Sep 29, 2024
Episode Description
In this conversation, Sharon Cohen, Head of Security at BetterHelp, discusses the evolution of cybersecurity over the past few decades and the challenges faced by CISOs. He emphasizes the importance of integrating cybersecurity into the software development process and the need for a strong partnership between cybersecurity and development teams. Sharon also shares his experiences with security breaches and highlights the significance of incident response plans. He discusses the differences between working in a health tech company and a software company, as well as the balance between educating employees and implementing controls. Sharon addresses the future of cybersecurity, including the increasing threat of AI-powered attacks.
hi everyone welcome to the Hands-On cesa podcast my name is AD and today we'll be talking to shiron Cohen shiron has been in the security field for almost three decades and is currently the head of security at better help with over a decade of experience as a ceso in many different Industries I'm really excited for this conversation how are you today Sheron I'm fantastic thank you how are you ad I'm great wow I have so many questions to ask you we just chatted before we started recording and we talked about the differences between cyber security now and the way it was 5 10 15 years ago can you tell me a bit about your experience wow um yeah cyber security changed a lot and the early days there was no really cyber security there was a it was part of the system group that used to really put all of the security either patches or any kind of fixes and it's a part of the what used to call the system administrator the root access this guy used to do that and those days the you know the biggest threat is coming from the outside world those days the outside world was not very much popular right the internet start to booming in I think in 9 5 96 97 when you saw the start of the internet it wasn't like today that the internet is accessible from every house and people can access the internet either from the mobile device it's very difficult that people have access to the web actually access to the web is more critical than have power today you know so that's what happened you know so cyber security change a lot and during those time you know it's been part of the system group part of what's called corporate it they used to you know defending all kind of thread that used to come from the early days of the internet like the internet email what used to be the pop three and it's become you know once in a while you used to get the virus in your email and the you know the antivirus companies which is one of them that grew up on them with semantic they have the noton antivirus very 
popular these days H used to block them used to stop the virus on your system and usually the it used to correct the system clean the virus and back to life life was normal today or even 10 years later from the late 90s everything changed and the biggest change that happened is that the cloud become very popular when the cloud the compute Cloud become very popular it's revolving a lot so what happened the platform what we know the local platform change completely it become a cloud base so it's not longer your data center that you can walk and you know be physically connect to your machine or either your if your startup with small company or mid company or computer room those days are gone completely since you know the late the late early 2000 you know those days are gone and those the bring a different kind of thread it's a different kind of risk that the C have to be stopping and all new world of what we call bet players what we call hackers it's become very sophisticated they become software developers so right now you know right now it's even even more right you know they're using all kind of sophisticated Ai and the software developers it's become very difficult to stop them and one of the thing that company is start doing since 2015 2016 is that the security the cyber security become part of the software developer team they become part of engineering and this is uh bring them two major win one of the major win is the idea that if you want to stop a software developer not to win it's a stop this is super important to say because cyber security day it's not 100% it will never going to be 100% okay never going to be 100% defense it will be maybe 80 even 75 if you are getting to 80 you have a A+ security program you're like the Pentagon just to give you a little bit what's going on okay the 75 it's a very good score so why you need software developer it's very easy you need the software developer to stop software developer if a person in your cyber security team 
is a software developer and doesn't understand the code you will not be able today to stop the risk the thread it's very sophisticated it's a very complex today the MW not even Mel the the injections are very difficult to stop even even a a weakness that even you cannot even stop today so back to the cyber security change it's a change that happened usually it happened in few years ago it used to be the system person years later the I and today we more and more seeing that the cyber security team is part of the software developer te or either contain soft developer personel wow that's such a like sounds like so different things to do what was your journey from getting started and like the old world of security what was the your first job in security and how did you progress over the years to where you are now yeah so um I I grew up in it I grew up in as a system person and as I mentioned before the system you know used to be part of the system portfolio the system admin he used to kind of 10% 20% used to do security used to be very security patches all kind of os patches things like that or the one layer after the OS that you can patch some of the vulnerability that exist right during the time it's been changed as I mentioned the risk Chang right you know the internet become popular the cloud become popular when the internet become popular the internet email the the the file transfer between people become popular sending images sending our good friends PDF that brought risk those file used to be contained viruses those file used to be contain all kind of very nons sophisticated program but doing the you know a little bit damage if you guys remember the you know the one of famous One I Love You virus right one of the guy in the organization used to get a virus I love you virus send to the entire global distribution list an email if it's a ad that I love you everybody in the organization right things like that that usually it's used to call P embarrassing right not 
P1 P embarrassing right so that seems to be the kind of the incident during those days right but that change it becomes sophisticated the cloud become popular the platform disappear the under underwater become the cloud so that brought a different kind of a different kind of thread that cause the causes to developers to either software develop to understand more what the company develop what's the application do right because most of the companies as the cloud become popular their application also change it used to be a package a city Ro you remember those days you used to get a city RO with a package very nice package Swifty a new software beautiful today today it's different today everything you get it on the web it's on the second you download everything you don't have to wait for everything you know so it's a different kind of risk so the app from a package become what we call today software as a service SAS SAS today okay we need to protect the SAS SAS completely reading by programmers by a code for you as a cyber security Personnel for me as the cisil I need to understand and people to be able to understand the code to be able to understand the vulnerability that exist of the code and guess what the SAS brought agile iing it's a very fast way to do changes in the application when you do changes in application meaning that your developer writing tons of lines of code when you write tons of line of code guess what happened out of the bet the code is vulnerable so it's a super critical for any organization that have a SAS offering to have a cyber security team that have the ability to understand the Cod have the ability and tools to stop a bad line of C this is what cyber security today they have to be part of the developing team or either contain software developer some organization are very Enterprise it's very difficult to merge between the dev team business midside to small it's easier to do so but as a ciso to ciso I really recommend you to hire software 
developer have you ever been a part of a company of course no names or anything but a part of a company that had a serious security breach great question so I can tell you also about security Bridge you can understand as well the answer is yes yes and yes so uh part of my journey um um and I and even today okay so security bridge will happen to most if not all of the companies that exist today why because we as you remember the 8020 rules the 75 there's still vulnerabilities today that we don't have answer to that they still have vulnerabilities because everything is very dynamic and change a lot so there always going to be vulnerabilities in the organization now the question is how you deal with those vulnerability that they become risk how you remediate those vulnerability in most organization without mentioning names there's no way that you can close 100% vulnerability doesn't exist whoever going to tell you yeah doesn't exist I've been giving you you know we don't play poker we want to stop the bad the bad players we all have the same goal over here and those vulnerabilities is that you have to understand if you don't stop them it's a question of time okay when the bad players will be able to find those vulnerability and to do a certain damage now talking on my journey I saw everything from uh social engineering fishing okay to really people you know finance department moving money to North Korea and I saw people um you know have the ability to you know that is there that duplicate a person even you know so a person that was part of a on boarding and it was a fake guy completely you know that was able to you know try to kind of confuse they J try to confuse you know completely fake it's like synthetic social engineering which you take some of the true okay you find some of the true in social social media about a for example and faith and mix it together and you create new person that's very popular yeah yeah yeah very security company not my not in my not in my 
portfolio that I had de breach the guy was able the person was able to [Music] pass the interviews hired and he only stole the laptop he was hired yeah interesting interest yeah so I saw everything from everything and I was the what brought me you know to bring my passion to security is really the when I saw so many weaknesses during my journey one of them really touch my my my heart and I know we we try not to make it personal and professional in business but when you see innocent people you know getting um so SC or uh risking risking their professional their life and particularly I'm talking about this is how I got into my my current job in better but before betel I was able to protect Peril companies and one of them was during you know 10 almost a decade ago and you know we're talking about 2010 2011 um which uh they used to own 400 hospitals you know major hospitals in California major you know 3,000 patient 4,000 patient huge hospitals in Boston and clinical clinical doctors which is translate to what we call in cyber security Phi person information or private some of the regulation like to call it private and pii some of the pii personal information it's um can be Phi as well in medical for example some of the regulations say if I know a d first and last name and if I know a d where she live and if I know a the cell phone number uh that that combine the pii requirements so I can be as a and fill up all of the you know the security check up when she's calling Bank of America or she calling her her doctor and that's considering violation in Hippa Hippa it's it's the law all the US medical facility and mental facility and everything around medical and mental Medicare have to be under the regulation theah it's a law and by the law there is a set of controls that they have to follow today people follow what's called n control which is built on the EA how to say password how to encrypt the information how to pass the information what happened in an incident what 
happened in a bridge so back to your question you know I'm today every company going to have a group every company it's not that's my take That's My Philosophy it's super critical how do you take care of after the bridge what happened after the bridge what the step that you did with legal regulation policy so cisos make sure you have incident respond plan make sure you have incident respond policy follow the is control for those policy dry run those policy don't wait for the crunch time you have at least 48 to 72 hours in a Phi you need to do disclosure it's super critical how you taking care of the bridge if you hide the bridge you put it underneath the carpet I do not recommend you to do so Bridges always find out they put it this is the main thing for the B players to do they put it on X they can put it on meta they can put it on Tik Tok and complaints from the patient or from your member or from your client can cause you huge penalties you don't want to go there follow the policies follow the procedures create them they exist ad would I told you every company will have you know it's the way you're taking care of it what would you say are the differences between working in a health tech company which is where you work now better help and companies before and working in a company that is more software or let's uh like information that isn't as flammable maybe that's a that's another good question by so um there is a differ there between in medical mental software company and a software company so I had the chance to work for a data analytics company er before I moved to betel and I can tell you this is a classic cool software company okay that information is very flowing there is no there is access control of course there is a security program and some of the data analytics can have some information that is very sensitive depends on the client of course however H it's less restrict like the medical and mental less policies procedure that the medical and mental 
okay less a a governance like the medical and mental okay and unless I will say privacy and legal like medical and mental okay because if you send a wrong email in medical and mental to a wrong patient that's a bre that's a disclosure okay it's completely different if you send a wrong email in data analytics to a different client oh you send apology that's the oh it's a wrong idea we have sex over here okay that cannot happen in the medical and mental this is all procedures that need to be happen over here if I told somebody else by mistake and the I send the a prescription of of the medical that need to somebody else that's a violation of IA so we need to follow the procedure so everything more protected obviously I can tell you that in better you know not going to much details we're trying to make it as a software company but as a ciso and on the cyber security program I do bring the bureaucracy in place I do bring the framework that will protect me from EPA violation you know better I brought to better the What's called the it certificat which is bringing that philosophy of bureaucracy with the balance with find my balance because I don't want to stop the business right I don't want to stop the developer to develop but I wanted to have a my member to have the most safe environment I want their data to be extremely safe so that's the balance that I'm doing on my day today between the luxury of Freedom that exists in software developer in a software company or between my cyber security program prog that I'm bringing in for my days of you know grow up in Enterprise like semantic right grow up in Enterprise my past I used to support the company called Pro limited right which is more of a traditional old school security so today security the new school is allowing you to do that merge but you need to do merging between your software developer and security and your software developer that developing the code wow that makes me think about another balance that I see all 
the time in security where like on the one hand you want to educate people you want to make sure you have a culture that doesn't allow it or doesn't create issues but on the other hand you also have to put some sort of controls to make sure people don't make mistakes and how do you balance that like how do you look at it um so we balance it between we try to move we try to do the do and do not do and help the developer to have more kind of Freedom H but in a process and make the process more agile right H sometimes those processes are very slow you know for example the software Security review right the developer want to install something send it to the cyber security team send it to it they take time two weeks three weeks the guy need it in this afternoon right so we try to embedded a process that will be more flexible but will keep the control that need to be keep right they will keep the review we keep the ability to H give them the freedom with the right respond and also this is a between cyber security maybe it's going to answer your next question but between cyber security and the developer it's a partnership it's not even a partnership you know it's it's a one team approach right and because the cyber security team and pleas ceis this is part of your job because cyber security team cannot defense and support by themselves the entire organization or cannot be the only security guy in the front every person and this is the way I run it every person for years in the in in the company is like a cyber security extended to the team okay you build a very good partnership from day one because it's the same canoe it's the same people that need to fix it okay so you let them be the developer you you let them on the risk get okay there's a philosophy around that people build you know about what I said right now people build all kind of new way of guidance right that will give him the ownership feeling that is helping us to be more secure and the he I'm talking the 
developer shaon and his team we not going to be able to do it alone and that's correct about all of the fishing that exist today all of the awareness we become very much closed we doing security awareness to everybody in the company years now people do that you know there's the compliance every year in each company that I go that you know every every person once a year go to security awareness so you give them the tools you give them the awareness you make them one of your team member that's the way to be success because in the end of the today my eyes by the way they're not good eyes anymore but my eyes or my cyber security personaliz cannot be everywhere the monitoring of the tool that we're using cannot capture everything and in the end of the day it's about the developer and I'm talking about companies that you know that offering SI so really the latest that people live companies live on the cloud you know it's about the developer that writing that line of code okay so give them the tools make them to protect his work come to you when it's already you know clean and corrected not in the end that we have to save it you know from the beginning this is what happened to companies the cyber security team become Frontline become very very demanding that have to be together with the software develop to find the right balance between I don't want to say bed cup kind of thing but you know like between the you know the cup and the freedom right and it's in line that you have to play with it on a daily basis and be reasonable and I I can tell you that one of the you know some of the weaknesses that exist in the Privacy privacy in the Internet it's something that we need to be very careful for it particularly when you offering ER information like medical mental ER any kind of Bank transaction like Bank like you know your bank online it's a very sensitive information by default privacy become a risk there so how we protecting it that become something that we you know on on 
on a daily day working on it however I as you know you know those Channel bring lot of Revenue to companies right this is the way to track consumer this is the way to track any kind of new client right everybody going to the website do the purchasing do this so nobody go to the store anymore right so this is why it's a US Channel and we always find that you know between even you revenue revenue channel that can bring risk and it's always the risk go up and the revenue Channel and you have to protect it with your government with your control that's the balance that we need to find H that's so interesting do you think most cisos see it that way also most CIS probably see it that way but most of them don't have the power to change it which is a which is kind of a shame you know they need to be have the power to change it it's a big risk um those channels sometimes they very sensitive channels for the business and nobody really touched them you know and it's going all the way to your CEO to make a big change right that the change can impact Revenue you know so it's a up to way to the CEO to make the decision and it happened that the the the ciso got tools to help them the whole concept of cyber security ER uh best practices or what's called CSF most of CIS know what is CSF common cyber security framework that's the initi um they develop that the CIS not going to be the one throw to joke okay what I mean by that the risk accountability start moving to the business in CSF so if I wanted to increase the the Tik Tok channel that can bring $100 million revenue or 150 can bring it no problem we're going to review it completely we're going to put the risk level there and if one of the risk is not acceptable ad will have to accept the risk as the as the owner for it okay and usually it's a Iraqi sea level okay so the SE is not going to be alone do you understand the concept of CSF it's the accountability is moved to the business owner that's what happened because CIS is 
starting to get fired every two three years because there was a security Bridge they fired them completely oh it's the CIS fult which in the end of the day you know it's developed by somebody usually even it's a Consulting F or nobody's fault the business wanted you know the the the work was not correct you know but used to have this is why the CSF was developed so the business will be accountable and that was developed few years back today the CSF become next ler the board of director become accountable so this is why the C job become very critical how do you navigate on the one hand first of all you have your you need the company to be secure and then you have your team that you need to manage both on the professional also emotional level and then you also have management that you have certain requirements you have to stand by them I'll assume and also like understand what they want from you how does everything integrate together so um it's very similar to the question you ask it's also we need to kind of find the balance right so uh cyber security become very demanding the hours the weekly hours are crazy and the job never end and the workflow is from here to five years and you know forward just to give you some of the workflow so time management and the way you act it's super critical and I'm super critical for the staff as well you know I I I I personally recommend my stuff to you know to take some time off and to take some vacation time some of the education that I'm doing with them you know is sending them to kind of ser security conference to give them a little bit of a you know different environment for the change environment from the day to day risk that they managing we actually we particularly we're managing risk that's how in our life anything and fixing OB obviously and that can be very much of overwhelming that can be be emotionally drained and that can be putting you to you know to a situation that you you know I can give you an example that you can 
think that you're the hero of the day and in the end of the day you're not the hero of the day so that's kind of can get to you right so I'm trying to kind of to catch it before it happening you know to kind of protect the protect the staff and with a small team usually cyber security in every organization small they you know they're not like the software developer that they can you know completely huge te and so we try to divide it we try to give them some time of some conferences that they need to and um presenting to the sea level to the executive to the peers to the company WI with the ability to give them information that a not going to be a too much dramatic or do you don't want to create any kind of panic okay and you don't want to create you don't want to be acting as a stopper cyber security team uh have to be business enablers which is very difficult to do when you bring controls okay so you have to find the right balance in the control himself what's the right thing to do what's not the right thing to do some of the control for example I can give you some of the control you know for better help are talking about you know hospitals okay I don't need to be hospitals I need to software develop mental protection so that's that's that's the idea behind it you need to be flexible but in a way that doesn't risk doesn't increase the risk sometime it's sometime it's difficult and sometimes you have to go head to-head to the CEO you know do you have a story of a time where you had a dilemma and how did you deal with it yeah um I have so many dilemas you know that exist in the cyber security right so I can tell you that me personally I try to be a guy that easy to work with it very flexible you know that try to enable the business Revenue something very critical for me however cyber security is is is is sometimes conflict even with Reven so I can tell you that if I get a risk that this risk is very high risk okay so there is the categories for risk right there's a 
think there's even above ey I can remember extreme or you know above ey this one so I can walk directly with the risk on right with the guy that created sit down with him understand the need understand the business and really it's a business requirement can be either on a product side can be a feature can be all kind of things that exist in s offering okay first of all understand there is and try to remediate the risk by minimizing by doing small small Wings small fixes okay let's give up this one let's see if the risk rate has been lower try to find the try really to find the place that will be easy for both of us to continue okay and sometimes there's no way sometimes there is a conflict and I can give you an example that you know there can be a campaign okay in the previous company I work there's a campaign that can bring millions millions of dollars right and there is a all kind of like testing that give the information there the data is there but the risk can bring vulnerability and this vulnerability can transfer to security bridge this security Bridge can transfer to penalties those penalties can cause also money so those data can come to the you know to the CEO and he have to make a decision and you have to be accountant as a ciso I can recording it I can put it as a record in any kind of ticketing system and I'm done with it that's that's really the what I can do you know if the business decide to take it you know obviously in the organization sometimes when the when it happening also traditionally legal is involved and usually you know the sea level SL the the the CEOs attempt to listen to the to the chief legal guy more than they listen to the private to the to the the CIS so the legal is involved and usually legal always stand and back up the ciso or either the other way around interesting what would you say is one of the biggest problems there is in cyber security right now or at least in the mental health cyber security maybe okay I will start in the 
first one cyber security is a general okay um so right now we are facing a increase in attacking every company in the planet sooner or later going to have attacking situation so there is no way for even professionally like me to be able to you know to be cover the entire planet with protection right so I do believe that each one of the companies even a small company a med me company please dedicate cyber security team create a cyber security team don't let them sit under your CTO you need a team you need people to review those vulnerabilities companies today have vulnerabilities no matter what it's equ question how you fix those and unfortunately right now in organization even in a small one because of the cloud it doesn't really matter with 50 people small company you can do a job of 500 people with the cloud so it doesn't matter if it's Enterprise medium small or some startup in the garage doesn't really matter okay you need to have dedic security team to look on vulnerabilities there is no way that we can defend on vulnerability that exist no way so each company need to go and do that vulnerabilities are increased more and more than you Expos to the internet when you do internet services all kind of services even even as the client services or either your company offering Services it's always going to be vable buy the tool invent budget put the budget there invent some dollar sign and correct it the the after fact is you there's many many cases of companies that went bankruptcy without a correct cyber security program do not do not let yourself be in that situation about the mental and medical about the mental because this is something very close to my heart that I'm doing for the past five years uh better help always looking for improving our psych security program we are not perfect we're never going to be perfect but we are almost there and it's consistently walking long hours and looking and reviewing every Trend I can tell you that better help is the number 
one commercials in in America has been very popular yeah the open podcast you know the Michelle Obama is a very famous one a few minutes there's going to be the guy that's you know offer you to take therapy I actually very recommend everybody to take therapy it's great it's actually make me to smile every day and I even myself a better member you know so it's great really recommend you guys to do so H but back to the question you know we looking at um the the thread that exists because we are very popular so also we become very popular on attacking I can tell you that better getting attacked by same group in Korea same group in Ukraine in Ukraine same group and we're talking about like two two two three times a week weting attack all kind of attack the most famous one that most of the people got it you know it's denial of service the Doos attack that's what happened right now in the you know unfortunately in the war right like Iran is attacking didos attack the Trump and Aries campaign or either because of the conflict in Israel they attacking Israel with the Doos we can see it a lot and better because it's very is they're trying to do D on better help as well as a medical and mental facility we see more and more in the past two years increasing from Iran attacking big hospitals in America like Mass Mutual Mass was the big General Mass was the big hospital in Boston got attack we see that getting attacked it was very kind of famous and um so this is the biggest threat that we live today we need everybody help all of the organization employee it's not those five six people or 20 people in cyber security everybody all of your members all of your FTE all of your contractors don't let the contous worker to do what they want usually and C review what happened in the planet review what happened to X to Twitter it happened with with the Consulting it doesn't happen with the FD protect everybody in the company everyone that have access to your resource need to have the 
same discipline as your FTEs.

Wow, that's a hard thing to build a culture of, I would assume. Interesting. So we kind of ran out of time, but I'm going to ask one final question, and before that I'm going to say thank you so much; this has been really, really cool, and I think you bring such an energetic and open energy to this topic, which is so cool. So what do you think cyber security is going to look like in the future, in two years, in five, 10 years? What's going to change?

So, in two years cyber security is going to start a defense, or fight, or whatever you call it, you know, against very sophisticated, smart AI. Very sophisticated, smart AI, against the bot; the bot will be very smart. It's not going to be the Alexa anymore, or not going to be ML that somebody created; it will be a real-person kind of thing that has the ability to really create damage. So we really need to be able to fight back all of the AI technology. The AI is here, it's not going to go away; it's actually going to increase and increase, it's part of our life. And I will be demanding that those cyber security companies, software companies, use more, leverage AI to fight back, because the bad guys, the bad players, are using the AI. So the risk increases, the threat increases. I can tell you, for the past year and a half, because of AI, we see an increase of 30 to 40% in attacks, yeah, because of AI. So it will change again, it will be super fast, super up, and we have to keep going, keep developing things that will be able to stop those bad players. We want the internet to be safe, and it's not a completely safe environment today. And with AI, the bad players using AI, it will continue to be a non-safe environment, because we see an increase in human trafficking, we see an increase in all kinds of weapons trafficking, in drugs, everything with AI and all of the tools that they are getting. You know, the bad players are using the tools that it's very difficult to really break in, you know, the encryption that exists on
WhatsApp, for example. You know, they have tools, the Telegram, they have tools to use against, you know, good tools but using them to do bad things. So those tools need to be more security-native, able to help security, help cyber security to be able to stop the smart, sophisticated bad players.

Perfect. Do you have anything else you'd like to say to anyone who's listening and is looking into either advancing in security or getting into security?

Yeah, I do. I have a personal note that I want to say to the CISOs. I know sometimes it's very difficult to present, talk and bring either a risk or bad news, but this is part of our job. You need to be vocal, you need to bring that information to the business. Do not sit behind the keyboard or behind the computer and click. Please let the executives, let your peers know if you see a vulnerability, you know, that impacts the business. Please say, please do, make sure everything is recorded, make sure you have a ticket for it. And I know sometimes you're all alone, but you're not all alone. You know, talk, make sure to understand that cyber security has become part of the chair in the board of directors, meaning you're not alone. Stay and do. And for the rest of the company I wanted to say: each one of you guys, we need help; each one of you guys is an extension of the cyber security team. You see, you say, we do.
