Episode Summary
It's been more than a decade since the cloud emerged as a new concept. And it's safe to say that it has practically become the new normal, especially since the COVID-19 outbreak.
However, when it comes to improving cyber security and risk management in the cloud, we still have a long way to go.
In this episode of the Cloud Security Reinvented podcast, our host Andy Ellis welcomes Sameer Sait, an information security expert and the former CISO of Amazon's Whole Foods Market. They talk about the shift in security mechanisms due to the explosion of the cloud, the importance of shared responsibility, and what we can learn from highly regulated industries. Tune into this episode to hear some insightful observations about the future of cybersecurity.
## Guest-at-a-Glance
💡 Name: Sameer Sait
💡 What he does: He's the former CISO of Amazon's Whole Foods Market.
💡 Company: N/A
💡 Noteworthy: He's an information security and risk executive with 16+ years of global leadership experience at Fortune 100 firms.
💡 Where to find Sameer: LinkedIn
## Key Insights
⚡ We need a playbook for unexpected outcomes in the cloud. Although we expect the cloud world to move fast and smoothly, sometimes there are some unexpected scenarios. That's why we need to get better at how we manage ownership of assets and processes. Sameer explains: "In the non-cloud native world, there is a kind of alignment of accountability, responsibility, ownership, and influence. I think in the cloud world because we expect to just move really, really fast, and we expect things to get taken care of by a certain set of individuals that are working in DevOps, you just sprinkle on some security and expect it to kind of magically get taken care of. I think there's a little bit of the ‘who owns what’ and [we should be] finding ways to align on the exceptions so that even the exception process has accountability and responsibility."
⚡ Since the explosion of cloud usage, engineers no longer need a policeman; they need a steward. It's safe to say that the cloud has changed the way we do everything, including security. According to Sameer, one thing that stands out is how engineers and builders think about security. He says, "I've been pleasantly surprised, and it's probably a combination of the industry itself having exploded, there being a lot more awareness, and technologies being built to enable secure software development and deployment maintenance. And so, with the explosion of cloud usage, I've been pleasantly surprised that engineers don't really need a policeman anymore. They just need guidance."
⚡ We should aim for shared responsibility. According to Sameer, the cloud has created a good opportunity for shared responsibility. Instead of building large, slow-moving organizations, we should move towards small agile teams. Sameer shares his predictions and hopes for the future of security. "I think part of it is also security being built into the cloud. I hope to see more and more big tech companies [...] embracing partnerships with tech security companies to make it so seamless that it becomes part and parcel of how we operate in the cloud. I'm seeing that happen, and that's getting me super excited because I care as much about the usability of a product as I should, and the product manager should care as much about the security of that product. And if we both have those shared outcomes, I think we'll do very well."
## Episode Highlights
Highly regulated industries set a high bar for cybersecurity
"I think the financial services industry really set me up well, given that there was a higher level of awareness and expectations around cyber risks and the impact of those risks. There were already working groups, like the ISAC; there was an FS-ISAC back then. We didn't have that level of maturity outside of, let's say, financial services and potentially, healthcare. I haven't been in healthcare, but I can say that coming out of those highly regulated, well-managed and risk-managed industries taught me a lot about what a good bar or a high bar for a cybersecurity program looks like."
The physical store space is not always open to changes
"There's been a little bit of hesitation to change, and I don't know if technology or security has actually been an enabler for that or more of, 'Hold on a second, how do we make sure connectivity is good? How do we make sure our data is centralized in terms of storage? How do we move off of systems that we've built for 20 years and have worked fine for us?' So a little bit of the 'If it isn't broken, why fix it?' was what I saw in the physical store space."
Hire for the long term and automate for the short term
"What is something we've always done that maybe doesn't apply in this new world? I would say throwing more people at the problem. My experience has always been that we tend to go and sign up with more consulting services, and we'll just say, 'Well, this is a problem. We need support.' And we'll use that excuse, and I've used this excuse, too. So I'm as much at fault for saying, ‘It's really hard to hire in this hyper-competitive security market. Let's just get some consultants.’ I think we should start thinking like those very smart engineers who are building cloud-native solutions, and about how we can automate discovery, remediation, and things that we know, with a high degree of probability, to be problems that can be solved via X, Y, and Z protocols."