Bipin: The other thing is I realize, as a security engineer, I've become a really good generalist. Now I think about it, like, a lot of security engineers are really good generalists because they need to think from very different perspectives and look at things from different lenses. For example, like, if you're talking to a developer, or product manager, or you're talking to a customer, or you're talking to a CISO, security leadership, or you're talking to engineering leadership, your conversation has to change so that you can communicate that effectively. The same technical problem that you're explaining to a developer, the conversation will be very different when talking about the same problem to engineering leadership. So you need to develop those skills of explaining and breaking down problems into a simpler form, as well as have the ability to go much deeper on the technical side.
Caroline: From Cobalt at home, this is "Humans of InfoSec," a show about real people, their work, and its impact on the information security industry. Bipin Gajbhiye is a security professional with over 12 years of experience in InfoSec. Born and raised in India, he moved to the United States to pursue further education and got his Master of Science in Security Informatics from Johns Hopkins University. Bipin is a friend from back in the day when we worked together at Cigital, where he started his security career. Since then, he's worked at some awesome places, acting as principal member of technical staff at Oracle, and later working on product security at Salesforce. He's now a product security partner at Stripe and an angel investor and cybersecurity advisor helping early-stage security startups with their strategies, direction, and networking. I am so excited to be here with Bipin to share his story with you and get his unique perspective on where security and business intertwine. Bipin, welcome to our show.
Bipin: Thank you. Thank you so much. Great to be here. I'm super excited.
Caroline: We are so excited. I am mostly just thrilled that I get to talk to you for a little bit. And we also happen to be pressing the recording button, and so, you know, the fun and the joy of our conversation gets to be shared so much further. Bipin, I'd like to start at the very beginning. Tell me your story, how did you join the information security industry?
Bipin: Sure, yeah. So, I didn't really plan to be in this field, it's a bit of luck actually. So I did my undergrad in electronics, which is completely different than what I'm doing right now. But I've always been interested in computers in general. By interested I mean, not learning or programming, I was more interested in using it as, like, a fun cool device to just play games or, like, talk to strangers on the internet, on Yahoo Messenger back in those days. But growing up, I think I've always been very curious. So I remember when I got my first computer, it was a desktop, and was probably running like Windows' 19-year-old XP. And it was early 2000s or late '90s, around that time. And the storage space on those computers would be, like, very little. So what I would do is basically I'd just go and delete a bunch of files just to, like, make more space.
And I had no idea about what I was doing, so I might end up deleting, like, system files or libraries and whatnot, and the computer would stop working and then I'd get this blue screen the next time it restarted. So I would go ahead and, like, find those installation discs and freshly install the operating system. And I would do the same thing, like, after a few days, again and again, because I would try to figure out, okay, which file does what. So I really loved poking around things, and I would figure out...I would also play games on the computer. So I would go into that folder and try to see which files are responsible for, like, graphics, or which are image files, which are audio files, and try to, like, poke around that and delete some and just play around with that.
So I really liked doing those things, not as...I wasn't doing it to learn, I was just, like, trying to figure out how things work or, like, how do I make more storage space? And also the memory, the RAM, the random access memory, those days used to be, like, very little. So what we would do, a group of friends, is, we just, like, you can actually take out those RAM sticks, especially in desktops, and you can put them into, like, a different computer. So we would just...a couple of friends would bring our own RAM, put it into one computer and, like, just play a, like, very high-resolution game, or the games which require a lot of memory and graphics and whatnot. So I didn't realize it, but I was, like, just hacking those things back in the day, like, in my early teenage years.
So, yeah, fast forward to when I graduated in electronics. I had no job, it was pretty difficult to get a job in electronics, and I kept hearing...it was all about computer science. And so I thought I should check it out. So I took some classes, learned Java and C++, did some Cisco networking certification. I think I also did an Oracle database certification. And then, okay, what are my options? Like, I had limited options to decide from. So I decided to, like, go for a graduate program in the U.S., and I applied to, like, a bunch of schools for a computer science program. But while I was doing that I also came across security programs, and that really sounded very exciting to me because it could, like, connect to my curious side of things, where I can, okay, hacking sounds so cool, so maybe I should go into this field and figure it out. So I just, like...as a backup option, I applied to a couple of security programs and luckily got into a good school in an InfoSec program, and that's how I just got into this rabbit hole of the security industry.
Caroline: It's so cool, I love it. And thank you so much for sharing that experience with us. You know, I can just imagine you as a young guy playing video games and just trying to get it to work. My daughter now is in grade school and she loves video games, and I find myself as her parent actually having to manage these things on her, like, gaming laptop. It's pretty wild today that actually there are gaming laptops with this amount of capacity. And you know, she'll come to me and she'll say, "Mom, I really want this mod. I really want this Minecraft mod. I really want this, you know, Slime Rancher mod," whatever it is. And I'm, like, trying to figure it out, and I kind of went into it pretty casually. And I was like, okay, like, if she wants a mod, I'll go find a YouTube video and try and do the mod for her. And every once in a while I just, like, totally mess her thing up, and then we just start over. And then I have to explain to her, you know, this little one who spent, like, thousands of hours of her life probably building these worlds, that, like, mommy accidentally deleted her world because I was trying to get this mod to work. So anyway, it resonates. And I love just to...
Bipin: I think when you're young you try to figure...you're doing it for a different reason, but it's much more difficult right now on current gaming platforms, current computers, to mess with things. But in those early days, it was super easy to just go into files and, like, figure out which file is responsible for a game score, and what if I delete this, and see what happens.
Caroline: It's really cool, you know, and I love learning about your curiosity and your persistence. Bipin, I'll invite you to jump in this, you know, time travel capsule with me and we'll zip forward to the present. You have held technical security roles at some really, like, global, interesting, important companies. Information security roles at Salesforce, Oracle, Stripe, I wonder if you would give us a little view into your experiences working there, particularly any interesting challenges that you might have come across and maybe any interesting lessons that you learned from your tenure there.
Bipin: Sure, yeah. So I've been at these companies for...like, combined, all three companies, it's been about 12 years. And you know, like, a lot has changed in the last 10 years, there's so much advancement, like adoption of cloud computing, mobile devices, a bunch of apps. So I've seen, like, all that happen and how that translates into the work that I've been doing with these companies. I started with consulting, you know, we worked together at Cigital. And then when I moved to a product company, that was Oracle, my first product company, there was a bit of a change in perspective, because in consulting you would just go in, do the engagement, 10, 12 days, 2 weeks, a month, and then get out. And then you don't really know what's happening after that. But on the product side, things are very different, you have to own things. If you find something, you have to, like, keep track of how you wanna fix it. And the focus is mostly on solving problems, and how do you solve problems at scale?
So lessons learned, I think, at product companies, especially, like, some big tech companies like Oracle, Salesforce, and Stripe, is they're a startup, a bigger startup. So I would say it's more about learning constantly, because there would be...there's no option to not learn because things will change very fast before you know it. This new product is coming, or before you know it, like, new tech is coming, you're going to cloud, you're going to on-prem, you're taking this customer data or that customer data. So that stack is constantly changing, so you need to keep learning. I think with security engineering it's not an option to just focus on one thing because you have to understand how things come together, especially for a complex product, for something like Salesforce. And so that's one, that's a good learning experience for me.
The other thing is I realize, as a security engineer, I've become a really good generalist. And now I think about it, like, a lot of security engineers are really good generalists because they need to think from very different perspectives and look at things from different lenses. For example, like, if you're talking to a developer or product manager, or you're talking to a customer, or you're talking to a CISO, security leadership, or you're talking to engineering leadership, your conversation has to change so that you can communicate that effectively. The same technical problem that you're explaining to a developer, the conversation will be very different when talking about the same problem to engineering leadership. So you need to develop those skills of explaining and breaking down problems into a simpler form as well as have the ability to go much deeper on the technical side.
It's also true, it's just...so this is one of, more of a soft skill part, but on the tech side also there is a different way to look at problems. Let's say you found a vulnerability, you need to see, is it a web vulnerability, is it in an application, is it on a mobile device? How is it gonna impact your customers or users? What are the trade-offs to fix it? Is it a standalone issue or is it gonna create long-term security debt, or does it affect multiple products, multiple applications? You need to really understand what's the impact of this across the suite of products that your company might have. And how do you deploy the fix at scale? If you're fixing this, is it just a one-off instance or do you need to...is it an opportunity to write a framework or a secure library or create a paved road? So I think this is more of a focus at product companies I've seen. You have to be ready to build things in-house. There's a portion of the work that's automation, and you need to be ready to, like, find gaps and identify opportunities for automation.
Caroline: It's so cool. Oh, my gosh, I'm just getting excited, like, hearing you talk about this stuff. You know, I think that there is something so interesting about a person in a security consulting role that's different from a person in a practitioner role, you know? And I think that when you share with us about your experience, like, stuff at scale, right, stuff at scale and stuff with so many dependencies, with trade-offs, with different impacts. Thank you. So shifting from your practitioner experience to cybersecurity from a different perspective, which is you're not only an experienced cybersecurity professional -- you also support upcoming businesses as an angel investor. I would love to hear more about this. How does your perspective change with these two roles in combination?
Bipin: Sure, yeah. So, yeah, let me clarify, these are very small investments that I made in a couple of early-stage cybersecurity startups. And now I'm more, like, more open to just investing in tech startups in general, but, like, small checks, so. The angel investor word seems like a very strong word. But yeah, talking about startups, I've always been fascinated with startups and really admire and have huge respect for entrepreneurs. I always wanted to, like, learn more about startups, especially how they go from just creating an idea to, like, a product-market fit. And I had no way to figure out how do I get that information. And even if you're searching on Google or if you're just reading case studies or following somebody on YouTube on their startup journey, you don't really get to see the, like, day-to-day experience, or the struggles that they go through.
So I figured out that if I became an investor and an advisor, I could actually see all those problems and the journey up close. So I tried to figure out how do I do that. And fortunately, I found a couple of companies that I ended up investing in, and that gives me an opportunity, actually gives me a special lens to see things and actually see the struggles, see the small wins, and day-to-day problems, problems with hiring, finding customers. And since I'm in cybersecurity, that's the best expertise I can bring to the table. So if they have...and these are cybersecurity startups, so they are solving a problem in the security space where I could definitely help them with brainstorming the product roadmap, identifying the gaps in the market or finding those initial customers or just in general, just with networking.
And my whole aim was to just see things as they go, especially in the early stage because this is really hard. Like, startups are very hard. I don't know if I could ever do that, but I still wanted to see how things work, and these investments allowed me the opportunity to see things very close without getting involved...without actively working for any of these companies. So that was my whole reason to get into this. And then I picked cybersecurity because there is, like, you know, there are so many vendors in cybersecurity, there are so many problems to solve. The market is huge. I was reading something, there was, like, cybercrime losses, just like last year, this goes into trillions of dollars, with a T.
So this space is pretty huge, and since I've been more into AppSec all my professional life, this also gave me the opportunity to learn about different problem spaces just within cybersecurity. Learn about what's happening in endpoint security, what's happening in threat detection, what's happening in GRC, governance and compliance and...like, the list is endless. So this has been, like, a super helpful experience for me because I get to learn more about security areas that I wouldn't ordinarily in my day-to-day job.
Caroline: It's really cool. I also love and I'm pseudo-obsessed with cybersecurity startups. Startups in general, and then, of course, because of our background, cybersecurity. You know, one day you and I'll have to sit down together and I'll tell you the story of Cobalt. We started the company...well, I joined when the company was small, about 10 people, and today we're more than 200, and it's been such a fascinating journey. Very cool.
Bipin: Yeah, I would love that. I really love hearing stories. In general, startup stories are always very much fun. And it's very different for everybody. You would hardly find two people who have a similar story. Every sector or every industry or every entrepreneur brings a different perspective and a different way of doing things.
Caroline: Yeah, there's like this grand adventure, you know? And there's like so many external factors that you have no control over, but what you do have control over is, like, what waves do you ride? You know? And then there's so much about strategy and execution and team building and this and that, and certainly very hard work, certainly a lot of luck. So it's just...it's super exciting, and I love that you pursued this interest in such a very concrete way.
Bipin, I wonder if you can share with our listeners how you might advise someone to talk to board members and investors about cybersecurity? You know, and I think there are really two different angles that you could take this, and I'll leave the choice up to you. One angle might be, as a security practitioner in an organization, how do I talk about cybersecurity posture to our board members, to our investors? You know, another way to look at it might be how do you talk to board members and investors if you are an entrepreneur developing a cybersecurity offering? Would love to hear your thoughts.
Bipin: Sure, yeah. I'll probably...yeah, let me take the "as an entrepreneur" angle first. So when you're talking to investors, giving your pitch in general, you really need to focus on what problem you're solving. And how do you put that very efficiently? You need to do a lot of homework. You really need to understand the problem space very deeply. You need to know, end to end, how things are working. What's the impact of this problem? What kind of problem are you solving? I'm gonna quote this book, "Crash Override," by Mark Curphey, and he puts it in a good way. He said, are you solving a gunshot-to-the-chest problem or are you solving a paper-cut problem? So that's a really...I really love the sentence.
If you're building a feature or a product, there's a big difference there. If you're really solving a big problem, then you need to understand the depth of it. What's the market? Who is buying it? And who does it impact? Is it B2B or is it B2C? Having all those, like, researched really gives you a competitive advantage over a competitor or can be a differentiator. It also gives you perspective that once you start doing more and more research, you'll say, "Okay, this is probably a paper-cut problem." Maybe it's just a small feature you're building. And there's nothing wrong with that, you can even do that, like, it's just a small market. In the beginning, it's very difficult to figure that out, but do your due diligence and clearly understand the problem space, whatever it is, whether it's security or outside security, or just a tech startup in general. Talk to your customers. I used to think that it's difficult to talk to people and difficult to reach out to random strangers or random people on LinkedIn, but it's not. If you're an entrepreneur, you really need to, like, talk to a bunch of people who are your prospective customers and really understand the problem space.
And also the second thing with that is, if, when...let's say you found a solution and you've built this really great product, but nobody knows that you have a solution to this problem, so how do you communicate that to the user? How does somebody know that this guy over here is solving this X problem? You need a way to advertise or communicate that, or you need a way to figure out how to bring this in front of your buyers. That's important, the second point. And there's actually just...it's a good segue to get into the security program side where you're working for a big company, you are part of a security org.
Caroline: You know, Bipin, I think that your analogy and way of looking at it, like, is it a paper cut or is it a gunshot wound to the chest? You know, that just illustrates such an important aspect from the startup perspective. And I actually think that your response to one of our prior questions with regards to your experiences at places like Salesforce, Oracle, and Stripe, you know, you actually did talk about what it's like as a practitioner communicating to different stakeholders.
So, Bipin, you mentioned that you've seen so much change in both cybersecurity as well as technology over the past, you know, decade and more. How do you feel like the startup scene is adapting to increased customer demand for privacy and security? How might you advise tech startups to prioritize both security as well as growth?
Bipin: Yeah, I think so. Definitely, there is increased demand for privacy and security, especially privacy. We have seen some big changes in the privacy space in the recent past. GDPR is one example, the California Privacy Act. So if you are building a solution or building a product or building a...even mobile, Apple has also put out their own privacy restrictions and the information that they share with the user. So if you're building anything around that, you need to be aware of all the regulation that applies to you. Is it B2B? It totally depends on the type of business you are getting into. If it's B2B, there is a different regulation that applies...a different set of compliance and regulation requirements. And if you're going for B2C, you are looking at more of an app space or a mobile space where there is a different set of data-gathering practices that you should be aware of. Privacy is a big topic and I think it can only...to solve this tech problem of privacy, this has to go from...it's a top-down approach. It has to be...it comes from regulation, putting companies through those government-mandated regulations so that they don't abuse your information. So that's about privacy.
How do we prioritize security and growth? How do startups prioritize security and growth? I think in the beginning they don't really care about security. Growth is much more important because you need to survive. But if you're growing faster, if you're getting a lot of users or initial good customers, B2B customers, then you have to think about security, there's no way to escape that. And the good thing nowadays is, especially for tech startups, there are so many frameworks, there's so much existing off-the-shelf tech that you can use that also provides you with some security features and capabilities, and you just need to be aware of how to use them.
You just need to, like, turn it on. Like, if you're using AWS, or let's say you're, for example, using...putting information in an S3 bucket, you need to make sure it's not public. In a startup, it's very common that you make it public just because you wanna share with your teammate in some other geo location. So you make it public, but you forget to turn it back to private or, like, forget to delete the data. So, I think having that, like, general security common sense, or at least keeping a log of things, that if you think something, let's say you're sharing data with somebody, a teammate in a different geolocation, in an S3 bucket, you keep a log of that...okay, I did this, make a note to yourself, make a security log. And as you grow bigger and bigger, once in a while you can go back to that log and see, "Oh, I did this, which was a little gray area." And then you can go and fix it.
There's always a debate about security and features, right? And even in big companies there's always a trade-off between, do you wanna do this? And at what cost? It's much harder for startups because they don't even have resources. So for startups, for tech startups in general, even though you're using all those frameworks and all that advanced tech that provides you some security out of the box, there's always, like, a bunch of open-source software. Open-source culture is super huge at this time, you can use open-source scanners, you can use secret detection, you can try different things. Build some kind of a smaller open-source practice, open-source security program, or tooling in place, but the tooling depends on, like, what growth stage you are at.
So, in the beginning, they don't really care about security, they don't wanna...they wanna get customers, the focus is very different. I think it only comes in once you have the actual customers. And I think the line gets drawn when you have customer data. If it's B2B, the way you handle customer data is gonna be very different versus collecting consumer data. And that's where you need to start thinking about security. Because, yeah, you're opening doors for lawsuits and regulation if you screw something up. Like, the recent example of the LastPass hack, although it's, like, a big company now, but once you have data from your customers, it's an obligation for you, and it's a liability as well as an opportunity. So finding the right balance to secure that and use it efficiently is probably a good way to go about it.
Caroline: I think, at the end of the day, security is about protecting value. And a very early-stage startup, frankly, doesn't have much value yet, you know? And as that organization grows, they accumulate and begin to create more and more value and therefore cybersecurity becomes more and more important. And definitely, customer and sensitive data, storing that data, processing that data, creating that data, puts an organization in a totally different place than when they were before that stage. Bipin, I wanna say thank you so much for spending this time with me today, it has been such a pleasure to chat with you about all of this stuff. And thank you so much for sharing your thoughts and your experiences with our listeners today.
Bipin: Sure. Yeah. I love the questions. I had a great time talking to you.
Caroline: "Humans of InfoSec" is brought to you by Cobalt, a Pentest as a Service company. You can find us on Twitter @humansofinfosec.