EP 15 – Prabhath Karanth from Navan

Hello and welcome to Get IT Started, Get IT Done, the Banyan Security podcast, covering the security industry and beyond. In this episode, our host and Banyan’s Chief Security Officer, Den Jones, speaks with PK, Global Head of Security and Trust at Navan. We hope you enjoy this discussion between Adobe alums, about the state of security as an industry, as a career, and more.

Hey, everybody. Welcome to another episode of Get IT Started, Get IT Done. I am your host, Den Jones. This is Banyan’s, I guess, lame attempt at podcasting. If we don’t sell software, then I guess we’ve got to fall back on something, right? So maybe this is it. Anyway, every episode, I’ve got an awesome guest. And this week is no different. We’ve got PK from a company that used to be called TripActions, but PK is going to tell us what it’s now called and introduce himself. PK, over to you, big guy.

Hey, Den, good to see you. Thanks for having me. It’s great to be here. Hey, folks, this is Prabhath, I go by PK. I’m the Head of Security and Trust at Navan, the company that Den was mentioning was called TripActions earlier. We rebranded to Navan a few weeks back. So I run a full spectrum security team here with my kind of primary objectives being that I make sure that we meet our security and privacy obligations to our customers, investors, stakeholders, and regulators. So yeah. Thanks for having me, Den.

Awesome. And your employees, I’m guessing, as well, because when I describe security programs, I’m like, “We’ve got employee data to protect, we’ve got customer data to protect, and we’ve also got intellectual property to protect”. Right, so. All-

Yeah, 100%. And even stakeholders, so everybody else is part of that.

Everyone’s in that big bucket. We’re like, “Hey, stakeholders, just pay attention. Pay attention and do your security training one more time, if you don’t mind.” Hey, so you and I, we’ve met before. We are both ex-Adobe, so the Adobe alumni. And you were in the RGRC, our audit kind of team. So why didn’t you explain that function and what was it you were doing there and how did we meet and what was the interaction between our teams?

Yeah, yeah, for sure. Yeah. I’m feeling very nostalgic here, taking me 10 years backwards then, right? So yeah. I think I spent a good nine plus years of my career at Adobe. It was a very unique opportunity to be part of that business transformation at Adobe when Adobe was moving from a desktop services product kind of go-to-market offering to a cloud services model. So that kind of created a very unique opportunity from a security perspective, I think because the way we had to think about security had to change. There are a lot of these global regulations, both from a commercial and a regulatory perspective that applied in order to do business. So that kind of created a need. I think, back when I remember around 2012, ’13-ish to actually formulate a formal function around governance, risk and compliance.

(03:28)
So I was kind of well positioned to be there, early days of cloud security. Up there, we were actually… Our primary mission at that point was to ensure that we enable market access for Adobe products by building security controls in a uniform manner across the cloud offerings to get all of these security compliance certifications like SOC 2, ISO, PCI, HIPAA, FedRAMP and all of that stuff. So that’s how things started. And then one thing led to another. After that function kind of matured, I had this unique opportunity to run a very strategic function for Adobe’s CISO at that point, which gave me an opportunity to work closely with you, Den, and the product security organization and the rest of the leadership there in Brad Arkin’s staff. So yeah. Pretty much feel like that was a great, great school where I really saw how security is done right at that scale. And with that knowledge, it just feels like I can go do this in any business. So yeah. That’s the background.

Yeah. It’s funny, right? Because enterprise security, the organization that I ran, we were delivering a lot of security for the workforce and engineering and functions like that. And obviously, everything that we’re doing is under a lot of scrutinies, certainly as part of compliance. So even when we deployed our zero trust program, it’s like, “Well, what about this zero trust?” We called it Zen there. So what about Zen would even benefit from a compliance perspective, not just in benefit employees, but benefit compliance. And now roll on a few years later, we are now applying our trades at two different companies. You’re in Navan and I’m at Banyan.

(05:26)
So with that, one of the things for me, I get to now engage with a lot of executives in your position where it’s like, “Hey, what do you think a good security program is? Or what’s your struggles? What keeps you up at night?” So I got a few of these little gem questions, and I think most people commonly ask, so I’m going to ask a couple of these ones then we’ll diverge a little bit. So security program, obviously we join companies and we inherit an existing program of some nature regardless whether it’s good, bad, or indifferent. So in your role, what is it you’ve been trying to do that you think is bringing, a world-class program to Navan?

Yeah. Yeah. So the way I think about this then… And this goes back to the way we did this in Adobe and the way the business expansion and all that. Whatever you are doing from a security perspective, tech perspective, it needs to be aligned with the business because if there is no revenue, what are you building security for? It doesn’t really matter. So your number one objective I feel is to align with the business. What that means is you got to really understand what your customers are expecting. The next piece is what your investors are expecting based on who they are. In our case, it’s mostly VC funded, hyper growth startup, and in public companies it’s different. And then lastly, your other stakeholders like employees and regulators and all of that. Now, when you think about it from that mindset, you’ll probably think of three main things that you need to do in each of those buckets. And that’s how I drive security overall.

(07:14)
Just to give some examples, customers are expecting us to build a secure product and enable customer trust. So product security becomes extremely important to make sure that especially in these microservices based distributed architecture, how you’re deploying code into through a CI/CD pipeline and all of that. That becomes very critical. Your application security piece becomes very critical. So you double down on that. And then of course, if you look at all the recent breaches, it’s mostly happening through… The common trend is an MFA bypass business email compromise. So of course your investors are expecting you to protect the company. So you got to think about, “Okay, how do you protect against that?” That’s where you’re… You don’t trust peace comes into play. And then lastly, the regulators, all the compliance certifications and all that side of the house.

(08:04)
So it all revolves around these stakeholders, and that’s how I derive various functions. I primarily have three buckets. That’s how I categorize it. One is GRC and trust which is all the field enablement and compliance. Product platform security which is the function that closely works with the engineering side of the house, the CTOs organization, building product security, platform security, cloud security. And lastly, enterprise security detection and response function, which is working with the IT organization with all the endpoint, email, zero trust, all that stuff and then the detection and the response pieces as well and threat hunting. So that’s how I kind of logically segregate it in my mind. And-

Awesome. Yeah. And I was just thinking it’s like… So Navan is a really disruptive but hyper growth company. So you’re disruptive in the market, you’re growing really fast. And you and I know this from our Adobe days is one day you’re not really a target because you’re not in anybody’s mind and the next day you feel like you’re everybody’s target. So as you go through that, how do you think or do you think that changes your approach or your risk profile as you’re trying to make sure you keep the company safe?

No, absolutely. I mean, the way at which this company has grown during… I’ve been here for a couple of years. So the business… The company’s grown from around 700 employees to 3000 employees. Right now, the valuation was around $3.4 billion or something like that when I joined. Now it’s nine plus billion dollars. We have 10,000 plus customers at this scale. Every time I do a risk assessment that’s outdated in a few days because the business priorities are constantly changing. We are innovating, we’re disrupting, bringing in new functionality features into the product. So it’s extremely critical to keep a close pulse on the business side of things, what the business strategy is and what the product strategy is. And then constantly do a continuous risk assessment. It’s almost like it needs to be running on the back of my mind and my leader’s mind for their respective areas all the time. I call it as an agile risk assessment.

(10:24)
You can’t really use a framework for that. It’s a very pragmatic, agile risk assessment that you need to do and pivot to the strategy based on where the business wants to go to protect the company. Yeah.

Yeah. No, that’s awesome. And then… Okay, so one thing, it’s been really hard to nail you down because you’re a very busy character, so you’ve been traveling a lot. I think, was YL, was that the last trip you’re on? And I don’t know if everybody knows really what that is. So can you explain a little bit about what that event is?

Yeah. So I was actually in Tel Aviv, so we have a lot of business operations in Tel Aviv. Navan has a site in Tel Aviv where we do a lot of R&D work. So I’m actually trying to build some presents there as well, especially on the product security side of the house. So I was there primarily for that, but I did get invited. There was a cyber tech conference that was going on when I was there, so I just got invited to do this panel with the Wild Ventures and a few other venture capitalists, security VCs like SYN Ventures, NightDragon. And the beauty of it was there was Brad Arkin there who we worked with in the past in Adobe. So it was a fun time. It was a great panel between VCs and Brad there and a bunch of startup CEOs in the audience asking questions. It was a lot of fun.

(11:46)
And Tel Aviv is just an amazing place to end the [inaudible 00:11:50] mindset and especially for on the security side of the house, the problem solvers, the entrepreneurial mindset. Any problem you can think of, there’s a company there, a lot of them, multiple solutions in some cases, they’re trying to compete with each other. The spirit there is just incredible. Yeah, yeah.

Yeah. They’ve got a huge… I mean, from a security perspective and the startup scene and everything like that. And I’ve worked especially more of my Adobe days with a lot of the teams and… Team A is a group that come to mind that are based out there, and it’s like the… They’re doing some fantastic work. So it’s great to see that. And I’ve never been there. I was meant to have gone just before COVID and then that fell through. So hopefully next year or so I’ll make it out. Yeah. Now you’ve gone through… I mean, you and I have gone through this kind of aspiring career journey and we were blessed at Adobe to be given lots of opportunities for growth and learning and stuff and career movements, so that was awesome. But if you’re going to give one piece of advice to people if they’re trying to go through a career path similar to ours where they end up landing like a CISO level job, what would that one bit of advice be?

Yeah. I think CISO role these days, Den, and you will probably agree to this, is becoming more of a business role than a tech role. I mean, we all come from a deep technical background. I come from an engineering background. You come from a deep tech background as well, which really helps us. But end of the day, when you’re running security in companies, it’s mostly a business role. You got to run your organization, how you are running your business in terms of what the risk profile is, what kind of security posterior building, the relationships with all the key executives of the company, relationships with the board CEO and all of that. So I think what really helped me to be honest, is that when I was actually kind of climbing the ladder in Adobe and gaining all that experience. I watched a lot of these executives very, very closely. How they behave, how they conduct, how they actually kind of navigate through some of these challenges, even though in some cases I may not been having direct impact on some of those decisions, but I would observe.

(14:07)
And all those observations now I feel are reaping really, really, really high benefits because I watched a lot of these executives there doing things the right way that worked because the business… The business outcome was amazing. I think the company grew from what, $30 billion to $300 billion during our tenure, the stock 20X10 and all of that, the whole transformation. So that’s what I would advise, I think identify some people that are successful in the role that you aspire to be and closely observe them, even though… I mean, I know these folks are probably very busy and you probably won’t get a lot of time. If you get time and mentorship, that’s amazing. Nothing like that. Always approach. Don’t be shy. I always approached. Sometimes I’ve been rejected. But every time I’ve been accepted, it’s been a tremendous, tremendous exposure for me. So yeah. That’s what I would say. I think that’s the way to do it. Yeah.

And it’s funny because I’ve told people over the years, when you think of your career path, if you see people in the path that you want to be on then I was always like, “Don’t look at the person who’s the next job that you want. Look at the person above that person. If that’s the journey you’re on. You’ve got to realize that you should already be acting and behaving and modeling what that person above you is like. And you should start to look at the one above that and start to model and learn.” And like you say, observe. And yeah. One great thing you mentioned there was if you don’t ask for something, you’re not going to get something. So you got to make your intentions clear. You’ve got to be bold and have those conversations and say, “Hey, what do you want in the future? Well, I want your job.” It’s like [inaudible 00:15:53]. Don’t be scared to say that.

(15:56)
And if you’re looking for mentorship, I think a lot of executives, first of all, they’re very busy, so we’re all busy. But the reality is, if someone reaches out to you and says, “Hey, I’d love some coaching from you.” I’ve very rarely been turned down. Most people, they might not all give me hours and hours, but they might give me five minutes every couple of weeks, every now and again. Grab coffee, grab lunch. So yeah. Now-

As long as you know exactly what you’re looking for, I think that part they appreciate because time is valuable, but as long as exactly what you’re looking for, even those executives appreciate that time because sometimes it just becomes… It’s a two-way thing sometimes. It’s not just a one-way thing. I think it’s a two-way thing. Yeah.

Yeah. Exactly. And the one thing I told people as well, “If you’re ever going to set up a skip level one on one with my boss, make sure you’re going in knowing exactly what you want to discuss. Go and prepare. Don’t go ahead just do a skip level one on one to show your face and ask how they’re doing.” They’re going to be really pissed at you pretty quickly if you’re going in there with no real agenda. So make sure you got that. Yeah. Now, where do you go to keep up with security topics and educate yourself?

So then, fortunately, living here in the Valley, it’s been extremely fortunate to have an amazing community of security leaders here like you and other folks. So once you get to this role, you get invited to a lot of Slack channels where there’s a lot of communication that happens on this. And some of those Slack channels are extremely valuable, where all the key information that you need to know always gets exchanged and shared. So that’s where I feel like I get most of my insights from these days. I don’t go looking for it. It usually pops up in some of these three or four Slack channels that I watch carefully. And then the other one is LinkedIn feeds. I’m pretty active on LinkedIn. I mean, whatever that happens is usually out there on LinkedIn with that is the level. So these are two of my sources. And lastly, the community, the security leadership community in here in the valley is awesome. People organize a lot of get togethers for us to hang out, sometimes events, sometimes talk about problems, talk about solutions, talk about life. So this is how I get my knowledge these days.

I mean, I’m trying to do regurgitate what I used to do in Adobe, which was my monthly happy hours where you’re just try and get random people to come along and hang out and build on… I mean, it’s really all about networking, right?

Yeah.

Because you kind of mentioned that… LinkedIn, I think it’s really important for people aspiring in their career to recognize that if you want to be an executive anywhere, nobody wants an executive that has no reputation, no brand, not validated, especially if it’s a C-level position. They want to grab people that have got some form of reputation and influence, right?

Yeah. A hundred percent.

Now when you’re not working, let’s talk about that. You and I have one thing in common, which is a passion for music and especially the electronic sort. So when you’re not working, what do you to relax and recover and energize yourself?

Yeah. I think that is definitely one avenue, very much into electronic music these days. It’s been techno, but yeah. I mean, all kinds of stuff like house, modern house and electronic that is melodic house, all that kind of stuff. So I listen to a lot of that. My wife gives me a hard time about this sometimes. I’m sometimes eating dinner and just listening to a set rather than watching a movie or something. She’s like, “What’s wrong with you?” But it relaxes me. That’s what I like. But other than that, I also do yoga. I’m into yoga and some mindfulness work, some yoga and meditation. Try and make sure I get a bit of that three or four times a week and do some walking and running whenever I can. So this is what I do. Yeah.

Yeah. No, I mean, it’s funny, right? Because I’ve been a preacher of work-life balance my whole career. And not to say that I’ve always been the best student at it, that term, the pot calling the kettle black. It’s like… I’ve always preached and I’ve always tried within my organization to instill that in the culture, but I’m probably the world’s worst when it comes to… I remember a coach once said to me, I need to meditate. Yeah. Victoria, she was a brilliant coach for me. And she’s like, “Oh, you need to meditate every day, try and find five minutes.” And the life of me, 20 years later, I’m still not bloody doing it, but I know I should do it. I know I should do a bunch of stuff.

So then I think the way I think about it is, you may not agree with this, but there’s no work-life balance in this role. It’s all work, right? There’s not a lot of work… You got to be on, right? You’ve got to be on at any moment you might need to be on. So for me, that 10 minutes of meditation or that 30 minutes of yoga is like a mini vacation. That’s how I treat it, so.

It is, yeah. So I’m blessed, right? Because the roles I’ve done in Adobe, I ran a lot of critical infrastructure over the years. My teams, I mean, at one point I was running all the computer, I was running lab services, I was doing all the directory in DNS and all the critical components. And in those days, man, I couldn’t go a day without being in some incident, not a security incident, but an availability of service incident. And I’d be done a barbecue the weekend with my friends over and I’d still be on a call and try to cook for the barbecue and shit. So yeah. But now I’ve done two huge mega companies and now I work for a small series B startup where there are security and IT organizations internally for a small companies, really, me twiddling thumbs.

(22:28)
I do a lot of evangelism and stuff like this. So my life right now, my work-life balance is as good as it’s ever been and probably going to get. Because as Banyan takes off, then I’m going to be kind of catching back up with you on the whole pill and my hair out and the world’s on fire all the time.

Congratulations. I think that’s a huge achievement, man. Congratulations on that.

Well, it’s quite funny. It’s quite funny because… Well, I was talking with one of my buddies, Richard Bird, who I’ve met through IDSA and other things. And we were just talking about this life as, “Well, do you want to go back to being a pure CISO, CSO, hard role, always dealing with the risk or is this advisory kind of evangelist role a better role?” And I’m like, “I never thought of that. I just thought of this as being a CISO role, but I never really…” I mean, know about 60, 70% of my life is actually more the fun stuff really. But that will change over time, I’m guessing. But anyway, yeah. So for me-

What do you for fun these days? Still into… Yeah.

Music. [inaudible 00:23:41]. I just finished a song last week working on another one this week. I don’t have as much studio. I’ve got an amazing studio behind me, but I don’t have as much studio time as I’d like. I was going to say on the whole music thing, some of my friends got me into a YouTube channel called Cercle, which is C-E-R-C-L-E. And it’s brilliant, on location.

Yeah. I know that. [inaudible 00:24:11] It’s awesome. [inaudible 00:24:13]. Yeah. It’s amazing.

I’d never heard of it before. I’m like, “Oh. Shit.” So I’ve been watching a lot of that stuff now. I still love to cook. I mean, I think, like you say, right, there’s a physical aspect to surviving this career where you need to maybe go for a walk, you need to get some fresh air, do a trail, meditate, yoga, go to the gym. I mean, whatever your jam is, but it can’t be on a device in front of a computer or your phone and stuff. And then social be with friends. And for me, even during the happy hours, there’s a business element to it. But there’s also a friendship and building friends and just being social. Because I’m a sociable guy, right? So I love that shit. Now as we’re kind of getting close on time, I’m mindful of time now. I appreciate you joining when you’re under the weather because for people that don’t know PK, normally he doesn’t sound like he’s swallowing a small sand paper.

No, I’m actually really [inaudible 00:25:16]. And maybe it’s… I’m talking to you, it’s feeling great definitely.

Some happy, fun conversation. Or maybe you’ve just got gin inside that cup of yours. I don’t know. Yeah. So I think when you’re not working and you’re in dinner parties and people ask what you do for a living, how do you explain your job to people who are not technical? They’re not in our world.

Yeah. I think the analogy I give is… I mean, I take it back to physical security. If you look at security guards, their job is to kind of protect a facility. But now people who really want to get into something for whatever reason they want get into, don’t really want to spend the time and effort to getting through the front door, because everything is tech, right? Everything is tech. So from that perspective, I give that analogy on the tech side. I do what these people do on the physical security side of the house for the tech side of the house. I try to protect critical infrastructure, data, privacy, all that stuff. That’s the analogy. Easiest analogy, which can relate to non-tech audience. Yeah. That’s how I [inaudible 00:26:33] it. Yeah.

No, that’s awesome. See, me being in California, I learned years ago in Scotland that many [inaudible 00:26:39] you said you’d done IT or computers. Everybody was like, “Okay, I’ve got a problem. Can you come fix blah, blah, blah?” Back in those days, I’m like, “No, I don’t know how to play doom or do blah.” I can’t get… I’m not the laptop guy. So when I moved here, because San Jose… I don’t know if you know this about San Jose, I think you do, because you live here too, right? There’s not a lot of igloos in San Jose. So I would tell people I’m an igloo repair man.

Oh wow. Okay.

Yeah. Because I’m like, I don’t want anybody to really… And also everybody in the Valley… Most people in the Valley are tech nerds anyway, right? It’s like, “Hey, what do you do? I work at Adobe. What do you do there? I’m an igloo repair man.” And then instantly people will be like, “Oh God, this guy’s full of shit.” So yeah. I used to say that.

[inaudible 00:27:30] back to those hallway conversations then. I know we were office neighbors and I-

I know, right?

[inaudible 00:27:35] I would went and talk shop. I would come and speak these kind of things and I’d be energized back to work to the…

And the funny thing from my Adobe days was I had the beer fridge. So I used to have a beer fridge on wheels and with wheel around with beer and stuff. And I just remember one day, I think it was like the network team had borrowed it. They were doing some event and they were wheeling it back up and they were putting in the elevator and the whole thing fell over and the door fell open, the beer fell out in the elevator and the bottles smashed. And I just remember there was a bit of shit and trouble for that, I guess after that. No more wheeling the beer fridge around. So look, hey, thank you for your time. Really appreciate catching up, having you on the podcast. I know I want to catch up in person and grab drinks and stuff, but great having you on the show. I would love you to give the audience one piece of advice, one take away from our discussion. What do you want them to leave with?

Yeah. I think that’s a good question. In the context of security or general?

Yeah. In security life. I mean, you can talk about unicorns sort of like here.

Yeah. I mean, I think what I would say is not to take yourself too seriously, right? That’s one advice I would give. I think nobody is invincible in this world. I know sometimes we get too passionate about stuff and too into stuff, which is good. That’s why we are in this profession or whatever we are doing. But remember that end of the day, don’t take yourself too seriously. Have a little fun. That’s what I would say. Yeah.

Awesome. Awesome. Appreciate it. Thank you very much for being on the show. Appreciate it. And everyone, hope you enjoyed it and we’ll catch you next time. Thanks.

Yes. Thanks for having me Den. It was a pleasure.

Of course. Pleasure, man.

Thanks for listening. To learn more about Banyan security and find future episodes of the podcast, please visit us @banyansecurity.io. Special thanks to Urban Punks for providing the music for this episode. You can find their track, Summer Silk and all their music @urbanpunks.com.