The Good and Lasting Cloud Security with Lalit Kumar
Host: Hi, everyone. This is Purusottam and thanks for tuning into the ScaleToZero Podcast. Today's episode is with Lalit Kumar. Lalit is a visionary security leader with over 20 years of experience. He has transformed the AWS India Security Division while collaborating with numerous CXOs across BFSI, digital native and government sectors. His rare combination of enterprise leadership and product innovation expertise has positioned him at the forefront of shaping cybersecurity policies with major regulatory bodies, including RBI and CERT-In. Lalit is a pivotal figure in both identifying cutting-edge security capabilities and also evaluating security operations at scale. With that, Lalit, thank you so much for coming to the podcast.
Lalit: Thank you, bro. Thank you for inviting me.
Host: Before we get started though, do you want to share anything about your journey? Like how did you get in, if you want to share, and what keeps you motivated even today?
Lalit: Sure, the last 11 years have been with AWS. So out of 20 years, 11 years have been spent at Amazon. Before that, I did work with HP in their private cloud division, as well as VMware. So I started from virtualization and cloud, and of course now with AWS.
In my initial years at AWS, I worked on almost everything because we operated like a startup. We didn't have much structure at that point in time. Well, just very few people. I think I was the second person joining the solution architect team in Delhi. And then we worked on some large-scale distributed systems, e-commerce. And then 2016 is when we opened a region in India.
And if you follow closely, a region has been opened in a country when FSI opens up. And that also marked my entry into security for AWS. I started working deeply on security, and in 2019 I started full time in security.
And what keeps me motivated? Well, as you know, in the security world, more than anyone and anything, it's the adversary that keeps you on your toes. So yeah, in a way it sounds very cynical, but yeah, that keeps us motivated, and it's a damn interesting field.
Host: I echo that. Before we get started with the security questions, there is a question that we ask every guest, and we get unique answers. And I'm curious what will come out of that question. Every person has a different way of dealing with their day. I know that you work with customers, startups, and regulators. You work with multiple bodies.
So what does a day in your life look like?
Lalit: Well, largely people have consistent work. We do have consistent work. Our consistent work revolves around helping our customers to remain secure. That means interacting with customers, conducting maybe a security assessment for them, or helping them understand new security controls. These are kinds of consistent work. As an outcome of this consistent work, maybe writing a blog, creating a security application, building a solution, those kinds of things. Writing scale mechanisms; at AWS, we value scale mechanisms. So what are the new ways by which we can help our customers to scale their security operations? So these are my consistent work.
But on the other hand, which is also very exciting at times is random events. Random events could be a vulnerability just being disclosed.
Now, a regulator gets concerned about a certain situation. These are not random, but regulatory work is not random. A customer calling out, hey, I need help, I'm going through this audit and everything. For us, it becomes a kind of event where a customer needs our support. And then apart from adversaries, some customer might have a bad day.
So it feels like working in a, you know, firehouse, firefighting mode, where we don't want somebody to burn, but if there's a fire, we go and address that. It has both the things: consistent work, increasing our skill, creating patterns, building mechanisms to help our customers to be more secure, help our partners to be more secure, and on the other hand, addressing any urgent situation with a customer or upskilling ourselves with the advancement of technology or any new thing that comes up. That's how it looks.
Host: Sounds very similar to others, but the scale is very big for you because you are working with multiple organizations, startups, and regulators and things like that. So we'll touch on some of those areas in the podcast. So let's dive in.
So I had the pleasure of meeting you in person last year. And one of the things that fascinated me was your unique or minimalistic living. Would you like to share with our audience how that is different from, let's say, someone like me? And I'll connect that to security in a second, but yeah, if you want to share anything with our audience.
Lalit: I was not expecting this. If you're talking about lifestyle, essentially we all are trying to do things to support our lifestyle. I have a very outdoor lifestyle. And as you know, and by the way, it's a pleasure meeting you as well.
I decided in 2021 that I will be on the road and I'll try to live as minimally as possible. So I have a pickup truck, which I made into a camper, and I go around the country. There have been situations like COVID and all, after which largely we have been working from home. I was working from the road.
So I got a chance to visit my colleagues, coworkers, customers, much more than other people. And plus I've always been an outdoor person: camping, going to mountains, beaches and driving. So yeah, that's what I realized, that you need very few things to really survive. There is so much more. I'll give you a very simple example, which probably all of us in IT will relate to.
I could not imagine in 2019, 2020 that I could work without two monitors. People in tech who do coding and build stuff, we always like to have an external monitor. And I was like, how could I work without a desk? How could I work without two monitors? Very, very simple thing, right? We want the comfort of an environment where we could be productive.
I realized, no, that's not really required. I have been on the road and done a full-day event from a roadside eating joint. So those kinds of things have happened. That's a different part of this that keeps me humble, plus keeps me grounded: that hey, you don't really need much, and it also adds to the thing that I could survive without much. So yeah.
Host: So thank you for that example. It certainly matches with a lot of engineers. Engineers generally like to have multiple; they have their own setup, have a custom keyboard which makes noise. Everyone has their own preference when it comes to that. So thank you for that example.
So the reason I brought that up is, I'm trying to see, does that impact, not impact, like does that influence how you look at security or how you function as a security leader?
Lalit: Absolutely. The very first thing that we do, the foundation, is we build a threat model. Okay, so when I started, I started with a pickup truck with a soft top on the back of a pickup truck, and this is not very secure. Then I made a hard top, different versions, different functionalities. I figured out that organizations, and I used to give this example to people as well, and by the way, outdoors, one of my favorite activities has been horse riding. I used to tell my startup customers as well, and that's how startups operate, they are on a galloping horse.
And they have to correct their security posture when we go to them. They cannot stop the horse. They have to correct their stirrups, their posture while riding that horse, while galloping on it. Because you can't stop the business. So you see, so here's the thing. One of the key things in AWS is that everyone has to be a builder. And everyone needs to build some kind of tooling. So we build internal tooling on incident response, on building a threat model using AI. All these things are being done.
These also come as a reflection from outside the IT or computer or security world, where I have to build things by hand. So I built my camper by myself. I've done the end-to-end thing. I know if something breaks, I know how to fix it.
Now, here's the thing. What I learned is that the basics, if you do the basics right, and this echoes a question a lot of our customers ask: hey, what are the basics I need to be doing? And I say, largely, the pattern that I see in attacks. And by the way, I have also been part of our global response team, where for three, four years I have responded to incidents across the world. So I used to be on call once a week, and I responded to many security incidents, security events at our customers.
Largely, we have noticed, and this is by researchers as well, that these are basic things like access, access keys, secrets, credentials, and small, small misconfigurations which lead to this. So while building, you keep the basics in, right? And you keep on adding things on top of it.
And that's how I also see the journey of a customer: that the first goal is to achieve their product, their innovation. Don't get me wrong, but the world is built on vulnerable software. We make a business logic, we figure out a business, we make it run. Every startup or every organization, every bank, they first want to understand the business case and then have security. However, our core messaging or our core effort is to bake security in at every stage, and that's where we are moving to. And it's not bad at all if a customer has not, and I'm saying it very responsibly, a customer has not considered security, because that's how the business required it, and that's where our job comes in: to help them bake in security and have those kinds of controls.
The best customer, or the most secure customer, would be the one that has baked in security controls early on. Yeah, of course, your lifestyle outside this forces you to think about not just security, but security is also, I just want to add a little bit more. I'm going a little bit on a tangent, but:
Building requires considering people. So while you are building a truck or a camper, you also understand your environment. What kind of threat there is; you need a hard top, lockable things, mechanisms, but people can easily override that. It's very easy. Break the glass and you get control of everything. Always consider people. While we're talking a lot about and we're building tools around AI, and I'm seeing a lot of startups building AI-based tooling with security data.
But we can't eliminate people thinking about things. So the most important asset for anyone is people. The reliance on people. There is tooling available. Let me be upfront on this and be very clear that there is tooling available for our customers. However, sometimes it's the lack of skills or lack of people. It's not the lack of tooling.
And I want to connect it to just one last thing is when you are thinking about this, also think about law enforcement agencies.
Can't they afford the newest technology? They can. They can very well afford that. However, how does an investigation happen from the ground up, and what controls do they need? The reason I brought in this investigation angle is because I was discussing this with somebody last night who is building an intelligence system for investigative agencies.
So the problem is, people who are writing the first information report and collecting data, they need very basic things to be upfront. And we don't want to come in there; the whole idea of security is not to come in the way of what developers are trying to build, but rather to accelerate it, enable it. It was a little bit longer, but yeah.
Host: No, I see the relation between both of the worlds. And there are so many threads that we can get into. One of the things that I want to touch on is you mentioned basics, doing the basics. I'll touch on the people aspect in a second. So when it comes to basics, AWS does provide the infrastructure. We have shared responsibility, which I'm guessing most of the customers understand. And there are some security baseline controls also, the foundational controls which customers can leverage as well.
Do you see those being adopted, or being understood and adopted that well? Is there any gap in knowledge sharing in that area which customers can benefit from?
Lalit: See, I would not say adoption, because adoption means different things for different businesses. Some businesses are more mature and some are in early stages, trying to figure out or fix new things. They may have a priority of acquiring more customers versus securing systems.
However, at the same time, I'm being totally empathetic to all our customers who suffer a security incident just because of pure misconfiguration, because their focus is somewhere else. Our job is to help them to get these controls. If I talk about basics, largely the picture is very clear.
With AWS as a cloud service provider, specifically, I'll talk about that. For example, a customer is not meaningfully secure if they do not have an operational landing zone. And a landing zone, I'll quickly define it in like 10 seconds.
There you have an account structure, where production, UAT, test, these are separate accounts. You have micro-segmentation in the form of, first, the account boundary under an organization: organization unit, accounts, account boundary, and then the VPC boundary, then the subnet boundary. So this micro-segmentation with network control is a must. Then the second thing, which is the most important thing we all understand today, is more than network, it's the identity-centric approach.
And largely, if you look at the last three years, it has been identity-centric, because identity has become the perimeter in the cloud. To focus on identity, for example, the very first thing is single sign-on. So when I say operational landing zone, that means, hey, a customer might have single sign-on, but they might have residual partner logins or their own login access keys being created despite single sign-on. These kinds of things really impact the landing zone.
What is the mechanism to achieve a landing zone? In AWS parlance it is Control Tower. One could go and engineer and deploy their own landing zone with these kinds of boundaries, or leverage something as simple as Control Tower and leverage all the controls, which are best practices that are already defined. So that becomes your first foundation.
The second foundation comes in: I need to know all my misconfigurations. And that's where our CSPM comes into the picture. Now, CSPM, what CSPM typically does, it tells me all the misconfigurations based on already identified best practices. It's a manifestation of the best practices of PCI, CIS, NIST. Simple things like lack of tagging come in a landing zone as a guardrail. I just missed one part; an essential part of Control Tower is guardrails.
A guardrail is something like: I block a region. I am operating in Mumbai, for example, a regulated workload. I say only the Mumbai region is allowed. Only these 20 services are allowed. Only these configurations are allowed. Those kinds of guardrails need to be put in, and that becomes your baseline. Control Tower kinds of things help you to deploy these guardrails in an easier manner rather than writing service control policies.
Service control policies are nothing but a large deny condition: this kind of thing should not happen. For example, nobody should be able to alter, terminate, or disable my CloudTrail, or delete my logs. That's as simple as that. This condition should never occur. So those kinds of things could be deployed in an easier fashion with a Control Tower kind of thing.
Then comes the CSPM, and then what we talk about nowadays is a CNAPP, which includes various other factors: a data security posture management module, application security, Kubernetes as well, and then deriving toxic combinations out of it, and then monitoring everything. And then there's a TDR layer, the Cloud Detection and Response layer, where we see SIEM, SOAR capabilities, as well as XDR, those kinds of things come in. If I have to tell a customer to do three basic steps: one is of course Control Tower, guardrails; the bare minimum CSPM, to at least know what misconfigurations are there; and the best investment in security is actually doing threat modeling.
One key metric I want to share with you, you asked me, so I joined in 2014. And when I joined, the attack pattern in security was 22% application-level attacks, layer seven attacks. And 78% were infrastructure.
Largely DDoS, and you might remember back in the day AWS stating, we have blocked this big attack, terabytes of attack, Microsoft coming in, they say the same. So the whole world was around infrastructure-based attacks: Slowloris, TCP, SYN flood, all those kinds of things were happening.
But now that has completely reversed. 80% of attacks are on the application. We see API-based attacks. The question that we have to ask is, adversaries, as I initially mentioned, what do they lack? Do they lack access? No, they don't lack access, because with just a simple script they can identify so many vulnerable resources which are there, or API keys. It has become easier. The ratio has flipped. Now application attacks are more prevalent than infrastructure attacks.
We also need to bake in controls earlier on and bring threat modeling to the forefront.
Host: Yeah. No, I love how you structured it, right? Like all the way from the foundation to what are all the areas that you should focus on when it comes to your cloud security.
One question that comes to my mind is, like you work with startups, mid-market, enterprise, all types of customers, right? When it comes to security as a priority or budgeting for security, one thing you highlighted earlier is the goal of any business is to build more capabilities or make money and things like that.
Often security takes a back seat, is not prioritized enough. When you work with customers, how do you make them see the value of investing early in security?
Lalit: So I think there's a technology conversation which gets into the details of what are the controls every customer should implement, what are the basic controls, and then how they can keep on building. Now there are two categories here, or two kinds of large things. I operate with large banks, regulated entities, as well as startups.
One that comes with a legacy of security tooling, and one that comes in very much with a, hey, we have nothing kind of a thing. So both are actually challenges. And I'll tell you why both are challenges, and they mirror each other, because a large enterprise may have a huge list of investments in tooling and they would like to utilize the same tooling.
Which does not work, by the way, in cloud, because cloud environments are different. There is auto-scaling, resources are dynamic in nature, Kubernetes; the traditional firewalls and other controls have not been built for Kubernetes. There has not been a paradigm of, well, there have been data security products, but DSPM kinds of controls were not present.
On the other side, for a startup, we have to start building and baking more into the operation. We have to understand that there will be fewer people who would be responsible for security, or they have fewer resources. They would go for more native and baked-in security controls, while an enterprise might think of a bolt-on, because that's what their legacy has been.
Now, coming to the question, apart from the basics, how do I tell business? I think probably the business conversation is more focused around three things.
One, adoption of a new security control, does it drive down my cost?
Second, does it help me to achieve some compliances? If you don't relate it to achieving certain compliances in a large organization, it does not fly practically, while it may be good and everything.
The other thing is, is there a productivity increase? So can security be shown as an enabler? For example, when we talk about threat modeling to a customer, the cost of fixing a misconfiguration or fixing a bug exponentially increases as we go from development to production. If I can identify it at the system design review stage, where we have just drawn an architecture, written a PRD document, at that point in time, if you can identify it, it costs me way less.
And the second stage is code to cloud. So from design, I have an architecture, I have a data flow, I understand how the different components are going to integrate. At that point in time, if I can match it with InfoSec policies, compliances, the security requirements, and then start doing the coding, and then code to cloud, where a secure pipeline is running my security checks while the code is being written.
Those are the most rewarding exercises and most basic foundational control apart from setting up the landing zone in a cloud environment.
Host: Yeah. And it makes sense. And I have seen similar conversations. Of course, you must have seen it at a much grander scale. Yeah, like when we speak with our customers also, we hear something similar, right? That how does it help me move fast, which ties back to productivity, right? Or like if I am going through an audit, how can you help? So, absolutely.
Speaking of security challenges, one thing when we met and when we spoke, and even like when we have spoken, one of the things that I have gathered is the Indian security ecosystem has its own set of challenges as well. While you have to cater to global needs, there are some geography-specific needs as well. As part of, let's say, a global organization like AWS, how do you stay focused to resolve not only the local challenges but also the global challenges?
Let's say you're working with a customer, with a bank. They might have to cater to both, right? So how do you balance that?
Lalit: In fact, so I do get visibility across our customers and other geos as well. APJ is my primary region where I look after the business in India, but I do get visibility on APJ plus our other countries, Europe and US as well.
My reading, when we compare regulatory bodies in India, is they've done an amazing job. And the reason for that is because now if we look at SEBI or RBI, well, SEBI is way more detailed, even with a cyber capability index.
So they're driving measurement of security. I would put it this way, that they're defining or they're creating frameworks for the ease of business. Now, I also have this conversation with my customers, and I get their point as well that, if a new regulation comes up, then it becomes difficult for us to implement all those kinds of controls.
Essentially, what we're talking about is moving away from traditional security controls, which were static in nature, to something that aligns with cloud, which is dynamic in nature. For example, if you look at security vendors now, all security vendors typically today are talking about platformization. Plus, they do not have a fixed kind of server license, but they have a subscription as well. They factor in Lambda functions.
Which are serverless, they factor in container workloads. So things have improved drastically.
And let me say this. In the journey, while adversaries and competition drive the market, there are two very big forces: adversary and competition. And the adversary, I still say, is the number one force, because that drives everyone.
The second factor is security startups. More than the established security organizations, it's the security startups that address the need and build solutions, because individually, enterprise customers, regulators, or large security organizations probably don't have an incentive to innovate much without these security startups.
The adversary did something, a security startup built something for it or brought in a new capability. There are around 20, 22 categories in security for Gartner. And in Gartner, we do see in security, new category-defining things are coming up.
Like threat modeling is going to be a new category itself. DSPM has become a separate category in itself. So these kinds of things come from startups. So who actually drives security controls? Our startups. And then other organizations take notice of it, like just-in-time access. This has come from startups; Cloudanix does that. Other large security organizations took notice of that.
Lalit: The point, yeah, go ahead, please.
Host: Makes sense. Yeah, no, why don't you finish your thought, then I have a follow-up.
Lalit: What I was mentioning is that one is where it is coming from, and the regulator has made it easier, because the regulator will always be here in the curve: adversaries, startups, large security organizations, customers, and then the regulator. Because the regulator needs to be not looking at just technology but safeguarding everyone's interest. So what I think, as you mentioned, the question was around the challenges that India sees.
I think the challenges that we are seeing, my customers probably will complain, and that's the right complaint from them, is: hey, we have to do so much now on security. But the business has moved, our life has moved, our assets; we do have a shared digital fate.
The biggest challenge would be, it's no longer bank robberies, right? Nobody's gonna wear a mask, take a gun out and rob a bank. In the past we have seen what a bank robbery has been; now this is just a hack, which is much more than that. So the threat vector has changed and we need to respond to that, and our customers understand that. They're super worried about it, let me tell you upfront.
My customers are super worried about it. Regulators are worried about it because it's citizen data. All our data: medical, if you're going to conduct a test, food deliveries, your dating profile, your LinkedIn profile, everything is in the public domain now, almost out there.
And it's important to, and that's where we are seeing a lot more focus coming on privacy architecture now.
So yes, we do have certain challenges, because like we have the DPDP Act now as well. We do have the SEBI framework. We have RBI guidelines. So it's a highly, it seems like a regulatory-heavy set of controls. However, at the same time, if we follow those, it helps us to secure the businesses which are serving the interests of people.
So I do see it as a natural progression, and compared to my own understanding, my own interpretation, we do have a very well-defined regulatory regime, and it could at times seem way too much, but that's how things evolve. So I'm not complaining about it.
Host: So the follow-up question that I have on this is, you mentioned, like generally these banks or these large organizations in the BFSI sector, they are looking for, if there is a new threat vector or a new adversary attack happening, then maybe they are looking for a solution, and startups jump in and then build something.
But generally, these organizations are not seen as, or they do not have a reputation of, early adopters when it comes to new tech or trends. How do you, and this is where I want to hear from both the lenses, both from the AWS lens and also from a startup lens: while working with some of these organizations, how do you get in front of them? Like how do you make yourself visible and how do you present your solution, or even how do you get in through the doors?
Lalit: Okay, so I'm going to take my lens off or hat off, because at AWS, while I work with customers, I also work with startups and also mentor startups, help them with their GTM, build their product, roll out their product, take it in front of customers. You're absolutely right that it becomes an uphill task to introduce a new solution to a large enterprise or a bank.
The right market fitment for that, for every security startup, is to actually start with a fintech. While fintechs have the same regulation applied to them, they do not have the legacy of a large enterprise. First.
Second, they do look for solutions that can integrate with them, with their solution, with their offerings in the market. Plus they need more provability, more different kinds of controls. So the pattern I have seen:
First, the fintechs have adopted a security control. Maybe if you ask me who's the one which has adopted threat modeling early on: banks do have it, threat modeling. However, that could be a very manual process. Who's the first one to adopt automated threat modeling? Probably fintech, because they are resource constrained.
Now, when going to a large enterprise, to address your question in a structured manner, a couple of things. The first three questions: how does it reduce my cost? The answer may be no. Most of the time, the answer is no. The second question, which is the bigger question, is: does it solve a need of compliance and evidence of me being compliant, and a proof, a provable security control?
And the practical example for this is, for example, just-in-time access. It's a provable security control that nobody has hard-coded credentials or long-running access to the system. Zero standing privileges. That's a proof.
The other aspect is when a startup goes and tells an enterprise, hey, I have a CloudFormation, I have a Terraform, and I just deploy it. For me, it's a 15-minute job.
However, now I'm speaking on behalf of my customers; however, an enterprise asks, okay, how many people do I need? Who will be owning this from my team? What do I need to upskill them on? What are my integration points? Who's going to integrate them? Who's going to provide support for those integrations? And these are very valid questions for them.
The cost that you are seeing versus the cost that an enterprise sees are very different. At times I've seen there's a gap there, because we all like to believe that we are changing the world, and we are, in a way.
But at the same time, we also need to understand what has come before us and how it integrates. Sometimes it's very challenging, and sometimes the customers are very much... If they see the value in our provability of security controls, compliances, and sometimes even cost reduction as well. I've seen cases where we have reduced the cost by adopting a different kind of control or eliminating one.
I'll give you an example here with micro-segmentation. We have eliminated the need of putting a firewall everywhere, because the earlier practice was, I put a firewall everywhere. If you follow the right micro-segmentation, probably you don't need it everywhere. Would you eliminate the need completely?
Host: Mm-hmm. So, again, I like how you structured your response and also how you tied it to the goals, right? How businesses look at any new technology or any vendor, when it comes to security, how do they evaluate, in a way, right?
Going back to the previous question about local requirements, regional requirements and the challenges that they bring in. As you said, you have visibility at a global level and also at the local level.
How do you, let's say, educate or convince global leaders to work based on India-centric requirements? I'll give an example. Let's say there is a startup which has been mostly catering to US customers. Now they want to enter the India region as well. How do you educate them on what they should look at and how they should serve Indian customers?
Lalit: Here's the thing. For example, let's say somebody is working with SEC in US. And now they want to come and address customers which are equivalent to SEC is SEBI here in India. Now they have certain guidelines, they have certain responses. Here, somebody has to work, they have to align with the provability of a SEBI cloud.
This is called a CSCRF cloud security cloud resilience framework It has something called a cyber capability index it has certain provability elements Now while the same controls are also present. I'm not debating that though controls are missing. No, no, it's an interpretation as well a mapping as well, it's though the entire premises of security It's not changing. We see similar kind of threat.
When we keep on saying that every customer is different, one size does not fit all, we understand that totally. However, I think AI has broken that myth for a lot of people as well, that there is so much pattern everywhere. Even in security, what we're trying to do is understand patterns. There's so much pattern in how the applications are built.
In a country, there would be a number of SIs, a couple of application providers that have written applications in a certain manner, and they've chosen certain technologies. It's not very different from an overall framework. Now this needs to be tuned to a customer, and relating back to your question earlier.
If I have one solution and just deploy that solution for everyone, it will not work. Let me give you a practical example from the industry. So let's say cyber risk. Across the world, FAIR is a well-known model for assessing cyber risk; I can't just take that model and apply it everywhere.
For example, Indian BFSI probably have a different framework, and they do, on assessing the risk: what is a risky behavior, and the nuances around it. I'll just give you a pretty simple nuance. In the medical field, for example, prenatal determination, determining the sex of an unborn child, is a crime in India. Simple thing. In other places, no, so that data and even that practice become a crime in India versus some other places.
Now, if we look at the structure of a business, I'm giving a little bit of a business lens here. If there is a fund being created in the India market versus in a US market, the SEC controls many A's, B's and C's in terms of what kind of backing is there on those funds, versus there's a very different regulator here. What could be the percentage of double-A's, triple-A's in a fund in India? There are different regulations plus liabilities. Government, of course, has a responsibility for certain businesses to work.
That went very much into the business side, but now how these controls are being defined is by regulation. Some of these regulations will be completely non-tech business practice, and then there are security practices around it. For example, the SEC, I think, last I checked, had some four business days to report. Here we have six hours to report. So that changes my selection of tooling, my reporting pattern.
So understanding the local patterns is of course very important. However, the overarching capability remains the same. It's just tweaking and messaging. It's just like, how do you tell a story in India versus how you tell a story in the US? When I was in VMware, we got the pets versus cattle theory for the very first time.
When we talk about microservices and all, now, like in India, people would like to protect their cattle first rather than the pet. So it's a very contextual thing, but from a control perspective as well, which is more aligned to the local government policies.
Host: Yeah, makes sense. So I think what I'm getting from your answer is that some of the basics that you have been suggesting stay the same, right? Setting up your environment or looking at different tooling, most of those stay the same, but the local nuances you have to be aware of, and also you have to work with them, right? So that you are compliant with, let's say, local or regional regulatory requirements, things like that. So yeah, makes sense.
One pattern that I'm noticing from our conversation today is you have a lot of interest in startups. When I say interest, like for them to succeed, in a way, right? Like you collaborate, you mentor them and things like that. For startups, what's the best way that you think they can work with AWS, or they can work with, let's say, your team or you? What have you seen in the past? What patterns work, and how can they get the most value?
Lalit: First and foremost, it needs to be very clear. I'm going to align it from a business perspective.
What are you solving? Are you solving something which is already a defined category? Let's say a Gartner Quadrant. Is it already a defined category? Now, some solutions, for example, we keep on seeing new solutions coming for, let's say, email scanning. That has been a solution for ages. So there has to be new innovation if it's about detecting threats from email; 90% of malware comes through phishing attempts through email.
So while there are existing solutions, what new value do you bring in? If you're operating in a defined category, what are the new differentiators you come in with? Everyone understands that.
Or are you able to create a new category at all? For example, when WAF came in, or DAM came in, PIM/PAM solutions came in, they were all new categories. Cloud PAM, or Privileged Access Manager, is still a very new category.
Threat modeling is a new category. On the CDR layer, on incident response, hyperautomation platforms like Torq and other platforms: while SOAR existed, that has not worked as we all wanted it to work in cloud. I'm talking about legacy SOAR systems.
So a new kind of capability coming in. So, whether it's an existing category, what are you innovating on? If it's a new category, how does it align back to the same questions of how difficult it is for me to define the cost of that? Will it reduce some cost? Will it have an impact on my existing tooling? Are we eliminating some existing tooling or operational practice? Maybe it's a human practice, an operational practice. Are we eliminating that? Because that's where I'm going to adjust the cost.
The second part would be what kind of attack vectors it's addressing. That, hey, this is eliminating these kinds of challenges. Are these challenges something the customer is worried about, as well as the regulator? It's a new threat coming in. Both customer and regulator are worried about it, essentially tying it back to compliance. It may not be defined as a compliance or regulatory requirement, but a customer and a regulator both might be worried that in future something like this will be coming.
The other aspect is, how does it help me enable the business? Can I take it up with my board and explain how it's helping me solve my problems? Now, that's a very difficult problem because there are various kinds of situations, various kinds of boards. But essentially, how will a CISO defend that cost, or the adoption of new tooling where it's not solving anything? That's one, but then from an operational perspective, three things.
One, if you're solving a very well-defined problem and all those kinds of things are there, then working with any cloud service provider, with AWS specifically, getting a listing on Marketplace. That's one.
Now, when you list on Marketplace, for our customers consuming from Marketplace, it has to be easy to deploy. The ideal time is less than 15 minutes. So if you can deploy in less than 15 minutes with something like Terraform or CloudFormation.
Host: CloudFormation,
Lalit: Yeah. The third one is that you have a robust practice on integrating. That's the biggest challenge, and now here is a dichotomy in this as well. While everyone is talking about platformization, the large security vendors will push for platformization, but there's always scope for startups because they bring in a new capability. But they have to also consider their integration with the existing, or prevalent, or most common security tooling, because you can't operate in isolation.
Customers are trying to consolidate everything. While security vendors say platformization, the customer would say consolidation of security tools. It's exactly the same thing. But will they just stick to one platform?
Well, adversaries make sure that something new comes up. That means there is a response from our security startups as well: something new being built, and adopting those capabilities. Integration is super important. I have seen, in my experience, where the majority of things fail is that they become an island. If it's an island, then it's not very scalable for customers. It's an operational burden for them. And people just fall off.
Host: Yeah, no, I totally agree on the integration part, because you, as a security vendor, are sort of joining or connecting to the existing ecosystem, right? You are not going to replace everything and be the new system that everybody is going to use. So you go one step at a time. So you provide a solution, you integrate with it, and slowly maybe expand to other areas, but you cannot just live in isolation. Yeah, absolutely.
One last question that I have is around, again, startups catering to security from India region. So today, India is not seen as a leader in the cyberspace, right? I'm curious to hear your thoughts. Like, how can India win in the cyberspace? And do you have any guidance for founders?
Lalit: That's a very big question. I may not have a very good answer for it, but let me try this.
When the industry is moving towards consolidation, there is also, and I'm going to relate it to the last question, I'm going to address a few things from that. When I say integration, one is how other tools integrate with you, plus how you're fitting the output, how somebody is going to consume that output. You should be consumable as an API.
The security tool should act as an API. That means essentially you also want to pivot on standardization as per the industry, the most prevalent. For example, OCSF, Open Cybersecurity Schema Framework, is one such standard where AWS has pivoted and built a service called Security Lake, where it transforms all the security data into OCSF, which is a compressed format and all.
But for a startup, writing that data means two things. One, they have ready integration and consumability. The second aspect is where I do see more and more AI startups will come in. What they will say is, hey, you know what? There are already many tools. You do have signals. You do have data. All I'm going to do is help you build an AI-based application to work on the data. I'll extract the key metrics, key measurements from the data. And I'll build an AI app for you where you can just build the kind of view you want and understand what's happening in your environment.
So applications built just to understand security data. That's also going to be another category. Now, how could somebody from, let's say, India take it forward? One is, of course, alignment with a large global CSP, or with all the major CSPs. Because of the way cloud is consumed and the model of marketplaces, once you're listed, it's not just the India region; a customer from another region can easily deploy that solution. It becomes easier to consume. You're reducing all the friction to get adopted. Plus, you're aligned with the CSP, plus working on something novel.
For example, I'm seeing a lot of engineering now done in the GRC space. Everyone is trying to make sense of all the security data and make audits easier, compliance reporting, evidence collection easier.
So as I said, I may not have a great answer for it, but aligning to these things, plus the other aspect is also, okay, at a certain stage it comes to events like RSA and Black Hat, BSides. These are great events where, if you could get a space and get attention, because it's also the game of attention and being at the right point, plus getting the right funding and VCs, and more or less it's about building the right GTM.
In a GTM, you should have a very clear picture of who your competition is, while I would say always be more customer-obsessed than competition-obsessed. What I really mean by that is that if you have worked with a customer and you've deployed your solution, run a regular customer advisory board. Let them go deeper into your product. Now a question: why would somebody go and adopt a startup solution? There's also one thought that a CTO or CSO, CISO, CXO has in their head, which is that, hey, they're going to invest their time to solve my specific challenges. It's a co-build. It's an IKEA effect.
That, hey, okay, so I have this challenge and we are going to see if I have something. Like what's the IKEA effect, right? We all know that: I get satisfaction from building something. I, with a startup, have that liberty, that leverage. I would say go deeper with customers, and the best advocates are customers, of course. So yeah, that's what I would say.
Host: I think co-build is an amazing tool, where you are not only showing the value of your solution, you're also helping customers achieve maybe their goals. The reason I highlight that is you cannot just buy a tool and, let's say, deploy it and you are done, right?
Every customer has some unique use cases. So that means that you have to have partners with whom you can work. And often startups have that, like I'll use the same term as you said, liberty to work with customers with their use cases to make them successful. And that helps you further get in front of maybe more such customers.
So I think co-build is amazing, absolutely. The other thing is, with startups there is also the speed element that comes into the picture, right? That startups can move fast and build things and cater to some of the use cases.
Lalit: Can I add something to this from a business lens?
Is the timing right? That means what I'm building is required from a compliance perspective, from an evidence collection perspective, from solving a current challenge. Timing is right.
Second is, do I have the right set of channel partners? How do I scale my business? Do I have the right set of channel partners, and how well have I enabled my channel partners to identify and take me to the market?
The third thing probably could be, and it matters a lot, what's the demand in the market? If a market is demanding something. For example, I keep coming back to the example of CNAPP and threat modeling because these are terms which have been popularized, plus, for example, threat modeling has been called out in compliance documents. It's required.
So timing is right. Your timing is right. Your market fitment is right. You have funding to identify all the right use cases before you run out of your funds. Then what comes is your channel partners. You have the right distribution mechanism. Then your discipline of at least running with the first 50 to 100 customers to run a customer advisory board.
Host: Yeah, so that's the second part I wanted to touch on as well. After you mentioned it, advisory plays a major role, right? Because you're working with the customer, co-building with them, and you're also becoming their trusted advisor, right? So that definitely helps as well. So yeah, that's an amazing point that you highlighted.
Anything else that you want to add before, like this is a great way to end the podcast, but yeah, anything else that you want to add?
Lalit: Just one thing. There are certain problems which are easier and largely solved. There are certain challenges which require consistent, of course everything requires consistent visibility, but then there are certain problems which are largely solved. For example, encryption at scale.
So while post-quantum cryptography remains a challenge, I do hear that from customers a lot. And it's not just AWS; other CSPs have also invested in cryptography.
We have yet to come across cases where, because of cryptography controls, somebody has bypassed. So leveraging the right encryption, and these are baked into the CSP platform. That's one solved problem. The second solved problem is, irrespective of the CSP, investment into landing zones and guardrails goes a long way. And then code to cloud. Then, of course, based on the appetite and the resources that you have, you invest into tooling capabilities around CNAPP, components of CNAPP. Let me put it this way: the components of CNAPP.
But then, always, there are three or four things which are always basics, like the right vulnerability assessment practice, simple patching practice. Around identity, if we can close things around identity, it becomes super, super expensive for an adversary. We have to also consider the economy of adversaries. So you make it difficult for somebody if you are controlling the identity, plus if you have the right guardrails. Then of course, there are many more capabilities and many more things that you could do in terms of threat intelligence, analyzing logs and all. But the right investment into these foundational controls is a must, and largely what we see is some foundational control missing at the end of the day.
Yeah, so that's what I would advise: for solved problems, leverage the solutions which are already there and build your own engineering capability on top of them as per your application environment.
Host: Yeah, that's spot on. Before we end, one thing that I want to highlight is, we started with basics and we ended with basics as well, right? Like doing the basics in the right way. Of course you can have many add-ons on top of it, but doing the basics pays off, or rewards you a lot in the longer run.
Before we end the podcast, one last question for you is, do you have any reading recommendations for our audience? It could be a blog or a book or a podcast or anything like that.
Lalit: So, okay. On security, I always recommend my team to do bedtime reading on incidents, like Hacker News and all those. So that's one. The second is Daniel Miessler's podcast, Unsupervised Learning. I'm learning a lot from it on AI. So that's one area. The second area is actually leveraging it now: build your own tooling more than reading. So one is a podcast, second is this. One book that I always recommend is Dr. Atul Gawande's book, The Checklist Manifesto. It's still a very good book to read to understand the mindset. Then I like to read incident reports. They tell so much about how things have gone bad and what kind of exploits have been done, whatever you could find.
Then I would say, I keep going back to distributed architecture and system design patterns. While people in security would say it's not related to security, that's the most important part, I think. And that has helped me a lot to understand various application building mechanisms. That's how all the modern-day applications are being written. So I keep on going back to system design concepts.
One more thing, just one last thing to mention to everyone, is to invest time in understanding graph databases. That's a core foundation for any kind of forensic investigation and all. So understand more and more around graph databases. They are going to be the backend component for a lot of security: driving toxic traits, toxic combinations, mapping things. Yeah, understanding of that plus, of course, the basic skills are Python, SQL, but so I invest my time understanding these technologies. There are various books around it, there are various podcasts around it. Yeah.
Host: I was looking for books or blogs, but you shared so many. These are super helpful. So what we'll do is, when we publish the episode, we'll add them to the show notes so that our audience can go in and learn from there as well. So yeah, with that, we come to the end of the podcast. Thank you so much, Lalit, for coming to the podcast and sharing your knowledge and how you work with customers, how customers can work with you, or even how security vendors can work with you as well. So yeah, thank you so much for taking the time.
Lalit: Thank you, Puru. Thank you for inviting me. It's a privilege and honor that you called me up on this. I enjoyed it thoroughly. Thank you.
Host: Same here, same here. Thank you.