Cloud Security Today

AI agents are moving from answering questions to taking action. That changes everything for identity and access management.In this episode, Ken Huang joins Matt to break down why traditional IAM was not built for agentic AI, where service accounts and OAuth scopes fall short, and what CISOs should do now to govern agents before they hit production at scale.Episode LinksKen's substackKen's paper from 2011 on AI (he was way ahead!)NIST AI RMF

Send a textNate Lee discusses his transition from a CISO role to fractional CISO work, emphasizing the importance of variety and exposure in his career. He delves into the rise of AI, particularly large language models (LLMs), and the associated security concerns, including prompt injection risks. Nate highlights the critical role of orchestrators in managing AI interactions and the need for security practitioners to adapt to the evolving landscape. He shares insights from his 20 years in cybersecurity and offers recommendations for practitioners to engage with AI responsibly and effectively.TakeawaysNate transitioned to fractional CISO work for variety and exposure.Prompt injection is a major vulnerability in LLM systems.Orchestrators are essential for managing AI interactions securely.Security practitioners must understand how LLMs work to mitigate risks.Nate emphasizes the importance of human oversight in AI systems.Link to Nate's research with the Cloud Security Alliance.The future of cloud security.Simplify cloud security with Prisma Cloud, the Code to Cloud platform powered by Precision AI.Disclaimer: This post contains affiliate links. If you make a purchase, I may receive a commission at no extra cost to you.

Send a textMeg Anderson, the CISO at Principal Financial Group, discusses her 17-year tenure as a CISO and the factors contributing to her long-term success. She attributes her longevity to her passion for the job and the opportunities for growth and development at Principal. Meg emphasizes the importance of understanding the business impact of cybersecurity and holding people accountable. She also highlights the significance of focusing on the basics of cybersecurity and not getting caught up in the latest trends. Meg shares her experience with mentorship and its role in her career. She also discusses the programs implemented at Principal to attract and retain cyber talent, such as a formal mentorship program and a robust internship program.TakeawaysPassion for the job and naivete can contribute to long-term success as a CISO.Understanding the business impact of cybersecurity and holding people accountable is crucial.Focusing on the basics of cybersecurity is essential, rather than getting caught up in the latest trends.Mentorship plays a significant role in career development.Taking time away from work is essential for personal growth and avoiding burnout.Chapters00:00 Introduction and Long-Term Success as a CISO03:15 The Importance of Naivete and Passion06:34 The Role of Mentorship10:54 Attracting and Retaining Cyber Talent12:50 Organizing a Cyber Youth Summit21:13 Building a Cyber Program Around Company Culture28:07 Focusing on the Basics of Cybersecurity36:19 Personal Growth and Parting WordsThe future of cloud security.Simplify cloud security with Prisma Cloud, the Code to Cloud platform powered by Precision AI.Disclaimer: This post contains affiliate links. If you make a purchase, I may receive a commission at no extra cost to you.

Send a textEpisode SummaryOn this episode, Global Head of InfoSec and GRC Strategy at VMWare, Ashish Suri, joins the show to discuss data security and AI. Ashish has over 20 years of experience in business transformation, cybersecurity, data privacy, and enterprise risk management. He has served in numerous roles, including Head for Data Risk, Privacy, and Cybersecurity at Apple, Head of Technology Process and Controls at PayPal, and Senior Director of Finance Internal Controls at Visa.Today, Ashish talks about the distinction between data secrecy and data security, data security in the Cloud, and the business benefits of investing in data security. How does AI fit into security? Hear about cost-effective risk mitigation strategies and the evolving DSPM space, and get Ashish’s formula for personal growth. Timestamp Segments· [01:33] Ashish’s role at Apple.· [04:27] Data secrecy vs data security.· [07:20] Data security in the Cloud.· [09:30] Ashish’s approach to data security.· [13:53] What does a business get out of data security?· [17:34] The CIA Triad.· [21:39] AI and Cloud security.· [24:24] AI in cybersecurity products.· [27:59] Cost-effective risk mitigation strategies.· [30:49] Wading through the DSPM space.· [35:15] Ashish’s growth formula.· [37:06] Being humble.· [38:00] Ashish’s parting words. Notable Quotes· “The more we are out there in the Cloud, the larger our footprint becomes, and the risk continues multiplying in different directions.”· “Speed, accuracy, and automation will also get complimented with people, process, and technology.”· “Keep learning and keep listening.” Relevant LinksWebsite: Bedrock Security

Send a textEpisode SummaryOn this episode, Best Selling author of Cyber for Builders and blogger Ross Haleliuk joins the show to talk about his writing on the cybersecurity industry. Ross is active in the cybersecurity ecosystem as a startup advisor and angel investor, currently leading the VIS Angel Syndicate. He often writes about cybersecurity, security investment, growth, and building security startups on TechCrunch, in other leading industry media, and in his blog, Venture in Security, read by tens of thousands of security leaders every month.Today, Ross talks about the usefulness of apprenticeship programs and the impact of AI on the talent shortage. What makes the talent shortage a qualitative issue? Hear about AI and cybersecurity problem-solving, Ross’s recently released book, and how Ross stays sharp (and fit). Timestamp Segments· [02:23] Pivoting into cybersecurity.· [08:20] The role of project manager.· [11:24] The BISO role.· [13:41] The talent shortage as a qualitative issue.· [23:58] Apprenticeship programs.· [30:51] Qualitative vs quantitative talent shortage.· [33:15] The impact of AI.· [39:06] AI in cybersecurity.· [41:54] What is Ross writing about next?· [43:12] How Ross stays sharp. Notable Quotes· “A lot of problems in cybersecurity are not unique to the space.”· “It is difficult to find an entry-level job in the technology space, period.”· “There is a shortage of senior talent, but there is also an oversupply of junior talent.” Relevant LinksLinkedIn: Ross Haleliuk Resources:ventureinsecurity.netThe future of cloud security.Simplify cloud security with Prisma Cloud, the Code to Cloud platform powered by Precision AI.Disclaimer: This post contains affiliate links. If you make a purchase, I may receive a commission at no extra cost to you.

Send a textEpisode SummaryOn today’s episode, Senior Advisor and Strategist at the Cybersecurity and Infrastructure Security Agency, Allan Friedman, joins Matt to discuss SBOMs. As Senior Advisor and Strategist at CISA, Allan coordinates the global cross-sector community efforts around software bill of materials (SBOM). He was previously the Director of Cybersecurity Initiatives at NTIA, leading pioneering work on vulnerability disclosure, SBOM, and other security topics.Before joining the Federal government, Friedman spent over a decade as a noted information security and technology policy scholar at Harvard’s Computer Science Department, the Brookings Institution, and George Washington University’s Engineering School.He is the co-author of the popular text Cybersecurity and Cyberwar: What Everyone Needs to Know, has a C.S. degree from Swarthmore College, and a Ph.D. from Harvard University.Today, Allan talks about SBOMs and their adoption in non-security industries, Secure by design and secure by default tactics, and how to make software security second nature. What, exactly, is the SBOM? Hear about how SBOMs could’ve helped against significant attacks, the concept of antifragility, and why vulnerability disclosure programs are so important. Timestamp Segments· [02:27] Allan’s career path.· [05:10] Allan’s day-to-day.· [06:15] What has been most rewarding?· [08:00] SBOMs in non-security startups.· [10:50] Real-world examples of Secure by Design tactics.· [17:30] Will software security ever seem obvious to us?· [19:30] What is the SBOM, and will it solve all our problems?· [23:41] Could an SBOM have helped against the SolarWinds attack?· [27:52] Memory-safe programming languages.· [30:16] Misconceptions around Secure by Design, Secure by Default.· [32:00] The importance of vulnerability disclosure programs.· [35:37] Antifragility in cybersecurity.· [41:47] VEX.· [44:29] How to get involved with CISA.· [48:00] How does Allan stay sharp? Notable Quotes· “Sometimes, organizations need a good excuse to do the right thing.”· “It is bananas that software that we use, and pay for, still delivers with it not just the occasional vulnerability, but very real risks that require massive investments from customers.”· “When tech vendors make important logging information available for free, everyone wins.”· “The SB in SBOM doesn’t stand for Silver Bullet.” Relevant LinksEmail: sbom@cisa.dhs.govWebsite: www.cisa.govLinkedIn: Allan Friedman Resources:Open Source Security PodcastRisky Business PodcastThe future of cloud security.Simplify cloud security with Prisma Cloud, the Code to Cloud platform powered by Precision AI.Disclaimer: This post contains affiliate links. If you make a purchase, I may receive a commission at no extra cost to you.

Send a textOn this episode, the Founder of CISO Evolution LLC, Matthew Sharp, joins Matt to talk about his book, CISO Evolution. Prior to founding CISO Evolution LLC, Matt served as a strategic advisor to CISOs of Fortune 500 and global institutions. He holds a Bachelor of Science (BS) in Electrical and Computer Engineering from the University of Colorado and a Master of Business Administration (MBA) from Colorado State University. Matt is a co-author of "The CISO Evolution: Business Knowledge for Cybersecurity Executives."Today, Matthew talks about his 2012 sabbatical, walking the Camino de Santiago, and the CISO Evolution book. Why does process matter more than analysis? Hear about value creation, business negotiations, and Matthew’s formula for personal growth.Timestamp Segments· [02:06] A bit about Matthew.· [04:30] Matthew’s sabbatical & the Camino de Santiago.· [09:21] What prompted the book?· [12:23] Why does process matter more than analysis?· [19:08] Did Matthew’s MBA lead him down this path?· [24:22] Value creation.· [27:40] Standard metrics.· [31:23] Why is it important for a CISO to know terms?· [33:32] Negotiations and decision-making.· [37:19] What’s Matthew’s formula for personal growth?· [41:12] Matthew’s words of wisdom. Notable Quotes· “If you want to be in the room where it happens, then you have to be equipped to participate in the conversation.”· “Ask the questions that go unasked.”· “Don’t be afraid to go and look like an idiot in front of another business stakeholder.”The future of cloud security.Simplify cloud security with Prisma Cloud, the Code to Cloud platform powered by Precision AI.Disclaimer: This post contains affiliate links. If you make a purchase, I may receive a commission at no extra cost to you.

Send a textWhat Serverless Can Do For You? With Mark GouldEpisode SummaryOn this episode, Cloud Security Engineer at Manhattan Associates, Mark Gould, joins Matt to talk about serverless computing. Mark is a Cybersecurity specialist, with a focus on the Google Cloud Platform, and is a Certified Google Architect.Today, Mark talks about serverless computing, the security risk to consider, and working with DevOps teams. What are the top three metrics to start with for automation and security? Hear about cloud automation, Mark’s NSG alerting system, and his greatest accomplishments in recent years. Timestamp Segments· [01:22] About Mark.· [02:49] About Manhattan Associates.· [04:46] How does cloud fit in?· [06:16] Automation in the cloud.· [09:03] Modernization at Manhattan Associates.· [10:18] Serverless computing.· [14:39] Security risks with using serverless functions.· [17:58] Mark’s NSG alerting system.· [21:27] Three metrics for automation and security.· [23:33] What should security teams be doing differently when working with DevOps?· [25:43] What is Mark most proud of?· [27:45] How does Mark continue to learn?· [30:31] Is Manhattan Associates hiring? Notable Quotes· “You definitely have to pick what kind of processes you want to automate and make sure that you’re willing to put in the work to maintain them.”· “Sometimes serverless isn’t always the cheapest option.”· “Leaders are learners.” Relevant LinksManhattan Associates: https://www.manh.comLinkedIn: https://www.linkedin.com/in/mark-gould-15a7a3149The future of cloud security.Simplify cloud security with Prisma Cloud, the Code to Cloud platform powered by Precision AI.Disclaimer: This post contains affiliate links. If you make a purchase, I may receive a commission at no extra cost to you.