Fred Bret-Mounet, CISO at Clarify Health Solutions, reminisces about negotiating a 25% salary increase and still being drastically underpaid, eating pasta every day, and learning that security can’t just be focused on building Fort Knox.
About Fred:
“It all started with early e-commerce sites storing item prices client side!
A tinkerer from an early age and the constant need to feed my curiosity have been critical skills to my information security career.
With strong technical skills that I keep current and some amount of business acumen, I realized early that my role was not to build mini Fort Knox everywhere I went but instead to teach people new skills: I am an evangelist helping organizations understand enough about the risk dimension associated to security and privacy – just as we understand financial, brand or contractual / legal dimensions in our daily activities.
I am also an enforcer! Not the one that carries a weapon – instead, I keep us honest by providing a platform for self-policing.”
SPONSOR NOTE:
Support for Cloud Ace podcast comes from SANS Institute. If you like the topics covered in this podcast and would like to learn more about cloud security, SANS Cloud Security curriculum is here to support your journey into building, deploying, and managing secure cloud infrastructure, platforms, and applications. Whether you are on a technical flight plan, or a leadership one, SANS Cloud Security curriculum has resources, training, and certifications to fit your needs.
Focus on where the cloud is going, not where it is today. Your organization is going to need someone with hands-on technical experience and cloud security-specific knowledge. You will be prepared not only for your current role, but also for a cutting-edge future in cloud security.
Review and Download Cloud Security Resources: sans.org/cloud-security/ (http://sans.org/cloud-security/)
Join our growing and diverse community of cloud security professionals on your platform of choice:
Discord (http://www.sansurl.com/cloud-discord) | Twitter (https://twitter.com/SANSCloudSec) | LinkedIn (https://www.linkedin.com/showcase/sanscloudsec) | YouTube (https://www.youtube.com/SANSCloudSecurity)
This is the Cloud Ace podcast, bringing you the latest in cloud security through captivating chats with fascinating cybersecurity experts who are leaving their mark on the industry. Cloud Ace is brought to you by the SANS Institute and hosted by SANS Fellow Frank Kim. And now, prepare for departure; we’re cleared for takeoff. Here’s your captain, Frank Kim.

Frank: Hello everybody, and welcome back to the Cloud Ace podcast. Today I’m really excited to have on the show with us Fred Bret-Mounet, who is the CISO at Clarify Health Solutions. Fred, thank you so much for joining.

Fred: Hey, how’s it going, Kim? No, Frank. Sorry.

Frank: Well, Fred, hey, no better way to start the podcast here than with a little bit of a verbal typo. All right, well, hey, like we like to do on this show, I want to start with a little bit of personal history. Now, hey, you’re originally from... your family is French, so originally from France, but as I understand it you lived in a number of different places and also grew up in Africa. Can you tell us a little bit about that history and how that led up to where you are today?
Fred: I’m French, and very proud of being French, but yes, I was born in Ghana and raised in Ghana and Nigeria, English-speaking countries. That’s why I unfortunately don’t have a thick French accent, which I could have used when I was single, for sure. I truly believe my upbringing is why I am in cybersecurity today. It forced me to be self-reliant, to be curious, and to fix things, which is the beginning of understanding how things work.

Frank: Very interesting. I was pausing for a sec because I thought you were going to keep on going. But tell us, give us an example of how you had to be self-reliant as a kid in that environment, growing up.

Fred: Actually, a funny story comes to mind. So we would go back to Europe once a year in the summer, for vacation and also to replenish the mission-critical stuff, and one year I remember my parents having a suitcase full of shoes for me and my brother for the year, because you couldn’t buy shoes locally, so you had to bring your shoes with you. Turns out that suitcase never made it. I remember us going to the market and trying to find some shoes, which were probably rejects from Nike or some other manufacturer, and I ended up with two left shoes because we forgot to check. And so that year I was in flip-flops most of the year. I remember having a bicycle, which was hard to find in Nigeria, so we had brought it back; it was one of those mountain bikes I brought back from Europe, and I quickly broke it, of course, being a kid, and I had to figure out how to disassemble and reassemble my bicycle to fix it. So yes, I had lots of toys that were disassembled and never made it back to the reassembled phase, but in the process I learned a lot. I learned how to fix stuff, electronics and mechanical items too, because we didn’t have access to most of the Western world’s conveniences, and so if we couldn’t fix it ourselves, we didn’t have it.

Frank: Now, before I go on and ask you, you know, the security origin story, the foundations were laid here with this background that you had as a kid. What was your family doing in Ghana?

Fred: My dad was working for a French company, similar to the West Indies colonial times, except that it was the French version. He started working for that company in Ivory Coast, which is an ex-French colony, and then got promoted through the ranks and gradually went west, no, east, across the West African line of countries. That was the standard promotion path for French expatriates in that company.

Frank: Ah, okay.

Fred: So nothing of my doing; I was just the little pawn that you moved around with the family.

Frank: So as this was all happening, you mentioned not necessarily having some of those modern conveniences. Then how did you get introduced to your first computers?

Fred: Oh, I’ll have to share a picture of me and my first computer. Actually, another happy event, because in the ’80s when our first computer got introduced to the household, it was the craze for the Apple, the Ataris and the Commodore and whatnot, which were the typical household computers at that time, and my dad decided to go for something a lot more obscure, an Osborne 1. That was a CP/M-based computer with actually four or five pieces of software bundled into it, and actually that’s what convinced him to buy that, because it had a word processor, a spreadsheet and some other things. It didn’t have games. For a, what was I, 13- or 14-year-old, that was really bad news, because I was not interested in a spreadsheet; I was much more interested in games. And so I had to learn BASIC, and learning to code in BASIC was done by copying all of those printouts in those magazines, because at that time that was the way you shared programs, through magazines. And of course the typo would insert itself, and I would spend hours trying to figure out why it was not working for me. And so that really is the reason why I became so fascinated by computers, and why I didn’t become just a gamer, because I’m lazy just like everybody else and I would have taken the path of least resistance if I had it.

Frank: Very cool. Now, did you also play those ASCII art games back then?

Fred: Oh my God, yes. And so the Osborne 1 had a very interesting feature: it was one of the first portable computers. It was the size of a sewing machine; of course it didn’t have any batteries or anything, but the screen was the screen of an oscilloscope, so it was, what, 5 in by 5 in, and it was a virtual screen on a larger display, so you could only see a quarter of your screen at a time, and it was purely text. And we had a, what’s the precursor to the dot matrix, the daisy wheel, we had a daisy wheel printer, and I printed so much ASCII art. And of course, being a young boy, there was some racy ASCII art, if you can call it racy by today’s standards.

Frank: Oh, that’s too funny. All right, well, hey, we’ll just leave it at that. So hey, so you’re in Ghana, you’re kind of coming of age here, and then what happens next? Where do you go next?

Fred: So actually I was in Nigeria, going to a... oh, when I think about it, I have a slightly unique background. I did school by mail before the internet, so all of my middle school was done via snail mail. My teachers were in France, and it would take me three months to get my homework corrected. I can tell you that that feedback loop doesn’t work very well. And so when it came time to go into high school, my parents made the wise decision of sending me and my brother to boarding school, so I went back to Paris and spent two years, yeah, two years in boarding school. Actually a fascinating one: it was a château from the 18th century, that was my boarding school. It was beautiful.

Frank: Wow, hey, but that’s both incredible, not only the school in that setting, but taking school by mail. That just sounds incredible.

Fred: School by mail was phenomenal. The internet revolutionized that, but before the internet it still existed in France. Every French citizen anywhere in the world has access to free French education, so they had to figure it out, and the way they made it work was to use teachers who are in permanent partial disability to teach by mail. And so yes, I had assigned teachers, and I had a little profile, like in your dating profile, I had the little profile of my teachers, and then I knew of them, they would share their stories, but it was all done over snail mail. It was very different.

Frank: So you go to this French boarding school and you show up there. Do the other kids make fun of you for not having a French accent?

Fred: Yes, at that point I had a little bit of a British accent speaking in French. I did adapt relatively well, because I had been in the French school system for the last six or seven years at least. What I did not adapt very well to was winter. That was my first true winter in Europe, and I still remember the palms of my hands peeling from the lack of humidity the entire winter, because I was used to 99% humidity in West Africa, and that was not the case. I was also seriously disappointed in the lack of postcard-like Christmas colors, i.e. my vision of what winter was in Europe was white, beautiful snow and all of the Christmas lights all over the place. Turns out winter in most cities with snow is more like a gray mess, a dirty mess, and I was very disappointed.

Frank: That’s right. Well, hey, so let’s fast forward a little bit.
You know, I think we both started our careers in the dot-com boom and the bust, and so tell me a little bit about your first job. How did that come to be?

Fred: So I ended up finishing college at Stevens Tech in Hoboken, New Jersey. They had made an arrangement with my college in France, where I got a master’s in computer science, where you could transfer for the last nine months and get an American master’s, which was very attractive to me. I’ve always had the vision of going international; it did not really happen, but that was my vision as a young adult. I ended up spending six months in Hoboken. I ended my program early and went back to France thinking the American dream was not mine. Hoboken in the winter, without a car, with the wife-to-be stuck in France, two-year-old kid in France, was not my definition of fun. So I went back to France thinking my American dream was over. I also was part of the last compulsory military service contingent, so I was still due to do my 12 months or 16 months of military service, and I was resigned to doing it. There’s a whole story behind that; we can go into it over a beer later. Ultimately, a few weeks before having to report for duty, I got a ... telling me that I had been exempted from military service. I’ll just say someone pulled some strings and I benefited from it. So, time for me to find my first job, and there was a small ad at my college in France looking for a software developer in Novato, California.

Frank: Wow, exciting, California, you know, the California dream.

Fred: While I had crossed San Francisco as a kid, I had never been to San Francisco, so I thought, you know what, an opportunity, we’ll try it. And I started writing shrink-wrap software for OCR, optical character recognition. So we were bundling software with scanners that was trying to read scans and make sense of them. In the ’90s that was quite a feat, and absolutely not as good as it is today. So I started my career as a software developer. I landed in Novato, at a seven-employee company. The guy was French and knew exactly what he was doing, because he was explicitly targeting those French graduates from that college that was specialized in computer science, and I think his first offer was 1,200 bucks a month, which, back-of-the-napkin calculation, sounded really, really not enough. You didn’t have the internet at that time to do any comparison or any research. And so I countered, telling him, yeah, I’ll do it for 1,500. Turns out I was way under.

Frank: Wow, with a wife and kid in tow as well.

Fred: So I have fun memories of that time. We didn’t have any access to credit because we didn’t have any credit history, so we were cash only, and yes, I remember some last few days of the month having to eat the pasta that was the only thing we had in the kitchen, because we were out of cash. But at the same time it was a simple life. I didn’t have to worry about financing, mortgages or anything like that, so yes, it was tight, but it was maybe healthy.

Frank: So you go from there. How long did you work there? ’Cause then shortly thereafter you go to one of the, I guess, iconic dot-com consulting agencies, not security-focused, we’ll get to that in a moment, but you wind up at Sapient. How did you wind up there?

Fred: Ah, Sapient, again luck of the draw. I have quite a few of those points in time where they were a magical moment for my future and I didn’t even know it. So I joined Sapient, I believe in ’97. I do remember it was three months before Sapient went public. Sapient taught me so much. Sapient was a phenomenal company to take newly graduated kids, I was in my late 20s, I was still a kid at that time, and make consultants out of them. Yeah, sure, we had to wear suit and tie, which made my life easy because it was white shirt; the only choice I had in the morning was what color tie I would pick. So at Sapient I learned how to interact with customers, how to understand business requirements, which it turns out is one of the reasons I’m successful in cybersecurity: because I understand the bigger picture, not just the security picture. So I joined Sapient in ’97. As an immigrant, Sapient also turned out to be my green card sponsor, and that has some repercussions down the line. But I ended up spending, I think, six years at Sapient. I went all the way up the dot-com boom and all the way down the dot-com bust, which was slow enough that I watched all of my riches vaporize over six months or a year, and I also watched most of my colleagues lose their jobs. At the height I think we were somewhere around 3,000 people; by the time I got laid off I think we were 1,500 or a thousand, so there had been a lot of thinning of the ranks. And yes, in March 2001 I got laid off. I got laid off by a really close friend of mine, and I’m still bitter about it, because on Sunday I was at a barbecue with him and I was telling him about my plans of buying a new minivan, and he sounded wishy-washy about it, and sure enough the next day, Monday morning, he was the one to call me to tell me that I had not made it through the latest round of layoffs. I still love him to death, but...

Frank: Another key skill you learned early on is reading between the lines.

Fred: I was not that good at it at that time. So anyhow, March 2001 the disaster happens, disaster from quite a few angles. One: single household income, my wife and our kids at that time, I had, yeah, I had three kids already, were all depending on my income. I still remember taking the Golden Gate bus back home that day and wondering if I should stay at work till the end of the day, or what I was going to tell my wife, because the sense of shame was absolutely horrific. And, you know, it was my first time getting laid off, so I was taking it very personally. There was also a bigger problem: that green card was employer-sponsored, and at that time I was under the impression that if I didn’t have my green card in hand, my sponsorship would end with my employment termination. So on paper it was time to pack, which was absolutely not our vision for our future and would have been a disaster in my plans. So we looked at our finances and decided we had enough to stick around for five weeks, and then we would have to start thinking about going back to France.
In those five weeks I found out one of the biggest realizations of my career, which is that you don’t look for a job by posting your resume on Dice, or whatever it was at that time; you look for a job by networking. And believe me, for an introvert that’s a huge thing. But I learned that lesson, and that’s exactly how I found my next opportunity. Literally the only place that was... nobody was hiring, you know, especially in systems integration consulting. I was a jack of all trades; I didn’t have a specialization. Yes, my specialty was helping failing teams. I was the fixer. Sapient was about fixed price, fixed time; that was our delivery model, and so it was really important to identify teams in trouble early and give them the help they needed to get back on track. Otherwise our bottom line was quickly impacted. So that was my specialty: get in there, help them out, get them back on track, and then move on to the next project. So anyhow, turns out the lights are out everywhere, nobody is hiring. I think in those five weeks I had maybe two interviews; that was it. One place where the lights were on was the brand new industry called security consulting. Turns out one of the brilliant moves of my career, which was totally accidental, is that I knocked at the door of a company called @stake. @stake was still about 100 employees at that time, still in relative infancy, and they were hiring like crazy. Week five arrived. I had an offer in hand, and I was going to start on that Monday, and it was Friday and I still did not have my green card, and I knew that on Monday my employer was going to ask for proof of right to work. That Friday’s mail was a godsend, because it had my temporary green card in it, and that’s how I recovered from the dot-com bust. I still remember intensely that first week at @stake. @stake gave me a big shot. I did have my CISSP; I was an application developer and I kind of had some cybersecurity knowledge, but they were really interested in that cross of application and security, because even then that was the unicorn. I still remember my first week at @stake in our office in San Francisco. @stake had a policy that everything was fair game for hacking except for payroll; it makes sense. While I thought of myself as a hacker in the traditional terms of hacking, which is making things do something they’re not intended to do, I was certainly not a hacker in the terms of black hat, white hat. And so I still remember that first week. Wi-Fi didn’t exist at that time, so it was Ethernet plugs, and the whole week I would connect to the network on demand. I needed to refresh Outlook: I would plug in the Ethernet jack, I would refresh Outlook, and I would unplug as quickly as I could, because I was a sitting duck. And, you know, there were all of those brand names around me. I can remember Mike Schiffman, David Pino and others like that, that were phenomenal in their skill sets, and I got to learn from them so much. I’m so grateful for that. So that’s how I got into cybersecurity, and it was just a luck of the draw, to be honest.

Frank: That’s an amazing journey. You know, you go from a web consulting company, Sapient, one of the best-known names at the time, to probably the iconic security consulting company, @stake, from which even today many security leaders and industry experts that we know of have their roots. And so you show up the first week at work, and you’re there for the first month unplugging from Ethernet. You mentioned you had your CISSP, which was pretty early, but, you know, hey, did you already know some of these people? How did you know them if you weren’t in security?

Fred: I did not know them. That’s the luck of the draw: I had no idea who @stake was until I was at @stake. Then I started realizing how much history there was. Yes, you’re right, those people are thought leaders all across the cybersecurity world today. I am a failure compared to all of them, because they’re all in top influential... yeah, it’s just mind-boggling how many legends I’ve worked with without even realizing it.

Frank: Yeah, so you wind up being there for, I think, almost four years. Why did your time there come to an end? What happened, and why did you wind up transitioning?

Fred: Ah, it’s a sad story. I think it was in 2004. There was some consolidation of the cybersecurity world: large security product vendors were acquiring security consulting firms to give them a little bit more clout in the cyber world. Instead of just being antiviruses, they wanted to be a one-stop consulting shop. And so I believe McAfee acquired one of our competitors. Symantec decided they couldn’t let that be and acquired @stake. At that point the San Francisco office was maybe a dozen people; the entire company was maybe 250 people. I certainly knew I was not interested in being one of 60,000. So most of the San Francisco office reached the same conclusion as I did, which was not with me, and most of us ended up quitting. That is how iSEC Partners was created. That was the time when the San Francisco office decided, we’ll start an @stake over, but we’re not going to be part of Symantec. Unfortunately that option was not an option for me. I could not afford to go back to the consulting world. I had something unthinkable in today’s world: I was traveling to be physically present at customers to do pentesting. Nowadays rarely do we do that. But I was burnt. You know, being on the same flight on Monday morning as the people who were on the flight Friday night coming back from Redmond was getting really old. My personal life was taking a toll, and so I decided it was time for me to move on. You remember that guy who fired me? Three months later he followed me to @stake, and then, I think a few months before I left @stake, he had moved on to a healthcare company that was essentially inventing the web visit; that was our term for the online doctor visit. And so at that time he talked me into becoming their CISO, and so I moved there. That was an eye-opening experience, because as a consultant I was dead accurate on my findings. I was very proud of the value I was adding, and then suddenly I realized how full of it I was. The goal is absolutely not to build Fort Knox. It is impossible to build Fort Knox; if you do build Fort Knox, you put your company out of business, especially when it’s a younger company that is still trying to prove its business value. The focus on security has to be the least intrusive possible, and very balanced, i.e. there are other priorities, like making payroll, not spending on the latest SIEM or whatever. So at Relay I learned the reality of what it is to be a cybersecurity professional, which is a really very balanced approach, and that’s where I redescribed my vision of myself as being an evangelist, i.e. I’m that trusted advisor that will help you see something you were not aware of and will help you assess the risk associated to that and decide what to do about it; not just be a cop or build Fort Knox. And so I always go back to the analogy of buying a car. Most of us are capable of buying a car. We have knowledge of what the reputable brands are, what our business needs are: do we need a two-seater, do we need a five-seater, whatever, minivan in my case, for example. We have an idea of how to evaluate the quality of that vehicle that we’re considering, i.e. there’s a crash test rating, there are some reviews, etc., etc. But when it comes to paying for that, if we know we can pay cash, the answer is easy, we can make that decision. But if we have to go for a more complicated financing option, that’s where we’re supposed to involve the expert. You call your financial adviser: hey, should I lease this vehicle, should I buy it, should I put a loan on seven years, five years, two years? There are so many options. I’m not the expert; I have to rely on the expert to help me build my decision, which is unique to me, and it’s not the same as Frank’s decision about how he’s going to finance his car. And so my role is really that financial advisor that helps you with the intricacies of cybersecurity when it comes to making big decisions. For the simple stuff, I should have taught you that your minimum password is 12 characters and then this and that; you’re capable of picking the right password, usually.

Frank: And that is a lesson that many security people and security leaders don’t learn for many, many years. So that’s something you picked up relatively early, so getting in the security game early and figuring out that that’s the one key lesson learned that every security professional needs to know.

Fred: So many of us do ourselves a disservice by not having business acumen, because in a vacuum our advice is irrelevant. Yeah, telling a company it needs to build Fort Knox when it’s actually having a hard time meeting payroll because it’s a startup is the worst thing you can do for that company. And unfortunately in my career I’ve seen so many of us be so focused on the technical side of cybersecurity and completely miss the mark on the social side, which is communication, and the business side, which is: you’re not the only priority a business has, far from it.

Frank: So that experience really started a very long run in healthcare specifically. You know, after that you wind up at McKesson, and that was a very long stint there, and at McKesson,
how’d you wind up there? How did you see that change in security from when you started to when you left?

Fred: So you remember how I quit @stake because we were acquired by a monster? A few years later Relay was acquired by the healthcare monster called McKesson.

Frank: I didn’t realize that. And you still stayed for that long.

Fred: I had a little bit more wisdom that told me, hey, check it out before you quit. And it turns out McKesson is really a holding company. Sure, they have corporate security services, they have corporate compliance services, but really things happen at the business unit a lot more. And when McKesson acquired us, the corporate security department realized that Relay was actually in a relatively good security posture, knock on wood. We had never been compromised, and I knew a little bit of what I was talking about, so we were doing things relatively right, to a point even better than McKesson was at large. When you think about it, a monster like McKesson is really something hard to manage its security posture; there are always weaknesses hiding here and there. It’s so hard to have an understanding of the broad security posture of such a large organization. So it turns out McKesson actually offered us something that is what led me to stick around: they were comfortable with us running independent on our security posture and only involving them for things we needed help with. So for example, workstation and corporate security policies and procedures, I was happy to delegate that to them. They had a SOC, they had managed services and whatnot that I could not afford on my own, and so that was theirs. Their idea of having us host in their own data centers, I said no, and we kept our own hosting independent from McKesson, and I was right, because at one point there were some compromises that did not affect us. So that setup worked really well, where I was as independent as I wanted and apparently as influential as I wanted to be, because at one point McKesson had the concept of distinguished technologist, which was a program where they had half a dozen technologists elected every year for exceptional services to the organization. To this day I’m the only security guy who was a distinguished technologist at McKesson. Again, going back to business acumen, technical skills and cybersecurity skills, and my ability to overcome my introversion and being able to talk semi-intelligently to a crowd. And so that’s how I stuck around with McKesson, with a very symbiotic relationship. Now, towards the end there, McKesson was already moving to the cloud. McKesson was actively trying to move to the cloud; they had made a large deal with Amazon, no, sorry, Azure, the other one, and we were in the process of migrating our data center, or exploring the migration of our data center, to Azure by the time I left. Unfortunately, McKesson at one point decided to divest its technology services, and so it resold our business unit to Change Healthcare, and Change Healthcare’s corporate cybersecurity strategy was 180 degrees opposite to McKesson’s. It was, let’s consolidate everything into a centralized service, which I absolutely conceptually disagree with. There is no way a centralized service can understand the details of a business unit and get the, not the authority, but the willingness of a business unit, by not being part of them, i.e. me being inside the business unit was a huge advantage compared to my colleagues in corporate security imposing something on the business unit. And so that’s when I decided it was time for me to move on, because of that strategic difference, which I absolutely, and still to this day, disagree with. And that’s how I started my specialty, which has been for the last seven years now: I specialize in young startup healthcare technology companies. I am their first CISO and I get their first security program in place, usually being a one-man show for three to five years before starting to recruit a team to help augment me.

Frank: Now, you’ve done that a number of times now, so, you know, I always find it very difficult to be the first CISO at any organization, especially a young one, because at any organization the rest of the leadership team is trying to figure out how to work with security, how to incorporate you into the leadership decisions and so on. And then especially joining an early-stage company, as you said, if you’re a single-person team, well then, hey, you’ve got to roll up your sleeves and actually get stuff done, and not just be a PowerPoint jockey all of the time. How do you manage all of that?

Fred: Actually, getting stuff done is the reward for me. I love getting my hands dirty. Remember, I’m still a technologist; I still have an easier time talking Python than I do talking to humans. The last two companies, I think I was lucky that they reached out to me, so there was already a connection between the leaders and I through prior relationships, and there was an understanding that the CISO role was needed. So I don’t know if it’s luck or if it’s me choosing my next venture carefully enough, but in those two cases I’ve never had any problems selling my agenda. Actually, at some points I’ve actually tried to sell the opposite of my agenda. For example, at Clarify, the company I’m currently at, like a lot of companies, last year was a little bit of a tough year, and so we had to do rounds of layoffs, and I bubbled up the idea that maybe it was time to eliminate the role of CISO, because survival of the company was more important, because I had a program in place that could afford to live for a year or two freewheeling, and so my role was potentially less critical than it used to be when I started and when I introduced the whole program. And to your point about it being a mess when you start: yes, that’s the part I love, is that there is so much to do and so much to look at that it can be overwhelming, but I tend to enjoy that.

Frank: Let’s try to get just a touch technical here. So, you know, you show up at one of these organizations, I presume they’re all in the cloud now because they’re young companies, and what do you start doing? What’s the first thing that you do to improve the cloud security capabilities?

Fred: Huh. I think there are two things that are the recipe to magic. One is, in both cases those organizations were interested in becoming HITRUST certified, and even though a long time ago I pooh-poohed HITRUST in its infancy, I must give it credit today. HITRUST is a very balanced approach to cybersecurity, and it has helped me at least get around my blind spots. Remember, I come from application security; I tend to focus a lot more on that if I were left to my own desires. I tend to not like policies, so I would be very weak on the policy front if there was not an overarching framework like HITRUST to ensure that I don’t forget the balanced approach that I need to have. The second ingredient is around identity and access management. In both companies I have put my eggs in the Okta basket, but that strategy could work with Office 365 or even other centralized identity platforms. The idea is 100% of systems that we have access to need to be in Okta, or in your IAM. The reason I say that, I have anecdotal evidence to support that, and I’m sure you’ve seen that all over the place over your career, is that
A system that is not managed by it or infosec ends up having too many broken windows um and I’ll pick an example we use Nets Suite our financial backbone is in netsuite I did not want to have access to netsuite because there was way too much sensitive data in there that I’d
Rather not be privy to so I let Finance take care of managing their their system and access to their systems for a few years and then at one point I had to look into it and suddenly I saw the list of users in net suite and immediately red flags went all over the
Place ex employees still had access uh guess what everybody was admin even contractors you know because it solves the problem the wrong way but it solves the problem really quickly by giving everybody ad um so my that reinforced what I knew already and I should have known better
Which was if I don’t manage it it’s not going to be managed and through the use of a centralized access control system and I’m not talking samel or SSO because that this is still very far from that um we only have a third of our 300 applications are integrated through
Samel but just having that inventory system of who has access to what has proven to be a godsend because now uh I can I I report automatically on Confluence the number of licenses that we use for every single product and I can tell you that some products are
Assigned to let’s say 50 people and only 10 have used them in the last 90 days I know we’re over licensed on that product or it’s useless I have phenomenal data to make business decisions with it it also gives me things capabilities from a security perspective that are absolutely unachievable in any other
World um termination is a j ticket away HR puts a termination date and time and within 3 minutes of that time access is terminated automatically rain or shine regardless of if Fred is on PTO or not um through Automation and centralization in Octa all of that is possible it’s not
If you don’t have a centralized aim um I am sorry um the other thing is high trust and many Frameworks require you to validate that people have access the appropriate access they need to have to do their job guess what we’re 250 employees I can guarantee you I can’t tell you for three
Qus of people what their job really means from a daily perspective and what systems they really need to have access to um so I have to do access review every every 60 days or so per High trust there is no way I can do it myself I
Don’t know enough about the business and the details about people to make an educated guess um I built a crowdsourcing framework for that every month I have automation that generates a j ticket for every manager and lists what each man has access to and how it deviates based on a template for their
Role so for example you have AWS access and it’s not in your default role it will be bolded in your GE ticket hey this is something you might want to pay attention to and then the manager has to review and attest it’s five minutes for them and for me it’s free because it’s
All distributed uh I do have to bebit a lot but that’s a a different story um that process would have been possible if I did not have a centralized identity and access management framework because I would not know where to find who has access to what it would be so expensive
Every 60 days to build that right now it’s a script that runs for 10 minutes and it generates something like a 100 tickets it knows that every 60 days you need to do it for privileged systems and every 90 days for non-privileged systems it decides this is the month where I do
Privileged this is the month where I do unprivileged and it generates all the tickets because of that OCTA system it understands who’s managing who and what roles and titles are etc etc um so that’s my last part to my secret sauce and the reason why I’m the oneman show
Is that because of my developer background because of the fact that I know I’m not trustworthy uh I’m very flaky like every single human on the planet so I know if I don’t automate it it’s not going to happen um so everything is automated amazing foundational capability with a lot of
Benefits very great example great example the uh hey before we go on to wrap things up here I just want to ask you about one other thing here you know hey that the buzzword of the year if you will I believe clarify Health has been doing using AI for some time already can
You talk a little bit about kind of hey what’s going on and you know the security aspects that you need to think about as products are getting built with AI gen AI functionality in them oh that’s that’s a touchy subject um I’m unfortunately not going to be
Able to go into lots of details except to say one thing um just like everybody else we’ve been hit by the generative AI Avalanche of last year um and and just like everybody else we’ve had people whip out their credit cards to sign up for Chad GPT and just like everybody
Else cyber security found out mostly after the fact and just like everybody else was not happy about the Privacy policies that were attached to those and the uh the ndas and msas that were attached them actually funny part and I’m still not over it open AI refused to talk to us about Enterprise
Licenses unless we were upfront willing to commit to spending $100,000 oh wow I understand they had a very good problem but not very friendly from the business perspective um so yes we’ve had to do some catch up we’ve normalized the situation um as well as we could but
This is not just an AI problem this is a SAS model problem which from a sales perspective from a business perspective is really phenomenal you want your product to be accessible to anybody who has access to a credit card uh that way you can bypass all of the procurement
Processes and get entrenched into an organization before they even know what hit them uh from a compliance and security perspective it’s not good but it does mean it’s it it opens up the best door possible for those vendors uh and it does mean that once a quarter I’m
Looking at next weite to understand where we’re spending money because I know that those credit cards will trigger a reimbursement request and so I look at that data to find out who bypassed the process sorry um because there will always be someone who didn’t know or didn’t care
To know that there was a vendor risk assessment process to be followed all right well hey thanks for sharing that element of the the journey there oh no problem yeah hey let’s go ahead and uh wrap things up here and uh you know as we close out give you an
Opportunity to ask a uh reverso question here any question that you would like to ask me before we wrap things up Yes actually something that’s been worrying me increasingly how worried are you about what appears to be the trend to hold cesos personally liable yes that is very concerning you
Know you’re talking about kind of hey Tim Brown what’s gone on recently with the SEC charges and so on and uh you know the uh I haven’t spoken to Tim personally but you know this is definitely sending repercussions of course throughout the ceso community and
Many of us are worri about it and you know for me personally I just feel personally a little bit lucky that you know I I’ve haven’t had a sitting seat so role you know in terms of kind of running security program for for an Enterprise and since before all of this
Actually went down and if I go and read when I go and read all of the U uh the details of the SEC charges and so on it really boils down to one thing is that that hey these things were said about the security program and the capabilities um but the evidence shows
And the aftermath after effects of the breach show according to the SEC charges that that wasn’t the case and really for me you know one thing I’ve tried to do you know sometimes more successfully than others is to really be transparent and that’s what the SEC in my reading is
Really saying it’s like hey are you saying what you’re GNA do are you doing what you say and if you can’t do what you say well tell us about it and you know they’re putting more guardrails around that and you know for for cesos for us as Security leaders it’s hey
Making sure that leadership is upfront and if there is something that we as a security leader need to take a stand on in the organization hey we need to be up front and say hey I’m not comfortable about this thing for these reasons X Y and Z and here are the corresponding
Business impacts and you know my simple reading of the SEC charges is they’re really just asking for transparency and and honesty now this specific case I don’t know all of the the details but on the surface that’s just what they’re asking for and they’re saying hey and we
Need to do that now in the 10K and 8K maybe I have way too dark thoughts uh because my reading is not as positive as you’ve worded it yes I can understand that Vision but I also can see the Practical outcome which is that the ceso
Is going to become an outcast whose only job is to cover expose things instead of helping fix things um for example patch management the Achilles heel of the online World um all right while we have standards of what is acceptable what timelines are acceptable to patch things the reality is I’ve
Never seen an organization that could systematically meet those requirements systematically a as in hit 100% of the patches that they needed to hit every month over and over again um so as my role as a ciso is to try and make sure we improve to get as close close to that number as
Possible but if things continue down the road of that enforcement my job is going to be also to be a whistleblower I hey we didn’t do it and we need to go public about us doing only 90% instead of 100% And I have a feeling that if things go down the wrong path
The ceso is gradually going to become a whistleblower and going to be excluded from the internal workings of the organization I could see that as a downstream effect now I’ve never had a uh uh gotten to 100% of yeah no I I don’t don’t believe it’s possible yeah
And I think you know hey and just like as we know when the audit happens when the auditor comes in it’s not so much about having zero critical vulnerabilities it’s more about the process what is the process for uh getting to that Improvement or working
Towards that so you know I think that in that particular case that’s going to be you know hey I’m certainly not going to blow the whistle and say oh well we need to you know go public and say we’re not at 100% I think uh because that’s as we
Said not achievable but if there are other strategic decisions right that uh that are being made I think you know you can argue that hey the CFO the CFO would in the past decades ago have perhaps some um incentives after socks to um to to maybe uh Hey Maybe cover things up or
Be the The Whistleblower and uh we largely we don’t see that right I think we’re in aary period for the ciso that the ciso is now going to be you know kind of like following the footsteps of the CFO after socks no it’s a very good point and then
Maybe I need to look at it from that perspective um it’s there just a lot of unknown and as you pointed out we don’t understand the details of those cases enough to understand what people were thinking or what people were expecting of each other and so this amount of speculation
Yes but Fred that’s a really really great question and with that we’re going to go ahead and end it here on high note Fred thank you so much for joining uh that was uh Fred bretman everybody Frank thank you it was a lot of fun appreciate It