Student Spotlight

Kavitha Mariappan

Executive Vice President, Zscaler
Class of 2022

“Cybersecurity is no longer relegated to the domain of IT security. Cyber risk is business risk, and companies that cannot manage that risk threaten their own reputation and viability. The companies that have learned to manage risk do so by prioritizing cybersecurity in the boardroom, the C-suite, and even in individual business units.”

1. Given your extensive technical background, what motivated you to apply for this program, rather than a standard MBA or an MS in engineering?

The NYU School of Law and NYU Tandon School of Engineering joint Master of Science in Cybersecurity Risk and Strategy offered me a unique opportunity to round out my skills. At Zscaler, one of my mandates is to run the office of the CISO. For the sake of the organization’s success (and also my own), I recognized that it was critical for me to augment my legal skills in addition to my technical background. As a business leader, it’s imperative that I am continuously developing my knowledge of cybersecurity privacy methodologies, legal statutes, and regulatory frameworks. The MSCRS program provides the deeper learning in policy, risk management, and governance that I sought.

2. How has the program measured up so far?

I came into the program with high expectations, and my MSCRS experience has exceeded them. First, the faculty is stellar – as instructors, advisors, and researchers. Second, I greatly benefit from the diverse perspectives and expertise of my fellow students. The breadth of experience in my cohort – with leaders from government, law enforcement, financial services, and other private sector industries – makes for an enriching class dynamic. It’s a bit of a cliché, but I’ve learned much from my own classmates. Finally, cybersecurity crosses boundaries…between organizational divisions, disciplines, verticals, industries, and geographies. The integrated curricula shared between engineering and law examine deeper issues in cybersecurity, breaking down barriers between information technology and business with an enlightening mix of both legal and engineering perspectives.

3. Have your views on cybersecurity evolved as a result of your learning in the program?

I work for a cybersecurity company and see first-hand the impacts cybersecurity can have on business operations, continuity, and growth potential. The MSCRS program has helped me understand the sobering reality of how much work there is left to do. The United States has an esteemed legal system, but it’s built upon the legacy foundation of protecting physical entities. What’s reasonable when it comes to digital asset protection? How do we as business leaders counter the ongoing cyber threat to privacy? We’re not yet set up as a global community to answer those questions. The internet crosses borders, and so do threat actors. Cybersecurity enforcement encompasses functions that include threat detection, threat identification, law enforcement, forensics, attribution, and even bringing criminals to justice. But there’s no defined global framework for that. The challenges of cybersecurity cannot be solved in isolation, but will instead require collaboration between governments, corporations, and communities.

4. What are companies doing right when it comes to cybersecurity, and how could they do better?

Cybersecurity is no longer relegated to the domain of IT security. Cyber risk is business risk, and companies that cannot manage that risk threaten their own reputation and viability. The companies that have learned to manage risk do so by prioritizing cybersecurity in the boardroom, the C-suite, and even in individual business units. Importantly, they are investing in Zero Trust security architectures. But there’s still far to go.

The companies that are “doing cybersecurity right” are applying new cybersecurity best practices, including:

  • Minimizing attack surface
  • Employing a cloud- and mobile-first Zero Trust architecture solution
  • Designing security around the new way of work (rather than the other way around)
  • Letting go of legacy mindsets
  • Breaking down organizational silos between network, security, and business teams
  • Educating the C-suite about security budgeting and investment
  • Training employees in information security awareness

With the right solutions in place (read: Zero Trust), these organizations are setting up their globally distributed workforce (and, subsequently, the organizations themselves) for success.

5. Is the US doing as much as it can in the way of incentives when it comes to training workers with the right skillset?

No. In the private sector, too many organizations cling to outdated legacy infrastructure approaches. Often the aversion to change is cultural – leaders are more comfortable with “the way it’s always been done.” Whatever the rationalizations may be – cost, complexity, comfort – they threaten to sink the organizational ship with cyberattack vulnerabilities.

In the public sector, the US government has taken great strides – codifying Zero Trust Architecture in a new NIST standard, for instance – but can do more. Federal agencies (in the US and abroad) must create regulatory mandates coupled with financial incentives to drive enterprise adoption of Zero Trust cybersecurity solutions. (It’s worth noting that ethical hacking, noble as it might be, will never be as lucrative as “turning to the nefarious side” of adversarial activity…at least until public- and private-sector leaders incentivize “doing the right thing.”) Also, we need to create a cyber-native workforce, and develop cybersecurity awareness through education…at the K-12, secondary, and university levels. The MSCRS program notwithstanding, there are few academic or industry certifications for cybersecurity. That has to change.

Finally, we must amplify underrepresented voices in cybersecurity. We must upend the “Old Boys’ Club” mentality of legacy security culture and invest in diversity, equity, and inclusion initiatives. The more perspectives we can engender, the better and more effective cybersecurity policy will become.