An industry leader with over 25 years of experience in the technology industry, he started his career in Bangalore, India, soon moved to the UK for a couple of years, and then moved on to California, US, where he has resided for the past 20 years. He has worked on three continents helping Fortune 100 companies become safe and secure. From legacy systems to full-fledged automation systems, he’s seen it all. Our guest today is Vasanth Madhure.
When he started out in the 90s, security didn’t seem like a big thing to him. With the growth of business digitization and technology being everywhere came the risk of security. He didn’t set out to go into security compliance, but he was drawn in by being an honest, straight-up guy who likes to conform to all the laws and regulations.
He speaks of compliance as not being an option but a mandatory requirement: if you’re not complying, your business more than likely will not survive as a company. Beyond simply being compliant, Vasanth details that we need to constantly adapt to the ever-evolving changes in the world and the regulatory landscape, stay abreast of those changes, and respond with policies, controls, and certifications that keep us safe and secure. Security compliance is a business enabler and has to be at the forefront of any organization’s journey.
Here’s Vasanth’s view on the challenges and solutions that can help organizations get and stay compliant.
- Without executives supporting the security compliance effort, security teams can’t make much headway into their initiatives – it has to be all hands on deck.
- The availability of security professionals within the company: for example, if the product team is doing the compliance efforts, it becomes difficult because that is not part of their core skills.
- How companies decide which compliance framework is relevant, and who can help guide them through their roadmap.
- So much work has to be done manually that, unless you have an unlimited amount of resources, automation has to be a key part of your approach.
This episode is all about technology and understanding what controls are best to implement to combat risk and ensure security compliance – bottom line, stay relevant and up to date on security.
Good morning, good evening, and just an overall welcome to everyone joining us for another exciting podcast today on Comply or I, I’m your, your local host, Kyle, and with us today we’ve got Vasanth Madhure. So quick introduction and background about him. Who is this gentleman on the call with us today? Senior Director of Information Security and Global IT Head at Couchbase.
What does this mean? Well, he’s the head of the information security organization as well as currently performing the role of CISO and on a daily basis, oversees the implementation to drive compliance for efforts such as SOC 2, as well as HIPAA.
An expert in the field of IT, in the field of security and compliance itself. More than 15 years of experience in global technology companies that range right across the spectrum, from startup companies to Fortune 100 companies.
Has served in leadership positions to deliver high quality cloud SaaS and IT initiatives and product support and operations, and this really is just to name a few, when, when we were putting together this introduction, I really had to I don’t want to say I really had to condense it, but for, so I really did end up condensing it ’cause it was, it was extremely comprehensive and, and the knowledge and what you’ve got experience in.
I can’t wait to deep dive a little bit further today, so last final points from my side. An expert in information security cloud operations with experience across, across all the big players, your AWS, Azure, GCP, corporate IT experience, as well as technical support.
So that aside, firstly, Vasanth, thank you so much for taking some time out of your day to join us, apart from what I’ve mentioned, is there anything else as an introduction or about yourself you’d like to add on?
First of all, thank you, Kyle, for inviting me. It’s a pleasure, uh, to be speaking with you, hopefully we’ll go through a few of my experiences. I can share, some of my thoughts on, uh, information security, and that was a flattering introduction. Thank you for that. Yeah, just a quick addition to what you already mentioned. I have over 25 years of experience in the technology industry, and I’ve been fortunate to work in three different continents.
I started my career immediately after my engineering. I started my career in Bangalore, India, and then I was also fortunate to work in the UK for a utility company. I was there for about one and a half years. I still remember some of the great times I’ve had in the UK, and then I moved to California in the US, so I’ve been here for over 20 years.
I am with my wife. We have a, a puppy, uh, and we are, uh, empty-nesters. Our son is working in New York. Our daughter is off in college. So I would like to say we have a lot of time on our hands, but we keep ourselves pretty busy.
Absolutely. That’s amazing, and I mean the family man that really has had experience in all of it and across the globe and for today, I, I really want to just go through some more about you and the projects you’ve been through and, and the experience. I mean, like you’ve said, it is more than 20, 25 years of IT experience. What the world looked like before the two thousands to where it is now from a, from a compliance, from a security space.
So let’s, maybe, let’s start at that point, if you don’t mind, these three different continents. Talk us through the start of your career and that, that transition, what, what inspired you to firstly get into this, this world from your engineering background, like you made mention of already, and then what took you from one continent to another?
Absolutely. So when I started, it was the early days of the internet, really early days of the internet, and my first venture was on IBM mainframe. So I actually worked on the ES/9000s, which could seem pretty legacy right now. Yeah, but that’s where I was, and during the late nineties and early two thousands, it was all about Y2K and companies were scrambling to get to, uh, fix the, the Y2K bug.
Although I was working on the mainframes, I actually did not work on any Y2K projects. Soon enough, that was when Java was blooming, and I got into Java at that, um, point in time. And then for the next maybe decade or one and a half decades, I’ve been working in various capacities with various Java technologies.
So you can understand about 25 years ago, security was not a, a big thing, right? Uh, With the advent of technologies across businesses, it could be small. It does not matter whether it’s a small business, a medium-sized business, large business, government entities, nonprofit organizations.
Now technology is everywhere. There’s so much of digitization, and with this comes the risk of security. So security sort of started becoming prominent, I would say, in the, the mid two thousands to now, and it’ll continue to be extremely important. So for me, around 12 to 13 years ago, I joined a small startup company, which was a financial services company.
And pretty much all of their customers were large banks spread across the US, Canada, and UK, and the company was sort of a pioneer in that they were providing SaaS applications, uh, at that time. When you have SaaS applications where you process sensitive financial information, banks are generally nervous, right?
So they want to make sure the, the vendor has the necessary security controls to protect their data, their customer’s data. And that was my first real entry into the, the realm of security. I was responsible for all of our SaaS operations and corporate IT, and naturally security came as part of one of my responsibilities.
So, then I moved on to Oracle, that was my second stint with Oracle, again, working on SaaS applications and hence security was important. And later on I was the vice president of technical operations and information security at another financial services company called Certent. So that was where I got into a lot of compliance efforts.
SOC, all the SOC audits and ISOs, and implemented a lot of security policies and controls, and that finally led me to Couchbase where, um, I came in to head up information security for, uh, the entire company. So it’s not something that started off as a career aspiration for me. It was probably a natural progression, a career progression, and then, maybe my personality reflects in that.
I generally try to be compliant with the various laws and guidelines. So maybe that’s one of the other reasons which drew me towards, security, and I’m loving what I’m doing here at.
Wow, so, so firstly, absolutely incredible. I mean, what a, what a journey from, from the beginning until now, and one of, one of my key takeaways from what you’ve just mentioned was the, the small startup player, like you said, trying to work with all these different banks that require you to have these controls and to, I suppose, one way or another, prove yourself, but prove the company also being secure, and progression of that role.
So let’s, let’s talk a little bit about that security side, and like you said, your personality reflects trying to be, what, what does compliance do in a nutshell.
So compliance actually has multiple things. No. For example, it could be complying with regulatory requirements, it could be complying with certain standards, it could be complying with certain frameworks. It could be ethical compliance, um, for that matter. So there are various facets to compliance, but most companies from a business perspective, you, you have to comply with the requirements, or specific to the industry that you serve. So again, when you look at most of the companies that, uh, do business with subjects in the European Union, GDPR is something that comes to mind.
And similarly, there are various requirements that companies have to comply with to ensure that they’ll be able to do business.
Absolutely, and I think, I personally also really enjoyed the interpretive side of it as well. I mean the, the GDPR that you just mentioned, um, with the different articles and requirements within it, but how you can still, I mean, you’re, you’re doing a self-assessment at the end of the day and ensuring stuff is right until something isn’t.
But just the way you can actually implement things in different ways, and two organizations that are glaringly different could both still be GDPR compliant?
Where do you find the, the value for that? Let’s take the, the regulatory requirements or, or the need to have it to operate in a certain industry or field that value for it. How do you, how do you motivate that?
Yes. So complying with regulatory requirements is pretty straightforward. It is an absolute must. You have to do it if you have to do business in that space, for example, right? So if you have to do business in Europe, then you have to be compliant with GDPR, because if you’re not, if you start using data for purposes that are not intended, for the way it was taken for, then you could be fined.
You could be imposed, the company could be imposed with huge fines. That is one, but then the company could go out of business. So it’s, um, it’s not an option, but it is a mandatory requirement. Similarly, let’s say a company is in the healthcare industry, right? So especially in the United States, you have HIPAA as, um, one of the regulatory requirements.
So if you’re not HIPAA-compliant then more than likely you will not survive as a company. And similarly, PCI DSS, for example, a lot of companies transact financial information. So there could be payments that happen as part of a business transaction, and when you are dealing with, say, credit card information, you have to comply with the PCI DSS standards, otherwise, again, you’ll, you’ll not be able to do business. So for companies to survive and do business, compliance is extremely, extremely important.
I like what you’ve said. Apply this forward-looking a little bit, and the reason I say that is, let’s think about what you’ve just mentioned. We’ve spoken about so many different frameworks.
We’ve spoken about GDPR, we’ve spoken about SOC 2 a while ago, HIPAA, we spoke about PCI DSS, all depending on the industries you’re in. So we now, more than half of the way through 2023, see regulation after regulation, I mean, we, we can probably discuss the blockchains and stuff like that. Is there anything else that you’ve sort of identified that will, will be really relevant in the coming years?
Yeah, so in terms of compliance, the, the bottom line is to, to make sure you, you, you implement the necessary controls to customer data and more importantly your organization’s confidential information assets and sensitive information. Now, the compliance requirements again, keep popping up depending on the industry, depending on the technological innovations that keep happening. So when we, if you go back 10, 15 years ago, SaaS was just blooming, and then we didn’t have, say, the SOC 2 or the SOC 1 at that point in time. And that’s when, when you started offering your services on the cloud, you started off the SOC 1s and the SOC 2s started gaining importance, and ISO 27001, for example, has been around for many, many years, that will continue.
So in terms of what we might see in the future, I think it definitely depends on how the industry progresses, how innovation happens in different fields and areas. AI, for example, is, something that is the talk of the town today, and there could be some compliance requirements around AI specifically, yeah, that’s, that’s where I think compliance would go in the future.
It’s, it’s a very exciting, um, proposition and thoughts, I think for people in, in the IT space. And there’s definitely a lot of excitement, I want to say from an, from an efficiency and what you can gain from it. I mean, if we’re talking about AI, we’re talking about just new modern age technologies, but at the same time we, we talk about a lot more and, and other considerations, multiple different ways that you can utilize services and rely on you as an organization making use of, of their products and bundled into the service that you’re getting from your AWS or your GCP. They are SOC 2 compliant and they are HIPAA, GDPR compliant and you can to a certain extent rely on those.
Find that balance between having comfort to rely on what Azure is providing you and saying, hang on, us as the customer actually need to have these additional considerations.
Yeah. A key thing that everybody should realize is that just because you use one of these cloud providers, AWS or Azure or GCP or any of the cloud providers, doesn’t mean that they provide all security controls for you.
So, in the cloud, security is a shared responsibility. Now, the, the cloud service providers will provide a certain level of security, but then you use their infrastructure, you deploy your own applications. So it is your responsibility to make sure you secure your environment, your application specifically, because the cloud providers don’t have access to your application.
They don’t know what your application does. They don’t know the configurations for your applications. They just provide the, the backbone, and everything on top of that is the customer’s responsibility. So this is a misconception that many people have, even in the tech industry. I’ve, I’ve worked with various folks, and they think if I deploy my application in AWS then it is, uh, secure.
I don’t have to worry about anything. No, there is, there is much more to it than just deploying in AWS, and that is where when you go through some of these, um, compliance efforts as, I’d say SOC 2 or ISO, or even ISO 27017, for example, is specifically geared towards, uh, security in the cloud. So there are controls that these standards and frameworks recommend. And then when you start implementing this, basically you would be providing a safe, secure environment to protect your customer’s data.
I think your mentality and understanding of it is exactly why you’ve had so many successful years in these related IT fields that shared responsibility model you mentioned and I.
Like, like you’ve, you’ve already touched on there, you need to have that insight to it. If, if no one’s sort of guiding you, and you’re starting, yes, you can make use of the AWS like we said, but if you’ve got no insight around those user entity controls and, and what you as the customer utilizing their service needs to be doing, then you could run into some problems.
Yes, absolutely. And that is where, um, constantly enhancing your knowledge plays a, a huge role, right? So just because I knew something 10 years ago does not mean I can implement products or security controls today. The security landscape is, the technology landscape is changing all the time, and hence we as security professionals need to be in tune with what’s happening out there in the world. So yeah, there’s a learning. We have to make sure we, we stay abreast of the, the latest innovations that are happening and then, uh, come up with the relevant controls.
And that knowledge and, and keeping up to date with all of it. You, you obviously have a, a ton of experience in different certifications. I had a look at that experience field. What’s, what’s sort of your process, what have you found to be really valuable or, or meaningful maybe for you personally? Or even just what, what are your go-tos to stay in tune and stay up to date?
Yeah, so there are a lot of certifications out there.
The universities as well as, um, you know, private organizations. What I would like to do is, so if I’m working in the cloud space, so AWS or Azure or GCP, I take some of the courses that they offer so that I understand the technologies that come as part of their cloud services. So once I understand the technology, then I can relate to what kinds of security controls I should be able to implement.
So that’s, that’s something that is extremely important for all technology professionals, and specifically talking about security. A lot of us, I’ve seen a lot of security professionals who do the CISSP training. This is a comp, a CISSP certification. Uh, this is a, a comprehensive certification which covers pretty much all the areas, all the technical areas within security. I personally actually pursued what’s called a CCISO certification. So this is a Certified Chief Information Security Officer. So this is offered by EC-Council, and this helps leaders to actually become CISOs because it covers different areas that leaders need to be proficient in.
And so there’s governance, there’s audit management, there’s security operations, there’s core security skills. And it also covers management principles such as forecasting, budgeting, resource management, vendor management, and things like that. So yeah, there’s, there are a lot of courses and certifications out there.
What interests individuals, you should pick and choose those. But then the, the bottom line is make sure people are staying abreast of what’s happening out there.
Stay, stay relevant and up to date, and one thing I also sometimes find quite interesting that from your answer on the, the CISO certification specifically, I want to say it is aligned to it, is some of these courses can sometimes talk at a bit of a high level, but in terms of the actual day-to-day implementation of how you should carry out that operation could be vastly different. So from what I’m understanding what you’ve said, the CISO one is actually very relatable, and the concepts behind it can enable you.
Yeah, completely agree with that.
Amazing. I mean, that, that’s super valuable for anyone listening and sort of wanting to pursue that.
So, so thank you for, for sharing some insights there as well. I do hope and believe that anyone listening to that has sort of just had a bit of a, a light bulb moment and thought, okay, let me get involved with that. So, we’ve spoken about the knowledge, we’ve spoken about the experience, and we’ve also spoken about the emptiness that you currently have at home.
How do you balance all of this as a, as a working man, keeping up to date, keeping ahead of security trends, raising a family? How did you manage it?
Yeah, so when you’re working, when you’re heading say, information security for any large corporation or any public company, there’s a lot that’s going on.
You have to juggle various priorities. You, you’ll have to, the entire responsibility of security falls on your shoulders. So you need to make sure you have the, the, the necessary controls to protect, and again, as I was mentioning earlier, not only your customer’s data, but your company’s, uh, confidential and sensitive information.
Um, there’s a lot of stress that comes with the role. Um, I’m actually, I actually do quite a few things outside of work to keep me distracted. About 10 years ago I co-founded a nonprofit organization with a few like-minded folks, and, um, again, over the last 10 years I’ve been volunteering, um, at this nonprofit organization, which definitely has been a, a good distraction for me, and I’m passionate about that.
Started doing long hikes over the weekend, and definitely when you are, um, climbing up these mountains, I don’t think I’ll be able to think about security and work and what’s going wrong. So that’s, that’s been a good distraction. Then I also enjoy watching movies or crime thrillers on TV with my wife.
That’s been my daily ritual, taking my dog off for walks in the morning and, um, evening. Uh, yeah, so there’s various other activities, a sense of sanity, a sense of balance between work and life.
And let, let’s talk about the side. I mean, you, you’ve got it figured out at this point, but like you said, the stresses and, and maybe when you were, you were settling in it, and before you had this very distinguished experience behind your name, the time where you were proving yourself, how, how did you force yourself to shut down for a bit.
I mean, like you said, when you’re hiking, you, you’ve got slightly more important, uh, priorities to focus on at that point in time. But do you just actually limit your screen time? Do you turn devices off? How do you go about that when, oh no, let me just do another 30 minutes of work.
Let me do another hour. I mean, I’m, I’m asking for anyone listening, maybe asking a little bit for myself as well.
Yes, yes. That is extremely important, right? So if you don’t have that balance between work and life, then, and you don’t want to be in that situation. Like I said, I’ve been in those situations where, 2:00 AM, 3:00 AM on many occasions during my career, but then that is not something that is scalable. That is not something that you’ll be able to do on a continuous basis. There’s all, I keep telling my teams all the time, there’s always going to be these sine waves, ups and downs, throughout, not only throughout your career, but even during a given year. There’ll be times when things will be really busy, and yes, you need to put your foot down, make sure you, uh, you work towards, uh, what you want to achieve, and, and then there will be some low times when you take a, a breather.
It is important to make sure that you, you have set times to, to work, and then after that you spend time with the family. Now, it is more important than ever because, with the pandemic, what’s happened is that a lot of people work from home. And what that means is that your computer is right in front of you pretty much all the time.
So you have to be really, really disciplined to make sure that, say, six o’clock or seven o’clock or whatever in the evening, you shut your computer down, go outside the room, take a breather, spend time with the family. Yeah. So it, it’s, it’s just that discipline that people have to cultivate, and it, it just takes some practice, too.
Amazing. Thank you. And we spoke about some stresses, we spoke about prioritizing. So our final topic and last sort of group of questions I think we have to discuss today. It wouldn’t be a compliance podcast without focusing a little bit more about compliance and the stresses in the future world of that.
So what do you see using your experience, using your insight, what are the key challenges that stop companies from being able to get compliant?
Okay. Yeah, there are quite a few challenges that companies face, right? From my experience, I would say the, the most important, thing is for the executives, including the CEO to support the compliance efforts. So without that, um, support, the security teams will not be able to make much headway in.
A mention of the importance of security, say, during an all, all hands presentation goes a long way in helping the security team drive these compliance efforts. The other challenge could be just availability of skilled professionals within the company. If you have a security team that does not understand compliance to further your compliance efforts.
I’ve actually seen companies where, say, the, the product team tries to do some of these compliance efforts, and it’s not easy because that’s not their core skills. They need to focus on developing products rather than getting compliance efforts. So as part of the development process, there are certain compliance requirements that they will have to adhere to, which they should be doing, but not driving compliance efforts.
Then, um, there are other challenges such as when, when we talk about compliance, there are so many different compliance efforts that companies can go through. As, as I mentioned, you have the regulatory compliance requirements. You have the, the SOC 2s, you have the ISOs, you have the HIPAA, now, how do companies choose and prioritize which compliance efforts to pursue?
So that, again, depends on the, the industry, and you need to have the, the relevant expertise who will guide you through that roadmap. Finally, what I would also like to say is when you’re going through these compliance efforts, there’s so much work that needs to be done. And it is almost humanly impossible to do this manually, right?
So unless you have an unlimited supply of resources who can help you with these, um, uh, compliance efforts, so using a, a compliance tool, using some of automation really helps with these, um, compliance efforts.
So yeah, I, I just mentioned a, a few key challenges that companies face. There’s definitely more than that.
You mentioned the challenges they face, you unpacked some solutions, you spoke about the teams with it. You spoke about automation, so thank you. That was a bit of a, a five answers in one, I think you, you’ve read, you read my mind with what was coming next, um, and sort of packaged that together perfectly.
The, the one part I want to unpack a bit is, is the side experience in this is balance, balance and balance. It’s a very fine line I’ve seen. How do you get, where do you, where do you draw that line? You’ve got a product team that wants to focus on establishing a profitable business, but at the back of your mind, you also understand that you need to have compliance, and you need to be able to provide potential customers frameworks. Yes. If nothing more than a security thing. A business enablement tool. Yes. Where, where’s that balance?
Yeah. You, you actually have sort of the answer in your question. Security or compliance is a business enabler, and this is the message that we need to drive to the product teams.
Earlier, when you had said on-premise products or commercial off the shelf products? Yes, they had to have a certain level of, um, security built into the product, but then it was not as crucial as it is today when companies are going the SaaS route. So in the olden days, data was well within the company’s firewalls, right? But now our customers are entrusting their data with us, which means they want to make sure you have all the necessary security controls to protect their data. And the onus is on the vendors to prove that they have all of the security controls in place. And how do you do that? Go through compliance.
Take that route. That is when you start the awareness program within the company, you speak, you actually, you, you can create security champions within, within the product teams who understand that, yes, this is a business enabler rather than a hindrance to product development.
Once they start understanding that, realizing that, they will then be your spokes, uh, initially, you’ll have to face this challenge, but once engineers get it, they know that they don’t have a, a choice but to develop secure products and be compliant with this because, uh, again, as I said earlier, the, the voice when it comes from the top, from your, um, uh, C staff, from your, uh, executives, they know that if something goes wrong during your compliance efforts, let’s say you are ISO certified, and then you stop complying, and you lose your ISO certification, that means it has a huge impact on your business.
You’ll not be able to sell, which is a big deal. So, yes, it’s a process. It is education awareness. Once this happens, then, the entire company will rally around on these compliance efforts.
And do you find maybe final comment on, on this point, ’cause I think we will unpack it for hours, otherwise that the, the transitional change is more towards developers seeing net value and understanding the need for it. Or is it, is it still met with quite a bit of pushback? If we look at 10 years ago, we look at where we are now.
No, I’m, I’m actually seeing developers understand the need for security, and it’s changing even at Couchbase, for example. Right? So when I joined, it was a, a completely different culture. And then we have seen a huge change in how developers perceive the need for security, the need for compliance.
They, they get it. They, they understand that to be able to sell our products, we need to be compliant with certain standards, this, this customer requirements. And yeah, the days of, when developers were pushing back, I would say are gone, especially in companies that offer, SaaS products or products on the cloud.
And on that. I think anyone that’s listened today has got a, a really good insight on how security postures have changed what they need to be doing in terms of using these different cloud providers if they know nothing where to look and where to begin. So you’ve really taken anyone through a real crash course.
Are there any final remarks or comments?
No, first of all, yeah. Thank you for the opportunity to be here and share my thoughts. Since we are on the topic of compliance, I’d like to reiterate a, a couple of points here. First of all, recognizing the importance of complying with regulatory requirements. Extremely important if you want to run and thrive in your business. And then, maybe using a good compliance management tool with various compliance efforts, at least in my case. In our case, it has made a huge difference both in terms of automation and efficiency gains.
Brilliant, Vasanth, thank you. Actually, you, you were the guest on our show, but I feel absolutely privileged to have had the time to speak to you today, pick your mind a bit with some interesting points and thank you. We’ll keep eyes open and keep doing everything as successfully as you have been doing in the compliance space. So thank you for your time today.
Thank you once again.