
This episode features an interview with Terry O’Daniel, Acting Head of Security at Amplitude. Amplitude is a product analytics platform that helps businesses track visitor behavior through collaborative analytics. Terry joined the company in October of 2022 as Head of GRC. Prior to Amplitude, he led Governance, Risk, and Compliance within Infrastructure Engineering at Instacart. On this episode, Terry and host Tim Chase discuss the failed promise of DevSecOps, aligning security with business objectives, and how to translate security into dollars.
Key Quotes
*“I think at the end of the day, risk quantification is not very sexy. I understand. But we tie ourselves in knots in security doing this interpretive dance for the board of red, yellow, green, and ‘Here's what it means,’ and bibbety boo. And businesses don't run on interpretive dance. They run on dollars. And until we can come to the table like grownups with the rest of the grownups running our function and saying, ‘Here's the risk in dollars, here's the investment in dollars, here's the risk mitigation we're gonna realize in dollars,’ that's the key, right? We have to be able to talk the language of business to be successful and be taken seriously as business partners.”
*“There's a tax that's required in actually moving left. Shifting left involves having smaller pieces and smaller interruptions more frequently in the worst case, rather than having a single showstopping event at the end.”
*“Devs don't report to us. They have their own leaders and they have their own goals. We don't control engineering. But we can give them the context. We can help them understand the context for making better risk-aware decisions.”
*“If you're a SaaS company, your CISO has to be technical. At the core, your CISO is not only protecting your people and your work systems and your SDLC, they also are inherently predicting the risk of your product and that B2B relationship. So I think traditional industries still can get a huge degree of value out of hiring a CISO who comes from a strong risk and governance background. But if you're an engineering-first company that's building neat stuff, if your CISO doesn't have the finger on the pulse of that, I think they're inherently hampered from their ability to help the company shift left.”
Time Stamps
[1:24] The failed promise of DevSecOps
[4:15] Why is shifting left so hard?
[8:39] Why is continuous improvement a key part of DevSecOps?
[11:30] How can security goals align with business objectives?
[13:49] How important is leadership in DevOps?
[17:32] How did Terry transition from engineering into security?
[22:28] Is it more effective for a CISO to come from a GRC background or an engineering background?
[26:08] What’s been Terry’s biggest learning of his career?
[34:05] What’s one tool Terry can’t live without?
Links
Connect with Terry on LinkedIn
Learn more about Amplitude
Learn more about Lacework
This podcast is brought to you by Lacework, the leading data-driven cloud-native application protection platform. Lacework is trusted by nearly 1,000 global innovators to secure the cloud from build to run. Lacework delivers true end-to-end protection, empowering customers to prioritize risks, find known and unknown threats faster, achieve continuous cloud compliance, and work smarter–not harder–all from one unified platform. Learn more at Lacework.com.