
Code to Cloud

Lacework

Available Episodes

5 of 26
  • Navigating NIS2 and Cyber Resilience Act: Business Resilience Insights from EY’s Koen Machilsen
    This episode of Code to Cloud features a discussion with the EY Consulting Partner in Cybersecurity, Koen Machilsen. At EY, Koen is responsible for delivery and innovation of the EY Consulting Cybersecurity and privacy service offering, and has been with the company for over 16 years. Prior to joining EY, Koen held various roles in IT operations. Koen and host Tim Chase, Global Field CISO at Lacework, discuss the significance of integrating cybersecurity into business resilience strategies. The conversation covers how to respond to cybersecurity incidents, the importance of preparation and regular training, and the necessity of understanding business impact when developing cyber crisis management plans. They also delve into the European Union’s NIS2 and Cyber Resilience Act regulations, explaining how they aim to enhance cyber resilience across organizations by mandating stringent cybersecurity practices and reporting requirements. The discussion underscores the need for local transpositions of these directives and the challenges they introduce. Finally, they emphasize the importance of cyber resilience as an integral part of overall business resilience in the digital age.

    Key Quotes
    “In today's digital world, you cannot have decent business resilience without having cyber in there. And why is this? Because technology is embedded in the heart of many organizations. That technology is interconnected with clouds and based on internet technology. So it makes it inherently vulnerable to cyber attacks. So if you want to have a good business resilience strategy, to me, cyber is a vital part of that.”
    “The overall objective of incident reporting is not to get organizations fined. It's to be able to do early sharing of those incidents or those indicators of compromise potentially to other organizations within or across different member states. All again, to make sure that whatever impact there is, that it does not get bigger from a member state or from a European Union perspective.”
    “A lot of organizations are prepared to handle crises - the traditional ones - but do not really fully understand yet what it takes to handle a cyber crisis specifically. I think one of the biggest benefits that NIS2 will bring is creating that awareness and making sure that decent cyber crisis management is adopted.”
    “The key question here is to really understand the impact of an incident from a few angles. I think understanding the impact of that incident is, is that really in the area that falls in scope of NIS2 for that organization? In what local European market is this impact cost? And to what extent is this impact significant? Because that's again at the discretion of the organization to determine. And I feel that those three elements really can help you decide how and where and when you need to report those incidents. So capturing all that information as part of your Security Incident Management process is key.”

    Time Stamps
    [0:30] Meet Koen Machilsen, EY Consulting Partner in Cybersecurity
    [1:00] Handling a Cyber Incident: First Steps
    [2:03] Understanding the Impact of an Incident and Communication
    [3:45] The Importance of Regular Exercises
    [6:26] Threat Modeling and Business Impact
    [8:27] Regulation Insights: NIS2 Explained
    [11:05] Incident Reporting Challenges
    [20:24] Cyber Resilience Act Overview
    [26:39] Rapid Fire Questions with Koen Machilsen
    [30:13] Conclusion and Final Thoughts

    Links
    Connect with Koen on LinkedIn
    Learn more about EY
    Read EY’s article on how to prepare for NIS2
    Learn more about Lacework

    This podcast is brought to you by Lacework, the leading data-driven cloud-native application protection platform. Lacework is trusted by nearly 1,000 global innovators to secure the cloud from build to run. Lacework delivers true end-to-end protection, empowering customers to prioritize risks, find known and unknown threats faster, achieve continuous cloud compliance, and work smarter–not harder–all from one unified platform. Learn more at Lacework.com.
    --------  
    30:55
  • Cybersecurity challenges in manufacturing: Insights from Church & Dwight's Global CISO
    This episode of Code to Cloud features a discussion with David Ortiz, Global CISO at Church & Dwight Co., the parent company of brands like Arm & Hammer and OxiClean. At Church & Dwight Co., David transformed the global enterprise-wide information security program in key areas of strategy, risk management, and compliance, among others. Prior to joining the company in 2020, David spent over 22 years in security at Bed, Bath & Beyond. David and host Andy Schneider, Field CISO EMEA at Lacework, discuss the primary cyber threats facing the manufacturing sector, with a specific focus on ransomware, and the strategies utilized by Church & Dwight to mitigate these threats, including a robust third-party vendor assessment process. Ortiz highlights the importance of adaptability in cybersecurity, the role of leadership qualities such as empathy, accountability, and urgency, and underscores the significance of identity management, preparedness, and swift response in enhancing cyber resilience. The conversation also covers the benefits and considerations of moving services to the cloud, reflecting on the necessity of collaboration between cybersecurity teams, manufacturing units, and other stakeholders to safeguard against an ever-changing threat landscape.

    Key Quotes
    “Technology is getting more and more complex every single day. What we may have viewed years ago as a simple firewall rule has become much more complex with our connected ecosystems across multiple clouds, multiple sites, multiple networks. So the complexity is going to continue to grow, but our mission hasn't really changed with what we need to do to protect it. We just need to adapt and keep up with the changing threat landscape.”
    “Everybody has a role in cyber and protecting our people, our technology, our processes. I want to instill that mindset of accountability and ownership so that everybody understands that they have a part in reducing cyber risk.”
    “From the vendor community, my ask would be: Help us install foundational cybersecurity, help us understand where we're potentially oversharing data. And let's have a little less hype on AI in general. Let's really surface all the good that's going to come out of AI and derive it from that conversation versus a hype conversation and I think that would really benefit everybody substantially so that we could get ahead of the bad actors out there and really use AI to its full potential for good.”
    “You can teach technical skills. You can't teach drive and passion. And that sense of urgency that I mentioned early on, those are some of the characteristics that you need in this field. So, as a company is interviewing and looking for people in the cyber or the IT risk management field, look past the certifications, look past some of those requirement bullet points that you may see on a job description and really get to know the person and explain the role that they're interviewing for to them and see if they're really a fit for that role. And again, knowing that you could teach people technical skills, but you want to really hire the person, not what's on their resume.”

    Time Stamps
    [0:32] Introducing David Ortiz: Global CISO at Church & Dwight Co.
    [1:05] Transforming Cloud Security in Manufacturing
    [1:15] Ransomware: The Persistent Threat
    [1:58] Vendor Assessment and Cloud Adoption Strategies
    [3:44] Cybersecurity Incident Response in Manufacturing
    [6:15] Leadership Qualities in Cybersecurity
    [7:58] Building Trust and Accountability in Teams
    [11:04] The Role of Technology in Cybersecurity
    [15:51] The Future of Cybersecurity and AI
    [18:47] Career Insights and Advice in Cybersecurity

    Links
    Connect with David on LinkedIn
    Learn more about Church & Dwight Co.
    Learn more about Lacework
    --------  
    31:13
  • Strengthening security culture: the CISO-CTO dream team
    This episode of Code to Cloud features a discussion with Immuta's CISO, Mike Scott, and Co-Founder and CTO, Steve Touw, hosted by Andy Schneider, Field CISO EMEA at Lacework. Mike is a highly experienced and accomplished leader in information and data security, real-time analysis of immediate threats, and IT and infrastructure designs. And Steve is known for his data science work with US Special Operations Command and the US Intelligence Community. The conversation centers around the importance of a 'shift left' culture in software development, emphasizing security from the start of the development process. Both guests share how this approach has enabled Immuta to move to a SaaS model, deliver features and security fixes more rapidly, and foster a strong security culture by bringing the CISO and CTO teams closer together. Practical insights include the adoption of communication tools like Slack, the significance of automation in maintaining a rapid release cadence, and the importance of understanding employee communication styles using the DISC assessment. The discussion also touches on overcoming conflicts and the critical role of setting realistic goals in achieving security and compliance milestones.

    Key Quotes
    “Security is inevitable. And we can all look back and see where it's delayed us, when security was brought in at the end of the game. Versus if we can move our mindset to really thinking from ideation all the way through creation to delivery of software, we're going to meet a lot of those challenges early. And then what we've seen, I think the outcome is a more timely release and less of security being a roadblock and more just like a small speed bump along the way.” - Mike Scott
    “Shifting left has also allowed our teams to understand the security impact sooner. And so when a critical vulnerability comes out, the engineering team has already decided, ‘Are we vulnerable? What's the fix going to be?’ within hours of getting that notification versus responding to a customer's inquiry before.” - Mike Scott
    “We needed the security to be there so that we could change our release cadence, the shift left. And our architecture changed quite a bit too. Most of our customers are SaaS now, used to be self-managed on-prem type solution. And we've really tried to push the SaaS solution because it helps us with releasing faster, getting features in our customers hands faster, but also allows us to deploy security fixes more quickly as well. So, that forcing function of having to deliver more quickly, of providing it or making us do the shift left to be able to do that. It flipped it on its head and also allows us to fix problems more quickly as well.” - Steve Touw
    “I'm constantly reminding our governance committee, ‘Hey, we put a lot of stuff on this team to meet ISO requirements and slot 3 requirements.’ And for me, that's defending my partner, Steve, right? It's saying, ‘Hey, this is taking extra time. This is taking away from his ability to deliver product.’ And so when they're hearing Steve say it, and they're hearing Mike say it, and they're hearing other parts of the business say it, it's also helping get that justification for resources or at least changing prioritization.” - Mike Scott

    Time Stamps
    [0:40] Introducing the Special Episode with Immuta's CISO and CTO
    [1:46] The Shift Left Culture: Enhancing Security and Efficiency
    [3:24] Building a Security-Minded Engineering Culture at Immuta
    [5:34] The Measurable Benefits of Shifting Left in Security
    [10:04] Fostering Collaboration Between CISOs and CTOs
    [14:43] Championing Security Through Engineering and Automation
    [22:04] The Critical Role of Automation in Modern Software Development
    [23:46] The Drive for Faster Feature Delivery
    [24:16] Breaking Down Big Goals into Manageable Pieces
    [24:36] The Journey to Compliance and Certification
    [25:54] The Impact of SOC 2 Compliance and Beyond
    [26:40] Collaboration and Strategy in Achieving Compliance
    [29:37] Addressing Conflicts and Embracing Collaboration
    [34:53] Leveraging DISC for Effective Communication
    [39:28] Reflecting on Career Lessons and the Path to Leadership
    [43:37] Essential Tools for Success and How to Connect

    Links
    Connect with Mike Scott on LinkedIn
    Connect with Steve Touw on LinkedIn
    Learn more about Immuta
    Learn more about Lacework
    --------  
    46:07
  • Data dialogues: Protecting personal data with AWS Director Jenny Brinkley
    This episode features an interview with Jenny Brinkley. Jenny is Director of Amazon Security at AWS. Prior to joining Amazon, she co-founded an artificial intelligence start-up called Harvest.ai focused on protecting highly sensitive data using behavior analytics to prevent data loss. Harvest.ai was then acquired by AWS in April 2016. Jenny has also been awarded a few patents focused on data loss prevention and the right to be digitally forgotten. And on this episode, Jenny and host Tim Chase discuss the value of personal data, the importance of security at the executive level, and diversification of the workforce.

    Key Quotes
    “We're living in a really interesting time where people are just starting to understand the value of their interactions with different digital products and the different types of outputs that they get. But then couple in the fact of where we're seeing the future of how Gen AI related to still keeping me unique and special and different is important. And that's where I really am curious to see how this year is going to unfold related to individuals understanding the value of that data and how to stay not only safe as you're operating online, but how to also think about how you either get compensated for the use of your data, or how you get to set the parameters of what you want to see with the different type of data that can be used in training models.”
    “People don't necessarily understand what they create and how valuable that is, but then also how to protect themselves as they're operating within different technology stacks.”
    “I feel so blessed I was able to spend that time in thinking about how data classification at the scale of AWS really should operate and how it should think. But I think that there's still such an open space for someone to come in and solve for making it easy. Like, how do you really identify that type of data that's so important to your organization and who has access to it? And how do you turf up alerts in a way that can not only give you insight into how to take action, but that all should be automated for you. And that's where I really see the future of where generative AI is going to come into play.”

    Time Stamps
    [0:56] Jenny Brinkley's Journey: From AI Startup to Amazon Security
    [1:30] The Evolution of Data Protection and Privacy
    [2:46] Understanding the Value of Data in the Age of Generative AI
    [5:02] The Role of Security in Business and Regulatory Compliance
    [10:28] The Shift in Security Mindset: From Basement to Boardroom
    [14:52] Redefining Data Loss Prevention and the Future of AI in Security
    [23:31] Diversifying the Cybersecurity Workforce for the Future
    [34:52] The Importance of Community Engagement

    Links
    Connect with Jenny on LinkedIn
    Learn more about AWS
    Learn more about Lacework
    --------  
    35:40
  • Decoding AppSec in the Cloud Age: A Conversation with Sean Wright of Featurespace
    This episode features an interview with Sean Wright. Sean is Head of Application Security at Featurespace, the world leader in Enterprise Financial Crime prevention for fraud and Anti-Money Laundering. He is an experienced application security engineer, having started his career as a software developer. His expertise is in web-based application security with a special interest in TLS-related subjects. And on this episode, Sean and host Andy Schneider discuss navigating AppSec in the cloud age, finding and leveraging security champions, and Sean’s take on open source as it relates to supply chain risks with third-party software libraries.

    Key Quotes
    “The thing that really scares me, we've seen it already with Python packages, NPM packages, Ruby packages, is those who actually intentionally put malicious code in there. There's things to steal secrets, crypto miners, the whole shebang. And that to me is probably the biggest worry I have around open source. Because trying to catch that…it's just, how do you do it? And just the massive volume that's there.”
    “Break down barriers between the security teams and the engineering teams. I don't see why there needs to be this friction. At the end of the day, you're working for the same company. You're trying to achieve the same goal. Work together, support one another. See each other's issues or frustrations, problem points, and try to achieve the same goal. And at the end of the day, it'll work out for everyone.”
    “How can we expect people to write secure code if they don't even know what that is like? Universities need to have some elements of this in the bachelor of science, computer science degrees. Embed that in, make it part of the curriculum. It doesn't have to be sophisticated. It can cover the top level stuff, but at least make people aware of it. There's this fixation on some of the more glamorous stuff in the industry. So we kind of ignore some of the stuff that really needs to be tackled. Go look at SQL injection, go look at cross site scripting, those kinds of things. It's been around for decades, yet we still haven't solved those problems. And they're not difficult problems to solve.”
    “You got all these new technologies, these new languages coming out, and now you have to not only know how to use those technologies, but use them securely. And that's probably where we need to start looking at building secure by default into the technologies rather than as a bolt on or afterthought. It's kind of happened over the years as well.”
    “I'm not just focused on AppSec. I engage with other areas of a security team because the security department's pretty small. That means I get exposure to other things, or I can help provide outside influence or thoughts, opinions that could help. So don't just fixate in your bubble. Work with other people, share ideas. Get engaged, things like community, different groups, and learning.”

    Time Stamps
    [0:30] Introducing Sean Wright, Head of AppSec at Featurespace
    [1:06] Sean Wright: From Developer to Application Security Expert
    [1:39] The Evolution of Software Development: Pre-Cloud to Cloud Era
    [4:06] The Transformation of Application Security in the Cloud Age
    [6:07] Effective AppSec Measures: Frameworks, Training, and Collaboration
    [12:09] Navigating the Risks of Open Source and Third-Party Libraries
    [18:15] Strategies for Managing Open Source Security Risks
    [20:18] Why Software Remains Vulnerable
    [21:01] The Importance of Secure Coding Education
    [21:32] Addressing Long-Standing Security Issues
    [22:40] The Rapid Pace of Technological Advancement
    [23:22] Language Choices in Security
    [25:26] Industry's Struggle with Cybersecurity
    [28:37] Advice for Aspiring Security Professionals
    [31:26] The Potential of AI in Application Security
    [34:24] Future Trends and Challenges in AppSec

    Links
    Connect with Sean on LinkedIn
    Learn more about Featurespace
    Learn more about Lacework
    --------  
    39:03


About Code to Cloud

Do you know what’s going on in your cloud? With the security threat landscape constantly evolving, giving developers the speed they want and CISOs the control they need is critical. Protecting your cloud-native applications from code to production is imperative. And building the foundations of security into everything you create is a must. If your cloud-native business prioritizes security while innovating, this is the podcast for you. On Code to Cloud, we will hear from CISOs and thought leaders in the industry about the tools and tactics helping them succeed. Learn how they’ve approached industry trends and challenges, how they’re “shifting left,” and what opportunities lie ahead. Cloud security at cloud scale -- join us for Code to Cloud, hosted by Tim Chase and Andy Schneider. And powered by Lacework.