Get IT Started Podcast

GISGID EP 31 – John Yeoh of Cloud Security Alliance

Hello and welcome to Get It Started Get It Done, the Banyan Security podcast covering the security industry and beyond. In this episode, our host and Banyan’s Chief Security Officer Den Jones speaks with John Yeoh. John is the Cloud Security Alliance’s Global Vice President of Research, a position that allows him to share important industry analysis from a nonprofit perspective. We hope you enjoy Den’s discussion with John Yeoh.

Speaker 1:
Hello and welcome to Get It Started, Get It Done, the Banyan Security Podcast covering the security industry and beyond. In this episode, our host and Banyan’s chief security officer, Den Jones, speaks with John Yeoh. John is the Cloud Security Alliance’s global vice president of research, a position that allows him to share important industry analysis from a nonprofit perspective. We hope you enjoy Den’s discussion with John Yeoh.

Den Jones:
Hey, everybody, welcome to another enthralling episode of Get It Started, Get It Done. I’m your host, Den Jones, the guy with the wit and wisdom or maybe I’ve just got the bullshit and somebody else will bring the wisdom, not sure. But every episode, I have some amazing guests and today is like no other. So, John Yeoh from the Cloud Security Alliance, CSA. Hey, John, thanks for your time and why don’t you introduce yourself.

John Yeoh:
Hey. Den, thanks for having me, man. I’m John Yeoh, I hope to bring wisdom or bullshit or both, probably a lot more of one of the two. I’ll let you decide.

Den Jones:
Why not, brother?

John Yeoh:
So, yeah. John Yeoh, I’m head of research at CSA. It comes with a lot of different titles, research director, executive vice president of research, chief innovation officer. I don’t even know what kind of title they’re giving me these days, Den, but I always just say head of research because CSA is known to be this … We develop bodies of content, research for cybersecurity, we’ve been focusing on Cloud security but we address all sorts of different emerging technologies. And the goal for us has always been to let’s demystify some of these technologies out there, let’s find out how we can really help build enterprise grade best practices and tools so that companies can take advantage of these technologies, deploy it, run it and develop with them securely. So, that’s been our goal, that’s been our mission and we try to do that each and every day.

Den Jones:
Yeah. And so, the word Cloud Security Alliance makes the audience think of it is only Cloud focused but it’s not really, right? As you mentioned, there are emerging technologies, trends, the future and you’re really trying to enable practitioners to accelerate their work or become better educated in their work. Is that a fair statement?

John Yeoh:
Yeah, yeah, absolutely. And that’s why I even like to say CSA these days is more than just Cloud Security Alliance because, 15 years ago, Cloud was that big disruptive technology and our CEO and co-founder, Jim Reavis, was like, “Hey, man, we need to make sure that people understand that this technology is going to change how we do everything. And in order to take advantage of that, we need to make sure that we build best practices and let people understand that, hey, Cloud, it’s not this far-reaching concept that we really don’t understand, it’s something that’s going to be integrated into every single tool set that we have. We’re going to use it for business operations, for business resiliencies.”

And today, I don’t know anybody who’s not using a Cloud service or Cloud anything. And so, starting from Cloud made a lot of sense but the world changes so quickly. Give us the last 12 months and generative AI has been this huge thing. Go back five, six years, we have blockchain, we have quantum computing that was introduced conceptually. Are we still implementing that in certain ways? Are we still understanding that in certain ways? The answer is, yes, we’re trying to grasp that knowledge. And so, yeah, we just became a resource hub, an education hub that gets people together, like-minded individuals that are interested in cybersecurity like you and me, that are interested in business operations, that are interested in compliance and regulation.

We get everybody into a room in these research working groups and, somehow, competitors alike, we come out with really friendly understandings of, hey, here are the pain points for customers in general. If we’re going to adopt the technology and we’re going to advance our companies in certain ways, we also need to do it safely and securely for our customers, for our citizens, for our employees. So, yeah, we tackle everything, we have to tackle everything. As a security practitioner, if you’re not paying attention to all the technologies and your CEO asks you, “Okay, hey, what are we going to do about AI?” you better understand or you better have an answer right then or else you’re going to be in trouble as a [inaudible 00:04:51].

Den Jones:
Yup. Yeah, yeah, yeah. Yeah, and it is funny because, just as you mentioned, blockchain, I’m like, “Shit, whatever happened to the blockchain business?” I remember it was several years ago and everyone was talking about blockchain the way they’re talking about AI right now but the difference, I think, is blockchain, it almost like it seemed to peak a little bit and then I don’t hear anybody really talking about blockchain. I don’t really hear startups talking about, “Hey, we’re doing the blockchain.” But four or five years ago, yeah, it was all the bloody rage for probably about 12 months and then, all of a sudden, it came and it seems to have just fizzled out. I’m sure there are still people taking advantage of it but you don’t hear it the way you hear about other stuff.

In the last five years, Zero Trust, obviously, I know you guys are familiar with that one and then, AI, everybody’s familiar with that one. So, I think there’s these other fancy buzzwords or whatever’s cool at the moment, they seem to be. There’s other things that kept the momentum and blockchain just disappeared. Do you guys see people building on the blockchain and talking about it as much or am I just in a little cave somewhere?

John Yeoh:
There is and, yeah, we always have to chase a little bit of these technologies and trends just because you don’t know what’s really going to hit. And if you miss out on that as a business, there’s a competitive disadvantage there. If you miss it, Adam, as a security practitioner, there’s massive risks that open up so you do have to explore everything. And blockchain is still around too, there’s definitely big frameworks that we’ve explored like Corda, Hyperledger, you’re still building things into these. Blockchain was supposed to be the answer to a lot of things and I think it almost took on too many things where, yes, blockchain can do this or that from a database perspective or whatever but is it necessary to replace what we currently have, is it going to be that much better, do we need immutable frameworks, immutable ledgers.

It got to the point too where privacy can be a big issue there too. What happens if something nefarious is uploaded to your blockchain and now your entire chain is …

Den Jones:
Screwed?

John Yeoh:
Yeah, infected and so you have to just build off these ladders. And so, yeah, I think that became a challenge. If you look at techniques and principles like Zero Trust, I think they’re very foundational to what we do. That’s been pretty good from my perspective as a security practitioner to translate how to secure things to the business, to people who aren’t necessarily security savvy. And AI, you mentioned, AI has been around for a long time but the generative AI tools that we’re seeing in ChatGPT, in Bard, in Anthropic’s Claude, dude, like Cloud, it’s at your fingertips where the public consumption of these tools is readily available. I don’t know a lot of people who know how to use Corda or Hyperledger outside of blockchain experts with maybe certain financial institutions or something like that. But students, moms, dads, every job, it’s impacting everything.

And now, these transformers that OpenAI, Anthropic and Google and others are building, you can build these co-pilots right into your applications, you can do it now, it’s incredible. And so, what we’re seeing is the availability of these generative AI tools built off of large language models that are also not new but they’re all hosted in major Cloud services. So, now you have the availability, the storage and the compute capability, really, the compute capability of tuning and training available with these hyperscalers and Cloud services. Yeah, I think this is different just because of availability and the capability, yeah, I think it’s going to be different.

Den Jones:
Yeah, yeah. Like you say, so ChatGPT, I’ve got friends who are not in the industry and they’re semi tech savvy and they’re all over leveraging ChatGPT. Even Adobe’s Firefly, being an ex-Adobe guy, I still pay attention to that stuff. And I played around with Firefly with my daughter, her graduation pictures from high school and we’re like, “Oh, my god, this is awesome. You can do all sorts of nonsense.” And some of it looks believable and some of it still looks a bit bullshit but the reality is you see the direction, you see the brilliance. But to your point, I think it’s the accessibility by the mainstream for people to take advantage of that technology unlike other technologies. I’ve been involved in the Zero Trust business for quite a while now, I think, 2017, my team at Adobe done some deployment and, ever since then, when I talk to people about Zero Trust, the first thing I would say is what do you mean and what do I mean.

Because I think the hardest thing about that compared to AI, when you say AI to someone, they think ChatGPT normally. If they’re uneducated, they’re going to go straight to, “Oh, yeah, I know about ChatGPT.” Whereas, Zero Trust, I do conferences all the time and I talk to people and not a lot of them know what you mean or what I mean and I think there’s a couple of reasons behind that but I’d love your take just on … I’m going to park ZT to the side for a second, a microsecond and talk about CSA make a lot of content, vendors manufacture and market a lot of content and then practitioners are trying to absorb stuff in order to solve problems that are set in front of them.

Do you think that the average practitioner is overwhelmed with all the content that everybody creates? Do you think the vendor’s marketing teams totally botched it up for everybody else?

John Yeoh:
Man.

Den Jones:
Yeah. That’s a bit there, huh?

John Yeoh:
We need marketing teams, I think they’re fantastic. And marketing teams have goals though too, their goal is to sell products. It should be, that’s the bottom line but it does create market confusion big time. And you said it before, you can go to a conference, you can go into a room of really smart security practitioners and they might all have a different flavor of what Zero Trust is and, yeah, there’s a ton of content out there. What we’ve tried to do as … So, CSA is a not-for-profit organization and we’re not a spinoff of a major vendor or anything like that too, we’re super vendor neutral and that’s, I think, the strength of who we are and how we operate. And so, we try to do that too, Den, we try to create content where, hey, let’s be vendor neutral about Zero Trust.

Zero Trust principles are pretty foundational, those are John Kindervag and go back to even the [inaudible 00:12:48] forum, they’re talking about these principles, 15 years ago now.

Den Jones:
Yeah.

John Yeoh:
I think it’s really important to understand what Zero Trust is and then to formulate the strategy for your business. Now, whenever we come up with strategies in the world today, there’s always this build versus buy, we love these commercial off the shelf products that make things easier for us and, yeah, we absolutely should do that. But starting with a strategy for your business is so important. Once you have a strategy, now you can start looking to solve these Zero Trust puzzle pieces and it’s going to be a combination of what can I do myself, how can I use vendors to solve these kind of problems, whether it’s a network problem, a data problem, something with my end devices and my users. And so, I think that’s where it becomes really important.

So, let’s start from scratch. Just really understand our approach to Zero Trust, really trust and verify kind of thing, let’s understand where these boundaries are and now we can start actually putting products and vendors in the right place to serve our strategy, what we’re trying to do to solve Zero Trust problems. So, yeah, that’s it.

Den Jones:
No, it’s awesome. And two things you touched on there. So, I used to have this sign on my door that said pardon me for interrupting you, I just had a thought but I’ve matured a lot so I’m actually holding them both in. So, one was CSA being vendor neutral and trying to remain. So, I think one of the things that speaks to that is our actual introduction was our good friend Sean Cordero who’s a CSO at Zscaler and Zscaler is a direct competitor to Banyan but yet he and I are good friends and he introduced you to me and said, “Hey, I think you guys should get Banyan and have people there and get their perspective too.” And it speaks to the testament of that vendor neutrality which I thought was awesome and, also, props to Sean for introducing us as well.

And then the other one, when we done our Zen project at Adobe, John Kindervag, he was working at Palo Alto at the time and, him and his team, they swung in, we wanted to share what we were doing, let them see it and I remember John saying to me, “Well, this isn’t really fully Zero Trust because you’re not doing packet inspection.” And I’m like, “Yeah,” and I think my reply was, “Yeah”, I went, “I’m not really labeling it. We call it Zero Trust but I’m not labeling it to the nth degree.”

And I think one thing is there’s a maturity level on some of this stuff and that’s what I said to John. I went, “John, maybe that’s a more mature level of Zero Trust than we’re aiming for or willing to invest in.” And I think the one thing that I caution anybody in professional life is you could read the ITIL book, you could read the SANS book, you could read the ZT book, you can read all these books but delivering what the book says isn’t actually the goal.

Now, you touched on this which was you need to understand your business, your business goals and your business outcomes and then the problems you’re trying to solve and then you’ll look at the framework and you’re like, “Hey, what about this framework can I use to accelerate solving these problems that I have?” Because if you don’t have that problem, just because the book says so, doesn’t mean you have to go do it. And years ago, when ITIL was the biggest thing in the planet for IT shops, I used to say to people, “We’re not reading the ITIL bible, are we? Are we preaching the ITIL bible or are we trying to make IT more efficient?”

And I think that’s the biggest lesson for me when I speak to people is you’re paid to solve business problems, help your business, secure your business, accelerate your business, you’re not paid to deploy Zero Trust. You’re going to leverage what great work people have put in to accelerate you doing it so leverage it wisely, don’t jump all in and spend all your money because you might not have a lot of money anyway. And I think, when we were doing that at Adobe and then at Cisco and as I work at Banyan now, the biggest thing for me is keep yourself grounded on we’re paid to solve problems, we’re paid to enable the business and that gets beyond all that hype and the bullshit and all the other stuff.

And I agree, marketing teams, we have to … We need marketing. We need brand marketing and product marketing and I don’t get that frustrated, really, or pissed off at people that want to market their thing as ZT or AI. Like everybody now, they’ve got some AI in their crap. Even our team, I’m just waiting on our marketing team what we’re retaining on that but any minute now and I think it’s cool. The other thing, love your thoughts on this, what do you guys think of, when someone gets breached, all the product teams suddenly jump in and use that as a method to promote their stuff? Good or bad?

John Yeoh:
Yeah. Good or bad, huh? I do like direct modeling and part of what we do is we sell, like you and I, we are selling security to the business too. And so, when you’re translating, hey, how do we need to be more secure or even we’re trying to … Hey, you mentioned earlier security budgets, yeah, they’re pretty limited, aren’t they?

Den Jones:
Yes. And getting more limited every year.

John Yeoh:
Yeah. So, when you try to get bigger budgets for security, we have to use these examples and I get vendors will do that too like, “Hey, here’s a major breach, could have been prevented by doing X, Y, Z,” and I think that’s something that you always need to have prepared for the board too. Hey, there was a major breach that happened and … I don’t want to use an example, I don’t want to [inaudible 00:19:14] right now, I guess.

Den Jones:
Yeah, yeah, yeah.

John Yeoh:
But yeah. I’m going to say this too, actually. So, I’ve helped a lot of people put packages together for the board and we’ve actually used vendor content that’s really good and so, yeah, I’m not against using vendor content or vendors going after a breach. Now, I don’t like the whole fuddy stuff, the fear, uncertainty, doubt thing when it comes to security but, when we can twist that to talk about how we can protect our customers and build customer confidence, confidence in technology, Cloud, whatever business you have, I think that’s a really good story to tell. Because customer confidence is how we thrive and I don’t know any CEO who would not want to raise customer confidence and so, yeah.

Den Jones:
Yeah. One thing. So, I remember there was a breach, Den, I remember some vendors jumped on the bandwagon and one of the CSO groups I’m a member of, they lit up with they hate seeing vendors pile on bullshit on other vendors that have been breached as if their hands are all clean and as if their magic wizard wand is going to save the world if only you used their … If only you used their stuff, that breach wouldn’t have happened, right?

John Yeoh:
That’s right.

Den Jones:
I try and say internally within our team to avoid that as much as we can. And I think we do do it now and again and I know there’s even pressure on me to comment on breaches and events and stuff like that and the hard thing is is I’m always … One of our strategies at Adobe was let’s not be controversial, let’s not piss people off. If you piss people off, then you become the target. So, I think piling on as if you’re the high and mighty doesn’t really help. The biggest and most important thing we should celebrate is, any vendor that has been breached, the more transparent they are, the more clear they are, the more they share about what they’re going to do about it or what happened, that openness and willingness to educate the community on how it happened and the things they can do to avoid it in the future, I think that benefits everybody and actually elevates that company’s trust and credibility.

John Yeoh:
100%.

Den Jones:
If they do that, I think then the whole industry can benefit.

John Yeoh:
100% too. And as long as we can get through legal and all that tape to get that done, I totally agree. And I guess that’s the perspective I was coming from earlier too where … But if we’re saying … Gosh, I have these examples just to bring context. Okta had a couple of attacks and breaches these last couple years and, if another identity company came in and was like, “Oh, yeah, because you used them, here, we don’t do that,” that’s just asking for trouble.

Den Jones:
Yeah, yup, yup. That is totally.

John Yeoh:
[inaudible 00:22:27] on. But yeah, I’m more so, yeah, educating people on here’s what happened and here’s what you can do to solve this. Oh, and it just so happens Banyan Security has great Zero Trust network protection for that. That’s not horrible because you’re educating the company and, oh, yeah, [inaudible 00:22:47] we can do that.

Den Jones:
Yeah. Look, it’s easy for us to say, “Oh, yeah, if Okta had our stuff on top, that would not have happened.” Well, that’s a bold statement. Is it possible it might have made it harder? It’s possible. And I think the reality is we don’t know the exact details, we know what’s been publicly shared so the reality is you’re dicing with fire a little bit. And then the other thing for me is I’ve been a customer of Okta for the longest part, since the early 2000s, I can’t remember exactly when but it’s a great team, great bunch of people, parts right in it and I have no doubt in my mind that there’s a budget grapple on how much money do you give the security team because there is on every single company I’ve ever been in.

And the reality is Adobe publicly had a huge breach in 2013, I can say it because it’s out there. The amount of millions of dollars Adobe invested after that event was incredible and the all hands, when the CEO was talking about security, it was a game changer. I think if a company pays attention to the shit that happens and then they respond and they’re more transparent, I think that’s only good for the industry overall.

John Yeoh:
Den, I want to change that mindset with people too. There are so many … And I have a lot of friends that are developers and so I’ll even go to a lot of developer conferences because we do a lot of cool stuff there too with DevOps and DevSecOps. But there’s this mentality to where, if I build software or product and there are zero or one or two vulnerabilities, look at that, look how perfect my build is which to me is realistic. I want to see those who, hey, yeah, we’ve had this many exploits and we’re patching, we’re fixing things constantly, to me, that’s real and you and I understand that. But I do want to change that mentality where it’s about being transparent, hey, it’s not if but when something happens. Let’s talk about it, let’s document it, let’s show people how we’re disclosing vulnerabilities and fixing things because, in today’s technology supply chain world, it impacts a lot of us.

If something happens at an infrastructure level, it trickles down to software platforms and down to customers and everything in between. I’ve talked to … You’re not just a customer for a Cloud, you are a provider. Tell me there’s no coffee companies that you’re not purchasing things through their application, you don’t have a membership where you’re building points to get your next free cup of coffee. Same with banks, banks are also … You have applications to interact with your account, to purchase things, to invest in things. So, yeah, we’re all customers, we’re all providers. The supply chain’s huge, we need to be better at that, absolutely better at disclosing.

Den Jones:
Yeah. And I think-

John Yeoh:
And sharing.

Den Jones:
Oh, yeah. Look, it’s an industry where … Now, I think, the last 12 months, so I’d love to get your thoughts on this, last 12 months, what would you think from an industry perspective has been one of the highlights?

John Yeoh:
Oh, man. The biggest thing that stands out is the gen AI thing that we were talking about. Generative AI, it’s making noise since Friday. There’s noise with what’s happened at the leadership level, one of those frontier models too and it’s happening.

Den Jones:
I saw that in the news today for the first time. I’m like, “Holy shit, what a weekend.”

John Yeoh:
It’s crazy. But there’s no question generative AI just because the one that’s making the news outside of security, I think it started with students cheating on tests and things like that. Since I get to play around with these technologies and poke holes at it, over the last 12 months, oh, yeah, we’re seeing everything from how do we build security around the AI models themselves, the large language models, how they’re hosted in the Cloud, how they’re trained, the resources that they’re used to train with these new … The GPU power it takes to even train models and build privacy and parameters to these things are ridiculous.

But then we need to build usage policies around this for companies. There’s so many companies that, like they did with Cloud 10, 15 years ago, hey, we have a no Cloud use policy, there’s these no generative AI use policies and what a competitive disadvantage you’re giving to yourself and your employees.

Den Jones:
Yeah.

John Yeoh:
And man, it goes into do we have security and safety and safety practices for how we’re now using these transformers to build generative AI of our own products, our security co-pilots or our co-piloting that we have and then the malicious use of and we’re seeing that across the board. I guarantee you, we’re going to see big changes in how just common types of phishing attacks and code injection attacks, everything’s changing and we need to be on top of it. And so, yeah, easy answer for me over the last 12 months because, going back to November of last year, when OpenAI launched ChatGPT, yeah, that all began.

Den Jones:
Yeah. And I almost think your highlight of 2023 becomes your prediction for 2024. So, in 2024, what do you think is going to be the biggest security concern?

John Yeoh:
Yeah, there’s a lot of interesting concerns. I don’t want to predict that something’s going to happen to one of the major frontier models like we’re going to see major breach, whether it’s data poisoning or misuse or some training errors that happen, that’s always going to be tough. I think, forever, we’re going to be dealing with these biases that are introduced into large language models and into these generative AI systems. Here’s just something interesting to you. If you go into DALL-E or one of the image generators too and you just put something in, give me a picture of a classic American family, what are you going to get? Are you going to get a very diverse look at what America is or do you get a very stereotypical image of an American family?

And these are the things that are going to be forever, we’re forever going to be dealing with. We deal with that with technology today and so, yeah, how that impacts the world especially when we see what’s happening in the Middle East and in Eastern Europe, I think there’s going to be definitely some sensitivities and some awareness to it.

Den Jones:
Yeah. If I look at the next year, and you mentioned about things like phishing attacks and stuff, I mention to people about, if phishing attacks historically have been this mass mailer that went out to a million people with poorly worded English and blah, blah, blah, blah, blah, you get 1% success rate on those. So, the reality is, in the future, if they can use LLMs and AI better, you’re going to get to a situation where you’re going to get a million unique emails and that success rate is going to be far greater because they’re going to pull in real information that they found about that recipient from the internet because there’s already a lot of information about us out there.

So, I look at that, and I don’t know if it’s 2024, but I certainly see, as the next 12 months continue, that stuff’s only going to get far smarter and that forces the security companies to look at how they address this cat and mouse game of the attacker and the defender. We’re going to have to have security companies build more and better security that leverages AI to combat the AI attack.

John Yeoh:
Yeah, and basic security practices are going to have to be emphasized more. I think you and I both know that a lot of these breaches happen because basic security hygiene isn’t being met. So, a recent breach was with a security company that does help other enterprises do phishing attacks and their email list is compromised. So, what that means is that a large company went through an email campaign and they were able to identify, oh, my gosh, 14% of our employees clicked on these fake phishing attacks so we need to have correction for 14% of our employees. Well, that leak was list or that list was leaked and so, now, whoever is an attacker is like, “Oh, my gosh, I don’t have to focus on this huge list, I’m dialing on that 14% because these people are suckers already.”

And so, it’s not just that too but, phishing emails, we’re seeing it, not just emails, we’re seeing it in our text messaging and there’s going to be deep fake. With AI, there’s going to be deep fake voicemails, deep fake videos probably now too, right?

Den Jones:
Yeah.

John Yeoh:
Have you heard about the deep fake kidnapping that someone had? This grandmother was like, “No, that’s my granddaughter’s voice, I know it was her, I knew it was her,” but it was just a generated voice of her granddaughter saying that, “Hey, I made a mistake. I’m so sorry, Grandma, send me money.” And meanwhile, her granddaughter’s just out shopping with her friends, wasn’t at risk at all but this person was tricked. And so, yeah, we’re going to see a lot more of those then and, yeah.

Den Jones:
Yeah, sadly, sadly. And actually, the one I heard of was the grandmother received the deep fake voice call where the granddaughter’s like, “My car’s broke down, I need money to get it repaired and get towed. Can you send me money?” and the grandmother at least was smart enough to remember the granddaughter didn’t have a car. So, at least, sometimes, you got to have your wit.

John Yeoh:
There you go.

Den Jones:
Now, one of my friends said that with her and her family, and, actually, she was a guest in my podcast, so she had said when we were talking about AI and security that, her and her family, they’ve all agreed a safe word. So, in person, they’ve all agreed a safe word and they repeat it every now and again so it’s still fresh and they all remember so that, if ever something happens, you’re just like, “What’s the safe word?” And very likely, the recipient on the other end of that, they will not know that answer. So, that’s a really simple thing that I’m like, “Holy shit, that’s great advice. I should remember that at some point.”

John Yeoh:
[inaudible 00:34:43]

Den Jones:
So, yeah.

John Yeoh:
Yeah. When I even think of that too, even having … We always talked about two factor, right?

Den Jones:
Yeah.

John Yeoh:
Yeah, safe word reminds me almost of a password which I think can still get compromised as this world evolves and changes. So, what else can we do? Safe word plus this would be really … But I like that. Just thinking about, that’s really smart, I’m going to do that myself. Just hearing that, Den, too, I’m going to make sure we have a safe word and maybe an additional way like, “Yeah, if somebody calls, guess what? Call me, hang up, call me and then reengage with that person to see if I’ve really been kidnapped or I’m broken down or”-

Den Jones:
Any of that.

John Yeoh:
Yeah.

Den Jones:
Yeah, exactly. Now, so work stuff aside, so you and I tend to bump into each other a couple of times a year, usually at conferences, usually around social events. So, when you are not working hard, because I know you work very hard, when you’re not working hard, what do you like to do to release? Any hobbies, anything cool that you can share with the audience?

John Yeoh:
Man, when do we have time to do these kinds of things? Den, we’re protecting the world right now. No. Man, I try. It’s so funny because I think one great thing about being human, and you know I’ve talked about this a little bit too, there’s people that are like audiophiles or epicureans that they love food and other aficionados of wine and cigar and I love that about humans, I think it’s incredible how creative and detailed we can be. And so, even right now, and I think I told you before the call, I’ve never worn these headphones on a podcast before, I wore it just for you. These are, I guess, audiophile-level headphones and so just …

What’s interesting to me too is I like to, not just listen to different types of music with different headphones, but even listen to the same music with different headphones so you feel the differences. Hey, what’s the sound signature for these headphones? Is this how the musician intended for it to be created? Heavy bass or maybe you want that extra high end detail. And we’re out and about too, Den, with these … When I see you at conferences, we’ll go out to dinner, we’ll go have drinks. I try to take that same approach to everything.

It’s nice to just have a nice meal, have a nice glass of wine, get a glass of whiskey and understand, hey, why is this whiskey so cool, why is this jewelry doing what they’re doing, why is this winery doing what they’re doing. Den gets the stuff that’s aged 30 years and I think that stuff’s pretty incredible. I’m more on the 12-year age budget but, you know.

Den Jones:
The funny thing is, because I’m Scottish, everyone’s like, “You drink whiskey?” and I’m like, “No, no. I stopped drinking whiskey when I was in Scotland.”

John Yeoh:
Okay.

Den Jones:
So, I always think Scotland kicked me out because I didn’t drink whiskey any longer and I couldn’t play golf. I didn’t pick up golf until I moved to the US and then, all of a sudden, and I started to get golf lessons the other week as well. Because I’ve done some executive golf tournaments and charity events and my drives suck so I’m just like, “Shit.” But I think Scotland kicked me out because of my … I’ve tried whiskey every now and again. And another good friend of ours, another Sean, Mr. Harris, he likes a glass of whiskey and he’s very intelligent when it comes to whiskeys and I am not and he’s all like, “Oh, you should try this one,” and I’m like, “Dude, I won’t.” That dollar is wasted on me. My palate’s not that good so I’m not there. But I do, like you, music is a passion.

I think the big thing is just socializing. One thing I learned in my life was, my professional life, was, if you can network with people, if you can engage and get on with other people, if you find good people in the industry, we’ve got a lot of tremendously intelligent great people, great to hang out with, then do it and take advantage of it and try and grow your network because, professionally, it’s useful. But I think personally it’s more useful as well because you start to meet people like you and then Sean Cordero, we like music and I’ve met so many people that are into music and will share musical stuff. Well, you should listen to this band or check this out and it’s great or check out this gear. And I love that, it’s great. It’s great for the soul, for sure.

John Yeoh:
I think that’s it, too. I think you’re right, it’s not just the experience of whatever these things are but it’s doing with other people and talking about it because … Yeah.

Den Jones:
Yeah.

John Yeoh:
And we all got to start somewhere too. I’ll make this translation too, like with whiskey, right away, you’re not going to probably understand the difference between a 30-year and a 24-year or a Scottish whiskey and an American whiskey, you’re probably not going to do that. Same with wine, same with food, same with music. You stick on a pair of headphones, you like what you like and that’s it. And you have to start somewhere and then you get to understand the differences, you understand what you like and then now you can start exploring that part of food more, that part of wine, whiskey or music more. Then things change, you get more mature and then there is a point where you do appreciate those 30-year whiskeys or that Corbin wine or whatever.

I’m going to make that translation. Earlier, you talked about Zero Trust, Zero Trust is a journey like that too where, you know what, you understand the basic concepts, you implement certain things, you know what you have established well, you know what you need to build better, you know what you’re good at and, eventually, it just becomes a journey like wine tasting, like whiskey tasting, like music. You’ll get good at in time but you just have to start somewhere, you have to have a good plan and then just, yeah, and then just begin and, hopefully, within a few months, maybe a few years, you get really good at it.

Den Jones:
Awesome. And actually, John, with that, I think that is a great note to end on, that’s a great thing. Start the journey, you’ve got to start somewhere, whatever your adventure in life is. As we wrap up, where can people find out more about the CSA?

John Yeoh:
Yeah, it’s really simple. Website is cloudsecurityalliance.O-R-G, dot org. We are a non-for-profit organization. We also have cloudsecurityalliance.ai where you can see all the AI activities that are going on now, too.

Den Jones:
Awesome.

John Yeoh:
Big pivot, I do think that’s just the natural evolution of Cloud right now, right?

Den Jones:
Yup.

John Yeoh:
Every gen AI, Cloud is the vehicle for that to get into a business, to get into a person’s fingertips and so, yeah. Hit the website, download stuff for free, join working groups for free, participate for free. It’s just a big playground for security technologies.

Den Jones:
Awesome. John, I really appreciate your time, it’s great catching up. It’s great catching up on video but it’s even better catching up in person so I look forward to seeing again soon.

John Yeoh:
Can we do that?

Den Jones:
Yeah. I don’t think it’s between now and the end of this year but either I’ll come up to Seattle sometime soon or we will catch up in the Bay or Vegas or whatever-

John Yeoh:
Okay. [inaudible 00:42:41] Christmas plans but that’s cool. Maybe you’ll be under my tree on Christmas morning, right? Just, “Hey.”

Den Jones:
You never know, man, you never know. Hey, thank you very much, dude. Really appreciate it. John Yeoh, Cloud Security Alliance. Thanks, John.

John Yeoh:
Thanks, Den.

Speaker 1:
Thanks for listening. To learn more about Banyan Security and find future episodes of the podcast, please visit us at banyansecurity.io. Special thanks to Urban Punks for providing the music for this episode. You can find their track, Summer Silk, and all their music at urbanpunks.com.

 
