From boardrooms to breakthroughs: The journey of a CISO

Cybersecurity leader Rinki Sethi – ex-Twitter CISO and now CSO at Upwind – speaks with Assistant Editor, Eve Goode, about tech, leadership and her journey in the industry.

What are some of the key experiences that have encouraged you to develop a career in security?

I started my career in cybersecurity after leaving college. I was a developer with a computer science and engineering degree, and I jumped straight into the cybersecurity space.

It was during my time at Palo Alto Networks that I started thinking seriously about pursuing the CISO path. My first step in that direction came when I took on the enterprise CISO role at IBM.

From there, I moved into my first official CISO position at Rubrik, and then to Twitter [known as X since 2023], followed by BILL.

Now, I’m at Upwind. What drove me throughout this journey was a desire to change how security is managed within organisations.

One thing I’m passionate about is driving cultural change around security by embedding it into the DNA of a company.

That’s been my mission since the beginning. The experiences that led up to my first CISO role – the battle scars, as I call them – came from running incident responses, training teams and going through the real-life challenges of cybersecurity.

All of that has fuelled my passion for making meaningful change.

What obstacles did you face when transitioning from technical roles to leadership positions?

It’s been an interesting journey. Taking on my first CISO role was daunting. It’s one thing to have experience creating content or being part of conversations, but presenting to the board, especially for the first time, can be intimidating when you’re in that room alone.

What made it more challenging was that I stepped into that first CISO role right when the pandemic hit.

I then took on my second CISO role during the pandemic at Twitter. This was when the company was going through a particularly critical time.

It was also during the US election, right after the company had experienced a breach, during the 2021 Capitol attack and before the highly publicised takeover.

One of the biggest things I learned during that time is how essential it is to build trust with your security team; while that’s already difficult, doing it virtually makes it harder.

When you can’t meet in person, it’s a challenge to form genuine relationships. Leading with empathy and authenticity becomes essential and that’s something I had to lean into, both at Rubrik and Twitter.

Another challenge and one of the most exciting aspects of the role has been keeping pace with the constantly evolving technology and security landscape.

The questions are always: “How do you stay ahead of the curve? How do you lead with innovation and ensure you’re not falling behind in what you’re implementing across your organisation?” It’s important to be a thought leader – anticipating what’s next and preparing your teams for where the threats are going is crucial.

You must think about the future, not just the position of the threats now.

With advancements in AI, what are the risks and benefits of using it to tackle cyber-threats?

There’s still so much about AI that we haven’t fully figured out, especially when it comes to securing AI itself.

We’re integrating AI into security products, but we haven’t yet nailed down how to effectively secure those AI systems.

There’s a lot of innovation happening in this space, which is exciting but also highlights just how early we are in addressing these challenges.

I’m actually more excited about the opportunities AI presents, particularly the new capabilities and the productivity gains it can deliver.

In cybersecurity, we already have a significant talent shortage and it’s difficult to do everything we want or need to do with the resources available.

AI-powered tools can help us scale in ways that weren’t possible before.

This is one of the reasons I joined Upwind. We’ve been an AI-native company from the beginning and we’re really leading the way in how AI is being applied to cybersecurity.

When I think about the future, I see a massive explosion of data on the horizon, driven by AI agents and automation. The traditional ways of doing security just won’t scale in that environment.

Things like dashboards might not hold the same importance when intelligent agents are actively doing the work on your behalf but if those agents have runtime access to data, then security practitioners can make faster, better-informed decisions.

That’s how we’ll be able to scale effectively. That’s been part of Upwind’s story from the start and it’s a big reason why I joined the company.

I truly believe this is not just the future of cybersecurity but of many other industries as well.

How have you seen cybersecurity change within the last five years?

There have been a lot of changes over the years. For example, we used to and still do champion the concept of Zero Trust, which is about treating identity as the new perimeter.

That idea has become a central focus. Now, we’re hearing a lot more about both human and non-human identities and about building the next generation of identity platforms focused on governance.

This is something CISOs were advocating for under the umbrella of Zero Trust and now it’s become foundational to everything we’re doing.

Over the last five years, we’ve also seen the early stages of AI and machine learning adoption in security.

Security teams were among the first to adopt these technologies because we had to use them to stay ahead of increasingly sophisticated attackers.

Today, the conversation has evolved. Now, everyone is being asked: “How can you do more with less? How can you drive greater outcomes using AI?” It’s been amazing to watch AI-native companies, particularly those focused on runtime, begin to really lead the way.

That focus on runtime has also been a shift. I remember first hearing the term “runtime” about three years ago and thinking it sounded like another buzzword, one which I didn’t quite understand at the time; as time has passed, it’s become clear, with more security leaders now recognising that we do need to prioritise runtime.

Another challenge is the human element. Despite the technological advancements we’ve made, human error continues to be the number one cause of breaches.

There’s only so much technology can do to prevent that. The question becomes: “How do we continue to raise awareness and reduce the human errors that lead to breaches?” That’s something we haven’t completely figured out.

What are you hoping to achieve at Upwind? How does the company’s vision align with your own?

There are a few things that led me here: I’ve helped fill major CISO roles, served on boards and was just about to take on another public company CISO position – but then Upwind’s opportunity came up.

I had been an early customer of Upwind and what drew me to the company was the thought leadership. It stood out to me immediately.

It’s rare, but every now and then you meet someone who sparks something in you. That happened when I met the CEO [Amiram Shachar].

We had this conversation where he said: “There’s going to be a data explosion. AI agents are going to completely change everything.”

At the time, it sounded a bit like science fiction but here we are, just a few years later, and we’re living in a totally different world.

One thing he said that stuck with me was: “If you’re not in runtime, you’re not doing security right.” That idea made me pause and reflect, and I came to believe in it.

When I was thinking about my next role, I knew I wanted to be part of something that could drive change.

I wanted to build something security practitioners wanted, something that moved the industry forward in the right way. That’s what I hope to do with Upwind.

This team built and sold a company to NetApp for nearly $500m, yet they are all so humble. Even more impressively, the entire founding team came back together to build Upwind – that says a lot about who they are as leaders.

Startup life is tough and the fact they all wanted to go through it together again speaks volumes about their culture and trust in each other. To me, that is exactly the kind of team I wanted to be a part of.
