Podcast Transcript

Introduction:
You're listening to the RSA Conference Podcast, where the world talks' security.

Kacy Zurkus:
Hello listeners, welcome to this edition of our RSAC 365 podcast series. Thank you for tuning in. I'm your host, Kacy Zurkus, content strategist with RSA Conference, and today I am joined by our guests James Binford and Ashish Rajan, who will be talking about The Cloud-First ESO. Today's podcast is sponsored by Acronis. Acronis unifies data protection, cybersecurity, and endpoint protection management for IT professionals and service providers, delivering integrated cyber protection that solves the modern digital world's challenges. With Acronis you not only ensure proven threat protection, but enable faster return to productivity in case of incidents. Learn more at acronis.com. Also, I want to remind our listeners that here at RSAC, we host podcasts twice a month, and I encourage you to subscribe, rate and review us on your preferred podcast app, so you can be notified when new tracks are posted. Now, I'd like to ask James and Ashish to take a moment to introduce themselves before we dive into today's topic. James, let's start with you.


James Binford:
Absolutely. I'm James Binford, I'm director in BISO at Humana, supporting a very cloud and AI/ML forward business line. My background's in cloud security, I've spent the last five years focused at places like Google, Amazon Web Services, and KPMG. I'm really glad to be here, thank you for the opportunity.


Kacy Zurkus:
Welcome. And Ashish.


Ashish Rajan:
Thanks for having me Kacy, and really glad to have a conversation with James as well. My name is Ashish Rajan, and I am a BISO by the day. As I like to call myself, Batman, or a live streamer over the weekend for a podcast called Cloud Security Podcast, which gets over 16,000 views per episode, but that's our humble brag for what we can do for the community. Apart from that, I love being part of community events and love having conversation like these. So, I'm really looking forward to a great conversation between all of us.


Kacy Zurkus:
I am as well and I'm so glad that you both can be here to join me today. I think one important place to start for us is this role of the BISO. We say it as if everybody knows what it is, but what is the BISO exactly? And how is it different from VISO?


James Binford:
Yeah, I'll take that first part of the question. The BISO, the Business Information Security Officer, is the bridge between their security organization and the business they support. On that bridge, a BISO will represent the security to the business. So, communicating, requirements, policies, providing security perspective and expertise, and they represent the business's needs back into the security organization. So, challenges, concerns, and issues.


Ashish Rajan:
I think for me personally, the B in the BISO stands for bridge between security and the business. Pretty much what James said, I just like to call it Bridge Information Security, that's my version of it, but that's pretty much what James called out.


James Binford:
I like how we both put out that acronym differently.


Kacy Zurkus:
It is funny with acronyms, right? Like the CISO, the CISO... Who knows what we're calling it?


Ashish Rajan:
Definitely-


Kacy Zurkus:
Do we call it BISO, is that the correct pronunciation?


James Binford:
I think it depends on the organization that you're in.


Kacy Zurkus:
Right.


James Binford:
I don't know that there is a correct... Exactly. Tomato, tomato, right Ashish?


Kacy Zurkus:
Sure.


Ashish Rajan:
Yeah, that's right. CISO, CISO, BISO, BISO, same thing.


Kacy Zurkus:
Okay. I'm going to go with BISO, because I like that. How do BIZO's support CISO's as they build a cloud security roadmap for migrations?


James Binford:
I'll put my bid in on this one. I think in a cloud migration, the BISO's role first and foremost is to help their CISO's and the security organization see through the fog that's really inherent with fast moving migrations. The fact is, security will never have the time to perfect things before the business begins migrating workloads into the cloud. So, the BISO has to be there to help the CISO and the security organization focus on what's important, based on what's being migrated, right? If you've got, public facing assets, maybe you're more worried about the edge than you would be if you're just putting a bunch of data into lab storage buckets. The role is also to help balance security needs with business needs. The business needs to experiment, because that's why the business is going into the cloud in the first place. With experimentation come trade offs. So, the BISO needs to help the security organization make appropriate trade offs.


James Binford:
If you think about serverless, when Serverless first came out, security organizations were very concerned about their inability to see into these servers underpinning this ephemeral infrastructure. But, it still made a lot of sense for the [inaudible 00:04:53] and a BISO... That's where the BISO comes in, to step in, help the security and business lines understand the pros and cons and help them come to a decision.


Ashish Rajan:
Just to add to what James is mentioning as well, I think traditionally, it's what I'm calling out, a role of a BISO or a BISO hasn't really existed for more than two, three years now, at least publicly. There has always been a space for this, and usually what used to happen is the CISO is under the pressure to do this part as well. So, it's definitely valuable to see that the industry's trying to recognize that there is a need for a separate role, specifically calling out the... I guess, as I was saying earlier, the bridge between the business as well as the technology side and the security side. I can probably give an example for what it used to be before a BISO became a thing, where like myself would work with the business, while trying to stay technical for the technical team that I manage as well.


Ashish Rajan:
The importance of that role only highlighted, was when you kind of grow the scale of the organization. After a point to what James was saying, there are certain divisions which just need special attention. It is super important, even if you might think, how big a division could be, you still could be talking about hundreds of millions of dollars coming from a particular business unit. But, if they work on a project which is valuable from a technology perspective, but it's not meeting the business goals, it's kind of pointless. Another reason for the importance of this role is to have an understanding for what would be approved from a budget perspective by the board and by the business. Technically, I might want, to James's point, the best serverless security solution out there; but if the application that we're producing is, say traditional, doesn't work really well serverless, they would not approve a budget which is not really aligned with the business value.


Ashish Rajan:
A BISO or a BISO definitely helps in having alignment move from a strategic perspective from the business, but also helps them feedback into the business, why is it certain project more important for a budget approval and a team skill approval as well, considering they're moving more into a world where cloud migrations are quite complex. It's not just a matter of say, someone lifting and shifting into our cloud organization. There are also organizations where people are talking about multiple cloud providers. At the moment, I work with teams where they require to be scaled in Amazon, Google, Azure. Some of them are even skilled in Oracle, IBM, the list doesn't end. So, keeping up to date with just the cloud migration piece itself is a big job. The BISO definitely fills that role quite well for us to keeping us in depth with what's the business requirement, what's the driver for this financial aid that we can actually work toward instead of thinking something we need and building it and finding out that actually the business doesn't really care about this. So, quite a crucial role.


James Binford:
Yeah, I wonder how much the BISO role... And like you said, actually its just a brand new role, but over the next 5, 10 years, looking back, I wonder how much credit the BISO role will get for reducing the rate of CISO burnout. Just by being that place to sort of...


Ashish Rajan:
Yeah.


James Binford:
... Offload a little bit, to get a little bit of perspective, so CISO can stay holistic, right?


Ashish Rajan:
Definitely. I think [inaudible 00:08:18] calling out, another role that seems to be popping up is people are thinking of having CISO's specifically for the cloud space as well, just because... the examples that I gave earlier, IBM Cloud, Oracle Cloud, Google, AWS, these are big companies and these are all, if you think about from a traditional context, they're all big data centers that you're building slowly. Over time, to what you're saying as well, in another six years, a BISO is able to help bridge that gap between the business, but from a CISO perspective as well, there needs to be someone who's bridging the technical gap between all these cloud providers as well, because one cloud provider is completely different to the other cloud provider. I think burnout and possibly if they create a role for a cloud-based feature as well, which is for a particular cloud that they're specializing in one particular cloud, I think that would definitely be helping in preventing all the burnouts that CISO's have talked about.


James Binford:
Absolutely.


Kacy Zurkus:
That's really interesting. As I'm listening to you, I'm thinking, the fact that there are so many different providers that organizations are using, that in and of itself presents challenges. That doesn't even scratch the surface of some of the challenges that an organization is going to face during cloud migration. So, I wanted to number one, talk about what are some of the other challenges that should be on people's radars. I'm also just curious, in dealing with those challenges, where does finding the solution to those challenges sit when you've got this BISO supporting the CISO, how do you define those roles and whose role it is to deal with what?


Ashish Rajan:
How much time do we have-


James Binford:
Yeah. You know I...


James Binford:
Right. We can go deep in this. I think one important piece of perspective though, the BISO is not a security organization unto itself. As a BISO, you're going to work across your security organization, not just with the CISO. That's what we've been talking about mostly, but really the BISO relationships across its security organization are going to be incredibly important, because it's in that security organization, that tooling decisions are made, the funding typically gets allocated. So, it's going to be very key for the BISO to not only have great relationships with their business and understand what the business is trying to do, have great relationships with the CISO and understand exactly what strategy that CISO is trying to implement across the organization, but they have to have outstanding relationships with their peers across the organization. I think that's one of the things that actually makes the role so fascinating and complex.


Ashish Rajan:
I would probably say I would not be surprised if at over time, a BISO and a CISO sit together in a board conversation, where it's not just a conversation about, what the business is doing, to kind of what James mentioned, having that relationship across the business and not just technology, may seem quite valuable. One of the challenges that would come across is, would the board understand the complexity of what some someone is trying to achieve? I guess, BISO can definitely fill that gap from a business perspective. Most traditional CISO's and traditional organizations have always filled that role for making security simple enough, that a risk conversation is easier to digest by a board member, but sometimes we've always been accused of not having it simple enough to say... Using something as simple as an MFA, which sounds like... A multifactor authentication is understood by everything.


Ashish Rajan:
But, we have been in conversations in the past where a board just doesn't understand what that is, what's the value of it. A lot of people just bang their head about it, but having that business context for, "Hey, this is the compliance requirement. Compliance number 1, 2, 3, 4, has this as a requirement for the business and for us to have more sales for the product we required to be compliant." Usually the CISO had to do this job and manage this across multiple business units, so that particular challenge is something that's definitely being solved by BISO. Especially if you have a large enough organization with multiple BISO's as well, where it's basically a large enough complex... I think the examples that I've seen in the past are usually FinTech organizations, which are global. They have one BISO across Asia, one BISO across Asia Pacific as well, and kind of go across the Americas and Europe.


Ashish Rajan:
It's a really complex and very scalable role as well, to the number of relationships a BISO has to maintain. Outside of it, the other challenge I would probably say is coming from a technical background is definitely beneficial. They don't have to be a programmer or a developer, but having a bit of technical understanding to understand or empathize with the technical problems that the CISO and the security may be coming through is also a challenge that may come across.


Ashish Rajan:
Even today, there are a lot of roles that are provided in security leadership to people without a technical background. If you treat it like a project management exercise, that's definitely not going to be a successful security team. The same way, well at least James is technical, that really helps coming from a such an exciting background of AWS and other companies that he's worked for. If other BISO's and BISO's are similar, they would definitely help in making the relationship a lot more easier to work with and a lot more productive as well. I see that would be a challenge as we kind of go down the path of making more BISO's available for people to work together with.


James Binford:
Absolutely. One thing I really like about the BISO role just generally, you do I believe have to have a security background, a security leadership background, but you can come from anywhere in security and be successful in this role. [inaudible 00:14:04] You can lead an endpoint protection team and be successful in the BISO role because you'll have built the empathy and sort of the security context necessary, to really communicate security requirements to the business and to build that bridge between the business and security.


Kacy Zurkus:
I want to switch gears a little bit here and talk about the specific challenges of old legacy stuff, and building teams with appropriate skill sets, and budget constraints, as it relates to cloud migration and what that all means for security.


Ashish Rajan:
I think the biggest challenge at this point in time and a bit embarrassing story as well. If you would've spoken to me five years ago, I would've said, "I would never let an organization go into multiple cloud providers." Because as I was saying earlier, each cloud provider in itself is accepting that you have a new data center that you're managing, potentially equally large as a traditional data center that you were to manage. Now, the complexity of that challenge is, every organization is growing, and as organizations grow... You may have started by saying, "I'm not going to go work with any other cloud provider except for Amazon." But as the business expanded, say into the Europe region, they acquired a couple of companies and those companies are in the Google Cloud region, or in the Google Cloud space.


Ashish Rajan:
If it makes sense from a business perspective, there is nothing you can say from a technical aspect that makes sense for not to accept that Google Cloud space or even Azure or any other cloud provider. The number one challenge these days for organizations that are dealing with cloud or cloud migration is going to be sticking to the one cloud provider, that's definitely challenge number one. It's a few that the monopoly that they can have at least in their organization, I feel that is slowly disappearing, especially with the need for data, big data projects, and a lot of other things where you want the best of the breed. Sometimes the individual cloud provider may not be the best answer for... Just because you have everything else in there, they may not be the best answer for it. The second thing I would normally call out is, it's a big challenge for the team that are being built by the people as well.


Ashish Rajan:
Individual is expected to have real good knowledge, at least in one cloud provider, but they're also expected to have some kind of a good understanding of security challenges in multiple cloud providers if that's what they're working in an organization. I was talking to some of the people, I believe it's in Netflix and Block. [inaudible 00:16:42] Netflix is a great example where they've been really good with keeping all AWS, but I believe now they're seeing... At least based upon the interview that I've heard, they're trying to see other cloud providers slowly come in. Square was an interesting one, or I think they're called The Block now, those folks have individuals who are specializing in particular cloud provider in their security team for cloud, where one or two people are specialized in Azure, one or two people specialize only in AWS, only in Google Cloud. That is going to be a challenge because, how many companies out there would have the budget to have multiple people just focus on, say, one cloud provider, and not have the-


James Binford:
If you can even find them.


Ashish Rajan:
Spread across my... Yeah, that's right. You're looking for unicorns at this point in time.


James Binford:
Right. I think the BISO role, there's an opportunity for the BISO to play a role there, mostly as an advisor. It's like you were saying earlier, it's ultimately up to the business to determine what acquisitions they make and how they grow the organization. Just like you said, the cloud provider the potential acquisition is in, it doesn't really come up I'm sure in most of those merger and acquisition discussions. So the BISO role-


Ashish Rajan:
How much money are you going to make? Oh, a billion dollars. Yeah sure, go for it.


James Binford:
Exactly. So the BISO role can help the business prioritize, after those decisions have been made, by making it clear where the security pain points are going to be, where the gaps are, and they can do the same thing for the security organization. If the BISO stays close to the business and has a good understanding of what's coming in, in terms of mergers and acquisitions, they can do a good job of helping the CISO and the security organization strategize to prepare for that upcoming change.


Ashish Rajan:
Yeah. I think the simplest example or the analogy that comes to mind is, it's for people who may be non-technical and leaders, and just trying to understand the complexity of this, it's like driving a car, but also knowing how to drive a truck. It sounds similar, but very different.


James Binford:
Two different licenses.


Ashish Rajan:
Yeah, definitely, two different licenses and way different kind of vehicles.


Kacy Zurkus:
That's interesting, I like that analogy. We have another webcast coming up that is focusing on building cloud security leaders of the future, and some might look at that and say, "Well, security is security, what's different about building cloud security professionals?" I know that the skills gap and finding talent is one of the challenges of cloud security. What are the skillsets that are needed? Can you talk a little bit about the ways that you could potentially upscale your team? And then maybe what are some other appropriate ways to find talent to fill those gaps where you can't upscale?


James Binford:
I've got a take on the difference between, I guess what you would call traditional security versus cloud security. I think the difference is that cloud security, it requires almost more of a software development in the systems design mindset. A large part, you're going to be working with API's, so you need to understand how API's work. You're going to be writing code for infrastructure, so you have to understand at the very least how to structure code, how to make it modular and reusable. A lot of the disciplines that you see in software development are beginning to apply or do apply very heavily to cloud security. I'm not sure that traditionally the security skillset has been built around software developers. I think today the security engineer is more focused on hardware and operating systems.


James Binford:
I think in the future, they're going to need to be more focused on systems design and understanding how API's interact and the consequences of it. And the up-skilling, you can certainly take people who have traditional security experience, help them learn more about systems design, help them learn more about cloud, and up-skill your current workforce. In fact, just given the talent marketing cloud today, that is really the only option. You can't wait for the cloud market to become saturated with talent, your migrations will be well behind you by then.


Ashish Rajan:
I'd probably say a hundred percent of the money there, James, and I'll add a couple more things from there. The traditional roles that have existed for people who may be coming in from a traditional background, the whole admin role, that doesn't really exist in cloud anymore, because there's no point in having that role because of the automation and the whole idea that you want deploy and produce software features on a daily, weekly, sometimes hourly basis. That admin role, where you just let someone know, "Hey, I need access to a server." They remember the IP address... Just so I can be a bit more technical, they need to remember the IP address or the server that they want to get on and they tell you, "Hey, 1, 2, 3, 4," and they log in and it used to be a thing. That does not happen anymore in the Cloud World.


Ashish Rajan:
In fact, IP addresses themselves are becoming quite obsolete in the Cloud World. The traditional security model that used to exist, even the traditional security product that used to exist are failing in the Cloud World, because they're still trying to work off what they used to do in the past. This has been quite frustrating for companies that are trying to be cloud-first and trying to find a position which is cloud ready or cloud-first, as they call it. Now, there is hope and people can be upskilled. The softwares can be upgraded. They're all working towards... There's a video that I did for the four generations of cloud security portion managers, and the complexity that becomes with scale and a cloud environment, it definitely adds to the reality that we definitely need a change in not just the kind of security products, but also the kind of skills that we have in our organization as well.


Ashish Rajan:
I mentioned earlier that individuals, need to be at least in a state that they're comfortable to have some understanding between at least one or two cloud service providers. Now, as James and I said earlier, you're looking for a unicorn at this stage in time, at this point in time, but hopefully in the future, it would become so easy enough that you only have to deal with one problem. It shouldn't be obstructed enough to the point that we are not talking about difference between, say, driving a car and a truck, you're just talking about driving skills. If someone has taken over the obstruction of whether it's a truck or whether it's a van or a car, doesn't really matter, it's been obstructed to the point that all you care about is, "I have an application that I want to move into the cloud, and this is how I'm going to do it."


Ashish Rajan:
I think its funny, we were talking about Serverless earlier as well. Some people claim Serverless and Kubernetes are the two examples where it just doesn't really matter which cloud you're in. As long as you know those individual technologies, you should be able to go anywhere. There is a possibility that a company may go down the path of using technology that is already catering for a more agnostic kind of approach. But until that happens, I think, that was one of the reasons we started Cloud Security Podcast, just to do a plug, if I can do that, because if you try searching for cloud security resources, there are not that many. The cloud providers themselves are only starting to do this now, there's Amazon... I think if anyone's interested, Amazon has a conference called Reinforce that's happening in July. In fact, they're the only cloud provider at the moment running a cloud security specific conference.


Ashish Rajan:
There is no other resource out there for people to go in and understand from other people. Actually, there's another one called Forward Cloud Effects, which is happening the day before Reinforce. That's run by independent community members that I got huge support of, so I would try those two. There's not a lot of learning resources as well. I think it's definitely a uphill battle for people who are trying to learn cloud security. And my hope is for clouds sake and hopefully more cloud service providers creating more cloud security conferences and cloud [inaudible 00:24:40] customer help fill that gap as well. So yeah, it's a long uphill battle, but there is definitely hope.


James Binford:
Absolutely.


Kacy Zurkus:
Well, and then you obviously have the cloud security track at RSA Conference in June as well.


Ashish Rajan:
Oh yeah, that's good. Yeah. Yeah.Great cloud case made.


Kacy Zurkus:
So I'd love to hear from each of you, what does success look like for a cloud-first security program?


Ashish Rajan:
My approach to this is a bit controversial because it goes against the traditional model and it can be quite expensive for the organization, I think initially. I'll explain, the Cloud6 First model that is successful in my mind is if a project is using more cloud native features where you're more in the ecosystem of the cloud service provider that you're working with, because let's face the reality of this, they have a possible solution, which is catering for organizations like Netflix, Facebook, Dropbox, all these massive organizations. You have access to a data center of that size, but it is all pointless if you still want to go down the path of doing your traditional admin IP address. So the number one criteria for success for me is the adoption for the security features and the services from the cloud provider are more in use. That's definitely a successful criteria, from my perspective.


Ashish Rajan:
The second one being from a security perspective, how much of the team is involved in the engineering site, that's also because there have been organizations in the past that I've spoken to where one half of the organization, the engineering half is already in the cloud, they're building platforms, but the security team is still traditional and they're still asking for traditional change management processes to be implemented in a Cloud World. Now I was talking about deploying new features into your product on hourly, weekly, monthly basis. The reason why we could not do this in the past is because we never had the capability like cloud, which was more software defined to those before, but now we have the feature and if you still ask them to kind of go down the path of using traditional change management processes. That would definitely be a negative.


Ashish Rajan:
So anyone who's probably gone beyond that and figured out a way to deploy features more frequently. I think it's the second big criteria. The third one, which is why I feel it's a bit expensive is that business has to make a decision for what applications are not good enough for cloud and make a call whether they transform them in the cloud space for being more cloud native quote unquote, where they're using more cloud features, or maybe they're actually using cloud native technology and making a call for, "This is going to be an expensive exercise in the beginning. But over the long term, it is going to save money and it's going to be cheaper as well for the organization to scale easily without hurting the wallet." So those three are my favorite at the moment.


Kacy Zurkus:
That sounds simple.


James Binford:
I love it. Yeah, No. Right. Very, very simple. I especially like the usage of cloud native security and I'm going to talk about a KPI related to that, that I think is really underused if it's used at all. We've talked several times just in this conversation about the ephemerality, if that's how you say that, of cloud assets. But I have not seen many organizations measure how good of a job they're doing, taking advantage of the elasticity of the cloud and maintaining their cloud hygiene. Organizations should be asking themselves, "How good of a job am I doing tearing on assets I'm not using? How good of a job am I doing closing AWS accounts, Google Cloud projects, Azure subscriptions, that I'm not using anymore?" CIO should care about that, because that ties directly into their bottom line. Closing things, shutting things down that you're not using is going to save you money.


James Binford:
And then CISO's, BISO's and the security organization should care about that because that is an easy way to shrink your attack surface. And if you are hitting the metric, that Ashish just mentioned, using a lot of cloud native services, then you should be able to take advantage of the elasticity of the cloud to reduce cost and reduce your attack surface. Another thing that I think is important to measure for a successful cloud, for a security program is talent. We've talked also just in this chat about the talent shortages that there is in cloud and the need to up-skill your current organization. I think you need to measure how that looks at the top.


James Binford:
How many of my leaders have cloud certifications? And then from there, how am I incentivizing the builders in my organization, the people that are actually in the cloud, building things, securing things and how are those incentives working? And then I think you should be measuring as a cloud-first organization, what opportunities I'm actually giving my newly certified builders to make it real by getting their hands dirty in the cloud. I haven't seen those metrics, but I think they're very important to a cloud-first organization.


Kacy Zurkus:
And I want to point out James, that you're not only a cloud-first BISO but you're also wordsmith, if ephemerality is indeed a word. So kudos-


James Binford:
Nailed it.


Kacy Zurkus:
... To you for bringing that into the conversation. James and Ashish, it has really been such a pleasure to have you here with me today. Thank you so much for joining us. Listeners, thank you for tuning in.


Kacy Zurkus:
To find products and solutions related to cloud security. We invite you to visit rsaconference.com/marketplace. Here, you'll find an entire ecosystem of cybersecurity vendors and service providers who can assist with your specific needs. Thanks for tuning in and we'll talk to you soon.


Introduction:
(Music).