Student Profile
Source: https://cybersecurity-strategy-masters.nyu.edu/student-spotlight/kavitha-mariappan/ Parent: https://cybersecurity-strategy-masters.nyu.edu/admissions/student-spotlight/
Kavitha Mariappan
CTO, Rubrik
Class of 2022
“Cybersecurity is no longer relegated to the domain of IT security. Cyber risk is business risk, and companies that cannot manage that risk threaten their own reputation and viability. The companies that have learned to manage risk do so by prioritizing cybersecurity in the boardroom, the C-suite, and even in individual business units.”
1. Given your extensive technical background, what motivated you to apply for this program, rather than a standard MBA or an MS in engineering?
The NYU School of Law and NYU Tandon School of Engineering joint Master of Science in Cybersecurity Risk and Strategy offered me a unique opportunity to round out my skills. At Zscaler, one of my mandates is to run the office of the CISO. For the sake of the organization’s success (and also my own), I recognized that it was critical for me to augment my legal skills in addition to my technical background. As a business leader, it’s imperative that I am continuously developing my knowledge of cybersecurity privacy methodologies, legal statutes, and regulatory frameworks. The MSCRS program provides the deeper learning in policy, risk management, and governance that I sought.
2. How has the program measured up so far?
I came into the program with high expectations, and my MSCRS experience has exceeded them. First, the faculty is stellar – as instructors, advisors, and researchers. Second, I greatly benefit from the diverse perspectives and expertise of my fellow students. The breadth of experience in my cohort – with leaders from government, law enforcement, financial services, and other private sector industries – makes for an enriching class dynamic. It’s a bit of a cliché, but I’ve learned much from my own classmates. Finally, cybersecurity crosses boundaries…between organizational divisions, disciplines, verticals, industries, and geographies. The integrated curricula shared between engineering and law examine deeper issues in cybersecurity, breaking down barriers between information technology and business with an enlightening mix of both legal and engineering perspectives.
3. Have your views on cybersecurity evolved as a result of your learning in the program?
I work for a cybersecurity company and see first-hand the impacts cybersecurity can have on business operations, continuity, and growth potential. The MSCRS program has helped me understand the sobering reality of how much work there is left to do. The United States has an esteemed legal system, but it’s built upon the legacy foundation of protecting physical entities. What’s reasonable when it comes to digital asset protection? How do we as business leaders counter the ongoing cyber threat to privacy? We’re not yet set up as a global community to answer those questions. The internet crosses borders, and so do threat actors. Cybersecurity enforcement encompasses functions that include threat detection, threat identification, law enforcement, forensics, attribution, and even bringing criminals to justice. But there’s no defined global framework for that. The challenges of cybersecurity cannot be solved in isolation, but will instead require collaboration between governments, corporations, and communities.
4. What are companies doing right when it comes to cybersecurity, and how could they do better?
Cybersecurity is no longer relegated to the domain of IT security. Cyber risk is business risk, and companies that cannot manage that risk threaten their own reputation and viability. The companies that have learned to manage risk do so by prioritizing cybersecurity in the boardroom, the C-suite, and even in individual business units. Importantly, they are investing in Zero Trust security architectures. But there’s still far to go.
The companies that are “doing cybersecurity right” are applying new cybersecurity best practices, including:
- Minimizing attack surface
- Employing a cloud- and mobile-first Zero Trust architecture solution
- Designing security around the new way of work (rather than the other way around)
- Letting go of legacy mindsets
- Breaking down organizational silos between network, security, and business teams
- Educating the C-suite about security budgeting and investment
- Training employees in information security awareness
With the right solutions in place (read: Zero Trust), these organizations are setting up their globally distributed workforce (and, subsequently, the organizations themselves) for success.
5. Is the US doing as much as it can in the way of incentives when it comes to training workers with the right skillset?
No. In the private sector, too many organizations cling to outdated legacy infrastructure approaches. Often the aversion to change is cultural – leaders are more comfortable with “the way it’s always been done.” Whatever the rationalizations may be – cost, complexity, comfort – they threaten to sink the organizational ship with cyberattack vulnerabilities.
In the public sector, the US government has taken great strides – codifying Zero Trust Architecture in a new NIST standard, for instance – but can do more. Federal agencies (in the US and abroad) must create regulatory mandates coupled with financial incentives to drive enterprise adoption of Zero Trust cybersecurity solutions. (It’s worth noting that ethical hacking, noble as it might be, will never be as lucrative as “turning to the nefarious side” of adversarial activity…at least until public- and private-sector leaders incentivize “doing the right thing.”) Also, we need to create a cyber-native workforce, and develop cybersecurity awareness through education…at the K-12, secondary, and university levels. The MSCRS program notwithstanding, there are few academic or industry certifications for cybersecurity. That has to change.
Finally, we must amplify underrepresented voices in cybersecurity. We must upend the “Old Boys’ Club” mentality of legacy security culture and invest in diversity, equity, and inclusion initiatives. The more perspectives we can engender, the better and more effective cybersecurity policy will become.
Note: this profile was written while Kavitha Mariappan was EVP, Customer Experience & Transformation, Zscaler.