10월 5, 2023

EP 37 – Cloud Transformation and the Art of Simplicity

Arati Chavan, Staff Vice President, Global Head of Identity and Access Management (IAM) at Elevance Health joins host David Puner for a conversation that sheds light on how federated identity solutions are pivotal in achieving efficient and secure access control across diverse entities. Chavan also explores the challenges and opportunities in cloud transformation, the evolving role of AI in healthcare and the delicate balance between customer simplicity and robust security measures. Listen in for a deep dive into the heart of identity security and its impact on the healthcare industry.

[00:00:00.270] – David Puner
You’re listening to the Trust Issues podcast. I’m David Puner, a Senior Editorial Manager at CyberArk, the global leader in identity security.

[00:00:24.150] – David Puner
Keep it simple, stupid. That’s what’s referred to in the design world as the KISS principle, and it’s a thread that runs through today’s episode of Trust Issues. Steer clear of avoidable complexity, and let’s focus on the first three words: keep it simple, because really, there’s no need for name calling.

[00:00:44.030] – David Puner
The KISS principle can also be applied to business and really almost anything else that involves team effort. Complications are cumbersome and bog things down. In everyday life, simplicity is also something to strive for because, for starters, there are lots of inspirational quotes that say so. Who doesn’t love a good life hack meme?

[00:01:07.300] – David Puner
In the cyber world, where convolution often belies what users interact with, complexity is a common obstacle to success. Simple solutions and experiences typically win. Users must be distanced from the skeletal complexities that lie within their apps.

[00:01:25.570] – David Puner
Today’s guest, Arati Chavan, Staff Vice President, Global Head of Identity and Access Management at Elevance Health, discusses how simplifying identity management through federated identity solutions is key to achieving efficient and secure access control across diverse entities. And she stresses the need to streamline and simplify identity processes for effective security. We also talk about cloud transformation, AI, and leadership.

[00:01:56.350] – David Puner
Here’s my conversation with Arati Chavan.

[00:01:59.020] – David Puner
Thank you so much for coming on to Trust Issues, Arati Chavan, Staff VP, Global Head of Identity and Access Management at Elevance Health. How are you today?

[00:02:12.510] – Arati Chavan
Thank you, David. Pleasure to be here, and I’m really excited to do this podcast with you. I’m doing great, learning to navigate through a lot of the challenges that we all are facing through the security world and everything else that’s evolving.

[00:02:25.750] – David Puner
Excellent. To start things off, what’s the scope of your role as Elevance Health’s Global Head of Identity and Access Management? How large is your team and what’s it responsible for?

[00:02:38.220] – Arati Chavan
Sure. I joined Elevance Health about two years back. Elevance Health, being one of the big healthcare providers in United States, we provide services to approximately 45 million customers. My scope of the work, as part of the Identity Access Management Global Head, is to cater to all of our member needs to give them all the access that is required to navigate through our digital platforms, but also protect their identities and their healthcare data. At the same time, we also provide access to our 100,000 employees and contractors across the globe.

[00:03:14.380] – Arati Chavan
While doing so, my team manages everything from strategy to architecture, operational excellence, taking care of the audit compliance, and making sure we stay compliant with all of the healthcare regulations.

[00:03:26.590] – David Puner
250 folks on your team, considering the scope of both your customers and employees at the company, that seems actually lean and maybe nimble. Is that the way you see it?

[00:03:41.420] – Arati Chavan
I see it as a smart set of people who are doing things the way we have been doing for over the period of time. As I see opportunities, I think we can be even more nimble, efficient, and use those people to do lot more advanced things. With the evolution of AI and with how we are trying to do the cloud-first identity access management, we still have a lot of opportunities on how we can automate a lot of things, how we can fast track a lot of things.

[00:04:10.600] – Arati Chavan
Today, my team is spread across the globe in United States, India, Philippines, and Ireland. I see that we can do a lot more things faster, but at the same time, we can do things in a very efficient way.

[00:04:26.290] – David Puner
You are sitting in Atlanta, is that right?

[00:04:29.190] – Arati Chavan
That is right. I’m based out in Atlanta, Georgia, and my team is all over the world.

[00:04:33.250] – David Puner
The company is based in Indiana.

[00:04:35.930] – Arati Chavan
The company is headquartered in Indiana.

[00:04:38.000] – David Puner
How much of your focus and what you do is actually influenced by the healthcare industry? How does customer trust figure into what you do?

[00:04:49.780] – Arati Chavan
Healthcare industry, if you see in United States, as much as it’s evolving, from the customer perspective, it’s complex to navigate through all of the doctor appointments, to having access to your medical information, to really predicting what’s coming up, and navigating through the challenges that the life imposes. When I look at Elevance Health, as a family of different companies, we provide the whole health solutions for different stages of life. But at the same time, we also provide the clinical, behavioral, complex health type of health solutions.

[00:05:24.320] – Arati Chavan
The future of healthcare is where everybody wants things at the tip of their fingers, mainly on mobile phones. You want to have access to virtual appointments. You want to know if somebody else is going through the same situations as you are. In general, we are trying to make things simpler. Customers are wanting us to give them a simpler solution which has the best-in-class security.

[00:05:49.560] – Arati Chavan
If I keep that at heart, customer trust is extremely important, because in reality, customers have a choice to choose a different healthcare provider every year when open enrollment starts. Unless you gain their trust, give them a simplistic solution, it’s really, really hard for them to stick with you.

[00:06:07.420] – Arati Chavan
I try to employ the same mindset in how we are doing the identity and access because our customers need a simplistic way to access whatever they need to access. They also want to make sure their identities are not getting stolen. They also want to make sure their healthcare information is intact.

[00:06:27.510] – Arati Chavan
When I look at how we evolve the strategy, at the top of my priority list is keep it simple, which is the hardest part. Keep it central, that way, you have visibility. And keep it nimble.

[00:06:41.330] – David Puner
Do you have any a magic formula then for balancing the simplicity for the customer and security?

[00:06:51.140] – Arati Chavan
No magic formula, unfortunately. But I think going back to basics, when you know what are your basic principles in terms of people, process, technology, and budget, you try to keep those things in a way where you can innovate, but don’t lose sight on the basic things. Because sometimes while we are innovating, we are lacking behind in some of the basic controls that we need from the security perspective.

[00:07:16.850] – Arati Chavan
If I have to call out, while I really want to provide customers the simplistic way of login, multifactor authentication is essential, and that can create some customer abrasion. A lot of that comes with training. How do you communicate with the customers? How do you train them? How do you tell them what is the value of security you are bringing in?

[00:07:37.760] – Arati Chavan
Nowadays, being a security professional, as much as it is important for you to be the technical, savvy person who understands the technology and all the cool things that are happening, the soft skills of the security professionals are also very important. You need to be able to communicate that, train the people, and keep it simple from their perspective.

[00:07:58.440] – David Puner
How did you come to that realization, or is it something that just evolved as you went along?

[00:08:04.520] – Arati Chavan
I have come to a realization for this throughout my experiences. But one of the very important situation that I remember very vividly in my previous company, Synchrony Financial, the entire world hit by COVID, and all of a sudden, everybody wanted to get their workforce to work from home. We were the largest private-level credit card company catering to millions and of customers.

[00:08:31.480] – Arati Chavan
Our call center agents, people who used to work in offices, who have never used laptops for their work, were all of a sudden required to go and work on a computer, and they were really struggling. They were being challenged on how do they do the authenticator, how do they log into different system? When we were trying to roll it out, I couldn’t understand why is it so hard for somebody to just swipe a button on phone when they’re prompted.

[00:09:00.530] – Arati Chavan
I sat through one whole day with our customer service agent to understand what is a day in their life is looks like. Then I realized we had some really legacy mainframe technologies. We had the old-age black prompts where you have to do a lot of things that you can’t imagine doing these days.

[00:09:23.910] – Arati Chavan
Then I also realized we had some call center agents that were not able to see, and they were using the keyboards, and they were so used to typing and knowing where they’re supposed to put their credentials and passwords. To train those people, if you assume that it’s going to be just a piece of cake and they’re going to get it in one day, it was a wrong assumption.

[00:09:48.100] – Arati Chavan
Unless you put yourself in the user’s shoes or customer’s shoes, it’s really hard for you to visualize what their challenges are. That was a big wake-up call for me.

[00:09:58.200] – David Puner
This is, of course, when you were with Synchrony Financial a few years back, and then you’ve also spent time with General Electric, Citizen’s Bank. That’s just among others.

[00:10:08.370] – David Puner
When you come to this realization and realizing that it involves changing processes potentially for your customer service agents, how long from when you have that realization to actually changing the processes?

[00:10:24.810] – Arati Chavan
We had to actually change the processes pretty quickly because this was right in the middle of the COVID, and we really needed to get them working in a couple of days. We stood up the hyper-care teams where people were literally hand-holding some of these customer care agents that were really struggling. We also had very simplistic videos that we put together for people to understand step one, two, three of how do you log into your computer.

[00:10:51.060] – Arati Chavan
Those were the basic things we always took for granted. But when you are working in office, we always thought, “Hey, if somebody is not able to figure it out, there is someone from the help desk, contact center, they can just walk up to the person’s desk and help them.” We had to adapt to these changing things very quickly, which was another realization that, as leaders, as much as you want to plan out your multi-year strategies and everything else that you want to do, based on the situations, we have to adapt, and we have to flex our plans and change it on the fly. But when you have the strong teams who can support these type of plans, things become slightly less difficult.

[00:11:29.780] – David Puner
Speaking of changing things and things changing, and you’d already mentioned a little bit earlier in the conversation, the cloud and cloud transformation, what is your perspective on cloud transformation, and what have you learned from it along the way?

[00:11:44.520] – Arati Chavan
If we look at the basics of what is a cloud transformation, cloud is just somebody else’s computer, and you are hosting your things on somebody else’s computers, so that, one, you can manage less infrastructure. Second, you have the speed to market. You can launch the products fairly quickly, but you also don’t have the burden of operationalization of tons and tons of data sets, the infrastructure, the databases, things like that.

[00:12:13.260] – Arati Chavan
When we look at it from that perspective, it sounds simple. But when we start looking at it from what legacy tech depth that we have created… Because a lot of applications that we use today, they have been created maybe 30, 40 years back, some even before that.

[00:12:29.720] – Arati Chavan
Cloud transformation as a journey really is multistep process. First thing is why are you moving to cloud? Because of all these reasons. But then do you know what you have on-prem and how good of an inventory you have? Then what is your approach to transforming the applications and all the things that you want to do during this process?

[00:12:54.000] – Arati Chavan
I have seen a lot of organizations starting this cloud transformation journey and then really lifting and shifting the applications as it is. As leaders, we cannot think on-prem and start to implement that in cloud. We have to think cloud and implement it on cloud. Two very different concepts.

[00:13:13.510] – Arati Chavan
All of the things that we try to do on cloud today, they have very cool features. There are a lot of things that you can do if you use those capabilities accurately. But when we look at in the race of moving to cloud, a lot of organizations have invested a lot of money, but at the same time, because there is this rush to realize the value for the money, a lot of organizations take an easy approach of lift and shift, whatever is easy. Then the problem becomes how do you get rid of your legacy technical depth?

[00:13:50.680] – Arati Chavan
As I was referring before, a lot of organizations still use a lot of mainframe type of systems, legacy systems, and you cannot really rewrite those applications to be ready for cloud without heavy investment and the skills that you need. Those realizations coming towards the end or in the middle of that cloud transformation journey is a big challenge, and that’s what I’m facing, and that’s a challenge that a lot of organizations are facing as well.

[00:14:18.470] – Arati Chavan
Panning it properly and giving yourself time to do it right is the big thing as far as cloud transformation is concerned, and then securing your crown jewels in cloud. Because now whatever you were protecting before within your own infrastructure, your own data center, now suddenly, you are trusting somebody else to do all of that. When we try to put things on cloud, write security controls, write security assessments, having access to all the audit controls, and making sure you continuously have a good understanding of the security posture, those are the key things.

[00:14:54.720] – David Puner
How do you view your role as the business transforms to be more cloud-centric?

[00:14:59.820] – Arati Chavan
For sure. When I joined Elevance Health, I looked at all the things that we have here within the Identity Access Management team. We had a ton of tools. We still have a lot of tools. But when I looked at the tools that can help the organization to be the cloud-first organization, we had some work to do.

[00:15:20.650] – Arati Chavan
My first realization was, any decisions we are making, are we making those decisions for our current challenge, or are we making those decisions for future challenges? Keeping that in mind, we made some tough decisions halfway through, knowing it’s going to be a little more work for us, but it will set us up for success for next 10 years.

[00:15:42.820] – Arati Chavan
Having said that, we are moving away from legacy authentication platforms. We are trying to be a cloud-first authentication platform, so we can, one, have the right federated identity solutions. But also, if I look at our organizational leads, Elevance Health, aka Anthem, we grew by acquisitions and mergers. As we acquire more and more companies, this whole concept of federated identity and being able to connect the newer entities with the existing entities with the right trust, with the right security is at the core. Having a cloud-first identity solution for ourselves is helping us.

[00:16:23.590] – David Puner
You had mentioned federated identity. How do cloud-centric concepts like federated identity and the use of roles rather than accounts change your approach to identity security?

[00:16:33.630] – Arati Chavan
That’s a really good question. If I look at how the business has evolved, David, over the years, in the past, people would hesitate to trust other companies to do the business. They would want to do ton of things before somebody would want to allow somebody else’s websites to have connection to you.

[00:16:54.420] – Arati Chavan
If we see how the business has evolved, things have changed. Now you want to be a global partner. You want to have more connectivities to lot more companies, lot more organizations. You want to have business that works really well at the fast speed.

[00:17:10.760] – Arati Chavan
How we get there is by trust. Two entities need to trust each other for who you are, and then you need to pass on the right information, so you can provide access to whatever else is required during that transaction. That’s the whole concept of federated identity. It’s at the core. If you look at how the data centers worked in the past or how our security frameworks worked in the past, network was at the core.

[00:17:36.670] – Arati Chavan
With COVID, people working from home, things moving to cloud, now your identity is really the new perimeter. Your network used to be the perimeter, but now what Identity is doing, what access you have is the new perimeter. With that, as much as it’s important who you are, it’s also important that what do you trust and what access you need for what amount of time.

[00:18:00.130] – Arati Chavan
When your need is done, how do you even cut that access immediately? That’s the whole concept that is helping evolve in the cloud security and federated identity space.

[00:18:10.370] – David Puner
This is probably a pretty good segue into AI. What are some of the challenges and opportunities with AI that are unique to healthcare? How does that, the rise of generative AI, figure into the trust that you were talking about earlier?

[00:18:28.840] – Arati Chavan
The foundational building block for AI is the quality of data. You have to train your AI engine and all of your algorithms to use the right datasets, and having the right quality datasets is going to be crucial. When we look at the healthcare industry, the type of data that we have related to healthcare information, a lot of times that data is either incomplete, or inconsistent, or is something that you have used your human aspect to learn from the patient during that face-to-face interaction. Not having that type of a quality data set is a big challenge from the healthcare industry standpoint in adapting to AI.

[00:19:11.050] – Arati Chavan
Having said that, there are a lot of opportunities, too. For example, there are a ton of cases in the United States that happen because of not having the right prescription provided to a patient. If the AI data is trained appropriately, AI can audit those prescription issues fairly quickly. That’s the best use case.

[00:19:36.290] – Arati Chavan
Having said that, I think AI is here, and it’s not going to replace humans. At the same time, I would say finding the right use cases for AI and then testing those out is going to be crucial. But from the security perspective, as far as the healthcare industry is concerned, I would say data privacy is the biggest concern, because to train your AI models and engines, you need to be able to share large quantity of data.

[00:20:07.350] – Arati Chavan
A lot of times that data also consists of personal health information, which from one regulation standpoint, you cannot share, but also there is a bigger risk. What if that data gets breached, and it gets hacked, and it becomes available to somebody else? The harm it can cause to patient’s health is tremendous. That’s why having a really responsible approach to AI is crucial.

[00:20:36.010] – Arati Chavan
If I have to talk what we are doing at Elevance Health, we are definitely adapting to innovation. But while we are doing the innovation, we are trying to be more responsible. We do have effort to have a responsible AI committee, and that committee works from privacy, compliance, regulations, legal, security, and our innovation partners. Everybody working together to figure out a solution that works best.

[00:21:02.740] – David Puner
We’re recording this right now, mid to late September 2023. If I had talked to you about AI and generative AI in September 2022, what would your take be on where we are with it right now and how we’re looking at things as far as AI goes?

[00:21:18.880] – Arati Chavan
That’s a great question. I would say an eon back, AI was still at the horizon, but probably not at the speed at which everybody is talking and thinking about AI this year. With the evolution of ChatGPT, things have fast tracked. A lot of people, even their day-to-day use, everybody wants to try out things with ChatGPT. I have seen people writing their resumes with ChatGPT as well.

[00:21:43.010] – David Puner
How do you know?

[00:21:44.660] – Arati Chavan
How do I know? Because there are specific things that you can see on these resumes these days. When I’m trying to hire for my team, I see they’re more polished now. They are very much structured and organized.

[00:21:58.730] – Arati Chavan
In the past, it was not as well-structured and organized. There would be some that you can spot, maybe somebody who has spent tremendous time on their resumes. But there were occurrences where a lot of people were still unstructured resumes, unorganized resumes, things like that. Now there is a pattern.

[00:22:18.100] – David Puner
As a hiring manager at this point, is that a turn-off to you? Or do you appreciate the fact that they’re more organized, even though they might have a little bit of an artificial boost to them?

[00:22:29.540] – Arati Chavan
It’s a tricky question because it can go either ways. I have seen occurrences where somebody’s resume is extremely polished, and you think that this person is really well organized. But when you give them a situation in an interview and ask them, “How would you handle this,” their thought process itself is not organized.

[00:22:46.690] – Arati Chavan
Sometimes it can be misleading. But sometimes I have seen people who are really smart and intelligent people, but they just don’t spend enough time in projecting their brand, or they don’t spend enough time on their resume. That’s your first impression. If you don’t have a good resume, you are probably not calling that candidate for interview either. You miss out on that talent. It can go both ways.

[00:23:11.020] – David Puner
To go back to cloud transformation just for a moment or two, does how you measure success evolve along with cloud transformation?

[00:23:21.060] – Arati Chavan
It has. I think a lot of organizations have come to a realization that, as much as we want to achieve speed in cloud transformation, once we are in the journey, we are realizing that there are a lot more challenges. Instead of just looking at speed and getting rid of your legacy infrastructure as the success, I think how fast you are launching your new products with the cloud capabilities is also becoming one of the bigger success factors.

[00:23:48.980] – Arati Chavan
Cost was one of the big driver for organizations to start with the cloud transformation, and that was one of the success factors. I’m seeing a lot of organizations still struggle with getting rid of their legacy infrastructure because there are a handful of apps that you can’t transform, and you need to find a different place, or you still need to keep that data center active.

[00:24:12.850] – Arati Chavan
We have situations where there are maybe like three or four apps that are holding up your data center decommission. If you just try to measure the success of cloud transformation by how many data centers did you close, then that’s a misleading factor. The success criteria have changed, but it has become more towards, what are you achieving from the business standpoint, instead of just getting rid of your legacy things?

[00:24:41.680] – David Puner
Passwords. Is going passwordless something that’s on your radar? If so, what are the challenges that you face there?

[00:24:50.130] – Arati Chavan
Passwordless has been the topic of discussion and one of the important item on my wish list as well as our CISO’s wish list. We were wanting to do passwordless soon enough, but it’s a journey. It’s a journey to not only implement a technical solution, but also look at the different personas you cater to, and the types of personas that we cater to are very dispersed.

[00:25:16.590] – Arati Chavan
We have user population that can quickly adapt to a technological change. We have user population where you have a stricter clean room policies where people are not even allowed to take mobile phone type of authenticators. The struggle there is to even get them to use a two-factor authentication.

[00:25:36.240] – Arati Chavan
Where it stands today, from my perspective, is passwordless is definitely the way to go. Finding the right use cases and implementing it for that population first, learning from it, and then going forward is the way to go there. I’m very excited that eventually, I really want to implement passwordless for our computer logins where people don’t have to even worry about their cell phones for multifactor auth. Use your biometric and get it done.

[00:26:05.900] – Arati Chavan
But when we look at the regulations and the way auditors look at this information today, that landscape is still evolving, and our regulators and our auditors still digest the fact of how passwordless will work and how they will start auditing those things. This is a slow journey, but I’m hopeful that eventually, we will get there.

[00:26:28.360] – David Puner
How do you look at what it takes to be a strong security leader? I know this is personally a very near and dear subject to you.

[00:26:36.730] – Arati Chavan
Definitely. This is very near and dear subject to me. I’ll tell you a little bit about me. I never thought that I was wanting to get into the security field. I landed in a security field. I started with the business family, getting into an IT world. From IT, I landed into security. Then I built my career within security.

[00:26:59.490] – Arati Chavan
But when I look at the key qualities that security leaders need today or the people who are really doing extremely is one, your ability to simplify the messaging, and simplify the messaging for yourself, understand the concepts, but at the same time, simplify the messaging for your stakeholders. That can be your CIOs, COOs, it can be a CEO. It can be a board of director as well. How do you really tell the importance of a security initiative or what can go wrong without putting a fear into somebody else’s mind? That’s one of the thing.

[00:27:41.870] – Arati Chavan
The other thing that I would say is the security leaders today need to have a really good blend of business acumen, technology, and security, accompanied by a very, very strong soft skills, the communication skills, the interpersonal relationship skills. They need to know how to get things done.

[00:28:03.800] – Arati Chavan
One of my very favorite quotes that I always say is, “In this field, if you need to get things done, it’s not important to be right. It’s important to get it right.” As a security leader, I can say, “You need to get one, two, three things done.” But the business is going to come and tell me, “Hey, I can do those one, two, three things done. So what? What do I do from there?”

[00:28:25.470] – Arati Chavan
What am I trying to achieve? First and foremost is, what is my goal? If my goal is to reduce the risk for the organization, there are n number of ways by which you can reduce the risk for an organization. It does not have to be your way or their way.

[00:28:42.700] – Arati Chavan
How do you really understand their standpoint? Why business is so reluctant to make a change? What is it going to do for you if they don’t understand it? How do you still make them do things to secure the organization? Because at the end, it takes one attempt for the bad actors to cause harm to your organization. They have to be right only once. You have to be right every single time.

[00:29:10.540] – David Puner
Right. How do you live with that reality?

[00:29:15.310] – Arati Chavan
That reality is hard. To really get it right every single time, you need to have a very strong foundation. To get to a very strong foundation, you need to have a really strong team. When I look for hiring people, as much as I want them to have the really nice technical skills, we also need them to have the right mindset. When you get those right mindset, people who are passionate to solve for these complex problems, then they create magic.

[00:29:47.570] – David Puner
When you are hiring, what are you looking for when you hire to get into that mindset? How does the difference between being right and getting something right somehow figure into that hiring process when vetting candidates?

[00:30:02.150] – Arati Chavan
When I hire for candidates, the very first thing that I want to understand is, is this person open to learn? Because everything is changing every day and every night. If I’m good at a particular technology today, tomorrow that technology is going to change. Day after tomorrow, maybe the business is going to do something else.

[00:30:26.490] – Arati Chavan
We need to have people who have really good aptitude and the right attitude to learn. If there is a person that thinks that they already know a lot about a particular topic and they don’t have to learn anything, then that’s a red flag for me. I want people who are intellectually curious who can go and talk to people.

[00:30:47.570] – Arati Chavan
We also need people who can figure things out. You are going to be thrown into a situation where you probably have only bits and pieces of information, and you need to be able to make the complete story out of it. How do you get that done? You need to be able to, one, build relationship with a ton of other people that you need to talk to, and you need to let those people tell you that information. A lot of times, other people don’t want to tell you information. How do you still make that work?

[00:31:14.720] – Arati Chavan
In hiring, I look for people who are, one, very intellectually curious; second, who want to learn; third, who will work well with other people. It’s not about how great you are. It’s about how well you work with other people to get the results that you need. That’s exactly what I mean by getting it right versus being right.

[00:31:40.140] – David Puner
When you take your lens then and look at this, the highly reported and highly talked about cybersecurity skills gap, what’s your take on the cybersecurity skills gap? How do you think things have either changed or remain the same in recent months?

[00:31:58.200] – Arati Chavan
It’s a harsh reality. Every forum, every conference that I go to, and we all, as security leaders, talk about how hard it is to find the right security talent. But if you see LinkedIn or other forums, you see that there are a lot of people really wanting to get into the security field.

[00:32:18.040] – Arati Chavan
There is a gap because what happens is a lot of security leaders look for people with the expertise, or x number of experience, or a lot of security credentials, certifications, things like that. Then the candidates who are wanting to get into the security field, they don’t have that experience on their resume, or they don’t have all the credentials that you need, because a lot of times to get to those credentials, you need to have experience. It’s a [crosstalk 00:32:46].

[00:32:47.170] – Arati Chavan
My take on that is give opportunities to freshers, to people who don’t have that type of experience. Let them learn, give them the training, see how they can do, maybe not as critical roles initially, but give them an opportunity to have the exposure. Because as much as it’s important to have the right credentials, it’s also important to put them through the situations where they get to once see things, also learn from those situations, but also do things. It’s okay to make mistakes sometimes when you have somebody else who has your back, and they can still correct your mistakes. Giving people those type of opportunities is extremely important.

[00:33:31.280] – Arati Chavan
I have had a situation where my team and I went out for a dinner once in Indianapolis, and we had a really amazing waitress who was serving us for that night. She had all the qualities that we would look for in an analyst that day. Throughout that whole dinner conversation, my team and I were amazed at how she was customer-focused, how she was meticulous, how she was making sure every single thing that is said and told to her by every single person is taken care of, had a great memory, extremely well organized, had very good intellectual capabilities, and just did everything to the perfection.

[00:34:12.690] – Arati Chavan
When we ended that conversation, and at that time, we were really looking for a very good analyst to go through the data and organize things, we thought, “She can be a tremendous asset. If we can train her for 3-6 months, she’s going to just do wonders.” We did offer her that job towards the end.

[00:34:31.050] – David Puner
That’s great. Did she take the order down on a pad of paper, or did she keep it all in her head?

[00:34:37.990] – Arati Chavan
She was doing both. She was really being very meticulous about a smallest minute detail.

[00:34:45.480] – David Puner
I think one of the things that I did want to ask you about would be when you were talking about the aspects of your job and how you want to understand where everybody’s thinking going into that conversation, how important is it for you to understand when you’re in that boardroom where everybody stands and how they’re thinking?

[00:35:06.670] – Arati Chavan
You need to first understand your stakeholders. The first step in understanding your stakeholders is rationalize different types of stakeholders and what is important for them about your initiative. At the same time, you also need to somehow figure out what’s their background is, what’s their thought process is. Are they leaning towards being your champion? Are they going to be the critic? Are they going to be just sitting on the fence and see what you guys are going to do?

[00:35:39.900] – Arati Chavan
When you try to project your idea or try to get support from a various different executive leadership teams or, for that matter, board of directors, you need to be able to first connect to some of those one-off and make sure they have some familiarity with that idea. That concept I learned in my master’s education I got from Columbia University, and the concept there was strategic advocacy. This is one of my learning from there.

[00:36:13.620] – Arati Chavan
As much as you want to focus on giving a great surprise to people full of room and tell them this is my brand-new idea, the chance is that everybody will receive that differently based on their mood, day, their background, and what is in it for them is extremely high, and you don’t want to get into that types of situation.

[00:36:35.830] – Arati Chavan
If you are looking for a really quick results, if you want to go in that room, see if you can have at least 50% of those people at least somewhat familiar with what you’re trying to do and talk to them. At least there will be a couple of heads nodding when you’re projecting that idea. At least there will be somebody who can say, “Hey, that’s a great idea,” or they will ask some intelligent questions because they have heard about that quite before. Those are the things that I learned from some of the people that I met there.

[00:37:08.370] – David Puner
Really interesting. Arati Chavan, really fascinating how you’re bringing all of this knowledge from other industries and different perspectives into everything that you do. Really appreciate you coming on to the podcast. It’s been nice chatting with you.

[00:37:22.470] – Arati Chavan
Same here, David. Thank you. Pleasure to be here, and thank you for inviting me.

[00:37:26.320] – David Puner
Thanks for listening to Trust Issues. If you like this episode, please check out our back catalog for more conversations with cyber defenders and protectors. Don’t miss new episodes. Make sure you’re following us wherever you get your podcasts.

[00:37:50.540] – David Puner
Let’s see. Oh, drop us a line if you feel so inclined. Questions, comments, suggestions, which come to think of it, are comments. Our email address is [email protected]. See you next time.