Summary
YL Ventures and Scale Venture Partners hosted a Cyber Week 2021 Fireside chat where Wendy Nather, Sounil Yu, Ryan Gurney, and Ariel Tseitlin discussed the cyber industry challenges and trends. They talked about the burning challenges and the basics that CSOs are still struggling with, and how ransomware attacks undermine our ability to recover. Other topics discussed include new approaches to dealing with ransomware and startups focused on compliance and identity.
Highlights
- π Burning challenges for CSOs are the same basics that arenβt easy to carry out.
- π€ Ransomware undermines our ability to recover and poses a catastrophic threat that requires new approaches.
- π‘ Startups focused on compliance and identity are the exciting areas for investment and addressing core security problems.
- π Startups must be passionate about what they do, and their solutions must solve a core cybersecurity problem.
- π GRC compliance security issue is still a challenge, even today.
Transcript (raw)
(00:00) [Music] crazy here all over the world it’s been also a crazy year for us in wild ventures and the entire cyber security community i think i don’t have to tell anybody is here what a crazy year the cyber security industry experienced i can tell you from our perspective uh been super busy we’ve done three new investments um
(00:28) i think that all of our all of our new uh portfolio founders are here so thank you uh for joining us um our existing portfolio companies grew significantly lots of follow-on rounds so uh it’s been a very good year for wild ventures for us and it wouldn’t have been possible without you the israeli ecosystem and
(00:51) our partners in the u.s including the panelists that uh you’re gonna hear about soon so uh i would like to express our gratitude uh and thank you everybody for being here and for uh for supporting us all right so uh without further ado let’s start the panel and i would like to hand over the mic to uh mr andy alice
(01:13) operating partner in our firm former uh cso of akamai andy take it from here thanks zelfair and i’m gonna bring up my panel and so i don’t botch everybody’s names we’ll have everybody come up at once so thank you all for coming out today i’m going to start by having each of our panelists introduce themselves with just
(01:33) a brief bio no like 20 minutes sunil uh and that way you’ll have a feel for where their answers are coming from as we talk about some of the challenges that are in the security market today so uh we’ll begin with sunil sure so hi i’m sunil yu i’m the former cso in residence at wyo ventures as a wonderful job and a well
(01:57) known for opportunity i’m currently the cso at jupiter one and before that i was the chief security sorry chief security scientist for bank of america and remind us what jupiter 1 does jupiter 1 is a cyber asset management platform thanks wendy hi i’m wendy nather i use stop that i i started as a cso i worked for a
(02:22) swiss bank and then for uh state government in texas i’ve been an analyst for five years i ran the security practice at 451 research where i met a lot of you i think uh last time i helped to stand up the retail isac the intelligence sharing and analysis center and now i lead a team of advisory csos at cisco and for those of us who aren’t
(02:44) familiar with cisco remind us what they do we make the bits go hi there uh i’m ryan gurney i’m the new cso in residence for a while i took sunil’s job um i was formerly a cso at google in a division of google uh cso at looker which is a data analytics platform and then uh the first cso at zendesk which is a
(03:07) customer support platform thank you hey everybody ariel zeitlin i’m a partner at scale venture partners um we’re thrilled to be co-hosting this with uh yl and this for very first at least for me and maybe for you conference since rsa in 2020 which is awesome um scale venture partners is an investor that’s um based in the
(03:31) san francisco bay area we invest in early in revenue enterprise software companies that are ready to scale hence the name my own background is largely on the operating side i won’t bore you with all the details but my last role was at netflix where i was in charge of building out the cloud platform team and the streaming
(03:50) operations group and then got recruited into scale to invest into infrastructure and i thought it was going to be just infrastructure but then i made the mistake of telling them that i know a little bit about security and then i became the security guy at scale too so a lot of my investments have been
(04:06) security but i don’t pretend to be a cso excellent but you are a chaos monkey that’s right excellent so so wendy i want to start with tossing you a question because you talk to a lot of csos probably more than the rest of us combined on a regular basis so what do you find to be the most burning challenges that csos are
(04:23) currently facing wow the most burning challenges um you know a lot it sounds like you would think that there would be new challenges but as far as i can tell a lot of them are struggling with the same things the same classic things things that we call the basics that actually aren’t very easy and uh of course you know things have
(04:43) been more difficult to carry those out in the last year or so but there’s no real science project that you know they’re they’re turning their attention to they’re still trying to do the basics okay anyone got a commentary on that difference agreement no i think if you look at all the kind of the ransomware stuff that we’ve seen
(05:05) it kind of highlights that some of the basics are still not in place right which is pretty depressing for what we spend on security actually well i want to take that ransomware question then let’s let’s run with that you know because ransomware campaigns today feel a lot like ddos did about 10 years ago you just ran somewhere with
(05:24) that [Laughter] well done so how doomed are we and not just from ransomware but from wendy’s puns and uh so what should csos be focused on to tackle this challenge so your question is um how is ransomware different than ddos i would say categorically they’re actually not in that the way i characterize a
(05:47) ransomware attack it’s a recovery oriented attack something that undermines our ability to recover a denial of service is also one that hinders our ability to recover one operates on the network domain adidas another one operates on the data domain ransomware i think we’re basically seeing the uh first signs of recovery-oriented
(06:11) attacks that undermine our ability to recover so beyond just data oriented and networking oriented attacks we’re going to have situations where we can’t recover our endpoints because our firmware is bricked we’re going to have situations where applications can’t be recreated or rather it’s gotten to a point where
(06:30) we can’t reboot deploy our application again because our code has been completely wiped out okay so i think there’s going to be situations where there’s additional escalation on this front to get to us get to a point where we have trouble respon recovering from these types of catastrophic irreversible events
(06:49) that sounds pretty pretty doom and gloom there i’m an optimist and you’re the uh well actually i think arielle has to be the optimist so we’re gonna i wanna see if ariel’s got a solution for us like is there something you’re excited about in this space from an investment and scale perspective or is there something else you think
(07:10) that startups should be focused on from a science project perspective you’re asking my ransomware specifically if you’ve got a ransomware or if you want to just dodge that and go to somewhere else i’m not going to hold you hostage i mean i i can tell you an interesting you know a couple of interesting
(07:24) companies i ran across that deal with ransomware specifically um and um you know i won’t share the names but but their approach was actually fairly novel where what they were doing was taking every endpoint and um treating it as a slash 32 network so essentially isolating every endpoint on its own and
(07:43) obviously you can imagine the management nightmare of dealing with all of those subnets and that’s their magic and so their claim is um even if you get ransomware on any of your endpoints it’s not going to be able to travel anywhere because it’ll have to talk to them in order to move and they’ll be able to
(08:00) identify that so that was an interesting clever solution but then in terms of you know broader themes uh in security that i’m i’m excited about um you know there’s a couple there’s a couple of areas that i’ve been spending time that i think are are interesting um one is there’s been a crazy amount of startups that have been
(08:19) founded in the last couple of years that trying to deal with the compliance problem in any way where you know a lot of the companies that probably you know founders here are our founding you know need to get that sock to stamp in order in order to have validation and approval from customers and you know now there’s a whole bunch of
(08:36) companies that um that give that to them that i don’t think is very interesting or exciting because that i think that’s going to be commoditized but then taking that and then thinking about how that expands into what the next version of grc looks like where you’re actually able to bridge what the compliance needs are with what
(08:50) the security needs are in a single platform which i know you you laugh but that’s been you know that’s been the promise for decades and i think you know in the next decade i’m hopeful i’ll deliver on it um so that’s one area that’s really interesting and then another area that’s very interesting is identity
(09:06) and specifically around managing you know i think authentication you know duo kudos um and and you know octa and others i think did a wonderful job with authentication uh problem but the authorization piece is still you know very very complex and it’s not just because it’s a complex problem it’s because we don’t have
(09:24) frameworks or platforms to build that on top of so that’s another it’s really interesting area within identity i only laugh about the grc compliance security issue because i had to build my own technology to do it only for us and so i’m still waiting for someone to sell that yeah so uh ryan like when you’re talking to startups
(09:45) because you’ve probably have been the most cso places like what what is the filter that you use when talking to them either from a product or a people perspective that makes you say like this is a startup that i’m interested in working with yeah i think it first comes down to how they approach me and my team but
(10:04) also the founders their passion for what they’re doing and is it going to solve a core problem that i have so i think about it from a can i replace a tool or multiple tools with this do i need to hire more people to manage this or is this going to allow me to to reduce potentially my head count and then is it is it something that’s
(10:26) innovative that i can scale with the companies i was i was with were very sas oriented it has to scale it has to be able to manage to that scale and growth we’re experiencing mine’s easy yeah i use the cyber defense matrix for those of you not familiar sunil is the author of the cyber defense matrix
(10:48) so i’m glad at least he uses it but there was something you said in there ryan you said it depends on how they approach me that i actually do want to tease a park we have a lot of people who are startups here and so i’m going to ask everybody because all of us have been buyers so i want everybody to give me
(11:05) one thing that a startup should never do in approaching a potential buyer what’s the worst thing or the one thing you tell people don’t ever do this i would say go above my head i don’t appreciate that when they go to the ceo and then or the board and i get pressured from the board or the ceo to use the product
(11:24) yeah when i was an analyst i would talk with startups and i i okay i’m gonna have to be honest here uh because most of the israeli startups that i would talk to said we are the first or we are the only to do something and that just made me want to prove you wrong and nine times out of ten i could so don’t approach with that line yes let
(11:45) let me decide either as the analyst or as the buyer whether i’ve never seen this before and i’ll be honest if i do i would say my number one would be don’t claim that i will get breached if i don’t use your product i hate that one yeah and i have i mean a twist on that which is don’t show me my you know where my
(12:08) breaches are without me giving you permission right so don’t go and scan everything and tell me here’s where you know everything is broken because that generally doesn’t work i was going to go with a variant of that one which is don’t tell me you’ve done it but that you’ll only show me if i take the meeting like
(12:25) if you’re gonna tell me i’ve got a problem just tell me what it is okay thanks that’s because that’s an important one like startups need to get their foot in the door and not slam it on them uh so let’s let’s come back over to wendy and and you know arielle talked about sort of automating grc down which means there is some
(12:43) innovation to be had there but what are the other places when you think about automation that in cyber security operations should really move out of the people space and into the technology space oh that’s a good question uh it’s my feeling that automation works best when it is um when it is specific
(13:04) when it’s transparent and uh when when it it has commitment in other words you have to be very very specific as to what you want the automation to do and you’ve got to be very sure that you wanted to do it all the time you can’t you know go in and say no no we didn’t want it to do that and there are a lot of there’s a lot of
(13:25) exceptions that have to be handled in a real world organization and it has to be transparent everybody has to be able to understand what that automation is supposed to do what inputs it’s taking what it’s basing its decisions on and then you have to have commitment you have to be able to set it and let it
(13:42) run because if you’re coming back to mess with it every couple of weeks it’s not really automation yeah to add to that i i actually proposed an automation like a decision framework for when it’s okay to automate so it has several of the points that wendy had the way i just stated it is it’s tightly scoped um
(14:00) it’s the transparent piece uh in terms of just knowing what you’re automating in the terms in the in the context of being very deterministic you know what’s going to happen and what the decision points are there’s accountability if something goes wrong um and anyway there’s all these different pieces that i have captured to
(14:19) talk about when is it okay to automate uh and one of the other key pieces that would also add is it needs to be reversible so if you’re going to automate something make sure you have something that allows you to reverse it as quickly as possible hang on i got to take some notes here just look at the cyber defense matrix
(14:35) and you’ll you’ll be good so yeah 2020 was an interesting year in a lot of different ways and i think some people think it was very transformational and some people think it was just a pause so for each of you what’s your take on that like you know sunil we saw you know ransomware big breaches solar
(14:55) winds like do you think that’s going to cause a change you know ariel do you think there’s a change in what people are going to invest in and what scaling needs are out there so sort of everybody sort of take their their pivot on how does 2020 2020 affect the rest of the decade well i think what have we seen right i
(15:14) think we’re starting to see people come back to work a little bit but work is going to be different um this idea of remote work is going to stick around for a while and from a cso standpoint that’s probably a good thing we need to move to that direction i think you’re all probably challenged by recruiting talent
(15:33) if we can disperse talent it’s probably better for technology in general but i think that’s an area of remote worker and remote locations and broader locations where our data is that we’re going to have to tackle more i um i don’t think it changed anything honestly i don’t think um like i don’t think anything new is
(15:56) happening now that wasn’t happening before but i think that certain trends got accelerated massively that’s one right that you mentioned which is the remote work and you know you’ve had companies like google for example right that was already doing um you know zero trust and and all that for you know many years now everybody’s
(16:14) got to deal with it you’ve had digital transformation that every cio was tasked with for the last decade and they were kind of taking their slow time doing it and after covert that just like shot through the roof because they couldn’t access their data centers anymore and they had to like you know most of them moved to the cloud
(16:31) and so i don’t think any new trends were created but certainly the acceleration of those ones that have been you know going on for some time happened then i think is going to is that’s something that’s going to stay i think there’s going i think there’s a massive change underway simply because of the fact that
(16:50) everybody had to go home and work remotely almost all the network security controls used to be in the data center and you would assume that all almost all traffic started there now everything is tromboning from wherever the end user is into that data center and then back out again to a sas application
(17:07) and that’s just too much latency and so sassy was born the idea that okay let’s take these same controls and the network service and let’s move it out to the cloud so we can move it to pops that are closer to where our users are i have a feeling that’s still not going to be enough because organizations that want to
(17:26) control the entire network stream and all the security are still going to be seeing latency but that you don’t have to do that with everything you can um you know perform end checks without having to control the network and if you let that part go then the latency is not as much of a problem so i think we’re going to see
(17:47) architectural changes that are based on this problem so about six years ago i made a prediction that the 2020s would be the age of recover or the age of resiliency um this was six years ago so 2020s one of the first things we face is a worldwide business continuity and disaster response activity that fortunately wasn’t as catastrophic
(18:15) as it could have been and so i believe that we are all stronger as a result of this recovery-oriented activity that we’ve done and whether it’s ransomware whether it’s coronavirus whether it’s ddos every time that we face these types of uh opportunities to learn from how do we respond sorry how do we
(18:37) recover from these types of events we all get stronger okay so i think one of the things we sort of ducked around in talking about that was the third party risk and i think solar winds you know i think every cso i know had to go tell their board if you know we don’t use solar winds right that was the audit everybody did
(18:56) and i remember asking at the time i said solar winds isn’t the big risk it’s the other vendor just like solarwinds that you’re not asking about cassella corsaia so third-party risk management clearly a problem that clearly nobody has a good model yet at least i don’t think so feel free to tell me if you think i’m
(19:14) wrong is that a space where there’s some innovation to be had here is that a problem that’s tacklable with technology i think so because it is not a supply chain it is a supply mesh it’s a supply ecosystem there are interdependencies all over the place and so i think uh you know if you want to work on dependency mapping and places
(19:38) where you can consolidate uh some kind of governance or or compliance efforts within shared you know and heavily dependent or linchpin vendors you know that’s certainly an opportunity so one of the buzzwords of the era is zero trust but we don’t apply the concept of zero trust to our vendors we actually
(20:02) trust our vendors and the responses that they give us in the questionnaires those customers that chose to not have trust in solar winds and bounded the conditions upon which it can operate had a compromised solarwinds orion instance but did not suffer the impact of that i think there’s a tremendous lesson learned here in terms
(20:25) of how do you create those guardrails a zero trust mindset of a vendor product so that i know exactly what it’s supposed to do and nothing else is allowed and i was having a conversation this morning with my one of my former colleagues and that’s essentially a dmz but one that is hard for us to implement and design
(20:47) because those things are ever-changing and very dynamic so an opportunity here is really to say how do i apply the principles with zero trust but make that so much much much easier to implement and orchestrate and automate so that defenders can easily apply zero trust to their vendors as well yeah i mean i think there is absolutely
(21:08) a ton of innovation that can happen here um and i you know i’ll go back to what i said earlier about the the convergence between compliance and risk um a lot of the third-party risk activities are today driven by compliance right you have to audit your vendors you have to do a certain amount of risk assessments
(21:25) you know periodically and those are kind of very much checkbox items that you you know you send out the vendor questionnaire you get the response back and and you know you shove it somewhere um the ability to actually measure the real risk of a third party doesn’t really exist yet right so the ability to continuously verify
(21:43) what you think the vendor said they do in a real world environment or the ability to get real-time alerts when a vendor is down which is also a risk you know security risk but but also an operational risk like that doesn’t really exist today and i think the the company or product that will solve third party risk is the one that’s going
(22:05) to be able to leverage what’s happening on the compliance side while actually capturing the risk element of it yeah i think the point about you know it’s just a checklist of check boxes is important if you’re out if your company is given one of these questionnaires the important thing is to say yes to
(22:21) every question because the only thing they don’t just get put in a box if you say no somebody wants to know why their control wasn’t satisfied they don’t care what you’re actually doing they just want a yes to their pet control so let’s talk a little bit about clouds i think we haven’t been you know as focused on that and i think
(22:41) there is some change to how people operate when they go cloud native or go cloud transformation what do you see as the sort of coming challenges for companies in the cloud security environments at the companies i’ve been at the part of the challenge leaving google aside was how do we avoid getting lock-in into the security layer of a
(23:04) certain cloud provider right and so you might choose to be on aws first well aws has its own security model and doesn’t always translate if you want to be on a multi-cloud environment so i see the coming challenges as more people move workloads to the cloud they want to have the ability not to be stuck in on one cloud provider so we
(23:23) need security tools that abstract that layer right i think that’s really key as you think about that actually i want to challenge that a little bit because i don’t know that i’ve found very many companies that have actually implemented multi-cloud they all talk about it like they want it but the exact problem you’re talking about
(23:44) is not just security controls it’s every control is bespoke to that cloud yeah i i think there’s two sides to that one is we may not know that there’s a shadow i.t group that’s implemented something right and if we include sas in that it’s even even even bigger and and i think the the second thing is
(24:02) they may not realize that there’s tools available and they’re stuck they they hire people to be aws security experts in their company well you want to have the ability to move outside of aws if you want to for cost reasons and they feel stuck so so i think that problem space is a mirror of what we see for example
(24:22) in windows and mac it would be wonderful if everyone just used macs or everyone just used windows but life is not like that life is not as simple as that um you just as much as we want endpoint management tools that can abstract out the differences between the two os’s we’re going to have that constant
(24:42) challenge when it comes to multi-cloud now the problem is also we have monocultures right there’s a whole bunch of dangers in having a monoculture with windows being a monoculture but we also have potential threat vectors that we have to account for if we have one orchestration system that covers all our
(25:00) tools right so if there’s one orchestration for all our cloud then we’re creating additional we can we’re creating potential attack vectors that lose the benefit of actually the diversity that we might want so there’s a trade-off and i think ultimately that trade-off is something that a business has to
(25:16) has to commit to saying you know what we’re gonna we may have to have two sets of people that understand uh two different cloud environments because that’s what we need from a resiliency standpoint so ariel i want to toss this one to you relatedly which is how should a startup be thinking about a multi-cloud strategy both as a
(25:34) consumer of cloud but certainly if they’re in the cloud security space what are the things you tend to look for that says this is a company that understands cloud and multi-cloud in the environment oh that’s an interesting question um i mean so as a consumer of cloud i um look very skeptically at companies
(25:55) that say that they are running on multiple clouds because that likely means that they’ve over invested in their infrastructure because as a young startup you rarely have the uh the resources or time you know until you get to a much later stage uh to to be consumer of multiple clouds um in terms of um you know in terms of
(26:14) supporting multiple clouds that’s i mean that feels like that’s table stakes it’s it’s you know you’re not going to be able to have a a scalable company if you’re only going to pick one cloud ecosystem and so you have to i mean it’s perfectly fine to start from one and you know typically you start from the biggest one which is aws and
(26:32) then you go to azure and then you go to gcp because that’s kind of where they rank but there has to be the ability to support multiple clouds and there you know as you know there are many customers who refuse to run on certain clouds you know particularly if they’re in e-commerce and they don’t like amazon right so you have
(26:50) to be able to at some point run on multiple clouds and from you know from early on to support multiple clouds but very dangerous to do from day one so earlier ryan made a great comment about looking for solutions that covered multiple things broad-based security solutions but sometimes we see success in very
(27:11) narrow focused things i think wendy i think duo was probably a great example of did one thing amazingly well and so cisco bought you so how do you now look across you know companies your own portfolio between balancing do you know several things really well so you can replace solutions versus find a niche that
(27:32) nobody has yet nailed and do that one better than everybody else i think that more than just looking at what is you know best of breed or you know if you’re looking to add something to a portfolio it’s more and this is harder to describe but it’s important to look at the way they think about the problem and whether it’s
(27:55) it aligns with the way you think about other problems and i find that that thought process is going to play out in the design and the implementation of an offering and at that point you you can say you know is this going to be compatible with what i want to do i think it’s the the more abstract compatibility
(28:18) that is important rather than you know something just being really really good if you can’t integrate it into your portfolio it’s you know it’s not going to be for good for either side so when i was at bank of america i asked a whole bunch of companies security companies i want platforms not point products um what do you think
(28:37) happened you got a lot of point products at bank of america if i recall all of a sudden all those point products are now platforms all right um at the end of the day if you’re a vc you you want them to sell product not platforms as a buyer i want platforms not point products and there’s a tension there that i being
(28:57) at yl i had trouble resolving i kept telling offer and john i need platforms and i want specific i mean i don’t you know having a startup focus on a specific problem while nice and can go deep as a buyer if i have a whole bunch of point products i have to integrate them and the integration is a huge challenge
(29:18) so you startups if you’re gonna have a platform mindset but still have to build product that’s great just have a mindset of how am i going to integrate with all these other products so that i don’t have to do that for for myself yeah that’s not so much of a conflict in my mind um like when i when i hear companies at
(29:35) an early stage say that they’re selling platforms that’s a pretty fast disqualifier because as much as you wanted platforms in bank of america i don’t think you know you people buy platforms because that you know you’re gonna you’re gonna buy a specific product that solves your need and what you want and what you want to
(29:55) see in a startup is that they build a product that addresses you know a killer need that has the opportunity and the potential to then be expanded into multiple offerings in similar ways that can be you know eventually expanded into a platform and then you get your platform when you grow up because i i i think you i end up with
(30:14) multiple overlapping platforms yeah well you you the way i think about it is if you’re successful with the product you’re given the option and the opportunity to build a platform but you can’t get there unless you have the first yeah you’re too young to be a platform wait until you grow up so we’ve covered a lot of buzzwords
(30:35) already so i’m going to throw in another one which is devsecops is devsecops even yeah oh that come on you’re one question ahead of me already um so i think we talk about shift left we talk about devops and to me devops is often just like ought to be make the developer realize how badly they’ve screwed up operations
(30:55) so that there’s a fast life cycle that they can fix it that’s not always what developers want how do you see the space of devsecops like is that a space of its own right is it just security engineering applied to devops like how do you think about that space i’ll take that um so the hardest folks to recruit in security
(31:18) in my opinion are people that are deep in application and product security right we’re all fighting over that same talent as csos so it’s also the area that some cisos aren’t always comfortable talking to developers right you might not be a coder yourself believe it or not as the cso and so this idea of shift left and
(31:38) devsecops i think it’s just empowering and enabling some tools to go have good conversations and allow the developers to govern themselves as the csos you allow the policies to be created you come up with the policies and then the tool set will help drive those policies to an action and you’ll be able to monitor that um and so i like
(32:01) the idea of shift left and devsec ops but it’s ultimately empowering the developer with you to be able to provide some oversight yeah i think i think some of this is pretty funny because back in the olden days you know assisted men would do all the layers they would address everything from pulling cables to helping
(32:20) uh helping to troubleshoot software so they did everything and now that devsecops is trying to smush that back together again i’m finding that there are a lot of developers who you know call themselves full stack but if you go to them and say can you pull this cable they’re like well no not like that
(32:38) so i find that they are pushing a lot of operations onto sres and i think sres are going to be the new ops for everything that the developers never really wanted to address you know to begin with i think it’s it’s an evolution that’s been you know in the making for for decades developers used to only write software
(32:59) they didn’t test their software you had qa for that then developers realized that well they should probably be doing unit tests and testing and so developers started testing as well and so you know qa kind of got folded into development then we got sas and then developers had to be responsible for what happens in
(33:16) the runtime of their software because before that you used to have sys admins that did it all for you so then you got devops which is developers starting to think about and care about the operations and how it actually performs okay so that happened and now security well security is a separate function but
(33:32) a lot of what needs to happen to secure software it needs to happen at development time and so developers are now being tasked with those responsibilities so devsecops i think it’s just you know lower and lower layers of responsibility that kind of keep getting pushed into developers as well they should because
(33:49) that’s the lowest cost place to fix them i don’t think it obviates the responsibility of the of any of the other functions but it certainly changes them right like sysadmins become sres uh you know security operations and engineers become well something other than actually securing code so i have a team of four people now
(34:08) supposed to go to six out of 70 people it’s a pretty good number ratio-wise all of us know how to develop so there is no devsecops we’re all part of the same development team and i think that um in terms of how people would sell to us you have to sell to us as if we are developers and i think that’s
(34:29) what’s going to make devsecops this whole notion of this definite sec ops actually work so i want to bring it back to the automation question though because arielle just suggested or maybe i’m reading between the lines that there’s sort of a way to take technology directly to the developer and so you can replace that security
(34:48) engineer with devsecops technology or maybe you can augment but often that’s a space we were failing at before the devsecops world engineers built stuff and then security discovered it was broken in production and if we’re trying to get that fixed earlier we don’t have a model that works but earlier we said oh when you build
(35:07) tools and you automate you should be tightly scoped so how do those challenges resolve each other and what should companies be looking at to make this a successful space that’s i mean that’s a great question um i don’t know that i have a good answer other than to say that i’ve a lot of the companies that
(35:29) i’ve seen in you know in in in rasp and in das are are trying to do a lot of that vulnerability detection and code earlier in the process where they’ll allow developers to run unit tests that will also see if they can highlight uh vulnerabilities and you can you know scan all of the software and the open source
(35:48) components that you’re using in order to identify potential vulnerabilities there before they ever make it into production so i think you know i think it’s happening in very specific discrete use cases it’s not a panacea that you’re all of a sudden going to have developers writing secure code which is why i don’t think you’re
(36:04) going to get rid of the the security engineers you still need that audit function and that you know that certification function but you know as you discover more and more failure patterns you can then build those into the process and the workflow in order for developers to to fix it i’ll offer a counter to that which is
(36:20) speed trump’s security so there’s a concept that we have embraced recently called moving target defense which is have your environment changed so frequently that the attackers have to keep up and not the defenders if the defenders are having to keep up with the development teams then they won’t lose anyway but if we can as
(36:42) develop as the as the security team if we can actually help accelerate the business they become that moving target that makes uh that makes it a much harder target to be able to compromise so i can for example have a vulnerable piece of software uh using vulnerable code base but if that code base changes
(37:01) daily very fast then i would have a greater confidence that that’s going to be harder to attack than one where it’s moving slowly because i’ve implemented a whole bunch of security controls that slows down the business it’s a trade-off and again it’s a counterpoint but one that i would argue i would rather invest in speed and
(37:21) as a security team i would rather invest in speed than slowing down the the team purely for the sake of security yeah no i totally agree with that i don’t think that you need to that’s a that’s a that’s a false trade-off sometimes false trade-offs are only three are the only trade-offs we get in a few moments i’ll be taking
(37:42) questions from the crowd so you can start thinking about what topics we haven’t yet addressed um but before we get to that we’ve got some first-time entrepreneurs here in the crowd so what are the things that first-time entrepreneurs uh need to do to stand out or don’t need to do because you know they don’t necessarily
(38:00) have a reputation as an entrepreneur yet and so when you’re working with a startup how do you approach that are you meaning what the startup needs to do yeah to distinguish themselves in your eyes so that you’re willing to do a design partnership or take a risk on this business yeah i think it’s really key like in the presentation
(38:19) that you do you only got about five minutes before the cso starts tuning out frankly and so having a really tight presentation not talking about all your accolades but getting down to what the problem space is and what your innovative solution is is super key for me um and then we can have that discussion and then we can get into
(38:41) diagramming but i want to know that you understand the problem yeah i mean the funny thing is it’s exactly the same answer from an investment standpoint is you know when when i hear you know 10 minutes describing here’s the market size and the opportunity and why this is a 20 kg or that would be 30 billion you know
(38:58) 10 years from now like it’s already lost you know what i need to understand is exactly what is that pain point for the buyer that’s being solved and how you’re going to solve it in a way that’s different from everybody else and different from the incumbents that are there and if you can do that succinctly
(39:12) then yeah i was going to say and i’m going to say this again on wednesday so you can skip my talk on wednesday at cyber week um but are you trying to solve a problem or are you trying to capture a market because those are two very different things and they can often come in conflict especially as you
(39:32) look to the future towards going public if your pitch is around we’re going to capture this much of the market what trade-offs are you going to have to make business-wise to be able to do that so on the other hand if you are trying to solve a problem you have the luxury of focusing on it for a long time you know for years if
(39:51) you have to to be able to come up with that but just be able to describe that when you come to the table which of those two things you’re trying to do and don’t don’t try to say both i i might present a counterpoint to that which is that unless you’re solving a problem like whatever your plans are for capturing our market
(40:10) are pipe dreams like you have to be able to show why you’re why the buyers are going to buy you today right rather than why you’re going to be a billion dollar company a year from now yeah that’s fair i just find that a lot of pitches tend to conflate the two and and they’re making trade-offs in their design that
(40:27) are geared towards okay we want to optimize our go to market right yeah the pitch that you use to sell yourself to a venture capital fund is not the pitch you use to sell yourselves to a ciso right you’re selling to the venture capital fund that you’ll have a market and of course you have a product the ciso doesn’t care
(40:46) they don’t care that you’re in shimona matayam we all assume that because you’re in israel um we don’t need five minutes on that although i must say after having served the csr in residence i now have a deeper appreciation for all these other numbers like 81 7149 all these other like everyone just says i’m 8200 because us
(41:06) we americans we have no idea what you do but uh now i actually know and i think it sets a different bar um all that said i spoke i’ve speaking i’ve spoken with probably close to thousands of vendors just during my time at bank of america and since then um i love learning okay and so if there’s an opportunity
(41:27) for me to learn then i would love to have that opportunity and what i learned what i found to be most useful in learning is whatever experience you’ve come come away with in serving in 81 7149 8300 blah blah blah if there’s something novel there um teach us that that’s really fascinating for us that’s a really good point cindy i
(41:52) really i like that um yeah every cso loves to learn although many of them don’t like to be taught so you have to be careful about walking and saying i’m going to teach you this thing because no they don’t try to tell them their job okay so one last question before you go to the audience participation
(42:11) uh you know as a startup a lot of times you’re looking for a design partnership with one or more of your vend customers but what are the red flags that they should watch out for the startups in talking to a cso who’s like very excited about a design partnership but this is not going to be a good relationship for the startup
(42:32) what are your red flags if it’s bank of america you got to be careful no i’m kidding um kenny not kidding if it’s if it’s very large you know institutions that move a glacial pace that will take 24 months to make a decision they might not be the best design partner because you’ll build something that’s specific for their needs that
(42:50) might not be useful for the broader market yeah and then the other side of that is if they’re really small and high growth they may not be able to put the resources at it to see it through the right way sunil does not want to take that one no i i 100 uh bank of america any large bank is not a good design partner thank you
(43:14) all for coming out tonight enjoy the party and uh meet some people [Music] you