Cloud Security Reinvented

Episode Summary

The cloud has made many processes straightforward. The pace of expansion and the ease of introducing new services make it attractive. But, these advantages come with complexity, especially from a security standpoint.

Therefore, it is critical to make everyone's activities in the digital space as secure as possible. Consequently, companies must focus on mitigating security risks and building trust with their clients and consumers.

In this episode of Cloud Security Reinvented, our host Andy Ellis welcomes Allison Miller, the VP of Trust at Reddit. Allison and Andy discuss the differences between the on-premise and cloud era, the best and worst practices of on-premise, and the opportunities for growth in the cloud.

Guest-at-a-Glance

💡 Name: Allison Miller

💡 What she does: Allison is the VP of Trust at Reddit.

💡 Websites: Reddit

💡 Noteworthy: Allison was in marketing before dedicating her career to cybersecurity.

💡 Where to find Allison: LinkedIn

Episode Summary

The cloud has made many processes straightforward. The pace of expansion and the ease of introducing new services make it attractive. But, these advantages come with complexity, especially from a security standpoint.

Therefore, it is critical to make everyone's activities in the digital space as secure as possible. Consequently, companies must focus on mitigating security risks and building trust with their clients and consumers.

In this episode of Cloud Security Reinvented, our host Andy Ellis welcomes Allison Miller, the VP of Trust at Reddit. Allison and Andy discuss the differences between the on-premise and cloud era, the best and worst practices of on-premise, and the opportunities for growth in the cloud.

Guest-at-a-Glance

💡 Name: Allison Miller

💡 What she does: Allison is the VP of Trust at Reddit.

💡 Websites: Reddit

💡 Noteworthy: Allison was in marketing before dedicating her career to cybersecurity.

💡 Where to find Allison: LinkedIn

Episode Summary

There's an overwhelming amount of information coming at us every single day. And from a risk management and security point of view, it's become even more challenging to deal with zero-day vulnerabilities.

The key is to not be reactive; you have to take a more proactive approach to zero-day vulnerabilities.

In this episode of the Cloud Security Reinvented podcast, host Andy Ellis welcomes Amanda Fennell, the CIO and CSO at Relativity. They chat about her dual CIO-CSO role, why different priorities mean different cloud experiences, and the importance of investing in preventive solutions before it's too late.

Guest-at-a-Glance

💡 Name: Amanda Fennell

💡 What she does: She's the CIO and CSO at Relativity.

💡 Company: Relativity

💡 Noteworthy: Amanda joined the Relativity team in 2018 as the CSO, and her responsibilities expanded to include the role of the CIO in 2021. She's responsible for championing and directing security strategy in risk management and compliance practices, as well as building and supporting Relativity's information technology. Amanda also hosts Relativity's Security Sandbox podcast, which explores and explains the unique links between non-security topics and the security realm.

💡 Where to find Amanda: LinkedIn

Episode Summary

There's an overwhelming amount of information coming at us every single day. And from a risk management and security point of view, it's become even more challenging to deal with zero-day vulnerabilities.

The key is to not be reactive; you have to take a more proactive approach to zero-day vulnerabilities.

In this episode of the Cloud Security Reinvented podcast, host Andy Ellis welcomes Amanda Fennell, the CIO and CSO at Relativity. They chat about her dual CIO-CSO role, why different priorities mean different cloud experiences, and the importance of investing in preventive solutions before it's too late.

Guest-at-a-Glance

💡 Name: Amanda Fennell

💡 What she does: She's the CIO and CSO at Relativity.

💡 Company: Relativity

💡 Noteworthy: Amanda joined the Relativity team in 2018 as the CSO, and her responsibilities expanded to include the role of the CIO in 2021. She's responsible for championing and directing security strategy in risk management and compliance practices, as well as building and supporting Relativity's information technology. Amanda also hosts Relativity's Security Sandbox podcast, which explores and explains the unique links between non-security topics and the security realm.

💡 Where to find Amanda: LinkedIn

Episode Summary

Cybersecurity is an ever-changing field. And since the emergence of the cloud, social media networks, and machine learning algorithms, the security space has continued to evolve to respond to the market's needs.

But some things never change — the willingness to learn, adapt, and improve remains the golden standard of cybersecurity.

In this episode of the Cloud Security Reinvented podcast, our host Andy Ellis welcomes Roland Cloutier, the Global Chief Security Officer at TikTok. They talk about the most significant changes since the emergence of cloud computing, what it's like to work at TikTok, and why technologists should always keep learning.

##

Guest-at-a-Glance

💡 Name: Roland Cloutier

💡 What he does: He's the Global Chief Security Officer at TikTok.

💡 Company: TikTok

💡 Noteworthy: As Global Chief Security Officer of TikTok, Roland Cloutier brings an unprecedented understanding and knowledge of global protection and security leadership to one of the world's leading media, social, and technology companies. He oversees the company's information protection, risk, workforce protection, crisis management, and investigative security operations worldwide.

💡 Where to find Roland: LinkedIn

##

Key Insights

⚡ Overseeing the security and risk program for TikTok is an exciting learning experience. Coming from law enforcement and the military, Roland experienced a major shift in his career when he entered the competitive technology space and joined the world's fastest-growing social media giant, TikTok. So, what has this experience been like? According to Roland, it's been an enormous learning opportunity. He explains, "You've got to be ready for that speed and feed. You've got to be ready for that high level of operational tempo that we have, and adjusting my leadership style and capability to ensure that I enable that for the team has been one of the biggest learning opportunities for me."

⚡ Always keep learning. While there are many pre-cloud norms and practices that we should leave behind us, some things should never change, such as the willingness to learn. Roland explains, "Always keep learning. Folks that are static in this environment are going to wither away. On a daily basis, these amazing companies and technology platforms are delivering net new capability. Sometimes I'm embarrassed when my teams are talking, and I did not know that was actually even possible. As practitioners, as professionals, as leaders, you have to keep up on it, especially as technologists; you have to continue to learn. So I don't think that ever changes."

⚡ Speed and scale are the biggest perks of cloud computing. Cloud computing has certainly made everything easier, especially cybersecurity. Roland shares what he believes are the greatest benefits of the cloud. "Remember when you had to think about how many boxes do I need to order it with, how many cores, and how much memory in order to support that? Whereas today, we might have a dynamic attack issue, and in less than an hour, I can spin up an environment that has six times the data center capability that I was protecting before. The speed and the scale are just insane. I also think that with that comes the pace of innovation."

##

Episode Highlights

There are significant differences in security language and focus across different industries

"I do a lot of transition work with people coming out of law enforcement, government, and the military — to help them through that transition because the language is different, and the focus is different. When you're in global protection and in law enforcement organizations, you're outside of companies — you're dealing with people all over the world regarding critical global issues. And then, all of a sudden, you're inside, and you're trying to use the same language."

The level of scale and security at TikTok might be surprising to some people

"I think what people forget when they migrate to the cloud, and they start putting production operations into that environment, is the level of scale that takes to accomplish it. I was at a CSO meeting in West Palm Beach this week with a bunch of really amazing CSOs and CISOs from across the industry, and we were talking about the scalability concept and the ability to deliver assurance like we were talking about a minute ago. The technologies that drive that also give us the capability to do really great security."

Cloud has brought a new pace of innovation

"If you think about TikTok — and we truly move at the speed of culture here — we're always saying that culture starts at TikTok; therefore, our product has to be at the speed of culture. You've got to keep up that pace, and so you have to be able to create new products, new environments, new production capabilities, and everything that supports it has to be in place. So the ability to keep up with culture has been really, really interesting to me."

Machine learning and artificial intelligence can solve problems for us

"Now with the speed and feed, some of these attacks we see in some of these organized criminal capabilities that are operating out of data centers globally — that have entire data centers, not like a box that they ripped off somewhere else, and they're doing something — and have such massive data environments that they're targeting organizations and being able to do it in such unique, subversive ways. AI and ML will give us insight into these massive capabilities across so many different parts of our stack."

Understand the entirety of the business

"How do we imagine a product, how do we develop it, and how do we market it? How do we build it? How do we sell it, deliver it, monetize it, and how do we service it? And how do you do it all over again? That entire value chain. How do you look at the entirety of the business? It's the ecosystem — that business with internal and external partners."

Episode Summary

Cybersecurity is an ever-changing field. And since the emergence of the cloud, social media networks, and machine learning algorithms, the security space has continued to evolve to respond to the market's needs.

But some things never change — the willingness to learn, adapt, and improve remains the golden standard of cybersecurity.

In this episode of the Cloud Security Reinvented podcast, our host Andy Ellis welcomes Roland Cloutier, the Global Chief Security Officer at TikTok. They talk about the most significant changes since the emergence of cloud computing, what it's like to work at TikTok, and why technologists should always keep learning.

##

Guest-at-a-Glance

💡 Name: Roland Cloutier

💡 What he does: He's the Global Chief Security Officer at TikTok.

💡 Company: TikTok

💡 Noteworthy: As Global Chief Security Officer of TikTok, Roland Cloutier brings an unprecedented understanding and knowledge of global protection and security leadership to one of the world's leading media, social, and technology companies. He oversees the company's information protection, risk, workforce protection, crisis management, and investigative security operations worldwide.

💡 Where to find Roland: LinkedIn

##

Key Insights

⚡ Overseeing the security and risk program for TikTok is an exciting learning experience. Coming from law enforcement and the military, Roland experienced a major shift in his career when he entered the competitive technology space and joined the world's fastest-growing social media giant, TikTok. So, what has this experience been like? According to Roland, it's been an enormous learning opportunity. He explains, "You've got to be ready for that speed and feed. You've got to be ready for that high level of operational tempo that we have, and adjusting my leadership style and capability to ensure that I enable that for the team has been one of the biggest learning opportunities for me."

⚡ Always keep learning. While there are many pre-cloud norms and practices that we should leave behind us, some things should never change, such as the willingness to learn. Roland explains, "Always keep learning. Folks that are static in this environment are going to wither away. On a daily basis, these amazing companies and technology platforms are delivering net new capability. Sometimes I'm embarrassed when my teams are talking, and I did not know that was actually even possible. As practitioners, as professionals, as leaders, you have to keep up on it, especially as technologists; you have to continue to learn. So I don't think that ever changes."

⚡ Speed and scale are the biggest perks of cloud computing. Cloud computing has certainly made everything easier, especially cybersecurity. Roland shares what he believes are the greatest benefits of the cloud. "Remember when you had to think about how many boxes do I need to order it with, how many cores, and how much memory in order to support that? Whereas today, we might have a dynamic attack issue, and in less than an hour, I can spin up an environment that has six times the data center capability that I was protecting before. The speed and the scale are just insane. I also think that with that comes the pace of innovation."

##

Episode Highlights

There are significant differences in security language and focus across different industries

"I do a lot of transition work with people coming out of law enforcement, government, and the military — to help them through that transition because the language is different, and the focus is different. When you're in global protection and in law enforcement organizations, you're outside of companies — you're dealing with people all over the world regarding critical global issues. And then, all of a sudden, you're inside, and you're trying to use the same language."

The level of scale and security at TikTok might be surprising to some people

"I think what people forget when they migrate to the cloud, and they start putting production operations into that environment, is the level of scale that takes to accomplish it. I was at a CSO meeting in West Palm Beach this week with a bunch of really amazing CSOs and CISOs from across the industry, and we were talking about the scalability concept and the ability to deliver assurance like we were talking about a minute ago. The technologies that drive that also give us the capability to do really great security."

Cloud has brought a new pace of innovation

"If you think about TikTok — and we truly move at the speed of culture here — we're always saying that culture starts at TikTok; therefore, our product has to be at the speed of culture. You've got to keep up that pace, and so you have to be able to create new products, new environments, new production capabilities, and everything that supports it has to be in place. So the ability to keep up with culture has been really, really interesting to me."

Machine learning and artificial intelligence can solve problems for us

"Now with the speed and feed, some of these attacks we see in some of these organized criminal capabilities that are operating out of data centers globally — that have entire data centers, not like a box that they ripped off somewhere else, and they're doing something — and have such massive data environments that they're targeting organizations and being able to do it in such unique, subversive ways. AI and ML will give us insight into these massive capabilities across so many different parts of our stack."

Understand the entirety of the business

"How do we imagine a product, how do we develop it, and how do we market it? How do we build it? How do we sell it, deliver it, monetize it, and how do we service it? And how do you do it all over again? That entire value chain. How do you look at the entirety of the business? It's the ecosystem — that business with internal and external partners."

Episode Summary

When someone says Pinterest, the first thing that comes to mind is a social platform and a place to seek inspiration. But for the people working behind the scenes, it's more than that.

In February 2021, Pinterest had 459 million active monthly users. That's a lot of data and traffic, and security measures must be put in place for an exceptional user experience. So how do they do it?

In this episode of Cloud Security Reinvented, our host Andy Ellis chats with Andy Steingruebl, the Chief Security Officer at Pinterest. The two discuss the difference between the on-premise and cloud era and what differentiates Pinterest from companies like PayPal. They also touch upon the best and worst on-premise practices and the future of technology.

Guest-at-a-Glance

💡 Name: Andy Steingruebl

💡 What he does: Andy is the Chief Security Officer at Pinterest.

💡 Websites: Pinterest

💡Noteworthy: Andy is an Information Security professional with more than 25 years of experience. He has extensive experience in most security management and architecture areas, including Policy, Compliance, Communication, Infrastructure, and Incident Response. He is an excellent communicator with the ability to communicate with all levels of the organization, customers, policymakers, and regulators. He has a track record of significantly contributing toward making the internet a safer, more secure place for users and companies.

💡 Where to find Andy: LinkedIn

Key Insights

⚡ Transitioning to the cloud was challenging. With all the cloud's benefits, it's hard to understand how we functioned without it. However, as Andy explains, even professionals in the security field had to adjust to it. ''Now, the big issue is trying to come up with policies for yourself on what stuff you need to have your arms tied around and what are the principles. How do you set the right security bar for an outsourced vendor who's going to have access to your stuff or provide some key business function? [...] We're long past, 'I'm not putting some of my really sensitive stuff in the cloud.' You use Workday, Google for mail, and so on.''

⚡ It's all about efficiency, but we must have the right people in the right positions. Technology today is all about making resources and tools accessible to as many people as possible to enable faster solution development or problem-solving. But is this a good thing? ''The blessing and the curse of the cloud is that because you can deploy so many resources to a problem, sometimes you don't get as focused on how much it is costing you, or if this is the best way to use the technology? [...] So a really interesting perspective is how we've pushed around some of the work. The work doesn't go away; it either doesn't get done, or people who aren't specialized at it are doing it. The same can happen with security, where you let everybody be responsible for certain rules instead of letting a few people try to set a definitive posture like that firewall. I'm not suggesting it's the exact right model, but having some things you can have certainty around is nice, and we've moved away from that. And it's hard to function in that world.''

⚡ Focus more on people. A piece of advice Andy gives to his young colleagues is to develop healthy relationships with teammates. Yes, everyone will focus on growing professionally, but sometimes it is more challenging to develop high-quality social skills than technical ones. ''As you try to move upwards in your career, it's not just the technical stuff because pretty soon you will outgrow the problems you can solve all by yourself. And once you outgrow problems you can solve by yourself, you need to collaborate with others and how well you can do that is important.''

Episode Highlights

How Has Our Perspective of Security Changed in the Cloud Era?

''I was an on-prem guy, and I remember doing vulnerability management. We would buy some bit of vuln scanning stuff to put inside our environment because one, the network access required was pretty scary, and two, vulnerabilities are really serious. So who wants other people to know about your vulnerabilities?

So, Qualis comes out with a product. They say, 'We're going to do this vuln scanning thing, but from the cloud, and you put it up on our website.' And I remember being freaked out about that. Like, 'Oh my gosh. You're crazy. I'm not going to do that.'

[But in the] new world where you don't have to do it yourself, and in most cases, you probably don't want to. And in many cases, we tell people, 'Don't do it yourself. Don't run your mail system. Pay somebody else to do that. It's too big a pain in the butt with too many risks. That's sensitive stuff, but don't keep that in house. You're not going to do it as well as you can pay somebody else like Google or Microsoft to do it for you.'''

Companies Differ by Traffic Volume Online

''It's a little bit industry-specific; you deal with lots of traffic [...] It was a big adjustment when I got to PayPal to realize. If you've been working at a lot of businesses that aren't internet-scale businesses, you don't understand traffic volumes and the torture testing that you put systems through. [...] It's the traffic volume difference between a business with a browser, an interaction component, and just a transaction piece.''

What Does the Future Holds for Technology

''In the pure security space, I think unification. Trying to unify things into simpler policies that we can have — we can go back to having a declarative security policy. [...] I'm a big fan of protocols and declarative security policies — not the things that are enforced by code, but things that you can look at in a policy and reason about. [...]

And the other one is that slowly but surely we're moving managed code and programming languages that make it harder to make mistakes or at least some of the security mistakes of the past. So, like that, that's going to be a pretty foundational change as well. I think at least in the security of taking the burden off lots of folks and eliminating a whole bunch of attacks.''

Episode Summary

When someone says Pinterest, the first thing that comes to mind is a social platform and a place to seek inspiration. But for the people working behind the scenes, it's more than that.

In February 2021, Pinterest had 459 million active monthly users. That's a lot of data and traffic, and security measures must be put in place for an exceptional user experience. So how do they do it?

In this episode of Cloud Security Reinvented, our host Andy Ellis chats with Andy Steingruebl, the Chief Security Officer at Pinterest. The two discuss the difference between the on-premise and cloud era and what differentiates Pinterest from companies like PayPal. They also touch upon the best and worst on-premise practices and the future of technology.

Guest-at-a-Glance

💡 Name: Andy Steingruebl

💡 What he does: Andy is the Chief Security Officer at Pinterest.

💡 Websites: Pinterest

💡Noteworthy: Andy is an Information Security professional with more than 25 years of experience. He has extensive experience in most security management and architecture areas, including Policy, Compliance, Communication, Infrastructure, and Incident Response. He is an excellent communicator with the ability to communicate with all levels of the organization, customers, policymakers, and regulators. He has a track record of significantly contributing toward making the internet a safer, more secure place for users and companies.

💡 Where to find Andy: LinkedIn

Key Insights

⚡ Transitioning to the cloud was challenging. With all the cloud's benefits, it's hard to understand how we functioned without it. However, as Andy explains, even professionals in the security field had to adjust to it. ''Now, the big issue is trying to come up with policies for yourself on what stuff you need to have your arms tied around and what are the principles. How do you set the right security bar for an outsourced vendor who's going to have access to your stuff or provide some key business function? [...] We're long past, 'I'm not putting some of my really sensitive stuff in the cloud.' You use Workday, Google for mail, and so on.''

⚡ It's all about efficiency, but we must have the right people in the right positions. Technology today is all about making resources and tools accessible to as many people as possible to enable faster solution development or problem-solving. But is this a good thing? ''The blessing and the curse of the cloud is that because you can deploy so many resources to a problem, sometimes you don't get as focused on how much it is costing you, or if this is the best way to use the technology? [...] So a really interesting perspective is how we've pushed around some of the work. The work doesn't go away; it either doesn't get done, or people who aren't specialized at it are doing it. The same can happen with security, where you let everybody be responsible for certain rules instead of letting a few people try to set a definitive posture like that firewall. I'm not suggesting it's the exact right model, but having some things you can have certainty around is nice, and we've moved away from that. And it's hard to function in that world.''

⚡ Focus more on people. A piece of advice Andy gives to his young colleagues is to develop healthy relationships with teammates. Yes, everyone will focus on growing professionally, but sometimes it is more challenging to develop high-quality social skills than technical ones. ''As you try to move upwards in your career, it's not just the technical stuff because pretty soon you will outgrow the problems you can solve all by yourself. And once you outgrow problems you can solve by yourself, you need to collaborate with others and how well you can do that is important.''

Episode Highlights

How Has Our Perspective of Security Changed in the Cloud Era?

''I was an on-prem guy, and I remember doing vulnerability management. We would buy some bit of vuln scanning stuff to put inside our environment because one, the network access required was pretty scary, and two, vulnerabilities are really serious. So who wants other people to know about your vulnerabilities?

So, Qualis comes out with a product. They say, 'We're going to do this vuln scanning thing, but from the cloud, and you put it up on our website.' And I remember being freaked out about that. Like, 'Oh my gosh. You're crazy. I'm not going to do that.'

[But in the] new world where you don't have to do it yourself, and in most cases, you probably don't want to. And in many cases, we tell people, 'Don't do it yourself. Don't run your mail system. Pay somebody else to do that. It's too big a pain in the butt with too many risks. That's sensitive stuff, but don't keep that in house. You're not going to do it as well as you can pay somebody else like Google or Microsoft to do it for you.'''

Companies Differ by Traffic Volume Online

''It's a little bit industry-specific; you deal with lots of traffic [...] It was a big adjustment when I got to PayPal to realize. If you've been working at a lot of businesses that aren't internet-scale businesses, you don't understand traffic volumes and the torture testing that you put systems through. [...] It's the traffic volume difference between a business with a browser, an interaction component, and just a transaction piece.''

What Does the Future Holds for Technology

''In the pure security space, I think unification. Trying to unify things into simpler policies that we can have — we can go back to having a declarative security policy. [...] I'm a big fan of protocols and declarative security policies — not the things that are enforced by code, but things that you can look at in a policy and reason about. [...]

And the other one is that slowly but surely we're moving managed code and programming languages that make it harder to make mistakes or at least some of the security mistakes of the past. So, like that, that's going to be a pretty foundational change as well. I think at least in the security of taking the burden off lots of folks and eliminating a whole bunch of attacks.''

Episode Summary

The cloud has been around for a while now. And ever since it emerged — two decades ago — it has brought in new ways to think about security, identity, and access management.

But at the end of the day, we still need to make sure that the right people have the right information at the right time.

In this episode of the Cloud Security Reinvented podcast, our host Andy Ellis welcomes Meg Anderson, the VP - CISO at Principal Financial Group. They talk about the changes in cloud security since the emergence of the cloud, some of the best and worst practices, and what the future holds for cloud security.

##

Guest-at-a-Glance

💡 Name: Meg Anderson

💡 What she does: She's the VP - CISO at Principal Financial Group.

💡 Company: Principal Financial Group

💡 Noteworthy: Meg participates in a number of CISO councils. She is a board member of the Financial Services Information Sharing and Analysis Center (FS-ISAC), where she chairs the Strategy Committee and is on the FinCyber Advisory Group for the Carnegie Endowment for International Peace. Before the role of VP - CISO, Meg acquired over twenty years of technical and leadership experience in application development.

💡 Where to find Meg: LinkedIn

##

Key Insights

⚡ Adversarial relationships within a company can hinder security. There's no room for adversarial relationships in cloud security. We need to embrace collaboration and partnership. Meg talks about Principal Financial Group's culture, "At Principal, what I think is different when I think about cloud security is that there are no adversarial relationships. We're all learning; we're all respectful. And obviously, I say all, but sometimes, there are conflicts. However, we get through them. And I think that that culture is really important."

⚡ Access control and data protection are essential. As we expand in the cloud, we need to keep prioritizing access control and data protection. Meg explains, "They have to be very intentionally thought about and architected. The cloud brings new ways, of course, to think about identity and access management. There are new tools to do it with, but then, in the end, we still really need to make sure that the right people have access to the right information at the right time, and we can't lose sight of that. And our customers trust that we'll protect their information and money no matter where we're doing our computing. So it's not a choice."

⚡ You need to have a strategy. If you want to move forward and adopt the cloud, you need to put a strategy in place first. Meg explains, "If you start with the strategy, it'll pay dividends. You'll reduce risk. You'll increase efficiency. You're probably going to save time and money. It's probably going to turn out better. You're not going to be creating tech debt. So really, stepping into the cloud with a plan is just much better than playing around and looking at it as an opportunity to experiment and try new things."

##

Episode Highlights

Automation is critical for security integration

"There's definitely more ownership by the cloud team and the cloud engineers as compared to relying on specialists that were previously in the infrastructure team. So I think some of the ‘shifting security left’ conversation that we've had over the last decade or more is something that we really need to keep our eye on, because that automation is critical to integrating security into the deployment pipelines and allowing engineers to own their code and its security. That's a change that I think we are, at least, in the midst of here at Principal."

We need to stop oversimplifying the cloud

"Software as a service is very different from platform as a service or infrastructure as a service. So when we simply talk about the cloud, I think it gets to the point of oversimplification that's probably doing more harm than good, especially at the higher levels of companies, at the board regulators. Everyone's asking, 'How are you securing the cloud?' Period. And so, I think that oversimplification might be an opportunity for growth and for us to really be talking about the various components of the cloud a little bit differently in the future."

Don't be afraid to ask for support

"It sounds pretty basic, but early in my career, there were times where I assumed that, 'Well, they're my leader, they should know, and eventually, they'll figure out what I need and what I want.' And while I've never been called shy, I would say that I probably wasted too much time thinking about why they weren't figuring it out. How should I ask them? When should I ask them? And now I see the value in not just asking for investment or the tangible things that you might need, but in asking for support and finding out who will be your advocates in the organization. If you want to make a change and really ask for what you need to get something completed, get somebody to help you across the organization."

Episode Summary

The cloud has been around for a while now. And ever since it emerged — two decades ago — it has brought in new ways to think about security, identity, and access management.

But at the end of the day, we still need to make sure that the right people have the right information at the right time.

In this episode of the Cloud Security Reinvented podcast, our host Andy Ellis welcomes Meg Anderson, the VP - CISO at Principal Financial Group. They talk about the changes in cloud security since the emergence of the cloud, some of the best and worst practices, and what the future holds for cloud security.

##

Guest-at-a-Glance

💡 Name: Meg Anderson

💡 What she does: She's the VP - CISO at Principal Financial Group.

💡 Company: Principal Financial Group

💡 Noteworthy: Meg participates in a number of CISO councils. She is a board member of the Financial Services Information Sharing and Analysis Center (FS-ISAC), where she chairs the Strategy Committee and is on the FinCyber Advisory Group for the Carnegie Endowment for International Peace. Before the role of VP - CISO, Meg acquired over twenty years of technical and leadership experience in application development.

💡 Where to find Meg: LinkedIn

##

Key Insights

⚡ Adversarial relationships within a company can hinder security. There's no room for adversarial relationships in cloud security. We need to embrace collaboration and partnership. Meg talks about Principal Financial Group's culture, "At Principal, what I think is different when I think about cloud security is that there are no adversarial relationships. We're all learning; we're all respectful. And obviously, I say all, but sometimes, there are conflicts. However, we get through them. And I think that that culture is really important."

⚡ Access control and data protection are essential. As we expand in the cloud, we need to keep prioritizing access control and data protection. Meg explains, "They have to be very intentionally thought about and architected. The cloud brings new ways, of course, to think about identity and access management. There are new tools to do it with, but then, in the end, we still really need to make sure that the right people have access to the right information at the right time, and we can't lose sight of that. And our customers trust that we'll protect their information and money no matter where we're doing our computing. So it's not a choice."

⚡ You need to have a strategy. If you want to move forward and adopt the cloud, you need to put a strategy in place first. Meg explains, "If you start with the strategy, it'll pay dividends. You'll reduce risk. You'll increase efficiency. You're probably going to save time and money. It's probably going to turn out better. You're not going to be creating tech debt. So really, stepping into the cloud with a plan is just much better than playing around and looking at it as an opportunity to experiment and try new things."

##

Episode Highlights

Automation is critical for security integration

"There's definitely more ownership by the cloud team and the cloud engineers as compared to relying on specialists that were previously in the infrastructure team. So I think some of the ‘shifting security left’ conversation that we've had over the last decade or more is something that we really need to keep our eye on, because that automation is critical to integrating security into the deployment pipelines and allowing engineers to own their code and its security. That's a change that I think we are, at least, in the midst of here at Principal."

We need to stop oversimplifying the cloud

"Software as a service is very different from platform as a service or infrastructure as a service. So when we simply talk about the cloud, I think it gets to the point of oversimplification that's probably doing more harm than good, especially at the higher levels of companies, at the board regulators. Everyone's asking, 'How are you securing the cloud?' Period. And so, I think that oversimplification might be an opportunity for growth and for us to really be talking about the various components of the cloud a little bit differently in the future."

Don't be afraid to ask for support

"It sounds pretty basic, but early in my career, there were times where I assumed that, 'Well, they're my leader, they should know, and eventually, they'll figure out what I need and what I want.' And while I've never been called shy, I would say that I probably wasted too much time thinking about why they weren't figuring it out. How should I ask them? When should I ask them? And now I see the value in not just asking for investment or the tangible things that you might need, but in asking for support and finding out who will be your advocates in the organization. If you want to make a change and really ask for what you need to get something completed, get somebody to help you across the organization."

Episode Summary

It's been more than a decade since the cloud emerged as a new concept. And it's safe to say that it has practically become the new normal, especially since the COVID-19 outbreak.

However, when it comes to improving cyber security and risk management in the cloud, we still have a long way to go.

In this episode of the Cloud Security Reinvented podcast, our host Andy Ellis welcomes Sameer Sait, an information security expert and the former CISO of Amazon's Whole Foods Market. They talk about the shift in security mechanisms due to the explosion of the cloud, the importance of shared responsibility, and what we can learn from highly regulated industries. Tune into this episode to hear some insightful observations about the future of cybersecurity.

##

Guest-at-a-Glance

💡 Name: Sameer Sait

💡 Formerly CISO of Amazon / Whole Foods Market

💡 Currently Co-Founder and CRO, BalkanID

💡 Noteworthy: He's an information security and risk executive with 16+ years of global leadership experience at Fortune 100 firms.

💡 Where to find Sameer: LinkedIn

##

Key Insights

⚡ We need a playbook for unexpected outcomes in the cloud. Although we expect the cloud world to move fast and smoothly, sometimes there are some unexpected scenarios. That's why we need to get better at how we manage ownership of assets and processes. Sameer explains: "In the non-cloud native world, there is a kind of alignment of accountability, responsibility, ownership, and influence. I think in the cloud world because we expect to just move really, really fast, and we expect things to get taken care of by a certain set of individuals that are working in DevOps, you just sprinkle on some security and expect it to kind of magically get taken care of. I think there's a little bit of the ‘who owns what’ and [we should be] finding ways to align on the exceptions so that even the exception process has accountability and responsibility."

⚡ Since the explosion of cloud usage, engineers no longer need a policeman; they need a steward. It's safe to say that the cloud has changed the way we do everything, including security. According to Sameer, one thing that stands out is how engineers and builders think about security. He says, "I've been pleasantly surprised, and it's probably a combination of the industry itself having exploded, there being a lot more awareness, and technologies being built to enable secure software development and deployment maintenance. And so, with the explosion of cloud usage, I've been pleasantly surprised that engineers don't really need a policeman anymore. They just need guidance."

⚡We should aim for shared responsibility. According to Sameer, the cloud has created a good opportunity for shared responsibility. Instead of building large, slow-moving organizations, we should move towards small agile teams. Sameer shares his predictions and hopes for the future of security. "I think part of it is also security being built into the cloud. I hope to see more and more big tech companies [...]embracing partnerships with tech security companies to make it so seamless that it becomes part and parcel of how we operate in the cloud. I'm seeing that happen, and that's getting me super excited because I care as much about the usability of a product as I should , and the product manager should care as much about the security of that product. And if we both have those shared outcomes, I think we'll do very well."

##

Episode Highlights

Highly regulated industries set a high bar for cybersecurity

"I think the financial services industry really set me up well, given that there was a higher level of awareness and expectations around cyber risks and the impact of those risks. There were already working groups, like the ISAC; there was an FS-ISAC back then. We didn't have that level of maturity outside of, let's say, financial services and potentially, healthcare. I haven't been in healthcare, but I can say that coming out of those highly regulated, well-managed and risk-managed industries taught me a lot about what a good bar or a high bar for a cybersecurity program looks like."

The physical store space is not always open to changes

"There's been a little bit of hesitation to change, and I don't know if technology or security has actually been an enabler for that or more of, 'Hold on a second, how do we make sure connectivity is good? How do we make sure our data is centralized in terms of storage? How do we move off of systems that we've built for 20 years and have worked fine for us?' So a little bit of the 'If it isn't broken, why fix it?' was what I saw in the physical store space."

Hire for the long term and automate for the short term

"What is something we've always done that maybe doesn't apply in this new world? I would say throwing more people at the problem. My experience has always been that we tend to go and sign up with more consulting services, and we'll just say, 'Well, this is a problem. We need support.' And we'll use that excuse, and I've used this excuse, too. So I'm as much at fault for saying, ‘It's really hard to hire in this hyper-competitive security market. Let's just get some consultants.’ I think we should start thinking like those very smart engineers who are building cloud-native solutions, and about how we can automate discovery, remediation, and things that we know, with a high degree of probability, to be problems that can be solved via X, Y, and Z protocols."

Episode Summary

It's been more than a decade since the cloud emerged as a new concept. And it's safe to say that it has practically become the new normal, especially since the COVID-19 outbreak.

However, when it comes to improving cyber security and risk management in the cloud, we still have a long way to go.

In this episode of the Cloud Security Reinvented podcast, our host Andy Ellis welcomes Sameer Sait, an information security expert and the former CISO of Amazon's Whole Foods Market. They talk about the shift in security mechanisms due to the explosion of the cloud, the importance of shared responsibility, and what we can learn from highly regulated industries. Tune into this episode to hear some insightful observations about the future of cybersecurity.

##

Guest-at-a-Glance

💡 Name: Sameer Sait

💡 What he does: He's the former CISO of Amazon's Whole Foods Market.

💡 Company: N/A

💡 Noteworthy: He's an information security and risk executive with 16+ years of global leadership experience at Fortune 100 firms.

💡 Where to find Sameer: LinkedIn

##

Key Insights

⚡ We need a playbook for unexpected outcomes in the cloud. Although we expect the cloud world to move fast and smoothly, sometimes there are some unexpected scenarios. That's why we need to get better at how we manage ownership of assets and processes. Sameer explains: "In the non-cloud native world, there is a kind of alignment of accountability, responsibility, ownership, and influence. I think in the cloud world because we expect to just move really, really fast, and we expect things to get taken care of by a certain set of individuals that are working in DevOps, you just sprinkle on some security and expect it to kind of magically get taken care of. I think there's a little bit of the ‘who owns what’ and [we should be] finding ways to align on the exceptions so that even the exception process has accountability and responsibility."

⚡ Since the explosion of cloud usage, engineers no longer need a policeman; they need a steward. It's safe to say that the cloud has changed the way we do everything, including security. According to Sameer, one thing that stands out is how engineers and builders think about security. He says, "I've been pleasantly surprised, and it's probably a combination of the industry itself having exploded, there being a lot more awareness, and technologies being built to enable secure software development and deployment maintenance. And so, with the explosion of cloud usage, I've been pleasantly surprised that engineers don't really need a policeman anymore. They just need guidance."

⚡We should aim for shared responsibility. According to Sameer, the cloud has created a good opportunity for shared responsibility. Instead of building large, slow-moving organizations, we should move towards small agile teams. Sameer shares his predictions and hopes for the future of security. "I think part of it is also security being built into the cloud. I hope to see more and more big tech companies [...]embracing partnerships with tech security companies to make it so seamless that it becomes part and parcel of how we operate in the cloud. I'm seeing that happen, and that's getting me super excited because I care as much about the usability of a product as I should , and the product manager should care as much about the security of that product. And if we both have those shared outcomes, I think we'll do very well."

##

Episode Highlights

Highly regulated industries set a high bar for cybersecurity

"I think the financial services industry really set me up well, given that there was a higher level of awareness and expectations around cyber risks and the impact of those risks. There were already working groups, like the ISAC; there was an FS-ISAC back then. We didn't have that level of maturity outside of, let's say, financial services and potentially, healthcare. I haven't been in healthcare, but I can say that coming out of those highly regulated, well-managed and risk-managed industries taught me a lot about what a good bar or a high bar for a cybersecurity program looks like."

The physical store space is not always open to changes

"There's been a little bit of hesitation to change, and I don't know if technology or security has actually been an enabler for that or more of, 'Hold on a second, how do we make sure connectivity is good? How do we make sure our data is centralized in terms of storage? How do we move off of systems that we've built for 20 years and have worked fine for us?' So a little bit of the 'If it isn't broken, why fix it?' was what I saw in the physical store space."

Hire for the long term and automate for the short term

"What is something we've always done that maybe doesn't apply in this new world? I would say throwing more people at the problem. My experience has always been that we tend to go and sign up with more consulting services, and we'll just say, 'Well, this is a problem. We need support.' And we'll use that excuse, and I've used this excuse, too. So I'm as much at fault for saying, ‘It's really hard to hire in this hyper-competitive security market. Let's just get some consultants.’ I think we should start thinking like those very smart engineers who are building cloud-native solutions, and about how we can automate discovery, remediation, and things that we know, with a high degree of probability, to be problems that can be solved via X, Y, and Z protocols."

Episode Summary

Security and privacy are burning topics in the cloud era. But not many companies have professionals dealing with these issues. Therefore, it's critical to make the topic of cybersecurity more accessible to business owners and board members.

In this episode of Cloud Security Reinvented, we get to hear from Justin Somaini, the Chief Security Officer of Unity Technologies. Justin and our host Andy Ellis discuss cloud security and how companies in the iGaming industry approach it.

They also discuss the past and present of cybersecurity and share predictions regarding the cloud's future. Justin also shares a valuable piece of advice anyone interested in becoming part of the security industry could benefit from.

Guest-at-a-Glance

💡 Name: Justin Somaini

💡 What he does: Justin is the Chief Security Officer of Unity Technologies.

💡 Website: Unity Technologies

💡 Noteworthy: Before joining Unity Technologies, Justin worked at PricewaterhouseCoopers and Charles Schwab.

💡 Where to find Justin: LinkedIn

Key Insights

⚡ Cloud security is pretty much the same in all industries. Most people believe working in the gaming industry must be fun. As our guest says, the rumors are true. It's exciting, but it carries many challenges. Here's what Justin says about cloud security in the gaming industry. ''In a lot of ways, it's pretty typical. The difference, I would say, is corporate. You're working in the gaming industry; it's different from financial institutions or otherwise. You have a very energized and technical base culture to work for or work with. However, when you secure SaaS, it's agile. When you start driving the CI/CD pipeline security capabilities and when you're starting to, or not starting but trying to deal with the infrastructure, a multi-cloud concept scales up and scales down.''

⚡ Security theory has remained the same in the cloud era. The switch from on-premise to the cloud has been tremendous in how companies operate and use technology. Automation has become a priority, especially in the SaaS industry. Companies that aspire to grow must embrace changes. However, as Justin explains, some things didn't change regardless of the shift, mainly from a security perspective. ''Security theory has not changed. Confidentiality, integrity, and availability, or if you want to use one of the other models — they are still the same. It's how we apply that to the technology that we have today. So that basic concept of what we do and why we do it is the same.''

⚡ Today's technology allows us to tackle complex challenges. The cloud is here to stay, and technology will continue developing. We’re yet to see what the future holds for the SaaS space and generally, every industry, considering we can't imagine working without technology. ''We have an amazing opportunity to solve some very difficult problems. Let's take patch management or asset management, which has always been a problem in every company. If you're in a multi-cloud space, you have those APIs to be able to identify and an asset management system to be able to change the model and how you do patches. Patch each system, but go back to gold and then do a refresh and have it be scaled. Those are amazing opportunities for core fundamental problems that we've had for well over 25-30 years.''

Episode Highlights

Being an Advisor in the Security Industry

''I find the security industry incredibly fascinating and challenging. And what I came to realize is that there are three legs of the stool. You've got the operator, the CSO, and others in the company. You also have individuals building security solutions for the security vendor community. It's predominantly startups versus larger public companies. And then the third is the investment — VCs.

And so, to stretch your legs a little bit and get more involved in the security apparatus, for lack of a better word, the advisor functions and roles for very early stage [companies], which is a lot of fun for me — getting back to basics, what are the security challenges we need to solve?

That requires solutions that we still really endeavor to provide. And how you can provide real guidance to these companies versus the stereotypical marketing and market demands that go on and make solutions that solve real problems.''

Security Challenges for a Company Such as Unity Technologies

''Unity is fascinating. It's very much a SaaS company, for lack of a better word. We make a real-time 3D engine, which enables creators to create games and a lot of other things on our platform.

When you look at the infrastructure we need to secure, there are two things. One, SaaS company services, et cetera, need to be done. Of course, I have been there and done that and know those challenges. But the scale of the engines sitting on phones, consoles, and PCs is one of the biggest things that attracted me. It has a scale problem that needs to be secured at the end of the day.

Then lastly, when you look at the future. We have unsolved problems: how do we enable privacy, for example, in an AR & VR world, when those mechanisms haven't been put in place yet? I think there are a lot of interesting challenges for the future.''

We Must Stop Chasing Buzzwords in the Industry

''Having a proper risk management process of identifying the issues — what are the things we need to do to solve them versus changing what we are being told that we need to do from marketing and sales and otherwise. [...]

We don't slow down, and take time, and focus on the really important things that are not sexy; they're hard versus focusing on the latest buzzword in threat intel feeds.''

A Piece of Advice for Security Officers

''Don't be afraid to pick up the phone and call other people in the company to have coffee and learn what they do. I spent a fair amount of time later on in my career learning what marketing is. What they do is more than just send out spam. What does the sales team do? How does it work — the funnel? Those things enabled me to learn what's going on in the organization where I work.

And I don't think that a lot of security people know the processes of sales, marketing, or anything else, for that matter, like legal and finance. The more you know about those processes, the better you are able to communicate, influence, and drive alignment and execute.''

Episode Summary

Security and privacy are burning topics in the cloud era. But not many companies have professionals dealing with these issues. Therefore, it's critical to make the topic of cybersecurity more accessible to business owners and board members.

In this episode of Cloud Security Reinvented, we get to hear from Justin Somaini, the Chief Security Officer of Unity Technologies. Justin and our host Andy Ellis discuss cloud security and how companies in the iGaming industry approach it.

They also discuss the past and present of cybersecurity and share predictions regarding the cloud's future. Justin also shares a valuable piece of advice anyone interested in becoming part of the security industry could benefit from.

Guest-at-a-Glance

💡 Name: Justin Somaini

💡 What he does: Justin is the Chief Security Officer of Unity Technologies.

💡 Website: Unity Technologies

💡 Noteworthy: Before joining Unity Technologies, Justin worked at PricewaterhouseCoopers and Charles Schwab.

💡 Where to find Justin: LinkedIn

Key Insights

⚡ Cloud security is pretty much the same in all industries. Most people believe working in the gaming industry must be fun. As our guest says, the rumors are true. It's exciting, but it carries many challenges. Here's what Justin says about cloud security in the gaming industry. ''In a lot of ways, it's pretty typical. The difference, I would say, is corporate. You're working in the gaming industry; it's different from financial institutions or otherwise. You have a very energized and technical base culture to work for or work with. However, when you secure SaaS, it's agile. When you start driving the CI/CD pipeline security capabilities and when you're starting to, or not starting but trying to deal with the infrastructure, a multi-cloud concept scales up and scales down.''

⚡ Security theory has remained the same in the cloud era. The switch from on-premise to the cloud has been tremendous in how companies operate and use technology. Automation has become a priority, especially in the SaaS industry. Companies that aspire to grow must embrace changes. However, as Justin explains, some things didn't change regardless of the shift, mainly from a security perspective. ''Security theory has not changed. Confidentiality, integrity, and availability, or if you want to use one of the other models — they are still the same. It's how we apply that to the technology that we have today. So that basic concept of what we do and why we do it is the same.''

⚡ Today's technology allows us to tackle complex challenges. The cloud is here to stay, and technology will continue developing. We’re yet to see what the future holds for the SaaS space and generally, every industry, considering we can't imagine working without technology. ''We have an amazing opportunity to solve some very difficult problems. Let's take patch management or asset management, which has always been a problem in every company. If you're in a multi-cloud space, you have those APIs to be able to identify and an asset management system to be able to change the model and how you do patches. Patch each system, but go back to gold and then do a refresh and have it be scaled. Those are amazing opportunities for core fundamental problems that we've had for well over 25-30 years.''

Episode Highlights

Being an Advisor in the Security Industry

''I find the security industry incredibly fascinating and challenging. And what I came to realize is that there are three legs of the stool. You've got the operator, the CSO, and others in the company. You also have individuals building security solutions for the security vendor community. It's predominantly startups versus larger public companies. And then the third is the investment — VCs.

And so, to stretch your legs a little bit and get more involved in the security apparatus, for lack of a better word, the advisor functions and roles for very early stage [companies], which is a lot of fun for me — getting back to basics, what are the security challenges we need to solve?

That requires solutions that we still really endeavor to provide. And how you can provide real guidance to these companies versus the stereotypical marketing and market demands that go on and make solutions that solve real problems.''

Security Challenges for a Company Such as Unity Technologies

''Unity is fascinating. It's very much a SaaS company, for lack of a better word. We make a real-time 3D engine, which enables creators to create games and a lot of other things on our platform.

When you look at the infrastructure we need to secure, there are two things. One, SaaS company services, et cetera, need to be done. Of course, I have been there and done that and know those challenges. But the scale of the engines sitting on phones, consoles, and PCs is one of the biggest things that attracted me. It has a scale problem that needs to be secured at the end of the day.

Then lastly, when you look at the future. We have unsolved problems: how do we enable privacy, for example, in an AR & VR world, when those mechanisms haven't been put in place yet? I think there are a lot of interesting challenges for the future.''

We Must Stop Chasing Buzzwords in the Industry

''Having a proper risk management process of identifying the issues — what are the things we need to do to solve them versus changing what we are being told that we need to do from marketing and sales and otherwise. [...]

We don't slow down, and take time, and focus on the really important things that are not sexy; they're hard versus focusing on the latest buzzword in threat intel feeds.''

A Piece of Advice for Security Officers

''Don't be afraid to pick up the phone and call other people in the company to have coffee and learn what they do. I spent a fair amount of time later on in my career learning what marketing is. What they do is more than just send out spam. What does the sales team do? How does it work — the funnel? Those things enabled me to learn what's going on in the organization where I work.

And I don't think that a lot of security people know the processes of sales, marketing, or anything else, for that matter, like legal and finance. The more you know about those processes, the better you are able to communicate, influence, and drive alignment and execute.''

Episode Summary

Cloud security looks a lot different to an outside observer than to an insider. And everyone thinks that some companies are further along in their cloud maturity journey than they really are.

But there's still a lot of work to be done regarding cybersecurity, so organizations should focus more on becoming cloud-native rather than going for the less-demanding "lift-and-shift" migration method.

In this episode of the Cloud Security Reinvented podcast, our host Andy Ellis welcomes Nick Vigier, CISO at Talend. They discuss the downsides of using the forklift migration method, the importance of shifting perspective, and why there is no security career ladder.

Nick has a history of innovation as a CISO in cloud hosting (DigitalOcean) and identity verifcation (ID.me) as well as a CIO in financial services (Gemini Trust Company) with over 20 years of experience in the security industry. He’s now the CISO at Talend, a strategic advisor, and a student of how to make security a strategic partner to the business while giving his teams and organization the safety to innovate quickly.

##

Guest-at-a-Glance

💡 Name: Nick Vigier

💡 What he does: CISO at Talend

💡 Noteworthy: Former CISO at ID.me & DigitalOcean.

💡 Where to find Nick: LinkedIn

##

Key Insights

⚡ Using a forklift migration approach is tempting, but it's not always ideal. The "lift-and-shift" migration method appeals to most organizations, as it's the easiest to employ. But some potential issues may arise with this strategy. Nick and Andy touch upon some of them in this episode. Nick says, "From what I've seen in the field, from a CSO perspective, you have a lot of companies that have forklifted from more physical infrastructures straight into the cloud, and it just doesn't work that way. You can get away with it, but it's going to cost you a lot more. It's going to be a lot more inefficient, and getting cloud-native is really what organizations should be focusing on in a very real sense — which requires a very different set of skills."

⚡ A perspective shift can go a long way. Instead of spending too much of your energy on convincing others to see things your way, you can focus on helping them make better decisions. It's just a matter of shifting your perspective. Nick explains, "That's not my job. My job is to give them an understanding of GroundTruth and help them make an informed decision. And their decision isn't right or wrong — it's just different. And so that allowed me to take a step back from feeling like the decision was personal and more of just everybody comes to the table with different perspectives. And as long as I can give them the facts and help them understand the risk that they're taking, it's neither right nor wrong; it's just different."

⚡ There's no security career ladder; it's a jungle gym. Security is a broad field with massive potential for specialization in different areas. Nick says, "If you look at security in a broad enough sense, it is everything from your engineering work to your product security, application security work, your investigations, your incident response, your governance risk and compliance, privacy, and even physical security, and there are roles in there for everyone. And I think it's key to understand that security isn't just pen testing — a number of people who are early in their career say, 'I just want to be a pen tester.' Well, as someone who had to go through that for a year to realize that it wasn't for me, I’m trying to help people understand where they fit into that journey or what they might have aptitude for."

##

Episode Highlights

Why CISOs should reach out to their communities

"In that type of role, it really allows you to touch a variety of industries and mindsets, but in my experience, only about 20% of the CSOs that you interact with want to engage. [...] I would encourage CISOs to reach out to their communities and partner with people and especially when they are people that are not trying to sell you but are literally just there to try and help to take them up on it. It can't hurt. What do you have to lose?"

The ability to rethink things has changed

"As the cloud changed and networking changed, and other organizations moved to the cloud, some of these considerations that led to, 'Oh, we have to be on-prem,' have gone away. It's been really good to see regulators warming up to the cloud because that's always been a hindrance. Even CMS on the Medicare, Medicaid side has always been very anti-cloud and is now finally coming around. And that eliminates a lot of those hurdles, a lot of those intellectual gut reactions or fight-or-flight type of conversations around the cloud, and you can have a much more objective conversation around what is the best approach. And the feature sets are obviously a lot more complete and mature. So, the ability to rethink things is great from a cloud perspective."

Let's leave automation to the machines and let humans innovate

"There are things that machines do really well, and there are things that people do exceedingly well. People are great at things like pattern recognition, but they just have to be presented in the right way. And so, being able to let the machines do what they do well and automate those things, and then letting the humans be the creative entities that allow the business to innovate versus just doing busywork, or just working harder, is the real promise and what I'm really excited about."

Episode Summary

Cloud security looks a lot different to an outside observer than to an insider. And everyone thinks that some companies are further along in their cloud maturity journey than they really are.

But there's still a lot of work to be done regarding cybersecurity, so organizations should focus more on becoming cloud-native rather than going for the less-demanding "lift-and-shift" migration method.

In this episode of the Cloud Security Reinvented podcast, our host Andy Ellis welcomes Nick Vigier, a CISO and the owner of Rising Tide Security, LLC. They discuss the downsides of using the forklift migration method, the importance of shifting perspective, and why there is no security career ladder.

##

Guest-at-a-Glance

💡 Name: Nick Vigier

💡 What he does: He's the Former CISO at ID.me & DigitalOcean.

💡 Company: Rising Tide Security

💡 Noteworthy: Nick was a founding member of the "FDSecE" role at Palantir. The FDSecE team was part of the Business Development team. It consisted of information security experts responsible for acting as thought leaders with clients in topics ranging from security strategy to forensics.

💡 Where to find Nick: LinkedIn

##

Key Insights

⚡ Using a forklift migration approach is tempting, but it's not always ideal. The "lift-and-shift" migration method appeals to most organizations, as it's the easiest to employ. But some potential issues may arise with this strategy. Nick and Andy touch upon some of them in this episode. Nick says, "From what I've seen in the field, from a CSO perspective, you have a lot of companies that have forklifted from more physical infrastructures straight into the cloud, and it just doesn't work that way. You can get away with it, but it's going to cost you a lot more. It's going to be a lot more inefficient, and getting cloud-native is really what organizations should be focusing on in a very real sense — which requires a very different set of skills."

⚡ A perspective shift can go a long way. Instead of spending too much of your energy on convincing others to see things your way, you can focus on helping them make better decisions. It's just a matter of shifting your perspective. Nick explains, "That's not my job. My job is to give them an understanding of GroundTruth and help them make an informed decision. And their decision isn't right or wrong — it's just different. And so that allowed me to take a step back from feeling like the decision was personal and more of just everybody comes to the table with different perspectives. And as long as I can give them the facts and help them understand the risk that they're taking, it's neither right nor wrong; it's just different."

⚡ There's no security career ladder; it's a jungle gym. Security is a broad field with massive potential for specialization in different areas. Nick says, "If you look at security in a broad enough sense, it is everything from your engineering work to your product security, application security work, your investigations, your incident response, your governance risk and compliance, privacy, and even physical security, and there are roles in there for everyone. And I think it's key to understand that security isn't just pen testing — a number of people who are early in their career say, 'I just want to be a pen tester.' Well, as someone who had to go through that for a year to realize that it wasn't for me, I’m trying to help people understand where they fit into that journey or what they might have aptitude for."

##

Episode Highlights

Why CISOs should reach out to their communities

"In that type of role, it really allows you to touch a variety of industries and mindsets, but in my experience, only about 20% of the CSOs that you interact with want to engage. [...] I would encourage CISOs to reach out to their communities and partner with people and especially when they are people that are not trying to sell you but are literally just there to try and help to take them up on it. It can't hurt. What do you have to lose?"

The ability to rethink things has changed

"As the cloud changed and networking changed, and other organizations moved to the cloud, some of these considerations that led to, 'Oh, we have to be on-prem,' have gone away. It's been really good to see regulators warming up to the cloud because that's always been a hindrance. Even CMS on the Medicare, Medicaid side has always been very anti-cloud and is now finally coming around. And that eliminates a lot of those hurdles, a lot of those intellectual gut reactions or fight-or-flight type of conversations around the cloud, and you can have a much more objective conversation around what is the best approach. And the feature sets are obviously a lot more complete and mature. So, the ability to rethink things is great from a cloud perspective."

Let's leave automation to the machines and let humans innovate

"There are things that machines do really well, and there are things that people do exceedingly well. People are great at things like pattern recognition, but they just have to be presented in the right way. And so, being able to let the machines do what they do well and automate those things, and then letting the humans be the creative entities that allow the business to innovate versus just doing busywork, or just working harder, is the real promise and what I'm really excited about."

Episode Summary

There's no universal rule for breaking into a new industry. And the same goes for starting a career in the information security field.

But one thing's for sure — if you let your passion guide you and you're willing to work hard, there's no limit to what you can accomplish.

In this episode of the Cloud Security Reinvented podcast, our host Andy Ellis welcomes Nick Selby, the Director, Software Assurance Practice at Trail of Bits. They talk about what it's like working in cloud security, why attention to detail is crucial, and how cloud technology is democratizing innovation.

##

Guest-at-a-Glance

💡 Name: Nick Selby

💡 What he does: He's the Director, Software Assurance Practice at Trail of Bits.

💡 Company: Trail of Bits

💡 Noteworthy: He is the author and co-author of several books, including "Cyber Crime: A Basic Primer" and "Cyber Survival Manual: From Identity Theft to The Digital Apocalypse and Everything in Between."

💡 Where to find Nick: LinkedIn

##

Key Insights

⚡ Let your passion be the guide in your career. Nick has had quite an exciting career path, from being the NYPD Intelligence Bureau's Director of Cyber Intelligence and Investigations to the Director of Software Assurance Practice at Trail of Bits. He says the key to success is to be willing to roll up your sleeves. "If you are willing to go in and do the hard work and get things moving, then you are usually able to do it. Because, often, it's something that either people don't understand or it makes them feel icky. Or they understand, and they just don't want to do it because they know that it's going to be a lot of work. If you're willing to do that and let your passion be the guide and not worry too much about, 'Well, where's my bonus coming from this year?' — If you're willing to just forego the sort of normal things that people are unwilling to forego in a career, then you really can forge a new way forward."

⚡ Attention to detail is critical in cloud security. Nick talks about what it's like working in cloud security and shares the most valuable lessons he learned along the way. He says that even when everything works well, you have to keep your head in the game at all times. "The biggest thing for me, I think, has been that even when you do everything right, attention to detail and questioning your assumptions at every stage become even more important. I fly airplanes. In most accidents while flying airplanes, there are a series of bad mistakes. It's never just one, but almost all of those mistakes come from people being fat, dumb, and happy, just thinking that everything is going along fine."

⚡ Cloud technology is democratizing innovation. Nick says the number one surprise in the cloud security field is the democratizing effect of the cloud on innovation. With more companies having access to the newest technological tools, bringing innovative ideas to life makes it much easier. "But this does come with a wicked and awesome responsibility that we just have to deal with. These things aren't free, and they aren't free from decision-making and responsibility and especially strategic architecture, because when you can do it that [easily], the temptation to take my very well-functioning prototype and turn it into a production application is almost overwhelming. You have to resist that overwhelming temptation."

##

Episode Highlights

The importance of constantly questioning yourself

"If you are not constantly correcting, questioning, looking around for your escape plan, and thinking about what could go wrong, you will get behind the airplane. You will get behind the technology. And once you're behind the technology, you're no longer a leader; you're just on for the ride. And I think the biggest lesson that I've learned is that this even affects the finest companies in the world. And I'm just thrilled that I get to see them."

We should get rid of passwords and embrace automation

"It's such low-hanging fruit. I know that in the Google SRE book, Carla Geisser said, 'Something has gone terribly wrong when an engineer has to touch a process because everything should be automated,' which, by the way, speaks to what we should be doing. We should be automating absolutely everything because if you're not automating it, you don't have control over it. If you cannot understand what you are building to the point that you can push it from start to finish in five minutes and have it up and running, pull it back if you need to, but get it out there. And if you're not understanding what it is that you're doing to the point that you can automate every step of that, then you don't understand you're behind your technology."

Why you should avoid making mistakes in the cloud

"A lot of the people who are making those decisions about scaling up operations are the same people who grew up in an on-prem space where the data center was in the basement. And those people, no matter what they do, still have this bias toward the way we used to do things. And that doesn't fly in the cloud world. And I've said before that when you make mistakes in the cloud, you are being stupid at cloud speed, and stupid at cloud speed is really fast. So configuration becomes absolutely essential."

Episode Summary

There's no universal rule for breaking into a new industry. And the same goes for starting a career in the information security field.

But one thing's for sure — if you let your passion guide you and you're willing to work hard, there's no limit to what you can accomplish.

In this episode of the Cloud Security Reinvented podcast, our host Andy Ellis welcomes Nick Selby, the Director, Software Assurance Practice at Trail of Bits. They talk about what it's like working in cloud security, why attention to detail is crucial, and how cloud technology is democratizing innovation.

##

Guest-at-a-Glance

💡 Name: Nick Selby

💡 What he does: He's the Director, Software Assurance Practice at Trail of Bits.

💡 Company: Trail of Bits

💡 Noteworthy: He is the author and co-author of several books, including "Cyber Crime: A Basic Primer" and "Cyber Survival Manual: From Identity Theft to The Digital Apocalypse and Everything in Between."

💡 Where to find Nick: LinkedIn

##

Key Insights

⚡ Let your passion be the guide in your career. Nick has had quite an exciting career path, from being the NYPD Intelligence Bureau's Director of Cyber Intelligence and Investigations to the Director of Software Assurance Practice at Trail of Bits. He says the key to success is to be willing to roll up your sleeves. "If you are willing to go in and do the hard work and get things moving, then you are usually able to do it. Because, often, it's something that either people don't understand or it makes them feel icky. Or they understand, and they just don't want to do it because they know that it's going to be a lot of work. If you're willing to do that and let your passion be the guide and not worry too much about, 'Well, where's my bonus coming from this year?' — If you're willing to just forego the sort of normal things that people are unwilling to forego in a career, then you really can forge a new way forward."

⚡ Attention to detail is critical in cloud security. Nick talks about what it's like working in cloud security and shares the most valuable lessons he learned along the way. He says that even when everything works well, you have to keep your head in the game at all times. "The biggest thing for me, I think, has been that even when you do everything right, attention to detail and questioning your assumptions at every stage become even more important. I fly airplanes. In most accidents while flying airplanes, there are a series of bad mistakes. It's never just one, but almost all of those mistakes come from people being fat, dumb, and happy, just thinking that everything is going along fine."

⚡ Cloud technology is democratizing innovation. Nick says the number one surprise in the cloud security field is the democratizing effect of the cloud on innovation. With more companies having access to the newest technological tools, bringing innovative ideas to life makes it much easier. "But this does come with a wicked and awesome responsibility that we just have to deal with. These things aren't free, and they aren't free from decision-making and responsibility and especially strategic architecture, because when you can do it that [easily], the temptation to take my very well-functioning prototype and turn it into a production application is almost overwhelming. You have to resist that overwhelming temptation."

##

Episode Highlights

The importance of constantly questioning yourself

"If you are not constantly correcting, questioning, looking around for your escape plan, and thinking about what could go wrong, you will get behind the airplane. You will get behind the technology. And once you're behind the technology, you're no longer a leader; you're just on for the ride. And I think the biggest lesson that I've learned is that this even affects the finest companies in the world. And I'm just thrilled that I get to see them."

We should get rid of passwords and embrace automation

"It's such low-hanging fruit. I know that in the Google SRE book, Carla Geisser said, 'Something has gone terribly wrong when an engineer has to touch a process because everything should be automated,' which, by the way, speaks to what we should be doing. We should be automating absolutely everything because if you're not automating it, you don't have control over it. If you cannot understand what you are building to the point that you can push it from start to finish in five minutes and have it up and running, pull it back if you need to, but get it out there. And if you're not understanding what it is that you're doing to the point that you can automate every step of that, then you don't understand you're behind your technology."

Why you should avoid making mistakes in the cloud

"A lot of the people who are making those decisions about scaling up operations are the same people who grew up in an on-prem space where the data center was in the basement. And those people, no matter what they do, still have this bias toward the way we used to do things. And that doesn't fly in the cloud world. And I've said before that when you make mistakes in the cloud, you are being stupid at cloud speed, and stupid at cloud speed is really fast. So configuration becomes absolutely essential."

Episode Summary

Over a long security career, not only do professionals grow and change, but the world they're operating within also changes. And talking about security, we are witnesses to the transition from local software to cloud security.

The cloud brought new trends in solving security problems. But certain practices from the pre-cloud era still resonate and are in use. At the same time, we still do some things that we should stop.

In this episode of Cloud Security Reinvented, Andy Ellis welcomes Renee Guttmann, a transformational leader in cybersecurity. Andy and Renee get into how building an on-premise model is blended with how the cloud could be leveraged, how security protocols have been modified for the cloud, and how the cloud has changed the approach to cybersecurity.

##

Guest-at-a-Glance

💡 Name: Renee Guttmann

💡 What she does: Chief Information Security/IT Executive.

💡 Company: Cydome Security

💡 Noteworthy: Renee has delivered world-class global information security programs for Coca-Cola, Time Warner, Royal Caribbean, Campbell, and Capital One, and helped establish the office of the CISO at Optiv. She advises startups on defining their products, services, and go-to-market strategies. On the community front, she partners with other CISOs on cybersecurity training and mentorship. She has been active as a Board Member and Advisor at a large children's mental health facility for almost a decade.

💡 Where to find Renee: LinkedIn | Website

##

Key Insights

⚡ The cloud has changed the mental model for security. Renee Guttmann started getting involved with the cloud in 2011 and worked with people looking at newer trends when the cloud was supposed to solve all security problems. According to her, people are multi-cloud today. "Your teams have to know a little about everything because they're all different. They all have different capabilities. [...] I find that now you're basically in multiple clouds. You've got several service providers; you might have somebody doing operations for you. And one of the things that I think is extremely difficult right now is figuring out who's on first."

⚡It is necessary to dump Change Control Boards. In transitioning from an on-premise world to cloud security, there are practices from before that we need to double down on and things that we should have buried a long time ago. As Renee notes, Change Control Boards must be dumped. "You go to a Change Control Board, you've got one purpose for being there, and that's to get your change approved. However, you can manage to get your change approved. [...] The other thing is, I don't think the dependencies are well understood. And so, I think we're overly reliant on something that is probably not relevant. Plus, I know the changes I'm making. I don't know the changes that my cloud providers are making. They're not coming to me and running their stuff through a Change Control Board. So, I just questioned the time and the value of that exercise, and that it needs a bit of a refresh. And then the other thing that I think has to be improved is if you touch it three times, you need to automate it and be done with it."

⚡ On-premise is still relevant in the cloud era. When we look at the cloud era and where we are today, experts could probably have predicted some things about it. But there are some things they did not hope for. For Renee, the biggest surprise from the cloud era is how much on-premise there is. "I don't know how many people are still running data centers; I would've thought that all of that would have already left the building. That's a little bit of a surprise to me that we're not further along. The other thing is resiliency. I think that we haven't done a good job with figuring out how to be more resilient."

##

Episode Highlights

The Exciting Career Journey of Renee Guttmann

"Before I became a research analyst at Gartner, I started a security program with a global healthcare company based out of London. And we were protecting clinical trial data and research material, and after that, I took the Gartner job.

[...] I left Gartner and became the security architect for building online statement platforms at Capital One and applying for credit cards online. And back when I did that, people didn't do it. So we were one of the very first companies to actually make it possible for people to go and look at their statements. After Capital One, I went to Time Inc. and Time Warner.

[...] And then I got recruited to Coke, built their program from scratch, and joined Royal Caribbean later. And my most recent opportunity was the Campbell Soup Company, where I was working specifically on manufacturing OT security."

What Cloud Security Looks Like Inside the Industry

"There [at Renee's last two positions] was a lot of OT, there was either manufacturing, but on a ship or in maritime in general. There are a lot of systems like satellite navigation that are really on the ship, and the way that you talk to them is through satellite. Your bandwidth is a little bit constrained because you're basically taking it away from the crew and the passengers, mainly the paying passengers. So it wasn't that easy to figure out how we were going to leverage the cloud in some of these environments. And to that point, I still think that building that on-premise model blended with how the cloud could still be leveraged. I don't think we're there yet, but I think that's an opportunity for people to really go in and address. The other problem is that these systems that I'm talking about are generally run by IT people. They're outside the span of IT. So you've got somebody that runs a manufacturing system, and they could be buying cameras from who knows where."

"The More Things Change, the More They Stay the Same"

"We still need to focus on privilege, administrative access, and protecting the keys to the kingdom. [...] We don't know what our footprint is, and we have to resurrect whatever we were doing better and get that kind of understanding of our current environments. And then the third thing is, I think that we had really good IR plans, and we got better at them, especially because of the accountability issues. So we need to up-level those procedures, do better training with more of our partners, and they need to be in the room."

Knowing the People Around You is Extremely Important

"You've got to start with who they are before they care about what you're doing and why you're there. [...] You don't want to be seen as the cop. You actually want to create a persona that people will feel comfortable coming to , and asking for help. And what I really need them to do is to tell me when the garbage cans are on fire before the building burns down.

[...] I don't think you can really be effective until A: you know the people, and B: the culture and everything else goes along with it. But you've got to know people, and you have got to put yourself out there in a way that people get comfortable with you, and they want to be in the same room as you."

Episode Summary

Over a long security career, not only do professionals grow and change, but the world they're operating within also changes. And talking about security, we are witnesses to the transition from local software to cloud security.

The cloud brought new trends in solving security problems. But certain practices from the pre-cloud era still resonate and are in use. At the same time, we still do some things that we should stop.

In this episode of Cloud Security Reinvented, Andy Ellis welcomes Renee Guttmann, a transformational leader in cybersecurity. Andy and Renee get into how building an on-premise model is blended with how the cloud could be leveraged, how security protocols have been modified for the cloud, and how the cloud has changed the approach to cybersecurity.

##

Guest-at-a-Glance

💡 Name: Renee Guttmann

💡 What she does: Chief Information Security/IT Executive.

💡 Company: Cydome Security

💡 Noteworthy: Renee has delivered world-class global information security programs for Coca-Cola, Time Warner, Royal Caribbean, Campbell, and Capital One, and helped establish the office of the CISO at Optiv. She advises startups on defining their products, services, and go-to-market strategies. On the community front, she partners with other CISOs on cybersecurity training and mentorship. She has been active as a Board Member and Advisor at a large children's mental health facility for almost a decade.

💡 Where to find Renee: LinkedIn | Website

##

Key Insights

⚡ The cloud has changed the mental model for security. Renee Guttmann started getting involved with the cloud in 2011 and worked with people looking at newer trends when the cloud was supposed to solve all security problems. According to her, people are multi-cloud today. "Your teams have to know a little about everything because they're all different. They all have different capabilities. [...] I find that now you're basically in multiple clouds. You've got several service providers; you might have somebody doing operations for you. And one of the things that I think is extremely difficult right now is figuring out who's on first."

⚡It is necessary to dump Change Control Boards. In transitioning from an on-premise world to cloud security, there are practices from before that we need to double down on and things that we should have buried a long time ago. As Renee notes, Change Control Boards must be dumped. "You go to a Change Control Board, you've got one purpose for being there, and that's to get your change approved. However, you can manage to get your change approved. [...] The other thing is, I don't think the dependencies are well understood. And so, I think we're overly reliant on something that is probably not relevant. Plus, I know the changes I'm making. I don't know the changes that my cloud providers are making. They're not coming to me and running their stuff through a Change Control Board. So, I just questioned the time and the value of that exercise, and that it needs a bit of a refresh. And then the other thing that I think has to be improved is if you touch it three times, you need to automate it and be done with it."

⚡ On-premise is still relevant in the cloud era. When we look at the cloud era and where we are today, experts could probably have predicted some things about it. But there are some things they did not hope for. For Renee, the biggest surprise from the cloud era is how much on-premise there is. "I don't know how many people are still running data centers; I would've thought that all of that would have already left the building. That's a little bit of a surprise to me that we're not further along. The other thing is resiliency. I think that we haven't done a good job with figuring out how to be more resilient."

##

Episode Highlights

The Exciting Career Journey of Renee Guttmann

"Before I became a research analyst at Gartner, I started a security program with a global healthcare company based out of London. And we were protecting clinical trial data and research material, and after that, I took the Gartner job.

[...] I left Gartner and became the security architect for building online statement platforms at Capital One and applying for credit cards online. And back when I did that, people didn't do it. So we were one of the very first companies to actually make it possible for people to go and look at their statements. After Capital One, I went to Time Inc. and Time Warner.

[...] And then I got recruited to Coke, built their program from scratch, and joined Royal Caribbean later. And my most recent opportunity was the Campbell Soup Company, where I was working specifically on manufacturing OT security."

What Cloud Security Looks Like Inside the Industry

"There [at Renee's last two positions] was a lot of OT, there was either manufacturing, but on a ship or in maritime in general. There are a lot of systems like satellite navigation that are really on the ship, and the way that you talk to them is through satellite. Your bandwidth is a little bit constrained because you're basically taking it away from the crew and the passengers, mainly the paying passengers. So it wasn't that easy to figure out how we were going to leverage the cloud in some of these environments. And to that point, I still think that building that on-premise model blended with how the cloud could still be leveraged. I don't think we're there yet, but I think that's an opportunity for people to really go in and address. The other problem is that these systems that I'm talking about are generally run by IT people. They're outside the span of IT. So you've got somebody that runs a manufacturing system, and they could be buying cameras from who knows where."

"The More Things Change, the More They Stay the Same"

"We still need to focus on privilege, administrative access, and protecting the keys to the kingdom. [...] We don't know what our footprint is, and we have to resurrect whatever we were doing better and get that kind of understanding of our current environments. And then the third thing is, I think that we had really good IR plans, and we got better at them, especially because of the accountability issues. So we need to up-level those procedures, do better training with more of our partners, and they need to be in the room."

Knowing the People Around You is Extremely Important

"You've got to start with who they are before they care about what you're doing and why you're there. [...] You don't want to be seen as the cop. You actually want to create a persona that people will feel comfortable coming to , and asking for help. And what I really need them to do is to tell me when the garbage cans are on fire before the building burns down.

[...] I don't think you can really be effective until A: you know the people, and B: the culture and everything else goes along with it. But you've got to know people, and you have got to put yourself out there in a way that people get comfortable with you, and they want to be in the same room as you."

Episode Summary

Implementing an effective security program has become a necessity over the past decade. And without a doubt, all businesses need to level up their security game to mitigate risks and protect their information.

But small- and mid-market companies are somehow left behind when it comes to security guidance and realistic capabilities.

In this episode of the Cloud Security Reinvented podcast, our host Andy Ellis introduces Brian Haugli, the Managing Partner at SideChannel. They talk about the increasing demand for cybersecurity for all organizations, why the black-and-white view won't get us far in security, and the future of technology.

##

Guest-at-a-Glance

💡 Name: Brian Haugli

💡 What he does: He's the Managing Partner at SideChannel.

💡 Company: SideChannel

💡 Noteworthy: Brain is the co-author of "Cybersecurity Risk Management: Mastering the Fundamentals Using the NIST Cybersecurity Framework."

💡 Where to find Brian: LinkedIn

##

Key Insights

⚡ There's an increasing need for security programs in the middle market. We often forget about small businesses and mid-market companies when discussing cybersecurity, risk management, and privacy. But Brian believes that all organizations deserve to have adequate security programs and that these programs are equally as important as other business segments. He explains, "There are a lot of companies — hundreds of thousands of companies — outside the Fortune 2000, and most, if not all of them, require some diligence on what their security program looks like. And the question is, 'Who's going to lead that? Who can lead that? And can they afford it?' The market is actually very hot when it comes to this space. We've grown tremendously over the last two-plus years, and it's an area that people are genuinely looking at. It's not just because of what's in the news but also because people are realizing, 'Hey, we should be doing our own diligence and security practices the same way we put wrappers and guidelines and posts around financials and sales and marketing.'"

⚡ Even when you move to the cloud, you still have responsibilities as the owner. Contrary to what many organizations think, you still have responsibilities even after you move to the cloud. Brian says this is one of the most common misconceptions in the field. "People are just thinking, 'Oh, all of this is done by the cloud or the provider or the SaaS platform.' And that's just not true. It seems to happen across just about every sector we touch. And again, especially with the middle market, which is traditionally both underserved and doesn’t have the expertise — it's an area where they're a bit naive about who's responsible for what."

⚡ We need to forget about the black-and-white mindset because it's not helping anyone. If you want to make progress in your organization regarding security, you need to let go of the "gotcha" mentality, as Brian calls it. "Black-and-white" thinking won't get you far. "Honestly, as security practitioners and as an industry, we really need to not just bury, but we need to completely kill this 'gotcha' mentality that stems out of old-school audit thinking or GRC analyst policy wonks or whoever's managing a system where their entire thing is, 'Well, I need these things managed. And if it's not exactly as this says, you don't get credit.' We need to move to risk management, where there is gray. There is the ability to accept risk as long as it's appropriate, but this pure black-and-white view and this 'gotcha' mentality that exists within security professionals — we just need to get rid of that. It's not helping anyone at all."

##

Episode Highlights

You need to test what you're training on in security training.

"I've always truly believed that you have to test what you're training on; it's like school. You study material, you then take a test. Are people actually understanding the material? Great. Move on to the next thing. We need to do that with security training as well. Maybe phishing tests are not part of that, but something else, maybe it's surveys. Maybe it's just more granular testing, not ‘gotchas.’ So, I don't know if we need to bury the whole thing, but we need to bury the aspects of this that don't seem to be really working but still seem to be getting much more play."

Learn what is going on within policy.

"That was the biggest change for me going from a real technical guy to somebody who could actually shape an information security program as a whole. So, the advice really is that even if you're a SOC analyst, even if you are a pen tester or you're in a hunt team or whatever, learn what is going on within policy because it'll help you a lot more than [others]. Conversely, if you've always been an auditor or a policy person, really try to understand what the actual technical components of those policies mean to the folks who are reading them, using them, and have to abide by them."

Ease of use is the future of technology.

"These seem like simple things, but you know how people interact with apps and everything. That is how people are operating and interacting with technology. We need to move those types of technologies to look and feel like that because that's what people are comfortable with, and the more people are comfortable with it, the less they're questioning the technicalities. So it's just ease of use."

Episode Summary

Implementing an effective security program has become a necessity over the past decade. And without a doubt, all businesses need to level up their security game to mitigate risks and protect their information.

But small- and mid-market companies are somehow left behind when it comes to security guidance and realistic capabilities.

In this episode of the Cloud Security Reinvented podcast, our host Andy Ellis introduces Brian Haugli, the Managing Partner at SideChannel. They talk about the increasing demand for cybersecurity for all organizations, why the black-and-white view won't get us far in security, and the future of technology.

##

Guest-at-a-Glance

💡 Name: Brian Haugli

💡 What he does: He's the Managing Partner at SideChannel.

💡 Company: SideChannel

💡 Noteworthy: Brian is the co-author of "Cybersecurity Risk Management: Mastering the Fundamentals Using the NIST Cybersecurity Framework."

💡 Where to find Brian: LinkedIn

##

Key Insights

⚡ There's an increasing need for security programs in the middle market. We often forget about small businesses and mid-market companies when discussing cybersecurity, risk management, and privacy. But Brian believes that all organizations deserve to have adequate security programs and that these programs are equally as important as other business segments. He explains, "There are a lot of companies — hundreds of thousands of companies — outside the Fortune 2000, and most, if not all of them, require some diligence on what their security program looks like. And the question is, 'Who's going to lead that? Who can lead that? And can they afford it?' The market is actually very hot when it comes to this space. We've grown tremendously over the last two-plus years, and it's an area that people are genuinely looking at. It's not just because of what's in the news but also because people are realizing, 'Hey, we should be doing our own diligence and security practices the same way we put wrappers and guidelines and posts around financials and sales and marketing.'"

⚡ Even when you move to the cloud, you still have responsibilities as the owner. Contrary to what many organizations think, you still have responsibilities even after you move to the cloud. Brian says this is one of the most common misconceptions in the field. "People are just thinking, 'Oh, all of this is done by the cloud or the provider or the SaaS platform.' And that's just not true. It seems to happen across just about every sector we touch. And again, especially with the middle market, which is traditionally both underserved and doesn’t have the expertise — it's an area where they're a bit naive about who's responsible for what."

⚡ We need to forget about the black-and-white mindset because it's not helping anyone. If you want to make progress in your organization regarding security, you need to let go of the "gotcha" mentality, as Brian calls it. "Black-and-white" thinking won't get you far. "Honestly, as security practitioners and as an industry, we really need to not just bury, but we need to completely kill this 'gotcha' mentality that stems out of old-school audit thinking or GRC analyst policy wonks or whoever's managing a system where their entire thing is, 'Well, I need these things managed. And if it's not exactly as this says, you don't get credit.' We need to move to risk management, where there is gray. There is the ability to accept risk as long as it's appropriate, but this pure black-and-white view and this 'gotcha' mentality that exists within security professionals — we just need to get rid of that. It's not helping anyone at all."

##

Episode Highlights

You need to test what you're training on in security training.

"I've always truly believed that you have to test what you're training on; it's like school. You study material, you then take a test. Are people actually understanding the material? Great. Move on to the next thing. We need to do that with security training as well. Maybe phishing tests are not part of that, but something else, maybe it's surveys. Maybe it's just more granular testing, not ‘gotchas.’ So, I don't know if we need to bury the whole thing, but we need to bury the aspects of this that don't seem to be really working but still seem to be getting much more play."

Learn what is going on within policy.

"That was the biggest change for me going from a real technical guy to somebody who could actually shape an information security program as a whole. So, the advice really is that even if you're a SOC analyst, even if you are a pen tester or you're in a hunt team or whatever, learn what is going on within policy because it'll help you a lot more than [others]. Conversely, if you've always been an auditor or a policy person, really try to understand what the actual technical components of those policies mean to the folks who are reading them, using them, and have to abide by them."

Ease of use is the future of technology.

"These seem like simple things, but you know how people interact with apps and everything. That is how people are operating and interacting with technology. We need to move those types of technologies to look and feel like that because that's what people are comfortable with, and the more people are comfortable with it, the less they're questioning the technicalities. So it's just ease of use."

Episode Summary

The cloud is the future for a reason. Besides its massive impact on security and more convenient file storage options, the cloud has fostered the creation of an environment where you can have all the information in the palm of your hand. And speaking of the cloud and technology, the best is yet to come.

However, its ability to deliver tons of information to users worldwide is a double-edged sword. The cloud has a blend of both true and false information, which makes you doubt the credibility of any source you read, whether it's Wikipedia or a random webpage.

In the new episode of Cloud Security Reinvented, Andy Ellis chats with Morey Haber, the Chief Security Officer at BeyondTrust. They get into the significance of the cloud compared to on-premise solutions, the most significant tech opportunities in the future, and the security loopholes that should have been eliminated a long time ago.

##

Guest-at-a-Glance

💡 Name: Morey Haber

💡 What he does: Morey is the Chief Security Officer at BeyondTrust.

💡 Company: BeyondTrust

💡 Noteworthy: Besides his role as a CSO, Morey is also a prolific writer. So far, he's published three books — Identity Attack Vectors, Privileged Attack Vectors, and Asset Attack Vectors.

💡 Where to find Morey: LinkedIn

##

Key Insights

⚡ Reliability is the core of the business. For Morey, reliability represents one of the most significant aspects of how he does business. "My parents had a jewelry store in Brooklyn, New York, and its name was Haber's Reliable Jewelry. The word 'reliable' was in the name, and reliability is a personal trait that I hold dear today. I believe in being reliable all the way through. The fact that my career started as a reliability engineer, and I ended up as a CSO, I still hold that word very dear."

⚡ You don't need agents to do things in the cloud. Morey believes that the cloud is superior to on-premise solutions in many ways, which is why he prefers it when doing his business. "I did not want traditional scanning technologies and agent technologies to do it. I wanted a modern approach to getting there, and that's how I've seen the evolution of the cloud. Because you don't need agents in the cloud to do the things that you used to have to do on-premise."

⚡The power of the cloud lies in the information it brings. According to Morey, one of the most significant advantages of the cloud is its ability to bring a ton of information to the user and allow them to access it at any time. However, it has its disadvantages as well. "What the power of the cloud has brought to me is that information, regardless of my job, my role, my location, my vacation, etc. I would never have thought that the cloud could bring so many different types of information together to you in a mobile fashion. And I think the key to protecting all that information is to make sure it's accurate. Fake news has been one of the biggest challenges of the cloud."

##

Episode Highlights

The Cloud Has Brought More Security

"Why would you put your data in someone else's data center that potentially could leak to a hacker that knows how to breach your environment? That lasted for a little while, and then we realized it's safe enough to do that. Then we started storing PII, etc. And in the privileged world, why would you store your passwords in the cloud? If that got leaked, it would be game over. But we've got the security good enough, so it's not a concern to do things like that. As the cloud has matured, the security of the cloud has matured. People are willing to put more PII and sensitive information there and operate their businesses."

Morey Haber: One Baseball Cap, Two Essential Roles

"It's a baseball cap. One direction on the CSO is that I'm overseeing internal resources and cloud resources. Flip my baseball cap around, and I'm the vendor. I use my own products. We use every product we make internally. But I am still a CSO, and I have the same challenges with patching, vulnerability management, ransomware and digital transformation and cyber insurance that everybody else does.

So, I try very hard to make sure that people know which hat I'm wearing. And when I am excluded from going to a conference or something because I'm a vendor, I let them know that they're not going to hear me talk about my products. I'm just trying to solve the same problems, and that doesn't always come across the way I would hope. [...] As a vendor, I have to protect what I'm selling. Let me wear my CSO hat, and I promise that I will not talk about my products unless someone specifically asks me to."

The Transition from the Pre-Cloud World

"What most resonate today are the two primary attack vectors — vulnerability and exploits and privileged accounts. It doesn't matter where the software is running; you still have to be able to identify a mistake, flaw, or vulnerability, if it is exploitable, and how you are going to correct it. Secondly, any type of privileges that can allow authentication — how are those being managed, governed, and monitored are the biggest disciplines. On the other hand, the one that I wish would go away is patch management. Vendors that have solutions where you have to use third parties to deploy patches drive me nuts. Every solution that's out there, either cloud or on-premise, should be able to auto-update itself. [...] Almost all infiltration happens because an account was compromised or something wasn't patched. Why can't vendors just patch themselves?"

The Cloud Does Bring Information. But Google Tree Octopus and John Titor

"Fake news has been one of the biggest challenges of the cloud. [...] I use two examples. One is the Tree Octopus. If you've never heard of it, google it. Google John Titor. It is a rat hole. You will go on for endless hours. That's where the cloud becomes a problem. [...] It's lore. There's no better way to state it. But if anybody wants to go down a rat hole, just google it, and you'll understand. That's the negative side of the cloud — conspiracy theories, problems, and bad information that shouldn't be there in the first place.

Unfortunately, it's just a part of the day and age that we live in, where a single statement can become fact and is supported by the internet with all that data in the cloud. You have to trust yourself to state whether that's true or not."

A Piece of Advice: Listen and Shut Up

"Listen, or just shut up. You're in a conversation to process information and formulate an opinion, but your opinion right up front is not necessarily the right answer. It is so important to be able to not talk but listen and not respond, just so you can respond.

Your voice is very important in a security aspect, but your answers have got to be reliable. They've got to be accurate. They've got to be to the point. [...] Try to speak about once every 15 to 20 minutes in a large room setting because people are more apt to listen to you when you talk less frequently with concise answers and affirm opinions."

Words of Wisdom for Future Authors

"If you have all of these ideas built in your head, start with a basic outline, something that you learned in high school. Take an outline and start writing it out. Take each bullet and break it out even further. Then start writing sentences for each bullet. Sooner or later, you're going to have 30, 40, 50, 100 pages, and you've written a book. Break it down into manageable chunks, and I think anybody could be an author."

Episode Summary

The cloud is the future for a reason. Besides its massive impact on security and more convenient file storage options, the cloud has fostered the creation of an environment where you can have all the information in the palm of your hand. And speaking of the cloud and technology, the best is yet to come.

However, its ability to deliver tons of information to users worldwide is a double-edged sword. The cloud has a blend of both true and false information, which makes you doubt the credibility of any source you read, whether it's Wikipedia or a random webpage.

In the new episode of Cloud Security Reinvented, Andy Ellis chats with Morey Haber, the Chief Security Officer at BeyondTrust. They get into the significance of the cloud compared to on-premise solutions, the most significant tech opportunities in the future, and the security loopholes that should have been eliminated a long time ago.

##

Guest-at-a-Glance

💡 Name: Morey Haber

💡 What he does: Morey is the Chief Security Officer at BeyondTrust.

💡 Company: BeyondTrust

💡 Noteworthy: Besides his role as a CSO, Morey is also a prolific writer. So far, he's published three books — Identity Attack Vectors, Privileged Attack Vectors, and Asset Attack Vectors.

💡 Where to find Morey: LinkedIn

##

Key Insights

⚡ Reliability is the core of the business. For Morey, reliability represents one of the most significant aspects of how he does business. "My parents had a jewelry store in Brooklyn, New York, and its name was Haber's Reliable Jewelry. The word 'reliable' was in the name, and reliability is a personal trait that I hold dear today. I believe in being reliable all the way through. The fact that my career started as a reliability engineer, and I ended up as a CSO, I still hold that word very dear."

⚡ You don't need agents to do things in the cloud. Morey believes that the cloud is superior to on-premise solutions in many ways, which is why he prefers it when doing his business. "I did not want traditional scanning technologies and agent technologies to do it. I wanted a modern approach to getting there, and that's how I've seen the evolution of the cloud. Because you don't need agents in the cloud to do the things that you used to have to do on-premise."

⚡The power of the cloud lies in the information it brings. According to Morey, one of the most significant advantages of the cloud is its ability to bring a ton of information to the user and allow them to access it at any time. However, it has its disadvantages as well. "What the power of the cloud has brought to me is that information, regardless of my job, my role, my location, my vacation, etc. I would never have thought that the cloud could bring so many different types of information together to you in a mobile fashion. And I think the key to protecting all that information is to make sure it's accurate. Fake news has been one of the biggest challenges of the cloud."

##

Episode Highlights

The Cloud Has Brought More Security

"Why would you put your data in someone else's data center that potentially could leak to a hacker that knows how to breach your environment? That lasted for a little while, and then we realized it's safe enough to do that. Then we started storing PII, etc. And in the privileged world, why would you store your passwords in the cloud? If that got leaked, it would be game over. But we've got the security good enough, so it's not a concern to do things like that. As the cloud has matured, the security of the cloud has matured. People are willing to put more PII and sensitive information there and operate their businesses."

Morey Haber: One Baseball Cap, Two Essential Roles

"It's a baseball cap. One direction on the CSO is that I'm overseeing internal resources and cloud resources. Flip my baseball cap around, and I'm the vendor. I use my own products. We use every product we make internally. But I am still a CSO, and I have the same challenges with patching, vulnerability management, ransomware and digital transformation and cyber insurance that everybody else does.

So, I try very hard to make sure that people know which hat I'm wearing. And when I am excluded from going to a conference or something because I'm a vendor, I let them know that they're not going to hear me talk about my products. I'm just trying to solve the same problems, and that doesn't always come across the way I would hope. [...] As a vendor, I have to protect what I'm selling. Let me wear my CSO hat, and I promise that I will not talk about my products unless someone specifically asks me to."

The Transition from the Pre-Cloud World

"What most resonate today are the two primary attack vectors — vulnerability and exploits and privileged accounts. It doesn't matter where the software is running; you still have to be able to identify a mistake, flaw, or vulnerability, if it is exploitable, and how you are going to correct it. Secondly, any type of privileges that can allow authentication — how are those being managed, governed, and monitored are the biggest disciplines. On the other hand, the one that I wish would go away is patch management. Vendors that have solutions where you have to use third parties to deploy patches drive me nuts. Every solution that's out there, either cloud or on-premise, should be able to auto-update itself. [...] Almost all infiltration happens because an account was compromised or something wasn't patched. Why can't vendors just patch themselves?"

The Cloud Does Bring Information. But Google Tree Octopus and John Titor

"Fake news has been one of the biggest challenges of the cloud. [...] I use two examples. One is the Tree Octopus. If you've never heard of it, google it. Google John Titor. It is a rat hole. You will go on for endless hours. That's where the cloud becomes a problem. [...] It's lore. There's no better way to state it. But if anybody wants to go down a rat hole, just google it, and you'll understand. That's the negative side of the cloud — conspiracy theories, problems, and bad information that shouldn't be there in the first place.

Unfortunately, it's just a part of the day and age that we live in, where a single statement can become fact and is supported by the internet with all that data in the cloud. You have to trust yourself to state whether that's true or not."

A Piece of Advice: Listen and Shut Up

"Listen, or just shut up. You're in a conversation to process information and formulate an opinion, but your opinion right up front is not necessarily the right answer. It is so important to be able to not talk but listen and not respond, just so you can respond.

Your voice is very important in a security aspect, but your answers have got to be reliable. They've got to be accurate. They've got to be to the point. [...] Try to speak about once every 15 to 20 minutes in a large room setting because people are more apt to listen to you when you talk less frequently with concise answers and affirm opinions."

Words of Wisdom for Future Authors

"If you have all of these ideas built in your head, start with a basic outline, something that you learned in high school. Take an outline and start writing it out. Take each bullet and break it out even further. Then start writing sentences for each bullet. Sooner or later, you're going to have 30, 40, 50, 100 pages, and you've written a book. Break it down into manageable chunks, and I think anybody could be an author."

Episode Summary

Cloud-based solutions are the future of technological advancement. The cloud has gone through various phases, and these changes have made it one of the most potent inventions of today.

Thanks to a broad range of cloud-based tools, even founders without a development background can start a company and release a product. But that's not the only advantage of the cloud. Technological development, alongside the cloud, could significantly reduce one of the most critical issues faced by the world — poverty.

In this episode of Cloud Security Reinvented, Andy Ellis welcomes Ryan Gurney, the CISO-in-Residence at YL Ventures. They have an interesting chat about the cloud, its benefits, the exhausting role of the CISOs, and the tech practices that no longer work.

Guest-at-a-Glance

💡 Name: Ryan Gurney

💡 What he does: Ryan is the CISO-in-Residence at YL Ventures.

💡 Company: YL Ventures

💡 Noteworthy: Before joining YL Ventures, Ryan held security leadership positions at Looker, Google, eBay, and Zendesk.

💡 Where to find Ryan: LinkedIn

##

Key Insights

⚡ Your cloud provider’s weaknesses can become your problem. Since the cloud has become more prevalent, many companies have switched to it. However, Ryan believes that users must be careful when choosing their third-party cloud provider since their weaknesses may become the user's problem. "I've seen us go from attempts to keep all the data inside the borders of the company to utilizing private clouds, public clouds, and the explosion of right third-party SaaS apps and mobile apps. [...] It means that there are more environments where customer company data is being housed. Accessing that and understanding your assets is supercritical."

⚡ Security training needs to be short and to the point. According to Ryan, long-winded security training for employees is highly ineffective. Instead, it should be more precise and company-centered. "Security training needs to be short, to the point, frequent, contextual, and specific to the company and its culture. And that includes how you sign up for SaaS applications and how you manage your cloud environment. You should discuss only the areas that are important to the security company, security in their culture, and give people tips on how they can do things in their personal lives and help their family and friends. So, the old stuff around these long-winded four-hour-long training needs to go away."

⚡ I'm excited about technology being able to reduce poverty. Ryan strongly believes that we can do a lot with technology, including solving the world's most critical issues. "I'm excited about technology being able to reduce poverty and bring conveniences to people around the world. We've seen examples of it — easier access to water, bringing the Internet to everyone, and helping with sanitization. These are massive gaps in people's living conditions around the world."

##

Episode Highlights

Ryan Gurney's Career Path as a CISO in a Nutshell

"Currently, I'm the CISO-in-Residence at YL Ventures, a position that has been held by two predecessors. Prior to my current role, I held security leadership positions at Google, Looker, Zendesk, and eBay. So, I spent a lot of time in the cloud. Today, my role is really interesting. I'm not as much an operational CISO as a strict, strategic person who's helping founders and portfolios figure out their product and security story.

[...]

My industry is now investing in helping founders understand the security landscape horizontally and not just vertically. As I'm a CISO-in-Residence, it's a little bit of a broader picture, but speaking about ideation, founders need to consider the completeness of what they're doing. It's not good enough to say, 'Hey, we cover AWS.' They need to cover all the major public clouds and ideally the hybrid clouds, as well. That is where the world is."

Basic Practices Always Matter in Security

"What [security practices] should we have kept? Well, I think the basics still matter. Whether you're in a cloud environment, in the private cloud, or an on-premise deployment, being able to establish policies, identify vulnerabilities, and patch still matter, and they're always going to matter. And in some cases, with our cloud providers, we have to hold them accountable and work closely with them to do those things."

Technology Gives Us a Lot of Opportunities to Make the World a Better Place

"I think we have opportunities to do a lot with technology. We've seen examples of it for easier access to water, bringing the internet to everyone, and helping with sanitization. These are massive gaps in people's living conditions around the world. I'm interested in the security space specifically. I'm fascinated about abstraction at the cloud layer around security controls, how we can make things quicker and easier for the CISO and bang them over the head about things that need their attention, especially when we consider the challenges we have with hiring security professionals today."

Quick Takeaway: Security is Non-Binary

"CISO is a tough career, and there are a couple of things I've learned that I like to pass on. One of them is that security is non-binary. I would often have CEOs come to me in passing, and they would say, 'Hey, are we secure?' Perhaps that was just small talk, but I took it seriously. I feel an effective CISO should be able to say, 'Hey, listen, I'm aware of our key assets. I know how they're protected, and I know our key risks. We actively monitor it, and we're managing it.'

The term CISO is a bit of a misnomer. Perhaps Chief Cyber Risk Officer would be the better term. Secondly, it's important that CISOs understand their strengths and weaknesses, surround themselves with the right team, and empower others in the organization to take security responsibly and seriously for themselves. They need to be transparent, approachable, and business-focused. You need to demonstrate empathy for others because if you're coming to them, you're likely asking them to do something. So, you've got to be able to demonstrate that empathy."

Episode Summary

Cloud-based solutions are the future of technological advancement. The cloud has gone through various phases, and these changes have made it one of the most potent inventions of today.

Thanks to a broad range of cloud-based tools, even founders without a development background can start a company and release a product. But that's not the only advantage of the cloud. Technological development, alongside the cloud, could significantly reduce one of the most critical issues faced by the world — poverty.

In this episode of Cloud Security Reinvented, Andy Ellis welcomes Ryan Gurney, the CISO-in-Residence at YL Ventures. They have an interesting chat about the cloud, its benefits, the exhausting role of the CISOs, and the tech practices that no longer work.

Guest-at-a-Glance

💡 Name: Ryan Gurney

💡 What he does: Ryan is the CISO-in-Residence at YL Ventures.

💡 Company: YL Ventures

💡 Noteworthy: Before joining YL Ventures, Ryan held security leadership positions at Looker, Google, eBay, and Zendesk.

💡 Where to find Ryan: LinkedIn

##

Key Insights

⚡ Your cloud provider’s weaknesses can become your problem. Since the cloud has become more prevalent, many companies have switched to it. However, Ryan believes that users must be careful when choosing their third-party cloud provider since their weaknesses may become the user's problem. "I've seen us go from attempts to keep all the data inside the borders of the company to utilizing private clouds, public clouds, and the explosion of right third-party SaaS apps and mobile apps. [...] It means that there are more environments where customer company data is being housed. Accessing that and understanding your assets is supercritical."

⚡ Security training needs to be short and to the point. According to Ryan, long-winded security training for employees is highly ineffective. Instead, it should be more precise and company-centered. "Security training needs to be short, to the point, frequent, contextual, and specific to the company and its culture. And that includes how you sign up for SaaS applications and how you manage your cloud environment. You should discuss only the areas that are important to the security company, security in their culture, and give people tips on how they can do things in their personal lives and help their family and friends. So, the old stuff around these long-winded four-hour-long training needs to go away."

⚡ I'm excited about technology being able to reduce poverty. Ryan strongly believes that we can do a lot with technology, including solving the world's most critical issues. "I'm excited about technology being able to reduce poverty and bring conveniences to people around the world. We've seen examples of it — easier access to water, bringing the Internet to everyone, and helping with sanitization. These are massive gaps in people's living conditions around the world."

##

Episode Highlights

Ryan Gurney's Career Path as a CISO in a Nutshell

"Currently, I'm the CISO-in-Residence at YL Ventures, a position that has been held by two predecessors. Prior to my current role, I held security leadership positions at Google, Looker, Zendesk, and eBay. So, I spent a lot of time in the cloud. Today, my role is really interesting. I'm not as much an operational CISO as a strict, strategic person who's helping founders and portfolios figure out their product and security story.

[...]

My industry is now investing in helping founders understand the security landscape horizontally and not just vertically. As I'm a CISO-in-Residence, it's a little bit of a broader picture, but speaking about ideation, founders need to consider the completeness of what they're doing. It's not good enough to say, 'Hey, we cover AWS.' They need to cover all the major public clouds and ideally the hybrid clouds, as well. That is where the world is."

Basic Practices Always Matter in Security

"What [security practices] should we have kept? Well, I think the basics still matter. Whether you're in a cloud environment, in the private cloud, or an on-premise deployment, being able to establish policies, identify vulnerabilities, and patch still matter, and they're always going to matter. And in some cases, with our cloud providers, we have to hold them accountable and work closely with them to do those things."

Technology Gives Us a Lot of Opportunities to Make the World a Better Place

"I think we have opportunities to do a lot with technology. We've seen examples of it for easier access to water, bringing the internet to everyone, and helping with sanitization. These are massive gaps in people's living conditions around the world. I'm interested in the security space specifically. I'm fascinated about abstraction at the cloud layer around security controls, how we can make things quicker and easier for the CISO and bang them over the head about things that need their attention, especially when we consider the challenges we have with hiring security professionals today."

Quick Takeaway: Security is Non-Binary

"CISO is a tough career, and there are a couple of things I've learned that I like to pass on. One of them is that security is non-binary. I would often have CEOs come to me in passing, and they would say, 'Hey, are we secure?' Perhaps that was just small talk, but I took it seriously. I feel an effective CISO should be able to say, 'Hey, listen, I'm aware of our key assets. I know how they're protected, and I know our key risks. We actively monitor it, and we're managing it.'

The term CISO is a bit of a misnomer. Perhaps Chief Cyber Risk Officer would be the better term. Secondly, it's important that CISOs understand their strengths and weaknesses, surround themselves with the right team, and empower others in the organization to take security responsibly and seriously for themselves. They need to be transparent, approachable, and business-focused. You need to demonstrate empathy for others because if you're coming to them, you're likely asking them to do something. So, you've got to be able to demonstrate that empathy."

Episode Summary

The information security field is changing as fast as the rest of the world, and it’s safe to assume that it will grow rapidly in the years to come.

If we look at the last decade, and particularly after the emergence of the cloud, we can't help but notice how much the security field has evolved.

In this episode of the Cloud Security Reinvented podcast, our host Andy Ellis welcomes Dan Walsh, the Chief Information Security Officer at VillageMD. They get into the best and worst practices in information security, the importance of building trust, and share their predictions for the future.

##

Guest-at-a-Glance

💡 Name: Dan Walsh

💡 What he does: He's the Chief Information Security Officer at VillageMD.

💡 Company: VillageMD

💡 Noteworthy: Dan used to work at Vanguard in business operations, but then he made both a career and industry transition and moved into information security at UnitedHealth Group.

💡 Where to find Dan: LinkedIn| Twitter

##

Key Insights

⚡ Bring good security people on to your team to improve your capabilities. Dan talks about his career transition from business operations to security. "I was always very passionate about making sure that the applications we developed were secure, which caught the attention of our security team, and then, I transitioned into working on the security team at UnitedHealth Group, which kicked off my security career."

He shares his point of view on pulling good security people into your team. Rather than pushing security people inside the organization, we should think about bringing people in to improve our capabilities. "If I can find an engineering team that scans their source code for open source vulnerabilities and that makes sure that their cloud infrastructure access and vulnerabilities are managed very well, I'm going to pull those people into my [team]; I want them."

⚡ The healthcare industry has come a long way with its security investments, but there's still room to grow and improve. We often look at healthcare as a slow adopter regarding the newest developments in information security. Having spent some time in healthcare, Dan gets our hopes up that the field is open to improvements. "I would also say that healthcare has been a bit of a low or slow adopter to the cloud as compared to some of the other industries, but I do think that because of the focus on rising costs and trying to keep them down, it's inevitable, and it is happening. In my opinion — not scientifically — we're easily over halfway there. I would say that in order to run a large health care company at scale, these days, you have to start in the cloud. You can't start on-premise. Just financially, that doesn't make any sense."

⚡ Security is all about trust. You have to build relationships with people. They have to trust you, so be excellent but also trustworthy.

"A lot of people complained, 'How do I get into security? They just hired their friend, and I really wish they would have hired me, because I think I might be more qualified.' And I think what people miss is that trust. You don't trust in them. And since we're in the business of trust, that's why it might sometimes feel like it's a club when, in reality, it's not."

##

Episode Highlights

As we move into the cloud, we shouldn't forget about access control and asset inventory

"For me, access control and asset inventory are the top two. I know that, obviously, vulnerability management is important as well. In my experience, I've seen more problems with cloud incidents, with knowing what is in my cloud infrastructure and knowing who has access to it than because something wasn't patched in the cloud."

What long-time security practice should we have gotten rid of by now?

"One thing that we still see pop up from companies in the healthcare system is, 'We want the right to inspect or the right to be notified when you're moving to the cloud infrastructure.' Well, it's like, 'You're not going to inspect GCP’s or Azure AWS’s server building, wherever that's located.' I also don't think that it's really necessary to notify them when they're making a change like that. Because I just don't know what value that adds other than creating overhead for the team. So that's definitely one, even if it's a very specific one."

The importance of trust in the security field

"Cecelia, my first manager at UnitedHealth Group, taught me how to be direct, how to get to the brass tacks and the bottom line. I remember when I first started with her, she would say, 'You have to have coins in the bank with me,' meaning, 'You have to earn my trust.' And so that was a huge lesson — to build trust with people. Because that's what security is all about. […]

It's important to build relationships prior to there being a problem. The one thing that I've just done as good practice, which has benefited me tremendously and that I would advise people to do is, 'You don't have to be the expert in the domain that you're managing, but I would say that you need to get more than an inch deep in it in order to make sure you hire the right person for it.'"

Episode Summary

The information security field is changing as fast as the rest of the world, and it’s safe to assume that it will grow rapidly in the years to come.

If we look at the last decade, and particularly after the emergence of the cloud, we can't help but notice how much the security field has evolved.

In this episode of the Cloud Security Reinvented podcast, our host Andy Ellis welcomes Dan Walsh, the Chief Information Security Officer at VillageMD. They get into the best and worst practices in information security, the importance of building trust, and share their predictions for the future.

##

Guest-at-a-Glance

💡 Name: Dan Walsh

💡 What he does: He's the Chief Information Security Officer at VillageMD.

💡 Company: VillageMD

💡 Noteworthy: Dan used to work at Vanguard in business operations, but then he made both a career and industry transition and moved into information security at UnitedHealth Group.

💡 Where to find Dan: LinkedIn| Twitter

##

Key Insights

⚡ Bring good security people on to your team to improve your capabilities. Dan talks about his career transition from business operations to security. "I was always very passionate about making sure that the applications we developed were secure, which caught the attention of our security team, and then, I transitioned into working on the security team at UnitedHealth Group, which kicked off my security career."

He shares his point of view on pulling good security people into your team. Rather than pushing security people inside the organization, we should think about bringing people in to improve our capabilities. "If I can find an engineering team that scans their source code for open source vulnerabilities and that makes sure that their cloud infrastructure access and vulnerabilities are managed very well, I'm going to pull those people into my [team]; I want them."

⚡ The healthcare industry has come a long way with its security investments, but there's still room to grow and improve. We often look at healthcare as a slow adopter regarding the newest developments in information security. Having spent some time in healthcare, Dan gets our hopes up that the field is open to improvements. "I would also say that healthcare has been a bit of a low or slow adopter to the cloud as compared to some of the other industries, but I do think that because of the focus on rising costs and trying to keep them down, it's inevitable, and it is happening. In my opinion — not scientifically — we're easily over halfway there. I would say that in order to run a large health care company at scale, these days, you have to start in the cloud. You can't start on-premise. Just financially, that doesn't make any sense."

⚡ Security is all about trust. You have to build relationships with people. They have to trust you, so be excellent but also trustworthy.

"A lot of people complained, 'How do I get into security? They just hired their friend, and I really wish they would have hired me, because I think I might be more qualified.' And I think what people miss is that trust. You don't trust in them. And since we're in the business of trust, that's why it might sometimes feel like it's a club when, in reality, it's not."

##

Episode Highlights

As we move into the cloud, we shouldn't forget about access control and asset inventory

"For me, access control and asset inventory are the top two. I know that, obviously, vulnerability management is important as well. In my experience, I've seen more problems with cloud incidents, with knowing what is in my cloud infrastructure and knowing who has access to it than because something wasn't patched in the cloud."

What long-time security practice should we have gotten rid of by now?

"One thing that we still see pop up from companies in the healthcare system is, 'We want the right to inspect or the right to be notified when you're moving to the cloud infrastructure.' Well, it's like, 'You're not going to inspect GCP’s or Azure AWS’s server building, wherever that's located.' I also don't think that it's really necessary to notify them when they're making a change like that. Because I just don't know what value that adds other than creating overhead for the team. So that's definitely one, even if it's a very specific one."

The importance of trust in the security field

"Cecelia, my first manager at UnitedHealth Group, taught me how to be direct, how to get to the brass tacks and the bottom line. I remember when I first started with her, she would say, 'You have to have coins in the bank with me,' meaning, 'You have to earn my trust.' And so that was a huge lesson — to build trust with people. Because that's what security is all about. […]

It's important to build relationships prior to there being a problem. The one thing that I've just done as good practice, which has benefited me tremendously and that I would advise people to do is, 'You don't have to be the expert in the domain that you're managing, but I would say that you need to get more than an inch deep in it in order to make sure you hire the right person for it.'"

Episode Summary

If you've ever thought of pursuing a career in cybersecurity, we have an episode for you! Today's guest is a career coach and a podcast co-host, and he's here to talk to us about cybersecurity in the post-cloud era.

Chris Foulon is the co-host of Breaking Into CyberSecurity, a Cybersecurity Strategist, and a noted career coach. He says his goal is to give back by producing a podcast focused on helping people who are trying to get into cybersecurity. In addition, Chris helps professionals looking to level up their cybersecurity careers, achieve amazing results, and complete their larger goals.

In this episode of the Cloud Security Reinvented, Chris and our host Andy touch upon some interesting topics. From learning about the impact of the cloud on security to understanding a lack of diversity in the industry, you'll have a lot of information to sink in after this episode.

##

Guest-at-a-Glance

💡 Name: Chris Foulon

💡 What he does: He's the co-host of Breaking Into CyberSecurity, a Cybersecurity Strategist, and a noted career coach.

💡 Noteworthy: After 15+ years as an experienced Information Security Manager, Adjunct Professor, Author, and Cybersecurity Strategist, Chris realized he wanted to help others start their career in cybersecurity. Now he's a coach and a podcast show with a mission to mentor future cybersecurity generations.

💡 Where to find Chris: LinkedIn | Podcast

##

Key Insights

⚡ You don't have to be a programmer to understand cybersecurity. Chris is debunking some common myths of cybersecurity in this episode. Despite popular belief, you don't have to know how to code or necessarily be a programmer to understand the security implications. "I think there's still that expectation that everything is coding, programming. I would say today there are so many different verticals within security that you don't have to be that programmer. You don't have to be a coder. You can understand how to design an architect or a well-architected cloud framework without being in the YAML file for that infrastructure as code."

⚡ Be careful what you automate. Chris is excited to see how the future of automation unravels, but at the same time, he has his doubts. People will certainly be able to focus more on the creative side of things thanks to automation, but there are certain risks to it. "The flip side to that is if you automate without thinking through the process, you end up adding more complexity and more risk to your business."

He shares another interesting point of view. "I was in a recent talk with Sounil Yu, and one of the things that he mentions is that the more you automate, the more people you tend to have to maintain that automation. So be careful what you're automating and make sure you do it."

⚡ Let's increase diversity in cybersecurity. As a reputable coach in the industry, Chris concludes that diversity is one of the challenges that we are yet to overcome. He says that anyone can get into security even if they don't have a degree in it. "We need to increase the diversity of thought, diversity of background, diversity of people included in this industry. And part of that is driving that awareness younger in the education cycle so that people are both aware of the pros and cons of technology, and then that they can see themselves in the technology role as they grow up."

##

Episode Highlights

The world of security has improved due to the growth of cloud

"Traditionally in the past, you had to be almost an expert in networking, in infrastructure, in OS in order to get to those high levels where you're working, you're architecting a data center. Now with cloud service providers, all looking to drive on adaptation of their framework, they're putting out free resources, they're providing free content, and to drive that adaptation of their cloud, that now someone who's really interested in it could go access all of these three resources and become very knowledgeable in cloud without having to understand a legacy infrastructure."

What is the pre-cloud practice we should get rid of?

"I think that the biggest thing is when you think of digital transformations and driving to the cloud, this idea that you can just pick up and drop your old infrastructure and your old designs that you had on-premise, even if you had them virtualized and bring them into the cloud. Because A) you're not taking advantage of the design architecture in the cloud and B) you're just really moving your risk from on-premise to cloud. And in some ways, because people. I have a set of false expectations because they don't properly understand the shared responsibility model. They increase their risk by going to the cloud. They increase their costs by going to the cloud with these simple lift and shift transformations that you're doing and then realize, 'Wow, we're spending too much money.'"

Don't choose money over passion

I think for me it is really finding what you're passionate about and driving towards that. Your passions will change throughout your career, but don't go chasing a paycheck. I think all too often, especially when you're younger, you might go, 'Oh, Wow. They're getting six-figure salaries in cybersecurity. Let me go do that.' But if you pick a role and it doesn't align with your skill sets or your passion, and you feel like you're always pushing a stone uphill, you're going to burn yourself out, and then you're going to end up regretting that decision."

Episode Summary

If you've ever thought of pursuing a career in cybersecurity, we have an episode for you! Today's guest is a career coach and a podcast co-host, and he's here to talk to us about cybersecurity in the post-cloud era.

Chris Foulon is the co-host of Breaking Into CyberSecurity, a Cybersecurity Strategist, and a noted career coach. He says his goal is to give back by producing a podcast focused on helping people who are trying to get into cybersecurity. In addition, Chris helps professionals looking to level up their cybersecurity careers, achieve amazing results, and complete their larger goals.

In this episode of the Cloud Security Reinvented, Chris and our host Andy touch upon some interesting topics. From learning about the impact of the cloud on security to understanding a lack of diversity in the industry, you'll have a lot of information to sink in after this episode.

##

Guest-at-a-Glance

💡 Name: Chris Foulon

💡 What he does: He's the co-host of Breaking Into CyberSecurity, a Cybersecurity Strategist, and a noted career coach.

💡 Noteworthy: After 15+ years as an experienced Information Security Manager, Adjunct Professor, Author, and Cybersecurity Strategist, Chris realized he wanted to help others start their career in cybersecurity. Now he's a coach and a podcast show with a mission to mentor future cybersecurity generations.

💡 Where to find Chris: LinkedIn | Podcast

##

Key Insights

⚡ You don't have to be a programmer to understand cybersecurity. Chris is debunking some common myths of cybersecurity in this episode. Despite popular belief, you don't have to know how to code or necessarily be a programmer to understand the security implications. "I think there's still that expectation that everything is coding, programming. I would say today there are so many different verticals within security that you don't have to be that programmer. You don't have to be a coder. You can understand how to design an architect or a well-architected cloud framework without being in the YAML file for that infrastructure as code."

⚡ Be careful what you automate. Chris is excited to see how the future of automation unravels, but at the same time, he has his doubts. People will certainly be able to focus more on the creative side of things thanks to automation, but there are certain risks to it. "The flip side to that is if you automate without thinking through the process, you end up adding more complexity and more risk to your business."

He shares another interesting point of view. "I was in a recent talk with Sounil Yu, and one of the things that he mentions is that the more you automate, the more people you tend to have to maintain that automation. So be careful what you're automating and make sure you do it."

⚡ Let's increase diversity in cybersecurity. As a reputable coach in the industry, Chris concludes that diversity is one of the challenges that we are yet to overcome. He says that anyone can get into security even if they don't have a degree in it. "We need to increase the diversity of thought, diversity of background, diversity of people included in this industry. And part of that is driving that awareness younger in the education cycle so that people are both aware of the pros and cons of technology, and then that they can see themselves in the technology role as they grow up."

##

Episode Highlights

The world of security has improved due to the growth of cloud

"Traditionally in the past, you had to be almost an expert in networking, in infrastructure, in OS in order to get to those high levels where you're working, you're architecting a data center. Now with cloud service providers, all looking to drive on adaptation of their framework, they're putting out free resources, they're providing free content, and to drive that adaptation of their cloud, that now someone who's really interested in it could go access all of these three resources and become very knowledgeable in cloud without having to understand a legacy infrastructure."

What is the pre-cloud practice we should get rid of?

"I think that the biggest thing is when you think of digital transformations and driving to the cloud, this idea that you can just pick up and drop your old infrastructure and your old designs that you had on-premise, even if you had them virtualized and bring them into the cloud. Because A) you're not taking advantage of the design architecture in the cloud and B) you're just really moving your risk from on-premise to cloud. And in some ways, because people. I have a set of false expectations because they don't properly understand the shared responsibility model. They increase their risk by going to the cloud. They increase their costs by going to the cloud with these simple lift and shift transformations that you're doing and then realize, 'Wow, we're spending too much money.'"

Don't choose money over passion

I think for me it is really finding what you're passionate about and driving towards that. Your passions will change throughout your career, but don't go chasing a paycheck. I think all too often, especially when you're younger, you might go, 'Oh, Wow. They're getting six-figure salaries in cybersecurity. Let me go do that.' But if you pick a role and it doesn't align with your skill sets or your passion, and you feel like you're always pushing a stone uphill, you're going to burn yourself out, and then you're going to end up regretting that decision."

Cloud computing is changing the world as we know it. So what impact does it have on the world of security?

Jonathan Jaffe is the Chief Information Security Officer at Lemonade, a full-service consumer insurance company powered by artificial intelligence and behavioral economics and driven by social good. After years of experience in information security and cybersecurity, he made the transition to the cloud through a San Francisco startup in 2018, and then in 2020 landed at Lemonade, where it's all cloud and technology.

In this episode of the Cloud Security Reinvented podcast, host Andy Ellis and Jonathan Jaffe discuss how the world has changed since the rise of technology and the prevalence of the cloud. They also talk about growth opportunities in the security industry and the power of automation. Tune in to find out more about the post-cloud security era.

Cloud computing is changing the world as we know it. So what impact does it have on the world of security?

Jonathan Jaffe is the Chief Information Security Officer at Lemonade, a full-service consumer insurance company powered by artificial intelligence and behavioral economics and driven by social good. After years of experience in information security and cybersecurity, he made the transition to the cloud through a San Francisco startup in 2018, and then in 2020 landed at Lemonade, where it's all cloud and technology.

In this episode of the Cloud Security Reinvented podcast, host Andy Ellis and Jonathan Jaffe discuss how the world has changed since the rise of technology and the prevalence of the cloud. They also talk about growth opportunities in the security industry and the power of automation. Tune in to find out more about the post-cloud security era.

_______________________________

Guest-at-a-Glance

💡 Name: Jonathan Jaffe

💡 What he does: He's the Chief Information Security Officer at Lemonade, a full-stack insurance company powered by AI and behavioral economics and driven by social good.

💡 Company: Lemonade

💡 Noteworthy: Jonathan's career in security started in 1997 with doing deployments of Netscape servers, LDAP servers, email servers. Then he did about 20 years of Identity and Access Management consulting until he finally landed at Lemonade in 2020.

💡 Where to find Jonathan: LinkedIn

_______________________________

Key Insights

⚡ Cloud has made the world of security more fun. Jonathan is excited to see new technologies emerging in the world of security, and the cloud is certainly responsible for this new era coming to light. He says cloud security is now more complex but, at the same time, more fun. "Cloud has made going from standing in data centers late at night and plugging in cables to now working with really cool technologies that are changing regularly. Much, much more fun!"

⚡ Don't be afraid to play with technology. Jonathan has been in the security industry for a long time and certainly knows his way around it. So what piece of advice would he give to someone who's just starting out? He says to embrace technology. "Encouragement to play with as much new technology as soon as possible to be familiar with the things that are going to stick and the things that aren't, certainly gives you a competitive advantage in your career."

⚡ Automation is the future. According to Jonathan, automation will continue to play a major role in the field of security in the years to come. Not only does it represent our future, but it's also a huge growth opportunity. "I wasn't expecting automation before I got into cloud, but it's pretty often, pretty obvious that you need it once you start dealing with the scale."

Regardless of the industry, most people agree that the cloud era has taken business processes to a whole new level. However, not all industries, including the airline industry, take advantage of cloud technologies as they should.

In today's episode of Cloud Security Reinvented, it is our pleasure to welcome Deneen DeFiore. Deneen is the VP and CISO at United Airlines. She is here today to talk about the importance of using cloud technologies and share her thoughts about the future of technology in general.

Deneen and our host, Andy Ellis, also discuss the best and worst practices from the pre-could era, emphasizing the importance of Identity and Access Management.

Deneen shares a valuable piece of advice to anyone at the beginning of their career. She says skills and knowledge are crucial; expertise brings credibility, but nothing is more important than building solid relationships.

💡 Name: Deneen DeFiore

💡 What she does: Deneen is the VP and CISO at United Airlines.

💡 Websites: United Airlines

💡 Noteworthy: Prior to joining United Airlines, Deneen was part of General Electric (GE). The first half of her career was based on technology and infrastructure process improvement roles. And then, she focused on building the cybersecurity program at GE from a corporate standpoint and then at the aviation business.

💡 Where to find Deneen: LinkedIn

__________________________________________________

Key Insights

⚡ Cloud technologies can help us be more efficient in real-time. According to our guest, cloud technologies have made data available. Now, people who work with data can, if needed, access it anytime, anywhere. However, not all industries, including the airline industry, enjoy the benefits of cloud technologies. ''I don't think we're taking advantage of that as much as we can. I think if you're on the line and you're trying to do maintenance, and you need a piece of information on a standard operating procedure, we're making strides there. And in other industries, it's closer, but not so much in aviation.''

⚡ Building relationships matters. When you are at the beginning of your career, you try to gain as many skills as possible. However, as our guest states, the skills and knowledge you possess are crucial but don't forget true success comes from relationships you build. ''One of the things I think early on in my career is I depended on skill sets and knowledge; I needed to be the expert. And that was great because you do gain countability around the knowledge; you bring in the skills to whatever situation or problem you're trying to solve. But the other flip part of that is, yes, you have to have the skillset, but relationships matter so much as well too. You have to be able to not only get confidence because you know what you're doing, but the how you're doing, and people trust you to do the right thing.''

⚡ It's all about gaining customer trust. Regardless of the industry, customer expectations and experiences should be your number one priority. The core mission of every airline company is to connect the world and ensure people arrive safely from point A to point B. ''As you think about how business models are evolving, not only in my business where customers implicitly trust you to get them from point A to point B safely without any service disruptions. So that means managing that customer experience and expectation is part of your job. I would encourage people as they think about getting into cybersecurity or do their job, how do they relate it to the mission and purpose, and vision of whatever company they're at because it makes it a lot more fulfilling and a lot more exciting to do that way.''

We live in an era where cloud systems have beaten on-premise services. Most businesses have switched to the cloud infrastructure due to its advanced security and other useful features, but what about healthcare? How do they choose to protect and manage their systems?

Meet Ben Waugh, the Chief Security Officer at Redox, a cloud-native medical platform for people who are building healthcare applications. Throughout his career, Ben has been helping different organizations move to the cloud, and cloud migration is the field he specializes in. Therefore, he can provide significant insights into the role of the cloud in the industries such as healthcare, the field that still abides by the traditional technology rules.

Tune in to the new episode of Cloud Security Reinvented to hear Ben Waugh and Andy Ellis discuss the great role the cloud plays today, the opportunities it provides, and the importance of not forgetting the basics when trying to solve more sophisticated threats.

When it comes to information security and technology, Drew Daniels is the person to talk to. After over two decades of experience in the industry, Drew is now in charge of information technology and security as both the CIO and CISO at Druva. He believes information security can be a business driver as important as providing strong leadership.

Having been in the industry before cloud computing, he's also knowledgeable about the best pre and post-cloud practices. However, despite his long experience and large expertise, Drew is no stranger to struggles at work.

___________________________

Guest-at-a-Glance

💡 Name: Drew Daniels

💡 What he does: Drew is the Chief Information Officer (CIO) & Chief Information Security Officer (CISO) at Druva, the global leader in Cloud Data Protection and Management.

💡 Company: Druva

💡 Noteworthy: He has been in information security for about 21 years, and he's also an angel investor, independent board member, advisor to companies on funding, security to help them get off the ground successfully.

💡 Where to find Drew: LinkedIn

___________________________

Key Insights

⚡ Balancing between the CIO and CISO roles is a challenge. Drew says that though these two roles don't always align, they present an interesting challenge. According to him, it's fun wearing both hats. "I have to be responsible for service delivery at Druva and making sure that our employees and our applications are running, available, and enabling the business. But at the same time, thinking about how I secure those things so that those end-users, customers, and the data that resides in those applications are secure and protected. It's a really interesting challenge some days. I have to think about it from an availability standpoint. Other days, I have to think about it from a security standpoint, and there are still days where I have to be keeping both things in my head."

⚡ Change control process has persistently hung on even in the post-cloud era. Drew struggled the most with the change control process as both the CISO and CIO. He says he expected it to go away because it didn't make sense in such an ephemeral world, but it has persisted nonetheless. "I fight with auditors, and I fight with traditional IT personnel around change control because they're like every time I see a policy on change control, it talks about change control, approval board, and things like that. And I'm like, 'We can't do that. Things are moving too fast.'"

⚡ Collaboration is key. When people don't communicate, they risk compromising the quality of their work. Drew talks about the challenges people in security face when it comes to consistent collaboration. "People I know in the industry, engineers, and developers, what I hear from them over and over again is when that happens, they work to get around, avoid, ignore the advice of those security teams, which makes the security team's job so much harder."

Regardless of the industry, most people agree that the cloud era has taken business processes to a whole new level. However, not all industries, including the airline industry, take advantage of cloud technologies as they should.

In today's episode of Cloud Security Reinvented, it is our pleasure to welcome Deneen DeFiore. Deneen is the VP and CISO at United Airlines. She is here today to talk about the importance of using cloud technologies and share her thoughts about the future of technology in general.

Deneen and our host, Andy Ellis, also discuss the best and worst practices from the pre-cloud era, emphasizing the importance of Identity and Access Management.

Deneen shares a valuable piece of advice to anyone at the beginning of their career. She says skills and knowledge are crucial; expertise brings credibility, but nothing is more important than building solid relationships.

_________________________

Guest-at-a-Glance

💡 Name: Deneen DeFiore

💡 What she does: Deneen is the VP and CISO at United Airlines.

💡 Websites: United Airlines

💡 Noteworthy: Prior to joining United Airlines, Deneen was part of General Electric (GE). The first half of her career was based on technology and infrastructure process improvement roles. And then, she focused on building the cybersecurity program at GE from a corporate standpoint and then at the aviation business.

💡 Where to find Deneen: LinkedIn

_________________________

Key Insights

⚡ Cloud technologies can help us be more efficient in real-time. According to our guest, cloud technologies have made data available. Now, people who work with data can, if needed, access it anytime, anywhere. However, not all industries, including the airline industry, enjoy the benefits of cloud technologies. ''I don't think we're taking advantage of that as much as we can. I think if you're on the line and you're trying to do maintenance, and you need a piece of information on a standard operating procedure, we're making strides there. And in other industries, it's closer, but not so much in aviation.''

⚡ Building relationships matters. When you are at the beginning of your career, you try to gain as many skills as possible. However, as our guest states, the skills and knowledge you possess are crucial but don't forget true success comes from relationships you build. ''One of the things I think early on in my career is I depended on skill sets and knowledge; I needed to be the expert. And that was great because you do gain countability around the knowledge; you bring in the skills to whatever situation or problem you're trying to solve. But the other flip part of that is, yes, you have to have the skillset, but relationships matter so much as well too. You have to be able to not only get confidence because you know what you're doing, but the how you're doing, and people trust you to do the right thing.''

⚡ It's all about gaining customer trust. Regardless of the industry, customer expectations and experiences should be your number one priority. The core mission of every airline company is to connect the world and ensure people arrive safely from point A to point B. ''As you think about how business models are evolving, not only in my business where customers implicitly trust you to get them from point A to point B safely without any service disruptions. So that means managing that customer experience and expectation is part of your job. I would encourage people as they think about getting into cybersecurity or do their job, how do they relate it to the mission and purpose, and vision of whatever company they're at because it makes it a lot more fulfilling and a lot more exciting to do that way.''

One of the aspects where we can see how much the technology has progressed is the cloud system. Cloud has become more prevalent than on-premise IT infrastructure, mainly since it is more secure and more reliable than it used to be at its very first beginnings. But how is it like to be a part of cloud security systems, or, better said, a CSO?

Ty Sbano is the Chief Security and Trust Officer at Sisense. His career journey has been pretty rich and interesting and has helped him determine his end goal: becoming a CSO. Being CSO can be stressful, which is why Ty suggests that one must be ready for the stress before committing to cybersecurity. Aside from coping with all the stress and challenges that come with cloud security, it is fundamental to have a strong mentor who will help you go through the entire process.

In this episode of Cloud Security Reinvented, Ty Sbano and Andy Ellis have an insightful conversation about the basic concepts of cloud security, data analytics, risk management, and other essential aspects future CSOs will find incredibly handy.