Startups are all about proving the value of their product and growth. At the beginning, all of their money is funneled into product and market development. When do they need a CISO, if at all?

Check out this post for the basis for our conversation on this week’s episode which features me, David Spark (@dspark), producer of CISO Series, and guest co-host Jimmy Sanders (@jfireluv), head of cybersecurity for Netflix DVD and our guest is Bryan Zimmer (@bryanzimmer), head of security for Humu.

Thanks to this week’s podcast sponsor, Lepide

Ninety eight percent of all threats start with Active Directory and nearly always involve the compromise of data stored on enterprise data stores. Lepide’s unique combination of detailed auditing, anomaly detection, real time alerting, and real time data discovery and classification allows you to identify, prioritize and investigate threats – fast.

Got feedback? Join the conversation on LinkedIn.

Full transcript

Steve Prentice

Hi, I’m Steve Prentice. If you enjoy our daily Cyber Security Headlines podcast, then do yourself a favor and check out our Week In Review which airs every Thursday at 4pm Pacific, 7pm Eastern where we look at some of the stories from our morning podcasts and invite a cyber security expert to come in and weigh in with their expertise on those stories. It’s always a fascinating 20 minute conversation and you can be part of it as well simply go to cisoseries.com click on the register for video chats button and sign up. We’ll see you there!

David Spark

Start-ups are all about proving the value of their product and growth. At the beginning, all of their money is funneled into product and market development. When do they need a CISO, if at all?

Voiceover

You are listening to Defense in Depth!

David Spark

Welcome to Defense in Depth! My name is David Spark, I am the producer of the CISO series and I have a guest co-host today, Jimmy Sanders, who is the head of Information Security over in Netflix DVD. Jimmy, thank you so much for joining us.

Jimmy Sanders

It’s great to be here with you David.

David Spark

Alright and that is the sound of Jimmy’s voice by the way, it sounds different than the other co-hosts that I’ve had on the show so don’t let yourself be confused. Our sponsor for today’s episode is Lepide. If you are trying to understand the data that you have you’re going to want to listen to what Lepide has to say later in the show. That’s L-E-P-I-D-E, Lepide. Alright, today’s topic came to me from Jason Dance. He alerted me to this post by Mickey Boodaei, CEO of Transmit Security who said quote, “If you have customers get a CISO.” Now conversely I’ve heard start-ups should not bother getting a CISO because the security program will drastically change from its start-up roots. But, Boodaei said quote, “Having security tasks split across the organization without a clear and single owner is a recipe for disaster.” Boodaei went on to offer advice on what a start-up should look for in a CISO. So, why is this an important conversation that a start-up should have at the beginning Jimmy?

Jimmy Sanders

It’s a great conversation because when you start building your product instead of having a bolt-on security at the end you can make it into the beginning. We’ve seen many instances where people have had all these security solutions, they’ve had all these solutions, they forgot about security and it ended up biting them in the butt in the end.

David Spark

Well, we are going to have this very discussion now on this show with a good friend of ours, Bryan Zimmer, Head of Security over at Humu. Bryan, thank you so much for joining us.

Bryan Zimmer

Thanks for having me. Long time listener, first time caller and I have to say that your intro music is my favorite due to the 100% more cowbell versus all your security podcast competitors.

Why is this relevant?

00:02:57:08

David Spark

Ainsley Rattray of AWS said quote, “One of the most important responsibilities that a CISO has is to ensure there is a system in place to monitor/detect deviations from your security baseline,” and RAMN said quote, “Start-ups or any business regardless of what series or stage they are in, if they hold crown jewels they need to be protected and if they have customers it shows maturity by engaging in information security at the beginning.” Paul Moskowitz of the Israel National Cyber Directorate said quote, “Your IP might be targeted and if so your customer’s investors might lose confidence in your product,” meaning if you don’t have any CISO or security in case. Alright Jimmy, to you, they said like hey you need it if you’ve got customers. Do you need to bring a CISO on that early if you have customers, Jimmy?

Jimmy Sanders

Yes you do, because a lot of times when customers ask you questions or you’re filling out questionnaires, they’re saying, “Do you have somebody who runs security? Do you understand audits? Do you understand compliance?” And by having a CISO up front early you are able to grasp those audits, grasp those compliance questions and potentially bring in more customers.

David Spark

But, and I’m going to throw this out, and by the way I’m going to probably act like devil’s advocate through this whole episode because this entire thread discussion was very pro hire a CISO, but they were all security people who often worked at security vendors so they’re already kind of security minded in that respect. But, as we know, CISOs are not cheap and when you are at the beginning you’ve got to kind of prove your product and get it to market fit and bring in customers. You don’t necessarily have money to hire a CISO. I mean doesn’t sort of a balance game need to happen at this point, Jimmy?

Jimmy Sanders

Yes, you don’t have to necessarily hire a CISO but you need somebody who owns and leads security for the compliance reasons. For the reasons that I know from my historical background, not that I was ever a black hat hacker, but I know the easiest targets that I looked for were the ones that I knew did not have security in place and that way you could just attack them easier and earlier.

David Spark

That’s a very good point. Alright I’m going to take the same question to you Bryan. Is a CISO, and I’m talking full time CISO because we’re going to get into alternatives, is there kind of a right and a wrong time to bring in a full time CISO? And also keep in mind they’re not cheap.

Bryan Zimmer

So listening to your podcasts over the years I know your middle name is controversy and you like it when people disagree so I’m going to completely disagree with Jimmy here, well no not completely. Yes so I would say you need the right kind of CISO. You don’t want your full blown like head of AT&T security or head of, you know, Google security type CISO. You need someone in the beginning that’s more of an experienced engineer ideally looking to level up and start going from, you know, the hands on to the management to the executive level to grow with the company.

David Spark

That’s a very, very good point. So, and again talking about controversy because I’m going to be pushing this too, can any of you sort of see the view of the business and like hey we really do need to balance this like how much of a security push do we have to do early on? I mean all companies sort of have a security program, what is the security program at the earliest stage, Jimmy?

Jimmy Sanders

Every company has some form of a security program but not every company has somebody who actually owns it. And when you don’t have somebody who actually owns security then you have people who dabble at security and then they’ll think they can do their own encryption standard. And they just get it wrong because if that’s not your full time job you don’t focus on it you can lose the ball.

How would you handle the situation?

00:06:55:05

David Spark

Steve Moss of Freeman Clarke said quote, “Many growing companies won’t need a full time CISO to cover their needs, on demand is the answer. Buy what you need when you need it.” Brian Haugli of SideChannel said, “We see our clients’ cost and risk lower much earlier in their growth.” And RAMN also said, “External consultants are helpful to bridge the resource gap but an internal employee would know your organization better, including its culture, risk appetite and having a sense of ownership, as it’s their career on the line.” Now I should mention the first two, Steve and Brian, are the CISOs themselves so understandably they would push it but they make a very good argument. And RAMN makes a good argument of, “Well if you’re not there you’re not part of the culture.” Well how good can you really be? Bryan, what do you think of these two arguments?

Bryan Zimmer

I think it depends on the company. I mean you know, you can definitely get away with a V-CISO.

David Spark

What do you mean get away, qualify that for me?

Bryan Zimmer

Okay, so yes I am biased in the completely opposite direction of V-CISO because I’m a full time head of security so I’m of course biased in that direction. So, me personally I would rather have someone full time like RAMN was saying, like hit the nail on the head, of someone who is in the company who can be, you know, meeting people day to day, glad-handing and kissing the babies, integrating security into the culture, taking care of getting processes and procedures in place, all the technical controls. Whereas I mean, I feel, I could be wrong, that if you have a V-CISO you are going to be getting good advice but that you need someone to put that in place.

David Spark

Okay. What’s your take on this V-CISO versus permanent? And do the V-CISOs have a place maybe earlier on?

Jimmy Sanders

V-CISOs definitely have a place for building up because, for instance, you may do a start-up and you may hire somebody who doesn’t understand how to think broad picture, they may be more of an engineering mindset and so they’re used to looking at logs, looking at things from a small scale. But when you want to broaden out you need somebody who has that broad mindset and that may be a virtual CISO because you can’t quite afford to hire a real CISO yet.

David Spark

Could either of you speak to determining when to get a CISO or V-CISO and, you know, these could be two different answers here, of do you determine this by the number of employees you have? The number of customers you have? If you’re up to this number of customers or you’re up to this number of employees get yourself a V-CISO or CISO? The reason I mention it, it’s like you think some start-ups are literally two people or one, like they can’t really hire a CISO at that point. Is there a barometer and I know creating a hard line is tough but what would you say Bryan to something like that? And is that the way to look at it? Maybe I’m looking at it completely the wrong way.

Bryan Zimmer

I mean, I would say once you’ve got the basic teams built out, you know, a couple of people on each team at least, and sales, marketing, that kind of thing, then you can start bringing in the CISO because you want to bring them in early and start integrating security from the beginning. Like Jimmy said earlier, you don’t want to bolt on at the end. I wouldn’t say necessarily a specific size of company is the cut-over point, maybe revenue, when the company feels that they can afford that, and then also the existing, you know, if you’ve got somebody in there currently handling security or, you know, slices of people handling security, where are there gaps at, with the V-CISO bringing the picture, like Jimmy mentioned, and helping kind of tie that stuff together.

David Spark

Alright Jimmy, do you have an answer to this question?

Jimmy Sanders

Yes, so when I see you start hiring a CMO, CFOs, the CISO should be right in line with that. So that just depends on your team and how you’re building that out. But once you start your executive suite the CISO should be right alongside that.

David Spark

And the rationale being just because that’s how you’re building up the company or is something happening intrinsically to the business that’s like we need it?

Jimmy Sanders

Something is happening, as Bryan was alluding to. Once you start building out your teams, once you get approximately like 30 employees or a little more and you start branching out, if you don’t start to ensure that security is at least embedded in from the beginning you will do whack-a-mole at the company once you do bring a CISO in.

David Spark

Let me just quickly ask, have either of you been at a start-up where you’ve actually seen this play out?

Jimmy Sanders

Oh yes. So, I’ve been in several start-ups. The company I worked for before they got acquired by Samsung, M-Spot. I was approximately the 30th employee and then we grew to a couple of hundred but as you grow you start to see we had AWS instances that may not have been the most secure because nobody was really watching or taking care of where the keys were. So yes I’ve definitely been in that situation.

David Spark

And would it be safe to say that most companies have AWS instances that are not as secure as they should be? At varying levels?

David Spark

At varying levels.

Sponsor: Lepide

00:11:50:10

Steve Prentice

The need for understanding who has access to what data has never been so great as is it now.

Steve Prentice

This is Aidan Simister, CEO of Lepide, a company that specializes in intelligent threat detection with a focus on active directory and compromise of data stored on enterprise data stores. Lepide zooms in on the status of your data which Aidan says is the ultimate key to security.

Aidan Simister

If you’re able to say I can show a report that shows exactly who has access to our most sensitive data as opposed to saying here’s the report who has got access to these files or folders that becomes meaningless.

Steve Prentice

In a world where too much security information can be as bad as too little, Lepide helps consolidate the priority information, allowing for sound decision making and overall management of a company’s key theater assets.

Aidan Simister

For us, I kind of feel that our main value is the fact we’re bringing together these elements of discovery, classification, access governance and user behavior. That makes it significantly more valuable than other solutions that are out there on the market.

Steve Prentice

For Aidan and his team it comes down to one word, visibility.

Aidan Simister

Visibility is the crux of being able to protect your data, know who has access to it and know what’s happening to it. The fact is a lot of organizations just don’t have some of these controls in place and yet they’ve spent a lot of money and a lot of time on their security and yet they can’t answer these questions which are fundamental, fundamental! Visibility is key.

Steve Prentice

For more information visit Lepide.com.

Well I guess that’s one way to solve it.

00:13:30:05

David Spark

Mike Kelley who is the CISO over at the EW Scripps Company said quote, “I bet you will find plenty of CISOs out there that would give some of their time if the service solves real problems,” and Sammy Chowdhury of Prescient Security said, “You would be surprised at how much free advice the security community is willing to offer you if you’re just willing to network with security advisors and leaders. Just ask.” I’m going to throw it to you Bryan, how much can you get away with with free advice?

Bryan Zimmer

Well I mean, are we talking about having someone already in the company handling security and then they’re getting free advice or is this nobody’s handling security and the company is trying to grab anything they can to slap together some security?

David Spark

I think the latter and I’m thinking really the earliest early stages so before you’ve built out the team like we described in the last segment, earliest earliest stages? You know, I just started two people and like I don’t even know where to begin with security here. I got to assume that I can get some free advice. How far can that go? What can I do with that? Like to what level could I get some free advice? I don’t even know. But they argue you could get somewhere with it.

Bryan Zimmer

Well best free advice is hire a V-CISO or CISO, there you go problem solved.

David Spark

That’s not free advice. I mean the second you said hire the word free went out the window.

Bryan Zimmer

Yes I mean I think for the initial founders and the initial, you know, engineering founders and that sort of stuff that definitely helps because that can guide you to you know, what regulations you have to follow, what certifications you should get, what infrastructure you should put in place, what some of your basic application features should have, like SSO and authentication and encryption all that sort of stuff. But then once you start getting past that you start needing someone dedicated to hiring all the rest of the security stuff like working with your legal department, answering security questions, working with your sales team, working with marketing, working with IT and engineering. All the stuff that you need to tie together because you know, while those can be little slices of people spread across the company you need someone with a kind of that glue to tie everything together and make it happen.

David Spark

You know what, I also believe that the quote ‘free advice’ leads you to hiring because I remember this goes many, many years ago when I first started a business, even before the one I currently own and I’ve met an accountant at a party and I told the accountant, “Oh, I have this business,” and the accountant started asking me all these questions and I kept thinking, “No, I’m not doing that, no I’m not doing that, no I’m not doing that,” and I realized I had to hire him so it was, you know, a very good sales pitch on his part. I got to assume that’s pretty much the way a good free CISO advice would work is you’d realize all the things you should be doing that you’re not doing, right Jimmy?

Jimmy Sanders

Yes, but to me this question also is from a technology centric lens. If you go to places where there’s not technology or other places where the network isn’t as robust you wouldn’t be able to get free advice. Who would you even turn to? But if you live in Silicon Valley or Ulstone or someplace where it’s tech centric, yes you could ask your person across the street or whatever.

David Spark

Well we’re all virtual now so you can find advice from anyone but let me ask this. Have you either of you talked to some kind of a founder who was literally like they’re spinning around, they don’t know where to point their head and you offered them just some basic advice kind of like that moment I had with that accountant where I’m like, “Jeez I’m not doing any of this stuff.” Have you had that moment with a founder of some sort, Jimmy?

Jimmy Sanders

Yes, but hopefully they take it with a grain of salt because unless they actually know you and they’re your real friend, how do they know the advice you’re giving them is even sound?

David Spark

I didn’t know this accountant when I met him. Bryan, have you had this experience?

Bryan Zimmer

I totally agree with Jimmy and I mean you can lead a horse to water but you can’t make him drink, so you know, that whole thing. You may slowly win them over and you may open their eyes but if they’re not on board with bringing security on from the beginning, you know, they think they can do just some of the basics and get by. You know that could work until they start getting their first serious enterprise customers and they start drilling into their security with security questionnaires and audits and those sorts of things and then it all rapidly falls apart. So that tends to convince them to start caring about security too.

David Spark

Well, I think you both know that if you meet a founder who couldn’t care less about security you just brush him off and go well you’re doomed or you’re gonna figure it out, you know, the hard way right, Jimmy?

Jimmy Sanders

I don’t know, I’ve seen a few founders that didn’t care about security that ended up being billionaires, so what do I know!

David Spark

They sold before they had to deal with anything?

Jimmy Sanders

Or they got enough users who said. They weren’t as regulated, so if you’re coming into a regulated industry, yes but like look at Facebook. You really think Facebook cares about security?

David Spark

They do have a few people hired for security but yes, what is amazing about Facebook is that things come out about their security and their privacy issues and their stock goes up. So yes, they have reversed engineered that problem. We’d all like to have that problem. Security problems go up, stock price goes up with it, how awesome!

This problem won’t change on its own.

00:18:43:17

David Spark

Niklas Volcz of Springflod AB said quote, “Find someone that knows what risks to accept and understands the business,” and Bob Schuetter, CISO over at Ashland said quote, “There are a lot of CISO types in the world and you probably need different kinds as the company matures and grows your customer base.” So I am going to start with that comment right, that last one. What is the type of CISO you need at the very beginning or can that CISO mature along with the company, Jimmy?

Jimmy Sanders

As Bryan alluded to earlier, generally when you start off you want somebody who is more technical, who understands the weeds better and then as you grow as a company you can’t be technical anymore because you’re so large so you can’t grow with that. But generally from what I’ve seen and my peers have witnessed and explained to me, you hire different CISOs when you get ready to IPO than you would pre-IPO.

David Spark

So who are those two different CISOs, the pre and the post?

Jimmy Sanders

So the pre-IPO CISO is generally more growing the brand, growing the security department, where the post-IPO CISO, they’re getting more higher level people. So now you’re getting a virtual, not a virtual CISO but like a vice president CISO and you have more staff. That’s what I’ve seen.

David Spark

Alright, Bryan, what’s your take on the different stages of CISO at a start-up?

Bryan Zimmer

I totally agree and like I said earlier, you know, in the beginning the more engineering focus, growing up towards like management type skills, leading a team, being a director and then on up to the VP level where you’re much more removed from the technology. But also important is someone that fits the company culture because, you know, you’ve got to work closely with leadership to figure out what their risk appetite is and are they willing to give the employees a little more leeway on their laptops and the applications they install or are they going to want a much more highly regulated industry approach where they’ve got to lock everything down? And then you’ve got to be on board with where they are on that spectrum and then acting on behalf of leadership, making the calls of yes this is approved or well this is kind of risky so let’s go find you a different solution.

David Spark

Going to the first one, what Niklas Volcz said, this seems like basic advice about finding someone who knows what risks to accept and understands the business. There was also the talk about being ingrained in the business, understanding the business, but if you were at a start-up, how hard is it to figure out what the risks are since it’s a smaller start-up, or is it still a very, very difficult problem to figure out, Jimmy?

Jimmy Sanders

Oh, it’s very difficult because the nature of the start-up is they’re always trying to find their best product and so a lot of times you’ll be at a start-up and it pivots. It will be in this segment, now oh we’re pivoting to this because we found that this was hot. And so finding that is still difficult. And the other thing that happens is generally the start-up is more risk tolerant. They want to try new crazy things and, you know, it’s harder to rein them in sometimes in the practices.

David Spark

No but hold it the argument being that the business essentially accepts a risk rather than you know, security department. If they say, “We want to be risky, we want to try a lot of things,” you go, “Okay this is what I suggest for that and this is going to allow you to have this kind of a leeway but you can’t go beyond this line because, well that could be business ending kind of a thing.” I’ve got to assume you have that side of that business line for security yes?

Jimmy Sanders

Yes exactly and the scarier thing when you’re a start-up is that your most recent security issue could be the end of your company.

David Spark

Yeah. Let me take that to you Bryan because one of the things we’ve seen with breaches is that many, many companies survive them. Can start-ups survive them like other companies, especially when they barely have a brand?

Bryan Zimmer

Well they can. I mean I’ve seen stats about how much a company’s stock goes down after a breach and it’s a little bit, but it’s survivable. With start-ups, I mean when I’m doing my security training for the new employees I mention just because we’re a small company doesn’t mean we aren’t being constantly attacked and at risk of like vaporizing. I always mention the company that was called Code Spaces, and notice I said was, and they were a start-up, everything was in the cloud, in theory doing everything right, but they got hacked and all their customer data got deleted and they had to fold up shop and close everything down. So yes, definitely an existential crisis.

Wrap

00:23:18:20

David Spark

And that high note brings us to the end of this show. Don’t let yourself be an existential crisis, get yourself a CISO or someone to own security. They don’t necessarily have to own that title but they need to own security. Alright we’ve come to the point in the show where I ask the two of you what was your favorite quote and why and I’ll begin with you Jimmy.

Jimmy Sanders

Yes, my favorite quote was by RAMN. External consultants are helpful to bridge the resource gap but an internal employee would know the organization better including its culture, risk appetite and have a sense of ownership and has their career on the line. And I love that because it’s the ownership part of security. If you don’t have somebody specifically devoted to security they don’t own it. They may be security enthusiasts but they wouldn’t necessarily have to own it and have their career on the line because of it.

David Spark

Good point, and Bryan your favorite quote and why?

Bryan Zimmer

So I like the cut of RAMN’s jib, he’s got two good quotes and he’s got my favorite one in there, that start-ups or any business regardless of what series or stage they are in, if they hold the crown jewels they need to be protected and if they have customers it shows maturity by engaging in information security at the beginning. And that speaks everything right there. I mean it’s a differentiator for your company, you’re getting your company off on the right foot, you’ve set the path right and you’re basically setting yourself up for success.

David Spark

Good point. Alright, that is now the end of our show and I want to thank our sponsor Lepide, L-E-P-I-D-E, check them out especially if you have issues finding what your data is and how sensitive your data is and what is the most sensitive data. Essentially the big crown jewels question, which is the big question that our audience I know has, because we’ve talked about it a lot on this show. And I want to thank our guest Bryan Zimmer who is the Head of Security over at Humu and also I have to thank you Jimmy for being my guest co-host, who is also Head of Security over at Netflix DVD. Alright, Jimmy, any last thoughts on this topic and our guest Bryan too?

Jimmy Sanders

This was a great topic and obviously check out Bryan, he is a big leader and thought leader in terms of how start-ups need a CISO.

David Spark

Awesome, well thank you. And by the way I always ask, are you hiring right now Jimmy?

Jimmy Sanders

No sir, we’re not hiring currently.

David Spark

Not hiring. Okay. I am going to ask you the same question Bryan. Bryan are you hiring and have any last thoughts on this topic?

Bryan Zimmer

So we are hiring but not for security. We’re hiring platform infrastructure engineers, front end developers and full stack developers, so check out our site humu.com/jobs. We’re making it easy for organizations to improve their morale, engagement and performance every single week so check us out at humu.com. Let’s see do I get a chance for a shout out?

David Spark

Please shout it out.

Bryan Zimmer

Okay. Remember when you’re a CISO or someone higher up in security to send the elevator back down, as Jack Lemmon would say, so help out those who are just starting their careers, help out those who don’t look like you or who don’t have the same background as you. You know it’s a good thing to help people out, it makes you feel good, but also it increases diversity in security and helps solve our hiring problems. And then also spend a little time talking at your community colleges and high schools, giving little presentations on, hey here’s security, here’s how I got into it. Which, you know, could either help guide someone in their career or also just inspire people to try out security.

David Spark

I will echo that last comment and say the best quote I ever heard from someone in terms of sort of finding what your passion is, is I interviewed a woman, she said she introduces her kids to people who love their jobs. Doesn’t know what her kids are going to do, just introduce them to people who love their jobs because no-one can speak to how great that job is better than the person who does it and loves it. And essentially anyone in cyber security, if you love your job tell others, especially those who are trying to figure out why you love your job. So thank you very much Bryan. Thank you very much Jimmy and thank you audience as always for your awesome contributions. We greatly appreciate it. Keep them coming in and if you see a really good conversation online let me know because that’s what we can turn into an entire episode of this very show. So, as I always say, thank you for contributing and listening to Defense in Depth!

Voiceover

We’ve reached the end of Defense in Depth! Make sure to subscribe so you don’t miss yet another hot topic in cyber security. This show thrives on your contributions. Please, write a review, leave a comment on LinkedIn or on our site cisoseries.com where you will also see plenty of ways to participate including recording a question or a comment for the show. If you’re interested in sponsoring the podcast contact David Spark directly at dave@cisoseries.com. Thank you for listening to Defense in Depth!