Adopting Zero Trust
Adopting Zero Trust
Adopting Zero Trust: Philosophy of Prevention with iHeartMedia’s Janet Heins

Adopting Zero Trust: Philosophy of Prevention with iHeartMedia’s Janet Heins

Season two, episode 13: Cybersecurity prevention on a global scale with Janey Heins, Global CISO for iHeartMedia.

Catch this episode on YouTube, iHeartAppleSpotifyAmazon, or GoogleYou can read the show notes here.

At the heart of Zero Trust is the idea of prevention. If you don’t trust anything or any person, you are playing in the same pool as risk avoidance. While total risk avoidance isn’t feasible, Zero Trust gets us closer to reality. Now, map this up to an organization with a global footprint, with significant infrastructure sprawl, and you’ve got one very complex scenario on your hands.

This brings us to this week’s guest, Janet Heins, iHeartMedia’s Global CISO, who will help us navigate the philosophy of cybersecurity prevention on a global scale.

Editors Note

If today is July 27, then I (Elliot) will be doing a live interview/podcast discussing brand building at 3 p.m. ET. While AZT has been a labor of love, it’s time to build something even more impactful, and I’ll probably end up spilling the beans on some of that. Don’t worry, we’re not going away, but you may see a few more voices on different channels in the future. I still need to kick Neal’s ass a bit to get him to commit to the cybersecurity career-building podcast though.

We have two more episodes coming up, and they are big. BIG BIG. Feel free to head over to our publishing schedule if you want to spoil the surprise. We will also be working on a little giveaway for the next episode, and I know you’ll dig it.

Lastly, I am going to likely take most of September off from publishing since I am expecting my first kid to show up literally any day now. Assuming the little one lets us record some interviews, we should be back in October (or sooner, who knows).

Putting The Conversation Into Context

With more than a decade behind her as a CISO, Heins’ experience stems from working with some massive brands. As a leader, she’s particularly passionate about translating business needs into technology processes or solutions, while at the same time bridging the language barriers that often stem between IT, cybersecurity, and the other adjacent areas.

iHeartMedia has over 11,000 employees and a vast physical and digital footprint. With 860 radio stations across the US and 20,000 events annually, the company is part of the emergency broadcast system and has to be ready to respond to threats quickly.

At a global level, Heins makes it clear that strong detection and response capabilities, as well as prevention measures, are critical elements of prevention. And while prevention can take many forms, in the context of today’s episode, we dig into security tools, hiring security professionals, and the basics, such as providing security awareness training to employees.

One challenge of securing a large organization like iHeartMedia is consolidating the tech stack. iHeartMedia has a blended architecture of OT and IT, with legacy hardware and systems that need to be secured. Heins stresses the importance of communication and collaboration between the IT and OT teams, as well as being open to new tools and automation.

Key Takeaways

  • Prevention is crucial in cybersecurity, but strong detection and response capabilities are also necessary.

  • Bridging the gap between IT talk and non-IT talk is important for effective cybersecurity, as it ensures that cybersecurity measures align with business goals.

  • Communication and collaboration between IT and OT teams are necessary for securing blended architectures.

  • Automation and new tools can be helpful in preventing cyber threats.

  • Investing in security awareness training for employees is an effective prevention measure.

Bridging the gap between IT and non-IT talk is important

Heins’ passion for bridging the gap between IT talk and non-IT talk highlights the importance of translating business needs into technology processes. This is crucial for effective cybersecurity, as it ensures that cybersecurity measures align with business goals.

For example, we all know that everyone in a company plays a role in securing the business. However, beyond the standard security awareness training, putting this into context can have just as much benefit, if not more.

“Some of it's just understanding the impact, knowing how they can help. I think the really important thing is building that trust and understanding that I know what it is that's important to you,” said Heins.

Communication and collaboration between IT and OT teams are crucial for securing blended architectures

iHeartMedia's blended architecture of OT and IT presents a unique challenge for cybersecurity. Communication and collaboration between IT and OT teams are necessary for securing legacy systems and being open to new tools and automation.

Automation and new tools can be helpful in preventing cyber threats

Heins stresses the importance of being open to new tools and automation in securing iHeartMedia's blended architecture. Automation can help prevent cyber threats and streamline security processes.

“…depending on what the automation will do for us, it can also undo some stuff, right? So what I mean by that is it can build up a very strong partnership with IT and with our OT team and also the business in general, and you can really flush that down the toilet in one error in automation,” said Heins.

Though this may seem harsh on the surface, it’s a simple risk-based approach to ensure that while human-prone errors are expected, machine-created processes can still do the same. There are no silver bullets, bugs are very much a thing, and it’s important to still have humans looped into automation.


This transcript was automatically created and is undoubtedly filled with typos. As usual, we blame the machines for any errors.

Elliot: Hello, everyone, and welcome to another episode of AZT, or Adopting Zero Trust. I'm your producer, Elliot Volkman, alongside our currently munching on, I don't know what, something terrible at the airport, Neal Dennis alongside our wonderful guest, Janet, who will in just a moment, introduce herself.

So as with our typical format we do have a theme in mind, and this is going to be one of those really excellent episodes that. Neal and I have honestly just been waiting to lock in with you all zero trust as a concept. It may be like philosophy. It definitely aligns with this idea that prevention has more impact than being in this reactive state where, you know, as things arise, you're knocking them out.

The idea is you're supposed to get ahead of those threats. So we have an expert who works at an organization of. Significant size to say the least But with that being said yeah, I figure maybe we'll just hand it off to you instead of me Just trying to read off your LinkedIn resume so to speak Maybe we can chat about where you're at and what led you to where you are today

Janet Heins: Yeah, so I'm currently the CISO at iHeartMedia. And I've been here almost three years now. And I've been in the CISO role for over almost maybe a dozen years at various companies, different industries, and I'm kind of gravitate towards learning new industries. So that's, you know, you know, and how they how they operate and how security is the same or different.

at the different companies I've worked at.

Elliot: Very cool. And I know that you have also worked at some pretty large organizations, not just at I heart radio. So you're no stranger to handling these at just magnanimous levels. Plus, I suspect, since you work at where you work, you're probably tolerant of people like Neal and myself being a little more obnoxious and goofy of this.

So fortunately, we're not very structured. So I appreciate you coming on and bearing with us as, Neal's in the airport, so we'll see how that all turns out. It's new for us. New territory. That all said you know, I, again, I just want to look a little bit more into your background. Obviously, you didn't wake up 1 day and become see.

So, a giant organization. It, there was a pathway that kind of led you towards that. Some people stick towards being in the weeds and practitioner being strategy being Intel. You're kind of the. You know, combination of everything, including that business element that organizations absolutely need that top down person that can speak towards these different elements.

So I'd love to know what led you towards that business perspective of cybersecurity.

Janet Heins: Sure. Yeah. I mean, it's something that I've always gravitated towards as far as I call it bridging the gap between IT talk and non IT talk and being able to really translate business needs into technology processes or solutions. And that's something that I've kind of always I guess I call it a knack for and I've started out in it, you know, early in my career as a programmer moved into, you know, leadership management roles.

And I got into a role at when I worked at Merck pharmaceutical company doing leading an organization and they called it e learning. So that was when learning was You know, used to be in classroom. And then we moved it all to being able to do synchronous or asynchronous online learning. And I moved in that same company.

I moved from e learning into e discovery, which is the collection preservation of of data in preparation for legal matters. Right. And that was as a pharmaceutical company, exactly what you'd Obviously, they have some legal matters as any pharmaceutical company does. And so that was a pretty big organization.

And that kind of folded me under into the the then leader of security at Merck. And I got exposed to a lot of my peers and what they were doing in security. And a lot of it was it's like the information life cycle, right? It's the things we were doing in e discovery, where we were capturing data and preserving data, but we had all this data that maybe, you know, we didn't need to have because people aren't good at throwing away data.

And it kind of led into that, that whole You know, my, my interest and desire to get into security. And now I kind of call it like I'm in e security, right? Cause I've been e learning and e discovery and now e security.

Elliot: Very cool. Yeah, that absolutely. That's like a very interesting journey. You know, I, I feel like a lot of the people that we may have chatted with are not necessarily on the. In the weeds programming perspective, maybe Neal kind of lines more towards that world. But yeah, it's very cool to see that that perspective, but let's shift over towards the elephant in the room, which is being able to, I guess, secure an organization with, I think it is at least 11, 000 employees.

I can only imagine the physical footprint and the digital footprint that gets involved, but maybe you can give us a little bit of. Perspective to help us conceptualize just how vast the amount of information and people that you have to secure is in your role.

Janet Heins: Yeah. I mean, I can give you some background on on iHeart as a company, just because I think people, people know the app, the iHeartRadio app, I think that's. Like everyone connects to that when I, when I say iHeart and they call the company iHeart Radio, even though the company's iHeart Media. So it's, you know, that's obviously what they relate to, right, is the app.

And we have, you know, the largest number of downloads and streams on the app for, as compared to, you know, any of our peers. We do, so that's a kind of our digital side, the live streaming of live stations and podcasts and all that. And then we have the radio side. And in the U. S. we have about 860 radio stations across the country in what we call 160 U.

S. markets. So, if you pick like Miami, that's a market, and they have five or six radio stations there. And all the cities that, you know, so you do the multiplication, right, of 160 times five or six radio stations, a little more in some. So you get 860 radio stations, live broadcast, and then we do events.

So we'd have we just did the iHeart Country Festival here in Austin in San Antonio. So Austin's right up the road. We do the annual iHeart Music Festival, iHeart Radio Music Festival, which is a two day event in Las Vegas. 20, 000 events annually. So just kind of giving you the perspective of, you know, all the different things we do as a company.

Elliot: Yeah, that that is quite a footprint to say you need to cover just absolutely everything. So, I mean, well, I hope you don't let me ask you this, but obviously that probably comes with quite a bit of pressure then.

Janet Heins: Yeah, I mean, there's definitely you know, one of the other things I didn't mention is because we're in radio, we're actually you know, part of the emergency broadcast system. So there is that's another just, you know, added, you called it pressure, right? On another

Elliot: just a little bit.

Janet Heins: Yeah. And it's, but there are, there are things that are.

I think a lot of it is you were talking about the proactive, you know, proactive nature, and I always said if I could build an IT organization from the ground up, right, and then you could build security in by design. Right. So you have security by design especially as a security practitioner. That would be a priority for me.

Right. As I built, you know, had the opportunity to build an IT organization brand new company, kind of Greenfield thing. It's my, you know, my fantasy, my dream to be able to do that, but we all have legacy. Every company has legacy. Every company has systems that have to be up all the time. You know, whether that's.

Back when I was in biotech and we had, you know, we were actually, you know, their biological products that grow. And so you can't turn off anything off because they're actually growing and living organisms all the way to, you know, the cruise ships that have to be, you know, out at sea all the time.

There's no, there's always something that's, you can't turn off. And so I think there's some common challenges. And then I think each company in the different industries. I think has their own kind of unique, unique challenges when it comes to being, to moving to a more proactive state.

Elliot: Yeah. And I, I think you nailed the the matter on the head where I was kind of going with this is that, you know, I, I could only imagine so being in your shoes is probably pretty stressful, but that means a reactive state is never going to be, you know, Spot that you want to be in. So prevention is, you know, probably that most critical aspect.

I assume as like, again, as a business leader, that's just the nature of the beast that you have to find ways to constantly get ahead of threats. Any kind of issues, not even just necessarily on the cybersecurity side. But yeah I, I think that just kind of pivots very well into the theme at hand, which is prevention.

But I'd love to just know maybe your philosophy. Thank you. Between prevention as it relates to cyber security, or just in general like, you know, maybe maybe I'm off that base and making too many assumptions there, but I'd love to just know your perspective on the role of prevention plays.

Janet Heins: Yeah. I mean, I think the first thing I like to make sure happens or the company that I, you know, work for has in place is really strong detection and response, right? So if you look at, you know, the NISC cybersecurity framework, right? The detection and response, components I think you have to have in place.

They have to be your most mature options because everybody's going to get hit with something and being able to detect it early and respond quickly. Those are your two, you know, the best, the best way you can be ready. I wouldn't say proactive, but ready, right? And then the prevention piece, which, you know, prevent is is also one of the five NIST categories.

That is I think it's like almost like a never ending investment opportunity when it comes to what you can do to prevent bad things from happening. In a couple of ways, right? It's not just in tools, right? It's in people and you can call the people, divide people up into the people you need to hire on your security team and the awareness that you need to give your employees in an organization so that they can help you prevent bad things from happening.

And then You know, looking around at all the different aspects of I. T. from, you know, application development where you are in the cloud. What your network looks like. There's just so many different opportunities to have visibility into what's happening there. And, you know, there's a tool, there's a tool for everything in security right now, right?

There's lots of tools, so it's balancing, you know, what you, you know, your priorities, what you have to have versus the maybe, you know, you can get this some other way or you don't, you know, down to the bottom, kind of like you can push that off a little bit. Because you could spend, you know, all the security dollars and probably all of IT dollars.

Investing in security tools if, if for prevention, I mean, there's just so much out there.

Elliot: Yeah, that absolutely makes sense. And in fact, I'm going to hand this over to Neal, because there's a conversation that I think we've had. For, I don't know, the last three episodes, it's, there's that common theme of, yeah, absolutely spot on there is a tool for everything, and now there's probably a tool for a few too many things, but Neal, let's let's get you to add some color into this conversation of the consolidation and

Neal: I have a couple of curiosity questions, actually, maybe to preface this with. So given that, that you are a media. conglomerate, right? You mentioned the market spaces and the scope of what that is. I, I imagine nowadays in the digital world, a lot of this is probably being recorded more like what we're doing today in a sense, right, and then broadcast out maybe through some kind of digital gateway, then up through the antenna, all this other fun stuff.

Aside from all that fun stuff that goes on to actually get the signals out to everybody, I think that, to me, seems kind of fun to think about from a unique situation where You blatantly have to have an open, at least one way, for both a digital consumption path on the internet, as well as through the phone platforms and the apps, so that's a whole nother thing, AppSec versus WebAppSec, as well as the all the tools that go into making that a reality, right?

So, normal companies, even at Merck, yes, they've got gateways for updates for tools and things like that, but those are very focused things. You've got, you've got a literal nationwide, gateway thing. I'm sure there's some things y'all have done maybe to focus on that. But I'm, all I have to say, I'm just intrinsically curious about that footprint and how you've kind of considered that footprint or if that's even something that's even worth considering nowadays.

Have y'all been able to like consolidate these endpoints and these footprints down to a manageable aspect as you build this preventative mentality around things?

Janet Heins: So the, there's a couple different technologies involved in, so radio broadcast, right, is different than the iHeartRadio app, for example, right? And so, the radio broadcast you know, transmits from the radio station to the towers out to the radio waves, right? To the transmission waves and I, I consider that to be the operational technology side, the OT side of, of the business, if you will, every, every company I work for has the OT and the What I say is it's not as interesting or susceptible in some ways as other apps might be, other things that might be like apps.

And then we have the iHeartRadio app, which is available, you know, in a lot of different technology platforms. And so that's, that's, you know, an app that we obviously want to ensure is secure. And because it is. Out there as, as it is, like, as our, just our regular website, our iHeart Media iHeartRadio website where you can sign in and listen to podcasts and radio as well.

So they're, they're kind of two different animals, if you will. And I think that the iHeartRadio app is probably much more visible.

Neal: Yeah, it makes a lot of sense. So, I used to work in the OT side of the house, so I'm always just kind of intrinsically curious about the blending of OT and IT aspects of things, because we've come such a long way with this, right? And, you know, even ten years ago, if you talked to someone who was setting up any kind of OT network, and they saw a Cat5 cable on the back of it, the first curiosity point was to find a Cat5 cable, plug it in, and then forget to remove it.

And then realized that it was plugged into something it shouldn't have been for however long it was, right? And that, I mean, that was only 10, 15 years ago. So I always find it very interesting to think about security where we finally got into a more blended architecture where people understand OT and IT and playing together.

And now, obviously, we have IoT as a mainstream construct, right? So that's awesome. So, from from Security perspective and moving this forward, like Elliot mentioned, there's a lot of tech stacks out there. There's a lot of growth that people went over the last couple of years, courtesy of COVID.

And in your case, like you mentioned earlier on, there's a lot of legacy hardware that you just already intrinsically have, probably some of it because of how the OT systems work. I imagine some of it because of different iterations around, you know, web app and app security, mobile app security, stuff like that.

How are y'all approaching kind of the... the potential consolidation aspect. How are y'all looking at this larger tech stack that you've likely adopted over the last few years, more so than anything, and, and trying to think about, you know, approaching that, either A, securing it or maybe whittling away at it as part of the security process?

You know, kind of what are your thoughts around those process flows for that?

Janet Heins: Yeah. And I think when you. When you go back a few years and you think of OT the folks that traditionally have, you know, run that, right, whatever, and again, whatever industry you're in, there's that, that group of people that are, you know, whether they're engineers, technicians, whatever, right. They're not, maybe weren't part of and they, you know, they tend to be for right, for all the right reasons, protective of their systems, right.

And so getting including them into trying out some of the new tools that are out there that actually, you know, they can protect my laptop and they can protect your OT server as well, right? So getting kind of, getting over that barrier, if you will, of, you know, we won't, it won't, you know, we can install endpoint protection on your OT device.

It won't bring it down, you know, it won't shut it down. It won't cause all this, you know, all these problems and just really working together. as part of a team to start to make inroads into that. That's what I found to be the most helpful and actually you know, kind of helps with the momentum as well.

And you're right, you do uncover things, you know, and I, this is kind of a broad statement wherever I've worked, right? You do uncover things that You know, aren't aren't compatible, aren't going to work with whatever you're trying to do to secure it and you have to come up with some, depending on what it is, you might have to come up with a workaround or, or some other mitigation that gives you visibility into what's happening, but doesn't necessarily end up with you installing something on it.

Because, you know, there is there's legacy and then there's legacy. Legacy, right? just doesn't, you know, doesn't operate the same way,

Neal: No, no worries. That's, that's very true. They man, gosh, I still break things that I'm not supposed to break when I go on site with certain clients, but that's a different thing. That being said, you know, I think echoing this a little bit, you know, communication is obviously always key, right?

There's, there's overly, I think the OT side of the house, no matter where they're at in this journey, they're always the most protective of their infrastructure. period than any other engineer on either, on the IT side will ever be. And so I, I, I think that's awesome. You know, just have an open comms line with them.

Let them know that you're not here to destroy them. You're here to hopefully keep them from getting destroyed. And then see if you can get them to tag along with the new toys. So on that note though, are y'all... From a tech stack perspective, are y'all looking at or already are planning to leverage any kind of like intrinsic automation Beyond just the security team itself because I know we've got soar that's been around for a while But you know, there's kind of some fun trends courtesy of this tech boom Growth or tech purchase boom rather there's been some decent trends I think with people finally getting on board with the automation beyond incident response Is that something that y'all are starting to maybe consider already have for helping with some of this more preventative structure flow?

Janet Heins: the team likes to stay abreast of everything that's going on. And you know, one of the characteristics I look for in a, in my team's mates are curiosity is curiosity and learning, right? And so, We are constantly looking at what's going and what the future trends are and building that into our roadmap where it makes sense.

The there's some concerns. I, you know, I wouldn't say I have concerns, but I have maybe proceed with caution about automation. A lot of the. And why I say that is because they're you know, depending on what the automation will can do for us, it can also undo some stuff, right? So what I mean by that is it can, you know, we build up a, a very strong partnership with I.

T. and with our, with our O. T. team and also just, you know, the general, the business in general, and you can really flush that down the toilet in one error in automation. Right? And so, we want to proceed with caution with that. But definitely want to take advantage of it where it makes sense.

Neal: Awesome. Awesome. So I think from a thematics perspective, when we start thinking about. Action items, both preventative and, and reactive. So I'm, I'm, as an Intel analyst, I'm always pushing people to be more proactive in their, their efforts, both on the SOC side and everything else, right? So one of the big things I harp on is more of a intrinsic value of what Intel brings to a company as a whole, not just a SOC.

That's kind of why I kind of go down the rabbit hole with the automation piece a little bit. But I think you're kind of also echoing my sentiment here just in general with what, what I can bring to the table as a whole from an Intel perspective is what I think most orgs are trying to get to is just that communications bridge period, right?

Finding pathways to have that good conversation. And I, I think Perspectively, if like you alluded to a few seconds ago, if you've got the right people chatting about the Anything really the right conversation is going to probably happen to get things moving forward, right?

Janet Heins: Yes, and I think most people want to, you know, be more secure for sure regardless of their role and where they sit in the organization. Some of it's just, you know, understanding the impact, knowing how they can help and making sure. I think the real important thing is building that trust and understanding that I know what it is that's important to you, right?

It's not like security, security, security, let's just go hammer it in everywhere. Right? It's, it's got to be in partnership and have joint and aligned goals to make it happen.

Neal: I think we've kind of hit the jackpot elliot the last couple weeks. We've had two wonderful Personas here in the c suite level here that have both Very very up front and very blunt said we need to talk We got to have communications if we don't then why are we even doing the job?

Basically, why what you know, we're not going to get enough stuff done. I think this is awesome I think this is also a growth over the last 10, 15 years where most C suite people were, you know, they would, they would talk, obviously, to themselves, but then there wasn't a lot of conversation downstream, or there wasn't a lot of involvement, and I think that's kind of neat to see, and you talk about, you know, you know you've got curious people on your team that are looking at new things, you know that the people are talking with one another, and those are not conversations I would have had with my C suite.

You know, I don't know, maybe right before COVID, it would have been more like, Oh, you're Neal. Hi. I don't know who you are. I'm the manager of your Intel department. Yeah, I don't know what that is. So no, I think this is awesome. It's good stuff. So on the preventative perspectives, you know, from a zero trust mentality, and you look at your larger orchid, your, your larger architecture that you're personally dealing with, how far down the hole have y'all gone with from the The Zero Trust mentality from like access controls and whether for the, the tooling or for the personnel and how important is it for you to see that kind of wrap up as part of that preventative mentality to make sure that, you know, limited exposure, limited access, especially, you know, web app and all that other fun stuff that you have to manage.

Janet Heins: Yeah. And I think the wording that you used makes a lot of sense, right? It's talking about that preventative. Positioning versus the, you know, I can't get very far into my organization talking about zero trust, right? Because it's, you know, it's a great term and we all understand what it means. But it's really just, you know, preventing openings that don't need to have exist, right?

It's what you're trying to do is you're trying to just We used to, you know, make everything easier for everything, everybody. But now that's also easier for the bad guys. So when we've got to kind of close, I always say it's like we closed the front door, but the back window is open. Right. So your bad guy's going to crawl in the back window.

So yeah, you know, that's the analogy, one of the analogies I use to kind of help describe what that preventative position is that you want to be in. Right. I mean, I think companies in general are, you know, the security organizations within companies in general are all heading down this zero trust path in some way, shape or form. I think it varies depending on the company's priorities. Quite frankly, the economy that we're in right now is a little challenging for everybody.

And so things may have, you know, companies may have slowed down a little bit. But I think you know, the days of Oh, you know, do we have multifactor authentication? Like some of the stuff is just table stakes and you're expected to have it. Especially if you've ever been through the getting cybersecurity, I'm sorry, cybersecurity insurance.

That's always a fun endeavor. And they're, you know, it's changed with just that, just insurers have changed over the past, I'd say five or so years, right now that they've had to make some payouts and they're asking tougher questions. So kind of circling back, I think. Everybody's on that journey.

And it's just a matter of whether you're a government agency, a financial institution, healthcare, right? Pick all these different industries that probably have you know, they're, they're regulated or they're very interesting to the bad guys.

Neal: No, that makes a lot of sense. Thank you. I was just kind of very curious about, about the the blending from the blending of technologies, right? And then having this large global, well, potentially global footprint because I know for a fact when I went overseas, I was listening to I heart. But this larger global footprint combined with the traditional aspects of what you're doing, what that's done from like a prioritization of how y'all approached.

The, the security structure in a sense, like what, what have y'all maybe prioritized over other things in a sense of high level, you know, identity access management from a personal perspective, web app security from a X, Y, Z, like engineering perspective, or, you know, just that general kind of aspect of that large footprint that you really do have.

Janet Heins: Yeah. I mean, I think again, it's, it's, it's probably not uncommon just for us, but you know, the cloud has definitely grown immensely in the past. I'm going to pick a number, maybe four years I've seen, you know, exponentially just again, peer companies, you know, colleagues that I, you know, that work at different companies.

It's just the way companies are going right. And I think that the class of cloud security, I think, is really a number one priority for a lot of organizations. Because they're they may have gone cloud first and security last as kind of like a, I say that jokingly, but maybe not so jokingly. And again, seeing that just from, you know, what's been done you know, organizations I've been at the patent in the past as well.

It's, it's an area that I don't think the cloud providers really did assert, you know, I wouldn't say they did a disservice, but they maybe didn't do as good of a service as they could have done when it came to, hey, bring all your workloads over to the cloud, everything will be great, it'll be cheaper, it'll be more secure, it'll be this, it'll be that, right?

Well, I'm not sure what there has actually held true.

Neal: I like that. I think we just talked with someone a little bit more about cloud security ownership and who. Who really should be responsible, you know, in some, some layers, pick your flavor of cloud. But some of those layers, you know, they provide an elevated service, but it's obviously at a premium. And it's a very limited amount of people who go all the way through with that premium offering.

I do know from personal exposure. That at a base level that there's a decent amount of things that go on through like the cloud security alliance and a few other organizations, but they're not worried about your open server. They're not worried about making sure that you, you know, have a secure password or lock this down or have MFA or whatever else it is, right?

All they care about is. Way up here. If someone very bad is doing very bad things or way down at the very, very bottom is someone's trying to take out some very minor things that tends to be trending. They don't care about the middle road stuff too much just because very various reasons won't go into that.

But I think that's, that's kind of an intriguing question. Do you see yourself now with the cloud security side? And I think this is once again another generic kind of trends piece here. Do you see the trend leaning more towards pushing the AWS's, Google's, and Azure's of the world to be more intrinsically involved with the larger security component outside of the additional, like, expensive services that they sometimes offer?

Do you see that kind of push to make them be a little more supportive of just making sure things Aren't intrinsically just broken by proxy.

Janet Heins: I have not. I mean, I, I do know that they... offer their own kind of tooling for security, right? They're kind of native tool sets that come with, you know, to your point, pick the cloud, you know, whichever cloud service provider you're talking about. They do offer tools. I think that they could come, they would, they could offer more, I guess is what I would say, but it, the responsibility is clearly on the Customer, right?

And that's, that's the point that I don't think everybody got when they decided, you know, when companies decided to go to the cloud, I don't think that's something that's thought of. That's kind of goes back to my, I wish I could build an IT organization from scratch, right? Because there'd be so many places that you couldn't do that without this piece of security.

You can do that without this other piece of security. You know, it's just, you need to have them coupled together. And so what we're faced with is for security professionals is, you know, kind of backpedaling and trying to, you know, trying to catch up. They're running ahead in the cloud and we're trying to catch up to them, right?

And we're finding along the way we get stopped with all these like, Ooh, we got this thing over here. We got credentials over there. We've got this, you know, there's three bucket open. So we're kind of getting derailed as we're trying to catch up to them. So that's, it's kind of like a parallel path that we're on, which is like, how do we repair, fix, change what's already happening in the cloud?

And then we stop it from continuing to happen as they, you know, as, you know, companies go deeper and deeper into the cloud.

Neal: Ah, so you hit on another fun one. So, do you find that you're faced with a lot of potentially net new, like, rogue IT things going on? I know, once again, pre cloud, or pre official push in the cloud, you had an IT department, and they took care of everything, from the respectful of, you know, deployment, and the actual operalizational, yeah, the O word, of things.

So, you know, IT used to build things, manage things, maybe help secure things, but more or less they were there. They knew what was readily accessible. And now, courtesy of cloud, courtesy of COVID, do you find yourself battling a constant fight of, Wow, I didn't know we bought this. Wow, I didn't know we put things in GitHub yesterday with this new GitHub server.

Or whatever, stuff to that effect.

Janet Heins: Yeah, I mean, I think what helps with that is, is again, the employee side of it, right? The people side of it is really having a good awareness. I call it campaign, but it can, you know, it's really communication about why you should or shouldn't do things. Getting embedded in the procurement process. Follow, I call it follow the money, right?

Who are we paying? And then follow that back to what, what are we paying them for? And, you know, who in the company is, is, you know, engaged with them to pay them in the first place. That certainly helps getting again, if you've got less people kind of going out on their own, doing these things. I mean, the one thing I would mention is SAS, right?

SAS has really made it, you know, you show up with your credit card, you, you know, you're good to go. And I, I think that the, the, it really gets down to the process and the awareness of, of, to being able to kind of, nip that in the bud, if you will, right? And again, it's visibility, right? So if you can see where you're, and there's tools for that, if you can see where your employees are going, you can see, you can get really good visibility into, What, what sites are going to, what SAS apps are going to what kind of sites they are what kind of apps they are, and then kind of understand exactly what the business purpose is.

Or not. And then prioritize from there, you know, does it have a big, would it have any big impact or is it really, you know, low impact on the company potentially, right? Because you don't know.

Neal: Yeah, I think that's awesome, because that's... I do honestly feel like that's something that a lot of leadership forgets nowadays is that they need to be actively engaged in trying to find Those potential rogue assets. I wouldn't know not an assets, but rogue toolings or procurements, especially in the SAS world And so I think that's to your point.

It's it's important to have a process flow to identify that and have that conversation one way or another and on that same vein are y'all are y'all faced with a Like a mix of remote and on prem staff nowadays. Do you have, do you have like a recording studio in someone's basement that you have to worry about just as much as you do a corporate studio kind of thing as well?

Is that part of y'all's

Janet Heins: we have a mix. I mean, when COVID hit, you know, certainly we went remote and still broadcast live and some talent prefers to be in the studio in the office and some talent, you know, can do it remotely. But that was certainly just having a remote workforce in general, right, is is a switching from an awful in office, you know, workforce to a remote workforce, regardless of what business you're in was.

That was, you know, super challenging during COVID. I was still at Royal Caribbean at the time when we, when we made the, when COVID hit and we all kind of went home that March in 2020. Yeah, it's, it's, there's so many factors that go into it that are including security and then even beyond that.

Neal: So out of curiosity, what's what would you consider maybe a key starting place when we start moving down the preventative piece? Where would you suggest people maybe start their looks into building into that more proactive effort?

Janet Heins: Yeah. I mean, I think it kind of depends on where you are and maturity wise. There's, you know, the, the, the big ones are, you know, single sign on MFA. Right. So if you can get SSO and MFA in place, that's. super helpful, especially for those what you call rogue apps, right? So people aren't, you know, after they leave the company, they didn't, we didn't know they even had that app and then maybe they still have access to it.

So that certainly helps from that aspect. And then the, and again, it depends on your company and your own priorities for your individual industry that you're in. I think visibility into what's going on in your end points. And there's a lot of good tools out there for that to you know, that doesn't just look for bad you know, bad files or bad hashes or whatever.

They also look at behavior, right? So the computer is operating in a way that Neverland normally would operate and, and having all of that data aggregated into a sim so that you can make heads or tails of it. Because, you know, you know, you don't want security folks burned out by responding to the, I don't know, the false positives, right?

So there's a lot of tuning that has to go on, but I think those are kind of the first couple of things I would recommend. Because gaining visibility is hard and by that I mean, people don't typically measure or even know how to get. Metrics to measure how we're doing and how far we've gotten tools and implemented and you know those kind of things and I think Understanding understanding what your footprint is as a whole on from you know What are all our assets that we actually own and do I have protection on all of them?

And if I don't know what they all are how can I have protection? How do I know if they're all protected? so that's I think visibility is definitely I foundational step in in prevention

Neal: Yeah, definitely. Yeah, I like that one. I, once again, 20 years ago doing this stuff, trying to find things before cloud was a pain in the butt. Finding things now with cloud is obviously a bigger pain in the butt. But I, I feel like, I feel like there's a lot of cool companies that have come along with, you know, not naming names on them at all.

But I feel like there's a lot of decent Headway that's been made over the last template. I know COVID has definitely skyrocketed this a little bit But you know used to be good luck go do a port scan in map Network capture whatever and hope that you could figure out what was going on where right?

Maybe just a large dump and wire shark 15 years ago Used to run something called net monkey and backtrack back in the day that would do all the protocol captures But it was never obviously a complete picture, but now I think that that The discovery phase of what's going on has definitely come a lot further, thankfully.

I, I would love on a separate discussion, offline perhaps or later on, to talk with you about your procedures for doing exactly that, because I think that in and of itself is a wonderful, whether it's ten minutes of, no I just use this and we're done, or if it's, you know, an hour of, I've done this, we've worked this way, we've done that, I think that would be an amazing discussion to talk about how you've done just the discovery phase of stuff, planning and

Janet Heins: definitely a journey. It definitely is an evolving journey. It's, I don't think you're ever done. Something new always pops up.

Neal: No kidding. Having the right tools in play to hopefully monitor for all that stuff I hope and things like that. That's awesome. So I think on the last note here when we think about, you know, the, the, the identity access management piece, SSO, SAML, things of that nature MFA, you know, I, just to iterate some of the things we've heard on prior episodes, I think that That even though it's obviously, there's a lot of ways to get around it from a threat actor perspective, most of the threat actors that take the time to do that are usually a slightly step ahead of your traditional just cybercrime oriented basics that most of us deal with every day.

So I, I personally iterate how important it is just to start off with MFA as well. And that alone, you know, goes towards that, you know, ounce of prevention worth a ton of whatever, whatever the phrase is. My Texas Marine Corps brain doesn't want me to remember the phrases here, but it is what it is.

Elliot: Mean, I can fill it in for you. It is

Neal: Yeah, cause you're...

Elliot: and it was Benjamin Franklin.

Neal: Thank you. I would expect someone who lives five minutes away

Elliot: It's because I put it in a document before this. Otherwise, it's because I put this in a document before you showed up. I had no idea before that, so.

Neal: ha!

Elliot: But it does make me feel good to make you think I'm a little smarter for once.

Neal: Oh, I know you're way smarter than me. Otherwise, we wouldn't have this podcast. So, that's just how it goes. Don't let Elliot sell himself short. He says he's a producer, but what he really is is Chief Wrangler, Chief Intelligence Officer, and a bunch of other things right now. So, I'll tell you what, with that, I'm going to throw it back over to Elliot, because I know we're coming up close to time.

I know we can go over a little bit, but I just want to go ahead and give it back to Elliot and see if he's got any more curiosity points. And see where we go.

Elliot: I think one of those areas that you indicated is that you're in a position right now where you sort of get a pave and create a story out of like this cyber security system, so to speak. And removing yourself from this particular equation, so you don't actually have to walk through the seat you're in today, but let's say budget was an issue, which obviously we know that that will never be a reality but in a, you know, a wonderful land with a candy that doesn't make us gain weight and all that stuff if you had unlimited budget, And you are trying to build that dream team.

I'd love to know from like the person perspective, not even the technology perspective, what are some of those critical, you know, hires that you feel are absolutely must that you have to build in to maybe focus on that preventative piece.

Janet Heins: Good question. as security professional, you kind of, you need to always ask why. So you need to be really curious. And when you get an answer, you have to like ask the next question, right?

So, I think one of the, colleagues I work with outside of you know, it's an outside company that I work with that uses it like run it, run to ground. You need to run everything to ground. Right. And I don't think, I don't think that's natural for everybody. I think people get an answer and they take it and they're like, okay, got my answer.

And so I think that's something that people either have or don't have. And so that's one, you know, I can't keep on a skill set, but it's really just kind of a way of being. And I, I mentioned the, you know, wants people who want to be a constant learner. So curiosity and learning are certainly big.

For the kind of roles, if I take like the individual people out of it and just say like, what do we need in people roles and security? I think it kind of depends on what part of security you're in. So if you're doing, I'll just pick on, you know, cloud security, application security, you need And I think the reason being is you need to be able to immediately build trust and confidence so that the people that you're working with and, you know, reporting to them on their.

Findings that you know, the findings that you come up with, whether it's based on their code base, if it's an application security or how they have their, you know, their infrastructure configured in the cloud. So you're credible, right? You have to have that credibility. So I think those are important.

If you're in kind of the governance, risk and compliance area, you really need to understand who your audience is and what matters to them. I mean, I think you need that in general anyway, just as an I. T. Professional. But yeah. If you're, you know, setting policies and running awareness campaigns and, you know, assessing the risk of third parties and all those things that the governance risk and compliance people do you have to be able to wear, you know, walk in their shoes and understand exactly what it is that they care about because they don't wake up every morning and care about security.

I mean, they may care that the company is secure, right, as a whole. That's a general kind of way of being, but they don't wake up to do it every day. And so you got to kind of latch on to what it is that they do. And then the kind of the other pieces of the organization, it's a security function, you know, I call like the security operations piece, the incident response slash Intel organization.

They well, they're not as, you know, wouldn't call them back office kind of IT folks, you know, or security folks, but they are definitely, you know, running the tools and they're mostly security operations in general. They're mostly working with other technologists for the most part. And so having, you know, having a background in infrastructure or you know, networking or any of those, I think is really important because people don't, I don't, you know, it's, it's not as rare now.

As it was before, but rarely did people come out of college and go right into security, right? They're doing, I think that's more happening a little bit more now, because obviously there's actual degrees in cyber security and, and, and that there weren't before. And so I think people are coming out of school now and going into cyber.

And I think that those curriculums have, you know, the ones that we have a university of Texas, San Antonio here, UTSA, and they do an awesome job of, of really well rounded education for the people that are going through those programs.

Neal: I'm gonna shout out someone at UTSA, Dr. White. Amazing dude, amazing program. Completely agree. NSA affiliated and accredited program for those listening.

Janet Heins: Awesome.

Elliot: I, I just have to say, I think you actually ended up answering this in a much better way than I anticipated, which is not trying to drill down into the different aspects of cybersecurity, which obviously you can break that apart in way too many ways, but really looking more at this from like a cultural perspective and like those elements that is like, you know, so Neal and I have a passion for helping people like break into this space.

There are. Some what needless barriers of entry for a lot of people, but I think the way that you'd position is those qualities that are missing, like on paper. Yeah. Oh, okay. I've got S plus M plus eventually you want to get all that good stuff. And it's very granular, but like, those other elements that you just stated are generally missing.

Like, you know, you can't say it's like bedside manner and all that and conversational, but like, you know, the curiosity elements are generally missing. And if that's the kind of things that. Okay. People with your stature are looking for that is so important for people to understand. So I, I just want to point that out that that's I, I really appreciate that you share that instead of just the aspects of, oh yeah, clearly you've got to get X, Y, and C on paper.

Janet Heins: Yeah. I think that people who say they want to get into cybersecurity, I always wonder like there's so many different roles in cybersecurity and they're very different from each other, right? Just like all IT practitioners are not the same. You've got people that work on apps, people that work on infrastructure, people that work in project management, you know, all different, you know, architecture, right?

So I think it's understanding that there's not like a single cybersecurity role, but there's. Many different ones. And some people will work with their heads down and don't need to talk to people every day. And some people only talk to people every day in that role, you know, so it's really understanding that and gravitating towards, you know, what your skill set is and what your interests are and where your passion is.

Elliot: Love it. Yeah, that is just fantastic perspective. You know, I think that's just more fuel for that podcast that I know you want to eventually spin off into. But that all said again, I, I just want to thank you for joining in and providing your perspective. Where. We've already monopolized quite a bit of your time.

So thank you so much for taking some time again to chat about prevention and just your background and of course, how you were able to wrangle such a monstrosity of a system with so many different you know, points involved. So again, we just really appreciate you coming in and kind of sharing that perspective with our listeners and occasional viewers.

Janet Heins: Thanks for having me.

Adopting Zero Trust
Adopting Zero Trust
Today, Zero Trust is a fuzzy term with more than a dozen different definitions. Any initial search for Zero Trust leads people to stumble upon technology associated with the concept, but this gives people the wrong impression and sets them off on the wrong foot in their adoption journey. Zero Trust is a concept and framework, not technology.
We are on a mission to give a stronger voice to practitioners and others who have been in these shoes, have begun adopting or implementing a Zero Trust strategy, and to share their experience and insight with peers while not influenced by vendor hype.