Adopting Zero Trust

Catch this episode on YouTube, Apple, Spotify, Amazon, or Google. You can read the show notes here.

Over the past two years, we’ve explored the ins and outs of Zero Trust, ranging from the concept as a strategy down to the more technical components, such as how it impacts the physical world as found in IoT devices. However, what is often missed in these conversations, is at what point an organization can actually build trust.

Not just crawling up from the baseline of zero but achieving continuous trust. The short answer? Defense in depth, building security in layers, and ensuring every 1 and 0 is secure at the offset while continuously monitored through automation.

And this is where we get to introduce this week’s guests, who were kind enough to be pulled away from a busy conference. This is also a special episode for us, too, as it’s the first in-person interview we’ve done since launching this series. Live (June 22, 2023) from Drataverse, we have Daniel Marashlian, the co-founder and CTO of Drata, Ty Sbano, the CISO for Vercel and an angel investor at Silicon Valley CISO Investment Group (SVCI), and Matt Hilary, the Vice President of Security and CISO at Drata.

Key Takeaways

• What worked yesterday may not work today - Continuous trust means continuous verification

• Zero Trust is about establishing knowns between two entities that may not know each other

• Security and layers: It is just as important to have the right infrastructure set up externally as are considerations made regarding internal systems.

• Security should be included from the outset when building products, and it's important to include security in discussions about new architectures and methodologies.

Editor’s Note

Who would have guessed it only took building a risk and compliance summit, having a direct need for a threat intelligence expert to present on ISO 27001, and a Flipper Zero as a bribe to finally get Neal and I in the same room. We’ll also certainly look at bringing these guests on for a longer conversation in the future, as the concept of building trust needs a closer look. Anyways, we’re officially back up and running at full steam, and our show notes will have our standard flavor again. We also just wrapped a whale of a round table discussion, but we’ll be saving that for late August. Hint? John Kindervag, Chase Cunningham, and Richard Bird.

The Security Onion

In theory, you can start a Zero Trust journey anywhere. So how do you narrow down what makes the most sense for your organization? In past episodes (a lot of them), we often hear from experts that inventorying information, assets, objects, and identities are crucial elements.

If we look at George Finney’s book, Project Zero Trust, he suggests a more approachable strategy starting with non-business critical area that can be improved. From there, it’s anything from improving identity access to securing how users are accessing information and ditching VPNs.

“Security is in layers, Defense in Depth, right? And I'd usually have an onion layer chart that said, Hey, this is your perimeter, and as your inside and your cloud service provider be a layer, your third party could be a layer. Gosh, your database is another layer,” said Hillary. “And people are like, wait, you're still taking a perimeter-based mentality? I'm like, no. Tactically speaking, to start with zero trust, you gotta start somewhere, right? So why not harden that external piece and then move in if you really are limited on resources?

Continuous trust plays a critical role in shaping how a company builds their cybersecurity strategy. Building trust between two entities that may not know each other is at the core of Zero Trust. This means breaking down the technical components of a network not to trust every component as we did before. It also means implementing security in layers, both externally and internally, and continuously evaluating and updating these layers to ensure they hold up against new and emerging threats.

“So let's talk about our threat model. When it comes back to this kingdom, right, this castle that we're building and where we keep the crown jewels, the reality your moat might fail. Your bridge might fail, your security gate will fail. You know, there's a lot of things that will fail, but in, in the, the, the actual practical implementation of a lot of what we end up doing is continuous trust, right? So those layers, while they worked today, or they worked yesterday, Are they gonna work tomorrow? Will they hold up to the DDoS attacks that are happening at petaflops and terabyte? Like, it's just crazy how much speed that we're seeing now, and it's, it's a challenge that we get to partner with businesses to establish this ideology of, of risk-based discussion,” said Sbano.

A Culture of Security (With a Dash of Healthy Paranoia)

If you listen to our show there is a high probability that you’ve gone through security awareness training at some point, and nearly as likely to have been the willing recipient of a phishing simulation. You may even be involved with deploying them. For these administrative controls to be effective, the content alone will only allow you to check a box. To truly enable organizational-wide vigilance and reduce the impacts of social engineering, you need a culture of security.

“Our security team has like built this army of I think we're about five, 600 people now of like paranoid people. Like they, they keep asking security people, can I click on this link? Like, is this email okay? Can I, can I use this vendor? And, and it's just part of that culture that even if you're a marketing specialist, and you came into Drata in a security industry for the first time.”

Speaking first-hand to Marashlian’s point, when it comes to phishing simulation day, the alarm bells go off immediately internally. But even beyond that, if this team even catches wind of an unexpected email, alert, and most certainly a text message asking for gift cards, this 600-strong paranoid army will not hesitate to verify its status. Having been in other companies that tried to do the same, but in an overly extreme manner, it can also go too far. Healthy paranoid? Excellent. Terrifying your employees with a phishing simulation that is a bit too personal and almost results in calls to 911? You may be going too far.

This is all to say that to build a culture of security, you need it ingrained in your culture, fueled by appropriate levels of awareness and education, and it has to be a priority.

Episode Transcript

This transcript was automatically created and is undoubtedly filled with typos. As usual, we blame the machines for any errors.

Elliot: Hello and welcome to another episode of a AZT or adopting Zero Trust. I am your producer Elliot Volkman. And today we truly do have something very special in unique for you. To the extent that this episode's gonna be a little bit shorter, because we did have a pretty small window of time to record.

But that being said, this was about three years in the making a year and a half ago. Neal and I have started off on this journey to build a podcast together. Three years in total. We worked together, but we finally got to actually meet in person. So all it took was building a user conference for Drata which took about six months or so and an opportunity to talk about threat intelligence to finally get him in the same room as myself.

However, this is not about us. This is about three amazing guests that we were able to pull out of a very busy conference who gave us a little bit of time, and of course, their insight into zero trust. So in just a moment, you'll be properly introduced to Daniel Marashlian, which is the co-founder and CTO of Drata.

Also a successful exit from an ed tech company. Ty Sbano. The CISO for Vercel is also an angel investor at S V C I and Matt Hilary, who is the new CISO for Drata. So with that being said, Neal, off to you.

Neal: Thank y'all for joining us today. We're gonna have a pretty open and candid discussion about Zero Trust and what it means to y'all, and then we'll kind of go back and forth, have some good q and a, hopefully, and we'll kind of figure out where it goes.

This is very open, very informal, and we just wanna keep it as pretty, you know, candid as possible. Appreciate it. So if y'all wanna go ahead and throw out an intro real fast and then we'll, we'll get moving.

Daniel Marashlian: Sounds good. This is Danny Oshley and c t o and co-founder of Drata.

Ty Sbano: Cool. My name's Ty Sbano. I am the Chief Information Security Officer at Vercel.

Also Angel Investor at Silicone Valley CISO Investment Groups. I've been in the game for about 18 years.

Matt Hilliary: And I'm Matt Hilary. I'm our Vice President of Security and CISO here at Drata. Oh, you're

Neal: gonna get picked on a lot. Yeah. Awesome. Well, so once again, thank you all again for joining us on this adventure here.

And so I, I guess I'll just go ahead and get kicked off real fast. If y'all want to take a couple of seconds, minutes, whatever, to kind of define what y'all feel. Zero. Trust is positive and negative. That's the whole intent of the podcast to go on the journey and just kind give us what your high level thoughts are on it first, and then we'll see where we go.

Ty Sbano: Yeah, so I feel Zero Trust has been one of the names that has stuck pretty well for security. I know it's originated from a fair amount of Netflix play, but in the reality of when we think of where we start, it is at Zero Trust or how do you establish trust? The early part of my career was in banking, so I dealt with a lot of F F I C occ, like all these acronyms, they don't actually matter to anyone listening unless they work in the banking industry and they feel my pain.

But the, the reality check is that when we think about authentication or we think about systems, how do we establish trust or communication? It's no different than you leaving the dmv. With a driver's license that says you can drive cuz you got it from that place. It's no different than going to a website and reading the certificate, SSL certificate to say that this is legit because they went through a certificate authority.

For me, zero trust ends up becoming, how do we establish known knowns between two entities that may not know each other. So if we're showing up and I meet Daniel for the first time, like how do I know this is actually him? Does his profile look the same as it does on LinkedIn? Is it the same person on Twitter, or is this a fake persona and someone that's been masquerading as the, you know, co-founder of Strata for the longest time?

Probably not. But again, that, that comes through time. And as I've gotten to know Daniel for a couple of years, it's, it's cool to understand how you develop deeper trust as well. So going from no or zero trust to deep Trust or trusting someone, I think that allows us to take that narrative to the other side.

But most security practitioners, we start with zero. Or negative sometimes, depending on some of the luggage we carry.

Neal: So I wanna make sure we come back to the deep trust discussion here down the road. I, I like that terminology. I like the thought around that. So we're gonna revisit Daniel, please.

Daniel Marashlian: Alright.

From my lens, I think zero trust is about, I mean, again, starting with with, with Zero trust, but, but it's about trust but verify. So as you implement authentication tools and who this person is, there's so many layers you can add on top of that to eventually gain and build that trust. So whether it's from a browser or a device or a network you know, how did, how did this person log in in California and within 40 minutes, log in from Amsterdam.

So not, you know, not just layering a password, but you know, actual distance to, to device authentication. And so I think there's just these like multi-layers of trust again, there that, that no trust. Then there's these verification chains up. That's how I view it. Nice.

Neal: Let's throw it over to the actual security guy for a minute.

He's the

Matt Hilliary: actual security guy. Damn. I like Ty's opinion. No. In fact, I think the.

Ty Sbano: I'm a stand, I'm a stand-in. I'm not this guy you mentioned, they just found me at Dread Averse. I don't know what I'm doing here.

Matt Hilliary: We haven't yet verified your identity. I think most of us think about zero trust from the progression standpoint into how we started talking about this.

Many of us have secured organizations where we thought, Hey, the perimeter is the most important thing. And once you're through the perimeter, we're generally trusted internally. And so as a result people realize, oh my gosh, like the internal network is just as important to secure. From point to point and network to network and user to user and level of authentication for those users inside is just as important as outside.

I think previously, a long time ago, we'd usually think, Hey, you know, if I have a VPN service and that will just connect me into our internal network. And an internal network I think would sometimes comprise of your office network. In addition to your AWS network or whatever your cloud service provider network are, your production network.

And, and sometimes they may have delineations there between the networks to trust that and giving, you know, certain folks the access to your production environment versus your corporate environment. But in reality, I think it became pretty apparent that we needed to secure internally. The only thing I would add there is, I think it was just even at reinforced last week, AWS just claimed like, Hey, we were doing zero trust before.

Zero trust was a thing, right? I think was what CJ was talking about at reinforce. And the main thing there, they're. Purpose in bringing that up was talking about how they've broken down the actual technical components of the hypervisor that they've used internally to really not trust every component like we did explicitly before.

Cuz originally you know, once they found a vulnerability in the hypervisor, all of their dom, you know, do Dom U units or Dom zeros, like they had to go basically patch all of those across the whole cloud and, and that was painful, but, When they started breaking out those components, they were able to then trust those components separately so that we could have that more firm kind of trust across the board.

But I think it's just breaking it down to the component, to the network, to the user, and then trusting all those separately at the point of au

Neal: No, that, that's definitely fair pieces. So I think that's a lot of things that people forget about. It is, You can have the right infrastructure set up externally, right?

Even zero trust, whatever, but internet facing things. But what do you do internally? And I, I honestly believe that's a piece that no matter what security posture we're doing, it's kind of a net new concept for unfortunately the security and layers approach. We see people talk about security and layers.

We hear people talk about defense in depth from the military perspective. And when we start to apply that from the technical perspective on our network, people go, well, I've got my, my dmz. I've got the next layer past the dmz, whoop de do about everything else. Right. And I, I still think today people miss that picture.

So the defense and death mentality, which gets us into your key phrase over here with deep trust a little bit and what that implies. So I kinda wanna dive into this a little bit about the importance of, of that security and layers approach within zero trust and, and security in general. So, you know, let's kind of go within that rabbit hole for a few minutes around why the importance

Matt Hilliary: of that.

Yeah, no, I, I'm glad you talked about the layers because I used to talk about, hey, security is in layers, Defense in Depth, right? And I'd usually have an onion layer chart that said, Hey, is your perimeter and as your inside and your cloud service provider be a layer, your third party could be a layer. Gosh, your database is another layer.

All the various pieces are different layers, and you. I would say that, and people are like, wait, you're still taking a perimeter-based mentality? I'm like, no. Tactically speaking, to start with zero trust, you gotta start somewhere, right? So why not harden that external piece and then move in if you really are limited on resources?

And so generally, tactically speaking, I still have focused on the perimeter on the outside to make sure, like literally, I. Logically walk the perimeter to say, Hey, how many ports do we have open? What services are we running there? Are they vulnerable to known vulnerabilities that are out there? And just know that that is generally known, hardened.

And then move internal to the next layer, and then move internal to next layer. And it ends up being a. Yeah, quite a bit of work, but you know, again, I've been at companies where we've had limited resources and so starting there and then moving in has been helpful. Granted, I wish, you know, an ideal world, we would treat all of them truly separately and then focus 'em all at the same time.

But we only have so many, you know, people to attack it. I think that's the main thing that I was gonna mention there.

Ty Sbano: Yeah, I, I appreciate the security onion, and I think that gets lost sometimes on people when you talk about onions. But the idea of having multiple controls, for me, the, the narrative, especially with training like early engineers 10, 20 years ago on security concepts or secure coding training for me it starts with a castle and the crown jewels.

I think it's a little bit more. Easier to consume with understanding a tax surface. So when we start from the outside in, what's on the perimeter is a really important conversation versus what's inside the data center. But the trade offs that we talk about is like, do I deeply trust everything in my dc I, I don't know.

And, and I think that's always a conversation to understand the history of the company, but if there are some tribal agreements, Handshake deals that say, this is how we operate with one way SSL in the dc. And you're like, I don't know if I would agree with that approach, but if that's how we've done it historically, I'm not gonna just change that overnight because there's a lot of underlying factors that I can't get to deep trust from my stance.

So let's talk about our threat model. When it comes back to this kingdom, right, this castle that we're building and where we keep the crown jewels, the reality your moat might fail. Your bridge might fail, your security gate will fail. You know, there's a lot of things that will fail, but in, in the, the, the actual practical implementation of a lot of what we end up doing is continuous trust, right?

So those layers, while they worked today, or they worked yesterday, Are they gonna work tomorrow? Will they hold up to the DDoS attacks that are happening at petaflops and terabyte? Like, it's just crazy how much speed that we're seeing now, and it's, it's a challenge that we get to partner with businesses to establish this ideology of, of risk-based discussion.

So for me, that's how I always orient that narrative of like, when we think of operational security or we think of layers, how much are we willing to invest? Or how much engineering time are we willing to invest? But in the reality of fast shipping, when you look at companies like ADA and how quickly they got to this point, if you wait too long and it's perfect and there's no attack surface, I bet you the product's not good anymore.

So MVP or minimal viable product are going out the door when it's, you're a little uncomfortable. As a security practitioner, I wanna be a little uncomfortable cause I know we're doing the right thing for the

Neal: business. That makes a lot of sense. So Daniel, I'm well, I'd like to hear you painted on, on the security Yeah.

And layers. But because you're a CTO at a product company Sure. I know there's some unique perspectives since I work at a product company right now. So I'm kind of curious what, we'll start off with that piece, the security and layers piece and deep trust construct, but then I want to harass you a little bit about what that means at a product layer.

Sure. Perspective cuz it, it is a unique perspective in my opinion

Daniel Marashlian: on how that goes. Yeah, the, the deep trust. Hmm. You know, I have so many hats, I guess, in my career at the business. It almost starts at I guess to be a little boring at policy. And, and the culture. And, and if you're And I actually heard it from some, the members here at, at, at Draw Deverse today.

It was security practitioners, compliance practitioners here saying, I wanna do this, but how do I convince leadership to, to do this? Like, how do I defend my position and my job and doing the right thing? And, and if you don't have the right buy-in from leadership, which sometimes means the culture or the.

Policy of the business that everyone will buy into, then you can't ever build that to start. So, you know, at Drata when we started it, it was all about trust. And so if we're building this product eventually to help our customers not only trust us, but to build a tool for, for their prospects and customers to trust them we gotta do everything from.

From almost the inside out, talking about an onion layer. It was you know, from, from day zero, every single layer from the code to the network, to the internal processing of, of storage and everything. It was, how do we do this Right from the start to, which took a little bit of extra time and thought but, but hopefully that what it did is it kind of, It, it really baked into the culture of security first, and we were building a product company for security, but internally, our security program, our security policies, they're not just for the engineers, it's not just for the security team to defend against everyone else.

It's. It's everyone. I always say it's kind of a funny thing. Our security team has like built this army of I think we're about five, 600 people now of like paranoid people. Like they, they keep asking security people, can I click on this link? Like, is this email okay? Can I, can I use this vendor? And, and it's just part of that culture that even if you're a marketing specialist, and you came into Drata in a security industry for the first time. We just, this culture that you just jump into, it's like very security aware and very defensive, which, which you know, is good. It protects the company. So that's how I've, that's how I view it from the, kind of the security lens, from the product lens, and especially more on the application development side which is definitely where my background is, is.

Well, I guess I, again, I have maybe unique, a unique thought cuz I'm usually the first engineer as the founder. So you always have to be a security engineer. But, but as in a larger team, it's about truly partnering with security and not treating them as an afterthought. Which I think is in the, in the software development life cycle.

You know, you don't just throw it over the wall to qa. Like you include them from the beginning. Same with design, same with product. And, and I think same with security. It's not just, Hey, I've finally done with this product. You guys go test it. It's about hey, we're we're doing this new architecture.

What do you guys think? Like, do we need new infrastructure for this? Like, we're doing this new methodology. Let's, let's maybe explore what we're doing before we write one line of code. So that's, that's kind of the approach. We've, we've, we've taken at the, in the build out of Jada, on the product side.

Matt Hilliary: Okay.

Yeah, please. No, I just wanted, wanna add one thing? I mean, started several security programs from the ground up and what I've found is the most talented technology people like we just heard from Daniel, are that. Kind of inherent security minded person where they really are thinking about the different ways to include things.

Even from your first startup, right? Like security was included from the outset. I mean, sure, there may be some deviations from what you expected originally, but at least you knew that you were saying, Hey, we are making this risk calculated. Letting this go out, but we plan to retrofit this later with this capability.

But you're still in a very wise way going about it. Some of the best technology owners that I've worked with have inherently had that thought process. And so coming as a security person after the fact, cuz generally the CISO sometimes is much layer higher it, it has been awesome to pair with folks like Daniel, like the other team members internally who have that from the outset to build upon and celebrate versus feeling like you have to retroactively.

And so it's been really cool to see that here as well as at other companies.

Neal: No, those are great, unique, excuse me, good perspectives on that. So I'm, I'm gonna pick on you next time. So, Once I remember what it was I was gonna say. But so when we think about this, so y'all both have really good insights from a product, company perspective and ground floor up.

So I kind of want to come back to this, the deep trust thought flow around this. So we think from a product perspective, there's two echelons. It's external and internal, what we have to deal with every day. And having worked at a product company, you know, our DevOps team, we're, we're DevOps SEC focused as a whole now, right?

That, that's the goal. So from Ty, from your perspective, thinking about this, when you think about how you interact with something like Drta and what that means to you around how they've done maybe a security first approach to things, how, how important is this for you from a perspective external

Ty Sbano: for you?

Question. When, when we think of companies like Drta, they're selling to buyers like myself, security professionals, so they have to inherently understand. And again, I think today was a really good example of the keynote from Adam, the founder, the co-founder where the team waited a few extra months to get SOC two certified before they went out the door.

Because the perception in our community as practitioners is like, cool, sell me a security capability and you don't even meet the requirements that you're trying to tell us we need. So it's really confusing sometimes. And I can tell you in, in my experience of software security, I've found companies that.

Weren't running their own static analysis engines against their product, weren't performing their own dynamic scans against their product and their website. And they're like, how? Why would you ever expect us to do this? And it's like, you expect us to trust your tool to embed security in our sdlc, but you aren't embedding security into your sdlc.

What a conundrum we have And, and I think the reality is trust. Trust is hard. To earn with folks, especially if you come with luggage, you've been battle hardened, you've been through some stuff. And the reality on the other side is it's really easy to lose. It's no different than we have to get it right every time.

As CISOs, as security practitioners, the hackers, the bad guys, the script kitty one time, right? So I, I think when it comes to trust, like it's a continuous effort, so, When I hear someone with the proper narrative and the inspiration behind why they're building something I can align with that ideal. And if they don't have it right today, guess what?

They're gonna keep working on it. And that's the right mantra when it comes to risk management.

Neal: Anything to add, guys? Awesome. So I, I will say, I, I think that that's actually a really fun, unique perspective cuz Ada doing compliance and risk and all this other fun stuff, you, you obviously don't wanna buy from a company if they're not eating their own cereal, right?

So that, that, that's, that's a very smart perspective. Right? So I kind of want to maybe dive into this a little bit around maybe some of the actual compliance side and, and highlight what Rada is actually doing a little bit to make. Make someone like Ty a little more comfortable with what's going on, right?

So compliance and risk driven modalities are, are important. We went I think accordion style late nineties, early two thousands. Everybody was exclusively focused on compliance and they forgot about the security piece. Then everybody's like, oh my God, we forgot about the security piece. Look at all these breaches in the mid two thousands, 2000 10, 11, 12 target.

Thank you for your job. All that fun stuff like that. Yeah, so I was, I was a consultant with Boo Allen Post-breach, so I got brought in for that wonderful timeframe to be alive as a consultant because that was a lot of money. So I appreciate this compliance driven mentality back in the early two thousands.

It allowed me a lot of stakes. But we've, we've learned from that, I feel. Right. And I think companies like Drta and the rest that are kind of helping fill this void have come to an understanding that. Compliance versus security is no longer a versus thing. There's, there's a happy road, right? Oh, it's together.

Yeah. So let's kind of hit on that a little bit around this growth over the last, I really think it's really maybe started pre covid by a year or two when that became an important thing. And then maybe hit a little bit on ADA as far as like, you know, why y'all got started down

Daniel Marashlian: this rabbit hole. Sure.

Yeah. I think There's a Venn diagram of security compliance and there's definitely an intersection of the two. Nevertheless, just because you're secure doesn't mean you're compliant and just cuz you're compliant doesn't mean you're secure. So there, there, there needs to be this intersection where those two departments, those two philosophies crossover.

I kind of, you could look at it from either direction but my philosophy is you, you look at it at a compliance. First and that leads to a better security program. I think you can do proper security practices, but to run a security program, not just code something right, or protect your database right, or whatnot.

It's about a program. And, and therefore being able to communicate that story of trust. And so I think that starts with compliance. I think compliance though, is really. It's a setup to run that security program. So just cuz you're compliant in, you know, whatever framework you choose, it's, it's saying, Hey, I have a foundation.

I've put serious thought into this, I've implemented it, we are running a well-oiled machine. And now guess what? I earned the right to go build a security program and to expand that un or whatever. Whether you wanna go in or out or, or out or in. Like I, I, I earned the right to go build. This security program at every layer of the onion.

So that's, that's that's really how adas built. It was, it was, let's go make it as easy as possible to automate this, this process of compliance. I'll be the first to say the process of compliance and then, you know, you know, whether it's 10 years ago or, or a lot of companies are still doing it manually is like, it sucks.

Like it's very painful, it's mundane. It's, it's a lot of hours. And, and living through that a few times in my career that was. Really the spark of the idea of the company was let's, let's automate this for everyone and make it as easy as possible. I view it as an ascent tote. Like we'll never get there.

We'll never get to a hundred percent for everybody, but my goal is how close can I get to that line of a hundred percent automation and just make it simple for people. So, The culture then adopts it, and the culture accepts it, and it's not this big burden on everyone. And therefore that unlocks the door to the security program and it unlocks putting security into people's cultures of their business.

I would say that's the number one favorite thing. Even though ev DRTA we've, we've had very, very great success over the past two and a half years since we've started. But I would say the, the number one thing that I've Felt most at wholeheartedness of, as the founder or one of the founders was?

What is the, I've seen it so many times now, across our thousands of customers, is all of a sudden, security is now a core value of that business. Where before it was seen as this thing in the corner, this cost center, this scary thing either that I. Knew how to do and I didn't want to do it, or I, I just don't know how to approach it cuz it's, it's too technical or it's too big.

And so now, you know, showing them and shepherding them through this process of compliance, it unlocked the door to build a security program and now they go, whoa, that was pretty easy. This is pretty cool. I see the value of doing this. And now everyone in the company's buying into it. So that's been amazing.

Neal: So we're gonna harass the security guy. Drager, real quick. One more time. Oh

Matt Hilliary: yeah. Can I answer the same question or do you have

Neal: question? Yes, can. No, I want you to answer the same question cuz we've got the co-founder and CTO perspective. I want the in the trenches a little bit more and then Ty. I'm gonna, I'm gonna berate you for a few seconds on this question to kind of take us home, but yes, please.

No, I

Matt Hilliary: like this trick question a lot of people ask me. Hey, Which is better? Which is more important, or can you have compliance with security, or can you have security outta compliance? Honestly, I think it's an integrity thing. You really want both. Like you said, it is a Venn diagram. They do intersect in many ways.

Honestly, I feel like it's an ecosystem that you really need both to feed off of each other. As I've come in and started security programs, the first question I'll usually ask is, Man, where do we start? There are so many things I think at some companies I've joined. It's like that whole idea of like, I dunno if you've heard the poem where there's like a bunch of starfish on the beach and you're like, Hey, you walk up and I threw a starfish back in the ocean.

And people are like, what are you doing? There's thousands of 'em out here. Like, why? You know, I made a difference in that starfish. And you, can you go Like, I feel like that's been a case that some companies would've had a number of risks. That's been wild. And so really you are making a difference little by little, but.

Honestly compliance I think gives you a very broad perspective when I think of ISO 27,001, a very broad but good place to start where you talk about all the different domains and a good framework to build upon from like, Policy all the way to a good suite of controls to start from, to then operate and then continue to improve upon year over year is, is an example.

Right. And so with that, you then build in security on top of that or in addition to the best programs that I've been a part of have been such that. Compliance has always improved security, not just the purpose of, Hey, I wanna move forward just to get this cert though I also have been in situations where it's like, we gotta sell.

We gotta get a SOC two tomorrow. How are you gonna get there as quickly as possible? And you really have a different mentality, which is like, cool. What is the minimum set of controls to get there? I do love that Drta is modular to help cater to both spectrums. Again, back to the integrity piece. Whenever I've joined a company and we have moved into the space of we want to comply with X framework, it's an integrity thing.

You've made a commitment as a company to then continue to comply with that going forward, and usually that means is. You're not only stopping there, you're continuing to improve, you're continuing to operate all the controls in addition to building the security program. I tell people the two things that keep me up at night.

Number one, you know, breaches, security incidents. So first dashboard up is usually all of my alerts that come from like our sim. The second is, Am I gonna pass the audit? Right. And so you have like your, your, your ADA dashboard saying, cool, like what are our control status as of last night? Andrada gives me that view every morning saying, Hey, we ran tests last night.

The latest infrastructure shows this. These are the things that are out, out of what we would expect compliance wise. And having that collect the entire year versus literally the anxiety attack that I experienced six weeks before the auditors come on site of we're not gonna pass or we are gonna pass.

I've always wanted favorable, predictable audits because of the essence of wanting to maintain integrity and demonstrate to customers that we truly are doing what we're saying we're doing. And having that continuous collection and monitor and display of that has been just as valuable to me as it has been.

All of my security alerts that come through to say, Hey, has, you know, as a breach happening right now? Or, you know, are we hardened against the same vector that that company just got breached by last month? So it, it's helped both, both spectrums unite.

Neal: Awesome. No, I appreciate that. So I said we're gonna, we're gonna throw it back to Thai for kind of the final word as the consumer side of the fence here.

But, you know, talking, obviously compliance versus security, but for your perspective, whether it's working with someone like Drdo or something in general, period, how important is it for you when you're looking at this perspective to to choose the right side of the fence that understands that it is truly a merriment, one way or the other?

Or, you know, starting baby steps, throwing the starfish back in the ocean. Yeah, I mean that's, that's a really good analogy. To be fair. You start somewhere and make a difference somewhere, right? So, yeah. I'll, I'll leave you kind of the final word before we wrap up here as the

Ty Sbano: consumer side. I don't know, I think it was just said really well, and I don't really have too much else to add, but my, my simple mantra when it comes to security versus compliance, it's not that it's, if I do security really well, compliance is actually easy.

But you know, when you work with different audit firms and teams, those controls can be perceived in a different way. So again, goes back to you. As the translation tier, the CISO or the head of compliance, the head of grc, whatever your title is, you're helping with controls. And in the reality of understanding auditability and having a history of attractive evidence, we did what we said we were supposed to do.

So if you look at other larger compliance frameworks like ISO 27,001, it's no different than SOC two. Here's what our policy says, but ISO expects a little bit more now, everything that's written there, Did you do it so that trust but verify mentality is at the core of it. But you know, I think it's, it's very straightforward.

You know, if, if you're good at what you do as a security practitioner, you're bringing value to the business by guiding them, not being too stressed out, but also remediating and between. So it's not. A chaotic show when they're not gonna give you your SOC two report because you have to remediate X, Y, and Z finding versus cool.

We have some nonconformities. It's part of our risk management process, goes right in. You know, if, if you have a perfect audit every year, and I used to be able to say that it was comforting sometimes, but then I'm like, ah, you know, what's better? Getting some findings that make sense for me to then prioritize with the business and educating, because that's part of the process of review.

And then I educate the leadership team. In intaking this information as well. So now good security equals I have educated not only my leadership, but my board as well in why we're investing in security and why this is an actual business enablement function that differentiates how we. Embed security as part of our business flow.

So I think those motions are really important, building in with your sales team and the rest of the organization as well. But this has been really fun. I did not know about the Starfish thing until today, but I'm totally gonna think about that in the future when I go to the beach.

Neal: I, I, we appreciate you, gentlemen.

Obviously coming in on, on what is a legitimately impromptu podcast right now. So, and, and fair disclosure wrap up, obviously compliance and risk mitigation strategies and especially the closer you can get to automating the key pieces that are repeatable, are very impactful for building any kind of policies, zero trust or otherwise.

So, thank y'all for sharing y'all's experiences. Thank y'all for coming on real fast with us and hope y'all obviously enjoy the rest of the day here at the conference. While Elliot goes out and bust his ass off, so I

Elliot: I don't know what you're talking about.

Ty Sbano: Thanks for what you do, Elliot. Thanks. Cheers.

Matt Hilliary: Thanks