EP 20 — Naomi Buckwalter: Closing the Demand Gap in Cybersecurity and Building Diverse Teams


In this episode, Harshil is joined by Naomi Buckwalter, Director of Product Security at Contrast Security. Contrast Security is an application security platform that helps developers and security teams write secure code and protects business applications against targeted cybersecurity attacks. The Contrast platform is able to effectively identify actual vulnerabilities from false positives, resulting in faster remediation.

With more than two decades of experience in IT and Security, Naomi shares some tips on how to run a product security program, how to build a diverse team, and how to refine the hiring process to empower managers to choose the right candidates.

Topics discussed:

  • How Naomi came to lead the product security team at Contrast Security
  • The story behind Cybersecurity Gatebreakers, Naomi’s nonprofit foundation advocating for and supporting the next generation of cybersecurity professionals
  • The supposed talent shortage in cybersecurity, and the challenges in finding and hiring the right talent
  • How to choose the right questions during an interview and what to prioritize during the hiring process
  • Naomi’s LinkedIn course that’s providing valuable educational content on how to be better security leaders
  • Naomi’s book recommendation for cybersecurity leaders
  • How to come up with a reprioritizing plan to counter the effects of a workforce reduction

Harshil: Hello, everyone. Welcome back to The Future of Application Security. Today, I have a fantastic guest with me. Naomi, welcome to the podcast.

Naomi: Oh, my gosh, it's so cool to be here, Harshil. Thank you so much for having me.

Harshil: Naomi, I am so excited to talk about so many things with you on this podcast. I was just looking at all the things, refreshing myself on the things that you've been talking about that you've been educating the industry on. There's just so many topics, I can't wait. Before we go too far, I would love to have you introduce yourself for the guests who might not be familiar with your background and your thought leadership. Could you please talk about where you are, what you do today?

Naomi: Yeah, sure. Hey, everyone. Thanks for joining us. My name is Naomi Buckwalter. I've been in IT security for over 20 years now. I won't say how old I am, but I'm definitely getting up there in age. And let's see, I started a nonprofit called Cybersecurity Gatebreakers Foundation. And what we do is try to x, and show them how to train and find entry level professionals for our cybersecurity industry because we are all burned out and we are trying to fill in the pipeline behind us as we retire. So it's one of my missions here on Earth, it’s the longest time I have here, is to help build up the next generation of cybersecurity professionals. Other things in my personal life, I guess I do also have a full time job. I'm the director of Product Security at an awesome company called Contrast Security, where we do application security software. Our mission is to build secure code, help developers write secure code faster, and I’ve been there since July, Harshil. So only about four or five months now.

Harshil: Wow, that's awesome. Just four or five months. That's pretty cool. I'm guessing Contrast is very lucky to have you.

Naomi: Well, I'm also lucky to be there. It's a fantastic company. It was started by a man named Jeff Williams, I don't know if you've heard of him, but he started OWASP, a big name in the industry. And yeah, we do a lot of great things for the community, too. If you guys aren't familiar with Contrast Security, definitely check it out. We have some developer friendly tools that are free for everyone to use. One of them is called CodeSec, and it integrates with our platform really well, and it is 100% free. So take a look at that. We can help you write secure code starting today.

Harshil: That's fantastic. Thanks for sharing that to me. Now I'm very intrigued about earlier, the nonprofit you mentioned. Tell me a little bit more about when did you start it? Why did you start it?

Naomi: Well, I started it last year, I think, April of 2021. So it's about a year and a half now. And it's because when the pandemic started, Harshil, I don't know if you had the same reaction, but when the pandemic started, I was so bored. And this has nothing to do with the nonprofit, but when I was just going online and like, hey, I wonder what the industry is up to? I started asking people like, “Hey, does anybody want to do a call? Just a mentorship call. I'm looking to take on some new mentees”. I had a bunch of people sign up. I think I had like 30 people sign up, right? And I met every single one of them, and it seemed like mind blowing at the time. I'm like, “Oh, yeah, you guys are going to be able to find jobs, no problem”. And every single one of them is like, “No, it's impossible. It's really really hard”. But then the more I talked to them, Harshil, they were like amazing people. They had the qualifications in terms of what they knew, book knowledge wise, and all they needed was someone to give them a chance. And so the more I talked about this, the more I thought about them, like, hey, wait a second, when I started security like 20 years ago, I feel like everyone could have just gotten it. And yes, I had an IT background and I had a degree in computer engineering, but it was just so easy, and I couldn't understand what had changed. And I didn't know this because really my head was just down doing security. I hadn't even looked around to see what the industry was up to until the pandemic started. So right when the pandemic started, I started posting a little bit on LinkedIn about like, “Hey, what's going on here? What the heck? I've been mentoring all these people, and they have issues trying to break into the industry. Why is this? Because when I started, it was super easy. I can literally just ask for a job, and I got one. Why is it different? Why is it different?”. 
So it really started challenging the way I was thinking too, because as a hiring manager at the time, I was like, yeah, you do need some sort of background but then I gave a kid a chance, some kid with just a high school education, gave him an internship on IT help desk, and he blew it out of the water. And from that moment, I realized, no, you do not need three years of experience just to do IT help desk. You could just be smart, you can be resourceful, you can have critical thinking skills. And from there it's just been this crazy rollercoaster ride of me understanding what it actually takes to be in cybersecurity. And so what the Cybersecurity Gatebreakers Foundation is, it's kind of a stretch from that. It's like, hey, can other people also become believers? Because I definitely was a gatekeeper at one point, because to me I was like, “No, you have to be super smart. You have to be like a genius to be in cybersecurity”. And that's just not true, Harshil. I've come to this realization that maybe I have definitely faults, I have major faults. And people in cybersecurity are human, they're going to have faults too. So give people a chance. Like, give these entry level folks a chance because it's only going to help everybody. And that's what Cybersecurity Gatebreakers does.

Harshil: I 100% agree, that's such a fantastic mission. What I've also realized being in the industry for a couple of decades now, is that we all like to complain about how the talent shortage is so huge in cybersecurity and we can't find talent and so on and so forth, but the reality is that's the exact same problem in every other industry. There's no industry that says, “Oh, we have too many people and not enough jobs”, at least not in the tech world that we live in every day. But the reality is I've seen so many cybersecurity hiring managers, they just don't know how to hire. And as an industry, I think we need to do better to learn how to hire, to be more open, rather than just look for technical specifics or technical skills. We need to be more understanding of what makes a good security engineer or security analyst. And it's not just the technology. Obviously technology is very important, but that's not the end all, be all. We got to understand how to really look for the right talent. They may not have the specific number of years of experience, but drive and motivation and passion do more than just the specific technology skills. One of the things that I used to have when I used to run a security team, I used to tell all the managers reporting to me, especially the new managers, to read this book on hiring. It's called “Who”. It's by Geoff Smart and Randy Street. And it's a phenomenal book that teaches you how to actually look for the right talent, and what types of questions to ask in the interview. And I felt like as I talked about this book and some of these similar books to my peers in the industry, most people I talk to, they don't have a structured process of training newer hiring managers on how to hire. So I feel like we're promoting people to management and hiring leadership positions quickly without actually empowering them or training them on how to hire people.
I think that's one of the big gaps of why we are seeing so much reluctance in hiring newer younger engineers who might not have the right technical skills.

Naomi: Yeah, I mean, that's what Cybersecurity Gatebreakers is doing. We're trying to provide that education to security leaders on how to train and build up that next generation. So I also created a LinkedIn course called “Building the Next Generation: How to Hire and Train the Next Generation”. And it really is just this, like, how do you write a good job description? How do you ask great interview questions? How do you find people? What do you look for? What is it beyond technical skills that you're looking for for entry level? And so far, so good. Like, I haven't gotten any crazy feedback, but the folks who are taking the course are saying, like, “Hey, I can actually use this. This is actually really applicable to my job. Thank you”. And it's kind of a labor of love. Definitely did not make a whole ton of money on it. I think you just can make the baseline LinkedIn whatever, $1,000 it is, but it's definitely a labor of love. And the Cybersecurity Gatebreakers is the same way. We want to provide amazing educational content out there for security leaders just so we can stop this whole posturing thing of like, you need three years of experience. It's time for us to grow up a little bit and understand that we are not perfect ourselves and here is the way to get better. And also, I just want to say we are not blaming anybody. Like the fact that we're here, we're trying to do the right thing. The security leaders, we aren't good at hiring the next generation because we're not trained to do it. Like, nobody told us we had to learn. Nobody made it as part of our personal OKRs or anything, right? Like growing up in the industry, you're just an individual contributor, and by the time you became a leader, it's like, “Yeah, I'm just going to continue doing the same thing that got me here”. So it's not anyone's fault that we're in the position that we're in, but what we can do is just get a little better.
And since that we're now thinking critically about the problem, here are some solutions. Like, let's get better ourselves instead of putting the onus on the people trying to get in, let's see if we can get better as security leaders.

Harshil: 100%. Since you've spent so much time building this course and thinking about this topic a lot, which a lot of people haven't, tell me about maybe one or two non obvious things that hiring managers should do, especially when looking at newer talent or people who don't have a lot of security experience who would want to break into it.

Naomi: Yeah, for sure. One of the major issues that we have currently is like, you have one person trying to do three jobs. So if you take a look at the average job description and I've done this, I analyzed a thousand LinkedIn jobs - not manually, by the way. That would be terrible. But I analyzed the, you know, job description of a thousand cybersecurity jobs out there, and they ranged all the way from Senior Director level to the intern and entry level. And I realized most of the jobs - I forget what the statistic was, it's like 70 or 80% of them - require three or four years of experience just to do entry level. But then also it does like 20 different bullet points of things in terms of job responsibilities. So one thing that hiring managers really overlook are your job descriptions. The way that they're written include way too many responsibilities. And then from there, you're taking a look at all your responsibilities, and then you're saying, “Okay, you do need 15 different skills in order to fulfill these responsibilities”. Yeah, that makes sense. But the fact that your job description is so long winded and it's just definitely, it's not going to happen. You're not going to find one person to be able to do three jobs. Really start paring down these job descriptions to the core business needs that you need this person to do. So take a look at the 20 or so bullets on your job description and narrow it down to seven. There's some other statistics out there that says you will have more parity in terms of the types of quality candidates that you're getting if you have seven or fewer bullet points on your job description. Equality, meaning, like an equal number of men and women. So if you're looking to build up a diverse team, it's a really good way of doing it.
Limit the number of the bullets in your job description to seven or fewer, and you're going to end up getting amazing candidates because you're actually looking for a hiring manager who knows what they're asking for. So it kind of goes hand in hand. That's definitely one of the things that hiring managers can do.

Harshil: That's awesome. Do you think actually, is it because hiring managers don't know that they should have a smaller and precise or concise job description, or they don't have enough budget so they're hiring one person who can do multiple things? Or is it just because of lack of a voice?

Naomi: Oh, my gosh, great question. All right, so here's the problem with cybersecurity. We have way too much on our plates. So it's almost an organizational fault where cybersecurity is managed by one team or one department, and maybe it's staffed by like you mentioned earlier, one security engineer to every 200 developers. Yeah, I've seen that, I've definitely seen that. I've also heard of Fortune 500 companies with, like, seven people on their entire security team, right? So we are aware of this, it's a problem. So the problem is, in cybersecurity, we're focused on way too much. And what we don't do well, surprisingly, are all those basic things like asset management, configuration management, change management, identity and access management, data security, some of these things that we just need to do better, we don't. We do stuff like very basic things. We open all the internets - 0.0.0.0/0 - to the entire world, the entire world can access our application. Like, little things like that, where we're just like, all right, to all the ports that are open on the server. We need to start being better at the basics. So one thing hiring managers could do is start looking at what actually reduces risk to an organization and remember security is just risk management, managing risk for an organization. What we can do is start looking at that core set of things that manage the most amount of risk, that limits the most amount of impact to an organization and then build job descriptions based off of that. So say like instead of doing 25 different domains like you've got with data privacy and compliance and kind of like these outside things that really don't do as much return on investment in terms of impact, reducing risk to an organization, really going to focus on those four or five really core domains, which is knowing what you have out there on the public internet, securing what you have based off of that and then doing those basic things first.
And once we're good at those basic things, then you could start doing things like red teaming and, you know, internal pen testing and all these kinds of different things that we think are important, but in reality it isn't reducing the amount of risk to an organization. So one thing hiring managers can do, just to summarize, is to write those job descriptions based off of the core domains that you definitely need for your security posture to be good in your organization, and then hire based off of those core job description skills for the domains.

Harshil: That's great. So hopefully if you are hiring managers trying to do that, that will also drive this person to think very clearly in terms of what exactly do you need this person to do, what exactly will the first three months look like, right? Those are some important questions because everyone wants to jump straight into hiring and start interviewing people and so on and so forth, but a lot of times I realize that we don't actually understand what do we need this person to do? And if we don't truly understand what are the three or four core things that the person needs to do, the interview is not done correctly, we have the wrong panel of interviewers, and then when we have to make a decision of yay or nay, it ends up being either yes for the wrong person or no for the right person, because we don't really understand what that person needs to do and what we need to look for.

Naomi: Oh yeah, absolutely. And I think it's almost like this snowball effect issue because here in our current jobs we don't have that focus either. As security people, sometimes we just fight fires and whenever it comes down the line, we're just trying to put it out. That is so true in a majority of organizations that don't have that very mature security program. Definitely one of the smaller mid-size issues. Even larger organizations that's part of a huge company, I won't say where, but a large financial company, and we were struggling with the same problem. It's like really understanding what brings impact to the business first and focusing on those core activities for security and then really branching out from there. If there is a larger problem that needs to be solved, like yeah, then focus on those things. But don't throw one whole person or a whole full time employee on threat intelligence when you can't even use that threat intelligence to begin with because your security operations is so bad. So like, what's the point of building that function within your security program when you can't even support it? It's the same thing about purchasing tools. Like, you and I are both in software, security software, and we understand this. Like if you're going to purchase the tool, you need somebody to be able to support it. It's not all going to be automated away. You need someone to configure it, someone to stand it up, someone to monitor, someone to tune it, like someone to make sure it's still being used correctly. I think I heard another stat, Harshil. It's like 15% of all security software is used to its peak ability, right? Like 85% of security software is never used the way it's intended. Like, people purchase it and they think it's going to solve some sort of issue. Meanwhile, they forgot they had to hire somebody to actually run the whole thing. So it's like it's a major problem. We think tools are going to solve everything. 
Meanwhile, we're not even focused on the right things. We don't have the right people in the seats, we're not doing anything correctly. It's just such a frustration. And then meanwhile, we see the burnout happening, we see the breaches happening. Like, what are we doing wrong? Well, have we even started considering thinking that maybe we're focusing on the wrong things?

Harshil: Right. Yeah, and hiring the wrong person is so much of a drain on everyone, right? Because if you hire the wrong person or it's the right person but for the wrong job, you end up spending months and months on hiring and onboarding and the person stays frustrated and creates this rift within the team. And then you have to let the person go or the person departs and you start the process all over again. You're wasting so much time with one wrong decision. So it makes sense to focus effort upfront on being crystal clear on who you're hiring and why you're hiring that person. One of the things actually I used to have my team do is have them write out two things. One is what will the person do in the first three months and what does the long term job responsibility look like for this person? Like, in actual projects or in actual outcomes, right? And when they start writing, what are the clear outcomes, not the job description, which is high level, but like an actual outcome or maybe reference a specific project and then send it out to every single person who's going to interview that candidate. So then everyone is on the same page in terms of understanding what this person will be actually working on. It's like “Hey, we have an active threat intel initiative, and we want this person to be delivering these three things in the next three months”. So that gives a very clear understanding of what skills you need for it, and how to interview this person, and so on and so forth.

Naomi: Yeah, beautiful. I wish more people would think that way, Harshil. Honestly. Like, you probably came to this conclusion after hiring people that maybe you saw it in the past were awesome because they're like good technical folks, but then you realize, like, wait, I need them to get to these goals in order to do that… you step back and you talk critically about it. I definitely appreciate that, Harshil. I wish you would share your knowledge with the world. We could definitely learn from it.

Harshil: Oh my God, I made so many mistakes. There are some people who are just good at interviewing, you know? But when they actually have to do the work, it doesn't really happen, you know? So you got to separate that. But there are some people who are just good interviewers.

Naomi: Yeah, absolutely. That's why I really am a big fan of not just technical questions during the technical interview, but asking them why something is. If you start with, “Okay, why would you use public key authentication? What is the reason for it?”. Not just “How would you do it?” Like, “How would you generate a public/private key?”, right? Don't ask that, you could just look that up on Google, but ask why. And then you keep asking why questions and they'll answer. They’ll give you a good first question. You want to secure communications or whatever for public key, at least encryption, right? And then you go, “Okay, so why would you do that?” And then be like, “Tell me how it actually works”. Like, “What are the functions between public and private? What's the relationship? How would you actually do that?”. And they'll start to stumble after a while. Like, if you keep asking the why questions, then you know how deep their knowledge is. Then you'll know how experienced they are in implementing certain things. You don't have to just ask them trick questions like, “What port is SSH?” or whatever. That's not even a trick question. Like, “What port is ping on?” I hate that one.

Harshil: Hahaha.

Naomi: Like stupid, stupid, stupid stuff like that, which you would just like, cringe if you think about it, because, you know, we've all been there. I've been in interviews where I've been asked that and just be like, “Come on, really?” It doesn't help.

Harshil: Yeah. So Naomi, do you have a book that you would recommend to the audience on how to hire great talent?

Naomi: You know, that's the problem, I don't think, for cybersecurity, that does not yet exist. I think that is a major gap. I'm hoping to actually write one for that. I'm trying to interview a bunch of CISOs and get their best practices on that. So that's in the works, but probably not anytime soon. In general, I think a really good book for building empathy and understanding the core problem that lies within ourselves. There's a book called “The Smartest Person in the Room”. You know, why we're losing the war on security or cybercrime. It's by a guy named Chris Espinosa, I think his last name is. Super super good. You can find it on Amazon and really any kind of bookstore. It’s called “The Smartest Person in the Room”. It's got like a blue cover with kind of a brain on it or a face on it. It's not the best looking cover but it's a really good read because the first two chapters, I just find myself, like, nodding. I was like, “Yeah, that's a problem. That's a problem”. And it really just turns into, like, here's the problems in cybersecurity. It really starts with empathy and the emotional intelligence of the people in security. And it's all the way from the security engineers at the lowest levels to the security leaders at the top like CISOs, et cetera. And like, all up and down the chain we have this, like, very smart group of people, and we’re very very smart, and we let people know it. We walk into the room, we're like, “Yeah, we actually know everything about security. Sorry, you don't know anything”. And it turns off so many people. Like, it's not even funny. Like, if you work with developers, they're going to know. By the way, your developers probably hate you if you're a security person, if you come in and you start telling them what's wrong with their code and how did you develop it correctly, they're going to hate you. Because they're the ones who are closest to the code. They're the ones who wrote it. 
They're going to be very very… they’re gonna take it personally like if we attack them and stuff like that. So you need to really build empathy and build relationships and trust you to your developers.

Harshil: Naomi, the developers love me when I send them 375 tickets in their Jira.

Naomi: Oh, do they? They do Jira tickets even, right? And they're all automated to just say, “Update your libraries”. All right, so that's a good one to go on. What if you do have outdated libraries? Okay, so first of all, are those libraries being used? Are they just being referenced in, like, your build files? Like, that's not going to be helpful for your developers. You want to show impact. So you take a look at your outdated libraries and see which one of these actually is being used. And I guarantee you we've run the numbers here in Contrast, it's literally like in the single digits of percentage. Like 90% of all application code that's run, that actually hits, that's actually built and hits and used during runtime is like 90% of that is custom code and like 10% of its application third party libraries and stuff like that. So when you take a look at it in those 10% of code that's actually being touched during your runtime, you want to see what is actually vulnerable. So you take a look at that and you're like, okay, what percentage is this 10% that's actually being run is actually vulnerable? Is there a vulnerable library that needs to be updated? And then is that part of the vulnerable library actually also being used? Is there a function within the class that's actually vulnerable within this vulnerable library? Find it down to that function level or the class level. If you only have the binaries, take a look at the actual class level and see if it's being used. If it's being used, then, yeah, you should update that library, make sure the updated version is patched and everything else. 
But if it's not, like if you have an outdated library and the function in the class isn't even being touched, that the vulnerable class isn't even being touched, don't put that on a ticket because you're now inundating your developers with, like, thousands of vulnerabilities, hundreds and thousands of vulnerabilities, and they're not going to know which ones to prioritize because you didn't give them that level of insight in that data. And I will tell you, like, Contrast does a really good job with that. You can actually show what libraries are being used and what vulnerable functions are being touched. Like, that is helpful for your developers.

Harshil: Yeah.

Naomi: So give your developers that kind of level of data because then when you open a ticket, then they'll be like, “Oh yeah, we really trust Naomi's team because they've done the due diligence. We definitely know this could be popped and exploited. Let's fix this right away. This is definitely a high” or whatever it is, and then they'll build it into their sprint.

Harshil: Yeah, that definitely is such an important thing. But people don't pay attention to it, right? They just expect that you should maintain hygiene in every single library. Like, why do you have an outdated library?

Naomi: No, that’s stupid. No, don't do that. They're going to hate you. Same thing with Docker containers. You want to point them to something like, if you have an outdated OpenSSL, yeah, maybe patch that because you're going to be using OpenSSL quite a lot. But if you have some sort of dumb, dinky little package that you're running, don't worry about that one. That's not even being touched, don't even worry about it yet. Like yeah, if you're going to be running within your Docker container and you're going to be touching that package, like, yeah, you want to update it, but don't be like, “Here's 50 different packages that need to be updated in your baseline image”. That doesn't help them. They're going to hate you for it. They really hate you, I will say that. They really do.

Harshil: Naomi, one of the things that I've seen, I think it was a podcast or a video or maybe both, I don't know. But it was on the topic of winning hearts and minds for security, if you can tell me a little bit about why should we even care about winning hearts and minds?

Naomi: Oh, my gosh. Okay, so the problem with security, not a lot of people think of this. It's like they just think it's just data. They're like, “Oh, yeah, someone has my personal data. So what?”. Well, here's the real problem. There's a whole world that nobody knows about. It's called, like, the cybercrime or criminal underground criminal gangs. And they use cybercrime in order to fund their operations. So something like, you know, selling stolen credit card data. Like, I watched this movie yesterday on Netflix, “Emily the Criminal”. It's a hilarious thing, but it exactly gives you a glimpse into what's happening. So Emily is basically in this credit card theft ring, and you know, she's into selling TVs at first, but then she'll eventually get into these worse crimes. And it's essentially like a microcosm of what's happening in the criminal world is that they sell this data that's stolen from poorly written applications or poorly secured organizations, and they sell this to criminals. And the criminals are using it to hurt people and to buy the worst things like guns and trafficking humans. And you end up affecting real lives of real people. It's not just credit card data. You use that data for something else. It actually hurts real people, and a lot of people don't understand this. So when we say winning hearts and minds, it's like literally making that connection for them and just be like, “Hey, if you turn on your two factor authentication, that means you're protected from all these things. And also people around you are going to be protected, and all your friends and family are going to be protected because you're all doing the same thing, you're protecting your accounts. And then the criminals can't get to you. They can't affect your personal life, they can't steal your bank account information and start routing your money off to different accounts. You will be protected from these things”, right? 
And so you show them the tie, the relationship between what they're doing for security and then like, how it affects their personal life. People start figuring it out quickly like, “Oh, yeah, I should be doing this because it helps me. It helps me, not just the company”. And once that happens, a lot more people start doing security. And what we do need in security is like, security is everyone's responsibility. We need everyone doing security, not just the security team. And the more people who are doing security, the better it is for everybody.

Harshil: That's such a brilliant way to connect the implications of lax security, right? Because most people, when we talk to non-security people in a company, most people want to do the right thing generally, but it's just like, yeah, it's not their top priority, so they just don't pay attention to it in a lot of cases. But if you can connect with them in this whole different emotional level, like, “Hey guys, look, everyone, if you don't follow these things or if you get compromised for so and so reason, your credit card data gets stolen. And it's actually causing a lot of real world harm in other aspects of the world that you might not be familiar with”, that helps people just understand the implications of it and maybe they'll start doing the right thing, paying more attention to it.

Naomi: Oh yeah, absolutely. And you could even hear the most basic stories and be like, “Oh yeah, someone hacked my account, they locked me out of my email or whatever, or they rerouted my bank”. And then they are fighting this whole thing for years. It really wrecks their life. It takes them offline for like two or three years while they try to get their life back together. Like, it really messes people up. Not to mention like stalkers, people like that that could really, really hurt you physically in the real world. But a lot of people don't see that, Harshil. They're just like, “Oh, it's just data. I don't care who has my personal data”. It's like, actually you do, you just don't know this yet. And then the more people who understand this, the better it is for everyone, for society.

Harshil: Now, putting my security person hat on, one of the things that's been happening at least in this year is a lot of security teams are being asked to cut down on their head count, their budget and so on and so forth. And as you mentioned earlier, as a security team, we have to do a lot of different things in the organization. So we always like to think and believe that we are always understaffed and under-resourced. And now in this day and age, we are being asked to cut down on even more. Do you have any thoughts or suggestions on how we should handle those types of conversations with the company leadership?

Naomi: Yeah, the best CISOs right now are having this thought too, because a lot of people are having layoffs, and the new year is coming around, so here's the perfect time to do this. But you want to take a look at what your priorities are. It really comes down to those fundamentals. What are those fundamental things you should be doing as a security leader within your security team, your security program? What's the most beneficial thing that you can be doing for your company and then focusing on that. So your strategic plan for next year, starting in January, is reprioritizing all the efforts that you have and maybe some of those smaller things, the things that don't have a great benefit to the company, maybe those things are going to start falling off to the wayside. Like maybe you're not going to do a lot more threat intelligence anymore, or maybe you're not going to use this other tool or whatever. Like some things you're going to have to cut out because your focus should be on that 90%. If you know about the Pareto rule, it's like the 80/20 rule, you want to focus 80% of your energy on the things that actually matter, because if you spend 80% on the 20% of things that matter, like, that is a waste of your energy. Like you want to be focused on the stuff that brings the most amount of benefit and impact to your business. So refocus and reprioritize your plan, the things that you're doing within your team. And that will really help with your team's burnout and with your overworking, you feel understaffed, because you're no longer overworked, you're only focusing on those right things. And so now that you know this, you can very much move in to be like, okay, June comes along, do we have bandwidth to take on this? One other thing that we need to do, say it needs to be something for product security. For example, “Can we take on this new thing? Okay, great. Yes, we can build it in because we've automated this other thing”.
So your goal is to get more efficient over time, but really start on those basics. If you have just laid off some team members, I definitely implore you to take a look at your priorities for next year. Start in January and baseline off of the things that bring the most benefit and value to your company. And from there you're going to build out job descriptions, help your team members build out their OKRs and their goals for the year. Really start with the basics.

Harshil: So I think one of the challenges is just to truly understand what is that absolute minimum. Because if you're a really good security practitioner, you probably think a lot of things are absolute minimums. Like you know, of course you should have a red team, of course you should do bug bounty, of course you should do all kinds of different, you know, seven different types of testing on your code before it goes into production, of course you should do all of these things, but in a lot of cases, not all of that is really, really necessary, right? So do you have any thoughts on like, what framework can be used to understand what the absolute bare bones minimum is and how to think about step by step improvements?

Naomi: I love this question. It's so good and so funny because we also have a bug bounty and it's so hard to keep up with that, right? It's just like, oh my gosh. So definitely you can't protect what you don't know about. So asset management is the core thing here. So starting with what you do know, make sure you understand what everything is. You have all your endpoints, all your public facing things on the internet, like all your servers or anything that's public facing, and literally all your integrations that might be passing through your sensitive data. Like any GitHub integrations, you've got GitHub workflows in action, make sure that you at least understand what the heck is going on there. Get a good asset inventory, and from there you could start understanding what kind of threats and attacks those assets are having today. Because hopefully you have some sort of security logging, some assembly out there that you're monitoring and capturing logs. You want to take that data then and parse it down to each asset. So say you have a web application on the public Internet and you know the types of attacks that are coming in there. Okay, great. You know the types of attacks that are coming to your web app, now you can start understanding what protections you need to have in place. What are the right mitigations to protect that web app? That means maybe you do need to do different code reviews because the public pages are being attacked 50,000 times a day since you understand where the attackers are coming from, what they're trying to do. Now you know what kind of protections you need to be putting in place, what kind of monitoring, what kind of response that you might need to build to protect that piece. Because why would you protect something if an attacker isn't even attacking that? Why protect one side of your house that isn't even being looked at, whereas the front door is being attacked 50,000 times a day? Like, protect your front door, not the back door. 
Put all your resources to that, into protecting that, because that's where the attacks are coming in. And you're going to be doing this for every single different type of endpoint or different asset. So think about your remote workers, your laptops, what kind of things are they falling for? For phishing, right? What kind of things are they downloading off the internet? Do you have that kind of insight, first of all? If you do, great. Because now you're going to use that data to inform your mitigating controls, your security controls for that because you're protecting against the threat. You are protecting against the threat for those assets that you do know about. If you don't know about your assets, start there. Get a great asset inventory and then understand what kind of threat or attacks are coming into those assets and protect it from that. So for every organization, it's going to be slightly different. Some organizations are going to have different types of assets, different types of controls. But you want to really align those two. Make sure the attacks that are coming in are being detected and responded to and prevented. Because if you don't do that, you're going to let them through, that's when the problems start happening. Oh, and by the way, here's another one. You got your asset inventory, you got your threats and your attacks coming in, you got your security controls, now you also want to monitor for things that are coming out of your infrastructure or your systems, because we don't understand what's actually being exfiltrated. That's a problem too. I see a ton of people spending a lot of time on that first half of the CSF. It's like preventing, right? But what you want to do is make sure you're detecting things that are coming out of your environment. Otherwise you're in trouble if you don't understand what's actually coming out. I'll stop there.

Harshil: Right. That's fantastic.

Naomi: That’s a lot. That was a lot.

Harshil: That's a two year roadmap, Naomi.

Naomi: There you go. There you go.

Harshil: Yeah. Fantastic. Naomi, this was such a fantastic conversation. I love that we touched on different topics of how to let more diverse people with different backgrounds into the cybersecurity industry, how to enable and empower cybersecurity hiring managers to hire the right candidates with the right backgrounds and skill set, how to interview. We talked about a bunch of things on how to run the security program. This is phenomenal.

Naomi: Oh yeah, it is.

Harshil: Thank you so much for spending time here on this.

Naomi: Thanks for having me. Sorry, I was just blabbing away. Can't get me to shut up.

Harshil: No, this is great. This is all your decades of experience speaking.

Naomi: There you go. Haha.

Harshil: Fantastic. Thank you so much, Naomi.

Naomi: Thank you.
