learn something that you need to change on the security side because some product innovation's coming in and you need to make it easier for them, right? So, of course someone says, "Oh, MFA." I’m like, “No. That's non-negotiable.” Everyone's got to have that. That's going to happen, right? But there are ways we can as security practitioners make it easier for developers so then they don't actually have to go through hoops and ladders to get their work done too.

Clarke Rodgers (06:48):
That's very, very cool. Many CISOs are, I won't say challenged, but they have limited security staff within the organization, and they're always trying to find ways to increase the performance and the influence that the security team has across non-security parts of the organization. So developers, service teams, maybe it's accounting, maybe finance, HR, whatever the case may be. How do you think about that and then how do you position the security culture in your organization to really make sure that security is everyone's job?

Aman Sirohi (07:27):
It's tough. It's not easy because Marketing wants something different. Finance wants something different. Sales folks who are traveling, different countries, different states, they want ease of business.

Especially in economic times like today, we have less folks and we have less funding or less money, but our responsibility hasn't changed. So, if our responsibility hasn't changed, we have to basically find creative ways to make this happen. So one of the ways that I think was really meaningful at my previous company and this company is when you have your team members meeting with a peer group or organizations on security upfront, again, going back to education, communicating — I don't go. I actually don't go because I don't want it to be that, "Oh, the CSO is here," or-

Clarke Rodgers (08:16):
Oh, interesting.

Aman Sirohi (08:16):
"Leadership is here and we have to listen to the leadership." I let our team members go communicate, go build and foster those relationships, right? Because then they're talking to their peer, they're talking to their colleague. So then, when you actually start deploying it across the company, it's actually more seamless because you've actually done your homework, done your due diligence.

Clarke Rodgers (08:37):
You've built some allies.

Aman Sirohi (08:38):
You've built some allies, but you build it without you being there. Because as security leaders or if the leader’s in there, it's a whole different tone, a whole different game, a whole different conversation. "Oh, my boss is here, so we got to talk about this. I got to listen." But I think you have to enable others to do the same thing. And it's really hard, but I think you have to build that ecosystem, have your individual team members be able to carry that baton and be that security practitioner for everyone.

Clarke Rodgers (09:08):
That’s fantastic. So, within your security team proper, what kind of skills or traits or backgrounds are you looking for when you're hiring somebody for your security team?

Aman Sirohi (09:20):
The number one trait is curiosity; I can't teach you to be curious.

Clarke Rodgers (09:25):
Interesting.

Aman Sirohi (09:25):
I can teach you security. I can get you X, Y, Z training. I can give you curriculums from a university, but I can't teach you to be curious. And security, as we all agree, it's not the same thing every day. It's changing from this day to the next day to moving forward. So, when you have a curious mind, you are able to adapt to different responses. You get a vulnerability one day that says X, tomorrow the same vulnerability won't be X, it'll be Y. And if you're curious enough and you're like, "Okay, let me go drill down and click this button," and you are able to do that, for me, that's the number one reason.

So, I use a very interesting test when I hire people. I give them three words — hungry, humble, and smart — and I ask them to rank themselves on whether you're hungry first, humble first, or you're smart. And it's always for me to understand what kind of dynamics do you bring to the table. Because if I had a whole team of all smart people, we've all been there, all smart people in one room, nothing would get done because everyone thinks they're smart than the next person, right? And if we had only humble people, then no offense, but security will get run over because we're just like, "Oh, okay. Not today? We'll do it tomorrow. Not tomorrow? We'll do it later." And if you have hungry people, and if everyone's number one trait is, “I'm hungry first,” you can't promote everyone every time.

So when we interview, we actually sit down and my number one thing is, "All right, everyone, show me your hungry, humble, smart. What did you think of what they were?” So then you want to build the right equation of a team. You want to make sure the team is well-balanced and depending on your ecosystem — whether you're financial, retail, SaaS, if you are crypto — you might need certain attributes to be higher. Versus, in certain industries, you might need certain attributes to be a little lower. So that's kind of how I look at building a team or hiring a team within my security organization.

Clarke Rodgers (11:18):
So, it sounds like the diversity of the team is the key element here?

Aman Sirohi (11:23):
It is, absolutely. I have a team member in Canada. I have a team member on the East Coast. I have a team member internationally. Would I love for them to all be in the Bay Area or be in the same office? Yes, but you know, that's not feasible. I think COVID taught us all that and I think that diversity, that experience, that curiosity only comes when you find different minded people.

Clarke Rodgers (11:45):
That's awesome to hear. Generative AI tools have been all over the news as of late. What are your thoughts from a security perspective as more and more people, and I'm going to presume companies, are taking advantage of some of these tools?

Aman Sirohi (12:04):
I think this is going to be innovation that we’re not ready for. It's going to be a lot of innovation and there's going to be a lot of security that we're going to need because of the speed and velocity of how tools are being innovated and released.

We're trying to grow at scale, open source tools and the list kind of goes on. What I think we are going to run into pretty quick is going to be around the AI risk. What is this risk exposure to your company, to your customers?

Every contract that I know about says third-party data cannot leave your environment and go to a third-party source. Now whether it's whichever AI model you want to use, that data is now leaving your environment, going to a third-party source and coming back and giving you some answer. So, I think there's going to be a lot of change in how legal looks at it, how risk is assumed by the customer, by the company. I think there's going to be a lot of innovation in the space.

Clarke Rodgers (13:08):
Is it the risk around the "Black box" of these services or what specifically about the risk is of concern?

Aman Sirohi (13:17):
I would say both. I mean, I think it's a black box because we don't know what we don't know, right?

Clarke Rodgers (13:22):
Sure.

Aman Sirohi (13:23):
One interesting thing that you and I probably agree on is once you teach it something, you can't just go back and say “delete,” right? It's very expensive to go back and take that out of the model. So that's a trick that you're going to have to deal with because you are going to get wrong information and it's going to spoil the equation and you're going to have to deal with that.

I think the risk will come in in terms of where companies are going to be worried about what data that they are giving this AI tool. Now, is that AI tool public? Are we all going to have AI internally in our house? I think that all needs to be sorted out.

It's going to go at a speed that we're not prepared for. And that risk that comes with it from a company perspective? One thing I'll say is that, regulatory-wise, I have no clue. This is going to be…I don't even know how regulations are going to wrap their head around it because you have to find a way to put some guardrails into it. Otherwise, it'll be a free for all.

Clarke Rodgers (14:27):
So basically, leadership has to understand the risks that they're going to undertake if they're going to agree to use these tools as part of business.

Aman Sirohi (14:35):
Yeah and how do you control someone who is in a different department who downloads one of these tools and starts feeding it information? Where does that information go? Is there a tool today that alerts you or I that says so-and-so fed this information to this AI model that's violation of the policy?

Clarke Rodgers (14:55):
Well, perhaps there's a security opportunity here?

Aman Sirohi (14:58):
Yeah, I actually think there's going to be a number of different security opportunities. I do think it's going to be great for the environment too.

Clarke Rodgers (15:05):
Along that same line of thought, if we were to have this conversation five years from now, what are we going to be talking about?

Aman Sirohi (15:13):
I think that we’ll be talking about how all our toil, mundane work is actually all done for us. I read an article recently where someone went to one of these tools and said, “I'm planning a trip to wine country. It needs to be child friendly. It needs to have this budget, and X, Y, and Z.” It went and did all the tasks, found a place with bocce ball, sent an email, reserved it, put it on the calendar.

Before, there would be a person who would call the different wineries or Google different wineries or use some sort of search engine to go figure something out, but that's all going to be done. So I think it'll be really interesting for us to see in five years from now what we are focused on. I think it will be humans interpreting this data, so it's not just automated and just free for all. I think we're going to have to have some human interaction in every critical step to make sure that it doesn't go down the wrong path.

Clarke Rodgers (16:19):
And how are you going to have that conversation with the board? What do you think that's going to look like?

Aman Sirohi (16:24):
We've already started having conversations internally. We have policies. We have principles. This is not going to be easy. It's going to take some time. I don't have a good answer to it, to be very transparent about it, but I think this is where we should have more conversations. We should have the minds of CISOs, who are… “How are you tackling this? How are you going to regulate this?” Because I think the more we talk about it, then it'll be easier for us to protect each other and keep the adversaries at bay, because adversaries are going to use this also.

Clarke Rodgers (16:57):
It's an opportunity for everyone.

Aman Sirohi (16:58):
Yes, Absolutely.

Clarke Rodgers (17:00):
So, in closing, any advice for your fellow CISOs?

Aman Sirohi (17:03):
Oh, I’d love advice from them. I would say the one thing that I've learned, and also learned from my peer group, is get closer to your business. You’ve got to be in that conversation with your CFO, with your CRO, with your Chief Product Officer, Chief Strategy Officer. You got to be closer to them, because that's what's going to help you realize what's moving the bottom line, what's protecting the company.

Then if you can be part of that conversation and having your capabilities helping them achieve their goals, then the more customers you get. When you go back and ask for funding, people understand why you're asking for funding. So, I think my advice would be get closer to that group of folks, understand their business and what drives them, will make an easier path for a CISO.

Clarke Rodgers (17:55):
Sounds like great advice to me.

Aman Sirohi (17:57):
I keep trying it. I don't know. Some days I'm successful and some days I'm not, so we'll see.

Clarke Rodgers (18:03):
Awesome. Well, Aman, thank you so much for your time today.

Aman Sirohi (18:05):
Oh, I appreciate it. Thank you so much.