Yudit is breaking ground and flying the flag for women in compliance. Having entered the field not knowing she would enjoy it so much, she explains that compliance is challenging and ever-changing, but super fun once you understand it: it is just a bunch of big words that lead people to claim it is stressful or boring.
During the podcast, you’ll understand how she’s breaking ground and helping her team and Rapyd.net succeed.
She believes in logic, in understanding the benefit of compliance and why what she does makes sense. She hopes that as an IT and security operations director she can develop a culture where she isn’t seen as frightening, but rather as an arm that can assist the business, reduce risk and prevent the issues that stop the business from growing and being successful.
She believes in collaboration and in ensuring that everyone is kept up-to-date (keep up the coffee, she says). In all seriousness, she believes that understanding your business and what is most critical is one of the key aspects of staying compliant and secure, by aligning with the risk assessment and company goals on a daily basis. She also breaks down being audit-ready: being prepared on a daily and monthly basis. If you wait, it affects all the processes and alignment; being prepared year round ensures your company is ready to go and built for success.
So a very warm welcome to everyone listening and welcome back to another episode of Comply or Die. Today, we’ve got a very special guest who’s a thought leader in their field and has a wealth of knowledge and experience to share with us today, with some insights and perspectives on the evolving landscapes of cybersecurity and compliance.
So without further ado, I would like to introduce Yudit Moldavsky to you today. Yudit is none other than breaking ground and flying the flag really, really high for women in and in her current role as the director of IT and security operations at Rapyd.
Also, a former defense force member in the information security field, which I’m sure we’ll get into a little bit shortly, and a quick brief background from our side: Yudit has a ton of experience in cybersecurity and compliance, like we’ve already mentioned, and also holds the Certified Information Systems Security Professional certification.
So Yudit, thank you so much for joining us today and taking some time out of your very busy schedule to chat to us a little bit about compliance. And apart from what I’ve mentioned already, please give us a bit of an introduction about yourself.
Thank you, Kyle. Thank you for having me. And thank you for the opportunity to speak about this interesting topic. So, as you described, I really started off my career in my military service in the Israeli Defense Forces. That was the first time I started to work in the IT industry and in information security. And that’s how I really started my career.
Maybe moving on from that and obviously beginning part of your career in the military service, but having an exposure to information security, I imagine that maybe sparked the interest to want to continue a career in cybersecurity, or what was it for you that made you want to make your career out of this?
So that’s a great question. I never knew that I wanted to get into cybersecurity. It basically happened by mistake, you can say that. I just wanted to know what I want to do on a daily basis, in my day-to-day work and tasks. And then I just started my career and I found those projects that I’m interested in. Somehow I got into security in Rapyd.
I had a lot of opportunities since it’s a very fast-growing company. And you start on one project and in one role in one team. And then your responsibilities just multiply from day to day because of the huge growth of the company. So this is basically how I got to those positions. And this is how I became in charge of GRC, which we’ll discuss in the next questions. But actually, it happened by mistake. Nothing inspired me to get into that field. But I’m super happy that I’m in this field right now.
Amazing. That’s so cool. And that was actually going to be my next question. You’ve done it. And if you did it over again, would you have changed it?
But I mean, you’ve already said you’re super happy to be in that field. So let’s think about from maybe even from the military days and your exposure to information security, what things looked like then to what your very senior role is now.
How has the landscape and your approach to security and GRC, both in maybe your role and just how the world works, how has that changed?
So I think a lot of things are changing in this industry from day to day because regulations and requirements are always changing. There are new requirements every year. And I think that the landscape is changing a lot also because of the tools and the new technologies and the new systems.
So whatever was relevant five years ago will probably not be relevant today. Maybe the main idea of security and compliance will be the same, but we always have new things that we need to adjust to. And the way of management is changing from day to day because we have new companies, we have new fields, the new industries that we are working with. So I can say for sure that it changed a lot, especially from my time in the Israeli Defense Forces,
which is super different than a private company and the fintech industry, which is completely different from those that I mentioned before as well.
So it’s not, it sounds like maybe a boring area to work in, compliance, but it’s not, it’s changing all the time.
Kyle Morris: Being someone that’s in compliance as well, I’d definitely echo that. It isn’t boring at all, but I suppose everyone has their own things.
Yudit Moldavsky: And people think it’s super boring because it sounds like that.
Yeah, it does. It’s big words and terminology that gets thrown around, but maybe even so, I’m digressing a little bit here, but talking about that and people finding it boring: what gets you up and out of bed every day to do your job?
I think that what I like most about the job is the collaboration that I make inside the organization, because in roles of security and compliance, it’s not a role that enables the business. And a lot of times people inside the organization look at the security and compliance people as people that are trying to stop their work; you know, they’re focused on security and compliance, but they don’t really understand the business and the business needs, and everyone hates when they get a call or an email from someone from security. And what I enjoy most about my role is that I hope I’m able to not be so frightening for the users and the employees in the company, and I really think that we are trying to show the employees the logic behind the things that we’re doing and to build a real collaboration between the teams.
And I think this is the most rewarding thing when employees in the company are coming to us and asking for advice and asking for a question, and we don’t only meet them at the end of the year when we are right before an audit and they’re just coming and consulting with us. And that’s amazing.
Absolutely. And exactly what you’ve described there, to be able to transform, like you are doing, people that have the mindset “oh no, it’s the compliance, it’s the security team, don’t come back to me” to having that role fully reversed where they are coming to you and asking for help.
And exactly like you say, it’s not something necessarily people want to do most of the time. They don’t want to do it, but logic was a key word you used there: this is the benefit of it, why it makes sense in what I’m doing.
So that’s super cool. You’re definitely someone that enjoys a challenge in the workplace and the integrations, all the different sort of operational areas. And with that being said, and with you being someone that’s always up for challenges, being a woman in such a high position of power in IT and security operations at a global company, that’s again something that in years gone by you didn’t see happen all the time – so that is in itself a really incredible achievement.
What’s it been like, did it just logically sort of happen with the role and your interests, or what has that been like being in your position as a woman in particular?
I would say that it’s super fun because, you know, I’m the only woman in the room all the time and that’s fun. And I’m the first woman being interviewed on this podcast. And I hope I will not be the last one; that’s a challenge for you now, Kyle.
Kyle Morris: Absolutely.
It’s fun. It’s super challenging both for men and women to be in such high positions in this industry. I love it. I enjoy my day-to-day work and I hope that more people, and women in particular, will be exposed to those positions and will have the courage to go to those positions, because all the high positions in security sound like something very far away. And I hope that people will feel more comfortable to apply to those positions. And I’m sure there is a place for many more women in the industry.
I know you’ve been involved with a few projects, or you were on a few workshops specifically for women in these sort of positions. How does that go? What’s your experience with those been like?
Actually, to be honest, I have never been in something that is specific only for women. Because, you know, there are women in security, of course. But every time that I go to conferences or any workshops and all other activities related to the field, I feel like maybe I’m a part of the 10% of the people inside that are women.
But I don’t put too much attention to that, because I don’t think that it’s really relevant, because whoever wants to get into the field, it doesn’t matter if you’re a man or a woman. It happened somehow that there are fewer women in this field, but I wouldn’t say it says something.
Yeah, absolutely. And I think that shift to basing it on meritocracy, I think is the correct word, basing it on merit and who deserves and should be in that position. So let’s talk a little bit about your projects and, on a daily basis, I mean, I assume you get up in the morning, you brush your hair, you do your teeth; talk us through your normal, typical work day for you at Rapyd.
Yudit Moldavsky: So I start with the coffee. That’s the most important thing.
All the Americano because I’m in Israel. I cannot always drink hot coffee in the morning, but the rest of the year it’s a hot coffee. So yeah, that’s the most important thing in your role, to have your coffee in the morning. And then I have a few teams that I manage. I manage the IT service team and the infrastructure team, and the GRC. My day to day, you know, it starts with things I have teams for, all those responsibilities.
So I always love to have update meetings with everyone and to make sure that the GRC team is collaborating with the IT and security team. In my case, they are both reporting to me, so they have to work in collaboration, but it’s still an issue to have everyone updated and aware of what the other teams are doing. So it’s a challenge.
So you mentioned obviously the governance risk and compliance aspect, IT security, both teams needing to report to you.
How do you prioritize, or what is your thought process to figure out what risks to prioritize from a business, IT side? How does that look?
So, the part of understanding which risks are more critical: I think it’s the most important thing that you can do in a higher management position, because the time is limited and the people that you have on your team, their time is also limited, and you want to make sure that you’re not wasting time on a task that is less critical than the others.
So I do, on even a daily basis, some kind of mini risk assessment. And I have the risks of the organization that are aligned with the business and with the goals of the company. And I’m trying on a daily basis to make sure that all the tasks that we’re working on are according to the risk assessment and according to the company goals, and I think this is the most important thing: to not waste time, not yours, not your team’s, and to make sure that you address the things, you know, the most critical systems, the most critical processes and the critical partners and vendors that you are working with. Their prioritization is really the most critical part of the job, because your team knows what they’re doing, but they don’t know how to prioritize; everyone sees only their own tasks, and that’s basically what you need to do as a good manager: to understand and to see the bigger picture and to know which tasks will help your team to succeed, and not only a specific person on your team,
and then you basically build the plan and understand what are the most critical things to address.
Would you say that’s the biggest challenge, if we can call it that, in the role: deciding and getting that prioritization as accurate and correct as possible?
Yeah, I think it’s a big challenge. We have a lot more challenges, but there’s one thing: I think when you address the most critical things first, it solves most of your problems as a manager.
Absolutely. Yeah, sure. And I like to take key things away from certain answers. And one thing you mentioned there is, on a daily basis, to do a mini type of risk assessment.
What I see also from a compliance basis, and again, you will have seen it time and time again: for compliance, you need certain controls and processes, and for a risk assessment, someone would want to maybe do it once a year to have a checkbox, but the value they’re getting out of that is next to zero, because what you did three months ago and now versus a year down the line is so different.
So to have implemented that, the logic that we spoke about earlier, the value on a daily basis, just to keep everything actually in check, focus on what’s important, that’s amazing. I mean, how did you even get to a point where you had the teams buying in, and it just works efficiently that on a daily basis you do, you know, a mini risk assessment?
Yeah. I think the team is used to that because, you know, I came from IT operations and that’s my approach, always about operations, about delivery, about what’s important for the business. And my team knows that this is how I work, and they are adjusting to this method, and this method, in my opinion, is best for employees as well, because they get more recognition of what they’re doing: if the task that they’re completing is enabling the business and contributing to the business, then they get seen much more, and they get recognition for their daily work.
Amazing. And if we’re looking at the other side, or maybe giving some advice to anyone that might be listening to this, an organization that’s looking just to get started, they need to build up the IT security, they want maybe in the future to be in a place where they have a proper GRC function in place, what would you suggest to them as maybe a few good tips or starting points for them to get going?
I think that if you’re in the early stages, what’s most critical is to implement security in all stages, right when you start and when you’re just, you know, creating your users and identities and organization, for example, and to really start to implement security policies from the beginning, because later it would be much harder to go back and look for all the things that can make you fail in an audit.
Let’s say it like that: when you know all the requirements and all the policies that you are going to implement and do it from the first day, it’s much easier in a later stage to make sure that your company is compliant.
And it will be much easier for the employees in the company if they’re used to specific policies from day one, and not after one year you’re saying, okay, now you have to change your password every two months.
So when you’re starting with the policies from the first day, you get the collaboration of the employees because that’s what they know from the beginning.
And you don’t have to deal with their responses to changes later. So I would recommend to start from the beginning with all the policies that you are planning to have, and to have a plan for at least one year, from where you’re standing to where you want to be as a GRC team, as an IT security team, what are the security standards that you want to follow, and then you actually build that, but from the beginning and not in the final stages.
Amazing. I’m fully confident that there will be many people listening to that who are going to take that exact advice and start building things up for themselves, and look back and say, thank you, you did it. You got us going and things are working great at our company.
So that’s amazing. Let’s maybe tie the picture together now. So we’ve obviously spoken about the compliance side. We’ve spoken about the different organizational roles. Let’s talk about the audit side now.
So on an ongoing basis, you’re obviously doing the preparation, and in any ideal world, I suppose, whether you had an audit in three months’ time or tomorrow, you want the organization to be operating in a way that it would be ready. How do you go about preparing for an audit?
So the most important part is to be audit-ready the entire year and not wait for an audit, because if you have an audit in one week or in one month, whenever you remember that you need to be prepared for an audit, it would be much more difficult to get all the technical teams, because this is not their first priority.
It will be much more difficult to get their time, to get the evidence collected, to make sure that the processes are even aligned with the requirements and with the compliance program that you want to follow. So I think the most important part is to really be prepared for the audit the entire year. You can make like a mini audit; you can have your GRC team auditing the technical teams throughout the year and not only wait for the specific date.
And again, as I said in my previous answer, to make sure that the security policies that are implemented are aligned with the requirements. And then you make sure that you are prepared for an audit, and you are doing that because you appreciate the security level that you want to be in, and not only because we have an audit.
You make it sound very, very simple.
Yeah, it is.
That’s as easy as that.
Yudit Moldavsky: Yeah. Easy when you manage the IT team, you see, because we just control everything.
But even just that understanding of how they work. And again, in what you said, how you go about preparing for an audit: yes, there’s a lot of preparation, but time management of the teams, that is so vital to the whole process. Like you said, if you’ve got different control and process owners that aren’t able to actually prioritize or make the time to gather evidence or make sure things are right, it’s never going to work.
They’re going to hate you. So to have that at the forefront, and that was right at the head of your onset, to say, manage the teams’ time and get them in place. It seems like it’s a very effortless process; that’s very cool.
Make sure that the technical teams understand the value of what you’re doing. Because if they don’t understand why you need to be compliant or why you need to go through a specific audit, it will not work. And then we go back to the logic that we previously discussed. You cannot tell someone “don’t do that” without explaining the logic behind it.
And when you have all the teams on board and when you have high awareness in the company of security and compliance, you have their collaboration, because this is when they know why they’re doing that, and when they know the dates of the audits and they know what exactly will be tested and checked, they will also be part of the effort, and it’s a joint effort. You cannot have just one GRC team or compliance team make the company compliant; you need a joint effort of all employees, especially the technical teams and your security and IT teams.
And this is how you make sure, and this is how you make it easy on the actual day of the audit.
Definitely. And if we think ahead now. So this is how the process is currently working. Let’s take you in your role in an organization in five years’ time. What do you think, do you see any developmental changes, maybe trends in compliance, anything really that’s going to be drastically different to how you prepare and go about compliance on a daily basis from today?
I think that a lot of regulations will change because we are all, as a society, becoming more and more sensitive to our privacy, let’s say, for example. And you see that many countries are, we have the GDPR and now, you know, many countries will treat privacy in a different way. And I believe the regulation will change, and we will have to be prepared for that, and make sure we are up-to-date with all the new regulations and policies and follow them. But in addition, I think that we will also have changes in the tools that we will be using. I believe in automating a lot of processes.
And I think that with the right tools that we will have, it will change the scope of the role, and then maybe if we eliminate a lot of manual work and a lot of repetitive processes, we will make more time for the security professionals and the GRC specialists to focus on things that are more about perspective and vision and less on manual work and repetitive tasks.
Absolutely. And you stole the words right out of my mouth, what I wanted to ask next in terms of automation and tools like that and getting the right tools that will be able to help automation and repetitive tasks.
That has to be key there, because just to automate something again, with no value or no assurance, or being able to rely on what it’s actually doing. But again, I suppose the value for the different teams as well: if you can take away a large part of the manual requirements of what they have to do for preparation and be able to rely on tools accurately,
that’ll make things much better, won’t it?
Yeah. And it will give the security professional more time to focus on other things like real prioritization, risk assessment, which I don’t think automated tools will be able to solve. So it will really give more time to focus on the critical things and to evolve the field and to also expand the scope of what the GRC are doing.
Amazing, yeah. The future looks bright. It looks promising. It’s filled with a lot of sensitive data and a lot more regulations and controls. But I mean, we’re moving in a very technological space always.
So, for anyone that’s listening to this, and I’d like, if we can, to maybe focus on women in the industry that are looking to be the next Yudit, what guidance can you give them?
Find what you’re good at and improve that; find your best qualities and understand how you can bring added value to this field. You need to improve those and build on them and be confident in what you can give to a company and what you can bring to the table. This is the way to go, in my opinion, to go into any industry that you want to go into and to start any change in your career. Always focus on your best qualities and evolve them. Don’t focus on the things that you don’t know, because it’s not relevant. You will never know everything, and be confident about yourself.
Always learn new things. Just read about security and compliance, see what other companies are doing, see what other industry professionals are saying, what they’re speaking about. We have a lot of information online. It’s not hard to get information about anything that you want to know. So for me, that’s the easy part. I think that most of the people that are finding it hard to get into a specific industry, it’s not because they don’t have enough information about the industry. It’s because they don’t have enough confidence to apply to those positions.
As I see it, maybe I got it wrong, but if this is the case, then just really focus on the things that you know and you love to do. And the most important thing is that you find the place and the position where you love what you’re doing, where you enjoy your day-to-day tasks. So find what you’re good at, do that, be confident, and that’s it.
Amazing. I think that is perfect career guidance. So fantastic advice there. And one last thing for you after you’ve given us such good guidance there.
Is there anything else you want to add about the role, about you? Absolutely anything whatsoever you’d like to close off with.
Yeah. So first, I wanted to say thank you for the opportunity to discuss this topic. I hope this conversation and discussion was useful for those who want to get into this field. And I also hope that it was maybe refreshing for those who are already in this field for years. And I hope that I was able to bring some different perspective about the industry, about security, about compliance and about, you know, just your career. And that’s it.
Amazing. Thank you so much for being with us on the podcast today. It really has been an absolute pleasure and a privilege to chat to you. And exactly like you said, some really insightful, exciting answers from a really phenomenal career so far. So thank you for taking time out of your day today to speak to us.
Yudit Moldavsky: Thank you, Kyle.