Cloud Security Reinvented

Episode Highlights:Making Board Members Aware of the Significance of Cybersecurity Is of the Utmost ImportanceAccess and Vulnerability Management Are Hot Topics for CSOs and Security TeamsAiming for the Unification of Security PoliciesShaping and Influencing Policies

Episode Highlights:Making Board Members Aware of the Significance of Cybersecurity Is of the Utmost ImportanceAccess and Vulnerability Management Are Hot Topics for CSOs and Security TeamsAiming for the Unification of Security PoliciesShaping and Influencing PoliciesThis podcast is hosted by Orca Security

Key insights from this episode featuring Jeremy Turner, Deputy CISO at Paidy:⚡ Security without passwords. "In a market like Japan, things are quite different. Thinking out of the box is probably the most critical skill we need. When we think about the consumer experience, they don't have to deal with [passwords], and that really does remove a lot of friction from the typical flow," Jeremy says.⚡ There's so much potential in the cloud. "Now you can just whip out a prepaid card, get an account, and replicate a whole enterprise. Thanks to infrastructure as code, a lot of things can be consistent. So I think that is the biggest potential for growth — more people having access to the technology."⚡ Understand your assets and data. "Sometimes, it feels like you are trying to fix a plane while it's in flight without it crashing, and it could be very delicate. It really can get complex if you don't understand your critical assets, especially data because we don't want to lose our data."This podcast is hosted by Orca Security

Key insights from this episode featuring Jeremy Turner, Deputy CISO at Paidy:⚡ Security without passwords. "In a market like Japan, things are quite different. Thinking out of the box is probably the most critical skill we need. When we think about the consumer experience, they don't have to deal with [passwords], and that really does remove a lot of friction from the typical flow," Jeremy says.⚡ There's so much potential in the cloud. "Now you can just whip out a prepaid card, get an account, and replicate a whole enterprise. Thanks to infrastructure as code, a lot of things can be consistent. So I think that is the biggest potential for growth — more people having access to the technology."⚡ Understand your assets and data. "Sometimes, it feels like you are trying to fix a plane while it's in flight without it crashing, and it could be very delicate. It really can get complex if you don't understand your critical assets, especially data because we don't want to lose our data."

Guest-at-a-Glance💡 Name: Jay Thoden van Velzen💡 What he does: He's the Strategic Advisor to the CSO at SAP.💡 Noteworthy: SAP is one of the world's leading producers of software for the management of business processes and a company on a mission to help the world run better and improve people's lives.

Guest-at-a-Glance💡 Name: Jay Thoden van Velzen💡 What he does: He's the Strategic Advisor to the CSO at SAP.💡 Noteworthy: SAP is one of the world's leading producers of software for the management of business processes and a company on a mission to help the world run better and improve people's lives.This podcast is hosted by Orca Security

Guest-at-a-Glance💡 Name: Jadee Hanson💡 What she does: She's the CIO and CISO at Code42.💡 Company: Code42💡 Noteworthy: As CIO and CISO at Code42, Jadee Hanson leads global risk and compliance, security operations, incident response, and insider threat monitoring and investigations. She brings more than 17 years of experience in information security and a proven track record of building security programs. Before Code42, Jadee held several senior leadership roles in the security department of Target Corporation.##Key Insights ⚡ The world of security is always changing. Technology is rapidly changing and evolving. And cloud security is following along. Jadee explains what this means for the security industry. She says, "For security practitioners, we've always had to be really good at being resilient and adaptable. So, in our world, things always change. Technology is changing, the risk landscape is changing, and threat actors change. And as the cloud has become more prevalent, we had to flex our resilient and adaptable muscles and learn something new. And I would argue that the fundamental controls that we need to have in place for the cloud really haven't changed. What's changed is the 'how'; it's the 'how we meet those controls,' and that's it."⚡ Bad actors use cloud services as much as security practitioners. Bad actors are early adopters when it comes to cloud security. Jadee talks about this significant challenge for security practitioners. She says, "One thing that has really surprised me is that when you think of the cloud movement, there are so many features and functionalities within a cloud architecture. We know this as security practitioners, but bad actors also know this, and they know this very well. So I think my biggest surprise is to see bad actors and bad APT groups use cloud services, just like we do every day."⚡ Let your people be the heroes of the organization. When building security teams, it's essential to let them be heroes and give them exciting opportunities to grow. Jadee explains, "I think it's really all about the people. So my advice would be to find really great people who deliver quality work, continue to challenge them, and give them really interesting opportunities. It's funny. Lots of security practitioners aren't really motivated by tons of money. They're motivated by interesting opportunities. I also think it's really important that you don't make them adversaries in the organization."

Guest-at-a-Glance💡 Name: Jadee Hanson💡 What she does: She's the CIO and CISO at Code42.💡 Company: Code42💡 Noteworthy: As CIO and CISO at Code42, Jadee Hanson leads global risk and compliance, security operations, incident response, and insider threat monitoring and investigations. She brings more than 17 years of experience in information security and a proven track record of building security programs. Before Code42, Jadee held several senior leadership roles in the security department of Target Corporation.##Key Insights ⚡ The world of security is always changing. Technology is rapidly changing and evolving. And cloud security is following along. Jadee explains what this means for the security industry. She says, "For security practitioners, we've always had to be really good at being resilient and adaptable. So, in our world, things always change. Technology is changing, the risk landscape is changing, and threat actors change. And as the cloud has become more prevalent, we had to flex our resilient and adaptable muscles and learn something new. And I would argue that the fundamental controls that we need to have in place for the cloud really haven't changed. What's changed is the 'how'; it's the 'how we meet those controls,' and that's it."⚡ Bad actors use cloud services as much as security practitioners. Bad actors are early adopters when it comes to cloud security. Jadee talks about this significant challenge for security practitioners. She says, "One thing that has really surprised me is that when you think of the cloud movement, there are so many features and functionalities within a cloud architecture. We know this as security practitioners, but bad actors also know this, and they know this very well. So I think my biggest surprise is to see bad actors and bad APT groups use cloud services, just like we do every day."⚡ Let your people be the heroes of the organization. When building security teams, it's essential to let them be heroes and give them exciting opportunities to grow. Jadee explains, "I think it's really all about the people. So my advice would be to find really great people who deliver quality work, continue to challenge them, and give them really interesting opportunities. It's funny. Lots of security practitioners aren't really motivated by tons of money. They're motivated by interesting opportunities. I also think it's really important that you don't make them adversaries in the organization."This podcast is hosted by Orca Security

💡 Guest: Kathy Wang, Chief Security Officer at Discord💡 Company: Discord💡 Noteworthy: Kathy is a security executive and leader with a strong background in project management, research, and business development. She has worked in government, commercial, and technology startup environments and currently advises startups that offer security services/products.##Key Insights ⚡ The importance of access control in security. Improving access control is one of the best ways to prevent potential security problems. Kathy says, "If I think about this from a security perspective, and you look at it from a public cloud SaaS environment perspective, there are so many organizations right now where there are far too many people who have more access than they need in production environments. And so we're always looking for ways to understand, audit, and reduce all of those accesses, and this is super important for improving security posture because if you can't control or understand what access people have, then you've got all sorts of problems like insider threat as well as takeover or breach type of issues."⚡ Security is a hard sell. Even though the number of cyber threats increases every year, security is still hard to sell. Kathy explains, "GitLab was even less of a security product company. They've built security features and security capabilities, which I was super happy to help contribute to from a CSO perspective, as in, ‘Would I use this; would I buy this?’ However, it's not the same thing as talking to customers constantly about, 'Hey, we've detected this for you. What do you think?' And then getting a response, 'You know what? Yeah, it's true. You did, but I'm not sure I want to pay for that kind of detection, though.' This is exactly what makes security such a hard sell. You could be accurate. You could be technically good, but what is that other factor that will make people want to spend money on the product? That's hard."⚡ Think outside the box when building your security teams. The key to building highly effective security teams is to differentiate yourself. Kathy says, "Building security teams is not an easy thing to do, as you know, and we're always competing for talent with a whole bunch of other companies. So what can you do to really differentiate yourself? One of the things I learned is that you can actually go looking for talent outside of the normal pools of talent that people look for. And GitLab was really great for reinforcing that."This podcast is hosted by Orca Security

💡 Guest: Kathy Wang, Chief Security Officer at Discord💡 Company: Discord💡 Noteworthy: Kathy is a security executive and leader with a strong background in project management, research, and business development. She has worked in government, commercial, and technology startup environments and currently advises startups that offer security services/products.##Key Insights ⚡ The importance of access control in security. Improving access control is one of the best ways to prevent potential security problems. Kathy says, "If I think about this from a security perspective, and you look at it from a public cloud SaaS environment perspective, there are so many organizations right now where there are far too many people who have more access than they need in production environments. And so we're always looking for ways to understand, audit, and reduce all of those accesses, and this is super important for improving security posture because if you can't control or understand what access people have, then you've got all sorts of problems like insider threat as well as takeover or breach type of issues."⚡ Security is a hard sell. Even though the number of cyber threats increases every year, security is still hard to sell. Kathy explains, "GitLab was even less of a security product company. They've built security features and security capabilities, which I was super happy to help contribute to from a CSO perspective, as in, ‘Would I use this; would I buy this?’ However, it's not the same thing as talking to customers constantly about, 'Hey, we've detected this for you. What do you think?' And then getting a response, 'You know what? Yeah, it's true. You did, but I'm not sure I want to pay for that kind of detection, though.' This is exactly what makes security such a hard sell. You could be accurate. You could be technically good, but what is that other factor that will make people want to spend money on the product? That's hard."⚡ Think outside the box when building your security teams. The key to building highly effective security teams is to differentiate yourself. Kathy says, "Building security teams is not an easy thing to do, as you know, and we're always competing for talent with a whole bunch of other companies. So what can you do to really differentiate yourself? One of the things I learned is that you can actually go looking for talent outside of the normal pools of talent that people look for. And GitLab was really great for reinforcing that."

Episode SummaryThe cloud has made many processes straightforward. The pace of expansion and the ease of introducing new services make it attractive. But, these advantages come with complexity, especially from a security standpoint. Therefore, it is critical to make everyone's activities in the digital space as secure as possible. Consequently, companies must focus on mitigating security risks and building trust with their clients and consumers. In this episode of Cloud Security Reinvented, our host Andy Ellis welcomes Allison Miller, the VP of Trust at Reddit. Allison and Andy discuss the differences between the on-premise and cloud era, the best and worst practices of on-premise, and the opportunities for growth in the cloud. Guest-at-a-Glance💡 Name: Allison Miller💡 What she does: Allison is the VP of Trust at Reddit.💡 Websites: Reddit💡 Noteworthy: Allison was in marketing before dedicating her career to cybersecurity. 💡 Where to find Allison: LinkedInThis podcast is hosted by Orca Security

Episode SummaryThe cloud has made many processes straightforward. The pace of expansion and the ease of introducing new services make it attractive. But, these advantages come with complexity, especially from a security standpoint. Therefore, it is critical to make everyone's activities in the digital space as secure as possible. Consequently, companies must focus on mitigating security risks and building trust with their clients and consumers. In this episode of Cloud Security Reinvented, our host Andy Ellis welcomes Allison Miller, the VP of Trust at Reddit. Allison and Andy discuss the differences between the on-premise and cloud era, the best and worst practices of on-premise, and the opportunities for growth in the cloud. Guest-at-a-Glance💡 Name: Allison Miller💡 What she does: Allison is the VP of Trust at Reddit.💡 Websites: Reddit💡 Noteworthy: Allison was in marketing before dedicating her career to cybersecurity. 💡 Where to find Allison: LinkedIn

Episode SummaryThere's an overwhelming amount of information coming at us every single day. And from a risk management and security point of view, it's become even more challenging to deal with zero-day vulnerabilities.The key is to not be reactive; you have to take a more proactive approach to zero-day vulnerabilities.In this episode of the Cloud Security Reinvented podcast, host Andy Ellis welcomes Amanda Fennell, the CIO and CSO at Relativity. They chat about her dual CIO-CSO role, why different priorities mean different cloud experiences, and the importance of investing in preventive solutions before it's too late.Guest-at-a-Glance💡 Name: Amanda Fennell💡 What she does: She's the CIO and CSO at Relativity.💡 Company: Relativity💡 Noteworthy: Amanda joined the Relativity team in 2018 as the CSO, and her responsibilities expanded to include the role of the CIO in 2021. She's responsible for championing and directing security strategy in risk management and compliance practices, as well as building and supporting Relativity's information technology. Amanda also hosts Relativity's Security Sandbox podcast, which explores and explains the unique links between non-security topics and the security realm.💡 Where to find Amanda: LinkedInThis podcast is hosted by Orca Security

Episode SummaryThere's an overwhelming amount of information coming at us every single day. And from a risk management and security point of view, it's become even more challenging to deal with zero-day vulnerabilities.The key is to not be reactive; you have to take a more proactive approach to zero-day vulnerabilities.In this episode of the Cloud Security Reinvented podcast, host Andy Ellis welcomes Amanda Fennell, the CIO and CSO at Relativity. They chat about her dual CIO-CSO role, why different priorities mean different cloud experiences, and the importance of investing in preventive solutions before it's too late.Guest-at-a-Glance💡 Name: Amanda Fennell💡 What she does: She's the CIO and CSO at Relativity.💡 Company: Relativity💡 Noteworthy: Amanda joined the Relativity team in 2018 as the CSO, and her responsibilities expanded to include the role of the CIO in 2021. She's responsible for championing and directing security strategy in risk management and compliance practices, as well as building and supporting Relativity's information technology. Amanda also hosts Relativity's Security Sandbox podcast, which explores and explains the unique links between non-security topics and the security realm.💡 Where to find Amanda: LinkedIn

Episode SummaryCybersecurity is an ever-changing field. And since the emergence of the cloud, social media networks, and machine learning algorithms, the security space has continued to evolve to respond to the market's needs.But some things never change — the willingness to learn, adapt, and improve remains the golden standard of cybersecurity. In this episode of the Cloud Security Reinvented podcast, our host Andy Ellis welcomes Roland Cloutier, the Global Chief Security Officer at TikTok. They talk about the most significant changes since the emergence of cloud computing, what it's like to work at TikTok, and why technologists should always keep learning.##Guest-at-a-Glance💡 Name: Roland Cloutier💡 What he does: He's the Global Chief Security Officer at TikTok.💡 Company: TikTok💡 Noteworthy: As Global Chief Security Officer of TikTok, Roland Cloutier brings an unprecedented understanding and knowledge of global protection and security leadership to one of the world's leading media, social, and technology companies. He oversees the company's information protection, risk, workforce protection, crisis management, and investigative security operations worldwide.💡 Where to find Roland: LinkedIn##Key Insights ⚡ Overseeing the security and risk program for TikTok is an exciting learning experience. Coming from law enforcement and the military, Roland experienced a major shift in his career when he entered the competitive technology space and joined the world's fastest-growing social media giant, TikTok. So, what has this experience been like? According to Roland, it's been an enormous learning opportunity. He explains, "You've got to be ready for that speed and feed. You've got to be ready for that high level of operational tempo that we have, and adjusting my leadership style and capability to ensure that I enable that for the team has been one of the biggest learning opportunities for me."⚡ Always keep learning. While there are many pre-cloud norms and practices that we should leave behind us, some things should never change, such as the willingness to learn. Roland explains, "Always keep learning. Folks that are static in this environment are going to wither away. On a daily basis, these amazing companies and technology platforms are delivering net new capability. Sometimes I'm embarrassed when my teams are talking, and I did not know that was actually even possible. As practitioners, as professionals, as leaders, you have to keep up on it, especially as technologists; you have to continue to learn. So I don't think that ever changes."⚡ Speed and scale are the biggest perks of cloud computing. Cloud computing has certainly made everything easier, especially cybersecurity. Roland shares what he believes are the greatest benefits of the cloud. "Remember when you had to think about how many boxes do I need to order it with, how many cores, and how much memory in order to support that? Whereas today, we might have a dynamic attack issue, and in less than an hour, I can spin up an environment that has six times the data center capability that I was protecting before. The speed and the scale are just insane. I also think that with that comes the pace of innovation."##Episode HighlightsThere are significant differences in security language and focus across different industries "I do a lot of transition work with people coming out of law enforcement, government, and the military — to help them through that transition because the language is different, and the focus is different. When you're in global protection and in law enforcement organizations, you're outside of companies — you're dealing with people all over the world regarding critical global issues. And then, all of a sudden, you're inside, and you're trying to use the same language."The level of scale and security at TikTok might be surprising to some people"I think what people forget when they migrate to the cloud, and they start putting production operations into that environment, is the level of scale that takes to accomplish it. I was at a CSO meeting in West Palm Beach this week with a bunch of really amazing CSOs and CISOs from across the industry, and we were talking about the scalability concept and the ability to deliver assurance like we were talking about a minute ago. The technologies that drive that also give us the capability to do really great security."Cloud has brought a new pace of innovation"If you think about TikTok — and we truly move at the speed of culture here — we're always saying that culture starts at TikTok; therefore, our product has to be at the speed of culture. You've got to keep up that pace, and so you have to be able to create new products, new environments, new production capabilities, and everything that supports it has to be in place. So the ability to keep up with culture has been really, really interesting to me."Machine learning and artificial intelligence can solve problems for us"Now with the speed and feed, some of these attacks we see in some of these organized criminal capabilities that are operating out of data centers globally — that have entire data centers, not like a box that they ripped off somewhere else, and they're doing something — and have such massive data environments that they're targeting organizations and being able to do it in such unique, subversive ways. AI and ML will give us insight into these massive capabilities across so many different parts of our stack."Understand the entirety of the business"How do we imagine a product, how do we develop it, and how do we market it? How do we build it? How do we sell it, deliver it, monetize it, and how do we service it? And how do you do it all over again? That entire value chain. How do you look at the entirety of the business? It's the ecosystem — that business with internal and external partners."This podcast is hosted by Orca Security

Episode SummaryCybersecurity is an ever-changing field. And since the emergence of the cloud, social media networks, and machine learning algorithms, the security space has continued to evolve to respond to the market's needs.But some things never change — the willingness to learn, adapt, and improve remains the golden standard of cybersecurity. In this episode of the Cloud Security Reinvented podcast, our host Andy Ellis welcomes Roland Cloutier, the Global Chief Security Officer at TikTok. They talk about the most significant changes since the emergence of cloud computing, what it's like to work at TikTok, and why technologists should always keep learning.##Guest-at-a-Glance💡 Name: Roland Cloutier💡 What he does: He's the Global Chief Security Officer at TikTok.💡 Company: TikTok💡 Noteworthy: As Global Chief Security Officer of TikTok, Roland Cloutier brings an unprecedented understanding and knowledge of global protection and security leadership to one of the world's leading media, social, and technology companies. He oversees the company's information protection, risk, workforce protection, crisis management, and investigative security operations worldwide.💡 Where to find Roland: LinkedIn##Key Insights ⚡ Overseeing the security and risk program for TikTok is an exciting learning experience. Coming from law enforcement and the military, Roland experienced a major shift in his career when he entered the competitive technology space and joined the world's fastest-growing social media giant, TikTok. So, what has this experience been like? According to Roland, it's been an enormous learning opportunity. He explains, "You've got to be ready for that speed and feed. You've got to be ready for that high level of operational tempo that we have, and adjusting my leadership style and capability to ensure that I enable that for the team has been one of the biggest learning opportunities for me."⚡ Always keep learning. While there are many pre-cloud norms and practices that we should leave behind us, some things should never change, such as the willingness to learn. Roland explains, "Always keep learning. Folks that are static in this environment are going to wither away. On a daily basis, these amazing companies and technology platforms are delivering net new capability. Sometimes I'm embarrassed when my teams are talking, and I did not know that was actually even possible. As practitioners, as professionals, as leaders, you have to keep up on it, especially as technologists; you have to continue to learn. So I don't think that ever changes."⚡ Speed and scale are the biggest perks of cloud computing. Cloud computing has certainly made everything easier, especially cybersecurity. Roland shares what he believes are the greatest benefits of the cloud. "Remember when you had to think about how many boxes do I need to order it with, how many cores, and how much memory in order to support that? Whereas today, we might have a dynamic attack issue, and in less than an hour, I can spin up an environment that has six times the data center capability that I was protecting before. The speed and the scale are just insane. I also think that with that comes the pace of innovation."##Episode HighlightsThere are significant differences in security language and focus across different industries "I do a lot of transition work with people coming out of law enforcement, government, and the military — to help them through that transition because the language is different, and the focus is different. When you're in global protection and in law enforcement organizations, you're outside of companies — you're dealing with people all over the world regarding critical global issues. And then, all of a sudden, you're inside, and you're trying to use the same language."The level of scale and security at TikTok might be surprising to some people"I think what people forget when they migrate to the cloud, and they start putting production operations into that environment, is the level of scale that takes to accomplish it. I was at a CSO meeting in West Palm Beach this week with a bunch of really amazing CSOs and CISOs from across the industry, and we were talking about the scalability concept and the ability to deliver assurance like we were talking about a minute ago. The technologies that drive that also give us the capability to do really great security."Cloud has brought a new pace of innovation"If you think about TikTok — and we truly move at the speed of culture here — we're always saying that culture starts at TikTok; therefore, our product has to be at the speed of culture. You've got to keep up that pace, and so you have to be able to create new products, new environments, new production capabilities, and everything that supports it has to be in place. So the ability to keep up with culture has been really, really interesting to me."Machine learning and artificial intelligence can solve problems for us"Now with the speed and feed, some of these attacks we see in some of these organized criminal capabilities that are operating out of data centers globally — that have entire data centers, not like a box that they ripped off somewhere else, and they're doing something — and have such massive data environments that they're targeting organizations and being able to do it in such unique, subversive ways. AI and ML will give us insight into these massive capabilities across so many different parts of our stack."Understand the entirety of the business"How do we imagine a product, how do we develop it, and how do we market it? How do we build it? How do we sell it, deliver it, monetize it, and how do we service it? And how do you do it all over again? That entire value chain. How do you look at the entirety of the business? It's the ecosystem — that business with internal and external partners."

Episode SummaryWhen someone says Pinterest, the first thing that comes to mind is a social platform and a place to seek inspiration. But for the people working behind the scenes, it's more than that.In February 2021, Pinterest had 459 million active monthly users. That's a lot of data and traffic, and security measures must be put in place for an exceptional user experience. So how do they do it?In this episode of Cloud Security Reinvented, our host Andy Ellis chats with Andy Steingruebl, the Chief Security Officer at Pinterest. The two discuss the difference between the on-premise and cloud era and what differentiates Pinterest from companies like PayPal. They also touch upon the best and worst on-premise practices and the future of technology. Guest-at-a-Glance💡 Name: Andy Steingruebl💡 What he does: Andy is the Chief Security Officer at Pinterest.💡 Websites: Pinterest💡Noteworthy: Andy is an Information Security professional with more than 25 years of experience. He has extensive experience in most security management and architecture areas, including Policy, Compliance, Communication, Infrastructure, and Incident Response. He is an excellent communicator with the ability to communicate with all levels of the organization, customers, policymakers, and regulators. He has a track record of significantly contributing toward making the internet a safer, more secure place for users and companies.💡 Where to find Andy: LinkedInKey Insights⚡ Transitioning to the cloud was challenging. With all the cloud's benefits, it's hard to understand how we functioned without it. However, as Andy explains, even professionals in the security field had to adjust to it. ''Now, the big issue is trying to come up with policies for yourself on what stuff you need to have your arms tied around and what are the principles. How do you set the right security bar for an outsourced vendor who's going to have access to your stuff or provide some key business function? [...] We're long past, 'I'm not putting some of my really sensitive stuff in the cloud.' You use Workday, Google for mail, and so on.''⚡ It's all about efficiency, but we must have the right people in the right positions. Technology today is all about making resources and tools accessible to as many people as possible to enable faster solution development or problem-solving. But is this a good thing? ''The blessing and the curse of the cloud is that because you can deploy so many resources to a problem, sometimes you don't get as focused on how much it is costing you, or if this is the best way to use the technology? [...] So a really interesting perspective is how we've pushed around some of the work. The work doesn't go away; it either doesn't get done, or people who aren't specialized at it are doing it. The same can happen with security, where you let everybody be responsible for certain rules instead of letting a few people try to set a definitive posture like that firewall. I'm not suggesting it's the exact right model, but having some things you can have certainty around is nice, and we've moved away from that. And it's hard to function in that world.''⚡ Focus more on people. A piece of advice Andy gives to his young colleagues is to develop healthy relationships with teammates. Yes, everyone will focus on growing professionally, but sometimes it is more challenging to develop high-quality social skills than technical ones. ''As you try to move upwards in your career, it's not just the technical stuff because pretty soon you will outgrow the problems you can solve all by yourself. And once you outgrow problems you can solve by yourself, you need to collaborate with others and how well you can do that is important.''Episode HighlightsHow Has Our Perspective of Security Changed in the Cloud Era?''I was an on-prem guy, and I remember doing vulnerability management. We would buy some bit of vuln scanning stuff to put inside our environment because one, the network access required was pretty scary, and two, vulnerabilities are really serious. So who wants other people to know about your vulnerabilities? So, Qualis comes out with a product. They say, 'We're going to do this vuln scanning thing, but from the cloud, and you put it up on our website.' And I remember being freaked out about that. Like, 'Oh my gosh. You're crazy. I'm not going to do that.' [But in the] new world where you don't have to do it yourself, and in most cases, you probably don't want to. And in many cases, we tell people, 'Don't do it yourself. Don't run your mail system. Pay somebody else to do that. It's too big a pain in the butt with too many risks. That's sensitive stuff, but don't keep that in house. You're not going to do it as well as you can pay somebody else like Google or Microsoft to do it for you.'''Companies Differ by Traffic Volume Online''It's a little bit industry-specific; you deal with lots of traffic [...] It was a big adjustment when I got to PayPal to realize. If you've been working at a lot of businesses that aren't internet-scale businesses, you don't understand traffic volumes and the torture testing that you put systems through. [...] It's the traffic volume difference between a business with a browser, an interaction component, and just a transaction piece.''What Does the Future Holds for Technology''In the pure security space, I think unification. Trying to unify things into simpler policies that we can have — we can go back to having a declarative security policy. [...] I'm a big fan of protocols and declarative security policies — not the things that are enforced by code, but things that you can look at in a policy and reason about. [...]And the other one is that slowly but surely we're moving managed code and programming languages that make it harder to make mistakes or at least some of the security mistakes of the past. So, like that, that's going to be a pretty foundational change as well. I think at least in the security of taking the burden off lots of folks and eliminating a whole bunch of attacks.''This podcast is hosted by Orca Security

Episode SummaryWhen someone says Pinterest, the first thing that comes to mind is a social platform and a place to seek inspiration. But for the people working behind the scenes, it's more than that.In February 2021, Pinterest had 459 million active monthly users. That's a lot of data and traffic, and security measures must be put in place for an exceptional user experience. So how do they do it?In this episode of Cloud Security Reinvented, our host Andy Ellis chats with Andy Steingruebl, the Chief Security Officer at Pinterest. The two discuss the difference between the on-premise and cloud era and what differentiates Pinterest from companies like PayPal. They also touch upon the best and worst on-premise practices and the future of technology. Guest-at-a-Glance💡 Name: Andy Steingruebl💡 What he does: Andy is the Chief Security Officer at Pinterest.💡 Websites: Pinterest💡Noteworthy: Andy is an Information Security professional with more than 25 years of experience. He has extensive experience in most security management and architecture areas, including Policy, Compliance, Communication, Infrastructure, and Incident Response. He is an excellent communicator with the ability to communicate with all levels of the organization, customers, policymakers, and regulators. He has a track record of significantly contributing toward making the internet a safer, more secure place for users and companies.💡 Where to find Andy: LinkedInKey Insights⚡ Transitioning to the cloud was challenging. With all the cloud's benefits, it's hard to understand how we functioned without it. However, as Andy explains, even professionals in the security field had to adjust to it. ''Now, the big issue is trying to come up with policies for yourself on what stuff you need to have your arms tied around and what are the principles. How do you set the right security bar for an outsourced vendor who's going to have access to your stuff or provide some key business function? [...] We're long past, 'I'm not putting some of my really sensitive stuff in the cloud.' You use Workday, Google for mail, and so on.''⚡ It's all about efficiency, but we must have the right people in the right positions. Technology today is all about making resources and tools accessible to as many people as possible to enable faster solution development or problem-solving. But is this a good thing? ''The blessing and the curse of the cloud is that because you can deploy so many resources to a problem, sometimes you don't get as focused on how much it is costing you, or if this is the best way to use the technology? [...] So a really interesting perspective is how we've pushed around some of the work. The work doesn't go away; it either doesn't get done, or people who aren't specialized at it are doing it. The same can happen with security, where you let everybody be responsible for certain rules instead of letting a few people try to set a definitive posture like that firewall. I'm not suggesting it's the exact right model, but having some things you can have certainty around is nice, and we've moved away from that. And it's hard to function in that world.''⚡ Focus more on people. A piece of advice Andy gives to his young colleagues is to develop healthy relationships with teammates. Yes, everyone will focus on growing professionally, but sometimes it is more challenging to develop high-quality social skills than technical ones. ''As you try to move upwards in your career, it's not just the technical stuff because pretty soon you will outgrow the problems you can solve all by yourself. And once you outgrow problems you can solve by yourself, you need to collaborate with others and how well you can do that is important.''Episode HighlightsHow Has Our Perspective of Security Changed in the Cloud Era?''I was an on-prem guy, and I remember doing vulnerability management. We would buy some bit of vuln scanning stuff to put inside our environment because one, the network access required was pretty scary, and two, vulnerabilities are really serious. So who wants other people to know about your vulnerabilities? So, Qualis comes out with a product. They say, 'We're going to do this vuln scanning thing, but from the cloud, and you put it up on our website.' And I remember being freaked out about that. Like, 'Oh my gosh. You're crazy. I'm not going to do that.' [But in the] new world where you don't have to do it yourself, and in most cases, you probably don't want to. And in many cases, we tell people, 'Don't do it yourself. Don't run your mail system. Pay somebody else to do that. It's too big a pain in the butt with too many risks. That's sensitive stuff, but don't keep that in house. You're not going to do it as well as you can pay somebody else like Google or Microsoft to do it for you.'''Companies Differ by Traffic Volume Online''It's a little bit industry-specific; you deal with lots of traffic [...] It was a big adjustment when I got to PayPal to realize. If you've been working at a lot of businesses that aren't internet-scale businesses, you don't understand traffic volumes and the torture testing that you put systems through. [...] It's the traffic volume difference between a business with a browser, an interaction component, and just a transaction piece.''What Does the Future Holds for Technology''In the pure security space, I think unification. Trying to unify things into simpler policies that we can have — we can go back to having a declarative security policy. [...] I'm a big fan of protocols and declarative security policies — not the things that are enforced by code, but things that you can look at in a policy and reason about. [...]And the other one is that slowly but surely we're moving managed code and programming languages that make it harder to make mistakes or at least some of the security mistakes of the past. So, like that, that's going to be a pretty foundational change as well. I think at least in the security of taking the burden off lots of folks and eliminating a whole bunch of attacks.''

Episode SummaryThe cloud has been around for a while now. And ever since it emerged — two decades ago — it has brought in new ways to think about security, identity, and access management. But at the end of the day, we still need to make sure that the right people have the right information at the right time.In this episode of the Cloud Security Reinvented podcast, our host Andy Ellis welcomes Meg Anderson, the VP - CISO at Principal Financial Group. They talk about the changes in cloud security since the emergence of the cloud, some of the best and worst practices, and what the future holds for cloud security.##Guest-at-a-Glance💡 Name: Meg Anderson💡 What she does: She's the VP - CISO at Principal Financial Group.💡 Company: Principal Financial Group💡 Noteworthy: Meg participates in a number of CISO councils. She is a board member of the Financial Services Information Sharing and Analysis Center (FS-ISAC), where she chairs the Strategy Committee and is on the FinCyber Advisory Group for the Carnegie Endowment for International Peace. Before the role of VP - CISO, Meg acquired over twenty years of technical and leadership experience in application development.💡 Where to find Meg: LinkedIn##Key Insights ⚡ Adversarial relationships within a company can hinder security. There's no room for adversarial relationships in cloud security. We need to embrace collaboration and partnership. Meg talks about Principal Financial Group's culture, "At Principal, what I think is different when I think about cloud security is that there are no adversarial relationships. We're all learning; we're all respectful. And obviously, I say all, but sometimes, there are conflicts. However, we get through them. And I think that that culture is really important."⚡ Access control and data protection are essential. As we expand in the cloud, we need to keep prioritizing access control and data protection. Meg explains, "They have to be very intentionally thought about and architected. The cloud brings new ways, of course, to think about identity and access management. There are new tools to do it with, but then, in the end, we still really need to make sure that the right people have access to the right information at the right time, and we can't lose sight of that. And our customers trust that we'll protect their information and money no matter where we're doing our computing. So it's not a choice."⚡ You need to have a strategy. If you want to move forward and adopt the cloud, you need to put a strategy in place first. Meg explains, "If you start with the strategy, it'll pay dividends. You'll reduce risk. You'll increase efficiency. You're probably going to save time and money. It's probably going to turn out better. You're not going to be creating tech debt. So really, stepping into the cloud with a plan is just much better than playing around and looking at it as an opportunity to experiment and try new things."##Episode HighlightsAutomation is critical for security integration"There's definitely more ownership by the cloud team and the cloud engineers as compared to relying on specialists that were previously in the infrastructure team. So I think some of the ‘shifting security left’ conversation that we've had over the last decade or more is something that we really need to keep our eye on, because that automation is critical to integrating security into the deployment pipelines and allowing engineers to own their code and its security. That's a change that I think we are, at least, in the midst of here at Principal."We need to stop oversimplifying the cloud"Software as a service is very different from platform as a service or infrastructure as a service. So when we simply talk about the cloud, I think it gets to the point of oversimplification that's probably doing more harm than good, especially at the higher levels of companies, at the board regulators. Everyone's asking, 'How are you securing the cloud?' Period. And so, I think that oversimplification might be an opportunity for growth and for us to really be talking about the various components of the cloud a little bit differently in the future."Don't be afraid to ask for support"It sounds pretty basic, but early in my career, there were times where I assumed that, 'Well, they're my leader, they should know, and eventually, they'll figure out what I need and what I want.' And while I've never been called shy, I would say that I probably wasted too much time thinking about why they weren't figuring it out. How should I ask them? When should I ask them? And now I see the value in not just asking for investment or the tangible things that you might need, but in asking for support and finding out who will be your advocates in the organization. If you want to make a change and really ask for what you need to get something completed, get somebody to help you across the organization."This podcast is hosted by Orca Security

Episode SummaryThe cloud has been around for a while now. And ever since it emerged — two decades ago — it has brought in new ways to think about security, identity, and access management. But at the end of the day, we still need to make sure that the right people have the right information at the right time.In this episode of the Cloud Security Reinvented podcast, our host Andy Ellis welcomes Meg Anderson, the VP - CISO at Principal Financial Group. They talk about the changes in cloud security since the emergence of the cloud, some of the best and worst practices, and what the future holds for cloud security.##Guest-at-a-Glance💡 Name: Meg Anderson💡 What she does: She's the VP - CISO at Principal Financial Group.💡 Company: Principal Financial Group💡 Noteworthy: Meg participates in a number of CISO councils. She is a board member of the Financial Services Information Sharing and Analysis Center (FS-ISAC), where she chairs the Strategy Committee and is on the FinCyber Advisory Group for the Carnegie Endowment for International Peace. Before the role of VP - CISO, Meg acquired over twenty years of technical and leadership experience in application development.💡 Where to find Meg: LinkedIn##Key Insights ⚡ Adversarial relationships within a company can hinder security. There's no room for adversarial relationships in cloud security. We need to embrace collaboration and partnership. Meg talks about Principal Financial Group's culture, "At Principal, what I think is different when I think about cloud security is that there are no adversarial relationships. We're all learning; we're all respectful. And obviously, I say all, but sometimes, there are conflicts. However, we get through them. And I think that that culture is really important."⚡ Access control and data protection are essential. As we expand in the cloud, we need to keep prioritizing access control and data protection. Meg explains, "They have to be very intentionally thought about and architected. The cloud brings new ways, of course, to think about identity and access management. There are new tools to do it with, but then, in the end, we still really need to make sure that the right people have access to the right information at the right time, and we can't lose sight of that. And our customers trust that we'll protect their information and money no matter where we're doing our computing. So it's not a choice."⚡ You need to have a strategy. If you want to move forward and adopt the cloud, you need to put a strategy in place first. Meg explains, "If you start with the strategy, it'll pay dividends. You'll reduce risk. You'll increase efficiency. You're probably going to save time and money. It's probably going to turn out better. You're not going to be creating tech debt. So really, stepping into the cloud with a plan is just much better than playing around and looking at it as an opportunity to experiment and try new things."##Episode HighlightsAutomation is critical for security integration"There's definitely more ownership by the cloud team and the cloud engineers as compared to relying on specialists that were previously in the infrastructure team. So I think some of the ‘shifting security left’ conversation that we've had over the last decade or more is something that we really need to keep our eye on, because that automation is critical to integrating security into the deployment pipelines and allowing engineers to own their code and its security. That's a change that I think we are, at least, in the midst of here at Principal."We need to stop oversimplifying the cloud"Software as a service is very different from platform as a service or infrastructure as a service. So when we simply talk about the cloud, I think it gets to the point of oversimplification that's probably doing more harm than good, especially at the higher levels of companies, at the board regulators. Everyone's asking, 'How are you securing the cloud?' Period. And so, I think that oversimplification might be an opportunity for growth and for us to really be talking about the various components of the cloud a little bit differently in the future."Don't be afraid to ask for support"It sounds pretty basic, but early in my career, there were times where I assumed that, 'Well, they're my leader, they should know, and eventually, they'll figure out what I need and what I want.' And while I've never been called shy, I would say that I probably wasted too much time thinking about why they weren't figuring it out. How should I ask them? When should I ask them? And now I see the value in not just asking for investment or the tangible things that you might need, but in asking for support and finding out who will be your advocates in the organization. If you want to make a change and really ask for what you need to get something completed, get somebody to help you across the organization."