How Security Pros Handle Complexities with the Shift to the Cloud | TJ Gonen and Dmitriy Sokolovskiy
Security professionals sometimes find it hard to absorb the notion that the cloud was actually by definition designed for developers.
A developer is not a regular techie. In fact, they are not a techie at all. A developer is a creative person.
And if you put any constraints on a creative person, you will kill their creativity.
We [security professionals] may not be able to understand them, but what we have to try to do is listen and hear them in order to simplify their lives.
Find a developer next to you and give him a big ass hug.
Brutally honest insights from TJ Gonen, Vice President for Cloud Security of Check Point, and Dmitriy Sokolovskiy, VP and CSO/CISO of Avid and Principal CISO Advisor, Lead Instructor of Audience 1st.
In this episode, Dani Woolf had a conversation with TJ and Dmitriy about their challenges, goals, what vendors do that piss them off, and the alternatives.
Guests at a Glance
💡 Names: TJ Gonen and Dmitriy Sokolovskiy
💡 What they do: TJ is currently the Vice President for Cloud Security at Check Point and Dmitriy is currently the VP and CSO/CISO of Avid Technology and Principal CISO Advisor, Lead Instructor at Audience 1st Academy.
💡 Where to find them: TJ Gonen and Dmitriy Sokolovskiy
Keeping up with the pace of change is not a walk in the park for anyone.
Keeping up with the fast-paced world of cybersecurity isn't exactly a walk in the park, to say the least. In this industry, acquisitions are common, which is exactly how TJ ended up at Check Point. His company in the cloud security space was acquired by Check Point a few years ago.
TJ knows all too well the challenges of the industry, saying, "What keeps me up at night, beyond the usual, as you would expect, like meeting business objectives, which is very important as part of our day job is I think keeping up. Just generally speaking, keeping up."
TJ's problem is what we call the hundred times problem. Everything in the industry is a hundred times bigger, faster, and more spread out. It's a challenge to keep up with all the changes happening at lightning speed.
He adds, "Just finding better ways, more efficient ways to keep up with the pace of change. That's the number one hard thing on my agenda."
This is where people like TJ come in handy. CISOs, or chief information security officers, can't possibly keep up with everything happening in the industry, and that's why we need vendors like Check Point to help digest all the technology changes happening.
Dmitriy says, "We need people like TJ to do this 24/7 because CISOs cannot even try to keep up with everything. We barely touch the very tops of the keep up. We need the vendors to do that initial digestion of technology."
What are systematic methods that can help to keep up with the pace of change?
TJ suggests using the "1-3-2" method for strategic planning in the industry. This method involves predicting where you want to be in two to three years and then working backwards to figure out how to get there.
The process is simple:
- "1" represents where you are currently
- "3" represents your future goal
- "2" is the series of actions that will take you from "1" to "3."
The idea is to visualize the end goal and then figure out the steps you need to take to get there.
It's important to note that this process is a cycle. As soon as you reach your "3" goal, you need to start working on your next goal.
“The only way to actually keep up is to understand that you can't fully keep up. And unfortunately, as soon as you're closing in on a 3, you already have to be doing the next 3. Now, 3 is a 1, it's a cycle,” says TJ.
TJ suggests that it's crucial to have a clear idea of the landing point, or the end goal, because otherwise, it's just a series of disconnected actions.
By using the "1-3-2" method and visualizing the end goal, it becomes easier to think strategically and plan for the future.
However, many people, including most CISOs, struggle with this process. It can be difficult to step outside of the present, or "1," and think about the future, or "3."
“[As CISOs], we are in 1 trying to get to 2, and the vendor is there with a bunch of 3s that we might choose from to get to. In many ways the vendors are like the science fiction of the 60s and the 50s where they were coming up with the flip phones. First it was science fiction and then it was made into the real world,” says Dmitriy.
“Theoretically your immediate guess would be that people have a hard time sitting down and defining 3. I find a lot of people having a hard time even trying to figure out 1. Trying to give an honest, unbiased, realistic opinion of ‘where I am right now, what's working and not working,’” says TJ.
“Start - Stop - Continue” method
In addition to the "1-3-2" method, there's another strategy called the "Start - Stop - Continue" method, which is used by Amazon Web Services (AWS) and can be helpful for CISOs.
This method involves evaluating what needs to be started, stopped, and continued at the beginning of each year:
- What should we start fresh?
- What should we stop doing?
- What should we continue doing with what we're doing right now?
The idea is to reflect on what's working and what's not, and then make changes accordingly.
This can be challenging for some people, as it can be difficult to admit what's not working and identify areas for improvement. However, it's a crucial step in staying ahead of the game in the cybersecurity industry.
“Sometimes it's so hard for some people to say out loud: ‘What sucks right now? What's working and what's not working?’ Forget 3. Even 1 is hard!”
It's worth noting that CISOs need to have a holistic understanding of the business to make informed decisions that will impact revenue streams.
This means that they need to understand how the decisions made by their team will affect other departments and the overall organization.
By using both the "1-3-2" and "Start - Stop - Continue" methods, security practitioners can gain a deeper understanding of their organization and develop a strategic plan to keep up with the fast-paced world of cybersecurity.
What complexities exist with the shift to the cloud?
One of the complexities that might exist with the shift to the cloud is the challenge of defining the current state, or "1," of an organization. This is because people tend to operate in their immediate circle, or "zero," which can make it difficult to step back and assess the bigger picture.
“Many people have a hard time defining the 1 and it's because people don't actually operate in the 1, most of the time people are in a zero. Zero is the immediate circle around yourself,” says Dmitriy.
Defining the current state requires a conscious effort to pause from day-to-day activities and evaluate where the organization stands. This can be a difficult task because the way we see ourselves and our work may not align with the reality of the situation. It's important to make a conscious effort to assess where we are and what we're doing, regardless of the environment or situation.
“So 1 requires you to pause from doing the zero and actually look where you're standing. That's a conscious effort.”
The shift to the cloud can bring about other complexities such as:
- Data security
- Regulatory concerns
It's crucial for organizations to address these challenges and develop a strategic plan to mitigate any risks associated with the shift to the cloud.
“The way you see what you're doing and the way you're feeling is not the same as you making a conscious effort to assess what it is that you are, where you are and what you're doing. So that alone is difficult in any environment, any situation.”
This requires a holistic understanding of the business and the ability to make informed decisions that will benefit the organization in the long run.
Is the Cloud really making our lives easier?
The cloud was initially seen as an amazing solution that would make lives easier, but the reality is more complex than that.
Many developers are running blindly into the cloud, building new infrastructure and applications without considering the bigger picture.
As a result, the cloud can be difficult to understand and manage.
“Of course the AWSs of the world didn't make it easier because again, everything is turned on by default.
The cloud brings with it what clouds normally bring: fog, a lot of stuff happening, not much understanding, moodiness. So that makes it more difficult. It is more difficult to understand my 1, to understand my zero,” says Dmitriy.
Even cyber security has evolved to become cyber resilience, complexity management, and risk management.
While businesses may see the cloud as a way to save money and improve operations, it can actually be more expensive and risky:
- It gives less control
- There is less understanding of it
- There is increased uncertainty among people and organizations
- As such there is increased complexity and higher risk
Dmitriy asserts, “the cloud is amazing and it can be good if it's done correctly. But right from the beginning it creates a lot of headaches and we have to get used to this and know what we're doing. We need companies like Check Point concentrating their efforts in that space. This is one of the best tools we have to improve in this situation. We can't do it ourselves.”
While the cloud has the potential to make our lives easier, it is important to approach it with caution and a clear understanding of its complexities.
Businesses need to be aware of the risks and challenges associated with the cloud and work with experts in the industry to implement it correctly.
The real purpose and value of the cloud
The cloud was designed by AWS primarily for developers to speed up their development process. While security professionals may find it challenging to absorb this notion, it's essential to understand the real purpose and value of the cloud.
“We as security professionals sometimes find it hard to absorb the notion that the cloud was not designed for us. It was by definition designed for developers by AWS 100%,” says TJ. “That's how they build their business. Everything is for the builders, the developers, and it was designed for them.”
The real value of the cloud is its speed. This allows developers to develop more stuff faster.
While it may not always be cost-saving, it's faster than on-prem data analytics.
AWS provides developers with the ability to codify and control everything, but this can also lead to security issues if not done correctly.
The cloud is designed to have zero friction, which allows developers to move fast and innovate quickly.
Security professionals must embrace the fact that the old world is gone, and we need to adapt to new ways of doing things.
“A developer’s job is to move fast and the cloud allows them to do it but there's zero friction in the cloud… Security professionals have to embrace that the old world is gone. I sat with a customer last week and she literally said to me: ‘I miss the time developers needed me to open a port, to open or close something for them,’” says TJ.
It's essential to understand that any tool security professionals develop must enable developers to move faster because if we slow them down, they will find ways around it.
Security professionals need to understand the importance of adapting to new ways of doing things and creating tools that enable developers to move faster, without compromising on security.
Will we see security professionals move away from the cloud given complexities?
While there may be some security professionals who are hesitant to move to the cloud, there is a lot of value in doing so.
“There's just too much value in moving to the cloud: the speed, elasticity, flexibility, ability to spool up and spool down on a dime. All those things are massively important. Geopolitical resiliency… you can go on and on.”
The issue lies in the naming of the industry itself.
When we refer to cybersecurity and security in general, it can make it seem like we are trying to secure an insecure way of doing things.
“This is why we're having the problems we're having because the only way to secure it is to lock down. And lockdown inevitably is a loss of functionality, loss of speed, loss of a lot of different things. And, not surprisingly, everyone is against it,” says Dmitriy.
“I don't see shifting away from the cloud, I'm starting to see a lot more codification of things, which allows for standardization, allows for easier testing and so on and so on, leading to what I hope is the utopian world of not needing a security team,” he adds.
It's important to approach the shift to the cloud with caution and a clear understanding of the risks and challenges associated with it, while also working to ensure security measures don't compromise on functionality and speed.
How Security Practitioners Can Simplify Developers’ Lives
The reason why some cloud deployments may be insecure is not necessarily due to a security problem, but rather the result of complex and poorly documented configurations.
Solving this issue with a security solution can be problematic, as security solutions were not designed to handle this type of problem.
Instead of focusing on locking everything down, the industry is moving towards simplifying and standardizing processes in the cloud. This will allow for easier testing and greater efficiency, eventually leading to a world where a security team may not even be necessary.
Dmitriy says, “we are attempting to solve it with a security solution, and that's a problem. We are trying to nail a small problem with a tank. They weren't designed for this.”
We are trying to reduce complexity and uncertainty. And in the cloud it's actually a lot easier to accomplish that, there’s a lot more flexibility to simplify. A lot more ways to massively deco something without losing a lot of functionality. This is what developers are always good at.
“We are moving away from “let's lock it down” to “let's simplify it”. Let's explain it, understand it, and make it better, cheaper, simpler.”
The goal of security professionals should be to make it easier for developers to do the right thing, rather than putting roadblocks and adding complexity.
TJ asserts, “As long as we make it harder to do the right thing, people will do the wrong thing. I like to give this example. We grew up in Israel and back in the day we pirated every freaking movie on the planet. You know when I stopped? When it became easier to do the right thing, it became cheaper just to get Netflix or AWS.
“So our job is to make it easier for them to do the right thing. Talk their language, integrate with their tool, automate stuff.
“If we make it easier to do the right thing, they’ll do the right thing. As long as we put roadblocks, make it complex, send them all sorts of remediation.”
Closing thoughts: find a developer next to you and give him a big ass hug
One of the key takeaways from our discussion is the importance of listening to the other side, particularly developers.
It's crucial to understand that developers are creative individuals who are developing within a different medium. They're not just techies, but creators who need space and freedom to be creative.
Constraints on their creativity can be detrimental and kill their innovative spirit.
“The only job we have is to allow these incredibly creative people that are very, very weird creative people to create. We may not be able to understand them but we have to try and listen, hear them all the time and try to simplify their lives, oftentimes at our expense,” says Dmitriy.
Approach them with empathy, ask questions, and try to learn more about their lives.
Find a developer nearby and give them a big hug, and apologize for not always understanding them.
It's time to work together to create a more productive and collaborative environment.