Cloud Security

Podcast: Cloud Security and the Road to Transformation

Play the latest episode
|
Sep 10, 2019
35 minutes

Subscribe

Listen to the Security Intelligence Podcast wherever you get your podcasts.

Podcast: Cloud Security and the Road to Transformation
September 10, 2019
| |
22 min read

Listen to this podcast on Apple Podcasts, SoundCloud or wherever you find your favorite audio content.

Migration matters. Moving to the cloud is now a priority for organizations, but how do they make this transition smooth, seamless and — most importantly — secure? Pam Cobb and David Moulton aim to find out in this week’s cloud podcast, where they pick the brain of IBM’s global director of offering management and strategy for the cloud and infrastructure, Vikram Chhabra.

Cloud Is the Road, Not the Destination

Chhabra puts it simply: “Cloud is the road to a destination. It is not the destination, and the destination is either transformation to help you innovate or drive modern experiences for your customers.”

As a result, organizations typically make a choice about the cloud road best taken. Some opt for substantial public cloud investment, while others prefer private cloud deployments.

Add in the native control now offered by each and every cloud provider, and Chhabra sees cloud migration as “a combination of these private workloads, these public clouds and a mix of SaaS applications.” Effectively navigating the road to competitive compute performance demands oversight around critical asset protection to ensure users, data and services are secure.

Cloud Migration Challenges Are Stacking Up

Historically, data centers were secured by local IT teams using custom-built or proprietary protection solutions. But as Chhabra points out, “As you go up the stack, now you have more control on the stack given to the provider.” Tools such as firewalls, distributed denial-of-service (DDoS) protection and VAS all come packaged with cloud deployments, but include new APIs and user interfaces to configure and secure.

According to Chhabra, this leads to multiple challenges:

  • Talent shortages — The cyber skills gap continues to grow — not just in terms of security experts, but also cloud professionals. As a result, organizations often face a talent shortfall for cloud migration projects.
  • Finding the baseline — More security choices in the cloud mean more options for protection. But as Chhabra points out, this requires chief information security officers (CISOs) to “rationalize across those choices to see what makes best sense.” Which controls offer measurable benefits? What’s your industry baseline for effective security?
  • Compliance — Once services and data move into the cloud, compliance becomes a key issue. CISOs now realize the need for a centralized, unified approach to security policy that embraces a shared defense model while also recognizing that organizations, not cloud providers, bear the ultimate responsibility for data security.

Make Security an Enabler for the Cloud

According to Chhabra, companies need to ask a key question about cloud security: “How do we make security an enabler for the cloud?” This reframes the question of migration security as something positive rather than negative, allowing businesses to brainstorm about ways they can enable effective cloud migration instead of simply avoiding potential pitfalls.

The starting point is automation. The cloud is built on the principles of automation, and applying this approach to security tools can help reduce the time IT teams spend chasing false positives or dealing with low-value alerts.

Strategic partnerships are also critical: CISOs need strong ties with IT teams, procurement teams and chief risk officers (CROs) to ensure that security is top-of-mind at every step of the cloud migration process.

Finally, Chhabra recommends evaluating native security tools to determine “the cost and efficiencies you can get out of [them] and the level of maturity.” For example, while every provider may offer its own brand of encryption, it often makes more sense to bring this process in house and centralize it for maximum protection.

The final word in cloud migration is that it’s never final. “Cloud security strategy is not a one-time thing,” says Chhabra. His best advice? “Define your north star, use a reference model. If you need help, engage with a provider who can give you help — and then march on that journey.”

Episode Transcript

David: Pam, when you think of the challenges inherent in migrating to the cloud securely, what comes to mind?

Pam: I think about what it’s like to set up a new phone. And, A, you have to transfer the stuff from your old phone to your new phone, but then you also realize, all of a sudden, everything was backed up to the cloud already and I didn’t know about it. And that’s a little scary. I mean, there’s nothing much risqué about all the cat pictures and the pictures of desserts that I might have taken, but I don’t really necessarily grok what all got put out there without me knowing.

David: Yeah. I kinda have the same thing. I actually tried to do an inventory of all the ways that I use cloud here at IBM and personally, and it turned out to be a bit of a crazy exercise. The things that you can obviously see, backups to your phone, even if you don’t fully understand it, you had to have a setting and the pictures went off to wherever you store them, and that’s great.

But then there are other things that have become somewhat seamless, where you’re consuming from the cloud, so music and movies and your digital artifacts, and then there are the parts that are invisible that are sort of wrapped around and you’re not fully aware. So you go, you have a transaction, you pay for something, and that data is then whisked off to cloud storage. And of course, the folks at the coffee shop aren’t talking to you about how they’re putting your personal data or your, you know, financial data over to some other place, but that’s essentially what’s going on invisible to you.

And as I thought through this, I couldn’t fully complete the cloud audit for myself, and I imagine that, as a CISO, you’re looking at that and you need a lot of help to understand, “Where’s all my data? What are all the folks in my business doing? How am I exposed? And what sort of third-party risks am I running into when a cloud service is using a cloud service?” You know, with these deconstructed architectures, you end up with your data everywhere, and you’ve got to figure out how to control identity and access to protect yourself. And how do you do that if you don’t even know it’s there?

Pam: This is the Security Intelligence Podcast, where we discuss cybersecurity industry analysis, tips, and success stories. I’m Pam Cobb.

David: And I’m David Moulton. And this week, I was put at ease after I talked with Vikram Chhabra. He’s our global director of offering management and strategy for cloud and infrastructure security at IBM. Vikram has worked with many, many clients across so many industries, helping them migrate to the cloud. Here’s our conversation.

Vikram: Greetings, everyone, and I’m glad to be here. My name is Vikram Chhabra. I lead product management for IBM Security Services, with a focus on cloud and infrastructure security. I work with our customers, CISOs, IT leaders, engage with their engineering teams who are building solutions or delivery leaders who provide, deliver these capabilities. And we bring it all together for our clients, our customers who were going through this journey to cloud, especially around the Global 2000, but of course, the much larger mid-tier enterprise as well.

David: So, Vikram, I would wonder if you could talk to us a little bit about how your cloud model impacts what you’re going to do for cloud security.

Vikram: Okay. So let’s think about what cloud models we are seeing, right. The idea of cloud is to get you a modern architecture, and cloud is the road to a destination. It is not the destination, and the destination is either transformation to help you innovate and drive modern experiences for your end customers.

Now, the way you could do it is you could adopt to multiple public clouds or private clouds, which offer you both modern architectures. If you think about public clouds, the one big benefit you get out of that is consumption-based, it’s flexible, it’s elastic. You could create similar experiences in private cloud as well, however, you’re still managing the underlying data center. The other benefit of being in public cloud, of course, is that you get advantage of the innovation that all these cloud vendors are bringing to market, which is fantastic. We want that. We want that innovation. It helps you drive faster.

But what does it mean from a security lens, right? You have this new challenge where you have your existing set of controls, which you’ll be using for your on-premises data center, and now you have these new set of controls that you have to think about and these modern architectures, be it container-based technologies, be it serverless.

And to make the equation a little bit more complex, the native control is being offered by each and every cloud provider, which leads into the problem of how do you rationalize between the two? So those are the two big models that we’ve seen, which is a combination. And what’s going to happen in the enterprise world is going to be a combination of these private workloads, these public clouds, and of a mix of SaaS applications. And you have to really bring it all together thinking about which critical data assets are you going to secure across these three different workloads to protect your critical data, your critical users, your critical assets.

David: What impact does infrastructure as a service versus platform as a service and, finally, you mentioned that the SaaS or the software as a service have on security — when to involve it, where to involve it? Could you talk about those three lenses of the challenges customers face?

Vikram: Absolutely. So let’s talk about at the infrastructure level. Historically, if you think about data centers, the IT team was responsible for locking it down or keeping it secure. As you move to the cloud, if you’re using infrastructure services, you’ve entered the beautiful world of shared responsibility model.

Now, there is somebody else who is responsible for that stack, but that stack comes with a new set of controls, for example, your security service, your firewall capabilities, your DDoS, your VAS. Those are being provided by your infrastructure provider. So the tools that we are used to previously managing yourself, they’ve changed, they are embedded into the infrastructure, but provided to you as APIs and new UIs that you have to configure.

As you go up the stack, now you have more control on the stack given to the provider. They’re responsible for ensuring that they are building a robust stack; however, you as the organization are responsible for turning the knobs and dials to lock down that stack. And as you further go up in a SaaS world, it really boils down to the data, how are you protecting data.

In all three cases, one element that flows through them is cloud vendors have far more focus, and more and more they’re adding capabilities, to help you secure your data, your applications, and your infrastructure. But the responsibility lies on you, on the organization, to make best use of those controls to lock down the infrastructure. Data is no longer sitting within your premise. It’s out there in the wild. And by wild, I mean it’s across different applications. So you have to change the way you think about networks. It’s no longer a flat network.

David: So some of the basics of security but now applied in a new and unique way as we see customers moving to cloud. Vikram, what are some of the key challenges CISOs face as their organizations adopt to cloud?

Vikram: There are three or four challenges that come to mind. The number one that we hear the most is in terms of talent. It is extremely hard to find the right talent who knows security and cloud. Try to look up a job description of cloud security, and there are several positions open. The reason is there aren’t many people who have deep security as well as cloud proficiency, and that’s global. We’ve seen this across the globe. We see it in North America. We see it in Europe. We’ve heard that on EMEA markets. It’s very hard to find people.

Now, as a reaction to that, as I’ve spoken with many CISOs, what they are doing is they’re taking their security personnel and they’re sending them to take cloud training or vice versa, they’re taking their cloud people and they’re educating them on security. But talent remains one of the top concerns. And we see a reflection of that in some of the high profile data breaches we’ve seen, where your cloud data storage bucket was left wide open and now you’ve lost data, just because that maturity didn’t exist in terms of the practice.

Which leads me to my second point, and we kind of touched about it during the introduction, is the layers of the stack, etc. There are new set of controls on every public cloud vendor. So often when I talk to CISOs, you know, I make the statement, in your on-prem, you had a set of security products in your enterprise, and then you’re going to cloud and it came with more security products. So now you need the skill set to understand this ever-changing landscape of these new security controls that are being offered by cloud vendors at a very fast pace.

Now, there’s good news in there which is you have more choices, and there’s bad news in there, you have more choices. So now you have to rationalize across those choices to see what makes the best sense, which goes back to my earlier point, to your first question, which was where do you begin? And it begins with your cloud security strategy. What does good look like in your industry? Where is your current baseline? And how will you get there? So if encryption control is provided by the vendor, is that good enough for you? And very likely, it might be. But you may come back and say, “No, that’s great, but I’m gonna do my own team management,” and these are the kind of decisions you have to make, but they can’t be different decisions across lines of business. So understanding your native control and having a cloud security strategy continues to be our top concern.

When you talk to CISOs, one of the challenges they have is cloud is organically growing in different lines of businesses, which means a security program across each line of business is fragmented. And these CISOs are looking to build a centralized policy that applies across all. So that is no longer fragmented, not only it helps them to drive a mature security program but also a mature compliance program, ensuring that they have the same level of coverage across all the lines of business.

Which brings me to my final point, which is compliance. Compliance continues to remain top of mind. And especially in these high-profile cases that we’ve seen lately, just raising more awareness as well as concern around it. The shared responsibility model is extremely important to understand. Just because somebody else is doing it, that doesn’t mean that you’ve passed on the risk. The responsibility, the risk is still on the organization to protect their customer’s data.

So understanding what the native controls provide, understand what they need on top to lock it down, and then make sure their security program meets their compliance requirement, versus not their compliance being a checkbox for their security. You always want your security to help you drive your compliance. You can’t have your compliance help you meet checkboxes around security. So just to recap, right, we talked about four things. One was talent, second was new set of controls from cloud and how do I rationalize it, third was around disparate policies across all lines on business, so building a centralized strategy to bring it all together, and the fourth one was around ensuring that their security program is helping you meet your compliance.

David: I would imagine that if you think about a business that has an unevenness in their cloud adoption, part of that is then exacerbated by which cloud they adopt. And so you may have one provider and a part of the business together, a different provider or two in another part of the business, and the tool rationalization that you talked about starts to double or triple. And then the talent that you have doesn’t double or triple, right, the skills gap just becomes more of a challenge for CISOs. So certainly an interesting thing to think about cross-training, right, the security expert with the cloud expert and vice versa.

Those all sound like really big challenges for business. I would wonder if we could flip it though and think about, where is security acting as an enabler for an organization to adopt cloud?

Vikram: I really like the way you frame it, right, how do we make security as an enabler for cloud? And the one thing that is absolutely marvelous about cloud is automation. Cloud is built on the principles of automation, right? That’s what led to the scalability, the elasticity that we get out of it.

And here’s another important aspect, because you are secure, you don’t drive for revenue, but if you have a breach, you made the headlines, right. So you don’t get security budgets, and it’s unfortunate, but you are not going to get security budgets to go do it proactively. So it’s a difficult job to be a CISO to get these budgets around it. So how do you make security as an enabler in these conversations? And it begins with really automation, right, if you become part of the cloud fabric.

So let’s gear into the conversation around what does cloud provide us, right? It’s providing us speed, automation, flexibility. Okay. So as we are deploying applications in cloud, there are mature practices around it, and DevOps and CI/CD, these are the standard practices around deploying workloads in cloud. Well, people talk about DevSecOps. How many actually truly do that? How many are actually gearing security into your CI/CD pipeline? Yes, you may have a threat modeling exercise, but are you truly embedding the tools into your security, into your application development pipeline? As somebody who’s writing the code, are there code checks embedded into your development life cycle? Are there SaaS and DaaS tools embedded in your life cycle?

And more importantly, let’s say your application is ready to go, before it gets deployed, who ensures that there are security controls? It could be as simple as our security policy that says, “There must be an endpoint on every application,” or our security policy says that, “It should allow access to only this segment of the network.” That can be an afterthought and that cannot be a manual process. So how do you make security an enabler? What if you baked those security controls into the cloud application development pipeline?

So now, as a CISO and the IT office, you’re the single voice that says, “We are deploying with speed, we are elastic, and guess what, nothing comes out of our factory without the security policy deployed on it on day zero.” And that would be our base model. You can go to any modern DevSecOps workshop, that is one thing they preach, to embed security via automation. That’s one.

Let me go a little further from a compliance angle. Historically, think about how compliance has been met, right. You have these GRC tools which help you map your process and your tools together. All right. In the new world, sure, you’re gonna have that, but can you pivot? Instead of showing real documents and processes, which very likely you will be doing to a certain extent, can you show your automation as a way to prove compliance?

And that’s where security starts becoming an enabler and a different share, frankly.

David: So you’re able to move quick, pivot, and take a business risk as you try something new, but you’re not taking a security risk because you’re not waiting until later to pull the security close to what you want to protect, whether that’s your data or your users or what have you.

Vikram: Absolutely. This is something we still see as a gap. So yes, they have defined their data security practice, yes, they have defined their identity practice, how they’re going to normalize across three different public clouds and use certain technologies on top, but limited embedding of that via automation. If we can automate it through the factory, one, you’re reducing cost, two, you’re driving a compliance, and three, you’re reassuring that nothing gets pushed out of the factory without a certain base policy that the CISO would have blessed. But now, the CISO is being looked as an enabler and not as the one who’s saying, “You’re slowing me down.”

David: Yeah. So, Vikram, one of the questions that I have is CISOs are supporting their business’s adoption of cloud, right. Those new business models are coming along, cloud is the critical or the key piece that allows you to move and scale and have that advantage. Who else does the CISO need to partner with to influence to bring security into that DevSecOps process and into the mature cloud delivery model?

Vikram: That’s an excellent question, right. So there are some very key strategic partners that CISO will partner with, and one is, of course, the IT. Partnering with them goes back to my earlier point, showing them how security can be an enabler, can be a differentiator, and help them meet compliance via automation. So now, you’re speaking the same language. That’s one.

The other one is on the procurement side. Helping them, the CISO could give a framework to the procurement team on how to make certain decisions around, be it making engagements with a certain cloud vendor, could be even SaaS properties, etc.

And the third is, of course, on the risk side. Taking a risk definition approach, so just cyber risk, our chief risk officers, enterprise risk have to be brought together. Cyber risk is one of the top concerns from a global risk perspective, right. So having a tight partnership between the risk office, the IT office, and the procurement office, are gonna be essential to embed security into the factory in a mature fashion.

David: Yeah. I remember talking to a CISO, and they talked about their role as the chief security marketing officer within their business, and their number one customer was the CRO. And I thought that was a really interesting way of framing that relationship, right. The CRO became the person that validated, “This was the best option for us overall as a business, because security shrunk the overall risk that we’re going to see. And now, we want to definitely pursue that because of its business advantage.” That’s awesome that there are CISOs that know who they can partner with and how to help drive a business to go faster or be more innovative.

And you’ve talked about some of the concerns that organizations have from the security point of view, whether it was staffing or this unevenness as they adopt different cloud providers, that sort of a thing. I would wonder if there are some key concerns that the organization has as they look in the security lens around cloud, or has that shifted where people are, you know, or businesses are maybe more comfortable adopting cloud.

Vikram: We see more and more of the latter. I think there’s far more comfort, not just among organizations, but even regulators are far more accepting of it. So even the guys that are some of the most regulated industries, like finance, right, we see clients moving forward, making decisions to adopt cloud, because they know they need to. They know they have to go through the digital transformation to provide modern experiences.

Again, I repeat, cloud is not the destination, it’s the road that takes you to your digital transformation, right. There’s more than experiences that you want to drive. It helps you drive speed and innovation. So businesses know they have to do it. The good news is there are more choices out there.

David: So I want to talk about native security tools. All the major cloud vendors are providing and offering, as you just mentioned, so many different capabilities. And I would wonder, how do you go about evaluating those different tools, how do you evaluate them from multiple vendors and compare them? And then maybe the most important is how do you map those into your security strategy and understand the tools that are provided and your ability to run them are going to give you the security that you’re looking for?

Vikram: That’s a great question and it’s a hard one as well, right, because the landscape changes every month. So first and foremost, having a baseline of where you are today and where you wanna be. If you don’t have that, even not defined, then it’s a challenge.

David: Sure.

Vikram: Let’s talk about data, for example. Knowing where your critical data is and being able to classify and understand what level of controls you need on it. So let’s say you’ve done that, okay, now you’re gonna start looking under the native controls. Every storage option available out there provides some level of encryption and some level of team management.

David: Okay.

Vikram: The question you have to ask yourself is cost and efficiencies that you can get out of it and the level of maturity. That goes back to the original road map and strategy that you had built. So the answer in this specific example might be that it’s okay to use a native encryption across three different vendors that’s sharing a multicloud environment, and you are going to use three different encryptions. But why not you brought the keys in your house and have a centralized way to manage keys? So what you’ve done is you embraced some of the native capabilities to reduce your cost and drive some efficiencies for some of the more essential tasks. Therefore, more critical tasks, like managing keys, you’ve decided to centralize it, bring it in-house.

So long story short, again, not an easy part of this all. Why? It’s a changing landscape, it varies from one to the other, you have to constantly upscale your teams to keep up with it. So for some of the more essentials, this is where the state of the control today is. For some of the more essentials, like encryption, etc., it might make sense to use the native ones. For some of the more critical aspects like managing policies across multiple different cloud environments or managing trees across multiple kind of workloads, you may still want to do it in a centralized manner using third party technologies, be it key management or be it third party firewalls, etc.

Like I said, every time I’ve told CISO this statement, I get a nod. You had security products, you went to cloud, it came with more security products. It’s good news you have more choices, it’s bad news you have more choices.

David: So you’re almost talking about this idea of continuous delivery around security and not a journey with a destination, but it’s a continuous process that’s embedded. I think that that is reflective of cloud as a whole.

Vikram: A hundred percent, a hundred percent. Couldn’t have said it better. And you have to constantly reevaluate, because here’s one more interesting aspect and a way to look at it. In your traditional IT data center, the underlying stack wasn’t changing. You’ve built something, and you would have kept it the same for a decade, and nothing would happen

Cloud security strategy is not a one-time thing. You build a baseline and you have to go back and revisit and say, “Okay, wait a minute, the underlying stack changed. Does this still make sense? Am I still relevant?” And it may seem like a lot, but if you balance that with automation, then you just have to go tweak your bells and whistles in your scripts to take advantage of those surveys. And if you wait till the end, then what happens is now you have this big automation built that’s gonna be impossible.

So back to your earlier question around DevSecOps, if you weave it in, that anytime somebody’s writing a line of code, they’re thinking of it, “Oh, wait a minute, I also have to think from a security lens as well, very much like how I did think about scalability, serviceability.” These are the principles of writing good code security has made to be part of that culture as well.

David: That’s right. So thinking about this really fast-paced environment, I would wonder how you’re seeing clients manage threats, and then maybe with that, and you’ve touched on it a bit, how they’re driving this idea of continuous compliance with the cloud environment.

Vikram: Some of the best practices that we’ve had in the traditional world still apply. Understanding your use cases, building your threat model around it, they still apply. So basic hygiene and life cycle approach, whichever practice you follow, be it things like the NIST framework, I’m a big fan of, that totally makes sense.

But more from a threat management perspective as well, two or three things come to mind. Number one, cloud provides an awesome capability which is you have asset information. Go back to your traditional world, you don’t have the asset information, or if you have, that was data. So cloud provides you the asset information. Bringing it all together in a single pane of glass and that could be a tool of your choice, whichever you use. It could be the same environment, it could be the security consoles that you’re getting from each cloud vendor, bringing it all together, having that visibility is so important.

Second, being able to have technologies that can respond through orchestration tools. So as you detect a threat, how are you going to plan to respond to it? Is this a Wiki that somebody wrote down, is it a Word document, or do you have orchestration tool that can detect a certain behavior and respond through automation?

So let me give you a workflow example. Let’s say you detect a threat that one of the laptops that you have on the enterprise has been infected with a malware. Great. What is the policy? Are you going call in IT, and is IT going to quarantine that machine? Or do you have orchestration tools in there which can detect it, send your IT team or your security team a message, and send back a message to that machine to shut it down and quarantine it? Also, instruct your firewalls to watch for it, share the signatures.

And there are technologies out there that will help you do that, connect your endpoints to your network devices to your threat intel. And then you will be subscribing to a threat intel or maybe you’re working through a provider which provides with threat intel. But connecting the two, or connecting the three rather, the threat intel, your network policies, and your endpoints together is gonna be a huge play.

The third thing is, how exactly are you gonna recover from it? So that goes back to your DDoS strategy, your incident response strategy. Ensuring that you have an automated process, I think you’re gonna get tired hearing the word automation from me again and again, but that’s the premise of this whole cloud conversation, which is how can you quickly reengage that laptop, that workload, that server, using tooling. These things have to be planned ahead of time as far as your incident planning and incident response practice.

That’s one. The second thing that comes to my mind is understand the shared responsibility model. As you are looking at threats, and you need to go look at some of the logs, what is the arrangement between you and your cloud provider? Is it going to be that their turnaround time is 24 hours, 2 hours? If you need certain logs from them, are they gonna charge you for a higher SLA? Ensuring that your procurement team understands these artifacts of engagement while you’re making decisions with your cloud vendors, the SLAs you’re gonna have.

So these are several things that you have to plan ahead in this fast-paced model, and the last, we have to talk about compliance. Drive compliance through automation. We hear this more and more now around show auditors your automated pipelines on how you are delivering compliance, rather than just relying on the processes and the reports that you generate as artifacts as an afterthought.

David: So I’m gonna sum that up as automation with a side of automation and maybe a touch more automation.

No, it’s interesting, Vikram, when you talk about this idea of automation and the differences in speed. You know, one of the things we’re looking at is how do you compare an old rules model and a new rules model and the speed piece that you get from automation and the ability to wrap security around and infuse it into cloud and then deal with something like a data breach or a data leak. It’s not even comparable once you’re able to run those automations on it. So that’s really a fascinating shift to be able to leverage the same speed is attractive to business, right, to the lines of business to go faster and to be able to scale and do more and to apply that directly into what you’re doing with security.

One last question for you. For anyone whose organization is right on that cusp of a cloud migration, what’s the one piece of advice that you would wanna leave them with?

Vikram: It’s about defining your north star. So if you don’t have a north star, if you don’t know where you’re headed, what you will lead up with is fragmented cloud security policies. So step back and define, “We need a segmented network,” and the way we’re gonna approach across cloud is, well, our business requires us to classify data at a certain level, and this is what controls require on data.

From a threat management perspective, here are the response times we need to have. So this is how we’re gonna reengage with our cloud vendors. So this is a standard contract or SLAs we need. So there’s a procurement team, and you’d go do that, make sure you negotiate for these terms or make sure you ask for these terms. But if you haven’t defined that north star, then you don’t know what you’re asking for. And what’s gonna happen is you’re gonna build these siloed cloud security things.

So that is the number one thing we see as a challenge, and I would leave this audience as my best advice is to define your north star, use a reference model. If you need help, engage with a provider who can give you help, and then march on that journey. Working with your partners in IT, in procurement, in risk, leveraging the benefits of automations and orchestration tools, in APIs. The whole landscape has changed. It’s much fast-paced. And invest in the talent and the team you’ll need to keep up with this ever-changing landscape. And the outcome, the beauty of it is you’re gonna be in a much…you’re going to be living and breathing a much faster pace of environment, which your business is gonna appreciate, that is going to drive innovation and more business outcomes for your organization.

David: Got it, I like it. Starting a strategy makes a lot of sense to me, and then understanding your gaps between where you are and where you wanna go, and certainly, understanding that this is in part, a technology shift, but a culture shift as you implement new relationships across the business. You know, you talk about those SLAs, you wouldn’t wanna have the turnaround time from one vendor be a couple of hours and the next would be a couple of weeks as you’re trying to deal with the breach. So having that advisor that can help you with this and is going through it, certainly, great advice, Vikram. Thank you so much.

Vikram: It’s been a true pleasure. Thank you.

Pam: So one of the things I really love about the conversation that you had with Vikram was the idea of cloud security as this positive driver of change, an enabler of growth, and it’s letting organizations really explore and take a fresh look at how they’re managing data and access and all of the things that make up IT infrastructure, but very much in a way that supports and enables growth, which I think is a nice shift in how security’s typically been viewed by the organization. So, David, do you have any good news for us this week?

David: So yeah, Pam. Chris Krebs, over at DHS, did an experiment where he showed how you could use something as delicious as pineapple pizza to start a flame war and prove out how vulnerable we are to foreign influence. Within 24 hours of a tweet that he had, it was trending and it became a war on social media. And it mirrors some of the things that we’re seeing in the election right now, and it’s nice to see somebody using something that we can all have a rational conversation about, like pizza. And…

Pam: Can we?

David: We can.

Pam: I have some thoughts, David.

David: Pineapple pizza’s delicious. I know those are your thoughts.

Pam: Those are not my thoughts at all. In fact, my thoughts are the opposite of those thoughts, because pineapple on pizza is disgusting.

David: It broke up. I think you said delicious. A little ham, a little jalapeño, a little pineapple — getting hungry just thinking about it.

Pam: So gross.

David: What I liked about this story is that it really helps anyone out there understand how a misinformation campaign could work on something that, obviously, we can’t all agree on, even though I’m right here. You know, it’s pizza, people. In the end, it’s not that big of a deal, but it’s funny how you can have somebody, in a sense, hack your brain.

Pam: Yeah. I think there’s a lot of examples that apply, and I do like that we went with a relatively inoffensive topic, like pizza. And it’s kind of like people that love Neil Diamond and people that are dead to me.

David: Yeah, Neil Diamond’s awesome.

Pam: Yeah, he is totally awesome. So that’s all we have for this episode. Thanks to Vikram Chhabra for joining us as a guest.

David: Subscribe to this podcast on Apple Podcasts or on SoundCloud to make sure you never miss an episode. And thanks for listening.

Douglas Bonderud
Freelance Writer

A freelance writer for three years, Doug Bonderud is a Western Canadian with expertise in the fields of technology and innovation. In addition to working for...
read more

Topic updates

Get email updates and stay ahead of the latest threats to the security landscape, thought leadership and research.
Subscribe today
Press play to continue listening
00:00 00:00