Boardroom Conversations on Security: Part 7

Boardroom Conversations on Security is an ongoing series on how to discuss and present cyber security concerns to your board. It comes from an extended conversation between Enrique Salem, Investor at Bain Capital, and Erkang Zheng, CEO of JupiterOne. For your convenience, the entire series is available as a single download.

"Enrique, how do we move from security as restrictions, towards a hybrid model to secure ephemeral systems that are getting built up and torn down at will?"

Enrique Salem

The biggest question here is agility, and how to be responsive. There are two dimensions to think about. One is what things can you automate, what can you make so that you don't have to manually collect or go inspect? What are the things you can automate and use technology to make better?

I think the second point that's really important here is the profile of the team we have in security has to have a bit more of an engineering set of capabilities. This has been the evolution.

I remember back in the early days of software development and quality assurance, the QA team was really involved in, "How do we test quality into a product?" They'd write some level of automation. It became almost like the police force for the development community. That model has completely changed.

What has to happen is that in security, we have to think about what are we doing to build security in as part of the process, and what are we doing to automate the collection of information. These are the steps that have to change just as it did in the software development process. That means that some of the capabilities in the security team need to have this engineering set of capabilities to make this possible.

Erkang Zheng

To add on to that automation piece, Enrique, at the very beginning of our conversation, you mentioned the assets. Automation can only work effectively if you have clean data and the right data. Otherwise it becomes a garbage in, garbage out situation. We've all seen that: automation trying to do the work, but it doesn't have the right data, because it doesn't automate things that aren't there.

You have to have some foundation to feed into the automation to drive it. This is why having great visibility into assets, configurations, activities, events, and all of the cyber assets within the company, allows you to connect the dots. Then it can properly feed into the right automation for the team to make knowledgeable decisions.

Enrique Salem

A hundred percent right. I think this is the biggest thing, Erkang, you and I have always talked about: there's a lot of data. The question is how do you put that data together in a really usable form?

The example that you and I have talked about that I've seen, unfortunately, more times than I care to admit, is this notion of I've got servers that have software, and that software has vulnerabilities. But what I really care about is what are the servers that have software that has vulnerabilities that also have something I care about protecting. That intersection is what ultimately matters.

It's not just about having a bunch of data about a lot of assets. It's about bringing that together and being able to say, "Here's how I prioritize where I spend my time."

The complete series, Boardroom Conversations on Security, is available as a single download for easy distribution to your board and security team.

About Enrique Salem

Enrique Salem was the president and CEO of software company Symantec from 2009 until 2012, and was a member of Barack Obama's U.S. President's Management Advisory Board. Enrique joined Bain Capital Ventures in 2014, where he focuses on infrastructure software and services with a specialization in cybersecurity.

About Erkang Zheng

Erkang Zheng is a hands-on leader in cybersecurity. He is an engineer by trade and an entrepreneur at heart. Before starting JupiterOne, Erkang was CISO, Privacy Officer, at GM LifeOmic Security. In August of 2021, Erkang was selected as one of The Top 25 Cybersecurity CEOs of 2021 by The Software Report.

About Mark Miller

Mark Miller speaks and writes extensively on DevSecOps and Cybersecurity. He has published 9 books, including "Modern Cybersecurity: Tales from the Near-Distant Future".
