15 Key Learnings from 80 CISOs and Security Leaders for 2022
CISO Leadership Summit, January 20, 2022

On January 20th, Menlo Ventures, Glynn Capital, and SVB hosted a CISO Leadership Summit on risk and data protection for 2022 and beyond. Security leaders from Stripe, Toyota, Wells Fargo, Albertsons, 7-Eleven, Chime, Aramark, Fidelity Investments, HPE, Twitter, Plaid, Oportun, Blue Shield, Okta, and Freddie Mac, among others, lent their brains to some of the biggest challenges facing CISOs and other security leaders today.


Breakout rooms included:

- Why the Foundational Inventory and Data Map is the Key to Securing and Protecting Data, a discussion led by Leila Golchehreh, Co-Founder & Co-CEO, Relyance AI, and Ashok Banerjee, VP VMWare Platform Services

- How CISOs Maintain Data Protection Supporting the Speed of Change in the Industry, a panel moderated by Dimitri Sirota, CEO and co-founder, BigID; Aaron Hughes, GVP & CISO, Albertsons, and Surbhi Tugnawat, CISO, SRI International

- Building More Secure Data Systems, hosted by Molly Vorwerck, Founding Team Member, Monte Carlo, and Steve Zalewski of SHZ Security Advisory Services, former CISO, Levi-Strauss

- API Security: Importance of Understanding Your API Footprint & Best Practices Around Securely Deploying APIs, a panel led by Larry Link, President & CEO, Cequence Security, and Les Correia, Executive Director, Global Head of Application Security, The Estée Lauder Companies

- Security Innovation for Modern Development Practices, hosted by Raj Datta, CEO & Co-Founder, oak9; Aakash Shah, CTO & Co-Founder, oak9, and Nishant Patel, Founder & CTO, Contentstack

- Managing Cloud Risk Without Slowing App Delivery, a discussion moderated by Loris Degioanni, Founder & CTO, Sysdig, and Candy Alexander, CISO and Security Practice Lead, NeuEon

To set the table, one speaker noted, “Development teams are now delivering at a velocity that is greater than security teams can keep up with.” Still, security pros love a challenge, and the wide-ranging discussions generated the following observations and learnings:

  1. We’re currently at a technological inflection point, one where organizations have the opportunity, as one panelist put it, to “leapfrog forward” in maturity. This presents opportunities, as well as challenges, for security teams. As one participant noted, “the very technology that’s empowering us may also be imperiling us.”
  2. Automation is key for any modern and mature security practice.
  3. Problems that were historically security problems also have elements of privacy and data governance. To that end, many professional services firms have merged their privacy, security, and data governance teams into one entity.
  4. Regulation is a sample use case that spans from security into privacy and data governance.
  5. Being able to have confidence in your data quality – whether you’re trying to remediate it, label it, or use it for AI or BI – is absolutely essential.
  6. In addition to the need for data security, there is a need for greater visibility into data consumption, whether it’s volume changes or schema changes.
  7. The data map problem needs to be solved the right way to get visibility into your data. When the data map is maintained manually, it is difficult to keep an up-to-date understanding in real time. This was particularly true of the Log4j issue.
  8. Development teams and security teams must work together to have really good security. Since historically there hasn’t always been a good relationship between those two communities, security pros should try to meet developers where they are. As one security executive noted, “If you’re not just chasing after developers with a bug, to get them to fix a vulnerability, they’re more apt to see you as equals.”
  9. Enterprises can have security champions within development teams.
  10. Attacks on API infrastructure are evolving: they are becoming more targeted and more effective through the use of tooling.
  11. With APIs, “shield right while you shift left.” To “shift left,” noted one speaker, is to really consider security in the design of applications. So to “shield right while you shift left,” first understand what your API footprint is, so you’re not leaking data, and then look at the development side and tackle problems such as authentication of APIs.
  12. Cloud environments are so dynamic that they present security challenges, particularly around visibility. There’s a need for a common framework to approach security in the cloud.
  13. High on security providers' “wish lists” is more transparency on data residency. “When things are going wrong or they’re switching over,” noted one participant, “you don’t know where the data is being moved out to.”
  14. The majority of attacks and data leaks in the cloud “are not the result of some super-sophisticated approaches, but taking advantage of misconfigurations or oversights,” one speaker noted.
  15. One security posture is to move from “infrastructure as code” to “configuration as code.” One speaker stated, “use the tools that developers already have where you get the security buy-in for free; don’t try to fight the fight alone.”

Thanks to all who attended and shared their insights! We are making this summit an annual gathering.
