The Voice of Cyber®

KBKAST
Episode 274 Deep Dive: Josh Goldfarb | Visibility and Blindness in Complex Environments
First Aired: August 30, 2024

In this episode, we’re joined by Josh Goldfarb, Global Solutions Architect – Security at F5, as he delves into the challenges of getting buy-in for security initiatives from management and executives. Josh discusses the struggle of presenting informative metrics to decision-makers and the need to bridge the gap between security professionals and business leaders. He also talks about the importance of modernizing security guidance to address the visibility challenge in complex environments.

Josh (Twitter: @ananalytical) is Global Solutions Architect – Security, at F5. Previously, Josh served as VP, CTO – Emerging Technologies at FireEye and as Chief Security Officer for nPulse Technologies until its acquisition by FireEye. Prior to joining nPulse, Josh worked as an independent consultant, applying his analytical methodology to help enterprises build and enhance their network traffic analysis, security operations, and incident response capabilities to improve their information security postures. He has consulted and advised numerous clients in both the public and private sectors at strategic and tactical levels. Earlier in his career, Josh served as the Chief of Analysis for the United States Computer Emergency Readiness Team (US-CERT) where he built from the ground up and subsequently ran the network, endpoint, and malware analysis/forensics capabilities for US-CERT. In addition to Josh’s blogging and public speaking appearances, he is also a regular contributor to DarkReading and SecurityWeek.

Episode Transcription

These transcriptions are automatically generated. Please excuse any errors in the text.

Josh Goldfarb [00:00:00]:
If there are policies and procedures that aren’t adequately protecting the organization, those are things that need to be looked at. And all of that takes time, but it’s an investment well worth the resources that it takes because what it does in the long run is it actually reduces day to day putting out fires if you will. But it requires management and executive buy in with the understanding that fixing these problems long term so that the security team can be the most effective and the most efficient requires an investment in time and resources upfront. As hard as that is, it’s very important.

Karissa Breen [00:00:46]:
Joining me today is Josh Goldfarb, Global Solutions Architect Security from F5. And today, we’re discussing visibility and blindness in complex environments. So Josh, thanks for joining and welcome.

Josh Goldfarb [00:01:02]:
Thank you for having me. Very pleased to be here.

Karissa Breen [00:01:04]:
Okay. So Josh, I wanna talk about this: you said visibility and blindness in complex environments are the most pressing threat facing organizations. So talk to me a little bit more about this. What does this mean to you?

Josh Goldfarb [00:01:17]:
Yeah. So I think this is an interesting point that maybe doesn’t get enough attention in the security community today. Way back, going back, say, 15, 20 years, during my time in the security operations role, we knew how to instrument the enterprise on-premise network and collect telemetry data for the purposes of compliance and continuous security monitoring and other types of uses for that telemetry data. And then what happened, I would say over the last 10 to 15 years, is that gradually services and applications and infrastructure began to move from a solely on-premise or maybe private data center type environment into a cloud or, in many cases, multiple cloud environments. And when that happened, we kind of, as a community, took a step back and became a little bit blind in terms of our visibility into those environments. We lost that visibility, that high quality telemetry data that we had honed our ability to collect on the enterprise network. And when it came to cloud environments, we were basically running applications and services and infrastructure without that visibility. So if there was a breach or there was some type of inappropriate usage or abuse type behavior, we didn’t have that visibility to be able to detect and respond to that, nor did we have the visibility required to be able to analyze the traffic and data going to the multiple different environments for the purpose of improving our preventive controls alongside our detective controls.

Josh Goldfarb [00:02:54]:
And that’s something that’s now starting to change. That visibility, the need for visibility in cloud and multiple different cloud environments, is getting some attention. While we didn’t have it, or for organizations or businesses that still don’t have it, it is a risk, because obviously an attacker can do any number of malicious or suspicious activities in an environment where we don’t have that visibility and that telemetry data. And when they do that, we have no way to detect and respond to that, putting aside, of course, the compliance and regulatory issues that it creates. So I think for that reason, the lack of visibility, or the blindness that many organizations have in the cloud, including multiple different cloud environments, is a significant risk, and it is something that, in my opinion, I don’t think we as a community, the security community, give enough attention to.

Karissa Breen [00:03:48]:
Yes. So what do you think that is, though? Why do you think it hasn’t got the attention? Do you think just other things have just captured the attention, or do you think it’s something that people perhaps don’t think about and therefore wasn’t intentional? What are your thoughts on that?

Josh Goldfarb [00:03:59]:
You know, to use an analogy, when we see somebody walking down the street doing what they’re supposed to be doing, engaging as a respectful member of society, it’s quite unremarkable. When somebody does something they’re not supposed to be doing, for example, if they were to stop in the middle of the sidewalk and begin screaming, or they were to throw something at somebody else, for example, that would get our attention. So I think that visibility and telemetry, they’re not sexy. They’re not unusual. There’s no real hype cycle around them. It’s just something we need to be doing. But because it’s not sexy, because it’s just sort of everyday, mundane, day to day type of activities that need to be done, I don’t think that we as a community remember to give it enough attention. And I think that instead, unfortunately, I would say much of what grabs the attention of those in the security community are things that are maybe trends for a particular day or week or months, or, you know, there are things that maybe have quite a bit of a hype cycle around them, but the question is, operationally, in a security sense, what is the impact? And that is a question to which the answer is not always clear.

Josh Goldfarb [00:05:11]:
And I think that it’s just, you know, continuous security monitoring, telemetry, visibility. These are things that are just, you could say, mundane day to day activities that need to be done, and they just don’t get that hype cycle attention like some of the other issues that we’re seeing.

Karissa Breen [00:05:28]:
So, obviously, this is a problem. You care about it. You’re in this space. You get it. What are you sort of doing within your own organization, but with clients then as well, to get this more on the radar? I do hear what you’re saying. And, you know, it’s interesting, like, I’ve conducted almost 300 interviews on the show. And every person I interview, it’s a broad range of security topics. So, like, everything that everyone says is interesting.

Karissa Breen [00:05:50]:
Right? But, of course, there are priorities and, you know, different environments and maturation, all these things. But what is one of the things you’re sort of doing, even with a customer, that’s getting this problem on their radar?

Josh Goldfarb [00:06:02]:
Yeah. So I think one of the best ways I’ve seen, you know, as I’ve traveled globally meeting with our incredible partners and customers around the world, one of the best ways to get the attention of certainly a customer, but also the management and executives that our particular contact or contacts at a customer will be reporting to, one of the best ways to get their attention is by showing them their own data. And I think that when organizations see the lack of visibility and what that means, for example, if we’re talking about APIs and we have 50% of our API inventory that’s not been discovered, that’s completely unknown, not inventoried, not managed, not secured, or if we have a certain high percentage of our cloud environment where we’re not seeing telemetry data, when we can show that ground truth data to our customers and to their management and executives, that makes an impression, because lots of people come in and talk about security problems. The question is, in my particular case, if I put on my customer hat, in my particular case, in my specific environment, whatever that environment looks like, no matter how complex, what do my data show me in terms of where I have risk, where I have blindness, where I need improved visibility, things like that.

Karissa Breen [00:07:27]:
Yeah. So what I hear you saying, Josh, is it’s sort of like holding a mirror up to yourself. Right? So sometimes people are perhaps, to your earlier point, you know, they’re off focusing on other things, and then this is maybe a little bit more mundane, so it sort of gets pushed to the bottom of the list. So what do you think people need to sort of understand, just at this point in the interview, that they need to sort of take away in terms of, you know, what Josh is saying makes sense? How can people start to hold that mirror up and say, well, I need to start looking at the data, to your earlier point, and really, you know, perhaps that’s what’s gonna spur people on to taking action or to even pay attention at all.

Josh Goldfarb [00:08:04]:
Right. So I think that a lot of the security practitioners out there, and perhaps many of whom will be listening to this particular podcast, I think a lot of them know what needs to be done, and I think what they struggle with is getting buy in or getting attention for that from the people who are setting the priorities. I think that, having been a security analyst for many years, most security analysts, most security engineering types, they understand the need to instrument the infrastructure no matter where that infrastructure lives. And I think what’s stopping that from happening, or what’s perhaps a roadblock in the way of that happening, is perhaps a lack of education on the part of people who are setting the priorities, maybe the management and executives in a particular enterprise. So the question is, given that, what can we do about it as security practitioners? And this is where I think reporting and metrics play an important role. You know, I remember for many years when I was a security analyst, when I was working in security operations, looking back on it, having been around a bit now, the metrics that we were reporting up to our management were not particularly informative or helpful to them. Right? Many people report number of tickets opened and closed, number of incidents by category, perhaps spikes in traffic, or percentage of attacks by type, or percentage, risk or priority based on signature type, or things like that. Those are interesting for us as practitioners because they allow us to tune our false positives to improve our true positive or detection rates.

Josh Goldfarb [00:09:41]:
They allow us to hone technology to better identify where we need to focus. But for our management and executives, it doesn’t tell them a whole lot. And in order for us to really tell that story, specifically, in this case, we’re talking about telling the story around visibility. We can report the percentage of the environment that we don’t have visibility into or that we’re blind to. We can report infrastructure, services, applications, and APIs that we don’t have requisite visibility into. We can do that all day long, and many organizations do. What’s missing, I think, is that translation. Translation to what? Translation to things that matter to management and executives.

Josh Goldfarb [00:10:24]:
So management and executives are primarily focused on risk, risk to the business, and risk to brand reputation and things like that. And that, at the end of the day, translates into regulatory and compliance fines and monetary repercussions from things like intrusions, loss of customer data, things like that. And that translation, going from here’s the percent of my infrastructure that I want to better monitor, here’s the percent of my applications or my APIs that I’m lacking visibility into or that I don’t have proper inventory and management over, translating from that into risk in terms of dollars, in terms of financial repercussions for inappropriate or improper security, that is something that we as a community still struggle with. There have been improvements in recent years that I’ve definitely seen as I’ve traveled the globe. But I think that we as a community need to get better at speaking the language of the executives. And I think if we can learn how to do that, how to translate from the blindness or visibility challenges into the language that our management and executives speak, I think that will allow us to get the requisite attention placed on this problem of visibility.

Karissa Breen [00:11:39]:
Okay. So you said something before around presenting, like, facts and figures to executives, perhaps were not informative. So what would informative facts and figures look like from your point of view?

Josh Goldfarb [00:11:52]:
What informative facts and figures look like are typically data points that speak to the audience they’re intended for. So for network engineering types, things like latency, things like, you know, outage information and uptime information, those things are very relevant. For security analysts and security operations practitioners, things like where the majority of the false positives are coming from, where the majority of the false negatives are coming from, which technologies are doing more for us or doing less for us. These are data points that are very interesting. For security engineers, things like which technologies are requiring an excessive amount of cost to operate and maintain, which technologies have a high sale rate, things like that become very informative. And when we look at executives, they’re really looking at risk in dollar terms. Right? They wanna know, if I have a security breach or I’m not compliant with a given regulation or I lose customer data or I have, let’s say, a problem with my site availability or the availability of my inventory, if we’re talking an e-commerce type of situation.

Josh Goldfarb [00:13:03]:
What does that cost me in terms of fines? What does it cost me in terms of lost potential revenue? What does it cost me in terms of loss of customers? What does it cost me in terms of downtime and outages? And I think, you know, those data points vary depending on the audience, and I think that as security professionals, when we look at producing those data points, we need to make sure that we tailor them for the audience that we intend them for.

Karissa Breen [00:13:31]:
So you’re saying that people, and look, I was a reporting analyst about a decade ago, so I’m very, very familiar with this subject and how wrong we’ve been doing things over the years, so I can relate. So what you’re saying is that, basically, just historically, people have focused on the wrong things. They’re like, okay. But they wanna try to, I don’t know, maybe get some more money for their security department, but they presented the wrong facts and figures. And executives are like, well, who cares about that? They haven’t positioned it or framed it in a way that makes sense. They can’t quantify it, to your earlier point around, well, if we don’t do this thing, potentially we’re gonna lose this revenue, or if we don’t do that, potentially we’ll lose more customers. Is that really the gap that you’re sort of identifying here? And then if so, like, you know, for the last decade, we’ve been talking about this problem.

Karissa Breen [00:14:14]:
But, like, yes, I think the needle’s moving, but, like, why don’t people understand yet and sort of connect the dots a little bit more? Because what you’re saying makes sense. Right? And people and executives are not gonna just hand over money to a security department because the security guy says so. Like, you obviously have to, like, back it up. Like, you have to have, like, a justification that makes sense. So this is the part that I, and I’ve been speaking to people all this week, and it’s actually around this topic specifically. So what do we do from here?

Josh Goldfarb [00:14:43]:
First off, to answer your question, I agree. I think your summary is accurate. In terms of where do we go from here, I think that obviously there’s a delicate balance here, because on the one hand, security professionals, I haven’t met too many that have a lot of idle time, a lot of free hours during the day. Right? It’s well known to be a somewhat high stress profession, with professionals who are running around busy pretty much on a daily basis with more tasks to complete than there is time in the day to complete them. So it’s a little bit of a challenge, because for a security professional to say, look, I’m gonna take 20% of my time away from putting out fires to focus on the fact that if we were a little bit more strategic as an organization, we would maybe have fewer fires, but we would also be able to get support for some of the things that are holding us back and making things take longer than they need to take. Right? One of the reasons that security professionals are so busy is because when they go to investigate a potential breach or an incident or a data loss or any of the other potential incidents they may need to investigate, they often struggle to find the data that will allow them to reach the conclusion, the correct conclusion, based on ground truth and facts, not based on assumptions or inferences. And that sort of running around like a chicken with your head cut off takes a lot of time. And unfortunately, it is part of what contributes to the sort of hectic, stressful situation that many security teams find themselves in day to day on a continuous basis.

Josh Goldfarb [00:16:18]:
So I think the better security teams I’ve come across, and by better, I mean the ones that have more of a handle on this visibility challenge and have better processes for both preventive controls but also for detective controls, meaning detection, investigation, and response, they have management and executives that support and understand the need to allow the team to focus also on strategic problems. So I think, unfortunately, bottom up, in my experience, while bottom up, meaning the operational security professionals who are doing the work day to day, while bottom up can solve many problems, unfortunately for this one, I believe that top down is also needed, which means that we need executives and management and security leadership that understand the need to give the team a certain amount of time to have them focus on strategic problems that need to be fixed. For example, if there are visibility gaps, the understanding that those visibility gaps are likely causing some of the stress or some of the inefficiency in time. That’s one example. Okay. If, for example, technologies are inadequate, meaning that technologies aren’t producing the results that the security team needs in order to operate with the most efficacy and the most efficiency, there needs to be time put aside to focus on finding the right technologies.

Josh Goldfarb [00:17:42]:
Okay? And the list goes on, but another good example perhaps is procedures, policies and procedures. If there are policies and procedures that aren’t adequately protecting the organization and aren’t allowing the security team to effectively and efficiently respond to security incidents and prevent them to begin with, those are things that need to be looked at, and all of that takes time, but it’s an investment, I think, that’s well worth the resources that it takes, because what it does in the long run is it actually reduces this sort of day to day hecticness and sort of putting out fires, if you will. But it requires management and executive buy in, with the understanding that fixing these problems long term, so that the security team can be the most effective and the most efficient, requires an investment in time and resources upfront. As hard as that is, it’s very important.

Karissa Breen [00:18:34]:
Okay. I wanna follow this a little bit more. This is really interesting. So okay, I’m gonna give you an example. So I get your point around, okay, an executive, okay, there are 2 buckets. Executives that get it and, you know, care about security and wanna invest in it, and then people who perhaps don’t get it or whatever. Well, let’s just say the executive that does get it, but then the CISO that comes up to them and says, well, it’s gonna cost you, like, $10,000,000. Then I feel like people start to backtrack a little bit.

Karissa Breen [00:18:58]:
Security’s not cheap, as you know. It’s not chump change. It’s expensive stuff. It’s complex stuff as well. It’s not, you know, this or that, so it’s not a binary decision. So then I feel, in my experience of speaking to people on the front line every day on the show, but also generally in the industry, I think that sometimes I’ve heard that, yes, an executive may hear the security executive say, well, yes, it’s important. But then when it comes to, like, well, you’ve gotta give me all this money to do the thing and hire all these vendors and all these people and all this stuff, I feel like there’s a bit of backtracking that happens. So how would you approach someone to manage that, where it’s, yeah, they still think it’s important.

Karissa Breen [00:19:33]:
However, it’s like, yeah. But I only feel it’s 20% important when you give me that figure in front of my eyes.

Josh Goldfarb [00:19:41]:
Yeah. That’s an excellent question. And thankfully, I had an annoying call from somebody trying to sell me a maintenance contract for an appliance I have recently. And little did I know that it prepped me very well for this call. So while I was on the phone with this person who called me trying to sell me a maintenance contract for an appliance I bought several years ago, where the factory warranty had already expired, I quickly found myself doing calculations in my head. I was calculating how much I’ve spent on replacement parts and maintenance type of activities for this particular appliance versus how much they wanted me to commit to for a 2 year contract that would cover some of these expenses, but at a cost. And what I quickly realized was that the cost to pay a la carte or out of pocket when and if I have a problem was far lower than getting locked into a 2 year service contract. And this is not a surprise.

Josh Goldfarb [00:20:33]:
This is something that’s well known, a well known calculation with most extended warranties and service contracts on appliances and things like that. So I think the same is true in security. If, as an executive, you are asking me to put 1,000,000, 5,000,000, $10,000,000 into the security program on top of what I’ve already committed to, let’s say, for last year, I need to understand what I’m getting for that. And is it worth it to me? For example, if you want $10,000,000 to mitigate $2,000,000 of risk, while nobody wants to have a breach and nobody wants to lose customer data, financially, it doesn’t make sense. Right? And an executive may, and in my opinion, may justifiably, say, I need to put that money elsewhere, where I have significantly higher risk than, let’s say, the $10,000,000 I’m being asked for. I can apply that 10,000,000 to another problem where, say, my risk is a 100,000,000 or something like that. I think we need to understand that when we as a security team, or when we equip our CISO to go in and make that budget request from the executives, I think we need to understand that at the end of the day, the business needs to make money, and the business, while strategic, is also somewhat transactional, and security is no different.

Josh Goldfarb [00:21:41]:
And I think that’s where what I was kind of alluding to or coming to a bit earlier was that this calculation, this translation from the risks that we identify and the risks that we track in our risk register, along with any mitigation that we have in place, we need to translate that into real potential loss, real risk in terms of dollars. And when we do that, that allows us to go to the executives and say, for example, I know $10,000,000 is a big ask, but because of a new regulation or because of a change in the attacker or threat landscape or because of a change or a recent acquisition in the business, we now have an additional risk of 50,000,000 or a $100,000,000 that we can mitigate, or mitigate 90% of it, for a $10,000,000 investment. And therefore, it makes sense as a business for us to do that. When we go with that type of a calculation or that type of a return on investment argument, the results, in my experience, are often more favorable.

Karissa Breen [00:22:42]:
Do you also think as well, Josh, that perhaps people don’t know what they don’t know? Now what I mean by that is I’ll give you an example. So I got married almost 2 months ago now. And when we were, you know, there’s a lot of stuff that goes into getting married, as you know, you know, the few days sort of thing that we did. But anyway, I obviously have never got married before. I haven’t really helped anyone get married. So then when you’re asking these wedding vendors, like, how much these things cost, sometimes it surprises you, something like that’s a lot or wasn’t as much as I thought, because I don’t know what I don’t know. And the reason why I’m telling you that is, do you think sometimes as an executive, like, they don’t know how much, like, you know, F5 stuff costs? Like, they could be like, oh my gosh, that was so expensive. And I also say this because my brother-in-law is a CFO, and I remember a few years ago, he was asking me, like, is this a lot for this company that’s charging me? So do you think that people just don’t know what they don’t know, so therefore, even if you put any figure, people are always probably gonna think it’s always lower.

Karissa Breen [00:23:36]:
So even if you put something that’s higher, and technology is not cheap, as we know, people are gonna always be a little bit taken aback by that.

Josh Goldfarb [00:23:42]:
Yeah. So first off, congratulations. It’s very exciting, a very exciting time in your life, and it sounds like it was wonderful. Regarding your question, I think that, you know, I think that this is an area where competition is a good thing. I think that getting competitive bids and comparing the commercial offering or the financial cost of a particular solution with its capability, and being able to matrix that with which of the requirements that I have or which of the risks that I’m looking to mitigate this solution addresses, I think that allows us to really objectively understand if something’s truly expensive. What do I mean by that? Let’s say a vendor comes and says to a business or an enterprise, our solution, you know, based on your traffic volumes and based on the number of locations you have, it costs $1,000,000. That’s what this particular solution will cost to address the issue that we’ve been discussing in this case.

Josh Goldfarb [00:24:38]:
Let’s say we have a matrix of requirements and risks that we’re looking to mitigate and looking to address, and the solution addresses 80% of them. That’s a data point that is very helpful, versus if we have a second solution that’s maybe a little bit cheaper but only addresses 50% of the requirements, meaning that then we’re gonna have to probably go out and get another solution or develop in house, which also has a cost to it. That allows us to really process what expensive means. Because to your point, an absolute number is not very informative, and executives are not going to be able to, if something costs $1,000,000 or $2,000,000 or half a million dollars, they’re not gonna really be able to understand what that means. But what they can understand is what percentage of the risk it will mitigate and what the return on that investment is in terms of the reduction of risk into the residual risk that remains. If it’s significant, it makes it easier to process. We’re not processing an absolute number. We’re processing a relative number, relative to the risk to the business that we’re looking to offset.

Karissa Breen [00:25:40]:
Yeah. That’s interesting. Because I just think from the people that I’ve spoken to over the years, it’s just, you know, they’re just like, well, this stuff just costs a lot. And I was like, well, I think it depends, of course. But I think, like, to your point, competitive, you know, people coming up, if you’ve got one player that’s presented a number, but then 2 other sort of players have said maybe a similar number, it gives you that barometer. Right? So I think that, again, when you’re an internal CISO, it’s like, well, every company is different. So it’s gonna be hard then to compare apples with apples. So I think sometimes I’ve just seen people get a little bit sort of blindsided by these numbers that these security people are putting forward, because they just don’t know.

Karissa Breen [00:26:18]:
They didn’t really grow up in it. They, you know, they’re driven by numbers. If they’re a CFO, they don’t really understand the space. They don’t know whether this service should cost 4,000,000 or 4,000,000,000. So I think that that’s just the part that I’ve also seen, that people say they care. But when it’s like, well, you care, but then here’s the cost that you’re gonna have to front the bill for, then I just see the conversation start to change direction very quickly.

Josh Goldfarb [00:26:40]:
Yeah. I mean, that’s a fair point. I think that, you know, again, this is something that we as a security community struggle with. It’s nothing new. I mean, you mentioned going back a decade or so that this was something that you were familiar with. And, yes, the needle’s moved, but not as much as it should have. I’m hoping that as security continues to mature as a field and becomes more of a core business function, which I really believe it has in recent years, much more so than, say, 20, 25 years ago when I was starting out in the field, I think that we will need to learn how to operate as partners to and a part of the business rather than sort of this eclectic group of people on the side, like is maybe how people thought about us historically.

Josh Goldfarb [00:27:23]:
I think we’re becoming part of the business. We’re becoming more mainstream if you will, something that’s more accepted as an essential or core function of the business rather than just a sunk cost. And I think that with that on our behalf comes tremendous responsibility in understanding how to be a partner to the business, how to facilitate the business in a secure way, but also how to function in the language of the business, understanding the lines of business that our employers or our enterprises have, helping address risk, but helping the business operate securely at the same time, not causing detriment to the business or reduction in revenue because of inefficiencies or because of our inability to function as partners. I think as we mature as a field, we need to almost think more like business people as opposed to security professionals in many cases.

Karissa Breen [00:28:14]:
Yeah. This is interesting when you say, like, core business functions. So when you were speaking, my mind was thinking about, you know, let’s look at HR as a core business function. Like, I don’t know, maybe some of the things that HR people buy, I don’t know, some of these things that they and I’m not a HR person. Maybe it’s something that, you know, you might look at and go, why would we just spend $1,000,000 on some HR system that no one cares about? So it’s kind of like, feel like that the maturation is getting there because, again, it’s like everyone’s gonna look at everyone else’s business unit and say, why would we spend money on that thing when it’s like no one cares about it? So it’s like I feel like security is just becoming like, you know, it’s always been at the little kids’ table a bit. So now I feel like, as an industry, we are sort of getting on the adults’ table, kind of not there yet, but we’re getting there. But I just think that, you know, perhaps we just need to approach this mathematically. I’m definitely not a maths person.

Karissa Breen [00:29:02]:
I’m a, you know, I’m a speaker, and I prefer my, you know, preferred topic at school was definitely English, but just what you’re saying and even over this week, I’ve probably done about 5 or 6 interviews. There’s a common theme here, and it’s talked about, you know, quantification, but then also the mathematical analytical side of it. So perhaps that needs to come more to the forefront of the conversation.

Josh Goldfarb [00:29:21]:
Yeah. I agree with that. I think that look. An executive may not be a security professional, and in many businesses, the executives are not security professionals. Right? Their core business is something else entirely. The executives, while they may not be security professionals and they don’t have that security domain expertise, they’re not idiots. Right? Many of them have been in their particular fields for a very long time, have risen through the ranks, understand how their business runs, understand how they can optimize the business and make more money or a higher profit or whatever the shareholders need from that particular business. And many of them are quite good at understanding risk.

Josh Goldfarb [00:30:01]:
And like you said, as we begin to get a seat at the adult table, we need to understand that. We need to approach them in a way that is appropriate for their level, speaks to the things that they care about, risk and other things like that. And remember that these are serious professionals in their own right. They may not be familiar with security, but they do understand risk quite well in most cases. And if we can posit to them in risk terms and in financial terms what it is we’re looking to accomplish, and that includes, by the way, clearly articulating not only what we want from our security initiatives and what we think we need to do in the coming year or 2 years, but also to translate that into what does it mean for the business. Right? If I say that I need to increase visibility in my hybrid and multi cloud environments to an executive that is thinking in terms of the lines of business, running the business profitably and mitigating risk, it doesn’t mean anything to them. What we need to help them understand is that we have blindness or gaps in visibility that are introducing risk, and we need to, at a high level, enumerate the ways in which that’s happening and what that means in dollar terms and what the potential exposure there is. And only then can we gain acceptance or support for that type of initiative that we can then take down to the security team and say, okay.

Josh Goldfarb [00:31:21]:
Now that we have approval for this, let’s figure out what we need to do and how we need to do it.

Karissa Breen [00:31:25]:
I think as soon as someone starts talking like that, I think an executive knows that that’s gonna cost a lot of money. So you mentioned before, executives are not idiots. I agree. You don’t get to the top by being a fool. Right? So would you say, and this is just my experience. Do you think, unintentionally, security practitioners have perhaps been a little patronizing to these people? Just because the guy didn’t grow up, you know, learning security doesn’t mean he’s an idiot.

Josh Goldfarb [00:31:49]:
You’re being polite. I think a little patronizing is an understatement. I think that we as a field have had some challenges in not looking down on or patronizing people who are talented professionals in their own right, but just maybe don’t have a security background. Right? And that includes positions like CIOs, where you may have people who have long histories of successfully running IT infrastructure, but just may not have had that security element to it and therefore need to be educated. And so I’ve always found that a more constructive or a more helpful approach is to be a partner to the business, to focus on outreach, to focus on education, to focus on gaining trust. Trust is huge. Right? The minute you have an issue or some type of snafu, that sets you back significantly. Right? That outreach, that building trust, that working as a partner, creating a network of constructive relationships within the business and externally.

Josh Goldfarb [00:32:48]:
Right? Oftentimes, we need external partnerships as well in order to be successful. That allows a security team to be the most effective to function as a partner to the business and not merely sometimes what we’re called the department of no, sometimes people call the security team. And that’s not a good place to be. It doesn’t help the business, and it certainly doesn’t help to gain trust, buy in, and budget for security initiatives that in many cases are extremely necessary.

Karissa Breen [00:33:13]:
So you make an interesting point around guidance from governments and advisory boards that need to be modernized. I just wanna stop there for a moment because the word, the operative word here that I’m focused on is modernized. Now the whole reason why I got into what I was doing is because I wanted to have a modern approach on the industry. There are things out there that look like they were born in the nineties. I was over it. So I love this word because I think people do need to have that approach, being modern, being more fresh, more, you know, in this, you know, in this year, that I think sometimes people are operating really backwards. So what does that then mean to you? What does a modernized approach look like?

Josh Goldfarb [00:33:49]:
I think a modernized approach is really taking best practices or core principles of security and adapting them for the world now, which is a bit different than it was 10, 20, 30 years ago. So for example, a well known in Australia, a well known framework is the Essential 8. This is something that many people are familiar with, myself included. The Essential 8 is a good core guidance, but it’s a bit dated in the sense that it really focuses on endpoint workstations within an enterprise on premise environment or a VPN type of environment, perhaps, if you will. That’s obviously extremely important, and by no means should we throw that guidance out and start over. What we did here at F5 is we adapted the Essential 8 to a white paper offering some perspective and perhaps guidance on how the Essential 8 is relevant to hybrid and multi cloud environments, which is a challenge that many of our customers and many businesses around the world are struggling with is how do I adequately protect and defend my hybrid and multi cloud infrastructure and environment given that many of the pieces of guidance that are out there are focused more on an on premise or an enterprise world and not on the modern types of architectures that we see. So that’s an area to me, that’s what modernizing means. It means staying true to our core principles, to our professional values, to best practices that have worked time and time again, but adapting them to suit the more modern types of environments that we now find ourselves in.

Josh Goldfarb [00:35:27]:
So

Karissa Breen [00:35:28]:
what happened if people just weren’t modern about it? And I mean, look, I asked that because again, it’s the reason why I wanted to do what I’m doing now. Like, you know, back when I started this show, like, there were not many podcasts out there, not like they are today at all. I wanted to be, you know, ask the hard questions that perhaps people weren’t asking. I think that’s more of a modern, outspoken approach. It was a little different. But what would happen if, you know, people just people don’t take your advice, for example? Like, where would we be?

Josh Goldfarb [00:35:56]:
Well, you know, that’s an interesting question. I think that if people depend on external guidance from governments, from industry bodies and parties, and they don’t modernize it or adapt it to suit the particular situation that they find themselves in, I think what you’ll get is a lot of partial coverage. What I mean by that is that if there’s guidance that’s focused on endpoint workstations in an enterprise environment, and we’re only following that guidance, we’ll probably do quite well in that area, but we may not realize that we have certain types of threats in the cloud or certain types of threats to our SaaS solutions or our APIs or what have you. And we’ll get a lot of really good partial coverage or perhaps a lot of siloed point solutions partially covering the risk that we need to cover, but we really won’t get that strategic overarching approach to risk mitigation that the security team really needs to be focused on.

Karissa Breen [00:36:53]:
So, Josh, do you have any sort of closing comments or final thoughts you’d like to leave our audience with today?

Josh Goldfarb [00:36:58]:
You know, one thing I found over the course of my career is that there’s a lot of good best practices. There’s a lot of good data out there. There’s a lot of good expertise and knowledge. Many people like myself write periodically for different publications. People share on blogs or on social media different approaches. And I think that sort of following on to this discussion around visibility and around modernizing approaches, I think that there’s really good information out there. There are best practices and core principles and professional values that have been tried and true, that work for us as a community repeatedly. And rather than, I would say, following the hype cycle or the buzz item of the day, what we as a community should do is go back to basics, take those best practices, core principles, and professional values, and apply them to solving problems in our environments no matter how complex those environments are.

Josh Goldfarb [00:37:59]:
And I think that is how we understand how to translate from the language of security to the language of risk and the executives. And that’s how we can really go about breaking through some of these barriers and solving some of these problems that have been around for quite some time now.
