Gordon Draper (00:02):
On today's episode of the Cyber Consulting Room podcast, we are joined by Akshaye Kalkura, a seasoned cybersecurity leader with a passion for both solving complex client problems and making security concepts accessible to everyone. With extensive experience across large organisations, Akshaye brings a unique blend of real world knowledge and cutting edge industry trends to the table, ensuring the best possible outcomes for clients. Akshaye doesn't just understand the technical side of security, Akshaye gets the business too. This translates into pragmatic solutions and strategic advice that truly benefits organisations. Whether organisations are facing cloud, security challenges, vulnerability management, woes or need a comprehensive security roadmap, Akshaye has the expertise to guide them. Plus Akshaye possesses a deep understanding of frameworks like ISO 27,001 and nist. Ensuring organisations security posture is future-proof. But Akshaye isn't just about technical prowess. Akshaye thrives on sharing knowledge both within the industry and with up and coming professionals. Whether it's developing new consulting solutions or mentoring junior colleagues, Akshaye is passionate about fostering a thriving cybersecurity community. Buckle up and get ready to learn from the best. Let's dive into the world of cybersecurity in the cyber consulting room with Akshaye Kalkura. Welcome. Akshaye, it is great to have you here today.

Akshaye Kalkura (01:24):
Likewise, Gordon. It's such a pleasure to be part of this.

Gordon Draper (01:28):
Awesome. I'm going to start off with the first question. How did you get into cybersecurity slash information security?

Akshaye Kalkura (01:34):
I started my career as a network engineer probably like 20 ish years back. My first job was configuring switches, routers, firewalls, and security was kind of integral part of it. And then my second job was actually with a startup and a bunch of techniques out there, people with expertise on Linux, Solaris, and we played a lot with Linux hardening kernels, lots of security tools, and that's how I started my career in cybersecurity.

Gordon Draper (02:05):
Oh, that's awesome. So started out in networking and then went to startups and I mean, you've been surrounded by people that really know what they're doing. And I worked with Akshaye at Macquarie Bank a couple of years ago. Great to see you out and about and in the consulting space. So did you always want to be in cybersecurity information security? Did you start off as wanting to just be a network engineer or,

Akshaye Kalkura (02:30):
This is an interesting question, Gordon. So while I was at school and uni, et cetera, so I was kind of addicted to anything related to spy espionage, war movies and also books like Frederick Forsythe, Robert Ludlum, Jack Higgins, et cetera. And when I transitioned through my first two jobs, security was already kind of embedded in me by default. I was just enjoying it thoroughly and it became a part of me automatically. So I didn't have any aspirations that I need to get into cybersecurity. It just came through automatically, I would say.

Gordon Draper (03:07):
Did you want to be a spy reading up on these books?

Akshaye Kalkura (03:11):
Oh, I was. Yeah. I was enthralled by on the spy and how people get information and so on. Yeah, I was quite excited about that.

Gordon Draper (03:21):
When I first started getting deeper into cybersecurity or information security at the time, I was fascinated by some of the talks by people that were involved in red teams and red team activities, and it just sounded like the coming out of a spy movie with clandestine cameras taking shots of pieces of paper during Cold War and things like that. So it just sounds like something that'll be straight out of a movie.

Akshaye Kalkura (03:49):
Exactly. Got it.

Gordon Draper (03:50):
What education qualifications and industry certifications do you have?

Akshaye Kalkura (03:55):
I did my graduation in electronics and communication, and then I also have a postgraduate diploma in business administration. And apart from that, I have SSA then AWS, security specialty, et cetera. But all these certifications governance's more from gaining knowledge perspective rather than having it on my CV or showcasing it to people because continuous learning is something which I really embrace and it is something very important while you are in cybersecurity.

Gordon Draper (04:27):
Yeah, it's a never ending journey, the learning curve. It's eventually you get to the point that you can float above it all, but you're still constantly learning. It's expanding at a great rate.

Akshaye Kalkura (04:38):
It is. It is. Exactly. It's like learning, thinking, speaking. Sometimes I think my family kind of like, oh, stop. I mean, you just keep thinking about cyber all the time, but I can't help it. I mean, I think it's just coming naturally.

Gordon Draper (04:53):
Well, that's awesome. What challenges do you come across in the hiring of the right consultant for the right position

Akshaye Kalkura (04:59):
With hiring? I mean, for me, the main thing, getting the person with the right mindset who has that fire in the belly is someone who I keep looking out for Gordon. It doesn't matter how experienced they are or less experienced they are, but if they don't show that passion during the interviews or if they don't show that basic logic of approaching a problem when asked, yeah, I personally find those two things like a must have because the tech part is always secondary. I mean, if you don't have the logic, the tech part kind of becomes a moot point. So for me, a security mindset also is very, very important. And it is a bit challenging. Sometimes you come across good candidates, sometimes you do not.

Gordon Draper (05:48):
Yeah, I find it's the people that really want to be curious about how things work. They really just want to open up. It's not necessarily the, I mean some do put the work in and study and it may not necessarily come as passionate naturally to them, but it's still something of interest and there's certainly a skill shortage around the world in cybersecurity. So I don't see myself as a very large gatekeeper of keeping people out of cybersecurity. So look at what aspects you look for that you really want, encourage and enhance, being able to dive deeper into problems. There's so much work going on that you need to learn how to pull back from that too. You can't spend a lot of time in a rabbit hole.

Akshaye Kalkura (06:29):
Yeah, exactly. Gordon. So having said that, I mean if I see some certifications on a person's cv, I mean I don't automatically say that the person is pretty good, but at the same time, what it allows me to determine is, okay, that person has the learning mindset. So that kind of shows that, okay, this person is interested in learning and is able to do something about it. So that's one of the other quality which I kind of look for in a candidate.

Gordon Draper (06:56):
Did you spend any time as a information security consultant? You are one right now, and which countries have you been in consultant in?

Akshaye Kalkura (07:06):
Yeah, I mean I worked in several companies, Gordon, so while I was back in the big four consulting form, I mean I've travelled to Africa, Dubai, Singapore, Hong Kong, and in my initial years I spent some time in the US as well. So yeah, it's different countries, different culture. Yeah, it's very different and it's quite exciting to work with different people.

Gordon Draper (07:29):
How did you find the comparing Africa to the USA to Hong Kong? I think you mentioned as well consulting in those spaces.

Akshaye Kalkura (07:37):
Yeah, it was very different because I think in Africa, for example, I've been to Uganda, the people were very friendly and nice. You can easily see the cultural difference in that place. I mean, US is of course it is very good, had a good experience there too. Singapore and Hong Kong people are quite busy. It's quite a busy life there, but at the same time, whomever I worked with were quite professional. So yeah, it has been a very exciting, yeah, it it's a bit of an eyeopener more from a cultural perspective garden.

Gordon Draper (08:09):
Wow, that's awesome. You've been to so many places and worked in different countries. Has it all been within the same consulting information security, GRC related consulting or

Akshaye Kalkura (08:21):
It was a bit of a GRC in one case it was more of a network kind of thing, but otherwise it's been audit or consulting or network. And I think what is important, especially when you're consulting, you need to understand the temperament of the people in that particular country and you need to align yourself with them, Gordon. Otherwise you might end up being in a situation where they will not listen to you. So yeah, it is very important that you get that part right.

Gordon Draper (08:51):
Yeah, buy-in is very important. So you've got such a wide experience. What is one of your most memorable experiences with consulting in cybersecurity?

Akshaye Kalkura (09:01):
It has been a very exciting ride, I would say. But there is one situation while I was in KPMG, I mean I did really learn a lot. It was like 10 years of experience being squeezed into five and all that experience. I mean, of course it is working out to be super useful now at Razilio because I'm still able to take what I learned from that time and then apply it now. And currently I'm enjoying consulting for the small medium business space. I need to do more with less and there are lots of problems and challenges, which I just love to solve and gives me a lot of satisfaction, I would say.

Gordon Draper (09:39):
Does anything stick in your mind as to I've got to share this story?

Akshaye Kalkura (09:43):
Yeah, I mean I can give you a recent experience. So in terms, for example, for one of our client where there is a constraint on budget, so had to really work out what are in terms of strategy, what is the most important thing from them based on the threat and risk assessment. And then help them guide to say, Hey, these are the top three things you need to do rather than everything in cybersecurity because it is very, very difficult for them to digest that or even actually implement it. So those are the things which I really enjoyed and I found it very meaningful because the senior stakeholders could see value in it rather than someone coming and telling them that, hey, these are the list of 20 things you need to do right now. So it doesn't work that way in the small medium business space.

Gordon Draper (10:31):
So you are consulting at the moment. Would you consider consulting at a higher level than you are now? So in the future, would you consider being a virtual CO or an advisor to the board or even to run your own consultancy one day?

Akshaye Kalkura (10:46):
Yeah, currently I am actually playing the role of a vciso for a couple of my clients and I'm really enjoying that. But again, when you are in the consulting space, when you're doing the vciso role, there's always this thought of what next, which comes in your mind. So two things. One is I want to be an entrepreneur from a long time, so whether I run my own consulting or something completely different is something I'm yet to decide. But the other thing is being part of a board is something which I'm really keen to do and hopefully soon because cyber market is, cybersecurity is good in that space and the board really needs someone with cyber expertise.

Gordon Draper (11:30):
Are you finding that you are reporting or delivering to the board in some of those engagements?

Akshaye Kalkura (11:36):
Oh yes. So I am responsible for writing the reports for the board and of course giving them a very concise view of what the current status from a cybersecurity perspective and what is the plan for the next quarter end of the day for the board, it's like it needs to be concise and again in a clear manner. So that is what I'm helping my clients with.

Gordon Draper (11:58):
That's important to make sure that it's clear and concise. They don't have a lot of time and cybersecurity is just one of many different aspects to businesses. Have you been to any conferences recently? What have you seen or heard that really stands out?

Akshaye Kalkura (12:12):
Yeah, just last week, Gordon, I went to Hack Sydney and then also part of CSO Connect. Actually one of the things which kind of stands out is AI. I think that's the kind of buzzword which is going out in the industry. Everyone is talking about AI. So business is talking about how to embrace AI within their organisation to help improve their services and products. And cybersecurity is also talking about how to use AI within the security operations, for example. And again, if business is keen on AI, how will cyber enable them to embrace it? That is another topic which is quite hot at the moment for me as I saw, the first thing which comes to my mind from an AI perspective is how do I use it to detect and respond to incidents in a super smart way? I don't want the analyst to be spending minutes or us on analysing an incident. I just want to make it more smarter by the use of ai. So I think AI is quite a hot topic at the moment.

Gordon Draper (13:14):
Have you been discussing how AI LLMs, a lot of them refresh to have a feedback loop back into the base updated knowledge base, and so you'll actually have a situation where you are asking for potentially confidential advice and you're effectively giving this information away?

Akshaye Kalkura (13:36):
Yes, Gordon, that's a problem I think with many organisations which they're grappling with. So it's not a simple problem to solve because one is you need to have a policy in the first place from say, risk and compliance, et cetera, and then once you have the policy, okay, that's fine, but then how do you implement it in a secure manner? So from a security perspective, how do you make sure developers don't upload any source code or people don't upload any sensitive information, et cetera. So that is the second part, and then it's also the cultural buy-in from different teams. The problem is, I mean if you allow it to go in full stream, then people will start using it, sending data out without thinking twice. So that's an issue. So there are, interestingly, I was just having conversation with a Security vendor a couple of weeks back, and interestingly Security vendors are having the ability to prevent, for example, copy and paste from chatGPT for example. So ah I'm seeing technical controls also being implemented, which I mean at least we have the ability to implement that. I think we'll get there. I think it's sooner than later we get there. So that security becomes an enabler rather than preventing people from using ai.

Gordon Draper (14:48):
I've seen chatGPT has come out with smaller GPTs that you can basically just models that you can effectively copy and paste and have it tuned to your own businesses documents, and I think other large model companies as well do it as well. So the future I think is going to be a company will actually have a copy, a model trained on their own data and on their own intranet. It won't be linking back to the generic chat GPT-4, et cetera.

Akshaye Kalkura (15:21):
Yeah, exactly. Gordon, I think most of them might embrace at least the large organisations, but you still have this small medium segment, which will always depend on something external and that is the area where I'm keen to address.

Gordon Draper (15:36):
That's definitely an interesting topic, and I think that definitely covers the question regarding trends or directions at the leading edge of cybersecurity. And it's interesting to see what I'm sure the size of connect. I saw it at Black Hat this year. There was a lot of, pretty much every booth had an AI function.

Akshaye Kalkura (15:56):
So from that perspective, yeah, I am super happy that products are embracing ai, but at the same time I'm a bit hesitant because everyone throws a word AI, but I actually need to see what it does in a smart way. If there is no real value, then yeah, I mean what purpose is going to serve? So

Gordon Draper (16:13):
What's one thing in your consulting history that consultancy did that you didn't expect and what did you learn from it?

Akshaye Kalkura (16:21):
Traditionally, right from my beginning of my career, I've been known as a tech guy until I joined KPMG into consulting, which kind of put a bit of consulting spin to my career where I had to think beyond technology, think beyond network security, et cetera. So I ended up playing a role of a global programme manager for a network transformation programme. It was for a large FMCG client, and I played the role for one and a half years, and I learned a lot from that Gordon. I mean, it was more from stakeholder management, people management, thinking beyond technology and getting that understanding of big picture and why are we running the programme, what problem it's going to solve. I was also reporting to a person who was super solid, so it gave me a completely different view of things. I mean, it took me out of my comfort level essentially. Then yeah, it was a very good experience. So I think some way or the other, even now when I think back, this is one thing which comes to our mind. Gordon,

Gordon Draper (17:25):
When you first joined that company, did you see yourself potentially being leading a global programme?

Akshaye Kalkura (17:32):
No, this was part of my consulting engagement with KPMG, so the client interviewed me, et cetera, and so on. Like I said, it was nothing to do with hardcore networks, so it was more of something beyond and above that.

Gordon Draper (17:47):
So I'm gathering you learned a lot from about how to be in the management positions and express and communicate to facilitate getting the programme underway?

Akshaye Kalkura (17:58):
Exactly, exactly, Gordon. So I had to speak to the programme managers within specific countries, the leaders of the specific countries communicate in a clear manner and to keep it as simple as possible. So we did some interesting stuff there when I look back and think, oh wow, that was pretty awesome. So yeah, that learned quite a lot there.

Gordon Draper (18:22):
What would you say is one common myth about the consulting industry?

Akshaye Kalkura (18:27):
This is not a myth. I mean one is hard work, it is not a myth, but there is quite a bit of hard work in consulting industry in general, but at the same time, some people think it is an easy job because they just consult or do a piece of work for a particular client and then move on. That's not the case. Gordon, especially currently with Razilio, for us, each job is important and it's important for us to do it properly because it'll give us repeatable work. So that myth of people saying it's an easy job, I think that is definitely a myth. It is not an easy or it's not something you can just do once and then forget about it. Clients will remember what you've delivered. If they like your work, they'll come back to you. If they don't like, they'll of course go to someone else. So yeah, it is very important.

Gordon Draper (19:17):
Yeah, you're right, and effectively clients remember you and how you performed, and one aspect is did they have a positive experience? Did you provide a warm feeling for successfully doing things the right way?

Akshaye Kalkura (19:33):
Exactly, Gordon, exactly. It is just not the technical part. Again, it is the technical, definitely very important, and then it's how you communicate to your client, and third, how do you report status? Then how do you manage your time? All this becomes very important because you don't realise end of the day, I mean once the engagement is over, when you go and ask for feedback, et cetera, people do come back with this. They do remember. So it is important that you cover all those aspects and not just the security or technical aspect of it.

Gordon Draper (20:04):
It's fundamentally about building trust and reputation and every little bit counts and it'll grow over time. What is the most important lesson you've learned over your career?

Akshaye Kalkura (20:14):
One of the most important thing is you might have many mentors or you might have many leaders or managers, et cetera, and then potentially you'll see someone else progressing or doing something different. I would say you don't necessarily have to emulate them end of the day, you need to write your own script, Gordon. I mean you are the author of your life, so you need to enjoy a hundred percent what you're doing and sometimes go with your gut feel. There's always people passing comments or kind of pulling you down, but if there is something very strong in your heart, which you need to do, I mean, I think just follow that and keep yourself unique. I mean, you don't have to copy anyone, just be yourself, and I think that is something which I learned over the years.

Gordon Draper (21:01):
I think that's some very good advice. One of the areas that I've been working in emphasises belonging and inclusion, the sense that you're in the right place at the right time for what you need to do. Culture of an organisation is one of the highest things that I consider to be important.

Akshaye Kalkura (21:21):
Yeah, exactly. And sometimes it's all about sometimes being what's unique about you and what you bring to the table. That is also important.

Gordon Draper (21:29):
What is one piece of advice you'd give to someone starting out in cybersecurity?

Akshaye Kalkura (21:33):
One piece of advice. I mean, I think probably I can give a couple or more, but for me the main important thing is in cyber, you need to get your hands dirty. So anyone getting into cyber, I would recommend dabble into always spin up a Linux box or Windows, whatever. Do some networking stuff or application security, application security, user interest. You need to get your hands dirty. I mean, it is possible to get into cyber without doing that, but if someone comes to me talking about cybersecurity and if they don't have that hands-on experience, I wouldn't really have the comfort that that person actually knows cyber. So it is important for someone to get their hands dirty and of course to have that cybersecurity mindset and continues learning, they need to keep reading, learning, do new stuff, think like an attacker all the time, because once you think like an attacker, then you'll know how to solve the problem. If you don't think like an attacker, you'll just be thinking in one particular direction, which will not solve the problem.

Gordon Draper (22:34):
That's some good advice. The constant learning, I'm mentoring someone, I'm going to be helping them through some early stages of penetration testing. They've got a few academic degrees under their belt, but they've been more in GRC than pen testing, and so I'm going to show them a bit about some of the tools so at least they can see what it is and be able to be familiar with it. If a pen test report comes in and they need to communicate that, they can explain it. If they don't understand it, then all they're doing is just spreading words for whatever, a better description. They're just talking around the topic at

Akshaye Kalkura (23:12):
A high level, this is what I did, but when you go to the depth, go into details. If you're not able to respond, you'll never get that confidence from your stakeholder.

Gordon Draper (23:23):
You're doing some virtual CISO jobs and you are communicating with the board and you are helping small to medium businesses with some of the other types of consulting work for cybersecurity. What tools or frameworks are underrated in your opinion, and they're really actually indispensable for your job

Akshaye Kalkura (23:43):
In terms of tools, collaboration tools, and you know what I mean? We talk about so much of technology, et cetera, but end of the day it comes to Microsoft PowerPoint, Excel, it still proves to be quite useful in many ways.

Gordon Draper (23:58):
I framed this, so that could mean standards as well. What framework in GRC would you stand behind and say this is the most important?

Akshaye Kalkura (24:09):
Yeah, so we do a lot of work on based out of NIST CSF, and Gordon, and we also use IO 27001 because some of the customers are, I mean, they're keen to get that certification is the essentially to some extent, but for our small medium business, sometimes in NIST CSF also becomes a bit of a stretch. So we have kind of used that and we have our own assessment framework, which is more suitable for a smaller organisation, but at the same time covering all aspects of the CSF.

Gordon Draper (24:43):
That's interesting. You've done some work in that space to come up with a relatively unique solution.

Akshaye Kalkura (24:50):
Yeah, that's right, Gordon.

Gordon Draper (24:51):
So what's the last hacker or cybersecurity movie that you've seen?

Akshaye Kalkura (24:55):
I think the last one I saw was something called Cyber Hell on, I think it was on Netflix. It was more of a sex crime kind of thing. I mean impacting teenage girls and stuff. So the reason I saw that, I mean I do have a teenage daughter, so I thought it might be useful for her to just have a glimpse of it and see what people out there actually do, because the human element end of the day, if it impacts a human, I think that is very important in my aspect.

Gordon Draper (25:23):
So something like a black mirror of scaring your teenage daughter?

Akshaye Kalkura (25:28):
Yeah, that's right. Sometime back. I also, I think it was long time back actually a series on anonymous. I think that was pretty good. I forgot now from where I saw that, but that was pretty interesting too.

Gordon Draper (25:41):
Do you keep up to date with books? Do you have recommendations for three cybersecurity books that you would recommend to our listeners?

Akshaye Kalkura (25:50):
Yeah, I do Gordon, but nowadays I listen to podcasts and LinkedIn post something, which is shorter because what I realised is earlier you used to read 500 pages of book and stuff easily, but currently with so much information going around, I find it hard to finish a full book actually. So I prefer all shorter ones, short reads, et cetera, which gives me the required info. But having said that, I have some books in my mind. This is a classic one Ghost in the Wires by Kevin Menick. That was pretty awesome. Again, it was the things you can do without being too technical is something which is like, yeah, really good. I mean, especially from the social engineering perspective. So again, that helps in the mindset, I would say. Then the second one was Gideon Spies. It is the Secret of Mosad by Gordon Thomas. That was an awesome read. Again, it's from a mindset perspective. Then the third one, recently what I read was how to hack like a Ghost by Spark Flow. I thought that was pretty cool because he, I mean, kind of touched a lot of the modern issues on Kubernetes and APIs and things like that. I think it was pretty solid, I would say.

Gordon Draper (27:06):
Oh, that's awesome. During one of my studies, there was a story about if you were to do a operation, there's a hypothetical as a bad guy or as a for government agency. If you were a bad guy and you would go and get a laptop from the marketplace and pay cash and then you'd wipe it, you'd have that as a tool and then drive around and you'd find a wifi network from that wifi, you then go and hack a server, which you could then use to launch your attacks on your actual target and you'd choose a server in a country that doesn't have an extradition policy. There's an interesting hypothetical that we were discussing. How would you actually go about it?

Akshaye Kalkura (27:50):
From my view Gordon is have a very minimal version of OS probably running on A USB stick, which you can spin up and then have your tools out there, do your stuff. I mean, I think, yeah, I did try some of them. I've forgotten the name now, but it is interesting.

Gordon Draper (28:08):
There's one called Tails, which runs everything through Tor, and if you unplug the USB, it's all running memory and

Akshaye Kalkura (28:16):
It's all running on memory. Exactly, yeah. It just fails and then you get onto your Tor and VPN and multiple servers and stuff. Yeah, it's interesting to know how it works so that you can determine how to prevent it. You

Gordon Draper (28:29):
Have to think like an attacker. You have to know what different bad guys are up to. That was a few years ago, so it's changed slightly now.

Akshaye Kalkura (28:36):
Yeah, probably there's something more modern. There's something more modern now. I dunno.

Gordon Draper (28:40):
Well, if you could live anywhere in the world, where would it be?

Akshaye Kalkura (28:43):
For some reason, Gordon, so many of the Mediterranean Sea dunno why probably I just had a discussion at someone recently around Egypt and Mediterranean Sea, maybe because of that, but I just find it nice. Yeah,

Gordon Draper (28:56):
It's a very nice area of the world to finish up, thank you very much for your time. We've had a great talk. Where can listeners find you online?

Akshaye Kalkura (29:04):
Pretty much on LinkedIn.

Gordon Draper (29:06):
Awesome, so Akshaye Kalkura on LinkedIn. Thank you very much for your time today. Thank you very much for sharing all those wonderful stories.

Akshaye Kalkura (29:14):
Thank you so much, Gordon. This was pretty amazing and a good experience for me as well. Really enjoyed it. Thank you so much.

Gordon Draper (29:22):
A huge thank you to Akshaye Kalkura for joining us on the Cyber Consulting Room podcast today and sharing their invaluable expertise. Whether you are a seasoned security professional or just starting out there were definitely some key takeaways from this conversation To stay up to date on the latest cybersecurity trends and insights. Be sure to our podcast wherever you listen to your shows and remember, if you have any questions or topics you'd like us to cover in the future, don't hesitate to reach out. Until next time, stay safe and cyber secure.