CISO Q&A: Rinki Sethi On How To Lead Through The AI Revolution 

“This is literally a revolution at a speed we’ve never seen before. We don’t want to just keep up. We want to stay ahead and lead through it,” says Rinki Sethi, CISO & CSO at Upwind Security.

Last updated on Jun 24, 2026
Written by Mirren McDade
Rinki Sethi is a cybersecurity executive, board director, and investor whose career has spanned nearly 25 years across some of the most recognized names in tech and security. 

Sethi has served as CISO at Rubrik, Twitter, BILL, and now Upwind Security. Earlier in her career, she held senior security roles at Pacific Gas and Electric, Walmart, eBay, Intuit, Palo Alto Networks, and IBM. 

Today, Sethi is Chief Security and Strategy Officer at Upwind Security, where she focuses on cloud and runtime security. She is also Founding Partner at Lockstep Venture, her cybersecurity-focused VC firm, and has held board director roles at StrongDM, ForgeRock, and Vaultree. 

We spoke to Sethi as part of our ongoing series interviewing cybersecurity professionals to bring you their unique insights into cybersecurity today, the challenges they are facing and the realities of what it takes to defend complex global environments.  

To start, could you tell me a little bit about yourself and your background? 

My first CISO role was at Rubrik, where I was their first security hire. I helped them build out their team globally and get IPO-ready. Unfortunately, the pandemic hit and their plans had to be scaled back. I was excited about taking the company public, so I started looking for my next challenge. 

That ended up being Twitter. I joined to rescue them out of a security breach. I was there during the chaotic election period and the Capitol attack, and I left before the Elon Musk takeover. Then I joined Bill.com, where I spent three years as both CISO and CIO, scaling and growing the team and leading a massive transformation. I joined Upwind about a year and a half ago. 

On the board side, ForgeRock went from private to public and back to private again during my time. I was on Vaultree’s board in the data encryption space, and on StrongDM’s while they were private, before they were acquired by Delinea. I also run Lockstep Venture. We’ve made about 15 investments, and although it’s a small fund, we also run a pretty large community as part of it. 

What cybersecurity challenges are you and your team at Upwind focused on right now? 

One of the most important things in cybersecurity right now is something everyone is talking about today but wasn’t when Upwind first got started in 2022: the human eye can no longer process the amount of data and alerts coming out of existing tools. I believe we were ahead of our time on this. AI is only accelerating it. 

The challenge we’re focused on is runtime security. How do we provide a comprehensive cloud security product that’s built on top of best-in-class runtime security? We’re helping organizations build security into every aspect of their cloud, making sure attacks are being seen as they’re happening in real time. 

When you think about security programs and IT programs right now, literally everything is up for disruption. Entire businesses are. So being really strategic about how we use AI in our security program, and also how we leverage AI for security across the company, is going to be key. 

That means looking at processes, fixing broken ones, and finding different ways of doing things. It’s a really fun time because you get to rethink everything and find solutions that can do what we haven’t been able to scale to do before, while making sure we’re doing them more precisely than before. 

It’s also an interesting time for how we transform and train our security organizations to leverage AI in every way possible without amplifying the dysfunction. You have to be strategic about it, applying it in ways that are actually going to drive more productivity and more gain. 

What impact do you see new technologies like AI having on your day-to-day? Do you see AI having a long-term impact? 

The biggest challenge is that we’ve been preaching for years that attackers are going to have tools that leverage AI to move fast and at scale, and we’re starting to see the beginning innovations around that. We saw a lot of marketing hype around Mythos, but the reality is the threat is real. 

What that means is we have to be able to fix the issues we know about at a faster pace. Patching hasn’t worked historically, and waiting for patching as a whole strategy needs to be rethought. That challenge is going to continue, and we don’t have years to build out a strategy. We’ve got to do it right now. There are great cybersecurity companies innovating and helping practitioners get something in place to tackle things and fix them now, making sure the highest-priority issues are getting taken care of. 

That means influence and communication with key stakeholders across the company, ensuring they’re owning risk and driving risk down, is going to be more important than ever. And having the tooling to support fixing issues quickly, automating where you can, leveraging AI to give you context to fix things faster, all of that is more important now than ever. The strategy has to include that, because with AI everything is going to move fast, and it’s only going to be more challenging if you don’t have something in place today. 

The way I think about it is: the attacker only has to find one issue and expose it. We, the defenders, have to know about hundreds of risks within our organization and protect against all of them. The equation is unfairly weighted toward the attacker. What we’ve got to do is make sure prevention is solid, but also fix the highest-critical issues once and for all and keep that cycle going automatically. We’re now living in a day and age where it’s possible to do that. So why not? Why not reduce the burden of all the manual efforts and hours it takes to even get to an outcome? 

The other thing is, the attackers don’t have to worry about org structures, influence, and communications. We have to worry about that to make sure the security team isn’t the only one reducing risk. You need that partnership to move fast. AI doesn’t change that. AI only helps you get to the solution faster, but you still need the organizational support. That’s still very hard to do, and more important than ever. 

As a four-time CISO across very different companies (from Rubrik to Twitter to BILL to Upwind), how has your approach to the role changed with each iteration, and what did the earlier ones teach you that you still carry today? 

Over four CISO roles, my perspective has shifted from being primarily focused on security expertise to being focused on leadership, business outcomes, and influence. Early on, I believed my value came from having the answers and solving technical problems.  

Today, I see the role as helping organizations make better decisions about risk, align stakeholders, and build trust. The lessons that have stayed constant are that relationships matter more than org charts, communication is often more important than technical brilliance, and security is most effective when it enables the business rather than slowing it down. 

You wrote in CyberScoop that the AI era demands a different kind of CISO. What does that CISO look like in practice, and how should security leaders be adapting right now? 

I’ve written about this a lot. I’m very passionate about it. I was talking to a VC firm recently that was starting to get asked to help with placements of Chief AI Officers. I said, why aren’t you looking at CISOs? 

CISOs come in different shapes and forms depending on the company and what stage they’re at. But when you think about large enterprise and the CISO role, you have to communicate well. You have to be able to influence the organization. And if you think about how AI is going to be successful in an organization (because every company is asking how we leverage AI and how we become more efficient), that relies on understanding all your data, having really good guiding principles around trust and ethics, securing your data in the right way because everything will be placed on top of that, and understanding how you’re going to protect models. 

When you think about all of that, the CISO is really amazingly positioned to help drive and accelerate AI transformation across an organization. That’s the next-gen CISO. You hear more and more CISOs reporting to CEOs, CISOs taking on IT, and when you think about all of those things, that is the foundation for driving this type of transformation around AI. The next-gen CISO is the business enabler driving the right foundations, with the right relationships across the organization, and being looked at for acceleration. They’re the ones developing the next version of the safety brakes to move faster and enable the entire transformation. Those are the companies that are going to win. 

The flip side, though, is what I see happening to CISOs right now. I meet with security leaders all the time, and there’s a small percentage who are amazingly supported. But more and more feel like the CISO has become a dumping ground for all the things that don’t fit anywhere else in the company, whether that’s privacy engineering, trust, or data governance. They’re taking on all this stuff that goes beyond the scope of a CISO. They don’t know where to put it, so they just give it to the CISO. Let’s turn that page. Let’s say, yes, the CISO owns everything, because they are the trust builder with the consumer at the end of the day. That has to become the foundation of successful AI transformations. 

That’s also why there’s so much burnout happening. We talk about this a lot in the industry. When I started in security over two decades ago, most people didn’t even know what cybersecurity was. A decade later, we had some massive, world-known breaches, and even family members who weren’t tech-savvy knew what identity theft or a breach was.  

Now in this last decade, especially with the AI transformation, we’re relearning what this means for a company. There’s been a few years where we’ve been struggling to figure it out. CISOs feel burned out. There aren’t budgets to solve all the problems that need solving. There’s a communication gap between boards and exec teams, and conversations like this are what’s going to force companies to think about it the right way. We need to move from CISOs feeling burned out to CISOs being the advisors and transformational leaders for organizations. Organizations need to put that lens on when they’re looking for their security leader. 

As someone who’s held board positions alongside CISO roles, what do you think most boards still get wrong about cybersecurity, and what would you change about how security is represented at board level? 

For most companies out there now, the number one risk when you look at their public filings is cybersecurity. And yet there’s nobody on the board with the knowledge to guide on it. Let’s be real: the board is not responsible for operations of the company. They’re responsible for governance, hiring and firing the CEO, and ensuring appropriate governance. But how are you going to have that without expertise? 

Traditionally, security has gone up to the audit committee, with a head of audit chairing it, who is usually very financially driven. There hasn’t been cybersecurity expertise at the board level. I’ve been fortunate to work with companies that get it, who say, we’re going to add cybersecurity expertise to our board. I’ve been on more cybersecurity-focused companies as a board member, but they get it. It’s about helping them think through, partnering with the CISO, bringing that outside-in voice on what might be supportive, and having the board and executive team support that person in the right way. 

If cybersecurity is your number one risk, do you have the right folks on your board to make decisions around it and be the right governance model? That could help a lot. It’s about executives knowing they want to bring in the right person to advise the company on the things they should be thinking about, someone who’s also business savvy and understands not every choice can be in favor of security, because you’re running a business at the end of the day. 

But that person is just a strong advisor; the entire executive team is responsible for security, not just the security team. And the cybersecurity leader has to be equipped with the communication skills and the command to drive that culture within the company too. So it’s twofold. 

What’s a widely held belief in the cybersecurity industry that you disagree with, or think needs to be challenged? 

Whether it’s a company hiring for their first security leader, a small company thinking early about security, or a public company, there’s still no standardization. There’s no common understanding, and very few companies are getting it right when it comes to what they need from a CISO. 

I can go in and tell a company exactly what they need from their security leader, but they often think they need someone very technical who understands the technology. I look at those companies and think, that’s not what you need. What you need is someone strategic, who can hire the right talent, but who is also a good leader, can make decisions, help move strategy forward, and is plugged in. 

There’s still this myth around what companies want from a security leader versus who they actually need. I see it all the time, and they end up struggling. That’s where the burnout conversation comes from. This is why there’s such a challenge right now. 

We’re at this place where security is core and central to everything every company is doing. It’s the highest-risk item, and yet we haven’t focused on getting the structure right. There are still so many misunderstandings about what people think they need versus what they actually need. I’m doing everything I can to break that and make noise in the industry for companies to think about this in the right way. 

What advice would you give to fellow CISOs and industry practitioners? 

This is the time that everybody needs to become a builder again. We need to stay leaders, we need to stay on top of strategy, but we also need to go back to building a little bit to understand the power of agents and AI. It’s a really fun time to be a builder. 

About six months ago, I decided to build my own agents to help with the work I do, and I was mind-blown at the power and the speed at which I was able to get things done. A whole weekend went by and I realized I had been vibe-coding the entire time, probably building things that were silly and insecure. But it really gives you a sense of how fast things can go, and how you can build pretty insecure things that need hardening. It gives you a view into how you need to lead this next generation of cyber in the new world we’re living in. 

This is literally a revolution at a speed we’ve never seen before. We don’t want to just keep up. We want to stay ahead of this and be able to lead through it. The only way to do that is going back to that builder mindset. So that’s my advice: embrace it, have fun with it, go build again, understand the risks, and then go protect against them. 

Written by Mirren McDade, Journalist & Content Writer

Mirren McDade is a senior writer and journalist at Expert Insights, spending each day researching, writing, editing and publishing content, covering a variety of topics and solutions, and interviewing industry experts.

She is an experienced copywriter with a background in a range of industries, including cloud business technologies, cloud security, information security and cyber security, and has conducted interviews with several industry experts.

Mirren holds a First Class Honors degree in English from Edinburgh Napier University.