Marsha Wilson of ScaleSec on Harnessing Military Discipline for More Robust Cybersecurity

Hi everyone,

I'm excited to bring you another interview filled with wisdom that only comes from years of experience, this time with Marsha Wilson, the Co-Founder and CEO at ScaleSec.

In our chat, Marsha dives into how her military background shaped her approach to cybersecurity where discipline and strategic thinking are key. Her transition from traditional IT to specializing in cloud security and governance gives her a unique perspective on industry trends - you won't want to miss them.

We also explore the significance of code-driven, automated, audit-ready security operations, and how ScaleSec sets them up to make a difference in clients' compliance and security landscapes. Marsha's practical advice on navigating compliance requirements and transitioning to the cloud is a goldmine for anyone in the industry.

But that's just scratching the surface. Marsha dives into a wide range of topics, from the unique security challenges across different sectors to the emerging technologies shaping the future of cybersecurity.

This is a great read to start your day with. So grab a coffee or tea, settle in, and dig in to Marsha's wealth of knowledge and experience in the cybersecurity space.

Cheers,

Ian

P.S. We're hosting a roundtable on June 4th as part of New York Tech Week. Other cyber & cloud security founders and I will be discussing how growth-stage companies can harness AI to scale their organization securely. Expect an exciting roundtable, the opportunity to meet others in the space, and of course - drinks. Register here to save your spot.

Marsha Wilson, Co-Founder and CEO of ScaleSec

Question 1 💭

Hi Marsha, I’m excited to have you here. We share a bit of a common background, which is that you served in the Army as well - for your country. Let’s start by sharing how your military experience has influenced your leadership style and approach to cybersecurity? What do you think other founders or CISOs can take from this?

Answer 1 🎯

I was in military intelligence, part of signals intelligence. And, like cybersecurity, this demands discipline, strategic thinking, and curiosity about anomalies that inform risk management. As an enlisted soldier, I was trusted to be the eyes and ears near the front, and working with my analyst buddies, I would work to bring insights and inconsistencies to my command for further consideration. That is also a big part of cybersecurity--but we have many tools and AI now to assist the humans. That's a good thing.

And I'm not sharing anything CISOs and other business leaders don't already know, though I appreciate the opportunity to reinforce the messages: Emphasize Training and Prepare for the day you need it; do this to enhance your teams' responsiveness and skill levels in cybersecurity.

Foster Discipline and Accountability: guardrails for cybersecurity tasks to hold team members accountable--assuming they are all properly trained--can improve the overall security posture.

Learn from the military's adaptability and resilience, and support leaders as they focus on building systems and teams that can withstand and quickly recover from cyber incidents.

Delegate as far down as you can, and prioritize leadership development to ensure that the cybersecurity team is as equipped as possible to handle crises and lead initiatives effectively.

Question 2 💭

Your move from traditional IT to specializing in cloud security and GRC was a strategic move. What were some of the key industry trends or personal motivations that caused you to do this? How has it shaped ScaleSec’s mission?

Answer 2 🎯

When I left the military in the late 1990s, I leveraged my security clearance and worked in the defense industrial base for a decade. Though job security was a thing, I really wanted to move faster and work in the commercial space. So I segued in 2011.

As for ScaleSec’s mission, in 2015 we originally thought we would have some commercial and some government work, since my cofounder Aaron and I both came from DIB. We found that in fact, we recognized through our FedRAMP work in the early days that what agencies need us to do is help commercial tech companies understand the government world. So our focus became readying companies to do business with US government entities. And though we are still certified as a service disabled vet owned business, that is not really a business differentiator at this point.

Question 3 💭

At ScaleSec you promote a security-first philosophy in all your consulting engagements. Can you explain further how this approach has an impact on project outcomes compared to more traditional security models?

Answer 3 🎯

Again, after a decade leading ScaleSec, much has changed. Now, teams need embedded subject matter experts. And we are a team of Cloud Developers, Engineers, Architects and Compliance experts who examine all the options through a security lens. It makes sense in today’s world.

With a focus on shifting security left, we often support a customer's cloud migration, and assess their Cloud Software Development Life Cycle (SDLC). It's not uncommon to find processes lack early security considerations, leading to gaps and inconsistencies in security controls across applications. We identify opportunities to formalize security standards and processes to address these gaps before deployment, reducing risk of a production-level breach; reducing team disruption and costs from recurring, post-production fixes; and keeping pace with the evolving threat landscape. It is gratifying to have a Director of Security or VP of Product Development say, "Wait no, our teams need to see you using this so they can skill up too." And we are happy to do that.

Question 4 💭

You've talked about the significance of having code-driven, automated, audit-ready security operations. Can you walk us through how ScaleSec sets these up and what kind of difference they're making in your clients' compliance and security landscapes?

Answer 4 🎯

We tell our clients on the very first intro calls that we are there to take the pain away from their security operations teams by layering the security controls into the SDLC rather than waiting until a resource is deployed, when the risk goes from potential to actual. SecOps should be about Detective controls, and let the SDLC insert preventative controls. Because if you wait until post-deployment you have 10,000 vulnerabilities, rather than catching the one configuration error prior to launch. Adding security into the SDLC presents opportunities for security to PREVENT risk to the business, while reducing cost to fix thousands (or tens of thousands) of problems with one line of code. Like Gomboc does with pull requests.

So prior to automated deployment, you examine the reference architecture and the security checklists; during the build, using automated testing, you add your security tests against appropriate compliance frameworks and leverage scanning tools. During automated deployment, you make sure your cloud organization policies are enforced. Then your SecOps team knows that when a resource comes online, it has been provisioned with security--as defined by your company--baked in. No more real vulnerabilities sitting in the open while it takes days to discover and resolve them. No more delaying GTM or trying to get the dev team back to the table 30 days later, when they're 3 sprints into their next epic; and no more rinsing and repeating this process for the next app.

At ScaleSec we recognize that this may be a new muscle for many teams. Security team members must learn how to refactor their workflows using code, and the AppDev team needs to trust that security will not keep them from meeting their business deadlines and milestones. But when clients see how this works, and can work with a team that can demonstrate the impact this shift can have, it is very gratifying.

Question 5 💭

With your understanding of different compliance frameworks, could you share some typical hurdles companies encounter when shifting to the cloud? How can companies smooth out these transitions?

Answer 5 🎯

Teams need to consider the full extent of compliance requirements. External requirements, brought to bear by industry, geography, federal and market sources. Internal requirements as determined by threat modeling, and the residual risk stance your company is comfortable accepting. These all feed into a robust security and compliance program, from which your full complement of requirements, policies, and standards are derived. THESE are then used to create your hardened baseline on which all teams should build their applications. This seems logical but we have found more often than not is not part of the build process at companies--instead they focus on the technology first, not risks first, which technology addresses through controls. 

To fully take advantage of cloud optimization, teams need to start with a hardened baseline, to allow for consistent security management of your environment, and moreover focus your development efforts on the true business differentiators that will allow your business to thrive. This is a hard discipline to instill. But it works. 

For example, our customer Dexcom started as a small shop in San Diego, then grew their team internationally to the point that synchronous meetings were impossible to align on a consistent basis, so we set them up with GitOps to manage changes through code. Experimentation in the console is fine for development, but it does not scale. 

How can companies smooth the transition to cloud? By training these processes until they are second nature. And most importantly, finding the courage to set policy and permissions to prevent changes via the console in production. The longer you've been changing prod through the console, the more this hurts.

Reinforce the habits you want to see replicated.

Read the Full Q&A on Gomboc.ai

What’s New at Gomboc

Join Us at New York Tech Week for a Roundtable Discussion on Harnessing AI for Growth-Stage Organizations

New York City’s Tech Week is coming up and we’ll be there with an exclusive roundtable on how growth-stage organizations can harness AI to enhance their security posture.

We're bringing together top cybersecurity experts for an evening of open discussions and actionable insights. Here’s all that you need to know 👇

📅 Date: June 4th

🕡 Time: 6:30 PM

📍 Location: Secret (revealed upon registration)

Spots are filling up fast, secure your spot now & discover how AI can level up your cloud security strategy.

Top Articles and Resources of the Week

Resources

  1. Federal Cyber Defense Skilling Academy: CISA’s Cyber Defense Skilling Academy provides federal employees an opportunity to focus on professional growth through an intense, full-time, three-month accelerated training program.

  2. The Workforce Framework for Cybersecurity (NICE Framework): Learn more about the NICE Framework Categories, Work Roles, Competencies, and Task, Knowledge, and Skill (TKS) statements as well as the relationships between those elements in this downloadable PDF.

  3. Workforce Management Guidebook - Cybersecurity is Everyone's Job: A publication that talks about cybersecurity from every business function and aspect of an organization’s operation. It is written for a general audience who may not be knowledgeable about cybersecurity and can be read as a complete guide or by each business function as standalone guides.

  4. 7 Popular Cloud Security Certifications for 2024: This article provides a comprehensive overview of the top cloud security certifications for 2024, essential for professionals seeking to enhance their skills and career prospects in the rapidly evolving cloud security landscape.

  5. Cybrary.it: A platform for cybersecurity professionals at all levels, featuring free courses, certification training, and hands-on virtual labs designed to prepare users for the latest threats and vulnerabilities, making it a valuable resource for anyone looking to start or advance their cybersecurity career.