Collaborative Security: The Team Sport Approach episode artwork

EPISODE · Jun 7, 2024

Collaborative Security: The Team Sport Approach

from Info Risk Today Podcast · host InfoRiskToday.com

By decentralizing the ownership of cybersecurity and increasing security consciousness among everyone in the organization, businesses can improve their security posture, said Dom Lombardi, the vice president of security and trust at Kandji. He discussed the concept of collaborative security.

Episode metadata supplied by the publisher feed · Published Jun 7, 2024

By decentralizing the ownership of cybersecurity and increasing security consciousness among everyone in the organization, businesses can improve their security posture, said Dom Lombardi, the vice president of security and trust at Kandji. He discussed the concept of collaborative security.

PodParley-generated summary based on available episode metadata and transcript content.

NOW PLAYING

Collaborative Security: The Team Sport Approach

0:00 0:00
of MATCHES

TRANSCRIPT · AUTO-GENERATED

Welcome to Cybersecurity Insights, the podcast for the CyberEd.io learning community. Our goal is to bring cybersecurity practitioners the latest and most relevant education and training to upskill and dive deeper into topics that matter in today's modern cybersecurity world. Good day, everyone. This is Steve King.

I'm the managing director here at CyberEd.io. And on today's podcast, we have the pleasure of chatting with Don Lombardi, who's the Vice President of Security and Trust at Kanji, which is a company that we're fond of and have visited several times in the past, most recently with Weldon and his team and responsibilities. And in Don's case, he's the guy that's kind of the tech ops guy, responsible for IT and risk and data privacy and compliance and all the rest of the security related things that I used to worry about for a living. And before that, Don had built a risk-based security and privacy program at Clavio and a couple of other companies, created several SaaS-specific engineering focus programs that used his expertise in product lead, hypergrowth and quantitative security risk management.

Prior to that, Don earned an undergraduate at Roger Williams University and his master's degree in information management leadership, I believe, at Brandeis University. So welcome, Don. It's great to have you on the show. Thank you very much for having me, Steve.

I'm excited to have a conversation today. Great. So let's talk about security as a team sport. You know, obvious part of a multi-part problem that we have today in cybersecurity.

So I'm anxious to get your thoughts about that. So it starts, I think, with how organizations really view cybersecurity professionals and just the industry in general. There's a huge skill shortage and job demand for cybersecurity professionals. And I've never worked at an organization where you're hiring for security roles and you feel like you've got enough people, you have the right resources, right?

There's always constraints that you're dealing with in terms of your own headcount or in terms of how you're growing your programs. And I really like to think about building cybersecurity programs for the companies I work with and help advise through, like you mentioned, it's a team sport, right? Often when you look at highly effective cybersecurity programs, they're ones that help to decentralize cybersecurity ownership across the organization and increase security consciousness within the teams that they partner with. So, I mean, I can go into more detail about that, but I really think that the collective approach to increasing the organization's cybersecurity posture is incredibly important.

Yeah. So how many people do you have working on your team, Don? So my teams are, again, IT, security engineering, operations and governance, risk and compliance. Collectively, I have 10 people who are within my organization, including myself.

So we were about a 300-person company, not the smallest of teams, but also, you know, definitely not a 10X what that is at some of the larger companies, right? Yeah. How did you hire them? It took some time, right?

I think coming into the organization, you want to better understand sort of the skills across the company and to learn what your peers at the organization are really strong at and what they can help complement the people that you'll bring into your organization. So I started off hiring an application security engineer who's sort of a security architect, deepest in application security and security delivery with product and with our engineering teams, because, you know, you hear often like shifting security left, right? Starting earlier with your product people, with your engineering teams during other planning or the design and the build phases of the PDLC. And that's one of the first hires I made was in that role.

And then I've built out a team of other ICs on detection engineering, on cloud and infrastructure engineering. And then, you know, I have a couple of layers of management within my group, right? I just recently hired a security manager to help me lead the security engineering operations teams. And it's been through like, okay, let me understand and evaluate the people I've brought in, what are their skills, where do they need to continue to develop and how can I best complement the people who are here with new talent that I can bring into the organization?

Yeah. You've got a master's degree in leadership in particular, I guess, IT management leadership from Brandeis. What did you learn there that you apply on a daily basis in your current role? So the program at Brandeis focuses a lot on risk management and it looks at all different pillars of cybersecurity through a risk-focused lens, which is the background that I kind of came into security with by way of IT.

So really spent a lot of time talking through different threat modeling philosophies, how to apply and translate cybersecurity risk into business risk, into sort of the risk mitigation activities that we can do as a company. My job as a security leader is to protect and to enable revenue. And I think a lot about how you can do that with your peers if they don't really speak the same vernacular that you do when you're talking about cybersecurity or about security risks or about threats and vulnerabilities. So it's a lot of translating the technical cybersecurity risks into, okay, how could this be actualized and what's the impact, you know, in a dollar sense for the business.

So I've been exposed to more quantitative risk methodologies earlier in my career and a lot of time kind of learning and honing, you know, and applying fair in different organizations that I've been at more recently at Clavio. And I've been trying to bring a more quantitative approach to my team's risk methodologies since then. Yeah. Do you think the FAIR network is an effective tool?

Yeah, a network. I mean, I'm sorry, framework. Framework. I do.

I think, I think all frameworks are, can be effective to a degree. And then there's the interpretation and adaptation of the framework into your organization, right? Like a certain layers of fair start to get really, really say like overly complex if you're going down into like secondary loss events. But sometimes that's important to help really have the organization make a healthy and informed decision about the risk that they are either going to assume or the level of risk mitigation that they want to apply to a particular scenario.

And I like that the fair method, you know, takes a more scenario-based approach to it because you can talk about weaknesses or vulnerabilities that exist on particular assets within your business. But when you start, you know, talking about those things, it's always like, well, so what? Help me understand how likely that's going to be. Help me understand what the impact could really be.

And then you start getting into this really gray and subjective language where your feeling of something might be different than others. I think if you can put it into like the probabilistic methodology that the fair gives you, to be like, oh, I'm relatively confident in this. I'd say I'm 80% confident that we will have this loss event occur once in the next year. Like that's a more concrete way to have that conversation with someone who doesn't live and breathe in that world.

And when I talk about cybersecurity as a team sport, my job as a member of that team is to help my peers understand my language and to also understand theirs. So that comes with asking questions, learning what their goals are, so that I can best align what my team can do to what other members of my peer partners of my company are trying to accomplish because we're trying to win as a team. Yeah. You know, so fair advertises itself as a quantitative risk framework, which it is not.

And I wonder how, when you, you know, when you try to do a probabilistic determination about, as you say, you know, 80% chance of an event, a loss event over the course of the year or something, does your board look at that and say, eh, I'm, you know, I don't see any underlying science here. I mean you ran Monte Carlo or whatever it was in simulations that get there, but, you know, this is fully under our control, is it not? Well, I think it always, when you're presenting risk scenarios to stakeholders, be it your board, be it executives or the peers at the company, there's always a little bit of, eh, in terms of people's reactions to things until you've had a conversation and been able to engage in either the actual exercise of discussing why you came to certain conclusions and how you're going to be working with them to either design mitigation or like what they're comfortable at accepting, right? Like my philosophy on risk management is not to be a hundred percent confident in the methodology that we're using, right?

I'm open to having people say, eh, that doesn't make sense to me. And I'm fine with being wrong. You know, there, there's, there's times where like you adapt that methodology to make sense for the group that you're trying to, you know, work with and it, it can change over time. And I think where, that's why I said, like, frameworks are good to get you started, but then there's the adaptation of them into how your organization actually like handles and discusses risk.

And it might be different than how you did it at a previous organization, even though it might be modeled on the same framework. Yeah. I wonder what FAIR would think about the MGM Grand breach after the fact, you know, yeah. I mean, my point being that some things are endemic to all organizations regardless and, and their, you know, and the resulting threat is very hard to model, I think, because I am pretty much guaranteed that if I called up a help desk person, if I, if I, if I spent time focusing on calling help desk people around the country, I'm going to have success in, in a, in a social engineering hack as the, you know, as the case with MGM Grand was, or if I wanted to, you know, look for misconfigurations or overly permissive configurations in AWS containers, you know, and I could access that, like capital one, for accessing those tools on your device, there's no there's no technical control that's going to prevent you from doing it.

It might be in policy that says we don't allow this, but policy doesn't have the same teeth as the preventative technical control might, you know, depending on the company. But if you are controlling and restricting how people can work from where, right, you end up getting either like disgruntled employees who are uncomfortable with the tools that you've given them who wants to use tools that they're more comfortable with or that they feel allows them to be more collaborative or that the tools that you're providing are not as intuitive. And then you have people who go and self-serve things or they go and they work with their executive group to get something approved, and then you have sprawl and or shadow technology where you're not able to protect, you know, the confidentiality, integrity, and availability of that information, and you're not able to properly understand how your people are working. And I think it goes back to what I said earlier about really having strong relationships with your peer partners, understanding what their goals are and what they're trying to accomplish, because that helps you to best understand the tools they use to do that and what they're also researching to try and make those goals more attainable at a fast rate.

Yeah, so what happens if we just say no? You know, you got to come in the office. I think you're seeing some organizations who are doing that. Organizations are starting to trend more back to a hybrid workforce where they want people to be in the office, right?

But, you know, not every organization is going to have the in-office capabilities to route traffic, to restrict access to unsanctioned cloud applications, and the sprawl is there. I think that's where security awareness and education come in. That's where having strong relationships with your peer partners organizationally and you're communicating the goals that you have for the program, the risks that you see with sprawl, and you educate. And then when you have, let's say, detective controls in place that might alert you to unsanctioned activity, you address it directly, quickly, and much like, you know, any feedback you have to give to someone, it's best to do it timely, to be precise about what you need them to do.

And, you know, I don't think there's a way you say no without someone, without having good rationale and without also saying why, because people don't like to be told no, Steve. And if someone tells you, no, you can't do something, I've found that most people will like to prove you wrong. It's like, well, you sure about that? I'm pretty sure I can do it if I choose to or if I want to.

And then you're fighting this battle. And I think security as a battleground, you don't want to have the battleground be internal to your organization. Yeah, of course. You're responsible for compliance where you, where you are now.

Well, I've got two questions. One is, have you found that being in compliance with regulations that you pay attention to make you feel any more secure about your environment? In other words, are these regulations, these compliance regulations making a difference at all in your estimation? I think compliance is a starting point, right?

And if you look at compliance as a checkbox to how your organization achieves its security posture, then they don't do much. But if you look at compliance as a way that you can again, partner with your peers to enable the business to accomplish its goals, compliance can be a really strong motivator for people in order to implement controls, to understand the efficiency and efficacy of your controls and to help your organization enter new markets, right? If you want to start to expand internationally, there are privacy controls that when you're entering into, say, Australia or you're entering into APAC, that you have to be aware of. And then you have to educate the peers and executives within your organization that this is something that this market cares about.

And you want to have penetration and success in that market, then it needs to be something that you care about, too. Do you guys do security awareness training for your clients as part of what your services are? So Kanji provides mobile device management and endpoint detection and response products for our customers. As part of customer onboarding and customer support and success, we do a lot of education with our customers about ways that they can maximize the utility of our tools and to get the best results for their internal employees or their customers, their people who are using Apple devices in their workforce.

We do a lot of community events. I met with Weldon previously. We do a lot within the Mac admins community where we're trying to not only sort of evangelize everything that Kanji does and we feel does really well and better than the competition, but that there's ways that we can educate people on like thinking about the security of their device fleets, of the hygiene within sort of the policies that they're deploying to their devices. And we do that through events that we sponsor with peer partners in the community.

We do that through blog posts and other social events that we have and host. And I think we can always do more to not only educate our customers, but to provide the guided experience in application. Right. So when you're doing something in app that might be, let's say, like reducing the overall posture of your device fleet.

Right. I think that we could be doing more and not just we, right. Like we as an industry, we as a software can be trying to build in security guidance into the tools that we offer to customers. Yeah.

And you have visibility, interesting visibility too from an MDM point of view anyway, across a broad variety of practical, very practical use cases in that you're in the Apple business. You're also, you know, in the Google and Microsoft business, if you will. And so you're, you see, you see end users with security. We used to assume was inherent because my device has an Apple on it.

Right. That was a hallmark of the, you know, the Apple uh zeitgeist was that you're, you're getting built-in security. No longer the case. Big Apple still has, sorry to interrupt you.

Big Apple still has some really strong built-in security frameworks or practices that they are, they lean into and are continuing to lean into to make their devices more secure or secure as a default. Right. But I think like that, that, I don't know if misnomer is the right word, but that, that misconception that like, oh, I got an Apple logo on this device. It's secure largely because the threat, thought that the threats didn't exist and threat actors like weren't, you know, there to potentially exploit vulnerabilities on those devices.

It's just that the, like the footprint of them was a lot smaller. So I'm going to, if I'm a threat actor and I'm motivated to, let's say, like for a financial gain, right? And I'm going to spend time on a ecosystem in an environment that doesn't have the same market penetration. I'm going to return potentially less money than if I make something that will impact a, say, Windows device, right?

But as you're seeing Apple increase in the enterprise, as you're seeing Apple continue to win in education and in other areas, threat actors are going to get motivated more so to start to attack that ecosystem. And I think Apple is doing a good job of continuing to build security into their products, but security professionals need to start to think through, how are we securing these devices? And I think that's where Kanji is really trying to focus is, okay, we've, we've proven that device management is something that we do really well. And what we're trying to do is now take this idea of the harmony of your devices, the vulnerabilities that exist on them, the threats that exist on them, the malware that might get to those devices, and how are we going to protect and then correct anything that we're seeing on those devices?

And I think the ecosystem that Kanji has around being able to detect, to alert, to remediate, is only going to get stronger and better as continue to build our products. Yeah. Yeah, I'm sure that's true. That's great.

Final question. Do you think that we're, that, you know, 2024 is going to be the year of the uh finally getting to a passwordless state, maybe through the use of passkeys or the acceptability or the um, yeah, acceptability of the passkey phenomenon? I think more organizations are going to adopt passwordless type of authentication with passkeys or with biometrics just because hardware is starting to catch up, right? Now Apple has made it easier to use those both within enrollments of your devices and in the management of your devices.

Cloud IDPs are beginning to move that way as well, right? And if you're a, you know, a cloud first organization, you're using Apple devices, you have a remote workforce, right? So you can't necessarily use like boundaries in a more traditional sense of where people are working from. Passwordless is the way to go.

And more and more organizations, I think are going to do that in this year because the technology is going to be available for them to do so at a more affordable cost. And again, people want to work in ways that are intuitive to them. And I hate changing my password. So if I don't have to change my password, I'm, I'm, I'm all the happier.

And if I can find a solution for my, my people so that they don't have to do that, then I'm, you know, I'm probably making other people happy. Yeah. Yeah. Highly motivated there.

Me too. So I hope you're right. I hope you're right. So thank you, Don.

This has been a real pleasure here. We could probably talk for another four or five hours today, but um I think we, we covered some ground that I was interested in and hopefully it was useful to you as well. And um and I hope

That Hoarder: Overcome Compulsive Hoarding That Hoarder Hoarding disorder is stigmatised and people who hoard feel vast amounts of shame. This podcast began life as an audio diary, an anonymous outlet for somebody with this weird condition. That Hoarder speaks about her experiences living with compulsive hoarding, she interviews therapists, academics, researchers, children of hoarders, professional organisers and influencers, and she shares insight and tips for others with the problem. Listened to by people who hoard as well as those who love them and those who work with them, Overcome Compulsive Hoarding with That Hoarder aims to shatter the stigma, share the truth and speak openly and honestly to improve lives. The Small Business Startup School – Business Notes | Financial Literacy | Retail Psychology – For Professionals & Entrepreneurs The Small Business Startup School Inc. Starting or buying a small business? While personal circumstances may vary, business patterns remain timeless. On The Small Business Startup School, we explore strategies, insights, and practical solutions to help entrepreneurs confidently navigate their journey.Hosted by Ola Williams—a retail entrepreneur, fintech founder, and financial coach with over two decades of experience—this podcast marries financial awareness and retail psychology with optimism to deliver actionable takeaways.Join us to learn, grow, and connect as we uncover the keys to business success.Let’s continue to learn together and be encouraged to keep on connecting! DIOSA. Carolina Sanper This podcast is a sacred space created by Carolina Sanper where you connect with your inner wisdom and embody your magnetic feminine power.It is the realization that the mystical realm is where you plant the seeds of your desired reality.It is a portal to your true essence: awareness, presence, and receiving with ease. Welcome home, DIOSA. 🖤 XXX Tech by SOVRYN Dr. Brian Sovryn The crossroads between technology, sensuality, and metaphysics - and the longest running anarchist podcast in the world! Brought to you by Dr. Brian Sovryn.

Frequently Asked Questions

How long is this episode of Info Risk Today Podcast?

Episode duration information is not available.

When was this Info Risk Today Podcast episode published?

This episode was published on June 7, 2024.

What is this episode about?

By decentralizing the ownership of cybersecurity and increasing security consciousness among everyone in the organization, businesses can improve their security posture, said Dom Lombardi, the vice president of security and trust at Kandji. He...

Can I download this Info Risk Today Podcast episode?

Yes, you can download this episode by clicking the download button on the episode player, or subscribe to the podcast in your preferred podcast app for automatic downloads.
URL copied to clipboard!