Redefining CyberSecurity

Cloud Security for the Next Generation of Companies | A Conversation with Taylor Hersom and Ashish Rajan | Redefining CyberSecurity Podcast With Sean Martin

Episode Summary

Join Sean Martin as guests Ashish and Taylor discuss the latest trends and challenges in cloud security and the importance of collaboration and adaptation. Tune in to learn about the role of ChatGPT in the security community and how a security champions program can bridge knowledge gaps and build trust.

Episode Notes

Guests: Taylor Hersom, Founder at Eden Data [@edendatainc]

On LinkedIn | https://linkedin.com/taylorhersom

On Twitter | https://twitter.com/taylorhersom

Ashish Rajan, CISO, CyberSecurity Influencer, SANS [@SANSInstitute] Trainer for Cloud Security, and Host of the Cloud Security Podcast [@CloudSecPod]

On LinkedIn | https://www.linkedin.com/in/ashishrajan/

On Twitter | https://twitter.com/hashishrajan

On TikTok | https://www.tiktok.com/@hashishrajan

On YouTube | https://www.youtube.com/channel/UCRrWf6aQnFbdS7WRlv_o0Tw

____________________________

Host: Sean Martin, Co-Founder at ITSPmagazine [@ITSPmagazine] and Host of Redefining CyberSecurity Podcast [@RedefiningCyber]

On ITSPmagazine | https://www.itspmagazine.com/itspmagazine-podcast-radio-hosts/sean-martin
____________________________

This Episode’s Sponsors

Imperva | https://itspm.ag/imperva277117988

Edgescan | https://itspm.ag/itspegweb

___________________________

Episode Notes

Join Sean, Ashish, and Taylor, as they discuss the evolution of cloud computing, cloud security, and their experiences in the field. The conversation explores the different types of cloud services, the shift from on-premises to cloud infrastructure, and the growing need for professionals with specific cloud security knowledge.

The guests address the challenge of shadow IT, where people within an organization use cloud services without the knowledge of the IT team or leadership. They stress the importance of collaboration, focusing on a "security champions" program that bridges the gap between security professionals and developers. They emphasize building security from the beginning rather than patching holes later and highlight the importance of adapting to the ever-changing landscape of cloud security.

They also discuss the use of ChatGPT as a learning tool, its potential impact on the security community, and its potential benefits and risks, exploring the possibility of using ChatGPT for compliance and its impact on external auditors. While acknowledging the potential benefits of ChatGPT, they caution against overreliance on technology and stress the importance of maintaining critical thinking, problem-solving, and respect within the security community.

The podcast concludes with an emphasis on the importance of culture, collaboration, and trust in cybersecurity. The guests note the role of security champions programs in bridging knowledge gaps and highlight the need to customize security frameworks like NIST for specific IT environments. They touch on the softening stigma around cybersecurity and point out that people already practice security in their daily lives, encouraging them to apply the same mindset to their digital work.

Listen up and comment on this episode to share your thoughts with the community.

____________________________

Resources

Cloud Security Podcast: https://www.cloudsecuritypodcast.tv

____________________________

To see and hear more Redefining CyberSecurity content on ITSPmagazine, visit:
https://www.itspmagazine.com/redefining-cybersecurity-podcast

Watch the webcast version on-demand on YouTube: https://www.youtube.com/playlist?list=PLnYu0psdcllS9aVGdiakVss9u7xgYDKYq

Are you interested in sponsoring an ITSPmagazine Channel?
👉 https://www.itspmagazine.com/sponsor-the-itspmagazine-podcast-network

Episode Transcription

Please note that this transcript was created using AI technology and may contain inaccuracies or deviations from the original audio file. The transcript is provided for informational purposes only and should not be relied upon as a substitute for the original recording as errors may exist. At this time we provide it “as it is” and we hope it can be useful for our audience.

_________________________________________

SUMMARY KEYWORDS

security, cloud, people, aws, problem, secure, technology, gbt, gpt, taylor, gcp, feel, chat, gpd, build, podcast, applications, create, ashish, ciso

SPEAKERS

Taylor Hersom, Sean Martin, Ashish Rajan

 

Sean Martin 00:02

All right, here we are. Thanks, everybody for joining me for another episode of Redefining CyberSecurity here on ITSPmagazine. I think we're all coming from all over different parts of the world today to talk about the same topic. And that's, that's cloud security and where we are and kind of the future that I think it's gonna be super exciting conversation. Obviously, the cloud, people were afraid to use a cloud years ago, right. And now everything is the cloud, and the cloud as clouds and containers and all kinds of stuff in it, which I'm sure will touch on a lot of possibilities. But going into it, without some thoughts can put you in jeopardy. And the whole point of Redefining CyberSecurity, as my regular listeners know, is to help practitioners and their leaders. And to do what's, what's right, I'll say, or what's what's possible to grow the business with technology, but in a safe way. And with all kinds of technology and processes and frameworks and everything coming at you from all different angles, that can be difficult sometimes. So the show is about bringing people together who know more than I do about a topic and we're getting into cloud security today. I'm thrilled to have Ashish Rajan and Taylor Hersom. Thanks, guys for joining me. No problem. Excited, here we are. Here we are. So let's Yeah, I'm gonna I'm gonna whip out my first joke, which is, even even if we just look to your podcast, podcast, I feel I feel like a security leader. I feel like a CISO. Looking at all the things coming at me, and I have to build a cloud security program in 45 minutes. That's what I feel like this conference is quiches conversation is going to be like, just I was looking through your pocket, all those topics and all the people you've spoken with even just that be too much to cram into 45 minutes here and come out with something meaningful that I can turn into a product or program. That said, you have to start somewhere. And there are points within that. 
But before we get into any of that, I want to hear a bit about each of you. I love meeting new people and thrilled to have you both on. Ashish, tell us about you, your role. Tell us about your podcast, and then we'll move over to Taylor.

 

Ashish Rajan 02:35

Yeah, thanks for having me. First of all, really awesome that we could be here. It's fun to talk about cloud. So my name is Ashish. And I've been in cybersecurity space for a little over 15 years with the last seven or eight spent primarily in the cloud space. My last role was officer for a tech company. And I say last year, because as of last six months, I've moved into the whole cloud security podcast. Yes, it's literally called Cloud Security Podcast. In full time place, I'm a host over there. And we've been doing cloud security more often. And hence, Sean, to your point, there's so much in the cloud security as a subset that you can basically spend, I've been spending three years in it. So I guess it's there's a lot more to cover still. But I definitely want to call out the fact that it doesn't have to be that long. It just that we are all trying to understand cloud in our own way. And that's kind of where the time it takes to come from. But I mean, I definitely feel that what you said earlier about cloud being a scary place for a lot of people. It is still a scary place for a lot of people if they don't make the right call, but there are definitely there's definitely a light at the end of the tunnel. That's me.

 

Sean Martin 03:45

Done a lot of progress.

 

Taylor Hersom 03:47

I wish you would have let me go go first because I could have set the bar low she should try to follow hurdle this frog. Awesome background Ashish, obviously you know, I have a ton of respect for you. So Taylor Hersom, founder of a company called Eden Data, we've created essentially a security teams on subscription for cloud based organizations. So we work in security compliance and privacy taking over a lot of the leadership and governance of said programs for startups, scale ups, anybody based in the cloud, trying to build a security program for the first time or maintain one and it's been a been a cool journey. So sold my soul to Deloitte, was there for a number of years. I mean that in the nicest way possible if you're listening and you had employed me previously, but and I was a CISO as well and then transitioned into starting Eden Data.

 

Sean Martin 04:45

I love it then. I mean, yeah, one can one can look at a one of the big four whatever and say, What did what did you do there but you get you get so much experience so many different views of different programs and different culture. As in different technologies and drivers have different business outcomes, which all of that plays a role in how you actually deliver security, right? So there's no one size fits all security for all that stuff. So having that experience is huge. I want to it's not on the list of stuff we talked about, or haven't have on the list to talk about, but I feel it's important to maybe start here. And the idea of, what is the cloud? Is it a cloud service provider? Are you building your own stuff? Is it Office 365? Or GCS? GCP? Or is it Azure? Is it? Is it email? I mean, there's so many as it containers.

 

Ashish Rajan 05:49

What someone else is gonna do, maybe?

 

Sean Martin 05:52

Yeah, exactly. I think it's important maybe to kind of paint a picture for folks of all the all the elements that we're talking about here, because even private cloud on prem is still cloud, right? So I don't know who wants to maybe start painting, painting that picture. And then we're gonna get into some fun stuff like, ChatGPT and tell you do you wanna go first or happy for me to go?

 

Taylor Hersom 06:21

Take it away, you got a podcast called Clouds?

 

Ashish Rajan 06:25

Literally got a podcast called Start. Definitely give it a stop. First, I would probably say if you were to ask this question seven years ago, then the only cloud that existed, or maybe even actually, 10 years ago, the only cloud that existed was public cloud. And that was Amazon Web Services. Now you have offerings from Microsoft Azure, or Google Cloud. But a lot of people would know these terms only if they work in the enterprise space, or the product in like a tech space. But normal people also use and when I say normal people doesn't non technical people also use a lot of cloud around them. Like usually people would say if people use facebook.com, or linkedin.com, or I mean, we don't know website right now, they consider this to be cloud as well. But I think the easiest way to explain this is that majority times when people talk about cloud, they're primarily referring to say, I'm an entrepreneur, or I run a business, and I want to have service hosted somewhere. And usually back in the day, it used to be you would have to pay a service for a physical building to get access to machine and service. Nowadays, you just go to people like Amazon, Microsoft and Google to use one of their services. And now because we've matured so much in the last 10, 11, 12 years, that instead of just asking for servers, now you're basically saying, Hey, I don't want to care about the server, why don't you take a server or container, or whatever else you want to do it, I just want to build application that my customers love, I'm gonna put that somewhere and you take care of the rest. So now we have that kind of which people call platform as a service, as well as an offering for many people. So it depends on who you talk to. But primarily, those three buckets were, most of us are already using something like a software service with Facebook, LinkedIn, or any website that you log in and use for anything that you want to do. 
That's technically classified as cloud, but I would not put them in the cloud. These days, people are very clear in terms of cloud primarily being things like, hey, I want to build an application. I want infrastructure to be hosted somewhere. And the hosting provider in the simplest way possible, is either a public cloud or private cloud. But if you're going public cloud, which basically public with the me word mean, any one on the internet can access is not just you, private just means you to Sean, what do you call that? It's in my data center, I've got a copy of it. But it may or may not hook on to something on the internet as well. So that's my simple explanation that can go in a lot more detail. But that's kind of now how I explain that word to people.

 

Taylor Hersom 08:59

I like it. And I don't think I could add too much there, Sean, other than I look at cloud as if I can't physically walk over and put my hands on a server or I need to connect to a specific network in order to access something, then it's probably a cloud based service. Ashish did a great summary of kind of what today's day and age is: it's mostly people building applications in a data center that they don't own somewhere else in the world.

 

Sean Martin 09:24

And that's where I wanted to ask you Taylor is how much do you think is cloud being used to build stuff versus hosting or buying a service or paying paying for a service that somebody is built for you already. And of course, there's a wide range between my my office 365 mail that I just pay for every month for or Google whatever it is, versus I'm paying for some hosting and some databases and some containers and and whatever, how much is it that because we often hear the phrase or the idea that every company is a technology company, which leads me to believe everybody's building something for something. How true is it?

 

Taylor Hersom 10:13

I think I am a little biased because of the industry that I work in with startups. But I would say that, for the most part, everybody, and their mother is building applications these days, at least in the startup community. So now more than ever, if you, you've got startups that are building their SaaS platforms and putting it in something like AWS, or Azure, or GCP. And they're they're still responsible for their application layer, their database layer, their OS layer, and their network layer, and then putting physical and environmental on on the plates of their as a shared responsibility model for their cloud service providers. But then there's also people that are adopting, like Ashish said, the platform as a service, which is like, I only have to manage an application. That's all I'm in charge of, I just develop a great application, and a vendor takes care of everything else. For me, there's a huge boon of that type of business model happening. Now more than ever before, however, to the regular person, like Ashish had mentioned before, like non technical people. Most people are using applications that are third party. So everybody that is an employee, like, we use 10 times more applications than we develop for sure. 100 times 10 times isn't even enough. But we are all using a tremendous amount of third party SaaS applications just to get by in our work lives in our personal lives. Ashish gave a couple great examples like Facebook, that's a SaaS platform like there are, the whole world seems to run on SaaS these days.

 

Sean Martin 11:46

So as your conversations that you have on your podcast, it'll tell us a little bit about the podcast, who is it for? What are you trying to help them with? Or are you just are you trying to help them? Sure, so what do you what are you talking about there?

 

Ashish Rajan 12:06

Yeah, I mean, it's a good question. Because I think we've been talking about, funnily enough, actually, maybe I should rewind the clock a bit. So the reason I started this was the start of the pandemic. And Melbourne as a city was going to lock down, we were not allowed to go beyond three miles from our house. So while the it was started by people reaching out to others, and saying, Hey, hope you're okay, on talking about cloud cloud security with people. And it got to a point where we just start saying, Hey, we should probably record this and do a podcast instead of just me reaching out to people, because I'm just missing people meeting people in person. And initially, conversation was primarily with CISOs, who were trying to get into the whole cloud journey, what that's like, and what some of the challenges they will face. As we kind of matured, and as far as possibly the demand side growing, and people wanted me to do more episodes. We started more talking about cloud security, engineering, philosophy, architecture, basically, imagine, and this is what while calling out that, at the start of the pandemic, people didn't believe Cloud security was a field. They just thought Yeah, cloud security, cybersecurity, same thing, right? Why am I why do I have it as a separate thing, but now it feels like it means 40 years into it. People just feel that oh, yeah, cloud security, I was always there, it should have always been there. So now I would probably say we try and educate the current generation of cloud security people who are already in the field, they get to learn from like the CISO thing. Then they like to see CIO of Siemens or CSO of Warner Brothers Discovery, they're going to be coming in talking about things like, Hey, this is why we moving into Cloud, this is how we secure it. This is what these are, what the challenges are that we face on a day to day basis. We also cater for the because I come from a pentesting. 
Early Well, I want to say one of the pentesting background because I started working on it but didn't really think I had the I wasn't cut out for it. So I do have an offensive side of cloud security because a lot of vulnerability has been discovered in the cloud space by researchers. And then there is the whole leadership angle where it's more for tech leaders and engineers who are trying to build applications in clouds. So we can cater for everyone who's in the cloud security space. And I want to call our cloud security specifically because when I started just basically, me talking to CISOs, about what they're doing what cloud security, but these days, there are specific roles. There are clouds, cloud engineers, classically architects, platform engineers, there's so many more roles in this is basically like someone said this, a mile wide and an inch deep. That's pretty much how big cloud security has become as a topic and area that people are focusing on.

 

Sean Martin 14:43

Site Reliability and

 

Ashish Rajan 14:45

Yeah, yeah, like you can put everything in there. 

 

Sean Martin 14:49

Like that's not necessarily security. 

 

Ashish Rajan 14:52

But yeah, they're all coming into like even DevSecOps and becoming part of the sales as well like people like Amazon on the conference. A couple of months ago at Dreamforce. So in order to enforce re:Invent as well, they call out that you need a security champions program, which is a DevSecOps concept. Even Amazon is coming out and saying, and Azure is saying it's so it's becoming a thing of its own. And I think the prediction is, it might just take over the word cybersecurity when everything goes in the cloud. But hey, hopefully, I'm alive to see that.

 

Sean Martin 15:24

So one of the boys, so many places to go here, just from a, you talked about the journey of CISOs, doing a journey from from on premise is to some cloud in some fashion. Driven by trying to find some efficiencies or some cost savings, or that's the only way they can, they can transform some part of the business or actually create a new new business. Don't know if he either you have any thoughts on the necessity to train differently and learn differently. Just from a cloud looks different than on premises, right? Different systems configured differently, and and firewall in the cloud looks different than on premises and points in the note. So you might be able to listen in, I'm talking, going back to the journey might be able to lift and shift systems on prem to the cloud, but not necessarily your people in there. And understanding how the systems work when they when they land there. So how much of that is part of what you guys are involved with? To really help you get a handle on what what needs to be secured. And the better way to do that?

 

Ashish Rajan 16:47

Think data does a good job of the other side. So I'll let Taylor go forth.

 

Taylor Hersom 16:51

Yeah, I would say that security is just one of those weird industries where even the folks that have been in the industry for a while have had to reinvent themselves because it has changed and is essentially turned itself and into an entirely new industry. So you've got security professional Sean, you have a heck of a background, right. And Cloud wasn't always a thing. But now cloud is everywhere. And most company opportunities right now are at least in some form, or fashion, having security professionals interact with cloud applications, or cloud infrastructure. And so because of that, there is a tremendous need for people that have very specific cloud security knowledge. Man, every time I say that, it's just like giving Ashish a shout out on the podcast here. The it's just a great name, Ashish. So the thing that we're seeing the most is that folks are that are entering into the security industry right now are coming from programs that have been created years ago, and are even themselves a little bit outdated, comparatively to where the market is at right now simply because of how fast it's turning over. So today, in my world, we have a tremendous amount of need for folks that can very specifically go into AWS or Azure or GCP, and configure a secure cloud environment. The reality is, with all of these breaches, most of them are happening because of the same reasons, right? It's cloud misconfigurations, it's having inappropriate access somewhere. And its endpoints and slash human error, I combine those two. So because it's your your people doing silly things. And so people just now in today's society, and going into security, for the first time need to focus on those fundamental areas. And surprisingly, because back to Ashish's comment about cloud security, being a mile wide, like a lot of people are focusing on these very niche areas, these niche problem areas, and there's just not enough need there comparatively to the critical areas I mentioned.

 

Ashish Rajan 18:50

It's pretty awesome. I think I'll probably add a couple more things as well, because I think he touched on something really interesting in the face of misconfiguration. Others, it's not really a complicated zero day attack that people are facing in, in the cloud world. It's basically people like all three of us, it's just making sure the life the lights can be turned on and hopefully don't get electrocuted when they turn on the lights. Basically, that's kind of what we're trying to prevent over here. And the other challenge over here when I'm talking to a lot of enterprise, is the fact that in how shiny kinda mentioned people do lift and shift. The other part is also where some people in the organization and I've been a victim of this in the past where there's a credit card with a massive, I guess, credit line, for lack of a better word. It could be a bank, it could be a FinTech, or whatever company, maybe an individual, a director may have access to a lot of funds, they can just start their own. Because Security said, Hey, we should all go for one cloud provider. Let's just start, you know, muddy the water and have multiple cloud providers. But you know what? I've got my credit card. I don't like Ashish. I'm sure to go and sign up for GCP even though he says AWS is what the cloud should be for everyone and And that adds a layer of complexity as well. So imagine if all of three of us were Taylor the CISO. And all of us work with Taylor. Now, he's been going, Hey, AWS, this is kind of what we are we our skill set is AWS, Amazon Web Services, basically, that's what we should be focusing on, telling you yelling into the top of his virtual business. But somewhere down the line, someone just puts a credit card and goes, I just go GCP. Now, when they go into production starts making money, suddenly they call Taylor and hey, Taylor, by the way, you know how you said, don't use another cloud, I ended up actually using it, it just works out really well. 
Now, the business wants to keep this, and can you help me secure it? That's a very common conversation these days still. And then people channel and me who are probably team members of Taylor, we've only known AWS for our entire lives. Now, how do we train ourselves in GCP, or whatever other new cloud that comes in, like nowadays, even Oracle and IBM are coming up in conversation. So when does it stop? I don't know. Like earlier, I was just happy to have like one of those MCSE certificates, Microsoft certified software engineer or whatever the thought of it used to be, you get a job, and everyone's using Microsoft. But now it's like, oh, I need to know AWS, Microsoft, Google Cloud, Oracle, cloud, IBM Cloud. And on top of it Ayato SaaS services? Well, I definitely feel it's a lot more complicated these days than what it used to be. So as much as of a challenge it is for the team and the business to move from on premise to the cloud space. The team skill is, it's a whole different chat. And there's not much like we're running a cloud boot camp, a free cloud boot camp at the moment. And we started the whole cloud security bootcamp, just so many people have put hours into just thinking about how do I get into this cloud security field? Because there's no content? There's nothing which trains them for, hey, how do I do cloud security in AWS? No one knows. So hopefully, I can make a dent into it. The boot can be running, but it's definitely something that is a challenge. I'm glad they caught it. I was not shown. So people need to be aware that yeah, it's great to go into cloud. But please don't go into multiple cloud if you can help it. But unfortunately, many people have credit cards.

 

Sean Martin 22:08

And I want Taylor, I want I want to I'm thrilled and intrigued by your your role at Deloitte. Because I'm sure you've seen tons of stuff. And I don't know, I mean, the yes, the credit card, right. But it's it goes beyond that when when we were setting up an infrastructure on premises that go through procurement. And there was probably some risk assessment, third party risk assessment, perhaps. And you kind of fit it into an environment that didn't, that existed right? Now, HR can spin up a cloud marketing can spin up a cloud sales can spin up a cloud legal can spin up a cloud, they can buy stuff, they can build stuff. And maybe it's connected at some point, maybe not. And some of them may be multiple different providers, right? Different services, different datasets, multiple data sets. How, how did some of your clients been how did the companies that you were engaged with? How did? How did they get a handle on on some of that? Is there an overarching program? Or? Or did you insert yourself into the different departments? Or how do you suggest thinking we do that? 

 

Taylor Hersom 23:33

If you didn't, yeah, spoiler alert, the bigger companies don't have it figured out either. So that I think I'm, I think I'm far enough out of Deloitte. So they can't come after me for making that statement. But no, I, in all seriousness, like even the enterprises, I mean, even 35% of the Fortune 500, I can't remember if it's 35%, don't have a CISO or do have a CFO, but either way, that's awful of just the Fortune 500, you don't have a lot of ownership of security. And you there are some great tools out there that you can really get your arms wrapped around shadow IT, which is what you're talking about Sean, of having these unknowns in your environment that the IT team or the leadership team or the finance team don't know about because it's easier than ever to go sign up for a new service. There are some great tools out there. But the problem is, is that people are still we're still in the stage where at least in the SMB market, people aren't taking security seriously enough, it's like, it's like speed limits, right until they get pulled over. They're gonna keep driving over the speed limit. They're not going to honor it, they're not gonna put on their seatbelt till something dramatic happens like that is that's human nature. And we've been doing it forever. And so now you're starting to see in the US and beyond regulations coming out and hopefully, motivating people to invest a little bit more in security. But for the most part, even though there are great solutions to combat the perfect problem that you just outlined. People don't give a darn And right now for the most part, because security just still isn't prevalent enough, even in the biggest of organizations. And I know I just made like a huge blanket statement. But that is my two cents. And based on what I see from my day to day job, Ashish.

 

Ashish Rajan 25:20

I definitely feel security has to play a well, I'm gonna rephrase it in a certain way. And I think I don't know how many people would like it, security needs to be okay to let go of control. Like, that's kind of where we're going with you in the future, because we would never be enough in any organization to solve the problem. And I think Taylor kind of mentioned that accurately, there will always be people who would want to go over speed limit. And there will always be people who would want to bend the rules, just enough so that they can push application into life. So they can prove that their value in the company's worth it. So I'm a huge proponent of DevSecOps and the whole security champions program. And when I mentioned earlier, where AWS and Amazon kind of announced on stage, I kind of loved it. Because ultimately, I think the there's a stat around the number of developers that would existing 20 million or 30 million developers by 2022 was an insane. And let's just say the number of security people were not close to it at all. So like the problem may be way bigger than for us security people just to try and solve it by ourselves. There is definitely a future where if we work with them, and I definitely feel it's bad, it's worth it to spend some time for people who may be listening into this to just to change the culture or security in their organization. And from a perspective of, hey, us being the guide of hey, this is a risk, we should probably address it to Hey, we should work together because tomorrow Oracle Cloud is coming in. And I clearly would not have any clue how architecture works. But you're probably spending your day in day out on it. So how about we work together in solving this new thing that is there. And it's work? I would probably say there are quite a few examples. I think we have done it. But I know some people in industry who openly talk about the fact that security obviously need to evolve into this, like collaborative effort. 
Where if you want to win, otherwise, do what what Taylor mentioned, there is no CISOs. And in most companies, so no one knows what to do. Maybe there are developers who feel responsible for security, or whenever there's like a speeding ticket that kind of come in, Hey, we should not have done that, or whatever, maybe jeopardizes their existence, suddenly, people want to think about security. So my stand over there a lot more around the fact that, yeah, I think it's a lot more collaborative culture, that kind of leads to a win for security. And, yeah, just to add on to what Taylor said. But I think that's pretty much where I'm coming from where I see a lot of people initially starting off with, I would get the best tool in the in the company or best tool to solve my problem, you get a lot of traction, you get a lot of alerts. But then you find out actually, I can't solve any of these, I need to talk to a developer or I need to talk to an engineering person to solve these. So we're still going into them. And either way, it's like we can go either now or you can go much later with the choice is yours.

 

Sean Martin28:16

Well, let's go to what might be the topic that we don't move off of then. And I'll just frame it with technology. So on the show, I often end up at a point where I ask the guests the question about, well, if you don't do it a certain way in the beginning, you eliminate the security... reduce, eliminate or reduce the exposure, reduce the risk, and therefore you don't have to spend as much money securing things and plugging holes and fixing problems, because you didn't get it all secure, because you understand that security is not possible. So don't set up that server that way. Don't install that app that way, don't expose that port that way, don't leave an open container open that way, whatever it is. So to your point, security is not gonna be able to solve all those problems, especially as everything just blows out of the water scale-wise and more cloud comes and more and more and more. So security champions, I like that concept as well. It's still security. I believe there has to be a role of technology done in a certain way. And we can maybe look at Microsoft and some of the work they've done to kind of shore up the operating system, but again, not perfect. But this idea that technology could be developed and architected and deployed in a way that's more secure from the get-go, so you're not trying to insert security in the mix too far down the line, is important. So here's where it gets fun. ChatGPT. It is a technology, but I don't know where it fits in. Is it, to your... Ashish, is it to help with pentesting the cloud, on the cloud, can you use it? I know it can create code. So can we use it to white-box the code before it gets built? Can we help developers learn how to code better as they're coding with it? I'm just gonna throw that out there. What are your thoughts?

Ashish Rajan 30:38

Yeah, I think ChatGPT is an interesting one, for a couple of reasons. I did a video recently on the whole concept of whether it could be a great learning tool, because I was hearing a lot of people talk about, hey, I was spending hours trying to correct this partial script, I loaded it up to ChatGPT and found exactly what the problem was. Like, that was a very common phrase that I was hearing a lot of engineering folks talk about; developers were using it to debug the code, where they could not figure out where the line was. And at the same time, a lot of people were using it to learn. So the video that I made on our YouTube channel for Cloud Security Podcast was around the whole concept of, can I use ChatGPT to, say, prepare for an interview for cloud security? It gave me questions which I technically would have asked. So it worked from that perspective. The other one I used it for was I tried creating resources in AWS: I pretended to be a cloud security engineer at day one, I've no idea what I'm doing, hey, I've been told I need to create an infrastructure for this web application, how do I do this, can I do this automation, blah, blah. It gave me all the information. Now, the flip side, if you kind of go a bit deeper into how ChatGPT works, every time you upload information it is being uploaded to the server. And if you are someone who's basically doing what we have been doing for years on stackoverflow.com, which is just copy-pasting our actual code with a username and password into ChatGPT, that's what probably worries me for it. We don't even... like, oh yes, amazing, it's solving our problem. But how many people are de-identifying the data? Because clearly, for people who are on ChatGPT, it is the jam. So they basically have it uploading data.
And the funny thing is, my understanding is the way it works, the way it understands context, is that if you start a session, the first question that I asked all the way up to my most recent question, all of that is sent collectively as one. Like it's one box or one package back to ChatGPT. Every time I ask a question, it just adds on to the same packet, so therefore it knows the context of it. Now, these are great from an implementation perspective. GitHub has this concept called Copilot, which is again to help developers code better. And the problem with ChatGPT, or GitHub Copilot at least, and as cynical as it may sound, is it is learning off the data that they have. And who's gone through the data from GitHub or ChatGPT to know if it's actually secure code? And am I teaching my future developers the right way to code as well? Or am I just sharing with them the same problem that I had with Stack Overflow, where multiple people came up with a solution, one of them worked, and it just happened to be a non-secure solution, and ChatGPT said, hey, use this? Because if you look at the configuration, the misconfiguration that Taylor mentioned before, where an S3 bucket is over the internet, if you look at the code that is being created by ChatGPT for developing resources in AWS, that sometimes has a port open as well. And if the person doesn't know what that is, they just copy-paste that same thing onto AWS or Azure, and that'd be the end of it. I'm sure Taylor is using it some days as well, on your end?

Taylor Hersom 33:53

Absolutely. I think that for the most part, the whole fear mongering around ChatGPT is going to replace all our jobs, like, have we not learned from history, like 6000 times, that new technology creates new opportunities? And of course, there's going to be people that are impacted. But I think the biggest thing that will happen with ChatGPT, both in security and beyond, is it's going to cut through a lot of the BS that people have been putting out on the internet historically, like ChatGPT can do a lot of basic functions. So the thing that it cannot replace is creativity, can't replace that strategic element that goes into security for certain, like just like what Ashish was talking about, like, it's not going to be able to pick up on a lot of even basic things that require any sort of creativity. And so security, a lot of it is strategy and context and awareness. And none of those things have ever been executed well, even in all of the AI movies that come out, so I think we're okay for right now. But with ChatGPT specifically, it is cool to see, like, it's generating security policies, for example, it's developing or reviewing code. I've seen it do some great blog post ideas. It's just the goobers that take it and just post it on the internet. They don't use it for inspiration. They use it to write their blogs for them. That's the stuff that's really frustrating right now in the security community.

Ashish Rajan 35:24

Oh, I've got an interesting one for you, Taylor. Like, if you have a use for compliance, like, and how compliance activity, a lot of them at least nowadays, people are trying to give them a, sorry, Chandran one, jump on it, but not to just follow, maybe a good interesting conversation. But so because I'm seeing the engineering side, the security side and all the other sides as well, do you feel like compliance can also be, because literally, if you know FedRAMP, or you know ISO 27001, or SOC 2, they're all, like, my humble thinking is, just a checklist that people have to compare. Nowadays, people try and say, hey, I've got this CloudFormation template from AWS, is it compliant to SOC 2? Can we, I don't know. Has anyone done experiments around compliance and ChatGPT? If you can do security compliance?

Taylor Hersom 36:11

I haven't seen it yet. But it is absolutely something that I've been keeping my eye on. I think that compliance, a lot of it is so standardized that you could definitely figure out, in certain use cases, how to create automated controls from ChatGPT, for example. Or even, I see external auditors being potentially impacted, because a lot of the work that they have to do in checking evidence is pretty rudimentary. So...

Ashish Rajan 36:41

TBD account,

Sean Martin 36:42

Yeah, yeah, exactly. Exactly. So yeah, that's it. My co-founder Marco and I have another show called Audio Signals, where we just go wacky on stuff. And, I mean, we end up either utopian or dystopian. That's kind of the scope of the conversations. And often, when I look at automation and technology, I find that my brain leads me to a world of lowest common denominator. And in almost all those conversations, even though I feel I'm optimistic in the conversation, I still come up with this idea that we're going to end up with data that drives decisions that drives culture that drives society to a low, lowest common denominator. But now having interacted with ChatGPT, I feel that perhaps there's a way where, if one didn't know something, it's much easier to find out about that something. Or, to your point, Taylor, to be inspired. Maybe not the cheating; the cheating and cutting corners is the lowest common denominator story for me. But to be inspired, to learn something new, and take that and build upon it, to me actually raises the bar more to a higher watermark for everybody, perhaps. Of course, technology, it's how it's used, right? It can be used for good or nefarious reasons. But I don't know, any thoughts on the high watermark versus lowest common denominator?

Taylor Hersom 38:34

I definitely take the side of hope, and to think that there's a lot of really cool things that you can do with ChatGPT to optimize how you learn and how you grow as a professional. I do worry that we will go in the direction like we have with cell phones, where we're essentially walking cyborgs, where I can't remember my own birthday, let alone my immediate family members' half the time anymore, because you get so reliant on technology, and, oh, I can just go Google that, and now we're going into this era of I can just go hit ChatGPT with this. I hope that it doesn't make us increasingly more reliant and less, I guess, less of human beings. And I know that we're going like really esoteric now, so I don't want to go too far down the rabbit hole. But that is one worry I have with ChatGPT in general, but especially in the security community. I hope it doesn't incite laziness.

Ashish Rajan 39:28

I think I'd probably say I've got three words for this. And I've always felt that these three words have probably been passed on from every new technology that's come through, which is: trust, but verify. And I think ChatGPT is the same as well; you can trust it to at least do the right thing, millions of people are using it. And if you, I don't know if you believe the news, but OpenAI, the company that created ChatGPT, the founder is a doomsday prepper as well, and he believes AI is gonna take over, so that's the kind of person who created the AI in the first place. But the hope in this context, and I definitely believe people should not walk away from new technology with a cynical view that, hey, this would not help me; they should definitely try and go down the path of using anything and everything new that comes in, just because, just by the nature of it, whether you like it or not, your close family members, your best friend, people around the world start using it, and then you become the guy with the Nokia 6600, or whatever the phone used to be, whereas everyone else has an iPhone. And how long are you going to be on that Nokia 6600 or whatever that model used to be? There needs to be like a break, until you go, okay, you know what, I'm just gonna go for an iPhone now. So it's going to happen to all of us. We have stopped going on horse carts, or whatever, the carriages I guess. Now we all drive cars. So we have all evolved; it's just a matter of time. But I'm sure people were... Oh, actually, the hilarious thing was, I was reading somewhere, when the first car was invented, all the horse carriage folks' basis was also "it's polluting, with pollution everywhere, why would you go for it," but ignoring the fact that the horse is shedding everywhere. That's different. But it's evolution. But there will always be resistance.
That's kind of where I feel I keep going back to trust but verify, that, hey, if it goes really bad for humans, someone somewhere will definitely protest and someone would definitely change the way the rules of the industry work, like nowadays, how many cars you see have, I mean, an air pollution problem? Not that many. It takes time, doesn't happen instantly. But trust but verify is my motto for that. Very true.

Sean Martin 41:42

Well, let's talk about trust. I know we're coming up towards the end here. But one of the points you put in the notes, as we were preparing, was building respect. And I just look back on security over time, and we never really had all the answers, right? And sometimes you're thrown around in the MCSE; I had a CNE, I was all in on NetWare, baby. So there were things we did to, one, learn, and to demonstrate that we did learn something, and hopefully from that gained some credibility. But to me, the most important of all of that was the critical thinking, and the problem solving, and looking at something we hadn't seen before, understanding enough about how it works to understand how it might be misused or not work as intended, and find ways to reduce exposure and minimize the risk. So to bring it back to cloud security, we can keep ChatGPT in there if you want to. But how do we maintain that level of critical thinking and problem solving, in a way that we also maintain a level of respect? And especially if we move down the path of security champions, where we're now relying on others who don't have the same history and skills and learnings as broadly as perhaps some of the old codgers like me have in this space.

Ashish Rajan 43:23

I think one thing that is never going to change, and maybe I'll go back to what I said earlier, I think security would need to be comfortable to lose control of maybe not everything, because, to what you called out specifically, developers were never trained to know how to secure a network, how to develop a security architecture, how to develop the right way to code something in Java, or whatever the language that they were using, so they were never trained for it. And I would say, to a large extent, people still believe that that is not part of their role. Their role is to develop quality code so that you can build applications around it. So to bring respect into a conversation where you have to work primarily with others, to either solve problems that you've identified, or to do the right thing when they see a link from HR, typically solving other problems, you should applaud them for, like, making the right calls over there. I think it's, for me, it's culture. It definitely is culture, and not the culture that just the company is talking about; the culture that you create as a security team within an organization is what's going to give you the respect. That is where I'm a big fan of the security champions program, because that definitely humbles you as a person, in how much you don't know. I mean, at least for me, personally, the first time I experienced it, I thought I knew everything about cybersecurity. And the moment someone threw Java code at me, because there's an alert that came in, SQL injection, and like, I used to be a pen tester, but maybe not that much of a pen tester anymore, so can someone else help me explain what this is? So it definitely humbles you really quickly, to what you called out, how much you don't know. There's always a moment you will find that, oh my god, I have no idea, but I just need Sean to help me understand this, so collectively we can make the right call.
So for me, it's culture that would breed respect in an organization for security. And it's a mutual thing as well: if you give them respect, they give you back respect as well. So for me, a culture of transparency and collaborativeness is kind of where it is. It's not technology. For me, it's definitely not technology, it's more the softer parts of the day to day.

Taylor Hersom 45:35

I think we're at a cool time in history where people are using security for pretty much the first time to earn trust with their customers. And it's a really, really cool trend that I'm seeing a lot of. But now more than ever, as a startup, for example, it could be some guy and his dog selling to the likes of GE. And we have these amazing opportunities to create companies essentially from our basement, and go and sell to some of the biggest brands in the world. And because of that, there is this huge influx of security assessment questionnaires and security demands coming from customers. But at the end of the day, that's establishing trust between two parties. Yes, it's a legal contractual obligation as well. But brand is very much dependent on your ability to earn the trust of your customers. And I look at that synonymously with respect, as you mentioned, Sean. So I think that being able to paint that picture for your customers is still going to be a skill set that is extremely valuable. And we certainly have been working on our ways of how we can use security as a sales engine for our customers, and not just do the fear, uncertainty, doubt approach. I think there's a tremendous amount of opportunity to be creative and apply a lot of those human elements that I mentioned before towards security as it relates to sales. Combining security with business strategy, that's another huge thing. The NIST Cybersecurity Framework and Secure Controls Framework, and all of these, they weren't meant to be one size fits all. And that's yet how we've treated them since inception. So being able to be a human that can go and take those things, and really customize it for a specific IT environment and use it to grow the business, those are like the areas that I'm really seeing people earning respect on the security side, as professionals that deserve accolades, and then also between businesses and other businesses, or businesses and the consumers that they sell to, earning trust.

Sean Martin 47:35

Yeah, I love it. And as I hear both of you talking, I'm just thinking back over time; there's still a bit of it. But I mean, kind of to the earlier point, we didn't have the answers. So we were kind of going through things as we knew how to do, at least how to solve a problem. You figured that out; you didn't know the answers to the problems. But with that was a lot of unknown and uncertainty that we couldn't, as security professionals, communicate to our peers in the business, right? And then on top of that, we had this bit of an ego that we needed to also hold on to, where what we're doing is magic, right? Nobody else can do it, because only we know how this stuff works in that way. And I think over time that's kind of, to use the word soften like you put it, Ashish, I think that softened a bit. And we're seeing, even with the likes of the security champions programs, we're kind of laying bare what we know a bit more, right? And asking others to join us on this journey of securing things. And I think some of the stigma is leaving us a bit, and the trust is changing to be something different as well.

Ashish Rajan 48:55

I think it's funny, I'm gonna add something here, because a lot of people think, oh, I can't do security. I normally talk about the fact that when people walk out the doors, they make sure the doors are locked. That's physical security as well. Like, a lot of us do security without calling it security. And it's just that some of us have the title for security, but everyone's doing it. It's just pointing out, hey, you already are doing it. I'm just asking you to do the same thing that you do for your house to the code you create on the company laptop. That's pretty much it. I'm not asking anything more. If you do it... no, I'm not asking you to check your doors, you do it yourself. No one gave you any security awareness training for it; you just watched a lot of videos or whatever. Maybe you just don't want to be in a situation where you're compromised. So I'm just asking the same thing. Yeah, 100%. I just wanted to add that in because a lot of people may look at that and go, are these three security people talking about security being important? But the reality is everyone's already doing it. We just don't call it security.

Sean Martin 49:50

Excellent point. That's one of the reasons Marco and I joined forces, to break out of security talking to security. We still have to, because we're always learning. But we also try to talk to others as well, and hopefully talk to others listening to the show. And with that said, I want to thank everybody for listening, or watching if you happen to catch the video version of this. Ashish, Taylor, it's been incredible. Yeah, I feel we could keep going. Maybe, if you like, come back and talk about something else. Maybe we didn't get into containers too much; platform engineering, we could talk about site reliability, and pick your favorite topic. But if you guys have any resources you want to share that you think would help folks keep learning after they enjoy this episode, definitely share those with us. And by all means, connect with Taylor and Ashish, and listen to the Cloud Security Podcast.

Ashish Rajan 50:57

Thank you. Thanks so much for having us.

Taylor Hersom 50:59

Thank you so much for the opportunity, Sean, and thank you to the listeners for taking the time.

Sean Martin 51:06

Absolutely, and stay tuned for more on Redefining CyberSecurity here on ITSPmagazine.