When Cybersecurity Means Business: A Conversation with Rohit Parchuri, SVP and CISO at Yext
[00:00:00] Rohit: Oh my God. Trust is, trust is everything. Right? So you know what I say is like you, your business first, trust second and cyber third. That’s the mantra I go with.
[00:00:10] Andy: Welcome to Code to Cloud. I’m your host, Andy Schneider, and today’s guest is Rohit Parchuri, SVP and CSO of Yext. Yext is an AI powered search and answer platform. Additionally, Rohit is advisor for several technology startups. Rohit, welcome to the show.
[00:00:28] Rohit: Thanks, Andy. Glad to be here.
[00:00:29] Andy: What our listeners usually are very interested in is What is the one thing that is concerning you most? It doesn’t have to be really specific to your company, but what is it that is most concerning for you being a CSO and what is, I wouldn’t say troubling you, but really it’s the main thing. What is concerning you being a CSO?
[00:00:50] Andy: I’m sure many of the CSOs relate to this. It’s, it’s not a technical thing, it’s not a technical aspect that I’m truly concerned about. It’s just the biggest concern is how to build and maintain a strong foundation for our cybersecurity program. That can self sustain. Ultimately what we’re trying to create is, make sure we have these fundamental disciplines on how we think about risk. And I know we’ll dig more into the risk soon, but that itself is a cornerstone on how we think about the cybersecurity program. There are other risks, no doubt, but when we’re trying to build the program, the risk factor is so heavy, it has to make sense to the business, but at the same time, also self-sustain in some format so we don’t have to keep, keep bringing that dialogue, every time we have a discussion. And all the elements are kind of tied into the risk itself is what’s gonna define a world robust and comprehensive program. So, yeah, one is building and also how do we evolve and you know, keep pushing on the buck so that we are able to sustain, over a long period of time. Sustainable security. I really like that. My last company, we said that my ultimate goal is that, I can leave the company and I’m not needed anymore because everything is still running in that circle and is self-sustaining. I’m not sure if, if you would ever achieve that, but it, it’s like the ultimate goal so that you have created such a resilient organization and culture that they just do security and do the right things. Really like that. And you’re linked to risk. So, so let’s move over to risk. You mentioned that a couple of times. So risk is very important for you. How would you describe how you do and address risks?
[00:02:35] Rohit: Risk is a pretty big topic. It’s almost like an opening, a can of worms, but I’ll try to keep it simple and we can definitely dig into any aspects thereof. But risk is much bigger than cyber. Cyber is just one part of the risk. I think about risk as a business risk and how we need to think about organizational resiliency. And cyber becomes a part of that because there is a pretty heavy element of cyber that falls into the risk, which is represented as cyber risk. Risk is a cornerstone for any business that’s literally the table stakes from which on you can build a skyscraper off of it, or you keep it at table stakes. It really depends on the business you are in. But I think addressing the risk is ultimately, like I said, is gonna be the, the company problem. But the healthy balance of prevention and detection controls would enable at least me to sleep better. I’m pretty sure other business leaders with the things think about the same things, but I think you just need to build up the risk dialogue and narrative in such a way that it makes sense to the business. I’m, I’m talking very specifically about cyber risk. And I think you, when you’re thinking about risk, it has to have the context and backdrop on how it relates, and also applies to the other business verticals. So that you can think about, ya know, how exactly are you exposed to the risk? What are the factors that drive the risk, either upward or downward? And what kind of treatment do you need to take? Do you need to accept it, transfer it, remediate it, whatever that makes, and again, it depends ultimately on the, on the business. One of the most critical parts also of this is the accountability and responsibility of the risk themselves. More often, i, I kind of preach this to my team, also is that we, as cyber, we’re reporting the risk. We’re not really executing on them. 
We just need to build out the case in such a form that we’re thinking about the periphery of cyber, not just the cyber, we’re thinking about all the different aspects that fall into that. And ultimately it’s gonna be the business owner who we’ve assigned to. And this is something we’ll have to prepare before we get to that dialogue. But once we understand that, that’s where the accountability sits. And this is also gonna be one of the primary elements when I talk with my board about what are we doing with our existing risks? What’s the progress? What’s the current state? What’s the future direction we want to take? This is not just coming from me as a CSO, but this comes from everybody else. You know, finance risk is being handled by my CFO. Technology risk is handled by my CTO. So things of that nature, I think it just has to be distributed. But you are ultimately taking the call in how it affects the business.
[00:05:03] Andy: Do you have some tips you could share? How to talk in the board. I, I think that’s, that’s really a critical topic. You usually don’t have that much time to really explain like, two hours what the risks really are. Usually you might have only 30 minutes, maybe even less. So what’s your way to getting into their head so that they understand these cybersecurity risk?
[00:05:28] Rohit: Yeah, great question. I think it’s, it’s relevant in the current times where we’re being asked more and more information about how we manage risk and how we even prioritize that. So I think even before we get to that topic, what I would suggest, is to, conduct separate sessions with your board of directors. It could be subcommittee like maybe you are reporting into an audit committee. I definitely am, as a public company audit committee has a responsibility to talk about cyber and also, provide some oversight around cybersecurity. So take the time to educate them even before you go to the board meeting about, what is it that your role entails and how do you even think about representing risk at that level. A few things I would start off with is how’s the sausage being made? Like, what’s the, what’s the details, right? Maybe these are the one-on-ones that you can share, uh, during the one-on-ones you can share details about. What exactly is gonna help at that point is, you being transparent about, you know, how you manage risk and what are the specific factors, you know, maybe having a policy document or, or how you are interacting on collaborating with your stakeholders right now would also give some context to the board member about, how exactly they should look at it. And then what’s the outcome, right? Of the risk themselves. So that would be, let’s say a 30 minute discussion with each of your,
[00:06:41] Andy: Mm-hmm.
[00:06:41] Rohit: you know, board members. And then when you go into the board discussion, you can use that as a backdrop. And now all you’re talking about is like a top five risks, and that’s what I do. You have top five risks and the important thing is don’t just paint that as a cybersecurity risk. Paint that as an organizational risk. Cause that’s how board members and the executives connect to if there’s a significant risk or risk to revenue or financial risk, or reputation risk. Whatever that is, how are you trying to build your risk portfolio, put them out there and then represent them. Typically, the way I use it is like, just like a traffic light representation, like, you know, an amber, a green or red. And some context about if it’s an application, secure risk, I’ll not go into details, but if it’s an application, secure risk, like what’s the current state? Are we good? Are we okay? Is it problematic? Do we need more input from the board members? Depending on that, you can, kind of convey that in, in a certain format. But also talk about the future state. You’re not asking for permission specifically with the board. What you’re trying to convey is that this is where we are, and as a CSO, this is my responsibility. I know, I’ve been given the reins for a certain reason, and the reason is so I can make a calculated decision about where investments need to happen. And now I’ll help them educate about this is a future state that we’re taking and, this is where the support we need. You’re not asking for permission. You’re saying that this is where we’re gonna go to stakeholders like my CTO or CFO to actually take account, accountability on certain things. I would start there and I think that is something you can fit in like 10, 15 minutes. And last thing also point out is this is something that comes over time as you mature the program, is think about how you measure, not just the risk, but also the, the maturity of the program. 
Cause ultimately the maturity of the program has a direct relationship to the risk that you’re managing. And having a metric. This could be a key risk metric or a key performance metric. Represent that in some fashion, so you are able to talk about how your maturity is gonna be inversely proportional to the risk. So you are actually building things. And you’re already using the risk thereof. Uh, There are always gonna be ad hoc projects. You need to work on the risk. But maturity definitely needs to be, needs to be in there so people know what’s the balance you’re trying to achieve.
[00:08:59] Andy: I’ve seen that very often that security is some, somewhere in the corner, many just call it IT security.
[00:09:05] Andy: But how do you believe you can bring security closer to the business so that security is ultimately understood as a business enabler?
[00:09:15] Rohit: Oh my God, that is such an important element of building a cybersecurity program. I think, my most important responsibility is to enable business to achieve its mission, right? It’s just that in a secure fashion. So do everything you should. I’m not the, I’m not calling the shots when it comes to building the business or how we build out our product landscape or whatnot. But I wanna be in the room. I wanna influence the decisions depending on what it means to security and how this impacts the business if they’re, not proper checks and balances implemented. Security has evolved to a place right now where it manifests into almost every business vertical, right? It’s just not technology anymore. It’s just not IT security. It’s much more than that. Just the other day I was trying to ex, debrief my executive team on the SVB collapse. How should we even think about the wire fraud and the payroll fraud? Because those elements have never fit into the, the traditional IT security mindset. Like we have certain training, we give that out, and after that we’re we’re basically, you know, gonna wait for the annual refresher to come back. We’re not gonna be, you know, more connected. But that’s changing now, which is great because everybody, every CSO out there is actually thinking about how can we evolve that element and make it more business focused. So to answer your question, I think cyber has to align back to business not the other way around. And that’s how you would actually showcase the impact. You’re not showcasing the impact because somewhere there’s a system that doesn’t have proper two factor authentication. That’s not gonna get anything. Instead, what you’re showcasing is that you have a certain business objective that we need to drive. And this could be, I’ll take an example. Maybe we’re trying to go into something which is much more internally facing. 
Let’s say your data that you’ll be gathering from your customers is gonna get scrutinized much more than you currently have. Uh, so, which means data security becomes an important milestone that we have to reach and also think about maturity as we go through. So now you’re connecting because business is trying to make a move into gathering some really sensitive data. Now you have to think about how can security come in and enable you have the right checks and balances in place, data mapping taxonomy, the protections, the policies, et cetera, and kind of, you know, showcase that you know, as a vocal point when it comes to cyber. And then using that as a prerequisite before you actually go out into production or into market about how you wanna delve into that. So, cause that can expect to the business leader, right? So all you’re trying to do, you wanna have better collaboration and communication. And the way you can achieve that is only when you have a common language that you’re sharing between your executives.
[00:11:49] Andy: Linking it to the business and, allowing the business to keep continuing doing the business in a secure way is, I think, the ultimate goal that we should try to achieve as CSOs and security practitioners. Let’s move on to, uh, another topic. It’s still related to risk, but, we have a huge talent shortage in, in the security industry. Do you feel that talent shortage on your side?
[00:12:13] Rohit: I’ve been hearing about this misalignment between supply and demand. I don’t think that there is actually misalignment. At least not personally. I feel there’s misalignment in the roles with duties. I feel the way that we’re trying to define the roles and not being prescriptive about what exactly is this person gonna be helping out, is actually driving that. Because you, when you’re not quite clear about what exactly that you need, or you’re not setting realistic guidelines around the leveling of the role itself, then yes, you are bound to have some shortage. Because you’re not looking for the right people, you’re not tapping into the right groups. I, I feel that’s what’s happening. So for example, I don’t wanna toot my own horn here, or my team’s horn, but last year, the same time we were around three people, across cybersecurity, and now we are 17 people. So that itself, it, it clearly shows that it’s not really the misalignment, uh, in supply and demand. It’s just more how do you, you know, think about the roles and you know, how realistic you are in terms of addressing certain gaps and this gap being talent here.
[00:13:15] Andy: Do you, do you think it’s really that we um, don’t allow entry level security jobs? Because I rarely see entry level security jobs, or is it something else? I think it’s one of the issues that we have.
[00:13:27] Rohit: It absolutely is. Unfortunately, you know, it’s, it’s funny how, again, I’m not trying to discredit any roles out there, not trying to demean anything, that’s out there. But what I do feel is that we label roles as entry, entry level security jobs, but the responsibilities and duties thereof don’t represent that. We’re still asking for something that an entry level security person could never do. So how can you find the person? You can only find senior and staff engineers if you’re looking for entry level security engineer. Because the duties are saying so. So it’s, it’s really kind of, aligning your title with the job, job role and responsibilities I think would be really, really helpful so that you can set the course in the right direction and know, if that’s what you’re looking at, like, let’s be straight, right? If you’re looking for an entry level, let’s be straight about any experience here. We’re looking for a passion for some person to actually come in and help us out in certain things. And also will also help this person evolve into the next stage you know, of his career or her career or whatever that may be. I think not being prescriptive is what’s driving that down. The other thing I’ll also say, you know, just in terms of staffing, look for organic growth. Essentially hiring, you know, from your, if you already have like a Chick Security Champions or a security partners program, you know, look for people who are naturally inclined towards security stuff. And this could be, you know, maybe you found these people more inclined in the hackathons or maybe they’re reporting certain security things above and beyond their job, of course. Look for them. And also I think, you know, when you do that, you are promoting your internal staffing and there’s more internal mobility that’s happening, and you are also gaining a lot of context, the, the business context from these people rather than you know, hiring from outside. 
They’re fit right into the role. The only thing that you have to teach them is the common sense around security. That’s what I feel.
[00:15:14] Andy: You said you, you were growing from three to 17. That’s really massive. Having such a team, it really means working in security is a very trust oriented work. You have to trust each other. And how do you do that?
[00:15:28] Rohit: Oh my God. Trust is, trust is everything. Right? So you know what I say is like you, your business first, trust second and cyber third. That’s the mantra I go with. And without that trust, like right after business, the trust has to come in. And without business, nothing exists, of course, but the trust is literally the next element that you have to focus on. And I think really being out there and prioritizing the communication and having a storytelling mindset. To help educate people and what is it that you are really trying to accomplish? That goes a long way. And I’m just fortunate enough to have a team that actually embraces that, espouses that, and we are out there. One of the biggest prerequisites we have before we build out anything or request for somebody to do something is trying to be as transparent as possible about the program logistics. If we’re trying to tackle vulnerability management, we’ll talk about all the things that happen when a certain vulnerability’s out there. Uh, we’ll also talk about all the work that we are doing as a team before we actually surface those to the developers. Rather than you’re simply running a tool, getting the findings and throwing it out there. That’s not trust. That’s neither transparency, right? I think really talking about the criteria, the prioritization, how does this fall back into your business? As an enabler, I think that definitely is something, we all do collectively. Ultimately trust is not something you talk about, right? It has to become evident in your actions. If it doesn’t, then technically you’re not really doing a lot. You’re just talking about trust. Of course transparency right there. It’s one of the, you know, uh, older siblings to trust, I guess. Where without transparency, you can also go too far. Like as security professionals, we have we have a lot of access, right? 
Rightly so, because we need that access to enable, you know, certain things either protect or detect, you know, certain things from happening. And with, you know, with the greater power comes greater responsibility. So that responsibility has to translate in a way that you talk about these things and also what you are, and most importantly, what you’re not doing, in the current pusher of things.
[00:17:28] Andy: So listeners, you have to write down that mantra on a paper. So business first, trust second, and third comes cybersecurity. Put it under your pillow and it has to be the ultimate driver. Everything that you do as a CSO. If CSOs would act like that, I think we would not think about how can security become a business enabler and all the other questions I did. So this, thank you for that. That’s a brilliant mantra for CSOs. I think you mentioned the MSPs, that’s also trust. You have, like, they are an extension to your team, so trust is essential and it’s the same for the board. I think you mentioned that in the beginning. You, you have to have that trust relationship with, uh, with them. Let’s move on a little bit. So, as a CSO, you are the security leader, but you are a leader like other leaders in your company. What is a good leader? So what makes a good leader today?
[00:18:27] Rohit: I don’t think there’s a single definition for being an effective or good leader, which is because the, the flag post keeps changing, based on the environment you’re in, based on the macro economical situations you’re in. Socioeconomical situations you’re in. I kind of evolved into this myself, like, how do I think about, you know, the broader team? How do I think about my peers, not my direct team, my peers as my extended team? So we can think about figuring out the risk for the company and how should we even treat them? So really I think what came out of that as an outcome is developing the shared understanding with, you know, with other business leaders, right? So I’m a business leader. You know, There are other business leaders, so we’re, we’re acting as a team, we’re acting as a collective front to think about the business strategy and what are the factors that drive the business strategy forward. And then enabling like a healthy balance, right. Between your modernization, cause as a company you have to, you know, evolve and you have to become modern. And also the elements of modernization means hydro transformation, cloud transformation, whatever that is. Then there’s technical debt, right? You always have some level of debt that you have to fix. And this is not just security, right? There’s elements within your IT infrastructure, product, you name it, and ultimately cyber needs. So three things, right? So modernization, technical debt, and cyber needs. Like how do you manage that healthy balance between them and you know, kind of surface them up to a place where we can take collective decisions. Not, not in haste, but thinking about this long term and also how does this directly affect, you know, either positively or negatively to the company that you’re working for. And the other thing I would say is collaboration, right? Collaboration is such a key for any business leader. Like without that, you’re kind of acting in a silo. 
And if you’re acting in a silo, technically you’re not benefiting the company. You’re benefiting your, you know, your own vertical. And technically that doesn’t have a direct correlation with the business you’re in. But within cybersecurity, I think, you know, going back to the original mantra, like let’s think about business first. If business doesn’t exist, cyber doesn’t. All your investment, all your energy has to, has to go towards how do you think about business and how do you relate that back to your cybersecurity initiatives. And each of the initiative you have, let’s make sure there’s a measure on how you are thinking about the success of that. And one thing I would also benefit from, I, I benefited from in the past is to have a very prescriptive success criteria for each of the initiative. And if I don’t meet that technically I’m not making a dent in the program and thereby not making a dent in the business impact.
[00:20:54] Andy: How did you become a CSO, and where did your journey start becoming a CSO or, getting in touch with technology.
[00:21:02] Rohit: Yeah, so technology, I think it’s been in my educational DNA from the get go. This was even back when I was still doing my bachelor’s. But technology on, you know, on that front was mostly on the electronics and communication. That’s where I was majoring in. But my security journey went parallel to that. Uh, this all began when, uh, one of my buddies actually gave me a book called Ethical Hacking. And this book kind of introduced me to different things. One is manipulating programs and, and also how can we tamper with systems, window systems specifically. And, I was very intrigued by that. And I was very amused by that. So, and then I took up a degree in a formal cybersecurity program. And back then there were only a few handful universities that were actually giving out the degree in cybersecurity. So I was fortunate enough to lead myself into DePaul University for a cybersecurity degree. After I graduated the program, I joined Rackspace hosting to begin with. And I joined as a network and system security engineer. This kind of helped me build a strong foundation, within the networking and computing from a security lens. So, from an OSI layer, layer one through layer four is something I was able to be able to build out. And then later on I moved on to ServiceNow until the State Service now happens to be one of the longest 10 years in my career. And there I was brought in as a network security and vulnerability analyst. Soon after that I figured you know, there was a pretty big gap when it came to application security, which was pretty brand new back then, and it wouldn’t really have a practice or a program for that matter. And we were seeing a lot of requests from our customer base requesting for how do we even think about and how do we approach application security? And I, I raised my hand saying that we need something like that. 
I was the founding engineer for apps and then, then I was able to, you know, uh, become the manager from then on and, uh, build the team there. Also ServiceNow kind of gave me this access and opportunity, I think, for various other disciplines within cyber. And given the program itself was so brand new, I was like fifth person in the program. That gave me access to different domains. So I was able to go into security operations, GRC, field security, product security, which is an older cousin to application security. In turn what happened was I, I kind of, built these different skill sets within these different domains. And that helped me look at my, you know, both the role as a cyber person and also how the, the cyber program has to tie back into the business in some form. And from then on I was able to go into a company called Collective Health. It was a startup in healthcare space. For me, I think it was just the, the change of the scenery that I was wanting after being at ServiceNow for for a long time. And then I was, I think I, yeah, I made my way into Collective Health as a director of information security, overseeing, uh, the cybersecurity program. And then became their first CSO after a little while, and then made my way into Yext a couple years ago. And that’s where I’m at right now.
[00:24:04] Andy: That’s super interesting. So it really sounds like you moved up layers. So the OSI layers. So from the network security part up to application security. And then from a career perspective as well, something, it just came into my mind. How long did that journey take from, let’s say, taking the book, Ethical Hacking until you actually became a CSO?
[00:24:28] Rohit: I would say in, in and about 12 ish years,
[00:24:31] Andy: My personal experience is very similar. It really takes time. You have to build up your foundation and it really sounds like you did it really well.
[00:24:39] Andy: Yeah, and I think, you know, becoming a CSO itself, at least for me, it’s not the CSO title itself is not important. What you gain along the journey, which is why I was, saying the journey itself was super interesting cuz you see bits and pieces of disciplines and practices that you were either part of or you helped build it and you are taking all those learnings to, sit, sit at a CSO level and, uh, see how that works out. I think the learnings and challenges and approaches that you take is what’s gonna define you, not as a cso, but more of an as effective security leader at a company. Fully agree. Let’s, let’s fast forward to your current role and your current position at Yext. So what is the real scope of your role and what are your responsibilities?
[00:25:21] Rohit: I’ll say my primary responsibility is to keep company safe and be prepared in case there’s, there’s some, something bad that’s gonna happen if and when it happens. I just wanna make sure we’re prepared. So that’s my primary responsibility. But what kind of entails all that is all things cybersecurity, right? Risk and compliance, financial audits, which is also a part of my role. Compliance, which is more broader in sense of certifications and cybersecurity regulations specifically. Uh, security Operations Center, something we currently have that and distributed across the world. Product, application, and cloud security. Which is kind of housed in the, in the same practice. Field enablement or field security as you may call. And lastly, third party risk and enterprise security also fits into that. I also partner on our internal audit, uh, especially on the risk management element, and then also partner on the data privacy, data security with my general counsel. Like I said, all these, you know, kind of functions roll into me. But, I think the biggest things that me and my team are proud of right now, are having built a security conscious culture, which kind of enables others to put a security mindset, even though their day-to-day job is not security, but having a backdrop of security itself helps put the company and ourselves. So at least, you know, to a point where we’re involved when they’re critical decisions being taken at a company level.
[00:26:41] Rohit: So one thing that I will do is I will, I will share things in every episode. I will share something that really went, went south in my career. And you can share something if you want, for the others. Just a fun thing. So mine one is, is more a fun thing. So I once got to a hacking conference and there was an audience of four to 800 people and I had a brand new Mac M one. So I really like these Apple computers and I plugged it in. I had a, I had my, my, let’s say my keynote. And plugging it in caused crashing the whole conference system. So I retried it and I, I was already over time, so we decided to switch computers and I took the computer from the organizers, a hacking company. And I, and I logged in with my Google account and clicked on save password. So I as a CSO in front of the audience of more than 400 hackers, stored my password on a, on a foreign computer. Logged in. And actually they then, had access to all my files. I could do the, I could do the conference, but I, I really felt bad about this. Is there something that happened to you? Oh, wow. Thanks for sharing that story, Andy. Makes me think the next time I’m at the keynote, I’ll have to think about that too.
[00:28:02] Andy: Yeah, I forgot the USB stick.
[00:28:06] Rohit: No, there you go. For me, I think, uh, I’ll, I’ll just maybe talk about one thing. When I was at ServiceNow, we tried to implement this championship program. This was literally, I think the first manager role that I took up and I was like, okay, we need to get running on this. And, you know, this is intended for us to kind of build that whole DevSecOps approach. And that was the very first time we were doing it. It was very new in the industry. So I was like, okay, let’s, let’s start with Security Champions program. And some break dreams, right? It, fell short pretty bad. One of the biggest reasons why it did, is because I’ve never taken the people’s thoughts, feedback, or emotions to in context before we started running around, you know, with the project and venturing into the charter. This clearly shows like, you know, my, my weakness was know, kind of putting the emotional intelligence into effect and also, thinking about all the factors that drive a program forward. This is also what I mean by criteria. I think you need to have a good balance about, what kind of people are you interacting with? Do you already have existing processes in play that you can, you can leverage, possibly without creating new ones? And ultimately, does this even make sense? Right? I think that was the biggest key element that I was missing because it did not make sense back then. We were at a stage where on the scale of one to five we’re possibly between one and two, and I was implementing something that is supposed to be implemented when we’re at like possibly four. So yeah, it kind of terribly failed. Very interesting lessons that came out of that though.
[00:29:35] Andy: Yeah. Never forget the people around it. They are everywhere. So cybersecurity would be so easy without people out there. Just kidding. Just kidding. So we come to an end. So it, it was really fantastic. Maybe one last advice. If, if, if we have listeners out there that just start in their career, what would be the one advice you would give them?
[00:29:57] Rohit: In the role that we are right now, as cybersecurity practitioners and professionals. Being very empathetic is, is the most important thing. Uh, having the service-oriented mindset. I often hear that security is everyone’s job. I don’t think it is, it, it is part of their jobs. It’s part of their job to have a security mindset going into it. But we’re the ones with security jobs. So I think when we’re thinking about rolling out the program, just like what I shared about the weakness right now is that I wasn’t empathetic, right? I wasn’t thinking about what the other person feels or what exactly am I expecting of the other person. I think being, yeah, going into the other person’s, you know, perspective and thinking about the, the world from that perspective, I think would be really helpful as you build out, either a program or a project, you know, for your, you know, for your own company. I think that would be hugely beneficial. I would say that lead by that and don’t confine yourself to cybersecurity knowledge. That’s the last thing you should do. Yes, I think skill as cyber is super important, but there’s a lot of periphery around cyber without which you cannot accomplish cybersecurity practice. Just as simple as that. So definitely, be keen on continuous learning and make sure anything that’s around cybersecurity, you also have maybe an inch deep understanding of that and how that relates back into cyber is, of course, is the most important thing you’ll have to learn. Lastly, build the networks. Networking is such a, such a big component of cybersecurity. There are a lot of great people out there. Network with them, connect with them. This would ultimately become your support system. When you’re looking out for a job, when you’re looking to, you know, excel at your career, upskill, whatever that is, that support system is key. So make sure you do that.
One thing I’ll also say for aspiring CSOs is that, develop the cyber, non-cyber skills such as your soft skills, financial skills, operational skills, and ultimately, you know, at least be able to read the balance sheet. Be able to go through your profit and loss statements. But it just gives you a great perspective when you’re thinking about how can you relate your cybersecurity objectives back into the business, because those are the defining factors. That’s what your CEO is looking at. That’s what your board is looking at. So if you don’t have a good expertise in that, then you know, there, there are gonna be some gaps.
[00:32:11] Andy: Thanks so much Rohit. This was such a wonderful discussion. We are sadly at an end. But you mentioned an important word. Networking. So you can reach out to us and, what would be the best way for you? Is it LinkedIn, Twitter? What’s, what’s what you use most?
[00:32:26] Rohit: LinkedIn is the best. I’m pretty active in LinkedIn, so please reach out to me. Uh, I should, should just say, Rohit Parchuri, you should be able to find me.
[00:32:34] Andy: And if you reach out first, note down the mantra, that’s what I will do. Business first, trust second, cybersecurity last. Thank you very much, Rohit.
[00:32:43] Rohit: Thank you guys. Thanks Andy.
This episode features an interview with Rohit Parchuri, SVP and CISO at Yext, masters of online brand management trusted by thousands of companies around the globe, including Verizon, Campbell’s, and Cox. Rohit is a trusted information security executive who currently heads a global security program at Yext. He is responsible for building and executing their cyber security governance and also educates both the board of directors and executive management on cyber security affairs. And in this episode, Rohit discusses how to convey cybersecurity maturity and risk to the board, collaborating as a key to success, and building a robust, comprehensive cybersecurity program.
[0:54] What are Rohit’s top cybersecurity priorities?
[2:39] How does he address risk?
[5:33] How does he convey cybersecurity concerns to the board?
[12:13] Is there a misalignment between talent supply and demand?
[15:28] How do you build trust as a cybersecurity professional?
[18:27] What makes a good cybersecurity leader?
[21:00] What was Rohit’s path to becoming a CISO?
[25:19] What is the scope of Rohit’s role as CISO at Yext?
[27:56] Rohit shares a story of a lesson he learned as a young cybersecurity professional
[29:55] What’s one piece of advice Rohit would give someone starting a career in cybersecurity?