Join Evan Johnson as he speaks with security professionals about recent security news!
All right, well, this is Hacker Time. Welcome. I'm Evan Johnson from Cloudflare's security team, and with me is Rebecca Rogers, also from Cloudflare's security team.
And she needs no introduction, but she is a security compliance manager here at Cloudflare.
She's immune to Zoom backgrounds. They somehow have no effect on her, and I think she's going to be the 47th president of the United States.
Welcome, Rebecca. Thank you. Thank you. That was quite the introduction.
I love it. I'm glad you do. So I'd love to hear about your role at Cloudflare and how you help out on the GRC team.
Sure, yeah. I'll start with maybe just like a little bit of background about me.
But yeah, as Evan said, I'm a fellow security team member.
I've been at Cloudflare for about two years now, which has been awesome.
It's been an awesome two years. Before that, I was doing IT audit work at various different SaaS companies.
So that kind of gave me a good, you know, foundation of how GRC works at other SaaS companies.
So that was cool. But yeah, back to Cloudflare specifically and my job here at Cloudflare is I manage our security and privacy compliance team.
So our whole goal is really just to maintain our security and privacy certification A lot of what I do on the day-to-day, though, is working really cross -functionally with different teams at Cloudflare to implement new security controls or maintain our current security commitments or even look for areas of improvement or areas where we want to ensure our security controls and privacy, of course.
Nice. Yeah. Just to interject, I'm gonna apologize to our viewers.
If my Internet goes out, it's been a little choppy.
And if I freeze up, Rebecca will yell at me. And the best part about working with Rebecca over the last two years is the GRC and compliance.
A lot of security people think of as really lame and not fun.
And the team we have here at Cloudflare, it's not lame.
And we hear from really technical people all the time and engineering managers that they actually like compliance and they like when they're in a meeting and see Rebecca and her team on the other side of the table.
How do you do that? That is a superpower. How does that happen? Thank you.
I appreciate the sentiment for sure. I think it's because we have a boisterous team, Evan.
But no, I will say I think making compliance cool is definitely in the eye of the beholder.
But I do personally think it's really cool. And let's see, trying to think how we make it cool and how we work with our stakeholders.
I think just one, like everyone on the security and privacy compliance team, we love learning a broad array of things.
So we love working cross -functionally and learning the different processes within each team here.
And so I think we'll work with engineering, we'll work with legal, IT, HR, you name it.
And so we get to see what they do and how their processes are unique to their own team.
And I personally love processes and I love learning more about them.
And I think what's made our team successful and not just for GRC, but actually probably for the whole security team, we're an enabler and not a blocker.
So what we come in and do on the compliance side is we'll look at their processes and we'll try to work with them and work how they do.
And so I guess a good example is like engineering.
They work in JIRA, they work in sprints.
Usually they're in two weeks time looking at what they do. And so we'll put in our compliance requirements into their sprints, into their JIRA backlog.
And so it seems like something that they are just doing as part of their job instead of this above and beyond cumbersome process.
So I think it's like little things like that, which goes a long way with our stakeholders.
And so they see that we're willing to work with them and I think that's what makes it cool.
They don't even know they're doing compliance when you trick them like that.
It's like when you're trying to feed a child vegetables and you like mix it in something else and they don't even realize it.
That's awesome. So you are dropped into a foreign environment of a different company, a different business to business SaaS company that's trying to get their compliance program rolling.
And it's just you and things are looking a little more tribal and a little less civilized than they are at Cloudflare since we're an enterprise now.
What are the first things that you do to get the compliance ball rolling?
I guess I'll just speak to what I did when I first started here at Cloudflare.
I think the first thing is I tried to build relationships with all of the different key people and figure out who's going to be that compliance champion person and just build a relationship with them.
So then again, we're not going and nagging them and saying you're not doing this but you need to do this.
It's more so here's what we're trying to do.
How could you do this given your processes and your role?
So I would say no matter your security and GRC maturity, I think it's all about building the right relationships so that you can then go and build things off of that.
Nice. Yeah, I like that. At the end of the day, security is so people. It's a people problem and not really...
I mean, it's technical and it's all these other things too.
But at the end of the day, security doesn't really hold the keys to all the things that they're responsible for securing.
And so trying to build relationships with the people who do own those things is key.
Yeah, and it's amazing.
Once you have those relationships, it's amazing what you learn about security or lack thereof.
And so it's really great to build those relationships even just to get your backlog of work on the security side.
Yeah, they're critical.
Here at Cloudflare, having relationships with people so that they understand why you're asking them to do things is super critical.
I wouldn't be able to do my job if I didn't have a similar approach. Right.
Yeah. Well, the news of the week has really been... Well, before I move to the news of the week, we're going to talk more about compliance soon.
But anything else to add about your personal beliefs about compliance and GRC and what else?
I have a lot of different hot takes maybe on why GRC is so important, if you'd love to hear them.
Yeah, I'm all for hot takes. Okay, well, I'll start with a non-hot take.
But I think the foremost reason why GRC is so important is building customer trust.
And that's a large reason why we're here. So customers, of course, want to know that their product is safe and secure and available.
And a lot of the work that we do on the security team, a lot of work you're doing with the product security team is really making sure that our product is secure.
But what GRC is really great about doing is proving that to our customers through industry standards.
So going through the certification and audit process, it gives our customers assurance that we're adhering to a certain security standard in a language that they know, because they know these industry accepted standards across the board with all enterprise customers.
So I think that's why it's really important. And then I think something that we've done a great job here at Cloudflare and why I think a successful GRC team is so important, too, is a lot of the times it can be like a foundation or universal language for the larger security team.
I know you've worked a lot with our security risk team within GRC, and they'll go and conduct risk assessments across the board.
And then a lot of the work that they do there is then used to drive our security engineering roadmaps.
So I think it's an awesome function to be in because we can lay a lot of the foundation for the security team.
Yeah, those are, I would say those are really a, what is it mild, medium, not takes those are, those are super, I agree with all that.
The it's, it's a, if you if you don't think compliance is cool, then it's a bit more of a hot take.
You gotta be bought into it first. That's true. It is about your customers at the end of the day.
So I, I love that because sometimes when you're kind of doing something and you don't really, as somebody who is not very well versed in everything about compliance and what it takes to get PCI and SOC 2 and ISO 27001 and all these different certifications, you can sometimes get lost in these like requirements and documents and whatnot.
And, and having the moral compass that this is for our customers so that they know that we're doing the right thing and we can prove it is the thing that I should remember when we're going through these.
Yeah, yeah, for sure. And I do also like that the, on the risk side, it's a, because every company has these risk, has conversations about risk and the bigger you are, the more you talk about risk.
And the more, the more power that risk team really has to drive changes in the company, but the pointing out problems and then showing them to a really broad set of people and saying, we have to fix this because it's the biggest meteor that could take out our company is, I mean, that's powerful.
Stick to wield. Awesome.
Well, the big news of last week was Twitter got hacked and it was very public.
And you might, if, if people who are watching this have not heard about this I would say you should probably start reading the news because it's been everywhere.
It was super public. Jeff Bezos' Twitter was hacked. Joe Biden's was hacked.
All of these really, really prominent people were hacked. And this, the Twitter has been releasing more details over the past two weeks saying that it was access to an internal dashboard and they've released more information about kind of what else the hackers got access to.
I think, I'm not sure the exact number, something like 30 something direct messages between people were read of these prominent people that were hacked.
And it has been really fascinating to read all of that.
And the big question that people had up until this week was, were DMs accessed?
And I think, I thought that was a pretty interesting thing to be focused on because I thought DMs on Twitter were just for sending memes back and forth.
And then like you send a meme or a funny tweet to somebody and then they say, ha ha.
And then they send you a meme and then, or no, you send, yeah, yeah.
That's like the bulk of, that's all of my Twitter DMs. And then it's me asking, then most recently, it's me like messaging people and asking them if they want to be on HackerTime.
And I thought that this was really interesting around the conversation of end-to-end encryption and in Twitter DMs and Twitter should be adding this.
Like Facebook Messenger has support for this. WhatsApp has support for this.
And why doesn't Twitter have support for this? Rebecca, what do you think about all of this Twitter fiasco and what would you like to add?
Yeah, I was talking with my team about this.
And I think the thing that we were talking around end-to-end encryption, and of course, we're going back to our GRC-minded ways, is really, we think there should be a push for end-to -end encryption with messaging as a standard.
That should be our foundation for messaging apps. So I'm definitely for the end-to-end encryption.
I'm curious what your take is on if there should be any difference between verified accounts versus everyone else on Twitter, if you have any thoughts on that.
I'm down with just banning all verified accounts, because that was the best couple hours of Twitter with not reading what all the verified people are saying.
Yeah, I think it's interesting. They should definitely be rolling out end-to-end encryption.
And I think that's the new standard, I agree, that everybody should be following.
I think it's hard as an engineer, though, if I was on the DM's engineering team, and somebody's like, you're building end-to -end encryption, I'd be like, how?
I'm not sure that every industry has that expertise at every company.
I'm sure Twitter does. They could make it happen. But every company selling some kind of messenger or messaging product with direct messaging, I think would be hard to do end -to-end encryption.
Mostly because of the expertise, but I do think that it should be more rolled out and more prominent.
But also, like I was saying that Twitter is mostly like people saying, saying haha, and sending memes back and forth in the DM's.
I'm sure there's really sensitive things that people will use Twitter DM's for.
But I would hope that a lot of people conducting sensitive business are using at this point, not using WhatsApp, not using Facebook Messenger, using like a real secure messenger, something like Signal.
So I guess, I think everything should have an end-to-end encryption, but people should probably, more prevalence of real secure messengers and a real expectation that you have a secure messenger, I think is a better future than people relying more on Twitter DM's.
Yeah. Yeah, that's a good point. I think there needs to be more awareness for consumers on on what end-to-end encryption in messaging really means and like, what are your options?
I don't think that's something that like outside of the tech world is like something people are thinking about who are using Twitter.
Yeah, let's see a Gartner Magic Quadrant for messaging apps.
And let's get a Forrester Wave going for messengers.
That would have been cool to have that pop up here.
Yeah. Oh, yeah. Okay, next week, I'll introduce my, the Magic Wave, the Magic Wave, because I have to avoid running foul of trademarks.
And I'll make my Magic Wave of secure messengers.
Yes, cool. Yeah, I would, I do think that just, also, I guess this also touches on something that we plan to talk about, about consumer versus business.
Like, consumers don't really know a lot of this. They don't really consider security when they're sending DM's back and forth.
And businesses do, do mostly largely because of their GRC teams.
And people are kind of missing, there is no Magic Quadrant for consumers and security around security products.
And so there's like, there is an education gap. That's interesting.
The, anything to add about Twitter? I was gonna segue. Yeah, I mean, I think the last thing that I was thinking about, and it's very foundational, but I think it is something that's important to call out is, I think this could be a good case where, like, security training within, within a company needs to be tailored.
Because there's going to be teams that are way more susceptible to social engineering attacks.
And so I think this is a good call out of like, we should be tailoring security awareness and like real time, or not real time, but like tabletop exercises for teams on security, things that will affect them, or, you know, make sense for, for what their job function is.
So I think it's just a good call out that, you know, a lot of customer facing teams probably need some training and exercises around social engineering, phishing, things like that.
Yeah, all, all customer facing teams should be experts in this. They should, they should know forward and backwards how to spot a, how to spot a phishing email.
Because they are getting PDFs and docs sent to them all day.
And it is their job to be the front line of like, the mailbox almost of the company.
Yeah, yeah. So yeah, security training would be amazing.
And hindsight's 2020 in their case. But the other big news of the week was something kind of similar to what's happening over at Twitter.
And there's, there is some speculation right now that Garmin, the, the company is experiencing a ransomware attack.
And it hasn't been confirmed by Garmin.
But the, and they're down for about two days now. And it's really concerning.
HugOps over to Garmin. I tried to log a run yesterday on my Garmin watch and wasn't able to.
And so I was disappointed. Dang. They are. So the, the speculation is that they're undergoing a ransomware attack and trying to recover.
But the big trend that I noticed that we've already touched on is that both Twitter and Garmin in the last two weeks are B2C, business to consumer companies and not business to business.
And so I'm going to guess that they don't have Rebecca overworking at, at, at these companies.
And what do you, what do you think about business to business versus business consumer and like how, like there's probably not a GRC team at these companies.
Should they have one? Yeah. I mean, short answer.
Yes, definitely. I think, but I think it's an interesting question and I don't claim to know B2C, GRC teams and how they operate.
I would imagine, I would imagine they're, they're there and they're just looking at a way scope from a B2B company in terms of like the internal environment and what they're testing controls on.
But I think like, even what's really important from, from a GRC perspective for B2B companies is again, just going back to like that, that foundation.
I think it's, it's just as important for a B2C company to have that industry standard of security.
And, and I think even just having like one, one or two security certifications under your belt for, for a B2C company can really give structure to their security team and really even also like build confidence for their security team that they're not just fighting fires when, you know, things like this happen, but they're, they're moving towards a goal of what they want their security posture to look like.
So I think it's definitely, you know, just as important for a B2C company, it's just how that, I guess, ends up looking like is quite different.
Yeah. The forcing function for compliance a lot of times at B2B companies is they want to close bigger deals and the GRC team at the company they're selling to and the risk team wants to see certain compliance certifications that their vendors have.
And that's usually a forcing function for growing SaaS companies to really get good at compliance.
And then B2C doesn't have that same kind of business need.
And so I, I think that the counterexample to, to what happened this past two weeks, potentially at Garmin and with Twitter is, is a company like Facebook or Google, where they're huge, lots of resources, and they're able to focus on the security that matters, but they also don't have this rigor around the controls that they're implementing.
And they don't have this, this part of the org kind of driving them towards a goal.
So it's definitely complicated, but I, I think I like that hot take that these companies should have GRC teams and they should be going for compliance standards.
Yeah. Even if their customers aren't asking for it.
Right. And yeah, kind of going off of, of that, of what, what customers are asking for, you know, obviously a bit different between an enterprise business and a, you know, one person consumer.
But I think pivoting a bit to the other side of things that, that my team looks at is privacy compliance.
And so my, you know, I manage the privacy assessments that we do here at Cloud Player.
And I think something that B2C companies can really look at is, you know, what, from a security and privacy perspective, do their consumers really care about?
Because it will, you know, it's, it's not going to be as robust as B2B, but there are some things that people really do care about.
And I think privacy is more and more becoming one of those things.
So something we've done here is we did a first of its kind privacy assessment on our 22.214.171.124 public resolver.
And so that was really cool because we got to essentially look at like our, our privacy commitments for that product and look at it from like an objective and auditable way and really show our consumers that, you know, we've assessed this product and we're meaning that we're adhering to the commitments that we made.
And so I think like, I challenge B2C companies to look at their products and look at, see if they can do assessments like that to really show their consumers that, you know, they're adhering to security standards or privacy standards that their consumers really care about.
Yeah, I like that a lot. The, the big one that I think a lot of companies don't do is they don't even come up with their privacy commitments.
They don't even make privacy commitments.
Right. Yeah, that's true. It starts at the beginning of the SDLC for sure.
Yeah. They say, well, we've got this GDPR thing. Let's slap a cookie consent box on our, on our website and, and say that we are adhering to private, good privacy standards.
Do you have any, do you have any concrete examples of like what people should be doing?
What good privacy commitments, starter commitments would be?
I mean, starter commitments and something that I think is so awesome about 126.96.36.199, our public resolver is just, we're not selling the data, any of the data, end of story.
And so going through that assessment and like being able to prove that we don't have data even to sell for advertising purposes or anything was awesome.
And it's really empowering to show, you know, we're not, we're not here to profit off of your data.
That's, you know, a huge, a huge thing.
And so it was really cool to prove that. Yeah. And the other thing I think is that came out of Twitter was the access to the data internally and who had access internally.
I think that, I don't know how to formulate like a commitment around that, but that's probably the other big important thing for people to be committing to.
Yeah. Yeah. That's a good point. Yeah. I guess like in one case, like if, if, if you have no sensitive data to get access, then if people gain access, then it's not as big of a deal.
But you know, if you do have that sensitive data, which is going to be a lot of companies, then making sure your access controls are, are, are really immature.
Yeah. In the case of Twitter, they apparently, I guess not the, the, I think the way that Twitter hacked work was they were changing email addresses using this dashboard and then recovering, recovering access to the account that way.
And not accessing direct messages through this like internal dashboard.
And so I think that's, that's a little better. I was for a moment in my mind, I was thinking that there was just like a dashboard to look at all the deep, the direct messages and stuff.
And that's another thing is just not building features is a great way to maintain privacy.
Just not having the DM snooping feature is a great way to not have employees snooping on DMS.
Right. Yeah. Yeah.
I, I think all this stuff is pretty interesting.
There's definitely a lot for, well, one it's, you said that our 1.1 audit was the first of its kind and more privacy kind of initiatives and, and standards I think should be developed in the industry because today we're lacking, we've got 10 different security compliance standards and like none for, none for privacy.
Right. And then two, it sounds like consumers, some form of like consumer education on the security side around what products there's no like consumer reports.
I don't know if consumer reports is doing security audits yet.
I think they might've, I think I might've read something about like security for consumer reports.
I'm not sure though that if you're at consumer reports and watching this, you should start, if you're not already doing it, security.
Right. Ask Rebecca and I, and we'd be happy to consult for the very first one.
And the, the third takeaway was that even though the even though B2C companies don't have a business need to get compliance, a lot of, to, to actually get certified in a lot of these compliance standards it's still actually a pretty good idea and helps them run the security team, gives them some structure and helps them, helps them drive towards a single, single goal and still shows good practices to consumers.
Rebecca, anything else to add where we've got about a minute left?
No, not really. I think, I think we had some really interesting observations and good takeaways.
So yeah, I want to thank you for, for inviting me to Hacker Time.