Data Loss, DevOps, and More!

Cloud Security Podcast | Data Loss, DevOps, GRC | Scale to Zero 

TLDR;

  • Threat modeling is key for incorporating security in each phase of SDLC. More importantly, training the team to look out for gaps in security and then using that for threat modeling will have the highest return for organizations.
  • When working with other teams and execs show how security can bring in value and use the language that resonates with them instead of showing off the capabilities or dashboards from different security tools.
  • No one size fits all approach when it comes to security or DevSecOps. It always depends on the industry regulations, budget, resource availability, and many more factors.

Transcript

Host: Hi, everyone. Thanks for tuning into another episode of Scale to Zero. This is our first episode. For season two. I'm Purusottam Co-founder and CTO of Cloudanix.Today's episode is focused on cyber, risk management, DevSecOps, and to talk more about this, we have Chris Hodson in the podcast.

Chris is a CSO for Cyberhaven, where he oversees all facets of security to protect cyberhaven customers and employees, including like cloud and application security, security operations, and risk management. In addition, Chris also serves as a board advisor at workforce development platform Cybridi and is a fellow of Chartered Institute of Information Security. Prior to joining Cyberhaven, chris held CSAW positions with Contentful, Zscaler and Tanium. Chris is also an author of Cyber Risk Management Book, the number one bestseller in Amazon UK. Chris, it's wonderful to have you in the show. For our viewers who may not be familiar with you, do you want to briefly share about your journey?

Chris: Yeah. Thank you, Puru. And hello, everyone this afternoon or morning or whichever time zone everyone's on. Yeah, it's a great introduction. So you covered most things there been in the technology game for around 20 is it really 22 years? I think so, yeah, around 22 years now. Most of those majority of those spent in information and cybersecurity. So everything from kind of security, engineering, operations, design, architecture, spent a ton of time in financial services, which I think, anyway, is where kind of the passion for risk management kind of came from financial services very early in terms of kind of the cyber and information security lifecycle and tenure. Anyway, yeah, got it. They got it nice and early. So I spent a lot of time there.

Yeah. And these days, I think the last ten years or so, I've been in the tech space. So working for vendors, as we were talking before the call, largely West Coast, Bay Area employers, but I enjoy it. So I work with product security, it security, legal privacy, you name it. So, yeah, really looking forward to the conversation today.

Host: Definitely, yeah, same here. You have a ton of experience and we want to learn from you so that our audience can learn something from that as well. So thank you for coming to the show. The way we do the podcast is we have two sections. The first section focuses on security questions, and second section is around rating security practices.

So let's start with the security questions. And I want to start with DevOps environments and how those are set up. Right. So typically DevOps environments are dynamic and teams are constantly changing, so aligning roles and responsibility is a challenge.

From your experience,

Dig Deeper on DevOps, DevSecOps | Cloud Security | ScaletoZero
Unlock the power of DevOps & DevSecOps! Kyle Fossum takes us into detailed discussions on transforming software development and security practices.

How can organizations effectively align the roles and responsibility in these environments so that particularly security practices are set in properly and teams understand what their responsibilities are and how do they mitigate the risks?

Chris: Great question. Can I say? It depends. It does. Company size, vertical culture. Culture plays an enormous part in this. Most DevSecOps or DevOps or even just straight-up engineering teams. They're global these days.

They're hybrid working, they're remote working. As we said before, they're remote-friendly, whatever it is. So I think that's a massive part of it. Clear communication, cross-functional communication that people appreciate, people's backgrounds, people's ways of working, where they live, challenges, benefits, et cetera. I think, speaking from my experience, I've done this quite well. I've done this very poorly. And I can give kind of different, I can compare and contrast those points. The most important thing is that you strive for kind of almost semi-autonomous engineering work okay? So what I mean by that is trying to go to your CFO and your board and saying, hey, for every new engineer, I want a new security person, or for every two, I want a new security person. I mean, that's not going to fly, is it? You're going to get laughed out of the room. So the only way that you can provide a level of coverage for security-related topics in an SRE team and a dev team, whatever, is to help them understand the importance of security. And I think I'd love to hear from your kind of viewers and listeners, but I'd hope that in 2023 most teams are security conscious and do put security first, but having the security function there to define sort of artifacts and processes that teams can then go and look at themselves and we don't have to make those up.

I remember when I was early in this game, I mentioned financial services. I remember very early on there wasn't as much stuff out there in terms of good practice recommendations, or how you threat model, or which standards do you need for session handling or encryption, et cetera, et cetera. But there's so much stuff out there today. I had a conversation yesterday with someone just about GitHub just saying, going on and looking at security designs for Kubernetes. There's just tons of stuff out there. So this is a really long answer. So I apologize, but it's important that the security team acts as a consultant. They're there. Yes, you will have occasions where you'll join daily stand-ups. You may join Retros.

But broadly speaking, if you can create a set of documents and a set of working practices so that engineers say, hey, we're doing something with authentication or encryption, we need to go and ensure that we've covered these six or seven things. Or here's a sample threat model, or some user stories or misuse case stories, potentially, and getting engineering to start to feel comfortable with having I always say, have a go. Like, do you know what I mean? Have a go. Go and enumerate the threats that you think are in scope. Go and qualify those vulnerabilities and kind of go from there. I know that the default answer to this is, hey, you need a security champions program and then everything's fine. But that depends.

One Champions program in Company A is very different to One in Company B. But yeah, getting some security minded and you'll find these in every company. Like, even if you're just going through engineers, you'll find three or four, generally. Who, hey, they've had Kali Linux, and they've played around with things in their own time, or they used to attend I Wasp meetings, and they've worked on ASVs or whatever it is, finding those diamonds for us anyway and starting to train and develop them. I think that's the best way of doing it. And of course, I know I mentioned very briefly threat modeling, but that means many things to many different people. But just getting people to think in terms of what could go wrong, I don't always think that engineering teams think like that. I think, hey, the world's a great place. We need to get this thing live. And yeah, we have a different mindset. I know we both do.

Host: There are a few things that you highlighted are key, right? One is there is no one size fits all solution. It always depends on your infrastructure, your environment, your, your vertical that you are serving. And that and then also communication plays a major role, right? As you highlighted, like working with the security team, working with the engineering team, working with the, let's say, Execs.

So I want to dig a little deeper on that. So most of the companies set some security programs, like for governance, risk management, and compliance. And it's often difficult to set it up because again, as you highlighted, there are communication challenges, there are budget challenges. You cannot just hire an infinite number of security team members.

Right?

Security debt and prioritizing risks with Aakash Yadav
Host: Hi everyone. Thanks for tuning into our Scale to Zero show. I am Purusottam, co-founder and CTO of Cloudanix. Scale to Zero is a forum where we collect questions from curious security professionals and invite security experts to the show so that we can learn about their journey and
Discussing GRC, Data Privacy, Cloud compliance | Scaletozero
While discussing, Our guest Alyssa Ahmann will guide you through some best practices and concepts for various cloud compliance standards. Check full episode

So what are some of the challenges that organizations face when setting up security programs?

Chris: It's a great question. It's hard to prove a security negative, isn't it, in the world we live in today? The macroeconomic challenges that I think every organization, not just organizations people have at home, security is under a lot more scrutiny than it was two or three years ago. Two or three years ago, companies and I'm generalizing like 20 industries here, but had more disposable money for operational costs like, like security. So now it's really, it's just really difficult. Like the, the CSO has to have like new tools in their toolkit. And one of the key tools at the moment is almost being like a mini CFO. So being like financial officer for their own organization. So saying, hey, these are my budget versus my actuals for this quarter.

And this is almost quantifying, which is very hard for us to do a security pros, but quantifying why we need these things. So the challenges come when you're fighting for resources, when you talk about building a security program. I'm trying not to say trite things today, but it's people first, isn't it? So the most important thing if you find the right people with the right kind of cultural fit and the right appetite you can teach them the technologies that are out there fairly quickly especially in the modern world. So getting budget for people I think is your biggest challenge. And yeah, like I said, especially in organizations where security sits in the more technical side of the business. So it might tons of friends who are CISOs where they're within it organizations or end organizations and there's some intrinsic benefits to the end side as we just talked about with DevSecOps, but it does mean you're constantly fighting for headcount budget with SREs and front end developers and whatnot right and product designers. So that's a big challenge.

The other one I think as well I could be here for an hour talking just about this. But another major challenge is knowing what the priorities are for that security function. Like priorities in terms of you as the incoming CSO have identified that these things need fixing like they're either egregious or they're just stuff that you need to fix but then also the stuff that the business cares about and I think getting a combination of confluence, whatever of those things helps overcome some of those challenges. But to wrap up I suppose in the modern world, yeah, it's fighting for headcount and it's getting other people in the business to care. I work for a data protection and cybersecurity company so I can go to my boss, go to my board, my leadership team. They kind of get it like hey, here's why we need security for our container architecture. Or hey here's why incident response is super important. You work for a supermarket, you work for I don't know, maybe not FS but you work for a retail organization you may get an inertia there or inertia more broadly there on hey, we need to do these things, let's do a business project instead I think.

Host: Right, so you highlighted two key things, right? One is the budget and the second thing is around prioritization because you cannot sort of solve everything, right? So how do you overcome these challenges, let's say as a security leader when you are facing these two challenges,

how do you overcome them so that any security leader who is going through it right now or might go in future can get help from it?

Chris: I'm just going to say the first thing it comes into my head which is kind of stop talking about process injection and DDoS, I mean outside of your security audience and start talking about the impact of those particular threats or in some cases vulnerabilities manifesting in your environment. Sorry, anybody listening? But no one outside of the security world kind of cares about the how they care about the what. And I'm generalizing enormously here but if you can align those things back to business challenges and business objectives and it isn't always quantifiable, right? You can't always put a dollar value on things but you can a lot of the time as well. If you're a public company, quarterly results, you can align things back to those. If you're a cross-functional C. So you're working with HR, you're working with Legal, you're working with Finance. So hopefully you can say, hey, we need to do this thing because this is the business project that you want out the door in six months time, three months time. You've all agreed that security needs to be involved at these points.

We can't do that without procuring this solution or hiring this person, whatever it is. So I think that answers your question. Candidly, I forgot what your question was. That's how I would go about doing stops. I'll give you an example. In my career, and I wrote about this in my book, I used to use some quite technical performance and risk indicators, which I thought were great. So you go into your EDR tool or you go into wherever's front in your web applications, and you can get tons of graphs and like pew charts and all this stuff. And I would go and talk about how successful those solutions were at blocking stuff or identifying stuff. No one cared. That's what they'd paid the money for. So going and telling an executive audience, hey, this firewall blocked 200,000 potential, I don't know whatever attacks they're not really I'm trying to think of the actual example I gave, but it was very esoteric and technical. I think it was to do with like layer seven flags or something and just no one's really interested. So that's something definitely to avoid. Go and talk about business problems and business challenges. And if you can't do that, then you probably want to go back and think about your prioritization. Like, seriously.

Host: I think the takeaway for me is the language. How do you communicate with other team members? Not just execs, but other team members, right? As technical folks, we make that mistake, and you highlighted it really well, right? We feel proud that, hey, we have installed a vendor and the application is able to stop these attacks. But how does it translate to business value?

Chris: Definitely

Host: You present it the way the other person can better understand so that they can help you in a way, right? If you are looking for prioritization, if they understand it better, they can help you with prioritization. Yeah, that's absolutely accurate. So now a follow up question is now let's say you have the language in place, but you must have some metrics, right, so that you can report up to your, let's say, leadership, see your board of directors or other team members as well.

So,

How do you communicate your overall security posture, gaps and plans for improvement with those groups?

Chris: It's a good question. So I started to talk about it in the previous point of where I've messed up. So KRIs and KPIs, they have their place, but for an executive audience. They're not brilliant. Something I've been doing over the past few years is focusing much more on OKRs. And a few people may sign out and go, but I find it's a much better way of identifying there's two things, right? It's a much better way of getting executive resonance, like obtaining input and buy in from a broader audience, but it also gives me an opportunity to tailor. So OKRs are objectives and key results, sorry, I'm assuming a level of subjectives and key results.

So defining kind of the very almost big ticket items that you want to do, I try and do them for a financial year. So we're in our FY 24. So broad set of handful of things. I actually have six for FY 24. And it's everything from how can we satisfy our compliance requirements to how can I help my product organization develop compelling solutions, real, kind of not moonshot stuff, but overarching things and then under that have a series of key results. So rather than just having an annualized set of key results, do things quarterly or monthly. Like have some phrases I'm a big believer in, like marginal gains. Like I've seen, I've seen and I've had conversations in the pub with, with friends who are CSOs, where this has failed, where they have these real gold plated awesome objectives like achieve 99% agent health on all Mac corporate endpoints. Now, they're never going to get that because you have people on vacation or people who just straight up don't listen to security and regardless of the technical tool you have, you're not going to get that. Right. So have things which make incremental improvements and make sure that those improvements are aligned with the leadership in the company. So that's kind of how I try to do it. An aspect of that giving away all my secrets now, an aspect of that is to make sure that your executive team buy into the compliance regime in your company. So SoC two type two as a great example, sock two type two as a security vendor is something that I'm asked for, I don't say daily, but certainly weekly.

There will be a customer, there will be someone I'm talking to will say, hey, give me your sub two report or talk me through the status of your sub two. So using metrics associated with that, because that's pretty stringent in terms of how you test, it's pretty stringent in how you do access management. It's pretty stringent in a number of areas, right? So that's the bit that your business care about. We know we need to because it's a differentiator for our company. As an example or a legal team are going to be particularly interested in the number of privacy. Depends where privacy sits, right? But in my organization, I'm very close to privacy. So how many of these requests are we receiving or how quickly are we responding to supplier due diligence requests now? They're all things which people can immediately associate with revenue and company health. They're the things that make security-relevant and interesting and I suppose give us a seat at the top table. So that's another really long answer. So apologies, but that's how I would go about tackling that. I'm now thinking,

Host: No, you're accurate in that. Right? It makes a lot of sense that it's an interesting way. Like OKRs are interesting way because most folks have, let's say, look at either, let's say, risk core or either look at have a predefined dashboard. They just look at that to define what the security posture is. But having a clear set of OKRs at least gives you visibility into not just current, but also what are you trying to achieve in a year, right?

Chris: Definitely, yeah. I just want to touch on that because things like that good. Having risk scores, it's something that we're working on at night, but within products, having risk scores is great. My EDR tool gives me a risk score. That's a security metric though, right? In fact, I pay per view. The conversation where you go and tell a CFO your risk score has changed by 7% because you closed this CVE that's publicly exploitable in this ecosystem. No one's going to care, are they? They're going to care how that risk score translates to your SOP two posture or your ISO certification or how quickly you can respond to a security incident. That's like a GDPR requirement. They're the things. So, yeah, I don't want to throw the baby out at the bathwater. I think that those things that you're saying are totally yeah, people should use them, but the security team should use them as part of their IR processes and as part of their SEC ops and volume management and whatnot. So, yeah, it's a combination, I think.

Host: Yeah, absolutely makes sense. So I have one question. You earlier highlighted about threat modeling and understanding your threat exposure, like how vulnerable you are, right? So cyber risk management is extremely important both for small and larger organizations to understand what are the cyber threats and how can they address them? Right. So from your experience, what have you seen?

Incident Response, Digital Forensics, Threat Intelligence
Knowledge-led information shared by experts to understand what is Incident response, Digital forensics, and Threat intelligence. Don’t miss this gem

How can organizations effectively establish and implement cyber risk management strategies to not just detect, but also to address them, mitigate them?

Chris: I'm going to be really boring and give quite a same or a consistent response in terms of it's back to language, isn't it? I know others in the threat modeling space, friends and people I admire kind of have this view as well. But having commonality of your language is really important. So if you're going to that executive committee, getting them to understand, and I definitely don't want to contradict myself here, but getting them to understand a lexicon of cyber is super important. Now, that doesn't mean process injection and it doesn't mean polymorphic malware or sea surf, but it does mean understanding the difference between a threat actor a vulnerability exploitability, possibly, but certainly an actor initiates an event, that event has to exploit a vulnerability. If there are no vulnerabilities, no one cares. You can initiate events all day long, right? And then the associated business impact of those events. So that's something that's been quite successful for me over the years is to look at the different components that we can help within those areas but then also that other business units need to be involved in, right? So let's look at, say for example, if you take that of actors initiate events, exploit vulnerabilities, they cause business impact. Sitting down with your business units, do your different executives and saying, right, who's in scope for my organization? And there's a lot on the cyber team at that point because you don't want to go in and I'll rephrase it, actually. You can't design your security architecture based on nation state adversaries if you're not defending against nation state adversaries and it's totally easy to do, right? Say, oh my gosh, hypothetically this thing could happen. So we need seven layers of malware sandboxes at our perimeter and each endpoint has to be zero trust to all these environments.

That's great, but if you only have a million dollars a year for your entire security budget, that might not be the best place to start. Right? So looking at the actors and the different campaigns and the types of events that are in scope starting there, that's the way I would start to start on the left hand side, start on these are the things we care about and I write about this in my book. So just having a this is the prioritized order of the types of events and the types of people and campaigns that we're worried about. So if you're a company that's working in pharma or you're working in growth tech and first to market is so critically important, then probably intellectual property theft is going to be your number one. Oh my gosh, the business cares so much about this. So look at the active, look at the different kind of techniques associated with that. If you know that you can then work on, right, what are the sort of things that they look to exploit in an environment? Is it a user trust? Is it a particular type of vulnerability? Is it misconfiguration? I hope this is helpful, by the way.

And so building that out because if you don't know that side of it, then how can you possibly back to your point earlier, peru around, prioritization, how can you prioritize? So doing that is that bit is largely ours to do and to kind of walk our leadership teams and walk our business units through the bit where we need a massive amount of help is on the right hand side. It's business impact, right? It's on what in your environment is important. There are certain things that across all companies you can go and say quarterly forecast or quarterly results information before it's made public. Everyone knows that's super important. You can kind of manipulate markets based on that or personal information or payment information. You know that those categories of things are really, really vital but where do they exist in your environment? Who has access to them? Blah, blah, blah that side of it. You need your business stakeholders, your data owners.

Let's hope everyone has data owners are involved in participating, right? So that's how I think you work on cyber risk management. You go in and every board presentation you do, I think there's a real benefit in it being consistent of having those categories, having those business risks of adversaries, call them what you want, but just having those risks with those common components. And there are tons of frameworks, tons of risk management methodologies that work and start slow as well. I'm thinking of this off the top of my head, but it's true. Start with something that sets the foundations for a wider program because going in and again, another failing of mine over the years going in with what you think is the right answer because it might be the right answer, it might be the right end. The right end state might be something like actually no less than the same names because people may say, oh, we've made that work early. But I don't think going in on day one and when you look at likelihood, looking at the difference between likelihood of initiation and likelihood of success and getting very acutely detailed on the specifics of that, I think you might lose an audience early on. Just getting common language, getting everyone. That's why I think threat modeling is really good because it helps so much with that early stage of things.

Host: Yeah, so I love your answer and the example that also you gave for the healthcare industry, right? So you cannot pretty much boil the ocean and fix everything. You cannot go after every single vulnerability, right? But rather understand where are you vulnerable the most? Like who are the adversities, what are they looking for? And try to secure that first and then do a prioritization according to that, right? You cannot just go by hey, there is a CV in one of the virtual machines, it's critical, let's just fix it, right? If that is in a private subnet then maybe nobody can get to it, right? Maybe that's not the highest priority. So yeah, that's absolutely spot on. One question that comes to mind is all of this comes down to your access to your data or data loss, right? And when it comes to securing data loss anyway, we are generating a lot of data nowadays, right, with social media, with working with different across the globe and then working remotely. There are so many areas how we are generating a lot of data.

So what metrics do you put in place when you are trying to monitor and let's say measure and monitor any data loss. And how are you thinking about that?

Chris: And this isn't I'm going to try and not have like a cyber haven product pitch for 15 minutes. But I mean, it is one of the reasons I'm there, though, because I believe what I'm about to say. But dealing is broken, isn't it? Like genuinely being able to qualify all the ingress and egress vectors for data loss in an organization using regex and static pattern matching. I've been in large financial organizations where companies are spending, I don't know, hundreds of thousands, if not millions of dollars a year on data protection, and they're not making themselves any more secure now they're satisfying, potentially, they're satisfying compliance requirements. PC says you must have DLP, but understanding how information flows across your company, I don't think DLP does a particularly good job of that. That's my experience. There's other anecdotal and more measured kind of feedback, right? So it's much more about having an insider risk program, like understanding how data flows, categories of data as well. So being able to define that, hey, you don't want source code to leave your environment. That's the objective, isn't it? You don't want to be saying, hey, I need to know, very prescriptively every file that is moving or every file that someone is trying to access, because it's impossible. Like someone's going to put something somewhere that you don't potentially know about.

You want to kind of categorize kind of risky behaviors. That's what you want to understand and be able to be able to report on that as well. I've seen so many people try and implement kind of like legacy DLP projects, but people change file names. People copy and paste information out of file. They encrypt it, they move it somewhere, they archive it. They do all these different things that evade. It's a bit like the evolution. I'm going slightly off on a tangent here, but be very quick. It's almost like the evolution of AV, isn't it? So you think 15 years ago, we had static signature based AV, and it satisfied every compliance requirement, and everyone's like, yeah, this is how we do security. But EDR kind of came off the back of some quite sensible people saying we can't protect or prevent everything anymore. Like, we need the ability to detect and respond incredibly quickly because that's how we're going to make ourselves feel better. It's a combination. I think that's where the market's going. So I'm a big believer in data detection and response, data lineage understanding. Puru downloaded this file. He then archived it. He sent it to Chris, chris then sent it out to WeChat. A DLP solution isn't really going to stop that sort of activity, and it's certainly not going to give the incident response. So, again, incident responder, anything to go on. So I think that's how we can approach it. I think it's still. Important in classifying data. Like, if you're not classifying your data, you're not then going to know the types of repos that you want to monitor for this sort of stuff. But we need to move away from thinking that we can categorize individual files and also because if someone's maliciously inclined, then defining that I can't put something on a USB stick, for example, a specific they're going to find other means and ways of exfiltrating that information, aren't they?

People are industrious, ingenious beings. So, yeah, it's another long answer, but that's kind of how I see it going. And I mean, there's going to be a plug here that isn't vendor specific. So I'm heavily involved with DSMM, which is the Data Security Maturity Model. So we were chatting before we recorded about RSA next week. So I'm going over to RSA to talk about DSMM, to talk about having a maturity model. It's aligned to Nisscsf, but having a maturity model where data is no longer like a second class citizen, it's the reason that we've created it. So, yeah, trdr everyone should read DSMM and get involved.

Host: Thank you for sharing that. What we'll do is when we post the video, we'll tag so that folks, our audience can learn from that. One of the things that you highlighted is you cannot use, let's say, one tool, depending on the evolution of technology, you have to change the technology that you're using to secure your data as well. Right? Like as you highlighted from static AV to EDR, I have not a follow up question, but somewhat related question.

So now if you look at news, right, every day we talk about LLMs. That's like the newest technology in the market. OpenAI has chatGPT and everyone is sort of loving it. Google has recently launched Bard to compete with it. So I have two questions here.

The first question is, can I use chat GPT and does that solve all of my security problems? Can I use it to generate security policies? Can I ask it to give me the security programs which I should implement in my organization? How do you see that ?

Chris: As a blessing and a curse? Genuinely, if I think about, and I don't want to, everyone just fixates, don't they, on chat GPT? And if you think about generative apps and you think about LLMs, they've been around before chat GPT, I think it's just the explosion and the utility of that particular LLM that everyone's gone, wow, this is a new thing. So I can't remember the question was, do I think that it can certainly help security teams? No question going out. I'm seeing now, in fact, I was talking to actually two of my founders this afternoon about the use of AI, specifically GPT Four for static code analysis, like helping with false positive, being able to use it from a vault management perspective to qualify, like exploitability or context in your environment. Yeah, definitely.

Also, as a CISO, helping with strategy documentation as well. Literally, if you need a preamble to a document, various different maybe not a Chat GPT, but various different GPT based utility for security where it becomes a real problem. And though I ran like a webinar a few weeks ago on this subject, very well received, it comes much more of a problem around sort of data privacy does well. I mean, it becomes a problem actually around data quality as well. So garbage in, garbage out. If there are enough people poisoning a large language model with incorrect data, how can you qualify? Especially when you're thinking of things like code review, like if you're using it as your exclusive mechanism to review some code, but then assuming you're comfortable with that, like I said, you then have the challenge with privacy. So are people uploading sensitive documents? Like, if they are, which and again, not every language model is the same.

So how do you know which are then training that language model with your information? Like, unknowing to you, someone in your organization is uploading company documentation because they quickly need a new PowerPoint deck or a response to a customer ask. Suddenly they copy and paste the entire kind of customer email in there. Or like a healthcare example. Like you're looking for kind of patient documentation and welfare information. You upload that and suddenly you have a HIPAA breach. There are so many issues there. I think people at the moment see it as the silver bullet to all forms of work, which I don't agree with.

I think it has enormous utility but a ton of risk as well. So I think it's going to affect the GRC teams. I think user acceptance policies, I think the way that you can identify and we've done some great research at Cyber haven one very small plug very quickly, but around the volume of confidential information or information from a company more broadly that is being put into chat GPT and it's blowing CISOs and privacy offices away. They're like, wow, we had no idea. So it's going to be a tough one. I'd like to see how it kind of evolves and how companies make this trade off of their users want to be productive, but you have information to protect. So it's going to be a fun ride. Definitely.

Host: Yeah. It's funny that you highlight that, right? There were some reports of the same activity happening. Like some employee in the organization uploaded some of their very sort of organization specific data to train the model so that they can get some output. But once you start training, it becomes public, right? So you have to be very careful. That's where the data privacy and all challenges will come in. One follow up question to this is,

as you said, you can use it to, let's say, preamble your strategy, or you can use it to generate policies, do the code review, do you think these will take away jobs from security professionals in future?

Chris: It's my honest opinion. I think if, if Chat GPT can take away a security analyst or a security engineer's job, then it probably wasn't a particularly well defined job in that organization. I certainly think that it can make an engineer or an analyst more effective. We talked there around, let's take Proactive threat hunting as an example, identifying activity within your environment that needs further investigation. Yeah, definitely it can help there. So maybe you need fewer, you need fewer analysts because then I have you a big fan of the funnel of fidelity. But I certainly am so early on in that life cycle of kind of collection and triage. If you have AI, and we're largely talking about ML here, right? If you have ML algorithms that can take some of that early triage away, that level one, level one and a half, level two, then fewer people maybe.

Same with code review. It's going to be interesting to see how that goes, but you can almost get into it. I can almost see a situation where you're in a cyclical loop of AI or ML, almost marking AI and ML's homework. So you've got code like code automatically generated using GitHub, like what is it, copilot? It's being generated by copilot being reviewed by Chat GPT like that. Where does the authority come in a situation like that? So I think it can help, but I don't see it replacing roles. I'm sure someone will tweet me and say, oh, you haven't thought about whatever. But no, I think it can help.

Like many other things, many other forms of automation that we've had in the past, it enriches and it augments what we've, what we've already got.

Host: Yeah, no, I totally agree on the point that if you think that you will lose job, that means that job, that responsibility is not properly defined, right? It can help a security engineer be more productive. That's a great way to look at it and that's a great way to end the security question section as well.

Rating Security Practices:

Host: So now let's go to the next section, which is rating the security practices. So the way it works is I'll share what the practice is and you need to rate it between one to five.

So the first practice is conducting periodic security audits to identify vulnerabilities, threats and weaknesses in your system and applications. How would you rate it?

Chris: Well, in terms of how important that is for an organization, pretty important. We talked about prioritization before. Right. And security has to be contextual. Right. But you need to find important things quickly. Let me just be clear, it was vulnerability management specifically, right? Yeah, really important. Like focusing on finding bad stuff. Be that software, be that misconfigurations. People like to watch Mr. Robot and they like to watch films with lines of code where people are furiously looking for zero days. But it's generally commonly known vulnerabilities, it's generally misconfigurations that are tacked. So, yeah, I would say that that is super important. I'm guessing everything you're going to ask me now is going to be important. Having a mechanism to identify not just vulnerabilities in your systems, but also vulnerabilities in your supply chain as well. So be that dependency management, like from a very technical, like, dependable others are available or actually like speaking with those vendors or those suppliers. So, yeah, really important.

Host: Makes sense. So the next one is providing training and awareness programs for employees so that they can identify and respond to potential security threats.

Chris: Yeah, well, this is a great way to almost wrap things up, right, because at the top of the call I talked about how important it is for Eng is an example to be semi autonomous.

It's equally important for everyone in your business to know where to go if they see something suspicious or oh, I accidentally clicked on this link. Oh, I won't tell anyone because I don't want to get in trouble. Like, getting rid of that culture through training and awareness is really important because I know we like to think we're super special in security, but 70% of 60% quote me on this, but I don't know, a majority of things we do, we could probably train other teams to certainly help with some of it. So, yeah, another massively important one. Like training programs, awareness programs, I try and get those established and hire for those traits as well. Like security people comfortable communicating with the business, providing brownback sessions like lunch and learns, email topics for Sages. Yeah, I will say this, not just the annual computer based sock two and ISO say you have to do this training.

Everyone just puts it on, goes and gets a cup of coffee, comes back, press next, next, next. Proper training and awareness is super important.

Host: Yeah. So continuous training and a proper training is important. Makes sense. And that's a great way to end the recording. Thank you, Chris, for coming to the show and sharing your knowledge with our audience.

Chris: Great stuff, really enjoyed it. Puru, thank you for having me. And yeah, look forward to receiving the feedback. Yeah, great yeah, it was fun on my side as well. As well. So thank so thank you so much. And to our viewers, thank you for watching. Hope you have learned something new. If you have any questions around security, share those@scaletozero.com and we'll get those answered by an expert in the security space. See you in the next episode. Thank you.