Q&A with Kathy Wang, Chief Security Officer at Discord, on Raising the Bar on Security

Kathy Wang, Chief Security Officer at Discord

Raising the Bar on Security

Hi again, fellow cyber enthusiasts ✌️ This week, we're thrilled to introduce you to Kathy Wang. Former CISO at Discord, GitLab, and Very Good Security, Kathy brings her battle-tested wisdom right to your inbox 🚀

In this interview, we dissect the nuances of cloud security, explore strategies for building rockstar security teams, and peek into the startup world through Kathy's experienced lens. This isn’t just an interview; it's a cybersecurity masterclass. Happy reading👇

Question 1 💭

Let’s start with a brief background on you. What are some recent wins you’ve had in your role? What challenges in the industry are you most focused on currently? What’s got your attention lately?

Answer 1 🎯

As a CISO, I’ve always focused on how to incrementally raise the bar on security at a cloud-native organization. When a CISO can properly assess, understand the organization’s risks, and build a consensus-driven roadmap for what’s next, that’s considered a good win. The advent of generative AI capabilities recently has presented both challenges and opportunities for CISOs, and has my attention.

Question 2 💭

When building strategic security roadmaps, what are important things to consider for companies at the size and structure of Discord? How does it shift the way you think about cloud?

Answer 2 🎯

Regardless of the size or structure of the company, each has unique risks and challenges. The key is to guide the security team to work in tandem with cross-functional organizations such as engineering, product, finance, etc. so that a comprehensive risk assessment process is developed. This risk assessment must also include cloud infrastructure in terms of visibility in how all of the services and applications are deployed, as well as accesses.

Question 3 💭

As someone deeply involved in building security teams, what specific qualities and skills do you look for when hiring security professionals? What skill sets and technologies are needed for the industry in the next few years?

Answer 3 🎯

Security is highly operational, and it’s good to hire people who have a strong tendency to exhibit bias to action. In every company I’ve been at, security teams are responsible for helping the rest of the company understand security risks, so I also look for people who are willing to communicate those risks. People who are willing to be strong advocates while building consensus will be successful in security roles. These skill sets will apply even in the next few years - I don’t see this changing.

Question 4 💭

Building highly effective security teams is a complex task. What unconventional approaches or strategies have you employed to differentiate your teams and attract top talent, especially when competing with other companies for skilled professionals?

Answer 4 🎯

It is still difficult to find and hire great security professionals. That’s why it’s important to have strategies on not just hiring top talent, but retaining top talent. I’ve found that the best people really value transparency. If prioritized well, transparency will empower security teams to achieve great outcomes, which will then help to attract and retain top talent.

Question 5 💭

Establishing feedback loops is essential for continuous improvement. In your experience, where do you see communication silos or gaps in feedback loops most often? How do these pose challenges further down the line?

Answer 5 🎯

In order to continuously improve or raise the bar on security, it is critical for security teams to avoid operating in a silo. In the past, my teams have been transparent to the rest of the company on our roadmaps and goals, even documenting these items where everyone can view and provide feedback. In this way, we achieve better collaboration from other teams in the organization. Security teams operating in a silo sow distrust within their organizations, and collaboration will be hindered down the line.

Read the Full Q&A on Gomboc.ai

What’s New at Gomboc

In the magical land of Silicon Valley, where dreams and code converge, a tale is about to unfold… Imagine a sunny day in the Valley, with Kubernetes on the horizon, ready to set sail into production waters. But, as fate would have it, chaos ensues, and our beloved character, Streamline Willie, finds himself in the midst of a cloud conundrum 🚢💻

Watch Mickey as he goes on a rollercoaster of tech shenanigans, only to be saved by Gomboc 💪

Latest AWS and Azure Updates You Don’t Want to Miss

Top Articles and Resources of the Week

Articles

Resources

  1. Major Cloud Security Events and Conferences

    1. Opt-in to this resource to receive updates on events and conferences in cloud security. Meet like-minded cloud-security professionals from around the globe to learn, exchange ideas, network, and more.

  2. Top 50 InfoSec Networking Groups to Join

    1. Join these top 50 associations, LinkedIn groups, and meetups to stay ahead of the curve on all things InfoSec.

  3. CIS Benchmarks

    1. The Center for Internet Security (CIS) is a fantastic resource for initiating, implementing, and upholding a robust cloud security strategy. Access their detailed benchmarks tailored for AWS, GCP, Azure, and more. For a deeper understanding, explore the CIS Controls Cloud Companion Guide.

  4. SANS Practical Guide to Security in the AWS Cloud

    1. In collaboration with AWS Marketplace, SANS introduces an in-depth guide tailored for AWS enthusiasts. Whether you're a novice or an expert, this extensive resource delves into the intricacies of AWS security.

  5. Security Best Practices for Azure Solutions

    1. Learn key security practices tailored for Azure solutions and understand their significance. This comprehensive guide offers insights into developing and deploying a secure Azure environment.