Talking with the expert - PATHIK PATEL
By Ashish Chhatani - Sep 04, 2018
Pathik Patel, a security leader, is currently a Principal Cloud Security Architect at Informatica LLC, based in Redwood City, USA. Pathik brings 14+ years of experience in the field of Information Security. It was an honor and a pleasure talking with him as he spoke candidly about his journey so far, interesting incidents, his thoughts on current and upcoming trends, and his advice for young minds aspiring to do well in the InfoSec field. Here are the questions put to Pathik, followed by a short rapid-fire round.
1. Please tell our readers a little bit about yourself.
Yeah, so I did my engineering in Gujarat, India, and later on went to the University of Southern California for my master's education in computer science.
After my master's studies, I got an opportunity to work in Yahoo's abuse team, which was responsible for protecting the servers from malware and various abuses. I was engaged in the firewall side as well. Later on, I jumped to Netflix, which was quite challenging. It was a learning curve for me as I learnt enterprise security, cloud security and how to operate in a B2C environment. After Netflix, I started working for a startup that was already active in the InfoSec domain; it was a B2B startup. It was a novel experience as I was the first security engineer of the company, which loaded me with all the responsibilities related to security. I got a chance to work on government compliance, which was a massive opportunity for our company as we were the mid-level company certified for it. It was an exhilarating experience where I had to work with various government agents to make them understand the compliance policy. And then I joined Informatica. At Informatica, I take care of cloud security: ensuring the security of the cloud products and infrastructure applications. It's been a fun journey so far.
2. Any specific reason to opt for Information security domain? Was it a planned move?
Ah, good question. When I was doing my bachelor's, during that time Yahoo introduced CAPTCHA to differentiate between the human and the machine. I found that very cool and thought I want to work on this tool in the coming time. That's what my goal was and how I started. Apart from that, I always operated in the core of operating systems, so eventually I wanted to know how to secure them. So yeah, that's how it started and I came into this field.
3. As we see you’ve worked in leading product-based organisations, how’s the experience so far? Which one’s better, or let me rephrase it: which one’s more challenging and competitive to work in?
Yeah, so I'll start with the product-based company experience. What I like about the product-based company is customers. The idea is to build a product, then sell it, and later on you have to provide the support and gain customer success. I like how the customers react and understanding their needs. Based on that you plan and act accordingly. There's a purpose for the product teams to act on, and whatever you do will impact the customers one way or another. While talking about my experience in the product companies I've worked at, Netflix was one of the best experiences I had. The reason behind that is the freedom you get there. You don't have to abide by rules. You have to make the best decision available and get rewarded too.
4. We see you’ve got your hands on many areas. What’s your area of interest in InfoSec domain? Network part or Cloud or any emerging technology?
Since the early days I have really liked encryption technologies: how they work, and understanding how they can be useful to the end user. This can help them to secure their private data. Actually they rely on us to protect their data, but instead of relying on us they should be able to achieve this by themselves and control their own data. To achieve this, I think encryption is the answer. As an industry we've come a long way, but I still feel that it's in the initial stage; encryption technology hasn't reached all the users. I really like to explore various developments going on in the encryption field.
5. Your Views on GDPR and Cryptocurrency.
Talking about GDPR, it's an eye-opening moment for everybody. We were talking about securing customer data, personal data, for a long time.
Due to several laws, regulations and compliance policies, security was not enforced to the extent that GDPR has been implemented currently. The effective implementation behind this is the fines applied. Because of GDPR, not only are the policy and compliance in place, but a great amount of knowledge is also available to every tech individual. The organizations have to understand that if we get the customer data we need to be very careful about it. That's what I really like about GDPR. While talking about the cryptocurrency state in India and the government's stand on that, one way I would say cryptocurrency is exactly on the opposite side of the government. The government is the centralised authority and they follow the constitution and worship the laws, while cryptocurrency is completely opposite to it. There's no centralised entity who controls the activities. So the government had to make sure that the citizens of the nation must not be impacted by this unpredictable trend. The other part is the media coverage cryptocurrency has got; every Jack and Johnny is going after it even though they don't properly understand it or the risks associated with it. I think the government has done a great job, but what I would expect from the government is more education on this rather than more of a compliance.
6. Share your thoughts on transformation of InfoSec domain and where do you see it in the coming time?
InfoSec itself is going through the transformation, and the cloud domain is already being adopted in recent times. But what's lacking here is the talent. So, cloud is pretty new for most people; even though cloud has been there for the past 10 years, I would say a really selective group of people understand it at the core. Cloud is certainly a shared responsibility model where the end user and the cloud provider both have to take part in securing the data. That being said, I think transformation is surely there, but I feel it will take a few more years to mature. Once it's matured enough, I think we will see pretty good development and change in the InfoSec domain.
7. Do you feel the information security domain has got the recognition as it should have got?
No, it hasn't, but at some level it has started to get recognised. For example, when GDPR implementation came into the picture, everybody ran and came to information security people about it. When the information security team becomes less of a friction and more of a business driver, that's when you will get the acknowledgement and importance you seek.
8. Do you see any challenge that InfoSec domain is facing and that needs to be addressed?
The biggest challenge I see is quality of talent. Second is board-level understanding of how security works and the importance of it. Information security should be a topic in board-level meetings. The lack of talent is a bigger issue. Even people who don't know InfoSec get into the field and pretend to be experts. I know there's a shortage of quality talent in our field, but yes, these two are the main issues according to me.
9. What are your views on doing certifications in this domain? Is it worth doing, or can you survive without it?
I don't think it's mandatory to do certifications. Certification is a kind of split-view problem. There are binary people in our industry. Some say it's a must while some say it doesn't add any value. My perspective is that certification gives you an edge in the interview process. It showcases to the hiring person that the person has invested time in learning new things. Being a certificate holder, I don't feel that you've more knowledge than the other. If you ask me, I'll prefer the guy with the certificate as he is ready to learn.
10. Any incident you would like to share when you felt InfoSec is some serious thing to deal with. Any interesting incident?
Yeah, there are many, in fact. One of the fun incidents I would like to share here. It was in the startup.
Startups always take risks. Their thinking is like, let's take risks; whatever implementation is required, we will implement and will worry about security at a later point. This incident is more about taking a business risk rather than implementation. Our solution architect went to the client premises and the client wanted an encryption technology, so that all the data in transit gets encrypted and secure. The original solution to this was an encryption technology sitting next to the data originating point. This way the data gets encrypted as soon as it is originated and then can be sent wherever it needs to be. Our solution architect was not aware of this encryption device, implementation, where to put it, etc. The client asked him to manage the encryption services and he agreed to, as the client demanded. So instead of putting the encryption solution on the client premises, he agreed to manage it, which increased the chances of data being compromised, because ideally data should be encrypted as soon as it originates. He sold the solution to the customer. They agreed and we started implementing it. When it came to the first question raised was if the data is compromised who will take the accountability of it? Once the client data leaves its premises and reaches our data center, it gets exposed on the internet and there are high chances of it getting compromised. So yeah, this was one incident where security was put aside and I felt it's a must thing.
11. How do you reckon your journey so far? Satisfied or something still in the bucket to pursue or any other plans?
Yeah, there's still a lot to pursue, I believe. As I mentioned in the earlier discussion, encryption is something I like and which can be used by the everyday user, and I think blockchain is one of the solutions for it. So that's something I like and want to explore further in the coming time.
12. Any advice to the young minds planning to pursue InfoSec as a career?
I'm a big believer of 'Do what you like'. So I will say the same to the young minds. Decide a field, be an expert in it and that will make you successful.
Rapid Fire Questions
1. Vulnerability that caught your attention for long time.
2. What’s more dangerous? No knowledge or less knowledge?
3. Coolest thing you find in InfoSec
4. Which was the most severe incident in InfoSec according to you? Wannacry or Meltdown/Spectre? Or any.
5. The next big thing in Infosec will be….?