Episodes

  • This episode of Code to Cloud features a discussion with Immuta's CISO, Mike Scott, and Co-Founder and CTO, Steve Touw, hosted by Andy Schneider, Field CISO EMEA at Lacework. Mike is a highly experienced and accomplished leader in information and data security, real-time analysis of immediate threats, and IT and infrastructure designs. And Steve is known for his data science work with US Special Operations Command and the US Intelligence Community. The conversation centers around the importance of a 'shift left' culture in software development, emphasizing security from the start of the development process. Both guests share how this approach has enabled Immuta to move to a SaaS model, deliver features and security fixes more rapidly, and foster a strong security culture by bringing the CISO and CTO teams closer together. Practical insights include the adoption of communication tools like Slack, the significance of automation in maintaining a rapid release cadence, and the importance of understanding employee communication styles using the DISC assessment. The discussion also touches on overcoming conflicts and the critical role of setting realistic goals in achieving security and compliance milestones.

    Key Quotes

    *”Security is inevitable. And we can all look back and see where it's delayed us, when security was brought in at the end of the game. Versus if we can move our mindset to really thinking from ideation all the way through creation to delivery of software, we're going to meet a lot of those challenges early. And then what we've seen, I think the outcome is a more timely release and less of security being a roadblock and more just like a small speed bump along the way.” - Mike Scott

    *”Shifting left has also allowed our teams to understand the security impact sooner. And so when a critical vulnerability comes out, the engineering team has already decided, ‘Are we vulnerable? What's the fix going to be?’ within hours of getting that notification versus responding to a customer's inquiry before.” - Mike Scott

    *”We needed the security to be there so that we could change our release cadence, the shift left. And our architecture changed quite a bit too. Most of our customers are SaaS now, used to be self-managed on-prem type solution. And we've really tried to push the SaaS solution because it helps us with releasing faster, getting features in our customers' hands faster, but also allows us to deploy security fixes more quickly as well. So, that forcing function of having to deliver more quickly, of providing it or making us do the shift left to be able to do that. It flipped it on its head and also allows us to fix problems more quickly as well.” - Steve Touw

    *”I'm constantly reminding our governance committee, ‘Hey, we put a lot of stuff on this team to meet ISO requirements and SOC 2 requirements.’ And for me, that's defending my partner, Steve, right? It's saying, ‘Hey, this is taking extra time. This is taking away from his ability to deliver product.’ And so when they're hearing Steve say it, and they're hearing Mike say it, and they're hearing other parts of the business say it, it's also helping get that justification for resources or at least changing prioritization.” - Mike Scott

    Time Stamps

    [0:40] Introducing the Special Episode with Immuta's CISO and CTO

    [1:46] The Shift Left Culture: Enhancing Security and Efficiency

    [3:24] Building a Security-Minded Engineering Culture at Immuta

    [5:34] The Measurable Benefits of Shifting Left in Security

    [10:04] Fostering Collaboration Between CISOs and CTOs

    [14:43] Championing Security Through Engineering and Automation

    [22:04] The Critical Role of Automation in Modern Software Development

    [23:46] The Drive for Faster Feature Delivery

    [24:16] Breaking Down Big Goals into Manageable Pieces

    [24:36] The Journey to Compliance and Certification

    [25:54] The Impact of SOC 2 Compliance and Beyond

    [26:40] Collaboration and Strategy in Achieving Compliance

    [29:37] Addressing Conflicts and Embracing Collaboration

    [34:53] Leveraging DISC for Effective Communication

    [39:28] Reflecting on Career Lessons and the Path to Leadership

    [43:37] Essential Tools for Success and How to Connect

    Links

    Connect with Mike Scott on LinkedIn

    Connect with Steve Touw on LinkedIn

    Learn more about Immuta

    Learn more about Lacework

    This podcast is brought to you by Lacework, the leading data-driven cloud-native application protection platform. Lacework is trusted by nearly 1,000 global innovators to secure the cloud from build to run. Lacework delivers true end-to-end protection, empowering customers to prioritize risks, find known and unknown threats faster, achieve continuous cloud compliance, and work smarter–not harder–all from one unified platform. Learn more at Lacework.com.

  • This episode features an interview with Jenny Brinkley. Jenny is Director of Amazon Security at AWS. Prior to joining Amazon, she co-founded an artificial intelligence start-up called Harvest.ai focused on protecting highly sensitive data using behavior analytics to prevent data loss. Harvest.ai was then acquired by AWS in April 2016. Jenny has also been awarded a few patents focused on data loss prevention and the right to be digitally forgotten. And on this episode, Jenny and host Tim Chase discuss the value of personal data, the importance of security at the executive level, and diversification of the workforce.

    Key Quotes

    *”We're living in a really interesting time where people are just starting to understand the value of their interactions with different digital products and the different types of outputs that they get. But then couple in the fact of where we're seeing the future of how Gen AI related to still keeping me unique and special and different is important. And that's where I really am curious to see how this year is going to unfold related to individuals understanding the value of that data and how to stay not only safe as you're operating online, but how to also think about how you either get compensated for the use of your data, or how you get to set the parameters of what you want to see with the different type of data that can be used in training models.”

    *”People don't necessarily understand what they create and how valuable that is, but then also how to protect themselves as they're operating within different technology stacks.”

    *”I feel so blessed I was able to spend that time in thinking about how data classification at the scale of AWS really should operate and how it should think. But I think that there's still such an open space for someone to come in and solve for making it easy. Like, how do you really identify that type of data that's so important to your organization and who has access to it? And how do you turf up alerts in a way that can not only give you insight into how to take action, but that all should be automated for you. And that's where I really see the future of where generative AI is going to come into play.”

    Time Stamps

    [0:56] Jenny Brinkley's Journey: From AI Startup to Amazon Security

    [1:30] The Evolution of Data Protection and Privacy

    [2:46] Understanding the Value of Data in the Age of Generative AI

    [5:02] The Role of Security in Business and Regulatory Compliance

    [10:28] The Shift in Security Mindset: From Basement to Boardroom

    [14:52] Redefining Data Loss Prevention and the Future of AI in Security

    [23:31] Diversifying the Cybersecurity Workforce for the Future

    [34:52] The Importance of Community Engagement

    Links

    Connect with Jenny on LinkedIn

    Learn more about AWS

    Learn more about Lacework


  • This episode features an interview with Sean Wright. Sean is Head of Application Security at Featurespace, the world leader in Enterprise Financial Crime prevention for fraud and Anti-Money Laundering. He is an experienced application security engineer, having started his career as a software developer. His expertise is in web based application security with a special interest in TLS related subjects. And on this episode, Sean and host Andy Schneider discuss navigating AppSec in the cloud age, finding and leveraging security champions, and Sean’s take on open source as it relates to supply chain risks with third party software libraries.

    Key Quotes

    *”The thing that really scares me, we've seen it already with Python packages, NPM packages, Ruby packages, is those who actually intentionally put malicious code in there. There's things to steal secrets, crypto miners, the whole shebang. And that to me is probably the biggest worry I have around open source. Because trying to catch that…it's just, how do you do it? And just the massive volume that's there.”

    *”Break down barriers between the security teams and the engineering teams. I don't see why there needs to be this friction. At the end of the day, you're working for the same company. You're trying to achieve the same goal. Work together, support one another. See each others' issues or frustrations, problem points, and try to achieve the same goal. And at the end of the day, it'll work out for everyone.”

    *”How can we expect people to write secure code if they don't even know what that is like? Universities need to have some elements of this in the bachelor of science, computer science degrees. Embed that in, make it part of the curriculum. It doesn't have to be sophisticated. It can cover the top level stuff, but at least make people aware of it. There's this fixation on some of the more glamorous stuff in the industry. So we kind of ignore some of the stuff that really needs to be tackled. Go look at SQL injection, go look at cross site scripting, those kinds of things. It's been around for decades, yet we still haven't solved those problems. And they're not difficult problems to solve.”

    *”You got all these new technologies, these new languages coming out, and now you have to not only know how to use those technologies, but use them securely. And that's probably where we need to start looking at building secure by default into the technologies rather than as a bolt on or afterthought. It's kind of happened over the years as well.”

    *”I'm not just focused on AppSec. I engage with other areas of a security team because the security department's pretty small. That means I get exposure to other things, or I can help provide outside influence or thoughts, opinions that could help. So don't just fixate in your bubble. Work with other people, share ideas. Get engaged, things like community, different groups, and learning.”

    Time Stamps

    [0:30] Introducing Sean Wright, Head of AppSec at Featurespace

    [1:06] Sean Wright: From Developer to Application Security Expert

    [1:39] The Evolution of Software Development: Pre-Cloud to Cloud Era

    [4:06] The Transformation of Application Security in the Cloud Age

    [6:07] Effective AppSec Measures: Frameworks, Training, and Collaboration

    [12:09] Navigating the Risks of Open Source and Third-Party Libraries

    [18:15] Strategies for Managing Open Source Security Risks

    [20:18] Why Software Remains Vulnerable

    [21:01] The Importance of Secure Coding Education

    [21:32] Addressing Long-Standing Security Issues

    [22:40] The Rapid Pace of Technological Advancement

    [23:22] Language Choices in Security

    [25:26] Industry's Struggle with Cybersecurity

    [28:37] Advice for Aspiring Security Professionals

    [31:26] The Potential of AI in Application Security

    [34:24] Future Trends and Challenges in AppSec

    Links

    Connect with Sean on LinkedIn

    Learn more about Featurespace

    Learn more about Lacework


  • This episode features an interview with Jeff DeVerter, Chief Technology Evangelist at managed cloud computing company Rackspace. He has over 25 years of experience in IT and technology, and has worked at Rackspace Technology since 2008. Over his career, Jeff has helped companies like American Express, Ralph Lauren, and Thomson Reuters create and execute against multi-year digital transformation strategies. And on this episode, Jeff and host Tim Chase discuss how to navigate an excessive amount of data due to the popular use of AI, why security by obscurity is ineffective, and aligning day-to-day security duties with business goals.

    Key Quotes

    *”In security, we're looking for that needle in the haystack. We're trying to find that one little bit of behavior that’s different today than it was yesterday and that could be an indicator. Well, there's so much data these days, it's like finding a needle in a needle stack. And I think that the only way for security professionals to be able to do their job in the future given the extreme amount of data that exists and is growing is through AI. Machine learning and AI.”

    *”AI in 2024 becomes the co-employee. If we're doing it right, it really is filling that seat next to the brilliant security individual or whatever the department might be, who sits next to them to help them be better, more intelligent, more efficient at the things that they do.”

    *”So much of security, especially as it related to the knowledge worker, was security by obscurity. It's over on this shared drive. It's 15 folders deep. Nobody even knows that it exists, let alone to go and parse it. And all of a sudden, some indexer goes and rolls through the thing and now you type in, for example, the year pay raises or reporting structure or something along these lines that they thought was very secure, but it wasn't secure and now it’s exposed. And now we have that problem on steroids as all of these groups start to bring together all of their data so that Gen AI can provide this value, we're finding that more and more of that security was by obscurity or other less efficient methods that ultimately then creates challenges.”

    *”The CISO has to have a relationship with every aspect of the business to understand what's happening. And they have to realize that they're not the scary people who have been hiding back in the SOC. And you'd never want to get an email from security because you only get an email when something bad has happened or you've done something accidentally bad. So you have to break that stigma. Same for the legal team, by the way, they've got to be in this as well, but it starts with amazing relationships. And if they don't exist, they've got to get built.”

    *”IT leaders. Are you hands on keyboard? No. Do you need to know everything about that technology to know what's possible and capable of your people? Yes.”

    Time Stamps

    [0:32] Introducing Jeff DeVerter, Chief Technology Evangelist at Rackspace

    [3:20] How is generative AI impacting cybersecurity?

    [13:49] What are the risks posed by generative AI to cybersecurity?

    [16:42] How can security professionals put limits on generative AI and secure it?

    [22:21] How is security a business enabler

    [26:56] What’s the most important habit an IT leader can have?

    [28:52] How can listeners increase their cybersecurity?

    Links

    Connect with Jeff on LinkedIn

    Learn more about Rackspace

    Learn more about Lacework


  • This episode features an interview with Dr. Kevin Tham. Kevin is a CISO leader in the Australian Digital Banking sector and a seasoned information security veteran in the financial services industry. Most recently, he served as CISO at etika, a purpose-driven lender. And on this episode, Kevin and host Tim Chase discuss cryptography including how it’s changed over the last 25 years, and how quantum computing and AI will affect it. They also discuss handling cybersecurity incidents from first steps to when to notify the board.

    Key Quotes

    *”I think a lot of people focus on who's the nation status [in the event of an incident]. For me, I just need to know enough; what the motivation is for this particular attacker. Then it actually very quickly tells you what that next step is or what that one step plus one is so that you can actually hit them off and cut it off from a containment perspective.”

    *”If you have an open source intelligence platform that is based on an LLM on a backend, for example, and it starts taking all this information that's on the internet and understanding cipher systems on websites and stuff. Then it becomes a very interesting sort of platform to go, ‘Okay, awesome platform, tell me which website has the TLS 1.1 that's still running, etc.’ And it becomes really interesting because ‘someone's’ doing the job for you.”

    *”If [an incident] hits a certain severity, absolutely, the CEO needs to come in. And the comms team needs to be part of that team so that you can shorten communication between the decision maker and the action that needs to be taken. So it's a bit fluid in the sense, in that sense, but, you know, for me, it's more about how do I shorten any communications about decisions made versus what needs to be done.”

    Time Stamps

    [0:44] Introducing CISO leader Dr. Kevin Tham

    [5:01] Kevin on cryptography

    [7:21] How has cryptography changed over the years?

    [10:27] How does quantum computing affect cryptography?

    [15:44] How will AI affect cryptography?

    [19:09] What’s Kevin’s action plan in the event of a security incident?

    [26:21] Who’s in the response team?

    [28:21] At what point do you need to notify the board of a security incident?

    Links

    Connect with Kevin on LinkedIn

    Learn more about Lacework


  • This episode features an interview with Frank Wang, Lead Security Engineer at Headway, a new mental healthcare system that works to remove historic barriers faced by mental health providers, payers, and patients. Previously, Frank served as staff security engineer and the first hire in that function at dbt Labs. He has also dabbled in venture capital and academia. He holds a PhD from MIT focused on security and cryptography and a B.S. in computer science from Stanford. And on this episode, Frank and host Tim Chase discuss the benefits of on prem versus cloud storage, why getting complete visibility of the cloud is unlikely, and why partnering with engineers is critical to successful cybersecurity.

    Key Quotes

    *”People are challenging the idea that 100 percent cloud at scale works. Everything comes with a cost. And the cloud gives you elasticity. That's always what it's been for. If you don't know what your load is like, it doesn't make sense for you to buy infrastructure. That's a complete waste of resources. But if you know and have stable workloads, then it makes a ton of sense for you to put those workloads on prem just from a pure cost and engineering perspective. It's cheaper.”

    *”We're never going to fully solve for visibility in the cloud. I think there's a number of reasons for it. AWS is coming out with new features. There's so many features you can't keep track of. What are developers doing? What new APIs are there? And so I think it's just much harder to keep track of all the changes that are happening in the cloud, let alone developers who are now using these. And then as your team expands, it compounds itself. So I think visibility is always going to be a pretty big problem. And then we have to just really decide at some point what matters most and what's the highest risk and what we really need visibility in. Because I don't think we're going to get complete visibility.”

    *”You should focus on enablement instead of enforcement to start, which means like, ‘How do I enable people to have the best security practices in a sustainable way?’ And then push very hard until you exhaust all possible enablement and then go toward enforcement. That works better earlier on at a company.”

    Time Stamps

    [0:35] Introduction: Meet Frank Wang, Lead Security Engineer at Headway

    [1:16] Problems with Cloud Security

    [2:29] Visibility Problems in Cloud Security

    [4:07] Improvements Needed in Cloud Security

    [7:13] Shifting Back to Hybrid Infrastructure

    [10:10] Building Trust as a Security Professional

    [12:41] Cloud Security in the Business Context

    [17:03] The Future of Cybersecurity

    [21:17] Getting into the Cybersecurity Industry

    [30:20] Addressing the Cybersecurity Shortage

    Links

    Connect with Frank

    Learn more about Headway

    Learn more about Lacework


  • In Season 2, you’ll hear from guests at companies like AWS, Headway and Rackspace as they bring you insights on the latest in cloud security. Hosts Tim Chase and Andy Schneider are talking with top CISOs and cybersecurity leaders about industry trends and challenges. What are their top priorities? What tools and techniques are they using to stay ahead of the curve? And how are they shifting left? We’re answering all of these questions and more. So keep an eye on your podcast player of choice for new episodes launching in the new year.

  • This episode we’re looking back at some highlights from past guests. Host Tim Chase is sharing quotes from leaders at companies like Okta, Deloitte and Deepwatch on security as a business enabler, leadership in cybersecurity, and what it takes to be successful in the modern security landscape.

    Key Quotes

    *”Trust is everything. So you know what I say is, ‘Business first, trust second and cyber third.’ That's the mantra I go with. Right after business, the trust has to come in. And without business, nothing exists. But trust is literally the next element that you have to focus on.” - Rohit Parchuri

    *”You can do a great deal of work very early on, with very little team and budget. But the earlier you can set the foundations, the more dividends they will pay off over time. Because the rework of trying to implement security later on, both from a cultural perspective, but also from a technological and control perspective, it just gets exponentially harder.” - Sebastien Jeanquier

    *”There's this whole thing that organizations do that I call ‘security theater.’ The easiest way of actually thinking about it is like when you go to the airports and there's that whole show of trying to make people feel safe. And I think traditional security practices give that sensation that you are safe. So, I bring that concept to my teams: ‘Is this really actually taking care of what we are trying to achieve? Or is this just for checking another box and saying that we are safe?’” - Alberto Silveira

    Time Stamps

    [0:41] Rohit Parchuri of Yext on trust in cybersecurity

    [1:06] Craig Riddell of Netwrix Corporation on modern identity

    [1:34] Sebastien Jeanquier of Upvest on starting a security practice

    [2:04] Alberto Silveira of LawnStarter on “security theater”

    [3:24] Gerald Beuchelt of Sprinklr on practicing effective cybersecurity

    [4:04] Julie Chickillo of Guild on security as a business enabler

    [4:29] Terry O’Daniel of Amplitude on speaking to the board

    [5:14] Mark Settle, formerly of Okta, on understanding the business

    [5:53] Wes Mullins of Deepwatch on security during the pandemic

    [6:47] Emily Mossburg on Deloitte’s Global Future of Cybersecurity survey

    [7:32] Fractional CISO Aruneesh Salhotra on threat awareness

    [8:02] Greg Crowley of eSentire on alert fatigue

    [8:50] Kelly Haydu of Cargurus on getting ahead of security breaches

    [9:45] Bill Dougherty of Omada Health on building relationships with customers

    [10:19] Billy Spears of Teradata on AI in cybersecurity

    Links

    Connect with:

    Tim Chase

    Rohit Parchuri

    Craig Riddell

    Sebastien Jeanquier

    Alberto Silveira

    Gerald Beuchelt

    Julie Chickillo

    Terry O’Daniel

    Mark Settle

    Wes Mullins

    Emily Mossburg

    Aruneesh Salhotra

    Greg Crowley

    Kelly Haydu

    Bill Dougherty

    Billy Spears

    Learn more about Lacework


  • This episode features an interview with Kelly Haydu. Kelly is Vice President of Information Security and Technology at CarGurus, the most visited automotive shopping site in the US. Prior to CarGurus, she served as Senior Director of InfoSec at Salsify. Before her tenure in the security space, Kelly worked in Quality Assurance including lead automation roles across markets and verticals. On this episode, Kelly and host Tim Chase discuss sources for keeping up on the latest privacy laws, why there isn’t a national privacy law in the U.S., the benefits of micro training and more.

    Key Quotes

    *”If you get too technical, you'll lose your audience very fast. So if you can correlate it back to somebody's real life or an example of how it may relate back to a theme, it resonates more. As soon as you start getting into the technical jargon, you're going to lose people. Because people already think security is boring and complex and don't understand the jargon. So that's how I start with education.”

    *”From an engineering perspective, building privacy by design into our pipeline starting with the product teams. But really explaining why it's important to do that up front. The cost of a breach is the cost of a breach. But just looking at a vulnerability that makes it into production, let's say it's a high vulnerability. The cost to remediate that vulnerability is more expensive after the fact than if you address it up front, before it gets into production. And so explaining that to engineers and making sure that you're partnering with them and providing them guidance on what's a go/no-go decision, and not being a blocker, will help drive adoption.”

    *”Micro training is great. And make it fun. I received a LinkedIn message from an old coworker at a new organization now that said, ‘Hey, don't know if you remember me, but you gave this security training at a previous company, and I thought it was hilarious but it stuck with me.’ And that really got to my heart, because I said, ‘Yes, I got to that person. They remembered the security training.’ And if you're going to be boring about it, it's not going to resonate with people.”

    Time Stamps

    [0:39] Introducing Kelly Haydu, VP of InfoSec, Technology and Enterprise Applications at CarGurus

    [1:40] Where do security and privacy overlap?

    [3:41] How do you educate the executive team on compliance?

    [5:42] How do you stay up to date on current privacy laws?

    [9:23] Why has it been so difficult to get a national privacy law?

    [14:48] How did Kelly first become involved in IT and security?

    [16:57] What was Kelly’s path to CarGurus?

    [20:35] What makes a good cybersecurity leader?

    [22:43] How is cybersecurity a strategic partner to the business?

    [24:53] How does Kelly build privacy by design into their pipeline?

    [27:08] How does Kelly’s team train the entire company on cybersecurity?

    [28:38] How do you make cybersecurity training fun?

    Links

    Connect with Kelly on LinkedIn

    Learn more about CarGurus

    Learn more about Lacework


  • This episode features an interview with Sebastien Jeanquier, Chief Security Officer at Upvest, a fintech startup that empowers other fintechs to provide their customers with seamless, reliable and secure access to the full range of investment opportunities. Sebastien has over 15 years of experience including security advisory consulting, penetration testing and incident management. On this episode, Sebastien and host Tim Chase discuss how to strike the perfect balance of functionality, process and education to build a security-first fintech ecosystem, what it means to take a bottom-up approach, and how to treat security as a first-class citizen.

    Key Quotes

    *”Security as a domain is now as wide as it is deep, and it's a very delicate balance; to have the sufficient depth but also breadth of knowledge to be able to go and have a conversation with the most technical person in your team and be a meaningful sparring partner for them, even if you're not going to be involved in this sort the details of how that thing gets implemented.”

    *”Management has to make it clear that the expectation is for security to be taken as a top consideration, whether it's part of developing a product or as part of your back office operations and processes. It also means making someone responsible for that, not as a side job…putting someone with the relevant skillset and experience in a position with their peers, with some of the other business leaders. For very small companies, this can be tricky because they may mean committing early on to hiring a senior security leader, which is not something that a lot of startups can feel like they can afford to do. But at the same time, that security leader can help lay the foundations for robust security culture and controls, whilst also helping to enable other teams.”

    *”You can do a great deal of work very early on, with very little team and budget. But the earlier you can set the foundations, the more dividends they will pay off over time. Because, the rework of trying to implement security later on, both from a cultural perspective, but also from a technological and control perspective, it just gets exponentially harder…If you're at a stage where you do have a CISO, then effectively they should report to the CEO or a managing director, or in a larger organization directly to the board. That person needs to have the ability to disagree with their counterparts, and not just be overlooked and say, ‘No, the priority is to ship the product. But the priority is not compliance right now.’ You need to be able to have that constructive criticism between each other without fearing that you're stepping on your manager's toes.”

    *”The traditional CISO of traditional or legacy organizations and a lot of top down or risk-focused security, they expect to put good sounding policies and standards in place, and expect those to get implemented as strong technical or procedural controls at the bottom. And I think that's overly optimistic. A modern CISO in the kind of space that we're in now has to have a strong grasp of the layers in between their strategy and the policies, all the way down to the kinds of threats that their kind of organization faces. And what does an effective control look like to counter those?”

    *”Security is especially an enabler in regulated environments where a certain number of controls will be imposed on you regardless of what you're doing. And any number of controls poorly implemented will result in a drain on your company's resources over time.”

    Time Stamps

    [0:27] Introducing Sebastien Jeanquier, Chief Security Officer at Upvest

    [1:41] What does it mean to treat security as a first class citizen?

    [5:51] What advice would he give other companies to take security as a top consideration?

    [9:09] How do you approach security from the bottom-up?

    [12:30] How is security a business enabler?

    [15:04] What makes a good cyber leader?

    [17:56] How do you build trust with your team and with the board?

    [27:27] What does Sebastien see as upcoming challenges in security?

    [29:38] What’s the most important habit a security leader can have?

    [30:46] What’s one thing people can do to increase their cybersecurity?

    Links

    Connect with Sebastien on LinkedIn

    Learn more about Upvest

    Learn more about Lacework

  • This episode features an interview with Emily Mossburg, Global Cyber Leader at Deloitte, a leading global provider of audit and assurance, consulting, financial advisory, risk advisory, tax, and related services. She has more than 20 years of experience across both federal and private sectors in developing strategy and programs, and implementing technical solutions to manage cyber and associated risk, information security, data protection and privacy. And on this episode, Emily and host Tim Chase discuss the benefits of cyber spend on business outcomes, how the role of the CISO has expanded as the cybersecurity industry has matured, and how to appeal to a diverse set of candidates when hiring.

    Key Quotes

    *”Any real, fundamental shift to the underlying way in which an organization does business changes the threat landscape. You can't ignore that. You've got to address the fact that you're making changes that are potentially opening up new risks as you go.”

    *”There is no magic number. The cyber risk will never be zero.”

    Time Stamps

    [0:32] Introducing Emily Mossburg, Global Cyber Leader at Deloitte

    [1:17] How does Emily think about risk?

    [3:45] How is security a business enabler?

    [6:52] How is cyber a differentiator?

    [7:52] How is Emily addressing security needs across borders?

    [12:03] What were the findings of Deloitte’s Global Future of Cyber survey?

    [16:05] Can you ever spend enough on cyber to bring risk to zero?

    [17:32] Are companies increasing or decreasing cyber spend?

    [19:34] How does diversity in cyber lead to better business resilience?

    [24:28] What is Deloitte doing to bring more women into the cyber industry?

    [30:15] What’s the biggest learning of Emily’s career?

    [34:14] What advice would Emily give to someone wanting to get into the cybersecurity field?

    Links

    Connect with Emily on LinkedIn

    Learn more about Deloitte

    Learn more about Lacework

  • This episode features an interview with Bill Dougherty, CISO at Omada Health, a virtual-first, integrated care provider combining the latest clinical protocols with breakthrough behavior science to make it possible for people with chronic conditions to achieve long-term improvements in their health. Bill brings with him over 25 years of experience in IT and security at such companies as RagingWire, StubHub and Copart. And on this episode, Bill and host Tim Chase discuss the ins and outs of threat modeling, the cybersecurity basics every security leader should revisit, and why every IT or security leader should have another expertise within the business.

    Key Quotes

    *”If you've got the right relationships and you build the right risk model, you can get the resources you need. Not necessarily what you want, but the resources you need to do the job right.”

    *”The best IT people and the best security people that I know have some other expertise within the business first.”

    *”If you want to run Salesforce, run a commercial system. You should have some expertise in the sales side of the house and some affinity for what it's like to get up every morning and make 50 cold calls and get hung up on 50 times because that then gives you the knowledge you need to make the system better for the people who are going to actually use it. So I consider the fact that I didn't start out in IT or security actually a gift because it gives me empathy for my customers.”

    Time Stamps

    [0:16] Introducing Bill Dougherty, CISO at Omada Health

    [0:51] How does Bill navigate HIPAA?

    [2:26] How does Bill advocate for more budget?

    [5:01] Does Bill add more regulations to those imposed by HIPAA?

    [8:56] What’s the difference between following security regulations and compliance with the law?

    [11:20] What’s threat modeling?

    [13:15] How do you integrate threat modeling?

    [16:47] What’s the INCLUDES NO DIRT threat model?

    [19:41] Why is it important to revisit cybersecurity basics?

    [24:27] How did Bill first get involved in IT and cybersecurity?

    [28:46] Bill’s advice for other cybersecurity and IT professionals

    Links

    Connect with Bill on LinkedIn

    Learn more about Omada Health

    Read more about the INCLUDES NO DIRT threat model

    Learn more about Lacework

  • This episode features an interview with Craig Riddell, Field CISO at Netwrix Corporation, a provider of data security solutions for on-premises, hybrid, and cloud infrastructures. Craig is also a multiple award-winning Director and Strategist in Identity and Access Management. Previously, Craig served as Director of Identity and Access Management at HP. He brings a wealth of knowledge and experience around modernizing identity solutions while reducing costs and improving security. On this episode, host Tim Chase and Craig discuss managing third party permissions, how your tools are only as good as your implementation of them, and why a single daily identity authentication isn’t enough.

    Key Quotes

    *”A modern identity practice really needs to look at truly reducing the risk to the business, not just managing the risk to the business. A heavy degree of automation, especially in the concepts of, like, movers, joiners, and leavers so that you can prevent snowballing permissions, and then also needs to look heavily at third parties.”

    *”Just because you've spent money on something in the past doesn't mean it's still a worthy investment today.”

    *”A heavy degree in automation means if I hire somebody, I shouldn't have to go into any other system than my hiring system.”

    *”Just having a multifactor authentication check in the middle of the day, or at the beginning of the day, does not mean that your identity is now validated for the next 24 hours. We need to be looking at things like user behavior analytics. We need to be looking at things like adaptive authentication. If you move into a certain risk profile, all of those things. There is no silver bullet for identity.”

    *”Identity touches everything from the end user to the most complicated critical application. We have to know how all of these different workflows work. So it's a very hard skillset to staff with and collapsing some of these tools down and making them to where you can have one engineer to run multiple things obviously helps.”

    *”Your tools are only as good as the implementation. If it's super easy to bypass your PAM solution by, say, dropping in an SSH key and bypassing it every time instead of going through it, your engineers probably have the best of intentions. They're just trying to get their job done. But they just created a backdoor through a critical security tool.”

    *”It doesn't matter how good you think you are, you can be in hot water really quick. It's important to double check. And now I do, I double check everything. I don't push enter on a text message without making sure that it's good to go. Linux will teach you the hard way.”

    Time Stamps

    [0:26] Introducing Craig Riddell, Field CISO at Netwrix Corporation

    [1:26] Why did COVID make identity a priority for businesses?

    [2:53] What does modern identity look like?

    [4:51] How can you automate identity?

    [6:43] How do you navigate over-provisioning in identity management?

    [9:58] What acronyms should you know in identity management?

    [11:52] How will identity tools change in the future?

    [14:16] How has cloud changed identity?

    [16:40] What does zero trust mean to Craig, and how does it play into the future of identity?

    [19:22] How did Craig get involved in identity?

    [27:44] What advice would Craig give someone wanting to get into cyber?

    [30:13] What was the biggest learning of Craig’s career?

    [32:00] What’s the best habit an IT leader can have?

    Links

    Connect with Craig on LinkedIn

    Learn more about Netwrix Corporation

    Learn more about Lacework

  • This episode features an interview with Wes Mullins, Chief Technology Officer at Deepwatch. Deepwatch's innovative cloud platform and borderless SOC extend their customers’ cybersecurity teams and proactively protect their brand, reputation and digital assets. Wes has nearly 20 years of industry experience, having started his career as a developer, then working in networking and finally cybersecurity. Prior to Deepwatch, Wes was the VP of Global Cyber at Nielsen. On this episode, host Tim Chase and Wes discuss the factors he considers when selecting potential partners - and how they got a partnership with AWS - why you shouldn’t try to sell anything during the first customer engagement, and the one most important quality in a new hire.

    Key Quotes

    *”You can teach aptitude, but you can't teach attitude. So how do you find the right people that maybe don't have the experience that's on the job description, that maybe don't meet the requirements that the recruiters want or the hiring manager want, but know that they can still do the job and afford them the opportunity to do that and put people in tough positions to fail? Because if they're never put in those spots, they're never really gonna break the mold and succeed.”

    *”Culture and people. We can talk about technology, AI and automation. I think any good leader, whether it's cyber or any other role, needs to have a good handle on culture in the people. They need to have a great relationship with the people team itself. The HR team or the people team, they're your advocates. They're there to help you protect you, and ensure that you're doing the right thing.”

    *”If you don't have good relationships with the other parts of the business that you have to work with, it's gonna be a struggle. You need to get their buy-in. And having a great relationship across line of service, across BAU, BU, Opco, Subco, whatever they call it, things just become things on spreadsheets and swapping head count, and swapping budget and moving priorities up and back, become random phone calls on a Friday. And that's the type of relationships you want to have.”

    *”Security shouldn't just be considered a call center. It's considered a business enabler. There are situations that will continue to happen where security is going to be your enabler to go as fast as you can go. Because they're gonna let you know the minimum level of acceptable risk to go ship those features and make those changes that you need.”

    *”Any good first customer engagement is a fact finding session. Like not selling anything, not pitching anything, not comparing anything, most certainly not talking about competition. But really trying to find out what that individual wants, what they need, what they're trying to get, and what is their problem.”

    Time Stamps

    [03:30] Introducing Wes Mullins, CTO at Deepwatch

    [1:18] How did Wes go from developing into security?

    [5:08] From CISO to CTO

    [6:28] How does Wes’ security knowledge serve him as a CTO?

    [8:51] What are the critical qualities a security leader should have?

    [13:20] How do you tailor your leadership approach to each customer?

    [16:34] How do partnerships drive the business forward?

    [18:26] What factors does Wes consider when selecting potential partners?

    [20:43] How does Deepwatch coordinate communications to deliver MDR?

    [27:40] What’s the one tool Wes can’t live without?

    [28:18] What’s the most exciting security trend currently?

    Links

    Connect with Wes on LinkedIn

    Learn more about Deepwatch

    Learn more about Lacework

  • This episode features an interview with Terry O’Daniel, Acting Head of Security at Amplitude. Amplitude is a product analytics platform that helps businesses to track visitors with the help of collaborative analytics. Terry joined the company in October of 2022 as Head of GRC. Prior to Amplitude, he led Governance, Risk, and Compliance within Infrastructure Engineering at Instacart. On this episode, Terry and host Tim Chase discuss the failed promise of DevSecOps, aligning with business objectives, and how to translate security into dollars.

    Key Quotes

    *“I think at the end of the day, risk quantification is not very sexy. I understand. But we tie ourselves in knots in security doing this interpretive dance for the board of red, yellow, green, and ‘Here's what it means,’ and bibbety boo. And businesses don't run on interpretive dance. They run on dollars. And until we can come to the table like grownups with the rest of the grownups running our function and saying, ‘Here's the risk in dollars, here's the investment in dollars, here's the risk mitigation we're gonna realize in dollars,’ that's the key, right? We have to be able to talk the language of business to be successful and be taken seriously as business partners.”

    *”There's a tax that's required in actually moving left. Shifting left involves having smaller pieces and smaller interruptions more frequently in the worst case, rather than having a single showstopping event at the end.”

    *”Devs don't report to us. They have their own leaders and they have their own goals. We don't control engineering. But we can give them the context. We can help them understand the context for making better risk aware decisions.”

    *“If you're a SaaS company, your CISO has to be technical. At the core, your CISO is not only protecting your people and your work systems and your SDLC, they also are inherently predicting the risk of your product and that B2B relationship. So I think traditional industries still can get a huge degree of value out of hiring a CISO who comes from a strong risk and governance background. But if you're an engineering-first company that's building neat stuff, if your CISO doesn't have the finger on the pulse of that, I think they're inherently hampered from their ability to help the company shift left.”

    Time Stamps

    [1:24] The failed promise of DevSecOps

    [4:15] Why is shifting left so hard?

    [8:39] Why is continuous improvement a key part of DevSecOps?

    [11:30] How can security goals align with business objectives?

    [13:49] How important is leadership in DevOps?

    [17:32] How did Terry transition from engineering into security?

    [22:28] Is it more effective for a CISO to come from a GRC background or an engineering background?

    [26:08] What’s been Terry’s biggest learning of his career?

    [34:05] What’s one tool Terry can’t live without?

    Links

    Connect with Terry on LinkedIn

    Learn more about Amplitude

    Learn more about Lacework

  • This episode features an interview with Alberto Silveira, Head of Engineering at LawnStarter, a marketplace for outdoor home services. He has more than 20 years of experience in software development, having served in leadership positions at companies like OnDeck, Amplify, and Kaplan. He’s also an author, and his book, Building and Managing High-Performance Distributed Teams is out now. On this episode, Alberto and host Tim Chase discuss organizing teams around the shared purpose of driving the business forward, infusing good security practices throughout the organization, and how to deliver more than just “security theater.”

    Key Quotes

    *“If we don't make security a top priority as building a new feature on the application, as automation, as CI/CD, how can we actually out succeed? Like building a new feature, but actually lacking customer data or network security, or what's the point if we're gonna be on the news tomorrow with a new security breach? And then we have the most shining feature.”

    *”Traditional security practices give the sensation that you are safe. [But] is this really actually taking care of what we are trying to achieve? Or is this just us checking another box and saying that we are safe? So that's what I refer to as ‘security theater.’”

    *”Security should not be seen as a separate group, as a separate initiative. All the concerns when building software - it could be architecture, it could be security, it could be automation, it could be building new features or taking care of tech debt, you name it - all of them are one single source of truth as you are building your roadmap and as you are actually working on it. And it's everyone's responsibility. It's not only for the security team.”

    *“The fact that you're in the cloud doesn't mean that you're secure at all. That's just the beginning.”

    Time Stamps

    [1:17] What’s “security theater”?

    [3:36] How do you do more than just “check the box” in security?

    [7:27] What do security practitioners need to know about collaborating more effectively with development and engineering?

    [11:23] The importance of educating the whole team on the repercussions of poor security management

    [13:40] Does being in the cloud mean your information is secure?

    [17:20] The role of the security practitioner as an educator

    [19:20] Learn more about Alberto’s book, Building and Managing High-Performance Distributed Teams

    [22:42] What makes a strong manager?

    Links

    Connect with Alberto on LinkedIn

    Get Alberto’s book, Building and Managing High-Performance Distributed Teams

    Learn more about LawnStarter

    Learn more about Lacework

  • This episode features an interview with Fractional-CISO Aruneesh Salhotra. Aruneesh brings with him 22 years of experience across development, DevSecOps, security, containerization and more. He is also an award-winning presenter, panelist, and author. On this episode, Aruneesh and host Andy Schneider discuss protecting IP source code, what solution to pick based on your integrations, how he’s helping companies shift left, and much more.

    Key Quotes

    *”You can only protect what you know about. So cloud definitely has opened the doors for misconfigurations, and misconfigurations can lead to breaches. Cloud has changed the whole security landscape.”

    *”IP source code is definitely your crown jewel. So you have to protect that with utmost importance. Even if you're storing your source code internally, there is always a threat of internal actors acting against your firm. Predictive branches is definitely a no-brainer. [And] you want to ensure access is configured properly.”

    *”The skills and awareness of the CISO change manyfold with the cloud. So having that awareness of what can possibly go wrong, having an awareness of not just the field itself, but also understanding who are the key players. There’s a lot of pressure on security leaders and practitioners to not only realize the need for a particular control, but at the same time trying to figure out what solution actually fits the organization based on your culture and integrations.”

    Time Stamps

    [1:04] The rising challenges of securing the cloud

    [2:40] How does Aruneesh protect source codes?

    [6:41] What skills do security practitioners need today? Do they need to be able to write code?

    [13:09] As someone whose background is in AppSec, what are security leaders missing today?

    [15:48] What makes a good security leader?

    [20:14] What was a lesson Aruneesh learned in his career?

    [22:50] What is a Fractional-CISO?

    [25:57] What’s the difference in responsibilities between a Fractional-CISO and an operational internal CISO?

    Links

    Connect with Aruneesh on LinkedIn

    Connect with Andy on LinkedIn

    Learn more about Lacework

  • This episode features an interview with Billy Spears, CISO at Teradata. Teradata is the connected multi-cloud data platform for enterprise analytics, solving data challenges from start to scale. Billy has more than 25 years of industry experience. He is an award-winning technology executive, author, speaker, and podcast host. He is also an adjunct professor of cybersecurity at Webster University. Prior to joining Teradata, Billy served as CISO at Alteryx. On this episode, Billy and host Andy Schneider discuss harnessing AI for better business intelligence while managing the risk posed by it, the push and pull of growing trust, and how to use security to drive the business forward.

    Key Quotes

    *”I don't want any of the listeners to listen to this and go, ‘Wow, Billy said whatever about generative AI.’ I think there's a lot of pros there. You know, creativity, innovation, what you use it for, right? The sky's the limit. And we have to do a really good job of making sure that whatever you're using it for has protections around it because it's a new capability. So we have to have some protections to make sure that we don't go in with a blind eye and create more risk as a result.”

    *”You can also use [AI] for better business intelligence. When you start thinking about, ‘How do I get to the root of what I'm trying to solve in security?’ You have all of this data that comes in. How do you consume that data with any sort of consistency and then deliver out the maybe anomalous results or the spikes of risk at the appropriate point of time? And this is the future for us. You don't have unlimited humans that throw out the problem. So you're going to need to use technology or augment that technology to solve the need.”

    *”A few things that we can do to continue to shape and evolve as a business leader. One, understand your business. Two, be able to read the financial sheets and understand what things like ARR and ACV and TCV are. Because when you're on calls with salespeople asking you for things, those are the kind of terms they're gonna use. Be able to translate the business and financial terms into your security portfolio and be able to tie your outcomes to business objectives, meaning it's not just about the security stuff you can deliver, but how does the security drive the business forward, whether it's through protections and mitigation outcomes, or whether it's from driving new business to your business by building trust and thinking about resiliency.”

    *”The great security leaders that I run into in the business, they're also business enablers. And so there's lots of ways of doing that. Security acts as a business enabler by first protecting our assets. Second, building trust. We need to support digital transformation all around the business, which is constantly occurring anyway.”

    *“I'm sure the audience is gonna look at their phone or devices or take their EarPods out and say, 'What did he just say?' But the way that you grow trust is you extend trust. In our business, we talk about a zero trust environment, meaning we wanna validate or verify before we allow things through. In human interaction, if you want to gain trust, you have to extend trust first.”

    Time Stamps

    [1:34] Understanding the current and emerging threat landscape

    [3:00] Is phishing becoming more prevalent?

    [5:19] What threat does generative AI propose to security?

    [7:26] How can you harness AI for better security?

    [9:33] How can CISOs be business enablers?

    [11:44] When is something “secure enough”?

    [13:14] What makes a great security leader?

    [15:26] How do you build trust?

    [17:40] How can you better give and accept criticism as a security leader?

    [21:22] What has been Billy’s biggest learning of his career?

    [25:02] What advice would Billy give someone wanting to enter the cybersecurity industry?

    [28:57] What does the future of security look like?

    Links

    Connect with Billy on LinkedIn

    Learn more about Teradata

  • This episode features an interview with Greg Crowley, CISO at eSentire. eSentire is the authority in managed detection and response services. They protect critical information for over two-thousand organizations across more than 80 countries from cyberthreats. Prior to joining eSentire, Greg served as VP of Cybersecurity and Network Infrastructure at WWE, where he spent over 17 years. On this episode, host Tim Chase and Greg discuss preventing alert fatigue within your organization, addressing the talent shortage in cybersecurity, and the benefits and challenges posed in the security industry by artificial intelligence.

    Key Quotes

    *”It's always been the cat and mouse game in security. You have a neural network that is out there creating new content, and then you have the opposing network that is looking to detect the artificially created content. And so same thing as the good guys and the bad guys, or the threat actors and the defenders, the red team and the blue team. But in this case, it's actually making the AI stronger because the more we’re able to detect what's fake, then the AI learns and the AI will generate better fakes.”

    *”Phishing has been a problem for a long time. [But] I think what AI is doing is lowering the bar of entry. So, whereas maybe the threat actors used to have to have a certain amount of technical capability, it's just going to become a lot easier for them to execute upon the nefarious activity.”

    *”If there's constantly a false alert, false alert, false alert, and 99 percent of them are, then it is very likely that the true positives are gonna slip through because you see so few of them. So you're just getting lost in the noise. It's the needle in the haystack that's gonna get through, and that's the one that's gonna come back and bite you.”

*”What I look for is passion. If you're curious, if you like solving puzzles, if you like pulling out threads and doing some type of investigation, those are the qualities that I would look for. If you have that curiosity and passion, then you can learn the technical bits and bytes after.”

*”I have this passion for protecting the good guys, protecting the little guy. I want to teach the little guy how to protect themselves. It's part of my DNA. I’ve always seen myself as a defender, as protecting the little guy, as being on the side of good.”

    Time Stamps

[1:19] What does the advent of ChatGPT and generative AI mean for the cybersecurity industry?

    [4:35] What are the security downfalls of AI?

    [8:44] What are best practices for addressing alerts and preventing alert fatigue?

    [13:46] Addressing the talent void in cybersecurity

    [17:24] What advice would Greg give someone just entering the cybersecurity field?

    [24:33] How did Greg first get involved in cybersecurity? And what was his path to CISO?

    Links

    Connect with Greg on LinkedIn

    Learn more about eSentire


  • This episode features an interview with author and 7-time CIO Mark Settle. Mark has served as CIO at companies like Okta, Visa and Arrow Electronics. And he has published two books: Truth from the Trenches: A Practical Guide to the Art of IT Management and Truth from the Valley: A Practical Primer on Future IT Management Trends. On this episode, host Tim Chase and Mark talk about the competencies you need to have if you want to be in an IT leadership role, how to communicate effectively with the board and the rest of the C-suite, and the lessons he’s learned as a 7-time CIO.

    Key Quotes

    *”If you really want to have an impact over time, and really start realizing your market equity, not your brand equity, but what you bring to that next job over time will be less and less about what you know about blockchain or large language models and more and more and more if you understand how do we really make money here? And like, where are the high leverage points for us to succeed?”

*”If you're managing an IT team on a strategic basis and not just lurching from one budget to another or tactical crisis to another, you really want to think into the future two or three years. And I tell people it's instructive. Take a blank sheet of paper, a whiteboard or whatever, and sketch out the organization you think your company needs in two years from now or three years from now, and what skills you're going to need. Because otherwise, the tech debt that you have manifests itself in the skills of your team.”

    *”I think AI is a perfect example of this. If you've gone through the last three or four budget cycles as a CIO and you've said to yourself, ‘Well, we really don't need any machine learning modeling capabilities within the company today, I can kick that can down the road another three or four budget cycles,’ then your CEO comes in and says, ‘What are we doing about generative AI?’”

    Time Stamps

    [1:08] What does it take to be an IT leader?

    [2:53] What is the future of IT management?

    [8:06] How to convey IT priorities to your CFO

    [9:37] What are emerging security concerns?

    [11:16] How is security a business enabler?

    [13:32] How companies could benefit from adopting consumer-grade end user authentication procedures

    [18:02] Why delegation is important as a CIO

    Links

    Connect with Mark on LinkedIn

    Read Truth from the Trenches: A Practical Guide to the Art of IT Management

    Read Truth from the Valley: A Practical Primer on Future IT Management Trends
