Twitter’s Rinki Sethi on why CISOs win when security is a shared responsibility

Starting a new job can be stressful at the best of times. During lockdown, it can be a real challenge.

Rinki Sethi joined Twitter as its chief information officer a year ago during the peak of the pandemic. Like most companies, Twitter had closed its offices, requiring its thousands of employees — and new hires — to work from home. For someone who thrives in the office, Sethi said going in as a new, entirely remote employee came with its own complexities.

“When you’re leading a security organization, one of the biggest things is trust, and one of the things you have to lean in on is building trust with the people that are driving security — your own team,” Sethi said during a wide-ranging virtual fireside interview at TechCrunch Disrupt 2021. Building those working relationships over video calls is much tougher, she said. “I’m used to doing that in person.”

Sethi is no stranger to cybersecurity: she has previously held senior cybersecurity positions at IBM, Intuit and Palo Alto Networks, and most recently served as Rubrik’s CISO. Now as Twitter’s CISO, she oversees efforts to protect Twitter’s information and technology assets — entirely remotely for the time being. While that comes with its own challenges, there have also been upsides.

The pandemic didn’t just change how companies respond to cyber threats, it changed how we work. Remote work has broken down barriers to the global talent pool, once restricted by who could relocate to be near the office. We’re talking more about mental health in the workplace, and there’s a greater focus than ever on the people that keep companies running.

These factors don’t just make for a stronger workforce, they make for a more secure workforce. “There’s some ‘people-aspect’ to everything,” said Sethi. “Making sure your employees are feeling good; that they’re able to do their best work; that they’re mentally in a good space. I think that’s one of the most important things that tools, technology, applications and monitoring are not going to be able to solve for.”

Sethi drew on her decade-plus experience to talk about the role of the modern CISO and how the next generation of CISOs can stay ahead.

This interview has been lightly edited for clarity and length.

The right time to hire a security lead

Security incidents are inevitable, and companies can spend millions on defenses only to learn the hard way that there are no silver bullets, since a hacker only has to win once. But how you prepare can set your company apart. Startups can grow and scale at an unpredictable pace, so getting ahead is critical. When is the right time to hire someone to oversee a company’s security efforts?

People are thinking about this, because they’ve seen businesses break because of not having the right security practices, and a lot of folks turning to competitors or others because of that … There are trade-off decisions. I’m not going to be the security idealist and say you need to invest in security before the product or business features, but I think there’s a really strong balance. If you think about building security right from the beginning, I think you do have a really strong competitive advantage.

As you grow, your customers are going to start asking about how you’re securing your product, your services, your platform or your data. And so you have to have those answers.

Information security as a culture

Security succeeds when everyone at a company has a stake in it. It’s not just about incorporating new technologies that help fend off bad actors, it’s also about getting security into the culture of a company, and a lot of that comes down to building trust with employees. That comes down to education, awareness and training.

At the end of the day, CISOs win when you win the hearts and minds of people to take security as a shared responsibility. That it’s not just the CISO driving change, but also other business leaders are championing security … that’s a little bit more of an art than it is a science. You have to bring the data to them that makes sense to them, that can help them make better decisions, but also help them understand where the risks are… I’m on the “forever pursuit” of how do you get security into the DNA of a company.

The importance of diverse voices on your security team

Moving to remote work has helped companies like Twitter think outside the box when it comes to hiring talent.

Sethi said that remote work has vastly expanded the hiring pool by removing barriers and friction that made it difficult or impossible before. Having employees with diverse backgrounds and experience can make a real difference when time matters, she explained.

Having people that come from different backgrounds and with different experiences who have been brought up in different ways, you put them in the room with me and I promise we will come up with either two ways to solve the problem, a unique way to solve the problem … or an in-between … That’s the way you solve problems.

It’s not just one impactful decision; it can be the moments where you’re in a situation. I remember in this incident, there was an individual in the room that somehow knew Russian or something … [and] was able to use that as a clue and say, “Hey, I remember some other email that was completely out of scope of that incident, bring it in,” and we were able to tie things together to accelerate containing that incident and then begin investigating further.

You don’t see that unless you start thinking out of the box and how you’re trying to hire. People bring their experiences and they kind of try to do things in different ways.