May 24, 2023

EP 28 – Safeguarding Data in the Cloud

In this episode of the Trust Issues podcast, host David Puner interviews Brad Jones, CISO and VP of Information Security at Seagate Technology. They delve into cloud security challenges, including protecting data in a constantly shifting technological landscape. Jones discusses the importance of establishing trust as a data company and implementing rigorous controls to safeguard sensitive information. Then, they take a deep dive into the evolving external threat landscape, the role of AI in security and Seagate’s cloud migration journey. Tune in to learn how to bridge security gaps, set your organization up for cloud security success and stay ahead of threat actors in the digital age.

[00:00:00.280] – David Puner
You’re listening to the Trust Issues podcast. I’m David Puner, a Senior Editorial Manager at CyberArk, the global leader in Identity Security. To scale, compete, and grow, companies are using cloud and web-based technology to modernize virtually every facet of their business. This shift is happening fast and security teams have the big and often unenviable job of protecting all the data wherever it lives.

[00:00:40.740] – David Puner
Doing this effectively means they have to understand the ins and outs of every cloud platform and service in play, and there are many. This places complex demands on hardworking cyber security teams that are already short on staff and time. Today’s guest is Brad Jones, who’s the CISO and VP of Information Security at Seagate Technology. Brad talks about the challenges of mastering cloud security on the fly, when the stakes are high and failure is the ultimate measuring stick.

[00:01:12.520] – David Puner
To go to a sports metaphor, there’s no tally of saves, just goals allowed. More than ever, security teams could use an assist with extra coverage, knowledge, and expertise to bridge gaps and set them up for cloud security success. Here’s my wide ranging conversation with a cloud security focus, with a guy who spent a lot of time in and around the cloud, who works for a company that protects and secures lots of customer data and data. Here’s Brad Jones. Brad, thanks a lot for coming on to the podcast.

[00:01:48.570] – Brad Jones
Thanks for having me, David.

[00:01:49.650] – David Puner
I guess to start things off, just to get everybody to know you a little bit, as the CISO and VP of Information Security at Seagate Technology, Seagate Technology builds data storage and management solutions, storage infrastructure really. Data, of course, seemingly drives everything. Maybe tell us a little bit about what Seagate does, in addition to what I already said, and a little bit about your team, and then how you may or may not see yourselves first and foremost as protectors of data.

[00:02:20.370] – Brad Jones
Sure. I think Seagate first and foremost is a data company. We may be mostly associated with hard drives that people may have in their personal desktops or SSD that are in their laptops, all the way up to being the primary OEM manufacturer of drives that go into other companies’ storage solutions or powering the cloud.

[00:02:45.120] – Brad Jones
At every level of it, we are providing that storage for data, and very much we believe that we are entrusted with protecting and securing the data of all of our customers, everywhere from consumers to the enterprise customers to those cloud providers, ensuring that we have products and services that are secure that protect data.

[00:03:07.070] – Brad Jones
In our products, and I should clarify that I manage probably every aspect of security, minus our physical products. Things are dealing with ASICs and interfaces. I have a peer that manages that, that has a background in that. But ensuring that everything that we do beyond the hardware is making sure there’s a focus on the people and process aspects of things to ensure that if we state that we do things a certain way, that we’re rigorous in enforcing that we do it that way. That’s how we establish that trust. That’s how we’ve maintained trust with our customers, that we are that data provider that is providing the security.

[00:03:46.430] – Brad Jones
If you look at it internally in our environments, obviously, we, like every other enterprise, generate a lot of data. A lot of that is sensitive or proprietary data, so we have to put, again, appropriate controls around that data. It really starts with… If you’re looking at data protection, it’s not a tool that you’re going to go by. It’s really a program that you have to establish. It starts with understanding what is your critical data, aligning it with a data classification standard, and then mapping those controls that you want to put in place to that different level of sensitivity of data, understanding what’s the risk of that data getting to different places or getting out in the external world.

[00:04:29.140] – Brad Jones
As we’ve established our data protection program, we first started with that data classification, understanding what our critical data was, what’s the sensitive data, be it internal Seagate or customer or employee data, and then really building our control program around that. I partner very directly with our legal team on our data protection. It has a clear blend towards data privacy, which is more governed by laws and regulations. I think one of the most important things is you have to have your stakeholders that are the data owners involved in this. It’s not something one team can go do for the rest of the company. It’s something that everyone has to be participating in to make it successful.

[00:05:07.730] – David Puner
How do you balance your focus on external and internal threats?

[00:05:12.160] – Brad Jones
Sure. I think we’re probably right around 15,000 knowledge workers. That probably jumps up to, say, 35,000 if we include our factory workers. When you have knowledge workers or maybe doing day to day, the traditional folks that you think are dealing with email or interfacing with your corporate systems, that’s a very different risk than if you have factory workers that are coming in and maybe have higher turnover rates but yet have to touch a piece of equipment in your factory.

[00:05:41.270] – Brad Jones
We have to look at different ways that we control or set boundaries or blast radius, if you will. What a corporate user is able to get to an environment is very different than what you can get to a factory environment. We’ve had to do a lot of segmentation and put those controls in place. The question about how we view the risks internally versus externally, I’d almost say you have to say it’s 50/50. Because your internal users, it may be malicious, but it may be inadvertent.

[00:06:09.710] – Brad Jones
Back in 2008, I believe, before I joined the company, we had our W2s that were sent out. A malicious actor sent in a phishing email and someone who had access to that sent it out. It’s not always the intentional malicious insider. It’s the unintentional one that can be just as difficult. If you look at the vast majority of breaches, it’s usually opportunistic that it’s an employee clicked on a link or fell for some scam where they actually called a phone number and downloaded something because they’re panicked that someone had their credit card. If you don’t put the right controls to limit what employees can do, basics of role-based access, limiting abilities, least privilege rights in the environment, you leave yourself open to that.

[00:06:56.200] – Brad Jones
On the external threat side, that’s a constant war that’s going on. The big topic at RSA last week was generative AI and how that’s going to be leveraged by the threat actors. It’s a constant arms race of constantly looking at what’s going on out there. Our threat hunting team is very focused on what’s out there in the news, taking that internally and saying, “Hey, would this apply to us? Do we have preventative controls in place? If not, would we be able to detect this activity going on?”

[00:07:25.300] – Brad Jones
I think the most important from the external side is you have to know your environment better than any threat actor can. You should know your environment better. You should know where your weaknesses are and know when there’s the next Log4j. You need to quickly know where that is in your environment to quickly make an assessment and quickly be able to take action.

[00:07:46.620] – David Puner
What takeaways did you come back from RSA as far as AI and security goes?

[00:07:53.420] – Brad Jones
At RSA, I was able to have a session with some of the folks at NVIDIA that run their AI program that works very closely with their security team. I think they see it as a force multiplier, something that we should be leaning into. I’m very much in that same mindset that something we should be leaning into rather than just putting up blocks, “Hey, it’s something new, different, throw up the firewall.”

[00:08:17.230] – Brad Jones
However, it does require, like everything, guardrails and guidelines to be put in place. Now, there’s some of it that may come through regulations. We’re working with our legal team right now to define what’s appropriate use of it. But I also have to stress to people, ChatGPT is a newer interface into something that’s been evolving over time. When you’re doing a Google search or you’re putting input in your phone, there’s machine learning and AI that’s built into many of the things that we do on a daily basis and don’t worry or think about. It’s just a new interface that’s packaged a number of things together.

[00:08:54.850] – Brad Jones
I think we are certainly in an inflection point with AI that I think it’s going to be the next revolution. I think it’s going to be helping people work smarter faster. But on the same train, the threat actors can work quicker, faster, more efficiently. I think one of the things, as security professionals, we have to do is to get into more of that mindset. The threat actors quickly adopt new technologies, new techniques, and we have to be thinking and be open minded to all of these things on a regular basis.

[00:09:28.210] – Brad Jones
One thing that we’ve already started using it for is things like, hey, if we need to write a new policy, we can get it 90% of the way there in 30 seconds, and then we just have to do the fine tweaks. I think it’s those opportunities. I think the concept of agents in the AI that you can start building pipelines and go off to different networks to get different pieces of enhancement of data along a pipeline is very interesting.

[00:09:57.290] – David Puner
As you said that legal teams across the world build one trillion hours dedicated to trying to figure all this out from their end, so yeah, really interesting. How have you seen the external threat landscape evolve over the last few years? How do you keep up with threat actor innovation, which, of course, we were just talking about in terms of AI?

[00:10:17.740] – Brad Jones
Security teams have to keep up and keep pace, which is hard, especially if you’re dealing with nation states. Now we’re seeing some of these criminal threat actors with as much funding and resources as traditionally we’d only see in nation states. Certainly it’s an evolving threat landscape that is difficult to keep up with. Security teams are not measured by how many times they blocked, it’s how many times they failed. Whereas on the other side, it’s how many times they were successful only.

[00:10:48.090] – Brad Jones
AI is something that we’re looking into of how we can leverage that internally. Going back to the concept of data, over the past two or three years, our team being the root of trust or source of truth for data in our environment of what’s connecting to the network, what’s the compliance status, checks and balances on controls other teams have stated are in place has been key. We have a team that’s dedicated to maintaining that data. The more data we collect, the more insights we can get. I think AI is one of those things that’s going to help us accelerate that learning out of that data that we collect.

[00:11:26.240] – David Puner
Before we move into cloud security, I have a very important question for you. It is this, is it data or data?

[00:11:35.610] – Brad Jones
[crosstalk 00:11:35] I think it’s data.

[00:11:36.400] – David Puner
Okay.

[00:11:36.430] – Brad Jones
I am originally from England, so my parents would probably say data, but I say data. I’ve lived most of my life in California, so that’s what I’ll stick with.

[00:11:47.020] – David Puner
Because I’m finding myself using it interchangeably without even thinking. I’m glad to have some guidance on that. Is it a Nevada, Nevada thing, and where do you stand on that?

[00:11:55.830] – Brad Jones
Nevada, I guess is what I would say.

[00:11:57.440] – David Puner
Okay. All right.

[00:11:58.500] – Brad Jones
There are certain words that I still get called out for saying so. I don’t say, been. Have you been there? I say, “Have you been there?” There are certain things that were ingrained in too early in my time in England that that’s how I say things.

[00:12:12.910] – David Puner
Okay, well, if you really want to get confused, you should come visit the Boston area and we’ll throw a whole bunch of new variables your way. Cloud security, why don’t we start here? What’s Seagate Technology’s cloud migration story? What does that look like from an attack surface standpoint, or how do you manage the intricacies of all of this?

[00:12:36.030] – Brad Jones
We’ve had a couple of different forays into the public cloud infrastructure. Right when I joined about five and a half years ago, my boss, we were on a big initiative to shut down a number of our data centers and move to the cloud. I think what we saw is, probably was somewhat predictable, that if you don’t optimize your workloads for the cloud, if you bring big monolithic boxes of applications over, the financial aspect doesn’t make sense. You have to be thinking more cloud native services, micro services, and really leveraging the resources in the cloud.

[00:13:10.610] – Brad Jones
Actually, that spurred… Getting out of the cloud and realizing the resistance that you get pulling your data out of the cloud actually led to us creating our live cloud object-based storage as a service. It was interesting that our foray into the cloud and getting out actually spurred a line of business for us. But we have presence in AWS, Azure, GCP, Oracle Cloud, the OCI. Maintaining controls around that really starts with establishing your base controls before you go into the cloud. You have to set up identity access management. You have to establish your roles. You have to establish guardrails and guidelines before you go in.

[00:13:53.780] – Brad Jones
In all of those environments, we’ve set that up and made… That is one of the prerequisites before opening that up to our IT or other developers to get into those environments, as well as establishing clear guiderails and guidelines. There’s like, hey, you can spin up a machine, but you can’t spin up an external machine without coming through us. You can’t change the network settings without coming through the security team, but you can leverage all the S3 storage you want in Amazon, for instance.

[00:14:21.030] – Brad Jones
As much as possible, we’ve been driving [inaudible 00:14:22] to get aligned with more infrastructure as code. The more that you document, here’s our standard, because we know it’s infrastructure of code, because we’re doing it through automated fashions, it’s done the same secure way every time. Now, that’s easier said than done. The good thing about clouds, it’s easy to spin something up and get something going. It’s also the bad thing because it’s easy to set it up the wrong way very easily, and it often takes a lot more work to do things the right way.

[00:14:50.760] – Brad Jones
I always encourage my team to do the right thing rather than the easy thing. Setting up lease privilege in something like an Amazon environment where they have a guide that says, “You need to enable these permissions to make this work.” Invariably, you’ll run to say, “It’s still not working.” Going through and trouble shooting what other small permission was missing out of their document versus, “Oh, we’ll just give it full admin rights and it will work.” It’s a very different amount of work and oftentimes teams go the easier path rather than the right path.

[00:15:22.350] – Brad Jones
Doing cloud is no less secure in my mind than an on premise data center. I think there are certain advantages to it. Some of the automation or visibility you get in a public cloud infrastructure is a lot better than you can do in an environment where people can go physically touch stuff or plug-in directly, take that foray into the cloud.

[00:15:41.720] – David Puner
You mentioned a lot of things that touch upon the blog post we recently published on the CyberArk blog called Cloud Identity Security: It Doesn’t Taste Like Chicken. In that article, the author, Charles Chew, who’s our GM of Cloud Security, he writes that we have to work hard to put aside our natural tendency to compare cloud security to securing on premises infrastructure, just like, okay, tofu may taste like chicken, but it’s not at all like chicken in reality, and that we must think about the cloud for what it is, rather than making assumptions from previous experience to design proper security controls. All this is a long way of asking, how do you approach securing your different infrastructure environments, both cloud and on premises, and do you take different approaches when it comes to securing access in the cloud?

[00:16:32.980] – Brad Jones
I guess I’ll differentiate between cloud services that are more infrastructure services versus SaaS applications. In our infrastructure services, where we’re spinning up machines that are only accessible internally to Seagate in Amazon or GCP, that we’re still managing the machines, it’s only exposed internally, a lot of the traditional controls still apply. Do we have the right endpoint protection? Do we have the right authentication, authorization mechanisms in place? Are we doing vulnerability scanning? Are we reporting out on compliance and making sure we’re keeping on top of that?

[00:17:07.320] – Brad Jones
As you get in more of the SaaS space, the identity starts getting less like person accessing machine to identity is being granted to different applications. Keeping a control on that is difficult because they’re not necessarily coming through our firewall to share information or get that access. It’s a couple of clicks in one console and you’ve opened up the access and granted rights to another application to act on behalf of a user or the entire organization. There’s a lot of danger there.

[00:17:40.640] – Brad Jones
On the traditional IAS space, we have the CSPM vendors that has got a little more commoditized that will let you know if you’ve done the dumb thing like expose an S3 share or you’ve got inbound SSH enabled. I think that is pretty well understood. I think in the SaaS security posture management, there’s a new market that’s opening up for that, that are vendors giving you that visibility of, “Hey, what are the security posture risks that you have there,” as well as getting a lot of data on activity.

[00:18:16.140] – Brad Jones
I think one of the challenge for security teams is a lot of these SaaS or even platform as a service plays, you have to be an expert in that platform to do it by yourself and understanding what’s good or bad. There are vendors now in this space that are giving you the easy button to say, “Hey, here are the known bad things that you have configured in your environment.”

[00:18:37.360] – Brad Jones
I’ll take Salesforce as an example. There’s people that their entire world and training is just on that platform. Just like every other platform, constant changes and nuances to implementation or new features coming out that you have to be abreast of. That’s the challenge for any security team, regardless of the size, to have the expertise in those areas. This is one of the areas where I think you have to look to third party vendors to help you out on that unless you have an unlimited budget of resources, which probably not every company or not many companies out there have that for their security teams.

[00:19:10.780] – David Puner
Is this similar to the difference between securely accessing the cloud versus secure access within the cloud?

[00:19:19.340] – Brad Jones
I think secure access to the cloud of how you think of users getting to applications is a different solution set and set of controls than thinking about how data flows between different cloud services. You can set up very easy conditional access controls for your users to say, “Hey, they must come through our VPN,” or, “They must have this certificate installed.”

[00:19:44.550] – Brad Jones
When you’re setting up, say, cloud to cloud data flows that could be between your HR system and a payroll system, you have to be looking at both ends of that to understand what controls on that data and those identities are in place. Every one of those services you add is another data point or environment that you need to have visibility, but not only into the controls and the posture, but the activity going on there to be able to detect if something bad is going wrong.

[00:20:13.500] – David Puner
When thinking about cloud security and both human and non-human identities, so services, micro services, or machine identities, what do you take into consideration when you think about securing the identity of human and non-human access in the cloud?

[00:20:27.900] – Brad Jones
I think it’s an easier one to get a grasp on that translates somewhat… I’m talking from our enterprise access into our cloud applications, that known identities are tied directly to a single user that we can put good controls around where and how and what time they can access those resources. We can tie things like multifactor authentication to that to ensure it is who they say they are and other sorts of check and balance controls there. If you get into this zero trust idea, you can continuously evaluate that identity and authorization to services or applications.

[00:21:09.050] – Brad Jones
The non-human aspect is more difficult to control. One, if you set up, say, your O365 environment and you don’t explicitly prevent people from adding those services, people can pull plug-ins and other services and start acting on their behalf. If you don’t have a tight visibility and controls around that, that can quickly snowball. Some of the breaches we’re hearing now are not from the end-user identity. It’s more of these machine or non-human identities where the bearer tokens have been stolen and they’re acting on behalf of that user and the user granted them, perhaps. There was some great little tool that helped them put a GIF image in their emails as it went out, yet it gave them read access to their entire mailbox and, hey, that was a pretty important person and now your sales figures or your financials are exposed as a result of it.

[00:22:03.690] – Brad Jones
It’s not always the volume of data. It’s the sensitivity of the data that could be accessed through that model. It could lead all the way to compromise of bigger things. If you had your Azure Active Directory or whatever your IDP compromise the result because that one user happened to be one of your domain admins, that could lead to catastrophic implications for a company.

[00:22:26.450] – David Puner
You recently wrote an article about cloud misconfiguration breaches. How is cloud misconfiguration a major data and security privacy challenge?

[00:22:35.430] – Brad Jones
The ease of getting into it with a credit card, and it may not even be managed through your corporate procurement perspective. It could be an employee just thinking, “Hey, I’m trying to optimize or be more efficient. I’ll spin this up,” and they start moving data off there. It can be a huge source of data breaches. It seems almost every month there’s some new person or new database that was found exposed.

[00:23:01.520] – Brad Jones
I think the most important thing that you can do is set those guardrails and guidelines, set up your role access appropriately. If you can automate and say, “Use cloud formation templates or what have you,” and you treat it more as your code and you make your decisions of what compliant, what good looks like, and you ensure that that happens, it’s way better than clickety clickly on a gooey and exposed thing. The more that you can take the human aspect out of it, the better.

[00:23:31.180] – David Puner
You’ve been in your CISO role with Seagate Technology for around five and a half years. How has your role of CISO evolved during that time? What were some of your biggest challenges then and what are some of your biggest challenges now?

[00:23:44.360] – Brad Jones
I always say five and a half years, but it feels like 10 or 15. Certainly, the role of a CISO is a stressful one. As I said earlier, we’re not measured on successes as much as we are on failures.

[00:23:57.300] – David Puner
Nobody sees those successes, really. That’s one of the rugs of the whole thing.

[00:24:02.330] – Brad Jones
It’s important to try and recognize, especially with your employees that are doing the work, to ensure that there is recognition on that. But I think one of the most important things coming in, I didn’t see it as a challenge. Before I came in, I had a sit down with the CEO and the CFO, and one of the most important things to me was that security was important and a priority for them. I didn’t want to come into an organization where I was trying to convince them that security was important. If anything, they’re pushing me to be more aggressive in implementing controls.

[00:24:32.530] – Brad Jones
The challenges at Seagate are probably similar to most manufacturing companies. We’re a technology company, we have labs and engineers, and we have production factory environments. Putting appropriate controls and finding the balance of productivity versus security controls is something that we’re continuing to evolve. In previous companies that I worked at, our IT group managed entire engineering environment. I tend to speak the language and understand what they want to do. I have a team of people that have been in similar roles. When we’re working with them, it’s not like we’re coming in with no understanding of how they write code or how they interface with a compute cluster or things like that.

[00:25:15.840] – Brad Jones
We speak their language and we can talk about, “Hey, here’s our goals, here’s what we’re trying to protect. How do we work together to define controls that allow you to do your job but also protect the environment?” Our manufacturing environment, like any other manufacturer, is challenging with operational technology. You buy very expensive equipment that has a lifespan of 20 years, the manufacturer is gone and it’s still got embedded Windows XP or older in it.

[00:25:44.300] – Brad Jones
Those are things that you traditionally say, “Hey, you’re going to buy the latest and greatest endpoint protection and it’s going to work on that.” You have to come up with compensating controls to say, “Hey, we’re going to allow these things to continue to work, but we have to put more rigid controls about what can access it, what it can access, to reduce that blast radius or put those compensating controls in place.”

[00:26:05.400] – David Puner
What does your team look like and how do you address fatigue and burnout among the team?

[00:26:12.660] – Brad Jones
My team is relatively small. We’re about 35 people. But as I tell people, most of the times, we’re not the one doing the things. We’re more influencers. My role is more of a risk advisor, risk educator. One of the most important things for a security team to do is ensuring that the company is nailing the basics. Things like your identity access management, your vulnerability management, keeping your software up to date is one of the most important things. It’s not sexy. You’re not bringing in some cool tool, but you have to continuously do it.

[00:26:47.360] – Brad Jones
Certainly there’s a fatigue that we see just on our operational folks outside of my team that we have to patch again this month. These are the basics. These are how people get compromised. My team is usually the ones interfacing with them. There is certainly a level of fatigue of constantly arguing or constantly being the one to give them bad news. It’s hard for us to be the solution provider or come up with some, “Hey, we’re going to make it easier for you to do your job.”

[00:27:17.920] – Brad Jones
The alert fatigue is a real problem. We talked about external threat actors. You have to be keeping up on a daily basis. What’s that new critical exploit out there or zero day? Does it apply to our environment? We do a lot of work on internal incident response and rotating people around different roles, such that, one, they’re familiar with different tool sets that we have or different data sources, but they’re always not doing the same thing every day.

[00:27:45.570] – Brad Jones
The retention in the security industry is a real problem. It’s a constant challenge to keep people motivated. We do a lot of interactive meetings where we recognize the work that this team is doing, we recognize the progress that we’re making, recognize that there seems to be always more work in front of us than behind it. I tell my team, I don’t know if it was my father or someone else told me, “Hey, you’re going to fail at something every day. You need to make sure it’s not the most important one.” There’s hundreds of things that we don’t get done every day, but it can’t be blocking that adversary from getting in or diving into that zero drain and understanding if we’re exposed or not.

[00:28:23.420] – David Puner
That’s a really interesting way of looking at it. As a CISO, what’s your view on how to build a strong relationship with the board? Are there steps CISOs can take to understand where the board is coming from, what they need to understand, the gravity or urgency of emerging threats?

[00:28:39.340] – Brad Jones
I report on a quarterly basis to our board, and we’ve established a pretty good cadence and format in which we report threats, risk, et cetera, for our environment. I’m lucky in that I have a technology leader, a CIO of another company that’s on our board that I’ve been able to partner with. He’s helped shape what we want to present, but also helped convince the other board members this is the right thing to be looking at. He’s my advocate when we’re in the meetings. Half the time before I can even explain something, he’s jumping in.

[00:29:14.730] – Brad Jones
I would advise the people is find that person on your board, reach out, have meetings outside of the board meetings. The most important meetings I have are the two or three meetings in between our quarterly board meetings. I have a 30-minute conversation with him. Most of the information is shared there. It’s almost like a formality when we read out to the full audit committee. Finding that peer or mentor on the board that can help shape and help be your advocate, I think, is one of the most important things.

[00:29:41.350] – Brad Jones
The challenge with any board, though, is you’re going to have people that are not technology experts, that don’t understand security, and you don’t have hours with them. Usually, you have anywhere from 15-45 minutes, and that’s not a lot of time to educate anyone on anything, let alone then give them a status on that and then give a summary at the end.

[00:30:00.180] – Brad Jones
I try and use a lot of out of band things, so we’ll prerecord. We use Brainshark to do prerecorded presentations where I’m dictating to it to say, “Hey, I’m going to tell you about four different technologies.” I’ll do eight minutes on each of them. We don’t need the in person time, but it will give you some education. That also helps if we have new board members coming on. I could say, “Hey, here’s a back catalog of things. If you want to learn about any of these, I’ve given an eight-minute quick talk about how we manage network access control or how we’re focusing on identity and access management protections and controls.”

[00:30:36.680] – David Puner
What about ROI? I assume that’s got to come up in these board meetings. What can other CISOs take from your experiences there?

[00:30:44.270] – Brad Jones
I think ROI is a very difficult thing to measure in the security world, much like insurance. Is your car insurance worth it? Yes, if you have a crash. If you don’t have a crash, the ROI maybe hasn’t been there. I think we look at a lot of things like benchmark data of what other companies are doing, what their spend is, and we have to put everything in the context of risk. If we don’t do this, this is the risk, and maybe the board can say, “We’re accepting of that risk and we’ll document it and move on.” But for the most part, when we come and say, “This is needed, this is important. We’ve prioritized what we need to do. These are the next most important things we need to work on,” generally, there’s not a push back on that. Oftentimes, it’s how do you do more faster, quicker?

[00:31:26.910] – David Puner
What do you see as the next big challenge for CISOs on the horizon when it comes to digital first business and ongoing modernization efforts?

[00:31:35.220] – Brad Jones
It’s important that you get involved early on in design architecture processes that you have the ability to put control gates in there. This is the old concept of shift left, but it’s very true in this exhilarating world that you can’t be everywhere. You need to be building the knowledge, education, and advising them of the, “Hey, these are the right things to do.” You should be validating your code right when it’s checked in, not when it’s about to be pushed to production. I think that’s one of the most important things is make those relationships in your different business organizations that you’re involved and seen as an advisor, not a roadblock to what they’re doing.

[00:32:16.840] – David Puner
Brad Jones, thanks for coming on to the podcast. It’s been really fun.

[00:32:20.800] – Brad Jones
It has been, David. I appreciate it.

[00:32:31.860] – David Puner
Thanks for listening to Trust Issues. If you like this episode, please check out our back catalog for more conversations with cyber defenders and protectors. Don’t miss new episodes. Make sure you’re following us wherever you get your podcasts. Let’s see. Oh, yeah. Drop us a line if you feel so inclined, questions, comments, suggestions, which come to think of it are comments. Our email address is [email protected]. See you next time.