Can Compliance Be Cool? Harness’s Andrew Spangler Thinks So

Raj Krishnamurthy (00:01.346)
Hey, welcome to Security and GRC Decoded. I’m Raj Krishnamurthy, your host, and we have the awesome Andrew Spangler with us today. Andrew has been a security practitioner for more than 10 years, and he’s currently the head of security and compliance at Harness. Andrew, welcome.

Andrew Spangler (00:17.993)
Thank you, Rush. Happy to be here and good to see you.

Raj Krishnamurthy (00:20.298)
Yes, absolutely same here. So, Andrew, I’m going to start with maybe something different, right? Let’s talk about maybe a controversial opinion or a hot take you have on security and GRC.

Andrew Spangler (00:34.291)
Yeah, I think my hot take for the last maybe 10 years or so has been that I think compliance does equal security. And I’ll caveat that by saying it doesn’t necessarily equal total security, but I do think that compliance in particular becomes a forcing function for a good security baseline.

Raj Krishnamurthy (01:00.046)
I think that is, in my opinion, an interesting take because you’ll hear the exact opposite from most people, right, when they say compliance does not equal security. And if somebody were to ask you this question, right, all the breaches that we have seen, and they all have, it’s not for the lack of compliance, you know, accreditations or attestations that they have, but they still got breached, what would you say something to that?

Andrew Spangler (01:27.539)
Yeah, I think that’s a great question. So when I think about compliance and its relationship to security, I often think of it as hygiene. Compliance is a way that we enforce good hygiene across the board. And you know this, oftentimes when you see the RCA of a data breach, I want to say the Verizon data breach report

stated that nearly 80 % of data breaches were a result of really what boils down to bad hygiene. It was social engineering or baseline cloud misconfiguration And I think that with security as a discipline, you can fudge things, you can take shortcuts, same with compliance. You can treat it as a checkbox activity. You can look at it as pure overhead. But I think if you take both of those disciplines seriously,

Not only do they play really well together, but they also help us establish a clean routine for security hygiene across our enterprise.

Raj Krishnamurthy (02:32.942)
Got it. Eat your vegetables, brush your teeth, may be boring, but keeps you healthy. Wash your hands, exactly. Got it. Let’s talk about you, Andrew. How did you get started with security and compliance, and what has been this journey thus far?

Andrew Spangler (02:36.285)
Wash your hands. Exactly right. Yep. Yep.

Andrew Spangler (02:48.361)
Yeah, so I started off back in 2007, 2008 in an IT role. was a help desk at a local school district, had the opportunity to do some interesting work there with students, and then I moved into more of a systems engineering role at a manufacturing company. And while I was there,

I took on some security responsibilities in the wake of some industry events. You may remember this was 2010, 2011 RSA’s poison ivy attack. And in the aftermath of that event, we had to go through and rebuild our

two factor authentication system with the hardware fobs. And I volunteered to take that on and also ended up getting some other security responsibilities along with it. So that was really my first foray into security as a part of my professional life. After that I did…

about a year and half, maybe just under two years at a company called Rapid7. This was back in the very early 2010s. My responsibility there was working with other systems engineers, systems administrators to build out security programs, vulnerability management, some internal penetration testing using Rapid7 software at the time.

And that was sort of my first full-time focus on security. And from there, I held a variety of roles. You asked about security and compliance. My first sort of exposure to compliance at an enterprise level was at an electric utility company in Washington state.

Andrew Spangler (04:43.785)
I was responsible for our vulnerability management program across the IT systems as well as the OT, the operations technology systems. And a lot of that work was really driven by NERC SIP compliance, which is really, you know, a sector specific interpretation of the NIST controls plus some critical infrastructure requirements that go into that. so,

While vulnerability management was and remains a good practice from a security perspective, this is really my first exposure to compliance being a principal driver for those activities. And then since then, I spent just about four years at Datadog and now four years at Harness where compliance has been part of my mandate at both of those organizations.

Raj Krishnamurthy (05:38.552)
So you spent a lot of time as a security practitioner and technical companies leading compliance teams. So what do you think is the role of GRC, especially in these tech forward companies? And how do you see others see that, particularly the leadership and the rest of the organization in security or engineering? How do they see that? So maybe that’s a two part question.

Andrew Spangler (06:02.569)
Yeah, let me take the second one first. So in my experience and observation in our industry, and I’ve spent most of the last 10 years in B2B SaaS. So a lot of my context approaches our industry from that perspective, which I think is a little bit different than B2C or.

maybe even just sort of a standalone business, I think the B2B space brings some unique challenges with it as well. So my observation has been that generally speaking, from a startup perspective, you really start looking at security and compliance at GRC.

right around your series C fundraising round, you’re really getting some traction, you found good product market fit, and you’re starting to engage with enterprise customers, whether they be large banks, other large tech firms, regulated industries who are able to consume your platform, but not without the caveats of requirements. so the folks that I’ve spoken to and the companies that I’ve worked at,

you know, will go as far as they can getting those compliance requirements ticked off before it just becomes too much for legal and IT and your product team and your executive team to try and handle by themselves. And so they’ll invest in a security function at that point. So when I think about how do leaders and other…

aspects of the business think about security. think first and foremost, there’s a cultural awareness that data security, data privacy is an important topic, that it’s important as a table stake for this business to business environment that we’re operating in. I also think it’s a little bit of delegation and toil relief for them.

Andrew Spangler (08:07.177)
If you’re focused on building products or you’re focused on building your company, something that you would probably want to delegate as quickly as possible is everything from security questionnaires to a SOC 2 report. So there’s a little bit of business enablement and toil reduction that I think goes into the evaluation process for GRC. And then how do I think about it? I think that

You know, first off, our obligation is to meet those business expectations. We need to understand where our role is in the business and where can we quickly relieve pain points for our colleagues and for the business itself. I also think that GRC in this business to business context plays an important role in revenue acceleration in helping us acquire

and retain customers. We play an important role in the establishment and cultivation of trust between both organizations. And then as you mature and your programs and practice begins to scale out, there’s, think, an equally important role in governance and accountability that a GRC team can bring to a company.

Raj Krishnamurthy (09:28.534)
Okay, when we briefly spoke last time Andrew, you used the word problem solvers. The way you said it is, you said GRC from a leader’s perspective, you are like problem solvers. Am I saying this right? And can you double click and expand on that a little

Andrew Spangler (09:46.676)
Yeah, I think that’s that’s right. You know, my experience with GRC as as a function is that. There’s. I think a healthy ambiguity to how this function fits in a business. It can be adaptable to the needs of of a company, so I’ve seen and and participated in GRC teams that you know do everything from.

your traditional compliance activities, engaging with customers, to shipping code and interacting with the infrastructure at a technical level, to developing new capabilities for the business, giving product feedback, understanding the requirements and expectations of our customers. And so there’s a fluidity that’s inherent to modern GRC teams.

that I think really lends itself well to solving problems that maybe don’t have a clear home in other organizations or in other parts of the business, whether it be legal or engineering or even the sales team to an extent.

Raj Krishnamurthy (11:04.12)
Okay, now you said something very interesting because you are saying that GRC is not just an inside the company function, which is typically how it is seen. think, and given your experience, particularly in these specific companies, you also see that it can contribute back into the feedback loop, right from a product perspective. Can you maybe expand on that a little bit? Maybe how does GRC help some of these companies build better products?

Andrew Spangler (11:33.386)
Yeah, that’s a great question. So two things stand out to me in my experience, especially at Datadog and then here at Harness. First off, think from an internal perspective, GRC is rapidly becoming consumers of technical products. So at Datadog, everything that falls under that observability

umbrella logs and infrastructure metrics and application insights. All of those things can be consumed by a GRC team and I think then providing that user feedback to the product team on maybe an edge case or sort of a novel use case can help shape and inform the features that we put out or the, you know,

use cases that we consider as we’re developing products. At Harness, as a software delivery company, we’ve become avid consumers of the platform in multiple different ways. This is everything from evaluating and helping contribute to the governance and configuration of our CI CD pipelines to providing input and feedback on our OPA.

policy enforcement within those pipelines. And then, you know, we have a couple of modules that have become a part of our workflow as well. Our security testing orchestration that maps different vulnerability scans across your estate and gives you a deduplicated list. We consume that as well as our supply chain security module. And so I think that by using those features, sort of being a customer zero as a security team, as a GRC function,

We partner very closely with the product management owners for those different products, as well as our engineering team to say, hey, when I’m thinking about S-bombs or when I’m thinking about salsa compliance and how I’m speaking to our customers about this, here are the features and the things that I think would be really useful as a part of that platform. So from an internal perspective, consuming the technology that

Andrew Spangler (13:57.588)
that our company is providing to customers has been a key part of how we’ve thought about GRC. And then from an external perspective to your point, you know, we have by necessity, by design, regular touch points with many different customers. Our large enterprise customers we speak to on a regular basis, mid-market and even small business, we have these regular touch points with, whether it’s through the procurement process and

building that customer trust through conversations about how we’re protecting their data to providing direct feedback to customers on how we’re using the product. I had a great series of conversations last year with one of our largest customers that was really more of a knowledge share, not really the audit or assessment you’d expect, but a, how we’re both in this industry together. How do we think about solving these problems? How are you guys using?

Raj Krishnamurthy (14:48.323)
Mm.

Andrew Spangler (14:57.701)
harness using your platform to solve these problems and then having some consultation around how they might be able to implement it as well. I think there’s that internal feedback loop where we can be involved early in the design process. And then we also have a unique perspective of our security peers at our customers and how they’re thinking about trying to solve these problems. So we get that sort of unique look at the field.

Raj Krishnamurthy (15:26.062)
I think that’s a brilliant way to put it, Andrew. I loved it. But as you talked about, for example, the OPPA rego rules, right? But when you talk about these things and when you evaluate these things, are you stepping on security’s Do you worry about stepping on security’s toes? How do you see it? When I say security, I’m talking about a security organization.

Andrew Spangler (15:44.904)
Yeah, yeah. So, you know, I’ve had the fortune to be a part of some really technical and collaborative security teams, especially over the last 10 years or so. And when I started at Harness, my mandate was build out security really from from scratch. Before I started, there were a couple of security engineers and there was efforts to move the ball forward. But

one of the mandates I was given was build a cohesive department that will work together and augment the needs of the business. And so the way that we’ve structured our security organization is really to be complimentary and to share a lot of those responsibilities. So I have seen in the past what you’re talking about where there’s maybe a silo or a demarcation between

our technical environment and our sort of business compliance environment. I really believe that a modern GRC team is a blend of both and works hand in glove with security engineering, with product security, with our infrastructure and architecture teams. And so that’s been part of our DNA since the inception.

Raj Krishnamurthy (17:01.526)
And that’s a good segue to my maybe next question. What do you see as the successful attributes of a GRCT?

Andrew Spangler (17:11.241)
So when I think about a GRC team, really the baseline for success is bringing it back to the business. So what are the business requirements? And in my context, business requirements are to establish and maintain our regulatory compliance certifications. So this is our SOC 2, this is ISO, this is GDPR, and all of the privacy regulations.

as well as new certifications to allow us to go into new markets in those heavily regulated sectors. It’s sort of a both a pre and a post sales security assurance where we can provide trust and transparency about our own security practices to our customers in this interconnected B2B space. And it’s then the

continuous operation of the programs that underpin those commitments. So from a table stakes perspective, think it’s establishing and maintaining compliance with requirements. It’s building and maintaining relationships with our customers. And then it’s actually doing the work of maintaining those security programs. I think from a maybe more granular perspective, if we take a look at things

Philosophically, I think that that trust and transparency piece is an attribute of a modern GRC team. I think accountability, both internal and around the business, is another important attribute or characteristic of a GRC team. And then empathy, understanding what our colleagues are working on, what challenges our customers have.

Raj Krishnamurthy (19:00.656)
you

Andrew Spangler (19:06.887)
and being able to help sequence priorities and new objectives in a way that takes those other work streams into consideration.

Raj Krishnamurthy (19:18.446)
Okay, and you talked about briefly also about the GRC team needing to understand the business context. And I think you actually eloquently spoke about the PLG and how that fits into the business context around the product-led growth and how that impacts the GRC teams. I would love our listeners to hear what you said during our brief discussion last time.

What is your view on the GRC team understanding the business context and how should they think about this?

Andrew Spangler (19:55.112)
Yeah, I I think that that business context is really the foundation of how we can build successful GRC programs. I think the temptation can be, especially when you’re coming in to either start something from the ground up or to come in and do some repair and scaling, that it’s easy to get tunnel vision and look at

you know, what are the criteria that I need to meet in order to achieve compliance with a certain certification or, or, you know, framework. And you get so focused on the letter of the law that you miss out on the spirit of the law and having these sort of risk-based discussions. You can’t really have risk-based discussions if you don’t understand what the business is trying to achieve.

And so I think that, first and foremost for myself, for our GRC team, for our other security teams, understanding what the business is doing, where we’re trying to go, who our customers are. You talked a little bit about the sales motion, whether that’s product led growth or sales led growth or a combination of the two. All of these things really do factor into how we want to build.

capabilities for the business, how we want to prioritize, where we spend our time. I know you and I and most of the folks listening to this will empathize with the fact that there’s a thousand priorities, but you only have the bandwidth for 10. So how do you make those decisions? I think it’s on those needs of the business. so, you know, maybe one example for harness was

When I started, we had a handful of customer contracts that were contingent on the successful achievement of a SOC 2 report. Now, a SOC 2 report is something that’s definitely doable. It does provide a good baseline, I think, of security controls, but it may not necessarily always give you the impetus

Andrew Spangler (22:19.283)
to focus on what you think are the highest risk areas. And so part of the balance of priorities is looking at the areas of security risk, looking at the expectations of the business and making some trade-offs. Maybe we put a bandaid on some of these higher risk areas to come back to later. We move the

business enablement forward, which then gives us the credibility and the leverage to come back and have those discussions about closing the gaps on risk.

Raj Krishnamurthy (22:57.39)
Okay, I’m going to take a slight detour because I would be remiss if I don’t ask you this question. There is this raging discussion around commoditization of SOC 2. What’s your take?

Andrew Spangler (23:10.221)
man.

Andrew Spangler (23:17.725)
I think again, goes back to how you decide to approach security and compliance as a business and then as a security organization. There are lots of different ways to achieve the objectives that you need. I think one of the challenges that we see with the commoditization of SOC 2

is maybe similar to what we see in the vendor risk space in general, right? We’re all throwing spreadsheets and questionnaires and SIG, you know, documents at each other. Very few of us, I think, are actually spending the time to read those. And it’s really more of a checkbox. And so from a vendor risk perspective, I think that there’s no substitute for having a

risk-based conversation with your key vendors about how is the data flowing through your infrastructure and your data stores and how are you managing access controls. But I also think that there’s still inherent value in being able to demonstrate a baseline of security controls that have been audited by a third party. Many different caveats in there, right? You want to make sure you have

third party and that the audit itself is is a little more than just security theater but I think that from a baseline expectations standpoint something like a sock to is is just expected and again from a purchasing perspective it’s a lot easier for me to get over that initial hurdle of doubt if

something like a SOC 2 exists from a reputable auditor than if there are no certifications at all. So pragmatically, I think there’s some value in it, but it doesn’t excuse us from doing the due diligence on companies that we’re sharing data

Raj Krishnamurthy (25:26.942)
In your opinion, Andrew, does this change on how you look at Socto based on the size of the company? Is there a certain size above which your perspective on this changes?

Andrew Spangler (25:43.785)
Yeah, that’s a good question.

Andrew Spangler (25:49.066)
When I think about company size and the efficacy of compliance, there’s certainly a certain critical mass that companies reach where a SOC 2 is just sort of a byproduct of the work that they’re already doing. I think for smaller companies or startups, a SOC 2 is a demonstration that, hey, we’re stretching our capabilities.

filling in some of these gaps or were adding in maturity to process that may have been a little fast and loose when we were, you know, earlier on in the company’s history. So that critical mass piece, I don’t know if I could give a certain number. I would say maybe if I had to say, you know, maybe a thousand, maybe fifteen hundred people. But a lot of that depends on the type of data that’s being processed by the organization.

I care a lot more about, you know, maybe a third party, Gen. AI company integrating with our business systems than I do, you know, maybe a swag shipping company that’s sending out, you know, coffee to people. So it really depends on the context there, but I feel like a thousand to 1500 gives you a good sense of the maturity of the business, at least as a starting point.

that you can use to spring off other conversations.

Raj Krishnamurthy (27:22.744)
Compliance is a forcing function, right? So is your, and you also talked about compliance equals security. I mean, that was your first heartache. Do you see GRC, is it about checking boxes with the spending the minimum amount necessary? Is it about managing it to minimum cost or do you see it beyond?

Andrew Spangler (27:43.646)
think that checking those boxes is the sort of MVP for GRC. And let me qualify that as well. So checking boxes can have a negative connotation in that it’s disingenuous or that there isn’t any, you know, that it’s a facade, Potemkin village of security. But

Raj Krishnamurthy (28:04.045)
Hmm.

Andrew Spangler (28:12.561)
I think that checking boxes can also be a good opportunity to go through and ensure that good hygiene that we were talking about earlier as well. Right. These are these are things like is single sign on enabled across our state. Are we enforcing two factor authentication on those identities. Do we have a process to scan for vulnerabilities in our software and then to.

address those vulnerabilities, right? These are the fundamentals of security that I really think are baked into these compliance requirements. So when I say checking boxes, it’s more alluding to that sort of establishment of a good security hygiene baseline and not really saying that having a facade is what we want.

I do think that compliance can be a forcing function because that’s where you run into revenue blockers, right? And so like with many things at a business, you’re looking to expand, you’re looking to grow. And when security or compliance becomes a blocker to that growth, that’s where you have the opportunity then to revisit how you’re thinking about security at large.

Raj Krishnamurthy (29:35.0)
Okay, how technical do you think the GRC team should be?

Andrew Spangler (29:40.818)
I think technical expertise has always been a requirement for GRC. I think that we’re seeing now the evolution of GRC into a new age, a new epoch, where technical expertise is really becoming a baseline expectation. So I don’t expect GRC professionals

to be able to sit down and have a night job as a software developer or as an SRE engineer. But I do expect that we can have intelligent, informed conversations about all aspects of our technical estate as a GRC team. One of the things I’ve been really proud of in my last two roles at Datadog and at Harness is

building that technical expertise and bringing people into our team who bring both different perspectives as well as different technical backgrounds. When I was at Datadog, one of the last projects that my team worked on was the internal development of a software delivery system. Very similar to Harness, this is what got me really excited about CI-CD is seeing that

hey, here’s a single point in our infrastructure where I can at least observe, if not govern, our infrastructure as code, our applications, and our cloud services. All in one place, get the visibility. I can start using policy to assert these compliance requirements or these security objectives that we have. And so,

when we were building out the team at Harness, that was really a top priority that we could leverage the technology that the company was building and bringing to the market to also then accelerate and really be a force multiplier for the GRC team. So I think that a baseline level of technical expertise is expected in that you can look at an architecture diagram, maybe read through

Andrew Spangler (32:06.077)
some GitHub repos, and have conversations with engineers about design and decisions that are being made in that technical estate. I don’t expect them to be able to sit down and write an application end to end, but I do think that strong familiarity with the technologies and use of the business is a must.

Raj Krishnamurthy (32:35.276)
The one interesting observation that I have is that when we go talk about

automated deployments, right? And when we talk about salsa, when we talk about open SSF, even within the security teams, there is a lack of understanding of how to bring all of these together, right? And how do you sort of effectively use these provenance across build systems and deployment systems and so on and so forth? How far away do you think the GRC teams are? And the argument I’m making is that if the security teams seem to be removed,

How far removed do you typically see the GRC teams? And what can leaders like you do to bridge that gap?

Andrew Spangler (33:24.073)
I think that my observation, Raj, has been security teams, at least the ones that I’m involved with and interact with, are both deeply interested and highly motivated to be engaged with engineering at that level. I think that, again, I’m coming at this from a cloud native

B2B perspective, recognizing there’s many different flavors of security in GRC. But I think that…

there’s a recognition that the closer you can be as a security professional, the closer you can be to engineering, the more opportunity to be effective you have. And the farther removed you are, the more friction you’re likely to introduce, the less context you have into decisions that are being made, and the less influence you have over those decisions. And so,

When I think about our GRC function at Harness, for example, we are by design tightly coupled with the things that you mentioned earlier, the Salsa compliance, both from a product perspective, giving feedback to our product and engineering teams on how we’re achieving Salsa compliance, but then also

operating and sort of helping to govern those capabilities inside the company as well so that we can provide those attestations externally. So how did we drive that? I think part of it is by making the right hiring decisions. I’ve again had the very good fortune of being able to work with a really world-class team here at Harness, having some folks.

Andrew Spangler (35:30.89)
join that have elevated our ability to interact with those technical systems and technical teams in some new ways. I also think that nurturing and encouraging curiosity is a really natural way to get security and GRC teams involved with some of these more technical systems. Back to the earlier point,

that we talked about, think at our core, GRC professionals are problem solvers. We like to take on ambiguous or maybe complex challenges and find a way to simplify them, find a way to make things work well. And one of the things that historically in our industry has not worked well is that relationship between compliance and engineering. And so…

Nurturing the curiosity about other systems and other teams and what they’re focused on and how things work has been an important part of how we’ve approached that at Harness.

Raj Krishnamurthy (36:43.434)
That is very interesting. so can I, can I, so is your opinion that GRC is an engineering discipline? Am I right to say that?

Andrew Spangler (36:54.227)
Yeah, think that it certainly can be. I think that it maybe sits in a similar spot as…

like a customer success engineering team or even like a good product manager, right? Will have some familiarity and expertise with software engineering, with systems engineering. Maybe it’s not what they spend 100 % or even 75 % of their time on, but there is that technical background. I think we’re seeing an evolution of GRC into that

into that space, you you see a lot of conversations on social media and in podcasts about GRC engineering. And I think that’s a very natural evolution of the GRC discipline to not only be interacting with and consuming the outputs of these technical systems, but also then to be contributing to the design and implementation of the systems themselves.

Raj Krishnamurthy (38:04.878)
Totally, and I want to actually do a shout out to Charles Nottow and Ayub Fondi and there are a whole bunch of others who have actually started this movement called GRC.Engineering, right? And I think they are trying to push the agenda to what you’re talking about as well. And I think they’ve been quite successful in my opinion. So I totally agree. As a leader, Andrew, one of the challenges that I typically see people facing, especially GRC,

is to build this business case on why automate GRC, why go beyond automation. What would your advice be to them? How can they build a business case for building an effective GRC program?

Andrew Spangler (38:49.331)
You know, I don’t remember who the quote is attributed to, but I think as a general piece of wisdom, something that stuck with me is what we measure, we can improve. so one of the things that has been really useful to me over the last 10 years has been having both quantity and quality measurements of the work that GRC is doing.

And man, I feel like that really tells the story almost by itself. The amount of, just the amount of hours that are spent both by other functions of the business as well as GRC lends itself immediately to automation, to making that investment into new tools or internal ways to automate manual process.

you look at something maybe as simple as user access reviews, right? So as a public company under Sarbanes-Oxley, you need to, on a periodic basis, recertify access and then privileged access to certain systems. Well, if you’re at a point where you’re public, you probably have a couple of thousand people at your company, hundreds of people with access to different systems.

and going through and manually justifying all of that access is a nightmare. There’s a whole cottage industry around automating this. so that as an example, I think is a good illustration of where we can really promote efficiency within a GRC and a compliance function, but then also look at ways to really champion innovation within our field. You mentioned

the GRC engineering movement. I’m a big fan of the things that they’re talking about. we’ve been implementing some of those principles at Datadog and certainly here at Harness. And I think that from a business case standpoint, showing not just the time back for GRC, but also showing the spirit of continuous improvement and continuous monitoring of our environment.

Andrew Spangler (41:14.323)
helps us build credibility when we want to have discussions based on risks or new investments because we’ve shown that there is that ability to innovate, there is that ability to automate that boring stuff.

Raj Krishnamurthy (41:31.432)
Totally. You build the compliance engineering program at Data Dog. How has hardness changed your perspective or enhanced your perspective?

Andrew Spangler (41:43.912)
Yeah, think it’s really the exposure to a software delivery platform has expanded my perspective on what’s possible. When I was at Datadog, the compliance engineering team was born out of really pain and necessity. So like what we talked about earlier, user access reviews. How do we…

get ourselves out of this business. And so that team was initially tasked to build out some automation for SOCs. And then that branched out into additional automation and monitoring for our FedRAMP programs and the rest of the compliance suite there. At Harness, my colleague Kevin Moy, who runs our GRC team at Harness

has really made a point to dive into the products and the capabilities of the Harness platform and then look at how can we either retrofit things that already exist to work with our software delivery platform or design that new process that gives us the ability to either reclaim time.

or have a more confident understanding of the operating effectiveness of our controls. So, you know, in the past, take vulnerability management as an example, needing to run on some sort of schedule, vulnerability scans against, you know, not just your infrastructure, but also your, all of your software components. That’s a full-time job for several people in and of itself.

By tapping into the orchestration of multiple scanners, SAS, DAS, container scans, secret scanning, and then orchestrating those throughout different points of our SDLC, we have a much more confident understanding of where software vulnerabilities and weaknesses are being introduced in the SDLC.

Andrew Spangler (44:06.601)
What are the themes and the classes of vulnerabilities that we’re seeing on a more consistent basis? And then that ties back around into developer education. Where do we want to put some focus on empowering our developers to move quickly and write secure code? So Harness has really helped expand that visibility. And I think being able to…

dog food or drink our own champagne by using the platform has been a real advantage for us.

Raj Krishnamurthy (44:39.374)
So that is great. What is your view of generative AI, large language models? I think we cannot have any podcast without talking about Gen.AI or LLF. So what is your view of generative AI and large language models in the world of security and GRC?

Andrew Spangler (44:59.347)
You know, I remember back when, chat GPT first came out, it felt like a lot of the buzz that I was seeing was around, the fear that the attackers toolkit just got that much stronger, right? Fishing messages are going to get way better. lots of those capabilities would become much more difficult to detect.

Raj Krishnamurthy (45:19.822)
Mm.

Andrew Spangler (45:29.649)
And one of the first things I thought about was, what about on the, what about the blue team side? What about the governance side? There’s, there’s an equal opportunity for us here as well. So I think that, you know, one of the, one of the goals that the, leadership team and I talked about last year and has continued into this year is we need to find ways to

not only say yes to the use of generative AI across our company, but also to use it as a part of our security workflow itself. So this, think, will continue to evolve over the coming months and years as we see more and more interesting use cases for generative AI. I use it for things as

as simple as reducing toil for something like an SBOM review. So I have a workflow in ChatGPT where I can upload a software build materials and I’ll ask it to analyze certain criteria. Let me know where the copyleft licenses are. Let me know where critical CVEs are and it’ll spit out a formatted report that I can use to help better understand.

And that saves me hours of of work just just right there. So I think there’s some simple use cases like that. I’m also really excited about the further integration of Gen.ai into the tools that we’re using already. So there’s I mentioned before that harness has a supply chain security module that we use. It’s something that we

we’ll generate SBOMs with and gives us that broad visibility across our security stack. Well, using generative AI to interrogate in natural language the composition and components of our entire technical estate is super powerful, especially when you start looking at maybe some more sophisticated or sort of multimode questions that we can

Andrew Spangler (47:55.23)
we can ask the system that historically would have required either manual research or digging through a bunch of logs or looking through different build outputs. Now we can just ask a system, hey, where do I have these components or where are these configurations not present and get back a fairly authoritative list of what things look like. And so I’m really excited about that aspect of.

of AI and LLMs.

Raj Krishnamurthy (48:25.068)
Very interesting. So you fundamentally democratize threat modeling with what Harness is doing around secure S-bombs.

Andrew Spangler (48:33.629)
That’s absolutely the plan. Yeah, I think more and more we’ll see security and compliance become democratized and SBOMs are an awesome place to start.

Raj Krishnamurthy (48:43.79)
Now I want to call out one of the things that you earlier said, which is about the feedback loop back into the product. I think this is a fantastic case in point and an example of how a GRC team can go back, help the product teams to better position, right? That module that you talked about just became super interesting now, right? To everybody else who is trying to consume it. So absolutely. To a person who is entering, graduating from college, entering the field, security, GRC.

What would your advice be to them?

Andrew Spangler (49:17.575)
think that one of the core character traits of a successful security professional is curiosity. You talk to a lot of people who have been in this field for a really long time and they got started in technology and security because I like to take things apart and put them back together again. I want to understand how things work.

And I think adopting or continuing to nurture that inherent characteristic is super valuable as someone entering into the security field. We can’t apply security principles if we don’t have a good understanding of the systems that we’re working with, the people that we’re working with, the process that we’re working with. And so I would encourage curiosity.

I regularly find my perspective grows by talking to my colleagues, by watching webinars and reading blogs. I subscribe to a number of newsletters that are outside the security field, right? what do finance people care about? What do product managers care about? How are they thinking about the world? And that gives you a better perspective on

Where do we maybe need to pay more attention from a security perspective, but then also simultaneously can help us build some empathy and understanding of what other parts of the business do.

Raj Krishnamurthy (50:57.39)
Okay, we are approaching the end of the program and Drew and what podcasts, audio books, books that you read, any shout out to our listeners that can gain value from this, from your sort of reading.

Andrew Spangler (51:13.897)
Well, aside from a great podcast called GRC Decoded, there’s maybe four that I would recommend. One is Risky Business by Patrick Gray. They have been around for a long time. It’s a good technical overview of some of the hot button issues in security. I listened to Risky Business for the last 15 years or so. There’s another.

Raj Krishnamurthy (51:17.295)
Andrew Spangler (51:43.53)
by David Spark and Mike Johnson called the CISO series. I like the perspective of industry leaders on sort of these leadership and thematic topics in the industry. I also listened to a podcast called the Security Podcast of Silicon Valley. This is published by a couple of friends of mine and really focuses on the practitioner’s perspective on security.

And then I would also say, wherever we can look outside of our industry for inspiration or or guidance. So I listen to a podcast called Stay Tuned with Preet. This is hosted by a guy named Preet Bharara, who is the U.S. attorney for the Southern District of New York. What what I really appreciate about this podcast, in addition to Preet’s perspective, is his way of asking questions. And so I’ve.

Raj Krishnamurthy (52:31.16)
No.

Andrew Spangler (52:42.397)
I’ve tried to learn from him how I can ask questions to get people to think about things differently or to maybe elicit answers that might be a little more nuanced. So those are the podcasts I would recommend.

Raj Krishnamurthy (53:02.414)
Okay, thank you very much, Andrew. With that, we have reached the end of the show. Andrew, thanks a ton for being with us today. This was fantastic conversation.

Andrew Spangler (53:11.507)
Thank you, Raj, really enjoyed it and great to see you.

Raj Krishnamurthy (53:17.24)
we can stay online for Eric to come on.