Ravi Kiran Nizampatnam Podcast Transcript
Ravi Kiran Nizampatnam joins host Brian Thomas on The Digital Executive Podcast.
Brian Thomas: Welcome to Coruzant Technologies, Home of The Digital Executive Podcast.
Do you work in emerging tech, working on something innovative? Maybe an entrepreneur? Apply to be a guest at www.coruzant.com/brand.
Welcome to The Digital Executive. Today’s guest is Dr. Ravi Kiran Nizampatnam. Dr. Ravi Kiran Nizampatnam is an internationally recognized expert in network security and enterprise cybersecurity architecture.
With over a decade of sustained leadership, protecting large scale mission critical digital infrastructure for globally integrated enterprises, his career reflects a rare combination of deep technical mastery, original innovation, scholarly contribution, and demonstrable real world impact across regulated industries, including finance, healthcare, and data-driven media platforms.
Well, good afternoon, Ravi. Welcome to the show.
Ravi Kiran Nizampatnam: Thanks for having me. Good afternoon.
Brian Thomas: Absolutely, my friend. I appreciate it. You’re hailing out of Austin, Texas today. I’m in Kansas City, so we’re in the same time zone. I appreciate that. I know sometimes it’s hard to traverse these schedules, calendars, and time zones, so thank you.
And Ravi, jumping into your first question. You’ve spent over a decade securing mission critical global digital infrastructure across finance, healthcare, and media. How has the threat landscape evolved during that time, and what risks are enterprises still underestimating today?
Ravi Kiran Nizampatnam: That’s a great question.
Thank you. The biggest shift I have seen over the last decade is that attackers no longer break. I would say they simply log in. earlier in my career, attackers were noisy. Uh, they were like, you would see the perimeter scans, you will see the attempts exploiting, and you would see the malware signatures everywhere.
But things changed Today, most major attacks. Don’t like breaches at all. They don’t look like breaches at all. They just look like a normal activity. You will see a valid user, a valid token, and a trusted API call. What really changed is how we trust people and how we trust businesses. We have moved from perimeter attacks into the internal abuse that could be identity compromise, API misuse, or really supply chain access.
The attacker’s first goal is always no longer entry. It’s persistence. Once they have their food landed, they move quietly throughout our systems that were never designed to question internal trust. What enterprises still underestimate is how fragile we are. There are machine identities, there are service accounts.
There are CICD pipelines, third party integrations. You name it, we have more than dozens of systems that we interact every day. So, organizations mostly abscess over malware detection, but it’s simple credential that could cause a lot of damage with lateral movement. So, the next ticket of breaches won’t come from.
Like traditional exploits, but they come from over trusted or paths that were no longer revalidated. So that’s the uncomfortable truth. So, we just need to make sure that we bring our designs with much more defensive mechanism and our remission should be challenged.
Brian Thomas: That’s, I really appreciate you highlighting some of that. I think people think that it’s still kind of the old way where it’s you know, again, brute force breaches, that sort of thing which can still happen. But you’re absolutely right. It’s more of a login. You know, most attacks today just look like regular activity on your network.
Um, it’s how we trust people, companies, as you mentioned, but they’re getting in because of that persistence. And again, we need to move to that zero trust thinking, right, zero trust, architecture, those sorts of things so that we are always on alert. So, I appreciate that. I really do. Ravi, you’re a strong advocate and practitioner of Zero Trust architecture, which I just mentioned.
What does Zero Trust done right look like in real enterprise and where do organizations most often get it wrong?
Ravi Kiran Nizampatnam: Oh, yeah. Oh yeah. So, Zero Trust done Right is very uncomfortable to be honest with you because it for it forces organizations to admit that their beliefs are no longer upholded. They’re really outdated.
It means that really no access is permanent. No identity is simply trusted, and also no network path is considered safe at all, even though it’s internal. So every access request, whether it’s human request, machine request, API, or any workload, should be evaluated continuously. That could be based on their identity or their behavior.
Or their device Health and context, not just once, not just at the login, but it should be at all the time. So, organizations are going mostly wrong in treating Zero Trust. They treat it as a product, but it’s not a product, it’s an architecture. So, they should not think like they’re buying a tool and they’re just putting a label on it.
They just follow the same old principles like having a flat network. Having overprivileged roles or there is no visibility into lateral movement or east west traffic at all. That’s not zero trust at all. That’s just branding. I would feel so real. Zero Trust is an architectural change. It should redesign your access path.
It should minimize the blast radius. It should assume the compromises will happen. I feel there is a key point to it. Zero trust isn’t about preventing every breach that’s unrealistic. It’s about making breaches boring and they should be contained and it should be non catastrophic. So if an attacker gets in and eventually someone will, for sure, the damage should be measured in minutes and scoped out, and that, that’s what I feel, the zero trust.
Should look like. That’s what a real zero trust should be done in such a way that it should be scoped in within minutes or seconds.
Brian Thomas: Thank you. I really appreciate that. And time is of, of the essence. You mentioned that minutes, seconds, even to minimize that damage. But zero trust architecture is certainly uncomfortable.
You know, you talked about that no longer is an identity, it’s. Not trusted, right? It’s, you gotta move into that mindset and people aren’t ready for that. But you always have to evaluate this continuously. Security is definitely moving to a different place in time the way we have to move to this zero trust architecture.
So, I appreciate that. And Ravi, you’re the inventor on multiple international cybersecurity patents addressing iot security, dynamic network allocation, and real-time threat detection. What gaps in existing security tools inspire these innovations?
Ravi Kiran Nizampatnam: Honestly necessity and frustration, I would say. I kept seeing the same failures repeat themselves at scale.
That could be different organizations that I work in or I partnered with. I see issues with different industries, different tools, but the pattern was always the same. Many tools that were designed work in silos, for example, network tools don’t understand identity and identity. Systems don’t understand behavior.
And sometimes iot and non-human devices, they are often. Separately with no visibility. So that fragmentation created a lot of blind spots, and attackers live in blind spots, as we know. So, I realized that adding more tools wasn’t solving the problem. We aren’t lacking alerts. We are lacking context. So my focus, as I said, shifted to architecture and zero trust.
I started designing systems which were accessible based on the adaptability in the real time. I followed the telemetry, I followed the behavior, and I understood the risk, continuously influenced the trust. What I really observed was identity isn’t static. It should never think identity stays the same, so we should not give the access and grant them the full access at once, but we need to do, is it as a process?
The goal was never to block everything. Zero trust is not blocking everything. So, over blocking break businesses, right? So, the goal was to earn the trust continuously. So that’s what led to my patents. I would say. It’s not just theoretical invention, it’s more of like a practical architecture built to survive real world problems and real challenges.
So, innovation and insecurity for me. It isn’t about more dashboards or just more alerts. It’s assuming fewer stuff and implementing more stuff.
Brian Thomas: Thank you. I really appreciate that. You talked about, uh, you created these innovations and ultimately patents outta the necessity and frustration that you saw across the spectrum here.
And that’s why you moved into that zero trust architecture. And as you mentioned, many of these design tools, they work in silos unfortunately, and create, have created blind spots, which obviously created some frustration there. And I’m glad that you did jump in and tackle this and, and again, trying to make the world a better place from your vantage point.
So, thank you. And Ravi, the last question of the day, looking ahead in the future, how do you see enterprise network security evolving over the next five to 10 years, especially with AI driven threats, cloud native infrastructure and increasing regulatory pressure?
Ravi Kiran Nizampatnam: Yeah, everything is AI these days, right?
So, we are moving towards continuous AI assisted trust evaluation. We are seeing AI across users, their workloads, APIs, and their devices. So, AI will absolutely help us to see the patterns that human scanned, so it’ll correlate the signals at scale, and a will detect anomalies faster. And they’ll respond more intelligently, but there is a caution to it, right?
So, AI without architecture just automates the bad decisions faster. We should avoid that. If your access model is broken. AI will reinforce that broken logic at the machine speed. That’s why architecture matters more than just the algorithms. So, you should understand the architecture in in depth. At the same time, regulation is changing the game.
So, organizations won’t be asked if they are secure anymore. They’ll be asked to prove resilience. They should be asked to show the containment. That’s what they’ll do, and they should show the governance, and our agriculture should show the intent and the design about the trust. So, the winners. The winners, I would say over the last decade will be the organizations that invest early in identity centric designs and also systems that adapt to reside and have an adaptive architectures.
If you are not following the early trends, you would still do the same patching. You’ll keep patching the symptoms. You will react instead of being proactive in nature. Your cost becomes essential.
Brian Thomas: Thank you. I really appreciate that. You know, just to highlight a few things, obviously AI can be a great game changer. Can level the playing field assist humans with a lot of the mundane and repetitive massive review of data, right. But, as you mentioned, without the frameworks, without the zero trust architecture AI is really just gonna automate those bad decisions faster, as you said at machine speed.
It’s important. I did highlight those organizations that adopt identity centric designs early on are gonna be more prepared and more apt to succeed in this environment that we live in today. So, I appreciate that and all your insights. And Ravi, it was such a pleasure having you on today and I look forward to speaking with you real soon.
Ravi Kiran Nizampatnam: Yeah, thank you. I really appreciate the depth of this conversation. I would definitely say that these are the discussions that are needed if security is going towards the right place. As I said, it is not about the tools anymore. We should have these kind of conversations. I enjoyed it very much. Thank you.
Brian Thomas: Bye for now.
Ravi Kiran Nizampatnam Podcast Transcript. Listen to the audio on the guest’s Podcast Page.
