Flexibility and security can co-exist for the Red Cross

American Red Cross CISO Vikas Mahajan discusses flexible security strategies for front-line operations and his roadmap for moving toward a SASE model.

Network Disrupted podcast Season 2 Episode 1 promo featuring Vikas Mahajan, CISO at American Red Cross
Key takeaways

This key takeaway was generated through LLMs crawling the page and coming up with an overview of the content.

This article summarizes an interview with Vikas Mahajan, Chief Security and Information Officer at the American Red Cross, about balancing mission-critical operations with modern cybersecurity. It describes the real-world problem of protecting a large volunteer-driven humanitarian organization that also supplies 40–50% of the nation’s blood while ensuring security controls do not impede rapid access to systems during disasters. The piece outlines Mahajan’s operational approach: intuitive, adaptive authentication, stakeholder collaboration, a shift from data-center centric defenses to zero-trust and SASE principles, and incremental, cost-conscious IT transitions supported by nonprofit pricing and phased refreshes.

How does the Red Cross implement two-factor authentication without slowing down volunteers during disaster response?

The Red Cross deployed an adaptive two-factor authentication model that evaluates contextual signals before requiring an extra authentication step. Instead of mandatory hardware tokens or manual code entry for every login, the system checks whether a user is on a new device, a new network, or in a new location and triggers additional verification only when risk factors are present. This intelligent policy reduces friction for volunteers who need rapid access while still providing stronger assurance when the context indicates potential risk, increasing user acceptance and operational effectiveness during missions.

What does Mahajan mean by flipping the security model, and why is SASE relevant to the Red Cross?

Flipping the security model means moving away from protecting a centralized, walled data center toward securing data wherever it resides: on endpoints, in cloud services, and while in transit. Mahajan emphasizes zero-trust principles that assume no implicit trust based on network location and focus on identity, real-time context, and policy. SASE (Secure Access Service Edge) is relevant because it converges network and security functions (such as SWG, CASB, FWaaS, ZTNA, and SD-WAN), delivered as a service, to meet dynamic access needs, aligning with the Red Cross goal of securing distributed “islands of data” without impeding mission operations.

How does the Red Cross manage the financial constraints of upgrading cybersecurity technology?

Given that most funds at the Red Cross are devoted to the mission, Mahajan’s team evaluates cybersecurity spend carefully and adopts an incremental upgrade approach. They leverage generous nonprofit pricing from technology partners and use refresh cycle timing to evaluate and adopt new generations of solutions that implement proven controls like strong encryption and multi-factor authentication. This phased strategy extends technology turnover timelines, which reduces immediate capital demands while providing stability and deliberation time to align security investments with operational priorities.

The American Red Cross and its massive network of workers and volunteers are the nation’s premier second responders, arriving right behind first responders when disaster strikes to help people rebuild their lives. They also collect and supply 40-50% of the nation’s blood supply.

At the same time, the American Red Cross is a natural, high-profile target for nefarious actors.

For Vikas Mahajan, the organization’s Chief Security and Information Officer, finding a way to empower his organization to do the work it does while keeping networks and data secure is a worthwhile challenge.

He joins BlueCat Chief Security Officer Andrew Wertkin on the Network Disrupted podcast to talk about his strategies for deploying solutions that don’t burden those on the front lines, and his roadmap for moving security towards a Secure Access Service Edge (SASE) model.

Remember security serves the mission, not the other way around

At the Red Cross, locking a volunteer out of a necessary application because the network they’re on “isn’t up to snuff” can mean the difference between life and death. So, Vikas and his team have implemented a number of intuitive, lightweight security mechanisms that allow the Red Cross’ volunteer base to quickly access services they need for their missions.

Last year, Mahajan’s team rolled out two-factor authentication for the Red Cross’ devices and computers. Only, Vikas didn’t want this to be the 2FA that required everyone to carry around a hardware token or to have to enter a code—he wanted this to be a smart, adaptive method.

So, now, when a user logs in, the system intelligently looks at different aspects of the user before deciding whether to trigger an extra check. Are they using a new computer? Are they on a new network? Are they in a new location? This more flexible policy for authentication has increased the acceptance of 2FA by users and allows them to move quickly when it matters most.
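The decision logic described above can be sketched as follows. This is an added example, not the Red Cross's implementation or code from the article; the /24 network grouping, country-level location, and all names are assumptions made for illustration.

```python
from dataclasses import dataclass, field
from ipaddress import ip_network

@dataclass
class Login:               # one constructed login attempt
    user: str
    device_id: str
    source_ip: str
    country: str

@dataclass
class Profile:             # contexts this user has already proven with a second factor
    devices: set = field(default_factory=set)
    networks: set = field(default_factory=set)
    countries: set = field(default_factory=set)

def network_of(ip):
    # Assumption: addresses in the same /24 (IPv4) or /48 (IPv6) count as one network.
    prefix = 48 if ":" in ip else 24
    return str(ip_network(f"{ip}/{prefix}", strict=False))

def risk_signals(profile, login):
    signals = []
    if login.device_id not in profile.devices:
        signals.append("new_device")
    if network_of(login.source_ip) not in profile.networks:
        signals.append("new_network")
    if login.country not in profile.countries:
        signals.append("new_location")
    return signals

def evaluate(profiles, login, second_factor_ok=None):
    """Return (decision, signals); second_factor_ok stays None until a challenge is answered."""
    profile = profiles.setdefault(login.user, Profile())
    signals = risk_signals(profile, login)
    if signals and second_factor_ok is None:
        return "step_up", signals          # unfamiliar context: ask for the second factor
    if signals and not second_factor_ok:
        return "deny", signals             # challenge failed: learn nothing
    # Only a clean or verified login extends the profile, so a stolen password
    # alone can never make an attacker's device or network look familiar.
    profile.devices.add(login.device_id)
    profile.networks.add(network_of(login.source_ip))
    profile.countries.add(login.country)
    return "allow", signals
```

A first-ever login raises all three signals, so enrollment itself goes through the second factor; after that, a volunteer on a known device, network and location is never challenged.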

How does Mahajan’s team create solutions like this? By engaging a variety of stakeholders and teams, like the volunteers themselves, the legal department, and others using the technology infrastructure, to learn what they need.

It all boils down to Mahajan’s approach to security, which is done in partnership with others across the organization.

“It just goes back to the entire way we approach security. It has to be in tandem, in partnership with others. I can’t do it in a black box and I can’t just build it and say everyone follow these rules. It’s just not going to work, especially in an organization like ours where it requires us to be open.”

Flip your security model

The biggest shift Mahajan is working on right now? Moving from a data center-centric model, in which data is a protected asset in a walled garden, to one in which you must secure data wherever it happens to be—in the cloud, en route somewhere, etc. Today’s security leader is challenged not with keeping bad things outside the firewall but instead securing the “islands of data” out on the internet.

Enter: zero-trust, and the SASE security model.

According to Gartner, “SASE combines network security functions (such as SWG, CASB, FWaaS and ZTNA), with WAN capabilities (i.e., SDWAN) to support the dynamic secure access needs of organizations. These capabilities are delivered primarily aaS and based upon the identity of the entity, real time context and security/compliance policies.”

Currently, Mahajan’s team is operating on a zero-trust model and working on building policies and governance around the company’s usage of the cloud, networks, and data centers. He is also looking to build out the Red Cross’ SASE strategy and roadmap, knowing there are a number of challenges with embracing it.

Manage expensive IT transitions incrementally

In certain sectors, a lot of resources and funding can be allocated towards cybersecurity; in the finance industry, for example, the spend per employee can be quite high. But for non-profits, the majority of funds go towards supporting the mission of the organization. For the Red Cross, 90 cents of every dollar goes towards the mission, prompting IT to critically evaluate every additional bit of spend against the question:

“Should we spend another dollar towards securing our organization, or towards our humanitarian services?”

This context challenges Mahajan and his team to do a number of things differently.

First, they take advantage of generous pricing offers from technology partners, who support non-profits.

Second, Mahajan focuses on an incremental process for upgrading technology and solutions. Towards the end of a refresh cycle, he takes the opportunity to evaluate a new generation of solutions—in this case, ones that support proven, common-sense controls like strong encryption, identity verification, multi-factor authentication, etc. While it means that the time horizon for technology turnover is long, it also injects an element of stability and time for deliberation into the overall technology strategy.

If you’d like to hear the full episode with the American Red Cross CISO Vikas Mahajan, you can listen to it below.

