Alyssa Miller, Business Information Security Officer, S&P Global Ratings
This episode was originally streamed on Thu, 20-May-2021 to multiple platforms. You can watch the streams (along with the comments) on-demand on:
[00:05:09] Rik: We're back, yes, it's Episode One of season two of let's talk security, the network's have renewed our license. It's incredible. We started broadcasting this series of interviews, just I suppose as all of us were going into, or we'd recently entered, depending on where you were in the world, some kind of lockdown. And we thought, wouldn't it be a great time of the year to broadcast live from home and from our guests homes, where a lot of us have a lot of time in front of our computers, to listen to conversations. Little did we know, a year later that we would still be in largely the same position as regards all of that, but hopefully, the tail end of it, I say where I live, I certainly feel like we're coming out of it. I hope you've got those positive vibes to the sun is shining. The weather is good, and it's time to talk security. So Episode One, season two, I'm opening with an incredible guest, hacker, practitioner, evangelist, defender of privacy, cultivators of trust and self proclaimed Duchess of hakington. My guest is of course, Allison Miller. How you doing?
[00:06:26] Alyssa: Hello, I am good. But I can't I I gotta take issue with one thing you said right. Not self proclaimed. That title is given to me by lord cyber bottom.
[00:06:36] Rik: okay, okay, so you're a real Duchess. In that case?
[00:06:39] Alyssa: Apparently. I don't know. I mean, I guess the people will actually live in Hackington are like, wait, we don't have a Duchess. What are you talking about? Because I later found out that there is actually a town or something in Kent, that is actually called hackington. And so it's probably a little weird for some people in UK.
[00:06:56] Rik: It's time for you to purchase some land, I think?
[00:06:59] Alyssa: I think so.
[00:07:00] Rik: And to make that title official, welcome. Thank you very much for accepting my invitation to join me for this show today. We had a chat yesterday, new people watching you people watching you don't know that. But we had a chat yesterday last night. And I know that we have a ton of stuff to talk about. But I just want to remind all of you watching that. One large part of this is that you get to ask the questions, too. If you don't, I'm going to fill up an hour with stuff and it will be easy because I know how much Alyssa can talk. But if you want to join in, then please do. We are broadcasting on Trend Micro's YouTube, we're broadcasting on LinkedIn, and we're broadcasting on Twitter, any one of those platforms, drop your questions in, we have operators standing by to take your calls. First of all, Alyssa, let's you walked into a new role relatively recently, right? In the grand scheme of things. So you're s&p now and you are the BISO s&p. So as we said yesterday BISO as a job title as a role is something I guess that most people probably haven't come across. But I know that you were writing about it and blogging about it even before you took up this position. So what is it? What does it do?
[00:08:13] Alyssa: Yeah, so it is a very new role, right? And that's why I wrote that blog that I published on my website, and I shared it on social media, because I knew people were gonna ask, like, what is this BISO? this business information security officer, I've never heard of that before. It's it not a lot of organizations have gone down this path yet. So it's still kind of evolving. But I think for most organizations, what it is, is it's a person who's kind of put in what traditionally we would look at it as like maybe a divisional CISO role, where they're driving the security strategy for a specific business line or division within an organization. But the reason we use that business information security officer term, instead of calling them a divisional CISO is because typically, your divisional CISO then reports into a centralized CISO organization. That's not what happens in the case of a BISO, and certainly not in my case, I actually report into the CTOs organization. And that's a CTO within the division. So you know, someone, the whole point of my role is to bring business context to the security discussion, and to bring security discussions into the business. So you're providing sort of that bridge from this centralized security function that maybe doesn't have all the deep understanding of business needs and where security initiatives will connect with business value. And then the other way around your to obviously taking those initiatives that they're looking to accomplish and seeing how I can fit those into my business. So it's kind of a two way communication between.
[00:09:54] Rik: So what is the reporting to the CTO? What does that bring you over and above what you would have reporting to to the C side, because they're both still kind of technology focused roles, kind of by definition.
[00:10:04] Alyssa: Well, the difference is a divisional CTO, right. So it's within the division, which means everything I'm doing is connected with the business like I, you know, I, the, the executive committee I report to is the executive committee for our division, not for the global company. I mean, obviously, I report to them as well. But so everything that I do I have that more integrated focus on what what is our business about? What are the value drivers that I need to take these security initiatives that my centralized security team says we got to do? How do I do high those to value drivers within our, in our, in my case, the ratings division? So we're talking your credit ratings for large organizations and countries and so forth? How do I how do I tie that together? And then on the flip side, again, taking what we're doing what's important to us, we're heavily heavily regulated division. And, you know, we have a very specific focus on a really unique set of customers, how do I get my security infrastructure to understand that, you know, here's what is meaningful to us. So how can we drive better context from what you're doing, don't ask me to do this or that because it's not gonna create value from a risk or a business perspective. Let's, let's mesh those two together.
[00:11:28] Rik: And in your role, you got to straddle both, you got to understand the business drivers, the commercial drivers, and instead of being the Department of know, which I guess is like a traditional view of security, you're more the Department of how.
[00:11:39] Alyssa: Exactly, that's probably a great way to put it. And yeah, it's, it provides more cooperation, ol view of security for the business. And it also provides the security team with a little better liaison into the business. So they don't feel like they're, they're constantly pushing against business folks who maybe they feel like don't want to listen to them or do what they're asking for.
[00:12:05] Rik: So I call this episode transformational security. And that was actually based around some stuff that you had been writing in the in the recent past. But I know that a lot of what you're doing S&P for them, certainly, and I think, in terms of security, in general, is relatively cutting edge. And for them very transformational. So what, what are the short term goals? And how and why are you doing what you're doing, S&P?
[00:12:29] Alyssa: Yeah. So our ratings division right now in our technology group, within that radius division, we're going through some massive transformation, we're in, you know, a multi year plan that have really a lot of big strategic goals, everything from elimination of legacy systems to a big, big cloud transformation. And that cloud transformation, of course, includes things like you would expect with any cloud transformation, DevOps really building up in the CIC pipeline, um, we're, we're very heavy into container as a service and function as a service. And we're making those things a reality. And those are, you know, we set them as technology goals, and then our engineering teams are all working toward those. But really taking it even further, we've got some really lofty goals. How do we bring artificial intelligence and machine learning into this in a meaningful way? You know, those are buzzwords that get tossed around a lot. Everybody talks about the promise of AI and ml, but how do we really fit that into the business? And here's one that really trip people up blockchain, right? blockchain every blockchain is the answer to all the worlds.
[00:13:38] Rik: I got it, I got it.
[00:13:42] Alyssa: But the reality is we're actually we're making meaningful investments in things that will actually advance our business and using blockchain, for instance, in terms of file integrity, really building an entire file integrity infrastructure that is based in blockchain chain technology, so that we can you know, as we've got radians analysts working with data and information, that oftentimes they're releasing irradiance based on temporal information that can change over time. So we need to preserve what it was at the time that that rating was released. So when regulators or the market come to us and ask how did you how did you arrive at this rating for this organization or this government? We have that and we can credibly demonstrate that we know that this is truly what that was at the time.
[00:14:34] Rik: The whole season worthwhile, right? Because it's like, Hey, folks, you heard it here. First. blockchain has a use case.
[00:14:39] Alyssa: Beyond cryptocurrencies for something else, something that has business value, and that and that's a key. I mean, I know there's a few organizations that have kind of gone down this path. I've had some conversations and past panels with some CISOs about it, but yeah, it's really there's not I you don't see or hear a lot about it yet where people have actually been able to implement it in a meaningful way. And and we're in the throws of really releasing that infrastructure.
[00:15:09] Rik: So it's, you know, we're talking, obviously, with transformational security, we're talking about security systems and technologies that are cutting edge or certainly leading edge in terms of enterprise deployment across the board, and as a service, it's near serverless. And as a service and network functions definitely fit that brief. But I wanted address by referring to that, and I want to address a question that's coming from from Valerie, who is very new to the security arena, which is great, by the way, and welcome, who's saying what, you know, what are you talking about in terms of security? So I wanted to try and address that. That question by taking into account we're talking now in your career about things like blockchain functions, serverless, we're talking about cross pollination between business and security, which is also unfortunately, new. But you've been in the business a long time, I think you and I have been around for about the same amount of time in this industry. So maybe you could talk about the changes that you've seen. And I know, we only have an hour, so but you could talk about the changes that you've seen since you started in technology slash infosec. And where you are now, because that gives us an someone new to the space, an idea of not only what they're looking at now, but how they can expect it to evolve in the future.
[00:16:27] Alyssa: Sure. So I mean, I think back Yeah, when I got started, right, you know, 15, 16 years in security, but even longer ago than that I spent almost a decade as a developer first. So there you go. That's how old I am. Um, but info security was really very narrow, focused, it was, you know, well, we've, we've got to manage users. And then we got to manage our applications and our network. And, you know, then we started to bring in things like incident response. And Okay, so now, you know, we've got this application security thing where we make sure the software we develop is secure. We've got this network security thing, where we're defending our perimeters, and doing kind of more of the operational side of things with you know, scanning and pentesting. And then we have infrastructures, or our incident response, excuse me, which was focused on what do we do when we, you know, have problems and incident response at the time was also responsible for things like SOC, right, they were doing the day to day Security Operations Center and managing that. And then, you know, of course, you also had done just the really operational folks who were focused on day to day administration systems. So you kind of had like those pillars, it kind of gets like four pillars, says it. I mean, it's exploded right now. We've got cloud technologies that are brought in this massive array of different things that we need to worry about. We have this whole idea of threat intelligence, how do we analyze what's going on in the world so we can understand where potential threats are coming from, before we start to see that that was a very reactionary way back 15 years ago, when I was doing this, it was, you know, we maybe got updates from Secret Service or the FBI once in a while now we subscribe to all these different feeds from private companies from the FBI from
[00:18:13] Rik: You get stuff daily, right?
[00:18:16] Alyssa: Yeah, it's so it's wild. It's the whole just landscape of security has gotten so much broader and more specialized in different areas. So you have people who are like cloud security architect, and they know that cloud environment, some of them are very specific to us know, maybe just AWS, they know how to secure AWS, or they know secure Azure or GCP. And then you think about app sec. So Application Security isn't just running dynamic tests. It's not just running your code scans. It's now we're doing threat modeling. We're embedded in the development pipeline. So we're, you know, we've got automation that enables some of that we're working with our teams to enable them not just with technology, but with training and processes and culture that all fit around that. So we get into the ideas of like security champions and so security now especially in a dev sec ops world, span, so much broader and it becomes we were starting to get to that point which we dreamed of 15 years ago where people understand that security is everybody's job, right? There's no one in the organization who can say I don't have to worry about security, somebody else is doing that.
[00:19:34] Rik: That was my great frustration when you know in September this year I think it is I'll be 14 years at Trend Micro which looking at the rest of my career was totally unheard of. And I'm very pleasantly surprised that I still love it enough to be here and I do but my great frustration with security when I joined Trend is actually came from a systems integrator directly before Trend and I was Security and Privacy architecture, it's my job to secure systems things. A lot of it was government law enforcement type projects. And what my huge frustration was, is that everything was operating in its own silos. Like I said, we're talking about 14 years ago here, there was the desktop team, there was the desktop architecture team, there was the server architecture team, there was a data center architecture team. And actually, they would all get bites of the cherry, even before it got handed over to the security and privacy team. And they would build a thing. And they would say, Here you go, secure this. And it's like you're saying it's the one of the most important and most amazing and helpful things that's happened. My view anyway, in security over the last decade and a half, is that those silos have really rapidly been broken down. And we're seeing security embedded throughout the business in different functions and in different ways. Right?
[00:20:49] Alyssa: Yeah. Oh, you came about kind of that same way, though. Right. 2008 2009, Andrew Shafer and Patrick Dubois get together and they come up with this thing DevOps, right, and they throw it out there. And suddenly everybody wants to do DevOps like, this is great, awesome. We're gonna break down the silos between operations and, and developers and security was on the outside of that, you know, we're sitting there like, Oh, my gosh, wait, what? So finally, Josh Corman, Gene Kim, speak up at RSA in what 2012 and they're like, Hey, you know what security is dead. We got to get into this thing. We can't do security the way we used to. And so yeah, it was, again, we got something thrown at us, where we weren't expecting it. We weren't ready for it. And we didn't have the the right mindset, the right approach to be able to do it. So we've had to learn. And I mean, I still give talks today on In fact, I'm, I'm doing what I just did one last week on just how do we get security into that and in a meaningful way, because, you know, I still go to talks by security practitioners, we're talking about devstack Ops, and I'm listening to and I'm like, this just isn't gonna work. Your dev teams are not going to be patient, and they're not going to accept this, you know, this whole idea of, you know, security, driving the requirements into the, into the business like you have, thou must do this, thou must do that.
[00:22:15] Rik: That's the way it works. Right? That was the problem. That was that was how security was always seen in the past.
[00:22:20] Alyssa: Well, and what happens, I tell people this all the time, what happens when you have the business and you security butting heads, and the business is saying we're losing revenue, if we we do this right now, security, saying you can't go any further until you do this. It goes up the chain, and ultimately, the business wins 99.9% of the time. And so you know this is where and this will actually I'll answer Dwayne's question from Twitter on this, yes, security has to, everything has to mess with what's going on in the business. You cannot use FUD, fear, uncertainty and doubt, to drive the business to do what you want. You have to demonstrate to the business. Here's how we're adding value. By doing this security thing, this is how we're going to make your business better. Maybe we're going to reduce your regulatory exposure, because we're taking care of things your regulators gonna ask you about maybe that by implementing this particular technology, we can speed up your pipeline, or we can open up a new revenue stream for you. This sounds like wow, for some people, they're like, wow, no, you can't do that. Yes, you can I have done this, this happens, this can be done. But it takes a different mindset from security, than we're here to secure the world and we're gonna put all the gates in place. No, no, no, no, no, no gates have to go away, we have to do part of it.
[00:23:43] Rik: The other thing that strikes me is that actually security done properly. I was gonna say can but I'm confident if I think to say will security done properly, will result in a lower expenditure on security as well, if you if you're doing security properly, you can help the business not to buy all the things and only deploy half the things and only configure half of those correctly and then only monitor half of those, which is kind of the state that a lot of businesses find them in if you I know you've done a lot of work on threat modeling, which is definitely one part of doing security properly, right? Understanding what you have understanding who wants it, understanding what the vulnerabilities are understanding who's coming after you and how and putting all of that knowledge together. So you published along with 12 others? 13 others? The threat modeling Manifesto, right last year?
[00:24:28] Alyssa: Yep. November last year. I'm sorry?
[00:24:32] Rik: Tell us about that. The threat modelling manifesto.
[00:06:34] Alyssa: So, um, there were 14 of us who got together a lot of industry names that you would recognize. And we, we decided it was a lot of people, a lot of us who just had passion for threat modeling. And you I think of people who are involved like Avi Douglen and Adam Shostack, which I'm sure is the name most people recognize if they've ever dealt with threat modeling. Mark French, and just a whole host of really great characters, all who had a lot of experience with threat modeling, have a passion for it. And we decided it was time to really define what threat modeling is, and what what really makes threat modeling important. And why does it you know, why is this something that you want to be a part of your development practices? And, you know, what we didn't want to do was release another framework or design, right? I mean, we've got things like STRIDE and PASTA and OCTAVE. And by the way, in another hour or so I'm doing a talk at another conference on exactly this, right. So you had all these big frameworks, they're really heavy hitting, and, and a lot of methodologies that were defined that just honestly don't fit, especially now with modern devstack ops development, because you had to have big design cycles. And you had to create these huge diagrams and map out the whole system and do all this stuff. So we wanted to get back to the basics like, what really is it about threat modeling that makes it important? And how can we give people a set of values and practices, patterns and anti patterns that make for good or not so good threat modeling? What are those pitfalls? And so we put together the threat modeling Manifesto, which does exactly that. It defines what threat modeling is why it's important, what the values of good threat modeling are, what key practices are within threat modeling, and then patterns that are part of strong threat modeling, methodologies, and anti patterns, which are those things that we see occurring, when people's threat modeling methodologies maybe aren't as effective as they should be.
[00:26:47] Rik: So what is for the benefit of because there's going to be people watching and i know this happens in every industry, and not only industries, it happens in private conversations and conversations down the pub, but it happens all the time, just in real life. A lot of people are afraid to ask questions, a lot of people when confronted with terms that they don't immediately understand or even vocabulary that they don't immediately understand, will be scared of asking their and then for an explanation. So it's probably a bunch of people watching and a bunch of people who will watch in the future, who have heard the term threat modeling, and you have not felt confident enough to reveal the fact that they don't really understand it, or what it is. So what is it in a nutshell, what is threat modeling?
[00:27:27] Alyssa: So I can sum it up. And I do this in my talk. And I know some people love it. If you if you remember the show was a fairly oddparents with Timmy Turner. It's a picture of him. It's a meme where he's just saying, What could possibly go wrong? That is literally what threat modeling is. Threat modeling is I take my scope, whatever it is. And my recommendation these days is you do it at the user story level. So you've got a user, or you look at that user story and say, based on this functionality I'm modifying or creating, what could possibly go wrong? Could somebody come in and steal data? Could they attack this, and it's a critical function that my business needs to deliver with high availability, and they could attack it and make it unavailable. That could be, you know, something that could go wrong? So it's really identifying what are the key assets that I care about most in whatever the scope or the context is that I want to do it within? And then what are the threats or the things that could impact those assets. And so the other way I, I kind of put this into metaphors, we do threat modeling every single day in our lives, we just don't think about it in those terms. Think about your your you live in the suburbs, and you're going to travel down into the city. And you're going to an area you're not familiar with, you're going to sit there and you're probably going to think about Hmm, is this a high crime area is you know, do I know where I can go park when not get a ticket or get towed and get stranded down there? All the different things that could possibly go wrong. When you drive your car into the city. What happens if I get in a crash? You know, what am I going to do? all of those things, that that's threat modeling, you're thinking about all the possible things that could go wrong and then you're thinking about what am I going to do about it to make sure that I avoid that or if it happens, I can recover from it.
[00:29:18] Rik: Threat modeling is I liken it to because I have been a father for the fourth time now with my youngest is two years old. So for me threat modeling is when I'm packing new when we're going out somewhere during the day and I'm packing that bag and I'm thinking what do I need? What is this baby going to do? which end is going to explode? What are they going to draw on they're going to be hungry or thirsty? How many changes or clothes do I need? That's my that's my simile for threat modeling. Is that a little bag that you carry full of all that stuff?
[00:29:46] Alyssa: Exactly. So yeah, it's, you know what the threats are, you know, what could possibly go wrong? And you use those to inform the countermeasures that you're going to implement against those threats. And that is exactly how we apply it in the security and IT space is, Hey, I'm developing this thing, here's what could go wrong. So I know I need to put these controls and these recovery processes in place to make sure that I can either defend against the threat or if the threat becomes a reality, I can recover from it quickly and be resilient.
[00:30:18] Rik: So who does it? Who does? Who's responsible? Who should be responsible?
[00:30:21] Alyssa: Well, if you ask the threat modelling Manifesto, everyone, right? and that's truly the case. And that's where I tell people, you know, like, when I say, put it in the user story, that's because I want the business people involved, they understand those critical assets, and they understand the threats at a plain language perspective, right? You know, just, somebody's gonna steal our stuff. Are they going to, you know, commit fraud with our system? What are they going to do? And then you've got your devs, who can be there to add some of the context of how are we going to implement controls, you have your security people there to, to bring things into more of that technical perspective, you've got your Ops, your SREs there, who are there to, you know, really talk about, okay, how are we going to monitor this in production? And how are we going to make sure we have the necessary alerting and capabilities in place and your security team would be a part of that discussion along with the developers and the business, so everybody can share in not only understanding what those threats are but also then how are we going to handle it when we see those threats materialize?
[00:31:29] Rik: So one of the areas where I know that you have put those skills to work, and obviously, I'm sure you continue to do it in your current role, but you worked with Snyk for a significant period of time, before where you are right now. And I know threat modeling was definitely a part of the work at Snyk. So what are the biggest threats to cloud infrastructure and cloud deployments? How are threat actors abusing, misusing targeting exploiting cloud deployments? And how is that different to challenges that businesses have faced in the past?
[00:32:01] Alyssa: So there's a couple key things one is just this what I call the conflicting motions of that dev sec Ops, cloud native software deployment model, right? So you've got security, we've been talking about pushing left forever, right? I mean, as long as I can remember, it's been pushed left, push left, push left, how do we get security earlier in the life cycle, but with cloud technology, especially, we've got devs, who are pushing, right, like, you know, they're, they're influenced because of things like infrastructure is code containers, where they're defining their images on which their stuffs gonna run. In many cases, they have direct impact on that, essentially, the infrastructure. And then you've got your infrastructure folks, that are typical ops teams who can't just be focused on just bare metal servers and operating systems anymore, they've got to understand the code that drives this infrastructure and how all that's implemented. Now, on top of that, add the complexity of the cloud native world, if anybody's been to the cloud native computing Foundation's website, they have a map of all the cloud native technologies, I have a 36 inch screen back here, I can't fit it in a readable format on that monitor. It's so big and complex, it's insane. And so you think about it, because we have a lot of really cool technologies. But so many of them fit these little niche needs. And so as a result, you've got your developers chasing after the cool new technology that they want to implement. So they can really innovate and create awesome new products. But then we're stuck having to kind of react to that, just like you were talking about before, where we've always been kind of used to dev is bringing us new technology and say, here you go secure it. That is on a whole new scale. Now when we're talking cloud, because everything is brand new, I mean, think about how long has AWS been around, I mean, less than a decade. For all intents and purposes, I know it's a little longer than that in reality.
[00:34:11] Rik: The whole cloud virtualization thing. I mean, VMware bless them have been around for a very long time, but they had a very limited use case in terms of like testing things and doing her malware research. And that was about it right for the longest time. So that whole ecosystem, and then all the other stars twinkling in that that cloud and infrastructure and virtualization containerization sky, which is now a nebula of technology. it's astounding to see and actually is really heartening to see that that massive variety of organizations and the speed with which they continue to appear, has been maintained. Because what has historically always happened in those kinds of spaces is that you see, explosions to carry my galactic metaphor a little further. You see explosions of innovation and then you see great collapses of acquisition, and then another explosion of innovation and a lot more stars. And then suddenly, everything's a black hole of acquisition again, that's, I'm not seeing that the collapses, of course acquisitions are happening. But I think the rate of innovation is faster than the rate of acquisition in the cloud space right now, which is amazing and brilliant, but also part of the problem, right?
[00:35:20] Alyssa: Yes. And that's exactly yeah, you're exactly right. I mean, we haven't seen that level of consolidation, like we typically see yet. And we're Yeah, we do see a lot of acquisitions. But it's even a lot of the acquisition activity, are just small, niche players who are uniting right into into different. And so I think slowly, we're starting to see them grow into large players. But that's going to take some time. And like you said, cloud has opened up such a new world to us, in terms of what we can create an innovate with that it's just growing faster than those mergers and acquisitions can happen. And there's also a lot of uncertainty still, from that perspective, where I think especially a lot of large organizations aren't really convinced that today's top player is going to be there in a year. And so if I invest in m&a and go after this particular front runner today, cloud has set us up in this environment where that front runner is tomorrow's left behind, right? And so it's a lot harder to really pick and invest in the right technology, because no one wants to invest that money and then, you know, some new disruptive player comes through and builds on top of that idea, and innovates it further. And now you're stuck with something that's basically legacy.
[00:36:43] Rik: So I want to shift gears for a second for a minute I want I know, this will probably be a short answer, because I don't even know if I'm allowed to ask you it. But I'm going to
[00:36:52] Alyssa: Okay.
[00:36:54] Rik: Um, you your work on threat modeling we spoke about and the manifesto that was published. There's something else in the works.
[00:37:03] Alyssa: There is and yeah, I can't get too deep into it yet. They're actually meeting right now, while I'm here. So there's my day. Hi, everybody. So um, no, there is a working group that we've brought together. And we are working on this idea of security champions.
[00:37:22] Rik: And it's something you've spoken about a lot in the past, right? So
[00:37:26] Alyssa: I've done a lot of work with I haven't done a lot of speaking on it, quite honestly, from a public speaking perspective. But I've done a lot of work in the past in a couple different roles, building security champions programs within different organizations, I was in consulting for eight years. And so
[00:37:42] Rik: What is it the that is different to the way that security functions in a business right now?
[00:37:50] Alyssa: So really, security champions is entrusting and empowering your engineers and your business staff to be a part of the security solution and drive some of the things that traditionally we relied on security for. If you think in terms of where we do static code analysis, or things like that, in the past, it was all you know, info security would run those tools. And then, you know, they would have to probably do some level of false positive validation and whatnot, putting not only those tools, but the process and the responsibility for that into the hands of the engineering teams. And then letting these members, these champions within this, the engineering teams and within the business, kind of drive the security discussion. So they're accountable for the security of the software, but they're empowered to make decisions. And they're empowered to drive that awareness and ensure that the necessary steps are actually happening.
[00:38:47] Rik: Taking your role or like taking a BISO role and fragmenting it across the business almost.
[00:38:52] Alyssa: It's kind of taking like a federated model, essentially, toward application security. How do we already I mean, and in some cases, organizations leaving leverage if rather than leverage it into operational security as well. But in our case, at s&p, what we're looking to do is really build out this capability where we augment the function of our security teams, by bringing a lot of that work internally and putting it on the shoulders of key engineers who have that deep experience in our development teams and within our development processes and so forth within the business, but understand security and and are accountable for it, so that it ultimately drives efficiency, right? Because when I'm looking at things I think might be a false positive if I've got somebody who's familiar with the code, who can also be accountable for security, and and trusted to look at it and say, yes, that is a false positive or no, and here's why. I don't have to rely on a security team who's thinking in a much broader sense of a much larger organization and doesn't have the familiarity with that specific code base. That's what we're getting to.
[00:40:18] Rik: One of the questions that we had in is, what are the challenges of I mean, of your role in particular, but I guess even if that borg role, what are the challenges that you face when you're trying to do that translation? Either way, business to security, is the beauty of the business, what what are the big hurdles?
[00:40:32] Alyssa: So this is fun, right? So this is surprising to me. When I came into the roll, I was expecting that my biggest challenge would be driving the security discussion into the business, you know, I figured trying to how do I get this secured? How do I get the business teams to be receptive to it? The thing is, right now they actually are what I found is my my business, my engineering teams and so forth, are very receptive to the security discussion. So my biggest challenge there is right now, it's very reactionary, it's you know, it's something comes down from either a regulatory perspective from the security team from the risk management team something the and and it's okay, we have to go react to this, we have to spin up a project when we need to do this thing. So in that sense, it's driving a culture where we're more proactive, and we're really thinking ahead, and we're not thinking about individual controls, or individual requirements or things that we have to hit we're thinking about, if we do the right thing, architecturally, and strategically, it will then in turn, address all of those things. So that's tough. But where I'm having to spend a considerable amount of effort that I didn't think was going to be as big a challenge is going the other direction, and really elevating business context to my security team. That's a hard silo to break, because security teams are used to that model of, well, ultimately, we just say no, and they have to listen, well, it doesn't work that way. And so really helping them where they don't unfortunately, get the kind of visibility that they would like to have into the business, I'm having to have a lot more of those conversations, to really help them see how, okay, if you go this route, and you decide to do this thing this way, yes, from a security perspective, it's the right thing. But here's how it negatively impacts the business. And by negatively impacting the business, it's going to reduce the effectiveness of what you're trying to accomplish. So let's build this with the business context in mind in a way that the business can adopt it more effectively. And you'll be more successful in what you're trying to accomplish from that security perspective. So there's a lot of conversation there, that has to happen.
[00:42:47] Rik: Yeah, there's a question that kind of springs to mind immediately from that, obviously, you know, traditional security mindset is allow this deny this, right, that's, that's the old school mindset for secure these things are okay, they're allowed, these things are not okay, we're gonna block them that they're not allowed. And obviously, you're developing philosophy. And I apologize, because I know that it's a big marketing buzzword as well right now. But things don't get to be marketing buzzwords, unless there's some substance behind them that tends to view the reality. A lot of architectural conversation right now is focused around zero trust. So would you say with those conversations you were talking about, you're actually trying to shift the security mindset from being allow this deny this mentality, whatever you want to call it to more of a zero trust mentality, we must build this system. But we will just assume that anything using this system, this process, this, this part of our business, is totally untrusted. And we'll build security that's able to authenticate, able to investigate able to make decisions on a dynamic and ongoing basis, shifting the security mindset in that way.
[00:43:55] Alyssa: Yeah, I mean, if you look at zero trust, and that that whole model on how that really functions at its core, it is something that has to be implemented very strategically, like you don't just sort of start to do little tactical pieces of zero, Just here and there. Because if you do that, I mean, you break everything, you have to understand how your systems work together, where those boundaries are and how you drive them. Now, you may start by setting high level boundaries that are very broad, and you know, you've got big trust boundaries, and you slowly contract those down to individual systems, and then individual services and then individual resources. You know, that's the mode you want to move in. And that's exactly what we want to do from a security perspective, regardless of what we're talking about whether we're talking about application security, or anything else. It's how do we start by just doing something that we can handle today that's going to work, it's going to make us a little bit better, and then continuously improving over time. That's the big thing and I always tell my favorite term You know, people kind of give me a little crap for once in a while, but see other CI, right? So you got CI CD, continuous integration, continuous deployment. What about continuous improvement? Hmm, doesn't whether, you know, if we're talking CI CD, we should have that feedback where we're constantly improving our pipeline. But applying that to security, our goal really has to be we know we're not going to secure everything tomorrow. We are there is no end state for security. I think we've generally accepted that now that there's no point where I'm ever gonna stand up and say, I'm unhackable. And if we know
[00:45:34] Rik: You're secure, now, you can all go home.
[00:45:37] Alyssa: Yeah, exactly. I mean, my job secure, like, we're going to be doing this longer than I'm going to be alive. And that's, that's the thing that we you know, so our focus has to be just how do we keep pushing forward on that? How do we keep getting better tomorrow than we are today. And that's what our approach to security has to be. Because if we aim higher than that, we set unattainable goals. And that's where we lose credibility, we lose credibility with our executive committees, with our boards, with our businesses, because we say we're going to do this thing. And then we get breached. And we're not recoverable. And we spend millions and millions and millions of dollars, trying to get back to business as usual. And, you know, that's where that's the biggest threat to me from a security perspective is just that, that overstatement of what we're capable of. And then the lack of resiliency,
[00:46:32] Rik: Particularly the case with the current and ongoing for a number of years now. ransomware epidemic, right. I mean, that spending millions of dollars to get back to where we were yesterday. That's absolutely the state of affairs in operational security right now and it's a terrible place to be. One of another question I can see sitting over there on the right hand side of my screen, which is a nice, blunt one. And I guess it refers to the my introduction of you at the beginning of the show. Is that I said you were a defender of privacy. Do we have any? Is there anything left to defend?
[00:47:10] Alyssa: You know, not really, I mean, what, but what's sad about it is that we as consumers have allowed that to happen.
[00:47:20] Rik: Yeah, totally.
[00:47:22] Alyssa: We've, we've gotten to this point now, where we do you really truly have to rely on governments and regulations to, you know, try to cause some of it back and with varying degrees of success. And I mean, I don't mean to blame consumers, because quite honestly, the fact of the matter is, we had, you know, commercial environments that didn't care, who just wanted to get their products out as fast as they could. We had consumers who demanded those products as fast as they could get them. And we gobbled them up, because we just wanted the coolest, newest, greatest wonderful thing that was on the market. And as consumers...
[00:47:57] Rik: We wanted it for nothing as well, right? We wanted to use it for free, right? We don't want to pay for Facebook.
[00:48:04] Alyssa: Yeah. Oh, could you imagine? I mean, if we were told tomorrow, you'd have to pay $20 a month or you know, whatever, to subscribe to Facebook, people would would lose their mind. Yeah. And honestly, I still think unfortunately, even today, if you said that, you said in exchange for not giving up any of your personal data, like Facebook was going to sign off on collecting any personal data. If you paid $20 a month subscription, I would be willing to bet that 80 to 90% of the consumer base would still not pay for it and would still gladly give up their personal information.
[00:48:37] Rik: And the crazy thing is even at $20 a month Facebook are probably making a loss.
[00:48:41] Alyssa: What they put in advertising. Yeah, I they probably would. But but that's the thing. It's I think, as consumers, we get upset, we count on those organizations, and rightfully so quite honestly, that if you're going to collect my data, you're gonna protect my data. What we didn't understand as consumers was that most of these businesses, one weren't ready to do that. Two. Didn't care enough to really want to do that, because of the costs associated and so forth. And three, you know, they were even, you know, maybe overzealous themselves and what they thought they could accomplish in terms of protecting the data that they were collecting, and so forth. So there's, there's, there's no one cause I can't blame business. I can't blame consumers for privacy, in a traditional sense, is really lost. And even in the public sense, and we look at what I mean, look at the number of cameras, you've gotten London today, just monitoring the streets. And now we see facial recognition technologies coming into play and artificial intelligence is a part of that and it's a little terrifying that can I even walk out of the house anymore and then I voluntarily walk out of the house. With my personal locator device that you know, tells anyone who needs to know exactly where I'm at at all.
[00:50:07] Rik: I love that. For me, it's easy to laugh at conspiracy theories and conspiracy theorists. Because some of the inherent illogic in in the theories themselves and one of my favorite ones has been the government's the whole pandemic thing, right. And the government's are trying to make us wear masks and trying to get us used to wearing masks so that we have to wear masks all the time, when they also believe that conspiracy theories about the government surveillance of all of us and facial recognition, so you can't have both right? I got my phone doesn't know who I am when I'm wearing a mask, let alone the government. I mean,
[00:50:38] Alyssa: exactly. I mean, the whole mask thing is, like antithetical to what most governments are trying to do right now. Right terms of being able to trace people and all the rest.
[00:50:49] Rik: I mean, we see some great legislation. I know, there's some really good stuff in draft in the European Union about, about surveillance in general, as the privacy legislation regulation, which is really, really good. And there's a draft bill, or it's being drafted right now around where is it acceptable to use AI? And where is it not and in not only in what use cases, but on what kinds of data as well. And I really feel like, regulators and legislators are no, maybe not getting ahead of technology, but they're getting much better at staying only one step behind instead of several which is, which is really, because GDPR took a long time to come to come into fourths and to be to be built. And it's not perfect. It achieved a lot of really good things. It's obviously it needs an overhaul, and the privacy is going to be part of that. But I do I have some hope for privacy. And another thing that gives me some hope, and I'd be interested in your take on it is the multiple private enterprise initiatives to enable individuals to reassert control over their own data and be able to monetize it for themselves? Did you know what I'm referring to without?
[00:51:56] Alyssa: Yeah, I've seen a little bit of that activity. Um, you know, I admit to not being super familiar with it at this point. But I like just the whole concept in general is really where we need to go. And that's, I mean, you mentioned GDPR. Before that, that's actually one of the things I really like about GDPR. And I know a lot of people like GDPR is horrible. It's the worst thing in the world. I keep getting prompted every time I visit a website about cookies, and it drives me crazy, whatever. Yeah. Okay. So yeah, there's these little tactical implementation things that maybe don't work out so great. And it is hard for businesses, right? I mean, the whole idea of having to respond to a data subject request, um, you know, that's hard. Yeah. But that's what businesses should have been doing all the way along had business
[00:52:43] Rik: Course in good practice, right? It's making people putting put in place systems that they should like is it shouldn't happen.
[00:52:49] Alyssa: I know if I collect this piece of data from you, I know everywhere it traverses in my system, I know where it's stored, I know where to go to get it and where to destroy it. Yeah, EPR. And now in the states with CCPA, kind of following that same model, like you said, it brings back that control. And so now that we've got kind of a consortium of folks in the private sector, and I think what a lot of what's driven that, honestly, has been the fact that GDPR and CCPA are such a pain in the butt. Right? Because it you know, governments are now taking control, I think I'm slowly seeing that industry is getting smarter, they're realizing that if they don't get ahead and do the right thing, the government's gonna come down on them and force them to do it the governmental way. And that's not always the way that they want to do it. And I've been screaming this, you can go back to like, the Was it the early 2000s, when we were fighting over mp3 is with ERA, right? And I kept saying, like, Alright, hey, if you were smart, you would figure out how to release individual tracks in a digital format, where you control licensing, because what's going to happen is the consumer market is going to drive you into that anyway. And yet they fought it. They went after teenagers who had large libraries of music, and what they missed out on and they ended up having their hands forced, and Apple help them with iTunes was, hey, if we get ahead of this, and we start to say, yeah, you don't have to buy a whole 15 $20 cd full of a bunch of tracks you never want to listen to, you can buy the two or three songs you want. And then maybe listen to the others on demand or something like that, and decide if you want to buy them as well. You can preview those songs.
[00:54:34] Rik: Yeah, it strikes me the whole industrial transformation is a great allegory for the BISO role, actually, because you look at how the music industry used to work and how people used to purchase and consume and pirate on cassette tapes, music and then the transformational period that whole industry went through the Napster or the donkey time to where it is today where we don't even pay for music anymore. We pay for the right to access music, and if we stop paying, we don't have any more music anymore. I mean, people are okay with that. And security has to have been an has been a huge part of that transformation of the the entertainment industry in itself. And there must have been all of those conversations between the business and security, here's how we think we can still monetize music, here's how we think we can still have a business and the security of the guy, well, if you do it like that, then there's still going to be opportunities for piracy, there's still gonna be opportunities for theft and distribution. Here's how we secure the supply chain. Here's how we secure the technologies, and it's probably an ongoing conversation, I'm sure that the infancy of a BISO role was probably in that kind of industry, right? Because it's such a massive transformation.
[00:55:46] Alyssa: I mean, I think so in some degree, right? Because Sure, security teams, or the security practitioners had the knowledge of things like cryptography, and and you know, things like
[00:55:57] Rik: DRM
[00:55:58] Alyssa: necessary components just to make this thing happen. And so they had to work with the business to understand what are you trying to accomplish? Is this going to be sufficient? Okay, here's your threat model. Right? So you go down this path, and you you do this, you, you leverage the HDMI infrastructure in this way, and here's how people could still pirate things, or here's how you're going to have to protect certain components of that technology. Yeah, here's how you're gonna have the you know leverage licensing. So we're going beyond just traditional technology. But what are other ways that we can manage these threats? And yeah, I mean, it's all the same thing. It's that you can't have you can't run a business, where you have silos who are so focused on, this is all I care about, I don't want to see anything else to the sides, I'm just writing you're in my swim lane. That's all I care about
[00:56:49] Rik: challenge solution. And that's all I'm doing, I'm going from here to there, you will stay away from me,
[00:56:53] Alyssa: you need that specialized knowledge. But you also need the broader knowledge of what your business is actually trying to accomplish, and what's important. And everybody has to have that shared responsibility for making all of that work together. So when I think in terms of dev sec Ops, so I'll bring it back to the security discussion. I think in terms of dev sec Ops, I can't be in a dev sec ops world as a security practitioner and say, my job is making sure my software is secure. Right? Well, my job is making sure it's secure, I also have to make sure it gets to production quickly, I also have to make sure that when it's in production, it's stable and available. That's all on me. It's also on my ops teams, it's on my dev teams. But my dev teams are also responsible for making sure it's secure. My ops teams are making sure it's secure. We're all making sure it gets to production fast. We're all a part of that same shared goal.
[00:57:47] Rik: And that whole conversation that makes me think two things that's first, I remember living through the whole Napster thing. And if you've never heard of Camp chaos, and metalli greed, then go look for that on YouTube, because that's a great illustration of what was going on at the time, Camp chaos and metalli greed. And there's a whole series of those metalli greed things. The second thing, what you're talking about, everyone's responsible for everything. And we're not, you know, being blinkered and having individual challenges, individual skill sets. That leads really perfectly on to talking about skill shortage. And I know you have a lot to say in that area. And I have my own backstory there as well, where, you know, like I said to you yesterday, if I were trying to start my career today, as the person I was when I did start my career in 1994 I wouldn't get a job, I would not even get a foot on the ladder, I wouldn't get started industry, let alone a career that lasted for the rest of my life. So that's that's my my backstory you have something similar, but in general, your take on? Do we have a cybersecurity skill shortage? And if we do, is it solvable? And if we don't, what are people talking about?
[00:58:58] Alyssa: Hard to say the exact numbers we actually have a shortage but it is definitely way overblown from what we think it is. In the sense that we've created a shortage that we have, we've created ourselves, and we've created it because we don't we don't do a very good job hiring. Um, you know, our hiring model is unsustainable, and it's just wrong quite bluntly. You know, we think about what's going to make a candidate successful in a role. What do we think about what degree What experience do they have, what certs Do they have and what technologies have they worked with? And we see that in job descriptions, right? Yeah. Anyone who follows me on Twitter has seen you know me blast out once in a while these ridiculous job descriptions. In fact, I've got an RSA talk later today where I'll share some of them. You'll one that goes on for three pages, listing out all of the requirements and everything that that person is going to do and it's like, okay, who's this unicorn they don't exist and the reality Think about all the technologies we use, you're never gonna find that person that comes from one organization use the exact same technologies you did. Right? It doesn't happen. So we have to stop thinking about you know, the technology so much as more of those what I refer to as core transferable skills, people just shorten it to transferable skills, but what is it that you learn in your previous roles? What are those characteristics that would make you a good candidate in this role? So not? Yes, you need the technical aptitude, right? I mean, if you're not somebody who has that logical mindset that really fits well, in a technical role, you probably shouldn't be in a technical role, necessarily, you may also fit somewhere else in cybersecurity, and we need to recognize that too.
[01:00:45] Rik: Yeah.
[01:00:46] Alyssa: Um, but you know, we need to look at that. So the, the classic example I use, and people are going to kind of roll their eyes in the UK because unfortunately, the UK Government kind of screwed up this metaphor for me
[01:00:59] Rik: Surely not, surely not
[01:01:01] Alyssa: The idea of a barista, okay. And I know, there were the signs about it, and some campaign that people UK were not happy with. And it was awful. but bear with me for a second because I always use this as one illustration of how a barista fits well into a SOC analyst role. If you take a barista and think about, you know, think about Starbucks, or you know, some other very busy coffee shop like that, think about what they do all day. They're taking inputs from multiple sources, right? I mean, it's coming at them from all directions, they're having to process all of those inputs, translate them into tasks, and then prioritize those tasks in a way that they can execute them in the most efficient manner, and respond to it, and then deliver a result that's acceptable for their customer in the most efficient way possible.
[01:01:52] Rik: Every single time.
[01:01:53] Alyssa: Every single time. And all the while, they also have to be planning for things like maintenance activities, and all that sort of thing. Isn't that exactly what I want in a SOC analyst?
[01:02:02] Rik: Yeah, totally.
[01:02:04] Alyssa: So when you put it in those terms, you think about that way? It's like, okay, so as long as you have the technical aptitude to learn things, like, you know, SIM or Splunk, or whatever it is that I'm working with, you know, you know, whatever the tools are, if I'm using security onion or whatever monitoring tool, everything else, I can go on for days, all the technologies, but I can teach you those, how many times have you heard a hiring manager say that? Well, I can teach anybody they got to have passion or something like that? Yeah, well, passion is nebulous. Let's look at the real deal. What have they actually done in their past? How does their mind function. And oh, by the way, to someone who's worked in, say, a retail role, or a barista role, or has worked in architecture, like buildings, you know, physical architecture, they have really unique and diverse perspectives. That really helped me out from a security perspective, because security is all about problem solving.
[01:02:59] Rik: Yeah.
[01:03:00] Alyssa: And to truly do a good job of problem solving, I need people who look at the world very differently, we can't all be the same. And this is why diversity is so damn important. And the fact that we have so many underrepresented groups who could bring us strong perspectives, that, you know, sorry, us white folk just don't have right or male, don't, you know, male folks don't always have.
[01:03:26] Rik: We're all different, we all have a unique perspective, we will have a unique background, we all have something valuable to bring. And if we only focus on taking the value from people who are like us, then we're missing out on the vast majority of all the value that's available. It's the most ridiculous mindset in the world.
[01:03:43] Alyssa: And you can't just say diversity of thought, yes, you want diversity of thought. But how you get there is you have to be delivered to people experience, backgrounds and culture and so forth. You can't take a bunch of people who all grew up in suburban white America, and put them on a team and say, Oh, you're gonna be my diversity of thought.
[01:04:02] Rik: Yeah
[01:04:03] Alyssa: Doesn't happen.
[01:04:04] Rik: So it's a really, it's a striking and marking note to come to a close on. Because we have been talking, I've just checked, we have been talking for an hour. And it feels like it's been 15 minutes. But I wanted to ask you had this in the back of my mind at the beginning to have one like closing question. So as like, final thoughts, 2020 and the beginning of this year, as well has been quite a ride and completely unfamiliar territory for most of us. What's the biggest lesson you've taken from the last 18 months? What What is it taught you? It's taught all of us so much, what's your biggest takeaway from it?
[01:04:46] Alyssa: Honestly, the value of just human interaction in so many ways, right? So I mean, we can think about it tactically in terms of our business and you know, people not being in the office or being able to see each other and exchange ideas, but honestly, on a much grander sense just how much it impacts our ability to work. Right? And when we don't have that, that human connection, I mean, I know people are like, Oh, so this is what I've been working from home for the last nine years. And you know, people say to me, oh, listen, I understand what it's like to work from home. No, you don't. Because these last 18 months have not been the work from home experience, right? That it has been insane. We've had parents who are having to school their children and and deal with very young environments that aren't ready to work from home. I mean, I'm fortunate I've, like I said, nine years, I've got a great environment here to work from home. And not everybody does.
[01:05:45] Rik: Yeah.
[01:05:46] Alyssa: And so it's a very different experience, and then not being able to go inside the home being in various stages of lockdown, having to deal with all the uncertainty, the fear, everything else. That's not a normal work from home condition. And it's really impacted us. And I think it did two things. It gave us some very significant security challenges, right. I mean, we had just the idea of so many people being remote now, and, and that increased attack surface. But it also allowed us to really pivot and identify what is actually key to our business, especially from a security perspective, and where they're, I think the businesses that did the best in this, were the ones who took a look at it and said, we're not going to react to this, we're going to take advantage of this, we're going to take advantage of we've got this situation where offices are empty, where people are connecting with VPN, and we're leveraging cloud to a much greater degree than we ever thought we would have to before. So how do we take that and build models off of that, that we can use in the long term? And I mean, at S&P, that's what we've done, we've had to react. So things like where, you know, we have contractors who used to connect over, you know, maybe maybe have contractors to connect over like a private line or something. People are not leveraging things like AWS workspaces or VDI technologies, for those people who are outside your org, but you have to give access to your organization's network. How do you do that in a more secure way? Well, I look, we learned we can do this with cloud. So we're gonna leverage that going forward. Right?
[01:07:20] Rik: Yeah.
[01:07:21] Alyssa: Those are the kinds of things that I think, you know, like I said, the organizations who took advantage of that, who saw the, the chance to really innovate and improve, are going to see long term benefits and dividends paid by doing that. And it's going to improve some security posture in really meaningful ways.
[01:07:45] Rik: Fantastic, Alyssa, it's been an absolute pleasure. Thank you for taking so much time out of your day, and giving everyone who's watching so much valuable content, allowing all of us to benefit from your experience and your wisdom. It's been an absolute pleasure.
[01:07:59] Alyssa: Yeah, absolutely. I mean, it's an honor and a pleasure for me as well. I mean, I really appreciate you asking me to be on and let me kind of pontificate on a bunch of different topics today.
[01:08:09] Rik: It's all good. And hopefully, we'll catch up in person at some point probably next year.
[01:08:14] Alyssa: I hope so.
[01:08:15] Rik: See you thank you very much.
[01:08:18] Alyssa: Goodbye.
[01:08:20] Rik: So there you go. another hour gone by in the blink of an eye, just in time as well, because I can hear that my daughter has just arrived home here we are in the pandemic, in the pandemic world of working from home, if you heard her joining in the broadcast, so much the better. Please join us we have a whole series of these at least another five episodes in this season, who knows maybe more to use an English colloquialism. Next week's episode is also going to be a Corker. I will reveal who that guest is very shortly. For now. Enjoy the rest of your day. Thank you for joining us. I've been Ron Burgundy. You stay classy.