And welcome back to security voices. We have quite a lineup this episode. Dave, who are you with today?
Oh, all right. So we've got a mix. Here we have Justin Dolly, who I think is our first ever repeat guest. You were Episode Three for your like first child. I'm pretty sure. I'm not sure. Yeah. It's great fun, though. Yeah. Welcome back. Thank
you very much.
And we have the one and only Mr. Fish coming to us from Seattle, formerly Electronic Arts, now Curative. And you are officially cloud security architect?
Director of security architecture, cloud based. So most of my work is cloud security. But I also somewhat oversee the endpoints and some other IT line-of-business stuff that's not cloud based. Got it? Mostly.
All right. And we have Mike Lyons, who joins us out of Connecticut, taking in some Los Angeles this week in between gigs, formerly Collibra, ServiceNow, other things in between, and enjoying some LA.
I'm attempting to beta test my retirement.
Beta testing retirement Jack, how was the full test of retirement?
It's going great. Nice. We just discovered that there's a Halloween cocktail lineup special at Beachbum Berry's in New Orleans. And so we looked at each other and said, okay, let's go. So, you know, that's what it's like. It's like, oh, let's drive 600 miles to have a few drinks. Okay, let's do it. I look forward to it.
You flew to have dinner, sir. Not that different.
Exactly. I just had to do it in a reduced amount of time compared to Jack. Yeah, yours will have an end. Well, unfortunately, I don't think it'll be as long as I'd like it to be. Yeah.
You basically just feature-flagged your full-time employment. Exactly. We're
gonna go back into a dark launch, too.
All right, Jack, you're at home today.
Yes, home today. After this, I will be firing up one or the other of the forges, maybe both. I have them both running, starting to do a little beating in the blacksmith shop. It's a cool day, so I get to do that. So yeah, home for a few days and then off, and then, you know, who knows? We'll see.
Well, before we get into the scary stuff, tell us what you're making on the forge. That sounds amazing.
I make scrap metal and rust, and anything else is a bonus. What's gonna be made first are a handful of not even tools; I need to make a bunch of handles and pulls, drawer pulls, a whole bunch of things, racks for tools, just utilitarian things so that the forge is more functional. Like the giant barn door doesn't have a handle on it yet. And that's good, basic stuff. And then after that, who knows? Probably do some lighting stuff, probably make some candelabras, maybe a menorah or two for friends. But just ease into it. But like I said, honestly, you put a piece of metal in the fire, you take it out, you wail on it with a hammer or treadle hammer. And if you got something good out of it, great. If not, you got to take a piece of metal, get it hot and wail on it. I mean, what more do you really need?
The reward is in transit. Sounds very bad.
Yeah, well, the opposite extreme is the guitar that I built at the Folk School, which is beginning the process of French polish. So there are, you know, probably only 20 more coats of shellac to go on to that. So that's a different level of precision. And the second guitar build is already started, too. So I'm going back and forth between very crude and very fine work. And podcasting.
Serious maker mode right now, that's awesome. The format of this show is going to be fairly free flow. As always, we put together questions. As always, the plan itself is useless, but the planning is absolutely essential, as I think someone really important said one time about far more serious topics. So we were having a conversation at the beginning that why don't we resume, and we don't need to necessarily name names. I suspect him a little bit. But it was generally, what's the role of the channel? Historically, companies like CDW and SHI and Optiv have provided services and also provided an objective voice and an ability to get transactions done easily, because they held the paper so that you didn't have to have that paper with each vendor and negotiate it. There's value there for sure. But is there still ongoing value today? And I'm just asking you guys, maybe it's easiest for you to start, Mike, since you're no longer at Collibra. But how did you use those companies? What do you perceive their value to be? Are they still relevant?
So my experience is on both sides of the house, right, being a customer consuming services of one of those vendors, and on the other side selling through. Unfortunately, selling into the government, we've had to leverage the channel, because in many cases our government customers couldn't buy it otherwise. I've had very mixed-bag experiences, I would say, with various ones. Some have letters that you couldn't pronounce, and some have letters that you do pronounce. The experience that I've had with them as a customer has actually been pretty favorable with that drop ship to unique locations you can't possibly staff. You're not gonna send a laptop to Country A, as you're gonna pay duties through the nose, right? They took care of shipping and logistics that you couldn't, yes. And also, you know, said vendor of the laptop would also be able to do that for us. And so it was better that we could. We had a pretty reasonable experience there. I've always struggled with the software. So we've purchased software through one of those and, on our own, struggled. It seems like the hardware is where the value is, for my experience at least.
just shipping stuff, getting hardware there just shipping stuff, would you ever buy their services?
Nate? I don't know, I've seen it from both sides of the table. I was at a reseller for a little while. And now my role is the guy who buys stuff. So looking at, you know, I think they make sense, like the channel makes sense when you have maybe a small business that doesn't have access to a lot of talent, and they need advisory services, that kind of thing, and what to get and how to, and things like that. But for larger companies that have skilled, technical InfoSec departments that can implement these things, or IT implements them or whatever, I think there's less value there. Other than, like you were saying before, you have one set, like you don't have to go through legal review of an MSA every time you onboard a vendor, because you're going through resale; there's real value there, it speeds up the transaction. But in larger organizations, I don't see the value there, because it's going to be a custom POC. You're not just taking somebody's word that it's the right tool for the job; it's going to be customized to the environment, because larger environments are going to have interesting things and corner cases that, you know, smaller, more straightforward implementations might not. So yeah.
I think logistics is a good, you know, term to use. I get the logistical side of it, especially with the supply chain challenges we've had over the last couple of years. I've needed to get hardware where it just wasn't around, and the vendor has been useful in sort of locating a certain type of network switch or something like that. So they have a little bit of usefulness when it comes to those sorts of things, and then obviously logistical shipping and so on. But I think the emergence of things like marketplace, and the ability to buy software in these exchanges, is really putting pressure on the software side of things.
Yeah, I would say I've had great experiences on that side. And there are even technologies helping do that, just removing the humans that aren't necessarily value add. Yeah, that'll wait.
Yeah, I think, you know, the point that was made earlier, for small and medium businesses, for not-so-large companies who maybe don't have the technical talent on board, maybe they have a need for services. But the services have been such a hard one anyway. I've never really gotten a tremendous amount of value out of those types of services. So I mean, you're much better going for boutique consulting firms specialized in whatever it is you're trying to achieve, as opposed to the sort of generic "oh, our people can help with that." So yeah, I think their value is probably waning. I haven't found it to be terribly valuable over the last few years.
That's kind of my sense as well. I mean, my experience that was just recounted before this, where we had one of those partners, quote unquote, it's purely transactional, we don't have a relationship with them, and in their defense, kind of just marking something up because they wanted more margin on it, not coming back to us and saying, "Hey, we want more points on this," but just marking it up and handing it off to the customer and creating friction. Really, really bad. And I can tell you, to a point, we never have that experience with AWS Marketplace, to name one. And let's just assume that the others aren't that different, you know, your GCP and your Azure, although I think that they're probably not quite as good. I think AWS has just been doing it longer, and they've got a really good program. But I would never run into that problem. And you know, inside AWS as a vendor, first off, I have a very attentive salesperson, and in defense of the rest of the channel, I'm not a customer of theirs, I'm just some vendor, but with AWS I'm treated like a customer because I am one, because they build the platform there. And then when we do it, we can actually issue a win wire afterwards, which further gets our message out there. And you know, our AWS rep high-fives us afterwards. And the system is so well defined, because they're operating at such a scale, that they'd never dream to do anything weird, and you'd never hear, "Oh, you're not big enough to deal with us." Why? Because I'm a customer. And then on the customer side, if you need it, and it seems like increasingly people don't, you get credit towards your enterprise buying program, you know, and you don't get that through these other programs. It just feels to me that as more things cloudify, the classic channel is going to experience significant compression. And I'll tell you, as an ISV, I hope that it comes as fast as possible, because it's freaking painful dealing with them.
I actually just had a vendor want me to purchase through the marketplace, rather than do the traditional quote-to-PO kind of model. And it sounds good in theory, like fewer people involved, it's quicker, but then the trick I have in my organization is our purchasing process doesn't work that way. If I say, "Oh, I'm just gonna add this to our AWS bill," they're gonna be like, "What are you doing?" And then I have to explain to everybody what the value is and why I'm doing it. And I think kind of getting that sort of cultural change to thinking outside of the traditional vendor management model is, really,
we've seen that multiple times where it's like, oh, this seems like it's so easy. No one explained anything to the procurement department.
But you know, it's funny, I went through that exact same process as well. And I had to retrain the procurement team, but I only needed to do it once. I only had to explain to them that there's now this new method that we can buy through. And they were like, "Well, wait, how does that work?" And I said, well, it ends up on our AWS bill, but we can break it out, and we can show what it's going toward. And they were like, "Okay, yeah, that makes sense." For them, it's a little bit like something on a credit card versus ACH, right? It's just a little tweak in their process. And so I found that to be useful. The one part of it, these groups, the resellers and so on, is in EMEA and APAC you have to buy through the channel, right? So that's the challenge. I mean, for you, as you grow and you're selling into those locations and so on, it's going to be really, really difficult to try and buck that trend. But if anything can do it, it's the ability to buy through Amazon and Google.
And that would be the whole thing. I mean, if we're having trouble here in the US getting procurement to wrap their heads around it, and we are far more cloud mature, sure, good lord, you know, dealing with Federica over in Paris, when you actually do manage to sell something in France, like, can you imagine? Yeah, I mean, it's slower. There
were years away from that, unless we
can move through. I will say, you know, despite me saying I wouldn't use a lot of those vendors from a services perspective, if they're in a specialized market and that's their target, I definitely have had some different experiences. Some of the security-specific VARs, if you will, that are also doing some services on top of it, that have a really good connection with one vendor in this space, one vendor in that space, as opposed to "Oh, which one do you want? Pick and mix," right? They're much more specialized. Yeah, I've had great experiences in that regard, and continue to leverage that for a variety of services. So boutique
firms are valuable, for sure. But yeah, the "we can do everything, what do you want us to do?" engagements don't tend to have a lot of fun. And I've had
some good experience, even not in the security sector, where we were partnered with certain companies and had just massive success. And that's actually helped us when we were a smaller company, when I was at ServiceNow. We were specialized in working with certain narrow vendors that today are still flourishing; they didn't get picked up by the bigger groups, and they are just absolutely flourishing, top talent wholly focused on you as a business. So as an ISV, I think there's a lot of value to getting with one of these boutique firms and leveraging them as best you can, because you're not gonna want to hire 10 services people. Can you give a quick example of a boutique firm and what it did, what its niche was, so that people can wrap their heads around it? Yeah, so at Collibra we used a company called San Francisco Partners, and they are just, you know, a small firm dedicated to helping Collibra get off the ground. At ServiceNow there were probably 10 or 12, but Cask is one of those companies out there. And what exactly did San Francisco Partners do for you? They take Collibra, talk to a customer, turn their business problems into things that they can put into a Collibra, got it, and get that customer, in a much more boutique-y way, up and running. And we didn't have to staff the services. So an extension of your sales force, and services to go with it? In many cases, our sales force was ours, and we would just hand them off to that vendor. In some cases, they were selling directly, and they would handle the deployment and the rest of it. Yeah, exactly. Yeah. Yeah, I think they would know where certain things were that you didn't want to publicize, but you knew there were ways to get over. There was a way around it, there's a workaround, and they knew those things.
Yeah, I mean, it's a market. None of us are channel people here, and there's a huge demand; the channel world is huge. But at least we'll indulge ourselves at the outset with our view. It feels like there are the boutiques that provide services as an extension to sales and so forth. There are companies like Optiv and Trace3 and so forth that are really turning into managed security service providers. I mean, they want subscription revenue, and I don't even think they're really interested in the transactional model nearly as much as they used to be. You know, they're looking at their future as subscription services.
They're more than happy to write the paper on anything if they can take a rip. But yeah, I noticed during the brief stay I had at Optiv as an SE, they were really focused on, they were building up in Kansas City or someplace, a huge SOC, and getting out there. So if you're into outsourcing your SOC, I mean, you downsize your entire SOC to them, and they'll do all of your incident response, they'll do asset management, they'll do all of it, you know, and basically be like an outsourced part of your organization. Yeah,
that was the FishNet side of it, right?
I mean, they're all pointing in the same direction, right? Like I say, all of these guys are going in there. And it's pretty logical, it's not a bad direction. Then you've got your SHIs, your CDWs and so forth, where there's some value there, but it's questionable as to how it fits, especially with the larger enterprise. And then ultimately, you've got this disruptive force with the cloud marketplace, which can be awesome, you know, for all the reasons I mentioned, but it just doesn't fit for everyone yet. You know, it's a weird time.
Even cloud in general was like that, right? Yeah. When AWS first came out, every IT department, every information security department was like, "Oh, don't do anything in the cloud. You don't own those things," even though they probably did a better job of managing it than the organization would anyway. There was, you know, a lot of FUD around basically moving from an on-prem model to a cloud. Well, now that it's become obvious what the benefits are, and push-button provisioning, and not having to rack and stack on your own and things like that, it makes sense. And I think this marketplace model is kind of in that same place right now; it's new, so everyone's like, "Whoa, it's new. I can't, it's not my thing." But I think as the benefits of it become obvious, I mean, it'll pick up people and become a larger force.
That's my sense, too. It's too compelling to ignore.
Yeah, no, I love the idea. And when another vendor found my current role, they were trying to sell us and have us use marketplace. And I'm like, look, I can't be patient zero on this. Like, you know, that will take me forever to convince everybody, longer than just going through the process.
Let's switch gears, let's switch over into the Joe Sullivan case. And what I don't want to do on this is say whether the conviction was right or wrong or so forth, or debate the relative merits of it. There's been about
we don't want to retry the case here.
Honestly, yeah. Step right up. No, I just think that that's been covered by so many people at this point. I think the more relevant question here is, as security leaders, how does it change your thinking? And then the follow-on question to that is, will it change anything that you do, given the results of the case so far? And it's not done. But having said that, let's start with Justin this time. Like, how does it alter your thinking, what happened? And does it alter your thinking at all?
So my first job leading security was in the year 2000. So this is a long time ago. But I think I've always had this latent sense over my shoulder, if you like, that one of the things that happens after something goes wrong from a security perspective is you get cut. It's always been there. There's always been that risk. So resume-
generating event, as someone told me, an RGE. Yeah.
And oftentimes, that event is beyond your control. Like you didn't have the budget, or the people, or the complaining, or anything. But all departments, every initiative has this challenge, right? You've got a certain amount of resources, you've got to do your best. But in security, the stakes are a little bit higher. I mean, maybe not in sales; in sales, you don't make your number, then yeah, pretty simple. And you're compensated for it. That's true. Yeah. So I suppose that's changed my thinking. The sort of fear has always been there. The one-throat-to-choke aspect of it has always been there. But I think it probably is going to change everybody's calculus a little bit when it comes to private versus public companies.
Yeah, but even going back to that, and that was kind of where I thought you'd go on it, back to previously, the fear has always been there; it's always been known as part of the game. It's one thing to lose your job. It's another thing to basically face jail time, or, you know, fines and penalties from the court system. Right?
Yeah, we have a big challenge, I think, in security in general, and also privacy coming soon, right? All of the privacy legislation is coming. In Europe, we already have the standards and so on. But German customers of ours and Swiss customers of ours are already talking about privacy requirements and so on. They really aren't requirements quite yet, but they're coming very soon. And all of these penalties that are built into each of these regs, and one of the challenges that we have is the folks that are writing these rules and coming up with these penalties don't really understand how this stuff works in a practical sense, all right. They don't get it. Look, Congress in the US has a long and storied history of passing laws that are just unimplementable, right? They don't make any sense. They can't possibly make any sense. But this is an area where we're really struggling, because that group has proven over and over and over again that they just don't understand technology. They just don't understand it. They don't understand security. I'm going to make sure that we're not falling back to this position where we say, "Well, we're all experts in this and you just don't understand it." We do explain it over and over and over again. I mean, half of my job is explaining things. And so I think the challenge that we have now is we don't know what Joe's ultimately going to face in that particular case, to be specific for a moment. But having that sort of an outcome is pretty grave. I mean, he referred to patient zero; he's effectively patient zero for this process. Yeah, what happens to him is going to be the example. And then did we over-rotate? Or did we under-rotate? Whatever ends up happening at the end of the day, I mean, it's career-ending stuff. It's not just job-ending stuff, right? You
get convicted, CISO. There you go, right. I mean,
seriously, we all know security professionals over the last 25 years who have run afoul of either a rule or maybe an ethics violation. Or maybe, we all know the rules in security; there are things that you can do, and there are things that you shouldn't ever do. And we all know people who've done things that you shouldn't ever do. And it follows you around. There's no question about it, it follows you around in your reputation. It's not written in your resume. We all know, because we're a relatively small community still. The grave outcome of fines or jail time and stuff like that, I mean, especially in that particular situation where, by all accounts, he did have his CEO briefed, his legal team was in the loop. Like, what more can he do beyond briefing a CEO and his legal
only to find them testifying against him? Yeah, in the case
of the legal team. So is the question now, do we go directly to the board? Right, because ultimately, it's the board's responsibility to run the organization, to make sure that the value continues to get provided to all of the investors. And the investors are usually sitting on the board anyway. But as the CISO, if you go around your CEO, who you've already briefed, and you go directly to the board, does that turn you into a whistleblower of sorts? Yeah, how's that being treated right now? It's a really difficult situation. And we can all find ourselves in that situation through no actions of our own, or it could be completely,
it could be inherited; I left the last guy's mess, and it just blows up while you're putting your hands on the wheel. I think the joke, when I first saw the Joe Sullivan case, I remember Slacking my boss, the CFO, and saying, "Hey, you should get paid more now, you can go to jail for it."
maybe an outcome. But yeah,
So I mean, it'll be really interesting to see what the sentencing looks like, because I think you're right, I think it does. As security professionals, our entire job is risk management. Yeah. And we're gonna manage our own risk as well. And if it didn't, so now maybe bypass an executive layer, go right to the board. Maybe now it's more desirable to work for a private company than a public one, because there are fewer regulations.
I think there's an inherent challenge even in those, though. I mean, many boards, very few boards, have people that understand the security components of a company, of a software company, at all. If they're an ISV, then there's a higher likelihood that you have people with software experience. But if you're not, if you're at a retailer, there are not a lot of people that understand this technology at that level. So you can go to the board and still maybe, you know, be speaking about random things that don't make any sense. Not that they're not risk experts, right? Because most board members tend to be risk tolerance experts to some extent, but when it comes to the nuances of what a breach is, is it a 10,000, 100,000, 100 million thing, whatever it is, dollars or records, or whatever the case may be, that's a scary prospect, because they might not be able to deliver on it there. But I do think that determining who is the ultimately responsible party within the business, that's something that needs to be hashed out better. As I'm thinking about my next phase of career, I'm contemplating things like D&O, or, you know, depending on how you're thinking about insurance, the game on my own personal insurance, my own personal counsel. As I negotiate my next contract, I'll be thinking about it. Do I have counsel? Do I pay for the counsel? Does the company reimburse me for my counsel? Do I have the ability to have outside counsel at all times if I'm responsible for making this call? Do I hire counsel to actually have my own internal counsel who doesn't work in that, or that you, that great
shuffling of paper that was heard around the globe, was every CISO listening?
Yeah, but it's actually a useful thing. So most legal teams inside of companies, they retain outside counsel for all variety of reasons, right? For intelligence purposes, or you do an M&A, you want to have a third-party view and all that kind of stuff. I think security teams should seriously consider that, and even a separate one to the one that the company is going to retain, because if we really do want to have a truly independent view. Now, the challenge is legal teams tend to be risk averse too. To Mike's point about explaining things to boards and stuff, that's on us. That's on us. If we get 15 minutes a year or an hour a year, whatever it is, through the four official board meetings, whatever it is, and we get to brief them, it's on us to be able to guide them, if they don't know, to say that this million events actually has nothing to worry about, but this one over here is existential. That is on us to explain to them. And it's one of the biggest improvements, I think, that's occurred in cybersecurity: our ability to, A, get access to the board and senior leadership at companies, but secondarily, our ability to be able to explain to them a complex technical issue. We have to be able to break it down for them so that they can actually make a decision, because ultimately, they are the risk managers, and we just have to work as consultants, effectively. Which even more means that Joe's role, to go back to that case, was that of a consultant. And he provided the information to his leadership and to the legal team, and still the decision went the other way.
So what about all of the, I know that there are quite a few, it's kind of like this latent font of risk that's sitting there, all of these companies that have possibly paid off the ransomware and tried to hush it up and tried not to let things get public? What about if past things started coming out? Like, are you now criminally liable, as well as looking like you have poor security or whatever, for being hacked in the first place? You know, it's almost like your tweet from 12 years ago: is somebody going to discover your tweet,
which may have been perfectly fine back then. Kevin Hart, the Oscars host or whatever, he made a bad joke, and then it came back to haunt him later in life. That's a tough situation. Lots of times you take a role at an organization, and the bodies are buried very deep in that organization; there are issues that you may not be able to uncover. I personally took a role at a company, and there was an issue that was pretty deep. And I ended up discovering it on my own and running an incident because of the issue that I found. And then I ended up talking to general counsel, who said, "Oh, yeah, we know about that." And I went, why didn't anyone tell me?
I don't know. I'm next on that one. I gotta say, I think I'd rather not know. What I ended up discovering, of course, that's through your own diligence. And I would be perfectly comfortable discovering it as well. I want to discover it. Yeah. But I don't necessarily want to know that it's there, because that deniability does go away in many regards, especially if you make your own determination that you found a reason that that issue existed, and you may not be able to implement a change as a result of this. Thinking back earlier, we were discussing, we all know somebody who's maybe had a bit of indiscretion in their past with regards to this. I remember interviewing candidates from Sony for non-security roles. They were not in a security role at Sony. They were not coming to the firm that I was working with to take a security role. And they had a story related to the Sony breach. You had security people, every single one of them, involved with the security breach. And then all the non-security people were like, "I have no idea, that was a different group. I wasn't even in the building. I was out, I was sick that day, and my dog ate my homework." And I felt really bad, and these people are telling me this story, and I'm like, I get it. I didn't think you were the one who left the door wide open and everybody came hacking into the business.
All of a sudden, you're the priest in the confessional.
Funnily enough, he's across the street.
And I was thinking, when you were mentioning that, which one of us have? Yes, there were five or six? Well, PlayStation was the timeline for mine.
I learned a really valuable lesson pre-startup, in my previous gig where I may or may not have met Jack. The lesson I learned as a leader coming in, like you're saying, to a situation where a company has been around for a very long time, is you can completely screw yourself by not asking questions at the right level, and not asking enough questions. And I think it's a mistake that I made in hindsight. And I caught myself a little bit six years in, but really 12 months in. And I was asking questions at like the five-foot level, where I needed to be asking questions at the two-foot level, being far more detailed, far more wise, and so on, because I couldn't afford not to know. And I interviewed like 20 to 30 people, because I started as a consultant. So it wasn't like I didn't do normal due diligence. But I think the reality is, if you're coming in, and in my situation, you're charged with getting a company that's been around for 12 years, you know, bootstrapped, and then all of a sudden, you know, a quarter billion dollars of rocket fuel pouring in in the form of VC investments, you better ask questions at a super-detailed, latex-glove level. And the failure of doing that meant I had a whole bunch of surprises that, in hindsight, I probably could have avoided and dealt with earlier. If you're a public company CISO now, I think one of the lessons to take away from this, and what I learned, is you better ask one-foot, two-foot questions instead of stuff that's high level. You better have on your latex gloves and look for dust and problems so that you don't get surprised. You've got a period of time when it's not yours. Tell me this before, Justin, like, you have a short period of time where it's the other guy's problem, right? But there's a window that you cross, and it's invisible. There's a line when all of a sudden that's your problem. That's something that you did, you were inattentive to, or even negligent, to use a loaded word. I don't know where it is.
And I bet it varies. But I would make sure that I did an exhaustive entry period, you know, and maybe that even becomes, like you're saying, one of the things that the lawyers provide, and you work it out with your attorney. Maybe it's a service opportunity. Maybe freakin' CDW does it?
Transcribed by https://otter.ai