Jun 25, 2024
Episode Description
Sean Turner discusses his journey into the security field and his experiences working in startups. He highlights the importance of having clear roles and responsibilities, especially in the startup environment where security personnel often wear multiple hats. Sean also talks about the balance between strategic and tactical work, the challenges of keeping up with the ever-changing cybersecurity landscape, and the role of AI in the field. The conversation covers various topics related to AI security, data protection, and the challenges faced by CISOs. The main themes include the need for controls and filters in AI systems, the intersection of AI and crypto, the importance of education and automation in preventing security threats, the carelessness of some businesses in handling cybersecurity, the challenges faced by CISOs, and the future of the cybersecurity field.
[00:00:00] Adi: Welcome everyone to the Hands On CISO Podcast. Today, I'm joined by Sean Turner, who's been in the security field for the past decade. Today, we'll be talking about many different things from how he got into the industry and up to what the day to day looks like. Um, so Sean, nice to meet you.
[00:00:20] Sean: Hello, nice to meet you.
[00:00:22] Adi: Amazing. So before we get into anything else, how did you even get into security?
[00:00:29] Sean: I think in common with a lot of people in the, in the field, I just sort of fell into it. So like I was working in infrastructure engineering and, and, and sort of, I'd started specializing in DevOps, um, which, you know, people will have their arguments about whether it's a real thing.
[00:00:48] Sean: Um, but essentially I started working more closely with developers with an operational background, um, for a few years. During the time of the business school and then subsequently at some startups and small businesses and various places and I think one of the first so my first non academic related job, if you like, um, after leaving business school and then, you know, and running infrastructure there for several years, uh, was a fintech startup.
[00:01:21] Sean: Uh, a robo-advice startup, um, and their first challenge for me was like, hey, our, our investors. So people who are important to the success and continuance of the business want us to get PCI DSS FAQD. I'm like, that's not really what you hired me for, but let me take a look. Uh, and, and, and from there it was like, you know, actually ended up through my year or so that I worked there.
[00:01:45] Sean: built their sort of DevOps and their pipelines for their building application and did all that sort of nice stuff. We're working with dev teams and making the infrastructure sync, but also worked with facility management, the board, the investors on what security looked like at Wealth Wizards, as the firm was called.
[00:02:05] Sean: Um, and which they've carried through, uh, but, but my replacement then went on and implemented things that I'd recommended and, and, and we did, yeah, they, they'd started doing security and taking security seriously while I was there, um, doing it as a side of this project. Um, and essentially I was, I was their information security lead, but, um, probably without, without the C bit at the beginning of that title, you know, I was essentially responsible for technology and then information security as a secondary, um, uh, activity.
[00:02:38] Sean: But then I went back into DevOps more heavily, went back into sort of Kubernetes stuff and started specializing in that sort of container orchestration and scaling kind of problems, uh, for some larger businesses and, you know, as part of contracts, um, and working for consultancy for a brief period as well.
[00:02:55] Sean: So I went out of, went back out of security for a bit, uh, but then got more heavily back into it, um, later on. Because I worked for, I took a job at another startup for, again, doing, leading, leading DevOps for this startup. And then they were like, hey, can, by the way, can you do all of the security stuff as well?
[00:03:11] Sean: I'm like, yeah, sure. Yeah, just, just maybe you should change my job title. Uh, so then it was like, yeah, okay, obviously. So, uh. Make, make things happen. I was like, okay, thank you. Uh, that was the kind of empowerment and culpability that I needed to make the things happen. You know, the title was a silly, it sounds like a silly thing, but it's like every time we have this discussion, we're like, oh, well, we want to hire you as information security manager or, oh yeah, we don't want to intimidate sort of the CTO or whatever, and you know, I'm like, no, hire me as a CISO and tell me that I'm responsible for security, and then, you know, when security goes wrong, you can, you can blame me and there'll be more responsibility to fix it and, but there won't be any ambiguity where the, oh, yeah, by the way, this guy, uh, has, you know, guy or girl has an opinion over here and it's like, no, no, security stops, the buck stops here, right?
[00:03:59] Sean: Let's, let's, let's, let's put that one, get that one, right. And then, you know, whatever other stuff I end up doing because it's a startup. So be it.
[00:04:08] Adi: Interesting. Do you think most startups start out that way that it's like. The person doing security is kind of someone who's not actually security, but kind of falls into there.
[00:04:20] Sean: I think sometimes, I think it depends on the nature of a business and the size of a business. But I mean, if you consider the typical ratios between operational staff and, uh, development staff and security staff in a business, even, even in a fintech. Uh, security staff is going to be by far the smallest, um, percentage.
[00:04:40] Sean: And 20 of you and you've got, uh, you know, a security person and, you know, you're actually, you know, your percentage is up to like 5%, whereas in a larger business, there might only be 1 percent of people working in security. Or even less, um, even in a bank, you know, because they have so many staff, um, the security team still quite tends to be still quite small by comparison.
[00:05:04] Sean: So I think when it comes to a startup, if it's just, if it's a very security focused startup, not necessarily a cyber security startup. So it's a pure play on security startup. They don't often have a security person responsible for security for the business. They're just like, yeah, we'll dogfood this stuff and they do it well or badly as the case may be.
[00:05:25] Sean: But, um, if it's, if it's something where security is, is fundamental. And I think that's where the, that's where the sort of a twin state thing came in with, you know, if. If we get this wrong, um, we will lose business. We will lose clients. We will, we will lose their faith and trust. You know, more so than getting operational stuff wrong.
[00:05:44] Sean: Um, we won't be able to compensate or reimburse people as well in the security space where we've lost our reputation. If you like, Kraken had a similar thing, you know, the whole sort of, we're the most secure exchange thing, um, but they have the luxury of having a hundred people to, to, to work on that.
[00:06:03] Sean: And yeah, here it's a lot more hands on. Um, and yeah, so I think, yeah, the, the The ratios and the way it works with different types of startups, a lot of startups will, a lot of small businesses actually will get their security expertise from a fractional CISO, or from an arrangement or consultancy, or from a managed security services provider or something like that.
[00:06:23] Sean: Um, and then you become a certain kind of size or level of criticality before you actually end up having your own kind of secure, dedicated security resource, who then can tap into those resources to, to, you know, to grow without growing, if you like.
[00:06:39] Adi: Yes. And just say, how is being in the company that you started in different from what you're doing now in terms of like your day to day,
[00:06:48] Sean: oh, well what are we, what are we defining?
[00:06:49] Sean: Is it when I started the, the first startup?
[00:06:52] Adi: The, well, yeah. That told you you're security.
[00:06:55] Sean: Yeah. Yeah. I think it's, it's, it's, yeah. Chalk and cheese, really, um, there we were building things that we were the typical kind of this. Well, it's a typical kind of building a funded startup building products for a market that we were either making ourselves or didn't exist yet.
[00:07:18] Sean: So it's a sort of robo-advice back in 2016, um, building things that people weren't necessarily asking for. But we thought that there was going to become, you know, kind of a market and a marketplace for it, as you could see in recent years. That's that's certainly happened. Um, so taking something quite non sexy, pension advice, and then turning that into, you know, online and online offering, um, and there are lots of.
[00:07:47] Sean: It wasn't B2C. So there was, but there was consumer data there, then there was sort, there were data integrity considerations. There was a certain amount of concept of consumers actually paying us through the white labeled offering. So there were a few things there that, that don't exist in our, in this institutional B2B space.
[00:08:05] Sean: So I'm in now, uh, around. People's, you know, personal data, you know, actually having users who are, who are end users, um, and, and having, but also having, we also have the B2B relationship with the white label stuff as well. And I think the way in which it's similar, and the way in which all of these startups have been similar when it comes to leading, leading in security.
[00:08:25] Sean: I've been that it's that your number one customer is almost the investor, uh, in terms of getting security right in the, if, if you don't get security right back, that might be who moves first. And if you, if you lose the investor, you know, I think on the stage of a business that back and hurt quite a lot, certainly it would have, it would have made well, for us, it's all pretty flat.
[00:08:46] Sean: They were very, um, funding driven, very high burn. At the time I started securing credit card facilities for the Kraken acquisition, um, it was essentially the acquisition that was on the line. Um, if we didn't get security right, if we'd been hacked and not had our security right during the sort of six months between finding out about the acquisition and the acquisition actually happening, um, it may not have completely shuttered the acquisition, but it may have affected the bottom line, may have affected the acquisition price or, you know, changed the terms of a deal in some way.
[00:09:20] Sean: Um, and it probably would have had a very negative impact on my role as well, because I went on and worked for a subsequent three years in, you know, in senior positions. And clearly, if a startup I was working for at the time of acquisition has been hacked already. That might not have played out quite the same way.
[00:09:37] Sean: So that was higher stakes. All around.
[00:09:41] Adi: Oh, and what was your, like, right now, what does your actual day to day look like? What is the kind of work that you do?
[00:09:50] Sean: I mean, today isn't a great example because today was like, um, pick apart some of, some things that happened on Friday and over the weekend for a post mortem.
[00:10:00] Sean: Not in the security space, but in the operational space. Next. Um, followed by, uh, uh, having to do a little tiny bit of daddy daycare, um, as well, I've had some appointments, uh, and then, uh, and then sort of prepping for this and figuring out what the next steps are with that post mortem type stuff. As well as I had a couple of outstanding tasks on Friday, which were more security related around credentials to save and checking with some day to day processes were working correctly because they don't get looked at as closely over the weekend.
[00:10:37] Sean: They still get looked at, but not like with with a magnifying glass. Um, on the, on the back of the incident, I think we can actually look more closely at a couple of things this morning, um, which are very, close to the infrastructure, very, very, very, very much like, um, individual contributor level stuff.
[00:10:59] Sean: Um, but then I, I'm also concurrently preparing a strategy for the next quarter because we're towards the end of Q2 here. Um, so that's happening, well, that's already happened weeks ago, but it's still in the notes of my phone, so I haven't really prepared it yet. Um, and so, yeah, you kind of, you, you, you chop and change, uh, contacting a supplier about getting some stuff delivered by the end of the week, but we need for the data center, uh, because just like some of my other roles, um, I've kind of, I've kind of inherited some infrastructure, uh, responsibility based on, um, it's actually good because if you work at a startup and you've got more than one hat that you can wear, you've been, you, you've often find that you're required to wear more than one of those hats.
[00:11:49] Sean: To get the job done and make sure that the business is pushing along and sinking as nicely as it can. Um, so yeah, I've had to do a lot more infrastructure stuff recently. We put a little bit of security stuff on the back burner. Um, and I think we've had the luxury of being able to do that because We got it right for the first 18 to 20 months, uh, and got that, got all that stuff in place.
[00:12:13] Sean: So that now my strategic items look a lot less scary than, you know, basically implement everything from scratch, uh, implement single sign on, MFA. Yeah, we have gone from, we have nothing to actually now we're just refining and honing and improving things and making incremental improvements. Um, which is a challenge in itself, because I think to a certain extent, the business can expect like the big strategic projects.
[00:12:37] Sean: So you're like, well, actually, you know, I said, we could just go back and reflect on all of this stuff that we already did and just tweak a few things. Uh, and it'd go a bit tactical for a little while. Uh, it's like, yeah, but what are you actually going to achieve? What are your deliverables? It's like, well, I just want to make sure everything's working before I carry it on.
[00:12:53] Sean: Uh, but we've got our own challenges in the, in the sort of, you know, the, the startup fundraising space to, to deal with and then. Regular questionnaires, DDQs from interested parties, customers, investors alike, um, to keep us on track and keep us honest. Uh, and every time we write something in one of those DDQs, like as a response, I've been, I've been tasked with making sure that whatever we wrote in that response reflects reality.
[00:13:22] Sean: So if it says, oh, by the way, yeah, when they say, oh, do you have this? I say, well, no, we don't have it, Q3. So, okay, well, I probably better go have a look at that.
[00:13:33] Adi: Would you say it's correct to, to say that most of your days are kind of like the things that happen and it's more that every day is different than the other?
[00:13:45] Sean: Well, yeah, I mean, some of them are planned out in advance and there'll be, there'll be a day, you know, day full of meetings occasionally. Um, thankfully quite occasionally about that is the style of, style of business we're doing here. There'll be days where I, where I travel somewhere for something, a conference or for to, to meet colleagues or whatever.
[00:14:03] Sean: Um, there's some of the stuff is, is well known in advance, uh, some of the activities have to be done that don't have to be done at any specific time and some things that happen at work at the office, you know, if you like, um, the office virtual, uh, require response. Uh, so there's, there's a, a, a mix, a blend of tactical and strategic stuff and the reactive and proactive work that's probably approaching 50 50 for me.
[00:14:32] Sean: Now, uh, but in the past, it's been way different to that. It's been sort of 95, 5 or, or, you know, 10, 90, the other way, uh, depending on what week of the year it is, uh, what, what, what's current, you know, what, what, what we're planning to do. And, you know, we spent a couple of weeks on, on some stuff that was purely strategic, uh, and some of it was, what's the word?
[00:14:57] Sean: Some of it was sort of, um,
[00:15:02] Sean: Some of it wasn't necessarily going to come off, but it required us to put a lot of effort in anyway. Um, so yeah, sometimes we're preemptive and proactive. Uh, and other times we're just people saying, oh, can you do this by the end of the week? Uh, and it's a bell. It's about three days worth spread across three or four people, um, but most people have still got other stuff to do and one of those people's probably me, uh, so yeah, but they'll be, they'll be, they'll be all hands upon kind of events as well as.
[00:15:35] Sean: Carefully planned out, you know, and, and, and plans saying, no plans. You know, favorite quote, no plans survive first contact with the enemy. Um, there's not there, there's not always an enemy in this context, but I guess the, the enemy, the enemy is usually time when it comes to that. Uh, no, no plans survive Monday morning, right?
[00:15:55] Sean: Uh, and you think, well, this week I'm gonna achieve this. I mean, you go to the end of the week, so, well, I achieved absolutely none of that. But here are the metrics of what we did achieve in terms of. Revenue improvements, you know, like it's like, okay. Yeah. So we, we, we did all this. Uh, we put those things first because growing with business has always been quite top of our list.
[00:16:18] Sean: It's not as a security person, it shouldn't always be, but as somebody pulling the same way as everybody else in the startup is, um, if that's what you need to survive and to make and to justify the things, you. To justify the projects you want to do next quarter, you've got to grow this quarter, right? Um, so it's finding that balance of it.
[00:16:41] Sean: It's true for all technology and leadership functions, that finding a balance between getting things right, dotting the i's, crossing the t's, and then growing at a crazy pace so that you, uh, keep up with competition or preferably beat the competition, um, and become, you know, Keep a business as, as a, as a, as a viable, um, and fast growing, um, opportunity for people and keep it an interesting place to work as well.
[00:17:06] Sean: I wouldn't have it another way.
[00:17:09] Adi: So kind of doing everything at the same time and doing it the best you can.
[00:17:14] Sean: Yeah, and knowing what stuff, knowing what stuff you can deprioritize, knowing what stuff's nice to have, you know, going, well, look, this is my roadmap, And when you get to the point where you haven't really delivered all of that, and you think, well, okay, the bits will be deprioritized.
[00:17:31] Sean: The whole landscape changed, you know, it doesn't take a quarter for the landscape to change. It can take a week for the landscape to change around this stuff. Working in crypto is no, no, no, two, two days or weeks or months of the same. Things go in and out of fashion. And, you know, we had some projects to like, oh, yes, let's, let's harder and improve the infrastructure for this.
[00:17:52] Sean: And then we find out that that's actually a waning part of our business and other parts of business is just exploding. Like, you know, going, going bigger and bigger at the same time. It's like, well, let's harden the infrastructure for that. And then leave the other one till afterwards. We make sure we don't miss it completely, um, because we have to maintain things working.
[00:18:15] Sean: And things secure, but we also have to maintain consistency across that. And so it's like, whatever we did, whatever we piloted, whatever we see for this project, we need to make sure we now apply that consistently across all the other projects. And that's more of the grown-up CISO thinking.
[00:18:37] Adi: A version, what's the other version of
[00:18:38] Sean: CISO?
[00:18:40] Sean: Just sort of, yeah, the naive starter. Oh yeah, we'll just do, we'll just do that. We'll finish implementing that and it will work. It's like, well, you finish implementing that and you'll grow your maintenance overhead for things that need to be looked at so they carry on working. Every time you implement something and you go, yeah, that's all shiny.
[00:19:00] Sean: It works. It's fantastic. You then have to. Think actually, and I'm going to have to revisit that in about 3 or 4 weeks to make sure it's still working. It's still fantastic. And then I'm going to have to have a regular cadence of like, yeah, all this stuff that needs revisiting and the pile of stuff that needs revisiting just grows and grows and grows.
[00:19:17] Sean: And that sort of BAU capability, um. I think a part of doing this stuff lean, is lean a good word for this? That you're doing lean security, if you like, is, um, selecting the products that don't have the massive overhead, selecting the things that just work and just, just run by themselves and that don't require you to hire three people to run it or.
[00:19:43] Sean: Host it yourself and run it in a data center, but then knowing where it's not acceptable to do that. And there were lines drawn at Kraken and it was like, okay, so security software has to be self hosted. And that was just a rule, um, that ruled out some of the products we wanted to use. Um, it may have been relaxed.
[00:20:02] Sean: So I'm not sure. Uh, but then it's like, okay, so other software, you know, crazily other stuff, software, like, you know, personnel management software. So stuff where you actually got a massive attack surface was, was, was SaaS, but then the software used to scan the security, scan the stuff for security purposes was self hosted.
[00:20:20] Sean: It's like, which almost felt like the wrong way around sometimes. It's like, actually, you know what, this is what we're trusting with our staff data is actually really important. Um, I mean, not for me to question my decisions, uh, just, you know, the top of it felt a bit off. And, and, and we, but then the security team actually went and found problems with the SaaS offering and reported them back to the SaaS provider and said, here are the problems with your software.
[00:20:43] Sean: And I was like, okay, that's, that's quite a mature security team at this point.
[00:20:49] Adi: Wow. How do you keep on top of like everything that keeps changing in the cyber field? I feel like All the time, there's new things coming out and different things are happening. And at the same time, you have all your things that you already have to do regardless.
[00:21:04] Adi: How do you balance both learning new things and doing the things that you already know you need to do?
[00:21:12] Sean: I think a combination of half a dozen WhatsApp, Telegram, Signal channels, uh, LinkedIn. There's not really much useful information on Twitter, I don't find, but LinkedIn is valuable. Um, actually, some of my, some of my intelligence about security I get from the BBC News app on my phone, which tells me about some things before the security community know about them.
[00:21:41] Sean: I just like, you know, such and such got hacked and because my, and it'll happen in the U.S. sort of daytime, uh, you know, the press release will happen in the U.S. daytime, so the BBC News app on my phone pings me, and I won't, if I just relied on security, um, industry communication in the U.K., I'd get it back like 9 a.m.
[00:22:00] Sean: the following morning, so I've got a few hours of, of heads up there. Obviously, I've then got more noise and more things to look at, but I've. I don't have to just have an exact on my phone for security, right? I have it just for general interest. So some of the things are just, yeah, just having your head in the right space and having the right things going on around you, being in the right groups of people and surrounding yourself with the right people, having the right connections on LinkedIn, um, you know, and being proactive about that.
[00:22:30] Sean: I think the right connections on LinkedIn, it helps if you've got, you know, the guy that used to be the head of GCHQ on your LinkedIn, because then you're going to see what he's posting. What current thinking is in national security and you're not going to get that, but that kind of level of value from looking against his website, right?
[00:22:50] Sean: I guess. And then if you can, um, you know, attending in person events, um, a daytime event, probably once a month, evening event, two or three times a month. Um, obviously it helps if you can travel to somewhere like London or, or wherever's your nearest sort of major hub for that. In the UK, London's good.
[00:23:12] Sean: Manchester's sort of okay. Birmingham's a bit quiet. Generally, I lived near Birmingham and ended up traveling to London and back a lot anyway. I now live closest to London, so that's useful. Um, Yes, so getting that kind of in person touch points, um, organizations, either belonging to organizations or just following and learning from the practices of organizations.
[00:23:36] Sean: I was, in particular, um. So I'm the chapter lead for OWASP Peterborough, uh, along with a couple of other people, uh, who run sort of Peterborough Cyber, Peterborough, if you like, um, so that's, that's handy, although it's more of a social thing and, and I don't think we have quite as formal and it. Knowledge sharing stuff going on there as in other communities that I'm aware of.
[00:23:59] Sean: OWASP in general has quite a strong knowledge sharing thing and again, OWASP London is huge and incredible scale and quality of presentations and stuff we would never try to compete with, um, as a chapter. Um, CSA similar, so CSA UK chapter, which I'm the co chair of and actually the acting chair of because the chair is on the paternity leave.
[00:24:22] Sean: Um. We're, we don't do as much as the CSA globally, the Cloud Security Alliance globally. But what we do is more UK specific and more sort of tailored to our audience and we'll have different themes and stuff. So while the CSA Global are going off and doing this massive AI push, uh, they're doing AI and crypto big style.
[00:24:46] Sean: We're still focusing on identity management and cloud security and sort of SaaS security and most kind of sort of more niche areas, but are more relevant to some of the maturity levels of the businesses that we work with. Um, so we're not necessarily working with like the hugest, you know, the biggest businesses in the world here, um, and they have challenges at the more basics of that world, foundational level, uh, to deal with before they start getting obsessed with AI, um, get you get the basics right first, so you learn to walk before you try and run.
[00:25:20] Adi: How much do you see AI? I've been hearing a lot of different things from CISOs about, like, how much does AI actually affect your day? Is it interesting to you? Do you deal with anything related?
[00:25:38] Sean: It's been of interest to me for many years, and I know there are going to be lots still coming out of the woodwork to say that, but, uh, I've been attending sort of, um, um, an AI meetup since about 2018, 2019, basically since the inception of the meetup, um, and we used to do hands on sort of hacking sessions, you know, learning how to do stuff with language models and how to do a bit of basic data science, you know, crack open a Jupyter notebook and make something happen.
[00:26:05] Sean: Uh, which was useful and it's sometimes useful in my day job, um, just real basic like Python stuff. Um, yeah, the, the sort of the large language model, you know, kind of like hype cycle AI stuff. Um, some of my peers and colleagues have been using it to write some code, which works to a varying degree. Um, And generally speaking, it becomes a prompt engineering exercise.
[00:26:31] Sean: And if you know what you want the code to do, and you can be very specific about it, it will write the code. And then we had a great one the other day, because we got ChatGPT to write something that we knew exactly what it was, what it was supposed to do. Or at least I did. And my colleague, um, wrote it and I said, well, that's not quite right.
[00:26:48] Sean: I'll tweak it a bit. So I tweaked it a bit, but he fed it back through ChatGPT. But it was written in bash and, and it'd be much easier for me to play with if it was written in Python. So we just got ChatGPT just to translate the entire logic of the thing from one language to another. And I was like, that would have taken me.
[00:27:06] Sean: Ages, and that's incredibly, you know, incredibly good use case for it is you take something that's can be automated, that's succinct, you know, it's already well described enough. So the best way of describing a piece of code is to, is to write the code. That's, that's the only real way of describing like software is to actually, you know, it's like, oh, yeah, we'll get, we'll get AI to write the code.
[00:27:32] Sean: Yeah, but who's going to write the prompts for the AI to write the correct code? Um, and that's a different generational paradigm when it comes to AI, that's, that's not, it takes you out of machine learning, takes you out of your large language model and building a model based on information that's already on the Internet into sort of more machine reasoning and explainable, uh, stuff.
[00:27:54] Sean: And though those areas haven't improved as much. Um, everything's sort of around this, sort of, hey, let's get a big pile of GPUs and put the internet in one side and get this clever thing out the other side. But the whole, sort of, let's improve how the AI thinks, let's, let's take it from, you know, toddler level reasoning with a, with a problem the size of a plant.
[00:28:18] Sean: To, uh, to behave even more like a human adult, uh, when it comes to when you ask it to do stuff and when it comes to the ethics around what you ask it to do and not being able to fall into doing things it shouldn't do, uh, let's take, we, we haven't managed to delete any of its naivety, uh, and we shouldn't expect to have managed that because it is essentially like training.
[00:28:42] Sean: A child, um, and if you train the child on the contents of Twitter and you don't get a very pleasant child, unfortunately, uh, so you're going to have to put some controls around that. I'm aware of people, you know, you sort of some people, some well known people in the security community, um, are creating products around AI security.
[00:29:03] Sean: Uh, and doing some, some fairly, uh, high level consulting around that stuff. So, uh, Gaddy Everon, Denise Kruse started to push into this space and there's a couple of other, um, you know, practitioners who have gone, well, let's take AI and make it safer. Uh, and let's make it safer so that it's more secure. Uh, this is with a, with a understanding and appreciation of the distinction between safety and security in the first place.
[00:29:33] Sean: Let's make it safer so that it is more secure. But on the other hand, let's sample access and filters, so it's more secure without having to make the AI itself safer. Uh, you can actually, you know, wrap some stuff around it. Uh, and yeah, and another, another peer of mine just said, well, we just put our, um, we put our DLP.
[00:29:55] Sean: Uh, software, so the data loss prevention, if that's what it's called these days, um, software in front of ChatGPT, in front of like a business version of ChatGPT, so that people couldn't paste stupid things into it. And if they try and paste like, you know, customer database in there and say, can you take this database without anonymizing it, the DLP will go, ping.
[00:30:19] Sean: No, you can't do that. I'm not going to pass this to GPT because it's full of stuff. Um, you know, Jim Newman described that and that was, uh, nine months ago he was talking about it. So it must have been like a year ago. Um, But yeah, we describe this, you know, basic system for allowing people to use it without worrying about what they're, you know, worrying about, A, what they might put in there and B, training them what they should and shouldn't put in, but, uh, but for applications like, A, any prints and numbers off the internet, so our, our sort of, yeah, because we've been using it for like creating, generating scripts to do crypto metrics and all the data is public in We're not putting client names in there.
[00:31:00] Sean: We're putting addresses of validators and stuff in there and all that stuff's on the public blockchain. So that crashing together of crypto and AI, it's like, well, all the data is public. So AI can have a field day with, with, with crypto, you know, data about crypto, um, And there are some applications of that to actually tracking and tracing where crypto is going.
[00:31:21] Sean: You're doing the flow flow analysis of crypto and all what sort of chain analysis have been doing since the early days of elliptic and people like that took over doing some similar stuff for. Essentially making crypto, I don't know if it's more secure, but more, um, auditable and more tenable for the national governments to, to allow it to continue to exist, uh, and not try and regulate it out of existence.
[00:31:48] Sean: Uh, you know, the sort of applying AML and KYC to crypto, uh, which is a heavy focus of what, of what we're doing. Um, but we, we consume most of that stuff as a service. We don't, we're not building that stuff ourselves. Um, so the sort of the crypto compliance stuff with largely part of human people and staying without our own, you know, staying with what our business does, which is running crypto validators as well as possible.
[00:32:12] Sean: Um, but we are starting to get requests around the compliance space for that becoming more sophisticated, um, becoming not just, hey, who does this money belong to in the first place? It's more like, where is this money being and stuff like that. Um, And you, you saw your global sort of sanctions landscape and all of that stuff, um, plays into that, those considerations when you, when your clients are worried about putting funds on the, on, you know, on a public ledger, uh, what they might be mixing them with, not mixing as in a literal crypto mixer, but what they might be seeing side by side with on a validator or something.
[00:32:53] Adi: If I go back a few minutes ago, you were talking about like what people who work at the company can do and can't do. And like, in terms of honest mistakes, like people who do things that could harm the security, how much of the, how do I put it? How much really is the responsibility in the hands of education, like explaining to people what they can and can't do versus automation of, we know people are going to make mistakes, so we're going to.
[00:33:34] Adi: Make sure they can't.
[00:33:37] Sean: So the inside of threat landscape is an interesting one because somebody put together something about it the other day. Um, one of my peers, I forget who says something about, uh, accidental, uh, accidental sort of naive versus intentional versus. Actually with someone else, uh, you know, you're so sort of like your APT about system track the, the, the laptop in fact, uh, so it's the user's identity has been used, but not the user themselves.
[00:34:12] Sean: That's the one way your technical controls are going to come in. Stronger. Uh, but there's still some awareness there, you know, don't go to stupid websites. Don't use different browser, browser profiles, use a different browser for some stuff, you know, don't do really stupid things on your work laptop, that kind of like, if you have a work laptop or whatever your work device is, you know, don't, don't download.
[00:34:36] Sean: Malware, uh, don't download hacked stuff on, on, on your work device, which sounds like common sense, but I mean, it's good to reinforce that common sense with some learning.
[00:34:46] Adi: I recently heard, I was talking to a CISO and he told me that someone in his company, one of the people like higher up was using Grammarly without talking about it.
[00:35:00] Adi: And, like, he didn't think it was a problem and then suddenly it came up and it was like a whole thing of, I was sure I've got it.
[00:35:11] Sean: Yeah, so this is another category. So was that because Grammarly, was Grammarly compromised in some way or was it more of a I
[00:35:17] Adi: don't think so. It was just about, if you're, once you're using Grammarly, Grammarly has everything you've got.
[00:35:26] Sean: Same with, uh, we recently had it with a, um, like a, uh, code, an API testing sort of tool, um, when it turned out that they were loading all the payloads to the cloud, even if you use the tool locally for analysis, and
[00:35:43] Adi: this
[00:35:44] Sean: is, there are lots and lots of SaaS companies that have lots and lots of data that they should or shouldn't have.
[00:35:53] Sean: Um, And you, you sort of, you have to have a level of tolerance for that if you want to use the product. What you kind of hope is that the SaaS company, by looking at their compliance information, by, you know, talking to their security people if necessary, getting their sort of security reports. But that would be a good security posture themselves not to get hacked and leak your information via, so the third party risk landscape is.
[00:36:16] Sean: But
[00:36:16] Adi: that's just assuming that you as a security person even know about that because if someone in the company Yeah,
[00:36:24] Sean: the idea of like, knowing what's, knowing your users are doing with their devices, um, We're not quite there yet, uh, but it is bordering on sort of spyware, uh, but also analyzing the data is not easy.
[00:36:43] Sean: Um, so we, we, we rely on, you know, best in class, anti malware, um, and some end user device controls, but they're quite light touch. Uh, I'm looking at some more sophisticated stuff that would stop people running things that could be malicious, but none of those things would, Kick out Grammarly as, as specifically as a, as a, you know, as a, as a vector, um, without you going into the control panel of those softwares, uh, those agents and actually inspecting and looking and saying, Hey, this guy's got a Grammarly installed.
[00:37:21] Sean: And then thinking, Oh, okay, that could be a problem because X. Uh, so that's, it's, it's, it's a slightly different level of paranoia and integrity. Um. We're currently, we're currently applying. I'm not saying it's not valid. What I'm saying is that you should get your basic device controls in place first and worry about it a little bit later.
[00:37:45] Sean: Um, more worried about people accessing things that they shouldn't. Intentionally or otherwise, um, people compromising devices and users accounts. I feel it because those things happen more often. Uh, you look at the, you know, look at the frequency, we always look at the likelihood or the probability of something happening as well as the impact, right?
[00:38:08] Sean: And the probability of a Grammarly thing is obviously really, really high, but the impact is potentially quite low. Depending on what type of data it is, they're using it for, um, and if it's to help with them writing a report, how sensitive is the report? Is the report sort of confidential? And so, um, James McKinley would love this one because he would point out that You then need to label your stuff.
[00:38:36] Sean: You need to, you have to get obsessed with labeling things as like confidential, private, or, um, which I sort of, I kind of agree with, but I don't work in the same sector as he has been, um, and that kind of like, if it's confidential, don't use Grammarly on it. If it's sort of You know, if it's sort of business wide access, then maybe Grammarly is fairly safe.
[00:39:01] Sean: Um, but yeah, if you are processing things that are genuinely confidential, it's, it's fairly rare that something would be classed as confidential rather than restricted in most sort of, you know, private sector environments. Confidential would probably mean that you're doing work for something that has a higher level of integrity or a government agency or something.
[00:39:22] Sean: Um, it can be company confidential, but that's more, that, that means you can't set the restricted rather than confidential. This is like, shouldn't go outside the business, versus should only be seen by very specific people. And that's the sort of thing that you shouldn't be allowing them to use Grammarly on, whether you can do that for a technical control or whether you can do that, whether you do that through education.
[00:39:42] Sean: The good thing is if it is, if there are people working with genuinely confidential stuff, that's going to be a smaller audience to educate. And you can put them through some additional training, uh, and tailor that to them and that use case, rather than having to have the whole company understand, you know, what, what it is they're working on and why it shouldn't go through that sort of software.
[00:40:04] Adi: What would you say currently is the biggest, um, issue or threat in cyber security?
[00:40:11] Sean: I don't know. I'm, I'm, I'm, I'm still kind of, I'm still kind of deciding between sort of naivety and, so naivety when it comes to people, but when it comes to businesses, there's a, there's a stronger level of the naivety, which is, which is basic carelessness.
[00:40:38] Sean: Um, there are businesses that are genuinely careless about cyber security, but they don't, It's not even on their radar, they don't, and some of these businesses are entrusted with crazy things like the blood records of millions of patients, and what diseases they may have, and what their blood test results are, and where they live, and what their date of birth is, and all of those things we use as identifiers for these people.
[00:41:04] Sean: or somebody's, you know, big companies losing people's pension data. I mean, that's a personal, personal one. Um, so the same company that lost my USS pension data also lost my commentary city council, council tax records. Uh, both of those things were compromised by the same, same fracture against the same third party.
[00:41:27] Sean: Business that didn't get things right. And they're a huge business who awarded government contracts, left, right. And center who passed all of the government sort of controls. And yet they just don't do it right, but they just, they just don't take it seriously enough and their answers about of turning around and giving people like, Hey, we'll buy you a, you know, we'll buy you an experience license for a year.
[00:41:50] Sean: It's like, seriously, that's, that's not good enough for literally losing. Not only like, you know, head shopping was a real goal for me. Cause I was like, you've not only lost my identity, my information, personal information. Including fairly sensitive information, salary details, and you know, where I live, date of birth, and when I'm retiring and all that sort of stuff.
[00:42:10] Sean: You've also lost my beneficiary information. So you've lost my children's information to criminals, to different actors who are, who are using this information to hack, to hack people and compromise people. And it's just a horrible, horrible place to be. And a horrible, you know, thought of like, why do you So wrong, are you going to so badly wrong when you, you know, and so, yeah, I think, yeah, just about general, like, it'll be fine.
[00:42:40] Sean: You know, we, we can, we can get away with it. Um, we have a result for massive data, cloud data, warehouse company, recent news. Um, and it's doesn't enforce, doesn't enforce MFA controls on customer accounts. Uh, because that's a customer's responsibility. And Amazon used to have the same problem. They used to not enforce MFA on Amazon Web Services and say it was a customer's responsibility.
[00:43:09] Sean: And then so many people got hacked through S3 compromises and stuff. But actually, we can't really just wash our hands of this and say it's a customer's responsibility anymore. Literally every company in the world has been popped by somebody looking at their Elastic or their S3 information that they made publicly accessible because they didn't know what they were doing.
[00:43:29] Sean: So a default to secure thing so that you take you, you know, but the, the SaaS providers and the infrastructure and service providers. Then protecting against the naivety in some way, having those technical controls. Did that answer the question ?
[00:43:44] Adi: Well, yes. That, what is, what you think is the biggest problem right now?
[00:43:52] Adi: But I'm wondering, like, when you tell me all that I'm thinking. But these companies must have CISOs, I'm assuming, right? So like, what are they thinking? What is happening and how does that work?
[00:44:07] Sean: I don't really know. Some of them don't. So there's one particular example, which I will not name, that did not have a Chief Information Security Officer.
[00:44:19] Sean: Was responsible for a third party attack against the NHS, which caused quite a large amount of problems. Uh, I'd spoken with someone there about the concept of them probably needing one, uh, informally. Uh, they then hired someone to do that role six months after they got hacked, uh, as an interim and then later as permanent, uh, to, to secure their business, uh, because they weren't taking it seriously.
[00:44:47] Sean: Uh, they had some interesting problems, some of which were visible from, uh, from the physical, uh, physical appraisal of their office, shall we say.
[00:44:56] Adi: What do you think are the big problems of CSOs who aren't aware? Like, what keeps you up at night?
[00:45:05] Sean: So I think when you see big companies, um, big companies, CSOs, CSOs, people responsible for security for large businesses, and you've never seen what their posts on social media are about, how obsessed they are with security.
[00:45:21] Sean: Uh, you know, you've not seen, you've never, none of your connections have ever commented or liked one of their LinkedIn posts. And you think, this person's not part of the community, are they? They're part of some echo chamber. Uh. Well, they think they're doing everything by the book. Um, and they've, they've accepted the risk and they've got their spreadsheet and, but they're not, they're not living it.
[00:45:45] Sean: They're not day in, day out, um, knowing, have finger on the pulse, know what's going on. Um, on the outside and then on the inside, which is this is a presumption because, you know, I don't know how they're behaving internally, but I imagine and having worked in some larger businesses in the past, they've got, like, a strictly defined.
[00:46:09] Sean: So, yeah, they've got boundaries where they're not supposed to step across internally, internal politics type blockers around. Well, you can't have access to that to audit it, or you can't, you don't get enough access to that public cloud presence to know whether the permissions are set right in the first place, you'll have to hire a team to scan that from the outside, or you'll have to, you know, engage with a consultancy to buy three weeks of pen testing to see if it's been secure from the outside because we won't let you come and look at the controls because we're a different team, a different silo of the business.
[00:46:45] Sean: And I've had that sort of thing described to me by people who work for banks and larger sort of high integrity financial institutions. Um, Again, informally and colloquially, uh, and generally speaking, the people describing those things to me have been the people trying to do something about it, which is a good thing, um, but some of them in their frustration, either just retired or, you know, retired or gave up when it worked somewhere else.
[00:47:14] Sean: We, we, we have quite a give up and go work somewhere else, um, ethos in this, in the community, it seems like, um, and it's not always voluntary, you know, giving up and go working somewhere else. It's more like, you know, you worked there for two years, you didn't achieve anything. Um, You, you're worried about the security posture in the business you work for, someone makes you a better offer, so you go, you go to a better place and the best people, the best people go to the businesses that are already taking security seriously, as opposed to the ones who are, who are falling by the wayside.
[00:47:45] Sean: So you just compound the problem then, you know, I don't, I don't see job listings from the companies that I would worry about. I see job listings from the companies that I know and love already. Um, I know it already doing security, right? And just see one of my, you know, one of my peers go and get employed there as somebody that.
[00:48:05] Sean: Is already part of a community of people that are getting it right, as opposed to, so there's no, it's the opposite problem is there's no fresh blood going in there. It's just people moving around and the US CSO community has this a little bit more than the UK one. I think people moving around moving from one job to another, leaving something in their wake.
[00:48:25] Sean: Um, and sometimes it's really good things they leave in their wake, but there's still a problem with that attrition. Uh, it, but. If so, like, if you work at a really big company, you see this quite a lot. If you work at a FAANG-type company, uh, Facebook, Apple, whatever it stands for. Um, and you start a project and it's your project and it's your baby, your initiative, and then you leave sometimes the product just fizzles out.
[00:48:52] Sean: And imagine that happening to half a dozen security projects, but they all go and see what they thought was important because they've spent two years learning the context of what needs to be secured in the business and the new one comes in and goes, yeah, well, that was last, that was last, the last guy, this guy or girl, sorry.
[00:49:09] Sean: Uh, but yeah, um, you know, let's, let's, let's start from, from this, you know, from this time and then HR, uh, sorry, HR are about wrong people to blame, but the human resources is. Uh, environment in which these people are leaving doesn't always have the kind of hand. Let's make sure that the incoming person knows what the outgoing person was doing.
[00:49:36] Sean: Sometimes just because of. You know, bad timing, sort of, you know, inconvenience, sort of admin problems, but other, other times, genuinely, because they don't want the new person to know what the old person was worried about. It's just terrifying, but it happens. I have seen that one kind of firsthand. Uh, and got into an organization, uh, accepted a role at an organization and worked there for two days, pointed out a number of problems, and then been asked, um, to go and find a job somewhere else.
[00:50:10] Adi: Really?
[00:50:11] Sean: And you think, well, that's, that's, that's a, not only a horrible situation for me at the time, but also like, Good luck to them.
[00:50:21] Adi: Wow, that's scary to think about. Like, hmm.
[00:50:26] Sean: But that, yeah, the monkeys thing, right? See no evil, hear no evil. Which one are you guys? Oh, you're all of them. Okay. Maybe I need to find a job somewhere else.
[00:50:37] Adi: Yeah. I'm glad you did.
[00:50:40] Sean: Yeah, it was almost voluntary, but, uh, it ended up being forced. So it was quite entertaining.
[00:50:46] Adi: I'm assuming that if you're a plus interaction that cares about security, then you kind of, like, you don't want to be working there at all once they say something like that.
[00:50:55] Sean: I was genuinely told by a multinational business that, um, was sold for a pound at some point, um, not to worry about the unencrypted, unauthenticated NAS drive in the corner of the office with customer details on it.
[00:51:08] Sean: Because, uh, This is when I was in DevOps, because I wasn't there for that to worry about that. That was someone else's problem. That's like, nice time to start looking for another job.
[00:51:22] Adi: Okay. No. Wow. I'm going to ask you one last question. What do you think this field, the cyber security field is going to look like in a few years in relation to everything you've told me so far and anything else that you think?
[00:51:40] Adi: Will affect it.
[00:51:43] Sean: I don't think a lot's going to change at the top, but I think they're going to be some changes when it comes to how people consume services. Maybe their expectations of certain services, some things are coming to light about how some services are being sold and bought, which is going to involve a little bit more scrutiny of how decisions are made, even in the private sector.
[00:52:08] Sean: I think there's certainly in the public sector where. Um, people aren't supposed to do things like accept bribes or whatever we call them. Um, So, yeah, there's some, some of that's happening at the moment, and that's becoming quite, quite a current problem. Uh, but I think expectations are going to go up in terms of like, when you actually buy a product, it's supposed to work, uh, and, and have some handholding of the implementation, and, and even at the smaller end of the spectrum, the whole sort of, oh, buy our product, and, uh, you just get what you see on the tin, and there won't be any onboarding, and there won't be any sort of handholding as the support, you know, Support is by email only that's gonna start to be sweated out of the industry a little bit.
[00:52:54] Sean: I think, um, because people are going to want more. They're going to want, you know, to interact with at least a chatbot, but then have a human being at the other end of the line. If the chatbot can't fix it for them. Uh, rather as we get in financial services now, um, but in the security industry, we don't it's more like open a ticket Um, but either tickets open with vendors for months and months and months And there's going to be a little bit more expectation around that I think the security industry is going to have to start doing a bit better or You know, word starts to spread a lot quicker these days, it seems, about, you know, there are a lot of exposés and articles and stuff out there and people are like, oh, yeah, it'd be interest of the whole community, we're going to tell you about this, um, and carefully written, so they don't get sued kind of things keep popping up, and sometimes they pop up and then they, they may disappear again, as would be, um, the, uh, Winter weather, uh, focused data warehouse people and one of the, one of the articles written about them, the article pops up and then got torn down again.
[00:54:03] Sean: Obviously, there were probably hundreds of copies of the article made before it was torn down the same day. And so, yeah, things get, things do get kind of, um, outed a bit more, uh, and you're starting to see some of the people that were a bit sort of, were holding back a bit because they were, bear in mind the security industry is growing older, right, uh, because there's not a lot of fresh talent, there's not as much as there needs to be anyway, uh, and the security industry and the concept of a CISO came about in what, 90s or something.
[00:54:44] Sean: I've got the history of it somewhere. It's actually the first person to call themselves a chief security officer, chief information security officer. And so you think, well, those first people that were CISOs in their 20s and 30s. And now starting to get to retirement age, uh, some of them are quite well off, uh, and have opinions and some of them have hold, but held those opinions back for a long time to draw a paycheck.
[00:55:09] Sean: And then they're starting to, uh, so I've seen quite a lot of the older chaps on my LinkedIn are starting to, uh, things all men. But the. 50, 60 year old category is, is, is almost all men, which is another problem, but not something we can do. But anything about retrospectively, um, are all starting to sort of, yeah, by the way, did you know about this?
[00:55:32] Sean: And it's like, no. Yeah. Okay. That's, that's interesting. Thanks for that one. Um, and of course you go into their profile and it's like, they just left. For job where they weren't allowed to say anything about it, , and, and then wait for three months for, you know, whatever, to, to, to close out and, uh, you know, their, their sort of non-disclosure stuff to time out or whatever.
[00:55:54] Sean: It's similar to the, the Trump thing where the guy nondisclosure agreement timed out after 10 years or 20 years or whatever and he went, yeah. By the way, all those things have not been allowed to talk about for the last 20 years. Some, so starting to come out of a wash now, obscurity, industry wise. So I think.
[00:56:08] Sean: There's an interesting prediction for you, but more stuff's going to start coming out, like, people are going to have to start behaving themselves a bit more in the vendor space, um, just out here in the vendor
[00:56:19] Adi: space.
[00:56:20] Sean: It's a possible thing, overall. It could be, but it, it could be that, again, it's like, some people are used to certain things, and, and some things have always been done that way, which is a horrible, horrible turn of phrase, but, um, yeah, so I think my prediction is there'll be some disruption, uh, but it might not be by AI.
[00:56:39] Sean: All right.
[00:56:43] Adi: You heard it here. Wow. Interesting. Oh, thank you so much, Sean. This has been so interesting. I feel like you have a very like energetic approach to the field. It's, it's really cool.
[00:57:02] Adi: Amazing. Thank you so much for being here and sharing all your knowledge. And it was so fun learning from you.
[00:57:10] Sean: Nice to meet you, Adi. Thanks for having me
[00:57:12] Adi: on. Amazing. Okay. I'm going to stop the recording.