GISGID – Episode 19 – Fabrizio Di Carlo

Announcer:
Hello and welcome to Get It Started, Get It Done, the Banyan Security Podcast, covering the security industry and beyond. In this episode, our host and Banyan’s Chief Security Officer, Den Jones speaks with Fabrizio Di Carlo. Fabrizio is a cybersecurity expert with cross-industry experience in firms from startups to enterprises and is a speaker around the world on cybersecurity topics. We hope you enjoy Den’s discussion with Fabrizio Di Carlo.

Den Jones:
Hey everybody, welcome to another episode of Get It Started, Get It Done, I’m your host Den Jones. This is Banyan’s best efforts I guess, at podcasting. So between myself, my mother, and probably five other people who might listen to this shit, we don’t know. My guess is stats and the marketing team will tell me otherwise. And every episode I have a great guest that comes on and shares their experience. We try and find some of the best leaders in the industry, and this time I’ve actually jumped across the pond. So far, all of the leaders I’ve discussed with are contacts and connections that are within the US. So today we’ve got Fabrizio Di Carlo and as he introduces himself, he’ll let you know that he doesn’t live in the US. So hey Fabrizio, thanks for joining the show, do you want to do a better introduction?

Fabrizio Di Carlo:
Thanks for having me. So, yes. Sure. I’m Fabrizio Di Carlo. As you said, I live across the pond. I’m currently living in Germany, but I travel in different countries of Europe for work. So I’m Italian originally but I spend one-third of my life abroad in different countries. I’m currently a group manager for a consulting company. And at the same time, I have my own company that is working in different field, in IT security or IT in general. And I’m also a security advisor or advisor for different companies and startups. So I am keeping myself busy, I would say.

Den Jones:
Awesome, awesome. Hey, well look, I know you’re busy so thank you very much for spending some time with us today. So let’s jump in. And it’s funny, we met originally, I think it was a panel discussion that we were on talking about Zero Trust. So I’m going to park the Zero Trust topic for a second, let’s kind of raise up to the 5,000 foot level. When you’re talking to companies about strategies and you’re explaining to the CEO the role of the security organization, how do you like to explain that in a way that they understand?

Fabrizio Di Carlo:
Yeah, thanks for not talking about Zero Trust, although it’s one of my favorite topic. So strategy is really a nice topic because well, I’m an architect at heart and I think that an architect should do strategies. Right now it’s a lot of job advertisement that architect is just doing design. I think that a nice visual diagram without a strategy or a vision behind is basically nothing. So strategy is really what matters to me. And I usually say this, that a company without a strategy, or even without a security strategy, is effectively dysfunctional. I can go all the budget in this world, buy all the fancy security codes out there, all these shiny lights. But if they are not integrating into a proper architecture and a proper strategy and if the strategy is not let’s say, baked into the company DNA, it’s effectively all you did is just spending a lot of money but not getting them work properly. And that’s why I say strategy is way more important than tooling and so on.

Den Jones:
Yeah, it’s funny because I think a lot of people miss that. They miss the fact that there’s a business that you’re running with a business strategy. And then from there we’re going from business strategy to the departments and their strategies is to support the business strategy, right? And yeah, you can buy all the tools you want, it doesn’t mean shit if it doesn’t support that strategy.

Fabrizio Di Carlo:
Exactly. The nice thing is that my previous, previous, previous role was effectively in that department called Security Strategy and Architecture. So I think they were right on the name of department, I think then how it was organized and how the relationship with the seesaw was a bit strange, but I think they were really hitting and nail in the right direction.

Den Jones:
Right. Yeah, yeah, yeah. I think the important thing is you want to be in a situation where you’re understanding the strategy of the organization and that everybody in the organization understands that, so they all understand the direction of that organizations going in. And then there’s so many analogies. So whether they’re the wood’s behind the arrow or you’re steering the ship in the right direction. But the reality is everybody in the organization needs to understand the direction the organization is going. They need to see that it will be successful so that they can buy into that direction. And then they need to understand what their part in that strategy is, like how do they participate, how do they get involved? And it’s funny, for me that’s leadership and team building 101. Most teams fail or most teams have disharmony if they don’t have a good understanding of the direction, and the roadmap, and the role and the strategy. Otherwise, how can they support what they don’t know, how can they get behind it if they don’t know it?

Fabrizio Di Carlo:
Yeah, exactly. I’m a nerd at heart, so I love technologies, I love being a nerd and so on. But aside that, I think my role change in the last probably five years to being less technical and more communicator. I think in this case being on a panel or being a public speaker definitely helps.

Den Jones:
Yeah.

Fabrizio Di Carlo:
Yeah, definitely. But the truth is that you need to be able to communicate your strategy, you need to be able to communicate effectively what is the angle. And coming back to your original question, when I try to communicate what is strategy, I’m effectively not referring to things like, I don’t know, Zero Trust or DevSecOps, because these are methodology, these are security models, and I’m always trying to refer to the principles. I say once I communicate the principle right, maybe using analogies, then everything goes fine. And I think that that’s the main part of my job.

Den Jones:
Yeah. And so one analogy that I’ve hated over the years is the castle and moat analogy that people have used for Zero Trust. I just hate it because it’s almost like all they’re trying to say is VPN was the moat and everyone can get around VPN these days. And I’m, “Okay. Well, just say that.” Just being really simple about it because when you get into some analogies, they can become quite confusing. And you can say that, “The VPN is my boundary,” and I totally understand it but it was one for me that I think a lot of people struggled with. Because if you are assuming that the audience is technically gifted well enough that they understand how an enterprise protects the perimeter, and the problem is most executives don’t really understand how you do that. They don’t know it’s a collection of firewalls and VPNs and other technologies. So for me, analogies I think sometimes work, but if they’re not done right they can just confuse people.

Fabrizio Di Carlo:
I spend a lot of time in the financial services and actually one of the analogy I recently mentioned is about security frameworks and regulations. We did [inaudible 00:09:19], so basically if I want to open a Michelin Star restaurant and so how to do that and things like that. And I realize that the analogies sorts of works because everyone can relate to food, and then they more or less know the security frameworks and analogy because they have to comply to that because they expect you to sign to the X so that works for me.

Den Jones:
Yeah, exactly. Now when you’re explaining your job to friends and family who are not technical, how do you explain your job and how do you explain the industry?

Fabrizio Di Carlo:
Well, so I’m working as an architect, as a security architect, enterprise architect. So it’s really I’m trying to be as much as flexible. And I borrow analogy from one book, it’s one of my favorite book, it’s called the Software Architect Elevator. And I said, “I’m like a concierge in the hotel in fifties in New York. So imagine this super fancy hotel that has a concierge in the elevator and goes down to the [inaudible 00:10:44] room to the machinery where there are the operational guys. And then up to the pent house where there are the executive, the board and say, I am communicating between these two, and try to basically align what the guys downstairs are going with, what the guys on the top would like to have.” So that’s the best analogy and the best way I’m able to explain without going into the technicalities because nobody’s interested in that.

Den Jones:
Yeah, no, that’s awesome. Yeah, it’s funny, I never thought of it like that but it’s pretty true, right? I mean we have to try and take what the executives at the very top in penthouse they’re trying to envision and imagine for the company. And we’re trying to make sure that all the layers between them all the way down to the people at the bottom are helping to execute that based on architectures and strategies that we’ll put together so that’s pretty cool. So before I jump onto when you not working in Zero Trust, so you and I have met, we both have an interest and passion about Zero Trust and Banyan Security. From a marketing perspective, I’d say we like to pigeon ourself in these quadrants. So Zero Trust or SSE is the quadrants that we play in. But when you think of Zero Trust or why do people give a shit, what is Zero Trust to you and why do you think people have been talking about it and caring about it more?

Fabrizio Di Carlo:
I will give you a funny story behind. So I started to talk about Zero Trust around 2017 here in Europe. And I met John King, the father of Zero Trust, and I become probably one of the first in Europe to talk about Zero Trust publicly, at least publicly in 2017. The companies that right now they say, “Oh, we did Zero Trust back in the time,” they will basically come to me and say, “You are crazy, ditching VPN, no, no, no, no, we are not going to do that.” But I mean what is Zero Trust to me is essentially a model, is an evolution because as the security department back in the time was considering the department of now and or is leaving this isolated castle effectively is not possible. So if in the reality that we are now where we have contract work everywhere in the world. Where there was pandemic, but there are a lot of situation working remotely. And so I think that it’s really just an evolution on the way we are working right now. And I’m lucky for even getting this, specifically period of time. And of course security had put up to that, so security and now we have Zero Trust, which is nothing else, it’s a security model then is applied to process and technologies. And why I’m saying process first, because effectively if you think about all the things like that, we are talking about Zero Trust, [inaudible 00:14:41]. If they don’t have a process that is behind that, I mean it’s nothing. And again, we are coming back to the strategy that we were discussing. I mean you can have all the fancy codes you want, but if you don’t have a cohesive strategy, your security is nothing. I mean it’s buying the super fancy firewall and then I have a rule and [inaudible 00:15:07].

Den Jones:
Yeah, hey I think some people probably have that rule.

Fabrizio Di Carlo:
Yes. I mean I’m working in a company where they had is, so yeah.

Den Jones:
Yeah. And it’s the way we describe it and actually my team at Adobe done a Zero Trust implementation, we called it Zen. My teammate Cisco done the Zero Trust implementation there and then when I joined Banyan, I joined Banyan because I’d been a previous customer while I was at Adobe. And then those expediencies, the thing that I realized is no one really cares about the name of the thing. Like you say, there’s technology and there’s workflows that you put in place in order to achieve some outcomes. And the outcomes that I talked to people about was, “Hey, we want to go password less, we want to not use VPNs, we want to have people log in less, see visually logins less. And we want to improve the user experience and improve security.” And read a big list of stuff that was all going to change as a result of it. So there I focused a lot and the team focused a lot on users accessing applications and services.When I got to Cisco, Cisco because of the products they sold, they had Zero Trust the Workforce, the Workplace and the Workload. So they had it really defined, again based on the products they were selling. But I think different people look at it in different ways.
And like you, I’d met John during my time at Adobe when he was at Palo Alto, and we were talking about things like packet inspection. And for me it’s like, but I don’t want to do packet inspection. I see packet inspection, I’m back calling the traffic, I’m busting the traffic open and I’m looking at packets. And I’m just like, some people might want to do that but I don’t want to do that and inherently don’t see the value in it for me. That’s a level of maturity that I didn’t necessarily want to get to. So one of the things I’d done in Adobe was I actually created a maturity chart of Zero Trust maturity.And I was like a low maturity level one is over here, you’re just doing this and by the time you get to five, you’re busting packets open and doing all the always bang stuff. But I think the problem in the industry, most people think when you do something you need to get to perfect, but the problem is you don’t have so much resources and money. And I like to get to what I’ll call good enough, and if it’s good enough and achieves the business goals, then I’ll go to the next thing, which is not good enough. Because as you know, there’s always a lot of share that you don’t do well enough.

Fabrizio Di Carlo:
Yeah, no, you are totally right. And it’s funny that you mentioned this topic, I think I posted something on LinkedIn, I do a lot of ranking, a lot of useful post at least I think. And one of that was [inaudible 00:18:23] about good enough because I recall, especially in certain companies where the security function was not really mature and we were trying to look for the perfect solution, but perfection doesn’t exist and what is perfect today in nine months won’t be. And nine months is effectively the time that it takes basically to do evaluation, the POC and so on. If we want to find an analogy in the perfect world, sorry, not in the perfect, in the real world. You can see that in a comparison between NASA and SpaceX. Obviously someone will disagree with me [inaudible 00:19:12]. So yeah, [inaudible 00:19:17] but effectively what happen is that NASA want to do basically lunch a rocket and it’s perfect and effectively SpaceX doesn’t care. We blow our rocket, who cares? We collect data, we create and we study the data and the next lunch will be perfect or will be better than the previous one. And I think that that should be the spirit but as my former manager used to say, security is not really a mature industry yet and we have to learn from more mature industry, but we are failing out there.

Den Jones:
Yeah, no, absolutely. And it is funny, the mentality of SpaceX is very much a Bay Area mentality, but it’s fail fast. And it’s like this concept of failing fast, for me it’s more about move fast, take calculated risks and understand that I’m not looking for perfection, I’m just looking for better than yesterday. And when people realize that, it’s like I want to move fast on a weekly basis and I want to do something which is just slightly better than it was last week. And when people start to get their head around that, and if I create as a leader the environment for people to do that, then we move much faster. And I’ll tell you, I’ve had people talk about deploying Zero Trust and how it’ll take years. And I’m like, it doesn’t take years, at Adobe we done it in about seven months at Cisco we done it in five months. I mean it can be months and I’m talking about for 40 or 110,000 people so it doesn’t have to take years.
Now, how do you define what doing Zero Trust means in that timeframe? For me was I’ll remove the term Zero Trust and say I’ll deploy Passwordless and VPN list for 50 applications to 40,000 people and I’ll do it in this timeframe. And I’ll remove the needs to change passwords over again, only compromise indicator. And then people are like, “Oh my God, that’s crazy.” So it’s rather than the term, the buzzword Bingo, that I come back to let’s talk about what problems will I solve at what price and how quick will I do it? And then for me, people will say, especially executives because executives want to see tangible stuff that they can touch and feel from a deliverables perspective so that’s good. Now, let’s jump away from work for a few minutes. Out outside of work, I heard from our prep call, you have a passion for wine. So why don’t you share just a little bit about this wine business, this passion that you’ve got. And educate us a little bit of wine from a European perspective, which in all frankness for me sometimes kicks the ass out of the Napa wines. So let’s have that conversation.

Fabrizio Di Carlo:
Well, I actually funny enough, there was the judgment of Paris which is a historic event in the wine world where basically were comparing the wine from Napa to the wine from France. And effectively, I don’t remember how many wines from Napa they reached the first place, regular than French wine [inaudible 00:22:58]-

Den Jones:
So Napa did win in that example.

Fabrizio Di Carlo:
Yeah, we win exactly. That’s why Napa Valley wine they got very higher price right after. Wine, I come from Family that had Vineyard back in Italy so it was by my grandparents had a small vineyard for their production. I moved when I was relatively young and unfortunately my grandparents passed away right after I moved. So my wine blog, or at least was started with the wine blog most effectively. My way to connect with them and to try to basically to continue them. Like I said, I cannot have a vineyard here, but at least I can do something in the wine space. Then it evolved to the way it is now so it’s after one year, we have effectively three branches, which is one is the educational part with the wine post that we are doing on Instagram Reader gang. The book that I’m writing right now on wine. And then we have the investment part where basically we invest in fine wines or we invest in vineyard for our return in bottles. And then there is the consulting part where, so if you want cook and a seller and you don’t know which bottles to take into your seller, I’m here to help you. It’s a good and healthy way basically to get away from work and try to do something a little bit different than normal.

Den Jones:
Yeah, I was just going to say that. So it seems to me that it serves a couple of purposes, one is you’re very passionate about it. But then the other one is it’s a good way for you to disconnect from the IT security game, right?

Fabrizio Di Carlo:
Yeah, exactly. Because I live and breathe security, so no discussion there. But my job changed and I think also [inaudible 00:25:28] when you start to become a [inaudible 00:25:30] so we are more involved into not the technicalities, but more in the political side of it. And sometimes you just want to go away and disconnect and try to do something a little bit more.

Den Jones:
Yeah, yeah, exactly. And then also you’ve picked a passion, is tastes good. So if I going to pick a passion and it’s between maybe bird watching or wine tasting, I think I’d probably do wine.

Fabrizio Di Carlo:
Well, you have music as a passion actually we can see from behind you.

Den Jones:
Yeah. Yeah. Well it’s funny because music and then wine, I can play music and drink wine at the same time. I’m just not really great at either. I’m not really educated on wine and then musically you know I’m not that great because I’m not famous, I’m working for Banyan. So yeah. Hey, look, as we wrap up today’s session, I’d love you to share with the audience, what is one piece of advice that you’ve been given that benefited you in your career that you think you could share with everybody that might benefit them.

Fabrizio Di Carlo:
Be cool and always try to understand more and especially when you approach your first job or the first job. And someone is telling you, “Oh yes, we always did like that. Yes, but why? What is irrational?” Or if you have an issue, “Oh yes, it’s because of reason X, Y, Z. And why we have Reason X, Y, Z? Oh, because we haven’t fixed because A, B, C,” and so on and so on. So try to reach the root course to try to find the rationale. Because it is like a [inaudible 00:27:43] effect, so you have this bigger goal and then you have the smaller and the smaller is the root cause. And most of the times, because the time, because the money, because everything, we always sort the bigger materials or the second ones, but we are not going deeper. And if we go deeper, we can solve plenty of problems. Maybe we are even not aware of it because if I’m thinking about IT and security in general, I will think about going to solve the fundamentals. So pick up the [inaudible 00:28:19] if you’re in US or the CIX fundamentals, the basic controls. And then try to fix that, try to fix the asset management for example, is a problem that most of the companies are struggling with, but it will solve a lot of the problems.

Den Jones:
Yeah, it is funny, right, because you touched on a few things there. So be curious, is something for the career advice, which I think is brilliant. And then yeah, you get into things like five why’s, like why, why, why, why, why. So as you dig down, there was a thing here of five why’s I learned years ago. And yeah, I think people growing in the industry, this is a fast moving industry, so it’s really important to try and be open to change, be curious and adapt as you grow your career. And the other thing was, there was a book that I never read but someone said I shared is, What Got You Here Won’t Get You There. And the whole principle I guess is about obviously the things that have made me successful in my career may have been successful for those roles and those industries or jobs that I’ve done. But you can just assume the same things there done again in my new job are going to help me be more successful.
And especially as you go through the ranks of technologists to leadership, to executive, then those things don’t often apply. The way you have a conversation with technologists is totally different than the way you have the conversation with the execs. Go back to your elevator analogy, right in the elevator at the bottom ground at the operations, you’re having one type of conversation, but on the top floor that conversation is entirely different, it’s all business.

Fabrizio Di Carlo:
Oh yeah, definitely.

Den Jones:
So hey Fabrizio, thank you very much for your time, I really appreciate it.

Fabrizio Di Carlo:
Thanks to you.

Den Jones:
It’s been great having you on the show, we’ll need to do this again sometime. And then if you’re in the states, let me know if I’m in the Bay Area, if I’m back over in Europe, I’ll drop you a line. Although getting our paths to across is probably really, really tricky.

Fabrizio Di Carlo:
Well, you’ll definitely be in France for the fact that airport is quite big and is almost stopover from every flight from US to Europe. So if you are ever here, so you’re more than welcome, let’s enjoy a glass of wine together, no problem at all.

Den Jones:
Awesome. Yeah, I’ve been through that airport a lot over the years, it’s a great airport.

Fabrizio Di Carlo:
[inaudible 00:31:16].

Den Jones:
Thank you Sir. Stay safe. And I’m actually leaving here and heading straight off to RSA and try to survive the vendor shit show and not-

Fabrizio Di Carlo:
Enjoy RSA.

Den Jones:
Thank you Sir. Be good. Take care. Bye.

Fabrizio Di Carlo:
Bye.

Announcer:
Thanks for listening. To learn more about Banyan security and find future episodes of the podcast, please visit us at banyansecurity.io. Special thanks to Urban Punks for providing the music for this episode. You can find their tracks Summer Silk and all their music at urbanpunks.com.

Close Transcript