
Cloud Security Today

Author: Matthew Chiodi


Description

The Cloud Security Today podcast features expert commentary and personal stories on the “how” side of cloud security. This is not a news program but rather a podcast that focuses on the practical side of how to launch a cloud security program, how to implement DevSecOps as well as understanding the threats most impacting cloud today.
39 Episodes
Episode Summary

On this episode, CISO at Palo Alto Networks, Niall Browne, joins the show to talk about Security, Cloud, and AI. Before joining Palo Alto Networks, he served as the CSO of Cloud platforms for the past sixteen years, including as the CSO and CTO at Workday.

Today, Niall talks about his journey starting in the early days of the Internet, his work during Palo Alto’s shift to Cloud and now AI, and how to keep track of risk with automation. How can teams do more with less? Hear about how to communicate risk to company board members, the usefulness of Gen AI, and the cyber skills shortage.

Timestamp Segments
· [01:39] Niall’s Bank of Ireland experience.
· [05:07] How did the early internet catch Niall’s attention?
· [08:56] What is Niall most proud of?
· [11:34] Palo Alto’s shift to Cloud.
· [16:43] Overcoming resistance to the shift.
· [22:53] Keeping a pulse on risk.
· [28:07] Communicating risk to boards.
· [33:46] Doing More With Less.
· [38:00] How does Gen AI make processes better?
· [41:27] The cyber skills shortage.
· [47:04] Niall’s personal growth formula.

Notable Quotes
· “More with less is key.”
· “Hiring the right skill set is very difficult.”

Relevant Links
Website: www.paloaltonetworks.com
LinkedIn: Niall Browne

Resources:
Doing More with Less: The Case for SOC Consolidation.
Secure applications from code to cloud.
Prisma Cloud, the most complete cloud-native application protection platform (CNAPP).

Disclaimer: This post contains affiliate links. If you make a purchase, I may receive a commission at no extra cost to you.
Episode Summary

In this episode, Jerich Beason, CISO at WM, joins the show to discuss becoming a CISO. Before joining WM, Jerich served in various roles at Lockheed Martin, RSA, Capital One, AECOM, and Deloitte.

Jerich talks about how he tailored his roles throughout his career, learning communication soft skills and his passion for sharing with others. Hear about how AI affects leadership, how Jerich would change the cybersecurity industry, and the true value of vendors (it's positive!).

Timestamp Segments
· [02:51] When Jerich knew he wanted to be a CISO.
· [04:52] Tailoring the roles.
· [06:02] What is Jerich most proud of?
· [07:17] Jerich’s best advice.
· [13:22] Transitioning away from geek-speak.
· [17:29] When Jerich developed the passion.
· [20:28] The PRIME framework.
· [25:20] What should be talked about with AI?
· [29:09] What would Jerich change about the cybersecurity industry?
· [30:33] Hiring the right people.
· [33:37] How Jerich stays sharp.
· [35:06] The value of vendors.

Notable Quotes
· “Not every issue warrants a ‘sky is falling’ alert.”
· “When it comes time to leave, leave a legend.”
· “We don’t exist without vendors.”

Relevant Links
Website: www.wm.com
LinkedIn: Jerich Beason
Security is a process

2024-02-16, 47:21

Episode Summary

On this episode, Co-Founder and CTO of Gutsy, John Morello, joins Matt to talk about Process Mining in Cybersecurity. Before co-founding Gutsy, John served as the CTO of Twistlock and VP of Product for Prisma Cloud.

John holds multiple cybersecurity patents and is an author of NIST SP 800-190, the Container Security Guide. Before Twistlock, he was the CISO of an S&P 500 global chemical company. Before that, he spent 14 years at Microsoft, working on security technologies in Windows and Azure and consulting on security projects across the DoD, intelligence community, and at the White House. John graduated summa cum laude from LSU and lives in Baton Rouge with his wife and two sons. A lifelong outdoorsman and NAUI Master Diver and Rescue Diver, he's the former board chair of the Coalition to Restore Coastal Louisiana and a current Coastal Conservation Association board member.

Today, John talks about governance challenges in cybersecurity, the importance of security as a process, and how to apply process mining. How is process mining useful in cybersecurity? Hear about process mining human actions and unstructured sources, and how John manages to stay sharp.

Timestamp Segments
· [02:20] John’s cybersecurity journey.
· [07:43] Pivotal moments in John’s career.
· [10:23] The most pressing governance challenges.
· [14:07] What is process mining?
· [19:03] How process mining can benefit certain functions.
· [21:09] Security as a process, not a product.
· [25:37] Why there’s not more focus on process.
· [32:03] Applying process mining.
· [38:07] Filling in the gaps.
· [42:03] How John stays sharp.

Notable Quotes
· “Security is a process, not a product.”
· “In security, inefficiency and inconsistency are highly correlated with risk.”
· “Almost everything in security is about process.”

Relevant Links
Website: gutsy.com
LinkedIn: www.linkedin.com/in/john-morello
Episode Summary

On this episode, best-selling author of Cyber for Builders and blogger Ross Haleliuk joins the show to talk about his writing on the cybersecurity industry. Ross is active in the cybersecurity ecosystem as a startup advisor and angel investor, currently leading the VIS Angel Syndicate. He often writes about cybersecurity, security investment, growth, and building security startups on TechCrunch, in other leading industry media, and in his blog, Venture in Security, read by tens of thousands of security leaders every month.

Today, Ross talks about the usefulness of apprenticeship programs and the impact of AI on the talent shortage. What makes the talent shortage a qualitative issue? Hear about AI and cybersecurity problem-solving, Ross’s recently released book, and how Ross stays sharp (and fit).

Timestamp Segments
· [02:23] Pivoting into cybersecurity.
· [08:20] The role of project manager.
· [11:24] The BISO role.
· [13:41] The talent shortage as a qualitative issue.
· [23:58] Apprenticeship programs.
· [30:51] Qualitative vs quantitative talent shortage.
· [33:15] The impact of AI.
· [39:06] AI in cybersecurity.
· [41:54] What is Ross writing about next?
· [43:12] How Ross stays sharp.

Notable Quotes
· “A lot of problems in cybersecurity are not unique to the space.”
· “It is difficult to find an entry-level job in the technology space, period.”
· “There is a shortage of senior talent, but there is also an oversupply of junior talent.”

Relevant Links
LinkedIn: Ross Haleliuk

Resources:
ventureinsecurity.net
Episode Summary

On this episode, InfoSec veteran Aaron Turner joins the show to talk about everything from Cloud to AI. Over the past three decades, Aaron has served as Security Strategist at Microsoft, Co-Founder and CEO of RFinity, Co-Founder and CEO of Terreo, VP of Security Products R&D at Verizon, Founder and CEO of Hotshot Technologies, Founder and CEO of Siriux, Faculty Member of IANS, Board Member at HighSide, President and Board Member of IntegriCell, and most recently as CISO at a large infrastructure player.

Today, Aaron talks about the critical decisions that led to his success, the findings in his IANS research, and the importance of physical vs logical separation in home networks. What are the things that are lacking in current AI services? Hear about the security applications of behavioral AI, Aaron’s approach as he gets back into industry, and what it takes for Aaron to remain sharp.

Timestamp Segments
· [02:49] Getting started.
· [10:53] Aaron’s keys to success.
· [16:40] Aaron’s IANS research.
· [20:42] Physical vs logical separation.
· [24:19] Top mistakes that customers make.
· [26:56] Real-world AI applications.
· [32:13] Thinking about AI and risk.
· [36:15] What’s missing in the current AI services?
· [40:46] Getting back into the industry.
· [45:22] How does Aaron stay sharp?

Notable Quotes
· “Get deep in something.”
· “Make sure you put yourself in situations where people expect you to be sharp.”

Relevant Links
LinkedIn: Aaron Turner

Resources:
www.iansresearch.com
The New SEC Rule

2023-11-20, 46:16

Episode Summary

In this episode, Special Advisor for Cyber Risk at the NACD, Christopher Hetner, returns to the show to discuss the new SEC cybersecurity rules. Chris has over 25 years of experience in cybersecurity, helping protect industries, infrastructures, and economies, serving in roles including as SVP of Information Security at Citi, Senior Cybersecurity Advisor to the Chairman of the US SEC, Executive Member of IANS, the National Board Director of the Society of Hispanic Professional Engineers, Senior Advisor for the Chertoff Group, Senior Advisor to the CEO of Stuart Levine & Associates, and Co-Chair of Nasdaq Cybersecurity and Privacy.

Today, Chris talks about the developments since January 2023, the timeframe requirements in practice, and normalizing cybersecurity incidents as business-as-usual. What is Inline XBRL? Learn how startups could prepare themselves for these changes, the scope of disclosure, and how risk management strategies might evolve to address Cloud-specific threats.

Timestamp Segments
· [02:36] What has changed since January?
· [06:49] Why things changed.
· [08:51] Was it a good move?
· [12:27] Determining the materiality of cybersecurity incidents “without unreasonable delay.”
· [17:49] Is 4 days enough?
· [22:19] The scope of disclosure.
· [24:09] Normalizing cybersecurity incidents.
· [26:24] Moving toward real-time monitoring.
· [28:52] Is insurance becoming a forcing function?
· [32:18] Evolving risk management strategies.
· [36:05] Third-party disclosure requirements.
· [39:51] How do startups prepare?
· [41:52] What is Inline XBRL?
· [42:54] Inline XBRL to 8-K.
· [43:30] How the tagging requirement impacts the disclosure process.

Notable Quotes
· “The magnitude of these events is the percentage of the event relative to revenue.”
· “We’re going to see market forces drive these safety standards within our enterprises.”

Relevant Links
LinkedIn: Christopher Hetner

Resources:
https://www.sec.gov/news/press-release/2023-139
The AI Episode

2023-10-21, 42:00

Episode Summary

In today’s episode, AI Safety Initiative Chair at Cloud Security Alliance, Caleb Sima, joins Matt to talk about some of the myths surrounding the quickly evolving world of AI. With two decades of experience in the cybersecurity industry, Caleb has held many high-level roles, including VP of Information Security at Databricks, CSO at Robinhood, Managing VP at CapitalOne, and Founder of both SPI Dynamics and Bluebox Security.

Today, Caleb talks about his inspiring career after dropping out of high school, dealing with imposter syndrome, and becoming the Chair of the CSA’s AI Safety Initiative. Are AI and Machine Learning the threat that we think they are? Hear about the different kinds of LLMs, the poisoning of LLMs, and how AI can be used to improve security.

Timestamp Segments
· [01:31] Why Caleb dropped out of high school.
· [06:16] Dealing with imposter syndrome.
· [11:43] The hype around AI and Machine Learning.
· [14:55] AI 101 terminology.
· [17:42] Open source LLMs.
· [20:31] Where to start as a security practitioner.
· [24:46] What risks should people be thinking about?
· [28:24] Taking advantage of AI in cybersecurity.
· [32:32] How AI will affect different SOC functions.
· [35:00] Is it too late to get involved?
· [36:29] CSA’s AI Safety Initiative.
· [38:52] What’s next?

Notable Quotes
· “There is no way this thing is not going to change the world.”
· “The benefit that you're going to get out of LLMs internally is going to be phenomenal.”
· “It doesn't matter whether you get in now or in six months.”

Relevant Links
LinkedIn: Caleb Sima

Resources:
Skipping College Pays Off For Few Teen Techies
llm-attacks.org
Episode Summary

On today’s episode, Senior Advisor and Strategist at the Cybersecurity and Infrastructure Security Agency, Allan Friedman, joins Matt to discuss SBOMs. As Senior Advisor and Strategist at CISA, Allan coordinates the global cross-sector community efforts around software bill of materials (SBOM). He was previously the Director of Cybersecurity Initiatives at NTIA, leading pioneering work on vulnerability disclosure, SBOM, and other security topics.

Before joining the Federal government, Friedman spent over a decade as a noted information security and technology policy scholar at Harvard’s Computer Science Department, the Brookings Institution, and George Washington University’s Engineering School. He is the co-author of the popular text Cybersecurity and Cyberwar: What Everyone Needs to Know, has a C.S. degree from Swarthmore College, and a Ph.D. from Harvard University.

Today, Allan talks about SBOMs and their adoption in non-security industries, Secure by Design and Secure by Default tactics, and how to make software security second nature. What, exactly, is the SBOM? Hear about how SBOMs could’ve helped against significant attacks, the concept of antifragility, and why vulnerability disclosure programs are so important.

Timestamp Segments
· [02:27] Allan’s career path.
· [05:10] Allan’s day-to-day.
· [06:15] What has been most rewarding?
· [08:00] SBOMs in non-security startups.
· [10:50] Real-world examples of Secure by Design tactics.
· [17:30] Will software security ever seem obvious to us?
· [19:30] What is the SBOM, and will it solve all our problems?
· [23:41] Could an SBOM have helped against the SolarWinds attack?
· [27:52] Memory-safe programming languages.
· [30:16] Misconceptions around Secure by Design, Secure by Default.
· [32:00] The importance of vulnerability disclosure programs.
· [35:37] Antifragility in cybersecurity.
· [41:47] VEX.
· [44:29] How to get involved with CISA.
· [48:00] How does Allan stay sharp?

Notable Quotes
· “Sometimes, organizations need a good excuse to do the right thing.”
· “It is bananas that software that we use, and pay for, still delivers with it not just the occasional vulnerability, but very real risks that require massive investments from customers.”
· “When tech vendors make important logging information available for free, everyone wins.”
· “The SB in SBOM doesn’t stand for Silver Bullet.”

Relevant Links
Email: sbom@cisa.dhs.gov
Website: www.cisa.gov
LinkedIn: Allan Friedman

Resources:
Open Source Security Podcast
Risky Business Podcast
Episode Summary

In today’s episode, AppSec CTO at Palo Alto Networks, Daniel Krivelevich, joins Matt to talk about AppSec for the modern engineering ecosystem. Daniel is a Cybersecurity expert and problem solver with a proven track record from working with numerous enterprises across several different industries, with a focus on Application and Cloud Security. He has served in the Intelligence Corps of the IDF, 8200, as a Security Specialist at LivePerson, and as the Cloud & Application Security Lead at Sygnia. He is also the Co-Founder of Cider Security, which was acquired by Palo Alto Networks in December 2022.

Today, Daniel talks about how his views have been shaped by his experience on both sides of the equation, the rapid pace of software development, and the role of codification. Why is visibility such a vital part of mitigating threats? Hear about the changing role of security, the struggle with maintaining cybersecurity 101, and Daniel’s recommended sources to stay up to date.

Timestamp Segments
· [02:43] How Daniel’s experiences have shaped his AppSec views.
· [09:27] The software engineering paradigm shift.
· [12:24] The role of security.
· [16:42] Is it realistic for security to keep up with software development?
· [20:27] How the engineers’ freedom of choice impacts security.
· [26:14] The role of codification to reduce the attack surface.
· [30:21] Tools as targets.
· [34:47] How to mitigate threats of the increasingly complex ecosystems.
· [39:21] What’s next?
· [44:40] The struggle with cybersecurity 101.
· [47:03] How Daniel stays sharp.

Notable Quotes
· “The attacks that abuse the engineering ecosystem, they’re not theory anymore.”
· “The challenge is helping defenders focus on what matters.”
· “Attackers always choose the path of least resistance.”
· “Once you have that visibility, you are usually capable of significantly reducing your attack surface.”
· “It’s not the zero days that are what’s leading.”

Relevant Links
Website: www.paloaltonetworks.com
LinkedIn: Daniel Krivelevich

Resources:
AppSec for the Modern Engineering Ecosystem.
On today’s episode, CSO at the Democratic National Committee, Steve Tran, joins Matt to talk about magic, AI, and cybersecurity. As the CSO for the DNC, Steve leads their IT, physical, and cybersecurity strategy. When not defending against dedicated adversaries, Steve can be found doing “off the cuffs” performances at the World-Famous Magic Castle in Hollywood.

Today, Steve talks about how he incorporates magic into cybersecurity, his transition from law enforcement to cybersecurity, and how to mitigate risk in a fast-moving environment. What are the potential risks of using generative AI? Hear about our susceptibility to mental malware, thinking strategically versus tactically to solve problems, and how Steve manages to stay sharp day-to-day.

Timestamp Segments
· [01:21] Steve, the magician.
· [05:14] Parallels between magic and cybersecurity.
· [07:21] Transitioning from law enforcement to cybersecurity.
· [16:26] Using magic to manage mental health.
· [21:25] The DNC.
· [22:19] Decentralization and security.
· [24:59] Getting buy-in.
· [27:42] Thinking strategically.
· [29:09] Mitigating risk in a fast-moving environment.
· [36:00] AI and cyberattacks.
· [43:25] Potential issues with AI.
· [50:46] How Steve stays sharp.

Notable Quotes
· “Mental health can really affect cybersecurity professionals.”
· “Business isn’t meant to be just transactional.”
· “One of the biggest barriers to why people don’t buy into it at first is because they don’t understand it.”
· “Security issues don’t care if you don’t have a budget or don’t have a team.”
· “Once you get people to feel a certain way, you can’t undo that.”
· “There’s no better way to learn than to have to teach material yourself.”
Episode Summary

On this episode, the Co-Founder and CEO of Endor Labs, Varun Badhwar, joins Matt to talk about software supply chain security. Varun has a proven track record of building and leading enterprise security companies across Product Strategy, Marketing, Technical Sales, and Customer Success functions. He serves as a Member of the Forbes Technology Council, a Board Member of Cowbell, a Board Advisor of ArmorCode, and the former Founder and CEO of RedLock.

Today, Varun talks about open source risks, how to identify and mitigate risks, and how to incentivize the use of security tools. Where can organizations start? Hear about SBOMs, security in the Cloud, and software security best practices.

Timestamp Segments
· [01:42] A bit about Varun.
· [04:48] Identifying and mitigating risk.
· [10:32] Where should organizations start?
· [14:42] The SBOM.
· [19:51] Industry standards and best practices.
· [22:26] Cloud security.
· [25:50] Endor Labs.
· [29:52] Incentivizing using security tools.

Notable Quotes
· “Select, secure, maintain, comply.”
· “The first thing that drives a lot of security shifts is compliance.”

Relevant Links
Website: www.endorlabs.com
LinkedIn: Varun Badhwar
Episode Summary

On this episode, AWS Security Practice Manager, Chad Lorenc, joins Matt to talk about Cloud Security. Chad has spent over 20 years building and implementing security programs for numerous organizations, ranging from global Fortune 500 infrastructure teams to billion-dollar financial institutions. He has previously served as Senior Infrastructure Security Architect at Keysight Technologies, President of Montana Chapter, and Information Security and Risk Management Infrastructure Architect at Agilent Technologies.

Today, Chad talks about the roadmap to security maturity, security best practices, and benchmarking assessments. Why doesn’t AWS necessarily hire people with Cloud skills? Hear about The Five Pillars, when Cloud security goes wrong, CISO reporting on Cloud security, and Chad’s formula for personal growth.

Timestamp Segments
· [01:24] A bit about Chad.
· [03:13] Chad’s role at AWS.
· [04:03] Transitioning to AWS.
· [08:30] AWS doesn’t hire for Cloud skills.
· [10:41] Where to start.
· [13:54] Assessment benchmarking.
· [15:09] Getting to security maturity.
· [19:17] The Five Pillars.
· [24:21] Cloud security gone wrong.
· [32:14] The Cloud Center of Excellence.
· [35:15] Reporting Cloud security maturity.
· [40:54] Chad’s formula for personal growth.
· [44:50] Chad’s words of wisdom.

Notable Quotes
· “There’s no algorithm for compressing security experience.”
· “Figuring out how to integrate Cloud into your operational processes and technology is key.”
· “The key to growing fast is to prioritize ruthlessly.”

Relevant Links
Website: aws.amazon.com

Resources:
awsfundamentals.com
On this episode, the Chief Security Officer of Cloud at Palo Alto Networks, Bob West, joins Matt to discuss Palo Alto Networks’ latest State of Cloud Native Security Report. Bob joined Palo Alto Networks after more than 20 years in leadership roles with banks, product companies, and professional services organizations. Before joining Palo Alto Networks, Bob served as managing partner at West Strategy Group, managing director in Deloitte’s cyber risk services practice, managing director for CISO for York Risk Services, Chief Trust Officer at CipherCloud, CEO at Echelon One, Chief Information Security Officer (CISO) at Fifth Third Bank, and Information Security Officer at Bank One.

Today, Bob talks about the latest installment of the State of Cloud Native Security Report, the severe shortcomings in Cloud Security, and the elevated cost of Cloud Security. Why is it essential to think about security upfront? Hear about the daily mindset shift required to deploy quality code, minimizing complexity to maximize efficiency, and the significant delay in threat management.

Timestamp Segments
· [01:46] Bob’s career-changing experiences.
· [04:17] Bob’s advice.
· [11:10] The 10,000-ft view.
· [16:23] The elevated costs of Cloud security.
· [22:36] Increased deployment frequency.
· [24:54] How do security teams keep up?
· [30:44] Security tooling in the Cloud.
· [35:46] Holistic Cloud security.
· [41:18] There will always be issues.

Notable Quotes
· “Be nice to your vendors.” - Bob
· “You never know who’s going to be able to help you out at any point.” - Bob
· “You’ve got to build bridges before you need them.” - Matt
· “Common sense isn’t necessarily common practice.” - Bob

Relevant Links
Website: www.paloaltonetworks.com
LinkedIn: Bob West

Resources:
Out of the Crisis
On this episode, the Founder of CISO Evolution LLC, Matthew Sharp, joins Matt to talk about his book, CISO Evolution. Prior to founding CISO Evolution LLC, Matt served as a strategic advisor to CISOs of Fortune 500 and global institutions. He holds a Bachelor of Science (BS) in Electrical and Computer Engineering from the University of Colorado and a Master of Business Administration (MBA) from Colorado State University. Matt is a co-author of "The CISO Evolution: Business Knowledge for Cybersecurity Executives."

Today, Matthew talks about his 2012 sabbatical, walking the Camino de Santiago, and the CISO Evolution book. Why does process matter more than analysis? Hear about value creation, business negotiations, and Matthew’s formula for personal growth.

Timestamp Segments
· [02:06] A bit about Matthew.
· [04:30] Matthew’s sabbatical & the Camino de Santiago.
· [09:21] What prompted the book?
· [12:23] Why does process matter more than analysis?
· [19:08] Did Matthew’s MBA lead him down this path?
· [24:22] Value creation.
· [27:40] Standard metrics.
· [31:23] Why is it important for a CISO to know terms?
· [33:32] Negotiations and decision-making.
· [37:19] What’s Matthew’s formula for personal growth?
· [41:12] Matthew’s words of wisdom.

Notable Quotes
· “If you want to be in the room where it happens, then you have to be equipped to participate in the conversation.”
· “Ask the questions that go unasked.”
· “Don’t be afraid to go and look like an idiot in front of another business stakeholder.”
On this episode, co-founder and CEO of Cerby, Belsasar Lepe, joins Matt to talk about unmanageable applications (apps that don't support critical security standards like SSO and SCIM). Belsasar was previously the Head of Product at Impira, where he led the company's product life cycle, helping drive a 4x increase in revenue. Before his role at Impira, Bel was co-founder and CTO at Ooyala, where he led a global product, design, and engineering team of 300+ Ooyalans spanning five countries and seven offices. Ooyala achieved two successful exits totaling over $440M.

Belsasar talks about unmanageable applications, Shadow IT, and why password managers should be considered legacy tech.

Timestamp Segments
· [02:14] A bit about Belsasar.
· [04:57] Unmanageable Applications.
· [07:07] Shadow IT.
· [11:04] Quantifying the risk.
· [14:50] How to identify Unmanageable Apps.
· [17:46] Using different tools.
· [21:03] Where do password managers fall in?
· [22:53] Is passwordless the future?
· [25:29] How Cerby solves the problem.
· [27:11] A Cerby success story.
· [30:48] The future of the market.
· [32:35] Migration to Cloud.
· [35:03] How Belsasar stays fresh.

Notable Quotes
· “The first task is understanding the size of the problem.”
· “The initial point of entry is often an unmanageable application.”
· “More businesses will rely on end users for their security.”

Relevant Links
Cerby's website
Episode Summary

On this episode, Matt speaks with Senior Executive, Board Director, and leader in Cybersecurity, risk management, and regulatory compliance, Chris Hetner, about cybersecurity and the newly proposed SEC cybersecurity rules. With over 25 years of experience in the cybersecurity space, Chris has served in roles including as Senior Cybersecurity Advisor to the Chairman at the SEC, Managing Director of Information Security Operations at GE Capital, and SVP Information Security at Citi.

Today, Chris talks about understanding the proposed cybersecurity rules, defining materiality, and the importance of focusing on cyber-resilience. Where does the Cloud come into it? Hear about the cost of cyberattacks, the core risk exposures, and Chris’s formula for personal growth.

Timestamp Segments
· [02:47] Chris’s proudest moments.
· [10:00] The new proposed rules.
· [14:26] Defining materiality.
· [23:56] Bridging the language gap.
· [32:14] Focusing on cyber-resilience.
· [35:36] Cybersecurity expertise on the board.
· [41:27] The cloud.
· [45:32] The formula for personal growth.

Notable Quotes
· “Ransomware extortion is relatively insignificant relative to the overall cost of the event.”
· “You can’t outsource the risk.”
· “Realize that you’re not always the smartest person in the room.”
· “We don’t know it all, and we never will.”
This episode of the Cloud Security Today podcast welcomes back favorite special guests Jay Chen and Nathaniel “Q” Quist to unpack the latest Cloud Threat Report. Join host Matt Chiodi as he shares insights from the report and analyzes the current state of cloud security.

Beginning with an in-depth look at Identity and Access Management (IAM) in cloud security, the guests talk about the latest changes in cloud security. They discuss the report’s findings on permissions and what cloud service providers are currently doing (or not doing) to help keep cloud data secure. At the end of the episode, Jay and Q give tips on how to stay up-to-date on developments in the cloud security landscape and reveal the next projects that they’re working on.

If you enjoyed this episode, you can show your support for the podcast by rating and reviewing it and by subscribing to Cloud Security Today wherever you listen to podcasts.

Show Notes/Timestamps
[2:11] Matt welcomes repeat guests Jay and Q onto the show
[3:36] So, what’s changed for Identity and Access Management over the last year?
[8:05] Jay lays out what makes good cloud governance so difficult
[11:50] Complicating factors in cloud security
[14:22] What does the research show about permissions and over-permissions on cloud systems?
[17:28] “When you can’t figure out what to do, you add more permissions:” How permissions multiply
[20:19] Are cloud service providers helping or hindering cloud security?
[24:03] Debating the Infrastructure as Code framework
[28:13] Q breaks down the Cloud Threat Actor Index
[31:32] Q’s top five bad actors on the cloud security landscape
[35:11] Jay gives his recommendations for IAM
[39:55] How you can stay up-to-date on the latest developments in cloud security
[42:10] The next projects that Jay and Q are working on

Links
Check out this episode’s sponsor, Prisma Cloud
Unit 42 reports
IAM-Deescalate Tool
Cloud Sec List
Pockets of Innovation with John Chavanne
2022-11-21 · 38:38

Episode Summary
On this episode, Solutions Architect at Palo Alto Networks, John Chavanne, joins Matt to talk about his career of innovation. John’s career spans over 20 years at HSBC before transitioning into DevOps and Cloud Solutions at Palo Alto Networks.

Today, John talks about his career arc, transitioning to cloud, and the value of communities of practice groups. Where should organizations start with deploying a CNAP? Hear about the challenges with deploying cloud platforms, and John’s greatest accomplishments.

Timestamp Segments
· [01:30] About John.
· [02:54] John’s career.
· [05:47] What is something that cloud makes easier?
· [07:09] Transitioning from network to DevOps and Cloud.
· [10:15] Starting the move to cloud at HSBC.
· [13:15] Cloud communities of practice.
· [18:47] Sharing code.
· [21:27] John’s biggest accomplishment.
· [23:23] Prisma Cloud.
· [26:25] Organizational challenges with deploying cloud platforms.
· [29:41] Where to start with deploying a CNAP.
· [33:54] How does John stay fresh?

Notable Quotes
· “You can test things out in the cloud and the price of failure is almost zero.”
· “Innovation happens in pockets.”
· “Reduce waste and build habits that reduce waste.”

Relevant Links
Recommended reading: The Toyota Way; Kubernetes - An Enterprise Guide.
KodeKloud: https://kodekloud.com
Twitter: https://twitter.com/jjchavanne
What Serverless Can Do For You? With Mark Gould

Episode Summary
On this episode, Cloud Security Engineer at Manhattan Associates, Mark Gould, joins Matt to talk about serverless computing. Mark is a Cybersecurity specialist with a focus on the Google Cloud Platform, and is a Certified Google Architect.

Today, Mark talks about serverless computing, the security risks to consider, and working with DevOps teams. What are the top three metrics to start with for automation and security? Hear about cloud automation, Mark’s NSG alerting system, and his greatest accomplishments in recent years.

Timestamp Segments
· [01:22] About Mark.
· [02:49] About Manhattan Associates.
· [04:46] How does cloud fit in?
· [06:16] Automation in the cloud.
· [09:03] Modernization at Manhattan Associates.
· [10:18] Serverless computing.
· [14:39] Security risks with using serverless functions.
· [17:58] Mark’s NSG alerting system.
· [21:27] Three metrics for automation and security.
· [23:33] What should security teams be doing differently when working with DevOps?
· [25:43] What is Mark most proud of?
· [27:45] How does Mark continue to learn?
· [30:31] Is Manhattan Associates hiring?

Notable Quotes
· “You definitely have to pick what kind of processes you want to automate and make sure that you’re willing to put in the work to maintain them.”
· “Sometimes serverless isn’t always the cheapest option.”
· “Leaders are learners.”

Relevant Links
Manhattan Associates: https://www.manh.com
LinkedIn: https://www.linkedin.com/in/mark-gould-15a7a3149
Book Review: Startup Secure with Chris Castaldo

Episode Summary
On this episode, CISO at Crossbeam and Author of Startup Secure: Baking Cybersecurity into your Company from Founding to Exit, Chris Castaldo, joins Matt to talk about startups and security. Chris is an industry-wide recognized CISO with over 20 years of experience in cybersecurity.

Today, Chris talks about his book, Startup Secure, his move to startups from the public sector, and the different startup development phases. What should startups focus on during the different development phases? Hear about security trust centers, the top startup security sins, and get Chris’s formula for personal growth.

Timestamp Segments
· [02:03] What prompted Chris to write Startup Secure?
· [04:57] What has changed during the writing process?
· [06:47] Critical decisions throughout Chris’s career.
· [11:17] Moving from public sector to startups.
· [15:39] Startup development phases.
· [20:16] When certifications don’t make sense.
· [26:09] Mistakes in communicating to customers.
· [30:16] Security trust centers.
· [32:45] Startup security sins.
· [35:38] Chris’s formula for personal growth.
· [39:06] Chris’s parting words.

Notable Quotes
· “You’re not the target. You’re just the jumping point to that target.”
· “I don’t need to review the security of a company we’re buying desks from.”
· “You just can’t expect everyone to be a cybersecurity expert.”

Relevant Links
Buy the Book: https://www.amazon.com/Start-Up-Secure-Cybersecurity-Company-Founding/dp/1119700736
LinkedIn: https://www.linkedin.com/in/chriscastaldo