#4: Aby Rao

September 23, 2015

Welcome to Episode 4 of the Building a Life and Career in Security Podcast.

Today’s guest is Aby Rao. Aby is currently the Director of Identity and Access Management Technology for a major insurance company.

Aby and I talk about his career journey from User Interface Designer to Identity Management Director. We talk about how his UI background still plays a role in his job today and how he is preparing to have a new baby in the house.

Links from the show:

aby rao: I think that decision to go down the certification path and start being part of various professional associations helped me network with people, and I think that has paid off and I see that payoff now, 5 years later.

Speaker 3: From the jayschulman.com studio, this is the Building a Life and Career in Security Podcast. Now, your host, Jay Schulman.

jay schulman: Thanks, it’s Jay. Welcome to another episode of Building a Life and Career in Security Podcast, the podcast that lets you see how others grew their information security careers. Today’s guest is Aby Rao. Aby really provides some great guidance in today’s podcast. How his user interface background helps with his security job today, on making a career change from developer to security professional, and his experience at my alma mater, the University of Illinois at Urbana-Champaign. Here is Aby’s career journey in his own words.

aby rao: I’m a director at one of the top ten insurance companies. I work in the identity access management domain. Part of the IT security and risk. A little bit about my career starting in the security arena goes back to 2002, when I graduated from a college in India with a computer science degree. As soon as I graduated, somehow I ended up on a plane to University of Illinois for my masters in information science, so that was a great experience up in Urbana-Champaign. Excellent school. Part of the information science program where I got a chance to work in areas such as data visualization, information visualization, did a lot of usability analysis and human-computer interaction kind of work.

My first job was actually related to UI design, nothing to do with security. I was part of a startup, where I did a lot of usability analysis, spoke to our end users, got a chance to meet various businesses and try to sell our product. Get an understanding of what users are looking for, so the whole user experience came into play and I was actively involved in the design of the software. I did that for about 3 years. It was really good from an end user perspective, because coming from a computer science degree it’s all about programming, and algorithms, and discrete math. I felt it was a great change to move to the other side of the computer and start looking at the computer from outwards.

I thought that was a time for me to try something else, so I took up computer programming, more precisely web programming, I worked at Drexel University, then I moved on to Duke University, where I was hired as a web programmer. Got a chance to work on HTML, [Ajax 00:03:08], JavaScript. Did some identity access management work with [inaudible 00:03:14]. That’s when I felt that security is something that really interests me, especially the web application security side of things, because being a programmer you’re so head down into coding, and making sure that your code works and meets the business requirement, but after I did a little bit of security, putting in security controls, I felt that this is something I want to explore.

What I did was entered off looking for a job in security. I went and got a couple of certifications that gave me a better street cred. I got my CISSP, CISA, and put my resume out on LinkedIn, which helped me get a job with KPMG in their information protection and business resiliency practice. Had some really good experience working with Fortune 500 companies there. Did things that I really enjoyed. Worked on projects that I was not a big fan of, but it was part of the growing pains. I really am excited to have gained that experience. I don’t think I would have been where I am now if I was not part of the KPMG family. In a nutshell, I think I can be a really good product manager, just because I have experience on the user design side of things.

I can code, and I can strengthen the program by working on the security side of things. Having this diverse work experience has helped me be a better professional, or at least that’s how I like to think.

jay schulman: There have to be a lot of developers out there that are interested in security, at least I hope so. We need more developers interested in security. Thinking back to your experience, do you have any tips for making that transition from development to security, or to application security?

aby rao: Yeah sure, yeah. One of the things that I feel programmers should start focusing on is injecting security as part of their developing life cycle. I know a lot of people talk about this, it’s easier said than done. I’ve been through that challenge of making security ingrained into your development practices, but I can’t stress enough how important that is. I feel that in a [inaudible 00:05:45] model, or you’re talking about agile programming, I’m pretty confident there are ways of tying in security practices, having reviews done. Just from a coding perspective, there are many ways you can secure the code, have better error handling, monitoring and logging in place. I can talk about this at length, but at the end of the day, programmers need to start seriously thinking about security because it cannot be an afterthought.

I think that there are way too many applications out there where people are trying to figure out security after it’s been built and shipped to the clients, and it’s too late. It’s way too late. It should be a part of the development culture where risk and security is considered at every phase of the process.

jay schulman: Perfect. Along your career, you have such unique experiences along the way. Was there ever a point in time where you had a really tough decision to make, where it could go one way or the other, and you look back on it and say you’re really thankful for the decision you made, you really made the right decision?

aby rao: Yeah, absolutely. There was a point when I had spent about five years coding, and there was certainly job security. I don’t think I would have ever found it challenging to find a job in the development domain, development space. There’s always a need for web programmers, but security was something that I felt that is my growth edge. That’s one area that I really wanted to see if I can sustain and grow in that space. Five years ago when I was considering security and risk management, I applied to jobs without any background. I tried to highlight some of my web development security experience but didn’t really go too far. I think that’s when the decision to take certifications, not that certifications make you a better professional. That’s definitely not my approach, but it just gives you a little bit of more visibility when it comes to recruiters.

I think that decision to go down the certification path and start being part of various professional associations helped me network with people, and I think that has paid off, and I see that payoff now, five years later. I would recommend that to anyone out there. If you are a network designer, if you are a system administrator, and you want to make that transition, make it a slow transition. What I mean by that is, keep your skills, promote your skills, but at the same time gain some security experience within the boundaries you are a part of. If you’re a system administrator, see how you can make things a little more secure from what your responsibilities are. Tie down some of the controls to what you do on an operational basis, and that’s the first step.

You’re making that slow transition of getting into the mindset of protecting things. I think that’s key, and this way if you want to stay in your role of let’s say a system administrator, you can do that, but you’re slowly approaching to the other side, which could be more security centric.

jay schulman: That was fantastic advice, and thank you for bringing that up because a lot of people ask the question around when do you get a security certification. It’s great to hear about how that timing was so crucial to growing your career. Let’s take it a step further, I’m really curious because I like the idea of having a multi-disciplinary security person. You’re in identity and access management primarily today, how does your user interface experience come into play today? Does that come up a lot, do you still use that skill set with IAM?

aby rao: Absolutely. There’s no doubt that I still use my user experience. Let me give you a specific example. Right now we are in the process of revamping our identity governance and access program, and we are evaluating many different tools that are out there. One of the biggest complaints our end users have when it comes to certifying entitlements or users, is that it’s very hard to navigate. I don’t know what I’m looking at, pages look very cluttered. I cannot do my job. As a security professional, you want to see re-certification done, but at the same time you want to ensure that there are very few hurdles for our end users to cross. One of my key focuses is to make sure that the user interface of whatever product we end up with is simple enough, is less frustrating, and gets the work done.

I see a lot of such tie-ins throughout our process, be it identity access management, or any other domains of security. I think it’s key and just helps me go back to my early days, and put my UI user interface designer hat and say that, “What would our end users think or how would they evaluate this product?”

jay schulman: That’s spot on, because if you think about two highly trained identity management people, one with a career security experience and the other one with his UI experience to lay on top of it, you could really see how you probably had such a huge advantage going in there applying for this job, even if you’re competing against three or four other equally qualified identity individuals. You talked about product, and in the identity access management space, I think product comes up a lot. A lot of times I ask IAM people, “Hey what do you do?” “Oh, I’m an Oracle guy, I’m a CA guy, I’m a SailPoint guy.” How has product or tools played a role? Has it been central to what you do, or has it been ancillary?

aby rao: It’s definitely ancillary. A lot of businesses go out and tend to be more tool centric or technology centric. After a few years of working with a tool, businesses realize, organizations realize that, “Hey, you know what? Tools can only do so much. You need to have solid processes, you need to have really good policies around how you go earn the tool, and at the end of the day you want to ensure that the tools are leveraged correctly.” What I mean by that is, these policies and procedures guide the tools. People, process, technology, right? This is the cliché triad you can think of, but it’s extremely important that people and process are aligned with the tool, and if you make the tool to be one big sphere within that triad, then it just loses balance.

I think it’s a good balance between those three things. I tend to as much as a technologist I think I am, I tend to focus on people and process.

jay schulman: So far we’ve talked about a lot of really positive things. I’m sure there are points in your career where things weren’t perfect for you. Think back, is there an example of something that if you had to do it all over again, you’d want to redo it?

aby rao: That’s a great question. One of the things I would have done slightly differently was especially during my graduate program, maybe take a little bit more courses in the security space. I think back in 2000, 2001, there’s not a whole lot of academic focus on security, which has changed now, which is really good. I would spend some time not just doing UI work, but I think investing time in security and understanding the security space would have really helped me. That’s probably one thing I would have changed if I were to redo some of the things from the past.

jay schulman: I was trying not to talk about our mutual experiences in Champaign-Urbana, but you brought it up. I’m very biased. I was at an outstanding school, I loved my experience there. It sounds like you had a great experience. I think it’s interesting today with the rise of these [MOOCs 00:14:33] massively online courses where ten and twenty thousand people can all take a class on information security through Coursera, did the university experience play a role besides just the classroom? Do you think if you were to do it all over again today, would you still go the bachelor’s and master’s route, that traditional education focus, or do you think there’s still a role for all of these online courses and taking a non-traditional approach to education?

aby rao: Yeah, I’m a little bit conservative when it comes to education. I think I tend to be a little bit more biased towards colleges and universities, because at the end of the day some of the skills I’ve gained going to the traditional route has not much to do with security or computers. The discipline that colleges bring in you, the interaction that you need with your peers and your teachers, those are invaluable. I think that’s something that you can only gain by attending a classroom with fifty other students, talking to your professors, getting involved in projects where you get to see your teammates face to face. I think that’s something that I cannot replace in a non-traditional classroom, although I know there have been attempts to change that. I would stick to the path that I have taken in the past. Maybe my choices would have been slightly different in terms of courses, but I think that has been immensely valuable to me.

jay schulman: We were talking before we started recording about some big news that you have. You’re going to be a father here in the fall. I have two kids of my own, age four and two, so I know what it’s like to be a father. I’m curious, I’ll ask you the question now, and maybe we can do this again in a year. What do you think it’s going to be like to manage life as both a father and your role in information security and running an identity management program?

aby rao: It’ll be a challenging one. To say the least, but I think that’s one of the things I’ve been thinking about, and I don’t have a straight answer. I think I’ll have to experience it before I can make a comment. I feel that what will be key the next few months will be to have a very strong family life. That’s one of the reasons why I decided to move away from the consulting world was spending more time with my wife. My in-laws are local as well, so they will play a significant role in raising the child. If you have a strong family background and it’s a close-knit family, I think as a team, as a unit, you can move mountains. That’s what I am relying on, is the fact that having a strong spouse who is very supportive of what you’re doing, having friends and family members who appreciate what you’re doing, all that adds up and only makes you a stronger person, which ties in with being a good dad as well as a good professional.

jay schulman: Yeah, at least for me it was amazing from if you read all of those tips on productivity and making meetings effective and all of that, it didn’t really mean anything until I was sitting in one of those wastes of a meeting, so to speak, where you could be spending time with your kids, or you could be listening to this very poorly managed meeting, I know for me it helped me manage my time much better, because it meant me getting out of work on time, getting home on time to see my kids, and especially in those first years it was just so important. Excellent. You’ve just given outstanding advice today. Anything we didn’t talk about that you want to cover before we finish up today?

aby rao: Yeah, at the end of the day for me as an individual, what’s key is to unwind and give yourself enough time. Everyone has a job we try our best every day to be a good husband, dad, professional, but make sure that you have your own space, enjoy what you’re doing outside work. I like to make independent films on the side, so once I’m outside work, I’m in my own filmmaking world, thinking about stories, what’s my next film about, and just enjoying what I’ve got. I’ve got a strong vent, creative vent which I like to flex as much as I can. Everything has its space in time, so make sure that you enjoy both, be it profession or your hobby. Just do your thing.

jay schulman: Excellent. If people are really fascinated by what you had to say, certainly I was, is there a good way to get in contact with you?

aby rao: Absolutely. You can email me, I’m on LinkedIn. My email address is A-B-Y-R-A-O at gmail.com. I would love to be in touch with individuals who want to make the transition to security, or just learn more about what this is all about. It’s still an emerging space, and there are a lot of questions. People think that security professionals are hackers, ethical hackers or otherwise. It’s a lot more than that. It’s really big, and I will be happy to share my experience and knowledge and help other people grow.

jay schulman: Thank you, appreciate that. I appreciate you being on today, and you’ve just given outstanding advice, so thanks again.

aby rao: Thanks, Jay.

jay schulman: Thanks to Aby for joining us today. A lot of the advice mirrors advice in my book that has the same title as this podcast, Building a Life and Career in Security. There’s a link to Aby’s LinkedIn profile in the show notes, and make sure you let him know that you heard him here on the podcast. If you have comments or questions about today’s podcast or want to join me to talk about your security career, shoot me an email at podcast@jayschulman.com. If you found this podcast valuable, let me know by leaving a comment in iTunes. Thanks for listening to this episode of Building a Life and Career in Security Podcast. Please subscribe to the podcast on iTunes or at jayschulman.com/podcast.

Speaker 3: Thank you for listening to the Building a Life and Career in Security Podcast with Jay Schulman. For more information and to subscribe, go to jayschulman.com.