In this episode of Life of a CISO, Dr. Eric Cole welcomes a true cybersecurity trailblazer: Dan Lohrmann. With a career that spans the NSA, Lockheed Martin, the State of Michigan, and now Presidio, Dan brings a rare depth of experience in both government and the private sector. As the first Chief Security Officer for an entire U.S. state and now a Field CISO advising public sector clients across the country, Dan shares practical wisdom and compelling stories about navigating the evolving CISO landscape. Together, Dr. Cole and Dan explore what it takes to build lasting trust as a security leader, the importance of strengthening your personal brand, and how to overcome barriers when leadership resists public visibility. Dan emphasizes the power of public speaking, blogging, and storytelling—not just to elevate your own profile, but to position cybersecurity as a strategic business enabler. They also dive into the value of setting clear non-negotiables when evaluating job opportunities, the role of culture and leadership alignment in long-term success, and tactical advice for those trying to land their first CISO role. Whether you're in government, the private sector, or somewhere in between, this episode is a masterclass in influence, resilience, and leadership at the highest level.
In this week's episode of The Future of Security Operations podcast, Thomas is joined by Matt Muller, Field CISO at Tines. With over a decade of experience at companies like Material Security, Coinbase, and Inflection, Matt's got a strong track record of scaling SecOps teams, building threat detection and mitigation programs, and driving trust and safety initiatives. His knowledge impressed Thomas and the Tines team so much that they invited him to become the company's first Field CISO.
In this episode:
[02:41] The origins of Matt's insatiable appetite for all things security
[04:05] Matt's path from business degree to Director of Trust at Inflection
[07:07] Scaling Coinbase's security team from 3 to 50
[08:41] Addressing security's long-standing communication problem
[10:55] Why “failure wasn't an option” when managing risk at Coinbase
[14:14] What led Matt to a product role on Material Security's phishing protection team
[17:31] Building what customers ask for vs. actually solving their problems
[21:14] How Matt stays up to date with industry developments
[22:35] Matt's favorite use cases for security automation
[25:25] Matt's go-to automation best practices
[27:33] Cutting through AI hype to drive meaningful adoption
[30:32] How Matt keeps himself honest as a Field CISO
[32:21] Why the traditional SOC is broken - and what needs to change
[35:30] The role of diverse hiring in building a resilient security strategy
[39:00] What security teams will look like in 2030
[41:35] How CISOs are evolving to become chief risk advisors to the business
[43:30] Connect with Matt
Where to find Matt: LinkedIn; Building SecOps newsletter
Where to find Thomas Kinsella: LinkedIn; Tines
Resources mentioned: Blue Team Con; Material Security's Ryan Noon on the Future of Security Operations podcast
In this episode, Joe sits down with John Carse, Field CISO at SquareX, to dive into the often-overlooked world of browser security and the evolving landscape of cybersecurity. Recorded despite a 12-hour time difference (Singapore to the US!), John shares:
The Browser Security Gap: Why 85% of user time in browsers is a growing risk for SaaS and cloud environments.
SquareX's Solution: How SquareX acts as an EDR for browsers, detecting and responding to threats like polymorphic extensions.
Career Journey: From early IT days to field CISO, John reveals how foundational IT skills (help desk, field services) make better cyber professionals.
Real-World Insights: Lessons from working with the US Navy and the importance of understanding IT systems for effective cybersecurity.
Check Your Browser Security: Visit SquareX Browser Security to assess your controls.
Learn More About SquareX: Explore their solution at sqrx.com.
Connect with John: Find him on X @JohnCarse
Chapters
00:00 Introduction and Time Zone Challenges
02:54 John Carse's Journey into IT
06:05 Transitioning to Cybersecurity
08:46 The Importance of Customer Service in IT
11:36 Formative Experiences in Help Desk and Field Services
14:35 Understanding IT Systems for Cybersecurity
23:51 The Interplay Between IT Skills and Cybersecurity
24:41 The Role of Security Engineers in IT
28:43 Understanding the Complexity of Cybersecurity
29:33 Exploring the Field CISO Role
32:55 The Browser as a Security Frontier
42:07 Challenges in SaaS Security
46:20 The Importance of Browser Security Awareness
Subscribe for more cybersecurity insights and career tips! Share your thoughts in the comments—how are you securing your browser?
Follow the Podcast on Social Media!
YouTube: https://www.youtube.com/@securityunfilteredpodcast
Instagram: https://www.instagram.com/secunfpodcast/
Twitter: https://twitter.com/SecUnfPodcast
#SecurityConfidential #DarkRhiinoSecurity
John Carse is the Field CISO at SquareX and a seasoned cybersecurity leader with over 20 years of experience spanning the U.S. Navy, JPMorgan, Expedia, Dyson, and Rakuten. With a background in securing critical naval systems during his 14 years in the Navy, John has since built and led global security programs across finance, tech, and e-commerce. He holds multiple cloud security patents and is currently helping develop the industry's first Browser Detection and Response (BDR) solution. With hands-on expertise and a global perspective from roles in the U.S., Japan, Singapore, Bahrain, and Europe, John is passionate about tackling emerging threats and sharing real-world insights that blend innovation with practical defense.
00:00 Introduction
03:00 Protecting Intellectual Property
10:37 Understand the business, then look at the controls
14:18 How different is cybersecurity across the country
22:16 Browser Detection Response
32:19 Does BDR replace other tools?
36:10 What about virtual environments?
39:30 More from John
To learn more about Dark Rhiino Security visit https://www.darkrhiinosecurity.com
A special episode this week, featuring an interview with John Carse, Chief Information Security Officer (CISO) of SquareX. John speaks about his background in the security industry, grants insight into attacks on browsers, and talks about the work his team at SquareX is doing to detect and mitigate browser-based attacks.
This week, it's double AI interview Monday! In our first interview, we discuss how to balance AI opportunities vs. risk. Artificial Intelligence (AI) has the potential to revolutionize how businesses operate. But with this exciting advancement come new challenges that cannot be ignored. For proactive security and IT leaders, how do you balance the need for security and privacy in AI with the opportunities that come with accelerating adoption? Matt Muller, Field CISO at Tines, joins Business Security Weekly to discuss the unprecedented challenges facing Chief Information Security Officers (CISOs) and approaches to mitigate AI's security and privacy risks. In this interview, we'll discuss ways to mitigate AI's security and privacy risks and strategies to help ease AI stress on security teams.
Segment Resources:
- https://www.tines.com/blog/cisos-report-addressing-ai-pressures/
- https://www.tines.com/blog/ai-enterprise-mitigate-security-privacy-risks/
In our second interview, we dig into the challenges of securing Artificial Intelligence. Are you being asked to secure AI initiatives? What questions should you be asking your developers or vendors to validate security and privacy concerns? Who better to ask than Summer Fowler, CISO at Torc Robotics, a self-driving trucking company. Summer will guide us on her AI security journey to help us understand:
- Regulatory requirements regarding AI
- Build vs. buy decisions
- Security considerations for both build and buy scenarios
- Resources to help guide you
Visit https://www.securityweekly.com/bsw for all the latest episodes!
Show Notes: https://securityweekly.com/bsw-390
Automating SecOps processes and procedures - free your people, improve retention and increase productivity
Where creativity and diversity are keeping your SecOps one step ahead of the attackers
Matching your effectiveness to organisational objectives - aligning your internal SOC metrics with those required by the board
This episode is hosted by Thom Langford: https://www.linkedin.com/in/thomlangford/
Prince Adu, Board Member - ISACA Accra Chapter, ISACA: https://www.linkedin.com/in/prince-adu-ccsp-cisa-crisc-3759a520/
Garrett Smiley, Chief of Staff to CDIO / Vice President of Digital Infrastructure and Technology Strategy, Maximus: https://www.linkedin.com/in/garrettsmiley/
Matt Muller, Field CISO, Tines: https://www.linkedin.com/in/matthewrmuller/
While cybercriminals can (and do) infiltrate organizations by exploiting software vulnerabilities and launching brute force attacks, the most direct—and often the most effective—route is via the inbox. As the front door of an enterprise and the gateway upon which employees rely to do their jobs, the inbox represents an ideal access point for attackers. And it seems that, unfortunately, cybercriminals aren't lacking when it comes to identifying new ways to sneak in. Abnormal Security's Field CISO, Mick Leach, will discuss some of the sophisticated threats we anticipate escalating in the coming year—including cryptocurrency fraud, AI-generated business email compromise, and more.
Mick and I dove into a lot of great topics, including:
The evolution of email-based attacks and why traditional tooling may fall short
How attackers are leveraging GenAI and LLMs to make more compelling email-based attacks
How defenders can utilize AI to improve their defensive capabilities
The role of tooling such as Secure Email Gateways, and how they still play a role but fail to meet the latest threat landscape
How Abnormal is tackling email-based attacks and the outcomes they are helping customers achieve with streamlined integration and use
In this episode, we sit down with Rajan Kapoor, Field CISO of Material Security, to discuss the security risks and shortcomings of native cloud workspace security offerings and the role of modern platforms for email security, data governance, and posture management. Email and Cloud Collaboration Workspace Security continues to be one of the most pervasive and challenging security environments, and Rajan provided a TON of excellent insights. We covered:
Why email and cloud workspaces are some of the most highly targeted environments by cyber criminals, what they can do once they do compromise the email environment, and the broad implications.
The lack of security features and capabilities of native cloud workspaces such as M365 and Google Workspace, and the technical and resource constraints that drive teams to seek out innovative products such as Material Security.
The tug of war between security and productivity, and how Material Security helps address challenges of the native workspaces that often make it hard for people to do their work and lead to security being sidestepped.
The particular industries that are targeted and impacted the most, such as healthcare, where there is highly sensitive data, regulatory challenges, and more.
Common patterns among threats, attacks, and vulnerabilities, and how organizations can work to bolster the security of their cloud workspace environments.
This is a fascinating area of security. We often hear “identity is the new perimeter” and see identity play a key role in trends such as zero trust. But, so often, that identity starts with your email, and it can lead to lateral movement, capturing MFA codes, accessing sensitive data, impacting business partners, phishing others in the organization, and more, all of which can have massive consequences for the organizations impacted.
Rajan brought his expertise as a Field CISO and longtime security practitioner to drop a ton of gems in this one, so be sure to check it out!
Most people think cybersecurity training is about knowledge, but what if motivation is the real key to success? David Shipley, CEO and Field CISO at Beauceron Security, shares how psychology and neuroscience reshape how we approach security awareness, reducing risks in ways tech alone never could. In this episode, Ron and David examine why people, not technology, are at the core of effective cybersecurity. David teaches us about the SCARF model, warns us about the dangers of overconfidence in training, and explains how gamification can drive meaningful behavior change when it comes to cybersecurity awareness and risk reduction. Impactful Moments: 00:00 – Introduction 02:00 – David Shipley's journey from journalist to cybersecurity leader 06:10 – Why motivation outshines knowledge in security training 08:20 – The Dunning-Kruger effect: Overconfidence in cybersecurity 11:17 – How overreliance on tech increases click rates 17:03 – Cybercriminals' evolving tactics and emotional manipulation 25:00 – Gamification in cybersecurity: Changing security behaviors 30:56 – Using the SCARF model to enhance security culture 39:45 – Emotional intelligence as a defense against AI threats Links: Connect with our guest, David Shipley: https://www.linkedin.com/in/dbshipley/ Learn more about Beauceron Security here: www.beauceronsecurity.com/partner Check out our upcoming events: https://www.hackervalley.com/livestreams Join our creative mastermind and stand out as a cybersecurity professional: https://www.patreon.com/hackervalleystudio Love Hacker Valley Studio? Pick up some swag: https://store.hackervalley.com Continue the conversation by joining our Discord: https://hackervalley.com/discord Become a sponsor of the show to amplify your brand: https://hackervalley.com/work-with-us/
In this episode of the Security Podcast of Silicon Valley, a YSecurity Production, Jon and Sasha sit down with Jacob Berry, Field CISO at Clumio, to explore the intricate balance between security and business growth. Jacob shares his journey from a "punk hacker" to leading security for a cutting-edge cloud data protection company. We delve into the evolving role of the CISO, the complexities of managing security for cloud-based services, and the importance of balancing confidentiality, integrity, and availability. Jacob also discusses the human side of security, from customer conversations to the challenges and opportunities in the fast-paced world of startups. Tune in to learn how Jacob navigates the intersection of technology, privacy, and business strategy.
Jason Mar-Tang is the AVP, Field CISO at Pentera. In this episode, he joins host Heather Engel to discuss measuring ROI in cybersecurity, including some of the biggest challenges, the preparations organizations will need to take, cost-effective methods, and more. Cyber Strong is a Cybercrime Magazine podcast series brought to you by Pentera, the leader in automated security validation. Learn more about our sponsor at https://pentera.io.
Join us in this episode of the Security Podcast in Silicon Valley, where host Jon McLachlan sits down with Kayne McGladrey, Field CISO at Hyperproof. Kayne shares his unique journey from theater to cybersecurity, offering insights into risk management, regulatory compliance, and the evolving landscape of cyber threats. Discover how his background in improv and theater has shaped his approach to cybersecurity, the importance of SEC 10-K disclosures, and practical advice for startups and security professionals. Don't miss this engaging and informative conversation! #Cybersecurity #CISO #RiskManagement #TheaterToTech #Hyperproof #SecurityLeadership #Podcast #Ysecurity
In this episode of Breaking Badness, we dive into the rapidly evolving world of cybersecurity with three industry leaders: Raymond Dijkxhoorn, CEO of SURBL; Nabil Hannan, Field CISO at NetSPI; and Jason Mar-Tang, Field CISO at Pentera. They explore the critical role of domain reputation in combating phishing and spam, how AI is reshaping both offensive and defensive cybersecurity strategies, and the growing threat of ransomware in today's digital landscape. With insights from BlackHat and beyond, we discuss everything from the future of phishing defense to the challenges AI poses in securing sensitive data, as well as how ransomware continues to evolve. Tune in to gain actionable insights on staying ahead of cyber threats and protecting your digital domain.
Have you ever lost something important, only to find out someone moved it without telling you? The same thing happens with our personal and business data. But what if you could see what the adversary sees? In this episode, Jason Haddix, Field CISO at Flare, shares his experiences in red teaming, accessing dark web credentials, and protecting against malicious actors. Whether you're curious about data exposure or how threat actors operate, this conversation offers insights into the constant changes in cybersecurity. Impactful Moments: 00:00 - Introduction 01:11 - The Basics of the Dark Web and How Criminals Operate 07:16 - Flare's Role in Cybersecurity 11:14 - Common Security Mistakes 20:04 - Pen Testing with Flare 21:33 - Exploiting Exposed Credentials 22:19 - Reconnaissance Tools and Techniques 24:38 - Email Security Concerns 28:43 - The Power of Stealer Logs 38:21 - Dark Web Tactics and AI 39:33 - Advice for Cybersecurity Leaders 42:04 - Exploring Flare's Platform for Threat Intelligence 44:26 - Conclusion and Final Thoughts Links: Connect with our guest, Jason Haddix: https://www.linkedin.com/in/jhaddix/ Check out Flare here: https://flare.io Check out Arcanum here: https://www.arcanum-sec.com/ Check out our upcoming events: https://www.hackervalley.com/livestreams Join our creative mastermind and stand out as a cybersecurity professional: https://www.patreon.com/hackervalleystudio Love Hacker Valley Studio? Pick up some swag: https://store.hackervalley.com Continue the conversation by joining our Discord: https://hackervalley.com/discord Become a sponsor of the show to amplify your brand: https://hackervalley.com/work-with-us/
In this episode of Brass Tacks - Talking Cybersecurity, Daniele Mancini, Field CISO at #Fortinet explains the three main drivers of change for #cybersecurity and the challenges these present for the #CISO: ➡️ The explosion in data volumes ➡️ The increasing speed of innovation ➡️ The growing interconnection of the digital ecosystem Tune in for a discussion on the importance of balancing technological innovation and business strategy and creating resilience to a broad range of cybersecurity incidents through a joined-up strategy supported by the three essential pillars of people, processes, and technology. Learn more: https://www.fortinet.com/blog/ciso-collective/building-cyber-resilience?utm_source=Social&utm_medium=YouTube&utm_campaign=BrassTacks-GLOBAL-Global&utm_content=BG-YouTubeGlobal-U&utm_term=Org-Social&lsci=7012H0000021nOIQAY&UID=ftnt-5649-736091 More about Fortinet: https://ftnt.net/6056oiHQE Read our blog: https://ftnt.net/60529liW2 Follow us on LinkedIn: https://ftnt.net/60549liW4
#SecurityConfidential #DarkRhiinoSecurity Dan Lohrmann is an internationally recognized cybersecurity leader, keynote speaker, and author with over 30 years of experience. He served as Chief Security Officer, CTO, and CISO for Michigan's government and received numerous national awards, including CSO of the Year and Computerworld Premier 100 IT Leader. He has advised top-level government and business leaders, including at the White House and U.S. Department of Homeland Security. Currently, Dan is the Field CISO for Presidio and co-author of Cyber Mayday and the Day After, a guide for managing business disruptions. 00:00 Snippet 01:59 Our Guest 09:13 Was Cybersecurity a term back then? 13:05 Everybody keeps getting breached, Why? 19:00 Creating a culture 32:50 Trust but Verify mentality 45:53 Stopping Online Fraud 52:13 Bring your own AI 57:05 Cyber Mayday ---------------------------------------------------------------------- To read about Dan visit https://www.govtech.com/authors/dan-lohrmann.html To learn more about Dark Rhiino Security visit https://www.darkrhiinosecurity.com ---------------------------------------------------------------------- SOCIAL MEDIA: Stay connected with us on our social media pages where we'll give you snippets, alerts for new podcasts, and even behind the scenes of our studio! Instagram: @securityconfidential and @Darkrhiinosecurity Facebook: @Dark-Rhiino-Security-Inc Twitter: @darkrhiinosec LinkedIn: @dark-rhiino-security Youtube: @DarkRhiinoSecurity
Ever wondered how the best defenders become unstoppable? They think like the attackers. In this episode with Jason Haddix, we reveal the strategies hackers don't want you to know about and show you how to use them to your advantage. Jason, CEO of Arcanum Information Security and Field CISO at Flare, helps us step into the mind of a hacker. With stories and insights that will change how you think about cybersecurity, he talks about the tactics that can turn any security program into a fortress. From exploiting the overlooked to using AI for unbeatable defense, this conversation will revolutionize your approach to cybersecurity. 00:00 Introduction 01:29 Jason Haddix, CEO at Arcanum and Field CISO for Flare 04:48 Origins of Arcanum 07:04 Recon in Cybersecurity 12:22 Recon Discoveries 27:41 Flare's Role in Credential Management 33:47 Tooling for Small Businesses 35:47 Using AI for Cybersecurity 41:23 Flare Platform Deep Dive 43:20 Conclusion Links: Connect with our guest, Jason Haddix: https://www.linkedin.com/in/jhaddix/ Check out Flare here: https://flare.io Check out Arcanum here: https://www.arcanum-sec.com/ Check out our upcoming events: https://www.hackervalley.com/livestreams Join our creative mastermind and stand out as a cybersecurity professional: https://www.patreon.com/hackervalleystudio Love Hacker Valley Studio? Pick up some swag: https://store.hackervalley.com Continue the conversation by joining our Discord: https://hackervalley.com/discord Become a sponsor of the show to amplify your brand: https://hackervalley.com/work-with-us/
On this episode of The Cybersecurity Defenders Podcast, we unpack the hacker mindset with Ken Westin, Senior Solutions Engineer at LimaCharlie. Ken is a seasoned thought leader in cybersecurity who has spent years analyzing and understanding the intricacies of cyber threats and the methods behind them. Ken has a unique ability to identify emerging trends in the industry and to figure out how businesses can protect themselves before they fall victim to attacks. Prior to his current role, Ken was the Field CISO at Panther, where he developed workshops and delivered them around the world. His career also includes significant contributions at Cybereason, Elastic, and Splunk, where he drove security growth, developed innovative tools, and shaped industry conversations on cybersecurity. Ken has been a key spokesperson in the industry, frequently quoted in the media and featured at major conferences like Black Hat and DEF CON. Ken recently joined the team at LimaCharlie as a Senior Solutions Engineer, with the intent to use his deep expertise to help organizations build robust security strategies.
Ken's reading list:
“Daemon” - Daniel Suarez
“Cryptonomicon” - Neal Stephenson
“The Myth of Normal” - Gabor Maté
“Threats: What Every Engineer Should Learn From Star Wars” - Adam Shostack
“The Mitrokhin Archive” - Christopher Andrew & Vasili Mitrokhin
“The Road” - Cormac McCarthy
The song at the end of the podcast: Decrypted Savant - Mercator Misconceptions
About the CISO Circuit Series
Sean Martin and Michael Piacente will join forces roughly once per month to discuss everything from looking for a new job, entering the field, finding the right work/life balance, examining the risks and rewards in the role, building and supporting your team, the value of the community, relevant newsworthy items, and so much more. Join us to help us understand the role of the CISO so that we can collectively find a path to Redefining CyberSecurity. If you have a topic idea or a comment on an episode, feel free to contact Sean Martin.
Guest: Michael Piacente, Managing Partner and Cofounder of Hitch Partners
On ITSPmagazine | https://www.itspmagazine.com/itspmagazine-podcast-radio-hosts/michael-piacente
Host: Sean Martin, Co-Founder at ITSPmagazine [@ITSPmagazine] and Host of Redefining CyberSecurity Podcast [@RedefiningCyber]
On ITSPmagazine | https://www.itspmagazine.com/itspmagazine-podcast-radio-hosts/sean-martin
This Episode's Sponsors
LevelBlue: https://itspm.ag/levelblue266f6c
Coro: https://itspm.ag/coronet-30de
SquareX: https://itspm.ag/sqrx-l91
Britive: https://itspm.ag/britive-3fa6
AppDome: https://itspm.ag/appdome-neuv
Episode Notes
In the latest episode of the CISO Circuit Series on the Redefining CyberSecurity Podcast, Sean Martin and Michael Piacente join forces in Las Vegas during the Black Hat USA 2024 Conference to engage in an insightful conversation about the evolving role of the Field CISO. Sean Martin is joined by Michael Piacente, Managing Partner and Co-Founder at Hitch Partners, as they dissect the significance and responsibilities of Field CISOs in today's cybersecurity landscape.
A primary focus of the episode is understanding what a Field CISO actually entails. Michael Piacente explains that the role of Field CISO varies widely across organizations, but it generally falls into two categories: customer engagement and sales enablement. Companies might hire Field CISOs to build operational risk assessments and customer relationships, or to drive the technical sales process. For instance, Field CISOs play a pivotal role in product companies by acting as trusted advisors who help communicate complex technical topics in a digestible manner to potential clients.
Michael also highlights key attributes that make a Field CISO successful, such as genuine cybersecurity experience, deep technical knowledge, a reputable name in the community, and robust networking skills. Successful Field CISOs can seamlessly transition between discussing technical details and broader strategic goals with stakeholders. Their role often includes influencing product development by bringing practical insights from customers back to the engineering teams.
One crucial point raised during the discussion is the integrity and trustworthiness required for a Field CISO. Sean and Michael emphasize that maintaining trust within the CISO community is paramount. Field CISOs should avoid crossing lines between promotional activities and genuine advisory roles. They assert that integrity and transparency remain foremost in these roles, as they are often looked to for unbiased, independent advice.
Another topic discussed is how organizations should approach hiring for the Field CISO role. Michael Piacente points out the importance of setting clear expectations, understanding the balance between operational duties and sales enablement, and ensuring that the Field CISO is genuinely aligned with the company's mission and capable of maintaining community trust.
Overall, this episode sheds light on the nuanced nature of the Field CISO role, providing valuable insights for both aspiring Field CISOs and organizations looking to hire one. As the role continues to evolve, Michael and Sean underscore the need for a thoughtful approach to defining responsibilities and fostering an environment where integrity and expertise thrive.
Follow our Black Hat USA 2024 coverage: https://www.itspmagazine.com/black-hat-usa-2024-hacker-summer-camp-2024-event-coverage-in-las-vegas
All links and images for this episode can be found on CISO Series. Check out this post for the discussion that is the basis of our conversation on this week's episode co-hosted by me, David Spark (@dspark), the producer of CISO Series, and Geoff Belknap (@geoffbelknap). Joining us is Bil Harmer, operating partner and CISO, Craft Ventures.

In this episode: A time and a place for Field CISOs; This isn't a new role; Consulting the Field CISO; Words mean things.

Thanks to our podcast sponsor, Cyera. Cyera's AI-powered data security platform gives companies visibility over their sensitive data, context over the risk it represents, and actionable, prioritized remediation guidance. As a cloud-native, agentless platform, Cyera provides holistic data security coverage across SaaS, PaaS, IaaS and on-premise environments. Visit www.cyera.io to learn more.
Jeremiah Roe has held many roles in cybersecurity: Field CISO, Red Teamer, Advisor, Consultant, etc. He currently advises for OffSec, who provide quality cybersecurity training. Drew Simonis and Allan Alford determined that Jeremiah would be a great guest for launching a 3-part mini series, each of the three shows exploring People, Process and Technology respectively.

The three cover the following topics in a lively conversation that journeys into several aspects of People as they relate to cybersecurity: People, Process, and Technology: which is most important? If they knew what we knew about cybersecurity, would they behave differently? How to leverage training budgets for a win-win-win. People gonna peop, businesses gonna biz. Incentivization, positive reinforcement and deputization. Enabling camaraderie, not just good culture. Groupthink and tribalism.

Join the three as they ride the cyber trails of "People" in the PPT triad! Y'all be good now!
"How do you drive trust in a digital first or software first world?" This is the question that Francis Ofungwu, Global Field CISO at GitLab, helps customers answer every day. Securing software development is unlike enterprise security, where CISOs have strong visibility into the environment and can exercise direct control. To secure software, leaders must convince those outside of their department to buy-in on their strategy and implement needed changes. Learn Francis' secrets for winning support and securing the SDLC in this episode of The CISO's Gambit.
Jake Bernardes, Field CISO of Anecdotes, joins the Breaking Badness Cybersecurity Podcast in this week's episode! We're sharing Jake's background and path within infosec along with what's intriguing him about the industry currently, how conferences and in-person events can still play a role in community involvement, and we'll touch briefly on American history.
Break through? No, PUNCH through the AI hype in cybersecurity with this week's guest, Mani Keerthi, Field CISO. George K and George A talk to Mani about:
Welcome to a new episode of the Security Podcast in Silicon Valley, a YSecurity production, where we delve into the ever-evolving landscape of cybersecurity, with Clea Ostendorf, Field CISO at Code42, as our distinguished guest. Clea's journey from an aspiring diplomat to a front-runner in cybersecurity offers profound insights into her unique approach that is reshaping the realm of data protection. Join us as our host Jon McLachlan, a seasoned expert in the field, engages Clea in a deep dive into how she merges traditional security methods with the pressing challenges of today's digital world. Discover how Clea advocates for a collaborative security community and navigates the complex balance of work-life harmony in a demanding field. Tune in to uncover Clea's strategies for fostering a culture of security that supports growth and innovation while protecting against insider threats. This episode is a must-listen for anyone interested in the intersections of technology, security, and corporate culture.
In this episode of the BetterTech podcast, host Haseeb Khan interviews Beth Miller, Field CISO at Code42 and co-owner of Resilience Consulting Group. Beth discusses her 20-year career in cybersecurity, highlighting her transition from government roles to her current position. She emphasizes the importance of a proactive security culture and shares how Code42's tools, like Insider and Instructor, help manage risks effectively. Beth also addresses data security challenges in the age of AI and offers advice for those pursuing careers in cybersecurity. She underscores the value of integrating risk management into corporate culture and the critical role of continuous education. This episode provides insights into building a strong security culture and navigating modern cybersecurity challenges. --- Send in a voice message: https://podcasters.spotify.com/pod/show/bettertech/message
“If you think about it from a cybersecurity perspective, how do you defend as an organization what you don't thoroughly understand?” asks Stephen Aiello, Field CISO at AHEAD. “For most organizations, when you think about the age of a lot of large-scale organizations, they've grown, they have developed over time. A lot of them have grown through acquisition and just the legacy infrastructure and the size and complexity of the infrastructure is really, really challenging for most organizations to manage. You build and build and build over time. And then people retire, people move. I just worked with a large insurance firm, a global insurance firm. And they were talking about one of their cloud environments. And they said, you know, none of the people that built this environment work here anymore. Like nobody really knows how it was stood up.”

In this podcast, Stephen Aiello, a frontline CISO and an active member of the Cisco Advisory Board, describes the challenge from the inside out, including the real-world challenge of kit-bashed networks, assembled over time and under different IT leadership teams, along with the ongoing challenge of a cybersecurity threat that changes by the hour. Stephen Aiello walks us through the issues and discusses Cisco Hypershield. “We've been saying that we want to get security as close to the asset or as close to the data as possible.” We discuss how Cisco Hypershield answers that need, especially in light of industries that not only have special IoT needs, but also operate under a rigorous regulatory structure. Visit www.cisco.com
Jason Mar-Tang is the AVP, Field CISO at Pentera. In this episode, he joins host Charlie Osbourne to discuss Pentera's annual pentesting report, "The State Of Pentesting 2024." Findings include that 51 percent of enterprises admitted to being compromised by a cyberattack over the past 2 years, the frequency gap between the rate of security testing and the rate of organizational change, and more. Cyber Strong is a Cybercrime Magazine podcast series brought to you by Pentera, the leader in automated security validation. Learn more about our sponsor at https://pentera.io.
We hope you enjoy this conversation with Rob as much as we did. Rob discusses the evolution of cyber threats, ransomware gangs, and the increasing importance of cyber security for businesses. He highlights the importance of collaboration between cybersecurity professionals and different company departments. He also mentions the positive trends of organizations adopting Security Operations Center (SOC) services and a renewed focus on compliance, driven by the need to limit potential litigation costs.

Connect with Rob: https://www.linkedin.com/in/robfitzgerald/
Visit Blue Mantis: https://www.bluemantis.com/
Visit Shortarms website: https://www.shortarmsolutions.com/

You can follow us at:
LinkedIn: https://www.linkedin.com/company/shortarmsolutions
YouTube: https://www.youtube.com/@shortarmsolutions
Twitter/X: https://twitter.com/ShortArmSAS
This episode is filled with so much gold, we should charge you Big 4 consulting fees just to listen to it! Industry leader Merritt Baer talks about the role of the Field CISO, and how she advises young companies. But in between those topics is so much fire. George K and George A talk to Merritt about:
In this episode of InTechnology, Camille gets into what CISOs should be focusing on this year with Jonathan Nguyen-Duy, Field CISO at Intel. They talk about the security insights from Verizon's annual breach report, why cybersecurity is still struggling as an industry despite more spending and more jobs than ever before, new regulations on reporting cyberattacks, the ever-increasing importance of zero trust, improving user experiences while increasing data privacy, protecting critical national infrastructure, converging vendors to platforms and automating around that, the role of AI and generative AI in security, and more. The views and opinions expressed are those of the guests and author and do not necessarily reflect the official policy or position of Intel Corporation.
Richard LaTulip, Field CISO at Recorded Future, is a former Special Agent in the U.S. Secret Service, Cyber Intelligence Section. In this episode, he joins host Charlie Osborne to discuss his experience hunting down cybercriminals, which required him to go undercover to locate, identify, and unmask the threat actors wreaking havoc in the digital world, as well as how this experience will give him new perspectives as a CISO. • For more on cybersecurity, visit us at https://cybersecurityventures.com
In this Risky Business News sponsor interview Tom Uren talks to Ken Westin, Field CISO at Panther about how the rise of cloud and hybrid IT architectures requires a new type of SIEM.
About the CISO Circuit Series
Sean Martin and Michael Piacente will join forces roughly once per month to discuss everything from looking for a new job, entering the field, finding the right work/life balance, examining the risks and rewards in the role, building and supporting your team, the value of the community, relevant newsworthy items, and so much more. Join us to help us understand the role of the CISO so that we can collectively find a path to Redefining CyberSecurity. If you have a topic idea or a comment on an episode, feel free to contact Sean Martin.

Guests:
Michael Piacente, Managing Partner and Cofounder of Hitch Partners
On ITSPmagazine | https://www.itspmagazine.com/itspmagazine-podcast-radio-hosts/michael-piacente
Omar Khawaja, VP Security, Field CISO at Databricks [@databricks]
On LinkedIn | https://www.linkedin.com/in/smallersecurity/
On Twitter | https://twitter.com/smallersecurity

Host: Sean Martin, Co-Founder at ITSPmagazine [@ITSPmagazine] and Host of Redefining CyberSecurity Podcast [@RedefiningCyber]
On ITSPmagazine | https://www.itspmagazine.com/itspmagazine-podcast-radio-hosts/sean-martin

This Episode's Sponsors
Imperva | https://itspm.ag/imperva277117988
Pentera | https://itspm.ag/penteri67a

Episode Notes
In this special CISO Circuit Series edition of the Redefining CyberSecurity podcast, Sean Martin and Michael Piacente engage in a thought-provoking conversation with Omar Khawaja, VP of Security and Field CISO at Databricks. Driven by a conversation with 75 of his CISO peers, Omar brings his unique perspective to the table, discussing the evolving role of a CISO and the importance of aligning security efforts with business needs.

Drawing on his experiences transitioning from a CISO at a large healthcare organization to a Field CISO, Omar shares insights on how he assists other CISOs, particularly in managing their data and implementing AI. He emphasizes the necessity of effective communication, audience awareness, and collaboration. Using the metaphor of a plane journey, Omar illustrates the importance of delivering a clear, simplified view of security efforts to stakeholders.

A significant part of the conversation revolves around the importance of building strong relationships with other executives and being open about vulnerabilities. Omar stresses the value of maintaining a relentless curiosity and refraining from judgment to foster better relationships and collaboration. He also shares some practical techniques for CISOs, encouraging them to continuously work on the craft of asking the right questions and demonstrating curiosity.

This episode serves as a valuable resource for anyone interested in the ever-changing role of the CISO and the critical task of aligning security efforts with business needs. With its blend of practical advice, insightful metaphors, and real-world experiences, it's a must-listen for those looking to understand the complexities and challenges in the world of cybersecurity.

Watch this and other videos on ITSPmagazine's YouTube Channel
Redefining CyberSecurity Podcast with Sean Martin, CISSP playlist:
This year at AWS re:Invent we are going to interview conference attendees, AWS Heroes, and AWS employees. We're asking them what they are excited about at re:Invent and what they are working on! Join us to hear the answer to these questions from some of the top minds in the industry! Resources: https://www.linkedin.com/in/merrittbaer/ https://www.lacework.com/ https://twitter.com/MerrittBaer #reinvent #ciso #awsreinvent Intro music attribution: Artist - MaxKoMusic
The Mindful Business Security Show is a call-in radio style podcast for small business leaders. In this episode, Accidental CISO is accompanied by guest host Robert Wagner. Robert is a long-time cybersecurity professional. Over the years, he has held roles from Security Operations Center Analyst to Field CISO. He is a presenter, trainer, speaker, community organizer, and co-founder of the Hack4Kids organization, a non-profit that teaches kids about cybersecurity. Join them as they take questions from callers about secure collaboration and password managers live from the Focivity booth at the Securing Sexuality conference in Detroit. You can find Robert online on LinkedIn.

Are you struggling with how to deal with Cybersecurity, Information Security, or Risk Management in your organization? Be a caller on a future episode of the show. Visit our podcast page and sign up now!

Website: https://www.focivity.com/podcast
Show Store: https://shop.mindfulsmbshow.com/
Twitter: @mindfulsmbshow
Hosted by: @AccidentalCISO
Produced by: @Focivity
Music by Michael Korbin from Pixabay
Mick Leach is Field CISO of Abnormal Security, an AI-native email security company that uses behavioral AI to prevent business email compromise, vendor fraud, and other socially-engineered attacks. At Abnormal, he is responsible for threat hunting and analysis, engaging with customers, and is a featured speaker at global industry conferences and events. Previously, he led security operations organizations at Abnormal, Alliance Data, and Nationwide Insurance, and also spent more than 8 years serving in the US Army's famed Cavalry Regiments. A passionate information security practitioner, Mick holds 7 SANS/GIAC certifications, coupled with 20+ years of experience in the IT and security industries. When not digging through logs or discussing operational metrics, Mick can typically be found on a soccer field, coaching one of his 13 kids.

Abnormal Security: https://abnormalsecurity.com/unfiltered
Abnormal Security provides the leading behavioral AI-based email security platform.

Disclaimer: This post contains affiliate links. If you make a purchase, I may receive a commission at no extra cost to you.

Support the show
Affiliate Links:
NordVPN: https://go.nordvpn.net/aff_c?offer_id=15&aff_id=87753&url_id=902

Follow the Podcast on Social Media!
Instagram: https://www.instagram.com/secunfpodcast/
Twitter: https://twitter.com/SecUnfPodcast
Patreon: https://www.patreon.com/SecurityUnfilteredPodcast
YouTube: https://www.youtube.com/@securityunfilteredpodcast
TikTok: Not today China! Not today
Alex Lawrence, Field CISO at Sysdig, joins Corey on Screaming in the Cloud to discuss how he went from studying bioluminescence and mycology to working in tech, and his stance on why open source is the future of cloud security. Alex draws an interesting parallel between the creative culture at companies like Pixar and the iterative and collaborative culture of open-source software development, and explains why iteration speed is crucial in cloud security. Corey and Alex also discuss the pros and cons of having so many specialized tools that tackle specific functions in cloud security, and the different postures companies take towards their cloud security practices.

About Alex
Alex Lawrence is a Field CISO at Sysdig. Alex has an extensive history working in the datacenter as well as with the world of DevOps. Prior to moving into a solutions role, Alex spent a majority of his time working in the world of OSS on identity, authentication, user management and security. Alex's educational background has nothing to do with his day-to-day career; however, if you'd like to have a spirited conversation on bioluminescence or fungus, he'd be happy to oblige.

Links Referenced:
Sysdig: https://sysdig.com/
sysdig.com/opensource: https://sysdig.com/opensource
falco.org: https://falco.org

Transcript

Announcer: Hello, and welcome to Screaming in the Cloud with your host, Chief Cloud Economist at The Duckbill Group, Corey Quinn. This weekly show features conversations with people doing interesting work in the world of cloud, thoughtful commentary on the state of the technical world, and ridiculous titles for which Corey refuses to apologize. This is Screaming in the Cloud.

Corey: Welcome to Screaming in the Cloud. I'm Corey Quinn. This promoted guest episode is brought to us by our friends over at Sysdig, and they have brought to me Alexander Lawrence, who's a principal security architect over at Sysdig.
Alexander, thank you for joining me.

Alex: Hey, thanks for having me, Corey.

Corey: So, we all have fascinating origin stories. Invariably you talk to someone, no one in tech emerged fully-formed from the forehead of some God. Most of us wound up starting off doing this as a hobby, late at night, sitting in the dark, rarely emerging. You, on the other hand, studied mycology, so watching the rest of us sit in the dark and growing mushrooms was basically how you started, is my understanding of your origin story. Accurate, not accurate at all, or something in between?

Alex: Yeah, decently accurate. So, I was in school during the wonderful tech bubble burst, right, high school era, and I always told everybody, there's no way I'm going to go into technology. There's tons of people out there looking for a job. Why would I do that? And let's face it, everybody expected me to, so being an angsty teenager, I couldn't have that. So, I went into college looking into whatever I thought was interesting, and it turned out I had a predilection to go towards fungus and plants.

Corey: Then you realized some of them glow and that wound up being too bright for you, so all right, we're done with this; time to move into tech?

Alex: [laugh]. Strangely enough, my thesis, my capstone, was on the coevolution of bioluminescence across aquatic and terrestrial organisms. And so, did a lot of focused work on specifically bioluminescent fungus and bioluminescing fish, like Photoblepharon palpebratus and things like that.

Corey: When I talk to people who are trying to figure out, okay, I don't like what's going on in my career, I want to do something different, and their assumption is, oh, I have to start over at square one. It's no, find the job that's halfway between what you're doing now and what you want to be doing, and make lateral moves rather than starting over five years in or whatnot.
But I have to wonder, how on earth did you go from A to B in this context?

Alex: Yeah, so I had always done tech. My first job really was in tech at the school districts that I went to in high school. And so, I went into college doing tech. I volunteered at the ELCA and other organizations doing tech, and so it basically funded my college career. And by the time I finished up through grad school, I realized my life was going to be writing papers so that other people could do the research that I was coming up with, and I thought that sounded like a pretty miserable life.

And so, it became a hobby, and the thing I had done throughout my entire college career was technology, and so that became my new career and vocation. So, I was kind of doing both, and then ended up landing in tech for the job market.

Corey: And you've effectively moved through the industry to the point where you're now in security architecture over at Sysdig, which, when I first saw Sysdig launch many years ago, it was, this is an interesting tool. I can see observability stories, I can see understanding what's going on at a deep level. I liked it as a learning tool, frankly. And it makes sense, with the benefit of hindsight, that oh, yeah, I suppose it does make some sense that there are security implications thereof. But one of the things that you've said that I really want to dig into that I'm honestly in full support of because it'll irritate just the absolute worst kinds of people is that one of the core beliefs that you espouse is that security when it comes to cloud is inherently open-source-based or at least derived. I don't want to misstate your position on this. How do you view it?

Alex: Yeah. Yeah, so basically, the stance I have here is that the future of security in cloud is open-source.
And the reason I say that is that it's a bunch of open standards that have basically produced a lot of the technologies that we're using in that stack, right, your web servers, your automation tooling, all of your different components are built on open stacks, and people are looking to other open tools to augment those things. And the reality is that the security environment that we're in is changing drastically in the cloud as opposed to what it was like in the on-premises world. On-prem was great (it still is great; a lot of folks still use it and thrive on it) but as we look at the way software is built and the way we interface with infrastructure, the cloud has changed that dramatically.

Basically, things are a lot faster than they used to be. The model we have to use in order to make sure our security is good has dramatically changed, right, and all that comes down to speed and how quickly things evolve. I tend to take a position that one single brain, one entity, so to speak, can't keep up with that rapid evolution of things. Like, a good example is Log4j, right? When Log4j hit this last year, that was a pretty broad attack that affected a lot of people. You saw open tooling out there, like Falco and others, they had a policy to detect and help triage that within a couple of hours of it hitting the internet. Other proprietary tooling, it took much longer than two hours.

Corey: Part of me wonders what the root cause behind that delay is because it's not that the engineers working at these companies are somehow worse than folks in the open communities. In some cases, they're the same people. It feels like it's almost corporate process ossification of, “Okay, we built a thing. Now, we need to make sure it goes through branding and legal and marketing and we need to bring in 16 other teams to make this work.” Whereas in the open-source world, it feels like there's much more of a, “I push the deploy button and it's up. The end.” There is no step two.

Alex: [laugh].
Yeah, so there is certainly a certain element of that. And I think it's just the way different paradigms work. There's a fantastic book out there called Creativity, Inc., and it's basically a book about how Pixar manages itself, right? How do they deal with creating movies? How do they deal with doing what they do, well?

And really, what it comes down to is fostering a culture of creativity. And that typically revolves around being able to fail fast, take risks, see if it sticks, see if it works. And it's not that corporate entities don't do that. They certainly do, but again, if you think about the way the open-source world works, people are submitting, you know, PRs, pull requests, they're putting out different solutions, different fixes to problems, and the ones that end up solving it the best are often the ones that end up coming to the top, right? And so, it's just—the way you iterate is much more akin to that kind of creativity-based mindset that I think you get out of traditional organizations and corporations.

Corey: There's also, I think—I don't know if this is necessarily the exact point, but it feels like it's at least aligned with it—where there was for a long time—by which I mean, pretty much 40 years at this point—a debate between open disclosure and telling people of things that you have found in vendors' products versus closed disclosure; you only wind—or whatever the term is where you tell the vendor, give them time to fix it, and it gets out the door. But we've seen again and again and again, where researchers find something, report it, and then it sits there, in some cases for years, but then when it goes public and the company looks bad as a result, they scramble to fix it.
I wish it were not this way, but it seems that in some cases, public shaming is the only thing that works to get companies to secure their stuff.

Alex: Yeah, and I don't know if it's public shaming, per se, that does it, or it's just priorities, or it's just, you know, however it might go, there's always been this notion of, “Okay, we found a breach. Let's disclose appropriately, you know, between two entities, give time to remediate.” Because there is a potential risk that if you disclose publicly that it can be abused and used in very malicious ways—and we certainly don't want that—but there also is a certain level of onus once the disclosure happens privately that we got to go and take care of those things. And so, it's a balancing act.

I don't know what the right solution is. I mean, if I did, I think everybody would benefit from things like that, but we just don't know the proper answer. The workflow is complex, it is difficult, and I think doing our due diligence to make sure that we disclose appropriately is the right path to go down. When we get those disclosures, we need to take them seriously; that's what it comes down to.

Corey: What I find interesting is your premise that the future of cloud security is open-source. Like, I could make a strong argument that today, we definitely have an open-source culture around cloud security and need to, but you're talking about that shifting along the fourth dimension. What's the change? What do you see evolving?

Alex: Yeah, I think for me, it's about the collaboration. I think there are segments of industries that communicate with each other very, very well, and I think there's others who do a decent job, you know, behind closed doors, and I think there's others, again, that don't communicate at all.
So, all of my background predominantly has been in higher-ed, K-12, academia, and I find that a lot of those organizations do an extremely good job of partnering together, working together to move towards, kind of, a greater good, a greater goal. An example of that would be a group out in the Pacific Northwest called NWACC—the NorthWest Academic Computing Consortium. And so, it's every university in the Northwest all come together to have CIO Summits, to have Security Summits, to trade knowledge, to work together, basically, to have a better overall security posture.

And they do it pretty much out in the open and collaborating with each other, even though they are also direct competitors, right? They all want the same students. It's a little bit of a different way of thinking, and they've been doing it for years. And I'm finding that to be a trend that's happening more and more outside of just academia. And so, when I say the future is open, if you think about the tooling academia typically uses, it is very open-source-oriented, it is very collaborative.

There's no specifications on things like eduPerson to be able to go and define what a user looks like. There's things like, you know, CAS and Shibboleth to do account authorization and things like that. They all collaborate on tooling in that regard. We're seeing more of that in the commercial space as well. And so, when I say the future of security in cloud is open-source, it's models like this that I think are becoming more and more effective, right?

It's not just the larger entities talking to each other. It's everybody talking with each other, everybody collaborating with each other, and having an overall better security posture. The reality is, is that the folks we're defending ourselves against, they already are communicating, they already are using that model to work together to take down who they view as their targets: us, right? We need to do the same to be able to keep up.
We need to be able to have those conversations openly, work together openly, and be able to set that security posture across that kind of overall space.

Corey: There's definitely a concern that if okay, you have all these companies and community collaborating around security aspects in public, that well won't the bad actors be able to see what they're looking at and how they're approaching it and, in some cases, move faster than they can or, in other cases, effectively wind up polluting the conversation by claiming to be good actors when they're not. And there's so many different ways that this can manifest. It feels like fear is always the thing that stops people from going down this path, but there is some instance of validity to that I would imagine.

Alex: Yeah, no. And I think that certainly is true, right? People are afraid to let go of, quote-unquote, “The keys to their kingdom,” their security posture, their things like that. And it makes sense, right? There's certain things that you would want to not necessarily talk about openly, like, specifically, you know, what Diffie–Hellman key exchange you're using or something like that, but there are ways to have these conversations about risks and posture and tooling and, you know, ways you approach it that help everybody else out, right?

If someone finds a particularly novel way to do a detection with some sort of piece of tooling, they probably should be sharing that, right? Let's not keep it to ourselves. Traditionally, just because you know the tool doesn't necessarily mean that you're going to have a way in. Certainly, you know, it can give you a path or a vector to go after, but if we can at least have open standards about how we implement and how we can go about some of these different concepts, we can all gain from that, so to speak.

Corey: Part of me wonders if the existing things that the large companies are collaborating on lead to a culture that specifically pushes back against this.
A classic example from my misspent youth is that an awful lot of the anti-abuse departments at these large companies are in constant communication. Because if you work at Microsoft, or Google or Amazon, your adversary, as you see it, in the Trust and Safety Group is not those other companies. It's bad actors attempting to commit fraud. So, when you start seeing particular bad actors emerging from certain parts of the network, sharing that makes everything better because there's an understanding there that it's not, “Oh, Microsoft has bad security this week,” or, “Google will wind up approving fraudulent accounts that start spamming everyone.”

Because the takeaway by the customers is not that this one company is bad; it's oh, the cloud isn't safe. We shouldn't use cloud. And that leads to worse outcomes for basically everyone. But they're als—one of the most carefully guarded secrets at all these companies is how they do fraud prevention and spam detection because if adversaries find that out, working around them becomes a heck of a lot easier. I don't know, for example, how AWS determines whether a massive account overage in a free-tier account is considered to be a bad actor or someone who made a legitimate mistake. I can guess, but the actual signal that they use is something that they would never in a million years tell me. They probably won't even tell each other specifics of that.

Alex: Certainly, and I'm not advocating that they let all of the details out, per se, but I think it would be good to be able to have more of an open posture in terms of, like, you know, what tooling do they use? How do they accomplish that feat? Like, are they looking at a particular metric? How do they basically handle that posture going forward?
Like, what can I do to replicate a similar concept?

I don't need to know all the details, but it would be nice if they embrace, you know, open tooling, like say a Trivy or a Falco or whatever the thing is, right, they're using to do this process and then contribute back to that project to make it better for everybody. When you kind of keep that stuff closed-source, that's when you start running into that issue where, you know, they have that, quote-unquote, “Advantage,” that other folks aren't getting. Maybe there's something we can do better in the community, and if we can all be better, it's better for everybody.

Corey: There's a constant customer pain in the fact that every cloud provider, for example, has its own security perspective—the way that identity is managed, the way that security boundaries exist, the way that telemetry from these things winds up getting represented—where a number of companies that are looking at doing things that have to work across cloud for a variety of reasons—some good, some not so good—have decided that, okay, we're just going to basically treat all these providers as, more or less, dumb pipes and dumb infrastructure. Great, we're just going to run Kubernetes on all these things, and then once it's inside of our cluster, then we'll build our own security overlay around all of these things. They shouldn't have to do that. There should be a unified set of approaches to these things. At least, I wish there were.

Alex: Yeah, and I think that's where you see a lot of the open standards evolving. A lot of the different CNCF projects out there are basically built on that concept. Like, okay, we've got Kubernetes. We've got a particular pipeline, we've got a particular type of implementation of a security measure or whatever it might be.
And so, there's a lot of projects built around how do we standardize those things and make them work cross-functionally, regardless of where they're running.

It's actually one of the things I quite like about Kubernetes: it makes it be a little more abstract for the developers or the infrastructure folks. At one point in time, you had your on-premises stuff and you built your stuff towards how your on-prem looked. Then you went to the cloud and started building yourself to look like what that cloud looked like. And then another cloud showed up and you had to go use that one. Got to go refactor your application to now work in that cloud.

Kubernetes has basically become, like, this gigantic API ball to interface with the clouds, and you don't have to build an application four different ways anymore. You can build it one way and it can work on-prem, it can work in Google, Azure, IBM, Oracle, you know, whoever, Amazon, whatever it needs to be. And then that also enables us to have a standard set of tools. So, we can use things like, you know, Rego or we can use things like Falco or we can use things that allow us to build tooling to secure those things the same way everywhere we go. And the benefit of most of those tools is that they're also configured, you know, via some level of codification, and so we can have a repository that contains our posture: apply that posture to that cluster, apply it to the other cluster in the other environment. It allows us to automate these things, go quicker, build the posture at the very beginning, along with that application.

Corey: One of the problems I feel as a customer is that so many of these companies have a model for interacting with security issues that's frankly obnoxious.
I am exhausted by the amount of chest-thumping you'll see on keynote stages, all of the theme, “We're the best at security.” And whenever a vulnerability researcher reports something of a wide variety of different levels of severity, it always feels like the first concern from the company is not fix the issue, but rather, control the messaging around it.

Whenever there's an issue, it's very clear that they will lean on people to rephrase things, not use certain words. It's, I don't know if the words used to describe this cross-tenant vulnerability are the biggest problem you should be focusing on right now. Yes, I understand that you can walk and chew gum at the same time as a big company, but it almost feels like the researchers are first screaming into a void, and then they're finally getting attention, but from all the people they don't want to get the attention from. It feels like this is not a welcoming environment for folks to report these things in good faith.

Alex: [sigh]. Yeah, it's not. And I don't know what the solution is to that particular problem. I have opinions about why that exists. I won't go into those here, but it's cumbersome. It's difficult. I don't envy a lot of those research organizations.

They're fantastic people coming up with great findings, they find really interesting stuff that comes out, but when you have to report and do that due diligence, that portion is not that fun. And then doing, you know, the fallout component, right: okay, now we have this thing we have to report, we have to go do something to fix it, you're right. I mean, people do often get really spun up on the verbiage or the implications and not just go fix the problem.
And so again, if you have ways to mitigate that are more standards-based, that aren't specific to a particular cloud, like, you can use an open-source tool to mitigate, that can be quite the advantage.

Corey: One of the challenges that I see across a wide swath of tooling and approaches to it have been that when I was trying to get some stuff to analyze CloudTrail logs in my own environment, I was really facing a bimodal distribution of options. On one end of the spectrum, it's a bunch of crappy stuff—or good stuff; hard to say—but it's all coming off of GitHub, open-source, build it yourself, et cetera. Good luck. And that's okay, awesome, but there's business value here and I'm thrilled to pay experts to make this problem go away.

The other end of the spectrum is commercial security tooling, and it is almost impossible in my experience to find anything that costs less than $1,000 a month to start providing insight from a security perspective. Now, I understand the market forces that drive this. Truly I do, and I'm sympathetic to them. It is just as easy to sell $50,000 worth of software as it is five to an awful lot of companies, so yeah, go where the money is. But it also means that the small end of the market as hobbyists, as startups are just getting started, there is a price barrier to engaging in the quote-unquote, “Proper way,” to do security.

So, the posture suffers. We'll bolt security on later when it becomes important is the philosophy, and we've all seen how well that plays out in the fullness of time. How do you square that circle? I think the answer has to be open-source improving to the point where it's not just random scripts, but renowned projects.

Alex: Correct, yeah, and I'd agree with that. And so, we're kind of in this interesting phase. So, if you think about, like, raw Linux applications, right, Linux, always is the tenet that you build an application to do one thing, does that one thing really, really, really well.
And then you ended up with this thing called, like, you know, the Cacti monitoring stack. And so, you ended up having, like, 600 tools you strung together to get this one monitoring function done.

We're kind of in a similar spot in a lot of ways right now, in the open-source security world where, like, if you want to do scanning, you can do, like, Clair or you can do Trivy or you have a couple different choices, right? If you want to do posture, you've got things like Qbench that are out there. If you want to go do runtime security stuff, you've got something like Falco. So, you've got all these tools to string together, right, to give you all of these different components. And if you want, you can build it yourself, and you can run it yourself and it can be very fun and effective.

But at some point in your life, you probably don't want to be care-and-feeding your child that you built, right? It's 18 years later now, and you want to go back to having your life, and so you end up buying a tool, right? That's why Gartner made this whole CNAP category, right? It's this humongous category of products that are putting all of these different components together into one gigantic package. And the whole goal there is just to make lives a little bit easier because running all the tools yourself, it's fun, I love it, I did it myself for a long time, but eventually, you know, you want to try to work on some other stuff, too.

Corey: At one point, I wound up running the numbers of all of the first-party security offerings that AWS offered, and for most use cases of significant scale, the cost for those security services was more than the cost of the theoretical breach that they'd be guarding against. And I think that there's a very dangerous incentive that arises when you start turning security observability into your own platform as a profit center.
Because it's, well, we could make a lot of money if we don't actually fix the root issue and just sell tools to address and mitigate some of it—not that I think that's the intentional direction that these companies are taking these things and I don't want to ascribe malice to them, but you can feel that start to be the trend that some decisions get pushed in.

Alex: Yeah, I mean, everything comes down to data, right? It has to be stored somewhere, processed somewhere, analyzed somewhere. That always has a cost with it. And so, that's always this notion of the shared security model, right? We have to have someone have ownership over that data, and most of the time, that's the end-user, right? It's their data, it's their responsibility.

And so, these offerings become things that they have that you can tie into to work within the ecosystem, work within their infrastructure to get that value out of your data, right? You know, where is the security model going? Where do I have issues? Where do I have misconfigurations? But again, someone has to pay for that processing time. And so, that ends up having a pretty extreme cost to it.

And so, it ends up being a hard problem to solve. And it gets even harder if you're multi-cloud, right? You can't necessarily use the tooling of AWS inside of Azure or inside of Google. And other products are trying to do that, right? They're trying to be able to let you integrate their security center with other clouds as well.

And it's kind of created this really interesting dichotomy where you almost have frenemies, right, where you've got, you know, a big Azure customer who's also a big AWS customer. Well, they want to go use Defender on all of their infrastructure, and Microsoft is trying to do their best to allow you to do that. Conversely, not all clouds operate in that same capacity. And you're correct, they all come at extremely different costs, they have different price models, they have different ways of going about it.
And it becomes really difficult to figure out what is the best path forward.

Generally, my stance is anything is better than nothing, right? So, if your only choice is using Defender to do all your stuff and it costs you an arm or a leg, unfortunate, but great; at least you got something. If the path is, you know, go use this random open-source thing, great. Go do that. Early on, when I'd been at—was at Sysdig about five years ago, my big message was, you know, I don't care what you do. At least scan your containers. If you're doing nothing else in life, use Clair; scan the darn things. Don't do nothing.

That's not really a problem these days, thankfully, but now we're more to a world where it's like, well, okay, you've got your containers, you've got your applications running in production. You've scanned them, that's great, but you're doing nothing at runtime. You're doing nothing in your posture world, right? Do something about it. So, maybe that is buy the enterprise tool from the cloud you're working in, buy it from some other vendor, use the open-source tool, do something.

Thankfully, we live in a world where there are plenty of open tools out there we can adopt and leverage. You used the example of CloudTrail earlier. I don't know if you saw it, but there was a really, really cool talk at SharkFest last year from Gerald Combs where they leveraged Wireshark to be able to read CloudTrail logs. Which I thought was awesome.

Corey: That feels more than a little bit ridiculous, just because it's—I mean I guess you could extract the JSON object across the wire then reassemble it. But, yeah, I need to think on that one.

Alex: Yeah. So, it's actually really cool. They took the plugins from Falco that exist and they rewired Wireshark to leverage those plugins to read the JSON data from the CloudTrail and then wired it into the Wireshark interface to be able to do a visual inspect of CloudTrail logs.
So, just like you could do, like, a follow this IP with a PCAP, you could do the same concept inside of your cloud log. So, if you look up Logray, you'll find it on the internet out there. You'll see demos of Gerald showing it off. It was a pretty darn cool way to use a visualization, let's be honest, most security professionals already know how to use in a more modern infrastructure.

Corey: One last topic that I want to go into with you before we call this an episode is something that's been bugging me more and more over the years—and it annoyed me a lot when I had to deal with this stuff as a SOC 2 control owner and it's gotten exponentially worse every time I've had to deal with it ever since—and that is the seeming view of compliance and security as being one and the same, to the point where in one of my accounts that I secured rather well, I thought, I installed Security Hub and finally jumped through all those hoops and paid the taxes and the rest and then waited 24 hours to gather some data, then 24 hours to gather more. Awesome. Applied the AWS-approved foundational security benchmark to it and it started shrieking its bloody head off about all of the things that were insecure and not configured properly. One of them, okay, great, it complained that the ‘Block all S3 Public Access' setting was not turned on for the account. So, I turned that on. Great.

Now, it's still complaining that I have not gone through and also enabled the ‘Block Public Access Setting' on each and every S3 bucket within it. That is not improving your security posture in any meaningful way. That is box-checking so that someone in a compliance role can check that off and move on to the next thing on the clipboard. Now, originally, they started off being good-intentioned, but the result is I'm besieged by these things that don't actually matter and that means I'm not going to have time to focus on the things that actually do.
Please tell me I'm wrong on some of this.

Alex: [laugh].

Corey: I really need to hear that.

Alex: I can't. Unfortunately, I agree with you that a lot of that seems erroneous. But let's be honest, auditors have a job for a reason.

Corey: Oh, I'm not besmirching the role of the auditor. Far from it. The problem I run into is that it's the Human Nessus report that dumps out, “Here's the 700 things to go fix in your environment,” as opposed to, “Here's the five things you can do right now that will meaningfully improve your security posture.”

Alex: Yeah. And so, I think that's a place we see a lot of vendors moving, and I think that is the right path forward. Because we are in a world where we generate reports that are miles and miles long, we throw them over a wall to somebody, and that person says, “Are you crazy?” Like, “You want me to go do what with my time?” Like, “No. I can't. No. This is way too much.”

And so, if we can narrow these things down to what matters the most today, and then what can we get rid of tomorrow, that makes life better for everybody. There are certainly ways to accomplish that across a lot of different dimensions, be that vulnerability management, or configuration management stuff, runtime stuff, and that is certainly the way we should approach it. Unfortunately, not all frameworks allow us to look at it that way.

Corey: I mean, even AWS's thing here is yelling at me for a number of services not having encryption-at-rest turned on, like CloudTrail logs, or SNS topics. It's okay, let's be very clear what that is defending against: someone stealing drives out of a data center and taking them off to view the data. Is that something that I need to worry about in a public cloud provider context? Not unless I'm the CIA or something pretty close to that. I mean, if you can get my data out of an AWS data center and survive, congratulations, I kind of feel like you've earned it at this point.
But that obscures things I need to be doing that I'm not.

Alex: Back in the day, I had a customer who used to have—they had storage arrays and their storage arrays' logins were the default login that they came with the array. They never changed it. You just logged in with admin and no password. And I was like, “You know, you should probably fix that.” And he sent a message back saying, “Yeah, you know, maybe I should, but my feeling is that if it got that far into my infrastructure where they can get to that interface, I'm already screwed, so it doesn't really matter to me if I set that admin password or not.”

Corey: Yeah, there is a defense-in-depth argument to be made. I am not disputing that, but the Cisco world is melting down right now because of a bunch of very severe vulnerabilities that have been disclosed. But everything to exploit these things always requires, well you need access to the management interface. Back when I was a network administrator at Chapman University in 2006, even then, I knew, “Well, we certainly don't want to put the management interfaces on the same VLAN that's passing traffic.”

So, is it good that there's an unpatched vulnerability there? No, but Shodan, the security vulnerability search engine, shows over 80,000 instances that are affected on the public internet. It would never have occurred to me to put the management interface of important network gear on the public internet. That just is… I don't understand that.

Alex: Yeah.

Corey: So, on some level, I think the lesson here is that there's always someone who has something else to focus on at a given moment, and… where it's a spectrum: no one is fully secure, but ideally, you don't want to be the lowest of low-hanging fruit.

Alex: Right, right. I mean, if you were fully secure, you'd just turn it off, but unfortunately, we can't do that. We have to have it be accessible because that's our jobs. And so, if we're having it be accessible, we got to do the best we can.
And I think that is a good point, right? Not being the worst should be your goal, at the very, very least.

Doing bare minimums, looking at those checks, deciding if they're relevant for you or not, just because it says the configuration is required, you know, is it required in your use case? Is it required for your requirements? Like, you know, are you a FedRAMP customer? Okay, yeah, it's probably a requirement because, you know, it's FedRAMP. They're going to tell you you've got to do it. But is it your dev environment? Is it your demo stuff? You know, where does it exist, right? There's certain areas where it makes sense to deal with it and certain areas where it makes sense to take care of it.

Corey: I really want to thank you for taking the time to talk me through your thoughts on all this. If people want to learn more, where's the best place for them to find you?

Alex: Yeah, so they can either go to sysdig.com/opensource. A bunch of open-source resources there. They can go to falco.org, read about the stuff on that site, as well. Lots of different ways to kind of go and get yourself educated on stuff in this space.

Corey: And we will, of course, put links to that into the show notes. Thank you so much for being so generous with your time. I appreciate it.

Alex: Yeah, thanks for having me. I appreciate it.

Corey: Alexander Lawrence, principal security architect at Sysdig. I'm Cloud Economist Corey Quinn, and this episode has been brought to us by our friends, also at Sysdig. If you've enjoyed this podcast, please leave a five-star review on your podcast platform of choice, whereas if you've hated this podcast, please leave a five-star review on your podcast platform of choice, along with an insulting comment that I will then read later when I pick it off the wire using Wireshark.

Corey: If your AWS bill keeps rising and your blood pressure is doing the same, then you need The Duckbill Group. We help companies fix their AWS bill by making it smaller and less horrifying.
The Duckbill Group works for you, not AWS. We tailor recommendations to your business and we get to the point. Visit duckbillgroup.com to get started.
Guest: Ira Winkler, Field CISO for CYE security, Keynote Speaker, Bestselling Author
On LinkedIn | https://www.linkedin.com/in/irawinkler/
Host: Matthew Rosenquist
On ITSPmagazine
Merritt Baer is the Field CISO for Lacework and previously worked for AWS as a Principal in the Office of the CISO. She is a double Harvard graduate and also has experience in all three branches of government. In this conversation we discuss the evolving market segment for cloud security tools and then we jump into Enterprise culture and strategy.

Where to find Merritt
LinkedIn: https://www.linkedin.com/in/merrittbaer/
Twitter: https://twitter.com/MerrittBaer
Website: https://www.merrittrachelbaer.com/
Lacework: https://www.lacework.com/

Follow, Like, and Subscribe!
Podcast: https://www.thecloudgambit.com/
YouTube: https://www.youtube.com/@TheCloudGambit
LinkedIn: https://www.linkedin.com/company/thecloudgambit
Twitter: https://twitter.com/TheCloudGambit
TikTok: https://www.tiktok.com/@thecloudgambit
With organizations facing an ever-evolving threat landscape, how safe is it to equip your knowledge workers with Macs?

This week, Victoria and Kevin put Field CISO Brad Bowers in the hot seat. The trio meticulously dissects the impact of Apple's growing market share on its vulnerability to cyber threats and explores the nuanced reasons why organizations opt for Macs not just for status but for enhanced security. Brad provides helpful insights on Mac's operating system and hardware security, and a comprehensive overview of the distinct elements in the Mac security ecosystem.

Discussed in this episode:
The implications of Apple's rising market share on its susceptibility to cyber threats
Debunking misconceptions about Mac's impervious security and revealing the driving factors behind organizations' adoption of Mac systems
Analyzing the nuanced differences between Mac and Windows vulnerabilities, and exploring the unique security measures integrated into Mac's operating system and hardware.
Are you a founder, CEO, leader, or salesperson in the cybersecurity industry? Are you looking to grow your sales and revenue faster? In this episode of the Cybersecurity Startup Revenue Podcast, we dive into one way to avoid having your deals stalled out.
With the global cost of cybercrime expected to reach $10.5 trillion by 2025, cybersecurity has become a board-level imperative. According to the Diligent Institute survey 'What Directors Think,' board members ranked cybersecurity as the most challenging issue to oversee. Even though boards say cybersecurity is a priority, they have a long way to go to help their organizations become resilient to cyberattacks. Kayne McGladrey, Field CISO at Hyperproof and a senior IEEE member, sheds light on this important aspect of cybersecurity governance. The driving question being: How informed is the Board of Directors to provide effective oversight of cybersecurity governance?
Time Stamps
00:02 -- Introduction
03:06 -- Kayne McGladrey's professional highlights
04:01 -- 2023 Global CISO Survey Findings -- Do the Board of Directors have the necessary expertise to provide cybersecurity governance oversight?
07:24 -- CISO and Board of Directors Relationship
14:22 -- Effectively Empowering the CISO
20:07 -- Reasons for Board of Directors' Lack of Involvement
26:35 -- Board Members Cybersecurity Education and Training
45:27 -- Final Thoughts
Memorable Kayne McGladrey Quotes/Statements
"Interestingly enough, fewer than half of the board members regularly interact with their CISOs. This is an indicator of a communication gap, and potential alignment issues between board members and CISOs, which is really hindering progress in cybersecurity."
"I know a lot of businesses still see cybersecurity as a cost center. They don't see it as a strategic advantage."
"I can think of a CISO who I was just chatting with at Blackhat this year, who turned down a job they matched on salary expectations. But, they matched on job expectations, and they matched culturally. They will be reporting as the CISO to the Director of IT, not to the CIO, not to the CEO, but they're going to report to some down-level director, and they wouldn't be offered directors and officers insurance either. So effectively, they'd only be a CISO in title and C-level executive in title only, but not in practice. They recognize they were being hired in as a scapegoat. I think that's a persistent problem that we've seen associated with how companies are recruiting CISOs."
"I think CISOs should ideally report to the CEO or another C-level executive like the chief operating officer or chief financial officer. And that really allows for a direct line of communications to the top-level management and that emphasizes and underscores the importance of cybersecurity and strategic decisions."
"Cyber risk is a business risk. Cyber is just an influence."
"Boards think in terms of business risks. CISOs, unfortunately, don't often communicate in terms of business risks. CISOs often communicate a technical risk, like a risk of ransomware, or the risks associated with generative AI; those aren't risks; that's driving the communications gap. Literally how we talk as CISOs is part of what causes a lack of oversight on the part of the board because the board doesn't understand what it is that they should actually care about. And so, they disengage."
"Don't go to the board and say I have a problem, because they're not there to solve your problem. They want to know what you're doing about the problem. Also, they want to know if it's going to materially affect the business, I think if you go there with a problem, a solution and a proposal, you're probably going to have a much better time."
This week our guest, Merritt Baer, a Field CISO from Lacework and a cloud security unicorn, sits down to share her incredible story working through the ranks to get to where she is today. Before working at Lacework, Merritt served in the Office of the CISO at Amazon Web Services, as part of a small elite team that formed a Deputy CISO. She provided technical cloud security guidance to AWS' largest customers, like the Fortune 100, on security as a bottom-line proposition. She also has experience in all three branches of government and the private sector and served as Lead Cyber Advisor to the Federal Communications Commission. Merritt shares some amazing advice for up-and-comers into the field, saying "my personal philosophy is that no one has to go down for you to go up. I'm always encouraging my colleagues, um, and other executives to be thinking about how we can, you know, steel, sharpen, steel, how we can be good for each other, how we can collaborate, how we can, um, create more strengths in one another." We thank Merritt for sharing her story with us.
This week on Ask A CISSP, we have an interview with Kayne McGladrey, Field CISO at Hyperproof. In this very entertaining episode, we'll learn Kayne's amazing cybersecurity "origin story" and discuss the need for more diversity of culture and thought within cybersecurity. We'll also go into upcoming Federal and State policy and how he and his team have developed the tools necessary to keep up with the future of Governance, Risk, and Compliance. Don't miss out! Please LISTEN
This episode of the ADCG Privacy and Cybersecurity Podcast features Ken Westin, Field CISO for Panther Labs. Ken has been in the cybersecurity field for over 15 years, working with companies to improve their security posture through threat hunting, insider threat programs, and vulnerability research. We discuss how the lack of good application and data inventories impacts incident response. When data is spread across data centers, clouds, and SaaS providers, it becomes difficult to track and trace an incident and understand its impact, but it becomes especially hard if the data involves confidential or proprietary business data that is not tracked by privacy officers or if it includes sensitive data that may involve regulators. The recent MOVEit breach, which involved software used to transfer sensitive data between servers, systems, and applications, provided rich lessons in the need for data asset inventories and SIEMs that can correlate data across providers and platforms.
In this episode, we dive into the realm of cloud security with Merritt Baer, Field CISO of Lacework. Together, we look at the complex tapestry of perceptions surrounding on-premises security versus the cloud, shedding light on why some still view on-prem as the safer option. Merritt lends her expertise to dissect the trade-offs that companies face by remaining in the traditional on-premises sphere rather than embracing the potential of the cloud. We explore the security considerations unique to the cloud-native world, offering insights into what it takes to navigate this transformation securely. Whether you're a seasoned professional or just beginning your cloud journey, this episode will expand your understanding of cloud security, uncovering the pros, cons, and crucial factors to ponder when venturing into the realm of cloud computing.
Topics:
Why do people think on-prem is more secure?
What are the tradeoffs a company is making when they refuse to move to the cloud?
What are the new challenges facing a company once they've moved to the cloud from a security perspective that perhaps they didn't face in the on-prem world?
Does the cloud reduce or increase your security risk footprint?
Does the type of talent and team look different?
How are cloud-native security tools and platforms different from traditional on-premises security solutions?
How do you manage security at this kind of scale?
As organizations adopt multi-cloud and hybrid cloud strategies, how do you recommend they maintain consistent security measures across different cloud environments?
What are some emerging security threats in the cloud landscape, and how can organizations proactively defend against them?
What is keeping CISOs up at night?
Jeremy Ventura, Director of Security Strategy & Field CISO at ThreatX, discusses challenges associated with the use of generative AI in cybersecurity, and more in this episode of The Security Podcast.
On today's episode of Tech Talks Daily, we're diving deep into the world of cyber resilience with Deryck Mitchelson, Field CISO at Check Point Software. The number is staggering: organisations lost over $2.7 billion in email fraud last year. But should this continue? In our dynamic conversation, Deryck and I explore why many CISOs may be underestimating the threat of email security breaches and how the right security measures can lead to significant cost savings for companies. Amidst the rising tide of cyberattacks and the socio-political turmoil, it's evident that traditional cybersecurity measures are no longer sufficient. Instead, Deryck introduces us to the concept of cyber resilience, where organizations strive to anticipate, withstand, and bounce back from cyber onslaughts. We also discuss the pressing need for organizations to transition from a detection-focused mindset to a prevention-first approach. Central to our conversation are the three C's vital for enhanced cyber resilience: Comprehensive measures, Consolidation of tools, and Collaboration within the cybersecurity ecosystem. Deryck emphasizes the role of Check Point Software in pioneering this shift, offering solutions to ensure businesses stay one step ahead of cyber adversaries. Referencing his insightful article, "How Does Your Board Measure Cyber Resilience?", Deryck further delves into the frameworks that businesses can adopt to bolster their security and why resilience is the cornerstone of any modern cybersecurity strategy. As threats grow and evolve, resilience becomes more critical than ever, and Deryck offers a roadmap on how businesses can navigate this complex landscape.
This episode was recorded on 8/9/2023 Welcome to the Take Five Podcast from Fortinet where we provide five cybersecurity tips and best practices for today's technology leaders. This podcast series taps into the experience of our Fortinet Field CISO team and the work being done with and through our ecosystem of partners, customers, and industry experts. In this episode, Ricardo Ferreira, Fortinet's Field CISO for EMEA, and Jim Richberg, Field CISO for the Public Sector, delve into the present significance of artificial intelligence (AI) and machine learning (ML) in the public sector. The conversation will encompass the utilization of AI and ML in public sector applications, along with an analysis of the risks, limitations, and challenges it may present. For more information about service providers visit our website, www.fortinet.com/government?utm_source=social&utm_medium=linkedin-org&utm_campaign=sprinklr Read key findings from the 2023 Global Ransomware Report, brought to you by Fortinet: https://www.fortinet.com/blog/industry-trends/ransomware-protection-survey-for-organizational-prevention?utm_source=social&utm_medium=linkedin-org&utm_campaign=sprinklr
Podcast: Fortinet Cybersecurity Podcast
Episode: Take Five #69 - Predictive Analytics, AI, and Machine Learning: OT Manufacturing
Pub date: 2023-07-25
This episode was recorded on 7/25/2023. Welcome to the Take Five Podcast from Fortinet where we provide five cybersecurity tips and best practices for today's technology leaders. This podcast series taps into the experience of our Fortinet Field CISO team and the work being done with and through our ecosystem of partners, customers, and industry experts. In this episode, Jim Richberg, Fortinet's Vice President of Information Security and Field CISO for the Public Sector, teams up with Ricardo Ferreira, Fortinet's EMEA Field CISO, to delve into the present significance of artificial intelligence (AI) and machine learning (ML) in OT manufacturing. The discussion will cover various topics, such as the potential risks associated with adopting AI and ML, how AI/ML can help OT manufacturing industries ensure accuracy and reliability, and advice for CISOs looking to implement AI/ML in their organizations. For more information about OT manufacturing, visit our website, www.fortinet.com/manufacturing?utm_source=social&utm_medium=linkedin-org&utm_campaign=sprinklr Read key findings from the 2023 Global Ransomware Report, brought to you by Fortinet: https://www.fortinet.com/blog/industry-trends/ransomware-protection-survey-for-organizational-prevention?utm_source=social&utm_medium=linkedin-org&utm_campaign=sprinklr
Jonathan Nguyen-Duy, Field CISO at Fortinet and former Security CTO at Verizon Enterprise Solutions, is a highly respected voice in the cybersecurity field. His extensive experience navigating intricate security scenarios and his pioneering work at the industry's leading Managed Security Services Provider, Verizon, give him unique insights. With academic qualifications from George Washington University, Jonathan's expertise extends beyond practical experience into theoretical frameworks. In this compelling episode of the "Let's Talk About SecurIT" podcast, Jonathan and host Philip de Souza embark on an insightful journey through the labyrinth of cybersecurity. They touch on key issues such as the menace of ransomware, critical questions arising in the aftermath of data breaches, and the pivotal role of automated posture checks in fortifying security structures. They highlight the multifaceted role of CISOs, responsible for both cybersecurity and business risk management, and explore the transforming digital ecosystem where data equals currency and is a source of wealth creation for the connected individual. As they navigate through the convergence of networking and security, they also discuss the intriguing rise of female threat actors and the imminent future of a decentralized and continually vulnerable digital landscape. The discussion also underscores the need for managing risk in hybrid computing environments and proposes a shift in perspective towards incentivizing CISOs rather than resorting to punitive measures. With a wealth of insights, stats, and compelling narratives, this episode stands as an essential resource for anyone seeking a comprehensive understanding of the evolving cybersecurity landscape.
This episode was recorded on 6/7/2023. Welcome to the Take Five Podcast from Fortinet where we provide five cybersecurity tips and best practices for today's technology leaders. This podcast series taps into the experience of our Fortinet Field CISO team and the work being done with and through our ecosystem of partners, customers, and industry experts. In this episode, Jonathan Nguyen-Duy, Fortinet VP and Field CISO, joins Renee Tarun, Fortinet's Deputy CISO, to explore cybersecurity strategies for addressing cyber risk with service providers. Some of the topics they will cover include the top threats facing service providers today, advice for leaders looking to improve cyber readiness, and actionable measures organizations can take to mitigate potential risks. For more information about security for service providers, visit our website, https://www.fortinet.com/solutions/service-provider/communications-service-provider/mssp?utm_source=social&utm_medium=linkedin-org&utm_campaign=sprinklr Read key findings from the 2023 Global Ransomware Report, brought to you by Fortinet: https://www.fortinet.com/blog/industry-trends/ransomware-protection-survey-for-organizational-prevention?utm_source=social&utm_medium=linkedin-org&utm_campaign=sprinklr
This episode was recorded on 5/30/2023. Welcome to the Take Five Podcast from Fortinet where we provide five cybersecurity tips and best practices for today's technology leaders. This podcast series taps into the experience of our Fortinet Field CISO team and the work being done with and through our ecosystem of partners, customers, and industry experts. In this episode, Jonathan Nguyen-Duy, Fortinet VP and Field CISO, joins Renee Tarun, Fortinet's Deputy CISO, to explore cybersecurity strategies aimed at tackling cloud-based cyber risks. Some of the topics they will cover include ways to reduce the attack surface, actionable measures organizations can take to mitigate potential risks, and the role that staff training and education can play in diminishing overall risk. For more information about cloud security, visit our website, www.fortinet.com/cloudsecurity?utm_source=social&utm_medium=linkedin-org&utm_campaign=sprinklr Read key findings from the 2023 Global Ransomware Report, brought to you by Fortinet: https://www.fortinet.com/blog/industry-trends/ransomware-protection-survey-for-organizational-prevention?utm_source=social&utm_medium=linkedin-org&utm_campaign=sprinklr
Join hosts Ron and Chris as they dive into the world of Attack Surface Management (ASM) in this episode recorded live at RSAC 2023. Special guest Nabil Hannan, a seasoned industry expert and Field CISO at NetSPI, shares his wealth of knowledge and expertise in this critical field. Together, they explore the evolving landscape of ASM, highlighting NetSPI's unique approach compared to other solution providers and shedding light on the state of ASM to empower listeners to enhance their security posture. NetSPI has a team of skilled pen-testers that can help you find those critical vulnerabilities and become your partner in creating the right remediation game plan for you. Check them out at https://www.netspi.com/HVM
Links:
Connect with Nabil Hannan on LinkedIn: https://www.linkedin.com/in/nhannan/
Connect with us on LinkedIn: https://www.linkedin.com/company/hackervalleystudio
Love Hacker Valley Studio? Pick up some swag: https://store.hackervalley.com
Continue the conversation by joining our Discord: https://hackervalley.com/discord
Impactful Moments:
01:08 - Introducing Nabil Hannan
01:25 - Relationship-building through play
04:39 - The power of authenticity
05:39 - What is a Field CISO?
07:02 - The rise of attack surface management
09:17 - What makes NetSPI different?
11:26 - A word from our sponsor
12:17 - Attack surface management for SMBs
15:15 - ASM solutions & false positives
17:16 - An ASM case study
21:15 - Red teaming influence on ASM
24:12 - Where do I get started with ASM?
In this podcast episode, we talk about why generative AI apps and integrations without guardrails risk exposing data to the internet. Our guest is Dale Zabriskie also known as Dr. Z, Field CISO at Cohesity.
This episode was recorded on 4/18/2023. Welcome to the Take Five Podcast from Fortinet where we provide five cybersecurity tips and best practices for today's technology leaders. This podcast series taps into the experience of our Fortinet Field CISO team and the work being done with and through our ecosystem of partners, customers, and industry experts. Tune in to hear Fortinet's Alain Sanchez, EMEA's Field CISO, and Jaime Chanaga, Field CISO for LATAM, Canada and the Caribbean, discuss cybersecurity strategies for addressing cyber risk in these regions. They will talk through what is at risk should there be a cyberattack in these regions, why cyber readiness is key to managing and combatting risk, as well as effective strategies to reduce complexity given the challenges these regions face today. For more information about strategies for addressing cyber risk, visit our website, www.fortinet.com. Read key findings from the 2H 2022 FortiGuard Labs Threat Report to discover how security professionals can protect their organizations: https://www.fortinet.com/blog/threat-research/fortiguard-labs-threat-report-key-findings-2h-2022?utm_source=social&utm_medium=linkedin-org&utm_campaign=sprinklr
Kayne McGladrey, CISSP, is the field CISO for Hyperproof and a senior member of the IEEE. He has over two decades of experience in cybersecurity and has served as a CISO and advisory board member, and focuses on the policy, social, and economic effects of cybersecurity lapses to individuals, companies, and the nation. Hyperproof's mission is to help organizations demonstrate their commitment to upholding laws, standards, and ethical conduct to their communities through compliance operations software.
Scott Schober is a #cybersecurity and wireless technology expert, author of Hacked Again and Cybersecurity is Everybody's Business, host of 2 Minute CyberSecurity Briefing video podcast and CEO of Berkeley Varitronics Systems who appears regularly on Bloomberg TV, Fox Business & Fox News, CGTN America, Canadian TV News, as well as CNN, CBS Morning Show, MSNBC, CNBC, The Blaze, WPIX as well as local and syndicated Radio including Sirius/XM & Bloomberg Radio and NPR.
Subscribe and follow:
Apple Podcasts: https://podcasts.apple.com/us/podcast...
Google Podcasts: https://podcasts.google.com/feed/aHR0...
iHeart Podcasts: https://www.iheart.com/podcast/70626340/
Amazon Music Podcasts: https://scottschober.com/wp-content/u...
YouTube: https://www.youtube.com/channel/UCxqx...
Twitter: @ScottBVS
Instagram: https://www.instagram.com/scott_schober/
LinkedIn: https://www.linkedin.com/in/snschober
Website: www.ScottSchober.com
Podcast: (CS)²AI Podcast Show: Control System Cyber Security
Episode: 71: Leadership and Executive Development in the Cybersecurity Industry with Willi Nelson
Pub date: 2023-02-28
Derek Harp interviews Willi Nelson in this episode. Willi is currently the Field CISO of Operation Technology at Fortinet, one of the oldest and longest-standing sponsors of the (CS)²AI organization.
Willi is a Security/Technology/Visionary who focuses on thought leadership and executive influence for Fortinet. He is responsible for developing security thought leadership, strategy, threat, vulnerability & mitigation insights, and world-class practices for the cybersecurity community and business executives.
Willi is a technologist, military veteran, woodworker, bee-keeper, outdoorsman, fisherman, metal artist, hunter, cyclist, husband, and father. In this episode, he shares his backstory and unpacks what he does for the industry. He also offers valuable nuggets of advice for people with an OT and engineering background who don't know cyber and those with a cybersecurity background with no knowledge of control systems and OT.
Show highlights:
Willi joined the US Army immediately after graduating high school. He gets into what he learned there and why he left.
Why resiliency is essential.
How Willi got into computers.
Willi discusses the importance of education and explains what prompted him to return to college at 27.
The power of being humble, having a thirst for knowledge, and a work ethic in the workforce.
Qualities Willi looks for when recruiting people.
Where OT and cybersecurity first intersected with Willi's career.
How he got the opportunity to step into leadership while spending some time working in financials.
The difference between influential and mandatory leadership.
What operational technology means in the context of Willi's current line of work.
What makes Willi optimistic about the future?
Mentioned in this episode:
Join CS2AI
Join the largest organization for cybersecurity professionals. Membership has its benefits! We keep you up to date on the latest cybersecurity news and education.
Our Sponsors:
We'd like to thank our sponsors for their faithful support of this podcast. Without their support we would not be able to bring you this valuable content. We'd appreciate it if you would support these companies because they support us!
Network Perception
Waterfall Security
Tripwire
KPMG Cyber
Automating compliance controls refers to the use of technology to manage and monitor compliance with regulations and laws. The purpose of automating compliance controls is to ensure that organizations meet their obligations in a consistent and efficient manner, while reducing the risk of non-compliance.
Automating these controls can provide significant benefits to organizations. It can help to reduce the risk of non-compliance, increase efficiency and consistency, and save time and resources. However, automation should not be seen as a replacement for human oversight.
In this episode of the EM360 Podcast, Analyst Richard Stiennon speaks to Kayne McGladrey, Field CISO at Hyperproof, to explore:
Automating compliance controls vs SOAR automation
Helping CISOs
Can one master set of controls cover multiple frameworks
This week on the Simply Cyber Report:
Scores of Redis servers infested by sophisticated custom-built malware.
Oktapus hackers are back and targeting tech and gaming companies.
Russian hackers using new Graphiron information stealer in Ukraine.
New QakNote attacks push QBot malware via Microsoft OneNote files.
Fresh, buggy Clop ransomware variant targets Linux systems.
We also sit down with Ira Winkler, Field CISO and Vice President of CYE. Ira shares a wide range of thoughts and experiences garnered from an exceptional career. You can find the various books that Ira has written, which are mentioned in the podcast, at the following links:
You CAN Stop Stupid
Advanced Persistent Security
Security Awareness for Dummies
Cybersecurity All-in-one For Dummies
The Cybersecurity Defenders Podcast: a show about cybersecurity and the people that defend the internet.
Would you pay the ransom if you were hit with ransomware? Leaders and their companies are targets. Cyberthreats are on the rise and many companies have fallen victim. They can actually reflect what our weaknesses are when it comes to leading people and how you react under pressure. For most people, this is a really stressful time, but it can also be a great opportunity to see how you handle difficult situations.
I host Dan Lohrmann, Field CISO for Presidio, who shares a vital strategy for how to respond to a cyber ransom threat.
Presidio is a global digital solutions and services provider delivering software-defined cloud, collaboration and security solutions to customers.
Dan started his career at the National Security Agency (NSA), and has over 30 years of professional experience, including Chief Security Officer and Chief Technology Officer roles.
He's also an award-winning blogger and global speaker on a wide range of technology and cybersecurity topics. Best-selling author of "Cyber Mayday and the Day After Dan: A Leader's Guide to Preparing, Managing and Recovering From Inevitable Business Disruption."
LinkedIn Profile: https://www.linkedin.com/in/danlohrmann/
Company Link: https://www.presidio.com/
Link to Dan's Book: "Cyber Mayday and the Day After Dan: A Leader's Guide to Preparing, Managing and Recovering From Inevitable Business Disruption." https://www.amazon.com/Cyber-Mayday-Day-After-Disruptions/dp/1119835305
What You'll Discover in this Episode:
The story of the turning point of his career.
How he accelerated his learning as a writer.
A vital cybersecurity tip for leaders.
How to be prepared for AI and cyber risks.
The first step you should take if you receive a cyber ransom note.
The role of cybersecurity for the next five years.
What happened with the $28.75M ransom note.
-----
Connect with the Host, #1 bestselling author Ben Fanning
Speaking and Training inquiries
Subscribe to my Youtube channel
LinkedIn
Instagram
Twitter
By Adam Turteltaub. The Gramm-Leach-Bliley Act (GLBA) is typically referred to in the context of financial institutions. It requires providers of consumer financial products to explain how they share information and protect sensitive data. It's not, however, only banks that fall under GLBA's umbrella. New rules will affect retailers offering credit terms to their customers, higher education institutions that administer federal student aid, and others as well, explains Kayne McGladrey, Field CISO for Hyperproof. The FTC has set June 2023 as the deadline for compliance with the revised GLBA Safeguards Rule. It requires that affected organizations:
- Have a qualified individual to implement and enforce an information security plan
- Conduct a periodic cybersecurity risk assessment
- Implement cybersecurity controls to manage those risks
- Document who has access to customer data
- Assess the risks of applications that can access the data
- Securely destroy old data
- Periodically test the controls to verify their effectiveness
In addition, staff need to be trained, and there must be a written incident response plan and ongoing testing. It is a considerable commitment, Kayne points out, but since it overlaps with the requirements of the European General Data Protection Regulation (GDPR) and the California Consumer Privacy Act (CCPA), many organizations may already have significant structures in place. Even so, it's important to conduct a gap analysis, he advises, to ensure all the requirements are being met. Listen in to learn more about what Gramm-Leach-Bliley now requires for your organization.
This episode was recorded on: 1/4/2022. Welcome to the Take Five Podcast from Fortinet, where we provide five cybersecurity tips and best practices for today's technology leaders. This podcast series taps into the experience of our Fortinet field CISO team and the work being done with and through our ecosystem of partners, customers, and industry experts. Join Fortinet's Jonathan Nguyen-Duy, Field CISO for Strategic Services, and Jim Richberg, Field CISO for the Public Sector, as they discuss the challenges public sector CISOs faced in 2022, provide tips to prepare for the year ahead, and highlight the cybersecurity products and solutions that will be beneficial in 2023. Read our blog to learn some of the top cybersecurity challenges for CISOs to address in 2023: https://www.fortinet.com/blog/ciso-collective/top-cybersecurity-challenges-for-cisos-to-address-in-2023?utm_source=soundcloud&utm_medium=social&utm_campaign=sprinklr
What were the biggest cybersecurity trends of 2022, and which types of threats do experts predict we should prepare for in 2023? Dan Lohrmann, Field CISO with Presidio, returns to the 401 Access Denied Podcast to provide a consolidated perspective on all the trends from an eventful year. From the war in Ukraine to the rise in cyber mercenary attacks, hacktivism, cloud hacks, and deepfakes, we're welcoming 2023 with a careful review of all the most memorable topics! Read Dan's article on "The Top 23 Security Predictions for 2023": ~The Top 23 Security Predictions for 2023 Part 1 Follow us on Social!! ~Cybrary Twitter ~Delinea Twitter ~Instagram ~Facebook ~YouTube Jump-start your cybersecurity career today at Cybrary!
In today's podcast, we have Jason Hicks, Field CISO at Coalfire. Jason Hicks has worked on both the technical and business sides as a CISO. Mr. Hicks helps people transition from being a technical CISO to being a business leader, using skills he has learned, and delivers business strategies back to his community and other businesses. Enjoy today's podcast of New Cyber Frontier. Visit our sponsors: BlockFrame Inc., IEEE Digital Privacy, Murray Security Services
Ira Winkler, Field CISO and Vice President at CYE, joins host Alissa (Dr Jay) Abdullah, PhD, SVP & Deputy CSO at Mastercard, in this episode of the CISO 500. Together, they discuss Winkler's journey to becoming a CISO, whether technology will ever fully resolve many of the cybersecurity challenges we face, and more. To learn more about our sponsor, Mastercard, visit https://mastercard.us/en-us.html • For more on cybersecurity, visit us at https://cybersecurityventures.com
Michael Piacente, Managing Partner & Cofounder at Hitch Partners, answers the essential question on many cybersecurity professionals' minds: Where do CISOs find CISO jobs? As it turns out, Michael helps many cybersecurity teams find their perfect CISO match with the assistance of his own team at Hitch Partners. In this episode, Michael clarifies what the role of a CISO really is, explains the compensation and benefits, and reveals the many responsibilities a CISO may take on during their time in the role. Timecoded Guide: [00:00] Defining the role of CISO & finding the right homes for each CISO [05:21] VCISO & fractional CISO as an alternative to a full-time CISO [11:49] CISO annual income, benefits, & non-monetary incentives [16:37] Explaining additional responsibilities & tasks taken on by the CISO [25:11] Giving advice to future CISOs looking for the next cyber executive opportunity Sponsor Links: Thank you to our sponsors Axonius and NetSPI for bringing this episode to life! The Axonius solution correlates asset data from existing solutions to provide an always up-to-date inventory, uncover gaps, and automate action — giving IT and security teams the confidence to control complexity. Learn more at axonius.com/hackervalley In your own definition and experience, what is a CISO? Although there are many definitions of the role, Michael clarifies that defining CISO should always include being an executive. To have a CISO who makes a positive impact and fulfills an organization's needs, that CISO has to be properly placed, properly sponsored, and be in an environment where they have the proper reporting processes. Michael also believes the CISO should always be looking over their shoulder, staying vigilant about the next threat.
“In my version of it, a CISO is the executive— and that's the key term here— that has been properly placed, properly sponsored to handle all of the business information and data risk policy execution and operations in the company.” What is the difference between a fractional CISO and a VCISO? In Michael's opinion, a VCISO (virtual CISO) and fractional CISO can be used interchangeably in a situation where a company does not need a full-time CISO executive. Unless they're looking to support a strong security program, Michael understands that many companies don't need a full-time CISO in order to be successful. A VCISO makes an impact on an organization's security without being an overwhelming role in a smaller organization. “Bringing in your starter package to implement the baseline or foundational building blocks of what will become a security program, in the form of a consultant or consulting firm, is often a wiser choice than going in building a security program around a full-time CISO role.” Are there different types of CISOs, and have those types changed over time? Previously, Michael defined three different types of CISOs in his search for CISOs with Hitch Partners. However, a fourth type has emerged in recent years: the BISO, or Field CISO. This fourth type joins the ranks alongside the other impactful CISO types, the client (or governance) facing CISO, the highly technical CISO, and the IT-focused CISO; the BISO focuses on the business side of the risk. “It's amazing that all of our CISO searches contain all these different types of CISOs. The fun part of that we get to figure out is: What's the priority [for the role]? What's the order? What does everyone in the organization think the priority should be?” How would you direct someone to take that first step after realizing they want to be a CISO?
Discovering that the CISO role exists and knowing whether you are the right person for it are two different things, and Michael encourages potential CISOs to take some time to research the job before getting involved in a job search. However, once someone knows they want to be a CISO, Michael advises finding a CISO mentor and diving into a passion. Each type of CISO needs expertise and passion to propel them into the superpower status needed to be a CISO. “I think it's about finding a passion. I'm a big believer that you just have to know where your superpower is, or what your superpower wants to be. In other words, that thing that's passionate to you, that you probably know better than 99% of the population out there.” --------------- Links: Keep up with our guest Michael Piacente on LinkedIn Learn more about Hitch Partners on their website Connect with Ron Eddings on LinkedIn and Twitter Connect with Chris Cochran on LinkedIn and Twitter Purchase a HVS t-shirt at our shop Continue the conversation by joining our Discord Check out Hacker Valley Media and Hacker Valley Studio
This year has seen several significant shifts within the security space. World events have left tensions high. This has been a stress test for many security systems as bad actors take advantage of any cracks that have formed. In this episode, Dave Trader, Field CISO at Presidio, and Dan Lohrmann, Field Chief Information Security Officer, share their insights into how the recent conflicts abroad have shaped global security. They also share their predictions of how ransomware and cyber attacks may evolve in the last quarter of this year. Join us as we discuss: - Zero-trust authentication systems - An uptick in malicious DDoS events - Possible effects of an incoming recession To hear more interviews like this one, subscribe to The Digital Decode Podcast on Apple Podcasts, Spotify, or your preferred podcast platform. To look back on the 2022 predictions for cybersecurity, read The Top 22 Security Predictions for 2022.
Join our experts Jaime Chanagá, Field CISO for Fortinet Latin America and the Caribbean, and Arturo Torres, FortiGuard Labs strategist for Latin America and the Caribbean, in this Spanish-language edition of #FortiGuardLIVE, where we talk about current cyberattacks and the threats we will be facing in 2022.
On this episode of CISO Tradecraft, John Hellickson from Coalfire talks about his career as a CISO. Listen and learn about:
- The evolving role of the CISO
- How John got started as a CISO
- What a Field CISO is and how it differs from a traditional CISO role
- Tips on getting your career to the next level by attending the right conferences and getting an executive coach
- How to get business alignment
- How the Security Advisor Alliance is helping the next generation of cyber talent
#SecurityConfidential #DarkRhinoSecurity Tim Chase joins host Manoj Tandon on this episode of Security Confidential. Tim Chase is a Field CISO, Professional Speaker, Author, Ethical Hacker, Certified Application Security Engineer, etc. He is also a LinkedIn Learning Instructor who writes training modules about DevOps and DevSecOps. Tim is an expert at resolving challenging security incidents with a short turnaround time. He is a graduate of Tennessee Tech and the University of Phoenix.
00:00 Introduction
01:13 The problem of ransomware: how do you see it evolving in the near future?
05:17 Third-party risk
06:21 Applications built on open source code and how to ensure their security
11:45 What do you see as the top 3 root causes of security incidents?
14:40 Deep provisioning
22:22 Step-by-step on how to build a cybersecurity program for SMBs
32:05 How to make cybersecurity logical when coaching a young cybersecurity team. What foundational elements do you emphasize?
37:30 Companies using cybersecurity as a revenue source
40:48 Outro
To learn more about Tim Chase visit https://www.linkedin.com/in/timchase2/ To see Tim's course on DevOps and DevSecOps visit https://www.linkedin.com/learning/devops-foundations-devsecops/welcome?autoplay=true To learn more about Dark Rhino Security visit https://www.darkrhinosecurity.com
On this episode of the Arraya Insights Vodcast, Scott Brion, Arraya's Cyber Security Director, welcomes special guest Jonathan Nguyen-Duy, Vice President and Global Field CISO at Fortinet. As a global security advisor and executive lead for strategy and analytics, Jonathan's work at Fortinet is focused on strategy, data analytics and helping enterprises with digital transformation for security from the IoT edge, across enterprise networks, to hybrid clouds. He is a widely published security expert and frequent speaker at industry events with unique global commercial and public sector experience as well as a deep understanding of threats, technology, compliance, and business issues. The discussion covers a wide range of topics facing organizations today including vulnerability management, hybrid work models and their effect on cyber security, current challenges such as staffing, supply chain, cyber insurance, and more.
As cybersecurity teams seek to enhance their defenses in the wake of worldwide ransomware attacks and the spread of wiper malware in Ukraine, what predictions can we make about the evolution of global information wars? Acclaimed security leader and Field CISO at Presidio, Dan Lohrmann, discusses emerging trends in cyber insurance, cyber incident reporting, and incident response planning. Learn more about the potential impact of the Shields Up advisory published by the U.S. Cybersecurity and Infrastructure Security Agency (CISA). Amidst growing risk and uncertainty, hear Dan's advice on how you can develop best practices for training and preparing your security team. Connect with Dan! ~ LinkedIn ~ Twitter Check out Dan's Book: ~Cyber Mayday and the Day After Read Dan's Blog Post on Cyber Insurance: ~Where Next for Government in the Cyber Insurance Market? Read More on Cybersecurity and the Invasion of Ukraine: ~What the Newly Signed US Cyber-Incident Law Means for Security ~‘For the first time in history anyone can join a war': Volunteers join Russia-Ukraine cyber fight Follow us on Social!! ~Cybrary Twitter ~Delinea Twitter ~Instagram ~Facebook ~YouTube ~Cybrary LinkedIn ~Delinea LinkedIn
This was recorded live on 03/15/2022 Tune into another edition of FortinetLIVE with #Fortinet's Rick Peters, Field CISO for Operational Technology, and Tony Parrillo, Global Head of Cybersecurity for Schneider Electric as they discuss #OTsecurity trends and challenges. Watch the recording on YouTube: https://youtu.be/8Ta2tUR9v5s
The shift in the workforce landscape has made upgrading and improving network infrastructure a necessity. In a new podcast, Cisco and Presidio discuss how state and local agencies confront the digital divide across communities in the U.S. and ensure constituents can access resources with reliable broadband connectivity. Guests: Meghan Steele, Senior Director, U.S. Public Sector East, Cisco and Dan Lohrmann, Field CISO, Public Sector, Presidio Look for more coverage of “IT Modernization in Government” on www.statescoop.com/listen
This episode features an interview with Dan Lohrmann, Field CISO of Presidio, a global digital services and solutions provider accelerating business transformation through secured technology modernization. Dan has more than 30 years of experience in the computer industry and is an internationally recognized cybersecurity leader, technologist, keynote speaker and author. On this episode, Dan covers why every security leader needs to check out his new book, the biggest vulnerability that the government potentially isn't aware of, and his top advice for a first-time CISO.
-------------------
“The idea here is to marry up three parts: before, during and after an incident. So what can you do before? Four chapters of the book are about preparing everything from having playbooks and doing exercises, tabletop exercises, real true stories, what people learned and the good, the bad, the ugly. Then during incidents in the middle, real stories about that. And then at the end, what about afterwards? What, like the last chapter is turning cyber lemons into organizational lemonade. So really the idea of how can we take what we learned and then roll it back into our plan, into our playbooks, in our scenarios, and to get better and improve.” — Dan Lohrmann
-------------------
Episode Timestamps:
*(2:54) - Dan's first job in security
*(4:42) - Dan's current role as Field CISO of Presidio
*(5:44) - Dan's perspective on the changing speed of the government
*(7:19) - The biggest vulnerability that the government potentially isn't aware of
*(11:43) - Segment: The Deep Dive
*(25:44) - Dan's predictions for the future
*(30:12) - Dan's favorite security domain
*(34:16) - Top advice for a first-time CISO
*(37:01) - If Dan could go back in time, what he'd do differently
-------------------
Links: Connect with Dan on LinkedIn; Follow Dan on Twitter; Check out Dan's new book! Jason Clark's LinkedIn; www.netskope.com
Jason Hicks, who recently joined Coalfire as a Field CISO and cybersecurity executive advisor, sat down with the Technado team to talk about his new role. He also shared his predictions for the AppSec industry in 2022. Then, the guys discussed last week's AWS US-EAST-1 outage, mouse movers for sneaky remote workers, SIP phones adding Microsoft Teams support, and the Log4j Log4Shell zero-day. Finally, in WTF, they talked about the racist blockchain record tied to McDonald's McRib NFT.
In this week's episode of CISO's Secret, Cyber Security Evangelist Grant Asplund hosts Cindi Carter, Field CISO at Check Point Software Technologies.
Podcast host James Richberg, Field CISO and Trusted Security Advisor at Fortinet, interviews Information Security Professional at CISA, Branko Bokan. Time stamps:
- Intros and mission of CISA (1 min)
- What are some lessons learned from the pandemic? (2:40)
- Center of Excellence for telework at CISA (4 min)
- Cyber Monday (8 min)
- Bandwidth challenges (10:40)
- Trusted Internet Connection and TIC 3.0 (12 min)
- Connectivity and security in a remote work environment (15 min)
- IoT devices (18 min)
- Most notable cybersecurity events from the past (22 min)
- Ransomware (29 min)
- Protection, detection, and response (33:50)
- Tabletop exercises (36 min)
- Zero Trust and the Executive Order (37:30)
- Protective DNS for agencies (42:20)
- CISA.gov/telework (43:30)
The proliferation of ransomware attacks is a hot topic in the news lately. But if you've never experienced one, you may not be properly prepared to respond to one — and you really need to be. Because when it comes to ransomware, it's not if, it's when. On today's episode, host Andy Richter and guest Dave Trader, Field CISO at Presidio, talk about who to call when you're in the midst of a ransomware crisis. Andy and Dave join the show to share their expertise in ransomware recovery and help you prepare to weather any attack that comes your way. In this episode, we discuss: the technical aspects of ransomware recovery; why communications are critical to successful ransomware recovery; the timeline you should expect from an attack to a successful recovery. To hear more interviews like this one, subscribe to The Digital Decode Podcast on Apple Podcasts, Spotify, or your preferred podcast platform.
Sean Sweeney is a frequent author and speaker on cybersecurity. In this episode of Security Confidential, Sean talks about cloud security, an area in which he has a deep background. Sean currently leads the Field CISO and Cloud Security Advisor group within Oracle North America Cloud Engineering. In his prior role Sean was with Microsoft, where he was the Global Chief Security Advisor. Sean is a previous Chief Information Security Officer at the University of Pittsburgh and Litigation Support Applications Manager for the U.S. Department of Justice. Sean began his career as a Database Administrator for ExxonMobil and the U.S. Department of the Interior.
00:09 Sean Sweeney's background
01:38 From DB admin to CISO
05:00 Helping Dave Hickton prosecute cyber criminals
06:52 The future of cybersecurity
07:20 SaaS, PaaS, IaaS: your responsibilities in cloud cybersecurity
13:33 If IP is exfiltrated from the cloud app, who's responsible?
14:30 What gets popped in the cloud environment!
15:23 What is the difference between zero trust and SASE?
19:45 What is the order of implementing elements of SASE or Zero Trust?
23:10 The role of MDM in BYOD
26:54 Too much friction is a risk
32:27 Should the CISO work for the CIO?
36:58 How do you secure a hybrid cloud environment?
42:34 Accelerator Program at Oracle
45:49 Dealing with ransomware
50:26 Struggling with vulnerability management
To learn more about Dark Rhino Security
Welcome to the first episode in a series where we reflect on the lessons given to us by our previous guests. This episode is a deep focus on security champions — developers with extra training who provide input from the security side of things. Our first perspective comes from episode 59 featuring Steve White, Field CISO of Pivotal, now a part of VMware. Steve shares his enthusiasm for security champion programs and speaks about their role in helping their teams make incremental security changes. After talking about why we should be moving security into the early development cycle, Steve gives advice on giving developers one security problem to focus on at a time. From Steve, we dive into episode 42 where we spoke to Kate Whalen from The Guardian. She highlights the value of organizing meetings for developers who are interested in security. These spaces, she explains, are for engineers to ask questions and come to an understanding that security is a shared responsibility. Next, we listen to Omer Levi Hevroni from episode 24, who was a maven for Asurion — their version of a security champion. He talks about the productivity challenges of being a security champion while still needing to complete your own tasks. Mirroring Kate's points, Omer emphasizes the importance of having a community to share your experiences with and how conferences and online channels like Slack can serve this need. Our last perspective is provided by Yashvier Kosaraju from episode 66. Yashvier discusses having a security partner on the security team to complement having a security champion on the development team. We talk about the advantages of this system, as it allows you to perform a security review on a project as it's being created, ensuring that timelines aren't affected. Our guests' experiences are filled with insight and wisdom. Tune in for more on how you can develop your own security champion program.
In episode 59 of The Secure Developer, Guy Podjarny talks to Steve White, Field CISO at Pivotal. Steve spends his time helping organizations envision and implement new ways of integrating security into their software development, deployment, and operations life cycle. Most recently, his focus has been on cybersecurity, helping build a cybersecurity consulting practice for Microsoft and then leading security teams for companies such as Amazon, Sonos, and CenturyLink. On today's show we talk with Steve White, Field CISO for Pivotal, where he gets to regularly exercise his passion for working at the intersection of application security, development, infrastructure, and operations. Prior to joining Pivotal, Steve was the Chief Security Officer at ForgeRock. In this episode we are going to get a broader perspective from Steve on digital transformation within organizations. We also hear from Steve why he recommends making small incremental changes, we discuss the idea of a security champion, as well as the best practices for helping developers understand the importance of cybersecurity work. Finally, Steve shares more about how to recognize when organizations are having challenges with digital transformation, and why it is key to focus only on the actual threats and not the imaginary ones. So don't miss out on today's enlightening conversation with Steve White of Pivotal.
Transcript
[00:01:32] Guy Podjarny: Hello, everyone. Welcome back to The Secure Developer.
Today, we're going to get a bit of a broader market perspective here from someone who works with a lot of security and development through the years across the enterprise, and that is Steve White, who is a Field CISO at VMware. Steve, welcome to the show. Thanks for coming on.
[00:01:49] Steve White: Thanks, Guy. Thanks for having me.
[00:01:50] Guy Podjarny: Steve, we're going to go broad in a sec. But before we do that, tell us a little bit about yourself and your path to where you are today.
[00:01:58] Steve White: Absolutely. Well, the first thing I'll say about my path was, like many, it was accidental in a lot of cases. I started my career really honestly back before security was even a profession, the early security practitioners. We were sys admins and network admins and the people running the systems. We didn't have things like firewalls and we didn't have things like anti-malware software. We kind of invented this space, trying to protect our systems. The first firewall I ever used was a bit of software running on a Sun server. Fast-forward a career from there, I learned to really appreciate all facets of security during those early years. I moved into some application development roles. Ultimately, senior tech leader role and then moved into security full-time, trying to help build up a security consulting practice for Microsoft. Then from there, I've held a number of internal security roles at places like Amazon, CenturyLink Cloud, and Sonos. Then I was the Chief Security Officer at ForgeRock. Now, I'm a Field CISO at Pivotal VMware and spend my time really focusing on how can I best help organizations think through and strategize around this transformation into cloud native. How do we take what had become traditional enterprise security mechanisms and methods, and how do these change based on sort of this move to interesting things like containers and microservices and agile development? That's what I spend my time thinking about and looking at today.
[00:03:35] Guy Podjarny: Who do you typically work with? Who's the peer in the companies you work with or maybe the profile of the companies?
[00:03:42] Steve White: It has to be the larger global enterprises, so those companies who are primarily going through digital transformations. Companies who are writing a lot of their own custom code that they derive significant business value from, and they're working to transform how they write that code from sort of the traditional monolithic waterfall method into now the microservice-oriented cloud native 12-factor apps, right? As those companies who are making that transformation because it brings business value to them. I'm working primarily with their security leadership and security engineering and architecture organizations.
[00:04:29] Guy Podjarny: Within those organizations, within the enterprises that you work with, who is the sort of typical profile or role of a person who works with you on sort of understanding the security concerns? Is it more the CTO? There's more security mind role.
[00:04:44] Steve White: It's definitely the security organizations. I have a number of peers that I work with who spend more time on the application development organization side of things. I focus almost exclusively on the security organization, so I spend my time talking primarily with CISOs, with director of information security, or sort of the leadership in engineering security architecture kinds of spaces. I spend much of my time there. Lately, I have been doing some more detailed hands-on security workshops with, I would say, representatives sort of from every security discipline in the company, so security operations, incident response, architecture and engineering. We'll bring them all together in a room for a day and work through some of the implications of what cloud native security really means in each of those parts of the security team.
[00:05:36] Guy Podjarny: Thanks for that. It's sort of the context.
[00:05:37] Steve White: Yup.
[00:05:37] Guy Podjarny: Just to dive right into it, like you're helping these organizations kind of keep security or level up even security as they do this sort of digital transformation and embrace all of these exciting new technologies. What do you see as kind of the pillars or the core tenets of change that they need to do?
[00:05:55] Steve White: Well, it starts with – The first tenet of change in this space is that it's not just a technology change, although there is some technology shift that needs to happen. It's a culture and a perspective change that ultimately is the larger piece of what's to happen in information security, like it has happened in the rest of the business, right? We liken it to this change from security historically perhaps was perceived as providing perhaps gates, and you had to pass through the security gate to get to production or something like that. The phrase I like to use is we're moving from gates to guardrails, right? So security's function in the enterprise moving forward should be to provide these – They're like the safety net, right? There's a top and bottom guardrail that would protect you from sort of exceeding really bad parameters but within those guardrails. Development teams, operations teams have the flexibility to move around, to fluctuate, to flex, and to experiment frankly with what they need to do. That's one big topic. It's just that it's that cultural shift, that mindset. When you start to peel that back, how do you think about these culture changes, it really honestly comes down to – From my experience, it's the idea of pairing, right? The key differentiator I believe these days in helping security transform into this kind of cloud native organization is pairing them with developers from application development teams and vice versa, right? Let's expand our knowledge, let's expand our relationships, and let's expand our understanding of how this work impacts the business. I think that's like one of the really key factors. There's a whole lot of technology that comes with that culture change too. But without the culture and perspective change, all the technology in the world isn't going to make a difference.
[00:07:55] Guy Podjarny: I've got like a whole like a series of questions now to just ask based on that aspect. I'll start with that pairing comment. Pairing is a bit of a loaded term in the world of development you talked about sort of in those three program in pairing. When you talk about pairing developers and security people, are you literally talking about like two people watching the same screen and work together or pairing them to like a team?
[00:08:15] Steve White: In an ideal world. Yeah, both in an ideal world. So I am ingrained in the Pivotal culture. I know you're familiar with Pivotal and what we created, right? Pivotal is very big on extreme programming and pair programming and test-driven development and all of the things that go with that. I'm here because I believe pretty strongly in the value of those things, but not every enterprise is there, right? Not every application development organization, for example, sees pair programming the same way. When I speak of pairing, I would love to see it be in the true sense of paired programming where two heads sitting in front of one screen, working on solving one problem together. If one of those folks is a security engineer and one of them is a feature developer, they're both learning a lot and adding a good chunk to the conversation. That doesn't necessarily work for every organization. If you're not an organization where pairing is a particular practice that you use, then you go along the line of things like rotations, right? Take a security engineer out of security. Put them into a feature development team for 90 days or let them be a part of that team and participate at whatever level they can and write code at whatever level they can and vice versa, right? Take a feature developer. Embed them in the security organization for 90 days or 180 days, whatever you can do. Pairing can look like a lot of different things depending on what's appropriate to that enterprise. But it's pairing these folks who would not necessarily have been working together side-by-side. Give them common shared goals and outcomes for a period of time and let them learn from each other, right? That connectedness in that relationship I think is a really important part of that.
[00:10:03] Guy Podjarny: I love the analogy to sort of extreme programming pairings. I think organizational pairing, that makes a lot of sense to me as well. That visual of sort of working together is a beautiful one for the cases where that works.
[00:10:14] Steve White: It is.
[00:10:16] Guy Podjarny: Unpacking another piece that you said over there was this notion of guardrails. I'm a firm believer, right? Guardrails, you basically want to say, basically paint out the extremes about general paths kind of between past those elements. How do you help developers go make the right decisions in-between the guardrails? There's still a range of security and decisions that you make.
[00:10:36] Steve White: That's right, yes. This is another key thing I think that's enabled by this idea of cross team sharing that I described, and that's in the modern sort of cloud native security organization. I say a good chunk of time used to be spent writing tools, writing code that the rest of the organization can adopt. Whether those tools be things like – Whether those are code blocks that enforce identity, authentication, and authorization in a particular way for the languages used by your company, right? That's one idea. There's a lot of other ways that security teams can write code, and that's typically in the realm of either reusable objects that developers can embed in their project and use or it's in the realm of tools that help them integrate their methods and their procedures better with the tools that exist in the rest of the organization, where having security focused on writing code in those spaces I think pays big dividends in that question. How do you help developers navigate the guardrails? You give them tools to do that. The security organization should spend a good chunk of its time creating tools and listening to the developers and making them better, so those tools better fit how the developers do their work.
[00:11:57] Guy Podjarny: Yeah, for sure. I guess when you work, like you work with secure organizations that might not have had that approach before they started. I imagine like many times they're not necessarily like the skills in the team without necessarily letting themselves doing such so coding activities. How do you see or maybe how do you guide organizations to sort of navigate that expansion or transition of skills? Actually, if you have any opinions on which skills can they actually invest less in as we move to this world?
[00:12:29] Steve White: Yeah. I'll maybe start with the first part of that question. I absolutely have thoughts on that. Everything goes back to agile. It's about incremental change. The first thing I would speak to organizations making that transition is don't try to do the whole thing at once, right? Pick a particular area where you can make an impact, and you don't want it to be a low, quiet, non-visible area. Some people try to do incremental change.
They'll pick this little quiet part of the business that doesn't have a lot of visibility and impact. That's actually not the right way.The right way is to pick a small piece of what you do that has lots of visibility, lots of impact and make a change there, right? Pick a marquee application that's being developed and have one of your security engineers working with that team or vice versa. Pick a particular problem area. So if you do a survey across your development organizations, if there's a particular problem let's say with how SQL authentication has happened with backend databases, that's visible and it often will cause security vulnerability alarms. So pick that one problem, and now go and write some code to solve for that problem.If you don't have any folks in the security organization who are developers, borrow some. This is back to that pairing idea. Bring a couple in from the application development organization and have them help you write tools that they and their peers would want to use, right? But do it in a paired programming model. So even if you're not big on paired programming, in this scenario bring one of your security engineers who's eager to learn new things. Pair them with that developer in whatever way works in your organization. Let them learn from that effort. That's like how an organization can get started like right away.The other thing I would be doing for any enterprise organization doing security today is I'd be hiring for these skill sets. As you're hiring new people into the organization, this is a place you can hire junior people into security. Maybe they don't know a lot about security but they're pretty good. They've got some good development skills behind them. You can hire them into the organization, as most enterprise size security organizations regularly have openings that they're trying to fill. Rethink about some of those open positions. Repurpose one or two of them. 
Bring in a developer heavy or even a developer with little security experience and then train them over time.The last piece of that that I would say is training, right? Find individuals inside your security organization who raise their hands and say, “Hey, I want to learn this new thing. I want to be part of this change,” and give them some training, right? You can invest in your people and sending a security engineer to training to learn some development skills that creates loyalty. It creates energy. It creates enthusiasm. It creates a whole lot of positive side effects that they can then bring to the organization. Those are like three straightforward things you can do. There's a variety of others.[00:15:37] Guy Podjarny: Yeah, I know. But those are great advice, both on kind of where you focus, which is pick one that matters and not the kind of hidden that you care about. It's sort of the transitional sort of change and the pairing once again. I think that's definitely kind of a strong theme and a powerful one in kind of the human aspect of sort of [inaudible 00:15:54]. All sound like really good suggestions. It's going to be like a transition. We're going to make a bit of a transition towards the world of dev, right? This is security, and they're building and they're building those kind of skills and tools with different approaches. How do you then advise that they engage with dev? I mean, how do you see the collaboration happening in terms of process and steps?[00:16:19] Steve White: There's a lot of different ways you get after that. I'm a big fan. I've seen a lot of success in what I have historically called the security champions program, right? Security champions tend to be – It's like a way you help the development teams get invested and take ownership of security for their code, the stuff that they're creating. It's difficult to try to train everyone all the time and get them really enthusiastic about security things, right? 
I think that's not effective for most organizations. It's to try to get an entire development team jazzed about security.It's like pick same ideas. I have one on the security side and on the developer side. Pick a person, one person that's part of the team who has some enthusiasm for security, who has some understanding or some background in why it's important, and invest in them, right? Give them some additional training. Delegate to them some responsibility that perhaps the security team might've held within their arms previously. Find a security champion. Say, “Hey, we're going to invest in some training and we're going to invest in some responsibility, right? That now because you're on the team, we're going to take off the reins somewhat. We're going to take off some controls, loosen the guardrails, and give them more flexibility within this operating framework, because you now have a security voice embedded within the team.”That person, because they are a day-to-day functioning member of the team, can find incremental ways to help the team make small changes or do small things a little better. I'm a big fan of that natural growth of security awareness inside of a team.The second part of that is frankly is to move security tooling and security validation earlier in their process, right? Well, I like to talk about this shift left thing with security. Although if you ever look at the DevOps lifecycle, it's a continuous loop, so how you shift left in the loop is beyond me. But nonetheless, we still use that terminology. For me, it's simply where do I provide security feedback to developers in a more timely fashion and in a way that's consistent with the way they work. That's always been one of the challenges is in security we'll like run our SaaS and our desk tools somewhere down in the pipeline, and all we do is send them a report of a thousand probabilities in their code, and we're done.That's just not how you build those bridges, right? 
It's not how you build awareness, and so finding ways to give those developers actionable real-time feedback as close to the time they write the code as possible and then making sure that when you're providing security-related findings or feedback or what have you, that it really actually truly is actionable. It's not fanciful. We have this tendency in security to sort of take the high ground, right? It's like all the vulnerabilities have to be gone. There can't be a single line of misplaced code. That's not really where we need to be, right?One of the advice I've heard from others who I respected in this space is pick a particular security problem you're going to focus on, say, for a month and have all the development teams focus on that one class of vulnerability like SQL injection. We like to pick on that, because that's a pretty bad one. It's like all the teams focused on – We're going to focus on SQL injection this month, and so we're going to turn the knob up. We're going to turn the noise level up on SQL injection this month, and we're going to do everything we can. Then next month, we'll look at something else. But engage the teams in that conversation about what it should be, how they should receive the feedback, what's best for them. If you actually engage the developers in that conversation, I think you will ultimately get better results. Those are some of the keys, yeah.[00:20:20] Guy Podjarny: All great advice and I very much resonate with some of the whole shift left on it to say it's not shift left. It's top to bottom, it's to go from central governance to central controls and sort of bottom up and power teams.The question about the practicality of the security champions program, I mean, lots of good things to say about it. One of the pushbacks is that organizations don't always acknowledge this developer, the person in the development team who's now been sort of added in some form of authority, might have a different job. 
I mean, how do you recommend or sort of how do you see work best for organizations that do that security champion in terms of the role description for the security champion? Is it a percentage, less work that they do on the product side? I mean, how does that relate to their day job?[00:21:08] Steve White: Well, that's a really interesting question, and I think is also in some ways a cultural question, right? If you are trying to measure output of individual developers down to the level where they if they've spent two hours on security champion work, it would show up in some developer productivity metric. I think you need to question the cultural approach to that, because frankly, "output of development organizations should be focused minimally on the team output, right? There is very little external measure I would argue that is effective in measuring explicit individual developer productivity and especially in organizations where you're pairing, because now it's like, “Well, am I measuring the pair?”"Frankly, I would first say if you're trying to measure individual developer productivity at that level, I think you'd need to ask some tough questions about is that really effective and is that really the culture you want drive. If you take that up a level and you're measuring productivity and impact, it's really more about impact and feature flow and team metrics, right? Are they getting impactful things to the customers? Do the customers love what they deliver? Do they deliver frequently? Those kinds of metrics are what's important. I would argue that you're not going to see a big change in that by having one person spend some time on security champion types of duties.The other thing is that once trained – So there is a training period. 
Then during that training period, there may be some reduction in flow, but the responsibilities of the security champion are really just to speak up during planning or speak up during design sessions to ask the questions of the team. Did you think about this or did we include this or is this something that really should go through a deeper security review? It doesn't take a lot of work, right? It's not a big investment of time. It's like a focus versus amount of effort kind of thing, so it shouldn't take a lot of time.[00:23:14] Guy Podjarny: That's some great aspect. It kind of leads me to sort of another question I wanted to ask, which is like this measure. That team is also supposed to produce secure software and presumably whatever low [inaudible 00:23:26] provided by this sort of individual that might be helping also take some off or like helping others do their work more effectively. We're going to kind of take that last step into the world of dev and ask some questions there. How do you see, again, kind of best practices around helping the dev side of the fence appreciate security work, sort of time times spent, effort made in security, in terms of like measurements, mandates? I mean, like these are enterprises [inaudible 00:23:57] small organization sometimes or small [inaudible 00:24:00] in values in change suffice. It tends to be that in the enterprise it needs something a little bit more structured. What works best?[00:24:09] Steve White: First off, I don't think that I've seen a one-size-fits-all for every enterprise, because honestly it is a very cultural perspective. Even within enterprises, there's a big variety in culture. 
But I will say that I think the most effective thing I have seen in terms of helping the developers understand the impacts and the importance of security is frankly the value of something like a pen test, but a pen test specific to the code they're writing, because really a penetration test or a testing like that comes from the attacker mindset. What we're really trying to do in this scenario is to help the developers really adopt an attacker mindset. It's like if I was attacking this code, number one, why would I? Give them some really good illustration like if I break ‘this', then I got to ‘this'. Now, all of a sudden, I copied a thousand credit card numbers or healthcare or health record pieces of information.Nothing I think reinforces that message better than that kind of effort, and that's true from the executive tier and down, right? Like a good penetration test that demonstrates a chain of vulnerabilities carries powerful illustration.[00:25:26] Guy Podjarny: A sobering moment too. [00:25:27] Steve White: It does. Those things don't have to be external, so the other really interesting thing here is if you're building this kind of culture, is you can actually build a pen testing or a vulnerability assessing kind of mindset even within the application development organization, right? There's nothing that says that you might not take a Sprint and attack your own code or attack your neighbor's code and have them attack yours. Actually, you spend some time having folks go out actually purposefully attempt to exploit their own code or the other team's code. It really reinforces these things of, A, thinking like an attacker, understanding how these things can chain together and more importantly leading back to what's really important to the business.Every developer I've ever worked with, they care about the business. They care about what's important to the business. They care about their code doing good things for the business. 
If you can always tie these back to what data is being protected, how their code fits into that story, and if you can make this connection very visceral through pen testing and those kinds of things, I find that carries a lot of emotional value for the organizations.[00:26:42] Guy Podjarny: I love that as well. I mean, it's like security to an extent is sobering, as well as fun. So security and risk is – This other one's boring but sort of –[00:26:51] Steve White: I will tell people like the most fun I ever had in security is red teaming, right? That was my most fun assignment ever in security was being a red teamer or a black hat hacker.[00:27:02] Guy Podjarny: One more question on the dev side. We're going to level up a little bit. What you suggested right now is good for like getting them engaged, kind of getting them alive. How do you measure if they're doing a good job? I guess that's just not the developer's job but security as a whole. But how do you know that it's working?[00:27:21] Steve White: There are I think various ways to answer that question. But ultimately, it comes down to me. Number one, are the risk metrics that you use as an enterprise, are they improving? Every enterprise has a set of risk metrics that they're tracking as it relates to all parts of the organization, and so the way to look at this from the app developer side is a set of those metrics that apply to the custom developed applications and the platforms on which they're running. One way of looking at this is simply talking about are those risk metrics going down or up. Whichever way they're going, having a pretty open honest conversation about what it is that's driving those metrics down or up. So that's one way.Another way to look at that would be in the – I'm thinking of the relational metrics of it, right? I'm big on actually having people who are working together, basically kind of rating that experience or rating their collective collaboration. 
I'm looking for a word here, but it's like how do I rate the effectiveness of my collaboration. That's ultimately what I'm after. I think –[00:28:34] Guy Podjarny: Almost like a sentiment element – [00:28:36] Steve White: Yes. It's almost like an NPS. It's like a net promoter score but it's internal, and so I would say you're seeing success in this scenario if you ask the app development organization, “Hey, how good of a partner is security? How easy is it to follow the guardrails? What roadblocks are you seeing in the security processes,” and vice versa. You marry that up with similar questions from the security organization. Hey, how receptive do you find the app development teams? How collaborative is your relationship with them? How is the quality of the security in the custom-built applications going? Ask these questions on both sides of that equation and focus on sort of the collaborative aspects of it more than the “are the desk tools results going up or down in terms of vulnerability”. That's sort of an irrelevant metric to me, frankly.The number of vulnerabilities found in the source code, well, that can change just as I release a new tool into the environment, and it skyrockets, right? So I think more about metrics that are more about collaboration, effectiveness, and then ultimately like what really is getting through like flow. How easy is the flow of applications through my security pipeline? If it's easy to flow things through that are secure, great. If it's not so easy to flow things through, even if they're secure, that's a red flag, and you can put metrics around that. You can measure it.[00:30:07] Guy Podjarny: That's awesome. I definitely agree with kind of the sentiment of like it's people first, and you do those sorts of just the metrics. But there's a lot. 
I haven't heard this sort of the survey idea or this notion of ask people thing if they are collaborating well or not.Before I kind of ask you for your bit of advice, just one overlaying question. You've been in security for a while and you've kind of seen it transition. You're also advising organizations specifically on that transition from pre-imposed cloud native. It must have sort of developed more of a sort of – beyond the frameworks and all that, some crunch, some sort of sniff test about you're coming in, some properties that you're sort of seeing indicate, hey this company is probably not or is very effective in security. What would you say are like the key highlights that really kind of triggered that alert and how has that changed between kind pre-cloud native I guess, which arbitrarily affects the worlds into pre-cloud, post-cloud? [00:31:06] Steve White: There's a lot of things I would say around that one. The first and most important I would go back to - is there an ongoing collaborative relationship between security and the application development teams? Is that relationship through service desk tickets or is there an actual conversation happening on a regular basis? That, to me, is the key indicator of a problem. If there is not an active ongoing like daily or weekly conversation happening with active participation from security and app dev, then I think you need to dig deeper because I think that's indicative of a challenge. If all communication is through service desk tickets and those service desk tickets take three weeks to solve, I mean that's an indication of an organization that may have some challenges in these kinds of digital transformations. That's the point of it, right. These kinds of digital transformations are all about speed and agility, so you only get speed and agility if you're having active conversation versus trying to communicate sort of asynchronously. 
That's number one to me.Number two comes down to that conversation about gates versus guardrails. If I look at an organization, I can pretty quickly determine “do the application development teams have some guardrails to function within or do they have a bunch of gates they have to get through that I have to toss things over a silo wall to get security approvals.” That's really another really big indicator, right? Those are two key ones, and then there's a whole ton other ones like how you're giving feedback on your security testing, how effective is your security testing and how well tuned is it, are you providing developer feedback to keyboard entry layer, etc. etc. All of those are indicators, but the first two always come back to that. How do they communicate? How do they collaborate?[00:32:56] Guy Podjarny: They're both great. Would you say like are they just as important in the sort of the pre-cloud era as they are post? Is it – How they're useful here like when you actually not even recommend them if you're sort of developing some [inaudible 00:33:12] applications.[00:33:14] Steve White: Yeah, but I'll be careful. It's not so much about the word ‘cloud', because the word ‘cloud' can imply a move to the public cloud. It can imply a lot of things. I use the term cloud native, which is I like to define four key things. Cloud native architecture and organizations are defined by microservices. They're writing all their apps as microservices. They're defined by automated CICD pipelines. They're doing SRE/DevOps kinds of things and they're doing containers.Those four things really make up a cloud native organization. 
I would say that traditional enterprises who are not defined by those four things, if they're not doing containers, if they're not doing micro services, they're not doing automated CICD, and they're not doing agile DevOps, the existing security mechanisms may work fine for what they're trying to achieve, because the existing security mechanisms kind of grew up and were developed in that world, and they work fine if you weren't trying to make those kinds of transformations.But those are the exact things that put the existing security measures in a lot of pressure on them, right? When you're doing automated microservice agile code development, trying to release features to production, say, daily, the traditional code review, code testing feedback cycle just doesn't work. The short answer is it can work for traditional enterprise to continue to do security the way they have done it. Most enterprises that are writing custom code, they don't have the luxury to stay there. They have to move into this cloud native world in order to compete. They'll become irrelevant if they don't.[00:35:00] Guy Podjarny: Yeah. No, absolutely. Fully aligned, and you're right about this. I am sometimes kind of lazy and say cloud where they really mean cloud native in their approach but just the challenge of it. In that one, it's like – For most enterprises, the switch to cloud native is hardly a one-time thing, they will have a for a long period of time a portion of their assets or kind of their technology stacks be cloud native and a portion remain in that traditional surrounding. 
Would you advocate using kind of those, if you will, cloud native approaches to security across the board or would you actually kind of bifurcate the organization to say it's actually better for the sort of the traditional enterprises sort of stay where it was?[00:35:44] Steve White: Well, I would definitely suggest that it's best long-term to get the entire approach to security aligned with what I've described for cloud native. But if you have a bifurcated – Most enterprises are as you said. We've got a lot of existing things that we have to keep up and running and maintain in those kinds of pieces. For most organizations, this is not an overnight transition on the security side either, right? So I would suggest that it's best for those organizations to start the transition now. Get moving on transforming security just like you've got moving, transforming application development and have a plan and a strategy to make that transformation universal across all of security. But you don't have to do it overnight, just like you don't have to transform all of the application development overnight, right? Make it sensible for your organization. Make the right pace of change, something that the larger organization can consume, and do it in a planful way.Ultimate answer is you – I mean, this kind of transformation is great for all of security, but you don't have to artificially rush it to get there immediately for the whole organization. Do it incrementally, just like everything else.[00:37:04] Guy Podjarny: A nice kind of full circle as well is one of your first bits of advice. It's kind of pick the area you're going to start first. It's very clear. This has been some jam-packed with great advice I think for the whole journey. But I'll ask you for one more. 
As you know, I like to ask every guest that sort of come to the show if you have kind of one bit of advice or even like a pet peeve or something that kind of annoys you when people start doing if you'd like to give sort of a team that is looking to kind of level up their security too, what would that be?[00:37:33] Steve White: That would be focus on the actual threats to your organization, not the science lab projects that your neighbor has dreamed up. Keep your organization focused on combating those threats. That, to me, is like "my number one advised any security team. Focus on the real threats, not necessarily all of the imaginary ones."[00:38:02] Guy Podjarny: Excellent spoken like a person who's had many conversation with enterprise security teams with advanced [inaudible 00:38:09] threat and nightmares –[00:38:10] Steve White: I've had lots of conversations with lots of really brilliant people. To be clear, there are organizations under some very, very sophisticated threats. I have a pretty long military career in cyber, and there are lots of really interesting threats out there. But a lot of enterprises out there today aren't going to see those threats.[00:38:29] Guy Podjarny: That's great advice. Steve, this has been a pleasure. Thanks a lot for coming on the show.[00:38:33] Steve White: Absolutely. Thanks for having me.[00:38:33] Guy Podjarny: Thanks, everybody, for tuning in. I hope you join us for the next one.[END OF INTERVIEW]