Boardroom Conversations on Security is an ongoing series on how to discuss and present cyber security concerns to your board. It comes from an extended conversation between Enrique Salem, Investor at Bain Capital, and Erkang Zheng, CEO of JupiterOne. For your convenience, the entire series is available as a single download.
"Enrique, how do we move from security as restrictions, towards a hybrid model to secure ephemeral systems that are getting built up and torn down at will?"
The biggest question here is agility, and how to be responsive. There are two dimensions to think about. One is what things can you automate, what can you make so that you don't have to manually collect or go inspect. What are the things you can automate and use technology to make better.
I think the second point that's really important here is the profile of the team we have in security has to have a bit more of a engineering set of capabilities. This has been the evolution.
I remember back in the early days of software development and quality assurance, the QA team was really involved in, “How do we test quality into a product?” They'd write some level of automation. It became almost like the police force for the development community. That model is completely changed.
What has to happen is that in security, we have to think about what are we doing to build security in as part of the process, and what are we doing to automate the collection of information. These are the steps that have to change just as it did in the software development process. That means that some of the capabilities in the security team need to have this engineering set of capabilities to make this possible.
To add on to that automation piece, Enrique, at the very beginning of our conversation, you mentioned the assets. Automation can only work effectively if you have clean data and the right data. Otherwise it becomes a garbage in, garbage out situation. We've all seen that, automation trying to do the work, but it doesn't have the right data, because it doesn't automate things that aren’t there.
You have to have some foundation to feed into the automation to drive it. This is why having great visibility into assets, configurations, activities, events, and all of the cyber assets within the company, allows you to connect the dots. Then it can properly feed into the right automation for the team to make knowledgeable decisions.
A hundred percent right. I think this is the biggest thing, Erkang, you and I have always talked about: there's a lot of data. The question is how do you put that data together in a really usable form?
The example that you and I have talked about that I've seen, unfortunately, more times than I care to admit, is this notion of I've got servers that have software, and that software has vulnerabilities. But what I really care about is what are the servers that have software that has vulnerabilities that also have something I care about protecting. That intersection is what ultimately matters.
It's not just about having a bunch of data about a lot of assets. It's about bringing that together and being able to say, "Here's how I prioritize where I spend my time."
The complete series, Boardroom Conversations on Security, is available as a single download for easy distribution to your board and security team.
Read the full Boardroom Conversations series:
- Boardroom Conversations Part 1
- Boardroom Conversations Part 2
- Boardroom Conversations Part 3
- Boardroom Conversations Part 4
- Boardroom Conversations Part 5
- Boardroom Conversations Part 6
- Boardroom Conversations Part 7
About Enrique Salem
Enrique Salem was the president and CEO of software company Symantec from 2009 until 2012, and was a member of Barack Obama’s U.S. President's Management Advisory Board. Enrique joined Bain Capital Ventures in 2014, where he focuses on infrastructure software and services with a specialization in cybersecurity.
About Erkang Zheng
Erkang Zheng is a hands-on leader in cybersecurity. He is an engineer by trade and an entrepreneur at heart. Before starting JupiterOne, Erkang was CISO, Privacy Officer, at GM LifeOmic Security. In August of 2021, Erkang was selected as one of The Top 25 Cybersecurity CEOs of 2021 by The Software Report.
Posted By Mark Miller
Mark Miller speaks and writes extensively on DevOps and Security, hosting panel discussions on tools and processes within the DevOps Software Supply Chain.
Mark actively participates in the DevOps/DevSecOps community by building DevSecOps tracks at security conferences such as RSA Conference, InfoSec Europe, CD Summit, AppSec USA and AppSec EU. He is the Senior Storyteller and Senior Director of Community and Content at JupiterOne.
As well, Mark is Executive Producer of the DevSecOps Podcast Series (300K+ listens), and the Executive Editor of the LinkedIn DevOps Group (124K+ members).
To hear more from Mark, get our newsletter. No spam, just the good stuff once or twice a month. Sign up below.
Subscribe to our newsletter!
Get updates from JupiterOne Mission Control
Fresh content and cool cybersecurity news alerts delivered to your inbox at least 2x a month! Just let us know where to send it.