Yaron Levi is the CISO at Blue Cross and Blue Shield of Kansas City. In this webcast we discuss:
This is the CISO to CISO live podcast, focusing on information security, leadership, innovation and more, brought to you by Altitude Networks, data security for the cloud.
Great. Welcome, everyone, to another edition of the CISO to CISO webcast. We're recording this live via Zoom. It's always an experiment and it's always a lot of fun. My name is Michael Coates. I am the co-founder and CEO of Altitude Networks. I'm also the former CISO of Twitter and former head of security at Mozilla. So that is my right to be in the room. We're joined today by Yaron Levi. We're going to have a great conversation. Real quick, this is sponsored by Altitude Networks. We're a cloud-native DLP solution focusing on data security in places like G Suite, Office 365 and other SaaS apps in the cloud. So check us out if that sounds interesting. But otherwise, let's just dive right in. Yaron, thanks so much for joining us. Give us a little bit of background on your CISO journey. How did you end up in that role? It's a pretty exciting and wild profession, and I think everyone's gotten there a different way. So take it away. Tell us how you got there.
First of all, Michael, thank you. Glad to be here. Honored to be on your webcast. Yeah. I mean, it's a journey, right? It's a journey that's different for everybody. So I guess my security roots go back to my military days and maybe a little bit before that. I was a kid who grew up in the eighties, and I was very interested in, quote unquote, cracking games. So I guess that was like the first exposure to, oh, there is this thing. It wasn't called that at that time, but we were looking for different ways to do different things. Right. I guess the real exposure was during the military days, which was mostly on encryption and things like that. Again, it wasn't anything close to what we call cyber today. And then I spent the beginning of my career as a developer, system architect, systems engineer. And what I found is that I always had one leg on the technology side and the other leg on the business side. So that was interesting and gave me a lot of perspective on many different things, both from technology as well as business, products and so on. I guess the cyber part really kicked off, or kicked back in again for me, around the 2004 time frame. I was working for a company at that time, and Sprint, here in Overland Park in Kansas, contracted us to build an IAM solution for them, for everybody who actually touches the network. It was a result of Sarbanes-Oxley, and they were looking for ways to be able to audit everything: who touches the network, the telecom network, what did they do, and so on.
So it wasn't only that. It was pretty interesting, it was pretty cool. I was involved in that in different capacities. And then in 2009, I was at a different company. At that time, I joined the Cloud Security Alliance and I had some really good people that I collaborated and worked with as part of the team that produced the Cloud Controls Matrix, the CAIQ, as well as the cloud enterprise architecture. And the gentleman who was chairing the cloud enterprise architecture, who is currently the CISO for Kimberly-Clark, runs their entire area. A good friend, somebody I learned a lot from. And, you know, during that time, I realized, well, when I grow up, I want to be like Hiero. So that's a lot of how I modeled myself. I was also working for eBay at that time, and that was probably one of the best cybersecurity schools I ever went to. It was interesting. And I think during the eBay days, I decided that I want to be a CISO. Fast forward to the end of 2015. After the Anthem breach that happened early in 2015, the Blue Cross Blue Shield Association started to take a much more proactive role in dictating to the plans: hey, you have to have a CISO, you have to have a cybersecurity practice. So Blue Cross Blue Shield here in Kansas City called and said, hey, we are building a new practice. Do you want to join us as the CISO and help us build that? So that's what I do today.
It's really funny that you mentioned video games towards the beginning. That is not the first time I've heard that on these webcasts, and it's actually my journey as well. So I guess to everyone that says video games are rotting our brains or whatever: well, they might be spawning entire generations of security professionals.
Oh, yeah. I mean, you know, back in the day, we didn't have money. I remember I had a Commodore 64 and I worked the entire summer just so I could buy the floppy disk drive. I think it cost me almost six hundred dollars, and I worked like two months, saving all the money I had from babysitting and everything else just to buy that. So we didn't have money to buy games, so we had to find other solutions to get more games. Right. So that's how we started.
That's crazy. So the other day there was quite the kerfuffle online about Zoom, and everyone had an opinion, as we seem to in the security space. And I really liked what you wrote on LinkedIn, because you talked about the issue, but you stepped back and talked about the broader issue of third-party assessments and what this situation represented. In particular, you know, the fact that everyone's doing third-party assessments, but if this was to happen, what value are they bringing? I thought that was really interesting. What kind of feedback did you get from that post? Tell us more about that.
So that was interesting. I mean, I wrote the post out of somewhat of a frustration. And, you know, I'm not a Zoom client; our company is not using Zoom, but I'm using it a lot with partners and other companies and I use it also privately. I have my own private account. And when the whole thing happened and people started to bash Zoom, and you started seeing more and more articles listing all the bad things, you're going to step back and think about it and say, look, if you keep it in the right perspective, they're not the only one and they're not the worst one. And I think a lot of those articles tried to point and say, OK, it's the devil, right? This is the worst product ever. They are spying on us and sending all our information to China on purpose and everything. I mean, let's be real, this is probably not the case, and I was trying to figure out if there is a more balanced view of how to really have a conversation like that in the industry and not bash people right and left, because unfortunately, you see that too many times in the industry. When a company is getting breached or something happens, everybody points at them and yells and shames and everything else. Well, we all know that nobody's perfect. Our house is not always perfectly in order. We all have challenges. So I think we would be better off helping each other out, which I see a lot in this community also, than just pointing fingers and bashing each other and throwing stones. Throwing stones is easy, pointing to the problems is easy, but how do we become more part of the solution than part of the problem?
Yeah, definitely. You know, you've probably seen that in a CISO role as well. I remember seeing it myself on the defensive side. I was a consultant years ago. I red-teamed and found the problems. And when I switched sides to defending, it was really fascinating to see that when there was an issue, people would say, oh, that's so easy. How could you have made that a problem? You just do this to fix it, and they'd give you the technical solution. Like, well, sure, the technical element of it tends to not be that complicated, but it's the organizational element of how do you do that everywhere, every day, at scale, for every developer, without grinding things to a halt. Right. Yeah, we definitely need more of that.
That empathy and seeing both sides, as you mentioned, I think that makes a lot of difference. You know, there's another thing that I think we tend to forget, which is that if you look at the security profession, for the most part, it's really young, within the last, what, 15, 20 years, really, the way that we are seeing it today. There are still many things that we didn't figure out. If you think about engineers and developers, most of them are not wired to even think like security, because they mostly hire them to build things. We're wired to break things. And making the jump or making that connection is not trivial for a lot of people. So really, how do we educate, how do we make that forefront in their mind? I don't expect developers to be full-blown red teamers or pentesters, but at least to have the understanding and the awareness, and really to bring the issues forward and include them as any other technical debt, for that matter, not just pushing it off and saying, hey, not my problem, somebody else will take care of it. So it's more of a culture that I think still needs to evolve, and we're not there yet, I think, overall as an industry.
Yeah. Yep, I agree. Now, the third-party assessment element of all of this is fascinating as well. I saw some interesting comments from folks like, well, didn't you all do your third-party assessments of Zoom, along with every other vendor that you take through your month-long validation? And what value do they bring if all of these things suddenly came out of nowhere? What do you think we should be doing with third-party assessments? Is it a burden, a checkbox, or does it provide value?
I mean, so I think, first of all, in the hyperconnected world that we are in today, it's an absolute must, right? We're just seeing that from a business perspective. We're leveraging more and more third parties. We're no longer isolated. We're very, very hyperconnected. But I think the other side of it is really the need to understand what the risk of the exposure is and what we're trying to accomplish. I think the way we as an industry have sought to solve it thus far, with questionnaires or some risk ratings of your website or of public-facing systems, giving them some score, I don't think this is the right way. I think at the most it gives us some cover, a checkbox, to say, look, we are doing some diligence, we were not completely negligent. That's it. It just kind of puts you in a defensible position from a legal perspective. Say, yeah, I somewhat looked at that third party and I did some assessment. But it's largely ineffective. I think the problem is that, if we are very honest with ourselves, again, as an industry, it's almost like a dance. Right.
Because as a consumer, you're trying to find out as much as possible about the provider's posture and strengths and weaknesses. On the provider side, they're trying their most to limit what they expose and what they share, and there isn't good transparency that happens. And I think that's kind of the root of the problem.
Without having that transparency, without having more of a standard of how we look at things, and really having a way to disclose it and to share it safely, I think, by and large, everybody will still try to hide as much as they can rather than really share and work through the risk. So I don't know what the answer is. From a technology perspective, if I find it, I'll probably start a company and do it. But I just know that, at least from what we've tried so far and the way we are doing it today, it's probably not the right answer.
Yeah, it certainly is challenging, because from inside the business, you end up requiring all third parties to go through your security assessment, and then the business is slowing down, which is a trade-off you have to think about. And then what value do you get from it? As we were saying here, it's tricky. We've seen people try to standardize questionnaires, and that makes sense theoretically, but it hasn't taken off. We've seen companies do the "let's look at the outside of your building and give you a score" approach. Which is something, but at the same time, how well can you know whether or not our building is defensible against earthquakes by just looking at it from the outside? So it leaves some things to be desired. But if we do nothing, then we're deemed negligent, too.
Right, right. I think the scoring mechanism is part of the challenge. There's no consistency in terms of how you score. You bring in five different companies who are doing the scoring, and everybody looks at it differently. The algorithms are not exposed. You try to ask and say, OK, so how do you come up with this number? Well, that's our proprietary algorithm, we can't share it. OK, so what are you supposed to do? Just take it at face value? But it's different from the other third parties. So who is right? That's why I'm saying I don't think it's the right answer. The other side of it, if you look at all of these service providers, the model of the agreements and the service agreements, a lot of them are limiting you: hey, you cannot scan us, you cannot test us, things like that. And again, it kind of goes back to the lack of transparency, because if you would be able to scan and do that and not break any service agreement, if anything, that will provide more information, like, hey, here is how we can improve your service. Because if I bring a service down only by scanning it, there is a bigger issue here. Right. So it's still something we, I think, need to figure out.
But again, what I think we need to keep in mind is how we enable more transparency in a safe manner rather than just hiding and not sharing and just taking the legal side of things. Yeah, yeah.
You know, things that I've seen work somewhat well in the space, and I think we captured the challenges for sure: if you do a risk rating on the data exposed to that third-party vendor, then you can take your lower-risk ones and fast-track those. Maybe there's a minimum bar of diligence, which, as much as we might get frustrated with it, like, oh, it's just a stamp of certification from this whatever, pen test, ISO, SOC, whatever, it is diligence. It does take work to do that. And maybe with low-risk vendors, that's enough to move through. And for your high-risk vendors, you have a little bit more. But that balance of streamlining for businesses is pretty crucial. Any other tips you found that helped with this?
I think it's the understanding internally of why we do what we do and whether we really need to do that. Right. So oftentimes you get a requirement that says, hey, we have to send this data, we have to provide the service. And you try to dig a little deeper, like, OK, why do we need to send this data? Do we really have to send Social Security numbers, or do we really have to send credit cards or whatnot? And sometimes you find that no, actually, we don't. We just need to have this part of the data, or, as a matter of fact, if we could mask the data, that would not be an issue at all. Right. So I think oftentimes people are not aware of the options and what they can do and how they can do it. I think, to your point, yes, it takes more time. So it may slow the business down a little bit. But again, like everything else, it's a risk-based decision and there has to be a balance. So if it's more risky to not do it, because of that your business can lose the business or whatever the case may be, OK, that's one exposure. If it's riskier to send information out, and now you have a bigger exposure, then don't do it.
So I think we need to do a better job with the business and in the business, having these types of conversations and really making those decisions based on what level of risk you've agreed to.
So in addition to all of the work you're doing as a CISO, which has got to take up all of your day and then some, you've also found time somehow to advise multiple startups. You're a venture advisor as well. I don't know what magic pill you're taking to give yourself that time in the day. But what do you see as the security industry evolves from these security startups? Are startups innovating in the right space? Are you hopeful, or is it more "quantum, APT, bitcoin"?
Give me money.
Yeah, I think there is a combination. So, first of all, the reason I'm doing it is because that's part of how I keep myself learning. We're a health insurance company, so we're not a heavy engineering organization. That's the nature of our business. I'm coming from the engineering side. And so part of how I stay relevant and stay up to date and still be part of the game is to work with companies. And I enjoy that, so that's why I spend more time doing it. But to your question, what I see is a combination. I see somewhat of a trend of more startups focusing on the foundations. I know some people call it the basics. I don't like to call it the basics, because basic sounds easy, and those basics are not easy. But I think there is a good focus on some things around the foundations. Several startups around access control and authorization, whether it's on-prem or in the cloud, providing more or better ways for two-factor or passwordless. Things that got really interesting and really innovative, things that really try to find the right balance between security on one hand and usability and user experience on the other hand. So I think this is promising. And for me, it's encouraging to see the startups going in the direction of data discovery and data protection, obviously.
What you guys are working on, that's another area which is extremely important, in my opinion. Again, given the nature of our industry, given our hyper-connectedness, we always joke in health care that HIPAA is about "keep it private, but share it with everybody." It's the nature of our business that we have to share the data. How do we protect that data in any meaningful way? And data is everywhere. So how do we find it and how do we put the right controls around that data? I think this is, again, another important foundational control that I see startups focusing on. Then I see things like vulnerability and patch management, again, maybe more improving the process, making it easier for the practitioners, and then inventory management. You know, CIS Controls 1 and 2, which we have struggled with forever, I see some things happening there. So from that perspective, it's encouraging. The other things that I don't like as much is really this chase around buzzwords. I see a lot of companies that would throw out, "we use some AI/ML to reduce your log fatigue," or alert fatigue, or, "we know that your SOC analysts don't really know what they're looking at when they get all those alerts and they're overwhelmed."
"So we're going to put in AI that will tell them what to do." I don't buy that very much. Yes, it has value and it can help with things, but for me, it's solving the symptom of the problem instead of the root cause of the problem. And the root cause of the problem is, what are you going to collect, or what is the value of what you're collecting? Do you really need to collect that much? And unfortunately, I see a lot of organizations, a lot of SOC teams and so on, that collect everything because that's the quote unquote best practice. Like, who decided this is the best practice, right? So you get overwhelmed, you get a lot of noise, you end up not seeing anything. And on top of that, OK, if you get so overwhelmed, well, we're going to bring this magic that is going to solve it. It doesn't work like that. I've seen several startups in that space. I don't see them take off too much. But I have seen a couple that are more promising, as long as they take a more targeted approach and not try to solve everything for everybody, but more like, let's focus on this type of attack vector or the MITRE ATT&CK framework or something like that, and focus on that. Then, yes, there's some value there.
Yeah, I really liked what you said about the basics, and I liked your point about foundations. That's been something I've relied on as well: what is sexy to a CISO are the most boring things to everyone else. We know we need to do it: it's authentication, it's access control, minimal posture. But doing those academic items, which are simple on paper, at operational scale in the business is incredibly hard. And that's why there's a huge mismatch between interesting research and academics on security and what we care about, because what kind of research do you need to do inventory management? Put it in the inventory. But the challenge is how do we do that in a cloud-connected world with data everywhere and all this stuff? So I'm with you on this whole notion of how we take these things we know we need to do and somehow do them at scale. Because on the other side, trying to have the computer overlords be smarter than us to solve problems that humans can't, it sounds nice and it would be great eventually. But why do all the hard stuff if we can't even do the easy stuff? It's fascinating. So the last thing I wanted to touch on here, given everything you've seen and the journey you've taken: what advice would you give to someone earlier in their career? Maybe they're a manager of a security team and they want to be a CISO. Maybe they're a student, and they're saying, I want to get in a dark room and hack loudly like I see in the movies. What might my future in security look like?
So what's the advice you want to give? I would say don't do it. Yeah, I'm kidding. No, I think there are some things you need to understand. First of all, it's not for the faint of heart. It's a very ungrateful job. You're going to have a lot of struggles and a lot of fights, so really understand why you want to do it. And I think that's in general true for everybody in security, not just CISOs. Don't just do it because you think it's cool. Don't just do it because you think it's a good career, a high-paying career, or anything. At the end of the day, I don't think any of that matters. Right. I don't think people can pay you enough to be overstressed, and you can hurt yourself and your health and your family and everything. Again, I don't think there's any money worth that. If you want to be in security, do it for the right reasons, and especially if you want to be a CISO. Do it because you want to make a difference. Do it because you care about being part of the solution rather than part of the problem. You know, if you're in health care, health care needs a lot of help when it comes to security. That's why I'm in health care.
I see other areas, you know, retail, financial, manufacturing, other stuff. A lot of companies, if you step out of the high-tech industry and you step outside of the Bay Area, there's a huge drop in talent and maturity when it comes to technology, security, et cetera. And a lot of organizations, a lot of companies in these industries could use a lot of help. So if you want to be part of this journey and be part of the solution to help them, I would highly recommend being in security and being a CISO. It's like being in the military in a way: you are part of something bigger than just yourself, you want to contribute to the greater good. And I think on top of that, it's a great community, because there are a lot of great people. I have tons of friends in the community. There's always somebody who will be willing to help you, give you advice, share information, share knowledge. Even if you are in a really dire situation, there's always going to be somebody who's going to lend their hand and offer their support and help. So that's, in my opinion, one of the best things about this industry. And I can't imagine doing anything else.
Let's do it. Do it for the passion, do it for the bigger impact. That's great. For the people, it's about the people at the end of the day. That's awesome. Very good. Well, that brings us to the top of the hour, and we'll go ahead and wrap it up there. Really wanted to thank everyone for joining us again as we do these live recordings, and to whoever's listening, at your computer, on the road, wherever you may be, enjoy. And again, thanks so much, Yaron, for joining us today. Really appreciate your insights and your thoughts on this.
Absolutely, Michael. Thank you very much. Pleasure being here. Keep up the good work. It's great. Thank you.