
Episode Summary
Cloud-based solutions are the future of technological advancement. The cloud has gone through various phases, and these changes have made it one of the most potent inventions of today.
Thanks to a broad range of cloud-based tools, even founders without a development background can start a company and release a product. But that's not the only advantage of the cloud. Technological development, alongside the cloud, could significantly reduce one of the most critical issues faced by the world — poverty.
In this episode of Cloud Security Reinvented, Andy Ellis welcomes Ryan Gurney, the CISO-in-Residence at YL Ventures. They have an interesting chat about the cloud, its benefits, the exhausting role of CISOs, and the tech practices that no longer work.
Guest-at-a-Glance
💡 Name: Ryan Gurney
💡 What he does: Ryan is the CISO-in-Residence at YL Ventures.
💡 Company: YL Ventures
💡 Noteworthy: Before joining YL Ventures, Ryan held security leadership positions at Looker, Google, eBay, and Zendesk.
💡 Where to find Ryan: LinkedIn
Key Insights
⚡ Your cloud provider’s weaknesses can become your problem. Since the cloud has become more prevalent, many companies have switched to it. However, Ryan believes that users must be careful when choosing a third-party cloud provider, since the provider's weaknesses may become the user's problem. "I've seen us go from attempts to keep all the data inside the borders of the company to utilizing private clouds, public clouds, and the explosion of right third-party SaaS apps and mobile apps. [...] It means that there are more environments where customer company data is being housed. Accessing that and understanding your assets is supercritical."
⚡ Security training needs to be short and to the point. According to Ryan, long-winded security training for employees is highly ineffective. Instead, it should be more precise and company-centered. "Security training needs to be short, to the point, frequent, contextual, and specific to the company and its culture. And that includes how you sign up for SaaS applications and how you manage your cloud environment. You should discuss only the areas that are important to the security company, security in their culture, and give people tips on how they can do things in their personal lives and help their family and friends. So, the old stuff around these long-winded four-hour-long training needs to go away."
⚡ I'm excited about technology being able to reduce poverty. Ryan strongly believes that we can do a lot with technology, including solving the world's most critical issues. "I'm excited about technology being able to reduce poverty and bring conveniences to people around the world. We've seen examples of it — easier access to water, bringing the Internet to everyone, and helping with sanitization. These are massive gaps in people's living conditions around the world."
Episode Highlights
Ryan Gurney's Career Path as a CISO in a Nutshell
"Currently, I'm the CISO-in-Residence at YL Ventures, a position that has been held by two predecessors. Prior to my current role, I held security leadership positions at Google, Looker, Zendesk, and eBay. So, I spent a lot of time in the cloud. Today, my role is really interesting. I'm not as much an operational CISO as a strict, strategic person who's helping founders and portfolios figure out their product and security story.
[...]
My industry is now investing in helping founders understand the security landscape horizontally and not just vertically. As I'm a CISO-in-Residence, it's a little bit of a broader picture, but speaking about ideation, founders need to consider the completeness of what they're doing. It's not good enough to say, 'Hey, we cover AWS.' They need to cover all the major public clouds and ideally the hybrid clouds, as well. That is where the world is."
Basic Practices Always Matter in Security
"What [security practices] should we have kept? Well, I think the basics still matter. Whether you're in a cloud environment, in the private cloud, or an on-premise deployment, being able to establish policies, identify vulnerabilities, and patch still matter, and they're always going to matter. And in some cases, with our cloud providers, we have to hold them accountable and work closely with them to do those things."
Technology Gives Us a Lot of Opportunities to Make the World a Better Place
"I think we have opportunities to do a lot with technology. We've seen examples of it for easier access to water, bringing the internet to everyone, and helping with sanitization. These are massive gaps in people's living conditions around the world. I'm interested in the security space specifically. I'm fascinated about abstraction at the cloud layer around security controls, how we can make things quicker and easier for the CISO and bang them over the head about things that need their attention, especially when we consider the challenges we have with hiring security professionals today."
Quick Takeaway: Security is Non-Binary
"CISO is a tough career, and there are a couple of things I've learned that I like to pass on. One of them is that security is non-binary. I would often have CEOs come to me in passing, and they would say, 'Hey, are we secure?' Perhaps that was just small talk, but I took it seriously. I feel an effective CISO should be able to say, 'Hey, listen, I'm aware of our key assets. I know how they're protected, and I know our key risks. We actively monitor it, and we're managing it.'
The term CISO is a bit of a misnomer. Perhaps Chief Cyber Risk Officer would be the better term. Secondly, it's important that CISOs understand their strengths and weaknesses, surround themselves with the right team, and empower others in the organization to take security responsibly and seriously for themselves. They need to be transparent, approachable, and business-focused. You need to demonstrate empathy for others because if you're coming to them, you're likely asking them to do something. So, you've got to be able to demonstrate that empathy."