The CyberSec Sessions Episode 6 - with Jake Bernardes
We discuss Anecdotes, what a Field CISO does, why AI ISN'T the end of the world for CyberSecurity professionals, and more.
I can barely believe it but we’re now on Episode 6 of the CyberSec Sessions already. This week Jake Bernardes discusses his work at Anecdotes and some opinions that might make him unpopular with some of my previous guests.
Don’t have the time to listen? Here is an overview of what we covered.
Anecdotes helps with some of the toil around compliance
Due to the huge amount of complexity around regulations currently, from ISO 27001 to FedRAMP to GDPR, there is a lot that needs managing. Typically this is all done manually, involving lots of spreadsheets and screenshots.
Anecdotes works by plugging into the applications already in your stack and pulling out all the evidence needed, in real time.
You can then use this data-driven compliance info to decide how to manage risks, where to deploy resources, or even show it to potential customers in real-time. This frees up huge amounts of time for GRC teams.
What a Field CISO is remains up for debate.
Jake says there are typically two paths to becoming a Field CISO: a sales-focused person with a fancy title, or someone who has been a CISO or advisor in the cybersecurity space multiple times. With his past in penetration testing, Jake sits in the latter camp.
These roles are usually found in SaaS security companies, acting as facilitators for a whole range of functions. He looks at how to go to market, how to build pipeline, taking potential customers through a journey to explain how the company adds value, and working with existing customers to ensure they're using the product in the best way to achieve their outcomes.
All the information gathered here is then reported back to either marketing teams to refine their approach, or product and engineering teams to make sure the right features are being developed.
In Jake's words: 'My job is to make the dots connect'.
Having a technical background in this space definitely helps with credibility, and gives a deeper understanding of how the product fits into the wider ecosystem, whereas an Account Executive may only understand their specific product well.
Don’t worry about AI, it won’t take your job and it won’t ruin Cyber
Contrary to the other guests I've had on the podcast (even contrasting with Zechariah's view last week), Jake thinks that all those companies, both the ones worrying about AI and the ones implementing AI into everything, need to chill out.
Having been to conferences myself recently, there are a LOT of teams touting their new product as the miracle cure to all your CyberSec issues just because it has the word AI in their tagline.
Jake says that it is all about relevance: what are you trying to ACHIEVE by adding AI to your product? Is it actually achieving business outcomes, the thing that all Cyber experts should be focusing on, or are you just following the trends?
Equally, any company claiming to 'Fix the AI Security Problem' should be scrutinised. There have been very few AI-based breaches, meaning we don't really know what the attack vectors are.
AI is no different to the changes that had to be made for Big Data, for cloud, or for analytics. AI is just another risk to prepare for, the same way all these other risks were.
The one difference AI has is its name recognition. No one outside of tech even knew what cloud was; now even your Nan knows about AI. That's where the fear is coming from: the media effect.
Even on the 'AI taking jobs' front, the Industrial Revolution changed a lot in the UK, but people weren't suddenly unemployed overnight.
So if people ask Jake what he's doing about AI, he'll say: sitting back, analysing, deciding what the risks are and then addressing those risks in the most logical and reasonable manner, the way any good CISO should.
There are two big problems facing CyberSecurity that he does agree with
The first is the skills gap, or more accurately, the fundamental misunderstanding of what security talent does in different areas of the business, and therefore how to hire for it.
Defining job descriptions for other roles can be easy, but defining what a CISO is, passing that to HR, then HR passing it to Recruitment, and everyone being able to understand and then find that person, that is what is tricky.
The second is that CyberSecurity in a company needs a facelift. It has always been thought of as a cost centre, something you have to do to keep your company safe and avoid fines or worse.
CISOs need to become better at sales, and learn to focus on talking about business outcomes and pitching in terms of return on investment.
Jake's examples:
Q: Why do I want to spend money on that new framework?
A: "So you can sell to more enterprise customers."
Q: Why do I want to hire 4 more security people?
A: "Because we'll be able to respond faster to security questionnaires, improving speed in the sales cycle."
CISOs need to learn to speak in these terms to be successful in Cyber over the next few years.
Knowing what you want is the key to attracting talent; from there it's building culture
However you explain it to your recruitment/HR teams, even if it's sitting them down with another engineer and saying 'find me another person like them', you need to get everyone crystal clear about what they are looking for.
Good engineers will respect a team that knows what it wants, is efficient in its hiring, and is purposeful about the questions in its interviews.
Once onboarded, it's about building a culture that gives people something to care about. It may be a cliché, but people work harder when they care. Treat people well, make sure they're taking holidays and being given the right opportunities wherever you can, and they will stay.
That’s all Folks
I hope you enjoyed this week’s Episode Summary. Watch the full video below for more details.