Skip to main content

Scaling and Maturing the Security Function

Illustration of Swathi Joshi smiling. Swathi Joshi is VP, SaaS Cloud Security at Oracle. "Scaling and Maturing the Security Function"


Swathi Joshi is VP, SaaS Cloud Security at Oracle. Based in San Francisco, she was previously Security Engineering Manager (Detection and Response) at Netflix. Swathi received her Masters in Information Security and Assurance from George Mason University (US), and a Bachelor of Engineering, Computer Science from NMAM Institute of Technology (India). She is a board member of The Forte Group, Day of Shecurity and the Sahasra Deepika Foundation for Education.

This month, Swathi joined CyRise Elevate as a guest advisor. Below is an edited excerpt from our conversation, where she discussed how she approaches the scaling and maturing of companies’ security functions.

Scaling and Maturing the Security Function sketch of key points and illustration of Swathi Joshi

What are your foundational blocks of a security program? 

The way I’d like to describe it, there are three sections: 

  1. One is doing the actual work: management, risk compliance, interim response. 
  2. Then ‘How can you increase leverage and unblock your team? What are some of the aspects that you can use to get better leverage?’
  3. Then, measuring effectiveness. ‘How are we actually doing?’ 

It was Simon Wardley who had this concept of pioneers, town planners and settlers. Each of these people like doing different types of work:

  • Pioneers. They are very comfortable working with poorly understood problems. You need these people to go build stuff. 
  • Then there are settlers, who like maturing a product.
  • Then there are town planners who love standardising, who love stability. 

Quote You need people with different mindsets and different interests to come together.

So, I think in the security program – to increase your leverage – you need these three kinds of people. You need people with different mindsets and different interests to come together. 

There’s also efficiency-gain work we have to do. We’re often in this position of, ‘How do we balance all of the operations load that’s on us AND continue to improve?’ One way is through automation.

But a word of caution when it comes to automation: there is a certain point at which the return for the automation stabilises. Initially you’ll see huge gains. Let’s say you have case management or a source system. Initially you’ll say, “Oh great, our mean time to assemble everyone is getting shorter. Our mean time to resolve is getting shorter. Our time to schedule a post-mortem or a post-incident interview is shorter.” 

And then after that it becomes the norm and then it stabilises a little bit.

How much time do you spend thinking about your strategy for maturing? 

The reality is, if you don’t say, “Okay, we are going to have an offsite and we are going to think about this,” if you don’t carve out that time, day-to-day work just takes over. And generally, for me, what has worked is, Wednesdays and Fridays mornings I keep as my focus time. I try to really control my calendar and make it as productive as possible. 

I try to not schedule any meetings for Wednesdays and at least half a day Friday. So, I can get focus time to think about it. 

You’ve talked about ‘rightsizing’ a security investment. What does rightsizing practically mean for you? And when is it a ‘wrong size’, so to speak?

I think for rightsizing, there are multiple contributing factors: risk appetite, investment, revenue, which are driven by the business/company. Then there’s building a security strategy, hiring, resources allocation.

So, I think rightsizing, for me, means, ‘Okay, what are the company factors that impact you?’ That’s mainly informed by the appetite to invest in security, the risk threshold of the leadership team, the revenue of the company, and proportionality: the number of libraries in the stack, number of lines of code, number of applications, number of developers and engineers in the organisation. Those are some of the markers in my mind when you want to rightsize the security organisation.

What are the key focus areas for you in the next few years? Are you going to add in an extra team or is it just about expanding existing teams?

In the last couple of months or so, the economic climate has really shifted. I think we are at the inflection point, in terms of communicating the security return of investments… And I’m intentionally using ‘number of people’, and not ‘maturity’, because I don’t think you can equate that to be the same: more people doesn’t necessarily mean you’re mature. Last year I have been focussed on: ‘how can each of the security functions within my organisation operate effectively, how can GRC, detection and response, vulnerability management and red team each act as an efficient unit?’ 

Now that we are close to that goal, next year I want to spend time increasing the interconnectivity of the team. How can red team inform detection engineering better?’ How can we leverage lessons learned from our post-incident reviews?, etc. 

A common conversation at CyRise Elevate is about managing stakeholders and communicating with non-security teams. At Oracle, how much time do you personally spend with the non-security teams and stakeholders?

My non-engineering, non-technical interactions are mostly legal, policy, HR, and executive management. Large portions of my time is spent talking with application development teams and infrastructure teams. About 20 percent of my time is probably spent with non-technical stakeholders.

What’s your favourite part of the job?

I think when I step back and take a look at the scope of the organisation. The number of things that we do on a daily basis and the scope of things that we cover, it’s amazing. It’s humbling and exciting.

And the other thing at Oracle SaaS is the customer obsession. What can we do for our customers? How can we make this easy? How can we make this better? How can we make it more secure? Those are things that make this job really fun.

What’s a book we should all read?

Surrounded by Idiots: The Four Types of Human Behavior and How to Effectively Communicate With Each in Business – and in Life, by Thomas Erikson.

What’s a food we should all try?

Chicken biryani (a one-pot meal from wartime).

What’s a podcast we should all learn from?

Hidden Brain.

What’s a band or artist we should all listen to?

Beyoncé.

Thanks, Swathi, for chatting with us at CyRise Elevate.

Connect with Swathi: LinkedIn | Twitter

CyRise Elevate is our membership and development program for ambitious cybersecurity leaders. We’re currently recruiting members for our new CyRise Elevate tribes for GRC and technical security leaders and have limited spots available in our CyRise Elevate tribes for senior security leaders in scale-up organisations.

If you know an ambitious security leader you think might be a good fit, we’d love to meet them. For our new tribes, the perfect candidate is someone who has strategic responsibilities and (probably) reports to the CISO or the Head of Information Security. Is that you or someone you know? Send us an email at [email protected] and we can send you some more information.