Security Unfiltered

Balancing Tech and Soft Skills in Modern Cybersecurity With Rui Ribeiro

August 13, 2024 Joe South Episode 163


Imagine the bustling energy of DEF CON suddenly shifting from Caesars to the Las Vegas Convention Center. How will this change impact the magic of one of the world's most renowned cybersecurity events? Join us as we share personal experiences from past DEF CONs, consider the logistical hurdles, and discuss the potential financial implications for local resorts. Our guest, Rui Ribeiro, brings his invaluable insights into how such changes can alter the attendee experience, setting the stage for a deep dive into his impressive professional journey in cybersecurity.

As we navigate the realm of client-side security, we uncover the fascinating story behind the founding of Jscrambler. From the chaotic days of the early internet boom to a pivotal meeting with Cloudflare's CEO, we explore the transformative power of JavaScript and the intricate parallels between the telecom and banking industries. Rui and I emphasize the critical need for clear communication of security requirements to decision-makers, particularly in emerging markets, highlighting the often-overlooked technical challenges and opportunities in this niche field.

Our conversation also tackles the evolving landscape of cybersecurity with a focus on balancing technical and soft skills. We discuss strategies for embedding security into everyday processes, the importance of adaptive security measures, and how rapid advancements like those during COVID-19 have reshaped business practices. From insurance risks and evolving security models to the joy of building a safer digital world, this episode covers the passion and practicalities that drive us in the field of cybersecurity. Join us for an enlightening discussion that promises to leave you with fresh insights and actionable takeaways.


Follow the Podcast on Social Media!
Instagram: https://www.instagram.com/secunfpodcast/
Twitter: https://twitter.com/SecUnfPodcast
Patreon: https://www.patreon.com/SecurityUnfilteredPodcast
YouTube: https://www.youtube.com/@securityunfilteredpodcast
TikTok: Not today China! Not today

Speaker 1:

How's it going, Rui? It's great to get you on the podcast. I know we've been planning this thing for quite some time now and my schedule has been so chaotic, so I apologize for the delay, but I'm really excited for our conversation and it's a great opportunity because we're almost coming up on Black Hat.

Speaker 2:

I don't know when this is going to be broadcast, so these topics are as relevant as possible and we're coming so close to such a big security event.

Speaker 1:

Yeah, yeah, absolutely. You know, typically I try to make it out to DEF CON, but last year, like last year, I got so just from, just from meeting with so many different vendors. It was like all day, every single day, I'm meeting with vendors, talking about the podcast, trying to get more sponsors, and you know all that sort of thing. It's just like it's so exhausting. I told myself literally when I flew back home last year I was like like yeah, next year, next year, I'm taking a break, I'm not doing DEF CON.

Speaker 2:

I've been doing DEF CON for maybe the past 10 years, so I'm one of those guys that, not from the start of DEF CON, but every year, every year. And this year I'm not doing it either. I'm going to Black Hat because of the company, Jscrambler, and meeting with everyone. DEF CON for me was the fun part, like engaging with the peers from a security perspective. I won't have the opportunity this year because it becomes a little bit overwhelming.

Speaker 1:

Yeah, you know, and I mean maybe this is just for me, but they changed the venue right Because Caesars kicked them out right, and I mean it's kind of.

Speaker 2:

Well, so you got a lot of security guys there and breaking stuff and still not working.

Speaker 1:

Go figure that out. Yeah, well, you know, honestly, I think it's partly on Caesars' or MGM's CISO that kind of challenged all these hackers. What was it? Four or five years ago at this point, I think it might have been four years ago, they challenged all these hackers saying, oh, we have top-notch security, no one's going to get in, and this and that. And I mean, you know, you've been there, so you know, the past couple years someone has blue-screened every slot machine in a resort, you know, for the entire week of DEF CON, and it's like, oh yeah, you're so secure that we blue-screened every slot machine all at once.

Speaker 1:

It took them like 10 seconds last year, you know, and it's kind of their own doing, but that was also a part of, like, the extreme convenience of DEF CON. You know, like I can go to DEF CON, right, be a hacker degenerate and then stumble out into a casino where I can continue my escapades. I'm not hacking random people, I'm not hacking slot machines or anything like that, but I can go and have a beer with someone, right, I can go and gamble if I want to. My room is a 10-minute walk away. That is a huge, giant convenience that was eliminated when they were forced to move to the convention center. Granted, I've never been there, I've never been on the tram in Las Vegas, but as soon as I heard that I had to take the tram, it's like, okay, there's 50,000 people that are going to be in town for this conference. We all now have to take the tram or an Uber or a taxi to get to where we need to go. That sounds like a really bad idea.

Speaker 2:

And we already know that it was too many people there. And what's the effect of this escape? It might be good, but I have my, like you, I have my doubts that it's going to work as well in terms of your magic of the, because there was a lot of mingling, a lot of yeah. I think it might lose part of the magic of the event itself, but it might not like yeah let's.

Speaker 1:

Yeah, I could be wrong. I mean, next year I'll more than likely go, regardless of the venue. But you know, I wonder if these resorts are going to be looking at, you know, last year, how much money did they make during DEF CON compared to this year? Right, because for Caesars to kick them out, that's a pretty big deal. Right, if Caesars kicks you out, well, you have one other organization you can go to for hosting you, right, that has the size, and that's even kind of a stretch, because it would be stretched out throughout the Strip, like we saw the past couple years. You know, it's interesting because I think they're actually going to lose a lot of money. I think that they're going to lose a good amount of money in gambling, because there isn't going to be that, like, hacking, like I...

Speaker 1:

I call it degenerate, but it's out of convenience. It is truly, it is so convenient to literally just walk out of a talk and be like, you know what? I'm gonna go have a beer with my friends. Yeah, right, and it's right there. The Las Vegas Convention Center will probably obviously have that same sort of vibe and environment and whatnot. But then you have vendors that are putting on parties that, you know, town nightclub, right, and that's in Caesars. Well, my room is in the LINQ or wherever, right? Like now it is a huge conundrum that people have to work through. And it's frustrating, right, because if it was at the same location, right.

Speaker 1:

Like that spread across Harrah's and Flamingo and the LINQ and whatnot. If it was the same location I would probably be there, but I kind of want to see how it shakes out.

Speaker 2:

Yeah, I understand.

Speaker 1:

Yeah, definitely. So you know why don't we start with your background, right? What made you want to go down the route of IT and security? And then let's talk about your journey into founding Jscrambler.

Speaker 2:

That's a very good question. What made me go down the IT path, not the security path, but the IT path, is because I am from the generation of Spectrum and Amigas and all of that, and that was what got me into computing, like the first PCs and floppy drives and that kind of stuff. I went through all of it and, of course, I graduated in computer sciences in the area of telecommunications engineering, and then out of the university I went to work for banks, because you had two options: either you worked for telcos or for banks. That was the fastest to work and you get there. And now, looking back, I worked for a company where SQL injection was a feature. Their filtering capabilities and search capabilities were built over a SQL injection for a banking app, an internal banking app, but still that was a feature. So I always wanted to create a company. I always wanted to build something.

Speaker 2:

We went through all the 2001, the hype of companies and the internet booming, and I wanted to be part of it, and I was lucky to be friends with my co-founder. So we have known each other since 16 or maybe earlier, I don't know the precise date. I challenged him, let's do something together, and that's what created Jscrambler. So we have been working together as a company, like formally and publicly, since 2014. So that makes us almost 10 years old, which in internet time is centuries, and we have been addressing a very neglected part of security, which is client-side security. And even when I talk to you like client-side security, I think that you must be like searching for a definition. What is client-side security? Is it like protecting the endpoint? Is it what is endpoint? What is it? What are you talking about? We focus on making sure that applications that are running on a browser or using web technologies, either a browser or a mobile device, that's why we call them web applications, that they are able to execute properly in an unsafe environment, maintaining the data of their users private. So we are not only making them doing integrative applications, but also modifying the application. And also the objective here, when we created the company, is let's focus on a market that is emerging, not crowded, and where we could make a real impact in terms of security for everyone. And, of course, everyone knows about network security, everyone knows about server security, but there wasn't that much in terms of client-side security.

Speaker 2:

When we started, and it's still an evolving topic, I was just listening, like before me I was listening to the Cloudflare CISO rant and he was talking about, like Cloudflare, the bastard they took, and I'm not comparing those to Cloudflare, I'm just talking and sharing an anecdotal story. Like in 2014, I was able to meet the CEO of Cloudflare and I had like 15 minutes, like 30 minutes, talk with him, and the gist of it is he said, Rui, you're great, love what you guys are doing, but like JavaScript is technology that's really bad. I think I should focus on something else. Like JavaScript is crap and, to be honest, it was right, but JavaScript became much bigger and today, even today, all of their IPS technology is built on JavaScript. So I can say I was right, but they still built the most successful company that I wished I had built when compared to them.

Speaker 2:

But that's to say that we are focusing on a very important topic. It's a big challenge, it's a very big technical challenge, and that's what makes it fun, and everyone else is also coming and understanding that client-side security and monitoring the third parties and making sure that all the third parties that are there are not accessing information that they shouldn't be accessing, it's becoming a much more relevant topic. I understand, Joe, that you also have a background and you have worked a lot with banking or credit unions. Yeah, so I think that we might have like very similar, we must have had very similar meetings in the past, where we go there to talk about security and the guys that hold the keys to the vaults, to the resources that we need to do our work, they don't understand most of what we are talking about.

Speaker 1:

Yeah, that's... It's an interesting challenge, right, because the people that hold the keys to what you need to do the work, they're smart people, right. They're very knowledgeable in whatever their area is, right, they're very knowledgeable. But it is very rare to find someone that understands security and understands what you're requesting, right?

Speaker 1:

Architects, tenured architects that are very smart people that do not understand the concept of having a security exception in the environment. They can't wrap their head around it. They think that it's like something you know that you shouldn't do, that's immediately bad and frowned upon and whatnot. And it's a. It's an interesting dynamic, right, when you're in that room, because you have to toe the line between explaining something in a way that they will understand but not insulting them. Right, because they are very smart, they just may not know. A nuance, right.

Speaker 1:

And I think I wonder with your telecom background, because so I actually started my career on the help desk for a telecom integrated solution, right, so we were heavily reliant upon our solution integrating with PBXs from Cisco and Avaya and every kind of PBX you know that you can name. We integrated with it and of course, that meant that the support team also had to be very familiar with these PBXs. We had to be just as familiar with it as the engineers at these Fortune 500 companies, you know, that would be deploying it and engineering the solutions and whatnot. We had to literally be able to walk them through these management consoles that are extremely complicated and I, oh man, like the amount of hours that I had spent just looking through you know where different settings were is insane. It's extremely complicated, right, and I bring that up because it took me down a path of being able to think a certain way. Right, that kind of made me successful in the banking industry.

Speaker 1:

Right, because you have to approach problems from a totally different perspective. Right, I feel like in the banking industry, knowing the problem and knowing how to solve it is maybe 10% of the actual issue. The other 90% is getting to the right person, is talking to them the correct way, right, ensuring that they understand what it is you're talking about. The same thing, right, like that's probably more of the problem that we face than anything else. And I feel like I learned all of those skills in the telecom industry because it's very similar. It's very interesting as to, like, you know, how that experience with telecom can relate so directly to banking. Is that something that you found as well? Or maybe I'm off target?

Speaker 2:

No, no, no, and I found it. And when we started to create the company, and as we message the companies and we message what we do, I say it all the time: I don't want to create a company where they don't understand what they are buying or not using it. And even when reaching Jscrambler, I focus a lot on: we built this company to solve a very big security problem that you have, but I don't want you to stop, I don't want you to die. For example, and I'm going to give you examples because it's this, everyone trying to understand: you're a company. You want to add the new AI chatbot. You can just add it and have the compliance guys and the people that are doing all of it is not accessing any information that it shouldn't be accessing. When you're logging into your bank, it's not an integer statement or stuff like that, and that's to say our company enables the banking to adopt those soft boxes and move faster instead of: my company told them not to have that AI chatbot there. So we created the controls. We allowed that AI chatbot to be there. We sandboxed it. We made sure that it was not able to access any information that was classified as private, and in such a way we are creating security that enables new stuff, instead of creating a template of security that just points the finger at you and says you did a shitty job, I broke that, I tested that. That's easy.

Speaker 2:

Breaking stuff is easy, and moments ago we were talking about DEF CON. I call it the Breaking Stuff Con, because everyone there is showing off what they can break, not what they can protect, not what they build. Not everyone, but there are a lot of people there. That's the mindset that you go there with. But I think as an industry, the security industry needs to change that mindset, not into attacks, or not only to attacks, but also as how we become enablers for innovation in these contexts. And that's a very different mindset at Rockwell too. And, as you correctly pointed out, if you don't talk to the business line of it, if you're just saying you're under 10%, you're saying you have this problem, you're not saying... you're not finding the right person, you're not explaining it properly so that they understand that they have an advantage to solve that security problem, then you get nowhere fast.

Speaker 1:

Yeah, that's... You know, it's really important what you bring up, right, what you just brought up, because it's interesting. When you're training and going through different certifications, I mean, no matter what the certification is, you are learning how to break things. You're learning the gaps and the holes and everything else like that. No matter what security book you pick up and read, you're learning how to identify different gaps and holes, right, but very rarely do they approach it from here's the gap and this is how you vocalize it, right. They don't give you the soft skills, and you only get the soft skills through having really difficult roles and really difficult situations where you have to break bad news to people constantly. Right, like, that's the only way that you really get it. But I wonder if there might be, you know, a way to kind of train people up in that area without spending the years in help desk, right? Right, like, because you know, you bring up a very valid point, right, like we're...

Speaker 1:

We're always coming at it from a from that angle of no, you, you, you know you can't code in this library, you can't do this. It's always no, no, no, right, and I've always tried to take the approach of flipping it. Well, how can we make this work? You know, and if it's something like hey, someone's using something that is so insecure we just can't allow it in the environment, you know, then I will come to that conversation with such a good background on it, like you know, rock solid evidence and whatnot saying like, hey, we just can't do this. You know, we just can't have MFA not enabled on these admin accounts, like that's just not something that we can do. You know, you got to come prepared to that argument and I feel like it's almost a part of you know, I don't even know why this comes to my mind the Amazon leadership principles. Right, and the leadership principles are. They're crafted in a way you know, they really do apply to like every business, you know, across like every function of business, and it's customer obsession.

Speaker 1:

Customer obsession is one of them and I'm probably like maybe the biggest proponent of that right when, when you're on help desk and your company doesn't understand what your customer needs, you're the only one that really knows what they need. You have to be so obsessed with what they need that you vocalize it internally to say we need to do this, this is why we need to do it, and you're going about it like that and you're making that case rather than having that customer make the case, they only have to make it to you, you know, and you have to then vocalize it internally and kind of champion that entire process internally. That was something that I learned, that kind of really formed even how I address security situations now in the present day. Right, my customer to me is the business, it's the development community. Right, I'm not a developer, but I mean, man, if I could be a developer, just by osmosis, I'd be like the greatest developer in the world by now.

Speaker 1:

You know, because I spent so much time with these guys, I'm basically speaking their language at this point. But you know, when they come to me and they're saying I can't do this, I'm not able to do this, or whatever it might be, it's my job not to say, well, here's the reason why you can't do it. It's my job to say, okay, this is a problem, let's go back to the drawing board and figure out how we can enable you to do it. You know, and even in my current job, that is a fight amongst other security professionals on the team. You know, because they just want to say no to everything, and I'm over here, I'm like we cannot just say no, we have to progress.

Speaker 2:

And that's that's exactly the mindset that we try to put on everything that we build is how do we enable the companies that we work with to do either more or faster, or even do impossible things like providing technology that wasn't previously available but allows them to do stuff that wasn't possible before? And that's really the mindset here. And the problem is that there are two problems in how security is done in the past. The first strategy of and maybe more problems, but the first strategy of breaking stuff and saying and way to developers and say I broke your application instead of this is how we do it better, and here is the tooling that will allow you to do it better, but that requires a lot of not only social skills, but a lot of knowledge of what the other person is doing. The other thing is that we need to make sure that security is not just defense against attacks. Security is a strategy that you have on a day-to-day basis, on everything that you build, deploy and also in every process that you design. Like you were saying, they might have bought the multi-factor authentication product, but are they actually using it? Are the accounts that are important? That's about the process itself, and there's also about the limitations that not only people but also technology has. We're doing today a lot of stuff on your browser. That was impossible a few years ago.

Speaker 2:

In COVID time, which is I don't know that limbo of where we were all doing stuff without being able to get out of our homes, I was able to open bank accounts by showing my picture to a phone and stuff like that, which was a rapid implementation that some banks did. But all of the sudden I say that wasn't the bank, that was a third party doing this. This was being done on the browser, did it was a need. We had to do it, maybe after all. Here's some of the way to check this.

Speaker 2:

It's not far as it didn't need to be implemented. It's there now as part of the process and and um, and a lot of things in companies are being done like this, like if there's some urgency, there's the need to sell more, there's a the need to cover that specific need that a competitor has. So we put something out and we don't even ask about security. The security teams just go around it and try to get it deployed and then the security guys will complain later on. But that's not a problem, that's what we are changing here.

Speaker 2:

That's why we have always had an approach of embedding ourselves into the apps, because then we are part of the process, like the app gets delivered with our integrity verifications and with our capabilities to monitor the third parties. So it's not like security is a layer; security is part of the process, security is part of the app.

Speaker 2:

These things are easy to understand but complex to implement, and you need mature companies to understand, like, okay, we have developers, we have marketing, we have a lot of different people interested in delivering a good experience, but not all of them are going to understand what they are doing, and we have been involved with a lot of anecdotal situations where life additives have more power than security guys, even on stuff that is easy to understand. This is a no-no. Business, the business mentality of we need to move forward, we need to sell more. If we don't have the controls in place, stuff is going to happen for sure, and so I think that there is a lot of work for us, as security guys, to be able to connect with the marketing teams, talk their language, talk to them. There are many things that are very interesting in the industry, for example, Google Tag Manager. What is a Google Tag Manager? Google Tag Manager is a way for you to inject JavaScript from multiple sources in production, based on multiple criteria, which makes the client side as variable as me and you buying the same stuff on Amazon. I load a different set of JavaScript than you just because of my computer, your location, whatever, which makes the number of combinations of stuff that's running on the client side exponential, and that could have access to your own information. We need really to work out processes and systems that control how each of these elements is doing the work that needs to be done. Understanding, like, this third party, this AI chatbot, is here only to provide answers on this, this, this and these questions. It can never access your name, your social security number. We cannot trust these third parties because down the road someone misconfigured it.

Speaker 2:

I have the example of the video player on the banking page. Most of the video players out there, third-party solutions, they were designed to be behind the paywall, like a Netflix or some company like that. When they are in a banking webpage, if they are incorrectly configured, could they show, right next to the login, their own login? Because they should be configured to only provide video behind a paywall. All of these mistakes are just errors, but these errors have a very big impact on a company, as big as an attack, a cybersecurity attack. So that's why I say that security goes beyond just attacks. Security is a mindset that you need to put on everything that you do. You have to verify, you have to sandbox, you have to make sure that this individual, this company, is only doing exactly what you brought it in here to do.

Speaker 1:

Yeah, it's a really good point and you know, you kind of brought up almost like the evolution of security technology and how we address the problem right, and so the cloud makes everything more complicated and I feel like people don't understand that concept.

Speaker 1:

Yeah, you know, from time to time I look at the job market as a whole, right, just because I want to stay up to date on what kind of roles are being posted. Maybe there's a skill set that I should pick up to make myself more competitive and whatnot. And it is surprising, it's surprising right now at least, right, in 2024, how few cloud security roles there actually are, and I think it's indicative of a broader issue going on, you know, in the marketplace, right, but it also kind of makes me feel like companies don't really understand the cloud. They don't understand the skill set, they don't understand the need, and I'll, you know, I'll caveat it with this, you know, prior years, right before the cloud, when we're talking about cyber security, we're talking about things that are in between you and the outside world, or things that are between you and the application or whatnot. Right, like a WAF. I'm thinking about network firewalls, I'm thinking about even endpoint detection, right, it's an agent that lives on a machine that is supposed to be kind of on the outside, in its own user space almost, that separates you from everything else.

Speaker 1:

And you know, recently I went through and I deployed Fastly's WAF application, and this is probably my only, you know, correlation, right, that I can describe to what you were talking about. I went through and I deployed it. It's a WAF, right. I assume this thing is going to take me six months to deploy, right, because WAFs are innately very difficult, or historically very difficult, to deploy. They're so difficult to deploy that companies will literally buy those applications or those servers from Imperva or whatever, you know, web vendor you will, right, and they'll just sit there, they won't even do anything, they'll sit in passive mode forever, you know, and they're not configured or anything like that, right. So I go and I deploy this Fastly WAF and, you know, it's direct into the code, into the application. You know, you can deploy it basically anywhere. It'll do a full WAF protection and you can deploy it anywhere. It's right into the code.

Speaker 1:

And I deployed it, you know, 15 seconds, 30 seconds, and my first question was, well, what do I do next? Right, well, where do I go from here? Their response was, it's already deployed, just let it go, let it do its thing, go do something else. And I bring this up because it's kind of the evolution of where we're moving as a security industry overall, right. We're going from this, you know, outside this server, this firewall, this whatever it might be, this, I guess it would be like high code or high demand solution, to something that's like, no, you just put these three lines of code into your code there, into your application, and it does everything else, like you don't have to worry about it, you don't have to touch it. That's the sort of direction that we're going. And I mean it was very difficult for me to wrap my head around it, like I did not trust it, but it was so light and so easy to deploy that I forgot that it was even there.

Speaker 1:

That's how it was. And do you see that? That's where everything is going now? Because it kind of has to to some extent? Right, Because the cloud is so expansive, it is so insanely aggressive with how vast it can be in seconds. Right, that the only way that you can really stay on top of your security posture is if something is embedded with the application that you can just, with the click of a button, say this has to be embedded into every Lambda in AWS. Right, Every Lambda includes these three lines of code. Right, and those three lines authenticate you to a solution and the solution does all the work.

Speaker 2:

And you're going straight to the point, like it needs to be embedded into the solutions. That's one thing, because you have to understand, it's not only that it's easier and you make sure that it's everywhere, but also that if it's embedded into the solution itself, it will be able to know what that application is supposed to do. What's the normal behavior, what's the abnormal behavior? When you were talking, you were talking again about server-side security, about the cloud. We do exactly the same, but on the client side. Sometimes we have been branded as the firewall for the client side, or the WAF for the client side, or the RASP for the client side; the industry has too many acronyms. But it's exactly that point that I was trying to push, and thank you for connecting you to the server, because everyone understands it much better. We have this massive customer base or client base. We have these massive servers and massive infrastructures and it's not one size fits all, in a sense that if we are just on the layers, we are continuing to build the layers on top. It's like I'm building additional walls, walls, walls, walls, but the problem is that the walls themselves don't know what's inside, what they are supposed to put there. They are just like dumb walls. They sit there, and that's not the security that we want. We want walls. We don't even want walls. We want agents that are there, that are able to understand what is this business, what is the data that it is supposed to have here, what is supposed to go out? That kind of questions is talking the business language of that company, and we need to make sure that all of the security products that we as an industry push out, they talk the business language, or else we will continue to lose power, as we have seen. We have seen the cycles of security was on the topic. Security budgets went sky high and were unlimited, and now security budgets are going down. They're going down because the security teams say, oh, you cannot do that. You cannot do that, you have to move slower. You cannot. That's not the option today. The option today is: I am the security team, I am working with the development team, I am working with the guys that make sure that the solutions get delivered, and I'm helping them build better, not perfect, better solutions. That's also the importance of setting the expectations to the right level. We are always going to have security problems if that company is alive, if that company is selling, if that company is engaging with customers.

Speaker 2:

It's just a question of how well you're able to stop that problem, how well are you able to react to that problem, how fast and how you can contain it if you have a security problem. For example, going to the PCI. PCI is, as you know, and I've seen you mention PCI, so you know that it's a security standard for accepting credit cards, and we are very much focused on that topic, like avoiding credit cards being stolen from websites. It's totally different when an employee says someone stole 100 credit cards from me or they stole half a billion credit cards from me. It's a totally different problem.

Speaker 2:

And that's what security is. We stopped leaving 100 credit cards. We were a success because we stopped that problem at the $100,000, which is valid at maybe $20,000, $30,000, $50,000, whatever problem for our company, and say this problem could have gone to half a billion if I wasn't here, and kudos for the development team and for this team and for that business unit for being smart enough to enable this design process. This is how I feel that we may fix this marriage, a marriage that is not... it's kind of dysfunctional. Security is not part of the development. Yes, security is part of the development.

Speaker 1:

Yeah, you bring up a lot of different facets right there and I think one of the key things, you know, when I am working with developers, or really anyone, right, to make the environment as a whole more secure, right, and in security, how do we judge that? Right, we judge it based on a rule set score and what is included in the rule set and, you know, if we're compliant with it and whatnot. Right, that's probably like the best way that we have to judge it right now. And when we make a lot of progress, when these teams are, you know, really getting it done and knocking it out of the park, we're meeting our benchmark requirements and everything else like that, I always lead and finish with good job. You know, and I make it a mission in that call to not even bring up questions about stuff that they didn't get done, stuff that they didn't do or whatever it might be, because the target was hit technically, right, we hit our goal of hitting this percentage or whatever it might be. They did a lot of work. They need to know it's appreciated. It's those soft skills, right, because now it'll keep them coming back for more. It'll keep them coming at this problem with: well, I know it's appreciated. I know the work that I'm doing is heavily appreciated by the team that used to cause me a whole lot of issues and heartache, and so I'll keep doing it, right. I'll keep on working.

Speaker 1:

And it's interesting, I have to be careful who I invite to those calls, because there's some people that have that old mindset of "great job, but what about this?" And it's like, hey, this isn't a "but what about this" phone call. Right, you could do that tomorrow. Right, you could do that next week. That's on your own time. This call is to really thank them for doing their job, right. I mean, I guess I shouldn't have to thank them for doing their job, right. This probably shouldn't even be a part of their job. In all honesty, it should be a part of my job. But you know, you have to be able to recognize when someone does good work, when they meet the goals that you set for them. You have to be able to recognize that and be able to congratulate and reward to some degree.

Speaker 1:

And I wonder if some of it has to play into also the insurance side of cybersecurity that not a lot of people ever really talk about. I don't want to talk about it ever because it's so convoluted and difficult to understand. And with the insurance side, it's almost like companies buy these solutions so that they can check the box for the insurance. I mean, I've literally had phone calls where it is asked on the call: well, do we have to buy it or do we have to deploy it? If we have to deploy it, does that mean it's in full blocking mode? Or if it's in passive mode, right? And I mean they will buy something just to make their insurance premiums go down and not even deploy it if they don't have to, and whatnot. And that tells you kind of that the security industry as a whole is in a weird place where our solutions are so convoluted and they're so difficult to deploy that this is a very real conversation.

Speaker 1:

Right, when you have the insurance requirement, you're saying, well, what kind of deployment does it have to be? Rather than we need this piece of technology in our environment, it's going to increase our security posture dramatically. It will protect the user from itself, you know, or it'll even protect the developer from itself and the company from itself. And rather than basing it off of an insurance premium, you know, which is a very real thing, because these premiums are tens of millions of dollars a year. Like, you know, I heard recently from a company that their insurance premiums tripled just from last year. It tripled. I know it's going to become... Now with CrowdStrike, with the CrowdStrike issue, oh my God, that is probably... I mean these insurance providers. You can imagine that these insurance providers are probably at risk of going out of business if a large enough claim occurs just from one customer.

Speaker 1:

You know, like, if you look at something like CrowdStrike, right, it impacted pretty much every industry, right, because they're touted as the top tier endpoint security solution and, you know, to this day they probably still are, right. There's no doubt about it. But the impact that they had, and it plays into the narrative that they have told for the past decade, right, is that you can deploy this agent on anything, anywhere, anytime, and it's going to work. It's going to work. It's not going to hurt your workflow, it's not going to hurt how your device is used or anything like that. And come to find out it does impact it. They have a solution to secure satellites.

Speaker 2:

You're talking about, first, insurance companies. They never go out of business because the next year they increase the premiums. You know your answer, what's going to happen next year because of CrowdStrike? So the premiums are going to go up. And then the other question is how does a reliable company that has a proven track record make such a mistake of being: let's apply this to all the world at the same time? I'm not going to say that I didn't do that mistake one time in my life, but that's kind of stupid.

Speaker 1:

I mean, when you have billions of devices, you should probably have a test pool of at least your company, like, hey, let's deploy it to internal only.

Speaker 2:

Or this country first. Drop that country out of the map, but that's... They add those options and everyone knows that they add those options. But there are many things that I, from an industry perspective, that buy-and-buy checklist kind of problem, like I'm buying to a last top 10, but I don't know what foul this face to my company. This is a problem. This is a real problem of setting recipes that are standard and apply to this one public place, to this company, to this company, to this company, to that company. I'm not sure, I'm even afraid to doing the claiming. There might be a company that doesn't need a firewall. And the insurance companies? What they are saying is: my work is I calculate risk. I've learned that in the past, companies that use this type of products have less claims. So if you have this type of products well implemented, because most of the time those companies that they have from previous history, they are the ones that implemented them properly, not the ones that are just, oh, and I have to put it. The moment that they put it on the checklist for the insurance company, they just burned out the old premises that justified that product to be there. So people start putting those products on these companies, but they are not configuring them properly, they are not using them properly, they don't even want them. They just want to lower their premium. Then they've just destroyed the whole logic of why they asked them to have this. So maybe insurance companies should be asking more: how many incidents do you actually have, security incidents? How many users were impacted? Not how many incidents, but how many users were impacted. How many naked leakages you have? What was the extent of it? Those are the proper questions. 
If you go to, you see those signs on construction sites like "10 days without incidents," without someone breaking a layer or something like that. This is the metric that they need to have in terms of business of that company that they are insuring, not the...

Speaker 2:

Are they all wearing helmets? Yes, it's pretty obvious that in the construction space, wearing a helmet is important. But having helmets, what they are asking is do you have a helmet? Not if you're wearing the helmet. Have you bought 100 helmets for 100 employees? And the company say, of course, yes, they are there in the basement, they're brand new, they are really good, no one is wearing them. And that's the kind of analogy that makes sense. And for IT, it's pretty easy for us to hide this. You were talking about the WAFs. Like, they just stay there.

Speaker 1:

Oh yeah, they are.

Speaker 2:

They're still in the learning process for like two years or whatever. They stay there, but they are mandatory, like if you don't have a WAF, the premium goes up.

Speaker 1:

Yeah, I have seen it where quickly, quickly, left, right. I've seen it where a company would... They had the full security stack, you know, every top tier solution out there, and every time an audit would come around, they would turn everything on. It would be considered a blackout period for the company and they would consider that, because everything would break, right. They would turn everything on for this audit. The auditors would see that everything is, hey, everything's enabled, configured, everything's good to go. You know, who cares if the business is able to operate for that week or two, they'll pass the audit, they'll turn everything off and then it'll be back to business as usual. Right, that is something that is probably illegal and very, very questionable. Um, but it is. It's something that they started doing because they had a security team of two people, you know, and across the cloud, across network security, across IAM, you know, encryption, data security, like everything. Right, two people, and they refuse to spend any more money. And so, you know, you have companies that are going down that path.

Speaker 1:

But you bring up an interesting question. You know that, I think, kind of ties into where the industry is going. And you said, do we really need a firewall? Well, we're going to a place where we may not need a firewall at the perimeter anymore. The firewall might be built in everything, so to speak, like this firewall, like Jscrambler, may be built into your application, your browser, your whatever it might be, right. And so I think we're going into a place where it's less about deploying controls around everything and allowing certain actions through. It's more of deploying the right serverless agent, right, or those three lines of code that I talked about before, deploying those three lines of code to everything and letting it do its job while your developers and your business and everything else can continue running as expected. Is that where you see it going as well? I would assume so, right.

Speaker 2:

I would add that if you're buying a product and there is no business champion saying I need this, there's only the security guy, then you're already buying the wrong product. Because, like, the thing is not because the business knows more than the security guy. It's not that. It clearly shows that the two are not communicating and the other one doesn't see the value. So if it doesn't see the value, it's not going to use it properly or implement it properly. Today, I open every website and everything is encrypted. 10 years ago, you'd only have bigger websites and only the checkout page would be encrypted and stuff like that. So we have been able to do this continuous process where the business doesn't even think, do I need to have every page encrypted? We said we can put it everywhere, so let's put it everywhere. And because there is an effect in terms of, for the company, in terms of, and also in terms of privacy and overall security posture with the company and its users, I can relax. Every security solution must have a value for the business that we clearly map, which is going to be like, how are you going to sell? I need a firewall from a security perspective. But there are ways that we understand that metric and the impact for that business, because I've made the effort to understand that the company that I work for sells whatever product. I can really understand. Like, that firewall is needed because if we don't do that, that product might have this or that, or our customer list is going to be easily accessible, or if we can talk the business language of them without just talking about when we get taxed. That's the other thing. We have to sell business value on a day-to-day basis without the guy in the basement that's going to attack us, because we also know that security today is not the guy in the basement. It's big organizations, governments. 
It's also the kind of basement, it's still there, but it's a very big industry that has loads of money being thrown at it from governments and whatever. So, again, what the company does must be the thing that the security team remembers every day. We build cars. They need to remind themselves, that's what you guys are doing and that's what security you are providing. You are providing security for a company that builds cars and that's how I need to justify the value.

Speaker 2:

Or, if you're talking with banking, banking is interesting because the banking industry works a lot to buy security because of compliance. That's the main reason: I need to comply with this regulation, I need to comply with that. So they end up buying a lot of stuff and they invest heavily on security because they know that it's a trust relationship. Like, a bank knows that they are selling trust. You trust your money to me, so they accept buying everything that keeps that trust level as high as possible. That's not to say, like, a company that sells shoes. They don't have that many compliance requirements. So they need to understand that they are under security because if they don't have security, one day they won't be able to sell shoes online just because their website is down or because they have been known to leak all their users' stuff.

Speaker 2:

That really has an impact on the organization and you have to go to explain to the CISO or the CEO of that company: yes, I know that you're worried about shoes and rubber and leather and whatever, but if you don't do this, then you're not selling shoes, you're just building them and they will stay there in the factory. It's not a business. The business is about the full flow for the company, from building to selling, to delivering and customer support and whatever. That's the full business and that's what we are there to make sure is up and running everywhere. I see it always as a continuous process. That's why we say as a company, we secure every user of that company on every direction that they are doing with it, and we know that user is running on an unsafe environment on a browser that's on their computer. That's not what they did. That has all of these external plugins that will try to get a lot of information. We assume that we cannot control anything on the environment and we say let's do the best that we can do on that environment. And that's really cool, because we have enabled companies to do a lot of stuff that you would say is impossible unless you are able to install endpoint security on that customer.

Speaker 2:

And you are able to do that.

Speaker 2:

That could make it podcasting possible altogether and we wouldn't have the innovation of me opening a bank account using a phone.

Speaker 2:

We wouldn't have that kind of stuff. We wouldn't be able to even do this. We are recording this, we are live streaming from a browser to each other we are talking and recording. This wasn't possible a few years back. It's possible because it's a browser, it's JavaScript. You have invested a lot on this type of technology. It has encryption, it has communications, it has compression of video. This is all happening in real time and we are part of it in some way.

Speaker 2:

So I really get a lot of gratification from when building an event. And now, moving from the aspect of how I am a geek about security but into the aspect of time, I'm a geek about building stuff, and building an event is part of building stuff. That's where I get the motivation to wake up every day, and this is helping make the world a little bit more secure, and that's a very positive aspect that we, as security guys, need to try to incorporate in our day-to-day life. It's not about, yeah, I show those developer guys that they are done. They invested a month developing this and I broke their application in one day. That's not the right stance. That's totally the opposite of what we should get our kicks out of.

Speaker 1:

Yeah, absolutely, and you know, with that I think we've come to the top of our time, unfortunately. But you know, Rui, we had a fantastic conversation. I'm definitely going to have to have you back on and, you know, we'll talk more and whatnot, but, you know, I appreciate you coming on.

Speaker 2:

Yeah, thank you. Thank you for this. I was afraid that we wouldn't have enough topics to discuss, but yeah, I think we still have a lot more to come back.

Speaker 1:

Yeah, absolutely so. Before I let you go, how about you tell my audience where they can find you if they want to reach out and where they can find Jscrambler?

Speaker 2:

Yeah, just go to our website, jscrambler.com, and we'll be out there to help you guys, to assist you guys in any of those client-side security risks that you guys are facing on a day-to-day basis.