ITSP Magazine Podcast: Embracing Adaptation & Innovation

Join FireTail CEO Jeremy Snyder and ITSP Magazine founder Sean Martin to discuss the role of the CISO in cybersecurity's rapidly changing landscape. This episode will offer actionable steps for CISOs to navigate the complexities and pressures of their job and continue to innovate securely.

The CISO Role is at the Forefront of Cyber Resilience

In this episode, Jeremy shares his journey into the cybersecurity industry and what his various experiences have taught him about being a CISO, from tackling challenges such as regulatory compliance to threat management and more.

Listen in to learn about the integration of IT and security functions, the role of AI and other emerging technologies in cybersecurity, and actionable steps all CISOs should take to improve their security posture.

This talk answers questions such as:

  • How has the role of a CISO evolved in today’s cybersecurity landscape?
  • How can CISOs navigate the changing threat environment?
  • What impact do emerging technologies have on cybersecurity?
  • What level of responsibility do CISOs hold for their companies and teams?

Podcast Transcript

Sean Martin: 

Hello everybody. You're very welcome to a new episode of Redefining Cybersecurity here on the ITSP Magazine Podcast Network. This is Sean Martin, your host, where I get to chat with all kinds of folks about all kinds of things. Cybersecurity, the ultimate goal of, uh, helping businesses not just protect what they have, but, uh, do generate growth in a safe and secure way, hopefully.

And, uh, at the helm. Of that effort, uh, oftentimes is the CISO, the chief Information Security officer, responsible for looking at risk and communicating that risk and building a team to mitigate the risk and all this stuff around that. I said risk a lot of times there. Who knows? Maybe we'll talk a bit about that today. 

I'm thrilled to have Jeremy Snyder on today, uh, to, we're gonna be looking at the role of the CISO and, and its current state and how we arrived here and what's going on. Certainly no lack of news. Yeah. Uh, with, with things around the role. So Jeremy, it's a, it's a pleasure to have you on. Thanks for, thanks for joining me.

We finally made it. Yeah, absolutely. To get, to get things going. Yeah. How are things, what's going on?

Jeremy Snyder: 

Look, things are good and weather is better in my part of the world than where you are. And you know, thankfully, uh, we'll, we'll hope that that continues to be the case. We did get hit with a bunch of snow, uh, recently, but that seems to be melting.

But look, you know, what's going on is, um, a lot, as you said, the state of how things look for the CISO right now is probably one of the most murky states that we've seen in the last 10, 15 years since the role of CISO kind of started to become a thing. It's the kind of thing where, you know, we've got a CISO on our advisory board who says, I don't know if this role is going to continue to exist for a while, because I don't know why you would take it.

And you know, there is a lot that we can go into as to why that's the case, but that is the case right now.

Sean Martin: 

A bit of, uh, ignorance is bliss. I mean, people grew up into the role defining it as they go along. Um, tell me a bit about why this is important to you as a topic, uh, and maybe I suspect some of it's rooted in some of the stuff that you've done leading up to your current role.

So give us a bit of background on, uh, how you've entered into this world of cyber and what you're up to now.  

Jeremy Snyder: 

Yeah, actually. The question for me is not how I got into the world of cyber, but why I stayed in it. And, and I'll come to that in a second. But, you know, to kind of answer your question, look, I started my career as basically an IT practitioner. 

Um, I joined a software company, age twenty-two-ish or something, uh, with a degree in computational linguistics thinking I was gonna be a software developer. And turns out, once I got into the real world, actually, I was not good enough. Um, I was, you know, strong technical background, a lot of fundamental understandings, knew networking, knew systems in general, but couldn't write code very well, and certainly not like high level code.

You know, we had a number of PhDs on our team and like we were maybe an outlier in the sense that what we were doing had some very, uh, very heavy statistical algorithms that I just couldn't keep pace with. And so, uh. The lucky thing for me was that the company liked me and I liked the company and we were growing really fast and there was this opportunity to just do all this cool new networking and infrastructure and security stuff for us. 

And so for like the first kind of ten-ish years of my career, 10, 12 years of my career, I was really hands-on keyboard practitioner. But you know, as a non-developer, really building networks, running systems, yes. Sometimes also answering help desk calls and fixing printer issues and whatnot. But you may or may not remember if you're old enough to have been around in IT.

In those days, there wasn't really a separation of IT and cybersecurity. It was all one thing. Fast forward, you know, twelve-ish years into my career and I got an opportunity with this little startup called AWS that was recruiting people like me to go explain to people what this cloud thing was gonna be all about.

And I did that for a number of years and partway through that time, this company came knocking in the cloud security space and they were like, Hey, we've got something here. It's the fragment of something that is gonna be a strong cloud security product. Which by the way, I will a hundred percent echo something that you said, was an enabler of business innovation.

You know, long story short, we, we grew very rapidly for about four years there as cloud adoption really started to hit mainstream between like 2016 and 2020. Uh, when we were ultimately acquired at the end of that journey, I actually thought, okay, you know, I've done the security thing pretty deep for like five years now, and I think it's time for something else, and, and security is like, it's really challenging.

It's super thankless. You know, you, it's one of those jobs where you don't get thanked when everything is secure, but you get blamed when things you know go wrong when there is a breach or an incident or whatnot. So I thought, you know, enough of this stress, enough of this craziness. Then the pandemic happened, and this is kind of what I alluded to earlier.

This is why I stayed in cyber. During that time, you know, when we're all kind of locked up at home and, and bunker down and figuring out like, how are we gonna ride this thing out and oh crap, what's gonna actually happen to the world and the world's population and all of us humans? It so happened that at the time some of the companies that were working on the vaccine were also using our software to protect their cloud environments. 

We were hearing from them that they were just getting hit with attack after attack. And you know, some of these were very sophisticated nation-state actors who were trying to steal the intellectual property of all the research and development that they were putting into the vaccine development. And then you realize two things that I realized at least.

One, actually, the security allowed them to keep innovating. They needed these cloud, cloud platforms to run the simulations. It was the only place that they had access to during, you know, this kind of lockdown and remote work and scientists collaborating from various parts of the world remotely on running model designs and simulations and, you know, all of these things that got us the vaccine in such a record time. 

And two for me, was that like, okay, I'm never gonna be that scientist. Whether it's in vaccine development or space exploration, or electric cars or climate tech or whatnot, you know, maybe that's not how my brain works, but I understand the security thing and I do see that the security of those platforms enabled the other people to innovate and move forward. 

And so that's why I stayed in security and that's really kind of what led me to where I am today. And to co-found FireTail with my co-founder Riley and, and you know, try to tackle the problems that we're tackling. Sorry that was a long-winded response, but hopefully that kind of tells you like, you know, where I came from.

Sean Martin: 

Uh, absolutely. Absolutely. And, uh, a fellow, uh, engineer. I used to sling code as well early, early days, and I, likewise, uh, realized, yeah, I'm not, I I can do it, but not at, not at the level that, uh, others can. So let, let me figure out what else, what else there is to do. I never, yeah. Never took the, uh, the CISO path.

And I, I've actually said, I don't know, hundreds of times, maybe on, on episodes that I probably could never be a CISO. Um, even if I wanted to, which I probably don't. Um, and I, yeah. But I always followed it by, I have tremendous respect for those who take that seat and take those reins. Yeah. Uh, because of Yeah, 'cause of the work and, and the, and the, the weight that's on the shoulders for them.

Um, yeah. Yeah. So, I don't know. Thoughts on that.  

Jeremy Snyder: 

Look, it's a hot seat and like probably never hotter than right now. When you literally have regulatory compliance agencies filing charges against CISOs for I I something that I would argue, and, you know, probably neither one of us has all the facts on this, on the, on the situations, but I look at the situations where charges have been brought and it's very hard for me to say that person individually looks to be at fault.

And it is justified to bring charges against him. I just don't think that's the case from everything that I know.

Sean Martin: 

Yep. Yep. And, uh, yeah, that, that person's a good friend and, uh, I, I, I stand with him as well for, for those reasons and others. And, um, but I think the, it, and I kind of alluded to it earlier, and I, I'd like your thoughts on this.

As cybersecurity matured, we kind of began to figure out, well, what does that mean? It did, it did start to separate from traditional IT and systems management, network management and those types of things. And, and I come from a QA engineering background. So QA was kind of similar role, right? They're, they run in parallel, hopefully toward the same objective.

Um, yep. But not always. Not always in, in, uh, lockstep, but not always. Uh. As friends. Um, but I guess the point is that over time the role matured and, and with it, uh, the programs matured and I guess I, those early days, there was very little, uh, visibility. Right? Or, or, or a sense of here, yeah, here's where I need to go.

I'm just gonna go and define it as I go now, now I feel with this shakeup, we know where we are and taking that next step, we know what it means with respect to some of these challenges we face in that role. Yeah. That's why I was kind of joking that, uh, that ignorance is bliss if you don't know where you're heading.  

If it's just a big black hole and you're okay with the unknown and that the next step may, may smart a little bit, it might, it might hurt a little bit, but you know you're gonna be able to take another next step. Now you see the next step is a brick wall, perhaps. Yeah. And, uh, it, it makes things different.

So I'm interested in your thoughts on that. And because you made another point on whether or not this role will even exist and Yeah. What, what happens there? So your thoughts on both of those, I guess?   

Jeremy Snyder: 

Yeah. I mean, look, two things. So on the ignorance is bliss point, I think like a lot of organizations have lived with that.  

And I think for a long time it really was bliss and for the past, you know, several years, it probably has been bliss there. There's a couple problems that I see with that approach going forward. First is that you have regular regulatory requirements kicking in for the first time, and these are going to be applied like pretty universally, whether you're a small company, medium sized, large company, services company, product company. 

Regulated industry, non-regulated industry, whatever, you know you're going to be, you're going to have to face this requirement that if you do have a breach, you have to do reporting, and that reporting has to be within a certain timeframe, and that reporting has to include certain data and that information needs to be as accurate as it possibly can be.

And I don't think the ignorance is bliss excuse is going to last very much longer on that point. So to some extent, just as every company is becoming a software company in one way, shape, or form, as that transformation happens, every company has to have a security function around the data that they're collecting, manipulating, using, et cetera to enable their business.

So that's one thought. The other thought around it is, um, unfortunately, like we used to live in an age where only good targets got targeted. The problem is, I like to tell people is that hackers have automation too. And we see in our own testing labs, we create APIs for testing purposes. 'cause API security is what we do and we create them all the time and we're launching them and we stand them up and we bang on them and so on. 

But guess now we're not the only ones banging on them. Every API that we put live typically within three to four minutes, it's starting to see traffic. That traffic is super random. It's coming from all over the world. It's not only the quote unquote bad actors that you would think of, so it's not only coming from, you know, Russia, Iran, North Korea, et cetera.

It's coming from anywhere. 'cause also hackers have proxy servers. So you know, they're sending their traffic from anywhere around the world. And we see interesting patterns. And those patterns are, oh, did I get a response? Yes. Awesome. Well, like, not right away, but soon I'll send some follow up traffic. And what am I doing with that follow up traffic?  

I'm trying to establish what runs there. Once I establish what runs there, I'm gonna send some actual malicious traffic to try to exploit vulnerabilities that are known in those systems. So an example of this is like, oh, I, I got a response. Awesome. Let me check if WordPress is running there. Oh, WordPress is running.  

Great. Let me try to hit the admin, uh, interface of WordPress and try to see if I can find usernames, passwords, access credentials, or let me try to use this like injection attack that's known, uh, to be a vulnerability in WordPress, right? And so previously you might've said, ah, nobody cares about us. We're a, I don't know, a dry cleaner in Chicago, who would ever care about us. All we have is an online reservation system where you can tell us that you're gonna drop off your clothes on a certain day and you want 'em back by a certain other day. Once you put that system online, it's going to get scraped, it's going to get pinged, it's going to get pro, uh, probed and prodded, so that ignorance is bliss.

I just don't think it's a sufficient answer going forward. Now on the other side of your question around kind of the organizational aspect of like what's happening with the CISO and will it continue to exist? We talked about kind of the charges side of it, but I think there's also something that like those of us in the cybersecurity community need to be a little bit honest about ourselves, uh, honest about with ourselves.

And that is like as that separation from IT happened, uh, we didn't manage it well. And I think this is true in many, many organizations. And specifically what I mean is that like how many companies do you go into or how many times have you heard the joke that the security team is just the department of No.

And you know, you said something in the intro to the episode, which was about risk and, and you know, the number of times that you said risk and like ultimately cybersecurity is kind of a risk management question and exercise, you know, what level of risk is acceptable to our organization. Um, we, you can't mitigate everything.  

You can't lock down everything perfectly or nobody can use it, right. It becomes unfunctional. Um, and so that's really like a, a situation that I think has created this like cultural friction inside organizations that also adds to that. Like why would you want to take on a CISO function when you're coming in, heading up a team that has a bad reputation inside the organization?

Might be adversarial, there might be a lot of friction. And then the third thing that I'll add on there, and like, you know, we're, we're really getting down the rabbit hole a little bit on the, on the innards of some, like how a lot of companies work. Um, how many times have you gone into an organization where the, the CISO actually is a C-level executive? 

You know, owns their own budget, has their own, you know, approval capabilities to everything. Many, many security teams, whether it's CISO on down, you ask them like, well, what do you need to solve for? Oh, we have, you know, these 50 problems that we know about and probably some that we don't know about. Well, how are you tackling all 50?  

Oh, no way. We, no way that we can, because our budget is this and it extends to 10 of those 50 problems. You know, so there's, there's all kinds of challenges around this, and I think like, to some extent, one of the things that I really wonder if it's going to happen is whether IT and security reconverge, because in many organizations what you're seeing is that, like the importance of IT from the infrastructure perspective is actually decreasing.

Why? Because it's cloud infrastructure. And as you get deeper into the cloud and your engineers get more sophisticated with it, it's a lot of automated cloud infrastructure that manifests as infrastructure as code. Hardware management is a thing of the past in those situations. And then even internal application management is often going to external SaaS vendors.

And so really from an IT perspective, what does the IT team have to do? Well, yes, they need to deliver you an endpoint device. Laptop, whatever. This is not nearly as complicated as it used to be. There's all kinds of mobile device management tools. We don't really use like office-based desktop computers very much anymore, anywhere, whether SMB or enterprise.

It's pretty much all laptops. Uh, you know, there's Jamf and X number of other solutions for managing devices, rolling them out, updating, patching, etc., etc. Um, and then if, you know, most of what we're doing from a server side is in the cloud, like what infrastructure is the IT team managing? And so you can, you know, take those same individuals, the same set of resources and reallocate them towards security or just, you know, recombine those teams.

So I'll be interested to see like how much that plays out. Um. Yeah, I think, you know, it's a challenging time in security. And then, yeah. By the way, none of this is to even get into like, what are all the new emerging threats that people are facing, right?

Sean Martin: 

Yeah. Maybe we will get there, uh, as well. I wanna, I wanna steer slightly, I don't know if it's different direction or, or a deeper dive.

I see how this comes out, so I, um. I think this idea of IT and security kind of coming back together says to me that systems, be it networking and endpoints and, and things like that. Yeah. Have a role and the two teams can come together to kind of, kind of shore things up there. I mean, I don't know, whatever.

Fix patch management and that kind of stuff. Yeah, yeah, yeah. I know. Yeah. Um, but where I think the, the future challenges for me sit in, not even AppSec, I mean every company's building apps now, but I really, and maybe touches on the API point that you, that you brought up earlier where I really see the real risk to the business.

Sitting in the business logic. Yeah. So not, not the system. Yeah. Yes. These things don't go away, but it, it's not necessarily the system. Not necessarily the network. Not even necessarily the app and app. It's, yeah. The workflow and the logic within that that touches all these things, which yeah, I think ultimately is the, the holy grail.

If you can, if you can run the workflows and business logic however you want, um, yeah. You don't have to touch the system. I don't know. What's the CISO role in that, in that world?

Jeremy Snyder: 

Yeah. Look, I mean, I think the CISO role is generally the same. What's different is understanding what all goes into it.

Typically, like when we think about IT or security, we're very often thinking of a lot of infrastructure. And by the way, like especially on the security side, a lot of network, so many, and I, I don't know if this is just like a representation of the security people that I've known over my career, but so many security people come from such a, like a heavy TCP/IP networking background and there's just like heavy, super, super heavy focus on networking.

But also when we move into the cloud world, what network are you really worried about? Like, is it the internet? Because, you know, remote work, SaaS solutions, cloud solutions, I, I don't know what network you're really concerned about. You know, I'm not sitting on a LAN that you, you manage on a day-to-day basis or anything like that.

So let's put that aside for a second and come back to this question about like, what's the CISO's role and responsibility in this kind of world? So if it's not infrastructure, it's not network, et cetera. It is to your point, it's the business logic. And then I think importantly along with the business logic is the data flows and what data is flowing from system A to system B.  

I'll give you an example that I like to use and, and you know, not to get too deep into API security or API specifically, but like this is kind of, I do think this example is kind of representative of how a lot of the modern internet works. Think about the time when you order food delivery from one of these like mobile apps, right?

Uh, DoorDash, Uber Eats, Deliveroo, Delivery Hero, whatever it is, wherever you live in the world, right? So let's think about a little bit of the data flows that go into that, right? So I pull out my phone, my phone gets my GPS coordinates, sends that to some server in the cloud over an API by the way, I get back a list of menus and services that are available for me where I am.

So it knows that I'm in the Washington DC area, these are the restaurants that are available. I do or don't have grocery delivery. I might or might not have alcohol delivery. 'cause that's geographically regulated typically. Right? So I've got like this array of services available to me and if it on the restaurant side, which restaurants are available.

So I go through, I place my order, et cetera. Awesome. So I fire off this order again over an API to some service that's living in the cloud. But then what happens, this is where it gets super complicated and interesting, so, you know, turns out Uber Eats doesn't run a bunch of stores. They don't run a bunch of restaurants.

They don't run payment processing, and they don't do the delivery themselves. So now we're thinking about all these third parties that we're coordinating in order to deliver one transaction. So there's the business logic that you mentioned, right? But in those communication paths we've got Jeremy's home address that's going out to the delivery service.

We've got Jeremy's order that's going to the restaurant. We've got Jeremy's payment, uh, credentials that are going out to the payment provider, right? And so we've got like all these sensitive data crossing wires between third parties that have some types of agreements or relationships that might or might not be brokered by a third party like Stripe or, or, you know, Visa or somebody like that who's kind of re uh, mediating this transaction.

And so the CISO's role, I think as it evolves, you know, is gonna have to evolve along with this type of technical paradigm where your understanding has to be, to your point, understanding what are all the business logic flows that we have and that we execute, that we as a company deliver. You know, are we a consumer facing app like this?

Are we a research organization? Whatever it is, the chances are very, very high. That you are not doing everything within this silo. That is your organization. You've got all these third-party interactions. You probably have any number of vendors that you're using or subcontractors that you're using for these things. 

You're sending data back and forth, which is easier than it ever has been before. You at the end of the day, are responsible for your organization's handling of that data, and you have a liability to your customers for how you treat that data, protect that data, etc. You have to understand the big picture around all of that.

What are the risks implied? What are the controls and mitigations that you have that you can put that guarantee forward? That's where I see the role of the CISO evolving, and it really is involved, as you said, Sean, with the business flows, and, you know, kind of how, or the business logic and how all of this data flows in these ecosystems.

Yeah. And I think that's something that people are just now waking up to.  

Sean Martin: 

Yeah. Yeah. And my, uh, I, I, I tend to jam all of that stuff into my head and put it in a picture and come up with this unwieldy. I'll just say, uh, what was the, uh, what was that? The old, old app you put all your network diagrams in? Um, anyway, it doesn't matter. 

Uh, I have this weird complex picture in my head, and, and with that then I map risk management to it. And I just think, ugh, what a, what a mess. But yeah, I'm, I'm, I'm inspired by this conversation. I'm gonna take it to a positive view here. Yeah. Um, and, and I'm looking at it through the lens of all, let's say platform engineering.

Uh, where Yeah, perhaps in an uncontrolled fashion, all these abstractions and all these layers and connections can be a real mess to deal with. But if, if you, if one takes a step back perhaps and says, starting with the flow, what's the business logic? What is the flow, what's going from where to where, and understanding that, that that is probably a much more simple view than all the stuff underneath it.

Yeah. And I could get negative again once I start thinking about third-party risk management. But if we can find a way to get all these abstractive layers secure by the people who build them, then the CISO is less concerned with securing all of those things and more concerned with just securing logic with some attestation and proof that, that the pieces parts actually are secure.

I don't know. I, I'm feeling inspired. I dunno. Yeah, yeah. I'm articulating, uh, that view well, but-

Jeremy Snyder: 

I don't know. No, but I think you're interesting.

Sean Martin:

I think one interesting way we can get away, away from some of the challenges we have.

Jeremy Snyder: 

Yeah, for sure. And I think you're absolutely onto something. 'cause you're right, if you, if you map out those flows right, and you map out the communication paths and the data elements that are crossing the wires and you, you can then like pretty quickly get kind of an inventory on where your, your risk points are. 

Understand what you are doing internally as an organization. And then one of the other big trends that, like, you didn't mention it explicitly, but we're definitely feeling it in the cyber security world, is kind of this, um, what you would've called in the past, kind of a BAA, a business associate agreement.

Where, you know, we as a subcontractor to you inherit your standards, requirements and so on. This is becoming super commonplace and one of the positives on this side is that it's also becoming way easier to go through a certification process as well as an evaluation process for a lot of the most common, you know, business controls and security controls around this. 

And I'll, I'll give you an example of what I mean is like, it has never been easier to do a SOC 2 certification, like never in my career. And I've gone through it a few times at different stops along the way. We went through it for our own company, and granted we're a small company. In the past, first of all, you would've said you're crazy to go through it.

As a small company, you need a level of maturity. You need enough people, you need, uh, uh, you know, a bunch of resources. It's gonna cost you like three people, six months and an external auditor. And I'll tell you, you know, we got through it with tooling. A half person and yes, we had an external auditor. 

Because you do need one to get that, you know, external view and, and to question you and challenge you and so on. And make sure that you guys are, are also doing all the things that you say that you're doing right. And check the data, check but verify, trust, but verify rather. Um, but we got through that whole process in about three and a half months, you know, and, and it didn't take, it didn't take a team of people.

It took one person half time monitoring the process, closely managing, etc. And then a whole bunch of product integrations to connect all the things that we use. Now, maybe it's easier for us because we are one of these kind of born in the cloud companies where all of our systems are external and, and one of the positives that comes out of this, which again you didn't mention, but is definitely true.

When you think about this kind of modern organization that's born in the cloud and you, and you try to capture all of those, um, business logic and data flows and whatnot, everything is software defined. The fact that it's software defined also means it can be software examined. All of the security controls are software defined.

All of the data passes over software-defined network, uh, connections and so on. It makes it easier than ever to kind of audit and have real-time, continuous visibility of how these interactions are going. You know, is encryption in place, is multi-factor in place. Like all of those things that you really need to do to cover the basics.

So on this line, I would absolutely agree with you. Like there's a lot of positive to be said about this cloud first world that we're in today and what you can do about it. It's just a different set of things.

Sean Martin: 

And, uh, the BAA that's born in the, uh, the healthcare world, of course, HIPAA, HITECH. And I think the, the, the current is shared responsibility, right?

If we look at the cloud, right? Like all, all the major cloud providers offer that, where they're not gonna let you see in, but you can, they can attest to, uh, that they have Yeah. These parts of the puzzle safe for you. Um,

Jeremy Snyder: 

Yeah. Yeah.

Sean Martin: 

Did, does that mean? So I, I went to the platform, uh, place. Um, and you went to the software place.

I'm, I'm just wondering is, is that direct the direction or is it, does it both, do you think? Do we, do we need to, I, I don't know. Do we get away from traditional systems and networks?

Jeremy Snyder: 

No. Or off the top?

Sean Martin:

Off the top of the CISO role.

Jeremy Snyder:

Yeah, sure. But, you know, but I, I just think they're distributed. And, um, and, and they're a different set of systems and networks, like they're mostly distributed at this point.

And, you know, it's, it's, let's just take like one, one business function as an example, right? Like, uh, building a payments processing system. You know, in the past you might have actually built that yourself nowadays, you never would. It's, you know, it's too much hassle. It's available, it's inexpensive. 

 

Integrating it takes, you know, 5% of the time or 2% of the time of trying to build it yourself. And then by the way, it comes with all of the assurances and all of the security and all everything else built in and the contractual guarantees and so on and so on. And so like, that's what I mean when I say, you know, it's distributed. 

 

And so these systems and these networks, first of all, the networks are primarily the internet and the systems are just, you know. Uh, a di a distributed network of providers of various business functions. You know, on the API side, like when we, we talk to software companies, large and small, you know, it could be anything from a mobile app provider to an IoT or connected device provider or whatever. 

 

When we talk to them, they've all got. A huge range of external providers that they're using. Nobody builds the full stack themselves. Nobody runs the full stack themselves. They're all incorporating these third party relationships that provide a particular specialized piece of functionality, data processing, what have you. 

 

And I think that's just the nature of the modern internet. It's a set of building blocks that you can, you know, stitch together and kind of do almost anything.  

 

Sean Martin:

Yeah, I harken back to a time when, uh, how many, 15 years maybe ago, I, I built, uh, built, uh, a Groupon competitive offering. Yeah. Yeah. And the amount of, the amount of junk that I had to build to get it to work. Yeah. That, that I'm sure is just all service enabled now. And I could focus on, guess what? The business logic. Yeah. I, I, I don't know if I'd wanna do it again, but anyway, just Yeah, yeah, yeah. The way the world has changed since, since that time. It's really, really interesting. Um, yeah. Yeah.

We're, we're coming up to the end here. Let me shift back to the, the CISO. Is there anything that we didn't touch on that you think, um, we should? Uh, some of the things that came to mind were the, the role in different regions, uh, around the world, the role in different industries. You kind of touched on with the, with the notification.

That's kind of, kinda level sets everybody, right, in terms of that. Yeah, yeah, yeah. Breach notification. But do, do you see any nuances or any other things that, that you think look in, in the past?

Jeremy Snyder:

In the past, I think the regional differences were a lot worse and I think they've actually become more easy to navigate.

It's not necessarily that they've gone away because, you know, Europe has GDPR and NIS2 and the US has, you know, NIST cybersecurity frameworks and Australia has their Essential Eight and like everywhere has, you know, kind of their own flavor of thing. At the end of the day, two things have happened that I think make that less of a challenge.

First is that like new standards, as they're getting rolled out, they tend to be derived from, from some common source very often. You know, it's like a NIST cybersecurity framework is kind of the master document, or maybe it's ISO 27001 or whatever. But it's a pretty well known international standard that something derives from.

And so a lot of organizations are already doing some flavor of it anyway. Maybe just as like an organizational exercise, uh, excellence exercise or who knows what. The other thing is like so many of these providers in, in the tech world have just gotten big and they've gone international. And so they understand like, oh, you're connecting for payments processing in Singapore.

No problem. We have the MAS standard, here's the attestation, etc. And you know, some of the, the fact that some of these providers have gotten bigger has actually made it easier. Um, 'cause they've grown internationally and, and supported these standards with them. Two other things that are on my radar that I do think about from the CISO perspective, one is just the range of new and emerging threats, technologies, whatever. You know, certainly like the last six, seven months, all, all, you know, all the air in the room is sucked up by AI and talk about AI, and we were, we were so close, the challenge that I, to, to getting away with an episode where we didn't talk about it.

Yeah, yeah. So yeah, look, I'm sorry, go for it. I had to bring it up, but, but you know, it'll be quick. I mean, look. The thing is, right, it grew so fast and, you know, I think the, the pressure from many, many boards and, or, and, or C-suites is, how is this going to impact our business? We need to figure it out now.

And so there's this like huge push to like, go experiment, go figure out, does it have an impact? Are we, are all of our jobs at risk, whatever it may be, right? And so there's just like this massive push to go over to this thing with no understanding about what the risks are. And then, as always happens with new technologies, a lot of confusion around it.

I remember the early days of the cloud, and it was like, oh, you know, the cloud providers can read all your data. Well, no they can't. There's encryption and there's account keys and blah, blah, blah, blah, blah. But that was a common misconception. And similarly with AI right now, there's a lot of, oh, you know, if you put your company's intellectual property in any AI model, it's out there for anybody to go.

Right? And like, there's back and forth and back and forth on all of these things. So I always think that like any new emerging technology creates a challenge for a new CISO to navigate as to what risks are real, how real are those risks, and then specifically how real are those risks to my organization?

And unfortunately, that always takes time. And, and like, nobody knows the answer to that on day one or on week one of a new technology emerging. So that's always challenging. The second thing that I think is, is a challenge for CISOs is like, along with all these new technologies, there's new companies that pop up in all of these spaces to try to help manage risk in those, and figuring out which of them are real, which of them have an approach that actually mitigates the risk for the way your organization is using that technology, is a very challenging prospect. And I'll, I'll admit that. Like, you know, for me as somebody who runs a security software company, I know that there have been times when we've also been guilty of putting out a message that is very much, you know, like APIs are super dangerous.

You know, the sky's on fire, like watch out. And, you know, for some organizations I, I do think that that is really true and we've seen some terrible APIs that leak data all over the place. But then for other organizations, you know, your level of API adoption is probably tiny. You may have almost no risk exposure, um, but when you, but navigating that sea of messages and things that you hear can be very challenging for any security organization and figuring out what's the right prioritization, what's the right approach. And then again, with all of these new technologies, there are people who are gonna come with different ways of looking at it: outside in, inside out, identity based, infrastructure based, network based, whatever. And then figuring out like which of those solutions aligns to the way you are using a technology can be very challenging. So I don't envy our customers on trying to navigate just the, the sea of messages and, and emails that they're getting every day.

Sean Martin:

Yeah. As you, as you say that, I'm thinking how many are we gonna add to the 50 that we, that we have budget of? 10 for 10. Yeah. Only. Yeah. That you mentioned earlier on. Yeah. Um, yeah. So, I think the other, the other thing I'll, I'll say here in that regard, and it might sound a little cheesy, but, uh, challenges are opportunities.

So I, I still stand by and I respect those in the role. Um, I don't know that I would, I would be, uh, successful in the role, maybe as an advisor to CISOs, but I guess what does or would excite me is kind of going back to that. I don't know where this is going. Yeah. And it could be really super fun trying to figure out, yeah, what this means. Um, yeah. So those challenges is the cheesy part. Challenges are opportunities, right? Um, yeah. Yeah. So, and maybe, I don't know, maybe that's the mindset that helps CISOs get through the day, having, having that fun bit to do.

Jeremy Snyder:

Yeah, absolutely. And actually I'll go back to something we said earlier in the conversation, and this is like a super positive sign that I've started to see from more and more organizations, is that the CISO is actually now seen as a business enabler and a business critical function and a business partner.

It's not just a technical function, it is something that actually helps the organization move forward. And in those organizations where you have leaders of other divisions working hand in hand with CISOs to figure out how are we gonna navigate things going forward together, that's where I think I've seen the most progress.

And finally, a recognition that security is this key central function for, you know, all these, all these organizations moving forward. And those that recognize the importance of security as an enabling and as a partnering function quickest and support it that way, they're going to have the earliest and the best success.

Sean Martin:

I agree. I agree. Well, Jeremy, this has been delightful. Super fun conversation. Uh, an important one, of course. Uh, I don't wanna see the role go away. I wanna see, I agree, I wanna see it succeed and, uh, with it, companies grow and, uh, do so safely and securely. Um, I think absolutely ultimately we, we, we all rely on that to be the case, for society's sake.

So I think we should all be rooting for the CISO to be successful. Um, absolutely. Yep. So thanks, thanks so much for, for taking the time and, uh, and chatting with me and, and sharing your insights with the audience. And for those listening, of course, uh, please do subscribe and share and, uh, stay tuned for many, many more.

I have tons of episodes and topics lined up. Uh, take a look at Redefining Cybersecurity and ITSP Magazine for all the topics and future guests. Jeremy, thanks again and, uh, we'll see you, uh, one side of the pond or another at some point, hopefully.

Jeremy Snyder:

Sounds good, Sean. Thanks so much for having me.
