Can Cybersecurity be “Agile”? with Brian Wagner

June 10, 2025

In this comprehensive interview, Brian Wagner, CTO at Revenir and former AWS security executive, shares insights from his new book "Redefining Information Security" and explains why the cybersecurity industry needs a fundamental shift in approach. With over 20 years of experience leading security transformations across enterprise organizations, Wagner presents a practical framework for moving beyond reactive security models.

About the Guest:

Brian Wagner brings extensive C-suite experience from Amazon Web Services, Moody's RMS, Bulletproof, and Defense.com. Based in London, he speaks globally on cloud security, AI-driven solutions, and security transformation. His latest book "Redefining Information Security" introduces a three-level maturity framework that's gaining attention from security leaders worldwide.


Key Discussion Points:

  • The Security Maturity Framework: Wagner outlines his three-level approach—Reactive, Proactive, and Adaptive security—explaining how organizations can assess their current position and plan strategic improvements. He emphasizes that most companies remain stuck in reactive mode, responding to threats after damage occurs.
  • From Cybersecurity to Information Safety: The conversation explores Wagner's concept of treating security as "information safety" rather than traditional cybersecurity. This cultural shift makes digital protection everyone's responsibility, transforming potential vulnerabilities into defensive assets.
  • AI in Security Applications: Drawing from his work at Revenir, where the company handles sensitive financial and personal data across international borders, Wagner discusses practical AI implementations for pattern recognition, fraud detection, and compliance monitoring. He explains why AI excels at identifying normal versus abnormal patterns in security contexts.
  • Security as Business Enabler: Wagner demonstrates how security can function as a competitive advantage rather than a cost center. He shares strategies for communicating security value to go-to-market teams and integrating security features into product development cycles.
  • Compliance vs. Security Balance: The discussion addresses the relationship between regulatory compliance and actual security, with Wagner explaining how compliance represents minimum standards while effective security requires ongoing investment and adaptation.
  • Open Source and Democratic Security: Wagner advocates for open source collaboration in cybersecurity, arguing that community-based approaches provide more transparent and accessible security solutions, especially important given recent changes in vulnerability disclosure programs.

Practical Implementation: 

The conversation includes real-world examples, from detecting sophisticated employment fraud schemes to integrating security practices into agile development workflows. Wagner emphasizes incremental improvements and measurable outcomes.


Book Recommendation:

"Redefining Information Security" offers a strategic approach to security leadership, focusing on cultural transformation and business alignment rather than purely technical solutions. The book provides frameworks for security professionals and business leaders looking to modernize their approach to digital protection.

This interview provides valuable insights for cybersecurity professionals, technology leaders, and anyone interested in understanding how AI and modern approaches are reshaping enterprise security practices.



Full Transcript:

Justin Beals: Hello everyone and welcome to SecureTalk. I'm your host, Justin Beals. 

I've been thinking lately about a fundamental shift happening in security leadership. One that goes far beyond the threat intelligence feeds or compliance frameworks. 

It's about how we think about security itself and frankly, how we can get it wrong. If you were to walk into any oil and gas company office, not the oil fields, just the corporate headquarters, everywhere you look, there are reminders about safety. 

Safety protocols are woven into the fabric of daily operations from the glass corner office down to the machinery itself because that industry has learned through hard experience that safety isn't just the safety team's job, it's everyone's responsibility. 

Now, contrast that with many of our digital organizations today. When it comes to cybersecurity, we still operate under this outdated model where security is seen as a dark art practiced by hooded figures in corner offices. 

Security, that's not my job, that's the CISO's problem. But what if we flipped that script entirely? What if instead of information security, we're talking about information safety? What if we made cybersecurity as intuitive and culturally embedded as wearing a seatbelt or looking both ways before crossing the street?

This isn't just a philosophical musing, it's becoming a business imperative. 

We need to democratize security within our organization, realizing that good community is good security. Leading organizations aren't just buying more security tools. They are fundamentally rethinking their approach to security maturity. They're moving from reactive firefighting to proactive threat hunting, and ultimately to what we'll discuss today, adaptive security, that can treat cybersecurity like an agile business process. 

But here's where it gets really interesting in all this change. Artificial intelligence, of course, isn't just changing our threat landscape. It's also revolutionizing how organizations defend against threats. Now, of course, we can think about all the products that might be for sale, and we could talk about magic AI boxes that solve problems. But what we're really interested in this episode is talking about the practical applications where AI excels. It can do things very well, like pattern recognition at scale, without getting bored or tired. And harnessing these tools is critical for cybersecurity leaders. 

Also in today's conversation, we're going to explore these themes through the lens of someone who's been in the trenches, both as a technologist building products and as a security leader protecting organizations.

We'll dive into a practical maturity framework that can transform how you think about security strategy, examine real-world AI implementations that are actually working, and challenge some fundamental assumptions about the relationship between security and business value. 

Most importantly, we'll explore how the most effective security programs are often the most efficient ones, and how that insight can help you build both a stronger security posture and a more compelling business case. 

Our guest today is Brian Wagner. Brian is a security and technology executive and leader who has extensive experience in organizational transformation. He is an expert on robust cybersecurity practices with a career spanning over 20 years. His new book, Redefining Information Security, is out on June 24th. Currently, he's the chief technology officer at Revenir, and he's held previous C-suite and leadership positions at Bulletproof, Defense.com, Moody's RMS and Amazon Web Services. 

He speaks globally at high-profile events on the latest advancements and practices in cloud technology and security. He is based in the UK. 

Thanks for joining me today in welcoming Brian to Secure Talk.

-------

Justin Beals:  Brian, thanks for joining us today on Secure Talk.

Brian Wagner: Cool, thanks for having me.

Justin Beals: I wanted to kick off on a hot topic. It's been, I am almost tired of talking about AI, but inevitably something interesting happens again and I'm back full circle. You've spoken a lot about AI's potential in security, particularly in pattern recognition and compliance. How are you implementing AI-driven security solutions at Revenir? And what do you see as the kind of promising aspects of AI, you know, as a user or someone that's implementing for the enterprise?

Brian Wagner: Sure, sure. I kind of want to answer that backwards. That's how I generally think about these things that, you know, AI, I'm sick of talking about it as well, but it's got a lasting impression. You know, if you look back at technology trends or buzzwords or hype or whatever in the past, you know, things like blockchain, NFTs and all that stuff, not to say that those are irrelevant, please, please don't get me wrong. But, you know, there's a lot of talk about them, and then there's a, you know, there's not really a common use case or common application for those things. And then they sort of, they settle down. AI seems different. AI seems like it's kind of here to stay. It is, I think, talked about a lot, but I try to sift through all that by looking at what it's good for. 

That's what I've always built my whole career on is it's not about what can we use AI for or what can we, you know, what can we use this piece of technology? What can we do with it?

It's, it's, I kind of take it the other way around. It's a, it's a tool in a toolbox, right? If I need a hammer, I'll use a hammer. If I need a, I need a screwdriver, I'll use a screwdriver. So for me to understand AI, you know, I'm no longer a software engineer. So for me, AI was more theoretical. I still like to get my hands dirty. So I set out to understand AI mathematically and technically. And what is it, you know, is it really intelligence or is it, what is it? And, once you learn more about AI and what it's good at and how it's built.

And this isn't going to be a masterclass in AI by any means, but it does a really good job of pattern recognition. It does a really good job. That's how it emulates intelligence, right? It recognizes the inputs, even if it's human input, even if it is non-technical or not business-related, whatever, and it recognizes those patterns and gives you back something based on that pattern. 

And it seems so intelligent and it is applying that to security is really fascinating because security is about pattern recognition. Security is about knowing what normal is, so you can understand what abnormal is. 

Once we get into it today, I can't wait to talk about things like reactive security and predictive security and adaptation and all that. But understanding what's normal so that you can spot what isn't normal is like, that's the arms race of security.

So at Revenir, we're doing that in ways that you could, for anyone listening that is already a security professional can probably connect the dots and say, okay, great. You know, there's log data, there's, there's all sorts of telemetry from different services and whatever. You throw that into an AI and you ask it, what's, what's interesting about it. Sure. That's a low-hanging fruit, but the space that Revenir operates in, which is VAT reclaim, is a super-underserved market from a technology point of view.

It doesn't sound that interesting at face value. However, as a technologist and as a security professional, it's actually really interesting because security goes beyond what are the machines saying. We are in a space where a lot of personal identifiable information is being thrown around. There are very sensitive documents, passports and facial recognition and geolocation. 

These are highly sensitive pieces of information that aren't as easy to parse as, let's say, some log data, which has a standard format. So without giving away too much of our secret sauce, the AI that we've built is actually built in-house. We are not pulling GPT off the shelf. We have a specialty trained AI, several specialty trained AI models to look for basically these disparate data sources, including non-structured data like faces and passports and again, very sensitive stuff. And we are looking at not only cybersecurity, we're also looking at fraud, fraud detection and arguably better than the industry does it today, I would say.

Justin Beals: You know, in North America, we don't understand the VAT system. That's value added tax. Is that right? Right? 

Brian Wagner: Yes, yeah, it would be sales tax. Yeah, sorry. I sometimes forget that.

Justin Beals: But I think it's really unique. One of the things that you point out is that you're taking in financial transaction information and personally identifiable information, and not even as like a bank. Right. But cross banking.

You know, cross international borders, we might see that in like a hospital system, you know, here in North America, I think. Yeah, it is very sensitive. So you've been building models internally, even though your product is not software, to handle the pattern recognition that you want to optimize for at Revenir, right?

Brian Wagner: Yeah, it is software, right? We are not a SaaS, but we are a service provider for VAT reclaims. And we achieve that with software. Yes, yes, across the board,

Justin Beals: I think, you know, let's break into this concept, the reactive, we start there, right? That's where our kind of security, so many of the terms in the security space are so abused, but maybe our model, you know, for maturity, yeah.

Brian Wagner: Yeah. Like I say, this is fundamental of like even talking about AI or otherwise, but even before AI, what I used to do when I worked at AWS, I did some talks, a lot of talk, lots and lots of public speaking in the security space. And as everything, the other annoying thing besides talking about AI as a buzzword is that everything is a subscription now.

Justin Beals: Yes.

Brian Wagner: If you want, especially the enterprise, you know, everything is a subscription. Everything is a monthly fee. But what that really means in the risk and compliance space is now you're taking data and you're putting it outside of your organization. We're doing that over and over and over again. So the whole thing about knowing what good looks like, what normal looks like, it gets harder and harder and harder as we are shipping things away from the organization. That means now I need to consume logs from here and here and here and here. This one's a different format. This one's a different connection, whatever. 

So proactive versus reactive. I mean, reactive is the default, right? If something bad happens, I want to try to shut that bad thing down. That's easier to spot. But it's what I always said in my talks, and I'm trying to remember if I put it in my book or not, but reactive or sorry, proactive security and knowing what good looks like is like finding a needle in a stack of needles, right? 

You're actually finding a very specific needle in a whole pile of needles, right? Needle in a haystack is a lot easier. You got tools, you can just magnetize that thing out. But what if you have a stack of needles? Everything looks sharp. Then how do you find the right one? Because the thing is, when you look at all these breaches that you can see in the news and like Krebs, Brian Krebs does an incredible job and other journalists, like he's the most notable for kind of investigating these breaches. 

You can always track it down to something where you kind of look at that going, surely that was someone, someone somewhere missed an alert or there wasn't an alert. Like it could have been prevented had that organization known what good looks like. 

You know, if someone's trying to log in from Barbados at four in the morning and you don't have any staff in Barbados either living or visiting, and that's off-hours time, but they keep failing. You say, well, it's just a failed login. It's no big deal, but you know,

These are just little things that, when you put them together, are indicators of compromise long before the actual thing happens. In fact, in most enterprise-level breaches, if not the smaller ones as well, the attackers were probably sitting dormant for weeks, maybe even months, just watching. And knowing that the attacker was there in the first place is way in advance of reacting to when they breach data or what have you.

AI is helpful on that first part, which is finding what normal looks like. That way, just one uptick in the graph. That means a lot, actually. So what is that? Let's dive into that. And that's what I would argue where AI probably has the most benefit.

Justin Beals: Yeah. Another topic area I think we agree on, so I'm preaching to the choir here, is you've championed open source collaboration in security. And I love banging this drum. Can you, is there any good practical applications or use cases in your mind of how open source technologies are helping change the cybersecurity landscape for y'all at Revenir or broadly?

Brian Wagner: I would say more broadly, we probably have some better options more broadly. I'm using a lot of proprietary stuff internally. Maybe some of the models are open source, but I think without being specific, kind of on purpose, and maybe I'll get there, but with the defunding of the CVE program recently in the United States is obviously very risky for everybody.

But I think the advantage that open source technologies have in that space is that it is open source. It is community-based. And you've got people with direct access to that source code that can raise these things as they happen. And they don't necessarily rely solely on the CVE program. And that goes along with my, the reason why I'm so passionate to even talk about it or do security things is that it's democratic. Security is democratic. 

It is not a closed society. I think people find security professionals, at least traditionally, they say, Oh, no way, I'm not going to engage with them. Actually, they're the most welcoming educational group of people I've ever come across. But we've got to find a way to all communicate. And open source is a great way because a lot of the manifestation of good security practice is in technology. But that's, of course, not the only place that it exists.

Justin Beals: This concept though, Brian, I think you hit the nail on the head where, you know, security is democratic at the end of the day, right? It doesn't, you know, the whole reason that we work together instead of individually is for kind of a shared concept of what we can trust or not trust or rely on or not rely on. And if we're open about that, it's very powerful.

We've been working on software bill of materials work a little bit. And it's, I think we're in the nascent stages of understanding this kind of dependency maps. And we did find that there's interesting data on vulnerabilities, but to your point, you know, we're losing some of that practice. So I want to highlight, you have a new book coming out. Yeah, Redefining Information Security. And I like the bold title. So I'm just curious.

You know, there must be a new definition you're coming with, Brian. Yeah.

Brian Wagner: Yeah, it is similar to what I was kind of on the same vein as what I was just talking about, about democratizing it. And what that kind of translates to is if you take the word safety, that can mean a lot of things. And if we're obviously in the context of information security, but what about information safety? What about cyber safety? 

I think that's kind of the crux of the redefinition. And what I mean by that is if you've ever been to any customer site or worked at a site, a corporate site that is in the oil and gas industry, I don't know if you've ever been to like a BP or a Shell or anything like that. I did in my AWS days. And when you walk around these corporate offices, right, these are not like, it's not like oil fields. 

I'm not talking about oil fields, or I'm not talking about factory floors you get, they're everywhere. There's all this stuff about hold the handrail and wash your hands. Like it's, it is everywhere. You cannot look in any direction and not be reminded of your physical environment of safety. And that came from a lot of regulations and just the industry at large internationally with this very, very high standard for your physical awareness. 

Because as you might imagine, you know, people, especially in like factory situations, it's dangerous if you're not careful. But that's kind of what I, that's the challenge, right? I think in cybersecurity or information security is historically speaking, and thankfully things are changing, but historically speaking, it's like, security, that's your problem. You know, I'm not a security person. That's your job because it felt like this dark art. But if we talk about information safety, if we talk about that democratization of security is let me share why you're not.

You shouldn't be using your personal Google Drive at work. It's not because I'm mean and I'm smarter than you or I know more than you, but it's my job to know what risks that could pose to the business at large. And if I can explain that to you in a way that makes sense and also provides you with an easy-to-use alternative or reason why to adhere to the company standard, you're going to be more inclined to do that, and also maybe pass that on to your new starter.

I'm not going to be able to sit at your desk every single week and tell everyone around you that I haven't seen before. So it is about evangelizing safety and promoting safety in just the little things like use your password wallet, right? Use your, use your password generator. Like that's if everyone could just do that, we're in great shape. Don't click on emails that you don't recognize things like that. 

So that's kind of where it's redefining the discussion and how we think about it. It's just part of everyday life, or it should be part of everyday life, especially not only in our personal lives but in our professional ones.

Justin Beals: Yeah, I think this foundation comes from a culture of security, right? 

Brian Wagner: Absolutely.

Justin Beals: And it seems like, I was just at RSA and it's a great conference, but man, it's a little bit of a circus, and I understand why a lot of security professionals get into the field with like, what do I, what tools should I buy for, you know, my biggest concern. But I think what you point out in your book is that if you build that culture first, that's the foundation where the rest of the work comes from. 

Brian Wagner: Absolutely.

Justin Beals: So one thing I loved in the book is that you talk about three different levels of maturity, I felt like. We talked about one already, reactive. Can you describe proactive? And then adaptive, you know, at a high level?

Brian Wagner: Yeah, proactive. It's a careful, it's a word that is very close to preventative, right? And preventative and proactive aren't the same thing. I don't know if you've ever worked at a highly regulated organization where everything's on lockdown. That gets a little bit, that's not very user-friendly, but proactive is in relation to the word maturity. 

Proactive means that there is a conscious investment in the ongoing betterment of the security posture. What I mean by ongoing is, you know, I keep as much I don't like talking about AI, look at me talking about AI again. It is, you know, it is this nascent technology, it does produce new outputs every day. But we're also talking about it from the standpoint of, you know, the good guys or the defensive side. 

But technology advances in the offensive side as well, right? Every single day, every single hour, every single minute. It's truly an arms race. 

There's no winners and losers. You can't just stop. To me, proactive security at a maturity level means that the organization that is enabling proactive security is an organization that understands that everything is changing all the time. The only constant is change. And it does take an investment. It takes an investment to make sure that you've got the basics covered. You've got monitoring in place. You've got people to look after that monitoring, you know, you've got the right policies and procedures in place, and you've at least practiced them once or twice a year. That's the basics. That is like table stakes for unlovable. 

But proactive is when you start getting to threat intelligence and threat hunting and, you know, having human beings who are, I would argue, more intelligent than artificial intelligence, real intelligence, human intelligence, looking after these different sources of information, and really diving deep into those and finding out what's ahead and say, wow, there has been something laying dormant here. How did that get here? Retrace those steps, maybe close off a certain part of the network, or that's a user that has been deactivated but not deleted or whatever. There's all these different things you can do before bad things happen. But again, relating proactive to on a scale of maturity, it is about that investment. It is about someone at the top or near the top, has bought in and has championed security culture within an organization.

Justin Beals: Yeah, if you get that level of investment, I feel like the leadership is essentially saying, we're going to put money to this, not because it's going to generate anything that we can measurably see on the other side. Just that we believe threat intelligence is an important practice for us as an organization.

Brian Wagner: Yeah. Absolutely. Like, how do you, that's been the hardest thing is, you know, in this industry at any level, leadership all the way down, is we talk about metrics and KPIs and you're like, well, if breaches are zero, that's good. But like, wait a minute, I'm paying for zero. 

Like I'm paying for zero, that is really hard to compute because the return on investment, like chart, is completely inverse to what we're used to. You know, the more, it's not always about money, but like the more time, effort, energy, sometimes money I invest, the less likely something is gonna happen. Like, where does that balance strike? And that's been a huge challenge in my own career, which is why I sort of flip-flop between, am I going for CISO roles? Am I going for CTO roles? 

Am I doing both roles? Like, it depends, because on the CISO side, you need a certain size of business. And even then, you need a certain level of maturity for that to be worthwhile. And it's a challenge out there. And it's like, it's like buying insurance. Like when I go to buy insurance, I'm not going to say what's the most expensive insurance I can buy. I say what's the least amount that covers exactly what I want to cover in case something bad happens.

Justin Beals: Yeah, yeah. You know, you say in your book, I loved this quote, risk is a limit in mathematics, which forever approaches X where X is always increasing. It's very Sisyphean, right? Like constantly pushing this rock up the hill and we haven't had a breach yet. Now, you also kind of suggest in your book an adaptive approach. So, can you describe an adaptive approach for us?

Brian Wagner: Absolutely. So as you might imagine, it sits somewhere between reactive and proactive, which is, you know, are we, I don't know, a practical example might be, you know, someone, a threat hunter has spent, you know, six months hunting something down. It's like, well, if it doesn't apply to us, or it's, I don't know, maybe it's based on a vulnerability in a library, which we don't use in our software or whatever, you know, that that might be a little bit over-indexed. 

 I've already sort of mentioned that KPIs are, I don't know, they're not hard and fast, but they are useful. You have to measure something. So I guess what I'm trying to say is, you're proactive. Make note of the things that you've found along the way. You're reactive. You've noticed, easy ones are like logins from Tor exit nodes or something. And when you put all that data together, constantly evaluating the metrics that come out of that and adjusting your approach sort of incrementally. 

And that leads to things like applying agile methodologies to security. It's just, it's incremental. It's not boil the ocean. It's not, how are we going to, you know, get everybody to 16-character complex passwords and across the business? Like that's, that's not what this is about. This is about, let's look at, you know, let's look at failed login attempts and see when the last time they changed their password was or whatever.

But it is, like I said, just incrementally looking at the output of the proactive and the reactive efforts and making micro adjustments along the way just to fine tune that balance between how much you're investing, again, that's beyond money, time and energy, resources, whatever, versus your outputs.

Justin Beals: Yeah. I like this approach, and I'm going to throw us a curveball. We've seen the emergence of kind of a new kind of, I don't know, a threat vulnerability. I can't, I'm always grasping for the right words. But where we've seen kind of employment faking, right? Like someone wanting to come in, applying for a job, being from most recently North Korea, and some interesting tools and techniques used to pull it off. I think this is a perfect example for this type of adaptive approach. How would it fit in sprint to sprint, let's say, yeah.

Brian Wagner: Sure, sure, I mean, that one starts with education. Simple things like if you're the interviewer interviewing this person, they have to have their camera on. That might be the ground zero, like, okay, are you actually talking to someone who appears to be having a conversation with you? 

But then, iteratively speaking, that can get more and more nuanced. They could be talking to you, but they might have, you know, ChatGPT up answering questions based on, you know, entering your questions in there, stalling for the answer until they get the answer. Are they AI generated, or are they, you know, is that even a real image? There are ways to, you know, from a technology point of view, there are ways to ensure or at least get some confidence around whether or not that's really being or who they say they are, and that might be sort of on the scale of, like on the spectrum rather, of incremental work. 

So ground zero is just make sure they have the actual camera on. I would say also from a training point of view, asking questions which require competency, as opposed to are you right or wrong? You know, if I ask you what goes on when I type in www.amazon.com in the browser and you're going to talk about, you know, the SSL handshakes and certificates and all that stuff.

Well, that's a quiz question. That's an exam question. That's not really, that doesn't mean you understand what security means. So yeah, a few things you can do without technology at all, and then start layering in things like, you know, making sure we know where their IP address is coming from. We, you know, any sort of detection, you know, things to look out for, is the background of their video. Does it have any text that doesn't make any sense? Right. Cause that's a sign of like an AI-generated model, things like that.

Justin Beals: Yeah, absolutely. Well, it's an intriguing vector for attack, isn't it? Yeah. And it does, as you point out, go at the cultural affect of the business, more HR processes or where that begins than a true cybersecurity issue. You mentioned that you've flipped back and forth between a CTO role and a CISO role.

I've talked with some security friends about like agile software development. I spent more time on the CTO role side on the product side. And how do you, I'm just curious how you think about kind of compartmentalizing security practices in that agile modality, and at the ground level, is it daily standup, weekly sprint, quarterly planning, you know, style work?

Brian Wagner: Right. No, it's actually not compartmentalized at all. It becomes part of the software delivery. You know, it becomes a feature rather than something that's bolted on. It's thought about at the, least in my organization, we are a small startup, which is great. And I have, you know, I bring both the seniority in technology and security. 

I mean, technology was my passion. I've been, I'm 42 years old. I've been professionally writing software for 25 years. I started very young. That's always been my passion. Security, kind of, I kind of fell into it by accident, but I bring both of those from a seniority point of view at my current role, which, you know, so I'm driving that architecture. I'm driving the product. And as such, that just becomes part of the requirements.

We don't separate security from sort of end-user features at all. So it just becomes, there is no compartment. It is literally part of the, a part of the everyday.

Justin Beals: Okay, let me see if I can translate this. Let me see how I do, Brian. Let's take that example with like impersonation. I could see you looking at the secure, like a security posture, as a set of features. And you're like, okay, this sprint, we need to roll out a new feature, which is an education outcome for our team of this understanding, there's this new attack, and this is what you need to do with the browser.

And we get to the end of the sprint, we're like, did we do it? Yeah, you know, it's checked off and we taught them and we incorporated it in future security awareness training videos.

Brian Wagner: Hmm? Yeah, yeah, that works. Just bringing that to the attention of the people that need to know it, or ideally everybody, especially in the case of a startup, when everyone's doing all the hiring. But it is, yeah, it's about talking about it, getting out in the forefront. It could be as simple as, like you say, a training. It could be a Slack message. It could be training and a Slack message. Yeah, but yeah, the outputs are many, but exactly that, right? It's just incremental. It's just, are we going to solve every single case?

No, we're absolutely not. But to get people to deliberately acknowledge that that's a thing, they will think twice. They will pause the next time they're going for an interview and say, well, let me just do a couple more internet searches on this person's name. Let me just do a little bit more due diligence on that individual in order to make sure that this person is who they say they were. I've actually been a part of a previous company where that vector actually was exploited. So that was, that was always fun. Yeah.

Justin Beals: Yeah. Another thing I really liked about your book, and we've talked with a lot of guests, is that security is an excellent business driver. I mean, you must experience that on a couple of different levels. One is your product platform sells itself on practicing good security.

Brian Wagner: Absolutely.

Justin Beals: Secondly, you have a regulatory requirement to implement or a third party risk requirement to implement good security. Otherwise, you couldn't participate. It's pretty layered into almost all aspects of business work, I find today.

Brian Wagner: Yes, it is.

Justin Beals: The struggle of course is to help, I think, the go-to-market team unlock the value there in the market. Since you've bridged this product security, how do you work with your go-to-market team to help them kind of understand what's valuable about the security work you do in terms?

Brian Wagner: Yeah, I boil it down to why it matters. I could talk about the bit size, the encryption keys, but no one really cares about that. What they do care is that customer data will be secured by an industry-standard protection mechanism. And that's the kind of thing, and that's just one example, of course, especially over in Europe.

There's, you know, are you GDPR compliant? It's not so much the ins and outs, but saying that yes, we are. And any additional information that's needed in order to have those conversations without pulling in someone who knows that. So it's really about understanding, you know, I go to our go-to-market team and say, all right, you pitch me as a customer. Like, let's talk about it. I want to hear what you're saying. And I can help support that with things that matter.

Things that matter, that fit along with that story, that the best salespeople and the best go-to-market people are storytellers, I can help enhance that story so that it's not an afterthought, but it's also, we also have to exude some confidence in there and say, yep, we're already looking after, we already know that we are asking for very sensitive data.

And we are B2B2C. So not only are we asking sensitive data, we're actually asking sensitive data from your customers, not even our customers. In order to do that, you better come ready to answer some really, really hard questions. But it is about boiling it down and just making it plain English for them so that they can understand not so much what it is, but why it's good.

Justin Beals: Hmm. I like that, you know, certainly there are important compliance outcomes, like regulatory, as they're pro-risk, but it sounds like you love crafting a story as well around even why that compliance matters or why your security is unique in its work. Yeah.

Brian Wagner: Always. Yeah, absolutely. It's, so far, touch wood, I suppose. So far, I have not had to make any adjustments for the sake of new ventures, new markets, new risks. Basically, I keep the product lean, it is very purposeful. So it's not like this big complex mess. It's actually quite primitive on purpose.

And it allows me to have some very, very, very strong security principles which we extend to the customer that they get that at no extra charge. It's part of, as I said before, it's part of the product. It's actually a fundamental feature, or all of them are fundamental features.

Justin Beals: I've seen this in conversations myself. We think about appropriate network segmentation, for example, and we see some tool sets that are more agent-driven in approach in that they kind of launch code inside a system, code which you don't have the ability to introspect on or see what it's doing. And we're like, no, all communication needs to go over the right set of network segmentation.

And at first it's a challenge because they're like, well, it's harder for me because I have to tell you where to go. But then, when we say, yeah, but at least you are limiting what we can see, and you can tell us through a standard API, which seems like a baseline requirement to me. Yeah. Yeah. And it helps when they understand the story. Yeah.

Brian Wagner: Yeah. It's the why behind it. You know, like I say, in our conversations with customers, they're always like, why do you, do you really need the passport info? Do you really need to see the, and you say, yeah, we have obligations. So, like I say, we know that that's sensitive, that's sensitive material. So we offer some pretty, I would say pretty creative ways that actually it's all encrypted before it leaves their side, comes over to our side and it stays encrypted, which is great. So you can bash at it all you want, but you're not going to jar that PII loose.

But yeah, that's exactly it. It's that story. It's, what's in it for me? That's what everybody wants to know is what's in it for me, whether that's internal, if you're trying to educate on security, the HR people, for example, if you want to talk about interviewing, what's in it for me is the, is the question that I always seek to answer, especially when I'm introducing new concepts to the product.

Justin Beals: Yeah. Let's talk a little bit about the thorny relationship between security and compliance. You tackle it in your book and I kind of like how you lay out the landscape. Why don't you give us an overview of your opinion broadly on this intersection? Yeah.

Brian Wagner: Sure. I think they both lie on some spectrum, which I don't care to try to name, but I would say compliance is definitely at the lower end of the spectrum in terms of it's a definition of what bare minimum is. And that's not a bad thing. I actually am a big fan of compliance. I think it's done a lot for regulated industries to make sure things stay afloat. I'm actually a huge fan of GDPR, things like that.

On the flip side, though, to be compliant is not necessarily to be secure. You know, compliance comes out of typically industry consortiums or international consortiums that come up with standards. And the angle which those come from is the preservation and the safety of the industry, right? Security is the other way around. If I want to participate in this industry, yes, I have to meet your industry requirements, but I need to be secure for myself in order to protect myself in this sort of market.

On the lower end of the spectrum, you've got compliance, which is a definition of bare minimum, usually not super prescriptive in terms of how you get there, but they just say this has to be fine. Now, security, on the other hand, is that limit approaching zero, and zero is always moving. So there is no real end to the spectrum. But I guess the point is, the more you pursue closing that limit, getting it closer and closer to zero, which of course is a moving target, it's diminishing returns, right? It'll take you four times the energy to just tick off another point on your risk profile. So there is a balance there. If compliance is the bottom end and near perfection is the top end of security, there is a balance. You've definitely got to be ahead of bare minimum, but also it's got to be good enough. It's got to be good enough and you've got to diversify your security investments to cover a variety of risks, but always keep an eye on the minimum.

And in my industry, as compliance comes from different countries, different regulatory bodies, that minimum is actually like a grey area. So we have to make sure that we have a pretty high security watermark.

So that when we add another compliance requirement to that minimum, like I say, so far we haven't had to make any adjustments to raise that bar at all. But it is that balance, right? Staying ahead of the minimum, but don't overdo it.

Justin Beals: It's almost impossible to mature through the compliance requirements without a very precise understanding of what you do for security. I think that's oftentimes why so many people get caught, you know, is that they don't have that act of what is good and how they're doing on it, to your point, yeah.

I think another aspect of this that is possible, I'm curious, your opinion is that it's that generally, not always, but broadly, I've found that efficient security was also effective security. Like we could find paths to not be like very costly and do good security. And actually that was oftentimes the most effective solution for the problem.

Brian Wagner: Yeah, usually, yeah, there are low-hanging fruits where cost doesn't really come into play too much. For example, especially with cloud nowadays, there's no excuse for not encrypting stuff.

Like, I don't care if you've got a million people that work in your organization. Encryption is cheap. It is ubiquitous. Like, there's no excuse.

But to your point, like you could get really, really fancy with tools that do certain things when maybe there was a simpler way of just having an education, having some education about it, and that can mitigate quite a bit. They always say humans are the weakest link in security anyway.

Justin Beals: Yeah, I come across a fair number of groups where they're very concerned about cloud security. And I'm like, well, have you turned on the security tools on your cloud platform? Have you checked and seen what they say? Oh yeah, right. Yeah, absolutely. Yeah.

Brian Wagner: Yeah, just do that. Yeah. Yeah. Yeah. Start there. You know, you may have everything you need right there without having to spend money on something else.

Justin Beals: Brian, let's talk a little bit of the future. You're both building product but also functioning as a CISO as well. How do you see the next five years from an innovation perspective? Either as a buyer of cybersecurity product, what are you looking for? Or what are you trying to set the bar in the marketplace for?

Brian Wagner: Yeah. Yeah, if we're talking about buying security tools, I think my criteria is pretty simple. I don't think this is a very common answer, but it is my answer. My true answer in terms of buying stuff is the first thing I do is I look at the pricing, not because of the cost. Cost and value, those are two different things. And like, I'm cool with that. I'm not looking for a number. What I am looking for is what they charge extra for. For example, I will not buy any product, security or otherwise, that does not let me integrate single sign-on. Or if I can, but I have to pay the enterprise price for it, that's a tax, that's a security tax. And I really don't appreciate security tax.

So for me, that is number one: how much tax am I paying for the security of the product that I'm trying to buy? Aside from that, it is, as I said before, I look at security as a toolbox, or a tool rather in a toolbox. So, you know, my requirements for what I'm trying to solve, if I am buying something, have to be very, very clear, and the only way to get that clarity is to have a relationship with the product team, with the go-to-market team, with the HR team. Like, what are we trying to solve? What are the things that bother you? What are the things that bother me as a security professional? But that is to kind of go to the rest of that question about, you know, what does it look like in five years? It means I've got to have a lot of empathy. I've got to have a lot of business acumen, because I'm not going to people in accounting and saying, you know, tell me about your worries about North Korean hackers. Like, what, wait, hold on. They say, well, this is, you know, this is the software that I use every single day, and, you know, vendors email me invoices and I click there to pay them. Okay, I need to understand your process so that I can take my security brain and apply what I know about what I've just heard and maybe ask some follow-up questions. But like I say, the purpose of this exercise is to build a pretty finite set of requirements. And that's how I go shopping, basically. I either build it internally, or we turn on some tools internally, as you say, or we go shopping, and I will go and talk to the people at these companies. I'll go to conferences, I'll call them up, whatever we have to do, and see if we can get to the bottom of it.

Justin Beals: I think one thing that is definitely true is that the media trope of the computer science security wizard in the corner, not ever talking to anyone, is the antithesis, yeah, of really the skill set, which is high emotional intelligence, if you want to be a leader in one of these roles.

Brian Wagner: Yeah, it is. It's empathy. It is.

Justin Beals: And that's developed. Natural talent is helpful, but you can also develop emotions.

Brian Wagner: Yeah. Yeah. And I think that, like you said, I think the security industry is stigmatized, but the security industry, like any industry, even non-technology, will have, of course, a spectrum of personalities. And that's actually really, I think that's the best part about, in particular, security. I think the types of people you meet, it is such a diverse crowd of thought, of background, of how, like my favorite thing to do is ask how did you get into security? That is my favorite question, because I don't think I've ever heard the same answer twice. Like, it's the coolest thing, and it makes up for such a diverse community of opinion, of ways of doing things. Like, there is no real right or wrong. It is really a dark art.

But yeah, it depends. If you want to lead, you want to branch outside of that group, then yeah, you do have to walk and talk alongside, like, maybe someone that we would not recognize as a traditional sort of trope, the stereotypical security person.

Justin Beals: Well, it's been a treat to meet you today, Brian. Thanks for sharing your book with us and your expertise with our audience. We really enjoyed having you on the podcast.

Brian Wagner: Cool. It was great to be here. Thanks so much for having me.


About our guest

Brian Wagner, Chief Technology Officer, Revenir

Brian Wagner is a security and technology executive and leader who has extensive experience in successful security and technology transformation and a dual focus on innovation and robust cybersecurity practices honed over a career spanning over twenty years. 

Currently the Chief Technology Officer at Revenir, Wagner has also held previous C-suite and leadership positions at Bulletproof, Defense.com, Moody's RMS and Amazon Web Services. He speaks globally at high-profile events on the latest advancements and best practices in cloud, technology, and security. He is based in London, UK.

Justin Beals, Founder & CEO, Strike Graph

Justin Beals is a serial entrepreneur with expertise in AI, cybersecurity, and governance who is passionate about making arcane cybersecurity standards plain and simple to achieve. He founded Strike Graph in 2020 to eliminate confusion surrounding cybersecurity audit and certification processes by offering an innovative, right-sized solution at a fraction of the time and cost of traditional methods.

Now, as Strike Graph CEO, Justin drives strategic innovation within the company. Based in Seattle, he previously served as the CTO of NextStep and Koru, which won the 2018 Most Impactful Startup award from Wharton People Analytics.

Justin is a board member for the Ada Developers Academy, VALID8 Financial, and Edify Software Consulting. He is the creator of the patented Training, Tracking & Placement System and the author of “Aligning curriculum and evidencing learning effectiveness using semantic mapping of learning assets,” which was published in the International Journal of Emerging Technologies in Learning (iJet). Justin earned a BA from Fort Lewis College.
