EP 30 — C.H. Robinson’s Jason Espone on Building Business Resiliency Through Application Security


In this episode of the Future of Application Security, Harshil speaks with Jason Espone, Global Head — Application Security Engineering | Cybersecurity at C.H. Robinson, the world’s most powerful logistics platform allowing customers to ship goods around the world. They discuss the challenges of addressing tech debt at a 117-year-old company, strategies to manage a vast application portfolio, and the importance of being able to articulate risk to leadership. They also discuss how application security plays a part in business resiliency, and how to think about data-driven application security.

Topics discussed:

  • Jason’s career evolution, from starting as a Java developer, to moving to software configuration management at Motorola Labs, to building and scaling DevSecOps platforms, to becoming the Global Head of Application Security Engineering and Cybersecurity at C.H. Robinson.
  • The challenges of application security at a 117-year-old company, including how to solve the tech debt that’s accumulated over the organization’s history.
  • The importance of not only understanding the risk to your business, but being able to articulate that risk to leadership for better prioritization.
  • Understanding the landscape of applications by building a portfolio of applications, ranking by risk and other factors, and using a tool like Backstage to manage and prioritize it all.
  • How C.H. Robinson uses metrics to evaluate each product line and its security posture to create an overall risk score of the organization and improve business resiliency.
  • Why it’s important to have data drive your application security strategy.
  • What the future of application security looks like, including how security will integrate AI, the rising importance of threat modeling, and why IAM is the future of security. 

Guest Quotes: 

“Application security or the product security, the cyber in general is becoming more critical than ever before. The increasing reliance on the digital technologies, geopolitical instability across the globe, and growing number of the cyber threats — applications and systems becoming a very prime target. So I wouldn’t really underestimate the application security. So this is super critical right now, given where we are really trending in the world today.” (27:53)

“So one of the challenges that we see is solving the tech debts. So when you are that many years in the industry, you obviously bring your historical debts, which at times is hard to solve the problem. But in C.H. Robinson, the technology evolved over the course of the last 20 years or so. And our strategy is to really focus on your system of record applications, basically. So that is your bread and butter, and making sure that is solid and safe and secure. And then see how can you really modularize.” (6:32)

“The twist we are doing here is really have the more closer and tighter engagement with the security champions and product management or product managers to really empower them and unleash the potential to them and provide the capabilities that they want. So the feedback loop they receive is not so reactive. … It is a more proactive way of seeing things and doing things. And we are also making the security champions accountable for their own products and their own business line. Otherwise it is very hard for the application team to really scale across thousands of employees.” (20:25)

“Because as you rightly stated, we are living in the advent of AI and ML, right? That being said, I envision the application security trending towards more automation and machine learning way of doing things, which would really influence application security. So we may see the organizations using an automated tool to even scan vulnerabilities or even identify potential threats and respond to those threats almost in near real time. So that is where I see the industry as going.” (29:42)


