
A Broader Cultural Perspective Of Cybersecurity And Digital Transformations With Steve White
In episode 59 of The Secure Developer, Guy Podjarny talks to Steve White, Field CISO at Pivotal. Steve spends his time helping organizations envision and implement new ways of integrating security into their software development, deployment, and operations life cycle. Most recently, his focus has been on cybersecurity, helping build a cybersecurity consulting practice for Microsoft and then leading security teams for companies such as Amazon, Sonos, and CenturyLink.
On today’s show we talk with Steve White, Field CISO for Pivotal, where he gets to regularly exercise his passion for working at the intersection of application security, development, infrastructure, and operations. Steve spends his time helping organizations envision and implement new ways of integrating security into their software development, deployment, and operations life cycle. Most recently, his focus has been on cybersecurity, helping build a cybersecurity consulting practice for Microsoft and then leading security teams for companies such as Amazon, Sonos, and CenturyLink. Prior to joining Pivotal, Steve was the Chief Security Officer at ForgeRock. In this episode we are going to get a broader perspective from Steve on digital transformation within organizations. We also hear from Steve why he recommends making small incremental changes, we discuss the idea of a security champion, as well as the best practices for helping developers understand the importance of cybersecurity work. Finally, Steve shares more about how to recognize when organizations are having challenges with digital transformation, and why it is key to focus only on the actual threats and not the imaginary ones. So don’t miss out on today’s enlightening conversation with Steve White of Pivotal.
Transcript
[00:01:32] Guy Podjarny: Hello, everyone. Welcome back to The Secure Developer. Today, we’re going to get a bit of a broader market perspective here from someone who works with a lot of security and development through the years across the enterprise, and that is Steve White who is a Field CISO at VMware.
Steve, welcome to the show. Thanks for coming on.
[00:01:49] Steve White: Thanks, Guy. Thanks for having me.
[00:01:50] Guy Podjarny: Steve, we’re going to go broad in a sec. But before we do that, tell us a little bit about yourself and your path to where you are today.
[00:01:58] Steve White: Absolutely. Well, the first thing I’ll say about my path was, like many, it was accidental in a lot of cases. I started my career really honestly back before security was even a profession, the early security practitioners. We were sys admins and network admins and the people running the systems. We didn’t have things like firewalls and we didn’t have things like anti-malware software. We kind of invented this space, trying to protect our systems. The first firewall I ever used was a bit of software running on a Sun server.
Fast-forward a career from there, I learned to really appreciate all facets of security during those early years. I moved into some application development roles. Ultimately, senior tech leader role and then moved into security full-time, trying to help build up a security consulting practice for Microsoft. Then from there, I’ve held a number of internal security roles at places like Amazon, CenturyLink Cloud, and Sonos. Then I was the Chief Security Officer at ForgeRock. Now, I’m a Field CISO at Pivotal VMware and spend my time really focusing on how can I best help organizations think through and strategize around this transformation into cloud native. How do we take what had become traditional enterprise security mechanisms and methods, and how do these change based on sort of this move to interesting things like containers and microservices and agile development? That’s why I spend my time thinking about and looking at today.
[00:03:35] Guy Podjarny: Who do you typically work with? Who’s the peer in the companies you work with or maybe the profile of the companies?
[00:03:42] Steve White: It has to be the larger global enterprises, so those companies who are primarily going through digital transformations. Companies who are writing a lot of their own custom code that they derive significant business value from, and they’re working to transform how they write that code from sort of the traditional monolithic waterfall method into now the microservice-oriented cloud native 12- factor apps, right? As those companies who are making that transformation because it brings business value to them.
I'm working primarily with their security leadership and security engineering and architecture organizations.
[00:04:29] Guy Podjarny: Within those organizations, within the enterprises that you work with, who is the sort of typical profile or role of a person who works with you on sort of understanding the security concerns? Is it more the CTO? There’s more security mind role.
[00:04:44] Steve White: It’s definitely the security organizations. I have a number of peers that I work with who spend more time on the application development organization side of things. I focus almost exclusively on the security organization, so I spend my time talking primarily with CISOs, with director of information security, or sort of the leadership in engineering security architecture kinds of spaces. I spend much of my time there.
Lately, I have been doing some more detailed hands-on security workshops with I would say representatives sort of from every security discipline in the company, so security operations, incident response, architecture and engineering. We’ll bring them all together in a room for a day and work through some of the implications of what cloud native security really means in each of those parts of the security team.
[00:05:36] Guy Podjarny: Thanks for that. It’s sort of the context.
[00:05:37] Steve White: Yup.
[00:05:37] Guy Podjarny: Just to dive right into it, like you’re helping these organizations kind of keep security or level up even security as they do this sort of digital transformation and embrace all of these exciting new technologies. What do you see as kind of the pillars or the core tenets of change that they need to do?
[00:05:55] Steve White: Well, it starts with – The first tenet of change in this space is that it's not just a technology change, although there is some technology shift that needs to happen. It’s a culture and a perspective change that ultimately is the larger piece of what’s to happen in information security, like it has happened in the rest of the business, right? We liken it to this change from security historically perhaps was perceived as providing perhaps gates, and you had to pass through the security gate to get to production or something like that.
The phrase I like to use is we’re moving from gates to guardrails, right? So security’s function in the enterprise moving forward should be to provide these – They’re like the safety net, right? There's a top and bottom guard rail that would protect you from sort of exceeding really bad parameters but within those guardrails. Development teams, operations teams have the flexibility to move around, to fluctuate, to flex, and to experiment frankly with what they need to do. That’s one big topic. It’s just that it’s that cultural shift, that mindset.
When you start to peel that back, how do you think about these culture changes, it really honestly comes down to – From my experience, it’s the idea of pairing, right? The key differentiator I believe these days in helping security transform into this kind of cloud native organization is pairing them with developers from application development teams and vice versa, right?
Let's expand our knowledge, let’s expand our relationships, and let's expand our understanding of how this work impacts the business. I think that's like one of the really key factors.
There’s a whole lot of technology that comes with that culture change too.
"But without the culture and perspective change, all the technology in the world isn't going to make a difference."
[00:07:55] Guy Podjarny: I’ve got like a whole like a series of questions now to just ask based on that aspect. I’ll start with that pairing comment. Pairing is a bit of a loaded term in the world of development you talked about sort of in those three program in pairing. When you talk about pairing developers and security people, are you literally talking about like two people watching the same screen and work together or pairing them to like a team?
[00:08:15] Steve White: In an ideal world. Yeah, both in an ideal world. So I am ingrained in the Pivotal culture. I know you’re familiar with Pivotal and what we created, right? Pivotal is very big on extreme programming and pair programming and test-driven development and all of the things that go with that. I'm here because I believe pretty strongly in the value of those things, but not every enterprise is there, right? Not every application development organization, for example, sees pair programming the same way.
When I speak of pairing, I would love to see it be in the true sense of paired programming where two heads sitting in front of one screen, working on solving one problem together. If one of those folks is a security engineer and one of them is a feature developer, they’re both learning a lot and adding a good chunk to the conversation. That doesn't necessarily work for every organization. If you're not an organization where pairing is a partic
Information
- Show
- FrequencyUpdated Biweekly
- PublishedMay 14, 2020 at 5:00 PM UTC
- Length39 min
- Season5
- Episode59
- RatingClean