Tim Youngblood on Securing Non-Human Identities and Preparing for AI-Driven Cyber Threats
Hey Cloud Control family ✌️
I'm thrilled to bring you an in-depth conversation with Tim Youngblood, the CISO in Residence at Astrix Security. Tim’s experience is incredible – from steering security strategies at giants like T-Mobile and McDonald's to now focusing on the challenges of non-human identities at Astrix.
We talked about a lot of exciting topics. One thing that really stood out was Tim's approach to aligning security with business goals. He shared some fantastic insights on how startups can leverage frameworks like NIST CSF and OWASP to build a solid security foundation. Trust me, this is gold for anyone looking to enhance their cybersecurity game.
Tim also opened up about the intricacies of managing NHIs and the critical steps companies should take to stay ahead of threats. His practical advice on building a robust security posture is something you’ll definitely want to implement.
So settle in and enjoy this insightful chat with Tim Youngblood. I promise you, it's worth every minute.
Cheers,
Ian
P.S. Was this email forwarded to you? If so, sign up to receive Cloud Control interviews delivered to your email each week here.
Tim Youngblood, CISO in Residence at Astrix Security
Question 1 💭
Welcome to Cloud Control, Tim! To kick things off, could you tell us a bit about your current focus areas at - and outside of - Astrix Security and some of the key initiatives you're working on?
Answer 1 🎯
Appreciate this opportunity to connect with your subscribers. Well, I’m not one to twiddle my thumbs waiting for something to do. At Astrix I’m the CISO-in-Residence; my focus is on helping to mature an already amazing solution to combat the challenges of Non-Human Identities (NHI), working closely with the organization on product strategy. My focus is to ensure the Astrix security platform is built to address NHI risks while fitting enterprise security teams’ day-to-day practices and challenges. I also work as an NHI security evangelist with the marketing team to bring awareness of NHI security to the industry. Outside of Astrix I’m an active angel investor and participate in deal screens in my investment thesis areas of cyber, medical devices, cleantech, and media. I’m also active on several boards in private equity, healthcare, cyber, and media, among others. In my spare time I’m enrolled in a Professional Education program at MIT, working with some of the best researchers in the world on a product engineering, product design, and design thinking program that’s been a year-long commitment. So never a dull day.
Question 2 💭
You've led cybersecurity strategies at major brands like T-Mobile and McDonald's. What key principles have guided your approach to aligning security strategies with business objectives across these diverse organizations? How can startup founders bring these principles to their teams?
Answer 2 🎯
I have a master’s degree in entrepreneurship from the University of Texas at Austin. I have also been working with several international and domestic venture capital companies over the last fifteen years. I understand the challenges of the startup ecosystem very well. Having been the CSO/CISO for four major brands, I’ve learned a lot about building strategy. Some of these lessons can certainly apply to startup founders.
Lesson one: there is strength in numbers; never attempt to do strategy in a black box on your own. Strategy is a team sport, and you need to include all your leaders in your planning and get feedback from partners, investors, and customers.
Lesson two: set stretchable goals. In order to create an amazing product you have to do things that others are not doing, which means setting goals that are not easy to obtain. If you obtain all your goals in the first year of your strategy, then you weren’t ambitious enough. There is learning in failure.
Lesson three: connect the dots. Your strategy may be supporting a bigger strategy for a partner or customer. Have tangible outcomes in the strategy that show that support. Understand how your Objectives and Key Results (OKRs) make an impact on others. No strategy stands alone.
Question 3 💭
Throughout your career, you’ve overseen incident responses to various high-stakes situations. Can you share a particularly challenging incident and the key lessons learned from it?
Answer 3 🎯
Throughout my career I have been up close and personal to many tragic events. I was a consultant at Enron when it exploded before my very eyes. I participated in some diligence of MCI WorldCom as it went under. I had just started with a company and had to respond to the largest breach in telecom history. I can’t go into detail on any one event, yet I can point to some general principles in dealing with a crisis. The most important aspect in any crisis is communication. There has to be a communication plan for every level of your company: one that focuses on customers, one for partners/regulators, one for internal employees, and one for the executive team. In the middle of a major event, the first thing to break down will be communication. You have to do some prep work with legal and compliance teams on how you will define containment of an event. In many cases operations may not be impacted, so customers won’t notice any changes in service, but that doesn’t mean you can state an event as contained. Ensure your incident response team has the support they need to do their jobs. That may be bringing in a third-party responder with more experience, assigning an incident commander to deal with politics, or establishing a war room as a central location for all operations teams so they’re not hunting for answers. The best thing any team can do is to continuously practice the plan. It is the only way to become competent at responding.
Question 4 💭
Privacy and cybersecurity are getting more intertwined, especially with all the new regulations popping up. How do you see these fields coming together, and what should companies be doing to stay compliant while keeping their security tight?
Answer 4 🎯
The saying goes there is no privacy without security, yet there can be security without privacy. There have been connections between these worlds since they evolved as formal disciplines in industry. Privacy controls support security outcomes on almost every level. Security is supported by privacy, which can bring rules and expectations of behavior to the table. Over the last decade we’ve seen the connections with things like HIPAA, GLBA, GDPR and state privacy laws. With many of these requirements for companies, security leaders are taking the bulk of responsibility. It is not uncommon for a CISO to also be the Privacy Officer. The connecting glue is the controls. Companies have to do a good job of understanding the necessary controls for their organization to meet the privacy rules and drive higher compliance with cybersecurity rules. At the center of most of these requirements is data. So CISOs should be putting a significant amount of their investment into data protection and protecting the things that have access to that data. It is one of the hidden blind spots that I think Astrix does a great job of highlighting with its platform. Few security shops understand the machine-to-machine identities that are connecting to data. NHI issues related to data include service/process accounts, over-permissive API keys, and malicious OAuth apps. These have the potential to violate many privacy law expectations if not managed appropriately, so it’s an important aspect of a cyber program these days. We’ve seen the security issues with the recent attacks on the NY Times, Snowflake, Okta, and Microsoft.
Question 5 💭
Cybersecurity-as-a-Service (CSaaS) is becoming a go-to solution for many startups. How does this model benefit smaller, agile companies, and what aspects of CSaaS do you find most game-changing?
Answer 5 🎯
Look, XaaS is what fuels many startup companies. It is one of the killer features of cloud platforms: bringing disparate services together to serve a company in ways it could never accomplish otherwise. CSaaS is particularly helpful for companies that can’t hire the expertise needed to secure their services. Being able to push XDR, IPS, and next-gen FW to a platform without having to own the infrastructure is game-changing for startups that would be slowed to a halt attempting to deploy these capabilities on their own. Speed is the name of the game, and being able to subscribe to what you need allows startups to deliver higher value to their customers, and in some cases at a lower cost. Of course, all of this has to be evaluated as things scale, and the ROI can change rapidly at some transaction levels. Yet for a company getting started it is the only way to go if you don’t want to be in a hole from the very start.
Read the Full Q&A on Gomboc.ai
What’s New at Gomboc
Gomboc’s Honored in Notable Capital’s Rising in Cyber List 🚀
We’re excited to announce that we’ve been named one of the 30 most promising cybersecurity companies in Notable Capital's Rising in Cyber 2024! Being selected from nearly 200 nominees by over 100 CISOs and security leaders is a tremendous honor, and we are deeply grateful for this recognition.
Proud to be listed with many amazing cybersecurity companies!
For more details, visit Rising in Cyber 2024.
Top Articles and Resources of the Week
Resources
Federal Cyber Defense Skilling Academy: CISA’s Cyber Defense Skilling Academy provides federal employees an opportunity to focus on professional growth through an intense, full-time, three-month accelerated training program.
The Workforce Framework for Cybersecurity (NICE Framework): Learn more about the NICE Framework Categories, Work Roles, Competencies, and Task, Knowledge, and Skill (TKS) statements as well as the relationships between those elements in this downloadable PDF.
Workforce Management Guidebook - Cybersecurity is Everyone's Job: A publication that talks about cybersecurity from every business function and aspect of an organization’s operation. It is written for a general audience who may not be knowledgeable about cybersecurity and can be read as a complete guide or by each business function as standalone guides.
7 Popular Cloud Security Certifications for 2024: This article provides a comprehensive overview of the top cloud security certifications for 2024, essential for professionals seeking to enhance their skills and career prospects in the rapidly evolving cloud security landscape.
Cybrary.it: A platform for cybersecurity professionals at all levels, featuring free courses, certification training, and hands-on virtual labs designed to prepare users for the latest threats and vulnerabilities, making it a valuable resource for anyone looking to start or advance their cybersecurity career.