Jun 1, 2024
Episode Description
Jose Bonilla, an information security GRC leader, shares insights on his career journey, the challenges of cybersecurity, and the evolving landscape of security in the age of AI. He discusses the importance of continuous learning, the impact of security incidents, and the need for a security-first culture in organizations. The conversation covers various aspects of cybersecurity, including AI, machine learning, career advice, security awareness, and the importance of security in organizations. It also delves into the challenges of auditing and the advice for those entering the field or working in organizations new to security practices.
Adi (00:01.329)
Okay, so today we have Jose Bonilla, who is an information security GRC leader with over 15 years of combined experience in corporate financial services and fintech. He's built and helped scale GRC programs in several small and large reputable tech companies in Silicon Valley. Jose enjoys promoting a security-first culture and holds an unquenchable thirst for knowledge on emerging threat vectors and the latest security techniques.
In his spare time, he enjoys spending time with his growing family and learning about governance in generative AI and large language models. Jose, how are you today?
Jose Bonilla (00:42.362)
I'm doing great, Adi. How about yourself?
Adi (00:44.977)
I'm great. So just reading your intro, like, it sounds like you, it's very important for you to stay up to date and know what's going on. How do you do that in such a growing field?
Jose Bonilla (00:56.218)
Exactly. Exactly.
That's a great question. So part of the process for me has always been just never remaining complacent. I think I've had a knack for security. I've never just realized it until later on where you're like subconsciously thinking, wow, why is it that I want to have more of a desire to learn about either AI or Web3 or blockchain technology, despite me just being in financial services? Right. I always joke I could have just been a teller or a banker and that just would have been it for me and I would have been OK. But.
Adi (01:26.577)
You
Jose Bonilla (01:29.562)
I always wanted more out of it and learning what was happening, kind of the nuts and bolts behind the background. And so for me, it was very important to learn about just the emerging threat factors and just the intelligence that a lot of our security engineers, site reliability engineers, and even devs have on just the latest threats, right? And so collaborating with them, learning more about it.
I realized that, yeah, this is definitely something that I see myself in for the next decade or even more than that. And so making it now more of a career than ever and kind of in hindsight, taking a step back and looking at it holistically, it's definitely been a desire to just continue learning and wanting to know how exactly financial services can help others. Funny enough, I've always wanted a career in law enforcement. I want to be like a police officer or some kind of attorney to some degree.
Adi (02:18.385)
Hmm.
Jose Bonilla (02:20.89)
But I always wanted that. And so I felt like, OK, well, I can't catch the bad guys this way. Let me see if I can catch the bad guys at least virtually through the cyber world, if you will. And so that's how it all came about. And so always having kind of that desire to just do right, not only behind products, financial products, but also our customers as well.
Adi (02:39.409)
That's so cool. How did you get started? First of all, if you once thought you were going to maybe even be in law enforcement, how did you decide this is the career path you're taking?
Jose Bonilla (02:51.802)
Sure. So it really started with just one day I applied to Wells Fargo Bank. I started at a kind of a commercial bank level. And at that point kind of worked my way up behind the scenes and worked directly in the fraud verifications team.
And the move that really changed everything for me was the pivot from kind of a traditional commercial bank financial services over to a fintech company. And at the time it was a small money transfer, pre-IPO. And we were, I joined roughly when we were about maybe like 50, 60 employees. So we were a Series B company.
And we steadily grew to then have our IPO and then become Series D and then later acquired by a big payment giant out of Silicon Valley. You may have heard of them, but PayPal basically. So that was, as they say, kind of just jump on and go for the ride type of moment, a meteoric rise and just rapid growth. And during that time for me, just learning more and more about exactly how you can embed tech into what you're doing on the financial services side.
But there were a lot of things happening at the time. I mean, this was again 2014, 2015. So a lot of peer to peer services, payment services, and understanding exactly how the neo banks are going to kind of like take over at that time. And so a lot of it for me became just still having that passion for financial services, but then also understanding how there's a crossroads of just all things risk, fraud and security as well. Right. And so.
GRC did not exist at that time. I felt like really that acronym was not thrown out there as much. And now we're seeing it thrown out more and more and even kind of integrated with information security and cybersecurity. So it's interesting how that for me kind of helped establish like my foundation in security. But it all really started with your traditional kind of fraud account takeovers, unauthorized payment source usage, that sort of thing, chargebacks, BSA, AML stuff from just my banking days.
Jose Bonilla (04:57.018)
But I always joke it's helped establish the foundation for me and where I'm at today in security.
Adi (05:02.993)
Wow. And do you currently, do you have a team that's working with you that is also in charge of security or are you the person who's like doing it in the company?
Jose Bonilla (05:14.49)
I've always been in a very kind of IC role. For folks that don't know, it's just kind of an individual contributor. Someone that basically is just like takes things from the reins and works directly from C-level down and helps kind of just change the culture in its entirety. So when you think of folks being a bit cavalier, not realizing exactly just the threats that are around every corner.
I changed that in so many different ways, my most current role being one where a lot of procurement was going on, financial exposure to the company with third party services, and of course data security and data privacy issues that would arise. And knowing that that was just something that we needed to look at, whether it was residual or inherent risk, but still knowing that jumping into that first day in my role, I would already start to identify these things for a company. So.
I would say that it's always been for the most part individual contributor. I mean, in the past, I've led some small teams, teams of about maybe two to three analysts, but all focused on just various facets of information security and just working in parallel with cyber liability engineers and also security engineering teams. You think of things like efforts like business continuity, disaster recovery, supply chain risk.
Those are all things that kind of tie us all together, but the major one, and my most recent experience, and I've done this for now the past five years, has been SOC 2 and PCI, right? So when those acronyms or words get thrown out there, I know that for some folks it's daunting. It's like, my gosh, you know, here comes Jose again with like this compliance requirement. But in essence, it's not, it ties everything together. These are essentially what I consider to be all hands on deck assessments, right, for the organization.
Adi (06:50.961)
Hahaha.
Jose Bonilla (07:00.698)
What that means is that there's a lot of intersection between working closely with the engineering and devs and specifically IT to identify some of those potential gaps in your controls and then go to like formally assess, right, and ensure. They call it rock the badge as soon as you're done with SOC 2, which essentially is just a badge that says that you've tested those controls and you're ensuring that they're working periodically, right, the way that they're intended to.
But it's also kind of like a sign of trust, if you will, and establishing that trust with your customer base. And then also with your prospective partners, right? I mean, who wouldn't want to have kind of an independent assessment of your controls instead of you just being very biased and saying, no, like, this is definitely all great. Our WAF is set up the way it should be. We have our application secure. It's like, do you really? So that tends to be one of those things where...
leading those small teams into these assessments has been a high privilege of mine just knowing that we've all worked together side by side to build something great.
Adi (08:06.289)
Do you feel sometimes like what you said people say like Jose is coming. Do you feel like a bad cop sometimes like you're the person who's law enforcing in a way?
Jose Bonilla (08:18.394)
Isn't that a good segue? That's definitely, I feel like that was perfect. I just like literally like just, yeah, the assist alley-oop to you there. Yes, it is one of those things where I am viewed that way sometimes it feels like. I think when you say good cop, bad cop, the bad cop comes to mind whenever I have found something that's considered like an internal threat, right?
Adi (08:20.089)
I don't know what to do.
Adi (08:39.953)
Yeah.
Jose Bonilla (08:43.706)
There tends to be sometimes that if it's maybe a rogue employee or someone that just didn't have a good experience with the company. And so insider threat, if you will, is definitely one of those things that comes to mind. Believe it or not, yes, I've had an experience like that in the past. Not the best experience, but as soon as that happened, I almost felt like there was a newfound, maybe respect is not the word I'm looking for, but just essentially just like, I'm definitely aware that Jose
Adi (08:59.025)
Really?
Jose Bonilla (09:12.602)
can come and provide this type of level of oversight on things, right? And it wasn't the best experience in my career at least, but it did change things for me where a lot of folks were coming to me for questions, right? The most simple of questions like, Jose, you know, I have this plugin, can I like download it? Is it okay? And I'm like, you guys, you know, despite what happened with this employee, understand that I'm not here to like red tape everything, right?
I mean, you can come to me with questions, it's an open door policy. And that leads me to my next point. Security is something that has to be everyone's responsibility, essentially. I shouldn't be treated as just kind of like the one all or de facto police here in essence. I'm not policing. What I'm trying to do is establish more of that synergy and just kind of overall security awareness with the organization.
But I do feel like a lot of times we're viewed as just kind of like the pranksters or people that are trying to catch you doing something wrong, you know, hand in the cookie jar type of scenario. And we're not, you know, for me, especially, it's one of those things that you go out into the world, you try to kind of cast a net and see what's good and what's bad. And then essentially try to weed out kind of the things that should be maybe bad behaviors we should move away from, right? Characteristics are things that we just need to kind of like change as a culture.
overall just as like security awareness. But yes, it's bad cop a lot of the times, especially when it comes to the assessments. It's like, is that time of the year again? Like really Jose? Like, I'm like, I'm sorry, I have to do it. Someone has to do it. So things like PCI, for example, that tend to just be like annual assessments, PCI feels like it's never ending, right? You prepare for it literally your first year.
Adi (10:45.521)
You
Jose Bonilla (11:02.394)
I would say maybe a year or two prior you prepare and then you jump right in and you're in that assessment every year after that, right? Because you have to maintain the certification. The same works for SOC 2. You work closely and you build that rapport with your auditors, but unfortunately you do have to go back to the organization and knock on some doors and say, hey guys, unfortunately we're back at it again.
Adi (11:27.345)
Interesting. How do you think, what do you think is the best way to look at it? And like, I'm trying to think as a security leader, how do you get the company to be sort of on board, to understand the meaning of it, to understand that it really isn't just your job. It really is protecting the company.
Jose Bonilla (11:52.41)
Right. So we've seen it time and time again. I think the big one for me is when you see a lot of the headlines of just big tech companies that, you know, absorb an amount of, you know, revenue and just overall like portfolio sizes just out of this world where they, you know, are overseeing a lot of data. They're essentially data stewards for what feels like half the globe, if not more. But we see a lot of the times that they'll fall.
prey to any type of potential threat. And in this case, it could be the most simple one that we can think of, which is just phishing. I've always said phishing is something that, for a lot of attackers, is very simple, easy to do. It's not complex, but it's very lucrative. Essentially, they could target someone. They could do whale phishing and target a big CEO or someone in the C-level and come away and walk away with a ton of money.
right now off of the offshore account in Nigeria or maybe somewhere else. But I mean, essentially it's just that type of attack method that's very simple to do and kind of execute. And so I've always shared that with C-level, just overall leadership, that it's important to take these things into consideration, right? The concept of like a human firewall, you have your logical controls, but you still have to train your employees to also serve as that barrier for security, right?
essentially kind of putting up an additional layer, a multi-layer approach in security, ensuring that everyone's aware of the latest threats. Folks understand that if we're working, especially now, for the most part, hybrid, but a lot of companies still in a fully remote workforce, they have to understand that there are threats in that aspect as well. Working remotely, connecting to any kind of public Wi-Fi, things of that nature. So it tends to be something that it puts more...
of a dependency on our IT teams and our security teams as well to educate, right, to drive that awareness. And so I've always felt that it's very important to do that. And the best way to kind of, again, I go back to that idea of just an open door policy, working closely with others, you know, no question is outlandish in security, but the idea is that you start to build that synergy in the past.
Jose Bonilla (14:12.25)
I've had experiences of just being able to lead some of the hackathons, if you will, capture the flag kind of activities and just allowing it to be more interactive, right? To where a lot of the employees feel engaged and they feel like they want to learn more about it and every year it becomes something brand new. And so I use that to my advantage. Things like in October, which is Cybersecurity Awareness Month, it's like, wow, a full month just dedicated to sharing.
what we all do respectively in our roles in the cybersecurity space. And so that's a big reason for why I think it's important to drive that awareness and share with a lot of leadership exactly what can happen when you do this early on in a company and you start to kind of have a culture shift, right? It becomes very apparent that at that point you're pitching to a prospective partner, you're sharing your product to them, letting them know exactly what you've built.
but then also like, hey, take a look at this. We also have bolstered our security in so many aspects, right? So it allows for you to share that your company is multifaceted in that approach. And I think now we're starting to see also a shift in just the industry. Companies are starting to promote that, hey, we take data privacy seriously, right? Just the other day I was on a highway and...
saw a billboard of Apple and normally Apple has just this beautiful design, it's very aesthetically pleasing to the eye. It's like, okay, you have Apple Watch or you have something that just looks great. But now they're starting to put out there that it's like, we take data privacy seriously and there's the customers first and there's security and you have control over your data. So you're starting to see that as kind of like a benchmark of a product as well and kind of integrate it into that.
Adi (15:59.369)
And what do you think led to that change?
Jose Bonilla (16:06.106)
Sure, I mean, it's a good question. What led to the changes ultimately, I think, just a race to continue to have things that are easily accessible to the average consumer. Data obviously being one of them, but of course, just like the product itself working, technology is evolving so fast that we still have to figure out a way to ensure that there are guardrails in place. And so how do we do that?
And it becomes very apparent that it's part of the process to ensure that security is lockstep to product. So you hear about compliance by design. There's also just the concept of security by design, ensuring that our teams understand the importance of exactly different threat vectors that could come into play, whether it's through a web app or a mobile app. It's important to understand exactly those things and just the impact that it can have on the organization in the long term.
So we've seen that, and so there's a shift in that process, right? The importance of also supply chain risk is very important. I think the biggest one just being, we saw it two years ago almost at its peak, Log4j, which was kind of like a zero-day vulnerability that really impacted a lot of organizations. But of course you have even bigger waves of just like impact as well. We recently actually had, I experienced the MOVEit file transfer.
So that was another one that was also kind of considered a zero-day vulnerability and immediately just created mass hysteria among a lot of the different third-party services. But what that does is, if I'm working at a company, we may not experience it, but maybe our service provider's service provider is impacted by it. So it's like a second, almost third-party risk.
And so it becomes very clear that it's one of those things that you definitely have to consider along the ways. And that's what I think has definitely shifted a lot of the culture and what you're seeing now in the industry.
Adi (18:09.073)
And we talk about these big topics of like the way people act around security and what needs to be done, but on a day-to-day basis, how do you actually make sure these things happen? Like what does your day look like?
Jose Bonilla (18:28.41)
Sure, so my day essentially looks like just making sure that I'm always checking in directly with leadership, trying to just communicate of any of like the potential risks involved with the organization. Where do we see ourselves in the next year or two? You know, currently, what are the limitations that we have? I'm very big on just making sure that...
Obviously, working in smaller organizations, you kind of have to be, and I think it's also the impetus for this podcast is the fact that you have small to mid-sized businesses that really are kind of like, you know, bursting at the seams and they're stretching every dollar that they can, you know, essentially to be able to continue operating effectively. But one of the things that I've learned is just tempering expectations, right? You have to temper your expectations. Yes, you can see yourself.
you know, the ideal kind of desired state is that we have the latest and greatest software that's out there, right? And go ahead and make full use of it. But that puts a strain on us, right? From a resource standpoint, budget planning, you know, it's going to be very indicative for us to go ahead and just like re-look at it and kind of reassess. And so my approach with that is that I always like to check in with all different types of cross-functional teams that I work with, whether it's accounting, finance,
IT, rest of the security teams, of course, and leadership, of course, and focus on exactly where we see ourselves in the next year or two. If we're going to pitch to another prospective partner, what can we do to prepare ourselves adequately for that, right? So it's important to do that. And it's important to also make sure that you are open to just other suggestions, right? Not being biased, because a lot of the times there's that approach of like, I kind of see it from a security lens.
But I want to take a step back and do it from other perspectives as well. And so that's very important. And so the day to day is exactly that. It's engaging these individuals, working closely with them, checking in on some of the things that maybe they feel are pain points and how can security best assist with that. And then a lot of the work is heads down, of course, as you can imagine, with audit preparedness. So there's always a focus on just making sure that our controls are up to snuff.
Jose Bonilla (20:44.89)
and that we're ready to go formally test them with our auditors in the next couple of months. Previously, we had kind of like an audit schedule. So I would work with a lot of the C-level as well as just the rest of the people managers to ensure that they were fully aware that there was dependency here. And I would try to avoid major holidays. Obviously, we do not want to have, no one wants to have a SOC 2 audit in the middle of November or December. That's absurd. But we try our best to do that.
Adi (21:03.889)
I'm sorry.
Jose Bonilla (21:12.314)
So it's important to remain cognizant of just exactly when we're going to have some downtime. There's also just the taking into consideration if there's a code freeze in a specific month. OK, maybe we don't want to do that. If we're going to go ahead and push out a new release or anything like that into production, OK, maybe we want to take a brief pause on that and then wait and then formally assess our controls at that point. But it's doing so with the idea that you remain aware.
of just what's going on in everyone else's world, not just your own. So a lot of just working cross-functionally and engaging these individuals day to day.
Adi (21:48.945)
Got it. Have you ever been, of course, no names or companies, but have you ever experienced like a really bad security event situation, like something that you were like, no. Tell us.
Jose Bonilla (21:54.97)
Sure.
Jose Bonilla (22:04.346)
Yes, I've experienced a couple. I think if I share that I have a little over 15 years of experience in security, you'll have had to have at that point experienced more than one, right? And I think that's the case. I would not be doing my job if I did not have any kind of incident that I've experienced or at least have helped lead in triaging. But yes.
Adi (22:15.409)
True.
Jose Bonilla (22:31.034)
The one that comes to mind, there was actually a distributed denial of service, so a DDoS attack, and there was a GitLab dev version. And apparently the dev version of GitLab was not updated. And so we were kind of running on an older version that was susceptible to a remote code execution and a zero-day vulnerability at that point. So that impacted us a lot just at that time because it was almost kind of just like a...
you know, right away, you know, fire drill, you know, kind of sound the alarm and go through the entire triaging process and how we were going to go ahead and identify exactly what was the root cause of it all. And so that was definitely one of the major impacts to the organization. I mean, it literally just like shut us down for a couple of hours based on just the fact that it was a distributed denial of service attack. We did find the issue. It was, you know, remediated, of course, and patched, but,
During that time, there was a lot of just hysteria and trying to figure out exactly where this was all coming from. Attackers used a scanner called Shodan to just be able to just identify exactly the remote code execution and vulnerability. But in doing so, I mean, they used the company's GitLab account to just go ahead and execute a lot of the remote code. So that was interesting. I can share another one. And that was actually, I'm sorry, what was your question?
Adi (23:52.241)
How do you communicate?
No, you continue, sorry.
Jose Bonilla (23:57.658)
No, no, no, no, no. I think I heard how do you communicate, right? Like something, yeah, yeah.
Adi (24:01.617)
Yeah, I was going to ask, like, how do you communicate the severity of the situation to the people working in the company? And like, what do you do after a situation like that?
Jose Bonilla (24:08.858)
Right.
Right, yeah, it's kind of like run for the hills type of situation. You try to automatically just sound the alarm and let folks know, no, I have to kind of wear several hats in that process, right? You have to consider also if any accounts, customer information, customer sensitive data was accessible or at any point in time subjected to exfiltration. So you think of PII.
The acronym we throw out there a lot of the times, personally identifiable information, if any of that was actually subjected to this attack. And you think of just consumer notices from a compliance standpoint, like how are you going to remain compliant? Okay, if you're operating in certain states and maybe the states have requirements of data privacy around customer data and what your obligations are as a financial services company to report on the attack, okay, well, yeah, I got to get started on that. I got to identify the state. I got to identify exactly which customers were impacted.
But the other one as well is also working closely with security engineering teams and cyber reliability teams to figure out exactly where areas were vulnerable to the attack, right? And going back to your configurations, ensuring that things are just definitely revisited and updated accordingly. So you try to do that to the best that you can. And also, as a team, try to figure out exactly who's available. Because a lot of these times, of course, we're going to have our...
on-call engineers that are available, but these attacks can happen, you know, in obviously non-business hours. So, you know, attackers will try to target your organization. And even then I've seen also a rise in attacks whenever there's major holidays, right? Because they're thinking, okay, everyone's just kind of got like their systems and everything down, right? Or essentially there's, you know, a Bill that's not at his desk right now and monitoring PagerDuty or any of the different...
Jose Bonilla (26:03.674)
security systems that we use. So there tends to be that focus, but the triaging is very important as part of that, right? And identifying who's going to be kind of the incident commander, individual kind of responsible for communicating these things. And then at a high level in the organization, how do you just translate everything into a way where the non-technical employees understand the impact that this will have, right?
And so that goes back to even just not only compliance and security, but it also goes back to just your operations team. We have customer support. Maybe this impacted someone's account and they no longer have access to it. They're kicked out of the mobile app. OK, well, they're going to contact customer support. So you have to also work closely with your frontline to just ensure that individuals understand just the gravity of the incident.
Adi (26:55.665)
Interesting. Right now, what is one of the big challenges that you see in the cybersecurity world or a challenge that you face in it?
Jose Bonilla (27:06.458)
Sure, sure. I mean right now in cybersecurity, there's several challenges along the way. I mean you think about a myriad, there's a myriad of just hybrid attacks. I know of some that now a lot of attackers are starting to become more sophisticated with their attack methods and trying to use a hybrid attack approach where it's essentially not just one type of specific attack or approach, but it's more than one.
Adi (27:12.177)
I'm sure.
Jose Bonilla (27:34.938)
And it even can happen in kind of a very high frequency. So it's very important to consider those things. But one of the big ones for me, and I think is also very important and kind of the ethos, if you will, of just everything is just that with small and mid-sized businesses, there's a supply chain issue, right? There's a sense of just like trying to also ensure that you have the best talent on board, right? And trying to retain top talent.
And then the other issue is also with the downstream impact that it has with other organizations and your service providers as well and what they're kind of faced with. I think the big one, and we can see this all around us right now, is that on a macro level, our economy is just somewhat still uncertain. There's things we're trying to figure out as we go along. And a lot of financial services companies, fintech startups, if you will, they are faced with it day to day and trying to figure out the one buzzword that I hear all the time is runway.
What's our runway look like for this year? What is it going to look like for next year? Okay, so how do we actually, what's the trade off, right? Where do we go ahead and just scale back on uncertain security initiatives? I was faced with that most recently, but then also early in my career. So it's interesting how that happens in waves, but being faced with that, it's going back to the concept of just tempering your expectations, right? Okay, yes, you want this latest software.
Yes, you want to see your process build out this way, but maybe we can't do that this year. We have to hit the pause button on it and focus on other initiatives. So there's a lot of conflicting priorities in my mind, but when it's all said and done and on paper, we have to obviously look at the bigger picture and where the company is positioned and where they see themselves in the next year or two. But those are definitely, I would say, some of the woes, I would say, in security.
One of the things I've noticed also is that there's this big shift. Everyone's right now the race to artificial intelligence. I think I read somewhere that by 2029, artificial intelligence will have already been kind of in the billions in terms of just revenue and overall how lucrative it will be. But a lot of companies, of course, are focused on that and looking at, OK, how can we start to integrate this into our product? We see this already with generative AI. But.
Jose Bonilla (29:57.242)
All I'm hearing is not even just the technology. I'm hearing a sense of governance, the sense of like guardrails, where exactly does like security come into all of this? And there's a lot of great stuff happening in the space. Small companies, of course, that are focused on like cybersecurity tax. And you think of the traditional OWASP Top 10 and then apply that to kind of like the AI space. And you're just like blown away with like exactly what will transpire over the next couple of years. And so.
Mark my words, I definitely feel like there will be an increase in that. And with that happening, a lot of more dependencies on security teams to build out sound products using AI and machine learning.
Adi (30:38.353)
Interesting. It sounds like a lot of, like from what I know about you and both what you said now, you're very into like understanding the AI space within the cybersecurity context. Do you think there's...
someone who's getting into this field, someone who's going to cyber security. Is there other things that he should be focusing on from now to understand where it's going?
Jose Bonilla (31:09.338)
Yes, I think first of all, it's a great time, right? If I was fresh out of college and looking at an internship or wanted to do something just out of the box and just challenging myself, it would be exactly that, right?
Adi (31:15.985)
You
Jose Bonilla (31:26.425)
I probably would have even said, you know, I would have loved to have taken maybe a year or two to just travel abroad and study abroad and work at maybe one of these companies out there. But we're seeing that like the European Union specifically has come out with a lot of guidance on just like best practices and security awareness around AI usage.
And one of the big ones for me is that you have to educate yourself. Don't just stick to one thing. Try to become more multifaceted. I mean, online there's so many resources, library of different resources and things to choose from that you can customize, right, to your own schedule and exactly where you're at in your career. But the importance is try to establish a foundation. Find something that you're really good at and at that point just continue building off of that, right, and finding ways where that...
intersects with other things as well. It's very important to understand that. For me, it was just everything kind of fraud and risk, and my foundation, as I mentioned earlier, built out from that, right? So I could have stayed in that fraud and risk space, you know, and just decided that that was kind of like my bread and butter at that point. But there was more to it than that, right? And so I think it's important for a lot of, you know, individuals, especially now professionals that are
early on in their career trying to figure out what's next for security and what they want to do in the security space, that they focus on those things to help build a strong foundation and then kind of work up from that. That would be my advice.
Adi (32:58.321)
So you're saying don't only learn what you have to learn but in a way try going as broad and understanding as much as you can.
Jose Bonilla (33:08.09)
Correct, correct. I mean, a lot of times it's easy to kind of slip into more of just the day to day and what you do, right? How do you apply it to what you're doing in a company and the company's needs as well? And of course that has to come second to none, you know, second to none. But I mean, in part of the process for me is understanding exactly what are the things that you see in the overall industry, right? So if you take a step back, yes, I can go ahead and...
assist the organization with these things, right? And provide kind of serve as a conduit, if you will, for a lot of the things in security and compliance. But if I take a step back, what else is happening in the industry? What's happening around me? I always make it a point to figure out just if there's a company that's out there I've never heard of, I want to learn about it, right? And there's so many, and so it's hard to keep track of all of them. But when you find out what's happening in the space,
then you start to realize, wow, there's a lot going on. I like also my downtime, just going ahead and looking at Web3 and blockchain technology. DeFi is a big one as well, which is kind of decentralized finance. That's a big one. And I think it's just understanding exactly what's happening in the DeFi space as well. And so there's a lot there to kind of just like take in, but.
I know that in educating yourself in that process, if ever you come across it in your day-to-day work, then it's great that you kind of yourself are used in your company as like a Swiss army knife of sorts, right? You understand all these things and you have kind of like a little bit of everything to be able to kind of like contribute to any discussion or even issue that may arise.
Adi (34:53.009)
How do you recommend... What is the way that you learn? Is it reading articles? Is it... Like, what are the ways to get the newest, best information that doesn't just... Is a lot of buzzwords.
Jose Bonilla (35:14.298)
Sure, of course. So, I mean, for security, I would say, I'd be lying to you if I said, I'd love picking up a book and reading it. It's like, you know, no, let's, in the spirit of candor, no, I'm just, I'm not a big reader. If I was, then I'd probably at that point would have had my JD and started up at a law firm. And yeah, I just, I don't. I actually absorb more information hands-on, just, you know, if I can.
Adi (35:23.889)
Hahaha
Jose Bonilla (35:43.738)
and actually just like play dough, treat it like play dough and kind of mold it and shape it, great. But if not, I think part of the process for me is definitely like podcasts. I love podcasts, right? So a big one for me is Daniel Miessler's Unsupervised Learning. I like that one. I like tuning into that. I think just overall his voice and just like hearing him, he's got this kind of like very kind of melodic voice, very low key where it's like, okay, great. You're not like shouting at me, but you're, you know, letting me know exactly how I can apply this to day to day work that I do.
So it's podcasts like that. It's great stuff or what's the other one that I'm thinking of Breakdown Security, a couple of other podcasts that are out there. And then of course you have obviously Krebs on Security, which is like a big one. A lot of folks go there for his website and just kind of pull up to various articles that are being published. But everything that's just kind of online based, right? And quick for me to just like pick up and start to like tune in. In the morning, every time I'll just like turn on my phone, go ahead and just, you know, log in to the podcast and just
hear from there, right? And so I think that that's the easiest for me. And it's a quick 10, 15 minutes, right? And it's just like, again, synthesizing everything that's happening currently in the industry. And then at that point, you know, going about my day. But if I can tune in quickly and I can just like absorb that information, it's great.
Adi (37:02.993)
Interesting. How often do you change the priorities of the things that, let's say, are most important to deal with? So say you have your priorities, you know what you have to deal with, and you're always going to have some amount of risk, I assume. And then you listen to a podcast about some new...
tool or attack or anything that you learned, does that affect what you look at? In what way do these things relate to each other?
Jose Bonilla (37:42.714)
It does. I mean, subconsciously it does. I would definitely say it does. And one of those things is that I'm looking at exactly what we're doing in the downstream effect, right? What I just finished learning about how that can kind of like shift and...
maybe change things for us as we operate, right, as a business and continue to operate. So I think that that is one of those things where I look at, I'm very aware of that understanding exactly how to introduce it and share with the rest of the organization without it feeling like it's kind of a flip of the switch, right? Like, you're kind of thinking really outside of the box here. I still feel like there's a healthy balance between challenging the status quo.
but then also being realistic, right? With like our expectations and the company's plan to continue to scale. So it's very important to consider those things, but for me, it's kind of spoon-fed, right? It's spoonfuls of it in kind of sharing that type of information and seeing if it resonates with anyone, right? Specifically with leadership, of course, because we want to remain lockstep to what we're doing in the security space.
And so if that's, yeah, and it goes back to the idea of like hackathons and driving that sense of awareness because great ideas come out of these hackathons. I mean, we're all, yeah, no, sure. I think the biggest one is like if we find ways to have better automation, right? More streamlining of just the different processes that we have, but instead of us having it be so manual and ad hoc.
Adi (38:57.745)
We're saying.
Adi (39:09.777)
Could you give me an example?
Jose Bonilla (39:24.858)
you know, out of this hackathon came maybe, you know, an engineer that came up with a way to have a clear integration into Jira and ticketing works out this way instead. And we're able to then push to production quicker. And as part of the software development lifecycle, there's more automation that gets introduced by that way.
or the way in where, you know, how we kind of manage our audits, right? If we're looking at various controls, is there a way to kind of give us like a broader look at everything, a more holistic view, if you will. So maybe there's something in Tableau or reporting that they can come up with and it's automated. Great. So those are examples, I think, where, you know, it's important to drive that sense of just like a think tank, everyone just coming together, throwing ideas on the whiteboard and just seeing what sticks, right? So it's important to understand that.
I think to your point and kind of going back to your question, it's taking that information and then understanding, well, should I share with leadership as well and try to like push for this to become an actual initiative and maybe at a company level have it impact the company or should I kind of just like pause and wait to see what.
you know, happens, right, during that process. It's important to understand that because I think there's ways to also have great ideas, but then there's other ways where you can introduce these ideas and it deviates from what we're already doing. So that's where you want to make sure you have kind of the balance of the two.
Adi (40:50.917)
When talking to leadership of companies, you've worked with so many throughout the years and is security something that is usually top of mind for them or is it something that usually comes more from the security team?
Jose Bonilla (41:10.874)
You know, it depends. I would say it's a combination. When I've joined your more kind of larger established companies, you know, they've seen their fair share of attacks, right? I remember joining a very small startup at the time where the CEO thought that they would never, you know, be subject to any kind of attack. Like no phishing attack, no type of like DDoS like I mentioned earlier, like none of that.
And I thought, man, this guy is living kind of like in a utopian state of mind right now. Like it's definitely not that at all. Like, yes, you will get it. You will at some point as a financial services company have an attack, right? You're going to experience it.
Adi (41:43.761)
I'm sorry.
Adi (41:52.689)
How common is it?
Jose Bonilla (41:55.098)
It's very common. I mean, it just depends, right? It depends what's out there. It depends exactly. One of the things I noticed, we again, joined that company that was small, really didn't have much of a footprint. It was a lot of organic growth. So we didn't have like major like marketing and...
you know, all sorts of just like major budget, big budget for us to go ahead and just go out and start to publish things. And we didn't have that. And so, a lot of folks did not know about the company and it wasn't until we started actually coming out with commercials, putting out more articles and, you know, that's when we started to see kind of like an uptick and we're like, wait, what's going on here? Is there something that we don't know about? Is there a promotion that we're running that all of a sudden this is like kind of the impetus for that.
And it was really because attackers just realized there's an actual company out there doing this, right? So it's like, okay, more of a notoriety, more of like word of mouth. And that gets out quickly, even in the best of places and the worst of places.
And so when you look at kind of threat actors, they're always kind of out for the big fish, but the little fish as well. I mean, they're targeting them and they're seeing exactly what they've already kind of established. And a lot of the times they're coming in with a mindset that these smaller companies probably are strapped when it comes to just like resources and budget. They're not going to be able to pour in as much into their security. And so great. That's like easy pickings, right? It's open season on this company. And so I've come across that, but yes,
I mean, for me, it was eye opening to kind of like hear from like C level specifically that high up in leadership that, you know, someone just feels like, no, we're never gonna have an attack. It's like, no, we definitely are gonna be subject to an attack. No matter what you do, there's always, always something that will arise in the security space for the most part. But.
Adi (43:37.297)
I'm out.
Jose Bonilla (43:48.218)
Yeah, I would say it's been a combination for sure. Not just one where a company is actually like fully built out and has a great security team and has a strong mindset on security. But I'm starting to see also, again, we talk about that shift in the industry where I feel like a lot of organizations are starting to work on that, right? You're seeing even at a board level and investor level, show me your security. What have you guys done in security? Like how have you assessed these controls? You're seeing that a lot more now. And so before...
your board members, they didn't care about a SOC 2 report. Like what's a SOC 2 report? I don't know. Are those the ones that I put on early in the morning before I put on my shoes? Like, what are you talking about? They really don't care about it. They care about the numbers. They care about exactly just exactly what you've grown and how you've grown the business and how the product is doing and kind of more along that line. But, you know, with security, we're always viewed as not being revenue based, right? We...
are more kind of like cost.
we take on more of the cost, we take on more of just like the resources, right? So cost intensive. And so it becomes very clear that like, yes, we're going to be using up resources, but understand that it's also because of the process and like building out a great security for your company and ensuring that your data remains, you know, protected in this world of just like ever evolving threats. And so that's the main focus for sure is part of that process. But you're seeing more of an intentional focus on that now where before, like,
they didn't really care much about a report, now they do. And I've seen that even most recently in my experience is that they're asking you questions that are like, well, where are you pulling that from? But it's kind of your due diligence, if you will, of just like making sure that security is up to snuff.
Adi (45:37.169)
Cool. So you're saying it sounds like people who haven't experienced the trauma of having something happen to them are more chill about it and then the people who are in the game for a bit longer know that they have to protect.
Jose Bonilla (45:54.938)
Right, right. I would say there's kind of like a sense of just like, you know, let your foot off the gas for a little bit if you haven't had any type of incident or you haven't experienced one, you know, and when it does happen, then that's where you start to revisit controls, right? And there's more of an intentional focus on it. But I would say so, yes. I mean, around that time, at least when I had the conversation with the CEO that, you know, I...
was working closely with. I mean, it was like, you know, no, we're not going to be subject to an attack. You think we are? I'm like, yes, we are. But, you know, again, I'm sorry to, yeah, exactly, exactly. Yeah. And it's, it's a harsh reality of it all, but the more that you have that approach of like, no, it will happen.
Adi (46:28.177)
I'm sorry to tell you.
Jose Bonilla (46:41.882)
The more likely that your company is going to start to drive more security awareness amongst just each other. What can you do to protect this? How can we manage this? And start to identify some of the deficiencies for sure.
Adi (46:59.441)
Okay, well, we're at the last question. And by the way, even like, thank you so much. You've been so knowledgeable and I feel like I really understand the mindset that you come with, that you really do want to keep the companies safe and just show to people that this is, there is some, like, there are some annoying things like the SOC and all of these other.
Jose Bonilla (47:03.45)
Sure.
Jose Bonilla (47:28.186)
Right.
Adi (47:28.913)
like audits, but end of the day, it's really for the company. So it's, I mean, I think it's such a great mindset to have because there's, at the end of the day, you're affecting people. If people don't care about this, then everything you do is, it goes to waste. So it's a...
Jose Bonilla (47:44.474)
Correct.
Jose Bonilla (47:50.362)
Correct, correct. And something you just mentioned there maybe kind of triggered a little bit of an idea as well and just something that I also want to share with the rest of your audience is that whatever company, professional security professionals are working at, specifically, I'll give you the example that I have, which is in the financial services space, you're dealing with people's money, right? Like who wouldn't want to make sure that your security is up to snuff? Like you're not going to just give...
your money to some guy in a dark alley, right? And let's just face it. And I use that analogy just because it's exactly that. It's like, all right, so let's look at this. You entrust us with your money and your finances. Like you're going to entrust us with your data. That's very like sensitive, highly sensitive. What are we gonna do to like protect that, right? Not just from insider threat, but from external threats as well. And so...
it becomes very clear that it's not even just the customer first, it's just the right thing ethically to do, right? It's like my job, my role is to make sure that we mitigate as best as we can. And realistically, you're not going to be able to address everything, right? We all try, but in an ideal world that would happen, but realistically, resources, everything that we tie into.
competing priorities, all of these things, it's one of those things also that you have to figure out, okay, where is the company currently at? What are our limitations? And then exactly what can we just tackle today and like prioritize, right? And then move from there. Things like SOC 2, which I didn't even explain, right? So SOC 2, system operations control, there's three different SOCs. There's SOC 1, SOC 2, and SOC 3.
Why a SOC 2 specifically? SOC 2 just really tests your operational controls. SOC 1 is more considered like a financial report, and SOC 3 is more for just like marketing purposes, like for your customer base. But SOC 2 actually goes into the nuts and bolts of your organization and tests your security controls and your IT compliance controls. Excuse me. So that's SOC 2. PCI DSS is the Payment Card Industry Data Security Standard.
Jose Bonilla (50:04.154)
So it's essentially a mouthful, but what it does is that instead of just testing all of your non-public information, general data like SOC 2 does, so it's a very broad scope for SOC 2, PCI has a very defined scope, and that scope is literally one thing. Just show me how you protect credit card data. If any of your customers use your service and register a credit card, what are you doing to protect that credit card? That's essentially what the audit does.
And you'll hear it from a lot of professionals recently, the Security Standards Council, which is the governing body for PCI, recently rolled out version 4.0, which comes out, goes into effect April of this year. So literally just last month. And it's very prescriptive. Everyone will tell you it's, I would say first goes FedRAMP in terms of just how prescriptive and tedious it can be.
And then second to that is probably PCI because of just how prescriptive it is. And so, yeah, I just wanted to throw that out there as just like a quick explanation of these frameworks and exactly what they do and kind of why you audit them, but.
Adi (51:08.497)
I think it's important for anyone. It's really important for anyone new in the field. I mean, me personally, I only learned about SOC a few weeks ago. So it's actually really nice to hear someone explaining how it works in a way, like what it actually means.
Jose Bonilla (51:17.658)
Yes.
Jose Bonilla (51:24.538)
Yes, yes, yes, yes. And no, what led me to this point, you brought up working with teams, you know, the kind of going in and auditing these controls as a group and the importance of it. It truly is, because if you think about it, especially for a smaller organization, they're probably hiring you and bringing you on as a security lead because they have no audit footprint.
They've never formally gone out and audited. So what does that tell you? In my opinion, when they say that, there's probably no internal audit. No one has lifted up the hood and taken a look at what's under there. So what needs to happen? Which is scary, right? Which is scary. Yes. Especially if they've collected data and they've been operating for like the past five, seven years. It's like, okay, let's pump the brakes here and let's figure out what's really going on. So that's the first, and it's a snapshot of exactly everything that's happened. But.
Adi (52:04.977)
Which is scary.
Adi (52:15.953)
haha
Jose Bonilla (52:23.418)
In my opinion, that is so many ways like an internal validation of your controls, right? Like going in auditing and having engaging a third party independent auditor is part of the process. And yes, it gives you the, you know, the paper, the certificate that says, yes, you've completed it.
But it doesn't stop there. The work doesn't stop there. We need to go back and then realize, OK, well, what are we doing internally, like audit preparedness, to validate this, like these controls? We should be doing that ourselves, and then taking them to the auditor and saying, OK, here you go, and showing proof that we've audited them. So for many companies that have not had a structure around this, no audit roadmap,
SOC 2 does that, right? It throws you in the hot seat and says, look, these are the controls you have not reviewed. These are the controls that you need to start taking a look at and having some form of internal validation, whether it's automated or manual, but someone has to go in and make sure that these controls are operating effectively. And so, yeah, I say sometimes it's trial by fire for some companies and it's like, okay, we got to get our stuff together.
or companies have an idea of it. They're already kind of gearing up towards that and then they start wanting to actually formally assess the controls. So yeah, it's interesting stuff, but I love every minute of it for sure.
Adi (53:45.617)
Interesting. Wow. I'm just thinking like how, what an experience to go into a company that never did any security before. And then just finding all the, everything that you find out.
Jose Bonilla (53:56.858)
Right.
Jose Bonilla (54:01.13)
Right, yep, the web, the web if you will, of just so many different things. No, no, no, probably not. Doesn't make for like a best Friday night work and like closing out the week, but it makes for good cocktail hour and just like discussion, right? Like definitely, definitely that I would say.
Adi (54:06.929)
sounds not so fun.
Adi (54:19.113)
I'm sorry.
Adi (54:26.289)
that actually connects me back to the question that I was gonna ask, like to sum up of what advice would you give, I was gonna ask what advice would you give to someone who's just getting into the field, but now I wanna ask instead, what advice would you give someone who's going into an organization like that? Like a place that was never before audited or even, you know.
Jose Bonilla (54:51.834)
The advice I would give them is take a deep breath. Take a deep breath first, just take a deep breath and then go through kind of your steps that you have. If you want even write them down. Have kind of a notepad of just the steps that you want to take to go ahead and go through the process bit by bit.
Adi (54:57.169)
I'm sorry.
Jose Bonilla (55:17.274)
and try to just focus on that. I'm big on acronyms and so a lot of times if there's something that really sticks with me it's because you know I use it in my career development and just working but I have the idea of like a security shark and this was shared by one of the directors of engineering with me most recently when I worked on like a specific project and said you know you got to be a security shark and it's basically the idea of shielding, hunting, advocating, reacting.
and compliant. So it's those five. And how to kind of describe each one. I mean, essentially what you're doing there is that you're trying to determine exactly within each one of those elements, exactly how you can best add value to the company. So interpret it however you want. But at the end of the day, it's looking at where the company's at, taking a snapshot of that, asking questions, and just being very curious.
leading in with curiosity and then going back to your security shark points and going from there, right? And having kind of a very iterative approach, understanding that even the solution that you come up with may not address it overnight, right? But those pain points with the company, what are you gonna do in a very iterative process, right? Month after month, quarter after quarter, term after term, however you break down in your company, but that fiscal year, what are you doing?
leading up to that and providing kind of a strategic roadmap for yourself of like, okay, these are the things that I'm looking to target and what I want to do, right? Each and every month, this is the deliverable or this is what will impact directly my work with the organization and how it will continue to impact the company's security posture and just go from there, right? But always kind of like road mapping and just ensuring that you have a plan for yourself every month.
not only just to grow professionally, but of course prove to the company and yourself the value that you bring.
Adi (57:18.385)
Amazing. Okay. So Jose, it was so nice to have you on the podcast and thank you for being here with us today.
Jose Bonilla (57:25.498)
Yeah, thank you so much for having me. It's my pleasure. It's great. I mean, who doesn't like talking about themselves and just a little bit of their experience? But honestly, this is a real pleasure. Thank you so much for inviting me.