Get IT Started Podcast

Anna Belak, former Gartner Analyst and Sysdig Director, Office of Cybersecurity Strategy

Hello and welcome to Get It Started Get It Done, the Banyan Security podcast covering the security industry and beyond. In this episode, our host and Banyan’s Chief Security Officer Den Jones speaks with Anna Belak, a former Gartner analyst and cloud, container, and Kubernetes buff. We hope you enjoy Den’s discussion with Anna Belak.


Speaker 1 (00:03):
Hello and welcome to Get It Started, Get It Done, the Banyan Security Podcast, covering the security industry and beyond. In this episode, our host and Banyan’s Chief Security Officer Den Jones speaks with Anna Belak, a former Gartner analyst and cloud, container, and Kubernetes security buff. We hope you enjoy Den’s discussion with Anna Belak.

Speaker 2 (00:29):
Hey folks, welcome to another episode of Get It Started, Get It Done. I’m your host, Den Jones, uh, the Scottish guy with a shitty accent, and this is Banyan’s, um, adventure, I guess, into podcasting. So if we fail as a software company, then I guess this is what we’re falling back to, which I’m just glad that we’re not gonna have to fall back to this nonsense. So, uh, every episode I bring in some exciting guests. I’m not even sure how I meet some of these guests, so if you wanna learn how I meet them, uh, I don’t have any good advice there either. Uh, but this, this show, we have got Anna from Sysdig, and just so I don’t totally butcher the shit outta this. Anna, why don’t you introduce yourself, <laugh>.

Speaker 3 (01:14):
Um, hi. It’s a pleasure to be here. Thanks for having me. We met on the internet, actually, I think like most people meet on the internet these days, right? Uh, I am Anna Belak, I work for Sysdig, and at Sysdig I own something called the Office of Cybersecurity Strategy, which tells you almost nothing about what it is that I do, <laugh>. It’s, it’s very cool

Speaker 2 (01:34):
Title. We’ll dig, we’ll dig, we’ll dig into that shortly, I guess.

Speaker 3 (01:38):
Yeah, so I’ve been at Sysdig for almost two years. Uh, before that I put in six years at Gartner as a Gartner analyst. And there I covered, uh, DevSecOps things, Kubernetes containers, everything related to that world, and then also security operations, um, threat detection, vulnerability management, and all that goes with that. So I claim that I know all of that <laugh> very well, and that’s why they let me do things like cybersecurity strategy.

Speaker 2 (02:04):
Awesome. Yeah, and it, it is funny. So, um, our connection came by way of Brian Kennedy, who I worked with during my Adobe days when he was at CyberArk and my Cisco days as well, I think actually. And, and Brian and I, we were, we were chatting and stuff and I’m like, what, what the hell is this Sysdig thing you’ve moved to? Cuz he’d been with CyberArk forever. I never, I, I never thought he would move, but, but somehow Sysdig managed to convince this, this, this awesome guy, Brian to move over. So, so what is, what does Sysdig do and why should we be paying attention to Sysdig?

Speaker 3 (02:42):
Uh, Sysdig’s extremely cool actually, which is obviously why Brian works here now and why I work here. <laugh>, uh, so the short version is we’re a cloud and container security company. Uh, the slightly longer version is, as you all know, cloud is all the rage. So everybody’s doing everything in it. Um, the kind of handy thing about cloud, like the real valuable thing about cloud is you can get started very quickly. So if you were like, started a company tomorrow and you wanted to build some software and deploy it somewhere, you don’t have to worry about like building a data center and building a team to run the data center, right? You can just kinda like provision some stuff with a credit card and try it out and you might actually have an MVP of your product in like days, hours, right? Yeah. Um, so that’s really cool and it’s causing lots of people to go and do these things. And Sysdig comes in at the point where you’ve, uh, maybe decided to add some security to whatever it is that you’ve created <laugh>, cause uh, people probably won’t buy it otherwise. Uh, so we secure pretty much the whole life cycle of a cloud native application. So from like the artifact that you would deploy it all the way into runtime, uh, threat detection and monitoring of that beautiful, beautiful product that you are building.

Speaker 2 (03:52):
And, and now, uh, it, it’s funny, right? Cuz my experience, certainly in the Adobe days, we were very early adopters of that cloudy business, AWS and everything. And, and the experience I got was, it’s so easy and super quick to get the shit up and running, but it’s also so easy to screw it up and make it really insecure and leave doors open all over the place. So, so do you guys address the poor configuration of the doors being left open and S3 buckets magically being available for everybody? Or do you address some other kind of space

Speaker 3 (04:28):
We address? Uh, kind of all of it. So the configuration is like sort of the first step. Oh, I mean, I guess you could argue vulnerabilities are the first step and the configurations are the one point, fifth step, if you will. So you have to ensure that you haven’t left any like, critical CVEs in there and then that you haven’t left the door wide open. So we’ll check that for you and let you know if you’ve screwed up. Um, but then I think the actually more interesting piece, and arguably the harder piece is what happens after that, right? So let’s say you’ve configured it all beautifully and it’s perfect and you’ve deployed it and then time moves on and in time, like new vulnerabilities are disclosed, or, um, maybe it turns out that you didn’t configure it as well as you thought. Um, like there are moments where your CSPM tools will scan and say, okay, you’ve done a good job with all these requirements, but then there may be some tiny nuance where you like put the wrong character and all of a sudden it becomes a big issue, right? So, uh, we specialize actually in the runtime piece, right? So what happens after it’s deployed? Um, is someone messing with it? Are people just kind of doing run of the mill things, administrative tasks that look weird? How do you know the difference between something that looks weird and something that is weird? Um, so that part’s really fun. Like our threat research team discovers all kinds of crazy things all the time in terms of cloud attackers doing cloud attack things.

Speaker 2 (05:46):
Yeah, no, that’s, that’s awesome. It is, yeah. It’s, it’s, it’s funny, right? Because I know that the market is a busy market right now. I mean every, so cloud suppliers, um, they’re, they’re trying to improve how they secure what their customers are leveraging, and then you’ve got all these niche products that will jump in. They’re like you guys where you’re like, yeah, we solve this problem and we solve it really well and we do it really cool. So it’s, it’s another piece of Kool-Aid. Um, it’s a fascinating market. Now, I I, I do remember in my conversation, uh, with Brian and your team, somebody said you were a bit sassy <laugh>. I’m like, so what, what, what, what, what was, what is, what is this sassy business? How, how would you describe yourself or why do you think your friends describe you as sassy?

Speaker 3 (06:39):
I assume you don’t mean the SASE, secure access service. Sorry.

Speaker 2 (06:44):
Well, that’s a funny thing. I’m like, are we talking a security acronym here or just a personality trait?

Speaker 3 (06:51):
Um, I actually can’t, cannot stand security acronyms. It’s one of my pet peeves. Um, I don’t know, I just like the bullshit allergy I think, right? Like, I really don’t tolerate the bullshit. Well, um, maybe it’s a little cultural, like my family’s Russian and it’s a very transparent kind of folk. Um, but I’m, I aim to be very to the point, right? Like one of the cool things about being at Gartner is you’re trying to help people navigate this mess. Granted, Gartner is guilty of inventing the acronym, so we sometimes make it worse, but nonetheless, like you want to help people get to like the answer, right? Uh, and sometimes the fastest way to do that is suggest like remove all the nonsense first and say, look, this is all bs. Like this is the point <laugh>. So that’s kinda my jam.

Speaker 2 (07:35):
No, that’s awesome. It’s awesome. And I, you know, I’m, I’m very similar, right? I, i I think it’s a cultural thing where we grew up just like no bullshit straight shooters. It is what it is. And, and ultimately for me it’s like my reputation is more important than sh than hiding something under the carpet. Or I’d rather just be like, if the team’s screwing up, the team’s screwing up, let’s, let’s all call a spade a spade and then figure out together how we move forward rather than try and hide shit under the carpet and, and then hope it goes away. Cuz these things tend to never go away. They tend to bite you in the ass at some point. <laugh>. Now, um, I picked up on the ex Gartner analyst doesn’t like acronyms. <laugh> <laugh>. So, so let’s dig into that a little bit. So, um, Gartner, who are famous for coming up with acronyms, cuz I think everything needs to be in some magic quadrant. Everything needs to be understood from a go-to-market strategy. Everything needs, pigeonhole needs to be in a box. So I mean, what’s, what’s your views on, is that, do you, do you think these, do you think that approach is helpful for practitioners or do you think that’s just more helpful for marketing and sales and, and, and people like that?

Speaker 3 (08:57):
Yeah, that’s a good question. So I love Gartner by the way. Um, really cool job. Uh, if you get a chance to work there, you totally should. It’s like awesome. Um, so I think there is, it’s actually hard to tell when the acronym creation is useful and when it’s not. Um, but if you think about it for a minute, it becomes obvious, right? So it’s useful when you’re defining something that isn’t well understood, right? Or when something has changed a lot. Um, it’s not useful when you’re just like naming random things for the sake of putting them in boxes, right? So I, for example, um, I don’t like it when we create acronyms that make it unclear what’s actually being described. Uh, or when we create acronyms that it can, could include like too many things <laugh>, right? Like this is the acronym for all of security and you’re just like, okay, why?

Why? Yeah. Um, so I think it’s, I think it’s hard to say, um, I would say most analysts are trying to be helpful. Um, but we also end up in our own heads a little bit, right? Like, we want like the perfect definition of the perfect market. And that’s not really possible cuz it’s really messy in real life. Uh, practitioners I think don’t actually care about the acronyms, right? Like they just wanna know like, how do I solve my problem? Um, yeah. So I always ask the question of like, okay, how is this helping? Like how is this helping me? The security analyst or me, the CSO like get from A to B. Uh, and I choose usually to avoid using the acronyms unless I have to like tell you which thing to buy. Like you need to buy this type of thing, uh, because it’s usually not helpful.

Speaker 2 (10:25):
Yeah, it it, and it is funny. I mean I’ve, I’ve, I’ve done since joining Banyan, I mean a lot of my time is evangelism and conference talks and things like that nature. And I avoid, I avoid really talking about our prob our, our, our technology. And I gravitate to the problems that, that people need solved, right? And in, in some cases our technology will solve the problem on the thing I’m talking about. In some cases it doesn’t. I think the big thing for me is, um, I, I spent 25 plus years out there in the trenches building systems, deploying technologies and, and solving problems. And I don’t remember anywhere in the 25 years knocking on my executive door and saying, Hey, we’re gonna do some zero trust <laugh>. It’s like you, these terms, these terms are great to frame things. I think like you say, I mean, is it, is it a good way to say when, when someone’s is trying to solve these problems, this falls in the bucket of, or someone’s trying to sell you something that falls in the bucket.

But, but the reality is is I I I’m paid to solve problems and from a security perspective, we’re paid to reduce risk. And at the end of the day, ultimately, um, if you are being attacked by a nation state or if you’re concerned about ransomware or have been, um, impacted by ransomware or you’ve been impacted by some business email compromise scams or whatever else, I mean, the reality is, is nobody really, I, I make this joke, I’ve never met a CEO who said, I want to spend more money on cybersecurity, or I wanna spend more money on IT. They don’t wanna spend, they don’t wanna spend that money on that shit. They wanna maximize profits and reduce expenses. So that means we are akin to car insurance. You’re really only spending the money on it because somebody said you had to. And if they could get away with not spending it, they would, they would rather not spend it.

I mean, un unless there’s some direct business benefit where they can generate revenue. Um, I I, and, and it’s funny cuz I’ve, I’ve seen this over 30 years and it, it’s almost like everybody would try and avoid it. And I remember being at one of one of my previous roles where there was a big breach and it was very public and then all of a sudden all the money was made available. All the money you had ever asked for the 10 years before suddenly becomes available <laugh>. Um, and security becomes the number one thing, you know? Uh,

Speaker 3 (13:13):
Yeah. That’s the, the famous, uh, trope, right? Like the best way to get security budget is to get breached.

Speaker 2 (13:18):
Yeah. I I, you know, if you had, if you had a security incident, uh, in Q3 it was the best <laugh>. Cause that’s, that’s where, that’s where you’re doing budget, that’s where you’re doing budget planning, right? For the next year. And, and then if you’ve got a security incident in Q3, that timing’s perfect.

Speaker 3 (13:36):
But all the zero days came out in Q4, man, <laugh>.

Speaker 2 (13:39):
Yeah, I know, right? So you’re like, you know, shit. Um, so yeah, so it’s, it’s funny. Now, how would you, so how would you describe, so you, you’d done the Gartner job for a lo for a number of years and, and then you’ve moved over to Sysdig. How, how would you describe the difference between the kind of role, the work you were doing as an analyst compared to the work you’re doing now?

Speaker 3 (14:03):
Yeah, it’s actually, uh, hilariously not that different. Uh, I guess I’m cheating where I just take, I got the job I love and I, I’m keeping it at a different company. Um, it’s, it’s not different because what my, what my function is supposed to do, the office of cybersecurity strategy is exactly what you’re describing. It’s like, let’s go find our customers or our prospects. Let’s actually figure out what they’re suffering from. Um, and then talk them through kind of like the process of getting to a point where they’re gonna be suffering less. Um, if that results in them buying our trinket, like that’s fantastic. And if not, that’s okay too. Cuz that’s not my job. Like my job’s awareness really. Yeah. Um, and it’s kind of like the thing too is we’re very early in what we’re doing. Like we’re doing security for this new way of operating.

That’s still quite early maturity in the grand scheme of things. And security programs aren’t built outta acronyms, right? No one like was working on their security program going, ah, I need to check all these boxes of like CNAPP and CSPM and whatever. Um, so we start from there. We start from security program kind of design and thinking about what gaps people have and what they’re trying to build and then follow them on that journey. Um, and that’s really what Gartner does too. Like Gartner has customers call them and ask a question of like, I have this problem, what do I do? And then Gartner answers the question. Uh, probably the biggest difference, which is fun I guess is that Gartner customers on average, like they’re average, right? If you take all the enterprise IT people in the world, you average them out.

Like that’s the Gartner customer. Um, because we are doing something very bleeding edge. Most of our customers and our prospects are actually also super advanced, um, and super skilled teams and companies. So they get to tell us about things that Gartner doesn’t actually hear about for a few years <laugh>, because they’re kinda, yeah, right? So this is really fun cuz I get to talk to just like FinTech and like high tech customers who are doing really cool things and I’m like, wow, okay, I anticipated that might be a problem someday, but like watching you work it out and be trying to help you solve it is really fun.

Speaker 2 (15:59):
Yeah. Yeah. It it, it’s funny, right? Because I I, any tech forward company, those tend to be fun because you’re, you’re sitting there bleeding edge and I, I remember, you know, my team in Adobe, we’d, we’d sit there and we’d try and figure stuff out and, and actually our zero trust deployment, like, uh, we’d had very few 2017 very few reference companies. I mean the Google BeyondCorp was, was brilliant, but, but it wasn’t within our price range. I mean, we couldn’t afford to do it the way Google had done it. So, so we had to get creative and then start working with vendor companies and partners and, you know, glue shit together, really. And when you’re that bleeding edge, then you’re really working with companies like Okta and these other guys and saying, Hey, we need you to build an integration between this and this.

We need you to build something that doesn’t even exist yet. And you’re, you’re really partnering in with teams like that to kinda move into the future. Um, so, and, and it’s fun, you know, that for me is always fun when I’m doing the circuit now and, and talking to other CISOs and executives, it’s, it’s interesting for me to see the different sectors and how much of a struggle it is for certain industries where their investments not brilliant or their investments brilliant, but their risk tolerance is really low, which means they’re not getting as adventurous with cloud and some of the other stuff, you know, as I think they could be. Um, but again, you know, everyday risk tolerance is different. So it’s, it’s, I think that market, like you say right, the, the cloud market, we’re not tapping into the potential customer base that’s that’s available there. It’s, you know, it’s a huge industry that that’s only, only just begun really. Right.

Speaker 3 (17:59):
Gonna be a fun couple of decades.

Speaker 2 (18:00):
Yeah. Yeah, exactly. Well, I, I kinda look at it like, I remember I was a Novell admin years ago, right? And I remember people being like, oh, that shit’s gonna die a death, Microsoft, da da da da. And it’s not like they were wrong, but for 10 years later I was still getting pulled into stuff where Adobe had customers who were still running Novell and they still needed our lab team to come up and do some testing on Novell platforms. And literally finding something in Adobe like 2010 that knew Novell was <laugh> was pretty tricky.

Speaker 3 (18:40):
Um, I know Novell was full of smart people because like half of them went to Gartner or something. <laugh>.

Speaker 2 (18:46):
Oh yeah. It’s funny for me that that technology was brilliant. I mean, it was, they, they had some great tech. Um, now when you’re not working, what do you love to do for fun?

Speaker 3 (18:59):
Okay, I don’t know if this is still embarrassing or if it’s cool again, but I’m actually a gamer girl.

Speaker 2 (19:04):
Oh, gaming and what’s, what’s the go-to game at the moment?

Speaker 3 (19:09):
Uh, at the moment I have two small kids, so I have to play things that can be paused. Uh, so I play Hades, which is like a roguelike, uh, Hades is an awesome game by the way, so you should try it if you haven’t. Uh, my original go-to game is Dota 2, which is actually how I met my husband.

Speaker 2 (19:23):
Oh really? Wow. Yeah. Like you guys were both gaming and online and stuff and you met that way.

Speaker 3 (19:29):
We met kind of accidentally on the internet. Yeah. And Dota 2, by the way, is like a super toxic community. So these people will like say things about your mother and troll you. And uh, nonetheless, I married one of them <laugh>.

Speaker 2 (19:38):
Oh jeez.

Speaker 3 (19:40):
So yeah,

Speaker 2 (19:42):
It is, it’s, it is funny. It’s like, you know, my, my kids, my, my daughter’s 18 actually. And so, um, her friend group are, are are go be, they go beyond the people you meet in high school now. So, so it’s really bizarre. Yeah. Cuz cuz she’s online, she’s in the gaming community or other communities and stuff and it’s fascinating how people in the future, they’re gonna meet other people. Just not, not the way I did. I mean, shit, half my friends, they’re either from school or from work, but that’s it. And very rarely have I got a friend that I’m still in touch with that I’ve met through some other community. Um, so yeah, that’s a

Speaker 3 (20:21):
Bit bizarre. Well, work is online too now. Um, I’m actually the opposite. I think most of my friends are people I met online too.

Speaker 2 (20:29):
Yeah. Yeah. I I guess I’m not, I’m not online like that as much. I mean, I guess I’ve got some CISO Slack groups and some other groups like that, but I kind of still consider that work I guess like if, if I meet people through that community. Um, but then there’s some other music related stuff and things of that nature where I guess I’m, I’m expanding that friend circle through, through that interest. Now, um, you men you mentioned, uh, oh, so when you were talking to non-techie friends and family, how do you describe your job to them?

Speaker 3 (21:09):
<laugh>? Um, I tell ’em that I write blogs about security <laugh>. It’s actually, it’s really hard, uh, to explain to non-techie people cuz I think to, uh, to non-techie, especially people who have, like I say, real jobs. Like if you’re a teacher or a nurse or something, you do like actual work that is obviously valuable. Um, so to explain like why somebody even needs what I do is, is really painful. Yeah. Um, the closest one maybe is, I’ll say that I’m like a teacher for adults that don’t understand IT, <laugh> or whatever. Right. Um, it’s sometimes I sound like a journalist, which is also kind of true. Um, yeah. But yeah, it’s, it’s a weird job. Um, really I’m trying to explain unnecessarily complicated things in words that make them simple and, and actionable. Uh, but it’s hard to explain why somebody should pay me for that.

Speaker 2 (22:00):
Well I used to dodge the whole question I used to tell people, because I’m based in San Jose, California, I used to tell people I’m an igloo repairman and I figured if I tell them that they’re not going to ask me any computer advice, they’re not gonna try and get me get them any cheap software, you know, bullshit stuff. They’re not gonna like bore me with their stupid question about why their laptop’s not working. Um, you know, so, and, and then definitely they’re not gonna knock on my door to get the igloo repaired. Um,

Speaker 3 (22:31):
Not in San Jose, I don’t think.

Speaker 2 (22:32):
Not in San Jose. So I, I figure it’s probably better just to tell them that or uh, uh, if they do visit my house, you know, I’m a starving musician.

Speaker 3 (22:42):
<laugh>. That’s a good one. Yeah.

Speaker 2 (22:44):
And quite clearly not starving based on my studio setup, <laugh>. Um, so

Speaker 3 (22:50):
I did not make it as a pro gamer. So, uh,

Speaker 2 (22:53):
I no, I know. That’s the thing. Like I tell people I’m a musician who does this job because I need the money to buy music gear.

Speaker 3 (23:02):
Fair, fair.

Speaker 2 (23:03):
And that really kinda describes my, my, my, my view of the world. Let’s

Speaker 3 (23:07):
Do that. Yeah.

Speaker 2 (23:09):
Oh yeah, yeah, yeah. So yeah. So I think that’s the thing, right? I also know I’m not a good musician, <laugh>, you see, because if I was really talented and good at what I’d done musically, then we wouldn’t be having this conversation because I’d be on my helicopter going to The Bahamas for a gig or something. Right? <laugh>.

Speaker 3 (23:26):
So this is like, I’m starting to get the sense that cybersecurity is full of people who failed at the actual job they wanted

Speaker 2 (23:31):
Because probably, yeah,

Speaker 3 (23:33):
I was supposed to be a physicist. Like I’m a failed physicist actually I have a PhD in like computational physics and I was like, I just don’t like it very much <laugh>. But it took me like six years to figure that out. Yeah. Um, so I quit and got into cyber and then I was on David Spark’s podcast and he told me he’s a failed comedian, so now he’s a

Speaker 2 (23:51):
Podcast. Yes. Yeah, David, he he, he was, he was a standup comic right? Or something like

Speaker 3 (23:56):
That. Yeah, yeah. In New York. And he’s like, just wasn’t very good at it. It’s like, here I am podcasting <laugh>.

Speaker 2 (24:02):
Now how did, how, so how did you get into cyber? Like what was your entry? What got you in the door?

Speaker 3 (24:08):
Uh, accidentally I guess. Uh, it’s actually a kinda a dumb story. So I got into Gartner, um, because I quit physics and I was like, I won’t do this. It’s too hard. Uh, let’s do something a little more instant gratification cuz tech moves really fast and physics moves really slow. Uh, and I show up, I applied to a bunch of jobs and Gartner was actually hiring some fairly junior folks, which they don’t do very often, but they do sometimes cause I’m like straight outta grad school, right? And I get this job and they’re like, okay, you’re gonna cover like Docker cuz no one else knows what that is, <laugh>, nobody wants to touch it. I’m like, sure, I’ll cover Docker, whatever that is. Uh, and I did this for a few years, but at my onboarding, like my first day at Gartner is like an in person.

They’d fly everyone out and you meet everybody. I’m sitting with my manager and this other manager shows up and he sits across from me and he goes, you’re an experiment and I’m watching you <laugh>. And I’m like, he’s wrong. This guy, security guy, obviously, right? Like only a security guy would do that. Uh, and he asked me a question, I actually don’t remember what I said. He asked me a question about what I think about security with respect to something. And I knew nothing, like nothing at this point, but apparently like my physics brain conjured. So I’m like half intelligent response. And he filed this away as like, okay, she’s kind of smart. Uh, and then three years later he had an o opening on his team. So pick me. He was like, how would you like to do some security <laugh>? I was like, I know nothing about that. And he was like, doesn’t matter, <laugh>

Speaker 2 (25:27):
Doesn’t matter. You’ll learn, you’ll pick it up. So

Speaker 3 (25:30):
As that, literally that’s what happened. And I joined that team, which had, um, two, uh, very brilliant analysts that people might know, Anton Chuvakin and Augusto Barros. And they taught me like everything I know. And here we are.

Speaker 2 (25:42):
Wow, that’s awesome. And it’s, it’s, it’s funny, I’ve spoken to a lot of Gartner analysts over the years during my time at Adobe, right? I mean, Adobe, first of all, was a customer of Gartner and we, we’d meet and talk to a lot of analysts, but quite often they would call us and they’d be like, what are you guys up to? Like, yeah, what are you working on? What’s your, what’s your next 12 months or three year plan looking like? And, and I think it is because they, they kind of recognized that we were doing a lot of forward thinking. We were ahead of the curve of a lot of customers. Um, and you know, I, I was blessed because my team, I mean, I, I assembled a brilliant team with the, the enterprise security team at Adobe. So my life was really simple in the sense of I had great leaders, I had great people on the team, they were executing, I was giving them just enough, uh, uh, just enough rope where they could, you know, they could swing from the trees or hang themselves.

Um, and, and ultimately, you know, when shit hit the fan, give them enough backing and stuff as a leader to say, Hey, I’ll own, I’ll own it. When it goes to shit and you can own it when it’s successful. Um, I mean, I’ve asked the glory of the team anyway, right? So what does it matter? Um, and, and when it all goes to shit, my, my joking personality would always play it off. I mean, we, once we once shut down, we were doing, we were doing our, our zero trustee business and we were playing around with NAC policies and my, my engineer by mistake ended up shutting down the whole network. <laugh>, like ev everybody was offline, with the exception of the 50 people in our pilot group for our, our zero trust effort, right? <laugh>. So, so we are all working away thinking life is fine, it’s fine.

<laugh> the rest of the company was all down, right? And, and we were getting to this point in the project where we were talking about restricting network access, um, and turning office networks into guest networks, which is kinda like a bit of a high risk maneuver, right? I mean, networking in general is a thankless profession where you’ve always gotta get it right. And like electricity, you know, nobody, nobody thanks you when it works and they will kill you when it doesn’t, right? Sure. So I went into, I, I went into a meeting the following week after this outage with, with our CSO and our CIO, I, I solid line to one, dotted line to the other. And we’re having the conversation about the next phase of this project, but I’m talking about, you know, restricting network level access and the CIO, she’s like, oh, like you did last week, <laugh> <laugh>.

And, and I, and I looked at her and, and, and you know, the bullshit artist in me all I turned around and said was, Hey, you’ve not thanked me for that yet. And, and her and my boss, you know, the CSO, they just look at me and they’re like, what? What, what do you mean? Like, you shut down the whole network? And I went, you’ve not thanked me for that. And, and they’re looking at me puzzled. And I went for the first time in our history, I could guarantee there wasn’t a bad actor on our network, <laugh>. I went, guaranteed. And they look at, they look at me and they just start laughing <laugh>. And I’m, and I’m like, you’re welcome, <laugh>. I went, now granted, there was nobody on the network, but at least we knew there was also no bad actors on the network.

<laugh>, it was the safest we’ve ever been. It was the safest we’ve ever been. And they just started laughing and I was like, okay, yeah, we’re still, we’re still doing the root cause analysis on how we got there. Don’t worry, we’re gonna come back on that. You know, the seriousness kicks in at some point and you’re like, yeah, don’t worry. You know, we we’re, and we did a full RCA on how it happened and, you know, all that nonsense. And ultimately, um, for me, you know, getting, getting to be in that kinda situation, I’m like, we’re, we are really pushing the envelope when, when we’re taking just, we’re trying to take calculated risks. We’re trying to move fast. Um, but we don’t, we don’t done some fun stuff. It w it was always, I, I think in our industry it’s always about balancing that risk and we’ve got the risk of the bad people attacking us, or even insiders, which are still bad people, I guess.

Um, but sometimes those insiders are just naive, uneducated employees who are actually trying to do their job and still, you know, cutting corners or making mistakes and, you know, there’s bad outcomes and bad business things caused by that. So anyway, anyway, needless to say, uh, we still have a good long career ahead of us because there’s always, there’s always bad actors and there’s always the advent of, of technology moving forward. I’m gonna say with our career ahead of us. Anna, there’s one thing I always like to ask people these days. How concerned are you about that AI business?

Speaker 3 (31:16):
<laugh>, do you have another 30 minutes? <laugh>?

Oh, AI business? Um, I don’t know, man. I’ll tell you the thing that’s actually most concerning to me about the AI business is the way that most people think about it. Um, we were actually just talking about this with a colleague of mine. Like social media hit us in a, in a way, um, and it caused some pretty painful outcomes, right? Like you have kids like struggling with like kinds of mental health issues now that we couldn’t have anticipated, you know, 20 years ago when this all started. So I think AI is gonna actually cause the most damage in this specific way of like, unintended outcomes that are actually very human, where people like lose track of what’s true and what’s not. And people kind of lose track of how to relate to other people and all these things that are very much taken for granted.

Like I don’t think it’s the killer robots we have to worry about <laugh>. Like I think it’s what it actually does, causes humans to do to each other. Um, that is scarier for me. Uh, the underlying tech is like, I don’t know, I’m not that excited about it. Cuz if you’ve been following it for a couple decades, you kind of, it, it’s doing the thing we thought it would do, right? Um, like actually we were also just talking about a company called Endgame that you probably know, or Endgame invented a chatbot like six years ago or eight years ago, whatever it was, right? Mm-hmm. <affirmative> and okay, like whatever, it’s just another chatbot. It was pretty effective. So I do think the evolution cool. Um, but I’m worried much more with the human impact, uh, than the technology stuff.

Speaker 2 (32:45):
Awesome, awesome. Yeah, it, it, it is, it’s, yeah, it’s definitely something more and more people are getting concerned about from a security angle. Um, in, in some cases, I, I know of companies already that are trying to restrict their employees’ access to some of these technologies because they don’t want them to upload, uh, company IP, source code or employee data or customer data and stuff like that. So I think there’s, I think the next 10 years we’re gonna be cloud security, AI security and like you say, like, is it, is it the, the rise of the machines we’re concerned about? Or is it the, the knock-on effect to the humans and how we respond? And generally speaking as humans, you know, we’re pretty shit when it comes to responding to, to big, big sweeping changes like this.

Speaker 3 (33:44):
So yeah. And we’re shit at risk management. So

Speaker 2 (33:47):
<laugh>. Yeah, <laugh>. Yes. Yes, for sure. Now, uh, thank you very much Anna. This has been awesome. Really appreciate your time. Thanks for coming on the show. I’d love to have you back maybe at some point we do a panel with some people talking about just AI in general and see where, see where that goes. Um, are you gonna be at Defcon or Black Hat this year? Is that something that you guys are getting involved in?

Speaker 3 (34:11):
I believe I will be at Black Hat. I don’t think I’ll be at Defcon. Um, but yeah, Black Hat, if you’re there,

Speaker 2 (34:17):
Yeah, I’ll be there. Yeah, I’ll be, I’m gonna roll in on the Thursday cuz I’m gonna actually hang out for Defcon more than I will be at the Black Hat event. Okay. So yeah, so that’s my current plan anyway, unless something marvelously changes. So. Awesome. Anna, thank you very much for your time. I really appreciate it. It’s been great having you on the show and uh, yeah, we shall catch up again soon.

Speaker 3 (34:42):
Awesome. Thanks for having me again.

Speaker 1 (34:45):
Thanks for listening. To learn more about Banyan Security and find future episodes of the podcast, please visit Special thanks to Urban Punks for providing the music for this episode. You can find their track, Summer Silk, and all their
