Secret CSO: Vidit Baxi, Safe Security

What is the worst current trend in cybersecurity? "Enterprises have traditionally been threat-driven and have been reacting to breaches... This is perhaps the worst approach to cybersecurity."

Name: Vidit Baxi

Organisation: Safe Security

Job title: Co-founder & CISO

Date started current role: June 2012

Location: India, New Delhi

Vidit Baxi is the Co-Founder and Chief Information Security Officer (CISO) at Safe Security. He is responsible for leading customer success globally, ensuring Safe Security follows the necessary cybersecurity guidelines and compliance requirements, and leading multiple product functions. With over a decade’s experience, he is also key in driving Safe Security's enterprise and product journey forward. Baxi has been featured twice in Fortune’s 40-under-40 and was awarded the 2019 Entrepreneur of the Year by Entrepreneur Magazine.

What was your first job? I started working in cybersecurity right away post-graduation. I was working with an organisation that primarily focused on cybersecurity training and awareness, and I was responsible for training around how to proactively manage cyber risk for board members, government agencies and educational institutions across India. This helped me understand the state of cybersecurity in India which led to building Safe Security in 2012 alongside my co-founders Rahul Tyagi and Saket Modi.

How did you get involved in cybersecurity? From an early age technology interested me, I was always curious and tried to get deeper into how technology worked. When you start understanding and exploring cyber in-depth, security becomes one of the key aspects.  

By the time I graduated, cybersecurity was starting to become a major challenge for businesses, governments and individuals globally. I was very keen to understand how to protect technology and got involved in cybersecurity. I started my career in the services and training business, then took a step forward co-founding Safe Security, where I also took responsibility for managing the security operations of the company.  

What was your education? Do you hold any certifications? What are they? I have a Bachelor's in Computer Science from Saurashtra University. In the early years of my career, I earned multiple certifications with Microsoft and got my certification as an ISO 27001 Lead Auditor.

Explain your career path. Did you take any detours? If so, discuss. I met my current partners, Rahul Tyagi and Saket Modi, while taking cybersecurity training and awareness sessions across India. In 2012, we decided to build our own company, that’s when Safe Security (previously called Lucideus) was born.

We began as a cybersecurity services company, providing cutting edge solutions to help businesses mitigate their cyber risk. However, we soon realised that the problem of enterprise cybersecurity runs deeper, and cybersecurity services were just one arm of what a full solution should be. We developed our cybersecurity and digital business risk quantification platform - Security Assessment Framework for Enterprises (SAFE) - in 2017 and brought a completely new approach to enterprise cyber risk management. We created a new category with our product within the cybersecurity realm and shifted our company’s focus from services to products. As of 2020, 70% of our revenue comes from our product business which is currently used by multiple Fortune 500-2000 companies across the world.

Was there anyone who has inspired or mentored you in your career? Throughout life, I’ve learnt and imbibed from multiple people around me. Pointing out just one of them would be unfair. Even at work, I believe I learn from investors and our board but also from my team and colleagues.

At home, I learn something new every day from my daughter. She keeps me on my toes all the time.

What do you feel is the most important aspect of your job? I play multiple roles within the organisation, I lead the product and customer success team and spearhead the information security department. 

As a CISO, one of the key aspects of my job is to ensure the security of our product SAFE. As many of our customers operate in highly regulated industries - from banking, financial and insurance services to aviation and fast-moving consumer goods - we need to keep airtight security. We maintain appropriate processes as well as roll out necessary enhancements to our product in order to provide them with the resources they need to accurately measure and mitigate their cyber risk.  

What metrics or KPIs do you use to measure security effectiveness? We use our SAFE platform to measure the security effectiveness of our organisation. Specifically, knowing where most of the risks lie within our business is always the first step.

Is the security skills shortage affecting your organisation? What roles or skills are you finding the most difficult to fill? There is definitely a skill gap and manpower crunch in the cybersecurity industry. However, we have been lucky to have been able to build the absolute best team we could have wished for, which is reflected in our triple-digit year-over-year growth and global expansion.

That said, there is a major gap in cybersecurity when it comes to experts in new technology fields and leadership roles. As technology evolves so do the positions; for example, organisations are now looking for seasoned DevSecOps or experts on everything AI and ML, but the pool of professionals with the necessary skills is very small. The gap also extends to leadership roles, since many organisations look for top professionals that showcase both technical skills and business acumen – something that is not nurtured enough within the talent they already have.  

At Safe Security we pride ourselves on promoting from within, we try to leverage as much as possible the existing talent, we see our growth in tandem with our employees’ growth.

Cybersecurity is constantly changing – how do you keep learning? As a cybersecurity company, we have a strong R&D and product development team coupled with specialised services, which has helped me stay abreast with the constantly changing dynamics of the cybersecurity industry.

We are constantly mapping industry standards and work closely with and contribute to CERTs across the globe, the National Vulnerability Database and more, which allows me to get different perspectives on the threat landscape and how other organisations are facing them.

I also attend several conferences and events throughout the year to connect with peers from across the world to share experiences, intelligence and new trends in different markets.

What conferences are on your must-attend list? Some of the conferences on my must-attend list are CyberTech, DefCon and BlackHat. These provide a lot of invaluable knowledge around what other experts and companies are seeing within the industry, what is changing and how they are addressing current challenges.

What is the best current trend in cybersecurity? The worst? Enterprises have traditionally been threat-driven and have been reacting to breaches, which is why we’re seeing events of the scale of SolarWinds or Microsoft Exchange happen repeatedly. This is perhaps the worst approach to cybersecurity. One needs to be on the offense when it comes to cybercriminals. The best trend right now is the shift to a proactive and predictive approach to cybersecurity. I am beginning to see organisations wanting to make that switch, especially through digital business risk quantification, meaning they would start seeing what could go wrong before it happens instead of simply reacting to threats once they have occurred. 

What's the best career advice you ever received? One of my family mentors told me in the early years of my career, “It is important to do what you love, and once you do that, your work is not defined by the hours you spend but the quality you produce.” It is the passion and interest that matters most and until you find that, keep searching. I was lucky enough to find my passion early on.

What advice would you give to aspiring security leaders? I would urge aspiring security leaders to focus on two things. First and foremost, to spend time to understand how technology works and how cyberattacks happen.

The second aspect to this is being vigilant. As a security leader, you will always have to be on your toes and have the right proactive defences in place in case a cyberattack occurs. Know your technology stack, know your policies inside and out, understand the risks from your employees and your partners, then focus on measuring what matters most - the financial impact of a cyberattack – and how to protect and prevent.

What has been your greatest career achievement? It has been my absolute joy and pride to have been a part of Safe Security since its beginnings. A team that has built, from the ground up, a category-leading product – SAFE – that is creating a niche for itself, solving actual business problems without the IT jargon that swamps the cybersecurity industry.

I have also been fortunate enough to build a team which is focused, passionate and wants to make an impact by solving real customer challenges.

Looking back with 20:20 hindsight, what would you have done differently? It was a record-breaking year for our company and for cybersecurity at large. We saw a 250% YoY growth and have expanded to Australia, Japan, the EU - all during the pandemic. Since we were a tech-first company, a lot of our work was already remote-working ready and the shift, although slightly difficult initially, went on smoothly for us. I wouldn’t change anything from a business point of view for 2020.

What is your favourite quote? “Ideas are worth nothing unless backed by application. The smallest of implementation is always worth more than the grandest of intention.” I read this in a book by Robin Sharma which really has stuck with me.

What are you reading now? I am presently reading The Fifth Discipline by Peter M. Senge.

In my spare time, I like to… Spend time with my family, play with my four-year-old daughter, and learn as much as possible from her!

Most people don't know that I… Still continue to write poems.

Ask me to do anything but… Being unfair or untruthful to anyone.