Audioboom

Transcript for The Importance of Humans in Cybersecurity with Brian Smith

00:00:02,940 → 00:00:05,820

Narrator: You're listening to the Humans of DevOps Podcast, a

00:00:05,820 → 00:00:09,450

podcast focused on advancing the humans of DevOps through skills,

00:00:09,480 → 00:00:13,800

knowledge, ideas and learning, or the SKIL Framework.

00:00:17,170 → 00:00:19,870

Brian Smith: In a lot of companies they see the CISOs.

00:00:19,870 → 00:00:23,260

They were doing all this, but there's this DevOps group over

00:00:23,260 → 00:00:26,620

here, and I'm not quite sure what they're doing, I fully

00:00:26,620 → 00:00:29,800

understand it and so bridging that gap, I think is sort of

00:00:29,800 → 00:00:31,840

where a lot of companies are fairly immature.

00:00:34,000 → 00:00:36,520

Eveline Oehrlich: Hello, all this is Eveline Oehrlich, Chief

00:00:36,520 → 00:00:39,370

Research Officer at DevOps Institute, and this is the

00:00:39,370 → 00:00:45,310

Humans of DevOps Podcast. We are excited to have a wonderful

00:00:45,310 → 00:00:50,230

gentleman with us today, Brian Smith. But before I introduce

00:00:50,230 → 00:00:54,040

Brian, to you, the title of our episode today is the Importance

00:00:54,070 → 00:00:58,810

of Humans in Cybersecurity. As you all know, we're focusing

00:00:59,110 → 00:01:03,670

much on the human angle within DevOps and and the greater

00:01:03,670 → 00:01:07,060

topic. So welcome, Brian. Hello, there.

00:01:07,660 → 00:01:10,750

Brian Smith: Hi, It's great to be here. Thanks for Thanks for

00:01:10,750 → 00:01:11,200

having me.

00:01:11,450 → 00:01:14,330

Eveline Oehrlich: Thanks for taking the time out of your busy

00:01:14,330 → 00:01:19,940

day to come to us and speak with us and me quizzing you on a

00:01:19,940 → 00:01:23,900

variety of things. So let me, to our audience, introduce Brian a

00:01:23,900 → 00:01:26,690

little bit here. There's a lot of things I will read because I

00:01:26,690 → 00:01:30,050

cannot remember them all. So Brian Smith is a 20 year

00:01:30,050 → 00:01:34,280

veteran, an entrepreneur in multimedia, cybersecurity, and

00:01:34,280 → 00:01:39,800

technologies alike. He is co founder and CTO at Spyderbat, an

00:01:39,800 → 00:01:42,710

automated runtime security platform, we'll talk a little

00:01:42,710 → 00:01:48,770

bit about Spyderbat in a minute. spider bit Just quickly, stops

00:01:48,770 → 00:01:51,530

attacks and automates root cause analysis on cloud native

00:01:51,530 → 00:01:55,100

environments by proactively recording cloud systems and

00:01:55,100 → 00:01:58,310

container activities into a living Google Map. That sounds

00:01:58,310 → 00:02:03,020

very intriguing. So Brian has some background here and

00:02:03,020 → 00:02:07,250

technologies in 2000, Brian founded in conjunction with

00:02:07,250 → 00:02:10,580

somebody else, tipping point technologies, which was acquired

00:02:10,580 → 00:02:17,660

by three come. Then in 2009. He founded click Security acquired

00:02:17,660 → 00:02:21,170

by alert logic. I remember those guys, that's exactly the time

00:02:21,170 → 00:02:23,960

when I was thinking about going into security, but I stayed in

00:02:23,960 → 00:02:26,840

doing infrastructure and operations at my former company.

00:02:27,620 → 00:02:30,560

Brian has a PhD in Computer Science from the University of

00:02:30,560 → 00:02:35,480

California at Berkeley, and in 1994, and was the Xerox

00:02:35,480 → 00:02:39,920

Professor of Computer Science at Cornell University until 1998.

00:02:39,950 → 00:02:43,010

I'm sure maybe there are some former students of yours, Brian,

00:02:43,010 → 00:02:48,680

who are listening in wouldn't that be super? And he holds 13.

00:02:48,710 → 00:02:52,730

One three patents and is a fellow of the Alfred P. Sloan

00:02:52,730 → 00:02:57,500

Foundation. Fantastic. This reads wonderful, Brian, we're

00:02:57,500 → 00:03:03,020

excited to have you here. My first question, I have to ask

00:03:03,020 → 00:03:08,360

this Spyderbat. That's quite a name of a company. So first, how

00:03:08,360 → 00:03:11,270

did you come up with this name? And second, tell us a little bit

00:03:11,270 → 00:03:12,350

more about Spyderbat?

00:03:12,690 → 00:03:15,900

Brian Smith: Yeah, so when you this is like you said, this is

00:03:15,900 → 00:03:20,400

my kind of my third startup that I've done. And when you are

00:03:20,400 → 00:03:23,310

coming up with names for startups, there's couple of

00:03:23,310 → 00:03:26,880

considerations. One is you want it to be memorable. One is it's

00:03:26,940 → 00:03:30,900

it needs to be not too cute or too tricky. These names where

00:03:31,530 → 00:03:34,980

you say them and you can never spell them and say can never

00:03:34,980 → 00:03:38,790

find a website. And so when we were coming out when we're

00:03:38,820 → 00:03:41,220

talking about names with a company, we wanted something

00:03:41,220 → 00:03:46,290

that was kind of fun. And we're from Austin. So Austin, I don't

00:03:46,290 → 00:03:50,550

know if you know it has this big bridge that goes across the the

00:03:50,580 → 00:03:53,940

Colorado River, that big lake there in central Los I have been

00:03:53,940 → 00:03:57,540

there. And it's the Congress Avenue Bridge, and underneath it

00:03:57,540 → 00:04:02,370

has the largest colony of bats, Mexican free tailed bats in the

00:04:02,970 → 00:04:07,020

North America, I believe. And they're like the million bats

00:04:07,020 → 00:04:10,230

live under there so often is known as bats. And the city has

00:04:10,230 → 00:04:13,740

that. So we there's a type of bat called the spider bat. And

00:04:13,740 → 00:04:17,430

so we decided to have that as the name but it's spelled SPI D

00:04:17,430 → 00:04:23,190

or that they expire. And so when we went to open up our bank

00:04:23,190 → 00:04:27,450

account, we're just getting started. The guy at the bank

00:04:27,480 → 00:04:30,990

misspelled the name with spyder, and we thought well that's

00:04:30,990 → 00:04:34,770

pretty cool. So we we hadn't actually fired the corporation

00:04:34,770 → 00:04:37,440

documents yet. So we read incorporated under under that

00:04:37,440 → 00:04:39,420

name. And that's it story.

00:04:39,600 → 00:04:42,540

Eveline Oehrlich: That is a great story and the banker has

00:04:42,540 → 00:04:46,380

done you a favor by making a spelling mistake. That's a great

00:04:46,380 → 00:04:50,760

story. And at some point you want it to be instead of you go

00:04:50,760 → 00:04:54,450

Google it you want to say you go spyder batted right. That's kind

00:04:54,450 → 00:04:58,920

of the goal. So when people say let's go Spyderbat, did what?

00:04:59,160 → 00:05:01,830

What does that mean? In what what? Tell me about this Google

00:05:01,830 → 00:05:05,700

map recording? Tell us myself, of course, I'm curious as I'm an

00:05:05,700 → 00:05:08,730

analyst. Tell us about Spyderbat a little bit.

00:05:09,000 → 00:05:10,830

Brian Smith: Yeah, we've been, you know, I've been working in

00:05:10,830 → 00:05:14,820

security for for 20 years now and one of the toughest problems

00:05:14,850 → 00:05:19,140

is, you'll usually get notified about a security incident when

00:05:19,140 → 00:05:23,520

sort of when it goes boom, when something goes boom. And then

00:05:23,520 → 00:05:27,030

the tricky problem is trying to root cause that trying to figure

00:05:27,030 → 00:05:29,700

out what actually happened, do you have a bunch of

00:05:29,730 → 00:05:33,630

considerations? Like, what is it still happening? What happened?

00:05:33,660 → 00:05:37,590

What was the impact? How do I how do I stop it right now, who

00:05:37,590 → 00:05:41,010

do I need to inform and how to prevent it in the future. And a

00:05:41,010 → 00:05:44,670

lot of that is trying to figure out what happened. And the

00:05:44,670 → 00:05:47,370

problem we have right now is the traditional way that people do

00:05:47,370 → 00:05:50,100

that is they start going through the logs and trying to figure

00:05:50,100 → 00:05:54,270

out, you know, just from from log analysis, it's painful. And

00:05:54,300 → 00:05:59,370

a lot of times the data that you need is not there in a box. But

00:05:59,460 → 00:06:03,990

we looked at that and said, you know, the, these things are all

00:06:03,990 → 00:06:07,410

just computers running. And so if we could record everything,

00:06:07,410 → 00:06:10,830

build this kind of DVR like capability of everything good,

00:06:10,860 → 00:06:15,900

bad and different that happened, and then use that data to flag

00:06:15,930 → 00:06:19,620

this is interesting, this is interesting. This was something

00:06:19,620 → 00:06:23,340

bad happening. Once you have the bad, you could trace back to

00:06:23,670 → 00:06:27,420

root cause where this thing started. So we started building

00:06:27,420 → 00:06:29,400

something that could record everything that happened like a

00:06:29,400 → 00:06:35,100

DVR for your entire network. It built this map, we put that raw

00:06:35,100 → 00:06:37,470

data is if you just looked at the raw data, you'd be kind of

00:06:37,470 → 00:06:41,970

sad. So it built an analytic system that turned that into a

00:06:42,030 → 00:06:44,970

amount that you could understand, have a world call a

00:06:44,970 → 00:06:47,730

causal map that for any instance, you can say this

00:06:47,730 → 00:06:50,520

caused all this stuff to happen. And this is the stuff that

00:06:50,520 → 00:06:53,430

caused it. And then if you can just attach a security incident

00:06:53,430 → 00:06:55,800

onto that, then you can go from that and say, Okay, this is all

00:06:55,800 → 00:06:59,340

the bad stuff that happened. As a side effect of that, and work

00:06:59,340 → 00:07:03,570

backwards to this is what caused it. When you have that base

00:07:03,570 → 00:07:07,260

capability, then it's not a long stretch to add in security

00:07:07,470 → 00:07:10,260

content on top of that, that says these are bad things

00:07:10,260 → 00:07:13,710

happening. And then pretty easy to add on top of that, well,

00:07:13,710 → 00:07:17,310

let's stop it dead in its tracks. Because what we find is

00:07:17,310 → 00:07:21,030

that when something the average industry time at I'm sure you

00:07:21,030 → 00:07:26,190

know this level is that when something bad has happened, it's

00:07:26,220 → 00:07:29,310

56 days that they've been in your network, because the what

00:07:29,310 → 00:07:34,590

they call the dwell time, and then it's 178 days to actually

00:07:34,890 → 00:07:37,890

inventory everything that happened and figure out of

00:07:37,890 → 00:07:42,180

investigation time and then 96 days to clean it up. That whole

00:07:42,180 → 00:07:46,920

process is this massive manual effort. And so we by having this

00:07:46,920 → 00:07:48,690

recording, we can really crush that time.

00:07:49,110 → 00:07:51,360

Eveline Oehrlich: So you really reducing MTTR quite

00:07:51,360 → 00:07:55,140

significantly, right. That's, that's I think, to me and

00:07:55,140 → 00:07:58,620

infrastructure and operations, which is what I come from, it

00:07:58,620 → 00:08:00,630

sounds like it is an application. It's almost like a

00:08:00,630 → 00:08:03,600

dependency map, right? As we sometimes have application

00:08:03,600 → 00:08:06,510

dependency maps, but with the focus on what's actually

00:08:06,510 → 00:08:10,410

happening from a security perspective, which then allows

00:08:10,410 → 00:08:15,840

me as a team member, not necessarily security, but maybe

00:08:15,930 → 00:08:19,080

others to kind of look at it, where we can collaborate and

00:08:19,080 → 00:08:22,230

say, Hey, here's something and this is where we need to hone in

00:08:22,230 → 00:08:25,470

and need to do something file. That sounds fantastic. Great. I

00:08:25,470 → 00:08:29,550

love the name spiral bad superduper. Well, thanks for

00:08:29,550 → 00:08:33,480

sharing that anybody out there? Go check out spinal bad. But

00:08:33,510 → 00:08:38,610

again, I wanted to focus on a few things here. Because when I

00:08:38,610 → 00:08:42,450

started at Forrester, I had a colleague, and I know your

00:08:42,450 → 00:08:46,500

LinkedIn with him a John Kinder bag. I know, you know, John, so

00:08:46,620 → 00:08:52,110

John, dear friend of mine. He told me once, Eveline, you know,

00:08:52,110 → 00:08:56,460

you have to remember insecurity, it's not really, it's not really

00:08:56,460 → 00:09:00,180

to technology, it's to humans. It's the people who make the

00:09:00,180 → 00:09:05,310

change. And challenges always have a head and into shoulders.

00:09:05,310 → 00:09:09,150

Right? And I never really, I never had the chance to do

00:09:09,150 → 00:09:14,070

research with him. But I was always intrigued. And I did some

00:09:14,070 → 00:09:16,890

research before this podcast. And there's a couple of

00:09:16,920 → 00:09:19,380

challenges and a couple of shifts were actually a few

00:09:19,380 → 00:09:23,010

shifts happening. This is from Gartner want to make sure I

00:09:23,010 → 00:09:26,610

shout out to two colleagues, Gartner. And I want to highlight

00:09:26,610 → 00:09:30,330

them quickly. So first of all, this role of the CFO, the chief

00:09:30,330 → 00:09:34,380

information security officer is reshaping. So Gartner saying

00:09:34,380 → 00:09:38,700

it's reshaping from preventing breaches to facilitating risk

00:09:38,730 → 00:09:41,640

management. So that's very different, a very different

00:09:41,640 → 00:09:46,800

role. second shift is from cyber risk is a security problem to

00:09:46,800 → 00:09:49,740

cyber risk is a business problem. And I think we've seen

00:09:49,740 → 00:09:54,120

that there's multiple headlines out there, which made to the to

00:09:54,120 → 00:09:58,530

the demise of those. And then third, from security being a

00:09:58,530 → 00:10:03,810

road plaque blog to say Speed. Security is actually an Abler of

00:10:03,810 → 00:10:07,050

agile and secure products. And that's the one for me in the

00:10:07,050 → 00:10:10,950

DevOps in the DevOps folks, which is, that's a great

00:10:11,220 → 00:10:16,140

statement of shifts. But if you think about so now, your

00:10:16,200 → 00:10:20,760

question for you, Brian, if you think about the three shifts,

00:10:22,110 → 00:10:25,530

and think about the clients and your connections and your

00:10:25,530 → 00:10:29,490

networks, and the folks you talk to and your experience of 20

00:10:29,520 → 00:10:31,560

years, and I don't believe that 20 years, I think you'll have

00:10:31,560 → 00:10:36,060

more than that. But we'll leave it at that. Where are we there?

00:10:36,120 → 00:10:40,050

We will somewhere in these three things? Are we somewhere at the

00:10:40,080 → 00:10:43,650

beginning? Are we already kind of if we think of a hype cycle,

00:10:43,650 → 00:10:45,660

right, are we somewhere at the beginning of those things? Are

00:10:45,660 → 00:10:49,200

we somewhere in the middle? Or have we already matured on to

00:10:50,550 → 00:10:54,540

organizations making these shifts from that, to that? What

00:10:54,570 → 00:10:55,800

What are your thoughts on that?

00:10:56,190 → 00:10:58,680

Brian Smith: Well, I think there's three, there's a lot to

00:10:58,680 → 00:11:01,350

unpack there. But there's, there's from the risk

00:11:01,350 → 00:11:05,460

standpoint, I think that the CISOs have been taking that

00:11:05,460 → 00:11:09,570

attitude for for a fair amount of time. So I think most

00:11:09,570 → 00:11:12,270

companies are fairly mature. And I think part of that is just,

00:11:12,540 → 00:11:17,940

it's an acknowledgement of just having a very pragmatic approach

00:11:17,940 → 00:11:24,180

to it. One way, that the sort of notion that you can prevent all

00:11:24,180 → 00:11:28,260

breaches through, you know, some magic bullet security project or

00:11:28,260 → 00:11:32,160

some magic bullet process is is just kind of fantasyland.

00:11:32,190 → 00:11:37,410

Honestly, it's the waste I best way I heard described as imagine

00:11:37,410 → 00:11:41,370

a castle, like a medieval castle. And so it's got it's out

00:11:41,370 → 00:11:43,950

on a plane, and there are, you know, hundreds of windows and

00:11:43,950 → 00:11:47,850

hundreds of doors. And it's and, and you're the defender of that,

00:11:48,300 → 00:11:51,780

you have all these different ways that, that an attacker can

00:11:51,780 → 00:11:55,110

come in, and you have to defend every single possible entry

00:11:55,110 → 00:11:58,950

point. And it's just kind of this impossible, impossible

00:11:58,950 → 00:12:04,500

task. So the pragmatic approach is, to certainly shore things

00:12:04,500 → 00:12:07,980

up, you don't want to leave just everything unlocked. But then

00:12:07,980 → 00:12:11,640

also have, you know, sort of patrols and guards and humans in

00:12:11,640 → 00:12:14,340

there that are, that are watching watching the fortress

00:12:14,340 → 00:12:16,560

and saying, that's a little weird and being able to

00:12:16,560 → 00:12:20,940

investigate. And so the risk management is focusing on those

00:12:20,940 → 00:12:23,850

areas that give you the most bang for your buck on those

00:12:23,850 → 00:12:26,370

things. Whereas if a breach happened here, it doesn't really

00:12:26,370 → 00:12:29,550

matter if a breach happens here, that's really, really bad. And

00:12:29,550 → 00:12:32,790

so the risk is, you know, assessing, assessing that

00:12:32,790 → 00:12:36,450

situation, it's fairly, depending on the organization

00:12:36,480 → 00:12:40,920

fairly mature. The, the agility part is really interesting part

00:12:40,920 → 00:12:47,310

to me. Because traditionally, the security opera, you know,

00:12:47,310 → 00:12:49,860

security was a bit of a roadblock. And part of that was

00:12:49,860 → 00:12:54,330

the developers bring in security as they're the main guys come in

00:12:54,330 → 00:12:56,610

at that the last minute, and then they're the guys that say,

00:12:56,610 → 00:13:00,570

Hey, wait, we need to make this secure. And it feels like it

00:13:00,570 → 00:13:03,930

slows things down. And by involving them earlier, earlier

00:13:03,930 → 00:13:06,900

in the cycle, which is a lot of the ship left stuff, that

00:13:06,900 → 00:13:12,780

opportunities that we've seen, you end up being able to, for

00:13:12,780 → 00:13:18,870

them to become enablers of having things go faster, but

00:13:18,870 → 00:13:21,840

still, we still have to be secure as we deploy these

00:13:21,840 → 00:13:28,170

things. And part of the reason for that is just that, if you if

00:13:28,170 → 00:13:31,350

you're not secure, if your application gets popped, you're

00:13:31,350 → 00:13:35,640

gonna have a really bad week, or really bad month while you try

00:13:35,640 → 00:13:38,550

to, you know, clean up and assess the damage and stuff as

00:13:38,550 → 00:13:42,420

as a developer or development manager, DevOps. So it's all in

00:13:42,420 → 00:13:46,350

all our interest to prevent that from happening also from from

00:13:46,350 → 00:13:49,320

the business standpoint, and I think the business side is just

00:13:49,320 → 00:13:52,920

the recognition of, of all the damage that these things do to

00:13:52,920 → 00:13:56,070

the business. And so it's gotten bored level attention at this

00:13:56,070 → 00:13:58,260

point. So it's not just the security group that says

00:13:58,260 → 00:14:01,890

isolated silo, but it's much more on the business side.

00:14:04,270 → 00:14:06,760

Ad: Are you looking to get DevOps certified? Demonstrate

00:14:06,760 → 00:14:08,770

your DevOps knowledge and advance your career with a

00:14:08,770 → 00:14:11,740

certification from DevOps Institute, get certified in

00:14:11,740 → 00:14:15,520

DevOps Leader, SRE or DevSEC Ops, just to name a few. Learn

00:14:15,520 → 00:14:19,270

anywhere, anytime. The choice is yours. Choose to get certified

00:14:19,270 → 00:14:22,720

through our vast partner network self study programs, or our new

00:14:22,720 → 00:14:25,720

skillup elearning videos. The exams are developed in

00:14:25,720 → 00:14:28,270

collaboration with industry thought leaders, and subject

00:14:28,270 → 00:14:30,910

matter experts in the DevOps space. Learn more at

00:14:30,970 → 00:14:33,190

DevOpsInstitute.com/certifications.

00:14:37,000 → 00:14:40,300

Eveline Oehrlich: So I've heard conversations, or I've

00:14:40,300 → 00:14:45,400

overheard, and I've heard at RSA or other places. Now, of course,

00:14:45,430 → 00:14:48,550

most of them might join virtually, hopefully soon, I can

00:14:48,550 → 00:14:53,140

go again, we can all travel again, where I've noticed that

00:14:53,770 → 00:14:57,580

I've actually seen more business people at those conventions and

00:14:57,580 → 00:15:02,080

joining so I an admin Many times I always wondered, so why is

00:15:02,080 → 00:15:05,950

business not wandering? In asking it more questions

00:15:05,950 → 00:15:09,220

relative to those types of things? What is your what are

00:15:09,220 → 00:15:11,740

your thinking? What's your thinking on the wise business,

00:15:12,010 → 00:15:15,670

they don't seem to chime up when things have happened. And then

00:15:15,670 → 00:15:19,810

they are all worried and now, but they haven't in the past

00:15:19,810 → 00:15:21,820

kind of worried about it. They're just like, Oh, you guys,

00:15:21,820 → 00:15:22,960

techies, you guys got it?

00:15:24,220 → 00:15:25,780

Brian Smith: Well, I think I mean, I think there's a couple

00:15:25,780 → 00:15:29,650

different things going on. One is, you know, I like the part of

00:15:29,650 → 00:15:34,060

the shift towards pragmatism is this realization that, it's,

00:15:34,090 → 00:15:38,440

it's really hard to make it make yourself completely bullet proof

00:15:38,530 → 00:15:41,620

for one of these things. If someone really wants to go after

00:15:41,620 → 00:15:45,430

you like a nation state, it's, it's very difficult to defend

00:15:45,430 → 00:15:50,320

against that practice, and to prevent the breach. But if you

00:15:50,320 → 00:15:55,480

can have a rapid response to it, then that involves people and

00:15:55,480 → 00:15:59,440

processes and technology. So you want you have to do a little bit

00:15:59,440 → 00:16:03,190

rehearsal. But that means it's not just a security only kind of

00:16:03,220 → 00:16:07,270

these guys, the guys in the security group, it really has to

00:16:07,270 → 00:16:11,950

be kind of everyone's business. And the other is that where we

00:16:11,950 → 00:16:15,460

get, you know, a lot of the breaches come in at is through

00:16:16,180 → 00:16:19,270

exploiting people, honestly, exploiting social engineering

00:16:19,270 → 00:16:23,830

attacks and things like that, which is why companies focus on

00:16:23,830 → 00:16:27,730

training the people is a good way. One of the one of the many

00:16:27,730 → 00:16:31,690

good ways to prevent breaches, but what I've seen is that, you

00:16:31,690 → 00:16:36,370

know, sort of the, their, this traditional security group has

00:16:36,370 → 00:16:43,750

been focused on securing sort of laptops and mobile devices, and

00:16:43,750 → 00:16:47,530

IT systems and things like that. And then as we've moved into

00:16:47,650 → 00:16:51,010

DevOps, and more cloud native world, those are often are,

00:16:51,310 → 00:16:54,670

especially in Kubernetes, those are Linux systems. And they're a

00:16:54,670 → 00:16:57,460

little outside of the expertise. So I must have seen these

00:16:57,460 → 00:17:01,510

bifurcation of the security responsibility falling on DevOps

00:17:01,510 → 00:17:07,120

dev SEC ops and sre. And this other group, on the side, LLC,

00:17:07,120 → 00:17:11,170

suicide in the traditional SEC ops group, sort of managing the

00:17:11,260 → 00:17:14,590

the people and processes over here, and bridging those two

00:17:14,590 → 00:17:18,220

gaps together, I think is a business thing, because it has

00:17:18,250 → 00:17:22,510

it. Otherwise, the two sides, sort of can fight each other.

00:17:22,870 → 00:17:27,250

And in a lot of companies, I see the CISOs say, We're doing all

00:17:27,250 → 00:17:30,700

this. But there's this DevOps group over here, and I'm not

00:17:30,700 → 00:17:33,820

quite sure what they're doing, and they don't fully understand

00:17:33,820 → 00:17:37,270

it. And so bridging that gap, I think, is sort of where a lot of

00:17:37,270 → 00:17:38,710

companies are fairly immature.

00:17:39,150 → 00:17:41,310

Eveline Oehrlich: Yeah, I would agree. I would agree with seeing

00:17:41,310 → 00:17:45,960

that in our research. And you'll be delighted to hear in our

00:17:45,990 → 00:17:52,140

latest upskilling, it 2022 Which report is out on our website,

00:17:52,590 → 00:17:56,490

security, and cybersecurity was the number one technical skill,

00:17:57,390 → 00:18:01,830

even before even above cloud, so that, you know, cloud computing

00:18:01,830 → 00:18:06,150

skills and things like that. So I think that's fantastic. So if

00:18:06,180 → 00:18:10,800

people are out there thinking about new careers, whatever

00:18:11,520 → 00:18:14,400

changes you want to make security, cybersecurity is one

00:18:14,400 → 00:18:18,600

of those I wish, I wish I would have followed John, way back

00:18:18,960 → 00:18:21,900

into into this field. And I tried to get my kids into it.

00:18:21,900 → 00:18:24,090

Unfortunately, one is an architect, the other one is a

00:18:24,120 → 00:18:27,180

psychologist. So they never really got interested in either.

00:18:27,930 → 00:18:30,330

Brian Smith: Now, one thing I heard along those lines is there

00:18:30,330 → 00:18:33,420

was my data was from a couple of years ago, but at that time,

00:18:33,420 → 00:18:36,000

there were something like half a million open jobs in

00:18:36,000 → 00:18:40,980

cybersecurity was forecast to grow by 2025 to over a million

00:18:41,010 → 00:18:47,550

open positions. And some of that is because at least at the time,

00:18:47,550 → 00:18:52,380

and still is the job is so manual. And so one of the ways

00:18:52,380 → 00:18:57,480

we have to look at is automating it, but not automating it away.

00:18:57,840 → 00:19:03,780

But automating it as in providing, making the computer

00:19:03,780 → 00:19:07,230

these automated systems, partners with humans that make

00:19:07,230 → 00:19:09,690

the there are force multipliers for the humans.

00:19:10,560 → 00:19:12,960

Eveline Oehrlich: That gets me to my next question, actually,

00:19:13,020 → 00:19:18,180

because there is behaviors and culture, right, which play into

00:19:18,180 → 00:19:23,160

all of that, you know, if I think of my family in terms of

00:19:23,190 → 00:19:26,760

their laptops and their devices, I probably could break in easily

00:19:26,760 → 00:19:30,660

to most of them because the passwords are, I can get them.

00:19:30,960 → 00:19:34,770

But there's also there's more than just on the client side.

00:19:34,770 → 00:19:40,080

But there's other challenges. So around humans and cultural

00:19:40,080 → 00:19:44,280

changes, what have you seen and what would what can you suggest

00:19:44,310 → 00:19:47,430

to our listeners, what should they do? What should they look

00:19:47,430 → 00:19:51,330

out for? What advice can you give folks how to respond and

00:19:51,330 → 00:19:55,800

how to work within this challenge of helping out in

00:19:55,920 → 00:19:59,190

around organizations and both in IT and business?

00:19:59,540 → 00:20:03,230

Brian Smith: Yes. So I, you know, I think, you know, part of

00:20:03,230 → 00:20:06,650

this is what I was saying before is that traditionally, this was

00:20:06,650 → 00:20:10,310

viewed as a SEC Ops problem. And so we could kind of

00:20:10,310 → 00:20:12,410

compartmentalize it and say that's their problem, I'm just

00:20:12,410 → 00:20:15,950

going to focus on what happened. And I think there's this growing

00:20:15,950 → 00:20:20,360

recognition. And this is, this is a good thing, that it is a

00:20:20,360 → 00:20:23,420

business problem, and so that everyone has a has a bit of a

00:20:23,420 → 00:20:27,110

role to play, because you don't want your laptop to be the entry

00:20:27,110 → 00:20:31,340

point for a giant breach of some sort. So some of this is just,

00:20:31,370 → 00:20:36,470

you know, go, if you're a leader, make sure you start

00:20:36,470 → 00:20:41,570

training, have company wide training on this. Because every

00:20:41,570 → 00:20:46,790

individual should know what the signs are of someone trying to

00:20:46,820 → 00:20:51,800

trying to break in or trying to fool you. Social engineering is

00:20:51,800 → 00:20:59,480

a big attack. But the the, the other that that sort of, from

00:20:59,480 → 00:21:03,020

the human standpoint, from the, from the, you know, frontline

00:21:03,020 → 00:21:06,770

workers, people and in non technical positions, for people

00:21:06,770 → 00:21:09,350

in technical positions, it started building those bridges

00:21:09,380 → 00:21:12,440

to the SEC Ops and not treating them as the enemy, but kind of

00:21:12,530 → 00:21:17,450

inviting them in to try to try to work together. And I think a

00:21:17,450 → 00:21:20,240

lot of the problem there is that we, we almost talk in different

00:21:20,240 → 00:21:26,480

worlds. And in those things, so finding ways that we can

00:21:26,480 → 00:21:30,830

communicate with each other so that we can, the developers, for

00:21:30,830 → 00:21:34,250

example, that are developing application can pass along

00:21:34,250 → 00:21:37,100

artifacts to sec ops to say, this is the way I expect my

00:21:37,100 → 00:21:41,210

application to behave. If it's not behaving, contact me be that

00:21:41,210 → 00:21:43,850

way. Because I want to know, because we're all you know,

00:21:43,850 → 00:21:47,660

DevOps, we're all responsible for keeping our piece up and

00:21:47,660 → 00:21:50,420

running, and we know our piece better than any anything else in

00:21:50,420 → 00:21:55,820

the world. So I see that kind of role of DevOps, if they can

00:21:56,570 → 00:22:00,110

establish those communications of this is what my piece is

00:22:00,110 → 00:22:03,140

supposed to be doing. That would be that would be awesome. And

00:22:03,170 → 00:22:06,350

we're kind of working on at about about, about developing

00:22:06,350 → 00:22:09,170

those artifacts that help automate those processes. But

00:22:09,170 → 00:22:13,400

then, in the the other parts of the roles are, you know, there's

00:22:13,400 → 00:22:18,170

typically like SRS or more kind of DevSEC Ops, which are

00:22:18,170 → 00:22:22,010

responsible for the full platform security, and as

00:22:22,010 → 00:22:26,810

opposed to individual component securities. And so I think all

00:22:26,810 → 00:22:31,160

of those have kind of roles to play within this. But there's

00:22:31,160 → 00:22:36,260

but it's, it's treating it not as the SEC ops problems, but SEC

00:22:36,260 → 00:22:39,920

Ops being more of a coordinator of how we how we deal with

00:22:39,920 → 00:22:44,240

responses and sort of best practices for longest, and then

00:22:44,240 → 00:22:46,820

facilitating communication and treat them as a partner.

00:22:47,330 → 00:22:50,240

Eveline Oehrlich: I love that when you said coordinator, I

00:22:50,240 → 00:22:54,020

would actually sometimes think that word means different

00:22:54,020 → 00:22:56,270

things. Maybe it's more of an orchestrator. But I think that's

00:22:56,270 → 00:22:59,090

the same idea, right? It's said orchestration, going out and

00:22:59,090 → 00:23:02,270

bringing those folks together because many of those folks have

00:23:02,270 → 00:23:07,250

their own roles. And they have their own projects and things to

00:23:07,310 → 00:23:11,210

do on a daily on a daily list on a daily the daily tasks.

00:23:11,240 → 00:23:15,560

whenever necessary. I'm responsible for whatever on call

00:23:15,560 → 00:23:18,590

plus I'm supposed to be also doing some development, but

00:23:18,590 → 00:23:21,290

really highlighting that and orchestrating what have we done

00:23:21,290 → 00:23:26,660

now, that makes me think of this is not something I have any done

00:23:26,660 → 00:23:31,220

any research, but metrics, sometimes. We don't, it seems

00:23:31,220 → 00:23:34,760

like we don't measure the right things. We don't incent people

00:23:35,540 → 00:23:38,930

to be reaching out and orchestrating right. Have you

00:23:38,930 → 00:23:43,370

seen any, any specific examples of organizations who say, Well,

00:23:43,400 → 00:23:45,680

we're going to go and do something completely different,

00:23:45,680 → 00:23:50,540

we're going to incent everybody on doing one security thing a

00:23:50,540 → 00:23:55,460

week, or having little jam sessions or little whatever

00:23:55,460 → 00:23:58,760

those things are called anything, anything creative.

00:23:58,760 → 00:24:01,430

You've seen on on humans getting together and saying we need to

00:24:01,430 → 00:24:02,300

change something.

00:24:03,149 → 00:24:06,809

Brian Smith: You know, the one thing I think about is there's

00:24:06,809 → 00:24:14,459

this this book called Thinking Fast and Slow. Oh, yes. And it's

00:24:14,459 → 00:24:18,509

about, you know, how did this sort of help? There's parts of

00:24:18,509 → 00:24:21,359

our brain where we really engage our brain and our rational

00:24:21,359 → 00:24:24,689

thought, and that's the thinking slow part. And then there's the,

00:24:24,989 → 00:24:27,749

I don't know, scrolling your social media feed. And that's

00:24:27,749 → 00:24:30,539

the thinking fast part, right? Where you just kind of you're,

00:24:30,569 → 00:24:35,339

you're doing what I think they call the information scavenging

00:24:35,939 → 00:24:38,879

where you're scrolling through and just looking around, and

00:24:38,879 → 00:24:44,819

that tends to be based on our biological. It's the information

00:24:44,819 → 00:24:48,389

equivalent of our biological version of scavenging for food.

00:24:48,689 → 00:24:53,009

And for us just looking around and trying to find pattern

00:24:53,009 → 00:24:55,169

matching. You're saying, Oh, this looks interesting to go get

00:24:55,169 → 00:25:01,889

or this is a threat. And what I Think once you there, one of the

00:25:01,889 → 00:25:04,439

most interesting things is trying to teach people about

00:25:04,439 → 00:25:11,159

that and use it to train that train the people not to kind of

00:25:11,159 → 00:25:15,209

just click on things mindlessly, because but actually spend it,

00:25:15,239 → 00:25:18,719

but sort of see the warning signs, train train them in that

00:25:18,719 → 00:25:21,569

information scavenging to see the warning signs and say, Well,

00:25:21,569 → 00:25:25,769

that looks like a threat and turn on the slope. And, and, and

00:25:25,859 → 00:25:31,229

and think before they click on that thing or do that, that I

00:25:31,229 → 00:25:34,319

haven't seen too much in the way of, you know, kind of what I

00:25:34,349 → 00:25:36,749

what I think about metrics of, you know, sort of dials on

00:25:36,749 → 00:25:39,299

gauges. Yeah, thanks.

00:25:39,000 → 00:25:41,610

Eveline Oehrlich: I think there is still there's still some work

00:25:41,610 → 00:25:46,170

to do in this in this notion of the safety culture, and shaping

00:25:46,170 → 00:25:49,530

that safety culture, as you said, first, just quickly

00:25:49,530 → 00:25:53,880

summarizing, so first, really not just sick ops, but really

00:25:53,880 → 00:25:58,740

the DevOps and the other side of, of security, to bridge

00:25:58,770 → 00:26:02,820

across to the SEC ops folks who do the normal things, and then

00:26:02,820 → 00:26:06,900

for business to ensure that they are aware of what's happening,

00:26:06,900 → 00:26:09,990

right. So if we do design thinking, for example, in that

00:26:09,990 → 00:26:12,870

stage, right, if we do development of products and

00:26:12,870 → 00:26:16,440

projects, that we have that awareness, and then for us, as

00:26:16,440 → 00:26:20,190

individuals, no matter if we're in it, and business in whatever,

00:26:20,820 → 00:26:24,360

then we have a safety culture and start helping ourselves and

00:26:24,360 → 00:26:27,900

training each other and helping each other out. So fantastic.

00:26:27,930 → 00:26:30,720

Anything, any other thoughts you want to share with us?

00:26:30,000 → 00:26:33,000

Brian Smith: Yeah, the one other thought is just, you know, in

00:26:33,000 → 00:26:37,710

general, security tends to have these trends. And one of the

00:26:37,710 → 00:26:42,120

more recent trends was in the ship love culture was we would

00:26:42,120 → 00:26:47,640

try to build, get everything to be invulnerable, before we

00:26:47,640 → 00:26:52,770

actually shifted ship. And that sort of, I've seen sometimes

00:26:50,190 → 00:27:44,820

Eveline Oehrlich: That is that is a that is great advice. I

00:26:52,770 → 00:26:57,060

that sort of great being the enemy of the good in the sense

00:26:57,060 → 00:27:00,150

of, Well, once I do that, I don't have to monitor anything.

00:27:00,240 → 00:27:03,150

It's sort of like I've built perfect locks on my house. So I

00:27:03,150 → 00:27:07,680

don't need an alarm system. And I think that's a not a pragmatic

00:27:07,680 → 00:27:14,490

approach. So I think as we as we go through this evolution

00:27:14,520 → 00:27:16,890

towards, you know, sort of understanding spirit, just try

00:27:16,890 → 00:27:21,000

to be pragmatic about it, don't try to vote and the focusing on

00:27:21,000 → 00:27:26,850

risk is a good part of that. And the focusing kind of what is

00:27:27,000 → 00:27:30,480

actually happening as opposed to what theoretically could happen.

00:27:30,930 → 00:27:37,980

Is a good general trend. And just don't let the the

00:27:38,250 → 00:27:40,800

perfection over here be the enemy of good.

00:27:44,820 → 00:27:48,840

remember, Diego and myself at Forrester talking about shift

00:27:48,840 → 00:27:51,720

left many, many years ago. I think we took too much of a

00:27:51,720 → 00:27:54,930

theoretical approach at the time. So what you just said,

00:27:54,930 → 00:27:57,810

really thinking about that in a programmatic way is great advice

00:27:57,810 → 00:28:01,440

to our listeners. Appreciate it. I have one more question has

00:28:01,440 → 00:28:06,060

nothing to do with security. What do you do it? And don't

00:28:06,060 → 00:28:08,670

tell me you're doing security things on the weekend. But what

00:28:08,670 → 00:28:10,020

do you do for fun, Brian?

00:28:10,000 → 00:28:13,600

Brian Smith: Oh, recently I've gotten into tennis see, I have

00:28:13,600 → 00:28:20,230

two boys. They're they're 18 and 21. Now, but my younger son had

00:28:20,230 → 00:28:23,980

gotten really into tennis, from about the age of nine. And I

00:28:23,980 → 00:28:27,430

started playing with him. And then he rapidly advanced and I

00:28:27,430 → 00:28:31,300

couldn't play with them anymore. So last year, I've been trying

00:28:31,330 → 00:28:34,030

the last three years, I've been playing tennis pretty

00:28:34,030 → 00:28:36,520

aggressively to try to get up the points just so I can play

00:28:36,520 → 00:28:37,120

with my boy.

00:28:38,430 → 00:28:40,170

Eveline Oehrlich: That sounds great. Well, maybe there's a

00:28:40,170 → 00:28:43,890

natural Roger Federer just retire. So maybe there was a

00:28:43,890 → 00:28:48,510

Roger Federer out there in one of your sons, who knows, never

00:28:48,510 → 00:28:52,140

know. Well, Brian, this has been wonderful. We learned a lot.

00:28:52,200 → 00:28:55,650

This was great meeting you great chatting with you. And thanks

00:28:55,650 → 00:29:01,050

for your time always interested in few points from the other

00:29:01,500 → 00:29:06,570

groups such as security. If folks want to learn more about

00:29:07,740 → 00:29:11,730

your spider bat company, I guess it's easy to find, but anything

00:29:11,730 → 00:29:14,670

else you want to point out to any white papers, any other

00:29:14,670 → 00:29:15,210

things?

00:29:16,290 → 00:29:19,860

Brian Smith: No, just it's one thing in I guess the one thing I

00:29:19,860 → 00:29:24,600

doubt in Spyderbat is that it's got a free mode. So one of the

00:29:24,600 → 00:29:26,910

things that's always annoyed me about companies is where they

00:29:27,060 → 00:29:30,690

you have to talk to a sales guy and sign away things I want

00:29:30,690 → 00:29:34,860

people just to try it, experience it. And then if it

00:29:34,920 → 00:29:38,700

turns out to be useful for you, let's talk but just getting

00:29:38,700 → 00:29:40,230

feedback is always good.

00:29:40,660 → 00:29:42,610

Eveline Oehrlich: Excellent and as an analyst I approve that

00:29:42,610 → 00:29:46,330

because that's exactly what we recommend to our vendors. Super.

00:29:46,630 → 00:29:50,710

Thank you Brian this was wonderful. Enjoy your upcoming

00:29:50,740 → 00:29:55,030

day for me. I will enjoy the rest of my day as well and

00:29:55,060 → 00:29:57,670

everybody else here listening into this is Eveline Oehrlichm

00:29:57,700 → 00:30:01,420

Chief Research Officer DevOps Institute with Brian Smith from

00:30:01,450 → 00:30:05,080

Spyderbat. Thank you, Brian. Have a great day everybody out

00:30:05,080 → 00:30:06,250

there. Thank you.

00:30:08,380 → 00:30:10,480

Narrator: Thanks for listening to this episode of the Humans of

00:30:10,480 → 00:30:14,020

DevOps Podcast. Don't forget to join our global community to get

00:30:14,020 → 00:30:17,380

access to even more great resources like this. Until next

00:30:17,380 → 00:30:20,680

time, remember, you are part of something bigger than yourself.

00:30:21,130 → 00:30:21,910

You belong.

Sorry, your browser isn't supported by Audioboom.

Page load failed