
CISO to CISO Webcast with Will Pizzano, founder of Sentant, former CISO at Hustle

Webcast and Podcast | Altitude Networks, June 4th, 2021

On this episode of CISO to CISO we would like to welcome Will Pizzano, founder of Sentant, a modern and security-focused IT consulting firm operating in the Bay Area and NYC, former CISO at Hustle, and former Director of IT at Thrasys Inc. As the founder of Sentant, Will currently acts as virtual Chief Information Security Officer (vCISO) at several technology firms. The Sentant team supports its clients with everything from cloud and application security to day-to-day IT. Will is a lifelong technologist specializing in Information Security and Compliance, and is a Certified Information Security Manager® (CISM).


CISO to CISO-05:13:2021-Will Pizzano.m4a: this audio file was automatically transcribed by Sonix. This transcript may contain errors.

Michael Coates:
Welcome, everyone. This is another edition of CISO to CISO. I'm your host Michael Coates, CEO and co-founder of Altitude Networks and formerly CISO of Twitter, hence my ability to be here on a CISO-type show. Super excited today to welcome Will Pizzano to the show. He is the founder at Sentant and he's a virtual CISO at a number of small and medium startups. Will, thanks so much for being here today.

Will Pizzano:
Great to be here, Michael. Thanks for inviting me.

Michael Coates:
Yeah. So we're going to dive into some really exciting topics today. For those of you that have followed along before, we have the videos that you might be watching. And of course, like, it's a video, I'm watching it. Or you may be listening on the podcast. So definitely check out the other one if you're not aware, and these shows are brought to you by Altitude Networks. We are focusing on data security in cloud collaboration platforms like Office 365 and Google Workspace. So if you wonder who's taking your data, who shared it by accident to the world, to the whole company, or dropped in their personal account for backdoor access, that's our world. We find that all the time, everywhere. So check us out. With that, let's dive in. Will, so you have been at a number of exciting places. I can't wait to hear a little bit more about Sentant, but your background, you were at Hustle, you were at venture capital work. Tell us all about those different places that you've been and worked with.

Will Pizzano:
Oh, right. So, yeah, after graduating college, I knew very much that I wanted to specialize in system security and kind of break into that field. That's already something I'd been doing throughout high school, etc. So what I ended up doing is, first I kind of wanted to and needed to break into the IT industry after getting out of college. So I started working in financial services in New York City, being a UNIX sysadmin, you know, taking care of Solaris servers, which are so rare these days, and all that for financial services companies to be able to run their accounting systems and whatnot. And with that, I just kind of naturally gravitated towards what would become kind of like the security management side of that, which would be securing the servers, making sure that access to this highly sensitive, you know, trading data was restricted, as well as helping with things like SEC and FINRA compliance, which requires a lot of disaster recovery know-how and restoration. This was all in an era kind of before the Cloud. So after that, I moved out here to San Francisco, where I live today, and I got a job at a local consulting company doing basically security incident response. And for those who aren't familiar with that discipline, incident response means, well, I've been hacked and I'm calling somebody to help me get un-hacked at this time.

Will Pizzano:
So I was the un-hacker, if you will, for a variety of companies, including some large venture capital companies, as well as even something like manufacturing and restaurants, et cetera, all of which had security incidents. And I think, you know, gaining this experience of actually seeing what companies did wrong and what led to the eventual breach brought me into focus on what can I do to be proactive so that I'm not an incident responder here. How can I help companies not have to call someone like me? Because it seems as though if they were to have, you know, an ounce of prevention here, it would be worth thousands and thousands of dollars, you know, of cure. So that's why I ended up next at a health care company for a number of years, which is now UpHealth. And there I basically was the first IT hire and built the IT team and the security program and infrastructure. And this was starting in the days before, you know, the Cloud was really a thing. And I remember when I first started, I called up Amazon and it was like, hey, I work at a health care company.

Will Pizzano:
I want to use your Cloud services. Will you sign a HIPAA agreement with me that says, you know, this is protected health data? Absolutely not, was the answer at this time, and so it was for everyone else. So we had to very much kind of make it bespoke and, you know, roll our own. But after doing that, we were able to be one of the first cloud providers that was approved by some large entities such as Cigna from a security standpoint. So in that, I learned how to kind of build from scratch a security program, which I then leveraged when I became Chief Information Security Officer at Hustle. And obviously the job at Hustle was to leverage all of that knowledge, to both enhance the company's security posture and in a general way obtain various security compliance to help the company grow. And since they were in the campaigns and elections space, to avoid disruptive incidents during a very contested election season. And so luckily that security architecture was not going to be able to do all of those things. And that's much of the experience that I've drawn on today when I represent numerous companies as vCISO, to help them build a sensible security program for a company of their size.

Michael Coates:
Mm hmm. Will, tell us the truth, though, incident response. You got out of it because you didn't want to do all your working in the middle of the night. That's what I remember. Incident response. Nothing ever breaks, you know, at 10:00 a.m. It always breaks like 2 a.m. I like.

Will Pizzano:
It was not a 9 to 5 strictly job, no. So, yes, it's better to be proactive for one's own sanity, perhaps.

Michael Coates:
Yep, yep, yep, definitely. Well, that's exciting because as a virtual CISO, you are seeing a lot of different environments then. It very much reminds me of the paths lots of people get into security through, myself included, which was from an early-on consulting path, because by its very nature of seeing different environments, it really stresses your thinking, like, well, maybe this is the academic or the best practice by the book, but here it is in this environment, all these things change for this environment. So I have to imagine you're really experiencing a lot of different interesting perspectives when looking at entire security programs in the lens of different companies at this point.

Will Pizzano:
Yeah, and this is something I actually tell to, you know, budding security engineers all the time, that, you know, if you really want to grow your career, one of the best places you can work would be at a consultancy of some kind, because you're going to be able to see what goes wrong, what goes right, in a number of different environments and figure out for yourself which tools match what situation. So a lot of times when people work at a single company, they get used to certain tools, a certain stack. And what you'll find is that that stack may work in certain environments, but those needs will differ. So being able to come from that kind of neutral perspective, I think, is very helpful for anyone in security.

Michael Coates:
Yep, yep. I totally agree. So, you know, based on all that visibility you have, and especially working with, you know, small and growing startups, you know, the one thing we always hear in security from every company is like, hey, we have a business to run. We don't want to disrupt that. And part of our feedback, of course, is, well, getting hacked would really disrupt it, so let's do security. Right. But also in your preventative approach, finding things that are both streamlined and fast and solving the right problems. So what is the advice you're giving to startups? Like, what areas should they be focusing on from a security perspective?

Will Pizzano:
Hmm. That's a great question. And I think a lot of the time the answer to that proceeds at a very tactical level, like, oh, you should be using, you know, this kind of multifactor authentication tool, this kind of antivirus, et cetera. But I like, you know, from a CISO perspective, to take that to a high level and ask what business is your startup in and what are your business needs around security? And the answer will generally flow from there as to what your security roadmap will look like. What I mean by that, for example, let's say you're in a B2C market and you're going to be gathering a lot of information that's personally identifiable, like names, email addresses from users. Then obviously for your startup, you should be prioritizing security around first the handling of that personally identifiable information, who has access to it, and the compliance around things like the GDPR or the California Consumer Privacy Act, et cetera. Because these are things that you're going to be facing immediately or very shortly after gathering a lot of data. By contrast, if you're in the B2B space, you have to look at what verticals you're in and what customers you're going to try to attract, because their security requirements will be the ones that boil down to you. For example, if you're in the health care space, you know to expect intense HIPAA requirements from some of the larger enterprises you work with. While if you're in just general kind of B2B services, it may be just that you need a basic kind of SOC2 certification or something like that to show best practices. So this will very much depend on not just, you know, what market you're in, but who your intended customers are and what you can expect them to require. Mm hmm.

Michael Coates:
Yeah, and it's fascinating because as I talk with startups as well, that element of the SOC2, you know, I think we all know that certifications don't necessarily make you secure in and of themselves. Absolutely. But they also go a long way to say you've covered a lot of ground. Like, you can't just sort of skate your way through all of the different requirements of a SOC2 without having done considerable work. And clearly, you don't stop there. But it's always a great way of getting some groundwork and some foundation and giving that as an attestation to who you're going to be working with.

Will Pizzano:
Yeah, absolutely. And I think that when it comes to SOC2, the driver that we see at startups and small companies is usually sales. So that's why I say, you know, the best thing a CISO or any type of security consultant can do for you is to align your security program with your business needs. And generally, for a startup, that's going to be all about sales and that recurring revenue that drives the business. So when you align the need for a SOC2, the need for other security measures, with that, and you get buy-in from the stakeholders of the organization, you can have a much less frictionful process of implementing security.

Michael Coates:
Mm hmm. And then, you know, I've seen on some of the tactical items, too, some of the things that may be difficult to try and turn on for a thousand-person company. If you turn them on when you're 10, like, all right, you get a little bit of people going, what's this? What's that. But then each new person that comes in is like, well, everybody else is doing this already. I guess I can't really lose my mind. For example, like two-factor. If you're in an organization of a thousand people without two-factor, like, man, that's going to stink to turn it on, but you sure need to. But turn it on now. And, hey, maybe even you turn it on all the way and go to, like, actual key fobs. Like, that's pretty cool to do that out of the gate. There's a lot of opportunity at ground zero to get that stuff in the door.

Will Pizzano:
Yeah, I think that an early stage is the best time to do these projects for a number of reasons. One, you know, it keeps you secure as you grow. But two, again, you know, drawing back to the kind of business concern here, is you're absolutely going to get a return on investment by deploying these things when you have 20 or 30 people, as opposed to when you have 500. And by the time you have 500, chances are it's going to be an emergency that you have to implement all these security measures. While you have the luxury of taking your time in an earlier phase. So I'd say that late seed stage, early series A is a great time to really take the security roadmap seriously and get in a lot of that stack that you want on the security front so you don't have to implement it later.

Michael Coates:
Now, for people that are watching, I guess, or who are listening, if you've seen our previous shows, you know that we hold back no frills. We get out the Altitude Networks virtual jet, we fly me and the guest somewhere in the world, well, virtually, somewhere that's meaningful. And so while we're both actually in San Francisco, we've picked somewhere outside of the city. So Will, tell us where we are today and why you chose this location.

Will Pizzano:
All right. So we are in lovely Bushwick in Brooklyn here, which is a place where I lived for a number of years, and people in my family were living here in the late 1800s. I go back a very long way in this neighborhood. So it's important to me because it's actually where I started my tech career. So as a young boy, I guess around the age of 12 years old, I actually got my first job at a local Internet service provider, and they were based in a building very much like the one behind me right here. And when you walked in, it was just a bank of massive cabling and modems, all these 28.8 modems. And my first job was to upgrade those to 33.6 modems and to fix the cabling. So this is kind of where it all started in terms of my IT career. And, you know, even though I'm in San Francisco now, I still look back to that rack of modems as being my introduction to this world.

Michael Coates:
That's awesome. And, you know, I'm surprised we don't have more of these. But do you have a ringtone with, like, the modem connection screen noise string? Because I think that there's something about that, especially when it rolls into the next. It's like, oh, no, I can't log in to the bulletin board system.

Will Pizzano:
My claim to fame, though, is when I was 13, I could call a 14.4 modem like a fax machine, and I could, with my mouth, make enough of a handshake sound that it would proceed to the second phase of the handshake for minutes.

Michael Coates:
That is a legit claim to fame. Like that, I know your party trick now.

Will Pizzano:
There are no more modems to do that. But for a brief time, I got it.

Michael Coates:
That's good, see, that's a hidden skill that we didn't know about. We have uncovered something new here.

Will Pizzano:
Yeah, the 14.4 verbal handshake.

Michael Coates:
That's funny. That's funny. So I want to step back to one of the items you were talking about earlier, about security needs for startups. But from the other perspective of working in sales and working with the customers, one of the things that B2B startups certainly see is that as they're selling to companies, those companies are coming back to them saying, we have these expectations of your security program. You need to meet them. You need to fill out our 100-page questionnaire. You need to validate these things. So what kinds of questions and diligence are you seeing the larger companies ask of startups, and how can they best prepare for those things?

Will Pizzano:
You know, we're seeing, especially as a result of last year's SolarWinds breach, an acceleration of the kind of vendor review process at a lot of large organizations, and also an intensification of that process, looking more into gathering more evidence, looking more into the maturity of the program, et cetera. So obviously, most startups are a vendor in some capacity and are subject to these reviews. What we're seeing for startups is, just out of the gate, a lot of businesses either require a SOC2 already be present as a certification or that they commit to obtaining that certification within either six months or a year. Beyond that, what we're seeing is a lot more questions about the handling of production data. Who has access to production data, how do you centralize authentication? And also now, because of Covid, the added dimension of a work-from-home policy. Now, I mean, some people may not want to believe this, but a lot of security questionnaires that were sent out by these large organizations completely overlooked the fact that most startups were already in a remote work kind of situation, work from anywhere, and asked a lot of questions about the physical office, badge scanning and all that.

Will Pizzano:
But we've known for a while that even if you did break into most startups' offices, they're going to have little there but Wi-Fi access points and certainly no real data that's going to be able to be hacked. So security is very much the same. However, now they're finally starting to ask more questions about this kind of BeyondCorp work-from-home model. So it becomes important to make sure that your devices are well managed, that you have authentication, and that you're not trusting any of these endpoints with a place in a privileged network just because they're at some Wi-Fi or they're at some IP address; that you have to go through authentication to get onto their VPN or no-VPN solution, and that restricts you to a device that's owned by the company. You can't go on any random computer at your home. So we're seeing a lot of those measures being asked about for early stage startups, where before they were completely ignored.

Michael Coates:
Mm hmm. Yeah. And I know I've been on both sides of this. You're going to get those questionnaires. And, man, that is really an unsolved problem. Every company has their various flavors of these. I don't know if you have any helpful shortcuts for companies to take, shortcuts, maybe just like streamlines. You know, the only thing I can say in that category, at Twitter, we, of course, imposed this upon our vendors. And I know some of them personally have come up to me and said that was really a lot of work, like, sorry, sorry. But we also tried to help the problem with, like, the Vendor Security Alliance, trying to build a standard set of questions that hopefully companies would adopt. And then you could have one set of answers. So I've recommended that to some startups, like, hey, if you fill out one set of questionnaires, you may be able to give that to a company and say, hey, we've got this. Will this suffice? But, Will, are you seeing other strategies, or is it kind of like, well, you just got to suck it up and put on your big pants and fill out these questionnaires?

Will Pizzano:
Well, ultimately, you're the vendor. So if they do require a highly customized questionnaire, you do end up having to suck it up. But there are ways to kind of lessen that pain. And while, much like you, I lament the Balkanization of kind of the security questionnaires in general, that they ask similar questions but in very different forms, there's a few different templates that are drawn from. I would say after a couple of months, your sales team will probably start to get a sense, depending on your vertical, of what the standard questionnaire in your industry is. You know, for example, in financial services, a lot of times it's the SIG-like questionnaire, the full version of the SIG questionnaire, while in higher education, they use a format called HECVAT, and in other spaces they may defer to the Cloud Security Alliance's STAR registration, and those are all very lengthy, you know, 300-plus-question security questionnaires. So ultimately you will have to go through the exercise of filling them out once. However, I find that if you see that many of the companies that you're trying to do business with require the same things, such as CSA STAR, you can point them in this direction and say, hey, look at this. This is our CSA STAR. Do you have any specific questions beyond this? That, accompanied by some type of compliance verification, whether it's SOC2 or ISO, can often negate the need to even fill out the entire security questionnaire, and instead address some minor questions with a meeting. So, you know, if there is a questionnaire that you see frequently being delivered in your industry, I'd say fill that out and use it as a reference point going forward.

Michael Coates:
Mm hmm. And this is all really good advice. Again, sitting on both sides of this, both previously as a buyer from, like, Twitter and Mozilla, and now as a vendor at Altitude Networks. The investment in all of these things has really worked wonders. We came out of the gate with, you know, a security architecture based on minimal privilege and separation of environments, which has only served us as we've scaled our engineering teams. And we pursued SOC2 from the very beginning. And sure, you know, people are like, oh, we're spending time on SOC2 certification in addition to product. But it just became part of the mentality. It just became part of how we worked, and people just absorbed into that reality. It's worked really well. And I think even, you know, at the beginning, when talking to companies again, we have our SOC2. Like, you have a SOC2? You're like only x months old or whatever. Yeah, yeah. Of course. Because we take it seriously and we just want there.

Will Pizzano:
Yeah. And we're seeing more and more in the industry, obviously Altitude's in the security space, that you want to get that right out of the gate. But companies that are also in similarly sensitive, you know, verticals like financial services, I also recommend taking that approach, because ultimately, when the head of sales puts up their hands and says, oh, I'm blocked on this deal, it's going to have to happen anyway.

Michael Coates:
Yep, definitely. Now, one of the other things that you mentioned that I think is interesting to dig into is how technology is changing and how we think about security, maybe traditionally and naively for just big companies. But the fact is, as far as startups, we may have a small number of people, but on a rocket ship in terms of value and efficacy and hence incredible amounts of data. But to the point you raised, we already are in this sort of zero trust or zero office reality. You walk in and it's a hotspot drop. So what are the areas that we say, hey, that's security for big companies? You know, that's old school. We don't even think about that. But as a startup, we do need to be thinking about these areas. What are some of the trends that you're seeing there?

Will Pizzano:
Mm hmm, sure. Well, actually, I'd even add to that in saying that there's a lot of, you know, general themes in security, like antivirus software, for example, where there's going to be a strongly different approach when you're at a large company and an enterprise, as opposed to when you're at a small company. And the last thing you want at a small company is to create a security architecture that is going to cause your developers and everyone else who needs to do work to throw up their hands and be like, I can't work today, you know, this can't happen, and decrease productivity. But at the same time, you do need to ensure security. That's when it becomes really a choice about what vendors you're going to use and what exact settings you're going to put in. What we find in the enterprise is that by default, they tend to go with the most onerous approach, like I've worked, for example, with health care companies where they come for a meeting and we need a bigger conference room table because everyone has a work laptop, two different phones, the that, and some of them even have a second secure laptop for work, which is the red one, which is used for the non. So the solutions that an enterprise can do, which is throwing a lot of money at hardware and trying to solve the problem by being inconvenient, is not the same solution that a small company should use. I think when you're doing it at a small company, you really have to look into the impact on productivity and what value you're getting, and choose very new best-of-breed software that's going to speak to your security needs without causing people to constantly need IT support or other care and feeding just to get some work done.

Michael Coates:
You have, you know, the magic in security right now, I think, is something you're alluding to there, which is seamless and usable. Like, it has to be invisible. It can't disrupt things. We were just talking actually before we jumped on this call. I've got super fast new Internet, but right now, until I configure it right, the uptime isn't perfect. So it doesn't matter how good the thing is in the background if the usability disrupts things. And I think about that with security, too. Like, once you start to impact business, you cause friction, that security might get ripped out and thrown out the window, in a big company or in a startup where, you know, things are at breakneck speeds.

Will Pizzano:
Exactly. This is what I like to say is, you know, what I've been preaching for years is telling everyone, hey, NIST upgraded their password guidance, which says you don't have to force a password reset every month. And before that, I was thinking, oh, we need to reset passwords every 30 days. And what do you see then? Well, the user's password starts at password one, and then over the course of months, it'll end up at password thirty and so forth. That's not the point of the security. So it becomes counterproductive.

Michael Coates:
Mm hmm. Yeah, I totally agree. And glad you mentioned that. We need to get more awareness of that update to the standard, because there's still plenty of companies that, you know, are hanging on to that old way. And, you know, maybe there was, I mean, there was a reasoning at the time for it that has progressed. We have moved past that, and man, we've got to update that policy.

Will Pizzano:
Absolutely. And I still see it asked for in questionnaires all the time. And like, it's really funny. I see, do you comply with NIST standards, you know, regarding security? Then the next question is, do you reset all passwords within 60 days? I'm just like, well, that is no longer the case.

Michael Coates:
The answer is trick question. See question above.

Will Pizzano:
Usually the answer is we haven't updated the questionnaires in six years.

Michael Coates:
Yes, that's right. That's right. So, Will, based on everything you've seen in your career and the path you've taken, what kind of advice would you give to the next generation of security leaders? Maybe they've started their career in security. Maybe they're just a student in technology, in high school even, right now, thinking about this as a future. What kind of things would you say, man, I wish I learned this stuff sooner?

Will Pizzano:
That's a great question. And I think that early in my career, what I was most focused on was being the best security engineer possible, learning everything I could about encryption, about how to secure systems, and how to be a good sysadmin or DevOps engineer to be able to implement all of the security. But then I learned, and this is the advice that I would give to budding security engineers: technical skills are very important, but it's also very important, if you want to become a security leader, to be well-rounded. What I mean by that is learning about other disciplines. And the No. 1 thing that, you know, as a CISO you are going to draw on is business skills, and learning the business side and how the company works, how startups receive funding and how money is spent, allocated, etc., how to be a leader at these companies. And that'll also help you when you need it, when it comes time to build and manage a team, which is the first step towards becoming a CISO in the security realm. The other area that I would suggest is to also get more well-rounded in the fields of communications and law. There's tremendous overlap when working in security with law. And I think that having either some law classes in college or some pre-law background has been an incredible strength for myself and for others I see in security, because there is so much overlap today between these matters of law, like privacy regulations, and matters of security.

Michael Coates:
Yeah, that's a really good piece of advice. I totally echo the business sense, because, you know, where we start in technology, early security, it very much is, haha, I'm the hacker, I have subverted this, which is all true. But as I kind of describe it, there's a "so what" factor to it that the business will ask. And until you can answer that question, or at least iterations of that, to something that impacts the business, you won't get as much traction. And so understanding what matters to the business is huge. The second part, though, about, you know, legal and compliance. That's awesome, because a lot of that somewhat comes down to also, like, well, you're violating the law or you're not going to satisfy this compliance requirement. And those things are, you know, those are pretty nuanced. If you've ever had, and you probably have this, Will, if you've ever been on the receiving end of an audit, you may get an auditor that is saying your technology is not satisfying this requirement, and your ability to understand that compliance, understand the wordings, both the written and the intention, can really help, because otherwise you'll be cast into, like you said, well, this is what it was six years ago, and you should have adopted six-year-old technology. But if you're moving fast, like, hey, this is what it does, this is how we meet the spirit and the intention of that compliance. You have to understand all those moving points to make that case.

Will Pizzano:
Absolutely. And I think that being a CISO is very much about being cross-functional. And one of the departments you're going to interact with the most is legal. So being able to even get opinions from lawyers and be like, no, this is not the problem, and being able to take Occam's razor to it, is one of the core skills that a CISO needs to have.

Michael Coates:
Mm hmm. Yeah, they were my biggest advocates and biggest partners in previous companies. Build a great relationship with legal. You'll need that.

Will Pizzano:
Absolutely.

Michael Coates:
Well, Will, thanks so much for your time today. I know we covered a lot of ground. Before we go, anything that I missed or we jumped past, or anything you want to add?

Will Pizzano:
Um, no, I would say this has been a great session. I've definitely enjoyed our chat here today. So thank you very much for inviting me for this. And I hope the audience has been able to learn a thing or two about security at small organizations today.

Michael Coates:
Yeah, yeah, definitely. And that's what's so fascinating about our field, is there are so many different disciplines inside security. There's so many different flavors. And then when you go and say, all right, let's think about it for fast-growing startups, what do they need to care about? Like a whole other lens on top of things. So it's really been exciting to get your perspective on this. And again, I agree. I think people in the audience got a lot of good tidbits out of this today.

Will Pizzano:
Right. Well, hey, Michael, thanks a lot for inviting me for this.

Michael Coates:
Awesome. Thanks. Thanks, everybody. Until next time.

Will Pizzano:
Take care all.
