Code to Cloud
By Lacework
The podcast currently has 26 episodes available.
This episode of Code to Cloud features a discussion with the EY Consulting Partner in Cybersecurity, Koen Machilsen. There, Koen is responsible for delivery and innovation of the EY Consulting Cybersecurity and privacy service offering, and has been with the company for over 16 years. Prior to joining EY, Koen held various roles in IT operations. Koen and host Tim Chase, Global Field CISO at Lacework, discuss the significance of integrating cybersecurity into business resilience strategies. The conversation covers how to respond to cybersecurity incidents, the importance of preparation and regular training, and the necessity of understanding business impact when developing cyber crisis management plans. They also delve into the European Union’s NIS2 and Cyber Resilience Act regulations, explaining how they aim to enhance cyber resilience across organizations by mandating stringent cybersecurity practices and reporting requirements. The discussion underscores the need for local transpositions of these directives and the challenges they introduce. Finally, they emphasize the importance of cyber resilience as an integral part of overall business resilience in the digital age.
Key Quotes
*”In today's digital world, you cannot have decent business resilience without having cyber in there. And why is this? Because technology is embedded in the heart of many organizations. That technology is interconnected with clouds and based on internet technology. So it makes it inherently vulnerable to cyber attacks. So if you want to have a good business resilience strategy, to me, cyber is a vital part of that.”
*”The overall objective of incident reporting is not to get organizations fined. It's to be able to do early sharing of those incidents or those indicators of compromise potentially to other organizations within or across different member states. All again, to make sure that whatever impact there is, that it does not get bigger from a member state or from a European Union perspective.”
*”A lot of organizations are prepared to handle crises - the traditional ones - but do not really fully understand yet what it takes to handle a cyber crisis specifically. I think one of the biggest benefits that NIS2 will bring is creating that awareness and making sure that decent cyber crisis management is adopted.”
*”The key question here is to really understand the impact of an incident from a few angles. I think understanding the impact of that incident is, is that really in the area that falls in scope of NIS2 for that organization? In what local European market is this impact cost? And to what extent is this impact significant? Because that's again at the discretion of the organization to determine. And I feel that those three elements really can help you decide how and where and when you need to report those incidents. So capturing all that information as part of your Security Incident Management process is key.”
Time Stamps
[0:30] Meet Koen Machilsen, EY Consulting Partner in Cybersecurity
[1:00] Handling a Cyber Incident: First Steps
[2:03] Understanding the Impact of an Incident and Communication
[3:45] The Importance of Regular Exercises
[6:26] Threat Modeling and Business Impact
[8:27] Regulation Insights: NIS2 Explained
[11:05] Incident Reporting Challenges
[20:24] Cyber Resilience Act Overview
[26:39] Rapid Fire Questions with Koen Machilsen
[30:13] Conclusion and Final Thoughts
Links
Connect with Koen on LinkedIn
Learn more about EY
Read EY’s article on how to prepare for NIS2
Learn more about Lacework
This podcast is brought to you by Lacework, the leading data-driven cloud-native application protection platform. Lacework is trusted by nearly 1,000 global innovators to secure the cloud from build to run. Lacework delivers true end-to-end protection, empowering customers to prioritize risks, find known and unknown threats faster, achieve continuous cloud compliance, and work smarter–not harder–all from one unified platform. Learn more at Lacework.com.
This episode of Code to Cloud features a discussion with David Ortiz, Global CISO at Church & Dwight Co., the parent company of brands like Arm & Hammer and OxiClean. At Church & Dwight Co., David transformed the global enterprise-wide information security program in key areas of strategy, risk management, and compliance, among others. Prior to joining the company in 2020, David spent over 22 years in security at Bed, Bath & Beyond. David and host Andy Schneider, Field CISO EMEA at Lacework, discuss the primary cyber threats facing the manufacturing sector, with a specific focus on ransomware, and the strategies utilized by Church & Dwight to mitigate these threats, including a robust third-party vendor assessment process. Ortiz highlights the importance of adaptability in cybersecurity, the role of leadership qualities such as empathy, accountability, and urgency, and underscores the significance of identity management, preparedness, and swift response in enhancing cyber resilience. The conversation also covers the benefits and considerations of moving services to the cloud, reflecting on the necessity of collaboration between cybersecurity teams, manufacturing units, and other stakeholders to safeguard against an ever-changing threat landscape.
Key Quotes
*”Technology is getting more and more complex every single day. What we may have viewed years ago as a simple firewall rule has become much more complex with our connected ecosystems across multiple clouds, multiple sites, multiple networks. So the complexity is going to continue to grow, but our mission hasn't really changed with what we need to do to protect it. We just need to adapt and keep up with the changing threat landscape.“
*”Everybody has a role in cyber and protecting our people, our technology, our processes. I want to instill that mindset of accountability and ownership so that everybody understands that they have a part in reducing cyber risk.”
*”From the vendor community, my ask would be: Help us install foundational cybersecurity, help us understand where we're potentially oversharing data. And let's have a little less hype on AI in general. Let's really surface all the good that's going to come out of AI and derive it from that conversation versus a hype conversation and I think that would really benefit everybody substantially so that we could get ahead of the bad actors out there and really use AI to its full potential for good.”
*”You can teach technical skills. You can't teach drive and passion. And that sense of urgency that I mentioned early on, those are some of the characteristics that you need in this field. So, as a company is interviewing and looking for people in the cyber or the IT risk management field, look past the certifications, look past some of those requirement bullet points that you may see on a job description and really get to know the person and explain the role that they're interviewing for to them and see if they're really a fit for that role. And again, knowing that you could teach people technical skills, but you want to really hire the person, not what's on their resume.”
Time Stamps
[0:32] Introducing David Ortiz: Global CISO at Church & Dwight Co.
[1:05] Transforming Cloud Security in Manufacturing
[1:15] Ransomware: The Persistent Threat
[1:58] Vendor Assessment and Cloud Adoption Strategies
[3:44] Cybersecurity Incident Response in Manufacturing
[6:15] Leadership Qualities in Cybersecurity
[7:58] Building Trust and Accountability in Teams
[11:04] The Role of Technology in Cybersecurity
[15:51] The Future of Cybersecurity and AI
[18:47] Career Insights and Advice in Cybersecurity
Links
Connect with David on LinkedIn
Learn more about Church & Dwight Co.
Learn more about Lacework
This episode of Code to Cloud features a discussion with Immuta's CISO, Mike Scott, and Co-Founder and CTO, Steve Touw, hosted by Andy Schneider, Field CISO EMEA at Lacework. Mike is a highly experienced and accomplished leader in information and data security, real-time analysis of immediate threats, and IT and infrastructure designs. And Steve is known for his data science work with US Special Operations Command and the US Intelligence Community. The conversation centers around the importance of a 'shift left' culture in software development, emphasizing security from the start of the development process. Both guests share how this approach has enabled Immuta to move to a SaaS model, deliver features and security fixes more rapidly, and foster a strong security culture by bringing the CISO and CTO teams closer together. Practical insights include the adoption of communication tools like Slack, the significance of automation in maintaining a rapid release cadence, and the importance of understanding employee communication styles using the DISC assessment. The discussion also touches on overcoming conflicts and the critical role of setting realistic goals in achieving security and compliance milestones.
Key Quotes
*”Security is inevitable. And we can all look back and see where it's delayed us, when security was brought in at the end of the game. Versus if we can move our mindset to really thinking from ideation all the way through creation to delivery of software, we're going to meet a lot of those challenges early. And then what we've seen, I think the outcome is a more timely release and less of security being a roadblock and more just like a small speed bump along the way.” - Mike Scott
*”Shifting left has also allowed our teams to understand the security impact sooner. And so when a critical vulnerability comes out, the engineering team has already decided, ‘Are we vulnerable? What's the fix going to be?’ within hours of getting that notification versus responding to a customer's inquiry before.” - Mike Scott
*”We needed the security to be there so that we could change our release cadence, the shift left. And our architecture changed quite a bit too. Most of our customers are SaaS now, used to be self-managed on-prem type solution. And we've really tried to push the SaaS solution because it helps us with releasing faster, getting features in our customers hands faster, but also allows us to deploy security fixes more quickly as well. So, that forcing function of having to deliver more quickly, of providing it or making us do the shift left to be able to do that. It flipped it on its head and also allows us to fix problems more quickly as well.” - Steve Touw
*”I'm constantly reminding our governance committee, ‘Hey, we put a lot of stuff on this team to meet ISO requirements and slot 3 requirements.’ And for me, that's defending my partner, Steve, right? It's saying, ‘Hey, this is taking extra time. This is taking away from his ability to deliver product.’ And so when they're hearing Steve say it, and they're hearing Mike say it, and they're hearing other parts of the business say it, it's also helping get that justification for resources or at least changing prioritization.” - Mike Scott
Time Stamps
[0:40] Introducing the Special Episode with Immuta's CISO and CTO
[1:46] The Shift Left Culture: Enhancing Security and Efficiency
[3:24] Building a Security-Minded Engineering Culture at Immuta
[5:34] The Measurable Benefits of Shifting Left in Security
[10:04] Fostering Collaboration Between CISOs and CTOs
[14:43] Championing Security Through Engineering and Automation
[22:04] The Critical Role of Automation in Modern Software Development
[23:46] The Drive for Faster Feature Delivery
[24:16] Breaking Down Big Goals into Manageable Pieces
[24:36] The Journey to Compliance and Certification
[25:54] The Impact of SOC 2 Compliance and Beyond
[26:40] Collaboration and Strategy in Achieving Compliance
[29:37] Addressing Conflicts and Embracing Collaboration
[34:53] Leveraging DISC for Effective Communication
[39:28] Reflecting on Career Lessons and the Path to Leadership
[43:37] Essential Tools for Success and How to Connect
Links
Connect with Mike Scott on LinkedIn
Connect with Steve Touw on LinkedIn
Learn more about Immuta
Learn more about Lacework
This episode features an interview with Jenny Brinkley. Jenny is Director of Amazon Security at AWS. Prior to joining Amazon, she co-founded an artificial intelligence start-up called Harvest.ai focused on protecting highly sensitive data using behavior analytics to prevent data loss. Harvest.ai was then acquired by AWS in April 2016. Jenny has also been awarded a few patents focused on data loss prevention and the right to be digitally forgotten. And on this episode, Jenny and host Tim Chase discuss the value of personal data, the importance of security at the executive level, and diversification of the workforce.
Key Quotes
*”We're living in a really interesting time where people are just starting to understand the value of their interactions with different digital products and the different types of outputs that they get. But then couple in the fact of where we're seeing the future of how Gen AI related to still keeping me unique and special and different is important. And that's where I really am curious to see how this year is going to unfold related to individuals understanding the value of that data and how to stay not only safe as you're operating online, but how to also think about how you either get compensated for the use of your data, or how you get to set the parameters of what you want to see with the different type of data that can be used in training models.”
*”People don't necessarily understand what they create and how valuable that is, but then also how to protect themselves as they're operating within different technology stacks.”
*”I feel so blessed I was able to spend that time in thinking about how data classification at the scale of AWS really should operate and how it should think. But I think that there's still such an open space for someone to come in and solve for making it easy. Like, how do you really identify that type of data that's so important to your organization and who has access to it? And how do you turf up alerts in a way that can not only give you insight into how to take action, but that all should be automated for you. And that's where I really see the future of where generative AI is going to come into play.”
Time Stamps
[0:56] Jenny Brinkley's Journey: From AI Startup to Amazon Security
[1:30] The Evolution of Data Protection and Privacy
[2:46] Understanding the Value of Data in the Age of Generative AI
[5:02] The Role of Security in Business and Regulatory Compliance
[10:28] The Shift in Security Mindset: From Basement to Boardroom
[14:52] Redefining Data Loss Prevention and the Future of AI in Security
[23:31] Diversifying the Cybersecurity Workforce for the Future
[34:52] The Importance of Community Engagement
Links
Connect with Jenny on LinkedIn
Learn more about AWS
Learn more about Lacework
This episode features an interview with Sean Wright. Sean is Head of Application Security at Featurespace, the world leader in Enterprise Financial Crime prevention for fraud and Anti-Money Laundering. He is an experienced application security engineer, having started his career as a software developer. His expertise is in web-based application security with a special interest in TLS-related subjects. And on this episode, Sean and host Andy Schneider discuss navigating AppSec in the cloud age, finding and leveraging security champions, and Sean’s take on open source as it relates to supply chain risks with third-party software libraries.
Key Quotes
*”The thing that really scares me, we've seen it already with Python packages, NPM packages, Ruby packages, is those who actually intentionally put malicious code in there. There's things to steal secrets, crypto miners, the whole shebang. And that to me is probably the biggest worry I have around open source. Because trying to catch that…it's just, how do you do it? And just the massive volume that's there.”
*”Break down barriers between the security teams and the engineering teams. I don't see why there needs to be this friction. At the end of the day, you're working for the same company. You're trying to achieve the same goal. Work together, support one another. See each other's issues or frustrations, problem points, and try to achieve the same goal. And at the end of the day, it'll work out for everyone.”
*”How can we expect people to write secure code if they don't even know what that is like? Universities need to have some elements of this in the bachelor of science, computer science degrees. Embed that in, make it part of the curriculum. It doesn't have to be sophisticated. It can cover the top level stuff, but at least make people aware of it. There's this fixation on some of the more glamorous stuff in the industry. So we kind of ignore some of the stuff that really needs to be tackled. Go look at SQL injection, go look at cross site scripting, those kinds of things. It's been around for decades, yet we still haven't solved those problems. And they're not difficult problems to solve.”
*”You got all these new technologies, these new languages coming out, and now you have to not only know how to use those technologies, but use them securely. And that's probably where we need to start looking at building secure by default into the technologies rather than as a bolt on or afterthought. It's kind of happened over the years as well.”
*”I'm not just focused on AppSec. I engage with other areas of a security team because the security department's pretty small. That means I get exposure to other things, or I can help provide outside influence or thoughts, opinions that could help. So don't just fixate in your bubble. Work with other people, share ideas. Get engaged, things like community, different groups, and learning.”
Time Stamps
[0:30] Introducing Sean Wright, Head of AppSec at Featurespace
[1:06] Sean Wright: From Developer to Application Security Expert
[1:39] The Evolution of Software Development: Pre-Cloud to Cloud Era
[4:06] The Transformation of Application Security in the Cloud Age
[6:07] Effective AppSec Measures: Frameworks, Training, and Collaboration
[12:09] Navigating the Risks of Open Source and Third-Party Libraries
[18:15] Strategies for Managing Open Source Security Risks
[20:18] Why Software Remains Vulnerable
[21:01] The Importance of Secure Coding Education
[21:32] Addressing Long-Standing Security Issues
[22:40] The Rapid Pace of Technological Advancement
[23:22] Language Choices in Security
[25:26] Industry's Struggle with Cybersecurity
[28:37] Advice for Aspiring Security Professionals
[31:26] The Potential of AI in Application Security
[34:24] Future Trends and Challenges in AppSec
Links
Connect with Sean on LinkedIn
Learn more about Featurespace
Learn more about Lacework
This episode features an interview with Jeff DeVerter, Chief Technology Evangelist at managed cloud computing company Rackspace. He has over 25 years of experience in IT and technology, and has worked at Rackspace Technology since 2008. Over his career, Jeff has helped companies like American Express, Ralph Lauren, and Thomson Reuters create and execute against multi-year digital transformation strategies. And on this episode, Jeff and host Tim Chase discuss how to navigate an excessive amount of data due to the popular use of AI, why security by obscurity is ineffective, and aligning day-to-day security duties with business goals.
Key Quotes
*”In security, we're looking for that needle in the haystack. We're trying to find that one little bit of behavior that’s different today than it was yesterday and that could be an indicator. Well, there's so much data these days, it's like finding a needle in a needle stack. And I think that the only way for security professionals to be able to do their job in the future given the extreme amount of data that exists and is growing is through AI. Machine learning and AI.”
*”AI in 2024 becomes the co-employee. If we're doing it right, it really is filling that seat next to the brilliant security individual or whatever the department might be, who sits next to them to help them be better, more intelligent, more efficient at the things that they do.”
*”So much of security, especially as it related to the knowledge worker, was security by obscurity. It's over on this shared drive. It's 15 folders deep. Nobody even knows that it exists, let alone to go and parse it. And all of a sudden, some indexer goes and rolls through the thing and now you type in, for example, the year pay raises or reporting structure or something along these lines that they thought was very secure, but it wasn't secure and now it’s exposed. And now we have that problem on steroids as all of these groups start to bring together all of their data so that Gen AI can provide this value, we're finding that more and more of that security was by obscurity or other less efficient methods that ultimately then creates challenges.”
*”The CISO has to have a relationship with every aspect of the business to understand what's happening. And they have to realize that they're not the scary people who have been hiding back in the SOC. And you'd never want to get an email from security because you only get an email when something bad has happened or you've done something accidentally bad. So you have to break that stigma. Same for the legal team, by the way, they've got to be in this as well, but it starts with amazing relationships. And if they don't exist, they've got to get built.”
*”IT leaders. Are you hands on keyboard? No. Do you need to know everything about that technology to know what's possible and capable of your people? Yes.”
Time Stamps
[0:32] Introducing Jeff DeVerter, Chief Technology Evangelist at Rackspace
[3:20] How is generative AI impacting cybersecurity?
[13:49] What are the risks posed by generative AI to cybersecurity?
[16:42] How can security professionals put limits on generative AI and secure it?
[22:21] How is security a business enabler?
[26:56] What’s the most important habit an IT leader can have?
[28:52] How can listeners increase their cybersecurity?
Links
Connect with Jeff on LinkedIn
Learn more about Rackspace
Learn more about Lacework
This episode features an interview with Dr. Kevin Tham. Kevin is a CISO leader in the Australian Digital Banking sector and a seasoned information security veteran in the financial services industry. Most recently, he served as CISO at etika, a purpose-driven lender. And on this episode, Kevin and host Tim Chase discuss cryptography including how it’s changed over the last 25 years, and how quantum computing and AI will affect it. They also discuss handling cybersecurity incidents from first steps to when to notify the board.
Key Quotes
*”I think a lot of people focus on who's the nation status [in the event of an incident.] For me, I just need to know enough; what the motivation is for this particular attacker. Then it actually very quickly tells you what that next step is or what that one step plus one is so that you can actually hit them off and cut it off from a containment perspective.”
*”If you have an open source intelligence platform that is based on an LLM on a backend, for example, and it starts taking all this information that's on the internet and understanding cipher systems on websites and stuff. Then it becomes a very interesting sort of platform to go, ‘Okay. Awesome platform, tell me which website has the TLS 1.1 that's still running,’ etc. And it becomes really interesting because ‘someone's’ doing the job for you.”
*”If [an incident] hits a certain severity, absolutely, the CEO needs to come in. And the comms team needs to be part of that team so that you can shorten communication between the decision maker and the action that needs to be taken. So it's a bit fluid in the sense, in that sense, but, you know, for me, it's more about how do I shorten any communications about decisions made versus what needs to be done.”
Time Stamps
[0:44] Introducing CISO leader Dr. Kevin Tham
[5:01] Kevin on cryptography
[7:21] How has cryptography changed over the years?
[10:27] How does quantum computing affect cryptography?
[15:44] How will AI affect cryptography?
[19:09] What’s Kevin’s action plan in the event of a security incident?
[26:21] Who’s in the response team?
[28:21] At what point do you need to notify the board of a security incident?
Links
Connect with Kevin on LinkedIn
Learn more about Lacework
This episode features an interview with Frank Wang, Lead Security Engineer at Headway, a new mental healthcare system that works to remove historic barriers faced by mental health providers, payers, and patients. Previously, Frank served as staff security engineer and the first hire in that function at dbt Labs. He has also dabbled in venture capital and academia. He holds a PhD from MIT focused on security and cryptography and a B.S. in computer science from Stanford. And on this episode, Frank and host Tim Chase discuss the benefits of on prem versus cloud storage, why getting complete visibility of the cloud is unlikely, and why partnering with engineers is critical to successful cybersecurity.
Key Quotes
*”People are challenging the idea that 100 percent cloud at scale works. Everything comes with a cost. And the cloud gives you elasticity. That's always what it's been for. If you don't know what your load is like, it doesn't make sense for you to buy infrastructure. That's a complete waste of resources. But if you know and have stable workloads, then it makes a ton of sense for you to put those workloads on prem just from a pure cost and engineering perspective. It's cheaper.”
*”We're never going to fully solve for visibility in the cloud. I think there's a number of reasons for it. AWS is coming out with new features. There's so many features you can't keep track of. What are developers doing? What new APIs are there? And so I think it's just much harder to keep track of all the changes that are happening in the cloud, let alone developers who are now using these. And then as your team expands, it compounds itself. So I think visibility is always going to be a pretty big problem. And then we have to just really decide at some point what matters most and what's the highest risk and what we really need visibility in. Because I don't think we're going to get complete visibility.”
*”You should focus on enablement instead of enforcement to start, which means like, ‘How do I enable people to have the best security practices in a sustainable way?’ And then push very hard until you exhaust all possible enablement and then go toward enforcement. That works better earlier on at a company.”
Time Stamps
[0:35] Introduction: Meet Frank Wang, Lead Security Engineer at Headway
[1:16] Problems with Cloud Security
[2:29] Visibility Problems in Cloud Security
[4:07] Improvements Needed in Cloud Security
[12:41] Cloud Security in the Business Context
[7:13] Shifting Back to Hybrid Infrastructure
[10:10] Building Trust as a Security Professional
[17:03] The Future of Cybersecurity
[21:17] Getting into the Cybersecurity Industry
[30:20] Addressing the Cybersecurity Shortage
Links
Connect with Frank
Learn more about Headway
Learn more about Lacework
In Season 2, you’ll hear from guests at companies like AWS, Headway and Rackspace as they bring you insights on the latest in cloud security. Hosts Tim Chase and Andy Schneider are talking with top CISOs and cybersecurity leaders about industry trends and challenges. What are their top priorities? What tools and techniques are they using to stay ahead of the curve? And how are they shifting left? We’re answering all of these questions and more. So keep an eye on your podcast player of choice for new episodes launching in the new year.
This episode we’re looking back at some highlights from past guests. Host Tim Chase is sharing quotes from leaders at companies like Okta, Deloitte and Deepwatch on security as a business enabler, leadership in cybersecurity, and what it takes to be successful in the modern security landscape.
Key Quotes
*”Trust is everything. So you know what I say is, ‘Business first, trust second and cyber third.’ That's the mantra I go with. Right after business, the trust has to come in. And without business, nothing exists. But trust is literally the next element that you have to focus on.” - Rohit Parchuri
*”You can do a great deal of work very early on, with very little team and budget. But the earlier you can set the foundations, the more dividends they will pay off over time. Because the rework of trying to implement security later on, both from a cultural perspective, but also from a technological and control perspective, it just gets exponentially harder.” - Sebastien Jeanquier
*”There's this whole thing that organizations do that I call ‘security theater.’ The easiest way of actually thinking about it is like when you go to the airports and there's that whole show of trying to make people feel safe. And I think traditional security practices give that sensation that you are safe. So, I bring that concept to my teams: ‘Is this really actually taking care of what we are trying to achieve? Or is this just for checking another box and saying that we are safe?’” - Alberto Silveira
Time Stamps
[0:41] Rohit Parchuri of Yext on trust in cybersecurity
[1:06] Craig Riddell of Netwrix Corporation on modern identity
[1:34] Sebastien Jeanquier of Upvest on starting a security practice
[2:04] Alberto Silveira of LawnStarter on “security theater”
[3:24] Gerald Beuchelt of Sprinklr on practicing effective cybersecurity
[4:04] Julie Chickillo of Guild on security as a business enabler
[4:29] Terry O’Daniel of Amplitude on speaking to the board
[5:14] Mark Settle, formerly of Okta, on understanding the business
[5:53] Wes Mullins of Deepwatch on security during the pandemic
[6:47] Emily Mossburg on Deloitte’s Global Future of Cybersecurity survey
[7:32] Fractional CISO Aruneesh Salhotra on threat awareness
[8:02] Greg Crowley of eSentire on alert fatigue
[8:50] Kelly Haydu of Cargurus on getting ahead of security breaches
[9:45] Bill Dougherty of Omada Health on building relationships with customers
[10:19] Billy Spears of Teradata on AI in cybersecurity
Links
Connect with:
Tim Chase
Rohit Parchuri
Craig Riddell
Sebastien Jeanquier
Alberto Silveira
Gerald Beuchelt
Julie Chickillo
Terry O’Daniel
Mark Settle
Wes Mullins
Emily Mossburg
Aruneesh Salhotra
Greg Crowley
Kelly Haydu
Bill Dougherty
Billy Spears
Learn more about Lacework