Episode Summary

It's been more than a decade since the cloud emerged as a new concept. And it's safe to say that it has practically become the new normal, especially since the COVID-19 outbreak.

However, when it comes to improving cyber security and risk management in the cloud, we still have a long way to go.

In this episode of the Cloud Security Reinvented podcast, our host Andy Ellis welcomes Sameer Sait, an information security expert and the former CISO of Amazon's Whole Foods Market. They talk about the shift in security mechanisms due to the explosion of the cloud, the importance of shared responsibility, and what we can learn from highly regulated industries. Tune into this episode to hear some insightful observations about the future of cybersecurity.

##

Guest-at-a-Glance

💡 Name: Sameer Sait

💡 Formerly CISO of Amazon / Whole Foods Market

💡 Currently Co-Founder and CRO, BalkanID

💡 Noteworthy: He's an information security and risk executive with 16+ years of global leadership experience at Fortune 100 firms.

💡 Where to find Sameer: LinkedIn

##

Key Insights

⚡ We need a playbook for unexpected outcomes in the cloud. Although we expect the cloud world to move fast and smoothly, sometimes there are some unexpected scenarios. That's why we need to get better at how we manage ownership of assets and processes. Sameer explains: "In the non-cloud native world, there is a kind of alignment of accountability, responsibility, ownership, and influence. I think in the cloud world because we expect to just move really, really fast, and we expect things to get taken care of by a certain set of individuals that are working in DevOps, you just sprinkle on some security and expect it to kind of magically get taken care of. I think there's a little bit of the ‘who owns what’ and [we should be] finding ways to align on the exceptions so that even the exception process has accountability and responsibility."

⚡ Since the explosion of cloud usage, engineers no longer need a policeman; they need a steward. It's safe to say that the cloud has changed the way we do everything, including security. According to Sameer, one thing that stands out is how engineers and builders think about security. He says, "I've been pleasantly surprised, and it's probably a combination of the industry itself having exploded, there being a lot more awareness, and technologies being built to enable secure software development and deployment maintenance. And so, with the explosion of cloud usage, I've been pleasantly surprised that engineers don't really need a policeman anymore. They just need guidance."

⚡We should aim for shared responsibility. According to Sameer, the cloud has created a good opportunity for shared responsibility. Instead of building large, slow-moving organizations, we should move towards small agile teams. Sameer shares his predictions and hopes for the future of security. "I think part of it is also security being built into the cloud. I hope to see more and more big tech companies [...]embracing partnerships with tech security companies to make it so seamless that it becomes part and parcel of how we operate in the cloud. I'm seeing that happen, and that's getting me super excited because I care as much about the usability of a product as I should , and the product manager should care as much about the security of that product. And if we both have those shared outcomes, I think we'll do very well."

##

Episode Highlights

Highly regulated industries set a high bar for cybersecurity

"I think the financial services industry really set me up well, given that there was a higher level of awareness and expectations around cyber risks and the impact of those risks. There were already working groups, like the ISAC; there was an FS-ISAC back then. We didn't have that level of maturity outside of, let's say, financial services and potentially, healthcare. I haven't been in healthcare, but I can say that coming out of those highly regulated, well-managed and risk-managed industries taught me a lot about what a good bar or a high bar for a cybersecurity program looks like."

The physical store space is not always open to changes

"There's been a little bit of hesitation to change, and I don't know if technology or security has actually been an enabler for that or more of, 'Hold on a second, how do we make sure connectivity is good? How do we make sure our data is centralized in terms of storage? How do we move off of systems that we've built for 20 years and have worked fine for us?' So a little bit of the 'If it isn't broken, why fix it?' was what I saw in the physical store space."

Hire for the long term and automate for the short term

"What is something we've always done that maybe doesn't apply in this new world? I would say throwing more people at the problem. My experience has always been that we tend to go and sign up with more consulting services, and we'll just say, 'Well, this is a problem. We need support.' And we'll use that excuse, and I've used this excuse, too. So I'm as much at fault for saying, ‘It's really hard to hire in this hyper-competitive security market. Let's just get some consultants.’ I think we should start thinking like those very smart engineers who are building cloud-native solutions, and about how we can automate discovery, remediation, and things that we know, with a high degree of probability, to be problems that can be solved via X, Y, and Z protocols."

This podcast is hosted by Orca Security

Episode Summary

It's been more than a decade since the cloud emerged as a new concept. And it's safe to say that it has practically become the new normal, especially since the COVID-19 outbreak.

However, when it comes to improving cyber security and risk management in the cloud, we still have a long way to go.

In this episode of the Cloud Security Reinvented podcast, our host Andy Ellis welcomes Sameer Sait, an information security expert and the former CISO of Amazon's Whole Foods Market. They talk about the shift in security mechanisms due to the explosion of the cloud, the importance of shared responsibility, and what we can learn from highly regulated industries. Tune into this episode to hear some insightful observations about the future of cybersecurity.

##

Guest-at-a-Glance

💡 Name: Sameer Sait

💡 What he does: He's the former CISO of Amazon's Whole Foods Market.

💡 Company: N/A

💡 Noteworthy: He's an information security and risk executive with 16+ years of global leadership experience at Fortune 100 firms.

💡 Where to find Sameer: LinkedIn

##

Key Insights

⚡ We need a playbook for unexpected outcomes in the cloud. Although we expect the cloud world to move fast and smoothly, sometimes there are some unexpected scenarios. That's why we need to get better at how we manage ownership of assets and processes. Sameer explains: "In the non-cloud native world, there is a kind of alignment of accountability, responsibility, ownership, and influence. I think in the cloud world because we expect to just move really, really fast, and we expect things to get taken care of by a certain set of individuals that are working in DevOps, you just sprinkle on some security and expect it to kind of magically get taken care of. I think there's a little bit of the ‘who owns what’ and [we should be] finding ways to align on the exceptions so that even the exception process has accountability and responsibility."

⚡ Since the explosion of cloud usage, engineers no longer need a policeman; they need a steward. It's safe to say that the cloud has changed the way we do everything, including security. According to Sameer, one thing that stands out is how engineers and builders think about security. He says, "I've been pleasantly surprised, and it's probably a combination of the industry itself having exploded, there being a lot more awareness, and technologies being built to enable secure software development and deployment maintenance. And so, with the explosion of cloud usage, I've been pleasantly surprised that engineers don't really need a policeman anymore. They just need guidance."

⚡We should aim for shared responsibility. According to Sameer, the cloud has created a good opportunity for shared responsibility. Instead of building large, slow-moving organizations, we should move towards small agile teams. Sameer shares his predictions and hopes for the future of security. "I think part of it is also security being built into the cloud. I hope to see more and more big tech companies [...]embracing partnerships with tech security companies to make it so seamless that it becomes part and parcel of how we operate in the cloud. I'm seeing that happen, and that's getting me super excited because I care as much about the usability of a product as I should , and the product manager should care as much about the security of that product. And if we both have those shared outcomes, I think we'll do very well."

##

Episode Highlights

Highly regulated industries set a high bar for cybersecurity

"I think the financial services industry really set me up well, given that there was a higher level of awareness and expectations around cyber risks and the impact of those risks. There were already working groups, like the ISAC; there was an FS-ISAC back then. We didn't have that level of maturity outside of, let's say, financial services and potentially, healthcare. I haven't been in healthcare, but I can say that coming out of those highly regulated, well-managed and risk-managed industries taught me a lot about what a good bar or a high bar for a cybersecurity program looks like."

The physical store space is not always open to changes

"There's been a little bit of hesitation to change, and I don't know if technology or security has actually been an enabler for that or more of, 'Hold on a second, how do we make sure connectivity is good? How do we make sure our data is centralized in terms of storage? How do we move off of systems that we've built for 20 years and have worked fine for us?' So a little bit of the 'If it isn't broken, why fix it?' was what I saw in the physical store space."

Hire for the long term and automate for the short term

"What is something we've always done that maybe doesn't apply in this new world? I would say throwing more people at the problem. My experience has always been that we tend to go and sign up with more consulting services, and we'll just say, 'Well, this is a problem. We need support.' And we'll use that excuse, and I've used this excuse, too. So I'm as much at fault for saying, ‘It's really hard to hire in this hyper-competitive security market. Let's just get some consultants.’ I think we should start thinking like those very smart engineers who are building cloud-native solutions, and about how we can automate discovery, remediation, and things that we know, with a high degree of probability, to be problems that can be solved via X, Y, and Z protocols."

Episode Summary

Cloud security looks a lot different to an outside observer than to an insider. And everyone thinks that some companies are further along in their cloud maturity journey than they really are.

But there's still a lot of work to be done regarding cybersecurity, so organizations should focus more on becoming cloud-native rather than going for the less-demanding "lift-and-shift" migration method.

In this episode of the Cloud Security Reinvented podcast, our host Andy Ellis welcomes Nick Vigier, CISO at Talend. They discuss the downsides of using the forklift migration method, the importance of shifting perspective, and why there is no security career ladder.

Nick has a history of innovation as a CISO in cloud hosting (DigitalOcean) and identity verifcation (ID.me) as well as a CIO in financial services (Gemini Trust Company) with over 20 years of experience in the security industry. He’s now the CISO at Talend, a strategic advisor, and a student of how to make security a strategic partner to the business while giving his teams and organization the safety to innovate quickly.

##

Guest-at-a-Glance

💡 Name: Nick Vigier

💡 What he does: CISO at Talend

💡 Noteworthy: Former CISO at ID.me & DigitalOcean.

💡 Where to find Nick: LinkedIn

##

Key Insights

⚡ Using a forklift migration approach is tempting, but it's not always ideal. The "lift-and-shift" migration method appeals to most organizations, as it's the easiest to employ. But some potential issues may arise with this strategy. Nick and Andy touch upon some of them in this episode. Nick says, "From what I've seen in the field, from a CSO perspective, you have a lot of companies that have forklifted from more physical infrastructures straight into the cloud, and it just doesn't work that way. You can get away with it, but it's going to cost you a lot more. It's going to be a lot more inefficient, and getting cloud-native is really what organizations should be focusing on in a very real sense — which requires a very different set of skills."

⚡ A perspective shift can go a long way. Instead of spending too much of your energy on convincing others to see things your way, you can focus on helping them make better decisions. It's just a matter of shifting your perspective. Nick explains, "That's not my job. My job is to give them an understanding of GroundTruth and help them make an informed decision. And their decision isn't right or wrong — it's just different. And so that allowed me to take a step back from feeling like the decision was personal and more of just everybody comes to the table with different perspectives. And as long as I can give them the facts and help them understand the risk that they're taking, it's neither right nor wrong; it's just different."

⚡ There's no security career ladder; it's a jungle gym. Security is a broad field with massive potential for specialization in different areas. Nick says, "If you look at security in a broad enough sense, it is everything from your engineering work to your product security, application security work, your investigations, your incident response, your governance risk and compliance, privacy, and even physical security, and there are roles in there for everyone. And I think it's key to understand that security isn't just pen testing — a number of people who are early in their career say, 'I just want to be a pen tester.' Well, as someone who had to go through that for a year to realize that it wasn't for me, I’m trying to help people understand where they fit into that journey or what they might have aptitude for."

##

Episode Highlights

Why CISOs should reach out to their communities

"In that type of role, it really allows you to touch a variety of industries and mindsets, but in my experience, only about 20% of the CSOs that you interact with want to engage. [...] I would encourage CISOs to reach out to their communities and partner with people and especially when they are people that are not trying to sell you but are literally just there to try and help to take them up on it. It can't hurt. What do you have to lose?"

The ability to rethink things has changed

"As the cloud changed and networking changed, and other organizations moved to the cloud, some of these considerations that led to, 'Oh, we have to be on-prem,' have gone away. It's been really good to see regulators warming up to the cloud because that's always been a hindrance. Even CMS on the Medicare, Medicaid side has always been very anti-cloud and is now finally coming around. And that eliminates a lot of those hurdles, a lot of those intellectual gut reactions or fight-or-flight type of conversations around the cloud, and you can have a much more objective conversation around what is the best approach. And the feature sets are obviously a lot more complete and mature. So, the ability to rethink things is great from a cloud perspective."

Let's leave automation to the machines and let humans innovate

"There are things that machines do really well, and there are things that people do exceedingly well. People are great at things like pattern recognition, but they just have to be presented in the right way. And so, being able to let the machines do what they do well and automate those things, and then letting the humans be the creative entities that allow the business to innovate versus just doing busywork, or just working harder, is the real promise and what I'm really excited about."

This podcast is hosted by Orca Security

Episode Summary

Security and privacy are burning topics in the cloud era. But not many companies have professionals dealing with these issues. Therefore, it's critical to make the topic of cybersecurity more accessible to business owners and board members.

In this episode of Cloud Security Reinvented, we get to hear from Justin Somaini, the Chief Security Officer of Unity Technologies. Justin and our host Andy Ellis discuss cloud security and how companies in the iGaming industry approach it.

They also discuss the past and present of cybersecurity and share predictions regarding the cloud's future. Justin also shares a valuable piece of advice anyone interested in becoming part of the security industry could benefit from.

Guest-at-a-Glance

💡 Name: Justin Somaini

💡 What he does: Justin is the Chief Security Officer of Unity Technologies.

💡 Website: Unity Technologies

💡 Noteworthy: Before joining Unity Technologies, Justin worked at PricewaterhouseCoopers and Charles Schwab.

💡 Where to find Justin: LinkedIn

Key Insights

⚡ Cloud security is pretty much the same in all industries. Most people believe working in the gaming industry must be fun. As our guest says, the rumors are true. It's exciting, but it carries many challenges. Here's what Justin says about cloud security in the gaming industry. ''In a lot of ways, it's pretty typical. The difference, I would say, is corporate. You're working in the gaming industry; it's different from financial institutions or otherwise. You have a very energized and technical base culture to work for or work with. However, when you secure SaaS, it's agile. When you start driving the CI/CD pipeline security capabilities and when you're starting to, or not starting but trying to deal with the infrastructure, a multi-cloud concept scales up and scales down.''

⚡ Security theory has remained the same in the cloud era. The switch from on-premise to the cloud has been tremendous in how companies operate and use technology. Automation has become a priority, especially in the SaaS industry. Companies that aspire to grow must embrace changes. However, as Justin explains, some things didn't change regardless of the shift, mainly from a security perspective. ''Security theory has not changed. Confidentiality, integrity, and availability, or if you want to use one of the other models — they are still the same. It's how we apply that to the technology that we have today. So that basic concept of what we do and why we do it is the same.''

⚡ Today's technology allows us to tackle complex challenges. The cloud is here to stay, and technology will continue developing. We’re yet to see what the future holds for the SaaS space and generally, every industry, considering we can't imagine working without technology. ''We have an amazing opportunity to solve some very difficult problems. Let's take patch management or asset management, which has always been a problem in every company. If you're in a multi-cloud space, you have those APIs to be able to identify and an asset management system to be able to change the model and how you do patches. Patch each system, but go back to gold and then do a refresh and have it be scaled. Those are amazing opportunities for core fundamental problems that we've had for well over 25-30 years.''

Episode Highlights

Being an Advisor in the Security Industry

''I find the security industry incredibly fascinating and challenging. And what I came to realize is that there are three legs of the stool. You've got the operator, the CSO, and others in the company. You also have individuals building security solutions for the security vendor community. It's predominantly startups versus larger public companies. And then the third is the investment — VCs.

And so, to stretch your legs a little bit and get more involved in the security apparatus, for lack of a better word, the advisor functions and roles for very early stage [companies], which is a lot of fun for me — getting back to basics, what are the security challenges we need to solve?

That requires solutions that we still really endeavor to provide. And how you can provide real guidance to these companies versus the stereotypical marketing and market demands that go on and make solutions that solve real problems.''

Security Challenges for a Company Such as Unity Technologies

''Unity is fascinating. It's very much a SaaS company, for lack of a better word. We make a real-time 3D engine, which enables creators to create games and a lot of other things on our platform.

When you look at the infrastructure we need to secure, there are two things. One, SaaS company services, et cetera, need to be done. Of course, I have been there and done that and know those challenges. But the scale of the engines sitting on phones, consoles, and PCs is one of the biggest things that attracted me. It has a scale problem that needs to be secured at the end of the day.

Then lastly, when you look at the future. We have unsolved problems: how do we enable privacy, for example, in an AR & VR world, when those mechanisms haven't been put in place yet? I think there are a lot of interesting challenges for the future.''

We Must Stop Chasing Buzzwords in the Industry

''Having a proper risk management process of identifying the issues — what are the things we need to do to solve them versus changing what we are being told that we need to do from marketing and sales and otherwise. [...]

We don't slow down, and take time, and focus on the really important things that are not sexy; they're hard versus focusing on the latest buzzword in threat intel feeds.''

A Piece of Advice for Security Officers

''Don't be afraid to pick up the phone and call other people in the company to have coffee and learn what they do. I spent a fair amount of time later on in my career learning what marketing is. What they do is more than just send out spam. What does the sales team do? How does it work — the funnel? Those things enabled me to learn what's going on in the organization where I work.

And I don't think that a lot of security people know the processes of sales, marketing, or anything else, for that matter, like legal and finance. The more you know about those processes, the better you are able to communicate, influence, and drive alignment and execute.''

This podcast is hosted by Orca Security

Episode Summary

Security and privacy are burning topics in the cloud era. But not many companies have professionals dealing with these issues. Therefore, it's critical to make the topic of cybersecurity more accessible to business owners and board members.

In this episode of Cloud Security Reinvented, we get to hear from Justin Somaini, the Chief Security Officer of Unity Technologies. Justin and our host Andy Ellis discuss cloud security and how companies in the iGaming industry approach it.

They also discuss the past and present of cybersecurity and share predictions regarding the cloud's future. Justin also shares a valuable piece of advice anyone interested in becoming part of the security industry could benefit from.

Guest-at-a-Glance

💡 Name: Justin Somaini

💡 What he does: Justin is the Chief Security Officer of Unity Technologies.

💡 Website: Unity Technologies

💡 Noteworthy: Before joining Unity Technologies, Justin worked at PricewaterhouseCoopers and Charles Schwab.

💡 Where to find Justin: LinkedIn

Key Insights

⚡ Cloud security is pretty much the same in all industries. Most people believe working in the gaming industry must be fun. As our guest says, the rumors are true. It's exciting, but it carries many challenges. Here's what Justin says about cloud security in the gaming industry. ''In a lot of ways, it's pretty typical. The difference, I would say, is corporate. You're working in the gaming industry; it's different from financial institutions or otherwise. You have a very energized and technical base culture to work for or work with. However, when you secure SaaS, it's agile. When you start driving the CI/CD pipeline security capabilities and when you're starting to, or not starting but trying to deal with the infrastructure, a multi-cloud concept scales up and scales down.''

⚡ Security theory has remained the same in the cloud era. The switch from on-premise to the cloud has been tremendous in how companies operate and use technology. Automation has become a priority, especially in the SaaS industry. Companies that aspire to grow must embrace changes. However, as Justin explains, some things didn't change regardless of the shift, mainly from a security perspective. ''Security theory has not changed. Confidentiality, integrity, and availability, or if you want to use one of the other models — they are still the same. It's how we apply that to the technology that we have today. So that basic concept of what we do and why we do it is the same.''

⚡ Today's technology allows us to tackle complex challenges. The cloud is here to stay, and technology will continue developing. We’re yet to see what the future holds for the SaaS space and generally, every industry, considering we can't imagine working without technology. ''We have an amazing opportunity to solve some very difficult problems. Let's take patch management or asset management, which has always been a problem in every company. If you're in a multi-cloud space, you have those APIs to be able to identify and an asset management system to be able to change the model and how you do patches. Patch each system, but go back to gold and then do a refresh and have it be scaled. Those are amazing opportunities for core fundamental problems that we've had for well over 25-30 years.''

Episode Highlights

Being an Advisor in the Security Industry

''I find the security industry incredibly fascinating and challenging. And what I came to realize is that there are three legs of the stool. You've got the operator, the CSO, and others in the company. You also have individuals building security solutions for the security vendor community. It's predominantly startups versus larger public companies. And then the third is the investment — VCs.

And so, to stretch your legs a little bit and get more involved in the security apparatus, for lack of a better word, the advisor functions and roles for very early stage [companies], which is a lot of fun for me — getting back to basics, what are the security challenges we need to solve?

That requires solutions that we still really endeavor to provide. And how you can provide real guidance to these companies versus the stereotypical marketing and market demands that go on and make solutions that solve real problems.''

Security Challenges for a Company Such as Unity Technologies

''Unity is fascinating. It's very much a SaaS company, for lack of a better word. We make a real-time 3D engine, which enables creators to create games and a lot of other things on our platform.

When you look at the infrastructure we need to secure, there are two things. One, SaaS company services, et cetera, need to be done. Of course, I have been there and done that and know those challenges. But the scale of the engines sitting on phones, consoles, and PCs is one of the biggest things that attracted me. It has a scale problem that needs to be secured at the end of the day.

Then lastly, when you look at the future. We have unsolved problems: how do we enable privacy, for example, in an AR & VR world, when those mechanisms haven't been put in place yet? I think there are a lot of interesting challenges for the future.''

We Must Stop Chasing Buzzwords in the Industry

''Having a proper risk management process of identifying the issues — what are the things we need to do to solve them versus changing what we are being told that we need to do from marketing and sales and otherwise. [...]

We don't slow down, and take time, and focus on the really important things that are not sexy; they're hard versus focusing on the latest buzzword in threat intel feeds.''

A Piece of Advice for Security Officers

''Don't be afraid to pick up the phone and call other people in the company to have coffee and learn what they do. I spent a fair amount of time later on in my career learning what marketing is. What they do is more than just send out spam. What does the sales team do? How does it work — the funnel? Those things enabled me to learn what's going on in the organization where I work.

And I don't think that a lot of security people know the processes of sales, marketing, or anything else, for that matter, like legal and finance. The more you know about those processes, the better you are able to communicate, influence, and drive alignment and execute.''

Episode Summary

Cloud security looks a lot different to an outside observer than to an insider. And everyone thinks that some companies are further along in their cloud maturity journey than they really are.

But there's still a lot of work to be done regarding cybersecurity, so organizations should focus more on becoming cloud-native rather than going for the less-demanding "lift-and-shift" migration method.

In this episode of the Cloud Security Reinvented podcast, our host Andy Ellis welcomes Nick Vigier, a CISO and the owner of Rising Tide Security, LLC. They discuss the downsides of using the forklift migration method, the importance of shifting perspective, and why there is no security career ladder.

##

Guest-at-a-Glance

💡 Name: Nick Vigier

💡 What he does: He's the Former CISO at ID.me & DigitalOcean.

💡 Company: Rising Tide Security

💡 Noteworthy: Nick was a founding member of the "FDSecE" role at Palantir. The FDSecE team was part of the Business Development team. It consisted of information security experts responsible for acting as thought leaders with clients in topics ranging from security strategy to forensics.

💡 Where to find Nick: LinkedIn

##

Key Insights

⚡ Using a forklift migration approach is tempting, but it's not always ideal. The "lift-and-shift" migration method appeals to most organizations, as it's the easiest to employ. But some potential issues may arise with this strategy. Nick and Andy touch upon some of them in this episode. Nick says, "From what I've seen in the field, from a CSO perspective, you have a lot of companies that have forklifted from more physical infrastructures straight into the cloud, and it just doesn't work that way. You can get away with it, but it's going to cost you a lot more. It's going to be a lot more inefficient, and getting cloud-native is really what organizations should be focusing on in a very real sense — which requires a very different set of skills."

⚡ A perspective shift can go a long way. Instead of spending too much of your energy on convincing others to see things your way, you can focus on helping them make better decisions. It's just a matter of shifting your perspective. Nick explains, "That's not my job. My job is to give them an understanding of GroundTruth and help them make an informed decision. And their decision isn't right or wrong — it's just different. And so that allowed me to take a step back from feeling like the decision was personal and more of just everybody comes to the table with different perspectives. And as long as I can give them the facts and help them understand the risk that they're taking, it's neither right nor wrong; it's just different."

⚡ There's no security career ladder; it's a jungle gym. Security is a broad field with massive potential for specialization in different areas. Nick says, "If you look at security in a broad enough sense, it is everything from your engineering work to your product security, application security work, your investigations, your incident response, your governance risk and compliance, privacy, and even physical security, and there are roles in there for everyone. And I think it's key to understand that security isn't just pen testing — a number of people who are early in their career say, 'I just want to be a pen tester.' Well, as someone who had to go through that for a year to realize that it wasn't for me, I’m trying to help people understand where they fit into that journey or what they might have aptitude for."

##

Episode Highlights

Why CISOs should reach out to their communities

"In that type of role, it really allows you to touch a variety of industries and mindsets, but in my experience, only about 20% of the CSOs that you interact with want to engage. [...] I would encourage CISOs to reach out to their communities and partner with people and especially when they are people that are not trying to sell you but are literally just there to try and help to take them up on it. It can't hurt. What do you have to lose?"

The ability to rethink things has changed

"As the cloud changed and networking changed, and other organizations moved to the cloud, some of these considerations that led to, 'Oh, we have to be on-prem,' have gone away. It's been really good to see regulators warming up to the cloud because that's always been a hindrance. Even CMS on the Medicare, Medicaid side has always been very anti-cloud and is now finally coming around. And that eliminates a lot of those hurdles, a lot of those intellectual gut reactions or fight-or-flight type of conversations around the cloud, and you can have a much more objective conversation around what is the best approach. And the feature sets are obviously a lot more complete and mature. So, the ability to rethink things is great from a cloud perspective."

Let's leave automation to the machines and let humans innovate

"There are things that machines do really well, and there are things that people do exceedingly well. People are great at things like pattern recognition, but they just have to be presented in the right way. And so, being able to let the machines do what they do well and automate those things, and then letting the humans be the creative entities that allow the business to innovate versus just doing busywork, or just working harder, is the real promise and what I'm really excited about."

Episode Summary

There's no universal rule for breaking into a new industry. And the same goes for starting a career in the information security field.

But one thing's for sure — if you let your passion guide you and you're willing to work hard, there's no limit to what you can accomplish.

In this episode of the Cloud Security Reinvented podcast, our host Andy Ellis welcomes Nick Selby, the Director, Software Assurance Practice at Trail of Bits. They talk about what it's like working in cloud security, why attention to detail is crucial, and how cloud technology is democratizing innovation.

##

Guest-at-a-Glance

💡 Name: Nick Selby

💡 What he does: He's the Director, Software Assurance Practice at Trail of Bits.

💡 Company: Trail of Bits

💡 Noteworthy: He is the author and co-author of several books, including "Cyber Crime: A Basic Primer" and "Cyber Survival Manual: From Identity Theft to The Digital Apocalypse and Everything in Between."

💡 Where to find Nick: LinkedIn

##

Key Insights

⚡ Let your passion be the guide in your career. Nick has had quite an exciting career path, from being the NYPD Intelligence Bureau's Director of Cyber Intelligence and Investigations to the Director of Software Assurance Practice at Trail of Bits. He says the key to success is to be willing to roll up your sleeves. "If you are willing to go in and do the hard work and get things moving, then you are usually able to do it. Because, often, it's something that either people don't understand or it makes them feel icky. Or they understand, and they just don't want to do it because they know that it's going to be a lot of work. If you're willing to do that and let your passion be the guide and not worry too much about, 'Well, where's my bonus coming from this year?' — If you're willing to just forego the sort of normal things that people are unwilling to forego in a career, then you really can forge a new way forward."

⚡ Attention to detail is critical in cloud security. Nick talks about what it's like working in cloud security and shares the most valuable lessons he learned along the way. He says that even when everything works well, you have to keep your head in the game at all times. "The biggest thing for me, I think, has been that even when you do everything right, attention to detail and questioning your assumptions at every stage become even more important. I fly airplanes. In most accidents while flying airplanes, there are a series of bad mistakes. It's never just one, but almost all of those mistakes come from people being fat, dumb, and happy, just thinking that everything is going along fine."

⚡ Cloud technology is democratizing innovation. Nick says the number one surprise in the cloud security field is the democratizing effect of the cloud on innovation. With more companies having access to the newest technological tools, bringing innovative ideas to life makes it much easier. "But this does come with a wicked and awesome responsibility that we just have to deal with. These things aren't free, and they aren't free from decision-making and responsibility and especially strategic architecture, because when you can do it that [easily], the temptation to take my very well-functioning prototype and turn it into a production application is almost overwhelming. You have to resist that overwhelming temptation."

##

Episode Highlights

The importance of constantly questioning yourself

"If you are not constantly correcting, questioning, looking around for your escape plan, and thinking about what could go wrong, you will get behind the airplane. You will get behind the technology. And once you're behind the technology, you're no longer a leader; you're just on for the ride. And I think the biggest lesson that I've learned is that this even affects the finest companies in the world. And I'm just thrilled that I get to see them."

We should get rid of passwords and embrace automation

"It's such low-hanging fruit. I know that in the Google SRE book, Carla Geisser said, 'Something has gone terribly wrong when an engineer has to touch a process because everything should be automated,' which, by the way, speaks to what we should be doing. We should be automating absolutely everything because if you're not automating it, you don't have control over it. If you cannot understand what you are building to the point that you can push it from start to finish in five minutes and have it up and running, pull it back if you need to, but get it out there. And if you're not understanding what it is that you're doing to the point that you can automate every step of that, then you don't understand you're behind your technology."

Why you should avoid making mistakes in the cloud

"A lot of the people who are making those decisions about scaling up operations are the same people who grew up in an on-prem space where the data center was in the basement. And those people, no matter what they do, still have this bias toward the way we used to do things. And that doesn't fly in the cloud world. And I've said before that when you make mistakes in the cloud, you are being stupid at cloud speed, and stupid at cloud speed is really fast. So configuration becomes absolutely essential."

This podcast is hosted by Orca Security

Episode Summary

There's no universal rule for breaking into a new industry. And the same goes for starting a career in the information security field.

But one thing's for sure — if you let your passion guide you and you're willing to work hard, there's no limit to what you can accomplish.

In this episode of the Cloud Security Reinvented podcast, our host Andy Ellis welcomes Nick Selby, the Director, Software Assurance Practice at Trail of Bits. They talk about what it's like working in cloud security, why attention to detail is crucial, and how cloud technology is democratizing innovation.

##

Guest-at-a-Glance

💡 Name: Nick Selby

💡 What he does: He's the Director, Software Assurance Practice at Trail of Bits.

💡 Company: Trail of Bits

💡 Noteworthy: He is the author and co-author of several books, including "Cyber Crime: A Basic Primer" and "Cyber Survival Manual: From Identity Theft to The Digital Apocalypse and Everything in Between."

💡 Where to find Nick: LinkedIn

##

Key Insights

⚡ Let your passion be the guide in your career. Nick has had quite an exciting career path, from being the NYPD Intelligence Bureau's Director of Cyber Intelligence and Investigations to the Director of Software Assurance Practice at Trail of Bits. He says the key to success is to be willing to roll up your sleeves. "If you are willing to go in and do the hard work and get things moving, then you are usually able to do it. Because, often, it's something that either people don't understand or it makes them feel icky. Or they understand, and they just don't want to do it because they know that it's going to be a lot of work. If you're willing to do that and let your passion be the guide and not worry too much about, 'Well, where's my bonus coming from this year?' — If you're willing to just forego the sort of normal things that people are unwilling to forego in a career, then you really can forge a new way forward."

⚡ Attention to detail is critical in cloud security. Nick talks about what it's like working in cloud security and shares the most valuable lessons he learned along the way. He says that even when everything works well, you have to keep your head in the game at all times. "The biggest thing for me, I think, has been that even when you do everything right, attention to detail and questioning your assumptions at every stage become even more important. I fly airplanes. In most accidents while flying airplanes, there are a series of bad mistakes. It's never just one, but almost all of those mistakes come from people being fat, dumb, and happy, just thinking that everything is going along fine."

⚡ Cloud technology is democratizing innovation. Nick says the number one surprise in the cloud security field is the democratizing effect of the cloud on innovation. With more companies having access to the newest technological tools, bringing innovative ideas to life makes it much easier. "But this does come with a wicked and awesome responsibility that we just have to deal with. These things aren't free, and they aren't free from decision-making and responsibility and especially strategic architecture, because when you can do it that [easily], the temptation to take my very well-functioning prototype and turn it into a production application is almost overwhelming. You have to resist that overwhelming temptation."

##

Episode Highlights

The importance of constantly questioning yourself

"If you are not constantly correcting, questioning, looking around for your escape plan, and thinking about what could go wrong, you will get behind the airplane. You will get behind the technology. And once you're behind the technology, you're no longer a leader; you're just on for the ride. And I think the biggest lesson that I've learned is that this even affects the finest companies in the world. And I'm just thrilled that I get to see them."

We should get rid of passwords and embrace automation

"It's such low-hanging fruit. I know that in the Google SRE book, Carla Geisser said, 'Something has gone terribly wrong when an engineer has to touch a process because everything should be automated,' which, by the way, speaks to what we should be doing. We should be automating absolutely everything because if you're not automating it, you don't have control over it. If you cannot understand what you are building to the point that you can push it from start to finish in five minutes and have it up and running, pull it back if you need to, but get it out there. And if you're not understanding what it is that you're doing to the point that you can automate every step of that, then you don't understand you're behind your technology."

Why you should avoid making mistakes in the cloud

"A lot of the people who are making those decisions about scaling up operations are the same people who grew up in an on-prem space where the data center was in the basement. And those people, no matter what they do, still have this bias toward the way we used to do things. And that doesn't fly in the cloud world. And I've said before that when you make mistakes in the cloud, you are being stupid at cloud speed, and stupid at cloud speed is really fast. So configuration becomes absolutely essential."

Episode Summary

Over a long security career, not only do professionals grow and change, but the world they're operating within also changes. And talking about security, we are witnesses to the transition from local software to cloud security.

The cloud brought new trends in solving security problems. But certain practices from the pre-cloud era still resonate and are in use. At the same time, we still do some things that we should stop.

In this episode of Cloud Security Reinvented, Andy Ellis welcomes Renee Guttmann, a transformational leader in cybersecurity. Andy and Renee get into how building an on-premise model is blended with how the cloud could be leveraged, how security protocols have been modified for the cloud, and how the cloud has changed the approach to cybersecurity.

##

Guest-at-a-Glance

💡 Name: Renee Guttmann

💡 What she does: Chief Information Security/IT Executive.

💡 Company: Cydome Security

💡 Noteworthy: Renee has delivered world-class global information security programs for Coca-Cola, Time Warner, Royal Caribbean, Campbell, and Capital One, and helped establish the office of the CISO at Optiv. She advises startups on defining their products, services, and go-to-market strategies. On the community front, she partners with other CISOs on cybersecurity training and mentorship. She has been active as a Board Member and Advisor at a large children's mental health facility for almost a decade.

💡 Where to find Renee: LinkedIn | Website

##

Key Insights

⚡ The cloud has changed the mental model for security. Renee Guttmann started getting involved with the cloud in 2011 and worked with people looking at newer trends when the cloud was supposed to solve all security problems. According to her, people are multi-cloud today. "Your teams have to know a little about everything because they're all different. They all have different capabilities. [...] I find that now you're basically in multiple clouds. You've got several service providers; you might have somebody doing operations for you. And one of the things that I think is extremely difficult right now is figuring out who's on first."

⚡It is necessary to dump Change Control Boards. In transitioning from an on-premise world to cloud security, there are practices from before that we need to double down on and things that we should have buried a long time ago. As Renee notes, Change Control Boards must be dumped. "You go to a Change Control Board, you've got one purpose for being there, and that's to get your change approved. However, you can manage to get your change approved. [...] The other thing is, I don't think the dependencies are well understood. And so, I think we're overly reliant on something that is probably not relevant. Plus, I know the changes I'm making. I don't know the changes that my cloud providers are making. They're not coming to me and running their stuff through a Change Control Board. So, I just questioned the time and the value of that exercise, and that it needs a bit of a refresh. And then the other thing that I think has to be improved is if you touch it three times, you need to automate it and be done with it."

⚡ On-premise is still relevant in the cloud era. When we look at the cloud era and where we are today, experts could probably have predicted some things about it. But there are some things they did not hope for. For Renee, the biggest surprise from the cloud era is how much on-premise there is. "I don't know how many people are still running data centers; I would've thought that all of that would have already left the building. That's a little bit of a surprise to me that we're not further along. The other thing is resiliency. I think that we haven't done a good job with figuring out how to be more resilient."

##

Episode Highlights

The Exciting Career Journey of Renee Guttmann

"Before I became a research analyst at Gartner, I started a security program with a global healthcare company based out of London. And we were protecting clinical trial data and research material, and after that, I took the Gartner job.

[...] I left Gartner and became the security architect for building online statement platforms at Capital One and applying for credit cards online. And back when I did that, people didn't do it. So we were one of the very first companies to actually make it possible for people to go and look at their statements. After Capital One, I went to Time Inc. and Time Warner.

[...] And then I got recruited to Coke, built their program from scratch, and joined Royal Caribbean later. And my most recent opportunity was the Campbell Soup Company, where I was working specifically on manufacturing OT security."

What Cloud Security Looks Like Inside the Industry

"There [at Renee's last two positions] was a lot of OT, there was either manufacturing, but on a ship or in maritime in general. There are a lot of systems like satellite navigation that are really on the ship, and the way that you talk to them is through satellite. Your bandwidth is a little bit constrained because you're basically taking it away from the crew and the passengers, mainly the paying passengers. So it wasn't that easy to figure out how we were going to leverage the cloud in some of these environments. And to that point, I still think that building that on-premise model blended with how the cloud could still be leveraged. I don't think we're there yet, but I think that's an opportunity for people to really go in and address. The other problem is that these systems that I'm talking about are generally run by IT people. They're outside the span of IT. So you've got somebody that runs a manufacturing system, and they could be buying cameras from who knows where."

"The More Things Change, the More They Stay the Same"

"We still need to focus on privilege, administrative access, and protecting the keys to the kingdom. [...] We don't know what our footprint is, and we have to resurrect whatever we were doing better and get that kind of understanding of our current environments. And then the third thing is, I think that we had really good IR plans, and we got better at them, especially because of the accountability issues. So we need to up-level those procedures, do better training with more of our partners, and they need to be in the room."

Knowing the People Around You is Extremely Important

"You've got to start with who they are before they care about what you're doing and why you're there. [...] You don't want to be seen as the cop. You actually want to create a persona that people will feel comfortable coming to , and asking for help. And what I really need them to do is to tell me when the garbage cans are on fire before the building burns down.

[...] I don't think you can really be effective until A: you know the people, and B: the culture and everything else goes along with it. But you've got to know people, and you have got to put yourself out there in a way that people get comfortable with you, and they want to be in the same room as you."

Episode Summary

Over a long security career, not only do professionals grow and change, but the world they're operating within also changes. And talking about security, we are witnesses to the transition from local software to cloud security.

The cloud brought new trends in solving security problems. But certain practices from the pre-cloud era still resonate and are in use. At the same time, we still do some things that we should stop.

In this episode of Cloud Security Reinvented, Andy Ellis welcomes Renee Guttmann, a transformational leader in cybersecurity. Andy and Renee get into how building an on-premise model is blended with how the cloud could be leveraged, how security protocols have been modified for the cloud, and how the cloud has changed the approach to cybersecurity.

##

Guest-at-a-Glance

💡 Name: Renee Guttmann

💡 What she does: Chief Information Security/IT Executive.

💡 Company: Cydome Security

💡 Noteworthy: Renee has delivered world-class global information security programs for Coca-Cola, Time Warner, Royal Caribbean, Campbell, and Capital One, and helped establish the office of the CISO at Optiv. She advises startups on defining their products, services, and go-to-market strategies. On the community front, she partners with other CISOs on cybersecurity training and mentorship. She has been active as a Board Member and Advisor at a large children's mental health facility for almost a decade.

💡 Where to find Renee: LinkedIn | Website

##

Key Insights

⚡ The cloud has changed the mental model for security. Renee Guttmann started getting involved with the cloud in 2011 and worked with people looking at newer trends when the cloud was supposed to solve all security problems. According to her, people are multi-cloud today. "Your teams have to know a little about everything because they're all different. They all have different capabilities. [...] I find that now you're basically in multiple clouds. You've got several service providers; you might have somebody doing operations for you. And one of the things that I think is extremely difficult right now is figuring out who's on first."

⚡It is necessary to dump Change Control Boards. In transitioning from an on-premise world to cloud security, there are practices from before that we need to double down on and things that we should have buried a long time ago. As Renee notes, Change Control Boards must be dumped. "You go to a Change Control Board, you've got one purpose for being there, and that's to get your change approved. However, you can manage to get your change approved. [...] The other thing is, I don't think the dependencies are well understood. And so, I think we're overly reliant on something that is probably not relevant. Plus, I know the changes I'm making. I don't know the changes that my cloud providers are making. They're not coming to me and running their stuff through a Change Control Board. So, I just questioned the time and the value of that exercise, and that it needs a bit of a refresh. And then the other thing that I think has to be improved is if you touch it three times, you need to automate it and be done with it."

⚡ On-premise is still relevant in the cloud era. When we look at the cloud era and where we are today, experts could probably have predicted some things about it. But there are some things they did not hope for. For Renee, the biggest surprise from the cloud era is how much on-premise there is. "I don't know how many people are still running data centers; I would've thought that all of that would have already left the building. That's a little bit of a surprise to me that we're not further along. The other thing is resiliency. I think that we haven't done a good job with figuring out how to be more resilient."

##

Episode Highlights

The Exciting Career Journey of Renee Guttmann

"Before I became a research analyst at Gartner, I started a security program with a global healthcare company based out of London. And we were protecting clinical trial data and research material, and after that, I took the Gartner job.

[...] I left Gartner and became the security architect for building online statement platforms at Capital One and applying for credit cards online. And back when I did that, people didn't do it. So we were one of the very first companies to actually make it possible for people to go and look at their statements. After Capital One, I went to Time Inc. and Time Warner.

[...] And then I got recruited to Coke, built their program from scratch, and joined Royal Caribbean later. And my most recent opportunity was the Campbell Soup Company, where I was working specifically on manufacturing OT security."

What Cloud Security Looks Like Inside the Industry

"There [at Renee's last two positions] was a lot of OT, there was either manufacturing, but on a ship or in maritime in general. There are a lot of systems like satellite navigation that are really on the ship, and the way that you talk to them is through satellite. Your bandwidth is a little bit constrained because you're basically taking it away from the crew and the passengers, mainly the paying passengers. So it wasn't that easy to figure out how we were going to leverage the cloud in some of these environments. And to that point, I still think that building that on-premise model blended with how the cloud could still be leveraged. I don't think we're there yet, but I think that's an opportunity for people to really go in and address. The other problem is that these systems that I'm talking about are generally run by IT people. They're outside the span of IT. So you've got somebody that runs a manufacturing system, and they could be buying cameras from who knows where."

"The More Things Change, the More They Stay the Same"

"We still need to focus on privilege, administrative access, and protecting the keys to the kingdom. [...] We don't know what our footprint is, and we have to resurrect whatever we were doing better and get that kind of understanding of our current environments. And then the third thing is, I think that we had really good IR plans, and we got better at them, especially because of the accountability issues. So we need to up-level those procedures, do better training with more of our partners, and they need to be in the room."

Knowing the People Around You is Extremely Important

"You've got to start with who they are before they care about what you're doing and why you're there. [...] You don't want to be seen as the cop. You actually want to create a persona that people will feel comfortable coming to , and asking for help. And what I really need them to do is to tell me when the garbage cans are on fire before the building burns down.

[...] I don't think you can really be effective until A: you know the people, and B: the culture and everything else goes along with it. But you've got to know people, and you have got to put yourself out there in a way that people get comfortable with you, and they want to be in the same room as you."

This podcast is hosted by Orca Security