ProdSec Decoded

Candid conversations with the brightest minds in product security and AI.

7: Product Security at Scale: From DevSec Collaboration to AI Risk - Discussion with Aftab Banth

Creators and Guests

Chiradeep Vittal - Host
Pratik Roychowdhury - Host
Aftab Banth - Guest, Global Head of Enterprise Security, TikTok

Aftab Banth is Global Head of Enterprise Security at TikTok and host of The CISO Circle Podcast. With nearly two decades of cybersecurity leadership experience, he has built and scaled security programs across diverse industries including retail, SaaS, legal tech, and high-tech. Previously, Aftab held senior security positions at Medallia, Sephora, Fortinet, and other Fortune 500 companies, where he specialized in building collaborative DevSec programs, implementing threat modeling at scale, and driving security transformation initiatives. Known for his pragmatic approach to security, Aftab champions empathetic shift-left security practices and has deep expertise in managing security risks in AI-powered products. He is a frequent speaker at security conferences and actively mentors the next generation of security leaders.

Show Notes

In this episode of ProdSec Decoded, we sit down with Aftab Banth, Global Head of Enterprise Security and host of The CISO Circle Podcast. With nearly two decades of experience across Medallia, Sephora, Fortinet, and others, Aftab brings rich, real-world insights on building security programs that work at scale across industries.

In this conversation, we cover:
- The evolution of security across retail, SaaS, legal, and high-tech
- What good dev-sec collaboration actually looks like
- Practical approaches to threat modeling, red teaming, and "empathetic" shift-left security
- The real challenge of AI-generated code and why guardrails matter
- Why remediation—not just detection—is key to scalable product security
- How to build trust and influence when launching or growing a product security program
- The value of admitting failure, especially in leadership

Whether you're starting your ProdSec journey or scaling a mature program, this conversation is full of actionable advice and honest reflection from someone who's been in the trenches.

🔗 Learn more at https://prodsec.tv

Contacts:
Pratik Roychowdhury: https://www.linkedin.com/in/proychowdhury/
Chiradeep Vittal: https://www.linkedin.com/in/chiradeepvittal/

Introduction to ProdSec Decoded
Meet Aftab Banth: Cybersecurity Executive
Aftab's Podcasting Journey
Aftab's Career in Cybersecurity
Defining Product Security
Proactive vs Reactive Security
AI and Security Risks
The Importance of Remediation
Building a Product Security Program
The Value of Discussing Failures
Conclusion and Final Thoughts

Episode Transcript

Podcast Interview with Aftab Banth

Pratik Roychowdhury: Hello, and welcome back to another episode of ProdSec Decoded, the podcast where we explore how product security and AI are reshaping fast moving enterprises. I’m Pratik Roychowdhury.

Chiradeep Vittal: And I’m Chiradeep Vittal. Today, we’re excited to talk with Aftab Banth, a cybersecurity executive with almost two decades of experience leading security initiatives across a wide range of industries. Aftab currently serves as global head of enterprise security and also hosts his own podcast, the CISO Circle Podcast.

He’s built security programs at scale across companies like Medallia, Sephora, and Fortinet, and serves as an advisor to multiple security startups.

Pratik Roychowdhury: In today’s conversation, we dive into how security has evolved across different industries, the art of balancing security with fast-moving development teams, and what effective dev-sec collaboration actually looks like when it’s working well. We also explore the emerging security landscape around AI and agentic systems, discuss why remediation flows often make or break product security programs, and talk about proactive approaches like threat modeling that can shift teams from reactive to strategic thinking. Let’s jump in.

Chiradeep Vittal: Aftab, welcome to ProdSec Decoded. Great to have you on the show.

Aftab Banth: Great to be here. Thanks for having me.

Chiradeep Vittal: Before we dive into the technical deep side, let’s talk about your podcasting experience. You have your own podcast, The CISO Circle, and, well, we are relatively new at it, but how did you get into it, and what kind of conversations are you trying to surface that maybe aren’t happening elsewhere in the security community?

Aftab Banth: Yeah. Great. Great question. It’s interesting.

I actually was asked to do it a while ago, and initially I was very hesitant. Not hesitant in a sense to, I didn’t wanna draw the attention to myself.

I was super, very conscious of that. Probably a little more nervous than anything, but so I wasn’t initially up to do it. And so I had shared the story with my wife and I told her that, “Hey, I have an opportunity to do this, but I passed on it”. And she gave me a very weird face. And anyone who’s married would kind of know, like she probably wants to say something, but didn’t. So fast forward, I don’t know, maybe a week or two later, I’m actually washing the dishes and I’m, ironically enough, listening to a security podcast, and she walks over to me.

She says, “You know, for someone who prides himself on being logical, and someone who prides himself on being someone who helps people, you’re kind of a hypocrite right now”. And I leaned over to her and I said, “Well, what do you mean?” She goes, “You know, for your own insecurities, you feel not to do the podcast, but yet you’re here consuming them. So I think that’s a little bit hypocritical. And, you know, for whatever it’s worth, I think you should reconsider”.

I literally stopped what I was doing. I texted the gentleman who asked me to be a host, and I said, let’s do it. So that’s how it all came to fruition.

In terms of the podcast, I think, you know, the hope is that it can be something fun. You know, I’m very much a person who believes in just laughter and just enjoying life and all the beauties that it brings upon us. And so you can bring some joy and teach people about experiences that we’ve gone through, be raw about them.

And I think that that was the goal. Now, whether we will achieve that or not, it’s a different story, but the hope is that that’s what the podcast would be. And, you know, it’s still evolving. I think we’ve done a few seasons and hopefully we’ve learned a lot and we’ll continue to just iterate on it.

Pratik Roychowdhury: Yeah, I listened to your podcast. It’s quite informative, so I will encourage our listeners to go to ‘The CISO Circle’ - we’ll provide a link in the show notes. But talking about podcasts, Chiradeep and I, we started this podcast, as he said, quite recently, and I think the main thought behind it was that, hey, we looked up some product security related podcasts - we could not find anything which talks to experts such as yourself and security leaders such as yourself. So we thought, why not start something? So that’s our backstory.

Aftab Banth: It’s a lot harder than you think, as much as you think it’s easy. Yeah. It’s a lot of preparation.

Pratik Roychowdhury: It is. That’s right. There’s a lot of post-processing, pre-processing, but yeah, it’s fun.

Aftab Banth: So long as you’re enjoying it.

Pratik Roychowdhury: Yeah. Absolutely. So, maybe what we’ll do is we’ll just get started with your career journey. And looking at your background, you have led security at various companies which are remarkably different from each other: retail, legal, high tech, SaaS, and so on. So walk us through your journey. What pulled you into cybersecurity? What’s kept you here? And as you went from one industry to another, how did you see security evolving as you navigated through these worlds?

Would be great to hear that.

Aftab Banth: That’s a great question. And you know, sometimes you look back, you find yourself where you are, you’re like, well, how did I get here? And even I’m puzzled at times, but I think the two guiding principles that I’ve always had is: follow the problems.

I fall in love with challenging problems. And not to say that you can solve ‘em, but just be mentally challenged and be uncomfortable is a place that I enjoy. So that was number one. And not necessarily like live in your box. So it’s very easy to join an organization and say that, “Hey, your role is X”, which is great. We all have to service the business and do what’s needed. But, don’t limit yourself to that. There are problems that fall outside the scope of what you’re quote, unquote supposed to do. There’s no reason why you can’t provide a helping hand.

And I think that’s ultimately what led me to security. I was kind of hired to do security at one of the roles that I was first brought into, but it wasn’t the main focus, because we saw a need, we saw that we had telemetry that can support our business.

And it just happened to be security telemetry, and that ultimately ended up being how I got probably my first opportunity to lead a formal security function. And then in terms of just what I’ve learned across the different industries, I think you have to understand the business, which is an easy statement to make.

But as you said, what’s important in retail is vastly different to what’s important to SaaS or even legal. And it’s not to say that any one of them has it correct or incorrect. It’s just having an intimate understanding of what the business values and really thinking about how your function could accentuate that - how your function could support that. And when you talk about security specifically, I think the biggest takeaway that I’ve gotten is to align whatever we’re doing as close to what the business needs as possible, and support it, not necessarily hinder it. But that’s the big takeaway that I’ve had in terms of my career.

And not sure if it’s the right takeaways, but it’s helped me rev.

Pratik Roychowdhury: I think that makes. And talking about following the problems. One of the things that obviously we are kind of focused on in this podcast is about product security. So

Aftab Banth: right.

Pratik Roychowdhury: that perspective how do you view product security? How do you define it? Because there are obviously different definitions and it would vary also with the different industries.

So keeping that in mind, how do you look at product security?

Aftab Banth: Yeah. And that’s a great question, and I think it goes back to my first premise, that is, understanding what the business values. I had a mentor in my early twenties who said, when you choose what roles to take on, if you find what the company does to make revenue, and you pick a role that is as close to that as possible, typically you’ll get treated well. And I look at product security very similarly. Like the product isn’t necessarily like, Hey, this is the SaaS application that we’re supporting, or if you’re in insurance. It’s really look at how the business generates revenue, and then specifically work backwards from that.

So that’s the way I’d quote-unquote coin product security. Now, in the tech centric world that we all live in, product security has a very specific viewpoint and it’s an application or service that’s being offered that’s technical in nature. So how do you enhance that?

How do you support that? How do you ensure that it’s done in a very trustworthy manner? How do you build trust across, not just your partners internally, but more importantly your customers and your external partners. So that’s the way I would coin it. In the different industries that I’ve been in, it may look somewhat different, but in general, the overarching theme would be that.

Pratik Roychowdhury: Got it. And in the context of product security, again, there is a lot of talk about proactive versus reactive. Obviously you need all the reactive, you know, monitoring and all of that, but what’s your take on proactive product security versus reactive, like things like, you know, threat modeling, red teaming, and more offensive kind of things?

Aftab Banth: Yeah. No. Well, I learned this early in my career: proactive security is very expensive. And as much as we’d like to be as proactive as you are, there’s a reality of it. So if you can, so to speak, shift the problem on its head, it’s important. But you hit the nail right on the head. When you talk about securing a SaaS app, say for example, the proactive nature of it, we use this term shift left, and I’ve always found that term to be interesting because I never really know what that means.

We all have a general idea that it means that you take the work that’s supposed to be here and move it this way, but how do you do that? What’s the reality of that? And more importantly, what’s the implications of it? And that’s what I find most fascinating because when you talk about proactive, the shift left ideology’s heart is in the right place. You want to make it to where security is done as close to the development of the product as possible. But if not done correctly, then you’re just essentially shifting work from one place to the other. And I’m a big proponent of empathetic security where you’re very empathetic of the teams that you work with, very empathetic of what you’re asking of them. And I guide my teams to be as supportive as possible.

So proactive security is just that. When you talk about threat modeling, when you talk about any of these proactive things in nature, it’s not only about providing them with the tooling, providing them with the visibility, providing them with the knowledge to execute on something, but it’s the support that you provide - proactively supporting them. So for example, not showing up when the product’s ready to be delivered, but are you in the architectural conversations? Are you in line with product? If you are doing red teaming, with the artifacts that come out of those exercises, what exactly do you do with them?

Do you use ‘em as, ‘Hey, this is a ticket you need to fix’? Or are you looking at broader themes around the red teaming exercises to say, ‘Hey, our team is deficient in application logic. There’s a lot of deficiency that we see here’, or our SCA or third party program around what open source packages we’re doing.

There’s a theme that resonates from all of it. That, I think, helps you a lot more than just, ‘Hey, we see something, go fix it’, ‘cause you can do that forever and not really make any progress.

Chiradeep Vittal: Yeah, the shift left strikes a note here because I’ve been at the receiving end of that. It’s just adding more work on the developer side without much context, is what my experience has been.

Aftab Banth: right.

Chiradeep Vittal: And so that’s always a loaded question, because the developers being at the center of the whole product lifecycle, how do you actually balance getting the security right while keeping those fast-moving software teams productive and happy? What does that look like in practice?

Aftab Banth: Yeah, this is easier said than done, but I think the number one thing that I’ve learned is listening. And it sounds odd, but the first meeting that I’ve ever had, or try to have, whenever I join an organization is to walk to every leader that will take a meeting with me and ask, How is the security? And not what we’re doing well, but what are your intimate pain points? And you find that you’ll start seeing a very unique theme to it. And I think, Chiradeep, what you highlighted is exactly that. My experience has been that, where, Hey, the teams just show up, tell us to do some stuff, and they come back when there’s an audit happening. There’s not really a partnership there. And I hear, let’s not have a versus mindset. So it’s not security versus you. That doesn’t lead you anywhere. And it sounds odd, because security people want to think of security as controls and technical. Security is a people’s problem. And when you start thinking about it from that lens, then getting things right ends up being easy. Because now we think of it like a partnership, or we think of it as like, how do we change behavior? What are the things that we can do to do that? And so you partner with the different organizations.

It could be something as simple as, I don’t know, there are metrics, right? Metrics that you and I both agree are important to us. They may have some operational bent to them and they may have some security bent to ‘em, but collectively, if we believe we’re doing the right things, these metrics should move in the direction that we both agree upon. I think that’s important and I think that’s the only way that it works, because you can have short term wins outside of that. But if you want to build a long lasting program that will do the right security things over time, that’s the only way it works.

Chiradeep Vittal: Yeah, certainly. The other reputation security has is for saying ‘no’.

Aftab Banth: Yeah, yeah, yeah, yeah. 100 percent.

Chiradeep Vittal: yeah.

Aftab Banth: Yeah. It’s easy to say no. Right? And look, we’re living in that now. I can’t tell you how many CISOs I’ve spoken to who talk about AI and AI enablement, and, well, it’s easier for us to just say ‘no’, because the risk is too high. That’s definitely an answer and I don’t necessarily think it’s the wrong answer. I would do it differently, but it’s a reasonable place to be, but it’s easier to just say ‘no’. That’s why I think that we need to challenge, at least security teams, myself included, need to challenge ourselves.

How do we uplevel this? Alright, that’s, it’s not easy.

Chiradeep Vittal: It’s not easy. Yeah, definitely.

So, you’ve mentioned AI. So that’s another topic dear to this podcast’s heart. And that’s clearly on everybody’s radar. AI agents - AI agents this, AI agents that, vibe coding this, vibe coding that, and everybody’s declaring that, you know, this age of the software engineer’s dead and everybody’s gonna be vibe coding. It’s obviously over-hyped, but there’s some truth to it. I certainly use AI assistants in my day-to-day coding. What about you? What security risks do you see that emerge from this kind of phenomenon?

Aftab Banth: On the coding portion of it, or just AI in general?

Chiradeep Vittal: yeah. Coding portion? Yeah.

Aftab Banth: I think it’s a force multiplier, so I think that’s a good thing, and I look at AI as just that. Yeah, there are going to be some casualties along the way. And I think that anytime there’s a disruption in any area, that there’s an opportunity to generate value, it’s hard to say no to that.

And done responsibly, I think it’s a net positive. But the vibe coding specifically, I think it’s a force multiplier. I think I heard this on an Andreessen podcast that I was listening to some months ago, and he said that code or software is the one thing that we can’t get enough of. So there’s a lot of things that we create as humans; software is something that we can always do more of. So the ability for us to now have a technology that provides us more of that, it’s a good thing. Now from a security standpoint, it does create tons of challenges.

And I think the first one is that most of the models that people are using are generated via open source code. So what does that mean? Well, if we know statistically that a certain percentage of open source code is vulnerable, right, then the problem that may have been small becomes exponentially larger. So if an average, a mid-tier software developer generates a hundred lines of code per eight hours, and with vibe code he or she is now some multiplier of that, then the percentage of vulnerable code increases exponentially as well. So what does that mean? Or like, how do we put some support around that, or guardrails, to help there?

I don’t think we should limit it, yet we should acknowledge the problem and then say, well okay, what are some things that we can do to help, right? Does that mean working closely with the LLM providers to provide ‘em better or more secure code? Or does it mean to leverage AI to support this portion of the business?

Do we then do red teaming more frequently? There’s a whole host of ways that you can solve this, but putting your head in the sand and saying, this is not a good thing, I don’t think is the right approach at all. So I think the AI is going to provide a tremendous amount of opportunity, a tremendous amount of growth. Innovation is a good thing, but I think the biggest thing we need to think about is, let’s support the innovation with the proper guardrails. Now, what those guardrails are, and what technology is needed for that, I think we’ll see that more and more in the coming quarters. This space is moving so fast, but there is a tremendous amount of challenges here, but I’m excited about it. I think that the more and more we can get these things to a place where the productionizing folks are using it, the better.

Chiradeep Vittal: Yeah, that brings an interesting point because you know there’s more code that means there’s more securing to be done.

Aftab Banth: Yes.

Chiradeep Vittal: And I’m pretty sure nobody’s approving more budget to you to hire more people.

Aftab Banth: Yeah, yeah, yeah. No, you’re right. You’re right. And nor should you.

I’ve never been a part of a team where I haven’t been asked for more head count. And I always joke with my wife, I said, you know, I can guarantee you two problems anywhere I go. Everyone wants to get paid more. And every leader who reports into me wants more head count. But that problem never gets solved. So the question always is, what exactly do we need it for? And when we question ourselves that way, and I’ve posed it to everyone who comes to me with that question: if I give you 10 people tomorrow, what are they gonna do for the next 12 to 16 months or 18 months? No one’s ever had a really clear month by month systematic approach to it. And to your point, Chiradeep, just because we have more and more of these security challenges because there’s more code written, you can hire tons and tons of security researchers. I don’t think that’ll help. I think there’s technology that can help, and I think that’s where working with the right security partners, finding startups that you think have a chance to really help build your program, right, taking a risk on some of ‘em, not all of ‘em work, is a viable path forward. Maybe it works, maybe it doesn’t, but I think that that’s the way you solve this problem, and there’ll be new types of roles that come up. But I think that’s the way to look at it, if you were to ask me.

Chiradeep Vittal: And some of that tooling from the vendors is no doubt AI itself. AI agents that help you not only put in those guardrails that you’re talking about, but also do the increased security work that comes with more code.

Aftab Banth: Absolutely. I mean, and that’s the only way you solve it, more technology. The solution to it from a security standpoint is, you know, leverage technology for it. I mean, that’s kinda the way it works. And so just because AI is being used on the development side of the house, like it just naturally makes sense that the security team should double down on it.

Now, what that solution is or what those solutions are, I don’t know, that’s a great opportunity for a lot of builders, but I think there’s a tremendous amount of problems that are gonna come from this. Some that we know of now, and a lot of ‘em we don’t. It’s exciting times, at least.

Pratik Roychowdhury: Yeah. So switching gears a little bit into a topic that, Aftab, we have spoken about quite a bit, and you have, I would say, passionately said that this is something that is absolutely required: remediation. I remember our first conversation where, hey, remediation has to be a key pillar of any product security.

So do you want to expand on that a little bit more?

Aftab Banth: Absolutely.

And I believe this strongly, and I’m glad you remember, because I’ve met with a lot of amazing teams and have seen a lot of vendors, products, and not to say that any of ‘em are bad. Everyone has their area that they excel in. And I tip my hat to any company that builds a meaningful, value-driven product. The problem I’ve always had is I don’t necessarily need to know what’s wrong. I need your help to fix it. And I think that 18 months ago, that was a bigger challenge. But I think with the technology, and as fast as AI has now matured, I think it’s a very reasonable expectation to have for anyone to say, Hey, if you wanna partner with us, like remediation is key.

Don’t tell me what’s wrong, fix it. I don’t need you to go out and actually do the work, but get me 80, 90% there. And I believe that to my core, because as you highlighted earlier, if you gimme more visibility and my head count doesn’t increase, like, what does that do? From a compliance standpoint, in some cases, it could be really bad.

We can be very much in a very bad place with that. So that’s why I believe it’s important. Like I have enough tools, I have enough dashboards, I have a tremendous amount of telemetry, a lot I can’t even look at. So that doesn’t really help me. But if you are gonna highlight or bubble up a concern, you’re gonna share with me a risk, at minimum, the expectation from my perspective would be: not only do you identify it, you need to help me remediate it. So that can mean a lot of different things. You can remediate it by blocking it, you can remediate it by giving me a fix to it. And there’s a lot of tools that I’m seeing now that are doing just that, and I think if we elevate the conversation to be that, I think we can get the best out of both sides. Our expectations could be, we can now, as security teams, move at the speed of business, not say no. And then as vendors we can challenge ourselves to say, Hey, can we do better? And so that’s why I strongly believe in it.

And I’m pretty strong about this. It’d be difficult for me to work with a vendor that doesn’t have some capability to remediate.

Pratik Roychowdhury: Yeah, that makes complete sense, but one of the things about remediation is where you could potentially provide remediation recommendations, or you could use AI or automation to actually remediate, like you said, 80 to 90%. And there are different organizations that are on different sides of the spectrum.

What is your general take on that? Use AI to remediate, or just provide recommendations and leave it to the operators to actually do the remediation?

Aftab Banth: I know. Yeah. Until I see accuracy rates go higher, I think that’s the biggest challenge that I’ve seen. Like I’ve met a lot of companies who can do a lot of things, but when you get down to the brass tacks of it, the accuracy is very low. So until I see that inch up closer, I’m fine with the remediation and then the human in the loop. I think that’s fine. And I think that that’s what I guide towards, but that’s the minimum bar. And I wouldn’t necessarily allow, you know, a product to then go out and make like, you know, structural changes or config changes just yet, unless we get an accuracy level of like 95, 99% or higher. So, I’m fine with that, but at least that’s part of the conversation. And whether that’s the roadmap item today or tomorrow, that’s what we want to go to, because otherwise, as the security challenges increase, there’s no way the security teams could keep up.

I mean, they’re not keeping up now when the velocity is fast. Imagine with the use of AI what it would be.

Chiradeep Vittal: Yeah, absolutely. Somebody who has seen Claude Code fix a test so that it would pass, rather than fix the code to make it pass.

Aftab Banth: Yeah, yeah, yeah, yeah. Absolutely.

Chiradeep Vittal: So, yeah. And it’s still not so trustworthy. It still needs that human hand guiding it.

Aftab Banth: Correct. That’s what you were just saying: just saying “this is wrong”, versus “this is wrong, this is our opinion of the fix”. We may disagree with the fix, but at least you give us a starting point.

Chiradeep Vittal: Yeah.

Chiradeep Vittal: Yeah. As we start wrapping up, what advice would you give organizations that are just trying to figure out their product security journey? I know a lot of them focus on just AppSec, but maybe they’re early stage, or they’re just really realizing that they need to get more expansive or more serious about it.

What would be your top guidance?

Aftab Banth: So if you’re starting to build a program from zero to one, or even getting it to a place where I think it can have meaningful impact, the first thing to do is build trust, or excuse me, influence and trust. That’s number one. And I think that if you don’t have influence and trust, then your ability to partner with the engineering organization is severely limited. I can go scan your code, I can show up to you and say, Hey, these are the things that we found. And the reality of it is I say, okay, well thank you, but you know, we’re gonna keep building features and helping generate revenue. So the influence and trust has to start first. And I tell folks, don’t go on and buy anything, but make sure you have that established. And so start there. Then as you start thinking about what are the areas that the business needs, pick a handful of ‘em and do that very well. Okay. Don’t boil the ocean. Build the trust, build that cadence with the organization, the engineering teams, and then pick a few things that you believe that you can partner really strongly with.

So, you know, maybe it’s threat modeling. Okay. That’s the first area we’re gonna focus on. So let’s just focus in on that and make that an OKR for a couple of quarters, or maybe even a year, depending on the size of the organization. Move to, okay, let’s secure the SDLC in general. And then let’s get SAST right. So whatever that may be, but build the trust, build the influence first, and that’s at the right leadership level. And then pick and choose specific areas to go deep in and really partner. And when you talk about partner, I equate it to teaching. Folks always look at me very odd when I share that word, but a lot of times security is being a good teacher. And so when you’re starting to pick these areas of like, Hey, why threat modeling is important, when you do an exercise and the artifacts that come out of it, teaching these teams like, this is why maybe your business logic was flawed, this is why when you didn’t sanitize this input, what the downstream effect of that is, or this is why this specific vulnerability in this open source package is in fact something that we should be mindful of. Another one that has come up a lot where education is important is, and I’m just shocked, but licensing, like open source, what licensing they have, and a lot of developers are like, oh, I never thought about that.

Yeah. ‘Cause certain licenses have certain limitations, so if you do pull ‘em into your code and you’re selling a product in maybe a certain geography or a certain area, or you’re doing something with that code and you don’t properly identify it or what, that can have a business impact. So: influence, trust, pick specific areas to partner with. You know, don’t boil the ocean, and then think of yourself as a teacher. I think that formula, that recipe, over time will lead you to a very harmonious program. And I think both sides would appreciate it, because you can make marginal, you know, step-by-step improvements instead of this friction that I’ve always seemed to come across and find it just odd.

Chiradeep Vittal: Yeah. Yeah. Compliance is another area where I find developers are like, huh, really?

Aftab Banth: Yeah, yeah.

Chiradeep Vittal: I never thought of that.

Aftab Banth: That’s a great point. Yeah. And compliance. Yeah.

Chiradeep Vittal: Yeah.

Aftab Banth: And, you know, another thing is compliance. Like, different areas, different regions of the world have different requirements.

Chiradeep Vittal: Yeah,

Aftab Banth: Right? And so think about how to think about that. And most people that I’ve come across, if you’re teaching them something, if you’re helping ‘em grow, they’ll lend you their ear any time of the day. Right. And they’re

Chiradeep Vittal: that’s right. Yeah.

Aftab Banth: But I think it takes a philosophical approach to that as a leader to share, like, hey guys, this is how I’m going to view you. This is how I’m going to, from a security leadership perspective, judge you, grade you. And I think that if you can start building that type of culture, it does resonate.

It does filter down. And I’ve seen it have, you know, a 180 effect.

Chiradeep Vittal: Maybe one final question more from your podcasting experience. What do you think security leaders should be talking about more publicly, but just aren’t? What conversations are we missing that we should really be having?

Aftab Banth: That’s a great question. Yeah. So I grew up in a very can’t-show-your-emotions background. And I always found it odd. You couldn’t cry and that stuff, like my dad would be really disappointed if he saw me. But then as I get older, I always think about where were my moments that I grew the most? And it was my failures. It was those moments where, I have countless examples where my team, myself, worked our tails off and we still failed. And I think that far too often we don’t talk about our failures enough. And not that it’s an indictment on our work, or us being professionals.

I know in security if you fail, it’s looked upon as, well, you didn’t do your job. But I reject that premise. I think that we should talk more about our failures, right? How do we learn from it? It helps when I’ve heard someone with me say, hey, you know what? We did this in our program and we still got breached. Okay, cool. Then that makes me feel better about myself. So I think that’s an area that I think collectively as an industry we can do more of, because it’s easy to say it, you know, people say, like, you learn from your failures, but I don’t think we admit ours enough now in security.

It’s a little bit nuanced. There are some compliance things, or, like, you know, I can’t talk. There are some confidentiality things that you have to be mindful of. But I think where it’s applicable and where it’s reasonable, I think it’s okay. And we should double down on our failures.

‘Cause at the end of the day, that’s how we grow. And I find that, at least for me as a leader, it has brought me closer to my teams. When they see myself, in an all-hands meeting, share, like, hey, my strategy for last quarter, or last year, was bad.

And we failed because I had the wrong strategy. They appreciate that. And I find that they’ll go to bat even more for you. So that would be the one that I would highlight. It’s easier to go through some technical stuff, but I think that just the confidence to admit when you fail is something we should talk more about.

And in our podcast we will, just obviously within reason, can’t really share everything, but that would be an area that I think would help a lot.

Pratik Roychowdhury: Well, Aftab, that was a great piece of advice. I think people talk about failure also in the entrepreneurship world, because a lot of times when you go talk to investors, they want to know which areas you have failed in and what you have learned from them. So I think that’s a great piece of advice.

Aftab Banth: Yeah, easy to say it too, right? Like

Pratik Roychowdhury: Yeah.

Aftab Banth: everyone, you know, embrace your failures, embrace your failures, and you look around. No one admits theirs. Is

Pratik Roychowdhury: All right. Right.

Aftab Banth: And I think that it’s kind of, but if you’re young, you know, and I can tell you from a lot of folks that I mentor, they may look at someone like, wow, he or she has done this in their career, or they achieved X or Y. But they don’t realize that achievement and that success is the building block forward with these thousands of failures. Right. And it helps not only, just like you said, as an entrepreneur, but I think it helps folks who are going through the trenches now.

Pratik Roychowdhury: Absolutely. Well, Aftab, this was an incredibly insightful discussion. Thank you so much for your time. Love the conversation.

Aftab Banth: You’re welcome. Thank you for having me. I really appreciate it and I enjoyed it. Thank you.

Pratik Roychowdhury: Thank you.

Chiradeep Vittal: And to our listeners, if you enjoyed this episode, don’t forget to subscribe, share it with your team, and check out more conversations on prodsec.tv. We’ll be back soon with more real-world insights at the intersection of product security and AI. Until then, keep building fast and stay secure.