Focusing On Cloud Vulnerability With Ray Espinoza

Host: Hi everyone. Thanks for tuning into our Scale to Zero show. I am Purusottam, co-founder and CTO of Cloudanix. Scale to Zero is a forum where we collect questions from curious security professionals and invite security experts to learn about their journey and also to get those questions answered. Our goal is to build a community where we can learn about security together and leave no security question unanswered. With that, let’s get into it. For today’s episode we have Ray Espinoza.

Ray is the CISO at Inspectiv, where he leads everything related to security as well as overseeing service delivery of Inspectiv’s bug bounty business and security research community. He also contributes to product innovation of the platform Inspectiv has built. Prior to Inspectiv, Ray has had various security leadership roles and was most recently VP of Cloud Security at Medallia and CISO at Cobalt IO as well. He has been in the security space for over 20 years in various roles, and over five years as CISO at various organizations. It’s wonderful to have you here. Thanks for joining me on the show.

Ray: Absolutely, thank you for having me.

Host: Sounds great.

So the way we do the recording is we have two sections. The first one is the security questions, and the second one, which is the more fun one, is the rapid-fire section.

So let’s get into the first section, the security questions, and in that I want to start with a topic which is very close to my heart, which is culture, right? Most organizations have a culture, whether it’s engineering-driven or sales-driven or security-driven.

So as a security leader, what methods would you recommend to bring awareness and develop a security centric culture and mindset in an organization?

Ray: Well, first I’m going to say I’m glad to hear that this is close to your heart, because it is also close to my heart as well. And I’ve learned a ton over the years, a lot of which has been some, I don’t want to say catastrophic failures, but they definitely weren’t wins. But they helped me become just a little bit better as I continue to grow and as I revisit and try to find more success as we go.

But I really find that, especially for security leaders coming in, it’s ridiculously important to understand the current culture and how things work. How do people digest information, what’s the appetite for information, how often, etc., is great context when you’re first trying to figure out your overall path. The first time I was leading security, I had the honor and privilege of being the global head of security at Proofpoint and leading security there. I came in like a bull in a china shop, like, I know what this company needs and how to build security culture, and this is a security company, so this is what we’re going to do, and I had a pretty tough time at first until I was able to really take a step back and get a good idea of what the playing field was that I was working with, and then try to go at that again. Once I took that time to better understand, that enabled me to have some success. So I would say that the biggest piece is to make sure that you understand what type of culture you’re stepping into.

Now that doesn’t mean that you can’t positively impact culture and really drive that change because ultimately that’s what I look for, that’s what excites me, that’s what gets me up in the morning. But there’s so many things that go into that. Having the ability to say maybe all of your experience with security has been negative, it’s been the annual compliance that you get bugged about or you report something and then everybody treats you differently like you did something wrong. How do we turn some of those things on their heads? And so it becomes more about a positive outcome and I’ve done so many different things there as we go. I would say the biggest piece and I hit on it a little bit is just leading with empathy and understanding that many of the folks in a company, they’re just trying to do their job and they genuinely want to do the right thing.

But many times, if you ask yourself, can you learn a foreign language by taking training one time a year? Probably not. But we expect folks to make the right decision, hugely impactful and having the ability to negatively impact an organization; we expect them to know exactly what to do with a minimal amount of training. So I felt like that is the crux, the root of an issue, but creating a safe space where folks can ask questions or say, hey, I did something wrong and now I don’t know what to do, and treating them with respect and support and thinking about them like they’re a customer. Not like what, years past, I’ve heard others say, like another dumb employee making a dumb decision. Just that alone, treating folks with respect and support and, dare I say, love to a degree, makes it much easier for them to lean in and say, hey, now I want to be a part of this because I feel like I’m able to really grow.

I mean, we could probably have a whole talk on just this topic alone because I’m so passionate about it. But I will say the one other piece that I feel positively drives security culture at an organization is recognizing that folks learn differently as well. It’s not just about the once-a-year training or the brown bags that the security team will do, but it’s putting out content. It’s getting your face in front, using your voice and hitting them with a bunch of different angles. I’ve also found targeted training to be hugely valuable. When I talk to an accounting and finance team: these are the threats that you specifically will be likely to face. It’s much more impactful than talking to them about secure coding and how that fits because we have a single deck that affects all of them. So all of those things put together, and all those learnings over the years, continue to come back to: if I want to drive culture, I’ve got to get folks to buy in.

And that means I need to be human. I need to be warm with them, and I need to treat them like a customer so that they can continue to come back and ask questions.

Host: I like a couple of things that you highlighted. The first thing is understanding the culture, right? Sometimes leaders, when they get into a new position, they’re like, yeah, I know how things are done, this is how we’ll do it, even before they understand how the current team has been working. And the other thing that you mentioned is empathy, right? And I don’t think it applies only to security. It applies to any team, because that allows your team to be vulnerable in front of you, right? And that’s how you build trust.

So yeah, great points. I want to double-click on that a little bit. So security often works with other teams as well, right? And security always competes with business growth as well, because sometimes security is seen as a roadblock. So in those scenarios,

How can security teams work with other business units so that they can improve the awareness, so that they can make them security-focused, and also help in improving the overall revenue or improving the bottom line?

Ray: It starts with treating the same folks with empathy, and instead of going in and saying this is what I need and this is what I want you to do, it starts with going in and saying, how do things work in your org? And when somebody comes to you and says, hey, I need these things done, what’s the best way to get those in front of decision makers so that we can figure out and resource and do all of those things? So there’s that piece of better understanding the playing field and where security most naturally fits in. So it’s not completely interrupt driven. We’re not coming with the compliance stick and saying you need to do these things and I expect them done by 5:00. But it’s more so building a relationship.

What worries you? I mean, I’ve spent plenty of time investing and just building genuine relationships with other leaders and other business units. What are you worried about? What are you held accountable to? What sort of metrics do you need to report on? When I understand those, it makes it easier for me to position some of my assets in a way that feels natural or that can support them in what they’re trying to roll up. If I can find alignment, that’s like the Holy Grail of, well, you need to hit this thing. Well, I can help you hit this thing. Here’s the things that we can do together.

It all comes back down to building trust, building respect, and building those relationships and listening. But that’s what I found, because I’ve stepped into the trap of, well, this is just the thing that the business needs. And then, having learned over the years, being able to, when I can, come with a few other GMs as well as the CFO and somebody else, and we’re all united on the front of what we’re trying to accomplish. It enables me to put a much stronger foot forward of how security is positively enabling the business, rather than trying to do all of these things just because we feel like we have to. Because there’s times where I’ve gone to the business and said, there’s a compliance driver behind this, and this is the leeway that we have, or this is a real risk driver, and here’s the impact if we don’t. And it becomes less of a this is what you need to do, but here’s a few options, and there could be a negative outcome associated with it. But my role as a CISO is less to say this is what the business needs to do; it’s to understand the risk, help inform the rest of my executive team, and say, this is what I recommend that we do.

With the context that I have, am I missing any context? And are there other ways that we can possibly mitigate this risk, etc. It’s to drive education for business decisions to be made. All of those enabled me to have a seat at the table and be like, okay, you can come and sit with the adults now and have the conversation about how we manage this business. And so it ends up being a lot of that to really get that buy in to get things done.

Host: Yeah. So, again, I like two points that you highlighted here. One is, again, it goes back to culture, right? Like building long-lasting relationships with other parts of the organization.

And one of the things that you highlighted I really liked is the alignment. Sometimes we see that teams are not aligned in terms of what the business is trying to achieve, and that affects a lot. So having that alignment will definitely help our organizations. Awesome. I want to switch to risk management a little bit.

Nowadays, we hear about a lot of vulnerabilities, especially in cloud, let’s say cloud misconfigurations, or in containers. We hear about them in Kubernetes, where we hear about zero-day vulnerabilities, or data encryption related ones, or insider threats. So,

How should security leaders stay on top of this, particularly a first time security leader? And how should they ensure that they’re focusing on the right or highest priority vulnerability?

Ray: Again, I think we could probably have just a conversation on vulnerability management because it’s so huge. But what I’ll say is there are tons of vulnerabilities. Every single day we buy new tools that help tell me there’s more bad things that we need to be worried about, that we need to address. With the finite amount of resources available to really drive change and remediate those, it does become a question of what are the most important things that we can solve. And so I think it starts with understanding that not all vulnerabilities are the same, but we can’t just continue to sweep under the rug vulnerabilities that we feel like don’t meet a specific threshold.

I know in previous conversations that we’ve had and we kick around this idea, it’s this concept of growing tech debt and whatnot and that can contribute to it. It comes down to do we have enough information to better understand this vulnerability and how it applies to our organization. Just because a vulnerability comes out as critical does not mean that it’s a critical vulnerability for us as an organization. I’ll give you an example. There’s a critical vulnerability in an open source library that’s used in code here at the organization. Maybe it’s only exploitable if you’re using that library in a front end facing application. We happen to be using this in a back end application.

Now, does that mean we don’t need to do remediation? I mean, absolutely not. Of course we do. But that does change the time scale to which we have to work through to be able to do that. And so understanding vulnerabilities is hugely impactful because, again, I’ve made the mistake as an early security leader of, well, this is critical, folks, we really have to do this and it’s got to be done by 5:00 today, and being challenged to share why this is impactful to the business. And again, it comes back to my previous point of, well, what happens if we don’t? If a customer needs a critical feature that’s really going to enable them to grow and we can manage the risk in some way, does that lead to a better outcome? Not that we’re not going to address vulnerabilities, because how crazy would that be? A security guy saying don’t worry about your vulnerabilities. It comes down to making sure you have enough information to make some of those decisions.

So context about how that vulnerability applies is huge. A reclassification of vulnerabilities is also huge. And then you get to this list of, okay, well, we’ve looked at all these vulnerabilities, here’s the thousands of vulnerabilities we know about and here’s the hundred that are all critical that apply to the organization. Now where do we start? And that’s where some of that stack ranking work comes through. And thankfully there’s lots of tools, there’s organizations that help drive better enrichment of, well, is this actively being exploited in the wild? If so, that’s another point that would push it up in the remediation stack. Or is the exploit theoretical at this point? Okay, we can move that down a little bit and maybe that buys us a little bit more time. So all of that context building helps to figure out how you manage some of that. But that’s part of the picture.

The other part is, for the things that we know about, how do we build a routine cadence to address some of that consistently? It goes back to those relationships. You know, it’s the culture that we have here in the organization. What I’ve learned is if I can pre-negotiate a specific amount of time that I’m going to need from teams who drive remediation, like your traditional IT, engineering, DevOps, et cetera, I have a way to work through getting that work in a pipeline that’s not interrupting the business from trying to get good work done that we need to stay alive. And if I do that in that way, that’s great, that’s easy. We continue to manage that based off of the resources that we have allocated. But we both know there are critical zero-day vulnerabilities that we find out about the day of, and then they have a marketing name and a marketing website and all of a sudden there’s tons of urgency to get some of those things done.

You need to have a process for that as well. And that’s where it comes down to, well, maybe we run this through our incident response process because we have a communications component. We have the ability to bring the right stakeholders to the table to again make some of these decisions and then chart a path forward. And so having the ability to think through what we can routinely continue to burn down, and knowing that there’s going to be emergencies and how we work through those without anybody freaking out, that’s what leads to, again, much better outcomes. Nobody’s guessing who’s driving this or who’s doing this work, and are we doing enough? Does this affect our environment? Build that structure, build that cadence, regularly communicate, and you remove what I typically hear is armchair quarterbacking, others trying to do the right thing and then freaking out about it, and it becomes more like, okay, the security team has this, we have a process for this. We know what the outcome is going to be and how they’re going to report whether we’re successful and we’ve mitigated the risk, or if this is something that we don’t have a great answer for.

Host: Yeah, I like that you highlighted that you should have a process in place so that you don’t freak out, right. If there is news of a zero-day vulnerability, it’s not like you’re focusing on that vulnerability the entire week. So that is one, and also evaluating what the exploitability is, whether it’s active or not, the context, right? Whether it affects our primary workload or maybe one of the services which is hardly used once a year, maybe it’s not that high priority. Right. So keeping the context in mind, that definitely helps a lot.

So I want to dig a little deeper into it. So most of the organizations, when they have a defined process, when they do the evaluation, critical and high severity items or high priority items are often addressed first. Medium, minor, or low, they often fall into a debt, like a security debt, right? So we received this question from a growing fintech startup. So they’re curious

How should they sort of think about security debt? How should they define it? How should they measure the security debt and how should they use the data with the vulnerability information to prioritize that, let’s say patching servers or fixing misconfigurations in the cloud.

Ray: I’ve experienced this at many organizations that I’ve been a part of, and it’s not because it’s a bad thing. It still comes down to a finite amount of resources that are required to do a number of different things, where security is just one part of that. I think it still comes down to how do I drive education to the rest of the business and our business leaders of what the risk is of maintaining or carrying this tech debt, and at what point does it become unmanageable for us? Every organization has some level of risk tolerance and they’re managing that. But it really is up to me and my staff to drive education on what that really means. And not just in, oh, we have a thousand medium severity and 50 low, because that’s not meaningful to a CFO or to really many folks on the executive leadership team to say, okay, well now I understand the tangible risk to our organization if this continues to grow. There are times where I’ve had to show, if you chain these three medium severity vulnerabilities together, you can get access to customer data.

Oh, holy cow, that becomes quite a different story.

Part of that is driving education and understanding to the business of what it means to not only carry tech debt, but to add to it and build. And it becomes more like the national debt here in the US, where it just grows ridiculously over time. At some point you just hope it doesn’t fall apart. The other piece is working with business units and working with teams that drive remediation for those buckets of time that we have allocated to do security work. We work through and figure out, do we have the ability to true up at times to get fully patched, and then get that through the testing cycle and drive remediation from there. Containers have been almost a life saver in being able to say, well, we can update the image and we can add these security fixes and then run it through its natural course.

And then hopefully many folks are using containers that are ephemeral, and so it gives them an opportunity to reap some of the rewards of having a good and better patch management, vulnerability management process. But not everybody’s there. Some folks are kind of using it, but maybe not everywhere, et cetera. It still comes back down to, can I articulate the risk, can we work together to find a process? Because most folks that I’ve found, and I come from an operations background, being a Windows and Unix sysadmin at eBay early in my career, site availability was number one. It’s what folks’ bonuses are based off of.

It’s a big deal of making sure that we don’t bring production down. And so for many folks that’s their primary concern. If I introduce this change, is there the possibility of a negative outcome, and if so, how do we manage that? So working with teams to try to build a good testing process so they feel good, etc., etc., has helped. If we figure out how you typically test and how we streamline that. Can my team drive automation? Is there information that we can provide to make this easy to plug into that pipeline? And then where you walk into a situation where they’re like, we don’t know what we should do, let’s figure it out together, and then that becomes all green fields of, great, let’s make security easy and just part of what we do now, and then it doesn’t become a heartache down the road. So being able to have some of those has helped.

I will say sometimes a compliance driver, the stick there, does help when there’s some pushback of, oh, it’s tough and I have other things to do. Well, maybe we have FedRAMP, and FedRAMP requires us to manage vulnerabilities in these ways, and so it can be used as a forcing function at times. I try not to use that because I feel like that’s not the best way for you and I to understand what the value is. I use that as a point of context around why this needs to be done or why it should be prioritized.

Host: Yeah. So it makes a lot of sense. I think in all of your answers I see culture as one of the factors, like how you work with other teams in the organization, and particularly in this you highlighted working with other teams when they are, let’s say, doing their grooming, maybe adding some security related tasks, and educating them on what the value of it is. As you highlighted, if I can connect three mediums to a critical vulnerability, then we need to address that, right? Like showing the value of it. I love that. So as a last question, I want to talk about data privacy a little bit, because nowadays we hear a lot about phishing attacks and social engineering attacks, and many security analysts claim that human error is the biggest factor for data privacy issues. And we have seen recently there were attacks on Twilio and Cloudflare as well.

So,

According to you, what steps would you recommend to organizations so that they can prepare for such attacks?

And once they address the attack, how should they react once the attack is resolved?

Ray: There’s a few different pieces to that. I think the first part is really the education piece. You want to address this risk with technology as much as possible. If I can limit the potential for an employee to receive a phishing email, or be put in a position that could add risk to the organization, that is money well spent, that is time well spent; technology, that’s really what it’s there for. But we know it’s not bulletproof. And so we need to then say, well, once technology fails, what’s the next area we need to focus on, rely on? And that goes back to strong security culture, strong training, continuous training and opportunities for folks to understand what these risks are. I learned in the past that I can do security education, and more so what I call kind of security theater, a little bit of making it fun and a little bit sexy, but tied to a real risk today, and not just fear based.

I’m using that to tie in, here’s something that happened to insert your large company or well-known brand here. And here’s what we’ve learned about it and here’s what it means to us and what we would do to try to mitigate some of these risks. And now here’s what we need from you. And by doing these briefings as well and tying it to real life situations, that gives folks the ability to be like, well, I just saw something, this is weird, I think you guys should check it out, or react in a more positive way from there. I mean, the human IDS, intrusion detection system, is strong everywhere and it needs to be cultivated. So that piece is really how you try to prevent as much as possible, and then, knowing that incidents are inevitable, how you make sure that you respond is really that next step. And I think one of the things that we found, I remember years back, it was, if we have zero data incidents and zero data breaches, that is success, and it’s not a realistic target to go to now.

Organizations are now judged on how well you respond, how transparently you respond, and you see the folks that really come out, you know, looking better than before. It’s because they were just transparent. Here’s what happened, here’s what we know, here’s what we’re doing, and here’s our path forward and what this means to you. That is now the new playbook of really how you continue to drive and carry some of that forward. And that starts with a good incident response program, testing that, and then, as a security leader or an incident manager, really, it’s that calm voice in the room of, I’m in command, I know what we need, here’s how we’re going to drive some of this.

But it’s funny, I end up telling my kids, my dog, or even in the workplace, if I’m freaking out, then maybe it’s okay for you to freak out. But if I’m calm, you should be calm. And that’s something I’ve had to kind of nurture and build. But that’s core to who I am: if we know what we’re doing and we’ve built some muscle memory in how we’re going to respond to some of these things and how we’re going to communicate these things, no one’s freaking out, we’re just working through this. Is it high stress? Absolutely. But if we have a plan, we stick to the plan.

We know what we’re doing and we can drive communication and even take some information back in and build that feedback loop; that tends to end much better. And I’m thankful, at least, I also come from that side. I earned my chops in security going through the incident response side. So I will say I’m heavily biased to a great IR program. But in the age where everybody has incidents, that’s the consistency. The brands that we continue to trust treat us like we should be made aware of what’s going on and allow me to make a decision or follow up on an action because I got all the real information.

I would never name companies, but there are times years back I can think of where you’re working with maybe the legal team or somebody on the executive team to be like, well, do we have to say anything? And what’s that sort of gray area? Thankfully, a lot of what we’ve seen now is the folks that are transparent in their communication tend to be looked at better, because incidents have a funny way of being found out down the road anyway. And then it becomes, well, I’m not even mad about the incident. I’m mad that I was kept in the dark, and the tangible impact that I’ve experienced now because of it. So it’s a really interesting concept of how things have changed, but it goes back down to: know what you’re doing, get those folks who are players in this process involved so they know what to expect, and then drive operational excellence from there. We will continue to get better on our IR process because we know one day it’s down the road and it’s waiting for us, and we want to make sure that we’re ready.

Host: Yeah. So I like two points that you highlighted.

You were very clear, right? One for internal and one for external communication. For the internal team, maybe continuous education, like how they can identify these attacks and bring them to the security team; and during or after the attack is done, transparent communication.

We have seen, as you highlighted, many companies who did not do a proper job with the communication lose customers, lose the trust, versus an organization who has been very transparent gets those customers back. Right. Because they have built that trust because of transparent communication. Yeah.

That is awesome. So, yeah. Thank you so much for these insights. There were many things that I learned as part of the episode, and I’m hoping our viewers will learn a few things as well.

Summary:

Host: Here are a few things which stood out.

  1. To build and improve security culture in an organization, lead with empathy. Understand current culture and processes before introducing new ones.
  2. Alignment is a key factor in improving collaboration between the security team and other teams in an organization. Continuous learning and engagement is a must.
  3. In case of an incident like, let’s say, a phishing attack or a zero-day vulnerability, it’s of utmost importance to be calm. Transparent communication is critical for internal and external stakeholders.

Let’s go to the rapid-fire section now.

Rapid Fire:

Host: So the first question is: a one-liner quote that keeps you going.

Ray: My father, who passed away about ten years ago, would always tell me when I was growing up and I didn’t appreciate it at the time, but he would always say, son, you need to have balance, balance in your life, balance with all things. That’s what will help you continue to be the best version of yourself. So that one line and I found myself pairing it to my kids sometimes even in the work setting as well, is to work towards and find having balance and finding a way to be able to achieve that in life. So that to me is still that keeps me going. One, because it reminds me of the huge impact that my father had on me. But what a gold nugget of guidance that I wish I would have appreciated sooner.

Host: I love that. Balance is so key nowadays; with remote work culture and everything, it becomes very challenging to find that. So, yeah, I love that. The next question is, if you were a superhero of cybersecurity, which power would you choose to have?

Ray: I would argue and say I have one native superpower and that’s being able to communicate well and build relationships. But if I were going to choose something else that maybe is possibly fictional, I would love to be able to look forward in the future so that when that issue that I know is coming gets here, that we are as prepared as we can be, that would be fantastic.

Host: Who would not want that? The last one is what’s the biggest lie you have heard in cybersecurity?

Ray: Wow, I’ve heard so many, but I would say probably the constant thing that I’ve heard in all the years that I’ve done security has been that there’s one solution to address an entire category of problems. If you buy this one tool, you know, you don’t have to worry about risks. And, you know, I’m working at a security organization now, having a voice in the room, and we’re thinking about messaging to our customers. Folks, let’s make sure that we’re clear, that we are never saying, use us, buy us, and you will have no issues, no risk. And I have seen that time over time of, you know, buy our solution and you will be secure. We’ll never be secure. And thankfully for myself, I think that means and for folks in the industry who might be listening, there’s an air of job security in that of looking for folks who are battle hardened to have experienced some of these issues and can help folks navigate through it.

There’s no silver bullet. I mentioned it before and I’ve heard it so many times and I can’t help but push back when I hear it from a vendor who’s trying to pitch me and they’re like, this is all you need. It better be great then, because there’s a lot.

Host: Yeah, I totally agree. There is no silver bullet to security, right. Even though you have more tools, at the end of the day, you have to work with those to improve your security posture. That’s a great way to end the recording. So thank you so much, Ray. It was wonderful to chat with you and talk about risk management and culture specifically. We look forward to learning more from you in the future.

Ray: Thank you very much for having me. I appreciate you giving me an opportunity to have a voice and share a bit of my perspective. I will say that I’m constantly learning from myself, my team, my mentors, my peers, folks that I have the privilege of managing. And so I try to give back as much as possible. But I love that I constantly learn, and I would encourage anybody who is taking on a security leadership role and wants to see their career grow: you can learn from everybody in almost every situation and be able to apply it. So thank you for giving me that voice to be able to share.

Host: Absolutely. And that’s one of the goals of this show as well. So thank you for coming, and to our viewers, thank you for watching. Hope you have learned something new. If you have any questions around security, share those at scaletozero.com. We’ll get those answered by an expert in the security space. See you in our next episode. Thank you so much.
