Cloud Security for the Next Generation of Companies | A Conversation w/Taylor Hersom & Ashish Rajan

Cloud Security Podcast

May 5, 2020

In this episode of the Virtual Coffee with Ashish edition, we spoke with Taylor Hersom about:
Why do cybersecurity professionals need to think about talking cybersecurity to the board?
What kind of cybersecurity metrics work best for a board?
Is Fear, Uncertainty and Doubt (FUD) the right way to approach presenting cybersecurity to the board?
The FAIR methodology for putting a dollar value against each risk. Is risk and governance a good place to start for those who want to get into cybersecurity but are not too technical?
Is being knowledgeable in datacenter governance beneficial in the world of cloud?
Can companies get NIST certified, or is it only NIST compliance?
NIST vs ISO vs CMMC, and how the Department of Defense is affecting the industry.


00:00:09:17 - 00:00:23:21

Speaker 1

Welcome to the intersection of technology, cybersecurity and society. Welcome to ITSP magazine. Knowledge is power.

00:00:24:12 - 00:00:40:01

Speaker 2

Now more than ever.

00:00:40:03 - 00:01:05:13

Speaker 3

All right. Here we are. Thanks, everybody, for joining me for another episode of Redefining Cyber Security here on ITSP Magazine. I think we're all coming from different parts of the world today to talk about the same topic, and that's cloud security: where we are and the future. I think it's going to be a super exciting conversation.

00:01:06:00 - 00:01:51:02

Speaker 3

Obviously, people were afraid to use the cloud years ago. Right. And now everything is the cloud, and the cloud has clouds and containers and all kinds of stuff in it, which I'm sure we'll touch on, a lot of possibilities. But going into it without some thought can put you in jeopardy. And the whole point of Redefining Cyber Security, as my regular listeners know, is to help practitioners and their leaders do what's right, or what's possible, to grow the business with technology, but in a safe way. And with all kinds of technology and processes and frameworks and everything coming at you from all different angles, that can be

00:01:51:02 - 00:02:06:10

Speaker 3

difficult sometimes. So the show is about bringing people together who know more than I do about a topic. And we're getting to Cloud Security Day. I'm thrilled to have Ashish Rajan and Taylor Hersom. Thanks, guys, for joining me.

00:02:07:22 - 00:02:09:22

Speaker 4

No problem. We are.

00:02:10:14 - 00:02:36:18

Speaker 3

Excited. Here we are. Here we are. So let's... Yeah, I'm going to whip out my first joke, which is, even if we just looked at your podcast... Podcast? Gee, I feel like a security leader. I feel like a CISO looking at all the things coming at me, and I have to build a cloud security program in 45 minutes. That's what I feel like.

00:02:36:18 - 00:02:57:07

Speaker 3

This conference, this conversation is going to be like... I was looking through your podcast, all those topics and all the people you've spoken with. Even just that would be too much to cram into 45 minutes here and come out with something meaningful that I can turn into a product or a program. That said, you have to start somewhere, and there are points within that.

00:02:57:07 - 00:03:11:23

Speaker 3

But before we get into any of that, I want to hear a bit about each of you. I love meeting new people and I'm thrilled to have you both on. Ashish, tell us about you, your role. Tell us about your podcast, and then we'll move over to Taylor.

00:03:12:17 - 00:03:39:23

Speaker 4

Yeah, thanks for having me. First of all, really awesome that you could be here. It's fun to talk about cloud. So my name is Ashish and I've been in the cybersecurity space for a little over 15 years, but the last seven or eight were spent primarily in the cloud space. My last role was CISO for a company, and I say last role because for the last six months I've been moving into the whole Cloud Security Podcast, it's literally called Cloud Security Podcast, as a full-time thing.

00:03:39:23 - 00:03:59:09

Speaker 4

I'm the host over there, and we've been doing cloud security more often. And Sean, to your point, there's so much in cloud security as a subset that you can basically spend... I've been spending three years in it, so I guess there's a lot more to go still. But I definitely want to call out the fact that it doesn't have to be that long.

00:03:59:09 - 00:04:17:07

Speaker 4

It's just that we are all trying to understand the cloud in our own way, and that's kind of where the time it takes comes from. But I mean, I definitely feel what you said earlier about cloud being a scary place for a lot of people. It is still a scary place for a lot of people if they don't make the right call.

00:04:17:07 - 00:04:21:07

Speaker 4

But there is definitely a light at the end of the tunnel. So that's me.

00:04:23:10 - 00:04:24:12

Speaker 3

Done a lot of progress.

00:04:25:13 - 00:04:31:24

Speaker 5

I wish you would have let me go first, because I could have set the bar low. Ashish, as we all

00:04:32:01 - 00:04:32:06

Speaker 3

Know.

00:04:32:15 - 00:04:33:09

Speaker 5

And try to follow it.

00:04:33:09 - 00:04:35:22

Speaker 3

Another hurdle, this one leap frog an.

00:04:37:04 - 00:05:03:23

Speaker 5

Awesome background. Obviously, you know, I have a ton of respect for you. So, Taylor Hersom, founder of a company called Eden Data. We have created essentially a security team on subscription for cloud-based organizations. So we work in security, compliance and privacy, taking over a lot of the leadership and governance of said programs for startups, scale-ups, anybody based in the cloud trying to build a security program for the first time or maintain one.

00:05:04:15 - 00:05:22:22

Speaker 5

And it's been a cool journey. So I sold my soul to Deloitte, was there for a number of years. I mean that in the nicest way possible if you're listening and you had employed me previously. And I was a CISO as well, and then transitioned into starting Eden Data.

00:05:22:22 - 00:05:46:07

Speaker 3

I love it. And I mean, yeah, one can look at one of the Big Four or whatever and say, oh, what did you do there? But you get so much experience, so many different views of different programs and different cultures and different technologies and drivers of different business outcomes, all of which plays a role in how you actually deliver security, right?

00:05:46:07 - 00:06:14:21

Speaker 3

So there's no one-size-fits-all security for all that stuff. So having that experience is huge. I want to... it's not on the list of stuff we talked about having on the list to talk about, but I feel it's important to maybe start here. And the idea of what is the cloud? Is it a cloud service provider, or you're building your own stuff?

00:06:14:21 - 00:06:27:13

Speaker 3

Is it Office 365 or G Suite? GCP, or is it Azure? Is it email? I mean, there are so many. Is it containers? Is it Kubernetes? What...

00:06:28:05 - 00:06:29:19

Speaker 4

Someone else is going to be? Maybe.

00:06:29:19 - 00:06:53:07

Speaker 3

And yeah, exactly. And I think it's important maybe to kind of paint a picture for folks of all the elements that we're talking about here, because even private cloud on-prem is still cloud. Right. So I don't know who wants to maybe start painting that picture. And then we're going to get into some fun stuff like chat in.

00:06:54:16 - 00:06:58:19

Speaker 4

Taylor, do you want to go first? Or happy for me to go first?

00:06:58:20 - 00:07:02:05

Speaker 5

Take it away. You've got a podcast called Cloud Security.

00:07:02:05 - 00:07:33:02

Speaker 4

I've literally got a podcast. I'll definitely give it a stab first. I would probably say if you were to ask this question seven years ago, or maybe even three, ten years ago, the only cloud that existed was the public cloud, and that was Amazon Web Services. Now you have offerings from Microsoft Azure or Google Cloud, but a lot of people would know these terms only if they work in the enterprise space or they're in product in, like, a tech space. But it's not only those people.

00:07:33:03 - 00:07:57:21

Speaker 4

Non-technical people also use a lot of cloud around them. Like usually people would say, if people use Facebook.com or LinkedIn.com, or I mean, the apps that we have right now, they consider this to be cloud as well. But I think the easiest way to explain this is that the majority of the time, when people talk about cloud, they're primarily referring to, say, I am an entrepreneur or I run a business and I want to have servers hosted somewhere.

00:07:58:05 - 00:08:21:18

Speaker 4

And usually, back in the day, you would have to pay a service for a physical building to get access to a machine and a server. Nowadays you can just go to people like Amazon, Microsoft and Google to use one of their services. And now, because they've matured so much in the last ten, 11, 12 years, instead of just asking for servers, you're basically saying, hey, I don't want to deal with the server.

00:08:22:02 - 00:08:41:13

Speaker 4

Why don't you take the server or container or whatever else you want to do it with? I just want to build applications that my customers love. I want to put that somewhere and you take care of the rest. So now we have that kind of offering as well, which people call platform as a service. But for many people, it depends on who you talk to.

00:08:41:13 - 00:09:04:21

Speaker 4

But primarily those three buckets. Most of us are already using something like software as a service with Facebook, LinkedIn or any of the websites that you log in to and use for anything that you want to do. That's technically classified as cloud, but I would not put them under cloud these days. People are very clear in terms of cloud primarily being things like, hey, I want to build an application, I want infrastructure to be hosted somewhere.

00:09:04:21 - 00:09:26:10

Speaker 4

And the hosting provider, in the simplest way possible, is either a public cloud or a private cloud. If you're going public cloud, which basically public domain would mean anyone on the Internet can access these, not just you. Private just means, to what Sean called out, it's in my data center. I've got a copy of it, but it may or may not hook on to something on the internet as well.

00:09:26:10 - 00:09:36:21

Speaker 4

So that's my simple explanation. It can go into a lot more detail, but that's kind of how I explain that word to people now.

00:09:36:21 - 00:09:55:05

Speaker 5

I like it, and I don't think I could add too much to that, Sean, other than I look at cloud as: if I can't physically walk over and put my hands on a server, or I need to connect to a specific network in order to access something, then it's probably a cloud-based service. Ashish did a great summary of kind of what today's day and age is.

00:09:55:05 - 00:10:00:10

Speaker 5

It's mostly people building applications in a data center that they don't own, somewhere else in the world.

00:10:00:23 - 00:10:38:05

Speaker 3

Yeah, and that's what I wanted to ask you, Taylor: how much do you think cloud is being used to build stuff versus hosting, or buying a service or paying for a service that somebody has built for you already? And of course there's a wide range between my Office 365 mail that I just pay for every month, or your Google whatever it is, versus I'm paying for some hosting and some databases and some containers and whatever.

00:10:38:19 - 00:10:50:00

Speaker 3

How much is it that? Because we often hear the phrase or the idea that every company is a technology company, which leads me to believe everybody's building something for something. How true is it?

00:10:51:09 - 00:11:26:12

Speaker 5

I think I am a little biased because of the industry that I work in with startups, but I would say that for the most part, everybody and their mother is building applications these days, at least in the startup community. So now more than ever, you've got startups that are building their SaaS platforms and putting them in something like AWS or Azure or GCP, and they're still responsible for their application layer, their database layer, their OS layer and their network layer, and then putting physical and environmental on the plates of their cloud service providers as a shared responsibility model.

00:11:26:12 - 00:11:45:24

Speaker 5

But then there are also people that are adopting, like Ashish said, the platform as a service, which is like, I only have to manage an application. That's all I'm in charge of. I just develop a great application and a vendor takes care of everything else for me. There's a huge boom of that type of business model happening now more than ever before.

00:11:45:24 - 00:12:13:19

Speaker 5

However, to the regular person, like Ashish had mentioned before, non-technical people, most people are using applications that are third party. So everybody that is an employee, like, we use ten times more applications than we develop, for sure. 100 times; ten times isn't even enough. But we are all using a tremendous amount of third-party SaaS applications just to get by in our work lives, in our personal lives.

00:12:13:21 - 00:12:24:07

Speaker 5

Ashish gave a couple of great examples, like Facebook as a SaaS platform. Like, there are whole teams in the world that run on SaaS these days.

00:12:24:07 - 00:12:39:11

Speaker 3

So is this the conversation that you have on your podcast? Well, tell us a little bit about the podcast. Is it for... what are you trying to help them with? Or are you just trying to help them, or are you scaring them?

00:12:40:21 - 00:12:41:07

Speaker 4

Sure.

00:12:41:07 - 00:12:43:05

Speaker 3

So what are you talking about there?

00:12:43:21 - 00:13:16:00

Speaker 4

Yeah. I mean, it's a good question, because I think we've been talking about... funny enough, I think maybe I should rewind the clock a bit. So the reason I started this was the start of the pandemic, and Melbourne as a city was going into lockdown. We were not allowed to go beyond three miles from our house. So it started by people reaching out to others and saying, hey, I hope you're okay, let's talk about cloud, cloud security. And it got to a point where we just started saying, hey, we should probably record this and do a podcast, and sort of just reach out to people, because I'm just missing people, meeting

00:13:16:00 - 00:13:44:11

Speaker 4

people in person. And the initial conversation was primarily with CISOs who were trying to get into the whole cloud journey: what that's like and what are some of the challenges they would face. As we matured and the demand started growing and people wanted me to do more episodes, we started talking more about tactical engineering, a bit of architecture. And this is worthwhile calling out, that at the start of the pandemic people didn't believe cloud security was a field.

00:13:44:22 - 00:14:07:00

Speaker 4

They just thought, yeah, cloud security, cyber security, same thing, right? By the way, hybrid is a separate thing. But now it feels like it. I mean, 40 years into it, people feel that, oh yeah, cloud security, it should have always been that. So now I would probably say we try and educate the current generation of cloud security people who are already in the field.

00:14:07:00 - 00:14:24:01

Speaker 4

They get to learn from, like, the CISOs of Fortune 10 companies, CISOs of Siemens or one or another company, coming in, talking about things like, hey, this is why we're moving into cloud. This is how we secure it. These are the challenges that we face on a day-to-day basis.

00:14:24:12 - 00:14:44:01

Speaker 4

We also cater for the... because I come from a pentesting background. Well, I want to say a wannabe pentesting background, because I started working on it but didn't really think I was cut out for it. So I do have an offensive side of cloud security, because there are a lot of vulnerabilities being discovered in the cloud space by researchers.

00:14:44:10 - 00:15:01:05

Speaker 4

And then there is the whole leadership angle, where it's more for tech leaders and engineers who are trying to build applications in cloud. So we cater for everyone who's in the cloud security space. And I want to call out cloud security specifically, because when I started, it was just basically me talking to CISOs about what they're doing about cloud security.

00:15:01:05 - 00:15:19:09

Speaker 4

But these days there are specific roles: cloud security engineers, cloud security architects, platform engineers. There are so many more roles. And I think someone said this: a mile wide, an inch deep. That's pretty much how big cloud security has become as a topic, an area that people are focusing on.

00:15:20:21 - 00:15:22:05

Speaker 3

And site reliability.

00:15:22:05 - 00:15:24:23

Speaker 4

And yeah, yeah. Like, you put everything in there, all

00:15:25:04 - 00:15:29:16

Speaker 3

the noise, and it's not necessarily security, but I don't know.

00:15:30:04 - 00:15:49:19

Speaker 4

You know, they're all coming into it. Like, even DevSecOps is becoming part of this as well. Like Amazon, at their conference a couple of months ago, at re:Inforce, and at re:Invent as well, they called out the Security Champions Program, which is a difficult concept. Oh, even Amazon is coming out and saying it, and Azure is saying it.

00:15:49:19 - 00:16:01:16

Speaker 4

So it's becoming a thing of its own. And I think the prediction is it might just take over the word cybersecurity, because everything leads to cloud. But hey, hopefully I'm alive to see that.

00:16:01:16 - 00:16:34:17

Speaker 3

So one of the... so many places to go here, just for me. So you talk about the journey of CISOs, a journey from on-premises to some cloud in some fashion, either driven by trying to find some efficiencies or some cost savings, or that's the only way they can transform some part of the business or actually create a new business.

00:16:34:17 - 00:17:11:15

Speaker 3

I don't know if either of you have any thoughts on the necessity to train differently and learn differently, just from the fact that the cloud looks different than on-premises, right? Different systems, configured differently, and a firewall in the cloud looks different than on-premises, and endpoints. And I don't know, you might be able to... and I'm going back to the journey... might be able to lift and shift systems on-prem to the cloud, but not necessarily your people and their understanding of how the systems work when they land there.

00:17:12:03 - 00:17:24:08

Speaker 3

So how much of that is part of what you guys are involved with, to really help people get a handle on what needs to be secured and the better way to do that?

00:17:25:08 - 00:17:28:10

Speaker 4

I think Taylor does a good job on the other side, so I'll let Taylor go first.

00:17:29:05 - 00:17:49:04

Speaker 5

Yeah, I would say that security is just one of those weird industries where even the folks that have been in the industry for a while have had to reinvent themselves, because it has changed and has essentially turned itself into an entirely new industry. So you've got security professionals... Sean, you have a heck of a background, right? And cloud wasn't always a thing, but now cloud is everywhere.

00:17:49:04 - 00:18:14:22

Speaker 5

And most company opportunities right now are, at least in some form or fashion, having security professionals interact with cloud applications or cloud infrastructure. And so because of that, there is a tremendous need for people that have very specific cloud security knowledge. And every time I say that, it's just like giving Ashish a shout-out on the podcast here, that it's just a great name.

00:18:14:22 - 00:18:46:18

Speaker 5

Ashish. So the thing that we're seeing the most is that folks that are entering into the security industry right now are coming from programs that were created years ago and are even themselves a little bit outdated compared to where the market is at right now, simply because of how fast it's turning over. So today, in my world, we have a tremendous amount of need for folks that can very specifically go into AWS or Azure or GCP and configure a secure cloud environment.

00:18:46:23 - 00:19:12:23

Speaker 5

The reality is, with all of these breaches, most of them are happening because of the same reasons, right? It's cloud misconfigurations, it's having inappropriate access somewhere, and it's endpoints slash human error. I combine those two because it's your people doing silly things. And so people just now, in today's society, going into security for the first time need to focus on those fundamental areas.

00:19:12:23 - 00:19:26:19

Speaker 5

And surprisingly, back to Ashish's comment about cloud security being a mile wide, a lot of people are focusing on these very niche areas, these niche problem areas, and there's just not enough need there compared to the critical areas I mentioned.

00:19:27:24 - 00:19:50:07

Speaker 4

Pretty awesome. I think I'll probably add a couple more things, because I think he touched on something really interesting in the space of misconfiguration and others. It's not really a complicated zero-day attack that people are facing in the cloud world. I mean, it's basically people like all three of us; it's just making sure the lights can be turned on, and hopefully you don't get electrocuted when you turn on the lights.

00:19:50:07 - 00:20:12:14

Speaker 4

Basically, that's kind of what we're trying to prevent over here. And the other challenge over here, I mean, I talk to a lot of enterprises, is the fact that, to how Sean kind of mentioned, give me the lift and shift. The other part is also that some people in the organization, and I've been a victim of this in the past, where there's a credit card with a massive, I guess, credit line, for lack of a better word.

00:20:13:05 - 00:20:29:07

Speaker 4

It could be a bank, it could be a fintech, or whatever the company may be; an individual, a director, may have access to a lot of funds. They can just start their own, because security said, hey, we should all go for one cloud provider, let's just not, you know, muddy the water and have multiple cloud providers. But you know what?

00:20:29:21 - 00:20:48:11

Speaker 4

I've got my credit card. I don't like Ashish. I'm going to go and sign up for GCP, even though he says AWS is what the cloud should be for everyone. And that adds a layer of complexity as well. So imagine if all three of us were... and Taylor is the CISO and all of us work with Taylor. Now, he's been going, hey, AWS, this is kind of what we are.

00:20:48:11 - 00:21:07:14

Speaker 4

Our skill set, it'll be Amazon Web Services, basically. That's what we should be focusing on. Then you're yelling at the top of your voice in the business, but somewhere down the line, someone just pulls the credit card and goes, I'll just go GCP. Now when they go into production and start making money, suddenly they go to Taylor: hey Taylor, by the way, you know how you said don't use another cloud?

00:21:07:20 - 00:21:29:07

Speaker 4

I've been using it, and it just worked out really well. Now the business wants to keep this. Can you help me, security? I mean, that's a very common conversation these days still. And then people like me who are already members of Taylor's team, we have only known AWS obviously in our lives. Now how do we train ourselves in GCP or whatever other new cloud comes in nowadays?

00:21:29:07 - 00:21:45:13

Speaker 4

Even Oracle and IBM are coming up in conversation. So where? When does it start? I don't know. Like, earlier I was just happy to have one of those MCSE certificates, Microsoft Certified Software Engineer or whatever the certification used to be. You got a job and everyone's using Microsoft. But now it's like, oh, I have to know AWS,

00:21:45:13 - 00:22:14:13

Speaker 4

yes, Microsoft, Google Cloud, Oracle Cloud, IBM Cloud. And on top of it, I have those services as well. I definitely feel it's a lot more complicated these days than it used to be. So as much of a challenge as it is for the team and the business to move from on-premise to the cloud space, for the team it's still a whole different thing. And there's not much like... I'm running a cloud bootcamp, a free cloud bootcamp, at the moment, and we started a cloud security bootcamp

00:22:14:13 - 00:22:34:13

Speaker 4

just because so many people have put out words into just thinking about, how do I get into this cloud security field? Because there's no content, there's nothing which trains them for, hey, how do I do cloud security natively? No one knows. So hopefully I can make a dent in it, or the world can be running. But it's definitely something that is a challenge.

00:22:34:13 - 00:22:44:09

Speaker 4

I'm glad Taylor called it out. And so people need to be aware that, yeah, it's great to go into cloud, but please don't go into multiple clouds if you can help it. But unfortunately, many people have credit cards.

00:22:45:18 - 00:23:09:23

Speaker 3

And I want... Taylor, I'm thrilled and intrigued by your role at Deloitte, because I'm sure you've seen tons of stuff. And I don't know, I mean, yes, the credit card, right. But it goes beyond that. When we were setting up an infrastructure on-premises, it had to go through procurement.

00:23:09:23 - 00:23:36:19

Speaker 3

And there were probably some risk assessments, third-party risk assessment perhaps. And you kind of fitted into an environment that existed. Right now, marketing can spin up a cloud, sales can spin up a cloud, legal can spin up a cloud. They can buy stuff, they can build stuff. And maybe it's connected at some point, maybe not.

00:23:37:17 - 00:24:11:13

Speaker 3

And some of them may be different providers, right? Different services, different data sets, multiple data sets. How did some of your clients, how did the companies that you were engaged with, how did they get a handle on some of that? Is there an overarching program, or did you insert yourself into the different departments? Or how do you suggest thinking we do that, if you didn't actually...

00:24:11:13 - 00:24:33:11

Speaker 5

Spoiler alert: the bigger companies don't have it figured out either. So I think I'm far enough out of Deloitte that they can't come after me for making that statement. But no, in all seriousness, even the enterprises, I mean, even 35% of the Fortune 500... I can't remember if it's 35% don't have a CISO or do have a CISO.

00:24:33:11 - 00:24:57:04

Speaker 5

But either way, that's awful. Of just the Fortune 500, you don't have a lot of ownership of security. And there are some great tools out there that you can really get your arms wrapped around shadow IT with, which is what you're talking about, Sean, of having these unknowns in your environment that the team or the leadership team or the finance team don't know about, because it's easier than ever to go sign up for a new service.

00:24:57:04 - 00:25:20:06

Speaker 5

There are some great tools out there, but the problem is that people are still... we're still in a stage where, at least in the SMB market, people aren't taking security seriously enough. It's like speed limits, right? Until they get pulled over, they're going to keep driving over the speed limit. They're not going to honor it, and they're not going to put on their seatbelt until something dramatic happens. That's human nature.

00:25:20:06 - 00:25:45:21

Speaker 5

And we've been doing it forever. And so now you're starting to see in the U.S. and beyond regulations coming out and hopefully motivating people to invest a little bit more in security. But for the most part, even though there are great solutions to combat the perfect problem that you just outlined, people don't give a darn right now, for the most part, because security just still isn't prevalent enough, even in the biggest of organizations.

00:25:45:21 - 00:25:58:02

Speaker 5

And I know I just made a huge blanket statement, but that is my two cents, based on what I see from my day-to-day job.

00:25:58:02 - 00:26:16:04

Speaker 4

I definitely feel security has to play a... well, I'm going to rephrase it in a certain way, and I don't know how many people would like it. Security needs to be okay with letting go of control. I think that's kind of where we are going with it in the future, because there would never be enough of us in any organization to solve the problem.

00:26:16:05 - 00:26:37:21

Speaker 4

I think Taylor mentioned it accurately. There will always be people who would want to go over the speed limit, and there will always be people who would want to bend the rules fast enough so that they can push an application into live, so they can prove that their value in the company is worth it. So I'm a huge proponent of DevSecOps and the whole security champions program.

00:26:37:21 - 00:27:06:15

Speaker 4

And when I mentioned earlier about AWS, Amazon kind of announced it from the stage. I kind of loved it, because ultimately I think there's a stat around the number of developers: there are 20 million or 30 million developers by 2022, which is insane, and just to say, the number of security people is not close to it at all. So the problem may be way bigger than for us security people to just try and solve it by ourselves.

00:27:07:11 - 00:27:33:03

Speaker 4

And there is definitely a future where, if we work with them... and I definitely feel it's worth it to spend some time, for people who may be listening to this too, just to change the culture of security in their organization. And from a perspective of us being the guide of, hey, this is a risk, we should probably address it, to, hey, we should work together, because tomorrow AKA Cloud is coming in and I clearly would not have any clue how.

00:27:33:03 - 00:28:03:18

Speaker 4

Think Starbucks, but you're probably spending your day in, day out on it. So how do we work together in solving this new thing that is there? And it works. I would probably say there are quite a few examples. I mean, I've done it, but I don't think the industry openly talks about the fact that security obviously needs to evolve into this collaborative effort, if you want to win. I think otherwise, to what Taylor mentioned, there's no CISO in most companies, so no one knows what you do.

00:28:04:02 - 00:28:25:12

Speaker 4

Maybe there are developers who feel responsible for security, or whenever there's, I guess, a speeding ticket that's going to come in: hey, we should never have done that, or whatever maybe jeopardizes their existence. Suddenly people want to think about security. So my stand over there is a lot more around the fact that, yeah, I think it's a lot more collaborative culture that kind of leads to a win for security.

00:28:25:21 - 00:28:42:24

Speaker 4

And yeah, just to add on to what Taylor said, I think that's pretty much where I'm coming from. But I see a lot of people initially really starting off with, I would get the best tool in the company, or the best tool to solve my problem. You get a lot of detection, you get a lot of alerts, but they find out, actually, I can't solve any of these.

00:28:43:08 - 00:28:53:00

Speaker 4

I need to talk to a developer, or I need an engineering person to solve these. So we're still going to them either way. It's like, you can go either now or you can go much later. The choice is yours.

00:28:54:03 - 00:29:33:03

Speaker 3

Well, let's go to what might be the topic that we don't move off of now, and I'll just frame it with the technology. So on the show, I often end up at a point where I ask the guest the question about, well, if you don't do it a certain way in the beginning, you eliminate the server, you eliminate or reduce the exposure, reduce the risk, and therefore you don't have to spend as much money securing things and plugging holes and fixing problems, because you didn't get it all secure, because securing it all is not possible.

00:29:33:24 - 00:30:02:04

Speaker 3

So don't set up that server that way. Don't install that app that way. Don't expose that port that way. Don't leave an open container open that way. Whatever it is. So, to your point, security is not going to be able to solve all of those problems, especially as everything just blows out of the water scale-wise and more and more cloud comes in. So security champions.

00:30:02:04 - 00:30:33:04

Speaker 3

I like that concept as well. Still, I believe there has to be a role for technology done in a certain way. And we can maybe look at Microsoft and some of the work they've done in their OS to kind of shore up the operating system. Again, not perfect, but this idea that technology could be developed and architected and deployed in a way that's more secure from the get-go.

00:30:33:04 - 00:30:56:17

Speaker 3

So you're not trying to insert security into the mix too far down the line is important. So here's where it gets fun. ChatGPT. That is a technology, but I don't know where it fits in. Is it, to your, Ashish, you showed it to help with pen testing the cloud, you know, you can help them test the cloud.

00:30:56:17 - 00:31:16:05

Speaker 3

Can you use it? I know it can create code. So can we use it to white box the code before it gets built? And can we help developers learn how to code better as they're coding with it? I'm just going to throw that out there. What are your thoughts?

00:31:16:08 - 00:31:36:14

Speaker 4

Yeah, I think ChatGPT is an interesting one, for a couple of reasons. I did a video recently on the whole concept of whether it could be a great learning tool, because I was hearing a lot of people talk about, hey, I was spending hours trying to correct this PowerShell script, I uploaded it to ChatGPT and found exactly what the problem was.

00:31:36:14 - 00:31:57:07

Speaker 4

That was a very common phrase that I was hearing. A lot of engineering folks talk about developers using it to debug their code, where they could not figure out where the line was, and at the same time a lot of people were using it to learn. So the video that I made on our YouTube channel for the podcast was on the whole concept of, can I use ChatGPT to, say, prepare for interviews for cloud security?

00:31:57:14 - 00:32:16:01

Speaker 4

It gave me questions which I think I would have asked. So it worked from that perspective. The other one I used it for was I tried creating resources in AWS. I pretended to be a cloud security engineer, day one, I have no idea what I'm doing. Hey, I've been told I need to create the infrastructure for this web application.

00:32:16:01 - 00:32:47:07

Speaker 4

How do I do this? Can I do this with automation, blah, blah, blah. It gave me all the information. Now, the flip side: if you go a bit deeper into how ChatGPT works, every time you upload information, it's being uploaded to their server. And if you are someone who's basically doing what we have been doing for years on StackOverflow.com, which is just copy-pasting actual code with the username and password into ChatGPT, that's what probably worries me. We don't even think about it, like, oh yeah, it's amazing, it's solving our problem.

00:32:47:18 - 00:33:14:16

Speaker 4

But how many people are sanitizing the data? Because clearly ChatGPT is the jam, so people basically have been uploading data. And the funny thing is, my understanding is the way it works, the way it understands context, is that if you start a session, the first question that I asked all the way up to my most recent question, all of that is sent collectively as, I guess, one box or one package back to ChatGPT.

00:33:14:16 - 00:33:37:04

Speaker 4

Every time I ask a question, it just adds one more to the same packet. So that's how it knows the context. Now, these are great for implementation, for people learning. GitHub tried this, there is a concept called GitHub Copilot, which is again to help developers code better, and the problem with ChatGPT or GitHub Copilot, at least,

00:33:37:04 - 00:33:56:13

Speaker 4

and as cynical as it may sound, it is learning off the data that they have, and who's gone through the data from GitHub or ChatGPT to know if it actually is killer code? Am I teaching my future developers the right way to do it as well, or am I just setting them up with the same problem that I had on Stack Overflow, where multiple people came over the session?

00:33:56:22 - 00:34:27:17

Speaker 4

One of them worked, but just happened to be a non-secure solution. And ChatGPT simply said, hey, use this. Because if you look at the, you kind of mentioned the whole configuration, misconfiguration that Taylor mentioned before, where, hey, the S3 bucket is open to the Internet. If you look at the code that is being created by ChatGPT for developing resources, sometimes that has a port open as well, and if the person doesn't know what that is, they'll still copy-paste that same thing onto their AWS or Azure, and that'll be the end of it, I'm sure.

00:34:27:17 - 00:34:30:21

Speaker 4

Taylor, you're seeing if some of this is valid on your end?

00:34:30:21 - 00:34:57:24

Speaker 5

Absolutely. I think that, for the most part, the whole fear mongering around ChatGPT is going to replace all our jobs, like, have we not learned from history, like 6000 times, that new technology creates new opportunities? And of course, there's going to be people that are impacted. But I think the biggest thing that will happen with ChatGPT, both in security and beyond, is it's going to cut through a lot of the B.S. that people have been putting out on the Internet historically.

00:34:57:24 - 00:35:31:09

Speaker 5

Like, ChatGPT can do a lot of basic functions. So the thing that it cannot replace is creativity. You can't replace that strategic element that goes into security, for certain, just like what Ashish was talking about. Like, it's not going to be able to pick up on a lot of even basic things that require any sort of creativity. In security, a lot of it is strategy and context and awareness, and none of those things have ever been executed well, even in all of the AI movies that come out.

00:35:31:09 - 00:35:56:22

Speaker 5

So I think we're okay for right now. But with ChatGPT specifically, it is cool to see, like, it's generating security policies, for example. It's developing or reviewing code. I've seen it do some great blog post ideas. It's just the goobers that take it and just post it on the internet. They don't use it for inspiration. They use it to write their blogs for them.

00:35:56:22 - 00:36:01:02

Speaker 5

That's the stuff that's really frustrating right now in the security community.

00:36:01:21 - 00:36:24:21

Speaker 4

Oh, I've got an interesting one for you, Taylor. I like to, I can become a user, compliance, like, how a compliance activity, a lot of them at least nowadays, people are trying to, sorry Sean, I didn't want to jump on it, but not to just, maybe a good, interesting conversation, but, you know, because I'm seeing the engineering side, the security side and all the other sides as well, do you feel like compliance can also?

00:36:24:21 - 00:36:43:16

Speaker 4

It would be good to know, literally, if you know FedRAMP, or you know ISO 27001, or SOC 2. They're all, and I'm humbly saying it, just a checklist that people have to compare nowadays. You will try and say, hey, I've got these CloudFormation templates from AWS. Is it compliant for SOC 2? Can we?

00:36:43:16 - 00:36:49:11

Speaker 4

I don't know. Has anyone done experiments that are in compliance with ChatGPT? If you can do security compliance.

00:36:49:11 - 00:37:14:16

Speaker 5

I haven't seen it yet, but it is absolutely something that I've been keeping my eye on. I think that compliance, a lot of it is so standardized that you can definitely figure out, in certain use cases, how to create automated controls from chatbots, for example. Or even, I see external auditors being potentially impacted, because a lot of the work that they have to do in checking evidence is pretty rudimentary.

00:37:15:13 - 00:37:19:08

Speaker 4

So yeah, I mean, you're out of time, ChatGPT account.

00:37:20:03 - 00:37:20:13

Speaker 3

Yeah.

00:37:20:16 - 00:37:24:04

Speaker 5

Yeah, exactly. So yeah, that's.

00:37:29:17 - 00:37:58:05

Speaker 3

What we like, co-founder Marco and I, we have another show called Audio Signals, where we just go wacky on stuff, right? And I mean, we end up either utopian or dystopian. That's kind of the scope of the conversations. And often, when I look at automation and technology, I find that my brain leads me to a world of lowest common denominator.

00:37:58:20 - 00:38:26:16

Speaker 3

And I don't know, almost all those conversations, even though I feel I'm optimistic in the conversation, I still come up with this idea that we're going to end up with data that drives decisions, that drives culture, drives society, to a lowest common denominator. But now, having interacted with ChatGPT, I feel that perhaps there's a way where, if one didn't know something,

00:38:27:12 - 00:38:58:02

Speaker 3

it's much easier to find out about that something, or, to your point, Taylor, to be inspired. Maybe not. The cheating and cutting corners is the lowest common denominator story for me. But to be inspired to learn something new and take that and build upon it, to me, actually raises the bar more to a higher watermark for everybody, perhaps. Of course, technology,

00:38:58:02 - 00:39:09:21

Speaker 3

it's how it's used, right? It can be used for good or nefarious reasons, but I don't know. Any thoughts on the high watermark versus lowest common denominator?

00:39:11:14 - 00:39:38:17

Speaker 5

I definitely take the side of hope and think that there's a lot of really cool things that you can do with ChatGPT to optimize how you learn and how you grow as a professional. I do worry that we will go in the direction like we have with cell phones, where we're essentially walking cyborgs, where I can't remember my own birthday, let alone my immediate family members' half the time anymore, because you get so reliant on technology and, oh, I can just go Google that.

00:39:38:17 - 00:40:04:22

Speaker 5

And now we're going into this era of, I can just go ChatGPT this. I hope that it doesn't make us increasingly more reliant and less, I guess, less of human beings. And I know that we're going really stoic here now, so I don't want to go too far down the rabbit hole, but that is one worry I have, in general, but especially in the security community. I hope it doesn't incite laziness.

00:40:05:23 - 00:40:24:18

Speaker 4

I think I'll proudly say I've got three words for this, and I've always felt that these three words have probably been passed on from every new technology that has come through, which is: trust but verify. And I think ChatGPT is the same as well. You can trust it to at least do the right thing. Millions of people are using it.

00:40:25:00 - 00:40:48:16

Speaker 4

And I don't know if you believe the news, but OpenAI, the company that created ChatGPT, the founder is a doomsday prepper as well, but he believes he's going to take over. So that's the kind of person who created the A.I. in the first place. But the hope in all this, and I definitely believe people should not walk away from new technology with the cynical view that, hey, this would not help me.

00:40:48:23 - 00:41:09:19

Speaker 4

They should definitely try and go down the path of using anything and everything new that comes in, just because, by the nature of it, whether you like it or not, your close family members, your best friend, people around you would start using it, and then you become the guy with the Nokia 5600, or whatever the phone used to be, when everyone else has an iPhone.

00:41:10:02 - 00:41:30:00

Speaker 4

And how long are you going to be on that Nokia 6600, or whatever that model used to be, that was like a brick, until you go, okay, you know what, I'm just going to go for an iPhone now. So it's going to happen. All of us have stopped going on horse carts, or whatever the carriages were, I guess. Now we all drive cars, so we have all evolved.

00:41:30:00 - 00:41:47:20

Speaker 4

It's just a matter of time, but I'm sure people will then be bored. Oh, actually, the hilarious thing was, I was reading somewhere, when the first car was invented, all the horse carriage folks basically said, also it's polluted, there's pollution everywhere, why would you go for that? But ignored the fact that the horses were shitting everywhere. That's different. But it's okay.

00:41:48:11 - 00:42:08:18

Speaker 4

Evolution. But there will always be resistance. That's why, I know where I feel, I keep going back to trust but verify, that if it goes really bad, humans or someone somewhere will definitely protest, and someone would definitely change the way the rules of the industry work. Like nowadays, how many cars do you see that have no air pollution problem?

00:42:09:00 - 00:42:19:03

Speaker 4

Not that many. It takes time. It doesn't happen instantly. But trust but verify is my motto for that nature.

00:42:20:08 - 00:42:47:18

Speaker 3

Well, let's talk about trust. I know we're coming up toward the end here. But one of the points you put in the notes as we were preparing was building respect, and I just look back on security over time, and we never really had all the answers, right? And sometimes we were thrown around in the FCC.

00:42:47:18 - 00:43:23:24

Speaker 3

I had a CNE that was all in on NetWare, baby. Right, exactly. So there were things we did to, one, learn, and two, demonstrate that we did learn something, and hopefully from that gained some credibility. But to me, the most important of all of that was the critical thinking and the problem solving, and looking at something we hadn't seen before, understanding enough about how it works to understand how it might be misused or not work as it's intended, and finding ways to reduce exposure, minimize the risk.

00:43:24:14 - 00:44:00:07

Speaker 3

So, how do you bring it back to cloud security? We can keep getting in there if you want to. But how do we maintain that level of critical thinking and problem solving in a way that we also maintain a level of respect? And especially if we move down the path of security champions, where we're now relying on others who don't have the same history and skills and learnings, as broadly as perhaps some of the, your career, like me, have in this space.

00:44:00:24 - 00:44:26:07

Speaker 4

Yeah, I think one thing that is never going to change, and I'll go back to what I said earlier, I think security would need to be comfortable to lose control of, maybe not everything, because, to what you called out specifically, developers were never trained to know how to secure a network, how to develop a security architecture, how to develop the right way to code something in Java or whatever other language they were using.

00:44:26:07 - 00:44:48:03

Speaker 4

So they were never trained for it. And I would say, to a large extent, people still believe that that is not part of their role. Their role is to develop quality code so that you can build applications around it. So to bring respect into a conversation where you have to work primarily with others to either solve problems that you've identified or to do the right thing,

00:44:48:03 - 00:45:09:19

Speaker 4

when they see a link from, hey, it's how to simply solve other problems, you should upload your code, like making the right calls over there. I think, for me, it's culture. It definitely is culture, and not the culture that just the company is talking about. The culture that you create as a security team within an organization is what's going to give you the respect that is there.

00:45:09:19 - 00:45:32:20

Speaker 4

I'm a big fan of the security champions program because that definitely humbles you as a person with how much you don't know. I mean, at least for me personally, the first time I experienced it, I thought I knew everything about cybersecurity. And the moment someone threw a Java code at me, because there was an alert that came in the security section, I'm like, I think I used to be a pen tester, but maybe not that much of a tester anymore.

00:45:33:00 - 00:45:48:21

Speaker 4

So can someone else help me explain what this is? So it definitely humbles you really quickly that, to what you called out, how much you don't know. There's always a moment you would find that, oh my God, I have no idea. But I just need Sean to help me understand this, so collectively we can make the right call.

00:45:48:21 - 00:46:12:17

Speaker 4

So for me, it's culture that would breed respect in an organization for security. And it's a mutual thing as well. If you give them respect, they give you back respect as well. So for me, a culture of transparency and collaborativeness is kind of where it's at. It's not technology. For me, it's definitely not technology. It's more the softer parts of the day to day.

00:46:12:17 - 00:46:45:24

Speaker 5

I think we're at a cool time in history where people are using security, for pretty much the first time, to earn trust with their customers. And it's a really, really cool trend that I am seeing a lot of. But now more than ever, as a startup, for example, it could be some guy and his dog selling to the likes of G.E., and we have these amazing opportunities to create companies essentially from our basement and go and sell to some of the biggest brands in the world.

00:46:45:24 - 00:47:08:05

Speaker 5

And because of that, there is this huge influx of security assessment questionnaires and security demands coming from customers. But at the end of the day, that's establishing trust between two parties. Yes, it's a legal, contractual obligation as well. But brand is very much dependent on your ability to earn the trust of your customers. And I look at that synonymously with respect, as you mentioned, Sean.

00:47:08:05 - 00:47:29:08

Speaker 5

So I think that being able to paint that picture for your customers is still going to be a skill set that is extremely valuable. And we certainly have been working on our ways of how we can use security as a sales engine for our customers and not just do the fear, uncertainty, doubt approach. I think there's a tremendous amount of opportunity to be creative and apply

00:47:29:08 - 00:47:56:10

Speaker 5

a lot of those human elements that I mentioned before towards security as it relates to sales. Combining security with business strategy, that's another huge thing. The NIST Cybersecurity Framework and the Secure Controls Framework and all of these, they weren't meant to be one size fits all, and yet that's how we've treated them since inception. So being able to be a human that can go and take those things and really customize them for a specific IT environment and use them to grow the business,

00:47:56:16 - 00:48:11:22

Speaker 5

those are the areas where I'm really seeing people earning respect on the security side, as professionals that deserve accolades, and then also between businesses and other businesses, or businesses and the consumers they sell to, earning trust.

00:48:12:19 - 00:48:30:12

Speaker 3

Yeah, I love it. And as I hear both of you talking, I'm just thinking back over time. There's still a bit of it. But I mean, kind of to the earlier point, we didn't have the answers, so we were kind of going through things as we knew how to, at least how to solve a problem. We figured that out.

00:48:30:19 - 00:48:52:05

Speaker 3

You didn't know all the answers to the problems, but with that was a lot of unknown and uncertainty that we couldn't, as security professionals, communicate to our peers in the business, right? And then on top of that, we had a bit of an ego that we'd also hold on to, where what we're doing is magic, all right?

00:48:52:05 - 00:49:21:03

Speaker 3

Nobody else can do it, because only we know how this stuff works in that way. And I think over time, that's kind of, to use the word soften, like you put it, Ashish, I think that's softened a bit. And we're seeing, even with the likes of the security champions programs, we're kind of laying bare what we know a bit more right now and asking others to join us on this journey of securing things.

00:49:22:02 - 00:49:31:03

Speaker 3

And so I think some of the stigma is leaving us a bit, and the trust is changing to be something different as well.

00:49:31:03 - 00:49:47:24

Speaker 4

100%. I think it's funny, and I'll add something here, because a lot of people think, oh, I can't do security, and I always talk about the fact that when people walk out of their doors, they make sure that the doors are locked. That's physical security as well. Like, a lot of us do security without calling it security.

00:49:47:24 - 00:50:03:17

Speaker 4

And it's just that some of us have the title for security, but everyone's doing it. So pointing out, hey, you already are doing it. I'm just asking you to do the same thing that you do for your house for the code you create on the company laptop. That's pretty much it. I'm not asking you anything more.

00:50:03:22 - 00:50:21:13

Speaker 4

I'm not asking you to check your doors. You do it yourself. No one gave you any security, I mean, any training for it. You just watch a lot of videos, or whatever it may be. You just don't want to be in a situation where you're compromised. So I'm just asking the same thing. Yeah, 100%. I just wanted to add that in, because a lot of people may look at that and go, oh, these security people are talking about security being important.

00:50:21:21 - 00:50:28:05

Speaker 4

But the reality is everyone's already doing it. It doesn't include security as well.

00:50:28:05 - 00:50:59:21

Speaker 3

So at some point, that's one of the reasons Marco and I joined forces, to break out of security talking to security. We still have to, because we're always learning, but we also try to talk to others as well, and hopefully talk to others listening to the show. And with that said, I want to thank everybody for listening, or watching if you happen to catch the video version of this, and Ashish, Taylor, it's been incredible.

00:51:01:10 - 00:51:25:05

Speaker 3

Yeah, I feel we could keep going. Maybe, if you like, you can come back and talk about something else. We didn't get into containers too much. Platform engineering. We could talk about site reliability, and pick your favorite topic. But if you guys have any resources you want to share that you think would help folks keep learning after they enjoy this episode,

00:51:25:05 - 00:51:35:09

Speaker 3

definitely share those with us. And by all means, connect with Taylor and Ashish and listen to the Cloud Security Podcast.

00:51:35:09 - 00:51:36:23

Speaker 4

Thank you. Thanks so much for having us.

00:51:37:11 - 00:51:45:12

Speaker 5

Thank you so much for the opportunity, Sean. And thank you to the listeners for taking the time.

00:51:45:12 - 00:52:09:19

Speaker 1

We hope you enjoyed this conversation. If you learned something new and the story made you think, then share ITSPmagazine with your friends, family and colleagues. If you represent a company and wish to associate your brand with our conversations, sponsor one or more of our colleagues. We hope you will come back for more stories and follow us on our journey.

00:52:10:11 - 00:52:31:16

Speaker 1

You can always find us at the intersection of technology, cybersecurity and society.