Secret CSO: Rohit Parchuri, Yext

What is the worst current trend in cybersecurity? “In my opinion, the worst is the vendors trying to do everything without a sole focus on a specific domain.”


Name: Rohit Parchuri

Organisation: Yext

Job title: Senior Vice President & Chief Information Security Officer

Date started current role: June 2021

Location: Morgan Hill, CA

Rohit Parchuri is an accomplished security executive with an established record of building, structuring, and institutionalising security principles and disciplines across a variety of organisational domains. He currently leads the cybersecurity program at Yext, an AI search platform. In this role, Parchuri is responsible for building and executing a cybersecurity program spanning Product & Application Security, Cloud & Corporate Infrastructure Security, Threat Intelligence, Data Forensics & Incident Response, Privacy, and Risk & Compliance. He also briefs the board of directors and executive management quarterly on cybersecurity matters such as program maturity, outstanding risks, and remediation strategies. In addition to his day job at Yext, Parchuri serves as a Board Advisor for Eclipz, California State University (CSU), and venture capital firms.

What was your first job? My first paying job was working as an employee in a grocery store in Chicago when I was pursuing my master’s to make some extra cash for living and food expenses. This was my first year in the United States, and my parents were helping me pay my tuition, but the living and other expenses were something I needed to figure out myself.

This experience taught me quite a bit about the dignity of labour and how difficult it really is to put food on the table–this made me realise the importance of work ethic and ultimately the satisfaction of buying your own bread.

How did you get involved in cybersecurity? When I was pursuing my Bachelor of Science back in India, my buddy and I picked a research project that had to do with software rootkits and their behaviour in the computer. Keep in mind, the nefarious activities were still in their infancy and rootkits were gaining popularity among script kiddies (the adversary cohort known for turnkey malicious practices, such as leveraging existing scripts to perform malicious actions, hence the name). As we delved deep into the subject of rootkits, I was personally quite amazed by this software that was able to manipulate Windows programs and ultimately tamper with the functionality of the operating system.

This led me to start researching cybersecurity with the intention of going deeper into attacker practices (or threat models, as we call them now) and ways to defend against such attacks. This research led me to apply to universities that offered cybersecurity education, but I found only a handful of universities in the US that actually offered cybersecurity degrees and were open to international students. I was lucky enough to get into one of those universities, which enabled me to ultimately break into the job of my dreams: Network Security.

What was your education? Do you hold any certifications? What are they? I completed my Bachelor of Science with a focus on Electronics and Communications during the day, and pursued a Diploma in Computer Science at night. After my bachelor's, I enrolled at DePaul University in Chicago for the master's program in Computer, Information, and Network Security, and completed the master's program with distinction. Later on, I went on to pursue a master's degree in Business Administration with a concentration in Entrepreneurship.

I hold other domain certifications with GIAC (GSSP-Java), Cisco (CCNA, CCNA Security), F5 (BIG-IP LTM), and Microsoft certifications in the security domain.

Explain your career path. Did you take any detours? If so, discuss. I consider myself lucky to have found my purpose as I began working for an enterprise which let me build a professional foundation before delving into other domain adjacencies. My job at Rackspace Hosting as a network security administrator was my first job that gave me hands-on experience on topics that I had only interacted with on a theoretical level thus far, and allowed me to see real-world problems in cybersecurity through a customer lens. One year into my role, I knew that the bulk of the security debt actually resided in the application or software side of the house, and given the importance of building secure software (for any product-facing organisation), I quickly started exploring application security roles and responsibilities.

I was fortunate enough to find an opportunity at ServiceNow to help build their application security function, as this function was non-existent and they needed someone to take hold of customer requests for penetration testing and other customer assurance related activities. During this time, ServiceNow was also pivoting into the government vertical and, as a result, the team was in the process of setting a vision for FedRAMP certification (aka a barrier for any service-oriented business to enter the federal market). This gave me an edge, since we needed our software, more than anything else, to stay ahead of the security curve and build a maturity plan to become compliant before rolling it out into other functions. During my 8-year tenure at ServiceNow, I had an opportunity to move laterally across the Information Security department and get my hands into Security Operations, Risk and Compliance, Field Security, and Secure SDLC, which later on helped me understand the basic building blocks of any successful cybersecurity program.

Post ServiceNow, I wanted a change of scenery, and this led me to take up a leadership role in one of the heavily regulated industries, healthcare technology. I was brought on as a Director of Information Security at Collective Health to build a security program with HIPAA and HITRUST in mind. Later on, I was able to move into a formal Chief Information Security Officer role and assumed other governance and risk management responsibilities, in addition to physical security. While I was operating in this role, I received exposure to privacy elements that were managed by other partner teams; this is something I wanted to explore as an extension of my CISO role.

To that end, while exploring options for my next CISO role, my focus was to build something from the ground up, with privacy as a key ingredient. This is when I found Yext, an AI search company that was leveraging AI to significantly enhance its search algorithms. This was a perfect opportunity for me, as the company needed cyber guidance and was also willing to invest in broader security and privacy objectives. Currently, I am happy to say that I have a mighty team that helps me curate and structure the cybersecurity program for Yext with a strong customer focus and the intent to deliver the right security controls without being burdensome on the teams, which enables us to realise our long-term vision.

Was there anyone who has inspired or mentored you in your career? My first inspiration was my father, as he instilled in me the importance of education, hard work, and more importantly, how to connect those with smart work so things could be accomplished not with mere brute force, but with a reasonable thought process. This has always been my motto growing up and led me into areas that helped me propel my life and career forward.

Later on, I was very impressed with a person named Sadhguru (Jaggi Vasudev), who in my eyes is a person of action in how he was able to garner massive support from populations around the world to make systemic changes in how we live on this planet. You may ask what this has to do with cybersecurity, but let me explain: there is always this one person who changes the trajectory of our lives; how we think, how we operate, and most importantly, how we execute. For me, this was Sadhguru. I learned quite a bit (not from his teachings, but from his actions) about the willingness to jump into extremes and make things work with a sensible mind and action; this is how I was able to jump into cybersecurity domains without a lot of working experience or knowledge. Another thing I learnt was how to prioritise objectives that benefit a larger population, by applying the right narratives to influence the masses to take that next logical step.

What do you feel is the most important aspect of your job? If I have to talk about one most important aspect, I would say "Risk Visualisation and Treatment." Although it may seem trivial at first glance, trust me, it packs a ton of action. Ultimately, the company leadership looks to the CISO, or any senior security leader, to help them understand the risk landscape and how to penetrate the noise, with the outcome of applying the risks to the business and the intention of treating them effectively in an efficient manner.

This not only allows your board and other C-Suite executives to look at your program with a risk lens, but also allows you to build a culture of transparency and accountability across the organisation with critical partners such as internal audit, engineering, and IT, to name a few.

What metrics or KPIs do you use to measure security effectiveness? Metrics serve different purposes, so the creation and delivery of metrics depend on who will ultimately be consuming this information. For me, metrics ultimately have to showcase the current success and future direction of the security program, while aligning with business goals.

When I was running security programs at heavily regulated companies, my sole focus for board presentations would be on regulatory and compliance metrics, as this is the holy grail for the business, and as a complementary metric I would showcase the productivity gain for the entire company or a department from using security technologies or processes. On the flip side, when sharing metrics with other department leads, my focus would be on key risk indicators and accountability; i.e., what risks have been identified as part of our risk modelling exercise that either tie into compliance/contractual obligations or reduce risk (note there is no absolute elimination of risk, no matter what you do) for the enterprise.

Is the security skills shortage affecting your organisation? What roles or skills are you finding the most difficult to fill? I don't think there is a shortage of security skills in the broader market; I think the problem exists in how we seek the individuals to fill these roles. Most often I see leaders looking to fill these roles with only experienced folks (although the posting clearly states a junior position) and trying to make the role sound like a jack of all trades.

In my organisation, while I do feel the pain of not being able to hire security personnel in a timely manner, we have nevertheless been successful in hiring the right people, although it took some time to get it going. The most challenging roles fall in the specialist categories, such as Application Security and Data Forensics, and while the engineers, architects, and managers were easy to come by, the engineers came at both a price and with a significant time lag.

Cybersecurity is constantly changing – how do you keep learning? As discussed above in the inspiration section, I was brought up to learn and appreciate education and continuous learning to be able to make myself informed about various things. Cybersecurity is no exception to that rule, and I personally invest my time into listening to podcasts hosted by leaders across different disciplines and I’m also an avid reader of books, newsletters, and blogs. Another place I learn a ton is from round table discussions with other CISOs and security practitioners, and I jump on those every chance I get.

What conferences are on your must-attend list? Conferences cater to different audiences, and depending on what you plan to take away from the conference, you should decide accordingly. This was the first time I visited the RSA Conference, and I had a blast both networking with professionals from all cyber spheres and enjoying the sessions that were geared towards practitioners. I also enjoy attending DEF CON in Vegas because it allows for more technically oriented sessions with a ton of bootcamps and training for security practitioners.

What is the best current trend in cybersecurity? The worst? I feel there has been a ton of visibility and observability push from a solutions perspective in general within the cybersecurity industry of late, and I love it. These solutions are helping us see the assets for what they are. For the longest time, cybersecurity was known to merely enable and enforce controls without fully understanding what's at stake. This is changing, and I am glad it is, because we need to know what exists in our ecosystem before we can start protecting it, and to what extent. A few buzzwords that manifest these principles are ASM, CSPM, ASPM, and CAASM.

In my opinion, the worst is the vendors trying to do everything without a sole focus on a specific domain. While I would love to have a single solution that helps with multiple different risks, I feel that the effectiveness of the tool diminishes when you put your fingers in a lot of things.
