
Episode Summary
Over a long security career, not only do professionals grow and change, but the world they're operating within also changes. And talking about security, we are witnesses to the transition from local software to cloud security.
The cloud brought new trends in solving security problems. But certain practices from the pre-cloud era still resonate and are in use. At the same time, we still do some things that we should stop.
In this episode of Cloud Security Reinvented, Andy Ellis welcomes Renee Guttmann, a transformational leader in cybersecurity. Andy and Renee get into how building an on-premise model is blended with how the cloud could be leveraged, how security protocols have been modified for the cloud, and how the cloud has changed the approach to cybersecurity.
## Guest-at-a-Glance
💡 Name: Renee Guttmann
💡 What she does: Chief Information Security/IT Executive.
💡 Company: Cydome Security
💡 Noteworthy: Renee has delivered world-class global information security programs for Coca-Cola, Time Warner, Royal Caribbean, Campbell, and Capital One, and helped establish the office of the CISO at Optiv. She advises startups on defining their products, services, and go-to-market strategies. On the community front, she partners with other CISOs on cybersecurity training and mentorship. She has been active as a Board Member and Advisor at a large children's mental health facility for almost a decade.
💡 Where to find Renee: LinkedIn | Website
## Key Insights
⚡ The cloud has changed the mental model for security. Renee Guttmann started getting involved with the cloud in 2011 and worked with people looking at newer trends when the cloud was supposed to solve all security problems. According to her, people are multi-cloud today. "Your teams have to know a little about everything because they're all different. They all have different capabilities. [...] I find that now you're basically in multiple clouds. You've got several service providers; you might have somebody doing operations for you. And one of the things that I think is extremely difficult right now is figuring out who's on first."
⚡ It is necessary to dump Change Control Boards. In transitioning from an on-premise world to cloud security, there are practices from before that we need to double down on and things that we should have buried a long time ago. As Renee notes, Change Control Boards must be dumped. "You go to a Change Control Board, you've got one purpose for being there, and that's to get your change approved. However, you can manage to get your change approved. [...] The other thing is, I don't think the dependencies are well understood. And so, I think we're overly reliant on something that is probably not relevant. Plus, I know the changes I'm making. I don't know the changes that my cloud providers are making. They're not coming to me and running their stuff through a Change Control Board. So, I just questioned the time and the value of that exercise, and that it needs a bit of a refresh. And then the other thing that I think has to be improved is if you touch it three times, you need to automate it and be done with it."
⚡ On-premise is still relevant in the cloud era. When we look at the cloud era and where we are today, experts could probably have predicted some things about it. But there are some things they did not hope for. For Renee, the biggest surprise from the cloud era is how much on-premise there is. "I don't know how many people are still running data centers; I would've thought that all of that would have already left the building. That's a little bit of a surprise to me that we're not further along. The other thing is resiliency. I think that we haven't done a good job with figuring out how to be more resilient."
## Episode Highlights
The Exciting Career Journey of Renee Guttmann
"Before I became a research analyst at Gartner, I started a security program with a global healthcare company based out of London. And we were protecting clinical trial data and research material, and after that, I took the Gartner job.
[...] I left Gartner and became the security architect for building online statement platforms at Capital One and applying for credit cards online. And back when I did that, people didn't do it. So we were one of the very first companies to actually make it possible for people to go and look at their statements. After Capital One, I went to Time Inc. and Time Warner.
[...] And then I got recruited to Coke, built their program from scratch, and joined Royal Caribbean later. And my most recent opportunity was the Campbell Soup Company, where I was working specifically on manufacturing OT security."
What Cloud Security Looks Like Inside the Industry
"There [at Renee's last two positions] was a lot of OT, there was either manufacturing, but on a ship or in maritime in general. There are a lot of systems like satellite navigation that are really on the ship, and the way that you talk to them is through satellite. Your bandwidth is a little bit constrained because you're basically taking it away from the crew and the passengers, mainly the paying passengers. So it wasn't that easy to figure out how we were going to leverage the cloud in some of these environments. And to that point, I still think that building that on-premise model blended with how the cloud could still be leveraged. I don't think we're there yet, but I think that's an opportunity for people to really go in and address. The other problem is that these systems that I'm talking about are generally run by IT people. They're outside the span of IT. So you've got somebody that runs a manufacturing system, and they could be buying cameras from who knows where."
"The More Things Change, the More They Stay the Same"
"We still need to focus on privilege, administrative access, and protecting the keys to the kingdom. [...] We don't know what our footprint is, and we have to resurrect whatever we were doing better and get that kind of understanding of our current environments. And then the third thing is, I think that we had really good IR plans, and we got better at them, especially because of the accountability issues. So we need to up-level those procedures, do better training with more of our partners, and they need to be in the room."
Knowing the People Around You is Extremely Important
"You've got to start with who they are before they care about what you're doing and why you're there. [...] You don't want to be seen as the cop. You actually want to create a persona that people will feel comfortable coming to, and asking for help. And what I really need them to do is to tell me when the garbage cans are on fire before the building burns down.
[...] I don't think you can really be effective until A: you know the people, and B: the culture and everything else goes along with it. But you've got to know people, and you have got to put yourself out there in a way that people get comfortable with you, and they want to be in the same room as you."