Reimagining Cyber Reimagining Cyber

Taylor Hersom, CEO, and co-founder of Eden Data, an organization that provides startups and next-gen organizations with virtual CISO support and other services, shares his insights over the past two years in the start-up space. 

Ty Sbano, CISO for Vercel, shares his unique perspective on running the security business in the start-up space, from how to approach the interview process, how to gain trust early, and how to remain focused on the right priorities. 

Rob and Stan ask Ty:
- how he engages and makes  plan and prioritises
- the approaches he's  taken
- setting expectations
- metrics he works to
- how much time  is spent is on the organisational side versus what you're providing, as a service or product?
- instilling a positive culture
- how can we evolve what we've been doing for four decades on cybersecurity to address today and tomorrow's new threats.

John Keane, Software Angel of Death, discusses securing the supply chain, the important of contract language, and shares his unique perspective on the cyber space on the latest episode of Reimagining Cyber, “A discussion with the Software Angel of Death, John Keane.”

Chris Abramson, Senior Director of Cloud Security Engineering at Walgreens, and 20-year IT industry veteran shares what he learned from shifting from on-prem to Microsoft’s Azure Cloud on this week’s Reimagining Cyber episode, “Journey to securing the Cloud.”Abramson recommends adapting your strategy to your new environment. In on-prem, it’s all about firewalls and technology that’s wrapped around an environment, but in the Cloud, it’s how things communicate with each other, he cautions. By changing your thought process about how to work in this new environment, you’ll be able to better secure it.When changing IT infrastructures, security can get lost in the shuffle. To mitigate this, Abramson worked in lockstep with his Cloud Center of Excellence (COE), building security directly into the deployment model.“So, as our teams, whether it be an infrastructure team or even an application team, go to do that deployment, they're hitting the gates of security,” he says. “Not at the end, not after everything's deployed.”Security issues aren’t being discovered after the fact. Teams hit them as they come upon them, enabling them to make changes on the fly and deploy the appropriate fixes with the least amount of security risk in the environment.By checking out industry forums and CVE data on vulnerabilities in the Cloud that have been made public, learning from peers that have already been through it is key. This enables companies to bake the correct actions into the new Cloud environment.Abramson recommends working in lockstep with other teams, for example, deployment teams and security, to prevent any issues and enable reacting quickly when something happens.“This is one that fundamentally, really takes a lot of interaction between development teams and the security teams [to] make sure that they're thinking about what the impact is going to be if they pull from some rogue repository or just, you know, off the internet and things like that,” Abramson says.As the Cloud space evolves, so will the software development, deployment, and security space to adapt to the ever-changing Cloud environment.Many companies purchase software from a third party, embed it into their software, which gets embedded into yet another software. Enter the Russian Doll Syndrome.“[You’ve] got to think about software that you're buying from a third party. That now also embedded software from another third party, that likely embeds software from another third party. That's the Russian Doll Syndrome.”Abramson recommends considering how you’re connecting and the level of software integration to determine the level of risk. He also recommends implementing a strong vendor management program.“Talking with your partners, understanding their security practices, what they're doing, and how they're managing their code, their releases, their ingest of those same platforms, or same libraries, or same third-party integrations as well, too, [is helpful],” he says.Encrypting data offers its own challenges and isn’t always possible, but where it can be done, Abramson wholeheartedly recommends doing it.“Wrapping environments in a model that doesn't allow access to, or very limited access to, it's kind of, I'll call it the vaulted environment, you know, the no ability to touch, change, maneuver through or ingress or egress without somebody watching you do it. That stuff, it's expensive, and it's highly operational because there's a lot of eyeballs having to do that.”Encryption is the quickest and easiest way to protect your data, Abramson says. Abramson recommends partnering closely with the business and IT sides of the house to determine the best way to protect sensitive workloads shifting to the cloud and mitigating data exposure and privacy compliance risks. Sometimes, encryption just isn’t an option. In these cases, Abramson recommends bringing your own encryption keys and avoid reliance on key services provided by Cloud Se

Jim Reavis, co-founder and CEO of the Cloud Security Alliance (CSA) and a noted leader within the cloud computing community, sheds light on how to solve for cloud security complexities in this week’s Reimagining Cyber episode, “Solving the cloud security puzzle.

Bob Almond is the Chief Operating Officer of Full Armor Corporation, a software development firm he co-founded. Bob has watched the industry evolve from single machines to internal networks, to the present, where people work from anywhere, whenever they want to work and needing to have access to the resources, they need to get their jobs done. Bob has had a focus on helping IT Admins rein in the complexities of AD group policies and enable admins to really focus on security and protecting their organization from the inside out. This is more important than ever as IT Admins deal with policies in Linux and Unix devices, Apple Mac, MDM for mobile devices, and Windows devices that are in the wild and aren’t joined to the AD domain