Originally aired on August 5, 2020 @ 2:00 PM - 2:30 PM EDT
Join us for a fireside chat to discuss one BISO's journey from economic advisor to security officer and learn how his organizations teams with Cloudflare
Hi everyone, thanks for joining. My name is Rachele Gyorffy and I work as a Channel Account Manager here at Cloudflare. I've been at Cloudflare for about the last five and a half years or so and I've really had the pleasure of watching Cloudflare grow from, you know, about 130 people to now north of a thousand people with offices all over the globe. I'm joined today by Heath Nieddu, who is a Business Information Security Officer at Evotech, which is one of Cloudflare's partners. And today we'll chat a bit about, you know, his career progression, how he started really as in finance, right, then moved to an Economic Analyst and Advisor, part of the CIA, and then eventually landing in the information security space working for Evotech. From there we'll talk a little bit more about Evotech, what they do, how they work with customers, and then finally we'll wrap up with, you know, some of the industry trends that Heath and the Evotech team are observing, you know, as they work day in and day out with customers. Towards the end of the session, so for about the last five minutes, we'll be leaving time for questions. So if you guys have any questions, please email livestudio at Cloudflare.tv and we'll make sure that we get those answered. And so with that, Heath, thanks again for joining. Excited for you to be here and, you know, so we'd love to hear a bit more about you, you know, who you are and how you ended up at Evotech and sort of your path, right, your windy path there along the way. Yeah, well thanks for the question. Thank you very much for having me. You know, short story, I live in San Diego with my wife and child. We've been here three years after spending some time in Portland and we both grew up in Florida. So that's who I am generally. And I really do, you know, kind of appreciate the question and chance to talk about a little bit how I got to this particular role at Evotech because I think it was atypical and I think lots of people in information security actually come from places other than we expect and it helps really with understanding and solving a lot of the information security problems that are out there. But in my particular case, I did start out thinking I'd work in finance. I got a degree in finance, started working at Merrill Lynch doing credit analysis in like 2000 and it really, it wasn't really what I wanted. I really wanted to do kind of like equity valuation and things like that. So I pretty abruptly left Merrill Lynch. I spent a few months doing it and joined the Navy. At that point I was just kind of over it and I very much expected to work in networking and that's what I was kind of shooting for is that job field. But they gave me a test and they said you'd be great at learning languages and so instead I spent six years in the Navy as an Arabic linguist and there were aspects of the job that touched on information security but you know more than anything else it was learning about the Middle East and spending some years living overseas in Spain and being deployed all over the world. So that was a really interesting part of my career. Met a lot of great people. Got out and kind of took the finance aspect of my career and the Middle East target knowledge and went to work for the CIA. I spent an amazing couple years with a high profile account as an overt intelligence analyst, all-source intelligence analyst whose primary job is to be the point person in the intelligence community and write the presidential daily brief when it was called for. So that involved again lots of international travel but most excitingly you know getting asked a question by the president and having you know a week or two or maybe even five days going through a couple hundred different folks for peer review and you know really synthesizing technical and qualitative information even when the data was fuzzy into a one or two page memo to help inform decision making and you'd stay up all night writing that thing. Go through about a dozen different people to get the okay. Finally around five in the morning you go to sleep. You come back to work at noon and you know the president of the United States would be giving you feedback on what you had just written. So it was really heady experience. Learned a lot about imperfect information. Learned a lot about kind of demystifying what the technical PhD economist is saying and what those practical implications are for policy which I think really helped me in this field in particular but spent a couple years doing that and it just we couldn't imagine raising kids in Washington D.C. basically. Things are super expensive. It was a great job. A little bit too far from the beach and we were having a discussion about maybe moving on despite this great work and right in the middle of it I got a phone call from a buddy of mine who works in information security and only talked about a couple times a year but he said I've been thinking about you today. I think you would love it out here in Portland, Oregon and you should come out here and give it a try and we just we just did it. We went out, visited and three weeks later we had you know given our notice and packed our things and moved out to Portland. Wow. He's the one that a couple months later helped get me my first job in on an information security team. Very cool and so sort of moving from the CIA then into information security what was your first job sort of in the security space? Yeah that I was so green those first few weeks. I really didn't even understand my title there. It was business process engineer and I was doing some of that work on the information security team like helping to refine incident response processes you know triage and security events things of that nature and kind of just helping people work through those issues but the main part of the job the guy the CISO at the time was a former consultant for EDS understood my government background and the main this is for a 30 billion dollar a year one of the nation's largest health care providers. They had just gone through they just went through a significant incident. They were under scrutiny from regulators and their board and he basically wanted me to help all the years he was working with craft messages to them to let down where we were and help them make decisions about where we need to be. So it was it was a similar job it was writing forward leaning sort of I looked for you just to the board in terms of how to invest where should we focus and things of that nature. So for a couple years along the way I actually taught a course called analytic foundations like 60 engineers went through it and I was kind of the point guy if a new threat would come out hey what does this mean and then Stuxnet hit and that was really the turning point like that attack I really needed to dive into it started to realize the geopolitical issues at stake and the way the technology worked just kind of created my imagination and after I was done kind of analyzing that producing that deliverable I started my CISSP. I was I was like this is a fascinating career I'm feeling useful and so I dug in after and and then after that just kind of led to a number of positions. I spent five years there a couple years at another consulting firm looking at identity and access management an insider threat metrics lead which all that economics knowledge was really helpful as a metrics lead for one of the nation's largest shoe retailers and worked in county government and and through a friend and former colleague was able to be a part of the first two or three people at the security service here at EvoTech. Very cool and for those that maybe not aren't as familiar with EvoTech or in or in in the security solutions provider space can you maybe elaborate more on EvoTech what you guys do what you specialize in and I guess how you work with customers. Yeah sure so we are a strategic sourcing partner we we really try to make sure you know EvoTech wins a lot of awards in its category for quite frankly its revenue growth you know over the last five years and for being a great place to work so on the back end one of the things we're doing is making sure that we have the best people in the best position and we really help our our clients you know businesses out there make sure that they have the right technology portfolios and service portfolios to solve their IT problems I mean that's that's it in a nutshell and I think it's the the trick of it is it's just it's not only having the right people but having a sense of teamwork so that everyone's pulling in the same direction and that extends to our partners like Cloudflare as well you know we we have ways of like you know should we work with this partner or not a lot of the time it comes down to can we pull in the same direction with this partner for the betterment of our clients to get our goals accomplished basically so the security service does everything from virtual CISO to security program assessments I actually have a lot of fascinating things that I'm working on right now from OS hardening to really great to see some practical level threat modeling we're digging into helping with metrics programs you know making sure folks are aligned to certain control frameworks I mean it spans every issue you think of and it definitely keeps me entertained and busy and when you're working with customers what are some of the trends or what are the some of the concerns that your customers are coming to you with right and you know how do you and the EvoTech team essentially work with them to resolve some of these concerns or that they are expressing you know what we've seen so I guess I would I would put those in two main buckets like medium size organizations and large size organizations where the the medium size organizations and I mean that in terms of revenue because it can be anything from hey we've got 30 people to you know 150 people in that in that regards it's growth you know we are a successful organization we were built on certain principles now we're kind of growing up getting more attention by regulators or or the threats like what's version 2.0 of information security for us beyond compliance that that's a trend that I think brings a lot of people to the table and then for the larger firms it's complexity it's all about how do we rationalize the tools how do we demystify a certain topic how do we apply security into something like a CIC pipeline or how do we secure a certain application so that could be tools rationalization or it could be help us kind of get clarity around a single issue is is usually the shape of engagements that I'm saying gotcha and you know from an industry perspective or you know working with security minded customers what are some of the trends that you're seeing in the industry yeah I am I have been pleasantly surprised with a couple a couple things first is the number of clients exploring platform engineering or a CICD pipeline you know when I first started it was the cloud and that was going to be new and amazing and there was this debate about whether or not people would do it and at what pace and now it's not and and as that developed like like many things it's not like everyone went whole hog into the cloud it turned into a hybrid situation you know you know some folks tried to lift and shift maybe certain pieces not all those pieces went over some of them remained in their on -prem data center so we've it's it's kind of developed into a hybrid hybrid thing since then but it was embraced and right now I see more and more of those either application projects or let's say they're gonna there's gonna be a migration from on -prem to the cloud but instead of lift and shift it's more of okay how do we actually adopt a CICD pipeline and that may be old news for some folks with you know big budgets and on the bleeding edge but to see it from medium-sized up-and-coming biotechnology firms and things like that it's it's really neat and really encouraging so that that's one thing another thing is consolidation this is also what I would consider kind of a second wave of consolidation in the tools since since I've been doing this over the last 12 years that first wave it was like the big companies would buy too many different point solutions try to put them all together at once and you know I'm not going to name names but the experience was not cohesive and effective basically and right now it just seems more deliberate more strategic partnerships one at a time making sure they work and then even you know I've been pleasantly surprised by the work that Microsoft has done I mean there's a lot of solutions that they're wrapping together that makes for folks who are already on Microsoft 365. I mean that being said there's always work to augment it we we had a client a couple a month ago and they had an issue with an employee leaving deleting a lot of emails they needed to retrieve them and they could only go back a month because they were relying on some of those default Microsoft archiving procedures so we did have to bring in a point solution that gave them you know more instantaneous and reliable complete archives that they could they could retrieve so it's not a panacea but it feels better this time the consolidation that we're seeing and ultimately reduces complexity and is going to work for our clients so definitely and so talk to me a is driving that do you think it's the buyer right it's a more savvy buyer do you think it's the technology companies I guess what's driving that consolidation I mean I think it is at the end of the day it is there's an economics piece there is a you know economies of scale piece that that drives that but the willingness for clients to and because there's there's pros and cons of course for our clients in that in that arena you know with okay if I if I go all in with a fully integrated solution that I'm somewhat locked in for how long and and what have you so the fact that it's it's not a sweeping platform that is trying to cover every arm of security these are more of like just certain pieces of the security like networking and soar or or cid cicd and soar sim and soar things like that I think the arrangements just make more sense from a client perspective and and the the benefit for clients is the reduction of complexity and when you have you know we did a tools rationalization for a financial firm with over a hundred different security solutions and there are no easy answers I mean we you know we could spend a couple months talking about hard decisions with that but I think that there is just from the client side a real drive to reduce complexity basically and then and then for the providers it's they're smart partnerships instead of let's get together just for economies of scale. Sure yeah that makes a lot of sense so going back to you know cloud transformation or digital transformation you know and sort of the lift and shift from on-prem to the cloud you know how do you think that that will continue to change or you know will that continue to be a priority in the next five to ten years or you know based on the conversations that you guys are having with customers right how is that going to change? Yeah and you know I'll try not to prognosticate too much and and try to keep this based on my experience and what I'm seeing because I think that's you know we're we get to see a certain slice of of clients that I think is is pretty diagnostic but I do think that platform engineering and CIC pipeline is not just for cutting-edge application security companies anymore. I think that there will be you know service by service you know that that move will continue and and but that doesn't mean the old stuff's going away. I think there's still be hybrid arrangements you know I kind of learned a long time ago and this is something I took away from my CIA experience is that when you do retrospectives by the way the CIA is really good at looking at how well it does at telling the future. You can go on their open source website and there are all these magazine articles of retrospectives that we said it was going to turn out this way how did it actually turn out they'll assess their judgment -making ability and you know one of the things I came away with is that the future is usually a combination of a lot of different people's realities and and old technologies and old things they never really go away they may not be defining the issue but they're still there to be managed. We you know people are out there still using Morse code basically and so I just I think there's going to be more and more projects for mainstream companies to engage in more of a platform engineering concept and that it's going to create probably because it will still remain hybrid you'll have these okay how do these two systems talk to each other how do we get compliance and security in a risk posture when we have these these architectures that are from different families basically. Sure definitely and sort of related to that right how do you think buyers or buying patterns have changed as we've moved from you know on -prem to more of a cloud-based model? Yeah I mean the the easy answer is subscription I guess. The buying pattern is it's a different ROI equation now that not that I've ever seen you know like a nitty-gritty ROI equation I mean we do proxies of that I think a lot of times in this business but the when you're doing subscription you know sometimes you really have to show what those offsetting costs are going to be in speed because just because you're doing something like infrastructure to service whether it's lift and shift or CICD you know for some services there can be a little bit of a premium for the reduction in complexity so the the ROI really needs to demonstrate how that's reducing costs in other areas I think and it's that's a tricky thing from an economic perspective from an engineering perspective you know and hopefully those are one of the same you know there's there's lags but it's just it's going to make more sense it's just the the right thing to do I think so yeah. So we talked a little bit about cloud transformation you talked about consolidation right and this really being the second wave of consolidation I guess you know if you had a crystal ball and you were to project sort of what the next trend right in the security industry will be in say the next five to ten years what would that be? Well I have a wish list and I think it's it's pretty likely so I'd like to see two things I'd like to see I would like to see more automation and as a side note I think that well so I learned a lot about technology in general and about some of the more advanced security concepts by picking up Python in the first place and that kind of opened up a world for me with studying you know vulnerability management data and getting into the metrics and you know now I can pick up a book on Python forensics I understand things and there are many SOAR tools being developed out there that rely on these sorts of scripts and Python being among some of the some of the scripting languages you can use so I really think that there if we have the right attitude there there are a lot of things that mainstream not cutting-edge companies can do for automation of responses and it's that classic you know automate the commodity activity so you can focus on the really hard stuff which will always remain there will always be things you can't automate but there are more and more things that you can and more and more responses that you can so I see that and I also see the threat-based prioritization approaches becoming even more important you know we've spent a few years I think trying to fingerprint assets and get a better idea about the value of assets and having that remediate like prioritize a remediation for vulnerabilities and how we make investments but I think that we can augment that now with threat threat modeling and and threat assessments and it can be a little we do see clients I do have some clients that are setting up complete threat teams and they can go all out you know let's just rationalize the spectrum of skills needed to do threat intelligence I mean it's a it's a agency level activity you know at the far end you have people building aliases and they they can you know get to those places on the dark web and other places where they can get the true cutting-edge intelligence and that's fine for some folks if you've got the skills I'm talking more about practical threat assessments using just open sources taking two or three weeks to depict what your threat landscape is using the MITRE ATT&CK framework and looking you know MITRE ATT&CK Navigator is a great resource using it at the techniques there and saying all right you know here after three weeks of research here are our most likely threats who can make the biggest impact according to the MITRE ATT&CK Navigator here the techniques you know what is our portfolio of security solutions where are our gaps so you can use that threat piece to drive investment and to drive vulnerability remediation so yeah those are the two things that my wish list basically and I could see actually happening. That's great how do you think like machine learning or AI will play into threat modeling? Yeah there's a lot, there'll be dragons there I mean there's so I view it as my role you know for many years is when I'm providing intelligence to a decision maker it's my role to demystify it and to make sure that there's not mathematical precision being implied that's not really there or technology that's being implied that's not really there. I mean I've used you know natural language processing you know packages in Python you know like just on my own that's that's fine so I you know I think it could I think for certain problems I think anytime you're engaging in an investment like that you have to take it seriously and you have to really research it and I'll be the first to admit that I'm just going to assume my own ignorance anytime I approach a solution and they tell me that machine learning or AI is being used I'm going to assume I don't know anything and dive all the way in to understand it and I'm going to be skeptical basically. There are just some intractable problems that I'm not convinced that AI can serve can solve certain problems and certain issues in certain contexts but we can't over promise with it basically. Definitely, definitely so I think we're going to switch gears so thank you that was super insightful and really enjoyed chatting with you. I think we're going to switch gears and answer a couple questions. First question is how has the security environment changed with Evotech and your customers since COVID-19? So we did get that initial wave of everyone's got to work remotely now so and we're still kind of we're still kind of going through those sorts of you know network security VPN and for Evotech we can kind of approach that from a number of angles you know and so it's various teams not just the security team helping with those issues and then there's the non -security related issues of just the capacity needed for everyone to be working remotely. So I gotta tell you it's I feel like over the close to three years I've been here since the beginning of the security program and that's kind of an eon and Evotech years you know five-year-old old company we've never been busier. I mean we are busy right now whether it is increasing capacity or increasing security and maybe a little bit more emphasis on network and VPN but my portfolio right now is pretty broad in terms of the types of security issues that that we're tackling. Gotcha. Are you seeing customers you know so with Cloudflare right we're certainly seeing just like the overall a number of attacks go up you know for a variety of reasons. Is that similar with Evotech or customers you know reaching out about you know I need to improve my security posture because I see you know more attack traffic on my network? Yeah and it's really hard to say because we always prioritize phishing because it's kind of like this I don't want to call it low level but so with those maybe COVID style attacks there's a whole new avenue for phishing. It's always a priority for us. It's for a lot of our clients it's one of the things that you know email security is one of the things that we hammer home. In terms of just trying to take advantage of new network configurations and maybe openings so you know I'm starting to read and hear about attackers looking for weaknesses and multi-factor authentication architectures. You know I know of one client who just happened to start getting hammered with scans all over everything from all over the world. Awesome. Thank you so much Heath. Hope everyone watching enjoyed our session and thanks a lot. It was a pleasure. Thank you Rachel. Thanks everyone. Thanks.