Mike Czumak


Introduction

I make it a habit to learn as much as I can from others, so every week I listen to an assortment of podcasts covering topics such as leadership, communication, technology, security and more.

Here are some recent podcasts that I found interesting and worth a listen, along with some of my own thoughts, based on nearly two decades of experience as a military officer, IT leader, and CISO.

Topics for this post include:

  • Challenges in Cloud Security
  • Strategy and Architecture for Digital Transformation
  • XSS From A Backend Engineer’s Perspective

Challenges in Cloud Security

LISTEN: Cloud Security Podcast: CISO Challenges in Cloud Security - Caleb Sima, VP of Security at Databricks

In addition to having a successful security career that includes several startups, Caleb was at Capital One during its major push to move infrastructure and systems to AWS. The experience he describes – lots of people working against a self-imposed deadline to lift-and-shift a minimum percentage of applications – is one that I’m sure others have heard before. As he saw first-hand, these rushed moves can lead to misconfigurations because people aren’t sufficiently educated about the cloud technologies they are now tasked with configuring. Networking is nuanced, IAM is complex, and other technologies

I can certainly see some use cases where moving a system as-is to the cloud makes sense (e.g. a handful of legacy systems that can’t be refactored and will be retired soon), but that doesn’t mean you can skip a good understanding of the cloud environment to which it’s moving. While every project needs a deadline, it must be realistic. If you can’t wait until your internal resources get properly trained, you might consider leveraging an implementation partner. While that can be a good stop-gap, it’s not a replacement for training, because when the partner leaves, they have to turn the system over to someone who needs to understand how to manage it.

Ideally, rather than saying it must shift X% of systems to the cloud (rehost), and assuming it can’t retain any applications on-prem, I think an organization should take the time to figure out which can be replatformed, repurchased, refactored, or retired. All are viable options that may net much better results than a wholesale lift and shift. The challenge is that replatforming, repurchasing, and refactoring require expertise and can be time consuming and costly in the short term, so rehosting may appear to be the quickest and easiest route.

During the discussion Caleb also mentioned the challenge of visibility. Visibility and Influence happen to be two of my favorite metrics for measuring the capability of a security program (more on that in a future post on measuring a security program). Cloud certainly presents challenges for visibility, but as he points out, it also presents opportunities. AWS, Azure, Google, and others build their pricing model around usage and they can’t measure what they can’t see … so they see everything! That’s good for us, provided we can somehow make sense of that data. I try not to push products (Caleb mentions one and I happen to use another) but the point is, migrating to the cloud may be a good chance for some to finally get end-to-end visibility of systems and applications.

He also talks about the challenges of a security culture, how security will never be the #1 priority, and how if it’s in the top 10 in the org you’re doing pretty well. I fully agree and don’t ever think it should be #1. While I do consider myself a security professional, I’m not in the security business. Unless you’re a CISO who is actually working for a security vendor, your culture is driven by your business, and that requires CISOs to be at least as business focused (if not more so) as they are security focused.

I also liked his discussion on the technical vs. managerial career paths in security. I agree that all security leaders should be technical enough to get it. To me that means being able to talk intelligently to subject matter experts and see through BS. How far you take that technical path is up to you. I concur with him that some are simply better suited to remain technical individual contributors for their entire careers. As he says, you don’t need to manage someone to be successful. As a CISO I see it as my responsibility to establish career paths and progression opportunities for such technical leaders.

I also couldn’t agree more with Caleb that if you’re looking to get into security and don’t know where to begin, consider exploring pentesting. I think I learned more about the ins and outs of various technologies, and about getting into the mind of an attacker, from years of penetration testing than from probably anything else in my career. And his advice to leverage bug bounties is one that I’ve espoused for several years. What better way to learn than to get paid for it (and not get arrested!).

In addition to the above topics, Caleb also talks about the use of managed security services and his experience with startups. This was a good episode so I recommend giving it a listen.

Strategy and Architecture for Digital Transformation

LISTEN: Embracing Digital Transformation - Episode 24: Darren Pulsipher

Darren Pulsipher is the Chief Solutions Architect, Public Sector, at Intel and in this podcast he talks about effective digital strategy and architecture for successful transformation.

He gives his perspective on the importance of, and the relationships between, the IT, Development, Security, and Data groups all working towards a common architecture, which ideally provides key features like self-service, self-healing, self-management and policy-driven enforcement. He mentions the importance of identity management, code reuse, the use of containers, and the need to focus on data orchestration for management rather than data storage.

I agree that some of these are difficult to implement and simply not a reality for many, but I also think that hybrid cloud gives us the opportunity to do much of it. I think whether or not to make multi-cloud a key component of a transformation should come down to differentiating capabilities and cloud program maturity, but that’s a topic for another post. In the meantime, you may find this episode relevant if you are undergoing or about to embark on a transformation journey.

XSS From A Backend Engineer’s Perspective

LISTEN: Relating to DevSecOps - Episode #013: How a backend engineer looks at XSS

It’s so interesting to hear the different perspectives of back-end and front-end developers when it comes to dealing with something like Cross Site Scripting (XSS). Sometimes XSS gets oversimplified when it comes to prevention recommendations … input validation, output encoding. Great, but where is that applied, whose responsibility is it, and what impact will it have on functionality? As security professionals it’s very important to understand and appreciate these complexities in order to best advise on how to properly prevent such vulnerabilities.

It’s also important to think through these decisions during design and to leverage automated security testing in the pipeline to identify defects, rather than relying on manual reviews by security engineers to catch them.
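To make the "where is it applied, whose responsibility is it, and what does it cost in functionality" question concrete, here is an added example (my own illustration, not code from the podcast or from any project it discusses): the back end validates and stores the raw value, the rendering layer encodes for the exact output context, and a small regression check stands in for the pipeline stage described above. The untrusted input and the `rendersSafely` check are constructed for the demo.

```javascript
// Added example: output encoding is context-specific, and *where* it is
// applied decides both safety and functionality.

// Constructed untrusted input: a display name a user might submit.
const UNTRUSTED_NAME = '<img src=x onerror="alert(1)"> O\'Brien & Sons';

// Back-end responsibility: validate shape and length, then store and return
// the raw value. HTML-escaping here corrupts the data for every non-HTML
// consumer (JSON APIs, CSV exports, mobile apps) and is still wrong for
// any context other than HTML text.
function validateDisplayName(name) {
  if (typeof name !== 'string' || name.length === 0 || name.length > 64) return null;
  return name;
}

// Front-end / template responsibility: encode at render time for the exact
// context the value lands in.
function encodeForHtml(s) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#x27;' };
  return s.replace(/[&<>"']/g, c => map[c]);
}
function encodeForJsString(s) {
  // Inside a quoted JS string literal: \uXXXX-escape every non-alphanumeric
  // character, which also neutralises quotes and any "</script>" sequence.
  return s.replace(/[^A-Za-z0-9]/g,
    c => '\\u' + c.charCodeAt(0).toString(16).padStart(4, '0'));
}

// HTML text context.
function renderProfileHtml(name) {
  return `<p class="name">${encodeForHtml(name)}</p>`;
}
// JavaScript string-literal context inside an inline script.
function renderUserScript(name) {
  return `<script>var user = "${encodeForJsString(name)}";</script>`;
}

// The functionality cost of encoding in the wrong layer: a back end that
// HTML-escaped on input, feeding a front end that (correctly) encodes again.
// The result is safe, but the user now sees "&lt;img ..." on screen.
function renderDoubleEncoded(name) {
  return renderProfileHtml(encodeForHtml(name));
}

// Pipeline-style regression check (a constructed stand-in for a real
// SAST/DAST stage): the raw tag from the input must not survive rendering.
function rendersSafely(rendered) {
  return !/<img/i.test(rendered);
}
```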

Whether you’re a security professional or a developer/engineer, you should give this a listen.


Continue the Conversation

I enjoy connecting with and learning from others, so reach out to me on LinkedIn and Twitter.
