[0:24] Navigating Security Challenges with Sudhakar Ramakrishna

Rachael: I am so excited, like beyond excited to welcome back to the podcast Sudhakar Ramakrishna. He's the CEO and President at SolarWinds, and I can't wait to catch up with you. Sudhakar, welcome.

Sudhakar: Thank you, Rachel. Great to be back here.

Rachael: Yes. I think it's been about two years since we caught up with you last, and you were maybe six months on the job at that point, it was a very busy time for you. 

Sudhakar: It was busy, exciting, nerve-wracking, and making progress. 

Rachael: Wonderful. And I knew that was going to happen after our conversation. You were doing all the best practices. I think you've used gold-plated for some of your recent languages. And I think it's absolutely the path you were taking, and I was so excited people got to hear that because it's a great lesson for others to learn from.

To that point, I mean, since the discovery of Sunburst, what are some of the most impactful actions that SolarWinds has taken to make the company well in the industry at large, more secure? There are so many learning lessons here. 

 

Sudhakar Ramakrishna on Secure by Design and Industry-wide Collaboration

Sudhakar: As I said, a very exciting but also a journey that has been laden with progress. We spoke about our Secure by Design initiative when we first met two years ago. Secure by design is a term that I have used for the better part of 10 years. And I always looked at security similar to quality. So when we are building products and delivering to customers, we want to make sure that they're of great quality and the customers get a great experience. 

So in my mind, security was always in line with quality, delivering a great security experience. And the best way you do that is at design time, not after the fact. Things like, as an example, penetration testing is important to perform after the product is built, but they don't replace the focus and the goals that you have at design time. So that is the reason for Secure by Design. And I'm glad to say two years later, more and more people, including CISA, for instance, are using the phrase secure by design. So I think that's a validation of our approach. 

I wouldn't call it only our approach, because I truly believe secure by design needs to be an industry-wide approach. And yes, while I may have instigated it, it's important for everyone to adapt it, and then proliferate it. So the last two years have been a journey of security by design. And I call it a journey, Rachel because I don't really believe we will ever be done. I don't think our job is done. The threat actors are becoming smarter. Which we can talk about in more detail, is helping them as it is helping us, and threat surface and threat vectors are growing every day.

 

Building a Collaborative Defense with Sudhakar Ramakrishna

Audrey: Absolutely. So I know that you're saying that this is a journey and you're saying that you've seen a lot of improvement along the way. But what are you still seeing that's lacking out there in terms of the industry adoption, the approaches, and even with what you're doing yourselves as SolarWinds? 

Sudhakar: One of the main things that we started doing when Sunburst impacted us, let's say, was the notion of how can we come out and be transparent about what happened and what we are doing about it. Having made progress as an industry in the last two years, I believe.

So relation to transparency and efforts, I also introduced the phrase community vigil, which is no one company can protect itself, and we all need to work together as a community and create a vigil. 
What happens, let's say, in our neighborhood, if something happens, we as neighbors will form a vigil around it, right? And so the same thing needs to happen at a larger scale.

I'll say there is an appreciation of those concepts, but I don't believe either the practices from us as software creators, vendors, and so on. Or for that matter, the public entities, regulators, government, and so on, have a deep enough appreciation of it, for the single fact that I keep referring to this term of asymmetry in threats. 

Whereas as a company, we have to be right and defend ourselves every single time, a threat actor has to be right only once to break through once. So there's an agreement with that significance, and I don't believe any one company, no matter how good you are, how smart you are. You've likely seen the recent news about Microsoft and Office 365.

 

Sudhakar Ramakrishna on Building Resilience and Fostering Collaboration

Sudhakar: It happened just last week. They're an incredible company with a tremendous number of resources and lots of real research, but they're not immune. The humility to accept that nobody's immune is important. What has not happened yet, and I say "yet" because I remain optimistic, is the level of public and private partnerships needed to take us to the next level of defense. We are far from it. 

Rachael: Because there's just no silver bullet, right? With technology evolving so quickly, particularly AI, and then I think there's the aspect of quantum computing ahead as well, right? There's always going to be something that's creating these cracks in the system. How could you ever cover all of them at any one point in time or even know all the ones that exist? It's crazy.

Sudhakar: You're absolutely right, Rachel. I go back to basics and first principles. We're all in business and know that running a good business is about doing basic things right consistently. The same applies to security and security posture as well. What are your design principles? What are the value systems you want to proliferate? Regarding the private and public partnerships you mentioned, if you victimize victims, then their ability to be transparent and talk about this diminishes. 

We've seen this in our social circles too. If you make it a stigma, people won't step forward. Every time people don't step forward, we lose. The threat is big. That's why I believe what we did two and a half years ago was unconventional, perhaps a bit foolish in terms of transparency. But I firmly believe we did the right things the right way, hopefully. We're being recognized for it, even though there's a lot of work left to be done.

 

[7:53] Sudhakar Ramakrishna on Collaborative Cybersecurity Initiatives

Audrey: So I actually think your approach was brave. Some might not want to hear that, but sometimes standing up and taking ownership for things that happen and how you're gonna fix them is the right way. A lot of people won't; they always want to blame someone else. You're just like, this has happened. This is what we're gonna do about it. I thought it was an excellent way of approaching it.

Sudhakar: Our teams did a fantastic job, and they continue to do so in terms of the bastion, so to speak, evolving to secure software design. I'm sure you're familiar with all the new developments happening there. We're leading the way, contributing, and learning about what we can improve.

Audrey: Excellent. So you talked a bit about the need for public and private partnerships. Could you elaborate more on how SolarWinds partners with the government and industry members to enhance our nation's cybersecurity?

Sudhakar: Absolutely. We're close partners with CISA. The work that Jen, Eric, and their team are doing, I'm a big fan and believer in it. We've done everything we can to share, especially from a design standpoint. Jen also mentions secure by design and by default, extending these concepts.

That's a huge positive for us. CISA is working on enabling government agencies to collaborate and share real-time information, an area where we've honestly not been able to assist much. But we're closely collaborating with them on secure software design principles.

We contribute significantly to these efforts' creation. For items like self-attestation, which could be challenging for some companies to support, we're ready to say yes. We started working on these with transparency, urgency, and collaboration. 

 

Forging a Unified Defense

Sudhakar: I believe such principles shouldn't be proprietary and should benefit the industry, not just individual companies. Hopefully, this approach benefits us in the long run. The government comprises various regulators and agencies, and we're still working on progress with some of them.

Rachael: That was kind of my next question, Sudhakar. How do we manage with so many regulatory bodies and other agencies? Trying to align everyone seems like an uphill task, almost like Sisyphus. Is it even possible?

Sudhakar: I want to believe it's possible. Rachel, I'll reiterate, call it a pledge I made to CISA. Because CISA, like every other company and entity, is also resource-strapped. So if we put a huge burden on them to be the cyber defense for the nation, we need to ensure they're properly resourced as well. Yes, one of the thoughts I proposed was, "What if SolarWinds were to give CISA a full-time equivalent from us, contributing to CISA?" And each one of us, let's say two, three, 4,000 companies can do the same. 

But the effort of that community should be security research, understanding threats, and guiding all of us proactively to have collective defenses better than any other threat actors' activities. We can achieve that. I truly believe that as an industry, we'll become more efficient, secure, productive, cost-effective, and as a result, more competitive. I realize there are many bridges to cross to get to that state. But if we can together have the conviction and commitment to do that with CISA, then I think the rest of the industry and regulators will benefit and come along as well.

 

Fostering Information Sharing

Audrey: So how do you think you can make that collaboration happen, that sort of information sharing?

Rachael: I love it. I love this idea though. I mean, I really love this.

Audrey: Absolutely.

Sudhakar: I mean, this again, goes back to basics. One is if I continue to believe as a software company or a vendor that why should I share this information with anyone else, then I've already lost the game at that point in time. And I've actually increased my threat surface, so to speak, because I'm not learning from the world. But if there is a way for CISA and the government to facilitate the contribution, as there might be others, call them legal issues, procedural issues, etc. 

We need to commit ourselves to breaking those barriers because the time spent on processes, legalities, etc., gives time for others to attack us harder and faster. So a simple framework, I'd say CISA should be given the authority to collect the pool of resources, and we should all be asked to, let's say companies above a certain size since the largest companies already have committed teams doing their work, but even they're not immune to security threats as discussed earlier. 

So what about based on company size? You can exclude resource-strapped or smaller companies but yet commit to the spirit of community vigil. Whatever information is distilled and gathered by CISA in terms of guidance and guidelines is contributed to or distributed among all of us. Which will lead us to a level of maturity and the ability to have collective defenses much better than any one of us can achieve. 

 

Sudhakar Ramakrishna Envisions a Collaborative Cyber Guard

Sudhakar: Then we can use marginal dollars for more productive uses like supporting customers better, innovating faster, and being more cost-efficient. Yet we're losing a lot of money by repeatedly doing the same thing in every company in the name of protection rather than creation. That's the bridge we need to cross. 

Rachael: Yes, it's almost like the US version of a cyber army, if you will. 

Audrey: Exactly. 

Rachael: Yes, a public-private cyber army. I love that. In fact, all boats rise too.

Sudhakar: In fact, we were in Washington DC a couple of weeks ago. We did an event, and we had bipartisan support with Congressman Dar Eliza, as well as Congressman Raja Krishna Mutti joining us. I think it was Raja Krishna Mutti who used the term "cyber guard". He was talking about the notion of a cyber cloud when I described this note. I believe we need to do things like that to be different going forward, rather than trying to do more of the same. 

Audrey: So do you think there is any concern about being part of this around the whole thing of when these attacks take place or people believe they're happening and reporting them? Is there any discussion on it, similar to being a whistleblower and having protection in the UK? I don't know if it's the same in the US, but you have a level of protection.

Is there any discussion around sharing this kind of information to make the industry stronger and safer as a whole, without going after the whistleblowers who are saying this is happening or has happened? 

 

[16:43] Embracing AI Ops for Enhanced Customer Productivity: Insights from Sudhakar Ramakrishna

Sudhakar: Yes, since you mentioned the UK as part of the Sunburst investigation and subsequent efforts, I got to know the UK Cyber Security Centre's director, Paul Chichester, as Chick, as he likes to be called, quite well. I felt that their practices in the UK are more mature and consistent with the notion of community vigil and not victimizing the victim. 

There are lessons we can learn from one of our Five Eyes partners in the context of what's happening in the UK. But you're absolutely right. Taking some of their best practices and seeing how they might be applicable here or globally would be very appropriate. 

Audrey: Excellent. Very good. Now I have a complete tangent that I do when I ask because everyone's talking about AI at the moment and trying to work out how to use it, how to protect against it, and that sort of thing. Can I ask you what your plans are around embracing the things you want and maybe keeping some things out? I'd love to hear your thoughts on that.

Sudhakar: A couple of years ago, in fact, almost around the time I joined SolarWinds, we started an AI ops team within SolarWinds. The idea was more about getting deeper into our customers' productivity cycle. Just for context, the purpose of SolarWinds, as I defined it, is to enrich the lives of the people we serve. That's how we define SolarWinds. It's not about software or cloud; none of that stuff. 

Our purpose is to enrich the lives of the people we serve. So when I think about customers in that context, my belief system, which has been there for a long time, is focused on how we can improve their productivity. 

 

Embracing Ethical AI: Insights from Sudhakar Ramakrishna

Sudhakar: And every time I get an opportunity to act on that belief and get paid for it, we get excited to do it. Enriching a customer's life, in our context, means improving their productivity. Because what's one thing all of us say we need more of or don't have enough of? It's time. So how do we help them resolve issues faster, identify problems more quickly, and remediate them quicker? 

That was the initial idea based on our foundations of monitoring, observability, service management, and so on. So in that context, we built AIOps with the express purpose of eliminating alert fatigue, which has become a common phrase in our industry. We're bombarded with alerts. Then we progressed to pinpointing root causes for situations, aiding in fault isolation. And now, increasingly, we are also focusing on remediation. That's the broad focus of AIOps within our company. We've been working on it for about two and a half years. 

I'm also part of a group that promotes ethical AI. I believe that AI can cause negative damage as well. So having ethical principles for AI is important. Just like how we addressed Sunburst with a set of basic principles, we should also support a basic set of principles for ethical AI. Rachel, that could be a topic we revisit and discuss with the audience in a podcast. What does ethical AI mean? What are the principles around it? Yes, and so on. Doing justice to the topic. 

Rachael: That would be amazing. It's such a divisive issue seemingly too.

 

Navigating the Ethics and Potentials of AI

Audrey: Absolutely, but because everyone's trying everything out, it's a bit like when the internet first arrived. Every way that people, the academics thought it would be used, was not what it ended up used for, right? So every new thing that's come out, it's like, well, how can I use this to do different things? I mean, it's a very interesting tool to be looking at how we apply it. 

But I think there are some concerns in my mind about AI. It's only as good as what you train it for and what methods you're using and all of that sort of thing. Because I'm always like, well if you feed it loaded garbage, it'll give you loaded garbage back, which is finally making it in the news at the moment. But if you feed it smartly, you will get good results. 

Sudhakar: Absolutely. And we are seeing that in action, whether it be writing code, writing an article, or doing something even more esoteric than that. But even for these basic things, there can be a lot of positives. You can write code in a fraction of the time it takes today, let's say. But equally, as you said, if you don't train it properly, you can load it with a lot of bugs or worse, a lot of security challenges. 

A lot of misfires, let's say. Especially when you think about critical infrastructure, you need to be extremely careful about what you train and how you build. So we are in the very early stages of that journey, but I'm happy that there is an equal voice, at least on the ethical aspects of AI. So, going back to my optimism, I'm sure we'll find a happy medium and balance. 

Audrey: Excellent. Thank you. 

 

Fostering Collaboration Amidst Cyber Asymmetry with Sudhakar Ramakrishna

Rachael: I love your optimism. I think it's so critical for this industry in particular. There's a way forward. We can get there. We just have to sometimes get creative and we need a lot of help and a lot of partners to get there. Let me know your perspective, but it kind of feels like the tide is turning too. I think that more and more of the security industry is wanting to collaborate, and wanna get into that partnership because you just can't go it alone anymore. 

Sudhakar: I am seeing glimmers of hope on that front, Rachel. Given the asymmetry that we spoke about, there is a lot more to be done. I don't want to take it to an extreme step, but we should be able to say certain levels of security information, security knowledge, and security information dissemination is that it needs to be available to everybody. 

Rachael: Right? 

Sudhakar: I don't think we are there yet. Just like there is asymmetry in terms of the threat actors and us, I think there's a lot of asymmetry in terms of the level of knowledge, level of sharing, and level of transparency amongst us. Some of us think that not sharing is a competitive advantage, and I believe it is a collective disadvantage. 

Rachael: Absolutely. And I think on the asymmetry front, we were talking about, what was the term, Audrey? Was it cyber debt? Or, when you look at the cascade of companies out there, kind of, there are the ones, 

Audrey: It was cyber poverty, 

Rachael: Cyber poverty. 

Audrey: That was the term, which I think it's an excellent term for it.

 

[24:28] Exploring Cyber Challenges with Sudhakar Ramakrishna

Rachael: Exactly. Because they're the haves and have-nots, if you will, and they all have to kind of work together. Yes, there's no level playing field. I guess when it comes to this stuff. And how do you accommodate that? Particularly when you look at things like your regulatory bodies trying to set up disclosure rules. I know the SEC announced something back in March, and they've been working on it, and I don't know how you can clearly define something that you don't have all the answers on day one. 

So you have 48 hours to tell me everything, depending on the size. I just don't know how you can be so definitive on these things. Are there any kind of things coming up in the next two years or so, Sudhakar, that you're excited about? 

Sudhakar: From a SolarWinds standpoint, I'm very excited about the work that we are doing on this arc of enriching the lives of the people we serve, obviously our customers. In this context, we have evolved our product portfolio, the solution portfolio, from what was largely a monitoring set of tools to now a company that does best in class. I would say, mean time to detect or help customers detect issues, mean time to repair or remediate them at the same time.

And we are doing this in the context of what we call the SolarWinds platform, where we are creating the ability for customers to first and foremost automate their environments. We spoke about AI for a bit. There's a role that it plays in terms of automating their environments. When you automate them, you observe them, you create the ability to observe the environment. 

 

A Vision for the Future with Sudhakar Ramakrishna

Sudhakar: And the reason why I say environment is it's not just about networks. It's about networks, it's about applications, it's about databases, it's about cloud services, people like us, and things. So create the ability to observe them. And now that you've observed them, why not help the customer visualize it such that they're not getting hit with alert fatigue and other things, right? And then once you're able to detect it, you might as well help them remediate it. 

So we are doing some very unique things in terms of combining our portfolio of monitoring to observability to then service management to create this value proposition. And the underlying foundation is simple, secure, and powerful. Those are the three underlying foundations. Make it simple for customers, make it secure, and make them powerful. This is what excites me as we come to work every day because we are trying and striving to do everything possible to enrich the lives of our customers. 

Rachael: I love that it's customer-centricity, but also this, trying to simplify what's been so complex for so long.

Audrey: But I also like the fact that you have a philosophy rather than necessarily just being like, we're a software company. Yes. We have a philosophy that just kind of go throughout your culture in terms of how people work and what they work towards. 

 

Navigating a Journey of Evolution and Empowerment

Sudhakar: It's a journey. Again, Rachael, right? More than 50% of our employee base was hired since 2020. And so we are constantly training and constantly learning. In fact, later today, speaking of QS and other things, I have a session for our people team or our HR team, which is to record a few videos about our continuing SolaWind journey. So we onboard them, we continue them, we evolve them, and so on. So this is a process. This is a journey. 

Rachael: I love that. It's kind of like you're, you don't get to set it and forget it. Right? It's continuously evolving, which is just so critical. 

Audrey: I have to admit, so, as of, I believe it's last week, I've been at Forcepoint for six years. And when I describe the company to other people, I go, Forcepoint isn't a job, it's a lifestyle. And I think you have made SolarWinds very much. It's a way of working, a way of thinking, a philosophy that probably goes an awful lot further than your software. 

Sudhakar: Oh, for sure. And that has been the case for SolarWinds well before I joined as well. It's just that I've been mixing things up a little bit and continuing to evolve it. 

Rachael: That's wonderful. And they're called Solarian? Is that, is that the internal I love that. 

 

Enriching Lives Through Innovation and Collaboration in Cybersecurity

Sudhakar: I love that we call them Solarian. 

Audrey: Excellent. It's better, sorry, I should be careful, but it's better than Googlers or, or RS that are new Googlers. I think it's better. I like Solarian.

Rachael: Well, I've really enjoyed having you back, Sudhakar Ramakrishna. Thank you so much. This is again, inspiring. It's wonderful to know that folks like you are out there in the industry, trying to affect change, kind of going about it the right way. I mean, there are so many opportunities out there, and we just need folks to say, "I'm gonna be accountable, and I'm gonna help drive this forward." 'Cause together we can really accomplish a lot, as we know. 

Sudhakar: Awesome. Thank you, Rachael. Audrey, you have been doing great work in proliferating these messages because it's also very important to get those messages out. Hopefully, we can continue doing it and improve the security posture or productivity posture for all of us. So let me know how I can help, and I'm looking forward to next time. 

Audrey: Awesome. Thank you. We should definitely discuss ethical AI. Let's get it on the agenda.

 

About Our Guest

 

Sudhakar Ramakrishna joined SolarWinds as President and Chief Executive Officer in January 2021. He is a global technology leader with nearly 25 years of experience across cloud, mobility, networking, security, and collaboration markets. He most recently served as the CEO of Pulse Secure®, a leading provider of secure and zero-trust access solutions for Hybrid IT environments, where he was responsible for all aspects of business strategy and execution.

Prior to Pulse Secure, Mr. Ramakrishna served as the Senior Vice President and General Manager for the Enterprise and Service Provider Division at Citrix®, where he had responsibility for Citrix’s portfolio of virtualization, cloud networking, mobile platforms, and cloud services solutions. Mr. Ramakrishna also has held senior leadership roles at Polycom, Motorola, and 3Com. Mr. Ramakrishna is an experienced public and private company board member.

Mr. Ramakrishna is a partner at Benhamou Global Ventures, a leading venture capital firm investing in emerging startups in the fields of security, analytics, and applications. Mr. Ramakrishna earned a master’s degree in computer science from Kansas State University and a Masters of Management degree from Northwestern University’s Kellogg School of Management.