We Are Windmill… Meet Khushali Solanki
We Are Windmill is a series that profiles Windmill’s employees, digging into their philosophies, experiences, and passions. In this post, we spoke to Khushali Solanki, our Pune-based Information Security Officer, who makes sure that Windmill’s assets and technologies are protected. Khushali joined Windmill in 2020. In her free time, you can find Khushali going trekking, crafting and exploring spirituality.
Firstly, can you tell us a bit about your professional background, Khushali? What was your path to becoming an Information Security Officer?
I come from a computer science and software engineering background. I studied computer science at university and worked in software engineering at an automotive manufacturing company for almost seven years after graduation. Being in the IT department of a manufacturing company, I got to work as an end-to-end web application developer, right from requirement gathering to deployment and end-user training. My manager at that company was head of security and encouraged me to try my hand at information security. It was a whole different type of challenge, giving me exposure to the commercial operation and communication with top management. Thankfully, I had a good mentor who taught me how to handle certain situations, the importance of being upfront about any security holes, and how to be proactive in communication.
That was my induction into the world of information security! I have now been in the industry for eight years. Do I miss software engineering? Not really! I’m too far behind in terms of frameworks and programming languages now to go back. However, I’m still fond of SQL Programming!
What soft skills should an Information Security Officer have? How necessary is a technical background to the job?
Communication and implementation skills are the most important.
You have to be an effective communicator, which also includes being an active listener. Information Security is a business enabler so it is very important to understand how to communicate with internal as well as external stakeholders.
By implementation I mean the skills of not only understanding best practices but how we align them with our environment infrastructure. We have to understand our infrastructure, team capabilities and needs.
I do think technical skills are vital, yes, despite the importance of soft skills. You need to understand different systems, types of architecture and networks, on-site server management, cloud and virtual software. We need to understand what the setup is, or what client requirements are as they affect how we apply and implement security controls on it.
What resources do you rely on when you encounter a problem you aren’t sure how to resolve?
Google, of course! However, it really depends on the project. A major project I led and delivered at Windmill was achieving ISO 27001 certification, for which I relied mostly on ISO as well as regulatory standards and best practices as the first sources of information to get an overview and ensure the consistency of security measures. Nowadays, I mostly work with systems and programs that have extensive documentation—G-Suite, Atlassian, Azure and AWS—so problems can normally be resolved by sifting through it. Sometimes I encounter a problem that I feel like I’m the first person to encounter, in which case it’s a matter of looking for clues or having peer interactions, or even talking to the DevOps team, as they may have exposure if they have encountered such an issue.
How do you help create and maintain a culture of information security at Windmill?
We achieved ISO/IEC 27001:2013 at our locations in India and Ukraine this year, which is foundational to creating a culture of information security. The certification is demanded by our clients in core sectors of banking/finance, pharmaceuticals/healthcare and data analytics. Obtaining ISO/IEC 27001:2013 certification was a strategic decision to meet our client needs and underlines Windmill’s dedication to building the highest standard of security and transparency into our security practices and controls.
What two pieces of advice can you give to recent university leavers interested in a career in Information Security?
One—stay up to date with cybersecurity domains. It’s fast-evolving, with constantly emerging technologies and threats. Go for security certifications based on your interests and current trends! Decide which area within security you would like to follow, i.e. governance and compliance-focused or technically oriented.
Two—have passion and patience. Understand the fact that experts don’t appear out of thin air! A lot of security threats are handled by existing solutions, but the actual challenge is when you need to investigate something to identify a proper solution and close that security hole. Research is required, and, because you might have to read through pages and pages of documentation, patience is required, too.
To be precise I would say “Keep refreshing your knowledge, be adaptive to change”.
How has your current role changed what you thought about your profession before?
I was not aware of how deep or vast this field would be, just that the role of Information Security Officer is very crucial because you have to be accountable for whatever decisions you make and the direction you give to the team. And to achieve that you have to invest so much effort in learning. I knew it was going to be crucial beforehand and still feel the same way. Also, you have to take responsibility—as I have discovered, a lot of my work is towards research, review, providing recommendations and setting up processes, which may not be considered business-as-usual.
Which three qualities would you look for in a candidate to be your teammate, and which three qualities would immediately disqualify someone from being considered?
Firstly, problem-solving. On a daily basis, directly or indirectly we are working towards problem-solving. This is the problem, these are the solutions. A complaining mindset must be avoided.
Secondly, eagerness to learn. Someone has to be willing to expand their competencies or no one will willingly help them grow.
Thirdly, active listening. If someone is not actively listening they will not understand what is required, and if they don’t understand they will work accordingly. Listening and understanding are critical to the proper functioning of the company.
As for the disqualifications, I would say people who are not honest and people who are not flexible. Honesty is a key value in Windmill and is one of the things I like most about the company. And it is important that someone recognizes that there is not going to be the same routine day in, day out — client requirements, changes or unforeseen circumstances mean sometimes there is a need to work different hours.
Bio: Malcolm Gledhill is Windmill’s Content Marketing Manager. He holds a BA from Southampton University and joined Windmill in 2021 following five years working as an editor at a major US data company.