Navigating Digital Transformation, Security Needs in Interconnected Workflows, and Preventing Transaction-Level Risks with Zero Trust 

Written by: Vishwa Pandagle, Cybersecurity Staff Editor

TechNadu brings insights shared by Piyush Pandey, Chief Executive Officer of Pathlock, who recounted his journey, beginning with questions about how companies work, grow, and stay competitive. This led him to pursue an education that changed his career path.

He found his passion in building and running companies, and then delved deep into strategic thinking and value creation. 

This interview explains how increased digital modernization bolsters speed but also creates complex interconnectivity, which makes it important to demystify security needs.

We detail transaction-level access risks, mainly during mergers and acquisitions, and dynamic access controls for safeguarding business-critical applications like SAP that store sensitive information.

Learn more about the transition from software engineer to global leader in identity and application governance from a CEO who addressed insider threats, zero trust, phishing emails, and more.

Vishwa: Please tell us about your journey from completing your MBA to leading your first company as a CEO. What are your strengths, and how different is a student's perspective from the reality of the business world? 

Piyush: I started my career as a software engineer, writing code and leading tech projects. But as time went on, I became curious about the bigger picture: how companies work, how they grow, and how they stay competitive. That curiosity led me to pursue an MBA and move to investment banking on Wall Street.

Working in M&A and IPOs as a banker gave me knowledge of how businesses are built and scaled. I was advising companies across various industries—from cybersecurity and infrastructure to analytics and internet technologies. I learned a lot about strategic thinking and how value is created.

Over time, I realized that my true passion is building and running companies. So, I joined a private equity-backed analytics software company in an operational leadership role. Eventually, I became CEO of a small tech firm, which I scaled over the years to later become Pathlock.

I would say that a business leader's biggest strength is a problem-solving mindset. Each challenge, whether technical, business, or operational, is an opportunity to learn and grow. The difference between a student's perspective and business reality is significant. 

In school, we often deal with structured problems that have clear-cut answers. In the real world, there is no single "right" answer. You're dealing with people, changing market conditions, and limited resources. To succeed, you must navigate complexity, align teams, and make decisions with incomplete information. 

That's where real learning happens. 

Vishwa: What is your perspective on digital modernization initiatives, migration to cloud-based platforms, and the interconnected workflows spanning procurement, finance, and HR systems? 

Piyush: Digital transformation can bring huge advantages to companies—it makes them more agile, speeds up decision-making, and opens the door to using the best tools available. 

However, as systems in these business functions become more connected, things can also get more complex. 

If we speak about cloud migration of business and ERP applications, it's essential to take a proactive approach to governance, risk, and compliance (GRC) to fully realize its benefits. 

Otherwise, you might overlook critical gaps and expose an organization to compliance and security risks.

Vishwa: Please share your observations about the interconnected nature of modern workflows that create blind spots in identity governance. How does it expose an organization to fraud and security breaches? 

Piyush: As enterprises add more interconnected business applications, it becomes difficult for them to detect and prevent transaction-level access risks. These risks often arise when users' roles and permissions evolve over time. 

And should a company go through transitions like mergers and acquisitions, it grows even more significant. 

What may seem like minor mistakes or oversights in access provisioning can create scenarios that open an organization to devastating consequences. 

For example, an employee with permission to maintain a purchase order in SAP ERP may inadvertently obtain requisitions release capabilities in a connected SAP Ariba system. 

Such access rights introduce transaction-level risk. They violate SoD principles, as they allow an employee to independently approve the purchase request, bypassing internal controls. 

A stark example of the consequences of inadequate risk management is the case of an Amazon operations manager who orchestrated a $10 million fraud scheme by exploiting her position to create fake vendors and approve fictitious invoices. 

This incident underscores the need for robust internal controls to prevent such fraudulent activities and potential security breaches. 

Vishwa: What are the complexities of digital business risks? Can you shed light on the implications of inadequate risk management on today's enterprises?  

Piyush: Digital business risk encompasses a wide range of concerns, from cybersecurity threats and data privacy to compliance requirements and access provisioning. Among these, transaction-level risk often remains one of the most overlooked. 

Business-critical applications like SAP are treasure troves of sensitive information and house vital processes. Without dynamic access controls, these regulated applications become vulnerable, exposing enterprises to fraud, data breaches, and compliance violations—all of which can be costly and damaging. 

Vishwa: What actionable advice would you give on how to strengthen an organization's security posture to avoid the risk of financial loss, reputational damage, and operational disruptions? 

Piyush: First, shift your mindset to Zero Trust. Don't assume anything or anyone is safe by default. Always verify, always monitor. That's foundational. 

Second, know where your critical data and regulated business processes are—and protect them carefully. Access controls, classification, and monitoring are essential. 

Use automation, eliminate human error. Also, don't underestimate your third-party exposure. Your vendors, your partners—if their defenses are weak, that's your risk too. Vet them rigorously. 

And here's one that's often underestimated: your people. Employees can be the weakest link—not just through accidental clicks on phishing emails, but, in rare cases, through malicious intent. To mitigate this, implement the right technology and internal controls to detect and prevent insider threats. 

Finally, assume something will eventually go wrong. Be prepared. Have an incident response playbook. Know how you'll act and communicate if the worst scenario breaks out. 

In today's environment, business leaders must treat security as a strategic priority.

