Profile: Ravi Thatavarthy, CISO, Rite Aid

Ravi was featured in the March 2022 Feats of Strength magazine. 

Ravi Thatavarthy is a seasoned information security professional with over twenty years of experience. He began his career in Senior Architect roles, working in many verticals including healthcare and banking. He took on his first leadership role as Information Security Officer at Kronos, where he was responsible for establishing a security strategy and executing on the security and regulatory compliance programs from the ground-up. He had an opportunity to develop a clear strategic plan that aligned with industry standard frameworks to define the future security-state based on regulatory and environmental security trends. He also built a dedicated team for regulatory compliance.

Ravi then moved on as CISO at Haemonetics, where he was responsible for the successful delivery of enterprise and product security, policy, risk management and compliance programs to 34 countries globally. During his tenure there, he transformed and uplifted the security program to prevent next generation threats while focusing on governance, security architecture and business alignment with multi-year roadmaps.

His next role was the CISO for iRobot, an opportunity that allowed him to establish the vision, strategy and successful delivery of a global information security program. This included a heavy focus on connected products and customer privacy.

After working at iRobot for four years, Ravi began working at BJ’s Wholesale Club as their VP and CISO. While at BJ’s Ravi helped with digital transformation by focusing on business value and customer delight. He held this role for three years before taking on his most recent position.

Currently, Ravi is the VP and CISO at Rite Aid, a role he has had for seven months. Ravi comments, “I went from iRobot, a smaller public company to BJ’s, a public retail organization and now I am working at Rite Aid, an organization that delivers healthcare services and retail products to millions of Americans each day. The mission of Rite Aid was very attractive to me, it is focused on providing trusted and accessible care that helps customer achieve Whole Health. They empower pharmacists to engage with more customers and also are good neighbors in the community which drives commitment and passion. We have more than 2,400 retail pharmacies locations across 17 states.”

Ravi’s responsibilities are those of a typical CISO, with a heavy focus on protecting customer and employee data. He also oversees any compliance-driven security requirements to ensure all controls are in place.

FOCUSING ON COMBATTING THREATS
Ravi says historically security was focused on not getting breached, however it has shifted recently with a predominant focus on preventing ransomware attacks. He explains, “Ransomware is a significant focus not just for me, but for every CISO because of the level of damage it can cause. Five to ten years ago we were very focused on protecting our data and network so we would not get breached. We didn’t want anyone to get inside, steal our data, and take it with them. But in recent years, ransomware has proven to cause significant damage that can cost companies a lot of money because they can take down your entire network in a matter of minutes or even seconds.”

Another area of focus for the security industry is more proactive security monitoring, something Ravi believes has continued to evolve in response to ransomware. Ravi explains, “When focusing on ransomware you wanted to make sure that you stay ahead of the game rather than noticing it after the fact. We are now at a place where we are engaging in blue, red, and purple team exercises to continually test instead of waiting until an annual penetration test to happen. Also, by testing on a regular basis, you can constantly check to see if your defenses are good enough. I believe threat hunting has evolved and will continue to do so.”

ARTICULATING RISK WITH STRONG DATA POINTS
Ravi suggests avoiding scare tactics when discussing budget with both business leaders and the board, something that might demonstrate immaturity and hinder security initiatives. He believes in clearly articulating risk while leveraging data points to back-up any key goals. He explains, “An example would be discussing the value of a multi-factor authentication (MFA) solution with the board. If you have an MFA installed, you should know how many credential stuffing attacks can be reduced. In board meetings, you should bring up those data points when talking and let them know how you were able to stop attacks. Implementation technology doesn’t really mean anything to them, but how many negative things you avoided shows progress and provides measurement.”

For budget discussions related to adding headcount, Ravi suggests looking at any available industry data that provides overviews on how many security employees are required in relation to the size of an organization. He comments, “There are metrics available through multiple research firms. For example it may say that if you are a $100 million company with 10,000 employees, your security team should be 25 people. These types of data metrics are important because you can also see if you need to outsource any responsibilities through contractors or consultants. It’s important to look at your security program mapped to the NIST CSF Framework to see where alignment and gaps exist. You can then see the minimum number of team members needed to ensure you are covering critical functions.”

HIRING PASSIONATE LEADERS
The most important thing Ravi looks for in security team members is passion. He explains, “Someone’s ability to succeed is often based on if they are flexible and if they are a team player. I don’t always look at technical skills, I instead look at their attitude, if they are interested in learning, and if they are passionate about their work. These types of people change the environment for me. Technical skills can be taught, but people skills combined with high energy and high passion are most important.”

Ravi also encourages his team members to attend conferences, whether in-person or virtual, as well as achieve relevant certifications. He believes in matching tools and technology to an individual’s responsibilities to make sure their career goals are aligned to help them advance.

To grow as a leader, Ravi attends conferences and sees a lot of value learning about niche topics. He says, “I like attending conferences focused on specific topics with groups of like-minded CISOs.”

He continues, “Security is getting more and more challenging, and it can be difficult to keep up, but I love the work that I do. It is not for the faint of heart, it is for people who are ready for a challenge. It doesn’t get easier, but the field of security will always be interesting.”