Secret CSO: Yogesh Badwe, Druva

What do you feel is the most important aspect of your job? “The ability to dissect people, process or technology systems to their lowest micro level and to understand how systems work together…”


Name: Yogesh Badwe

Organisation: Druva

Job title: CSO

Date started current role: November 2021

Location: California

As Druva’s CSO, Yogesh Badwe is responsible for overseeing all facets of the company’s cybersecurity program and driving initiatives to help its customers achieve cyber and data resilience. He is passionate about helping organisations secure their digital transformation journeys to the cloud. Badwe brings 15 years of cybersecurity leadership experience to Druva, having held senior positions at high-growth organisations such as Okta, Salesforce, Orange Business Services and Global Telesystems Ltd. Most recently, Badwe served as Senior Director of Information Security at Okta where he was instrumental in helping build and lead the security function through a period of significant business growth from $40M to $1.2B in ARR, and securing the company’s journey through a successful IPO in 2017.

What was your first job? My first professional job was as a Tier 1 Security Operations Centre Analyst, making ~$200 a month, at a Fortune 500 US financial institution. This was probably one of the earliest iterations of a SOC that was driven by regulations that existed in the financial industry at that time. I had to work the 8-hour night shift and analyse, triage and escalate security events using a SIEM called Sentinel (later acquired by Novell, Inc.). I have spent most of my professional life down in the trenches closer to the action, and this first job really exemplified the start of that journey. I have earned a lot of battle wounds and precious pearls of front-line wisdom.  

How did you get involved in cybersecurity? My passion for cybersecurity really took off during my undergraduate studies. The computer lab in the university was shared by 100 students at any given point. This was more than two decades ago and internet speeds were not nearly what they are today. After my frustrating struggles with the insufficient bandwidth, I figured out how to get control of the full lab network (tip: always change your default admin/admin password on your network gear) and essentially travel in the carpool lane. This was an “ah ha” moment for me that really kick-started and narrowed my focus on cybersecurity as a profession. I soon became engrossed with breaking things and finding loopholes - and the rest was history!

What was your education? Do you hold any certifications? What are they? I earned a Bachelor of Engineering in Information Technology at the University of Pune and have a Master's in Information Security Policy and Management from Carnegie Mellon University. I also completed a post-graduate certificate program in Marketing at the University of California, Berkeley, where I learned marketing strategy, pricing analytics and strategic brand management. Early on in my career, I held a bunch of industry-specific certifications such as CCNP, ITIL and ISO 27001 Lead Auditor - but stopped brewing that alphabet soup after a few years. All of these are good to enter the field, but nothing trumps on-the-ground experience and exposure to cybersecurity situations.

Explain your career path. Did you take any detours? If so, discuss. No detours. I have always been associated with the cybersecurity domain in one form or another. Over the years, I’ve internally detoured, operating in and having led various functions within the cyber security domain from Product Security to Incident Response. Prior to joining Druva, I spent the last eight years in a number of security leadership roles at Okta where I led teams responsible for managing Okta’s prevention, detection and response strategies. I’ve also managed various security programs at companies such as Salesforce, Orange / France Telecom and Global Telesystems. I have been fortunate to wear some non-traditional cybersecurity hats as well: influence product strategy, drive investments and in-organic growth decisions and champion customer safety initiatives. I’ve dabbled in a little bit of everything.

Was there anyone who has inspired or mentored you in your career? There are too many to list! Some that have inspired me include Vint Cerf and Eugene Spafford for the foundational role they have played. It will be difficult for me to call out a single mentor. There is something valuable to learn from everyone you work with. I’ve reported to many different leaders over the years, and have learned many important lessons from each of them.

But if I had to choose one person that has had the most impact on my life, it would be my father. At an early age, through example, he instilled in me a strong sense of work ethic, integrity and ambition joined with humility - that play a very crucial role in who I am as a professional today.

What do you feel is the most important aspect of your job? Being technical is very important. Cybersecurity is all about risk, and businesses face a lot of it. It is important to understand the business context in which cybersecurity plays a role - so as to accurately analyse, communicate and take effective decisions on those risks. Having strong interpersonal skills to influence and drive alignment or change is also essential.

The ability to dissect people, process or technology systems to their lowest micro level and to understand how systems work together at a macro level is also important. Having a breaker's mindset that is able to find gaps and loopholes at both these levels is crucial for any security professional and worth separately calling out.

What metrics or KPIs do you use to measure security effectiveness? We have a security dashboard with various metrics that we use to measure the current security posture of the organisation across various dimensions, program maturity state and also effectiveness of our security controls. It will be hard to list all of the KPIs, but I will call out one: SLA Efficiency. This KPI is a percent of vulnerabilities that were remediated within our internally defined SLAs over any given time period. It is a great macro level metric to measure how effective we are as an organisation at remediating vulnerabilities appropriate to the risk we believe they pose to us.
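The SLA Efficiency KPI described above, as an added example that is not Druva's dashboard code. The per-severity SLA days, the sample findings and the scoping rule are assumptions made for illustration: a finding is counted in a reporting window when its SLA deadline falls inside that window, so an open finding that is still within its SLA is not yet scored as a miss, while an open finding past its deadline is.

```python
"""SLA Efficiency: percent of vulnerabilities remediated within their severity SLA.

Added example, not code from the interview or from Druva. Assumptions:
the SLA_DAYS table, the constructed SAMPLE findings, and the rule that a
finding belongs to a reporting window when its SLA deadline falls in it.
"""
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Iterable, List, Optional

# Assumed internal SLAs (days from discovery to required remediation).
SLA_DAYS = {"critical": 7, "high": 30, "medium": 90, "low": 180}


@dataclass(frozen=True)
class Finding:
    id: str
    severity: str
    found: date
    fixed: Optional[date]  # None means still open

    @property
    def deadline(self) -> date:
        return self.found + timedelta(days=SLA_DAYS[self.severity])

    def met_sla(self) -> bool:
        # Open findings never "meet" the SLA; closed ones must be on or before the deadline.
        return self.fixed is not None and self.fixed <= self.deadline


def sla_efficiency(findings: Iterable[Finding], start: date, end: date) -> Optional[float]:
    """Percent of findings whose SLA deadline fell in [start, end] that were fixed on time.

    Returns None when nothing came due in the window, so an empty period is
    not reported as a misleading 100%.
    """
    due = [f for f in findings if start <= f.deadline <= end]
    if not due:
        return None
    met = sum(1 for f in due if f.met_sla())
    return round(100.0 * met / len(due), 1)


def breached(findings: Iterable[Finding], as_of: date) -> List[str]:
    """IDs of findings that are still open and already past their deadline."""
    return [f.id for f in findings if f.fixed is None and f.deadline < as_of]


# Constructed sample data for the example (not real findings).
SAMPLE = [
    Finding("V-1", "critical", date(2022, 6, 1), date(2022, 6, 5)),   # due 6/8, met
    Finding("V-2", "critical", date(2022, 6, 3), date(2022, 6, 20)),  # due 6/10, missed
    Finding("V-3", "high", date(2022, 5, 20), date(2022, 6, 15)),     # due 6/19, met
    Finding("V-4", "high", date(2022, 5, 25), None),                  # due 6/24, open: missed
    Finding("V-5", "medium", date(2022, 6, 10), None),                # due 9/8, not yet due
    Finding("V-6", "low", date(2022, 1, 1), date(2022, 6, 29)),       # due 6/30, met
]


def report() -> dict:
    """Headline numbers for the sample: June 2022 efficiency, an empty month, and overdue items."""
    return {
        "june_efficiency_pct": sla_efficiency(SAMPLE, date(2022, 6, 1), date(2022, 6, 30)),
        "march_efficiency_pct": sla_efficiency(SAMPLE, date(2022, 3, 1), date(2022, 3, 31)),
        "breached_as_of_july1": breached(SAMPLE, date(2022, 7, 1)),
    }


if __name__ == "__main__":
    for key, value in report().items():
        print(f"{key}: {value}")
```

Scoring by deadline rather than by discovery date is what keeps the metric honest: a critical found on the last day of the month with seven days to fix should not drag down that month's number, and an open finding that is past its deadline should count as a miss even though no remediation date exists.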

Is the security skills shortage affecting your organisation? What roles or skills are you finding the most difficult to fill? The supply-demand curve is skewed and continues to be a problem in general for the security industry. It is a larger problem for smaller teams that are trying to find more experienced candidates to bootstrap their security functions. I have previously experienced that the time to hire can go past 9 months for critical skill sets. The hardest roles to fill are security engineers with development experience (Product Security / DevSecOps type roles) and Cloud Security engineers - both are relatively nascent fields.

Cybersecurity is constantly changing – how do you keep learning? You can’t get away from learning if you work in cybersecurity. Every day you might need to understand the very core of a new technology, process or systems that are used by other functions. The external cybersecurity landscape is also constantly evolving with new paradigms coming up every year (just look at the Gartner Hype cycles!). Security is also sort of a cat and mouse game with threat actors where you have to learn and adapt to changing adversarial tactics. To answer your question: the job makes sure that I keep learning! For everything else, we have Twitter (just kidding).

What conferences are on your must-attend list? Every year I try to attend BlackHat/Defcon, BSides and RSA. These industry events are great opportunities to reconnect with friends and peers across the globe and also see the product innovation happening in the industry. I would also love to attend Nullcon this year, which is one of the largest security conferences in India.

What is the best current trend in cybersecurity? The worst? Securing software supply chains is a widely discussed topic at the moment as hackers continue to penetrate and leverage software supply chains. Gartner even lists digital supply chain risks as one of the top security and risk management trends for 2022 and expects that 45% of global organisations will have experienced software supply chain attacks by 2025. Supply chain security startups have also received significant venture funding over the last few quarters and we will continue to see more funding going towards technology that can help with this area over the coming years.

Another good trend we see is regulatory oversight and policy to drive changes in enterprise cybersecurity operating models. From the SEC’s cybersecurity rules proposal in the US to the CERT-In security directive in India - all play a pivotal role in incentivising and maturing cybersecurity structures for maximum societal benefit.

The worst trend? Every security product stating they leverage Machine Learning to do security magic.

What's the best career advice you ever received? The best advice I have ever received is: make customers successful! From frequent zero-days, to threat actors in your neighbourhood, to simple technical mistakes having outsized security impact, there is never a dull moment in cybersecurity. The second best advice, and the one that my wife will confess I rarely follow: the work will always be there tomorrow morning.

What advice would you give to aspiring security leaders? For individuals aspiring to be a CSO, it is critical that they understand their organisation’s business, its mission and wider purpose. Organisations exist to increase shareholder value, so cybersecurity professionals must understand where the security organisation fits within this paradigm. Also, there will always be high-pressure situations in cybersecurity - never let a crisis go to waste, and lead from the front and by example.

For those that are just starting out, I would encourage them to get involved with the security community early on. Taking up extracurricular activities or joining an online volunteer group will help demonstrate a desire to work in the field and are also great networking opportunities. It may just be what will lead you to your next opportunity.

What has been your greatest career achievement? It is hard to pinpoint a singular event that was the greatest over a two-decade journey. Different stages in your career have different defining moments appropriate for that stage of your career. The earliest one I can remember is winning a CTF (also called Capture the Flag or hacking contest) during my undergrad years. I had 24 hours to successively break into ten different stages of the contest by exploiting different vulnerabilities (SQL injection, format string vulnerabilities etc). If I recall correctly, I got a 16 MB USB stick and a hoodie as a prize.

Looking back with 20:20 hindsight, what would you have done differently? It may sound cliche, but I wouldn’t change a single thing. I believe that each experience I’ve had throughout the span of my career has played a critical role in getting to where I’m at today. I wouldn’t do anything differently.

What is your favourite quote? The Poem of La Mancha has always stuck with me.

“To dream the impossible dream,

To fight the unbeatable foe,

To bear the unbearable sorrow,

To run where the brave dare not to go,

To love pure and chaste from afar,

To right the unforgivable wrong,

To try when your arms are too weary,

To fight for the right, without question or pause,

To be willing to march into hell, for that heavenly cause,

To reach that unreachable star,

This is my quest to follow that star…

No matter how hopeless, no matter how far”

What are you reading now? The Intelligent Investor by Benjamin Graham

In my spare time, I like to… spend time with my family and daughter. I love to walk as a form of exercise, so in my spare time you might find me with my AirPods on, listening to a podcast and exploring my neighbourhood.

Most people don't know that I… have flown a single engine Cessna plane over the Golden Gate Bridge. I also went on a fifteen day expedition trekking through the Hampta Pass. It is one of the most scenic, high altitude treks in Himachal Pradesh, India.

Ask me to do anything but… Eat non-vegetarian food. I keep anything with a mouth or mother away from my dinner plate. I grew up vegetarian and just can’t manage to cross that mental barrier.