1
00:00:02,940 --> 00:00:05,820
Narrator: You're listening to
the Humans of DevOps Podcast, a

2
00:00:05,820 --> 00:00:09,450
podcast focused on advancing the
humans of DevOps through skills,

3
00:00:09,480 --> 00:00:13,800
knowledge, ideas and learning,
or the SKIL Framework.

4
00:00:17,170 --> 00:00:19,870
Brian Smith: In a lot of
companies, I see the CISOs say,

5
00:00:19,870 --> 00:00:23,260
We're doing all this, but
there's this DevOps group over

6
00:00:23,260 --> 00:00:26,620
here, and I'm not quite sure
what they're doing, and they don't fully

7
00:00:26,620 --> 00:00:29,800
understand it. And so bridging
that gap, I think is sort of

8
00:00:29,800 --> 00:00:31,840
where a lot of companies are
fairly immature.

9
00:00:34,000 --> 00:00:36,520
Eveline Oehrlich: Hello, all,
this is Eveline Oehrlich, Chief

10
00:00:36,520 --> 00:00:39,370
Research Officer at DevOps
Institute, and this is the

11
00:00:39,370 --> 00:00:45,310
Humans of DevOps Podcast. We are
excited to have a wonderful

12
00:00:45,310 --> 00:00:50,230
gentleman with us today, Brian
Smith. But before I introduce

13
00:00:50,230 --> 00:00:54,040
Brian, to you, the title of our
episode today is the Importance

14
00:00:54,070 --> 00:00:58,810
of Humans in Cybersecurity. As
you all know, we're focusing

15
00:00:59,110 --> 00:01:03,670
much on the human angle within
DevOps and the greater

16
00:01:03,670 --> 00:01:07,060
topic. So welcome, Brian. Hello,
there.

17
00:01:07,660 --> 00:01:10,750
Brian Smith: Hi, it's great to
be here. Thanks for

18
00:01:10,750 --> 00:01:11,200
having me.

19
00:01:11,450 --> 00:01:14,330
Eveline Oehrlich: Thanks for
taking the time out of your busy

20
00:01:14,330 --> 00:01:19,940
day to come to us and speak with
us and me quizzing you on a

21
00:01:19,940 --> 00:01:23,900
variety of things. So let me, to
our audience, introduce Brian a

22
00:01:23,900 --> 00:01:26,690
little bit here. There's a lot
of things I will read because I

23
00:01:26,690 --> 00:01:30,050
cannot remember them all. So
Brian Smith is a 20-year

24
00:01:30,050 --> 00:01:34,280
veteran, an entrepreneur in
multimedia, cybersecurity, and

25
00:01:34,280 --> 00:01:39,800
technologies alike. He is
co-founder and CTO at Spyderbat, an

26
00:01:39,800 --> 00:01:42,710
automated runtime security
platform, we'll talk a little

27
00:01:42,710 --> 00:01:48,770
bit about Spyderbat in a minute.
Spyderbat, just quickly, stops

28
00:01:48,770 --> 00:01:51,530
attacks and automates root cause
analysis on cloud native

29
00:01:51,530 --> 00:01:55,100
environments by proactively
recording cloud systems and

30
00:01:55,100 --> 00:01:58,310
container activities into a
living Google Map. That sounds

31
00:01:58,310 --> 00:02:03,020
very intriguing. So Brian has
some background here and

32
00:02:03,020 --> 00:02:07,250
technologies. In 2000, Brian
founded in conjunction with

33
00:02:07,250 --> 00:02:10,580
somebody else, TippingPoint
Technologies, which was acquired

34
00:02:10,580 --> 00:02:17,660
by 3Com. Then in 2009, he
founded Click Security, acquired

35
00:02:17,660 --> 00:02:21,170
by Alert Logic. I remember those
guys, that's exactly the time

36
00:02:21,170 --> 00:02:23,960
when I was thinking about going
into security, but I stayed in

37
00:02:23,960 --> 00:02:26,840
doing infrastructure and
operations at my former company.

38
00:02:27,620 --> 00:02:30,560
Brian has a PhD in Computer
Science from the University of

39
00:02:30,560 --> 00:02:35,480
California at Berkeley, in
1994, and was the Xerox

40
00:02:35,480 --> 00:02:39,920
Professor of Computer Science at
Cornell University until 1998.

41
00:02:39,950 --> 00:02:43,010
I'm sure maybe there are some
former students of yours, Brian,

42
00:02:43,010 --> 00:02:48,680
who are listening in. Wouldn't
that be super? And he holds 13,

43
00:02:48,710 --> 00:02:52,730
one-three, patents and is a
fellow of the Alfred P. Sloan

44
00:02:52,730 --> 00:02:57,500
Foundation. Fantastic. This
reads wonderful, Brian, we're

45
00:02:57,500 --> 00:03:03,020
excited to have you here. My
first question, I have to ask

46
00:03:03,020 --> 00:03:08,360
this Spyderbat. That's quite a
name of a company. So first, how

47
00:03:08,360 --> 00:03:11,270
did you come up with this name?
And second, tell us a little bit

48
00:03:11,270 --> 00:03:12,350
more about Spyderbat?

49
00:03:12,690 --> 00:03:15,900
Brian Smith: Yeah, so when you
this is like you said, this is

50
00:03:15,900 --> 00:03:20,400
my kind of my third startup that
I've done. And when you are

51
00:03:20,400 --> 00:03:23,310
coming up with names for
startups, there's a couple of

52
00:03:23,310 --> 00:03:26,880
considerations. One is you want
it to be memorable. One is it's

53
00:03:26,940 --> 00:03:30,900
it needs to be not too cute or
too tricky. These names where

54
00:03:31,530 --> 00:03:34,980
you say them and you can never
spell them and say can never

55
00:03:34,980 --> 00:03:38,790
find a website. And so when we
were coming out when we're

56
00:03:38,820 --> 00:03:41,220
talking about names with a
company, we wanted something

57
00:03:41,220 --> 00:03:46,290
that was kind of fun. And we're
from Austin. So Austin, I don't

58
00:03:46,290 --> 00:03:50,550
know if you know it has this big
bridge that goes across the

59
00:03:50,580 --> 00:03:53,940
Colorado River, that big lake
there in central Austin. I have been

60
00:03:53,940 --> 00:03:57,540
there. And it's the Congress
Avenue Bridge, and underneath it

61
00:03:57,540 --> 00:04:02,370
has the largest colony of bats,
Mexican free-tailed bats in

62
00:04:02,970 --> 00:04:07,020
North America, I believe. And
there's like a million bats

63
00:04:07,020 --> 00:04:10,230
live under there, so Austin is
known as bats. And the city has

64
00:04:10,230 --> 00:04:13,740
that. So we there's a type of
bat called the spider bat. And

65
00:04:13,740 --> 00:04:17,430
so we decided to have that as
the name, but it's spelled S-P-I-D-E-R

66
00:04:17,430 --> 00:04:23,190
bat, with an I. And so when
we went to open up our bank

67
00:04:23,190 --> 00:04:27,450
account, we're just getting
started. The guy at the bank

68
00:04:27,480 --> 00:04:30,990
misspelled the name with spyder,
and we thought well that's

69
00:04:30,990 --> 00:04:34,770
pretty cool. So we hadn't
actually filed the incorporation

70
00:04:34,770 --> 00:04:37,440
documents yet. So we
reincorporated under that

71
00:04:37,440 --> 00:04:39,420
name. And that's its story.

72
00:04:39,600 --> 00:04:42,540
Eveline Oehrlich: That is a
great story and the banker has

73
00:04:42,540 --> 00:04:46,380
done you a favor by making a
spelling mistake. That's a great

74
00:04:46,380 --> 00:04:50,760
story. And at some point you
want it to be instead of you go

75
00:04:50,760 --> 00:04:54,450
Google it, you want to say you go
Spyderbat it, right? That's kind

76
00:04:54,450 --> 00:04:58,920
of the goal. So when people say
let's go Spyderbat it, what?

77
00:04:59,160 --> 00:05:01,830
What does that mean? In what
what? Tell me about this Google

78
00:05:01,830 --> 00:05:05,700
map recording? Tell us myself,
of course, I'm curious as I'm an

79
00:05:05,700 --> 00:05:08,730
analyst. Tell us about Spyderbat
a little bit.

80
00:05:09,000 --> 00:05:10,830
Brian Smith: Yeah, we've been,
you know, I've been working in

81
00:05:10,830 --> 00:05:14,820
security for 20 years now
and one of the toughest problems

82
00:05:14,850 --> 00:05:19,140
is, you'll usually get notified
about a security incident when

83
00:05:19,140 --> 00:05:23,520
sort of when it goes boom, when
something goes boom. And then

84
00:05:23,520 --> 00:05:27,030
the tricky problem is trying to
root cause that trying to figure

85
00:05:27,030 --> 00:05:29,700
out what actually happened. You
have a bunch of

86
00:05:29,730 --> 00:05:33,630
considerations? Like, what is it
still happening? What happened?

87
00:05:33,660 --> 00:05:37,590
What was the impact? How do I
how do I stop it right now, who

88
00:05:37,590 --> 00:05:41,010
do I need to inform and how to
prevent it in the future. And a

89
00:05:41,010 --> 00:05:44,670
lot of that is trying to figure
out what happened. And the

90
00:05:44,670 --> 00:05:47,370
problem we have right now is the
traditional way that people do

91
00:05:47,370 --> 00:05:50,100
that is they start going through
the logs and trying to figure

92
00:05:50,100 --> 00:05:54,270
out, you know, just from from
log analysis, it's painful. And

93
00:05:54,300 --> 00:05:59,370
a lot of times the data that you
need is not there in a box. But

94
00:05:59,460 --> 00:06:03,990
we looked at that and said, you
know, the, these things are all

95
00:06:03,990 --> 00:06:07,410
just computers running. And so
if we could record everything,

96
00:06:07,410 --> 00:06:10,830
build this kind of DVR like
capability of everything good,

97
00:06:10,860 --> 00:06:15,900
bad and indifferent that happened,
and then use that data to flag

98
00:06:15,930 --> 00:06:19,620
this is interesting, this is
interesting. This was something

99
00:06:19,620 --> 00:06:23,340
bad happening. Once you have the
bad, you could trace back to

100
00:06:23,670 --> 00:06:27,420
root cause where this thing
started. So we started building

101
00:06:27,420 --> 00:06:29,400
something that could record
everything that happened like a

102
00:06:29,400 --> 00:06:35,100
DVR for your entire network. It
built this map, we put that raw

103
00:06:35,100 --> 00:06:37,470
data is if you just looked at
the raw data, you'd be kind of

104
00:06:37,470 --> 00:06:41,970
sad. So it built an analytic
system that turned that into a

105
00:06:42,030 --> 00:06:44,970
map that you could
understand, what we call a

106
00:06:44,970 --> 00:06:47,730
causal map that for any
instance, you can say this

107
00:06:47,730 --> 00:06:50,520
caused all this stuff to happen.
And this is the stuff that

108
00:06:50,520 --> 00:06:53,430
caused it. And then if you can
just attach a security incident

109
00:06:53,430 --> 00:06:55,800
onto that, then you can go from
that and say, Okay, this is all

110
00:06:55,800 --> 00:06:59,340
the bad stuff that happened. As
a side effect of that, and work

111
00:06:59,340 --> 00:07:03,570
backwards to this is what caused
it. When you have that base

112
00:07:03,570 --> 00:07:07,260
capability, then it's not a long
stretch to add in security

113
00:07:07,470 --> 00:07:10,260
content on top of that, that
says these are bad things

114
00:07:10,260 --> 00:07:13,710
happening. And then pretty easy
to add on top of that, well,

115
00:07:13,710 --> 00:07:17,310
let's stop it dead in its
tracks. Because what we find is

116
00:07:17,310 --> 00:07:21,030
that when something the average
industry time at I'm sure you

117
00:07:21,030 --> 00:07:26,190
know this level is that when
something bad has happened, it's

118
00:07:26,220 --> 00:07:29,310
56 days that they've been in
your network, because the what

119
00:07:29,310 --> 00:07:34,590
they call the dwell time, and
then it's 178 days to actually

120
00:07:34,890 --> 00:07:37,890
inventory everything that
happened and figure out of

121
00:07:37,890 --> 00:07:42,180
investigation time and then 96
days to clean it up. That whole

122
00:07:42,180 --> 00:07:46,920
process is this massive manual
effort. And so we by having this

123
00:07:46,920 --> 00:07:48,690
recording, we can really crush
that time.

124
00:07:49,110 --> 00:07:51,360
Eveline Oehrlich: So you're really
reducing MTTR quite

125
00:07:51,360 --> 00:07:55,140
significantly, right. That's,
that's I think, to me in

126
00:07:55,140 --> 00:07:58,620
infrastructure and operations,
which is what I come from, it

127
00:07:58,620 --> 00:08:00,630
sounds like it is an
application. It's almost like a

128
00:08:00,630 --> 00:08:03,600
dependency map, right? As we
sometimes have application

129
00:08:03,600 --> 00:08:06,510
dependency maps, but with the
focus on what's actually

130
00:08:06,510 --> 00:08:10,410
happening from a security
perspective, which then allows

131
00:08:10,410 --> 00:08:15,840
me as a team member, not
necessarily security, but maybe

132
00:08:15,930 --> 00:08:19,080
others to kind of look at it,
where we can collaborate and

133
00:08:19,080 --> 00:08:22,230
say, Hey, here's something and
this is where we need to hone in

134
00:08:22,230 --> 00:08:25,470
and need to do something file.
That sounds fantastic. Great. I

135
00:08:25,470 --> 00:08:29,550
love the name Spyderbat.
Super-duper. Well, thanks for

136
00:08:29,550 --> 00:08:33,480
sharing that. Anybody out there,
go check out Spyderbat. But

137
00:08:33,510 --> 00:08:38,610
again, I wanted to focus on a
few things here. Because when I

138
00:08:38,610 --> 00:08:42,450
started at Forrester, I had a
colleague, and I know you're

139
00:08:42,450 --> 00:08:46,500
LinkedIn with him, John
Kindervag. I know you know John, so

140
00:08:46,620 --> 00:08:52,110
John, dear friend of mine. He
told me once, Eveline, you know,

141
00:08:52,110 --> 00:08:56,460
you have to remember in security,
it's not really, it's not really

142
00:08:56,460 --> 00:09:00,180
to technology, it's to humans.
It's the people who make the

143
00:09:00,180 --> 00:09:05,310
change. And challenges always
have a head and two shoulders.

144
00:09:05,310 --> 00:09:09,150
Right? And I never really, I
never had the chance to do

145
00:09:09,150 --> 00:09:14,070
research with him. But I was
always intrigued. And I did some

146
00:09:14,070 --> 00:09:16,890
research before this podcast.
And there's a couple of

147
00:09:16,920 --> 00:09:19,380
challenges and a couple of
shifts were actually a few

148
00:09:19,380 --> 00:09:23,010
shifts happening. This is from
Gartner want to make sure I

149
00:09:23,010 --> 00:09:26,610
shout out to two colleagues,
Gartner. And I want to highlight

150
00:09:26,610 --> 00:09:30,330
them quickly. So first of all,
this role of the CISO, the chief

151
00:09:30,330 --> 00:09:34,380
information security officer is
reshaping. So Gartner's saying

152
00:09:34,380 --> 00:09:38,700
it's reshaping from preventing
breaches to facilitating risk

153
00:09:38,730 --> 00:09:41,640
management. So that's very
different, a very different

154
00:09:41,640 --> 00:09:46,800
role. Second shift is from cyber
risk is a security problem to

155
00:09:46,800 --> 00:09:49,740
cyber risk is a business
problem. And I think we've seen

156
00:09:49,740 --> 00:09:54,120
that there's multiple headlines
out there, which made to the to

157
00:09:54,120 --> 00:09:58,530
the demise of those. And then
third, from security being a

158
00:09:58,530 --> 00:10:03,810
roadblock to, say, speed.
Security is actually an enabler of

159
00:10:03,810 --> 00:10:07,050
agile and secure products. And
that's the one for me in the

160
00:10:07,050 --> 00:10:10,950
DevOps in the DevOps folks,
which is, that's a great

161
00:10:11,220 --> 00:10:16,140
statement of shifts. But if you
think about so now, your

162
00:10:16,200 --> 00:10:20,760
question for you, Brian, if you
think about the three shifts,

163
00:10:22,110 --> 00:10:25,530
and think about the clients and
your connections and your

164
00:10:25,530 --> 00:10:29,490
networks, and the folks you talk
to and your experience of 20

165
00:10:29,520 --> 00:10:31,560
years, and I don't believe that
20 years, I think you'll have

166
00:10:31,560 --> 00:10:36,060
more than that. But we'll leave
it at that. Where are we there?

167
00:10:36,120 --> 00:10:40,050
We will somewhere in these three
things? Are we somewhere at the

168
00:10:40,080 --> 00:10:43,650
beginning? Are we already kind
of if we think of a hype cycle,

169
00:10:43,650 --> 00:10:45,660
right, are we somewhere at the
beginning of those things? Are

170
00:10:45,660 --> 00:10:49,200
we somewhere in the middle? Or
have we already matured on to

171
00:10:50,550 --> 00:10:54,540
organizations making these
shifts from that, to that? What

172
00:10:54,570 --> 00:10:55,800
What are your thoughts on that?

173
00:10:56,190 --> 00:10:58,680
Brian Smith: Well, I think
there's three, there's a lot to

174
00:10:58,680 --> 00:11:01,350
unpack there. But there's,
there's from the risk

175
00:11:01,350 --> 00:11:05,460
standpoint, I think that the
CISOs have been taking that

176
00:11:05,460 --> 00:11:09,570
attitude for for a fair amount
of time. So I think most

177
00:11:09,570 --> 00:11:12,270
companies are fairly mature. And
I think part of that is just,

178
00:11:12,540 --> 00:11:17,940
it's an acknowledgement of just
having a very pragmatic approach

179
00:11:17,940 --> 00:11:24,180
to it. One way, that the sort of
notion that you can prevent all

180
00:11:24,180 --> 00:11:28,260
breaches through, you know, some
magic bullet security project or

181
00:11:28,260 --> 00:11:32,160
some magic bullet process is
just kind of fantasyland.

182
00:11:32,190 --> 00:11:37,410
Honestly, the best
way I heard it described is imagine

183
00:11:37,410 --> 00:11:41,370
a castle, like a medieval
castle. And so it's got it's out

184
00:11:41,370 --> 00:11:43,950
on a plain, and there are, you
know, hundreds of windows and

185
00:11:43,950 --> 00:11:47,850
hundreds of doors. And it's and,
and you're the defender of that,

186
00:11:48,300 --> 00:11:51,780
you have all these different
ways that, that an attacker can

187
00:11:51,780 --> 00:11:55,110
come in, and you have to defend
every single possible entry

188
00:11:55,110 --> 00:11:58,950
point. And it's just kind of
this impossible, impossible

189
00:11:58,950 --> 00:12:04,500
task. So the pragmatic approach
is, to certainly shore things

190
00:12:04,500 --> 00:12:07,980
up, you don't want to leave just
everything unlocked. But then

191
00:12:07,980 --> 00:12:11,640
also have, you know, sort of
patrols and guards and humans in

192
00:12:11,640 --> 00:12:14,340
there that are, that are
watching watching the fortress

193
00:12:14,340 --> 00:12:16,560
and saying, that's a little
weird and being able to

194
00:12:16,560 --> 00:12:20,940
investigate. And so the risk
management is focusing on those

195
00:12:20,940 --> 00:12:23,850
areas that give you the most
bang for your buck on those

196
00:12:23,850 --> 00:12:26,370
things. Whereas if a breach
happened here, it doesn't really

197
00:12:26,370 --> 00:12:29,550
matter if a breach happens here,
that's really, really bad. And

198
00:12:29,550 --> 00:12:32,790
so the risk is, you know,
assessing, assessing that

199
00:12:32,790 --> 00:12:36,450
situation, it's fairly,
depending on the organization

200
00:12:36,480 --> 00:12:40,920
fairly mature. The, the agility
part is really interesting part

201
00:12:40,920 --> 00:12:47,310
to me. Because traditionally,
the security opera, you know,

202
00:12:47,310 --> 00:12:49,860
security was a bit of a
roadblock. And part of that was

203
00:12:49,860 --> 00:12:54,330
the developers bring in security
as they're the main guys come in

204
00:12:54,330 --> 00:12:56,610
at that the last minute, and
then they're the guys that say,

205
00:12:56,610 --> 00:13:00,570
Hey, wait, we need to make this
secure. And it feels like it

206
00:13:00,570 --> 00:13:03,930
slows things down. And by
involving them earlier, earlier

207
00:13:03,930 --> 00:13:06,900
in the cycle, which is a lot of
the shift left stuff, that

208
00:13:06,900 --> 00:13:12,780
opportunities that we've seen,
you end up being able to, for

209
00:13:12,780 --> 00:13:18,870
them to become enablers of
having things go faster, but

210
00:13:18,870 --> 00:13:21,840
still, we still have to be
secure as we deploy these

211
00:13:21,840 --> 00:13:28,170
things. And part of the reason
for that is just that, if you if

212
00:13:28,170 --> 00:13:31,350
you're not secure, if your
application gets popped, you're

213
00:13:31,350 --> 00:13:35,640
gonna have a really bad week, or
really bad month while you try

214
00:13:35,640 --> 00:13:38,550
to, you know, clean up and
assess the damage and stuff as

215
00:13:38,550 --> 00:13:42,420
as a developer or development
manager, DevOps. So it's all in

216
00:13:42,420 --> 00:13:46,350
all our interest to prevent that
from happening also from from

217
00:13:46,350 --> 00:13:49,320
the business standpoint, and I
think the business side is just

218
00:13:49,320 --> 00:13:52,920
the recognition of, of all the
damage that these things do to

219
00:13:52,920 --> 00:13:56,070
the business. And so it's gotten
board-level attention at this

220
00:13:56,070 --> 00:13:58,260
point. So it's not just the
security group that says

221
00:13:58,260 --> 00:14:01,890
isolated silo, but it's much
more on the business side.

222
00:14:04,270 --> 00:14:06,760
Ad: Are you looking to get
DevOps certified? Demonstrate

223
00:14:06,760 --> 00:14:08,770
your DevOps knowledge and
advance your career with a

224
00:14:08,770 --> 00:14:11,740
certification from DevOps
Institute, get certified in

225
00:14:11,740 --> 00:14:15,520
DevOps Leader, SRE or
DevSecOps, just to name a few. Learn

226
00:14:15,520 --> 00:14:19,270
anywhere, anytime. The choice is
yours. Choose to get certified

227
00:14:19,270 --> 00:14:22,720
through our vast partner network
self study programs, or our new

228
00:14:22,720 --> 00:14:25,720
skillup elearning videos. The
exams are developed in

229
00:14:25,720 --> 00:14:28,270
collaboration with industry
thought leaders, and subject

230
00:14:28,270 --> 00:14:30,910
matter experts in the DevOps
space. Learn more at

231
00:14:30,970 --> 00:14:33,190
DevOpsInstitute.com/certifications.

232
00:14:37,000 --> 00:14:40,300
Eveline Oehrlich: So I've heard
conversations, or I've

233
00:14:40,300 --> 00:14:45,400
overheard, and I've heard at RSA
or other places. Now, of course,

234
00:14:45,430 --> 00:14:48,550
most of them might join
virtually, hopefully soon, I can

235
00:14:48,550 --> 00:14:53,140
go again, we can all travel
again, where I've noticed that

236
00:14:53,770 --> 00:14:57,580
I've actually seen more business
people at those conventions and

237
00:14:57,580 --> 00:15:02,080
joining so I an admin Many times
I always wondered, so why is

238
00:15:02,080 --> 00:15:05,950
business not wondering and
asking IT more questions

239
00:15:05,950 --> 00:15:09,220
relative to those types of
things? What is your what are

240
00:15:09,220 --> 00:15:11,740
your thinking? What's your
thinking on the wise business,

241
00:15:12,010 --> 00:15:15,670
they don't seem to chime up when
things have happened. And then

242
00:15:15,670 --> 00:15:19,810
they are all worried and now,
but they haven't in the past

243
00:15:19,810 --> 00:15:21,820
kind of worried about it.
They're just like, Oh, you guys,

244
00:15:21,820 --> 00:15:22,960
techies, you guys got it?

245
00:15:24,220 --> 00:15:25,780
Brian Smith: Well, I think I
mean, I think there's a couple

246
00:15:25,780 --> 00:15:29,650
different things going on. One
is, you know, I like the part of

247
00:15:29,650 --> 00:15:34,060
the shift towards pragmatism is
this realization that, it's,

248
00:15:34,090 --> 00:15:38,440
it's really hard to make it make
yourself completely bulletproof

249
00:15:38,530 --> 00:15:41,620
for one of these things. If
someone really wants to go after

250
00:15:41,620 --> 00:15:45,430
you like a nation state, it's,
it's very difficult to defend

251
00:15:45,430 --> 00:15:50,320
against that practice, and to
prevent the breach. But if you

252
00:15:50,320 --> 00:15:55,480
can have a rapid response to it,
then that involves people and

253
00:15:55,480 --> 00:15:59,440
processes and technology. So you
want you have to do a little bit

254
00:15:59,440 --> 00:16:03,190
rehearsal. But that means it's
not just a security only kind of

255
00:16:03,220 --> 00:16:07,270
these guys, the guys in the
security group, it really has to

256
00:16:07,270 --> 00:16:11,950
be kind of everyone's business.
And the other is that where we

257
00:16:11,950 --> 00:16:15,460
get, you know, a lot of the
breaches come in at is through

258
00:16:16,180 --> 00:16:19,270
exploiting people, honestly,
exploiting social engineering

259
00:16:19,270 --> 00:16:23,830
attacks and things like that,
which is why companies focus on

260
00:16:23,830 --> 00:16:27,730
training the people is a good
way. One of the one of the many

261
00:16:27,730 --> 00:16:31,690
good ways to prevent breaches,
but what I've seen is that, you

262
00:16:31,690 --> 00:16:36,370
know, sort of the, their, this
traditional security group has

263
00:16:36,370 --> 00:16:43,750
been focused on securing sort of
laptops and mobile devices, and

264
00:16:43,750 --> 00:16:47,530
IT systems and things like that.
And then as we've moved into

265
00:16:47,650 --> 00:16:51,010
DevOps, and more cloud native
world, those are often are,

266
00:16:51,310 --> 00:16:54,670
especially in Kubernetes, those
are Linux systems. And they're a

267
00:16:54,670 --> 00:16:57,460
little outside of the expertise.
So I must have seen these

268
00:16:57,460 --> 00:17:01,510
bifurcation of the security
responsibility falling on DevOps

269
00:17:01,510 --> 00:17:07,120
DevSecOps and SRE. And this
other group, on the side, LLC,

270
00:17:07,120 --> 00:17:11,170
CISO side, in the traditional
SecOps group, sort of managing

271
00:17:11,260 --> 00:17:14,590
the people and processes over
here, and bridging those two

272
00:17:14,590 --> 00:17:18,220
gaps together, I think is a
business thing, because it has

273
00:17:18,250 --> 00:17:22,510
it. Otherwise, the two sides,
sort of can fight each other.

274
00:17:22,870 --> 00:17:27,250
And in a lot of companies, I see
the CISOs say, We're doing all

275
00:17:27,250 --> 00:17:30,700
this. But there's this DevOps
group over here, and I'm not

276
00:17:30,700 --> 00:17:33,820
quite sure what they're doing,
and they don't fully understand

277
00:17:33,820 --> 00:17:37,270
it. And so bridging that gap, I
think, is sort of where a lot of

278
00:17:37,270 --> 00:17:38,710
companies are fairly immature.

279
00:17:39,150 --> 00:17:41,310
Eveline Oehrlich: Yeah, I would
agree. I would agree with seeing

280
00:17:41,310 --> 00:17:45,960
that in our research. And you'll
be delighted to hear in our

281
00:17:45,990 --> 00:17:52,140
latest Upskilling IT 2022, which
report is out on our website,

282
00:17:52,590 --> 00:17:56,490
security, and cybersecurity was
the number one technical skill,

283
00:17:57,390 --> 00:18:01,830
even before even above cloud, so
that, you know, cloud computing

284
00:18:01,830 --> 00:18:06,150
skills and things like that. So
I think that's fantastic. So if

285
00:18:06,180 --> 00:18:10,800
people are out there thinking
about new careers, whatever

286
00:18:11,520 --> 00:18:14,400
changes you want to make
security, cybersecurity is one

287
00:18:14,400 --> 00:18:18,600
of those I wish, I wish I would
have followed John, way back

288
00:18:18,960 --> 00:18:21,900
into into this field. And I
tried to get my kids into it.

289
00:18:21,900 --> 00:18:24,090
Unfortunately, one is an
architect, the other one is a

290
00:18:24,120 --> 00:18:27,180
psychologist. So they never
really got interested in either.

291
00:18:27,930 --> 00:18:30,330
Brian Smith: Now, one thing I
heard along those lines is there

292
00:18:30,330 --> 00:18:33,420
was my data was from a couple of
years ago, but at that time,

293
00:18:33,420 --> 00:18:36,000
there were something like half a
million open jobs in

294
00:18:36,000 --> 00:18:40,980
cybersecurity was forecast to
grow by 2025 to over a million

295
00:18:41,010 --> 00:18:47,550
open positions. And some of that
is because at least at the time,

296
00:18:47,550 --> 00:18:52,380
and still is the job is so
manual. And so one of the ways

297
00:18:52,380 --> 00:18:57,480
we have to look at is automating
it, but not automating it away.

298
00:18:57,840 --> 00:19:03,780
But automating it as in
providing, making the computer

299
00:19:03,780 --> 00:19:07,230
these automated systems,
partners with humans that make

300
00:19:07,230 --> 00:19:09,690
the there are force multipliers
for the humans.

301
00:19:10,560 --> 00:19:12,960
Eveline Oehrlich: That gets me
to my next question, actually,

302
00:19:13,020 --> 00:19:18,180
because there is behaviors and
culture, right, which play into

303
00:19:18,180 --> 00:19:23,160
all of that, you know, if I
think of my family in terms of

304
00:19:23,190 --> 00:19:26,760
their laptops and their devices,
I probably could break in easily

305
00:19:26,760 --> 00:19:30,660
to most of them because the
passwords are, I can get them.

306
00:19:30,960 --> 00:19:34,770
But there's also there's more
than just on the client side.

307
00:19:34,770 --> 00:19:40,080
But there's other challenges. So
around humans and cultural

308
00:19:40,080 --> 00:19:44,280
changes, what have you seen and
what would what can you suggest

309
00:19:44,310 --> 00:19:47,430
to our listeners, what should
they do? What should they look

310
00:19:47,430 --> 00:19:51,330
out for? What advice can you
give folks how to respond and

311
00:19:51,330 --> 00:19:55,800
how to work within this
challenge of helping out in

312
00:19:55,920 --> 00:19:59,190
around organizations and both in
IT and business?

313
00:19:59,540 --> 00:20:03,230
Brian Smith: Yes. So I, you
know, I think, you know, part of

314
00:20:03,230 --> 00:20:06,650
this is what I was saying before
is that traditionally, this was

315
00:20:06,650 --> 00:20:10,310
viewed as a SecOps problem.
And so we could kind of

316
00:20:10,310 --> 00:20:12,410
compartmentalize it and say
that's their problem, I'm just

317
00:20:12,410 --> 00:20:15,950
going to focus on what happened.
And I think there's this growing

318
00:20:15,950 --> 00:20:20,360
recognition. And this is, this
is a good thing, that it is a

319
00:20:20,360 --> 00:20:23,420
business problem, and so that
everyone has a has a bit of a

320
00:20:23,420 --> 00:20:27,110
role to play, because you don't
want your laptop to be the entry

321
00:20:27,110 --> 00:20:31,340
point for a giant breach of some
sort. So some of this is just,

322
00:20:31,370 --> 00:20:36,470
you know, go, if you're a
leader, make sure you start

323
00:20:36,470 --> 00:20:41,570
training, have company wide
training on this. Because every

324
00:20:41,570 --> 00:20:46,790
individual should know what the
signs are of someone trying to

325
00:20:46,820 --> 00:20:51,800
trying to break in or trying to
fool you. Social engineering is

326
00:20:51,800 --> 00:20:59,480
a big attack. But the the, the
other that that sort of, from

327
00:20:59,480 --> 00:21:03,020
the human standpoint, from the,
from the, you know, frontline

328
00:21:03,020 --> 00:21:06,770
workers, people and in
non-technical positions, for people

329
00:21:06,770 --> 00:21:09,350
in technical positions, it
started building those bridges

330
00:21:09,380 --> 00:21:12,440
to the SecOps and not treating
them as the enemy, but kind of

331
00:21:12,530 --> 00:21:17,450
inviting them in to try to try
to work together. And I think a

332
00:21:17,450 --> 00:21:20,240
lot of the problem there is that
we, we almost talk in different

333
00:21:20,240 --> 00:21:26,480
worlds. And in those things, so
finding ways that we can

334
00:21:26,480 --> 00:21:30,830
communicate with each other so
that we can, the developers, for

335
00:21:30,830 --> 00:21:34,250
example, that are developing
application can pass along

336
00:21:34,250 --> 00:21:37,100
artifacts to SecOps to say,
this is the way I expect my

337
00:21:37,100 --> 00:21:41,210
application to behave. If it's
not behaving, contact me be that

338
00:21:41,210 --> 00:21:43,850
way. Because I want to know,
because we're all you know,

339
00:21:43,850 --> 00:21:47,660
DevOps, we're all responsible
for keeping our piece up and

340
00:21:47,660 --> 00:21:50,420
running, and we know our piece
better than any anything else in

341
00:21:50,420 --> 00:21:55,820
the world. So I see that kind of
role of DevOps, if they can

342
00:21:56,570 --> 00:22:00,110
establish those communications
of this is what my piece is

343
00:22:00,110 --> 00:22:03,140
supposed to be doing. That would
be that would be awesome. And

344
00:22:03,170 --> 00:22:06,350
we're kind of working on at
about about, about developing

345
00:22:06,350 --> 00:22:09,170
those artifacts that help
automate those processes. But

346
00:22:09,170 --> 00:22:13,400
then, in the the other parts of
the roles are, you know, there's

347
00:22:13,400 --> 00:22:18,170
typically like SREs or more kind
of DevSecOps, which are

348
00:22:18,170 --> 00:22:22,010
responsible for the full
platform security, and as

349
00:22:22,010 --> 00:22:26,810
opposed to individual component
securities. And so I think all

350
00:22:26,810 --> 00:22:31,160
of those have kind of roles to
play within this. But there's

351
00:22:31,160 --> 00:22:36,260
but it's, it's treating it not
as the SecOps problems, but

352
00:22:36,260 --> 00:22:39,920
SecOps being more of a coordinator
of how we how we deal with

353
00:22:39,920 --> 00:22:44,240
responses and sort of best
practices for longest, and then

354
00:22:44,240 --> 00:22:46,820
facilitating communication and
treat them as a partner.

355
00:22:47,330 --> 00:22:50,240
Eveline Oehrlich: I love that
when you said coordinator, I

356
00:22:50,240 --> 00:22:54,020
would actually sometimes think
that word means different

357
00:22:54,020 --> 00:22:56,270
things. Maybe it's more of an
orchestrator. But I think that's

358
00:22:56,270 --> 00:22:59,090
the same idea, right? It's said
orchestration, going out and

359
00:22:59,090 --> 00:23:02,270
bringing those folks together
because many of those folks have

360
00:23:02,270 --> 00:23:07,250
their own roles. And they have
their own projects and things to

361
00:23:07,310 --> 00:23:11,210
do on a daily on a daily list on
a daily the daily tasks.

362
00:23:11,240 --> 00:23:15,560
whenever necessary. I'm
responsible for whatever on call

363
00:23:15,560 --> 00:23:18,590
plus I'm supposed to be also
doing some development, but

364
00:23:18,590 --> 00:23:21,290
really highlighting that and
orchestrating what have we done

365
00:23:21,290 --> 00:23:26,660
now, that makes me think of this
is not something I have any done

366
00:23:26,660 --> 00:23:31,220
any research, but metrics,
sometimes. We don't, it seems

367
00:23:31,220 --> 00:23:34,760
like we don't measure the right
things. We don't incent people

368
00:23:35,540 --> 00:23:38,930
to be reaching out and
orchestrating right. Have you

369
00:23:38,930 --> 00:23:43,370
seen any, any specific examples
of organizations who say, Well,

370
00:23:43,400 --> 00:23:45,680
we're going to go and do
something completely different,

371
00:23:45,680 --> 00:23:50,540
we're going to incent everybody
on doing one security thing a

372
00:23:50,540 --> 00:23:55,460
week, or having little jam
sessions or little whatever

373
00:23:55,460 --> 00:23:58,760
those things are called
anything, anything creative.

374
00:23:58,760 --> 00:24:01,430
You've seen on on humans getting
together and saying we need to

375
00:24:01,430 --> 00:24:02,300
change something.

376
00:24:03,149 --> 00:24:06,809
Brian Smith: You know, the one
thing I think about is there's

377
00:24:06,809 --> 00:24:14,459
this this book called Thinking
Fast and Slow. Oh, yes. And it's

378
00:24:14,459 --> 00:24:18,509
about, you know, how did this
sort of help? There's parts of

379
00:24:18,509 --> 00:24:21,359
our brain where we really engage
our brain and our rational

380
00:24:21,359 --> 00:24:24,689
thought, and that's the thinking
slow part. And then there's the,

381
00:24:24,989 --> 00:24:27,749
I don't know, scrolling your
social media feed. And that's

382
00:24:27,749 --> 00:24:30,539
the thinking fast part, right?
Where you just kind of you're,

383
00:24:30,569 --> 00:24:35,339
you're doing what I think they
call the information scavenging

384
00:24:35,939 --> 00:24:38,879
where you're scrolling through
and just looking around, and

385
00:24:38,879 --> 00:24:44,819
that tends to be based on our
biological. It's the information

386
00:24:44,819 --> 00:24:48,389
equivalent of our biological
version of scavenging for food.

387
00:24:48,689 --> 00:24:53,009
And for us just looking around
and trying to find pattern

388
00:24:53,009 --> 00:24:55,169
matching. You're saying, Oh,
this looks interesting to go get

389
00:24:55,169 --> 00:25:01,889
or this is a threat. And what I
think once you there, one of the

390
00:25:01,889 --> 00:25:04,439
most interesting things is
trying to teach people about

391
00:25:04,439 --> 00:25:11,159
that and use it to train that
train the people not to kind of

392
00:25:11,159 --> 00:25:15,209
just click on things mindlessly,
because but actually spend it,

393
00:25:15,239 --> 00:25:18,719
but sort of see the warning
signs, train train them in that

394
00:25:18,719 --> 00:25:21,569
information scavenging to see
the warning signs and say, Well,

395
00:25:21,569 --> 00:25:25,769
that looks like a threat and
turn on the slow. And, and, and

396
00:25:25,859 --> 00:25:31,229
and think before they click on
that thing or do that, that I

397
00:25:31,229 --> 00:25:34,319
haven't seen too much in the way
of, you know, kind of what I

398
00:25:34,349 --> 00:25:36,749
what I think about metrics of,
you know, sort of dials on

399
00:25:36,749 --> 00:25:39,299
gauges. Yeah, thanks.

400
00:25:39,000 --> 00:25:41,610
Eveline Oehrlich: I think there
is still there's still some work

401
00:25:41,610 --> 00:25:46,170
to do in this in this notion of
the safety culture, and shaping

402
00:25:46,170 --> 00:25:49,530
that safety culture, as you
said, first, just quickly

403
00:25:49,530 --> 00:25:53,880
summarizing, so first, really
not just SecOps, but really

404
00:25:53,880 --> 00:25:58,740
the DevOps and the other side
of, of security, to bridge

405
00:25:58,770 --> 00:26:02,820
across to the SecOps folks who
do the normal things, and then

406
00:26:02,820 --> 00:26:06,900
for business to ensure that they
are aware of what's happening,

407
00:26:06,900 --> 00:26:09,990
right. So if we do design
thinking, for example, in that

408
00:26:09,990 --> 00:26:12,870
stage, right, if we do
development of products and

409
00:26:12,870 --> 00:26:16,440
projects, that we have that
awareness, and then for us, as

410
00:26:16,440 --> 00:26:20,190
individuals, no matter if we're
in it, and business in whatever,

411
00:26:20,820 --> 00:26:24,360
then we have a safety culture
and start helping ourselves and

412
00:26:24,360 --> 00:26:27,900
training each other and helping
each other out. So fantastic.

413
00:26:27,930 --> 00:26:30,720
Anything, any other thoughts you
want to share with us?

414
00:26:30,000 --> 00:26:33,000
Brian Smith: Yeah, the one other
thought is just, you know, in

415
00:26:33,000 --> 00:26:37,710
general, security tends to have
these trends. And one of the

416
00:26:37,710 --> 00:26:42,120
more recent trends was in the
shift left culture was we would

417
00:26:42,120 --> 00:26:47,640
try to build, get everything to
be invulnerable, before we

418
00:26:47,640 --> 00:26:52,770
actually shifted ship. And that
sort of, I've seen sometimes

419
00:26:50,190 --> 00:27:44,820
Eveline Oehrlich: That is that
is a that is great advice. I

420
00:26:52,770 --> 00:26:57,060
that sort of great being the
enemy of the good in the sense

421
00:26:57,060 --> 00:27:00,150
of, Well, once I do that, I
don't have to monitor anything.

422
00:27:00,240 --> 00:27:03,150
It's sort of like I've built
perfect locks on my house. So I

423
00:27:03,150 --> 00:27:07,680
don't need an alarm system. And
I think that's a not a pragmatic

424
00:27:07,680 --> 00:27:14,490
approach. So I think as we as we
go through this evolution

425
00:27:14,520 --> 00:27:16,890
towards, you know, sort of
understanding spirit, just try

426
00:27:16,890 --> 00:27:21,000
to be pragmatic about it, don't
try to vote and the focusing on

427
00:27:21,000 --> 00:27:26,850
risk is a good part of that. And
the focusing kind of what is

428
00:27:27,000 --> 00:27:30,480
actually happening as opposed to
what theoretically could happen.

429
00:27:30,930 --> 00:27:37,980
Is a good general trend. And
just don't let the the

430
00:27:38,250 --> 00:27:40,800
perfection over here be the
enemy of good.

431
00:27:44,820 --> 00:27:48,840
remember, Diego and myself at
Forrester talking about shift

432
00:27:48,840 --> 00:27:51,720
left many, many years ago. I
think we took too much of a

433
00:27:51,720 --> 00:27:54,930
theoretical approach at the
time. So what you just said,

434
00:27:54,930 --> 00:27:57,810
really thinking about that in a
programmatic way is great advice

435
00:27:57,810 --> 00:28:01,440
to our listeners. Appreciate it.
I have one more question has

436
00:28:01,440 --> 00:28:06,060
nothing to do with security.
What do you do it? And don't

437
00:28:06,060 --> 00:28:08,670
tell me you're doing security
things on the weekend. But what

438
00:28:08,670 --> 00:28:10,020
do you do for fun, Brian?

439
00:28:10,000 --> 00:28:13,600
Brian Smith: Oh, recently I've
gotten into tennis see, I have

440
00:28:13,600 --> 00:28:20,230
two boys. They're they're 18 and
21. Now, but my younger son had

441
00:28:20,230 --> 00:28:23,980
gotten really into tennis, from
about the age of nine. And I

442
00:28:23,980 --> 00:28:27,430
started playing with him. And
then he rapidly advanced and I

443
00:28:27,430 --> 00:28:31,300
couldn't play with them anymore.
So last year, I've been trying

444
00:28:31,330 --> 00:28:34,030
the last three years, I've been
playing tennis pretty

445
00:28:34,030 --> 00:28:36,520
aggressively to try to get up
the points just so I can play

446
00:28:36,520 --> 00:28:37,120
with my boy.

447
00:28:38,430 --> 00:28:40,170
Eveline Oehrlich: That sounds
great. Well, maybe there's a

448
00:28:40,170 --> 00:28:43,890
natural Roger Federer just
retire. So maybe there was a

449
00:28:43,890 --> 00:28:48,510
Roger Federer out there in one
of your sons, who knows, never

450
00:28:48,510 --> 00:28:52,140
know. Well, Brian, this has been
wonderful. We learned a lot.

451
00:28:52,200 --> 00:28:55,650
This was great meeting you great
chatting with you. And thanks

452
00:28:55,650 --> 00:29:01,050
for your time always interested
in viewpoints from the other

453
00:29:01,500 --> 00:29:06,570
groups such as security. If
folks want to learn more about

454
00:29:07,740 --> 00:29:11,730
your Spyderbat company, I guess
it's easy to find, but anything

455
00:29:11,730 --> 00:29:14,670
else you want to point out to
any white papers, any other

456
00:29:14,670 --> 00:29:15,210
things?

457
00:29:16,290 --> 00:29:19,860
Brian Smith: No, just it's one
thing in I guess the one thing I

458
00:29:19,860 --> 00:29:24,600
doubt in Spyderbat is that it's
got a free mode. So one of the

459
00:29:24,600 --> 00:29:26,910
things that's always annoyed me
about companies is where they

460
00:29:27,060 --> 00:29:30,690
you have to talk to a sales guy
and sign away things I want

461
00:29:30,690 --> 00:29:34,860
people just to try it,
experience it. And then if it

462
00:29:34,920 --> 00:29:38,700
turns out to be useful for you,
let's talk but just getting

463
00:29:38,700 --> 00:29:40,230
feedback is always good.

464
00:29:40,660 --> 00:29:42,610
Eveline Oehrlich: Excellent and
as an analyst I approve that

465
00:29:42,610 --> 00:29:46,330
because that's exactly what we
recommend to our vendors. Super.

466
00:29:46,630 --> 00:29:50,710
Thank you Brian this was
wonderful. Enjoy your upcoming

467
00:29:50,740 --> 00:29:55,030
day for me. I will enjoy the
rest of my day as well and

468
00:29:55,060 --> 00:29:57,670
everybody else here listening
into this is Eveline Oehrlich,

469
00:29:57,700 --> 00:30:01,420
Chief Research Officer DevOps
Institute with Brian Smith from

470
00:30:01,450 --> 00:30:05,080
Spyderbat. Thank you, Brian.
Have a great day everybody out

471
00:30:05,080 --> 00:30:06,250
there. Thank you.

472
00:30:08,380 --> 00:30:10,480
Narrator: Thanks for listening
to this episode of the Humans of

473
00:30:10,480 --> 00:30:14,020
DevOps Podcast. Don't forget to
join our global community to get

474
00:30:14,020 --> 00:30:17,380
access to even more great
resources like this. Until next

475
00:30:17,380 --> 00:30:20,680
time, remember, you are part of
something bigger than yourself.

476
00:30:21,130 --> 00:30:21,910
You belong.

