Cloud data security is top of mind for CISOs. User data is moving across clouds, platforms and applications, and if we don’t shift to a data-centric approach, we won’t be able to protect that data.
Jack Miller, head of professional services at Menlo Security and a CISO for over 16 years before that, addresses the balance between data, security and end-user convenience. Locating security controls close to users, close to data, or close to both is an essential strategy for adapting security to the expanding footprint of data.
The video is immediately below, followed by the transcript of the conversation. Enjoy!
Transcript
Mitch Ashley: Well, I have the great pleasure of being joined by Jack Miller. Jack is Head of Professional Services, and also a former CISO at a different company, and he’s with Menlo Security. Jack, great to be joined by you today.
Jack Miller: Thanks, Mitch, it’s great to be here. Yeah, before joining Menlo, I spent most of my career on the other side of the table as a practitioner. I was actually CISO at four different multi-billion dollar organizations over a span of 16 years. Been in the trenches for a long time, fought a lot of the battles—won some, lost a lot, and here I am today.
Ashley: Such is the career in security, right?
Miller: Yes, it is.
Ashley: [Laughter] No doubt, no doubt. It’s a great pleasure to be talking with you. So, there’s a lot of things, of course, we could talk about, Menlo’s a great company, got some fantastic offerings.
What I’d like to really spend some time on is data. You know, we think about—I like to say there’s three reasons any application development team outside of IT is gonna come to IT. Security is one, and access to data and integration with systems.
Miller: Mm-hmm.
Ashley: So, let’s talk about data in the cloud, or what are some things we should consider maybe that we didn’t have to worry about in terms of securing data, but also not getting in the way with security for end user usability in the cloud.
Miller: Yeah. I mean, look, I think the last point you touched on I wanna kinda drill into a little bit, because I think it’s so significant, right? That, you know, no matter how vested in security an organization is, right, how high they prioritize it at the very top, how much money they’re willing to spend, right? At the end of the day, it comes down to a battle between security and potential impact to your users and your business operations and business processes, right?
And when you think about it, I mean, companies and organizations don’t exist to be secure, right? They exist to make money, they exist to provide a needed service, right? So, at the end of the day, that’s what’s really most important. And so, you know, as the user data starts to move everywhere and it becomes in different places and now, we have the users moving everywhere.
So, we went from a really nice little model in the past where we had our users and our data in the same place most of the time, and now we’re in a model where our users are everywhere and our data is everywhere. And if we don’t shift our approach from a data center approach that we used to have to a data-centric approach, then there’s no way that we’re gonna be able to properly protect the data and do it in a way that’s not gonna be extremely, a difficult situation for the users to access the data, right? We need to make it fast and streamlined and accessible and once there’s a hiccup in their way, they complain and then we have to start turning our controls off, right?
So, it’s a fine dance that we have to walk, and unfortunately, the legacy tools that we have and fitting into that data-centric approach just don’t really seem to work well in this new model.
Ashley: That’s always the struggle with security is the convenience factor. Don’t get in the way of my job, but make sure that it’s secure. Don’t get me in trouble for having a breach or something happening.
So, what are some approaches? Why do we have to think about this where we really can secure the data, wherever it is, and we’re creating more and more of it all the time, right? It’s a huge asset, but growing faster and faster. How do we do that where we can provide end users a level of convenience and security?
Miller: Yeah, I mean, fortunately, today, we have the cloud, and for all the, as a security professional, for all the heartache that the cloud’s brought me over the years and all the challenges that it does introduce, it does create this new opportunity now where I can, instead of having to have physical controls located somewhere, I can have virtual controls that are logically located all over the world, right? So, now, I can make sure those controls are close to the users or close to the data or close to both, whatever happens to make sense for any given business use case that we’re dealing with.
Ashley: Yeah, that makes a lot of sense, too. And also, I don’t know if automation is the right word, but the manual processes we’ve had in the past of providing access control, whether it be for applications or end users, it’s not realistic with how far and wide we’ve spread data and where it’s all located.
Miller: Yeah, and everything’s so dynamic that even if we could get our hands around it today, by tomorrow, we’re gonna be playing catch up again, right? You know, the cloud has made it really easy for things like shadow IT to flourish, right? So, now, business units can go out and they can add new apps.
So, we spent years in the enterprise putting in robust two-factor authentication solutions to protect our data. Now, suddenly, even if we go out and we do an analysis and we find all of our SaaS apps today and we protect them, what happens tomorrow when another business unit just happens to go out and start using a new SaaS app and they don’t tell you about it?
So, it is a struggle, right? But like I said, there’s a silver lining to it in that the same thing that’s making it difficult for us does give us an advantage to be a little bit more ubiquitous, I think, maybe would be a good word and where and how we can apply security.
Ashley: Mm-hmm. How do you think—and I know, you know, Menlo Security, obviously, being a security product company, but if you thought more generally, more broadly, has the market kept up with the uses and the needs of securing data in the cloud in particular, or we still have a pretty big gap to meet?
Miller: So, I think there’s kinda two parts to that, right? I think from a capabilities perspective, I think that we’re closing the gap, and I think significantly more capabilities exist today than existed a couple years ago to be able to do that, and we’re making, I think, huge strides and great progress there.
From an adoption perspective of getting these new capabilities and technologies out there and adopted with companies, right, that’s where we have the gap today. It’s always hard to get people to embrace new technologies and accept new technologies. And we’ve been talking about digital transformation for years and years, and it’s been very, very slow, the transition. And a lot of what we were seeing pre-COVID was being done to really save costs associated with remote locations, right, and eliminate those expensive MPLS circuits, eliminate redundant hardware and that type of stuff.
You know, now you throw COVID on top where you have, suddenly, all these remote users being remote that were never remote before. So, now, looking at using the cloud and direct access and things like that to kinda solve that same problem but coming at it from a different direction, right?
So, I think what I find interesting right now is that you hear a lot of people talk that this is the new normal, that we’ve proved that remote work can work and everybody’s gonna keep working remotely. And I don’t think this, today, is the new normal. I think that many companies are gonna have their employees come back to the office, for a number of reasons. But I think it’s gonna be very different than it was in the past.
I think now, those areas in the organization that weren’t allowed to work from home a couple days a week are gonna be allowed to, that weren’t allowed to be able to travel and be able to work are gonna be allowed to.
So, I think, you know, we kinda went from this everybody was in the office to now everybody’s at home, and I think now we’re gonna go back to, it’s almost a—who knows where everybody is, because they can do their work from wherever they wanna be.
Ashley: You’ve sort of disproven whatever maybe-ness, maybe partial truths that, you know, “You can’t do this work remotely.” Well, we had to, we did.
Miller: Right.
Ashley: You know, what’s interesting, I think a lot of folks are thinking of a hybrid model, even people that have employees come back to the office is, “Yes, but maybe one or two days of work, they can very easily work remotely.” So, maybe that’s a closer step in the new normal that we’re, at least for the next couple of years gonna be experiencing, and who knows what happens after that? [Laughter]
Miller: Yeah, exactly, exactly. No, I think that’s where we’ll land. I think it makes perfect sense. I think, from a productivity perspective, that’s probably the best path forward. And I think it’s a path we can secure, as long as we’re adapting our approach, right, and we’re focusing on where the data is and securing the data as opposed to, again, being focused in the traditional model of where the office is or where the data center is.
Ashley: Now, I’m curious your thoughts about this. I’m sure others are thinking about it, I just haven’t heard it a lot in the kinda open press or writings. With so many people mobile—of course, if you would’ve had time to plan it, you might have done some things differently, but thinking forward, if we are gonna live in this hybrid world, there’s probably information, some data that you want to, telemetry information you wanna track about how people are using your applications, where they’re using them from. Maybe the same, of course, applies to customers, if they’re more mobile, also, and yet more data that we’re generating and creating to target this, you know, broad ecosystem of data that we’re trying to collect.
And now, so much of that data is going back into how do we create a better experience for employees, how do we create a better experience, better services for our customers? So, all of that data is just as important as the credit card transaction that goes through—well, maybe that’s a little more important, but it’s all important that we can share that. So, the challenge, to me, seems like it’s getting bigger, not smaller.
Miller: Yeah, I think it’s getting bigger, and I think we’re seeing—it’s been a while in progress, right, but I think we’re seeing a shift to more of the ransomware type of attacks. I think that it’s easier for the bad guys to quickly monetize their code with a ransomware attack with less chance of getting caught. And plus, one might argue that, you know, we talk about herd immunity for COVID and things like that. From a data privacy perspective, maybe we’ve reached herd immunity because so many people’s data’s already gotten stolen, right?
So, at some point, there’s so much personal information out there that the data itself starts to become devalued, right? But hey, just like the battle we fight as security professionals that I can’t impact my users, I can’t impact my business operations, right, the bad guys are keying in on that, saying, “Look, that’s the most critical thing. If we can get in there and threaten to be able to impact those, then that’s a very viable path for them that they keep following right now.”
Ashley: Yeah, it’s the whole business continuity, right? That’s what the ransom is about.
Miller: Exactly, exactly.
Ashley: Using your data for some other purposes, which can happen, also, as well. I’m really curious, just in your personal story as a former CISO, both organizations large corporations—what are some of the things that you were bringing into the role in Menlo Security that you’re hoping to help? I’m sure you have that list of things, “If I could’ve had a product that did this” or some of those problems that you’d love to help Menlo and the broader community solve.
Miller: Yeah, I mean—so, look, let me kinda break that into two parts, right? Because there was a process that I went through when I decided to switch teams, if you will, right, and go from being a CISO to working the vendor space. And a lot of people ask me that question all the time, “Why did you leave being a CISO?” Right? That’s the role everyone wants to get to today—‘til they get there for a while, and then they wanna leave. But, you know, there are a number of—
Ashley: ____ future that you wish for. [Laughter]
Miller: Exactly. But, you know, one of the big drivers was that, you know, what becomes very clear to me over the years was that most security companies, the vendors, they don’t have a lot of people there that have worked on the customer side before as the practitioners. And so, they don’t really understand the real world in which a company lives and operates, right?
And so, you know, they don’t understand this balance between security and impacting your users. And what that means for you as a CISO, with how far back it can set you—I mean, a story. I’d implemented a large scanning, vulnerability scanning system, a huge vulnerability scanning system. And somebody did a scan one night on his server that was running an old, vulnerable version of WebSphere, and it knocked the server offline. You know, we didn’t get medals because we found these vulnerabilities before the bad guys did; instead, we had to stop all scanning and we had to redevelop our process so that we could ensure that if we ever took a system down scanning that it wouldn’t impact production. I’m not gonna say that we shouldn’t have done that in the first place and that’s not the right way to do it, but again, it just kinda highlights this one step forward, two steps back, right?
Another example where you see this gap is, ask any security practitioner, right, about IDS/IPS, and they’ll say IDS. Ask any security vendor out there, and they’re all IPS, IPS, IPS, right? But the practitioners know I’m not gonna turn on prevention mode, because the collateral damage to me and my program and what I’m trying to accomplish is too great, right?
So, that was really kind of one of the big things I wanted to bring here. And I feel like heading up professional services is an opportunity for me to do that, because that’s when we’re really working with the customers and we’re trying to get them deployed. And by having that empathy and showing the customers we understand what’s really important to you and we’re not just trying to force a level of security down you, we’re trying to help you be secure but be successful at the same time, I think there’s value there. And that was one of the big reasons why I ended up coming here and what I’m trying to do with Menlo.
You know, the other part of the answer would be from a technology perspective. I think from a technology perspective—and I don’t wanna make this sound like a company pitch here, right, but isolation can provide such a level of value that really, at the end of the day, nothing else can. And I think I’ve always been a big fan of isolation, going back to the very beginning when there were some companies that maybe tried to bite off too much and isolate too many things and that didn’t really work well, right? So, by narrowing down the surface and focusing on what really matters, which is web traffic, isolation can, for whatever connections you can isolate, you can virtually remove your risk, which is unheard of in the security field.
But, you know, it’s hard, it’s not easy. There’s a hurdle to get there during deployment, and if we’re not understanding those challenges for the customers, then, you know, as a vendor, we can start pushing them too hard and we can push them into trouble without intentionally wanting to do that.
Ashley: Yeah, your experience, you and I have that shared experience, because I’ve been both on the practitioner and the CTO profit company side of it as well. It seems like one of the things that I would guess you would bring to this is, you know what it’s like to try to use products maybe similar, maybe the same as what you’re working with, with Menlo. And you’re immediately gonna have a very good feel for what’s gonna work well for the customer, what’s gonna work and what’s not, because you can very quickly assess where they are and what they’re going through, maybe some similar things, maybe different, but you’ve been in very similar shoes.
So, you can help bring something to the table to them that is much more compatible. You know the balance of security versus user experience versus availability versus whatever, you know, reporting to the board—all that stuff, all those issues. And you can’t teach that to someone, so that’s a unique skill—unique value, I should say, that you bring.
Miller: Yeah, well, and, you know, given the options, right? So, interacting with someone like you and being able to—you know, again, a lot of companies want to kinda sugarcoat things. And, you know, as a CTO, right, I’m sure you would agree any day of the week, you’d rather have someone tell it to you straight so you can properly prepare than have someone kinda just make things sound like they’re easier than they are, right? And—
Ashley: The worst problem is the one you don’t know about.
Miller: Right. And so, you know, being straightforward with people and being—you know, oversharing the information and giving them options, right? I mean, at the end of the day, we’re the experts in our technology. So, it wouldn’t make sense for us to ask you, “Well, how do you want this done?” but for us to be able to come to you and say, “Look, you know, here’s a few different options and here’s the pros and cons, right? We don’t totally know all the intricacies of your unique situation, but you know, maybe it kinda fits in with one of these, and what do you think makes sense for you to proceed forward?”
Ashley: Can you tell us a little bit about some of the professional services that you do offer through Menlo?
Miller: Well, I mean, largely, it’s deployment services, right? So, we have a deployment service process we call our QuickStart Deployment service. You know, one of the main tenets is really, we gotta help customers be successful, and a lot of customers, they get a little bit too excited, they try to run before they can walk.
And so, by putting together, really, a defined process that slowly walks you through it allows you to get your users onboarded, start getting some level of value and security from it so that when you start moving into the harder areas, where you might start impacting some people, you’ve got some good ammunition of value to be able to offset the conversation. Whereas, you know, a lot of customers just wanna run right out the gate and turn everything on full bore. And some of them won’t even do that and start with doing it with their executives, right? So, a lot of—[Laughter] I know how crazy that sounds.
Ashley: Good luck with that. [Laughter]
Miller: Right, so, a lot of what it’s doing is trying to save the customers from themselves, right? They get excited, they see what it can do for them, pull them back into reality, let them know—look, here’s the pitfalls, here’s one you’re not gonna be able to avoid, but here’s how we can minimize it, right, the time to resolution, and here’s others that maybe you can avoid if we take some proper steps up front.
Ashley: Good. I’m sure it’ll be very valuable to Menlo’s customers. And folks can find out more about professional services on MenloSecurity.com, I assume, correct?
Miller: Yep, definitely.
Ashley: Great. Well, it’s been a pleasure talking with you, Jack. I wish you the best, and I’m sure it’ll be a lot of fun working with customers in your role there at Menlo, so thanks for joining me today.
Miller: Well, thank you very much, Mitch, I enjoyed it a lot.
Ashley: You bet.