AiThority Interview with Setu Kulkarni, VP, Strategy at WhiteHat Security

Please tell us about your current role at WhiteHat Security and the team/ technology you handle in the company.

At WhiteHat, I have been responsible for establishing and leading WhiteHat’s corporate strategy & development function during critical growth years, resulting in successful exit to NTT Security. Post-acquisition, I am focused on integrating the two companies and at the same time incorporating a corporate strategy function within NTT Security to support NTT Security’s growth objectives in the coming years to become the pre-eminent full-stack cybersecurity solution provider globally. I am honored to work with a globally distributed team comprising of strategists and cyber security experts to develop and execute our business yearly plan and among other things help me in putting together our flagship yearly “State of Application Security” report and now the monthly podcast that supports the effort.

What is WhiteHat’s latest AppSec Stats Flash report all about and how can organizations benefit from the findings of the latest report?

When I spend time with our customers and security leaders – one thing always comes up. How do we know we have a good program or have ample security implemented in the organization? While this is a broad ask – I believe that we have so much data here at WhiteHat that we can put in service of answering that question. That is the thinking behind producing a monthly Stats flash.

We feel that the threat landscape is evolving quite rapidly and we need a more frequent analysis of the state of application security. And at the same time organizations are pushing more applications into production than ever before. In the light of these two trends, we want to be able to help the community out there with a continuous and contemporary look at the detailed appsec data we are generating with every passing day. We have a handful of metrics that we track on an ongoing basis and in each episode we bring forward the most important metrics and our observations. Organizations can start benchmarking their security programs against these monthly trends and metrics to periodically examine the success of their program.

At the same time, I feel it is important to get expert opinion on aspects of Application Security beyond these metrics to provide the Security community experiential insights that experts have accumulated over their many years in the industry. I have tremendously benefitted from expert insight throughout my career. In my interactions with these experts we often end up taking a deep dive into a topic that they are passionate about – be it the shared responsibility model for security, or the role of product management in security, or for that matter how security is becoming a key deal influencer in business development/M&A. And by bringing on these experts on to the podcast in its second half, it is my goal to combine the objective (metrics) with the subjective (experience) and propagate the experiential insights the experts have to the listeners of the podcast.

Also Read: AiThority Interview with John Bishop, CEO at Librestream

How is the data is compiled for the AppSec Stats Flash reports?

WhiteHat Security has the world’s largest curated application security attack-vector dataset that continues to grow as we scan tens of thousands of applications every year and examine over a million vulnerabilities every year. WhiteHat’s authoritative State of Application Security report, and recently launched podcast, are based on the analysis done on this dataset.

Mobile apps have become the new surface points for cyber security attacks. How does WhiteHat secure assets from such attacks?

Mobile apps are now an integral part of the application ecosystem that our customers and their customers use to conduct business. Just think about how even in our personal lives we move from a web-app to a mobile app without blinking an eye. It is just natural now. So as we have become increasingly comfortable conducting our lives and business using a combination of application form-factors, we have inadvertently become more exposed than ever to cyber security attacks through web, mobile and API-based applications. WhiteHat provides our customers the ability to scan the application ecosystem in production as well as pre-production to find the real vulnerabilities that plague applications. We prioritize accuracy and coverage to make sure that our customers have the benefit of the most actionable insight to protect their business from application based attacks.

What are your AI/ML innovations? How do you use these applications in your offerings?

We are leveraging AI/ML to enhance our security capabilities (like detection) as well as security operations (like results verification, safely & automatically filling forms). The key is having a relevant and in most cases a growing data-set, which is typically possible with cloud based service and managed service based offerings. At WhiteHat and our parent company NTT Security, there is a tremendous focus on combining automation, artificial and human intelligence to solve some of the biggest challenges in the security market today – an acute shortage of security professionals, an exponential expansion of the attack surface and the ever evolving threat landscape. These factors compound the challenge of securing any business today. Automation and AI provide the scalability required to protect business in this complex environment. A great example of Automation and AI working together is automating the interaction between detection (ex. Continuous AppSec monitoring powered by AI/ML) and mitigation (web application firewalls) technologies to provide real-time risk mitigation.

Also Read: AiThority Interview with Matt Coppinger, Director AR/VR at VMware

How is WhiteHat helping to drive the future of application security?

The future of application security in a way has been brought forward with the events of last year. The pandemic has forced a massive migration of many aspects of our physical lives and businesses to become online – and likely much of this migration is permanent. I have lately been using this example of how my car maintenance is now contact-free. An activity that was hugely human interaction oriented now is fully application interaction oriented. The service-person showed up at the appointed time, accessed the vehicle through an app on his computer, serviced the car, sent me an update and processed the payment – all through apps. In all of this, trust and security are make or break factors to conduct our lives and business.

The future of appsec, hence, is really our ability to build & certify apps to be secure and trustworthy – not just point in time but throughout time. And while there are many steps to take to make that possible, we fundamentally believe that we need to double down on securing applications in production – afterall that is where they are most at risk of being breached. We are driving that future by ensuring our capabilities are production safe and hence can be used to continuously monitor in production applications. Combining that with our hyper-automation (human intelligence + AI/ML subsystem) to drive accuracy at scale is critical to help our customers take the best action possible to protect their applications.

Finally, providing full lifecycle support for application security scanning – starting with production and going back all the way to development – that is how we are ensuring that all stakeholders from dev to sec to ops participate in the effort to secure applications.

Tell us a little bit about WhiteHat’s partnership community. How does it benefit your current product roadmap?

WhiteHat’s is a one of the handful of focal points in any organizations cyber security strategy rollout. As such, our customers seek to integrate our solutions with adjacent cybersecurity solutions. I look at our partnerships through a few different lenses.

First, we have key technology partners like that help us deliver unique capabilities in areas like mobile application security. Second, we have key solutions partners who help us extend our core-solutions by offering unique services like remediation and continuous penetration testing. Third, we have cybersecurity domain-partners with whom we provide larger cross-domain solutions like closed loop detection and protection of web applications and GRC type solutions. Lastly, but importantly, we have integrations built into a modern developer and SDLC tools. With these 4 kinds of partnerships we are able to offer our customers the ability to have Secure Applications – an outcome our customers desire.

On the GTM side, we have strategic VAR partnerships globally. Post-acquisition, we have integrated our offerings in to the global NTT sales & GTM channel that has now given us access to prospects and customers in over a 100 countries.

What is one prediction you have for the industry in 2021?

In the near future, I expect customers to significantly increase the number of applications they have to serve their customers as well as to support their increasingly digitized operations. At the same time, I do not expect the security skill shortage in the industry to abate, on the contrary, I expect it to become more acute.

The race between security providers and adversaries will become heated as AI/ML & RPA will become even more accessible and commoditized.  And we will see both security providers as well as adversaries leverage AI/ML & RPA techniques increasingly.

Customers will demand outcomes and accountability from their security providers. After all, when customers spend millions of dollars with security vendors, they expect more than just best-effort cybersecurity.

What is one piece of advice you would like to give to every CEO/CIO in the industry?

While it will be disingenuous of me to offer advice to CEOs and CIOs as I have never served in those capacities, I can offer a summary of what I have learnt over the last few years as I led the acquisition of WhiteHat to NTT Security. I learnt that it is as important to “working on the business” as it is to “work in the business”. As a matter of fact, I have found that “working in the business” is an easy excuse to not “work on the business”. I also learned that ruthless prioritization is the difference between success and failure. Until you develop a framework or an abstraction to view all the part pieces of your business you can’t ruthlessly prioritize. Working on the business is therefore key to ruthless prioritization which is in turn key to execution. This hard-learnt lesson continues to hold me in good stead not only in my involvement at WhiteHat & NTT but also in other non-work ventures.

Also Read: AiThority Interview with Or Lenchner, CEO at Luminati Networks

Thank you, Setu! That was fun and we hope to see you back on AiThority.com soon.