We still struggle to identify and manage hardware once it reaches the end of its usefulness, or end of life (EOL). There’s often no stated expiration date up front. After years of ownership, the manufacturer lets you know by no longer supplying patch updates for the now very vulnerable equipment. Do we need to change how cybersecurity sunsets hardware?
This week’s episode is hosted by me, David Spark (@dspark), producer of CISO Series, and Andy Ellis (@csoandy), partner, YL Ventures. Joining us is Yabing Wang, VP and CISO, Justworks.
Got feedback? Join the conversation on LinkedIn.
Huge thanks to our sponsor, Entro

Full Transcript
Intro
0:00.000
[Voiceover] What I love about cybersecurity. Go!
[Yabing Wang] What I love most is cybersecurity is not black and white. It’s not about right or wrong. It’s more of art than science because everything is about what fits into the company, what kind of a risk we can take, what kind of a risk we cannot take. It’s a decision based on many, many things. It’s not black and white.
[Voiceover] It’s time to begin the CISO Series Podcast.
[David Spark] Welcome to the CISO Series Podcast. My name is David Spark, I am the producer of the CISO Series. And joining me as my co-host, who I saw just yesterday in person, and we had dinner the night before.
[Andy Ellis] It was awesome.
[David Spark] It was awesome. It’s Andy Ellis, partner with YL Ventures. Say hello to the audience, Andy.
[Andy Ellis] Erev tov, boker tov, ahar tzohoraim, laila tov. I was told I should try different languages.
[David Spark] Different languages, yes. Essentially, he is saying hello to you at whatever time it is during the day where you are listening to this very episode. So, that was in Hebrew, for which we have plenty of Israeli listeners, for that matter. We’re available at CISOseries.com where you can check out all of our wonderful programming.
In fact, our new show should be airing sometime soon. In fact, it’s around this time we’re beginning our recording of our new show, to come soon. Our sponsor for today’s episode is Entro, non-human identity and secret security platform. If you’re not clued into that, you’re going to be clued into it on this very episode.
Stay tuned for just that. But before we go on any further, Andy, where we just saw each other was in Philadelphia for the CyberMarketingCon, and this is the third one they’ve had. I’ve been at number two, I’ve been at number three, and this one, I think, was 40% bigger than the last one.
[Andy Ellis] Yeah.
[David Spark] You were at two and three too, were you?
[Andy Ellis] I was at two and three as well.
[David Spark] And you spoke with a panel of VCs. What was the highlight for you for what you did, anything else, your eagerness for next year?
[Andy Ellis] So, I think my highlight was we did all of this prep. It actually was not very much. We got on one call and we’re like, “Oh, we’ll do something like this,” and we had like 15 questions. Then we said, “What if we just asked the audience to give us questions right up front?” So, we introduced ourselves and we said, “Hey, before we get into the prepared questions, we’ll take your questions because those are more important.” We never got to the prepared questions.
[David Spark] Yeah, well, honestly, that’s how I also run the Super Cyber Friday event, I prepare a bunch of questions, but assuming that the audience has relevant, good questions, I always lean on those first. Always. And I have mine as a crutch.
[Andy Ellis] Yeah. What I hadn’t really thought through was we had four different VCs, all of whom have slightly different theses, and I hadn’t really considered how much that really affects our different outlooks. We’re all different sized funds. We work at different stages. And so I was learning from them.
[David Spark] Well, I liked how you talked about there is a different level of co-op-etition that you have.
[Andy Ellis] Right.
[David Spark] Well, I got a chance to do our game show there, which takes some of the games from this show, from our Super Cyber Friday show. The year before, I had done my business networking pickup lines, and I was saying I love the fact that we were asked to do this. We were also sponsors of the event.
We love to sponsor the event as well because we love supporting the community because that community is exactly who sponsors and supports us. So, we love giving back, for that matter.
[Andy Ellis] Mm-hmm.
[David Spark] But next year, I got to think of something else creative.
[Andy Ellis] Yeah.
[David Spark] If I’m going to get a chance to be on stage.
[Andy Ellis] So, the thing I want to think about, because I ran into one of my colleagues from one of our portfolio companies, she was speaking at the event, and she was so excited because all of the people marketing at the event wanted to talk to her. She’s like, “I feel like I’m getting the CISO treatment because everybody wants to talk to me and pitch me.”
[David Spark] She was getting wined and dined.
[Andy Ellis] Wined and dined. You love it your first time, and after a while, you’re like, “Oh, my God. I’m tired of this.” And I’m really wondering if there’s a nice sort of play on that because you’re going to have the marketers in the room, but they’re being marketed to as well, and I don’t know if there’s some interesting game show you could do around that one.
[David Spark] Getting the wining and dining, that’s a cool… Well, it could just be another game we could play.
[Andy Ellis] Yeah.
[David Spark] We could try to come up with a whole slew of new games too. That’s another possibility. All right. Enough of this. That’s to come next year. We’ve got a show to record right now, and we’ve got a great guest. Who, I ran into this woman who we’ve had on before, not on this show, on Defense in Depth, ran into her when we did a live show in Dallas at CIRSx Dataset Conference.
It is the VP CISO for Justworks and the brand-new author of 97 Things Every Application Security Professional Should Know, published by O’Reilly. None other than Yabing Wang. Yabing, thank you so much for joining us.
[Yabing Wang] Thank you for having me again.
Could this possibly work?
5:08.658
[David Spark] “We’re starting to see a crush of posture management tools, applications, identity, and so on, which risks blurring lines of what is really going on here,” said Gunnar Peterson, CISO, Forter, in a blog post trying to shed light on how cloud security and data security posture management, or DSPM tools can be complementary.
He said, by starting with data assets, DSPM offers capabilities outside of typical security tool scope, like data classification, scanning, and control mapping. The idea being to put a better defensive posture around the asset of data itself rather than the things transporting it or using it. So, if DSPM lives up to that promise, and I’ll start with you, Andy, what current categories does it disrupt, and how does it actually help to make security more manageable?
[Andy Ellis] Well, I think that one of the challenges the DSPM industry has, and there’s been a lot of consolidation out of that industry, of DSPM vendors being acquired by other vendors and some DSPM vendors buying others, is that at the end of the day, like the security posture management industry, which is just focused on, “We’ll scan and tell you what’s wrong.” Like, CISOs are looking for solutions, and it’s only a piece of the solution.
It’s sort of that core central dashboard.
[David Spark] By the way, we’ve harped on the, “Don’t tell me what’s wrong, I got it,” kind of problem.
[Andy Ellis] Right. Yeah. And I worry about that is that, like, there’s more and more security spaces, and as an investor, trust me, I see a lot of pitches from people like, “Well, I will collect all of this data, and I’ll tell you more about what’s wrong in your environment.” And I do love it. Just to be very clear, you have to know what’s wrong so you can fix it.
But if you’re not giving ways for people to fix a problem, then you’re not being a complete solution.
[David Spark] Right.
[Andy Ellis] So, a DSPM that includes a DLP, or a DLP that includes a DSPM, like, that becomes really interesting. Or a DSPM with tokenization. And so I love the data security focus. Just to be very clear, I made an investment in DSPM, and we already had an exit there. I’m a believer in this idea that we need to be very data-centric and not just platform-centric, which is a lot of what historical security strategies have been.
[David Spark] Yes. And by the way, we’ve had a few vendors in the past who have had different data security models that are very focused on data and not platform, as you just said. All right. I’m throwing this to you, Yabing. First of all, do you think it’s disrupting certain categories?
[Yabing Wang] It’s hard for me to answer that piece because I have a thought on this.
[David Spark] Go ahead.
[Yabing Wang] That is to say, I do agree data is the core of what we do for security, but data is not the only thing we do for security. There are some companies, and they may put the availability actually above data. Losing data is bad, but it’s even worse if you cannot function. So, from that perspective, I cannot imagine DSPM does everything.
So, I think the cloud and another part of the security posture management is still needed. It’s just not… I don’t think they should replace each other. I also don’t think a DSPM should be expanding and doing everything. So, that’s one thought.
The second one is I do agree with Andy. So, when I look for a DSPM, I should say like my expectation of a DSPM, I want them to answer me three questions as a CISO. Number one, where’s my data? So, that’s what I generally do, right? Data discovery, classification, tagging, blah, blah. The second one, I want to understand where’s my data going?
That’s more of a data lineage part of it. Not every DSPM vendor does that, but I think that will give us more context, more from a risk perspective of understanding the piece.
The third one that’s also very important is do I have enough protection for the data? Because I don’t want to use the word secure. In other words, a secure data is something like it’s blocking, stopping. But to me, the reason the data exists is for the business purpose. Therefore, our goal is for protection.
So, I’m looking for solutions, right? The third question does that. What solutions can be part of it? So, to me, if a DSPM can do three things together, that will be a great interruption of the market.
What’s the motivation to do this?
9:25.535
[David Spark] On Cyber Security Headlines, we recently covered a story about D-Link disclosing the existence of a serious remote code execution bug on end-of-life VPN routers, flat-out telling people to throw out those routers and get a new one. Now, this struck one of our listeners, who left a comment on YouTube saying, “This reminds me of that end-of-life for devices should be taken as seriously as for software updates.” Now, that sounds like a great idea, but given the inherent cost of replacing hardware versus patching software, how can we bring these two processes more in line with each other, and where might this strategy fall down?
I will start with you, Andy.
[Andy Ellis] So, this is a really complicated issue, and I actually have it in my house with a home automation system that is so far beyond end-of-life that the manufacturer no longer has a test platform. Because you can’t actually build this hardware anymore. This is a really important thing for people to understand, that the chip fabs move on.
[David Spark] So, are you announcing to our audience that your home network is beyond end-of-life?
[Andy Ellis] Part of it is, and it’s disconnected from everything else.
[David Spark] Okay.
[Andy Ellis] It literally has its own network to run automations on, and nothing is connected to that. When I need to have a service call for it, a tech physically has to come out because I’m not going to let it connect to anything. This is an interesting challenge of you just can’t get software updates past a certain point.
Especially if it’s firmware, where you have to interact with hardware, the hardware isn’t manufacturable anymore because the fabs don’t exist, the fabs all moved on. They’re mass producing. We’ve got better technology now. I think that we should take a lesson from Apple, honestly, which is Apple treated iPhones as disposable objects, and they basically said past a certain point, “Have a nice day. This thing is not going to work anymore.”
[David Spark] They kind of tell you at purchase, don’t they? Don’t they give you the timeline of purchase, sort of?
[Andy Ellis] Kind of, sort of, not really.
[David Spark] I mean, but what is it? But everyone knows it’s just like a few years and forget it. And wouldn’t you say operating systems, it’s the same way too?
[Andy Ellis] Right. But when they brought out the iPhone 1, and then all of a sudden they stopped supporting them, and then they basically made them not work, everybody freaked out. But that kind of is the model you have to do when software and hardware are so intertwined. At some point you have to say…
[David Spark] Now you’re politely saying you have to do. The rest of the market says they’re crooks forcing us to buy new stuff.
[Andy Ellis] Yep. But it means that because we don’t have to deal with backwards compatibility, we get some really cool things like over-the-air updates that just work.
[David Spark] All right.
[Andy Ellis] Whereas if they were still supporting iPhone 1s, you wouldn’t be able to do that in iOS.
[David Spark] So, Yabing, what do you think about this situation where, like, just that piece of hardware, don’t trust it anymore, that it should be in landfill?
[Yabing Wang] I think in general, I do agree it’s too complicated. It probably works particularly for devices like your iPhone, right? Those portable, smaller devices. But if you look at some traditional industry, like a manufacturer or healthcare, huge equipment, right? If they have those kind of things…
[David Spark] Yeah. Well, yeah, there’s a big difference between D-Link router and an MRI machine. Yes.
[Yabing Wang] Exactly. So, I mean, the higher you go from the router, it’s more difficult, right?
[David Spark] Yes.
[Yabing Wang] The lower you go, it’s much easier.
[David Spark] Right. Exactly. But in this case, we’re not talking about the MRI machines and, yeah, that’s a whole different segment and story, but we’re talking about this D-Link router, which a single one, not that big a deal. But let’s say your whole freaking company’s got 100 of these darn things all over the place. You’ve got probably a big problem, don’t you?
[Yabing Wang] Yes. That’s back to the point of there’s nothing black and white, right?
[David Spark] Mm-hmm.
[Yabing Wang] So, you got to assess in your situation, what matters? Yes, cost matters and compare the cost. Well, how about the risk, right? I think comparing everything, maybe my company will have a different decision than your company.
[Andy Ellis] The one thing I will say, which is if you’re going to say that this router is end-of-lifed, and you should throw it away, then you should not on your website have a way to say, “Oh, show me a reseller who will sell me one of them.”
[David Spark] Hold on, wait. You can buy this one?
[Andy Ellis] I literally went on D-Link’s website, put in the model number for one of them, it popped up and said, “Oh, if you want to find a reseller.” Now, what’s fascinating is no resellers in the United States. It’s mostly in Africa and the Middle East are the places that you can still buy these.
So, apparently there are certain communities that D-Link would like to have them sold to.
[David Spark] They have no problem making money from the thing they told you to stop using.
[Andy Ellis] I mean, it’s quite possible that these are resellers who bought a huge stockpile right when they went to go be end-of-life. Somebody should sort of look into that because it’s sort of awkward. I looked at the ones that were end-of-life this year.
[David Spark] I think the problem with the hardware is we are not getting the warning like we get with software. Because Microsoft gives you a warning like, “Hey, XP, we’re going to stop supporting this on this date a year from now.” So, you’re given a nice long runway. Routers, I don’t think we’re ever given that runway, they go, “Oh, my! Crap! We can’t deal with this anymore. You’re on your own.”
[Andy Ellis] I mean, it’s possible that there was notification, but there’s no user interacting with the device in a way that you can get the notification. It’s very different when you have an operating system, the operating system tells you.
[David Spark] To a level you could register your device, have an email, that kind of a thing.
[Andy Ellis] Yep. So, it’s a fascinating problem of how do you go deal with it? And partly, I think this is D-Link’s response to all the people who said, “Well, you need to provide support and patches for the life cycle of the device,” and they’re saying, “Well, we define end-of-life as a date, not when the last device stops powering up.”
Sponsor – Entro Security
15:29.696
[David Spark] Our sponsor for today’s episode is Entro Security. Remember I told you about them at the beginning of the show, non-human identity and secrets security platform? Well, here’s a stat that might surprise you – 62% of all secrets are duplicated and stored in multiple locations, without most organizations even knowing.
This duplication creates an even bigger attack surface, leaving you vulnerable to leaks, breaches, and unauthorized access. Now, when it comes to protecting non-human identities and secrets, knowing where your sensitive data is stored is half the battle.
That’s why Entro Security has developed powerful discovery and inventory capabilities. With just one click, Entro seamlessly integrates with all your systems, mapping historical context of every place where secrets can be stored or potentially exposed. We’re talking about vaults, code repositories, and even collaboration tools.
Entro Security’s discovery and inventory tool identifies these overlaps and gives you complete visibility into where all your secrets live. With this level of insight, you can finally clean up, secure, and control your data in a way that’s never been easier or more efficient. Simplify your security with Entro Security and stay ahead of your non-human identities.
For more, go to entro.security.
It’s time to play “What’s Worse?”
16:57.455
[David Spark] All right. It is time to play “What’s Worse?” Yabing, I know you’re familiar with this because you saw us play this on stage and you’ve heard this show before, but you haven’t had a chance yet to play “What’s Worse?”, have you?
[Yabing Wang] No.
[David Spark] Well, stay tuned. I’m about to read this. First of all, know that Andy gets to answer first. That allows you more time to think about it and also decide whether you want to agree or disagree with Andy. I will tell you, I love it when people disagree with Andy. No pressure.
[Yabing Wang] [Laughter]
[Andy Ellis] I love it when people disagree with David and agree with me. No pressure.
[David Spark] All right. This comes from a regular guest of ours who I had on-stage live in Houston, Jerich Beason, who’s the CISO over at WM. Here we go. What’s worse? You’ve been breached by an attacker. That’s not it. [Laughter] What’s worse is, if they call your regulators and the SEC to explain exactly what they did and how they did it, or they call and email all your customers and explain exactly how they did it.
What’s worse, Andy? The SEC or your customers?
[Andy Ellis] This is a really interesting one to approach because if you’re an amazing company, you’re going to have that conversation in front of all of them. Now, the reality is you have to have that conversation in front of the SEC. That’s just part of your diligence. Like if it’s a serious breach, they’re going to come and say, “How exactly did this happen?” So, they’re just sort of preempting you.
Hopefully, you didn’t try to cover it up. They just beat you to the punch. With your customers, you get a little bit more control over the conversation. So, I’m going to go given that, that’s my take, which is they’re beating me to the punch either way. But on one side of it, there’s no new information. On the other side, there is new information I’m not going to share.
[David Spark] Well, they could be lying to the SEC or expose other things that they shouldn’t.
[Andy Ellis] You cannot change the scenario. Jerich did not say that they lied. Jerich said…
[David Spark] You’re right. He explained exactly what they did. You’re right. There’s no lies in here.
[Andy Ellis] Right. So, they basically wrote up an incident report and they sent it to all your customers, or they sent it to the SEC.
[David Spark] The way I see it, they’re doing you a benefit here because you’d have to do it yourself.
[Andy Ellis] Right. In a sense, they’re forcing you to do the right thing. But I will say that what you tell to the SEC has to be really close to what the adversary hypothetically is telling them, and what you tell to your customers does not. It should, but there’s stuff you’re going to probably leave out in the interest of having a saner conversation.
[David Spark] So, I’m hearing a leaning towards the customer is far worse.
[Andy Ellis] I think them contacting your customers is worse than contacting the SEC.
[David Spark] All right. Yabing, I throw this to you. Do you agree or disagree? Which one is worse?
[Yabing Wang] I hate to agree with Andy. [Laughter]
[David Spark] Nobody likes to agree with Andy. [Laughter]
[Andy Ellis] Everybody loves to agree with Andy.
[Yabing Wang] Yeah, and just to add on one more thing here is that, at least from what I saw, that a really good intent from the companies is to make sure we actually let customers know as much as possible to show, “Yes, things happen, but really we care,” right? From that particular angle, I’d rather tell them first, not have them hear from the bad actor directly.
[David Spark] Yeah. So, essentially, they’re ruining your customer relations if they come in. With the SEC, it’s just like, “Well…”
[Andy Ellis] The SEC is already an adversarial relationship in this case.
[David Spark] Yeah.
[Andy Ellis] And so they’re not making it much worse. I mean…
[David Spark] They don’t help you with your sales.
[Andy Ellis] They’re not helping.
[Laughter]
[Andy Ellis] And honestly, look, if they go to the customers, then the SEC gets whatever the customers get anyway. So, functionally, the SEC is included in notifying the customers because somebody will just send this to the SEC when the SEC asks.
[David Spark] All right. You’re fully behind this, Yabing?
[Yabing Wang] I am.
[David Spark] All right. Kudos to Jerich Beason on that one. It was good.
[Andy Ellis] But I love the scenario, Jerich. Even if it was more easy for us, I think this is a really fascinating scenario to think about.
They didn’t think that through all the way, did they?
21:10.741
[David Spark] We all know the immortal quote from philosopher George Santayana, “Those who cannot remember the past are condemned to repeat it.” But analyst Richard Stiennon of IT-Harvest recently pointed out that cybersecurity as an industry lacks any serious history of systems of record in the long term.
Heck, this is a good reference to the stories you’re talking about the end-of-life stuff here. He points out the company suffering for this with leadership lacking the shared memory of founders and buying into their own marketing around platformization. But is platformization designed for security vendors to consolidate and also vertically integrate, or is it designed for the needs of security professionals?
And inclusive of everyone, what bad behaviors in cybersecurity that we know are wrong are we still repeating? So, kind of a twofold question here for you, Yabing. First, who is platformization for? Let’s just answer that one, vendors or the customers?
[Yabing Wang] I’ve been [Inaudible 00:22:17] customers for so long, so I can definitely speak for that part. Yes, that’s kind of for us, but I do think it’s for both. The part for us is that as CISOs, as a security organization, that we really don’t want to handle too many tools. It’s like a lot of integration needed and then they are all solving individual problems, and it gives us more actual operational headache as well.
So, from our perspective, we definitely would prefer a single pane of glass. We would prefer a strong, solid platform can solve many problems. However, it’s a hard line to draw. The more you want to do, the more you claim you can do everything, the more I’m thinking you cannot do anything, right? So, it’s hard to be really good at everything.
[David Spark] Yes, yes. That’s a very, very good point. Hold on. I’m going to come back to the second question in a second. I want to go to you, Andy. What do you think about that last thing? Because the more you say you can do everything… Because this is the one thing we hear from CISOs all the time when they talk to a vendor, “Tell me what you can do, and please tell me what you cannot do.”
[Andy Ellis] “Tell me what problems you don’t solve well.” And I think the biggest challenge you run into in the vendor space, and having been a vendor before, it’s a challenge, is figure out what you’re really good at, and often you can solve 30 problems with adjacent solutions that all build on the same concept.
Like at Akamai, we were a CDN. We understood how HTTP worked better than anybody on the planet, and so we could just keep on bringing out products that solve HTTP problems, whether it was performance, acceleration, security, everything. And it’s a platform, but it’s a platform that does the same thing over and over and over again, solving new problems.
That’s very different from, “Oh, like, I’m an infrastructure company and an AI company and a services company, and I’m doing very different things to be a platform.”
[David Spark] Very good point. Okay. Now let’s go to the second question that asks, what are the bad behaviors in cybersecurity that we know are wrong and we are still repeating? Yabing, do you have a good answer for this one?
[Yabing Wang] I thought one thing is, like, repeating is we know that phishing is the biggest entry point, and still, even in 2024, you see new applications come out without MFA. It’s still relying on the ID/password, and I kind of like don’t understand how this one’s still repeating at this stage.
[David Spark] That’s a good point. New tools coming out with essentially verification that don’t have a mechanism that is beyond username and password.
[Yabing Wang] That’s right.
[David Spark] Yeah. All right. Andy, what is the stupid thing we keep repeating?
[Andy Ellis] Oh, there are so many of them. I’m only allowed to pick one?
[David Spark] Pick two, three, whichever ones you want to say.
[Andy Ellis] So, I was going to go right near where Yabing is, normally I go with the like, “We don’t use process. Instead, we use email.” Like, let’s just stop right there. Like, that’s the big problem. Phishing would not be a worry if we stopped trusting email or phone calls or whatever it’s going to be.
But instead, I’m actually going to go with security user interface. The security experience sucks. Every single product that comes out starts with, is not easy to be configured for the basic security features it has, and as they add more and more security features, they get harder and harder to use.
Whether it’s AWS who has more security features than anybody else, but nobody seems to know how to use them, or any other technology you’ve got. We actually need to make it that it’s not that it is secure by default, but it’s secure by usability, that you walk in like, “Oh, this is the obvious way to configure it. We’ve got some things for you, but if you want to solve problem X, click here and it gets solved for you.” Not like, “Go watch a three-hour YouTube video and configure 85 screens,” and maybe you got it right, and now you have DKIM set up.
[David Spark] [Laughter]
[Andy Ellis] Not that I tried to do that recently.
Managing security changes for business optimization.
26:17.593
[David Spark] We talk all the time about ways CISOs can better speak to the business and look to drive value. Dan Roberts at CIO.com added to this conversation, noting that many successful CISOs embrace volatility, uncertainty, complexity, and ambiguity, or VUCA awareness, within their organization.
Leaders can’t settle for just acknowledging VUCA – again, volatility, uncertainty, complexity, and ambiguity – but they build strategies that cope with these challenges and foster a culture of resilience and future readiness with their teams. I’ll start with you, Andy, here. Can you think of an example where leaning into the realities of VUCA made for better security policy or helped inform the business about cybersecurity challenges?
[Andy Ellis] Okay, I just wanted to know, I had to go look up who, like, coined the term VUCA. This is the…
[David Spark] I had never heard it. This is my first time.
[Andy Ellis] I had never heard it. Apparently, it was first used in 1987.
[David Spark] Oh, really? It’s that old.
[Andy Ellis] It’s that old. Warren Bennis and Burt Nanus, some leadership folks I’ve actually never heard of. So, clearly, I need to create some acronyms, and in 30 years, nobody will remember I created them, but they might use them.
[David Spark] No, but that somebody on a podcast will look it up.
[Andy Ellis] So, actually, I’m a firm believer in this one, and it’s been a while since I said, “I have a chapter in my book,” so I’m going to use the, “I have a chapter in my book.” And the quote I use for this one is whether you jump out of an airplane or are thrown out, you need to have a parachute.
Right? And George Patton, or maybe it was Marshall, one of them, has a quote about junior officers and you have to be ready to seize opportunities. And the basic premise is the world is uncertain. You don’t know what is coming down the path, but you know the tools you need to assemble so that you’re ready to pivot in any direction.
So, you bake uncertainty in by saying, “Hey, like, I need to have MFA.” Why do I need to have MFA? Because we know passwords are bad. We don’t need to know what the attacks look like in the future to know that we need better authentication. That’s a tool to solve other problems. We know process is a tool.
There’s all of these things we can put together.
I go back to one, like, we built the zero-trust network access program at Akamai. The first one, we built it for ourselves. We then sold it to customers. And I will tell you, it started with us deploying X.509 certificates on every device because we implemented 802.1X on our corporate wired network.
Let me tell you, that was a waste of time to have 802.1X but having a way to get certificates to every device was valuable. It was a tool that we could use and pivot when we realized, “Oh, we can take away passwords.” Our multi-factor was the cert on your device and the smartphone app to authenticate you.
Like, we could pivot and put that in place when it was relevant because we were prepared for volatility in the environment.
[David Spark] All right. This embracing of pretty much the unknown, which is what sort of the summary of VUCA is, and like thriving on that, I guess, if you will. Has security policy improved, and can you point to an example of it, Yabing?
[Yabing Wang] I would say from my experience, first one, I do agree. This is kind of like a guiding principle for us. To me, it’s really a philosophy and approach we adopt. That is, when you know there are so many things, the unknowns out there that you cannot predict, right, this whole VUCA concept, even though I don’t know the term either.
But it’s like to prepare for it, I think the two major things that kind of like embedded into our practice, the first one is highlighting cyber resilience, right? Old term is availability. The new term is really about what we can do when we know your defense, your protection may not work because there’s so much unknown out there, how can you quickly detect and respond?
And that part of resilience and the recovery steps and plans, practices are out there, and that’s one way for us to kind of like understanding the unknown and apply everything we can.
The second piece, I think Andy mentioned that as well, is you don’t know the techniques those threat actors do, but you know they will start with access. And we don’t have those old firewalls anymore, but you know what we have? We have the identity. So, if we do more things, right, around identity protection, identity controls, access controls, RBAC or entitlement, in a way, that flexibility will help to defend those kind of like VUCA.
[Inaudible 00:31:10] other words is more of our approach is assuming bad things and make your solution flexible enough to predict the future.
[David Spark] Excellent.
Closing
31:21.359
[David Spark] That brings us to the very end of this very show. I do want to thank our sponsor, and that’d be Entro Security. Remember, non-human identity and secrets security platform. Go check them out at their website, entro.security. Entro Security for more on just that. All right. But first I want to talk about, because I just briefly mentioned it at the top of the show, but you have published a brand-new book, Yabing, called 97 Things Every Application Security Professional Should Know, published by O’Reilly.
And Andy questioned whether you could actually pull off 97, and as I understand, you had a far larger number than that. Is that correct?
[Yabing Wang] Yes. So, I can imagine the question, if you are the solo author, coming up with 97 topics is hard, but this approach is different. We were seeking contributors to this book. So, we’re getting a lot of submissions to the book, and then we’re trying to pick the 97 things with great quality and relevance and depth for this application security.
[David Spark] But I’m assuming, because we’ve written stuff like this before, where you get a lot of advice. It’s not like you got 97 unique tips from 97 different people. There were, I’m sure, plenty of crossover, yes?
[Yabing Wang] Yes. So, what we started is we kind of categorized things in application security, like we would like to seek the topic vote, and they can talk about anything within the topic. If there’s any overlap, we will evaluate that, which one is more with quality and more of audience want to hear about.
And we also try to cover some topics that people don’t generally think about, but actually have a dependency or relevance to application security.
[David Spark] Now, Andy, this wasn’t your experience because you wrote your book by yourself, and you struggled on the last tips, didn’t you?
[Andy Ellis] Yeah. I will say, I have 54 chapters, each one’s independent, and there were some where I’m like, “I think I want to have a chapter about this.” And I will tell you that one of the very last chapters to get written did not get published because I wasn’t comfortable with it, and when my agent read it, he was like, “I don’t know about this.” And we sent it to the editor, and he was just like, “Yeah, yank it, and take the one paragraph that’s valuable and slide it into the chapter after it.”
[David Spark] So, it did get merged in with something else. It didn’t completely end.
[Andy Ellis] Yeah, so I had 55 chapters, and I ended up with 54.
[David Spark] Hold it. Did the 55th, any of the content get slipped into anything else, or not at all?
[Andy Ellis] Yeah. So, one of the paragraphs got slipped in and merged in because it was overlapping. It was sort of one of the things I didn’t want to do, which is it was a bridge because my chapters are all independent, and I had one that bridged. I forget which chapter number, I want to say it was in the 50s, it was like 52, 53, 54.
But 53 was like a little bit of 52, a little bit of 54 with something in between them. And we pulled that in between, slid it into 54, and we’re good.
[David Spark] If someone wants to buy either of your books, where would one go? I’m assuming O’Reilly.com, but I’m sure you can get it on Amazon as well, Yabing, yes?
[Yabing Wang] Yeah, so for this particular book, US did not do printout. But number one, you can get to the O’Reilly platform. Number two, you can get a Kindle from Amazon. On other side, they have a partner publisher in India actually printed out the book.
[David Spark] Okay.
[Yabing Wang] So, I bought a bunch of books from there.
[David Spark] So, just ask you to get a hard copy. [Laughter]
[Yabing Wang] Yes, I will bring you one next time I see you, for sure.
[David Spark] I’m not an application security professional. That’s my problem.
[Yabing Wang] [Laughter] Actually, on that note, this book particularly is for people who don’t have a background of application security and want to understand basic concepts.
[David Spark] Do those numbers go kind of sequentially, beginner to more advanced, I would hope?
[Yabing Wang] Good point. It’s not. It’s organized by the topic.
[David Spark] All right. Now then, Andy, your book is for any yahoo pretty much.
[Andy Ellis] Yeah, you can go… It’s not for any yahoo. It is for every leader, but I like to say that leadership is not authority. So, this is not just for people who are CEOs and C-level executives, but everybody who affects the work done by someone, including themselves.
[Yabing Wang] I need you to sign the book, Andy.
[Andy Ellis] Absolutely. Come find me at a conference and I’ll sign.
[Yabing Wang] [Laughter]
[Andy Ellis] Or have me come speak to your whole team and buy a set of books and I’ll sign them all.
[David Spark] We are talking all about books, but Andy, I’m sorry, this is a long close here because there’s a lot of big mentions, but you have The State of the Cyber Nation launching, the same day this comes out, correct?
[Andy Ellis] Same day this comes out. So, it should have either just dropped or it’ll drop in a few minutes, whatever. The State of the Cyber Nation is an annual report we do at YL Ventures which covers all of the funding rounds in the Israeli cybersecurity industry. Israel is basically one of the largest cybersecurity centers, basically, from a planetary perspective.
Like Silicon Valley is pretty big, is shortly after it. And we’re starting to see some signs that the investment economy is recovering ever since sort of the slowdown that started when the 2021 bubble burst. And 2022 ended up tailing off, ’23 wasn’t good. ’24 looks like we’re starting to come back. We see more seed rounds.
We see more C rounds. A and B still hasn’t completely recovered, but that’s sort of to be expected. But really interestingly, we’re starting to see global players, the really big funds starting to play in the seed round, which is very new and unusual for them.
[David Spark] Any rationalization for that?
[Andy Ellis] Well, we think that some of it is that when they do have successful companies, but if they came in at the A or B round, they want to hold like 20% of the company. And if there’s a seed or an investor who was leading, there’s no way for a later investor to get up past 20%. You really have to have started at the seed round to end up with that level of holding unless you want to buy out the seed or an investor.
Might not want to do that at C round prices.
[David Spark] With that being said, thank you very much. Please, please, you’ll give us a link to that so we can put it on the blog post page for that?
[Andy Ellis] Absolutely.
[David Spark] And I’m sorry, Yabing, same thing. Give me a link to your book as well and we’ll include it as well.
[Yabing Wang] Yep.
[David Spark] Thank you, everybody. We greatly appreciate your contribution. Send more “What’s Worse?” scenarios where people don’t agree with Andy. Would be appreciative if you could figure that out. I’d be greatly appreciative.
[Andy Ellis] So, maybe we should do a session where I give my advice on like, what are the tricks I do to sort of box it out so that somebody can’t really disagree with me? Happy to teach people how to beat me on this one.
[David Spark] [Laughter] Okay.
[Yabing Wang] Great session. Sign me up!
[David Spark] At the next CyberMarketingCon, let’s do it!
[Andy Ellis] Oh, that’s a brilliant idea.
[Yabing Wang] [Laughter]
[David Spark] All right. Thank you, everybody. We greatly appreciate your contributions and listening to the CISO Series Podcast.
[Voiceover] That wraps up another episode. If you haven’t subscribed to the podcast, please do. We have lots more shows on our website, CISOseries.com. Please join us on Fridays for our live shows – Super Cyber Friday, our virtual meetup, and Cyber Security Headlines Week in Review. This show thrives on your input.
Go to the Participate menu on our site for plenty of ways to get involved, including recording a question or a comment for the show. If you’re interested in sponsoring the podcast, contact David Spark directly at David@CISOseries.com. Thank you for listening to the CISO Series Podcast.