Meet Carlos Batista

Raj: Welcome to Security and GRC Decoded. I'm your host, Raj Krishnamurthy. Today we are excited to have the multifaceted Carlos Batista with us. Carlos has had an incredible journey, from serving as a United States Marine to leading security teams as a two-time CISO, and also transitioning into software engineering and development roles at AWS. Carlos, super excited to have you with us. Welcome.

Carlos: Hey, thanks a lot, Raj. It's really great to be here. I'm excited to be a part of the show.

Raj: Thank you. And so you are retired right now. How's that going?

Retirement, traveling, and picking up new hobbies

Carlos: I'm more than retired right now, I'm retired forever, at least that's the plan. And it's going fantastic, Raj. It's been just over six months, and so I'm having a great time traveling, spending a lot more time with my wife, who also retired three months ago, and we're just having a blast, doing a lot of traveling. We love a number of hobbies which we're really totally diving into, like we're playing more tennis and we're reading a lot more. So it's been great, Raj. It's so far been the best decision, professionally and personally, in my life.

Raj: Love it, love it. Carlos, I'm going to start off with something different, something controversial. What is your maybe unpopular opinion about security? Why don't we start with that?

Carlos's "unpopular opinion" on security awareness

Carlos: Oh man, so you're going to put me on the spot right at the get-go. Okay, unpopular opinion. Okay, so one jumps out at me, and yeah, this might be a little controversial or provocative, but I am not convinced that security awareness really delivers all the value that I think we hope it should. And so I think what I'm saying is that maybe security awareness is a little overrated, and that might be, I don't know, maybe that is a little provocative. So let me nuance that a little bit. What I'm not saying is that security awareness is useless. I think you absolutely have to teach your employees certain critical things about how to work with your team, so for example how to report security incidents, because with email there's still very much a human factor there; you have to teach them how to use email safely. But I guess my perspective is that I would almost prefer to invest dollars that might have gone into having a world-class security awareness program into actually making the technologies that your employees integrate with as safe as possible. And the analogy I like to use is a light switch. So today, I don't think you can see the light switch that's right next to me here, but basically I don't have to receive training on how to use a light switch safely to prevent electrocuting myself. Engineers and folks who built them built these wonderful things called face plates that help ensure that you don't electrocute yourself when you use them. I would prefer to invest security dollars, which are usually very tight, into making our tools and technologies, laptops, servers, things of that nature, safe by default, so that employees don't have to think about that. Now, you still, like I said, have got to do security awareness, because there are some things that you can't put face plates on, like email. But my argument would be that I don't know that it makes sense to have a major production come in and do a security skit for your employees and spend 5, 10, 15% of your security budget when you can use those assets or those investments to harden your environment to keep your users safe by default. Does that make sense?

Raj: That absolutely makes sense. I think I've been one of those on the receiving end trying to take these trainings, and it's sort of very painful sometimes.

Carlos: Yeah, and I mean some of them are actually pretty entertaining. I mean, if you've seen some of them out there, they're really engaging, they're almost like right out of The Office or something like that, and you literally wind up laughing. But they're not cheap either. And so I think there are things that you minimally have to do, either because it's the right thing to do, but sometimes, and more importantly, because compliance or other regulatory regimes or even customer contracts require that you do a certain base foundational set of security awareness. I would try to find out what that is, make sure you do that, and then, before you spend a dollar more, ask yourself: could that dollar be used to better harden the thing that you want to train your employees about, so that they can't make that mistake in the first place? That's my...

Raj: That makes sense, makes sense. What is something about
what we are doing in the industry that has surprised you of late?

Third-party risk management: why it's still so fractured

Carlos: Well, good question. I have actually been out of security as my full-time job for almost two and a half years. So I left being a CISO when I joined AWS to go lead some of their security engineering teams within their AWS services. But I think the thing that really has surprised me the most, and not in a good way, is how fractured third-party risk management continues to be. I still try to keep up with what's going on, and it's still very evident that security questionnaires are still the de rigueur for how to largely assess a vendor's security readiness to be used within a particular company. And when I left, it was right around the very beginning of where, I guess, trust centers were beginning to really take hold as a means to provide that awareness in a more automated, online way for potential buyers to understand where you are from an assurance perspective. And while I think there is some traction in that space, Raj, I don't see it having the level of trust, unfortunately, that I would have loved to have seen, where, whether you're a large bank or an energy company or a highly regulated customer of some kind, you're generally able to absorb those artifacts out of a customer trust center in some sort of automated fashion and make an assessment without sending a bespoke three, four, 500-question questionnaire, which I think is still pretty unfortunate.

Raj: Got it. And how do you see this across industries, and how did you get this perspective?

Carlos: You know, it's funny, I've been on both sides of the coin. I spent the earlier half, or the first half and then some, of my career in these highly regulated industries. I spent nearly 10 years over at SunTrust Banks, now called Truist, one of the largest banks in the United States. I also spent some time with GE Energy; again, two highly regulated businesses. And any time that they are out there to buy anything, you have to go through a pretty rigorous and robust security regime to ensure that your product can assuredly do what it says it can do, and do it safely. So as a buyer, I got to really dive into what are all the security controls that these vendors or potential vendors have, and are they meeting the bar from a security perspective. And when you're a large company, you're able to really poke these vendors to make sure that they're doing the right things, and I think that's a net positive for security. On the other hand, I spent the latter part of my security career as a buyer, I'm sorry, as a vendor, working for startups, and so it's a whole other side of the coin, where you're not a large company with a high degree of, I guess what I would call negotiating leverage, to be able to say "do whatever you want." And so you wind up being the recipient of all of these third-party risk questionnaires, which, if you're doing enough business, can drive your GRC teams wild, having to respond to all of them in a bespoke fashion and making sure that you're answering, of course, truthfully but also consistently across all of these different items, and that you're managing all of the inevitable follow-up conversations with each of these prospective buyers to ensure that they're satisfied with how you've answered all those questions. It's a difficult problem to scale. And so, again, I'm hopeful that third-party risk management will get better. I think there are a lot of interesting new players in that space who are trying to tie that together to make that journey easier, both for buyers and sellers, but it's still a little bit surprising to me, Raj, that it's as fractured as it is today. I mean, what's your perspective?

Raj: No, I totally agree with you, and I think there's a lot that needs to be done there. I think there's a lot more progress happening, but more to accomplish in that space, and I think the large language models and some of the upcoming technologies are certainly going to help in some of what you're talking about.

Carlos: Yeah, you mean like being able to use an LLM to respond to questionnaires, or also to digest and summarize?

Raj: Okay, absolutely, yeah. You
have had an illustrious career, Carlos. You've been a two-time CISO. What do you see as the reality of being a security leader that most others don't see?

The stress of being a security leader (and tips to cope)

Carlos: I think the thing that jumps out at me is most people don't realize how stressful the job can be, for everyone in the security organization, but I am speaking specifically towards the leaders of that security org. There's a tremendous amount of pressure to ensure that you and the business are doing all of the right things to prevent yourselves from having a disclosable incident of some kind. And so I think, because of that, unfortunately a lot of security leaders really struggle with the stress of being in that role, because it's a role where, in most cases, you're pushing a big snowball up a hill to get the support that you need to make the changes and implement the programs that are needed, in your estimation and your team's estimation, to properly protect the business from a variety of different threats, some of which you might control and some of which you don't. And so I know that I've gone to bed wondering, oh man, this new threat is out there, what's the impact to us, are we going to get hit? The ones that always jump out at me are these big third-party incidents or CVEs that affect infrastructure that you might run, and it's like, oh man, okay, great, I just learned about this tonight, we know that this is already being exploited in the wild, am I hit? That's stressful, and it's definitely something that every security leader needs to learn to accept: that, hey, you're in a role that has a little bit of this sort of risk, of thinking through the types of things that can happen to the business. And I think, unfortunately, another thing that's sort of come of that is security leaders, particularly CISOs, now have to consider the potential for personal or legal liability based on the decisions that you make or don't make during an incident or leading up to one. So that's certainly something that every security leader needs to think about. There are obviously ways to help mitigate that through things like D&O insurance and other things, but it's certainly a stressful role that I'm not sure a lot of folks appreciate, but it's something that I certainly have thought about and struggled with personally.

Raj: No, thank you, thank you, you're absolutely right. I think I had an opportunity to read in flight about the State of New York versus Timothy Brown on SolarWinds. It's unbelievable, the level of stress that, like you talked about, is on security leaders today.

Carlos: Yeah, it kind of puts some security leaders in a position where they need to ask questions that they never really had to think about before, like, hey, what legal protections do I have from the companies I work for? Do I need to consider my own personal liability protection in case things go awry? I mean, the Tim Brown case is an obvious example; there are others, of course. So it's something to consider.

Raj: Now, do you see this varying, the stress levels varying, across industries? You've been in different industries. Do they remain the same, do they go up or down? What's your take?

Carlos: I didn't quite get the first part of your question, Raj.

Raj: The stress levels, as a security...

Carlos: I mean, so I feel like my personal take is the overall stress level, I don't think, changes. I think what changes is what you're stressed about. And so, in some of the larger, more highly regulated environments or financial services environments, there's a level of stress of kind of dealing with the constant audit and regulatory frameworks and all of the various constituents that want to evaluate your security. And so if you work at a large bank, you probably have to deal with internal auditors, external auditors, internal operational risk, regulatory compliance and regulatory audits, you'll have to deal with your board, and that's to say nothing about finance or other groups that also want a perspective on your security program. And so you have to manage those relationships and that work carefully, because if not, you run the risk of spending more time talking about your security program than actually leading the organization and essentially delivering the program. And so that's a challenge that a lot of leaders, especially those in highly regulated environments, have to struggle with. On the flip side, and I'll be brief here, when you don't have that really big regulatory framework, you probably don't have as many resources at your disposal to effect a strong security program. So you're thinking more along the lines of, hey, are we doing all the right things to keep bad guys out? We're trying to move super fast as a startup company. I don't want to say we're taking shortcuts, but we are moving fast, and so you're also thinking very thoughtfully about how do I help the organization and the business make the right choices around security without imposing a level of friction that essentially halts or slows down the ability to gain and retain business. So it's a whole other sort of thing to think about.

Raj: And how do you keep your team motivated through this?

Carlos: Yeah, you've got to understand your team. This is just my opinion. I feel any good leader takes the time to get to know their team, and not necessarily being buddy-buddy and going out for drinks and all that, or at all, but understanding what really makes them happy, what are they driving to, why are they in this job, what do they want, what makes them happy. And that changes from person to person. For some folks it's, hey, I want to be challenged, I want to do complicated, thoughtful, innovative work. For others it's stability: I want to be able to just do a good job for a place that's going to make sure they take care of me, because I have a family to feed and a family to take care of. For others it's money, and that's okay. We kind of talk about, oh, money shouldn't be... It's okay to say I'm motivated by compensation; that's perfectly fine. Understanding what those things are, I think, is really vital for an effective leader to keep the team moving forward. And so once you have a sense of what those things are, you look for those things and opportunities that appeal to those motivations, to help inspire the team as a whole towards moving to whatever goal you're trying to get the team moving towards.
Raj: Got it, got it. So I think, in all this, you're not just talking about defending, right? You have to also deliver value. How do you manage that, Carlos, and how do you know that you have arrived?

Carlos: Man, that's a really tough and tricky one. I think I learned so much more about what it means to really deliver when I moved over to AWS, and I was now expected to deliver product features, product releases, on a timeline. So when you have a big conference like AWS re:Invent, there are certain releases that tend to happen around that time or before that time, and so it's a pretty clear line in the road of what you're trying to deliver to. So one of the things that I really got to build some muscles on was delivering on very tight timelines, and in order to be able to do that effectively, you've got to build and have engineering discipline, like really understanding what it takes, Raj, to build something and build it, like, how long is it going to take to build this new API. And so in my pure security days, it might have been okay for a team to say, yeah, we think it's going to take us a couple of sprints to build that API, test it, and release it into prod, and then you get into the weeds and it's like, oh my God, it's really like eight weeks, because we didn't really think about this particular dependency, or this other team that needs to review things before anything gets loaded up on their API gateway, or what have you. And so I think that's one of the things that I felt I really had to figure out in my time at AWS: really understanding and diving deep into, when engineers say X amount of time, okay, walk me through why we think that's the right number, because there aren't too many opportunities to add slack to a project once you've got things going. Now, what I will say, and I loved this about AWS, was that security was truly job zero. What I mean by that is, everything I just said about delivering things on a deadline, super important, but no one batted an eye if something needed to slip because of a security problem. It was always the best decision to make sure that, hey, we need to get that thing done securely. And so that was great to see from my time there, and I don't necessarily want to turn this into an AWS love show, but that's something that I definitely really admired and appreciated about AWS and how they think about engineering as it relates to security, which is something that is candidly a bit of a challenge in other organizations, where you will get tough questions like, well, can we fix that security vulnerability in a follow-up release or a fast follow? And the answer may still be no, we have to wait, but you may have to manage that conversation a little bit more actively.

Raj: Got it. And how do you
see, what do you see as the role of governance, risk and compliance, as we talk about this, from a security perspective?

Carlos: As a CISO, I always thought of GRC as the foundation of the entire security program. You really can't... The whole point, in my opinion, of GRC is, first and foremost, to set the bar: to understand what is the company's risk tolerance as it relates to cybersecurity risks, and where the business is in relation to managing those tolerances, so putting together a maturity assessment to understand where you are compared to where you think you should be. And if you don't have that, I feel like a security program is just sort of running around like the blind leading the blind a little bit. You don't know what's good enough, so then you're going to have engineers and others, or managers, on one day just going, hey, I think this is what we should do from a security perspective, and then two weeks later, for another project, it's, oh, I think it's this thing over here. And that leads to confusion; it leads to lost trust across the engineering teams as a whole, because they see you as evaluating things with a different perspective. You're going to get asked outright: wait a second, you just told this team over here that they didn't have to do all that, and now, when we're doing basically the same thing, you're telling us that we have to go do that? That's not right. And so you're going to wind up losing credibility with your stakeholders. So to me, governance is kind of where it starts. They're the team that, again, working with the technical peers in security, working with engineering and IT, and most importantly working with the business line as well and top management, understand, hey, this is where we need to be, and understanding that what was good enough at one company may not be good enough at another, or may be, candidly, too good at this particular company. And so that's the job of a strong GRC leader: to help the CISO and help the executive team understand what is the bar, based on current threats, current risks, and what the company's estate looks like from a security perspective.

Raj: Got it. No, that absolutely makes sense. And so I'm sure the question that is running through the listeners' minds is, how do we define this "good enough"? Is there any advice?

Carlos: It's different for every company or business, and I think, again, it boils back down to understanding what is the company's tolerance for cyber risks. So one thing that's helped me is, rather than walking into a meeting with a COO or a CFO or the CEO and saying, hey, what do you think our cyber risk tolerance is... I mean, I don't know, maybe that goes far for some, but what I have done instead is I've tried to come into those conversations with some understanding of what the business does. So meeting with a couple of the CFO's direct reports, or a few of the chief revenue officer's reports, or a few of the other CEO directs in engineering and IT, and trying to understand the business and understand the technology, and have a perspective to walk into the CFO's office, I'll just pick on that role for a bit, and say, hey, look, I've been here for four weeks, six weeks, whatever the number is, here's my view of some of the most critical risks to this business. What's your perspective on that? And then, from that point of view, hopefully by then you already have some opinion on how the company's security maturity is going, so you're assessing what identity and risk looks like, what the governance program looks like, what sort of vulnerability management program is in place, incident response, etc. And it's from that, I think, that you can come into that conversation and say, look, okay, great, I think we're aligned, or maybe we're not, and that's okay. From my perspective, I'm going to do some more digging, because I do think that we have some potential gaps to what we think those risk tolerances are, and what I'd love to do is come back to you and the rest of the executive team and walk you through that perspective, because as we look into the remainder of this year, or even next year if it's budget season, I want to make sure that I have your alignment on how we think about our security investments and program to help align with those risks, because we may need to make some changes, we may need to do some things that we're not, or stop some things that we are doing.

Raj: All right. Now, how do
you communicate those security needs to those executives, to the board, in addition to whatever we talked about?

Carlos: Yeah, so one of the things that I look for from my leaders is options. It's very easy to come in and say, hey, this sucks, right? I mean, we've done it before: that's terrible, why are we doing that? Great, okay. And it's less easy to say, here's what we should do, and that's great that folks do that too. But when it comes to, all right, we need to spend money, maybe a lot of money, to fix this, or hire people, what's even better sometimes, especially for the tougher problems that have more ambiguity or greater cost, is to come in and say, here's the problem, that sucks, and here's the best way, the Cadillac Escalade way, to fix that problem, and here's perhaps the Lexus or mid-tier way, and then, if we have to, here's the economy-vehicle way to fix that issue. And then we can also always just do nothing. But then talk through what are the benefits of the options.

Raj: The pros and cons, if you will.

Building a business case for GRC: data, options & credibility

Carlos: Yeah, exactly. Like, okay, well, this is what we get out of doing that, this is what we get out of doing that, so that we can come in and make rational decisions about what to do. And then, through that, what I've tried to do, particularly in my two CISO roles, was to figure out how do we take these risks, these top-line, material, fundamental, what I would call existential risks to the business from a cyber perspective, and how do I model or quantify some of those risks. I mean, it's easy to say, well, the likelihood of that risk is low but the impact of that risk is high. Great, that works for a lot of folks. What I prefer to do is try to model or quantify that a step further. Can we, even though there is some ambiguity and it's not perfect, can we somehow come up with some kind of a percentage around what that likelihood looks like? Can we identify, based on conversations with finance, conversations with legal, a dollar value or a potential dollar value of that bad thing happening? And then, through that, you can pivot off of how you feel about your controls around that thing and then do some basic modeling. So you can do something like a Monte Carlo simulation to take a thousand different scenarios of the bad things happening and look at, all right, are these risks really fundamental, and are they really low-likelihood, high-impact, based on those things. And so at the executive team level, I've always felt that executives tend to appreciate that level of diligence or rigor around how to think about those risks, rather than just coming in with a nine-box diagram. And so that's kind of how I thought about it, Raj. Now, having said that, when I've talked to the board, I have found that you actually do need to find a way to synthesize that back into something that's a little more quickly digestible by a board audience. Typically a CISO might get somewhere between 15 to 30 minutes a quarter, maybe a month, with the board. Point is, it's not a lot of time to walk them through a complicated quantitative risk model listing out your risk register and all these different possible things that can happen. Really speak to those big existential risks, six, seven, eight, nine maybe, and talk about those at the board level, and yes, perhaps using some kind of nine-box based on your quantitative model.

Raj: I think that's brilliant, actually, a brilliant way to look at it. So start with a quantitative model, but simplify it and bring a qualitative approach to this as well, so that people across the board can understand these risks and relate to these risks. Beautiful. I'm going to flip the question the other way. As a CISO, what information do you want to be presented with, and what typically do you see as the challenges when you get this information?

Carlos: Yeah, I think the thing that jumps out at me is, again, making sure that you've thought through multiple approaches to the problem. So I mentioned different options for different types of problems. It sort of shows me that you've asked yourself the tough questions about, is this the right thing to do? I've done it: I've seen a problem and said, oh my God, we have to fix this by doing this specific thing, and it's very easy to arrive at that, and there may be a number of biases that drive you to that. I think challenging yourself with, wait, are there other ways to fix this issue, is something that I particularly value from my engineers and leaders. And obviously coming with data. So instead of just saying TPRM is broken, well, okay, great, I think we know that, tell me why. How long is it taking us, on average, to respond to a customer questionnaire? How long is it taking our own diligence when we evaluate our own vendors? And then what can we do to bring that number down, what are some different options that we have? So I tend to appreciate data and options when I think about the data or the things that come from my team, because we are in the risk management business, not the risk avoidance business. There's no such thing as that. And so being able to be thoughtful and critical about our own perspectives and biases is something that I've always appreciated from, again, my team.

Raj: Got it. And how do
For a security manager or a GRC manager, how can they go about building a business case for budget and resources? As a leader, can you give us some tangible advice in terms of how we can think about it?

Yeah, so like I said earlier, I think one of the biggest, most important jobs of a GRC function and a security team is to set the bar: understanding, all right, these are the risks that we have, this is where we are in terms of managing those risks, and here's the gap. The GRC teams that I see that are really good at that are really adept at describing what that gap is and how this thing helps close that gap. So in the last couple of CISO roles that I held, what we would try to do is illustrate that quantitatively and say, hey, look, we take, making up a number, $100,000 and we spend it towards solving this particular security problem with tools, process, people, and here is how we feel the likelihood of that event might change, or how the impact of that event might change, because we're able to detect it sooner and remediate it sooner, so the blast radius is perhaps a little smaller. That's the thing I've noticed that GRC teams that are good at selling really do. The other thing that I think is super gifted, and I almost want to call out one of your previous guests, Mosi Platt, for doing this super well, was really understanding the voice of the customer. I had the privilege of working with Mosi at a company called BetterCloud, and Mosi led all of GRC for BetterCloud, and one of the things that he was just brilliant at was talking to customers about what they need and feeding that as a great feedback loop into the security strategy of the company: hey, we're getting really good feedback from customers and prospects that we should really be thinking about key management perhaps in this way, or logging and monitoring in that way, or identity in that way; are these things worth considering? And so having customer signal, I think, is vital for GRC teams to add as another thing in the toolbox when you're thinking about what to invest in, or how to get support for what that GRC function feels they need to achieve their mission or to enable the business.

No, I love what you're saying. Basically, the idea that GRC teams can reinforce the security team, even in building a business case and throughout the process, I think is a brilliant way to think about how we can build a better business case, how we can create much more tangible outcomes.

Yeah, and it also increases credibility with the business when you're taking the time to understand customer signal, because it positions the GRC function: you mean the compliance people, the audit people, they're actually talking to our customers and understanding what they need to adopt our product more or purchase us? That's pretty powerful, and it definitely opened a lot of doors, not just for Mosi in that specific instance but also for me and the rest of our security team, when the engineers knew that, hey, you're somebody who understands the technology and is customer focused, or customer obsessed, to use the Amazon speak. That really speaks to the credibility of a GRC leader when they're willing to pick up the phone and talk to customers; not a lot of GRC folks do that.

Got you.
So you have a very interesting set of experiences, Carlos. You have been a security practitioner, you've been a CISO, and you've also been on the engineering side, software development and engineering. How do you build trust with the engineering teams?

It takes time. It's not something that comes overnight. Engineering teams have a lot on their plate; they've got a ton of stuff to build and not a lot of time to build it, and, being a little provocative here, they often don't have the time to answer a bunch of security questions from the governance and compliance team. So I think one of the things that really jumps out at me in terms of how to build credibility is transparency. There are a lot of audits and things that come from these various funnels, right? Customers and prospective customers: you're always going to get inspected by your customers in one way or another, with a few exceptions. But one thing you're always going to know, especially if you're in a B2B business or a SaaS business, is that you're probably going to have pretty good line of sight to when you're going to renew your SOC 2 Type 2, when it's time to renew PCI compliance, or when you're going to have a regulatory audit from the Department of Financial Services in New York because you do business in New York. You know when these things are going to happen. You might even know when some of your biggest customers are going to audit you, because you can reach out to them and say, hey, for 2025, can you tell me roughly your rhythm for audits for next year? And so with that, one of the things that we tried to put together back then, which I thought was fairly successful, was an audit calendar.

Wow.

For the engineering team and for ourselves, so we understood what the rhythm was going to be coming in from all these different types of audits. It's super helpful to understand what that cadence is going to look like, and when you share it with the engineers and you say, look, nine months from now I'm going to need one of your engineers for a few hours a week for two or three weeks to help answer a lot of these questions, that helps buy some credibility and some trust that you've got your act together and you're not a GRC leader running around like a chicken with its head cut off who doesn't know what's going on and is constantly coming in with the fire drill of the week on some audit that needs a question answered by Friday at 4:00 p.m. That'll work a couple of times, but do it enough and you'll start to lose friends on the engineering side. So that's one thing that jumps out at me, Raj. The other thing is, the GRC folks that I think are really successful with engineering teams take the time to understand the tech.

Got it.

You know, take the time to understand, hey, if you're running a microservices environment on Spring Boot or something like that, or on Kubernetes, that you take the time to understand Kubernetes fundamentals, that you take the time to understand what a DevOps pipeline looks like and how a GRC function could potentially integrate with that or ask questions of that pipeline without having to pick up the phone or Slack and ask someone a question. In my experience or observation, engineering teams appreciate when they don't have to dumb things down or distill things at a super high level, and can speak to you on their terms and you get it. I'm not saying you've got to know Java and truly understand every possible component of the k8s or Kubernetes ecosystem; that's not what I mean. But understanding what the fundamentals are in whatever your engineering team's stack happens to be, boy, you're going to win a lot of points pretty quickly.

And I think it helps to relate with engineers fairly quickly as well, right, and understand their pain points.

Yeah, it just makes the conversation go smoother. And similarly, you could almost make that same argument with the CFO, speaking of finance, or speaking of marketing. No, you don't have to know how to file the quarterly statement for the business, but you do need to understand a basic balance sheet and income statement; you've got to understand basic fundamental financial questions about how the business brings in money and how they think about that revenue stream, basic concepts like ARR and whatnot. It makes sense to understand those things because it makes the conversation just go better.

Absolutely, absolutely. Where do you see the industry heading, and how do you think security leaders should adapt to the changing times?

That's a good one. So, obviously, AI is a thing. We could probably have a whole other conversation about that; I'm not going to spend too much time there. AI is changing everything, including our space, and we've got to get smart about it, full stop. So, moving along, the other thing, sort of a minor thing that I think folks are beginning to understand, is what I call ClickOps, and that's not just my term, it's been around. What I mean by ClickOps is the jargon for implementing changes in production via the console, via a graphical user interface, or even the command line, just popping open a shell and typing a command and doing something. That's going to largely go away in favor of infrastructure as code and policy as code, where you're actually creating a PR or a CR that gets reviewed by multiple folks and commented on and merged into some DevOps pipeline to implement that change. Because, especially as we continue to shift towards the cloud, or at least shift some workloads towards the cloud, that's really one of the best, most fundamental ways to assert that changes are, if not immutable, less mutable, because once that pipeline runs again, things get reverted. So that's my take on that: if you're someone in security who's been doing this as long as I have, you probably need to start understanding and learning how to automate changes to devices and infrastructure through code, versus making changes in a console somewhere. At BetterCloud, even identity-specific changes went through a PR. If you needed access to GCP, nobody was going to another console and adding an IAM user for you and adding you to some role; we just didn't do that. Those changes went through a PR process, reviewed by at least one other person on the engineering team, and merged in. And so that's just how I think the industry, from an infrastructure perspective and maybe even from a GRC and identity and other point of view, is going too.

No, I think that's brilliant. From ClickOps to GitOps is what I'm hearing. That's brilliant, right?

Yes, I love that. That's exactly what I mean, Raj. I think things are going in that direction, and I'm a big fan of it. I'm going to use that: GitOps.
The “dream” security solution: magical patching & beyond

I'm going to ask you to wear your dream hat. What would your dream security solution look like? Maybe you can take a very specific example.

A dream security solution? So what do you mean, like I can just invent something and not worry about anything, like money is no object?

I think we'll suspend reality for the time being, so yeah.

Okay, let's think here. I think if there was one thing that jumps out at me, in addition to solving TPRM, which I won't get into, I'd love to be able to solve vulnerability management. Thinking back to when I was doing this stuff, the amount of calories that my teams and I, and infrastructure engineers, application engineers, governance folks, would spend responding to and remediating the constant plethora of vulnerabilities that would come in. I'd try to figure out a way to automatically, when a CVE comes out, just instantly patch everything or reinstantiate everything running a non-vulnerable version of the thing, because we just spend so much time on patch management. And not just from the perspective of patching the things, but also talking about what we're doing. One of the things that drove me wild near the end of my pure security career was every time a big, news-cycle vulnerability got out there, there was the inevitable 30, 40, 50 different inquiries from various customers asking, hey, have you seen this vulnerability that just came out today? Can you tell us about your current exposure to that vulnerability? If you're exposed, when are you going to be patched, and what are the things that you're doing to mitigate your exposure while you're waiting to be patched, and can you let us know when you're fully patched? So that's a lot of churn.

Yeah.

I don't know how I would solve that. Again, I feel like just throwing reality out the window: if there were a way to either magically patch or remediate things as soon as they came out, without any impact to production availability, I think that'd be pretty cool and interesting. Or if there were a way to at least immediately say, all right, in my estate I run OpenSSL whatever-dot-blank, but this issue is non-exploitable in my environment because of X, Y and Z other mitigating controls, and I only need to worry about this small portion of my environment, and I go patch that immediately. Those are the things that would be interesting to me, Raj. I'm curious, what about you? What would be your dream solution, besides the one that you're building?

No, I think some of what you talked about is very, very close to our heart. So essentially we believe that GRC is an observability layer for security, and it's a one-two punch for us. If we can automate infrastructure as code, and we can do CloudFormation templates and Kubernetes manifests, why can't we automate services, right? Whether it is GRC services, whether you're running an assessment, whether you're collecting evidence, whether you're creating a graph model, whether you're asking questions, whatever they are, why can't they be automated as code as well? And why can't they run, to your point, from a ClickOps to a GitOps model? That is something that we are very, very passionate about. It allows you to make it much faster, reduce the incremental cost of getting these things done, and, most important, it brings the team together, whether they are engineers working on their own job, all the way to the auditors, for a much more effective risk assessment at the speed of DevOps. I certainly would love to live in that world.

It's a tough problem. I recognize that; it sounds like you do too. I just hearken back to the amount of energy that we would put into maintaining a strong posture from a vulnerability management perspective, in light of the bombardment of CVEs that constantly come in. It's a big one.

Absolutely, you're absolutely right.

Encryption and why we may not need to encrypt “everything”

We started with a provocative question. Do you have any other unpopular opinions?
Oh man. Okay, so I'm just going to be super unpopular on this podcast, and it's fine. The thing that came to me while I was thinking about the awareness unpopular opinion, and I almost want to think about this more, is that I am not completely convinced that we have to encrypt everything. It's one of these...

Being provocative, yeah.

Well, think about it. There is a performance cost to encrypting everything, but there's another cost too, and that cost is around key management, right? You've got to protect the keys, you've got to store them somewhere, you've got to rotate them, you've got to protect how you call them in your code, and not everybody does that, and that's just the way it is. So it's just easier to say, encrypt everything, right? But maybe not. And so this is again where governance, I think, has a really good say, to say what the bar is. Maybe you do need to encrypt all of your customer data with PII. Do you need to encrypt the pencil sharpening system or the lunch menu application? Maybe not, because the cost to manage all that encryption over time just may not be worth it. And then also, even if you are encrypting, make sure that that's not the only real pillar of your security program, because let's face it, in many breaches where the bad guys get in, they typically also get your keys. Not always, but if they have root in your cloud environment, they might also have access to those keys to decrypt everything. Now, there are exceptions to that: if you have a FIPS 140-2 Level 3 HSM and you control your own keys in your own on-prem environment, maybe it's a different story. But you should be thoughtfully asking whether or not it's worth it to encrypt everything.

Got it. And if we can extend that question, how do you convince your auditors when you take a provocative stand like that?

So again, it boils down to your governance program. Auditors aren't there to necessarily tell you exactly what to do. In my experience, auditors are there to ensure that you're doing what you say you're doing. They're auditing your program, not necessarily the veracity of the controls you chose. That's been my experience, unless you're doing something that is just completely beyond the pale, you know, like, well, no, we don't give passwords to people, we give admin to everybody, and we don't really worry about any of that. Auditors are going to have some pointed questions about what you're doing. But going back to your question, I think a governance function with that point of view could say something like, well, we have a security standard that classifies data based on certain types of risks, and we consider the pencil sharpening application to be non-public data, and we don't require encryption on non-public data, therefore this application doesn't require encryption. That's one approach to help defend why you wouldn't do that to an auditor, who would then come to audit your security program, look at these artifacts, and go, oh yeah, your policy says this, your standard says that, and what you're actually doing aligns with
that, therefore you're good to go.

Must-have resources & the power of a strong security network

You are a voracious reader, as I understand.

I don't know about that. I read more now that I've stopped working, but I don't know that I'm one of those. I think Bill Gates reads something like 50 or 60 books a year, maybe more. I'm closer to more like 15 or something, not a voracious reader, but I will say that being retired makes it easier to read more.

Is there anything that you would recommend: books, podcasts, any resources, anything that you would recommend for our audience?

Yeah, so today I just finished The Three-Body Problem by Cixin Liu. There's a Netflix series on it; I actually saw it before I read the book. The book is fantastic. I've already bought the other two books, and they're amazing. There are a lot of great books out there on cybersecurity and leadership, and I won't necessarily speak to any particular one, but to answer your question more directly as it relates to security, I think the thing that really benefited me in my career was having a network: getting to know others in the industry, getting out there and building relationships with your peers, with others that you see as aspirational peers, with others that you can learn from that may be a little bit more junior. To me, that is by far the most valuable thing that I ever had in my career, where I can reach out to my peers and say, hey, I've got this problem; I'll anonymize it, obviously, to protect confidentiality, but how are you thinking through this issue? And there are a ton of Slack groups, Discord groups; Reddit is actually still, I think, fairly useful for a number of things in terms of understanding how others think through problems. Leverage those networks and build them on your own. It's going to become super valuable, especially as you get promoted up the chain, if you will. At the CISO level, there are a number of really good closed Slack groups out there that I still continue to be a part of that are absolutely tip-top in thinking, and being able to go to these groups with a fair degree of, you know, Chatham House Rules or TLP protocol, pick your confidentiality regime, to be able to talk about things fairly confidentially and get some really good perspective on how to think about that problem. That's the thing that jumps out to me, man: build relationships, build your network. The problems that you're dealing with, someone else is dealing with too.

Totally. No, absolutely, that's brilliant.

Life after CISO: hobbies, health, and staying curious

How do you spend your retirement now, Carlos?

So, it's funny. Like I said, I just hit six months. Those first three months, Raj, I got up whenever I wanted, like at 10:00 in the morning, I'd pour a big bowl of Froot Loops or Cocoa Puffs and just sit in front of the TV and watch TV all day and do nothing. It was great. Now that I'm six months in, I definitely find myself wanting to make sure that I'm staying busy, and so fortunately I've got a number of hobbies and things that I enjoy doing. I enjoy, like I said, tennis; my wife and I play a fair bit. I enjoy trying to stay fit, so exercising. I actually draw on my own; I learned how to draw as a kid and I picked it back up for real in the last few years. There are a couple of other things I do: I enjoy music, I play a little piano, or at least that's what I like to tell myself. But it's things like that that keep me engaged and keep my mind busy and going. I've also found that I still love cybersecurity, I still love technology, and so I definitely still find some time here and there to read about it and stay on top of what's going on. I like experimenting and playing with some of the tech that's out there, so I still maintain my cloud accounts with AWS and I still log in on occasion and putter around. So I have plenty to keep me busy, Raj. That's more or less what I'm up to.

I'm super glad to hear that. Now, did these hobbies help you with your stress level when you were a CISO?

They did, man. And that's another tidbit I would recommend anybody in this business do: find outlets to manage that stress, because it's very easy to self-medicate or find other unhealthy ways to manage through that. So for me it was always extremely therapeutic to draw. It was just so relaxing and cathartic to just sit there and draw. And then sometimes, playing tennis, you're mad at something or frustrated about something at work, and you can get out there and just hit that ball as hard as you can, and that's another way to relieve some pent-up stress. So I'm glad you mentioned that, because that's a really important thing for anybody in security, maybe even most industries, to have: find an outlet, find something that you love to do, and find the time to do that for yourself on the side.

Got it, got it. And we're almost at the end of the segment, Carlos, and I want to ask you: any final advice, words of wisdom for our audience and for security leaders out there?

I think what I just said might have been it, really just finding that outlet for what you're doing. I mean, there are a lot of things you want to make sure that you're doing around making sure that you're enabling the business, that you're not...
I guess I'll put it this way. The thing that I used to tell my teams was that, look, the business has a choice in who and where they get their security from. Right now they're choosing to use us because we are helping enable them to grow the business, achieve their mission, the company's purpose, whatever that happens to be. When we stop doing that, the company's going to realize they have this choice, and they can always choose differently. They can choose to have a managed security services provider provide all their security, or outsource the security team elsewhere, or just replace the team entirely. And that's something that a CISO definitely has to consider. I've seen CISOs walked out the door because they're considered blockers, or obstructionists is the word I use. So make sure that you think about that; just consider that, at the end of the day, security is here to help the business move forward, not there for its own sake. And I think a lot of really smart security professionals have gotten caught up in that trap in the past, to their detriment.

From defending to delivering, as you said in the beginning. Yeah, I'm super glad to have had this conversation, Carlos. Thank you very much. You have a great day.

No, thank you, Raj. I really enjoyed this. It was great to catch up with you, so I appreciate it, and thanks again.

Thank you.