Cloud Security Reviewed With Ski

TLDR;

  • To build a security centric culture, Transparency with teams, getting Executive Support and Investing in Regular Training are utmost important.
  • In order to improve working relationships with other teams, Security Teams should Start interacting early in the journey and define Go To Market Security Strategy along with the teams.
  • Regarding Certifications, always start with security controls. Set the proper controls, baselines and have frequent monitoring in place. Align it with the Vision of the organization. Certification would be easier if controls are defined properly.

Transcript

Host: Hi everyone. Thanks for tuning into our Scale to Zero show. I am Purusottam, Co-founder and CTO of Cloudanix. Scale to Zero is a forum where we collect questions from curious security professionals and invite security experts to learn about their journey and also to get questions answered. Our goal is simple we want to build a community where we learn about security together and leave no security questions unanswered.

With that, let’s get started.

So for today’s episode, we have Ski. Thanks for joining our Scale to Zero show.

As an introduction, Ski has around 12 years of experience in information security with initial 8 years in the Tata Consultancy Services Corporate Information Security team, handling security and compliance for 100+ banking and financial service industry enterprise customers. Ski has been working with Freshworks for the past 4 years, where he was a founding member of the Go-To-Market Information Security Team responsible for customer assurance, Workforce Training & Awareness, and Global Go-To-Market Cybersecurity Strategy and Branding, and Information Security Program Management. Ski also offers pro bono mentorship via ADPLIST.org and MentorDial on Information Security Strategy for Startups.

It’s my pleasure to have you here today.

Ski: Thank you, Purusottam, for the opportunity. I think it’s super happy to be here and share the insights.

Host: Thank you.

So let’s get started with the questions.

So often, security teams are seen as roadblocks to business growth.

So how can security teams work with other business units in an organization to increase revenue or improve the overall bottom line?

Ski: All right. I think security should be considered at every level and department. So I think security teams should work with the business teams together to figure out what is needed for both ends. So that’s the best start. So that’s one, and considering security at the very earliest stage, we call it a shift left. That approach is something that every business unit or organization should follow so that there will not be any roadblocks at the latter stage because you end up talking about the security stuff on the early stage, both teams share their insights and figure out so that’s one and understanding the market asks and the customer needs is something that should also be done along with whatever we are trying to do.

And one other reason for the sales and marketing teams to go out without having any roadblocks is having a go-to-market security strategy. I think these are some of the things that will clear roadblocks both on the engineering side and also in the sales and marketing side.

Host: That’s that makes a lot of sense.

One of the things that we might have noticed, right, every company has a specific culture, either it’s engineering-driven or sales driven, etc, etc. Right?

So As a Security Leader, What methods would you recommend to bring awareness and develop security-centric culture and mindset in an organization?

Ski: All right, I think that was a good question that is something that every company is also trying to do.

So I think there are multiple ways to foster a security culture or an environment which brings that the very first one is I think being transparent in what we are trying to do. Highlighting the risks, real-world examples and scenarios of each and every small items that we handle. It could be related to your devices, it could be related to the way you structure your infrastructure or the security control. Be very transparent, that is one and get the executive support. That’s very key because you might come up with a lot of plans, but I think that should be aligned with the organization vision and you should win the executive support.

Highlighting the risks and the costs that are involved on these trainings which will also help us to prevent cyber threats because end of the day it’s people who are the very first factor which is considered for all the cybersecurity threats that are happening. Then technology and all the other factors obviously invest in training. It could be because the training has been evolved over the years.

Nowadays gamification having them engaged is something that’s very important. Gone are those days where you just take classroom sessions and send some videos. So we should engage all type of audiences by investing in a lot of trainings apart from all these things. I think enabling an environment where everybody is encouraged to ask questions on why these things are done, I think that’s the best way to develop the culture because end of the day it’s not about one group of team trying to enable security.

It’s everybody’s responsibility and it is something that everyone should learn and adapt on a day to day basis.

Host: So it’s more of a team game rather than an individual or executive game, right? Makes sense. So that’s a perfect segue to the next question.

Let’s say like for startups, Early hires generally define the culture and growth of the company, right? So keeping that in mind for a growing startup, What security roles should be hired first and why?

Ski: Typically you need someone who is having hands on because the very founding member or the very early person in the security team should be able to do everything right from strategy, operations, implementing controls, writing scripts and whatnot.

But my take or my experience is having a combination of leadership and strategy plus a hands on and technical ops person. So if you have to say give me the two members who would require to start a cyber security for an organization. Someone who is good with leadership and strategy, who can think across the board, like convincing the leaders, also the sales team and also the engineering team and someone who is closely to support the leadership in implementing all the controls that are required.

I think these are the two perfect hires to start for a startup.

Host: Okay, that makes a lot of sense.

So now let’s say the startup hired a few security roles, right? One of the earliest activities that is done is goal setting, right? So in that case, What metrics or KPIs would you recommend to use to define their success criteria? Let’s say when you are defining their three months or six months or twelve months or even 24 months plan?

Ski: All right, I think I’ll put it into two segments here.

If it’s for twelve months or 24 months plan that is something to do with the leadership team, it could be the security leadership team or the overall leadership team that is involved. I think it should align with the vision of the organization. Security is not something like irrespective of the organization, security can be built just like that. I think it should align with the organization’s vision and business and that’s where the type of security and security culture comes in. So for a leader it’s very important that to define or see what is the vision and how we are going to align and what are the things that we are going to do once that is done. I think it boils down to the specifics where you come up with three important categories.

One is from the governance perspective, what are the things that we have to do? It could be metrics related to risks, training and awareness. What are the list of people that we need and how many vendors that we require? These are some of the risk related metrics that it should be handled from a technical security standpoint. It’s all about securing the applications. What are the incidents and vulnerabilities, what are the threats that we are blocking? What are the number of incidences that we have? What is the frequency, time taken to detect, time taken to resolve, and time taken to respond?

These are some of the key metrics that would be required. Core and core, out and out technically. But the third important metric that many of them miss or often see is what is the revenue that we are preventing or enabling? What are the costs that we are cutting down? Are we really enabling revenue by doing all these things or just acting as like security guardians of that sort? That is something that’s more often missed. So a metric should also involve what is the cost involved and what is the revenue enabled?

Host: That makes a lot of sense.

Now, in terms of the impact like whether the cost to the business growth, one of the things that we have seen that as part of their jobs, like sales teams, when they are working with enterprise customers, they generally look for certifications because enterprise customers ask for certifications like SOC2 or ISO or PCI et cetera, et cetera. Right? There are so many. So the question here is, is that enough?

Like, is getting certification enough from an overall security standpoint? What’s your take on that?

Ski: All right, so I would say certifications are just an additional trust and assurance for customers irrespective of enterprise or mid market. And it is not only for the customers. These are like a guarantee and assurance for customers, investors, shareholders, and even for general public who are following a company. It’s like more of a testimony from a third party. So having a certification doesn’t mean that it’s all enough. So say someone like ISO and SOC2 are baselines to start with. At the end of the day, depending on business, I would say a company should keep asking if we have the required controls.

So certification comes at the very later stage because if you have the controls, certification is just about inviting a third party, asking them to review and verify and give an attestation. So if you have the accessory controls, that is just one step to show to the world and give a more greater assurance that hey, we are also aligned with industry standard certifications and complaints. So yes, it is important, certifications are important because that’s going to add press. But again, more than certification, what lies on the base is continuous reviewing of all these controls to see if we are up to date. I think that defines that’s my take on controls and security certification.

So, security certifications are for the sales side, while the actual controls are for the engineering side.

Host: Right.

All right, so it’s more around setting the right controls and setting proper procedures to monitor them on a regular basis. More than just having a certification that matters the most. Yeah, makes sense.

Ski: Correct.

Rapid Fire

Host: Okay. So now let’s move to the rapid fire section. So the first question is

What’s your persona animal?

Ski: Sure.

Okay. So I think I would be best described as sealion, based on whatever test that I have taken, but I would agree to it based on my character personalities and the time I get aggressive or being open-minded. So yeah, Sea lion would be the best one.

Host: That’s an interesting one.

The next one is, assuming you are hiring,

What stands out in a candidate’s resume for you? what do you look for?

Ski: I think more than a rescue, I would be interested in having a conversation to see how passionate the candidate is because information security is never ending or ever-growing feed.

So unless someone is not having the passion to know what is happening day to day, I think that’s the base. So learning security stuff or learning the skill set that comes along the road once you have the passion, so I personally believe in it. So I do see for that in the candidate how interested or passionate the candidate is.

Host: That makes a lot of sense. And I believe passion plays a major role in pretty much every industry, right. Not just security, but security, it has utmost importance because you are looking out for your company or organization. Right. So it makes sense.

Ski: Exactly

Host: What’s the biggest lie you have heard in cybersecurity?

Ski: Okay, it would be a funny one. So the very light that I used to hear is MacBooks doesn’t require antivirus, the MacBooks are safe and secure. So that’s not at all.

That’s one of the biggest lies that I’ve heard. But if you haven’t even given the security knowledge, even today, some would believe that.

Host: I can relate to that. So the next one is,

What advice would you give to your 25-year-old self starting in cybersecurity and why?

Ski: To my 25 year old self, I think keep following your passion would be that way. Because personally I chose information Security because of the interest and the passion drove me all the way. Whatever I learned, whatever I acquired in this field so far, I think I would just go out and follow the passion, learn more, don’t run beyond certifications. That’s something that I see very much in the market.

So people go after certifications telling that okay, if I complete the certification, I’m entitled. So I think I would keep that secondary. That would be the biggest advice.

Host: Right, okay. Makes sense. A one-liner quote that keeps you going?

Ski: Okay, so one line of code. I have something on my regional language. So it’s called, ‘ennam pol vazhkai’.

So it’s like you live your life based on your thoughts. So I personally believe in that. So what you think is what you become. So that’s one of the quote that keeps me moving.

Host: Oh, that’s awesome. That makes a lot of sense, right? In today’s world especially.

Ski: Yeah

Host: Thank you for sharing that. So thank you, Ski. It was so insightful to speak to you, learn about the culture, learn about what should companies look for in a candidate and what should they set as their goals and stuff like that. So looking forward to learn more from you in future.

Ski: Yeah. It was a super awesome session. Thanks, beta as well, for getting this organized. So super happy to be here and share my insights

Host: And to our viewers, thanks for watching. Hope you have learned something new. If you have any questions around security, share those @scaletozero.com. We’ll will get those answered by an expert in the security space.

See you in our next episode. Thank you so much!