In episode 76 of The Secure Developer, Guy Podjarny is joined by Lucas Moody, CISO at Rubrik. Lucas has had an impressive career in Silicon Valley including being the first CISO at Palo Alto Networks. Here we explore what it means to work on security as far as operations and product innovation too, and Lucas compares his experience doing this at Palo Alto, a security company first, versus at Rubrik which is more focused on data management, resiliency and recovery, and backup. We also discuss how the shift to cloud and SaaS has changed tech companies and is leading to exciting evolutions in the roles of CIOs, CSOs and CISOs. Plus we look at how the pandemic has affected the security strategy at Rubrik.
About this episode:
[0:01:20.8] Guy Podjarny: Hello everyone, welcome back to The Secure Developer, thanks for tuning back in. Today, we have a great guest that has really seen security both from the side of the operator but also the provider, so the vendor of the other side and definitely digs a lot into sort of security innovation and forward thinking, Lucas Moody, who is the head of security innovation and operations at Rubrik. Lucas, thanks for coming on to the show.
[0:01:42.4] Lucas Moody: Absolutely, thanks for having me, pleasure to be here.
[0:01:45.5] Guy Podjarny: Lucas, before we dig in, tell us a little bit about your journey, what is it that you do and how did you get into security in the first place?
[0:01:51.3] Lucas Moody: Yeah, no, absolutely, I appreciate it. I’m currently at Rubrik, I’ve been here at Rubrik for just under year. Just shy of a year now but prior to my time here at Rubrik, I was at Palo Alto Networks where I was the first CISO and during that four years of time, kind of built that organization from scratch into what I believe to be a world class organization that I left behind that I’m very proud of.
And then, before that, I was at companies like eBay, PayPal, I was at KPMG, did some consulting in security, I was at Oracle and Intuit. If you’re not familiar with Intuit, it’s a company responsible for turbo tax so I think most of us are familiar with them in some capacity.
But just very lucky to have had a journey like that one at some great companies here in Silicon Valley. How I got my start in security, I was a CS major and actually joined Oracle at the beginning of my career in networking. Quickly made the jump to security because around that time, that was before the year 2000, there were a lot of investments that were starting to be made because it was starting to be seen that hey, this security thing is really important, security related issues can bring real existential threat to enterprise, we need to invest in this so I kind of took the leap back then, knowing that it was this dynamic space, no two days were the same.
It’s that kind of, you know, I got ADD and so I like to shift tasks and topics and learn new stuff and I get bored easily and so it was a good match for me. Today, at Rubrik, innovation and operations, what does that mean? Operations because I’m focused on the technology side of security, focused on what we need to build to ensure the company stay safe, ensure that we’re doing the right things from an organizational development standpoint, engaging with engineering, engaging with a product management organization, supporting our brothers and sisters in IT to ensure the enterprise stays safe and so on and so forth.
That’s the operations side and that also entails dealing with incident management, monitoring, response and that type of thing. The innovation moniker because that’s kind of new –
[0:03:42.3] Guy Podjarny: That’s the unusual one like security operations, you see more security innovation and operation is more enticing.
[0:03:47.6] Lucas Moody: Yeah, absolutely. That was kind of a requirement for me. Leaving a post like CISO at Palo Alto Networks was really tough and I salute those that are still there, it’s a tough job, doing security for a security company is no small task, it’s like being a bodyguard for somebody that can very well defend themselves and somebody that’s a target. It was a great four years.
Leaving that post it was important for me to find the right next step and for me, that was really being able to get involved with the product in a more sophisticated or in a more impactful way. Rubrik, if you’re not familiar with the company, Rubrik is a company that’s involved in ensuring that companies stay resilient, back up and recovery and data resiliency. That’s what the company does as a core, but when I was talking to the CEO of the company, early founders, some of the other executives, to me, what really stuck out to me as an opportunity is this space straddles security pretty significantly even if it doesn’t come to mind immediately.
You know, Rubrik helps to keep enterprise online, operational and resilient but a lot of the data that goes in to ensuring that the company does that really well, also plays into solving for security in some pretty profound ways. I wanted to play a part in that and that’s why I joined the company. To really straddle not only security but to try my hand and support the product management organization in thinking about how to evolve the product and not only be a backup or recovery product but also in supporting security in more profound ways than it does today.
[0:05:17.3] Guy Podjarny: Got it, yeah, I mean, makes perfect sense, security is about risk reduction, you know, I think when you talk about resilience of the business, losing your data, you lose it to a breach then you’re in pretty bad shape but for starters, you need to sort of preserve it instead of having not be lost in the first place. I think an aspect of resilience. It’s interesting organizationally though.
If I paraphrase, is it safe to say that security operation is around keeping Rubrik secure and the security innovation piece is more about helping Rubrik’s product keep the client secure, is that the right way to inspect it or –
[0:05:49.1] Lucas Moody: That’s absolutely right.
[0:05:49.9] Guy Podjarny: Maybe we can dig down a little bit into the org, you know? How it’s being structured. Are these two arms, are you sort of more of an advisor, is there a security operations group or some sub organization and then a security innovation sub organization?
[0:06:03.9] Lucas Moody: The security organization proper rolls up in the same way that it does at a lot of tech companies. We roll up into the arm of the CFO and so, our primary responsibility as a security organization is securing the product and securing the enterprise. In the same way that my role was carved out at Palo Alto Networks where I had that same duality, supporting, keeping the product secure as well as keeping the enterprise in the workforce secure, that’s what our primary focus here at Rubrik is.
The secondary moniker on innovation is where I spend about 30% of my time. Where 70% of it is really focused on that kind of core CISO-like responsibility, the CISO organization here does that same thing. That other 30% of the time I’m working with product teams, I’m working with customers, I’m engaging with partners, supporting in whatever way I can go to market, predominantly to get out there, talk with customers around how the product is deployed and how that product can then be further advantaged with additional features, with additional capabilities, maybe in changing the way our thought process works around the way that we collect or process data such that we can implement further downstream capabilities into the product, to make it a little more attractive from a security perspective as well as from a data resiliency perspective.
An example of that would be – we’re a data backup and recovery firm but we also have capabilities into our product to support detection or remediation of ransomware.
Because, when you think about data resiliency, that’s one of the biggest threats that comes in your stack of top risks. We’ve got a ransomware product called Radar, we’ve also got a data management arm around a product called Sonar. We’re starting to play in the space of helping you understand what type of data you have stored where. How it’s being leveraged, who has access to it and things like that.
You know, again, thinking about how the product core can help you solve for things that are also important that we have ready access to because of our install base so that we start thinking about how better to evolve the product to support, not only IT organizations, not only engineering teams but also security organizations.
[0:08:11.6] Guy Podjarny: Yeah, that’s fascinating and to an extent Lucas, it sounds like you’ve kind of put yourself back into that same situation so you went from a security company where you are offering security solutions as well as keeping the enterprise secure to company that you’re helping turn into in part, a security company as well. Offering these types of products.
I’ve had sort of fascinating conversations, clearly I think about this in the context of Snyk as well but I had great conversations with Mike Hanley for instance from duo security, talking about having a security offering and in his case, he had a security labs team that was hacking together all sorts of forward thinking product features that were largely or in decent part, focused on the product offerings that Duo was offering.
I guess, a little bit less maybe direct but Shaun Gordon at New Relic, was talking about how they built sort of their insights product, they sort of build the security dashboard based on those and use that capability and are furthering and actually I’m not entirely sure where that sits today with New Relic’s capabilities but you know, the intent was okay, this can tee up a product or a capability there.
The path makes perfect sense to me as it’s built up. When you think to Palo Alto, how much of this was happening there? You’re the CISO, you’re securing the team, how did you collaborate or how did your team collaborate with the product side as being the internal security team as well?
[0:09:35.5] Lucas Moody: Sure, without going into detail that would compromise my previous employer in any way, here’s what I can show, the security team did play a significant role in thinking about the evolution of products, we were a first customer and so, early critics of product, also played a significant role and thinking about not only how to evolve the products that that were our core but also thinking about products that were peripheral to that core product that would add value to it, where one plus one would be three, that type of thing.
Obviously, I think going to significant detail but thinking about the companies that Palo acquired over time, think of a security organization is being an early adopter of those products, finding ways to make it meld and live within the ecosystem and sitting alongside the product management and BusDev organizations to help that better understand like how do these things tie together, do one plus one truly equal three or is one plus one 1.5?
Yeah, played a significant role there. Also, just super thankful for the opportunity back then to engage with customers and really hear customer testimonials, customer challenges, understanding what problems they were having and then being able to carry that back as a person that had practitioner-to-practitioner dialog to say hey, these are the things that are really on the ground where there’s really nothing being held back because you know, we’re all in this together and bringing that back to product to get feedback on things that maybe we weren’t thinking about.
But on the other hand, you know, Palo had a massive army of folks within the product and engineering teams that were focused solely on security. That’s where I think the big difference is, at a company like Rubrik where the company is focused on data management, on resiliency, on recovery and backup. That’s their core and so the value that I can bring to the table here is a lot different than at a company like Palo Alto Networks who you know, that’s their bread and butter, that’s what they do for a living.
But you know, another point I’ll bring up is, we had a – and they still do, world class security operations team there that I’m proud to have played a part in building. But that team would have the product management folks roll through there just about every day to engage with the team and really find out what’s happening on the ground, what are the challenges you’re having when you’re using our products and tools, what are the things you love, what are the things you hate, what doesn’t work well, what is awesome?
What are ways that you’ve used the product that we’re not talking about with our own customers? Are there hidden features that were there for a reason or two but that you’re using in a way that we didn’t anticipate. Things like that. That would come out all the time and it’s a fascinating place, amazing team of leaders and executives there. I mean, they had a rocket on their back and they still do, it’s a great company and was lucky to have had the chance to be there for four years.
[0:12:07.1] Guy Podjarny: It sounds like a super opportunity and you know, one that you tapped into around being both a current customer and a prospective future customer, kind of helping embed additional products that would come in by actually being a customer of those products or rarely seen starting from prospecting them and sort of seeing are they good, are they bad and even using them.
I guess, maybe let’s tap into that market perspective a bit, right? And talk about changes. You were securing an organization and participating in kind of the guidance on what else does this significant security player, Palo Alto build, you’re building security capabilities into your existing company and Rubrik. What do you think like if you harken back over the last five-ish years in the world of security, of security operations, what would you say are some of the big changes or revolutions that have happened in the space?
[0:12:59.4] Lucas Moody: Particularly in security?
[0:13:01.0] Guy Podjarny: In security and in around I think cyber security clearly and in sort of this world of technology, right? I think I relayed, I perceive both companies to be more in the cloud space, more in the advanced infrastructure type surrounding. I guess, what would you say are changes from your perspective maybe five years ago. Maybe it’s even personal learnings, right? If you think about it.
[0:13:23.1] Lucas Moody: Yeah, no, absolutely.
[0:13:24.4] Guy Podjarny: What was top of mind and you and your peers needed to do five years ago, how is it different than what you think you and others in your type of role would need to do today?
[0:13:34.3] Lucas Moody: Absolutely, and I’ve got this great proving grounds for it in the way that my own career has evolved over the past 10 years but think about a company like Rubrik. I think Rubrik represents what the future looks like in terms of companies. What I mean by that is, Rubrik we’re largely a ‘born in the cloud’ shop, we don’t really have traditional data centers in the way that companies have been around for years do.
We also don’t have to think about digital transformation in the same ways because just about everything that we do is backdropped by SaaS and things like that. We’re an interesting looking company, I’m sure Snyk looks a lot like that today as well, you know, born in the cloud company yourself. Whereas companies that I’ve had in my past, or companies that really had to be IT shops, right? They had to go and build data centers, they had to scale their businesses by scaling the number [inaudible 0:14:24] that they have and they had to scale and nearly with the uptick in consumer activity and all the rest of that stuff, such a tough problem to solve.
That’s starting to change, if you think about the roles that companies need to invest in to enable that. 10 years ago, CISO was a niche role, most folks wouldn’t have understood what the acronym stood for and most of the folks that were involved in security were largely kind of born from compliance and that neighborhood of things if you will.
The CIO was king, the CIO was building all this infrastructure, was at the head of digital transformation and all the rest. That’s starting to change, right? When I think about CIO’s role more recently, it’s largely becoming a managing SaaS and so we’re not building these big massive ERP infrastructures anymore, we’re often times leveraging what’s deployed in cloud and you’re able to consume it as a service. You know, CRM is the same way, CRM used to be a beast of a product to deploy.
Think about it today. Everybody in the world is at salesforce.com shop. Just about. We’re in this point we where CIO role started to change and how that ends up in five years, who knows but you know, I’m starting to see a lot of startups think about things like investing first in security, investing first in a Chief Security Officer, Chief Information Security Officer and then plugging in enablement and availability behind that organization. That’s new. Seeing that evolve, seeing security take a front seat now, I think it’s just a sign of the times. I mean, you and I both know, because we’re security folks but the prevalence of news associated with companies not thinking about security in the right way has really forced the hands of executives to think more profoundly around security.
I love that. I think that’s great, I think it’s a step in the right direction and I think it’s an investment that’s probably should have been had some years back but I like directionally where things are going. You see board of directors now, getting smart on security, engaging with CISOs and other companies to go like, what are the things that I need to push top down as a board member to fulfill my judiciary responsibilities? Things like that.
I love that I think directionally, it’s where we need to go, it’s time for us to think how CIO needs to evolve of the way that the world is changing too. Because I think there’s a place for managing technology availability and enablement for companies. I mean, it’s important that we all stay sharp, that we are agile, we move quickly, that we’re enabled with the right products but we got to think about how best to organizationally enable that so it’s just an interesting space and I find fascinating and I’m really excited to see it evolve.
[0:16:54.9] Guy Podjarny: I think it is a great point of view or thing to highlight. You know we talk about the lower cost of ownership of SaaS, you know like that cost of ownership comes from somewhere, right? There used to be, when most of your applications were not SaaS or are not SaaS, then there is a significant amount of cost of ownership that you need an organization, you need a technology, you need a team and staff to be able to deal with that.
If you are offloading that, you are creating a certain new problem, which is a proliferation of SaaS providers and it is almost like cloud security, right? It is a wrangling problem that requires its own solution and requires its own competency and so I guess the competency around managing how data flows in the organization and how the organization can have the right sort of processes and technologies and tooling to run it, that need remains the same but the whole operational arm of keeping these tools running and floating, that’s a different set now.
You’re indeed administering all of these different SaaS solutions and ensuring they are all connected to oppose to actually keeping systems and servers and data centers up.
[0:17:55.3] Lucas Moody: Absolutely. If I could just add one point there, what you brought up is a really important point and when I think about 10 years ago, everybody and their grandmother had to be a subject matter expertise in keeping the lights on and that had to be their competitive advantage, right? Now with the offloading to providers, we are enabling them to become that subject matter expert. We’re making it their problem to make that their competitive advantage so that we can invest elsewhere and that is why I say the CIO is evolving. The CIO is evolving in ways that I don’t know if we have all the answers for yet. It is not going away but we certainly need to think better about how organizationally that team can now shift their attention to other ways in improving the business and business outcomes, and in many ways and the same way that CISO’s are starting to become more business leaders because we have to be. If we are not then we are not doing it right, CIO’s too and that’s why I find it exciting and interesting to watch this all play out in front of us.
[0:18:52.1] Guy Podjarny: Yeah, for sure. It might even increase the strategic nature of the CIO role because for many companies, keeping the lights on was a necessity but wasn’t necessarily a differentiator or something they could tie into business value. Now, you know the great CIO’s know how to help the business operate fluidly and smoothly and move data from the right spot to the right spot and allow agility while observing a certain amount of guardrails and set ups.
And a lot of these terms actually sound very security-esque. I am interested though, another related change and I would love to get your take on it is I talk about this shift from IT security to application security, how in the pre-cloud era, applications were mostly and I am choosing black and white terminology here, applications were mostly this sort of code and some libraries built on top of a central IT stack, which we just discussed.
And then in the cloud surrounding beyond the SaaS solutions for the technology, you yourself build, that cloud stack as much smaller but conceptually the layers exist. You know there is still a network that you can allow attackers in through, there is still an operating system that can be unpatched, there is still a database that has data that needs to be secured, but the decisions around all of that are now made by developers. The decision or the processes around securing those.
So they also move a little bit out of the CIO’s purview necessarily because in most organizations the CIO doesn’t run those processes, the sort of developments processes and systems are kept separate from the rest of the organizations for a variety of reasons including the technical capacity of those teams, and so I guess in some conversations here like the CISO of Slack for instance, talk about Jeff who is now at LinkedIn, when he was on the show he talks about how they are reporting to engineering or into the CTO.
And he felt that that was actually very significant for relationship inside the company because the primary focus of the security organization – they were still doing the things that are outside of the organization but the primary allegiance if you will was to the product, to the security of the customer’s data and such inside the organization. I guess how often do you see that? Is that being discussed? What do you think about CISOs not just outside the CIO or sometimes they may be at the board but rather being a part of the technology organization?
[0:21:11.8] Lucas Moody: You know I see that a lot and I have been involved in a lot of conversations kind of ideating around this and I think the jury is still out and let me explain why I am saying that, because there is two things at play here. There is one, as you mentioned, there is this, “Where is your allegiance? Where do you spend the majority of your time?” That’s an important question but there is also, “Where are the incentives in the right place to drive change even if it is painful?”
And often times what we do in security leads to outcomes that are harder than the path of least resistance and I bring that up because there is often a conflict that starts to arise when you’ve got a team planted in an organization that also has objectives and outcomes that are in many cases anti-security and what I mean by that is it’s the same problem that you run into when you see these security organizations planted under CIO, right?
Because you’ve got the CIO that has a set of business objectives that are often times tied to five nines of availability or enabling the business or launching a new set of capabilities that enable the workforce, maybe by developing a tool or by adapting SaaS or something like that. So that’s the primary focus. That is where bonuses are tied and all the rest and in many cases with engineering teams, you run into a similar thing. It is around speed of delivery, it’s around new product introduction.
It is around being able to deliver a feature within a certain quarter, which often times takes front seat and when your cycles are hammered, when you’ve got resource constraints, that’s when security can sometimes be pushed to the corner to go, “Well, we just need to release this feature,” and you get the situation in which the two are competing and that’s what I like to try to get away from to the degree we can. Now that is not to say that it happens like that all the time.
I’ve met a lot of engineering leaders that put security ahead of all else, which is great but that relies on being able to raise above the frame, have a god’s eye point of view of things and so I say that because I encourage organizations to think about the incentives, where they live and what that’s going to do for your ability to execute on the right things at the right time, which is why I like the alignment with CFO because ultimately, the CFO owns a great deal of risks for the company.
The go to market risk, financial risk but also security related risk – when you do that and they also own the purse strings and so often times, you get a different kind of alignment and you’ve got the ability to operate at the e-staff level to drive change when it is absolutely necessary even if it means making tough decisions. So that is a long way around the barn but hopefully that make sense. It can work in any one of those three. You can have CIO’s that are focused on security.
You can have engineering leaders or CTO’s that are focused on security. At Palo Alto Networks, we had a CTO, Nir Zuk, who is also the founder, who was also my boss who was dedicated to security. He is a security guy. You know he wouldn’t take no for an answer. So you know it can work as is with most things, it is all the dynamic of the company and a lot of it is focused around people and what people’s priorities are so.
[0:24:07.7] Guy Podjarny: I think it is a fascinating conversation that indeed doesn’t have a silver bullet but it is probably a conversation that hasn’t been challenged up until the last few years. You know it’s been a bit more obvious, like it could have been maybe under CFO or CIO but I think that is where it stands. At Snyk, we actually ended up anchoring because that applies to our conviction to ensure that product security, application security, that sits within engineering.
It is a part of the engineering organization. We started by having information security so the rest of the security responsibilities be outside and we currently help those groups stay the same. We actually moved that organization in its entirety to be with engineering under the aspect of engineering and I think the perspective and granted it is also different needs for different size companies and as you point out, we have security DNA throughout the company.
So it is not necessarily a fair comparison but we’re basically considering whether over time, product security seems clear that it would stay within engineering but the remainder or the rest of the security organization including the CISO as you say, jury is still out. We need to see, what is the right home as the organization evolves.
[0:25:15.9] Lucas Moody: There is a lot of other things that play into it. To your point, there is this concept of security DNA. It is how fast and ready do you think about security as part of your day to day operations. You guys obviously are a security company and the same with the Palo Alto Networks was and that kind of in many ways makes security in adjacency to all things that we do to stay alive. That’s one.
Two, to be able to hold these teams accountable. So if we are planting product security within engineering, we just need to be able to hold that team accountable to executing. That could be a great way to at least drive tactical change within that org, right? You’re responsible for security now and we know all of these things that are broken and wrong, that is a great way to do it. Now if you have to go and find all of those things that you are doing wrong, all of a sudden it’s, “Well, if I don’t find it, I can focus on that.”
And so you just need to think about where you stand, where you are in your evolution. At some point I hope and I believe, this is a crystal ball thing because it is not the way the world operates today but at some point in the future I see, especially as CISO’s evolve and mature because it is still a relatively immature space if you will – we are still really looking for really strong business leaders to come and take a step up and take on a role like this one and really think about both straddling the business as well as the tech.
But I hope at some point in the future, CISO is much more elevated in the organization and for companies where it really matters, CEO level reporting structures not in my opinion outside of the question and so, there are a lot of ways to see this play out but you are absolutely right. I mean there is no silver bullet, there is no right or wrong answer. You’ve got to be able to kind of peel back the layers and think about how your organization needs to organize around this stuff.
[0:26:53.9] Guy Podjarny: Yeah, absolutely. So I think this has been a fascinating conversation. So we got quite absorbed into it, maybe we’d squeeze in one more bit to talk about practices. So you know the world has turned upside down recently and applying security might not have been the same in the last six to seven months as it might have been before in the midst of the pandemic and various other challenges thrown at us.
How have you approached or what have you learned or changed when you are securing your current enterprise with the past six and seven months? What changed and maybe what didn’t work that you think is worth sharing?
[0:27:26.6] Lucas Moody: Yeah, you know that is a really good question and it is a timely topic and frankly, lots of folks are talking about this. I like asking that same question myself just out of curiosity to hear how others are doing and how their world is being turned upside down not at home but at work, you know? And so without sharing all of the things that we are investing in internally, what I will say to high level is the strategy has had to change significantly.
It is interesting because as we turned the corner into 2020, we had a game plan and a road map that was about 18 to 24 months long. We had started that journey at the end of last year and we were trudging along and we had this plan to execute on a number of what I consider to be critical security related projects over that period of time.
I want to say March rolled around it’s like end of March where all of a sudden it is we’re not going into the office. The workforce is entirely remote, everything had to be thrown out the window and we had to rethink where we were investing our dollars or resources, spending what was in our wallet if you will for security, and we realized quickly there is a lot of things that we didn’t think about. We didn’t really think about a 100% remote workforce. We didn’t think about how to push a security capability on the enablement side out to the end point.
We were thinking more in terms of old school secure with the right infrastructure and so we had to rethink some things. How do we secure the remote user in the same way that we think about a user that is in the office or on a VPN and things like that and so we had to rethink that, kind of took dollars for more the infrastructure related projects and started pushing them more into how we were thinking about things like identity and access.
Mutli-factor auth, adaptive auth and things like that were always on the roadmap but we just thought that was a next year thing and so –
[0:29:10.8] Guy Podjarny: Probably bump them up the list.
[0:29:11.4] Lucas Moody: Absolutely, bump them up the list and frankly speaking it has been a really good time for us. Security is very much an in person thing like we need time with people. Security can’t operate in a vacuum. Security relies upon our relationships with engineering, our product teams, our IT and I question whether or not we’d be able to stay as productive when I am sitting in my master bedroom to work on on securing the company and the brand.
And I have been surprised – it’s been a journey but I think we’ve gotten some great outcomes despite all of the crazy things that are happening outside of the walls that surround us in our new temporary prisons if you will.
[0:29:47.8] Guy Podjarny: Yeah that sounds definitely like a journey that I’ve heard before, which is had to adapt, had to prioritize this remote work or set up to it and have adapted, have changed and we learned how to form those connections, book the office hours, book the one on one’s, maintain those relationships differently, not the same but in a way that it also works.
[0:30:09.0] Lucas Moody: Absolutely.
[0:30:09.8] Guy Podjarny: Before I let you go here, one question I like to ask every guest coming onto the show, so if you can give one bit of advice to a team looking to level up their security foo, something they should start doing, they should stop doing, what would that advice be?
[0:30:23.2] Lucas Moody: One piece of advice to uplift your security foo, god, I’ve had so many learnings. It’s tough to focus on one but maybe I’ll talk about a few and you can decide –
[0:30:35.8] Guy Podjarny: You can pick a pet peeve as well, it can be the thing that’s top of mind at the moment.
[0:30:39.3] Lucas Moody: I think we had the chance to talk through one of them, which is thinking about the appropriate incentives within large organizations and doing the right thing for security. You know we talked at length about that, but in many ways, the way that we’re investing in security has been against a roadmap that has been well-established and I see this a lot. I see security leaders take on a post within a new company and we’re dusting off that old playbook in the way the world used to work.
And I try to get feedback to that end as much as I can to those that are taking on new roles at new companies and have a chance to green field security and they are not doing it. They are going back to the things that are tried and true that have made them successful in the past and that doesn’t work anymore. The old innovators, I won’t mention any names because that is not the point of me bringing this up but the old innovators they just don’t work for the way that just the technology world around us has evolved but they still exist.
And investments are still being made in those older, ‘tried and true,’ I am air quoting here since you can’t see but the “tried and true text,” and so that needs to change more rapidly, right? And so scrap your playbook when you take on a new security post. Rethink things from the ground up, you’ve got this great opportunity and you have runway now that you’ve got this new role to rethink things from the ground up and I think once you start doing that, you start to realize that, “Hey, things are going to look different this time around.”
So that’s one and that’s high level but more tactically and this is nothing new. This is nothing that’s going to be new to your listeners, but we really made a concerted effort when I was at Palo Alto Networks to really rethink red team, what red team could be at Palo Alto Networks in supporting product security and application security, and we try to scrap the old playbook. We borrowed from companies that know what success look like here but really thinking about carving out an independent red team. That had full reign and a carte blanche hall pass to really hammer the product as a bad guy and to leverage the right tools to do so and to bring the attention of those things that are identified all the way up to the top can be a very powerful tool.
I loved the work that we did in that capacity at Palo Alto Networks. I love the work that we are doing in that capacity here at Rubrik. It really helps to toss out the egos and go, “Look, we are all invested in this in a real way.”
And then part two to that is you’ve got that team that’s independent but also meld that with your operations team such that the two can learn from the behaviors that are happening on the opposite side. I hear a lot of companies talk about that as a principal but I see it executed in that way very seldom, and I am not saying we did it perfectly. There is always room for improvement but investing in that, double down in those efforts can bring a lot of value for not necessarily a ton of effort and dollars.
Invest in people, invest in talent and get the business bought into the idea and you can reap the rewards from that.
[0:33:26.7] Guy Podjarny: Yeah, really sound advice. Lucas, this has been a fascinating conversation. You know I think we’re probably could have gone on for another couple of hours here but I think we are out of time here. Thanks a lot for coming on and sharing this perspective and a fun conversation here.
[0:33:40.3] Lucas Moody: Always enjoy time with you Guy. I appreciate you making the time for me. Good luck with everything, stay healthy and safe and I hope to chat with you soon.
[0:33:46.8] Guy Podjarny: And to everybody tuning in, I hope you enjoyed the episode and I hope you join us for the next one.
CISO at Rubrik
About Lucas Moody
Currently, at Rubrik, Lucas is supporting the company through scaling the unicorn startup to IPO readiness. In the four years leading up to his time at Rubrik, Lucas was the first CISO at Palo Alto Networks as they grew into the largest enterprise security company in the world. Before that Lucas was at a smattering of Silicon Valley companies including eBay/PayPal, Intuit, Oracle and KPMG.
Stay up to date on all the episodes
Secure by Default
with Andy Steingrueblplay_circle
Approaches to Security from Across the Industry
with Sacha Faustplay_circle
Training Security Champions
with Brendan Dibbellplay_circle
Four Years On: Reflections from Our First-Ever Guest
with Kyle Randolphplay_circle
Exposing the SourMint Scandal
with Danny Granderplay_circle
About The Secure Developer
In early 2016 the team at Snyk founded the Secure Developer Podcast to arm developers and AppSec teams with better ways to upgrade their security posture. Four years on, and the podcast continues to share a wealth of information. Our aim is to grow this resource into a thriving ecosystem of knowledge.
Hosted by Guy Podjarny
Guy is Snyk’s Founder and President, focusing on using open source and staying secure. Guy was previously CTO at Akamai following their acquisition of his startup, Blaze.io, and worked on the first web app firewall & security code analyzer. Guy is a frequent conference speaker & the author of O’Reilly “Securing Open Source Libraries”, “Responsive & Fast” and “High Performance Images”.