With more than 20 years of IT and security expertise, cybersecurity veteran Kavitha Srinivasulu has seen a lot of change. But one thing that hasn’t changed is her love for learning.
“I really believe the day you stop learning is the day you become outdated or rusted,” she says.
That desire to never stop learning inspired Srinivasulu to take on a variety of demanding assignments for various global employers — including Wipro, Bank of America, Verizon, AstraZeneca, and now Tata Consultancy Services (TCS).
At Mumbai-based TCS, she’s the Global Head of Cyber Risk and Data Privacy for the BFSI Risk and Compliance division where her focus is on making sure that risk and privacy solutions satisfy customers’ business requirements.
Adapting in times of flux
In the last year, Srinivasulu earned accolades for helping TCS establish and evolve its data privacy security posture in the wake of major industry developments from the last few years.
“First, there was GDPR which became effective in May of 2018, and that was a shock to the industry that forced us to rethink how to address privacy challenges. Then there was COVID, which — rest in peace — undid a lot of the work that had been developed to address GDPR as we all suddenly had no choice but to work in an open environment.”
Once a sense of normalcy returned, companies began seeing a significant increase in data breaches and cyber incidents. Where others might have found reason to despair, Srinivasulu saw an opportunity:
“I took this opportunity to build and establish this data privacy security posture in my organization, demonstrating how we can ensure that data is protected and that customers are satisfied with their level of data protection and governance.”
Having learned from GDPR’s impact on the industry, she turned her attention to another policy in the works. DORA, or the Digital Operational Resilience Act, is an up-and-coming EU regulation requiring BFSI organizations to implement new data standards in their systems by 2025.
With the new framework on the horizon, BFSI companies are already scrambling to identify gaps in their existing networks and look for solutions that can help with compliance. Anticipating the need, Srinivasulu went to work.
“To help overcome these challenges, I built an automated tool that will help customers not only identify the current maturity level of the organization, but also provide recommendations to mitigate the issues," she said. "When you’re doing an assessment, it will align with the DORA requirements — the standards and industry best practices — to identify and mitigate those gaps."
In turn, this reduces the human effort required and helps the customer make a better decision, she said. "It doesn’t require any brainstorming to think of the solution for the challenges they face.”
Paying it forward
These projects showcase two qualities that Srinivasulu has become well-known for — sharing what she’s learned to benefit others, and approaching cybersecurity as a shared responsibility:
“My measure for success isn’t KPIs or KRAs, it’s being able to impart my knowledge to others so they can better understand the security culture. Whatever I learn, I share. I never learn something and keep it to myself.”
By the same token, she sees cybersecurity as a joint operation:
“I really believe this isn’t a solo activity. Cybersecurity is an ocean, and there are so many domains and aspects involved. It’s a shared responsibility that needs to be on everyone’s mind, not the victim of a top-down or bottom-up approach,” she said.
While she now has many who support her philosophy, that hasn’t always been the case.
“I know that organizations are trying to improve diversity and have more women represented in the security space, but I’ve definitely faced lots of ups and downs. The assumption I encounter is that women will not be able to handle risk, and that technical aspects are better reserved for men whereas ladies are more fit for compliance or documentation or making presentations. Any initiatives that we take are definitely backlogged.”
She recalls a particular incident that tested her resolve.
“When I took the initiative in my own team, my manager didn’t accept my idea. But I didn’t give up,” she adds. “I went ahead and submitted my proposal to the enterprise level team who oversees initiatives and develops various projects. In an all-hands meeting, I was awarded by the CEO of the company for my initiative, which then led to my internal project team adopting the plan I put forth.”
Changing the mindset for women in IT
Srinivasulu believes there’s a mindset about women in professional industries that needs to change.
For many of us, she says, “our parents brought us up stating that we have to become a doctor or an engineer — or that, after finishing our university studies, we have to marry and settle down and that’s just life. But that mindset must change, because then women will grow up without having career goals or thinking that only men should work.”
Despite the biases they may face in the industry, she says women are a natural fit for her line of work.
“Women make for excellent risk management leaders – not only in the cybersecurity world, but in any aspect or area (including personal life) where women are natural multitaskers. That multitasking translates well into the security space.”
She says there’s no better time than now for other women to get involved.
“I like to tell the women and girls I mentor that if you fail to plan, you’re planning to fail. You have to plan for what you want to achieve. The research tells us that by 2025, there’s going to be a global shortage in cybersecurity resources specifically. So there’s a huge cybersecurity space out there that is just waiting for women like them. I challenge them to change their mindset so we can join hands together in building a security culture that protects ourselves and our environment in a more effective manner.”
