Cloud Security Reinvented

Business & Economics Podcasts

Cloud Security Reinvented is a podcast for security leaders who oversee or manage the security infrastructure within their organization with a focus on the cloud. Each episode provides a glimpse inside a day in the life of a successful security leader who has an interesting perspective on cloud security. Security professionals hear directly from their peers about the ongoing trials and tribulations of maintaining a strong security posture and how they disconnect from it all at the end of the day.

Location:

United States

Language:

English


Episodes

S1 Recap - Board Buy-In. Cloud Security Policies. Vulnerability Management

2/9/2023
Episode Highlights:

Duration:00:08:54

S1 Recap - Board Buy-In. Cloud Security Policies. Vulnerability Management

2/9/2023
Episode Highlights:

Duration:00:08:23

Providing Security Without Passwords with Jeremy Turner, Deputy CISO at Paidy

1/18/2023
Key insights from this episode featuring Jeremy Turner, Deputy CISO at Paidy:

⚡ Security without passwords. "In a market like Japan, things are quite different. Thinking out of the box is probably the most critical skill we need. When we think about the consumer experience, they don't have to deal with [passwords], and that really does remove a lot of friction from the typical flow," Jeremy says.

⚡ There's so much potential in the cloud. "Now you can just whip out a prepaid card, get an account, and replicate a whole enterprise. Thanks to infrastructure as code, a lot of things can be consistent. So I think that is the biggest potential for growth — more people having access to the technology."

⚡ Understand your assets and data. "Sometimes, it feels like you are trying to fix a plane while it's in flight without it crashing, and it could be very delicate. It really can get complex if you don't understand your critical assets, especially data because we don't want to lose our data."

Duration:00:30:38

Jay Thoden van Velzen (SAP) – How a Multi-Cloud Strategy Drives More Options for Organizations

1/4/2023
Guest-at-a-Glance

💡 Name: Jay Thoden van Velzen

💡 What he does: He's the Strategic Advisor to the CSO at SAP.

💡 Noteworthy: SAP is one of the world's leading producers of software for the management of business processes and a company on a mission to help the world run better and improve people's lives.

Duration:00:37:50

Jay Thoden van Velzen (SAP) – How a Multi-Cloud Strategy Drives More Options for Organizations

1/4/2023

Duration:00:37:39

Jadee Hanson, CISO at Code42 – Using Cloud Security to Flex Your Adaptability Muscle

12/1/2022
Guest-at-a-Glance

💡 Name: Jadee Hanson

💡 What she does: She's the CIO and CISO at Code42.

💡 Company: Code42

💡 Noteworthy: As CIO and CISO at Code42, Jadee Hanson leads global risk and compliance, security operations, incident response, and insider threat monitoring and investigations. She brings more than 17 years of experience in information security and a proven track record of building security programs. Before Code42, Jadee held several senior leadership roles in the security department of Target Corporation.

## Key Insights

⚡ The world of security is always changing. Technology is rapidly changing and evolving. And cloud security is following along. Jadee explains what this means for the security industry. She says, "For security practitioners, we've always had to be really good at being resilient and adaptable. So, in our world, things always change. Technology is changing, the risk landscape is changing, and threat actors change. And as the cloud has become more prevalent, we had to flex our resilient and adaptable muscles and learn something new. And I would argue that the fundamental controls that we need to have in place for the cloud really haven't changed. What's changed is the 'how'; it's the 'how we meet those controls,' and that's it."

⚡ Bad actors use cloud services as much as security practitioners. Bad actors are early adopters when it comes to cloud security. Jadee talks about this significant challenge for security practitioners. She says, "One thing that has really surprised me is that when you think of the cloud movement, there are so many features and functionalities within a cloud architecture. We know this as security practitioners, but bad actors also know this, and they know this very well. So I think my biggest surprise is to see bad actors and bad APT groups use cloud services, just like we do every day."

⚡ Let your people be the heroes of the organization. When building security teams, it's essential to let them be heroes and give them exciting opportunities to grow. Jadee explains, "I think it's really all about the people. So my advice would be to find really great people who deliver quality work, continue to challenge them, and give them really interesting opportunities. It's funny. Lots of security practitioners aren't really motivated by tons of money. They're motivated by interesting opportunities. I also think it's really important that you don't make them adversaries in the organization."

Duration:00:20:16

Kathy Wang, CSO at Discord – Going From B2B to B2C: Why Is Security Still Such a Hard Sell?

11/3/2022
💡 Guest: Kathy Wang, Chief Security Officer at Discord

💡 Company: Discord

💡 Noteworthy: Kathy is a security executive and leader with a strong background in project management, research, and business development. She has worked in government, commercial, and technology startup environments and currently advises startups that offer security services/products.

## Key Insights

⚡ The importance of access control in security. Improving access control is one of the best ways to prevent potential security problems. Kathy says, "If I think about this from a security perspective, and you look at it from a public cloud SaaS environment perspective, there are so many organizations right now where there are far too many people who have more access than they need in production environments. And so we're always looking for ways to understand, audit, and reduce all of those accesses, and this is super important for improving security posture because if you can't control or understand what access people have, then you've got all sorts of problems like insider threat as well as takeover or breach type of issues."

⚡ Security is a hard sell. Even though the number of cyber threats increases every year, security is still hard to sell. Kathy explains, "GitLab was even less of a security product company. They've built security features and security capabilities, which I was super happy to help contribute to from a CSO perspective, as in, ‘Would I use this; would I buy this?’ However, it's not the same thing as talking to customers constantly about, 'Hey, we've detected this for you. What do you think?' And then getting a response, 'You know what? Yeah, it's true. You did, but I'm not sure I want to pay for that kind of detection, though.' This is exactly what makes security such a hard sell. You could be accurate. You could be technically good, but what is that other factor that will make people want to spend money on the product? That's hard."

⚡ Think outside the box when building your security teams. The key to building highly effective security teams is to differentiate yourself. Kathy says, "Building security teams is not an easy thing to do, as you know, and we're always competing for talent with a whole bunch of other companies. So what can you do to really differentiate yourself? One of the things I learned is that you can actually go looking for talent outside of the normal pools of talent that people look for. And GitLab was really great for reinforcing that."

Duration:00:28:32

Kathy Wang, CSO at Discord – Going From B2B to B2C: Why Is Security Still Such a Hard Sell?

11/3/2022

Duration:00:29:07


Why Complexity is Synonymous With the Cloud and How to Deal With It Featuring Allison Miller

7/25/2022
Episode Summary

The cloud has made many processes straightforward. The pace of expansion and the ease of introducing new services make it attractive. But, these advantages come with complexity, especially from a security standpoint. Therefore, it is critical to make everyone's activities in the digital space as secure as possible. Consequently, companies must focus on mitigating security risks and building trust with their clients and consumers. In this episode of Cloud Security Reinvented, our host Andy Ellis welcomes Allison Miller, the VP of Trust at Reddit. Allison and Andy discuss the differences between the on-premise and cloud era, the best and worst practices of on-premise, and the opportunities for growth in the cloud.

Guest-at-a-Glance

💡 Name: Allison Miller

💡 What she does: Allison is the VP of Trust at Reddit.

💡 Websites: Reddit

💡 Noteworthy: Allison was in marketing before dedicating her career to cybersecurity.

💡 Where to find Allison: LinkedIn

Duration:00:28:13


How to Take a Proactive Approach to Risk Management and Zero-day Vulnerabilities with Amanda Fennell

7/12/2022
Episode Summary

There's an overwhelming amount of information coming at us every single day. And from a risk management and security point of view, it's become even more challenging to deal with zero-day vulnerabilities. The key is to not be reactive; you have to take a more proactive approach to zero-day vulnerabilities. In this episode of the Cloud Security Reinvented podcast, host Andy Ellis welcomes Amanda Fennell, the CIO and CSO at Relativity. They chat about her dual CIO-CSO role, why different priorities mean different cloud experiences, and the importance of investing in preventive solutions before it's too late.

Guest-at-a-Glance

💡 Name: Amanda Fennell

💡 What she does: She's the CIO and CSO at Relativity.

💡 Company: Relativity

💡 Noteworthy: Amanda joined the Relativity team in 2018 as the CSO, and her responsibilities expanded to include the role of the CIO in 2021. She's responsible for championing and directing security strategy in risk management and compliance practices, as well as building and supporting Relativity's information technology. Amanda also hosts Relativity's Security Sandbox podcast, which explores and explains the unique links between non-security topics and the security realm.

💡 Where to find Amanda: LinkedIn

Duration:00:39:02


How The Willingness to Learn Helps With Cybersecurity Featuring Roland Cloutier

6/13/2022
Episode Summary

Cybersecurity is an ever-changing field. And since the emergence of the cloud, social media networks, and machine learning algorithms, the security space has continued to evolve to respond to the market's needs. But some things never change — the willingness to learn, adapt, and improve remains the golden standard of cybersecurity. In this episode of the Cloud Security Reinvented podcast, our host Andy Ellis welcomes Roland Cloutier, the Global Chief Security Officer at TikTok. They talk about the most significant changes since the emergence of cloud computing, what it's like to work at TikTok, and why technologists should always keep learning.

## Guest-at-a-Glance

💡 Name: Roland Cloutier

💡 What he does: He's the Global Chief Security Officer at TikTok.

💡 Company: TikTok

💡 Noteworthy: As Global Chief Security Officer of TikTok, Roland Cloutier brings an unprecedented understanding and knowledge of global protection and security leadership to one of the world's leading media, social, and technology companies. He oversees the company's information protection, risk, workforce protection, crisis management, and investigative security operations worldwide.

💡 Where to find Roland: LinkedIn

## Key Insights

⚡ Overseeing the security and risk program for TikTok is an exciting learning experience. Coming from law enforcement and the military, Roland experienced a major shift in his career when he entered the competitive technology space and joined the world's fastest-growing social media giant, TikTok. So, what has this experience been like? According to Roland, it's been an enormous learning opportunity. He explains, "You've got to be ready for that speed and feed. You've got to be ready for that high level of operational tempo that we have, and adjusting my leadership style and capability to ensure that I enable that for the team has been one of the biggest learning opportunities for me."

⚡ Always keep learning. While there are many pre-cloud norms and practices that we should leave behind us, some things should never change, such as the willingness to learn. Roland explains, "Always keep learning. Folks that are static in this environment are going to wither away. On a daily basis, these amazing companies and technology platforms are delivering net new capability. Sometimes I'm embarrassed when my teams are talking, and I did not know that was actually even possible. As practitioners, as professionals, as leaders, you have to keep up on it, especially as technologists; you have to continue to learn. So I don't think that ever changes."

⚡ Speed and scale are the biggest perks of cloud computing. Cloud computing has certainly made everything easier, especially cybersecurity. Roland shares what he believes are the greatest benefits of the cloud. "Remember when you had to think about how many boxes do I need to order it with, how many cores, and how much memory in order to support that? Whereas today, we might have a dynamic attack issue, and in less than an hour, I can spin up an environment that has six times the data center capability that I was protecting before. The speed and the scale are just insane. I also think that with that comes the pace of innovation."

## Episode Highlights

There are significant differences in security language and focus across different industries

"I do a lot of transition work with people coming out of law enforcement, government, and the military — to help them through that transition because the language is different, and the focus is different. When you're in global protection and in law enforcement organizations, you're outside of companies — you're dealing with people all over the world regarding critical global issues. And then, all of a sudden, you're inside, and you're trying to use the same language."

The level of scale and security at TikTok might be surprising to some people

"I think what people forget when they migrate to the cloud, and they start...

Duration:00:32:29


The Past, the Present, and the Future of Cloud With Andy Steingruebl of Pinterest

5/31/2022
Episode Summary

When someone says Pinterest, the first thing that comes to mind is a social platform and a place to seek inspiration. But for the people working behind the scenes, it's more than that. In February 2021, Pinterest had 459 million active monthly users. That's a lot of data and traffic, and security measures must be put in place for an exceptional user experience. So how do they do it? In this episode of Cloud Security Reinvented, our host Andy Ellis chats with Andy Steingruebl, the Chief Security Officer at Pinterest. The two discuss the difference between the on-premise and cloud era and what differentiates Pinterest from companies like PayPal. They also touch upon the best and worst on-premise practices and the future of technology.

Guest-at-a-Glance

💡 Name: Andy Steingruebl

💡 What he does: Andy is the Chief Security Officer at Pinterest.

💡 Websites: Pinterest

💡 Noteworthy: Andy is an Information Security professional with more than 25 years of experience. He has extensive experience in most security management and architecture areas, including Policy, Compliance, Communication, Infrastructure, and Incident Response. He is an excellent communicator with the ability to communicate with all levels of the organization, customers, policymakers, and regulators. He has a track record of significantly contributing toward making the internet a safer, more secure place for users and companies.

💡 Where to find Andy: LinkedIn

Key Insights

⚡ Transitioning to the cloud was challenging. With all the cloud's benefits, it's hard to understand how we functioned without it. However, as Andy explains, even professionals in the security field had to adjust to it. "Now, the big issue is trying to come up with policies for yourself on what stuff you need to have your arms tied around and what are the principles. How do you set the right security bar for an outsourced vendor who's going to have access to your stuff or provide some key business function? [...] We're long past, 'I'm not putting some of my really sensitive stuff in the cloud.' You use Workday, Google for mail, and so on."

⚡ It's all about efficiency, but we must have the right people in the right positions. Technology today is all about making resources and tools accessible to as many people as possible to enable faster solution development or problem-solving. But is this a good thing? "The blessing and the curse of the cloud is that because you can deploy so many resources to a problem, sometimes you don't get as focused on how much it is costing you, or if this is the best way to use the technology? [...] So a really interesting perspective is how we've pushed around some of the work. The work doesn't go away; it either doesn't get done, or people who aren't specialized at it are doing it. The same can happen with security, where you let everybody be responsible for certain rules instead of letting a few people try to set a definitive posture like that firewall. I'm not suggesting it's the exact right model, but having some things you can have certainty around is nice, and we've moved away from that. And it's hard to function in that world."

⚡ Focus more on people. A piece of advice Andy gives to his young colleagues is to develop healthy relationships with teammates. Yes, everyone will focus on growing professionally, but sometimes it is more challenging to develop high-quality social skills than technical ones. "As you try to move upwards in your career, it's not just the technical stuff because pretty soon you will outgrow the problems you can solve all by yourself. And once you outgrow problems you can solve by yourself, you need to collaborate with others and how well you can do that is important."

Episode Highlights

How Has Our Perspective of Security Changed in the Cloud Era?

"I was an on-prem guy, and I remember doing vulnerability management. We would buy some bit of vuln scanning stuff to put inside our environment because one,...

Duration:00:31:18

Learning How the Cloud Helps With Identity and Access Management Featuring Meg Anderson

5/23/2022
Episode Summary

The cloud has been around for a while now. And ever since it emerged — two decades ago — it has brought in new ways to think about security, identity, and access management. But at the end of the day, we still need to make sure that the right people have the right information at the right time. In this episode of the Cloud Security Reinvented podcast, our host Andy Ellis welcomes Meg Anderson, the VP - CISO at Principal Financial Group. They talk about the changes in cloud security since the emergence of the cloud, some of the best and worst practices, and what the future holds for cloud security.

## Guest-at-a-Glance

💡 Name: Meg Anderson
💡 What she does: She's the VP - CISO at Principal Financial Group.
💡 Company: Principal Financial Group
💡 Noteworthy: Meg participates in a number of CISO councils. She is a board member of the Financial Services Information Sharing and Analysis Center (FS-ISAC), where she chairs the Strategy Committee and is on the FinCyber Advisory Group for the Carnegie Endowment for International Peace. Before the role of VP - CISO, Meg acquired over twenty years of technical and leadership experience in application development.
💡 Where to find Meg: LinkedIn

## Key Insights

⚡ Adversarial relationships within a company can hinder security. There's no room for adversarial relationships in cloud security. We need to embrace collaboration and partnership. Meg talks about Principal Financial Group's culture, "At Principal, what I think is different when I think about cloud security is that there are no adversarial relationships. We're all learning; we're all respectful. And obviously, I say all, but sometimes, there are conflicts. However, we get through them. And I think that that culture is really important."

⚡ Access control and data protection are essential. As we expand in the cloud, we need to keep prioritizing access control and data protection. Meg explains, "They have to be very intentionally thought about and architected. The cloud brings new ways, of course, to think about identity and access management. There are new tools to do it with, but then, in the end, we still really need to make sure that the right people have access to the right information at the right time, and we can't lose sight of that. And our customers trust that we'll protect their information and money no matter where we're doing our computing. So it's not a choice."

⚡ You need to have a strategy. If you want to move forward and adopt the cloud, you need to put a strategy in place first. Meg explains, "If you start with the strategy, it'll pay dividends. You'll reduce risk. You'll increase efficiency. You're probably going to save time and money. It's probably going to turn out better. You're not going to be creating tech debt. So really, stepping into the cloud with a plan is just much better than playing around and looking at it as an opportunity to experiment and try new things."

## Episode Highlights

Automation is critical for security integration

"There's definitely more ownership by the cloud team and the cloud engineers as compared to relying on specialists that were previously in the infrastructure team. So I think some of the ‘shifting security left’ conversation that we've had over the last decade or more is something that we really need to keep our eye on, because that automation is critical to integrating security into the deployment pipelines and allowing engineers to own their code and its security. That's a change that I think we are, at least, in the midst of here at Principal."

We need to stop oversimplifying the cloud

"Software as a service is very different from platform as a service or infrastructure as a service. So when we simply talk about the cloud, I think it gets to the point of oversimplification that's probably doing more harm than good, especially at the higher levels of companies, at the board regulators. Everyone's asking, 'How are you securing the cloud?'...

Duration:00:21:05

How to Create a Culture of Shared Responsibility in Cybersecurity with Sameer Sait

5/9/2022
Episode Summary

It's been more than a decade since the cloud emerged as a new concept. And it's safe to say that it has practically become the new normal, especially since the COVID-19 outbreak. However, when it comes to improving cyber security and risk management in the cloud, we still have a long way to go. In this episode of the Cloud Security Reinvented podcast, our host Andy Ellis welcomes Sameer Sait, an information security expert and the former CISO of Amazon's Whole Foods Market. They talk about the shift in security mechanisms due to the explosion of the cloud, the importance of shared responsibility, and what we can learn from highly regulated industries. Tune into this episode to hear some insightful observations about the future of cybersecurity.

## Guest-at-a-Glance

💡 Name: Sameer Sait
💡 Formerly CISO of Amazon / Whole Foods Market
💡 Currently Co-Founder and CRO, BalkanID
💡 Noteworthy: He's an information security and risk executive with 16+ years of global leadership experience at Fortune 100 firms.
💡 Where to find Sameer: LinkedIn

## Key Insights

⚡ We need a playbook for unexpected outcomes in the cloud. Although we expect the cloud world to move fast and smoothly, sometimes there are some unexpected scenarios. That's why we need to get better at how we manage ownership of assets and processes. Sameer explains: "In the non-cloud native world, there is a kind of alignment of accountability, responsibility, ownership, and influence. I think in the cloud world because we expect to just move really, really fast, and we expect things to get taken care of by a certain set of individuals that are working in DevOps, you just sprinkle on some security and expect it to kind of magically get taken care of. I think there's a little bit of the ‘who owns what’ and [we should be] finding ways to align on the exceptions so that even the exception process has accountability and responsibility."

⚡ Since the explosion of cloud usage, engineers no longer need a policeman; they need a steward. It's safe to say that the cloud has changed the way we do everything, including security. According to Sameer, one thing that stands out is how engineers and builders think about security. He says, "I've been pleasantly surprised, and it's probably a combination of the industry itself having exploded, there being a lot more awareness, and technologies being built to enable secure software development and deployment maintenance. And so, with the explosion of cloud usage, I've been pleasantly surprised that engineers don't really need a policeman anymore. They just need guidance."

⚡ We should aim for shared responsibility. According to Sameer, the cloud has created a good opportunity for shared responsibility. Instead of building large, slow-moving organizations, we should move towards small agile teams. Sameer shares his predictions and hopes for the future of security. "I think part of it is also security being built into the cloud. I hope to see more and more big tech companies [...] embracing partnerships with tech security companies to make it so seamless that it becomes part and parcel of how we operate in the cloud. I'm seeing that happen, and that's getting me super excited because I care as much about the usability of a product as I should, and the product manager should care as much about the security of that product. And if we both have those shared outcomes, I think we'll do very well."

## Episode Highlights

Highly regulated industries set a high bar for cybersecurity

"I think the financial services industry really set me up well, given that there was a higher level of awareness and expectations around cyber risks and the impact of those risks. There were already working groups, like the ISAC; there was an FS-ISAC back then. We didn't have that level of maturity outside of, let's say, financial services and potentially, healthcare. I haven't been in healthcare, but I can say that coming out of those highly...

Duration:00:21:02