
CISO to CISO Webcast with Yassir Abousselham, CISO at Splunk

Webcast and Podcast | Altitude Networks, June 22nd, 2020

About Yassir Abousselham

Yassir joined Splunk in January, where he is responsible for protecting company systems and the data entrusted by its employees, customers, and investors. Prior to Splunk, Yassir served as Chief Security Officer at Okta and Chief Information Security Officer at SoFi, in addition to holding various security leadership roles at Google and Ernst & Young. Yassir holds two U.S. patents in trusted network communication and is an active member in the cybersecurity industry, from co-chairing the San Francisco Evanta CISO Summit, to acting as an advisor for cybersecurity startups.

Read, Listen, and Subscribe to the Podcast

GMT20200624-195827_CISO-to-CISO w Yassir Audio Only.m4a was automatically transcribed by Sonix. This transcript may contain errors.

Michael Coates:
So welcome everyone to another edition of CISO to CISO. My name is Michael Coates. I'm the host of this webcast. What a great show we have in front of you today. We're joined with Yassir, who I'll turn it over to you in just a minute. But as you know from previous webcasts, we talk with wonderful CISOs from all sorts of companies all across the world to share tips, tricks, their backgrounds, how they got there, all sorts of wonderful things. Really, really a delight. This is brought to you by Altitude Networks. Very briefly, we are a cloud native DLP protecting data inside of platforms like G Suite, Box, et cetera. So if you're concerned about data in the cloud, offboarding, rogue applications, accidents, all of those things, that's what we're here for. So check us out at altitudenetworks.com. With that, why don't we get started? Yassir, so wonderful to have you here today. Just really great to pick your mind and hear your thoughts.

Yassir Abousselham:
Thank you. Thank you, Michael. Great to be here.

Michael Coates:
So you've been in some amazing places. You were previously the CISO at Okta, the CSO at Splunk, and you've been in a variety of places before those. Tell us about your journey, how did you end up where you are today? Did you always know that you were going to be a chief security officer and that was your path through life, or how did you end up here?

Yassir Abousselham:
Yeah, no, not really. But I think it's really hard to actually think about a point in time where I've decided you're going to get into security. I think maybe it's something that started at a very young age. I've always been fascinated by technology and mechanics. I can think of a time where I used to completely dismantle or take apart the family VCR. For those of, you know, just before my parents come back from work and sometimes I end up with a few spare screws and a few spare parts. But that's kind of a topic for a different time.

Michael Coates:
But it still worked. But the VCR still worked.

Yassir Abousselham:
It did work somehow, not sure how that happened. But I guess it was not very optimized. But fast-forward a few years, I joined a group called 2600, and that is something that took place while I was pursuing my master's degree in computer science, and 2600, for the folks here who are familiar with the forum, used to exist. I'm not sure if they exist now, but used to exist at least in a number of forms, a virtual form through websites, a published format. I think it was a monthly 2600 magazine that you could purchase or subscribe to. And then you had the gatherings in the physical world and those used to take place every month. I believe it was the first Friday of every month. And what that gave me visibility into is this kind of fascinating underground world of hackers. And I became, as I mentioned, fascinated by all the discussions and interests that they had in different aspects of technology. I ended up joining Ernst & Young as an ethical hacker. So this is where I was able to join my passion to actually getting paid for hacking companies, which was at the time it seemed like the best job in the world. And at Ernst & Young specifically, I spent 11 years. And during those 11 years I've done a number of things, including obviously pen tests, but also rolling out vendor security solutions, different types of assessments, compliance.

Yassir Abousselham:
And towards the end of my tenure with Ernst & Young, I acted as a consultant to a number of CISOs on the development and management of their security programs. After that, I joined Google and at Google I had a couple of roles. The first one was focused on the protection of corporate data and my mandate and scope were focused on all the G&A functions. So think about finance, IT and M&A and so on. And then after that I joined the payments team. Payments, at the time, this was one out of seven product verticals at Google, including search and Android and Social and so on. But payments was composed of two things. One is the payments infrastructure, which is how Google manages the financial transactions pretty much for all the products and services. So we oversaw the security of that infrastructure. And the second aspect of it was the payments consumer products, you may be familiar with, Google Wallet, Android Pay and so on. So that gave me visibility into a number of things. One is managing security at scale. And Michael, obviously you've seen this from your time at Twitter. It's one thing to manage security within the context of an enterprise or small company. And it's a completely different thing when you have billions of user records that you are responsible for.

Yassir Abousselham:
So the amount of engineering that there is and customization that is required and automation is completely different from the context of a small structure. The second thing that was really interesting is the amount to which the security team, or at least members of the security team at Google, were specialized. They were deeply entrenched in very specific topics. And they could afford to spend weeks, if not quarters, digging into one specific area, like the firmware on, let's say, the motherboard that is used to power machines and data center. It was just fascinating. And then the last thing is, as I mentioned, doing security for consumer products, that is also something that unless you are put in that kind of role, it has its own challenges, but also it has certain considerations that need to be observed. After Google, I joined SoFi. SoFi is a fintech company based in San Francisco. So now, instead of doing fintech for Google and having a kind of a slice of the pie in managed information security, now have a 360 view of the entire security program. And I was able to manage it at SoFi. After that, I joined Okta, as you mentioned, as their Chief Security Officer. And my role at Okta consisted of three things. One is managing the security program end to end, and the second was to act as the face of Okta security to kind of all the external entities, including customers, investors, regulators and so on.

Yassir Abousselham:
And the third one, which was somewhat interesting, is to chair, and this is a role that was added to my mandate after I joined Okta, I think after being there for about four months, is to chair the efforts to pivot into the security markets. Now, Okta did an amazing job at catering to the CIO persona, but the task that I had on my hands was to essentially define the requirements and make sure that as a company, we meet the requirements and the needs of the CISO persona and the security team. Obviously, what that entailed is work with the product team, with marketing, business development partnerships and so on. And that was a very interesting task, as you can imagine. And then as of January of this year, I joined Splunk. And Splunk is, as you know, a company, a great place to work. And right now my focus is on driving a data driven security program, if that makes any sense. It's fascinating the amount of focus that Splunk as a company has on leveraging and optimizing the use of data. So that's something that I think is what keeps me challenged, keeps me looking forward to the next thing in context of my role.

Michael Coates:
Yeah, well, you've covered some ground. I'm going to dig into a few of those things. I also wanted to mention or take a moment for those of you that are joining the webcast, I can see where we're at here on virtual location again. And I skipped over where we are each week. We're picking each other. We're picking somewhere special to the guest. So, Yassir, here, tell us where we are.

Yassir Abousselham:
Yeah. This place is a tiny island in the Caribbean. It's called San Salvador Island. It's in the Bahamas. And the island, I think, has one resort and maybe a couple of hotels. That's pretty much it, and it's just an amazing place. And I think if there's one other place where I'd love to be, aside from being on this webcast, this is the place.

Michael Coates:
I don't believe that we're in a close second to that at all. Yeah, it sure would be nice to be here for real. Our virtual getaway is as good as it's going to get right now. OK, so some really incredible companies you've been at, and so you must have seen security really through a different lens. And each of them had a different flavor to the role. What does it mean to be a CISO at a basically security company or a company that's selling a product to other security individuals? Do you find that that shifts the focus of your role? I mean, you mentioned a little bit about being the face of the company from a security perspective, but it must have entailed a variety of different activities from some of your other previous roles.

Yassir Abousselham:
Yeah, so I think that's one out of maybe two aspects that is different from traditional industries. Right. You are definitely expected to act as the face of the company towards everyone, everything that's external, all the external organizations, and that varies depending on the types of customers that you're pursuing. So for example, there is an expectation to be part of strategic deals and express to you, particularly to your potential customers, how you are going about being a good custodian of their data. Right. So a lot of times those interactions take place between security teams, but in some cases the CISO has to be there and they have to be the one to essentially commit personally to the fact that they will continue pursuing improvements in security posture, and they have the right controls in place to protect the data. One thing that is interesting that I think is worth mentioning here is those types of interactions tend to be even more important when it comes to doing business in certain regions, in certain parts of the world. And a lot of the interactions, especially with some Asian countries and cultures, the conversation is really not about security. It's about being there. It's about shaking hands. It's about forming those relationships. It's really about looking someone in the eye and saying, yes, I am here to protect your data and I'm not going to slow down. And obviously I'll continue improving the security posture and so on.

Yassir Abousselham:
So it's about forming those personal relationships as the cornerstone of trust. And I think that's an important thing that is good to mention here. The second aspect that I think is relevant for this conversation is the heavy, heavy involvement that you have with the product team. Specifically, what you want to be is a customer zero. So you want to be the security team that dogfoods any kind of new products and new features and provides feedback to the product team. So it is important to establish that feedback loop between security team and the product team. And part of that is to also, in addition to the feedback, provide them with access to information that we know about, things that are coming from the field in terms of changes to the threat landscape, trends and so on. So establish that communication channel that will act, who does act as a signal for the product team on how to orient and fine-tune as they continue working on the product roadmap. So we are customer zero at Splunk, and Splunk being a company that has, one of our products is a SIEM, one of the things that we're expecting to do is you have a showcase SOC, right, and share those best practices with our customers on how we use automation, how we use our SIEM to continue elevating our security posture.

Michael Coates:
Yeah, you mentioned automation a little bit earlier, and that really resonates with me as well. Like you mentioned, you know, for me at Twitter, you know, solving security in isolation is not as challenging as you'd think. Like there's a set of controls to apply to most risks and scenarios. But doing that at scale and with the facets of a fast moving business is a whole other thing. How have you brought in automation? Like how are you thinking about scaling your efforts? So it's not just, you know, more people to try and scale, which never works, but rather scaling something programmatically or operationally.

Yassir Abousselham:
You know, I think it comes down to optimizing for speed and the best use of your resources. Right. And when you think about that, there is a number of things that come to mind. Automation is the first one. So obviously talent is scarce if you're actually pursuing high performers and when you have one, and then the next thing that comes to mind is how am I going to be able to use them to their full capacity, but also how to keep them challenged and make sure that we in this case automate any kind of mundane tasks. Right? And, you know, there's obviously two schools of thought. One is have an automation function, right, that acts as a shared service to the rest of a security organization, and that uses standard tools and so on to deliver on automation requests and requirements from the rest of the function. And second is to have embedded automation engineers within each one of the teams that require this kind of transition. What I've chosen to do, in fact, this is I have a little bit of a different approach that I'm taking right now compared to Okta, is to have a hybrid model where we have both an automation team and also engineers that are embedded with the teams that require kind of a heavy lift, but also somewhat of an expertise in the domain. An example would be automation engineers that are embedded within IR team or within the detection team. So there are some things that I think would be helpful in the context of that topic. The next thing I would say is it is important to have in your bag of tricks a SOAR technology that is best of breed and allows you to speed up some of the work that is involved in automation, so to the extent that, for example, you have a SOAR tool that is integrated with a number of your vendors right out of the box. Again, that shortens that cycle of going from an idea to actually implementing something and deriving value.

Michael Coates:
Yeah, yeah, I agree and it's fascinating, you mention the embedded model, I see a lot of security programs using a security champions-style approach to either deputize someone who's already in the team with security responsibilities or put someone from security team in there from an almost subject matter expert perspective. What I'm hearing from you is you're doing that with a twist that they're an automation specialist, but they still bridge that security gap. So they know what matters from security, if I'm hearing that right. And they help you automate your pursuit of it. Is that right?

Yassir Abousselham:
Exactly. So we actually do that with a number of, I just call them specialties at this point, right, so I have automation engineers and I have folks who specialize in analytics and also machine learning. Machine learning right now is heavily used in the context of SOC operations, security operations, and specifically to further the threat hunting program. But it does exist as its own function. And anyone in the security team can call on this function, kind of have a discussion on whether they're going to be able to leverage those skills and those capabilities to further their and speed up the need to take to attain their objectives.

Michael Coates:
That's really cool. I like that. So with consideration of the world and the time that we're in, maybe this will be all long forgotten if you're watching this recording years from now. But we're in the midst of a global pandemic, the midst of COVID. How do you think that's going to impact security? What does security post COVID or continued COVID, what does that look like? Are we returning to the office? What does that change for our technology, our security thinking?

Yassir Abousselham:
Yeah. So my perspective is that we are embarking on what I call the new normal. Right. And kind of my rationale is that a lot of us in the security community and, actually beyond security pretty much every professional, have been historically skeptics in terms of can we attain the same level of productivity and team collaboration when it comes to work from home. Now we have this current situation where in fact it's actually forced us to work from home. And what we've noticed as security practitioners, but also at the company level is a number of things that frankly, a lot of them are just win-win for everyone who's involved. From an employer perspective, obviously, we've been seeing an increase in productivity, right, from the employees. The second thing I think employers are seeing maybe a drop in costs when it comes to facilities, travel and so on. So that's definitely a win for an employer. On the flip side, for the employee, I don't have to spend as much time commuting. I can spend more time with my family. I can be more productive. I can be more social while delivering on my mandate. So, again, I think this is a win-win situation and coming out of the current pandemic, which I hope is going to be fairly soon, I can't wait. As you can see. But I think we will be in a new normal from a working model perspective.

Yassir Abousselham:
And that new model would be characterized by kind of a shift of that ratio between employees who are working strictly from the office and those working remotely. And I think it's going to tilt towards the remote work. So from that perspective, I think as CISOs, as security team, we need to consider the impact on our day to day jobs. My team has been, I would say, fairly early in recognizing the trend and we have conducted a risk assessment or threat assessment. This is a sort of an intelligence team that, you know, resulted in a number of insights. One is there is a number of risks that we need to pivot and prioritize compared to the previous model. And those risks can be thought of as, one is attacks against the endpoint. Now that the employee is no longer protected by the corporate firewall, we need to concentrate as many of our security controls in that endpoint. What that means practically is a strong EDR, but also the ability to do things like respond to incidents more effectively as they happen, as they take place and impact the endpoints. The second thing is obviously phishing, right, we're not the only people who think about the impacts and the opportunity that the current situation represents in terms, you know, the thing that's actually interesting is that there has not been really a change in tactics.

Yassir Abousselham:
The phishing tactics and the social engineering tactics are exactly the same. It's just a theme that has changed. I would say even that the volume of phishing attempts is somewhat similar to what we've seen before. But now all of a sudden, everything is COVID themed. Right? So to counter that, obviously we want to have an entirely efficient solution coupled with a communication campaign to make sure that our employees are aware of the current threat landscape and then they're able to effectively protect themselves. Alongside of phishing and social engineering, some attempts to lure the employee into accepting MFA requests where they don't originate from them actually trying to authenticate. And I think what's important there is to partner with a strong security vendor, one that offers MFA solutions that are context aware. If the MFA request is originating from some place in Asia while the employee is in the US, then that should be blocked automatically by the MFA provider. Now, at a minimum, the employee should actually see information about the origin of that request so that they can make an educated decision on the spot. The next thing that comes to mind is corporate data spillage. Obviously a lot of our employees, I guess some employees in this case, will be tempted to use personal devices to access corporate resources and data. And what that means is a risk to the corporate data, whether it's from the perspective of the employee still working for the company and potentially that personal device being compromised.

Yassir Abousselham:
But also when the employee leaves the company, they can maintain access to that data, which is obviously a different type of problem. From a solution perspective, what we have decided to accelerate is kind of a zero trust agenda where we want to tie identity to the hardware that is IT managed, so from that perspective, if you try to authenticate or coming from an IT managed laptop, you can get access to the system, the resources that you typically have access to. If it's a personal device, then that scope will be reduced dramatically to the extent that we can limit access to sensitive information. And then the last thing that came out of that exercise is the risk of malicious public and public network. I think after we know someone discovers a vaccine and so on, we go back to the real world. I see a scenario where a lot of our employees would be working out of cafes and public settings and so on. So I think it is important now to make sure that our endpoints are hardened. To the extent that you can rely, that endpoint will remain secure as much as that's even a term of being 100 percent secure, but to remain as secure as possible in the context of a public setting.

Yassir Abousselham:
The last trend that we started talking about is not to say in the context of Splunk, but our customers is this acceleration of the move to the cloud. A lot of the companies that have been sitting on the sideline and thinking, OK, well, we will maintain a higher level of security by managing our systems and applications on-prem. Now they're facing a situation where they had to multiply their VPN capacity by 5x, 10x, right? And that VPN becomes the single point of failure, which is obviously not acceptable to a CIO or CISO if they want to maintain their job, and I think this is a situation that calls for certain questions about, OK, well, what if really how secure is the cloud? Can we actually make it secure? Right? And does it make sense to diversify and hedge your bets? What do you think about the availability of our systems? And as we accelerate the migration to the cloud, what that will translate to is an exponential increase of the log volumes that are going to be available to SOC analysts to sift through, right? Hence, my previous discussion around SOAR, the importance of having a SOAR technology and automations, that those are some things that came up in the context of that analysis that we performed.

Michael Coates:
Yeah, yeah. That resonates a lot with many of the things I've been observing. I think some of the immediate impacts on visibility and applicability of controls is really interesting to dig into because like you mentioned, a VPN, you either have to massively increase its capacity or shift to like split tunneling. And if you shift to split tunneling, then all of your internal monitoring controls are no longer applicable because half the traffic or more is not even necessarily going into your network. So that realization of what works and what doesn't or if you go the other way and say, well, we will do full tunneling, but then your VPN is a single point of failure. Those are some new real challenges to think about. But yeah, and I'm glad when you mentioned public Wi-Fi hotspots, you know, they sometimes get thrown around as like this voodoo thing. You see them in some of the generic news articles about watch out for public Wi-Fi. I mean, I think we all read them and are like, tell me exactly what you're concerned about. And I think you got to what actually is the concern, which is if the device is in a potentially hostile network, whatever that is, it has to be secure. I totally, totally agree about that. Yeah, yeah, fascinating. Well, it's yet to be seen how long we're in this reality, and I think, as you mentioned, there will be a new normal, which will be different, hopefully, hopefully better in some ways, but nonetheless a moment to reflect and change. And let's see, I'm going to pull in a couple of questions from the audience. We have a few more lined up to go through. But I want to pull in a couple of theirs, too. All right. Let's bring this one in. So how do you explain to senior management and the board the value that the security function brings to the company? How do you talk to the board?

Yassir Abousselham:
Yeah, that is a really good question. I think to answer that question, we need to start from the perspective of the board mandates, essentially, what is the board supposed to be doing and the value that they're adding to the company and to the shareholders. The board is to a large extent, there to manage risk. Right. And as we progress as an industry or from a technology perspective, and we see how much of our day to day work is reliant on technology, how much every company now has to become a technology company, if not, they'll just disappear much. So it's that heavy reliance on technology that makes it essential for us to continue investing in information security. So now, you know, information is no longer seen as a tax, right? It is a way of doing business. It is a way to support the business, to accelerate business. But it is important in how we do our day to day work. The risk aspect of it is obviously relevant in the context of this conversation. And the board, whether they have picked up on this trend early on or they are responding to regulatory pressures, has to assess the risk of the company from the information and cybersecurity perspective. Has the interaction with the CISO, right. I think a few years ago it used to be that interaction for the most part, used to take place from the board into the CIO or maybe the CTO. And I think right now the board needs to hear, it's in the audit committee that they need to hear directly from the CISO, you know, what's to cover in the context of that conversation? It really depends, it varies from one company to the next.

Yassir Abousselham:
And at the core of the topic maybe is to understand what your board cares about and to have those conversations early on, to socialize your approach, have a proposal, come in with frameworks and so on, but know that if you don't cover anything, you have to cover the risks that you are currently managing. And it is not an answer or is not at least it's not advised to go in and to go into those kind of discussions with risks, but no mitigation plans. Right? A lot of the work, a lot of the negotiations, a lot of the planning and strategizing that, you know, that revolves around mitigation has to take place before you have a conversation with the board. If you go in with, oh, you know what, where doomsdays as they are near and so on, that's not going to go well. The board expects you to understand your scope, have a good control over your scope, your risks, but also have a robust plan on how you're going to mitigate those risks. The last thing I think that is worth mentioning is you don't want to go into those discussions with disagreements, right? Again, a lot of the conversations around when are we going to do this, priorities, funding and so on. A lot of that has to take place before you go present to the board. It has to be crisp, it has to be concise, and it has to be a presentation that caters to the interests of your board specifically.

Michael Coates:
Yeah, yeah. I think your note about the presentation of the board is not the first time they're hearing, and I think that's spot on. You've talked to them ahead of time. You know how they're thinking. They're prepared. They're not being surprised. You come with answers and plans like that. Very cool. OK, so kind of a quick one. What would you recommend in terms of books or podcasts for those looking for that next nugget of great information, anything that comes to mind?

Yassir Abousselham:
Yeah, one that actually comes to mind is a book called Scrum. And you can see the link to some of the earlier topics that we addressed, so Scrum by Jeff Sutherland. And essentially, it is about adopting the scrum methodology to projects that do not necessarily fall in the context of software development. I am very much passionate about optimizing things. I think that's one thing that I'm really interested in and scrum gives me those answers. Right. And what is essentially a methodology of optimizing the delivery of projects while allowing for the team to organize and to learn from their mistakes and to continuously optimize and improve as they go. But it's about doing that in a much smaller cycle than your typical waterfall project. I think all of us have been in situations where we have planned a project over the course of months, quarters, if not years. Right. And by the time we finish planning, it turned out that a lot of the assumptions that we have made actually are false. We ended up re-leveling and restarting the project multiple times and so on. And to me, that actually translates to waste. What Scrum calls for is this approach to consistently deliver and iterate on the product. So any time you finish those biweekly sprints, you actually deliver a product that is capable of adding value. And there is that does not really have dependencies of the work that's going to be executed in future. The other thing that it does is that it allows you to continuously focus on the highest priority items. When you think about a sprint, it's two weeks. There's just so much work on two weeks. And so part of the discussion is on the sprint planning is to identify those highest priority items. And those are typically the ones that are getting tackled. So at Splunk, we have been piloting the scrum methodology in one team. And I think if everything goes well, we would like to actually use that as the way to plan and execute work going forward, across the board, within the security team.

Michael Coates:
Yeah, I've really been a fan of all of that thinking as well, and I think being an engineering focused technology organizations, you see that they've adopted that and you say, well, we can adopt this for other things that might not be on a development cadence, but still apply the same way. We could talk about it at length. But I've done a bunch of, you know, thinking about our structures and how they have many benefits, but also have a lot of pitfalls on that longer horizon. And while a scrum in the care, of course, thinking about things at different levels, that short horizon really forces you to say, like, how do I make the most impact right away versus to your point, like waterfall, like talking the thing to death for 18 months and then realizing everything shifted under you. So that's fascinating. OK, so last item here, there's a lot of people that are thinking about getting into the field of security or maybe aspiring to lead security as a chief security officer one day. What is your advice for that next generation of security folks?

Yassir Abousselham:
Yeah, I mean, and this is my personal opinion, obviously. But I think this professionally is about passion. So if you're passionate for security, for break things and maybe defend, I mean, it depends what your motivation is, but it is you have to really be passionate about your job. I think that's a good place to start. If you're not passionate about security, then you're in for a treat. It's not always easy. And there is a number of avenues that one can kind of look into in terms of how to get into a career in security. And those avenues can vary from, you know, risk and compliance, could be security operations, AppSec and so on. But the bottom line is that there's not one answer in terms of how to get into information security. Once you're in it, if you're passionate, it's very rewarding. And I think you will wake up every day thinking, OK, this is the best of my life. And I'm actually excited about going back to work, not in the COVID context, but maybe going into my office. And now to address the question of CISO or no CISO, I think maybe it comes down to are you passionate about everything and are security or is there a specific discipline or topic that is more interesting to you than the rest? If it's the latter, then I recommend that you pursue the IC career path, individual contributor, and you can make you can have a really good career as an IC.

Yassir Abousselham:
And the more you specialize, the more obviously you're good at what you do, the more demand there's going to be for you, you know, in the context of your company or position or from a career perspective, you choose to move on to your next organization. If you are like me, someone who just cannot let go, who's interested in everything, then definitely the CISO career is one for you. That's for you. Right. It allows you to have that 360 degree visibility of everything security. It is, as I mentioned, both rewarding and challenging because you actually spend your time a lot of your time negotiating and removing hurdles for your team and so on. And the other thing that you realize is that as a security team in general, the odds are somewhat stacked against you. You're right. You are outnumbered when you think about the ratio of defender to attacker. And from that perspective, it is a challenge because to use the knowledge of a castle with a thousand windows and that is constantly being built in, new windows are being added which way you secure first, you're secure by closing windows or you go in for a threat hunt. And look, if there is, you know, someone who actually already inside your environment, we think about it in the context. Well, those castles now, it's no longer just your castle, you have to protect data in additional castle. So it can be pretty challenging. The second aspect of the challenge is that you may have thought about as someone who or the security team in general, someone who is slowing down the delivery of the products or the business, right, someone who's adding friction. And those are fairly challenging conversations to have. But they come back to the culture of the company. Right. And if your company values security, then it's kind of straightforward. If there is tone from the top and everyone along the organizational hierarchy of value security understand why you're there for.
Obviously, it is embedded in the mission of the business. Then you have your job cut off for you. But other than that, it can be pretty challenging. So that said, I think it is a very rewarding career. I don't think I would have done anything else if I was to do this from scratch. So definitely recommend it for everyone who's interested, intrigued by a security career.

Michael Coates:
That's awesome. Passion. I agree, the passion matters a bunch, that's for sure. Well, this is great. I really appreciate all of your time. Fantastic thoughts and ideas shared with everyone. Thank you, everyone who joined live. Thank you to those who are watching this recorded version afterwards. But we'll come to you again in future weeks with other CISO webcast. So make sure to check us out. We announced on the LinkedIn page and again, this is brought to you by Altitude Networks protecting data in the cloud and cloud applications. So check us out if that's of interest. And again, thanks so much for your time. Really appreciate it. Really awesome.

Yassir Abousselham:
Thank you for having me, Michael.

Michael Coates:
Thanks.

