Cloud Security Today

Cloud Native Security: A Year in Review

April 21, 2023 Matthew Chiodi Season 3 Episode 4
Cloud Security Today
Cloud Native Security: A Year in Review
Show Notes Transcript

On this episode, the Chief Security Officer of Cloud at Palo Alto Networks, Bob West, joins Matt to discuss Palo Alto Network's latest State of Cloud Native Security Report. Bob joined Palo Alto Networks after more than 20 years in leadership roles with banks, product companies, and professional services organizations. Before joining Palo Alto Networks, Bob served as managing partner at West Strategy Group, managing director in Deloitte’s cyber risk services practice, managing director for CISO for York Risk Services, Chief Trust Officer at CipherCloud, CEO at Echelon One, Chief Information Security Officer (CISO) at Fifth Third Bank, and Information Security Officer at Bank One.

Today, Bob talks about the latest installment of the State of Cloud Native Security Report, the severe shortcomings in Cloud Security, and the elevated cost of Cloud Security. Why is it essential to think about security upfront? Hear about the daily mindset shift required to deploy quality code, minimizing complexity to maximize efficiency, and the significant delay in threat management.

Timestamp Segments

·       [01:46] Bob’s career-changing experiences.

·       [04:17] Bob’s advice.

·       [11:10] The 10,000-ft view.

·       [16:23] The elevated costs of Cloud security.

·       [22:36] Increased deployment frequency.

·       [24:54] How do security teams keep up?

·       [30:44] Security tooling in the Cloud.

·       [35:46] Holistic Cloud security.

·       [41:18] There will always be issues.


Notable Quotes

·       “Be nice to your vendors.” - Bob

·       “You never know who’s going to be able to help you out at any point.” - Bob

·       “You’ve got to build bridges before you need them.” - Matt

·       “Common sense isn’t necessarily common practice.” - Bob

Relevant Links


LinkedIn:  Bob West


Out of the Crisis

Secure applications from code to cloud.
Prisma Cloud, the most complete cloud-native application protection platform (CNAPP).

Disclaimer: This post contains affiliate links. If you make a purchase, I may receive a commission at no extra cost to you.

Intro: This is the Cloud Security Today podcast, where leaders learn how to get Cloud security done. And now, your host, Matt Chiodi.

[00:14] Matt Chiodi: What is The State of Cloud Native Security? Well, if you've wondered about that, or you're just curious what's been going on with Cloud over the last year, then today's podcast is for you. So, on today's podcast, I have Bob West. He is the chief security officer of Cloud at Palo Alto Networks. Yes, that is the role that I had previously. So, Bob took over the role after I left, so this was especially sweet for me to be able to chat with him. We're going to go through Palo Alto Networks’ latest State of Cloud Native Security. So, I think you'll enjoy this podcast because, for me, I was curious what's changed over the last year. One of the things I remember talking about when I was at Palo Alto Networks was, we would do the threat research every six months, but we would also do, on a yearly basis, more of a survey-based approach around the State of Cloud Native, and that's what we're going to cover on today's program. As usual, I dig into Bob's background, because he has been in the world of cybersecurity for over 30 years, I dig a little bit into his background, how he started off in financial services, and then we talked about his time with advising startups. So, you'll hear me mention this in the interview. Bob is prolific when it comes to his advising work. He's advised over 10 different startups. So, if you find that interesting, I think you will enjoy both that as well as how the usage of Cloud, and how The State of Cloud Native Security, has changed so much over the last year. Enjoy the podcast.

Bob, thanks for joining us today.


[01:45] Bob West: Thanks for having me.


[01:46] Matt: Awesome. So, Bob, you've had an impressive career in cybersecurity spanning over 30 years. I'm just curious, that's a big question, so hopefully, you've had a minute or two to think about it, but looking back, was there one experience that maybe radically changed the trajectory of your career that maybe you'd want to share with the audience?


[02:07] Bob: Yeah, I'll give you a couple. So, first of all, I took the logical path from being a German major in undergrad to technology, and then, security. Okay, maybe it's not quite that logical.


[02:19] Matt: We might have to talk about that.


[02:21] Bob: But, in all seriousness, my liberal arts background has actually helped me quite a bit in terms of being able to communicate better than average, which becomes really important when you're speaking to a leadership team or board of directors. There's a lot of people in technology and security that are brilliant but get hung up in their technology and security vocabulary, where I claim to be a better communicator than average. I would say, one of the pivot points for me in my career, I joined Bank One, one of JPMorgan Chase’s predecessor banks, in ’97, and my boss that hired me ended up being my mentor, and his boss was my sponsor, and we laid out a three-year development plan for me, not only to be able to benefit from the bank's leadership program, but also look at the basics. So, for example, we were big believers of the Seven Habits of Highly Effective People by Stephen Covey. It was something that was just part of the leadership's culture. So, there were a number of things like that, that I had the opportunity to accelerate my growth. I think very few people have that opportunity.


[03:49] Matt: Absolutely. It's funny, you mentioned Seven Habits. I remember when I was first starting out from university, I was at Johnson & Johnson, also big proponents of Seven Habits. You could sign up and go to the course, and 20+ years later, I still have the coursework here. About six months ago, I started going through it again. So, it's funny to see how your responses change when you're 23 years older than the first time you did it.


[04:12] Bob: Absolutely. Begin with the end in mind.


[04:17] Matt: Absolutely. So, let's just dig a little bit more into your background, because I just find it really interesting. You transitioned from financial services to startup advisory work, and I looked at your LinkedIn profile. It looks like you've done at least 10 of these, and that's, I'm guessing, probably not capturing everything as well. So, you did this transition in financial services, to startup advisory work, and also consulting. What was maybe the biggest surprise, and how would you maybe counsel someone who is maybe considering a similar move or just thinking about, “how can I get from where I am today to being able to do that in the future?”


[04:55] Bob: Yeah, for sure. So, let me start by the background about how all this came about. So, I met Alberto Yepez, who's now one of the co-founders of Forgepoint Capital, and I met him when he was CEO at Thor Technologies. I was CISO at Fifth Third Bank at the time, and we were an early identity implemented specifically in Federation, so we were upgrading our identity suite, and in some cases, there were no identity products that the bank was using. It wasn't using web Single Sign On or had problematic provisioning, and Alberto's company, Thor Technologies was best in class provisioning solution. So, we got to know each other, he introduced me to his investors, and when I left Fifth Third Bank, reconnected with his investors. Peter Meekin was his predecessor. Peter was a brilliant guy. He was lead investor for Thor Technologies and he volunteered me to be on my first advisory board. I would say, in terms of general advice, a couple of things. Be nice to your vendors.


[06:20] Matt: That's a good one.


[06:21] Bob: I can think of a number of people that are less than diplomatic with the vendor community. That's advice in general, that holds true. It doesn't matter who you're dealing with, as you never know who's going to be able to help you out at any point. So, I'd think that's number one. Just looking back, in terms of my habits, I was always curious about emerging technologies. I remember, going back to 1990 or so, back in my technology days where I was looking at what was next, from email systems and operating systems, keeping an ear to the ground in terms of the emerging threats and changes in technology, and then I think the final piece would be to get to know the venture funds, and that's where a lot of my advisory boards have come out of. In addition to Alberta, I've had the opportunity to work closely with Matt Howard, who runs Norwest Ventures to McAdam, at Technology Crossover Ventures, to Shin Chan at Greylock, etc., and not only can they facilitate advisory boards, but they're good people, in general, and they also have a really good sense of what companies tend best in. If you put in the combination of all those things, I think that leads to the smooth path to getting on advisory boards, if that's one of your goals.


[07:58] Matt: I love that. I love that. All those things, I think, are spot on, but I love your first one, being nice to the vendor community. I think we've all experienced either being on both sides, right? I remember being a consumer, and it's funny you say that, because I won't get into specifics of who, but there was a vendor that was a startup at the time, which today is a behemoth, who I had a great relationship with the CEO, I still talk to him almost 10 years later, and that was really transformational for me because, at the time when I first met them, I wasn't in a role that I could really help them. But, yeah, 7, 10 years later, I always tell people, you’ve got to build bridges before you need them.


[08:37] Bob: Yeah. Oh, for sure. For sure. And in fact, I remember I met Barmak Meftah when he was incubating Fortify Software, with Ted Schlein at Kleiner Perkins. Ted's running Kleiner now, but I was CISO at Fifth Third Bank at the time and he reached out to me, and I think the reason that I took a meeting with him is because he said, “I'm not selling you anything.” Okay. Great. Pretty interesting. And he kept his word because he didn't have a product. He was trying to get a sense of how big the application security issue was in enterprises, what our maturity was, all those good things, and Barmak and I, we've stayed in touch, well, gosh, since 2004. So, yeah, yeah. Did I say be kind to the vendors?


[09:28] Matt: You did. That's a good point. I always remind people of that. I see a lot of snarky comments on LinkedIn about vendors, and obviously, a lot of them are accurate, alright. Even though I'm on the vendor side right now, I also receive quite a bit of SDRs trying to come after me to buy services, and I see a lot of just what I consider poor marketing, not being professional. But I think those kinds of antics aside, people are people, and people move throughout the course of their career. Just see if you can help someone and they're not trying to waste your time. Just help people.


[10:08] Bob: Yeah, and I'm always pretty direct with people that reach out like that I have a need or I don't. But I always try and be polite because it's the right thing to do, and you just never know where people are going to end up. I mean, I could be talking to an entry level salesperson who ends up on an executive team at some point, right? I mean, you never know.


[10:36] Matt: Absolutely, absolutely. Well, one of the things you said was, is that when you were making that transition, is you always like to keep your ear to the ground in terms of emerging technology, threats, and risks, and certainly at Palo Alto Networks, in your role as Chief Security Officer of Cloud, you're still doing that, working with the different teams there. Palo is absolutely known for its world class research, and I think it was earlier this year, in 2023, you guys released the latest installment of The State of Cloud Native Security. I'm curious, Bob, again, you've been at this game for a while. Give us the 10,000-foot view. What was the biggest takeaway for you, personally?


[11:19] Bob: Yeah, there's a couple of things. One of them is that because the journey of the Cloud has accelerated, whether it's the pandemic keeping budgets in check, or otherwise, we're starting to see that people are adopting build quality, if you will, from square one, translate, build security, and we've got the buzzword bingo term shift left, and it's common sense, going back to Covey, common sense isn't necessarily common practice, but I think one of the things that people need to understand is that developers, in general, were never taught how to code securely, so what happens is, if you as an organization don't take the time to educate them, and they start coding for you, whether it's line by line, or putting modules together, ultimately, they have a significant series of security issues in their code, and now, as we move to the Cloud, going beyond code, it's workloads and containers, all the infrastructure that you have to manage. So, I think the good news is that there's a trend of building security in and integrating security testing tightly into the DevOps world. We're also still seeing that there's a shortage of people that understand Cloud security, and that's a subset of the broader issue of there aren’t enough security people to go around. I remember the statistic I saw recently is there's about three and a half million jobs that can't be filled around the world because there aren't enough security people. So, that problem still exists, and you marry that with the fact that the number of threats are increasing, the aggressiveness of threats are increasing. It’s something that needs to be addressed.


[13:30] Matt: I love it. So, I looked through the report, I pulled a couple of specific findings out that I want to get your thoughts on. So, here's one that I thought was interesting. It said “53% of Cloud workloads are hosted on public Clouds, an increase of 8% in the past year.” Okay, that one's fine. Now, this is what I found interesting. “Platform as a Service, PAS, and serverless were the dominant application execution environments.” I found this interesting because containers have been so hot the last few years. Are you seeing a trend away from containers to serverless? Or are you including containers in PAS? Help me to break that apart a little bit.


[14:12] Bob: Yeah, we're including containers and PAS. When you think of going to AWS or Google Cloud or Azure, one of the first things that enterprises do is they'll move their testing environments into the Cloud, dipping their toe in the water, if you will, and more likely than not, one of the first things they're doing is they're spinning containers upright. So, it's part and parcel. Containers, in fact, are part of PAS in our study.


[14:47] Matt: That's good. It's good, because when I was looking at this research, probably a year, maybe even more than a year ago, the majority of workloads, it was very distributed, still, between traditional VMs, containers, and there was a little bit of serverless. But I assume you guys are seeing a pickup in serverless now, because obviously to go serverless, you can't just pick up an app, you can't do lift and shift with serverless. You've got to completely redesign.


[15:13] Bob: Well, you can, it's just not a very pleasant experience. One of the things I find interesting is said, so go back to around February of 2020, when the pandemic was on the uptick, we did a study last year, and at the beginning of 2020, about 30% of enterprises had more than half of their workloads in the Cloud. In the middle of last year, about 70% had more than half of their workloads in the Cloud. So, there's definitely an acceleration in terms of Cloud adoption, and the big thing that you want to get right, going back to something that you just mentioned, is you can lift and shift and sometimes it makes sense. I know we have a couple of customers whose data centers are being shut down and they have a hard deadline, but that is not the ideal way to move to the Cloud. Re-architecting applications is step number one, and if you don't do that, the benefits of moving to the Cloud really are not achieved.


[16:23] Matt: That may actually fit really well with the with the next finding that I wanted to pull out, and that was this one that a greater number of C-Suite respondents calculate TCO, or total cost of ownership, as higher than expected, that 70 plus percent, versus practitioner level respondents, at 63%, and it says, related to this, almost 60% of C-Suite respondents reported higher than expected security costs, as compared to less than 50% of practitioners. So, following up on what you said, maybe there's a little bit of disconnect here between the two, but the C-Suite sees costs for Cloud being higher than frontline workers, which tells me perhaps practitioners need to do a better job setting expectations when it comes to what results Cloud will provide, and what maybe they'll need, either tool wise or timewise, to maintain and elevate their security game. So, a lot packed in there, but did you find this disconnect significant? And what are maybe some of the impacts?


[17:25] Bob: Well, it is significant. There are a number of dynamics in play here. One of them is there's a number of security organizations and enterprises that, at least historically, were viewed as the Business Prevention Unit. They're the guys and gals that say no. So, put your business hat on, you're going to go to the security people, and more likely than not, they're going to say, no. Do you really want to deal with them? Probably not. So, you will get security involved at the end of an implementation, if at all, if that's the mindset. So, I think that's one of the dynamics in terms of why organizations perceived that it's more expensive, because they generally don't do the upfront calculation of security in traditional environments. I think the other major dynamic that's in play is the major Cloud service providers know everyone's moving to the Cloud and there's a limited number of them. I mean, you pick the big three or four. They can effectively set their prices, maybe not at will, but there just aren't a lot of competitors that are out there, so a consequence is costs have gone up. So, when you marry it with not calculating in security upfront, and the fact that there's a limited number of vendors, that doesn't surprise me that security and the cost of managing infrastructure in the Cloud have gone up.


[19:04] Matt: I think that getting back to what you were saying earlier, I have worked with a number of organizations over my career, last decade or so, that have gone through this process and most of the time, maybe not quite as much anymore, because Cloud has just become a default playbook for most, if not, I won't say all, but most organizations at this point in time, that move to Cloud was almost always led by the CIO and sometimes before it was even led by the CIO, it was led by individual business units, and you've had this, I think we're in the third wave of Cloud now. As part of that, I think that there is still that disconnect that happens when like, “Hey, we're going to go to the Cloud and we're going to save money,” but unless you do the work up front, which is looking at how do I actually take advantage of things that are truly Cloud native, like you said, serverless containers, refactoring my application, you're not typically going to see those cost savings that were talked about so much, maybe not so much today, but that maybe two, three years ago was talked about.


[20:07] Bob: Yeah. So, I like to use quality as an analogy. So, think of, in manufacturing, when a car rolls off the assembly line, you don't say let's add quality now, [inaudible] the manufacturing process, and if you don't have the right level of quality, you start having defects, and if they're severe enough, you have recalls, which are expensive. But the big costs to a manufacturing company is damage to brand and reputation. So, I see security breaches as being analogous to recalls where they're expensive, taken a lot of effort to address, but when you have one, the big damage is to brand and reputation, and you have to make a concerted effort as a manufacturer to say, “quality is important to me.” So, you've got to build the systems in upfront. But ultimately, it becomes something that you can use as a competitive advantage. Think of customer satisfaction. So, I'm on my fifth Honda Accord right now, and my 2003 accord, I had about 330,000 miles on it. I could have driven it another couple 100,000 Miles, easily. But I wanted a new car because I'm a spoiled brat but think of the loyalty that I have to Honda because of quality being important to them. So, think of it in the business world and security. If I'm buying a product, and I'm comparing two companies, one of them takes it seriously, the other one doesn't. All things being equal, the decision is pretty easy.


[21:49] Matt: It's funny that you mentioned Honda Accords. I have an ’04 Accord that I love, I keep driving it, I don't have as many miles on it as you do. I don't even think I've broken 200,000 yet. But I love the car because it's bulletproof. It just always runs. You change tires and brakes, and you're pretty much good to go, and like you said, the affinity that that has generated for me is, eventually I'm going to get a new car just because, like you said, I want a new car, but there's nothing wrong with it, and from a security perspective, I think there's some very good parallels that go with that as well, which ties in really well, actually, to the next findings. Amazing how these are all fitting together very well. This has to do with deployment frequency. So, that's one of the things that you looked at, and I think the conversation around quality fits in here. So, you found that two thirds of all enterprises say that deployment frequency has increased or significantly increased over the past year, and that 38% of enterprises deploy code to production, or release to end users every day. I don't know if you have any historical numbers on this. I don’t know if the question was asked last year, but I assume that this is a massive jump in terms of deployment frequency.


[23:04] Bob: It is a big jump, especially when you compare it to traditional waterfall approaches. Let me make a couple of observations. I think one of the things is that developers in general are incented to crank code out, and it doesn't matter whether they're writing line by line, which happens infrequently now, or they're putting together modules of code. They're incented to crank out code, as opposed to cranking out quality code, and it requires a shift in mindset, and especially as you're releasing software on a daily basis, in a lot of cases, it becomes that much more important to pay attention to security because as I was saying earlier, if developers don't understand good security hygiene, and they're cranking out an incredible amount of volume, what do you think is going to happen?


[24:04] Matt: Yeah, a lot of defects.


[24:05] Bob: Yeah, exactly.


[24:06] Ad.


[24:54] Matt: So, 38% deploy at least once a day and 17% deploy multiple times a day. That's a significant percentage at high velocity and that's awesome from a time to market perspective, being able to get those features and functionality out. Like you said, in the waterfall world, this wasn't really possible. But when you think about it being good, you know, from the speed to market perspective, the question I have is how do security teams keep up with that pace? You can't do a manual security review when someone's pushing one or more times per day. We're not talking about the old case where it used to be companies like SAP used to do their annual update. This is at least once a day. So, how do security teams keep up with that pace?


[25:41] Bob: Well, the answer is, it's hard. But the most important thing is teaching people how to fish. So, you have to teach the developers what good security hygiene is, number one. The next thing is integrate as tightly as you can into the development environment. So, that's one of the things that we do and traditionally, if you look at traditional application security testing tools, developers would have one screen with pick your favorite testing tool, and another one where they're doing their development. Number one, it's not efficient, and secondly, developers hate that, so integrating security into the same screen. As an example, I'm a developer. I'm putting some modules of code together. The ideal scenario is that you have a message come up and say, “hey, you've got a security issue here. Do you want to address it?” and having the ability to do that in real-time. In conjunction with teaching developers good security hygiene is the way you scale. We did a study last year, and I think the ratio was 10 developers for one security person. So, if you think of how is security going to keep up with the developers? You can't, and nor should it be security's job to test all the code that goes out. Does it make sense to do spot checking? Absolutely. But doing testing on a one-to-one ratio just doesn't make sense and it just doesn't scale for security organizations.


[27:28] Matt: This has got to be at this pace. You talked about how this was analogous to manufacturing and I think there are a lot of parallels. I've talked in the past about Deming’s work on total quality management. Now obviously, he never intended it to be applied to software development, but it's completely applicable. So, I point a lot of people towards Deming’s work on total quality management, because I think, I might butcher this, but one of his things was that quality isn't something that you do at certain points. You just embed it into the overall process, and I think if I hear what you're saying correctly, that's exactly what you're saying. It's got to be something where the problems are being created is where you need to really embed. So, obviously, there's developer education, which is part of that, but there's also then being able to do those real-time checks while the developer’s actively writing their code. 


[28:25] Bob: Yeah. So, I think this is a reflection of how enlightened I am. You can take issue with that, but when I was working on my master's, total quality management was one of my favorite classes. In fact, I was consulting with DNY at the time, and I was able to apply a lot of the lessons from there into our security customers. To your point, what Deming came up with in the late 50s, I think it was, is absolutely applicable to us in the security industry.


[29:00] Matt: I love it. So, I'll put this in the show notes, but the book itself I've read a couple times is Deming’s book. W. Edwards Deming, for those of you who aren't familiar, the book is called Out of the Crisis, and it is a really good book, maybe don't even read the whole thing, but there's some, I forget how many points he has. I don’t know if you remember, Bob, but there's five or 10 points that he goes through in the book, and it is amazing, the parallels, that you would think that he wrote it for CI/CD and all that, but it fits really well. So, I'll put the link to that in the show notes. But definitely check that out. It's a great book.


[29:35] Bob: Yeah, for sure. One of the interesting things I remember is that Deming approached American automobile companies first in the 50s, and they said, “don’t bother us.” The Japanese just absolutely ate it up. A change in mind and a change in culture takes time. So, if you think of Nissan came to the Americas around 1960, and Honda sold its first car in the United States around ‘74/75. The original Nissans were not great quality and American car companies laughed at the Japanese ones, and who would think that the companies that are really high quality, going back to the reason why I have a Honda Accord, is because they took it so seriously.


[30:40] Matt: Absolutely. It's all part of that quality equation. Now, one of the things I want to point out from the research that I found interesting was when you talk about quality, we talked about educating your developers, we're talking about being as close as possible to where the source of the problems may typically be created, and one of those things is security tools, and one of the findings that I pulled out was that 76% of respondents say the number of Cloud security tools they use create blind spots. It goes on to say, on average, organizations rely on 30+ tools for overall security, and then getting specific to Cloud, six to 10 tools dedicated to Cloud security. So, 10 tools just for Cloud security means that teams are looking at 10 different dashboards, 10 different reports, 10 different signal sources. Why so many tools? And how can security leaders get this to a manageable state so their teams are actually effective?


[31:47] Bob: Yeah. I think there's a lot of organizations that historically have bought best of breed tools, and historically, that's made sense. But it does create complexity for sure, and now you start taking a look at Cloud environments. So, the Cloud service providers and SaaS providers in general, have pretty good security tools. The problem is, if you go down that path, and you use native tools, you end up with what you're describing. You have this large number of tools, which makes managing the overall environment problematic because, going back to your point, if you have 10 dashboards, and you're looking at everything, not only does it take more time, but the probability of things slipping through the cracks goes way up. So, back in my CISO days, we managed a buy-hold-sell list of security tools. We would look at, what are the tools that make sense for us right now? What are the tools that we've been using that no longer makes sense? And then what's coming down the pike? And what do we need to prepare for? So, if you manage the security tool portfolio, that's going to help simplify things. The other thing is, if you're using a platform approach, where you have more than one set of tools on one platform that you can use as broadly as possible, that's the ideal scenario because then you reduce complexity, you have one place where you set policy, and in theory, you should be able to see what's unusual and then address it as it comes up.


[33:37] Matt: I want to go back to the analogy because I just think it's so apt, when we talk about manufacturing, and specifically auto manufacturing, and again, this will go back to Deming. I think all things do at the end of the day.


[33:50] Bob: Demings and Covey.


[33:52] Matt: Demings and Covey, exactly. One of the things that I remember on this was that when he went to the Japanese automakers, one of the things he said was you have to reduce the number of inputs, you have to simplify, and if you looked at, for example, the parts that were common between Nissan, Honda, etc., versus Ford GM, Ford GM had, I'm not using specific numbers, but literally 1000s of different parts that were going in, where the commonalities in the Japanese cars were so much lower, and that allowed them to have a lot better quality because they were controlling the inputs. I think that's a useful analogy when we think about security tooling in the Cloud, would you agree?


[34:37] Bob: Absolutely. Even just think of the time that it takes the more tools that you have, just from a contractual perspective, the number of contracts that you have to keep up with. I mean, it's not just the fact that you're using a large set of tools, which, oh, by the way, takes more time, takes more people, and that is inefficient. So, there's a lot of benefit for making a concerted efforts to minimize the complexity in the security ecosystem. I also go back to architecture, where, think in the physical world, when you build a structure, one of the first things you do is you engage an architect, and if you skip that step, and you go and build the structure, the chances of that having the right level of integrity go way down, and in technology, technology, in general is much more complex,  so paying attention to technology and security architecture, especially in light of the digital transformation that we're going through, becomes critical.


[35:46] Matt: One of the other findings, and I think this is interesting how this fits with what we were just talking about, but 90% of respondents say their organization cannot detect, contain, and resolve threats within an hour. So, I'm curious, where does this fit in with other findings such as IBM? So, what they found was, they found that the average breach lifecycle takes 287 days, with organizations taking 212 days to initially detect a breach, and 75 days to contain it. So, where does this finding, specifically with Cloud, where does it fit in with these broader industry findings around that?


[36:24] Bob: So, an hour is a long time. You think of think of an adversary, whether it's a nation state, ransomware gangs, whoever the adversary is, think of what you can do in an hour. You get in the door, you could do lateral movement, you can try and understand what accounts are not protected properly, can I escalate privileges, and then do whatever my mission is, fulfill the mission. So, if you can't understand that there's an issue for an hour, that's a problem, and to your point, there, there are a lot of organizations that will go weeks or months without being able to detect something. So, it's a massive issue, and there's a number of reasons for it. Part of it is complexity. Part of it is not having enough people. I go back to Target's breach in 2013, where they had some really good tools, but no one was monitoring the intrusion detection systems. So, it wasn't until after the fact that they were able to understand the magnitude of the issue they had, and for those of you not familiar, the bad actors stole about 100 million credit and debit cards after planting point of sale malware on the point-of-sale systems within Target’s infrastructure. So, we've got a challenge, but it's stepping back, and I think that's one of the things that most organizations, most security organizations, either don't do or don't have the time to do, is sometimes you have to take a breath and step back and see what's the state of affairs? And what am I doing well? What am I not doing well? And if you take the time, periodically, to see where you are, it makes it that much easier to protect information on a go forward basis.


[38:29] Matt: So, how does how does a security leader do that? I mean, you've worked with hundreds of customers, helping them to secure their Cloud environments. How do they step back? Maybe boil it down to a top three, top five, how should a leader or how could a leader go about stepping back to really address Cloud security, holistically?


[38:49] Bob: So, the first thing is having proper governance in place. One of the things that is important is to really understand, where's the business going? So, you think of, the pandemic happens in February, March of 2020. The conversation that was happening between CEOs and CFOs was, “we don't know how long this is going to last. How much cash do we have on hand? What are our fixed expenses?” And based on asking those questions, organizations transitioned to the Cloud much more quickly. Going back to the perceived cost savings, and if you do it right, that absolutely holds true. So, as a security organization, you have to pay attention to those dynamics. Think of the conflict in Ukraine right now. If you go beyond just doing business in Eastern Europe, there are related attacks coming from Russia towards the west, and it's not because we're directly involved in the conflict. It's because we're guilty by association. We're supplying Ukraine with weapons and intelligence and everything else. So, understanding the business climate, understanding where the business is going, and once you understand that, then you can start making decisions in terms of “what does the business need to achieve this? Is one Cloud platform sufficient? Do I need more than one? What types of tools do I need to protect the environment?” and having all the stakeholders at the table from the business to technology to audit compliance, legal, human resources, that allows you to come up with a holistic strategy and get the input from everyone, and getting the input is something that's particularly important because you can make really good decisions in terms of how you protect environments, but if you don't have a dialogue, the chances of those decisions being right, go way down.


[41:02] Matt: I love that. A lot of wisdom there. So, Bob, I've enjoyed this conversation. This has been truly insightful. Is there anything else that I should have asked you about that you want to maybe bring up before we before we close? Anything that stood out to you?


[41:17] Bob: Yeah, I think the last thing that we haven't talked about is there are a number of organizations that think “if I move to the Cloud, I'm getting rid of my security problem,” And there's a perception that Amazon or Microsoft, or Google, or IBM, are going to take care of all my security issues, and that's not the reality. To their credit, they do some baseline things in protecting the environment, but you need to understand what activities are happening and determine what the gap is and fill it in with the right set of security tools, and then the other thing is that you're always going to have issues and even the largest companies have issues. I mean, Amazon's had their outages, Microsoft has had their security breaches, as has Google. So, you have to make the assumption that there's going to be problems, and you need to be prepared for them, and the final thing is that when there are problems, it's your responsibility as an organization to protect the information that you're putting in the Cloud. When you have a problem, your customers aren’t going to go to the Cloud service provider. They know they're doing business with you. So, if there's litigation, you're going to be the recipient of pick your favorite phone call from inside counsel, outside counsel for your customers, it's going to happen. So, you have to make sure that you're doing what's commercially reasonable, and if you can make the case that what you're doing is commercially reasonable, then the cost of litigation and regulatory fines and loss of customers will go down.


[43:03] Matt: I love it. Love it. Bob, this has been fun. It's been great to catch up. Let me ask you this. So, one of the questions I often get from the audience is “well, how do I reach out, Bob?” So, the question for you is what's the best way, if someone wants to stay in contact with you, if they want to follow you, what's the best place to do that?


[43:22] Bob: Yeah, so I think the best place would be on LinkedIn. LinkedIn is my Bible in general for keeping in touch with people, but I tend to I tend to post a fair amount and LinkedIn is universally accessible.


[43:39] Matt: I love it. Love it. We'll put a link to your bio in the show notes. Thank you so much for joining us. This has been awesome. Thanks, Bob.


[43:46] Bob: Thanks for having me, Matt.


Outro: Thank you for joining us for today's episode. To find out more, please visit us at