Bill CISO: ‘Cybersecurity should be on every leader’s mind nowadays’

2 Jun 2023

Rinki Sethi, VP and CISO at Bill, discusses her role and the importance of maintaining a strong cybersecurity strategy in today’s landscape.

Rinki Sethi is vice-president and CISO at Bill, a cloud-based software company that digitises and automates back-office financial processes for small and medium enterprises.

Prior to her role at Bill, Sethi held positions in various tech companies. She was a VP and CISO of Twitter and Rubrik, and also held the position of vice-president of information security at IBM.

As part of her role at Bill, she leads the global information technology functions, advances efforts to protect Bill’s information and technology assets, and provides advice on the company’s work in the security space.

Sethi also serves on the board of ForgeRock, a public company in the identity and access management space, as well as on the board of Vaultree, the data-in-use encryption company. She is on the advisory council for ISACA, a professional organisation for members who work in digital trust fields.

‘Cybersecurity needs to be at the core of any digital transformation journey. Continuing to evolve and strengthen security controls is critical for success’

What are some of the biggest challenges you’re facing in the current IT landscape and how are you addressing them?

Working with third-party vendors is essential for getting business done, achieving enterprise objectives and continuing an organisation’s growth trajectory. But this increase in access to data, operations and facilities may introduce a degree of risk. The impact of unmanaged risks has the potential to be severe – ranging from service disruptions, reputational damage, regulatory fines, to data breaches. This is where comprehensive third-party risk management (TPRM) programmes come in. By maintaining a strong TPRM programme, CISOs and their teams are able to arm an organisation to effectively identify and mitigate risks that come with the onboarding of new vendors and monitoring of current ones.

I am very excited about working with Vaultree and how data-in-use encryption will unleash the power of data by processing encrypted data. The near future is one where every human will have ‘privacy traces’ online, making data security a real-world issue that needs to be harnessed.

What are your thoughts on digital transformation in a broad sense within your industry?

Cybersecurity needs to be at the core of any digital transformation journey, and continuing to evolve and strengthen security controls to reduce risk and build on a culture of security is critical for success. To be prepared, organisations now must be very proactive and make significant investments in their cybersecurity programme – this includes people, technology and processes. Regularly test the cybersecurity programme and go through rigorous audits and checks.

Have multiple layers of security controls in place designed to quickly detect and protect systems against exploitation by vulnerabilities. In addition, maintain a vulnerability management programme that promptly reviews and addresses issues in accordance with internal policies. Most important is understanding all the data that a company has to enable powerful new business use cases and also appropriately protect that data with the utmost care.

Sustainability has become a key objective for businesses in recent years. What are your thoughts on how this can be addressed from an IT perspective?

An important part of the technology and development lifecycle is building in sustainability from the start. The IT team definitely owns a big part of that. From choosing sustainable vendors and partners to selecting equipment, hardware and software, to creating awareness around reuse and recycle programmes, we can move the needle on sustainability efforts in a big way before it’s too late.

What big tech trends do you believe are changing the world and your industry specifically?

Cybersecurity should be on every leader’s mind nowadays. The threat actors are using any and every point of tension and uncertainty – including the pandemic and political tensions – to take advantage of individuals and organisations.

CISOs and security teams see thousands of attempted attacks daily. We know the best defense is to be prepared and to assess the situation thoroughly and to verify before taking action. We know threat actors are methodically setting their traps and patiently waiting for someone to take the bait. Organisations can adopt the same methodical behaviors when evaluating for unexpected or out-of-the-ordinary messages and requests.

The role of CISOs is much more strategic and elevated than it was even a decade ago. In addition to technical experience and knowledge, it’s now a requirement to have leadership, communications and business acumen.

What are your thoughts on how we can address the security challenges currently facing your industry?

Cybersecurity continues to be in the front and centre of discussions around the world. The importance of security is now leading to cybersecurity executive orders by governments as well as the banning of applications by countries due to the lack of perceived security and privacy controls. The importance of the CISO role and responsibilities has been elevated significantly in just the past few years. One of the game changers in CISO responsibilities is presenting consistently to the board of directors and relevant committees, in a meaningful and more thorough way that shows actual cybersecurity metrics, and how the security team is moving the needle on those metrics in the long and short term. Cybersecurity expertise at the board level is a requirement for public companies, which only emphasises the levels of accountability expected around security in an organisation.

Regulatory requirements in addition to the increase in cybersecurity attacks have forced companies to start looking at actually adding CISOs to their boards and many are creating cybersecurity and risk committees to cover the important topic of information security in depth. CISOs now have a seat at the table to bring their unique experience and knowledge at a time when it’s absolutely critical.
