Honest conversations with the engineering leaders, CTOs, founders, and engineers building real software with real teams. No fluff, no hype — just the messy, human side of getting great products out the door.
Zhenya Rozinskiy - Mirigos (00:06)
Hello, welcome to this episode of Build by Humans, where we talk about the human side of things, what it takes to build products, what it takes to deliver those products to customers, not from the tools and technology point of view, but really from people working together, working between oftentimes around the world, talking to each other, getting to know each other, and still moving forward and getting things done.
Today our guest is Yash. I'll turn it over to you. Please introduce yourself and then we'll talk about your experience and we'll talk about things that work and didn't work for you.
Yash (00:39)
Hello, everyone. My name is Yash. I'm the Chief Information Security Officer at Sennbert. I've been doing security for well over a decade now. And just for context, Sennbert is a company that's building AI agents for customer experience.
Zhenya Rozinskiy - Mirigos (00:52)
Cool. So you're a security person and I'm actually going to jump right into that because a lot of people I talk to, they're developer leaders, they're technologists, engineers, et cetera. And one thing that a lot of times we hear from HR, from legal, from executives, we don't want to hire people for... So what our company does, and I should probably mention that, so I run a company called Mirigos. So we are a team augmentation company.
We help our clients hire really good, strong engineering talent from Latin America and Eastern Europe. Not doing outsourcing, we really focus on people, getting the right people, getting the right alignment, what we call the right fit. And then they work as part of the team, part of the core team, just as any employee would. And this is where the security question comes up. Well, we don't want to hire overseas because we don't trust them. How do you run somebody's background check? How do you know they're not going to steal our data?
What's your take on it? And I'll share mine later, but I'm curious. What's your take on it? Because you're there. Like this is what you do.
Yash (01:53)
All right, it's a pretty loaded question if you look into it. It depends on a lot of aspects. One, what's the appetite of the company, right? Like what's the secret sauce? What are you protecting most? Where does it reside? How mature is the company? Do you have enough tooling in place to be able to say, we can go hire anywhere in the world and have enough controls to be comfortable with the data that the staff is working with? Two, do you have enough...
processes and procedures in place to be able to run background checks and do the due diligence before you hire. We do hire in a lot of places. We have contractors, we have full-time employees in multiple countries and we do that. But again, at this point, we have enough security controls in place that we are comfortable doing it. So for a small company, five, 10 people, it'd be really hard to pull that off. But as you grow and mature and have enough
things in place which make you comfortable, branching off into different geographies and being able to hire and get good talent from there, it's doable.
Zhenya Rozinskiy - Mirigos (02:55)
Finally, you say this, if you're a small company, 5, 10 people, you're probably not even thinking about it, right? That's not the companies that bring that up as a concern. It's more 100, 200 people. That's where that gets in. Funny enough, so I've spent 35 years in IT and before running this company, I ran engineering departments for startups and larger companies. And I've worked with teams, people, on literally every continent.
Yash (03:05)
Yeah.
Zhenya Rozinskiy - Mirigos (03:20)
Okay, fair, no Antarctica, but every other one. And the only time that I experienced a serious data breach, and I'm talking about somebody downloading the entire code base before leaving, was in the US from a US citizen, somebody sitting in our local office.
Yash (03:38)
That is, I mean, I'm not surprised. I've rarely heard of a breach that happened because the company hired an employee in a different non-US country and that employee turned out to be malicious. You do have insider threat, but I don't think that's amplified based on the geography you hired from.
Zhenya Rozinskiy - Mirigos (03:56)
Okay. Do you find or would you think again, being an expert and this is your day in day out life, would you, I mean, we hear, this is, I'm basing this on feedback that I get from clients and potential clients. You know, we don't want to hire from this region or from this country because we hear in the news that there's a lot of hackers, hackers in that country, right? All the news we hear, everybody breaks our banking system. They're from country X. I won't name names, but do you see any
like correlation between the two or is it more unrelated?
Yash (04:27)
I mean, I'm a security person. I do hire hackers on my teams. If there's a country that has a lot of hackers and we are legally and from an HR perspective, you have an entity to hire there, I would probably try and hire those expert hackers in the place. But again, to your specific questions, there isn't a correlation. I mean, those hackers can still target anybody, anywhere, anytime. It doesn't really depend on where an individual is located.
Most of the breaches happen through the internet, right? Like there's rarely an instance where you see in the news where a hacker walked up to an employee, their laptop or YubiKey and then proceeded with the hack. Like physical presence correlating to a breach rarely happens.
Zhenya Rozinskiy - Mirigos (05:10)
So I'm gonna move on a bit to my favorite subject, culture, right? And a lot of times I talk about culture between different countries because, let's be honest, not everybody is the same and somebody in Latin America has different approaches to many things than somebody living in the US versus somebody living in Europe, et cetera. But I actually wanna touch on a different culture question. You're in security. Your job is to make things slow,
in a good way slow, right? Not a bad way slow, but a good way slow. Let's not give access to production to everybody in the company. It's probably not a good idea. And then you've got engineering, especially if you're looking at smaller organizations. What do you mean I don't have access? There's a bug. I can just go in and fix it, right? Like you just log into production, I'll fix it. So how do you manage that from a cultural point of view from, you don't want to be hated by everybody, but yet you want to sort of protect that.
Yash (06:01)
You
Zhenya Rozinskiy - Mirigos (06:03)
lion of no, you're not going to do this.
Yash (06:06)
So I'll start off by saying my team isn't hated by the company today. We work very closely with engineering and other departments, and it is a part of the culture where we work fairly closely. And a big part of it is my team doesn't go implement controls and then tell engineering, you cannot do this from today. We go to them saying, hey, what are the problems you're trying to solve? And here's a problem we are trying to solve. How do we make this work for the both of us? How do we keep our data secure?
And how do we enable you to do your job fairly quickly? So, and we try and find a middle ground, right? It's a risk management exercise. We're not going, we're not trying to solve for everything. We're trying to make the risk of the company low enough that it's acceptable for where we are today. And that has worked really well for us.
Zhenya Rozinskiy - Mirigos (06:46)
Mm-hmm.
Do you see the different regions, different countries, different people being receptive to this differently? Because in some cultures, control is more ingrained than in some cultures. The cowboy style is what they're used to. You can feel I have this pain of a relationship with security folks in the past, right?
Yash (07:07)
Yes.
I don't think how they work with this depends. Well, I'll take that back. You're right, there is a cultural aspect to it. But the way I look at it is people say in the US are much more open to giving us the feedback, the good, bad and ugly saying, this isn't really working for us, right? Let's fix this. And that makes our lives easier. In Asia, however, and a big part of our company is Korean and I love South Korea at this point, they...
don't open up as quickly until and unless you build a strong relationship with them. So the first six months of my journey at Sandbird, I wouldn't get a lot of negative feedback. But once I sort of traveled to South Korea, sit with the people, get to know them, they get to know me, that's when they started opening up, saying, by the way, here's something, can you fix this for us? And as that relationship starts growing and maturing over time today, they're
Zhenya Rozinskiy - Mirigos (07:41)
Mm-hmm.
Yash (08:06)
fairly open with us. So you can get there, but different cultures, takes different times to sort of build that relation and sort of get to a place where you could get things done quickly.
Zhenya Rozinskiy - Mirigos (08:17)
Yeah, I find that very true in different cultures. And I've worked with many, worked in the past and work now with many different cultures. The feedback is difficult in some cases, right? One thing that I've learned in American culture, we don't have a problem for the most part arguing with our superior, right? So it's our manager. Like, I can tell my manager, you're wrong. I, in fact, encourage my employees to tell me when I'm wrong, right? Because I don't want to make a mistake.
Yash (08:38)
Yes.
Zhenya Rozinskiy - Mirigos (08:45)
And in some other cultures, you never question your boss, right? You just don't. And so that makes it for an interesting experience.
Yash (08:48)
Yes.
And that's a very Asian thing where you silently just go do what the boss says, right? And don't question his or her authority, just execute. And I think that's something we have worked very hard as a company to build a very different sort of American Korean mixed culture. So it's not like swayed one way or the other, and it's the right balance of feedback going both ways.
Zhenya Rozinskiy - Mirigos (09:07)
Bye.
Yeah, I remember I was a VP of engineering for a very large company and we moved our offshore team from where to in India in China and we moved it to Ukraine. And so as we were hiring, we were just growing this team and I kept going there a lot to make sure we build the culture. Now I speak the language, I understand the culture. I was originally born in Ukraine, so it was a little bit easier for me to do that. And I remember getting through like basic things. I'm not even talking about giving feedback.
Somebody comes over, I'm in the office when I was there, somebody comes over and says, hey, I need to leave 15 minutes early, can I leave 15 minutes early? And I'm looking at them, you assume I know when you leave on any other day? Like, what if you 15 minutes early, I don't know when you leave. I don't know when you get in, I'm not watching. And in their mind, because that's culturally different in their mind, well, if I'm leaving,
15 minutes early, I have to ask my boss. And I kept telling them, the only time you need to tell, not even ask, tell your boss is you think you're not gonna hit the deadline. That's all I care about. I don't care what time you showed up from work or what time you left. It's a deadline that motivates me. The only thing that...
Yash (10:19)
Yeah, it's very different. So when I joined this company, all the team was in South Korea, the team that I manage and run today. And I was the only one in the US in the first team meeting. I still remember it. Nobody except me spoke. They're like, he's the boss. He's the boss from the US. Let's just listen to what he has to say. And I'm so grateful now that it's a much more better.
Zhenya Rozinskiy - Mirigos (10:34)
Yeah.
Yash (10:42)
cohesive team and there's a lot of cross communication that goes, but that first meeting that will stay with me for a long time.
Zhenya Rozinskiy - Mirigos (10:48)
I had a team, and I won't name the country, but you'll probably guess, I had a team that was, that's culturally very hierarchical, right? So there's very much, you know, the, and I kept asking them questions and they would always say yes. And then things wouldn't go the way they are. It was an outsourcing team and I went to the manager. So they had an account manager here in the U.S. and they had a manager over there. And I said, so let me understand this.
They have, so there's an engineer, they have a local team lead. Local team lead has the local manager and the local manager has the local project manager. And then you, they have you as an account manager. And then here I am, who is a senior VP, who is older, age-wise older, and I'm an American. How do I break through that?
And he just started laughing. He was American, he lived here. I mean, culturally, he was from there, but he knew he was American. And he started laughing and he goes, you don't. You just don't. I'm like, yeah, and that's what I figured. That's about it. All right. So, you know, something else I want to ask you. You lived, have very interesting background. You've lived through early stage chaos.
and then you live through very fast-paced growth chaos. What do you like? What worked for you? What didn't? I mean, it's different, but it's different adrenaline, but still, it's there.
Yash (12:13)
It is different. I don't think I'd say one was better than the other. It depends on the impact that you get to have and the size of the impact. And that's what kind of keeps me going. I've seen Twilio grow from, I think, about 1,500 people to about 8,000 in four years that I was there. And at Sandbird, we are a fast-moving startup. So you're right. It's very different scenarios, but the growth is fast, right? So again, hiring is difficult, building a team, building a culture.
Zhenya Rozinskiy - Mirigos (12:33)
Mm-hmm.
Yash (12:40)
with all the different moving pieces. Those are interesting challenges, but again, for me, it always comes back to impact, right? Like what, and it's two different types of impact. Impact on the company as a program that we have, like as a security program, what is the impact on the customer data that you have had for the company? And for me personally, the other big thing is I have a team that I am responsible for. What has been my impact on their career trajectories? I think a combination of both is what I look for.
Zhenya Rozinskiy - Mirigos (13:10)
Cool. I guess I have one more question as a technology leader, as a people leader, as a leader. What do you think the big risks of technology companies down the road, let's say in five years, because they're spending so much time right now on AI and they're dropping the ball on so many other things? What do you think's gonna
Yash (13:33)
So from a security perspective, there's a lot of chatter of AI and security, right? How do we use AI? How does AI affect the different tools we have? But I always keep going back to the basics. Breaches don't happen because AI made some... Well, AI will make things easier, but breaches still happen due to lack of MFA, lack of strong passwords, right? The very basics of authentication and authorization and stuff like that. I guess...
Zhenya Rozinskiy - Mirigos (13:40)
Mm-hmm.
night.
Yash (14:01)
expanding on that to all of technology, I think we would move away from the basics that we still need to get right in order to get somewhere that AI is trying to take us. So that might be a big thing eventually where we would have to remember doing the basics right before moving on.
Zhenya Rozinskiy - Mirigos (14:18)
Yeah, I don't know if it's true or not. You probably know better, but I read that the security system password for Louvre was Louvre.
Yash (14:26)
Yes,
you are.
Zhenya Rozinskiy - Mirigos (14:27)
Yeah, that's don't need AI.
Yash (14:31)
Yeah.
Zhenya Rozinskiy - Mirigos (14:31)
I actually have this very complex password that I use. So two things, right? It's really long. It's, don't know, 20 some characters long and it's never the same. No two sites ever use the same. Yet there is a logic to how my password is set up. So I don't have to remember all the, I just have to remember one, but the rest I know how to get to every single one of them. And people laugh at me. Like.
Yash (14:49)
Right. What?
Zhenya Rozinskiy - Mirigos (14:56)
you when they see me typing that password, like they don't see the password, but they see the number of characters, they laugh. They're like, what are you doing? Like, do you realize, you know, it's my Gmail, my entire life is tied to Gmail, like every 2FA is tied to Gmail. Like, no, I don't want you to break into my Gmail.
Yash (14:58)
Right.
Have you had the instance where one of the older and bigger banks will tell you your password's too long?
Zhenya Rozinskiy - Mirigos (15:18)
Yes, I have one, it's a bank and it's no more than seven characters. No more than seven characters. Seven characters. And I'm like, okay, one, two, three, four, five, six. Like, is that good enough for you? Yeah, no.
Yash (15:20)
Yes.
No more than 7.
I've had banks
that say your password needs to be between 8 and 16 characters or something similar.
Zhenya Rozinskiy - Mirigos (15:37)
Right. Now I actually like the ones that say it has to be minimum of this, but then it can be long because you don't want it. You don't want anybody to know how long it is. Not only what it is like, okay, eight to 16. I only have to guess between eight to 16. I don't have to do anything else. Like it's the, no. My, my favorite one is Wells Fargo. I have an account at Wells Fargo. Thankfully, I don't use it much. They still use the old RSA token. I'm like, ah, seriously, do you think I'm going to carry it with me? Like,
Yash (16:00)
token. Nice.
Zhenya Rozinskiy - Mirigos (16:05)
How about 2FA? Can we just use the 2FA? Nope, it's sitting on my drawer somewhere. Sometimes if I'm traveling, I call my wife and go to my office, open the drawer, take this thing, get ready, wait for it to change the number. I change it because you only have 30 seconds. So don't read it to me now. Wait, wait, wait, wait, go.
Yash (16:10)
Yep, physical too, yeah.
No.
So
that's three factor authentication for you. Password, the token and the location of the token in itself.
Zhenya Rozinskiy - Mirigos (16:32)
Exactly. That's pretty much it. Yeah, no, it's crazy. All right. Well, Yash, thank you so much. It's fun. I loved it. I knew we were going to have a good conversation because to me, security is the number one concern right now, and it should be number one concern for every company and every human being, even individuals. But
I don't believe dealing with security by virtue of let's unplug from the internet and pray that that's probably not the best way to do it. And some people try to do that, right? That's exactly what they try to do. We're not going to do that.
Yash (16:56)
Yeah.
Yes,
there's a balance. There's always a balance, but finding the balance gets tricky.
Zhenya Rozinskiy - Mirigos (17:06)
Yeah.
Absolutely. All right. Thank you so much.
Yash (17:11)
Thanks for having me. Cheers.