Host/Announcer
Best advice I ever got in security.
Andy Ellis
Go.
Amit Megiddo
The best advice I've ever received in security is that complexity is a vulnerability.
Host/Announcer
It's time to begin the CISO Series podcast.
David Spark
Welcome to the CISO Series podcast. My name is David Spark. I am the producer of said CISO Series, and joining us as our co-host, you know him very well, it is the principal over at Duha, Andy Ellis. Andy, say hello to the audience.
Andy Ellis
Hello to the audience.
David Spark
There you go.
Andy Ellis
I thought I'd try something new today.
David Spark
It's like the classic line of "walk this way," and then they all sort of walk in the same silly motion. It's an old, old gag. We are available at cisoseries.com, where you can check out all of our other wonderful programming. We have four other shows on our network. Go discover them. No need to explain. Now, our sponsor for today's episode is Native, the cloud security control plane for the enterprise. And guess what? We're going to be talking a lot about cloud security on this show. And in fact, they're responsible for today's guest, who I will introduce in just a second. But, Andy, something unique just happened. You and I just got back from RSA, and we both, within an hour, just published our summaries of the event. Yours was different than mine. Give us a quick synopsis of what your post was about, which, by the way, the volume you did was insane.
Andy Ellis
Yep. So I walked the entire show floor, recorded 607 exhibitors.
David Spark
That's a lot.
Andy Ellis
And wrote the state of security vendors, which was my impressions as a buyer who also does marketing of what marketers think they're selling, who's in what spaces, given a view towards, like, where's the money coming from for VCs, you know, where are they actually sort of investing in to sort of get this overarching view of what's going on. I got to say, about 10% of the vendors had zero messaging on their booths at all. No idea what they did. I mean, I knew some of their names, but it was kind of crazy how many couldn't tell what they did from what was on their booth.
David Spark
Well, so this is a conversation, and people listening to the show may have heard me say this before. I remember I was walking the floor with Adam Glick, who was a CISO himself, and I just said, look at all those names out there. What percentage would you say you know what they do? And just shooting from the hip, he said, like, maybe 25%, which may actually, I think, could be high. But think about this.
Andy Ellis
Yeah, so my, my 10% is. There's no hint at all as to what they do.
David Spark
No, no, I, no, I get that.
Andy Ellis
But 37% said they did AI security. And I still don't know what that means.
David Spark
Right. But the reason I bring this up is this says a lot about just the industry of security, that if you're talking with some of the smartest people in the industry who should be in the know and at the most, by the way, I've asked this question of many CISOs, and the highest number I ever get is 25%, which again, is shooting from the hip. I know if we actually put them to the task, it'd be a different story. But if the smartest people in the industry have a 25% clue of what's going on in the market, that is a mess. Because I'm thinking about it. In any other industry, like automotive or health or something, I can't imagine the smartest people have a 25% clue of what's going on.
Andy Ellis
So I think that you're asking the wrong question because I do agree we have a problem. But that number isn't the indicator.
David Spark
What is the indicator?
Andy Ellis
Imagine if you went to an automobile show that was aimed at the manufacturers, not at consumers. So it is every sub in the entire industry. Yeah. If you walked in and said to some random car designer, how many of those vendors do you know what they do a priori? They're going to tell you 25%. The market is massive.
David Spark
No, I think it would be much higher. I argued.
Andy Ellis
No, because if you work for Ford, you know all of Ford's subs, but you don't know all of Toyota's subs. And so you don't necessarily know that, like, the person who makes the fiber optic channels for Toyota might not be your vendor, so you might not know who they are. And there's a lot of little vendors at RSA. We should remember that.
David Spark
Yes, there's a ton. Well, hundreds and hundreds and hundreds. And you were able to, I should
Andy Ellis
say RSAC, because they've insisted that media call them RSAC this year.
David Spark
Oh, well, RSAC. There they go. Let's get on with our show, which is far more important. Let me bring on our guest for today's episode. Thrilled to have them on board. They've been a new sponsor with the CISO Series, and we're thrilled to be working with them. From Native, the CEO and co-founder, our sponsor guest, none other than Amit Megiddo. Amit, thank you so much for joining us.
Amit Megiddo
Hi, David. It's great to be here. Thanks for having us.
Host/Announcer
The great CISO challenge.
David Spark
What is a CISO's real power? Is a CISO really needed in a moment of crisis? I've spoken to a few CISOs who challenge their employees with a question: what would you do if I wasn't there? "When your team says, we did it ourselves, you have achieved the highest level of leadership," said CISO Tradecraft in their newsletter. Now, this philosophy also leans into the Socratic method of education. You don't tell people what to do, but rather let them discover it on their own. Maybe you have to guide them, but you let them come to a final decision. Now, my father, who was a doctor, used to do this with his medical students. They'd ask my father what he would do, and he didn't want to just tell them immediately. He wanted them to look at the patient or the case study and figure it out for themselves. So if they were missing a key piece of evidence, he would point it out to them. So, Andy, I will ask you the same thing. How do you train your staff so they can think critically and ultimately not need you?
Andy Ellis
So, I think the Socratic method is a component and a tool in the toolbox. But I've known a lot of leaders who think that's the only thing they have to do. And there's a lot of people who don't learn well with that, because you're not actually helping them if you just always are challenging them: well, what would you do if I wasn't here? Their answer is, I don't know, because you've never told me or you've never shown me. So it's a combination of show them, tell them, give them an opportunity to do something with safety rails before you're gonna sort of put them out on their own. And I'm a big fan of starting with escalations as the place where most people need more help. But the person who needs the most help is the leader at the top, the CISO. You should look at every time you overrule your staff: they have told somebody something, and their boss, or they, come to you, and you change what the ruling is. Right? Your people say, well, you can't do that. And you say, well, you can do it as long as you do these few things. That means you did not put your person in a position where they knew that they could have that flexibility, and they should. It should be that nobody gets a better deal by escalating. If they escalate, it gets worse. Because you're saying, wow, I had to get involved, and that's not the right thing. My people should give you the best possible deal for the business. And it's when you escalate that you're making the deals not work so well. So that's the way I like to think about it: they, your staff, should always be able to put themselves in your shoes. What would my boss do, so that I can do that?
David Spark
You know, Jerich Beason says the same thing. He has the challenge, what would Jerich think, or what would Jerich do? Jerich Beason being the CISO of WM and a frequent guest and co-host on this show. All right, Amit, I'm throwing the same thing to you. I guess the question is, how do you let your staff know how to operate completely without you?
Amit Megiddo
Actually, I'm sort of hearing this question and I go through, like, different stages in my career, and I'm thinking how this equates. So first of all, you know, background: I spent over a decade in the 8200 Israeli military intelligence unit. And there's, like, a common saying when you're trained up to become a young officer, which is the officer is measured, or graded, sort of in his absence. You learn that very early. Then, you know, the next step for me was I did my MBA, Andy, not too far from where you are, at Harvard Business School. And that's all about the case method, right? No answers. It's not a lesson where you start and you get to the final answer. Here's a challenge or a situation a business leader was put in, and now 90 students get to discuss it and reach together the best answer. And then the last stage, like, sort of before starting Native, was at AWS for close to six years. And there it's all about process, right? Like, you operate at that scale, it's all about how is the process built to get to the best outcome and how do you learn from mistakes. So it's not someone's fault, but how could the process be improved? And sort of all of these build up to where I am now. And then, by the way, Andy, also what you said, escalation, it's such a core thing sort of in the Amazon culture. Like, escalation is a good thing. You get dinged for not escalating. Escalating is not a political move. It's a customer-obsessed move. And then where I am now, I think a core thing to it, as I think about it now, building my own company, is first of all finding the right partners to work with, right? You can't do everything. And first of all you need to trust the partners you work with and your senior leadership. So it starts with hiring. You need to hire people that you can trust to make a lot of decisions day to day without you being there. And then it's also, I think, this gradual process of letting go.
And how do you build that trust with your people that work for you? It's sort of always that back and forth. At a young startup, you don't want too much process, right? You want to move fast, but you also want to make sure that in the end things work well. So finding that right balance. But right now, where I am, it's all about trust in the people that work closely with me.
Andy Ellis
I'm a big fan of the pre-escalation. Teach your people to escalate to you. When they're about to say something that they know will escalate to you anyway, they should just reach out to you and say, here's what I'm planning on doing, here's what I want. And you can then easily redirect them before it becomes a problem rather than afterwards.
Host/Announcer
What's the best time to do this?
David Spark
Business wants to go quickly, and time to value is absolutely important. Cyber becomes an afterthought, for EY Americas' Ayaan Roy, as quoted in a recent CSO Online piece. "Cloud misconfigurations aren't a technical problem. They reflect organizational priorities: dev teams spinning up resources with elevated privileges they never walk back, security teams excluded from the conversations that matter, and security sprawl from M&A are the symptoms. And the cloud providers aren't helping. Microsoft, Google and Amazon hand you an insecure product by default and leave you to figure out the rest." Exposed S3 buckets are a trite cliché at this point, yet the misconfigurations are worse, not better: 70% of Azure VMs are misconfigured, 63% of Google Cloud Platform. So if the tools, the frameworks and the awareness all exist, why does this keep happening? Is cloud security fundamentally a business velocity problem that security is always working around? What's one structural move a CISO could focus on that would make the biggest difference in turning the tide on misconfigurations? Amit, I'm throwing this to you. By the way, this is a story that comes up again and again and again. What's your take?
Amit Megiddo
So first of all, I'll start with answering the question directly, and then maybe I'll take a step back. Answering directly: what should a CISO do to sort of address this issue? I think for too long we've sort of let these things happen, and then fixing them after the fact is a huge challenge. We can get into why. I think the one thing is to start at the architecture level, right? How do we ensure that the architecture, the secure by design architecture that went through the review, actually is translated into an enforceable architecture at the CSP, at the cloud service provider, level?
David Spark
By the way, we're going to get more into this secure by design a little bit later in the show, but continue on.
Amit Megiddo
So that's the one thing you can do. How can you sort of ensure, close that gap between what the good architecture looks like and what reality looks like? But taking a step back, for sure, I sort of say the business is doing business, right? It's not security. In the end, security is there to support the business. If the business isn't producing great product and going to market and making money, then there's no point in it at all. And security has sort of historically found itself always lagging behind, because there's a new technological trend, there's a new way to do something better, produce better product, go to market better; the business runs forward as it should, and security sort of then plays catch-up. And that's what we've often been seeing as well, right, in the cloud as well, where there's sort of this endless sort of menu of how you can do different things, and the business will run fast and make mistakes, or maybe intentional things that open up to risk. And that's sort of how we ended up here. And I think, first of all, that's the preferred state. We don't want security to slow down. The question is, for the CISO, how can you both enable the business, maybe even allow it to move faster (I'll get to that in a moment), without lowering the standards? How can you now build that expertise and confidence to, say, tell the business you can go into a new cloud? You know, we're on AWS and we want to go into Google Cloud. How can we do that without lowering the standards? We're now running on AWS, or Azure, and we want to adopt, build new AI applications. How can we do that without lowering the standards? Security always should think in terms of how can I be a business enabler?
David Spark
All right, Andy, your take on this as well. It seems like this problem never goes away. We're constantly misconfiguring.
Andy Ellis
So I think cybersecurity has always been an afterthought. So I want us to be cautious that this isn't a new dynamic. What's changed is just the pace.
David Spark
Right.
Andy Ellis
It used to be that by the time a developer could get an application into production, they had to go fight with IT to get a server. And those of us who remember the hassle of dealing with networking, by then security had figured out what was going on and could come in and provide hopefully some help. And the challenge that we're running into right now is somebody has a clever idea for an app, and it is live and in production by the end of the day. So there is no lag for a human to show up and say, oh, you should do these things. And so I think if we want to stop being the afterthought, it needs to go from "you should do these things" to "we have already done these things for you," that we've become a service model and we think of ourselves as enablers, that we will make your system secure before you even have to think about it.
Amit Megiddo
I think to your point, Andy, I think an ironic part of this is that with security being the afterthought to allow the business to run fast down the road, it just slows everybody down, right?
David Spark
Absolutely, yes.
Amit Megiddo
We let all those issues happen, and now security has a long queue. They can't just go and fix them. Right. Things are already running in the environment. So what happens? You open the ticket, you start the campaign. I've been on the receiving end of those building products at AWS, and 20, 30% of engineering time would go on security campaigns. They're needed, they're necessary, they're there because of everything we discussed, but it ends up trying to allow the business to run fast, but in the end sort of just slowing it down the road.
Andy Ellis
Yep.
David Spark
Cloud providers ship powerful built-in controls, but most teams struggle to turn security intent into consistent enforcement across AWS, Azure, Google Cloud and OCI. Different policy models force security teams into manual translation and one-off exceptions, which get brittle fast as accounts, services, APIs and AI workloads change. Our sponsor Native is the secure by design control plane for cloud security. It helps teams operationalize provider-native enforcement, manage intent centrally and roll out changes safely at scale. Native works through the cloud's own mechanisms, so guardrails are enforced natively, while teams can preview impact before deployment and reduce drift over time. With Native, security isn't bolted on after the fact, like what we were just talking about. It becomes part of how you operate the cloud. You want to learn more, you've got to go to their website: native.security. It's just spelled exactly the way it sounds: N-A-T-I-V-E dot security. Go there. And when you go there and you find out more, let them know that you learned about them from the CISO Series.
Host/Announcer
It's time to play what's worse.
David Spark
Amit, I'm pretty sure you know how to play this game. Correct.
Amit Megiddo
I play them with my kids occasionally, so I'll give it a shot.
David Spark
Yes, you do.
Amit Megiddo
I'm usually not on the receiving end,
Andy Ellis
but you get to go second. On the bright side, I have to answer first.
David Spark
Yes, you do. So, this is two bad scenarios brought to us from a listener. This is from Louis Zhang of AIA Australia. They're both crappy, and you have to decide which one is the worst scenario, the one you would like the least. It is a risk management exercise. All right, Andy, you are a CISO of a high-growth, budget-tight company. Here's the first scenario. It's the beautiful security strategy that nobody follows. You hire a strong enterprise security architect. Clean target state architecture. Standardized controls for technology stacks. Clear security baselines. Governance framework in place. An ambitious multi-year roadmap. On paper, it's world class. Then the reality hits. The business moves too fast. Teams bypass design reviews. Exceptions quietly become the norm. Cloud environments drift within weeks. Shadow IT and shadow AI thrive. Nothing critical gets built the way it was designed. You have a great strategy, but limited to no enforcement. At least you...
Andy Ellis
I suspect it wasn't even designed safe. Let's be honest. People are going to ignore your design style. There you go.
David Spark
Well, at least you have something polished to report to the board and the auditors. So you have something that looks good.
Andy Ellis
I mean, I really want to know what could possibly be worse than this? Because you're basically useless. But let's see.
David Spark
Okay, hold on. Second one's bad. This is the second scenario. Secure projects, zero architecture. You skip the enterprise architect. Instead you hire multiple transactional security solution architects and contractors to, quote, build it secure. So we're going into chaos here. Get ready. Projects go live with reasonable security controls. However, every team does it differently. Different tooling, IAM models, logging standards and cloud patterns. To make it worse, high mobility among solution architects leads to inconsistent, sometimes conflicting decisions across projects. The stack explodes. Complexity compounds. No North Star, no baselines. Everyone is optimized for speed. So you have delivery but no cohesive security strategy. Security becomes structured chaos with good intentions. The quality varies upon whoever happens to be on the project at the time. And you feel nothing is under control. All right, which one is worse?
Andy Ellis
Okay, so I'm still gonna go with the first one is worse.
David Spark
Okay? Because the second one sounds pretty bad.
Andy Ellis
But I have to bring up the near rule, because anybody listening is like, well, if I get to change, which one would I rather inherit? You probably want to inherit the first one, because you're like, well, I can walk in and do enforcement if I've got a coherent... like, everybody does it the same way. But here's the reality. Nobody will ever do it that way, because the near rule says we don't get to change the near future. We're stuck with this. So either I have an on-paper, beautiful architecture that nobody actually implements, which means they have no security architecture at all, or, in the second one, sure, I don't even know what my architecture is, but at least I have one. And generally it's pretty decent. It's reasonable. These folks are doing well.
David Spark
It's all over the map. There are holes in this thing like
Andy Ellis
Swiss cheese, but the other one doesn't even have the cheese. It's nothing but the hole in the first one. I don't actually have a security program at all. Like, there's something written down. That's not a security program. That's vaporware. I would much rather have the second, where I've got people actually out helping make things marginally better. Yes, I know my successor is gonna have an awful future, but that is not part of the scenario is what my successor gets. It's only what I'm stuck with. So I would rather have the second. First one is worse. We're not doing anything from a security perspective.
David Spark
All right, I throw this to you, Amit. Agree or disagree?
Amit Megiddo
I was really looking forward to disagreeing with Andy, but, yeah, I have to agree with him. And I think the main reason is sort of like what it points to, like the organizational culture. And what's the harder gap to bridge? Right? Like, if you sat for hours and you know what? Good luck. But you don't have the organization, expertise or culture to actually do something about it. That's a huge gap. Whereas if you didn't do that exercise, but people are. There is that motion in the organization to implement, to do, to push architectural controls into the environment, you're in a better situation. And then the gap, that gap you have to bridge is. Okay, now let's understand, what is the current state? Where are the gaps? What does good look like? And you have to go and do the work in either case, you have to go to do the work. But the first one sounds much more daunting work, even finding the right people that can have the expertise and the want to do it. So I have to agree with Andy on this one.
David Spark
All right. Andy gets another win.
Andy Ellis
Yeah. I've got to say, I'm really happy that Nier tossed that rule at us because he threw it at me because I used to modify the scenarios and be like, well, because in the old world I'd have been like, well, I would take the first one because I think can make it better. And so he gave us the rule of, you can't make these better. You're stuck with them.
David Spark
You're stuck with these. Yes. None of these would be bad if you could change scenarios. Right?
Amit Megiddo
Yeah. I'll say from a Native perspective, it's sort of like the first one sounds really appealing to me, because I'm building a company that can take that greatness that you sat in a room and did, and now we can help you implement it. But really, that is like a totally non-ICP for us. Right. Because there's no one there that has even... We'd rather be in an organization that is trying to do it. There's people doing it, they're showing initiative, and now we come and help them rather than, like, just...
David Spark
Yeah, it's chaos.
Amit Megiddo
Yeah.
Andy Ellis
Right. But it's chaos in which you can show up and survival of the fittest. Give them something that actually works.
Amit Megiddo
Right.
Andy Ellis
And get adoption that way.
Amit Megiddo
I like that there's a person in the organization that cares.
Andy Ellis
Yeah.
Amit Megiddo
Maybe it falls down to that. Yeah.
Host/Announcer
Please.
Andy Ellis
Enough.
Amit Megiddo
No, more.
David Spark
Today we're talking about secure by design in the cloud. Amit just referenced it moments ago. But I'm going to start with you, Andy. What have you heard enough about with secure by design in the cloud? And what would you like to hear a lot more about?
Andy Ellis
So when people say secure by design. I've been hearing that my entire career, so I'll be honest. It's one of those. Those phrases that makes me go, ugh, just for a moment. Because almost every time I've heard it, it's somebody who's basically saying, I want to design from scratch. Fresh, blank sheet of paper, I'm going to build the most perfect thing. Rather than saying, how do I design for success? And sit down and I don't have to build from scratch. I've got a lot of tools. We are building on top of the shoulders of not just giants, but also lots and lots of people. How do we implement successfully so that we end up with security. And we don't have to design new security in with every single thing we do because it already exists for us. That's what I want to hear more about.
David Spark
All right, that's a good take. All right, Amit, this is your bailiwick. This is what Native is all about. First, let's start with what have you heard enough about with secure by design in the cloud? And then what would you like to hear a lot more about, and explain what Native is doing?
Amit Megiddo
Again, agree with Andy on this one. Andy, you're good. I've heard enough. Secure by design, right? It's been going around for so long and I think the reason for that is that in any like intuitive, logical, you know, way you think about it, it makes sense, right? What would you rather be secure by design or what's the alternative?
David Spark
Right, exactly.
Amit Megiddo
Not secure by design. So of course that makes sense and that's why we've been hearing about it for so long. I think the gap has always been that as an industry, one, as an industry, we weren't mature enough to actually go there. Right. We moved to the cloud. We first sort of needed to know what can go wrong. It was also easier for vendors to come and build visibility, observability, scanning capabilities that don't add friction to the environment. Gave the security the CISO that, you know, initial feeling of, at least I know what's going on and I can start to manage it. So on the one hand, there's an industry we maybe weren't mature enough. Also tools to allow us to drive secure by design infrastructure weren't mature enough. Right? The cloud providers have been aws, Azure, Google Cloud, Oracle Cloud. We support all four. They've invested heavily. If you look at their roadmap in big announcements from the past year to three years, they're all around secure by design, tools and capabilities to give you or controls and capabilities to drive that. And then three, so the industry's matured the capabilities. The cloud providers give you now the controls to do it. Three, it's necessary now, right? We're now in a world increasingly, you know, this will launch in a while. So maybe by the time this launches, everyone will actually know what the Claude mythos is. Right? And it's not just going to be a leak, but right now we're moving increasingly into a world where the scale and speed of AI augmented attacks, there is no other option. Right. This old approach of let's scan the environment, see what's wrong, open tickets, fix them, is just no longer sustainable. And that's why we sort of reached this conclusion really. Going back to my years at AWS as well, building a lot of the native detection capabilities, right? I helped launch and scale Amazon GuardDuty. My co founder was on Security Hub. 
We saw this from the inside, but then we saw also what good looks like when the more architectural controls are pushed into an environment and what does secure by design look like and how can you build a more proactive cloud security program. The challenge is that it's hard to do, right? Because you going back to that previous what's worse situation, we can now know what good looks like. We can help you map that. But now there's the question of how do I actually push changes into the environment? How do I know what I want to achieve and then translate that into actual cloud service provider architecture and from that cloud service provider architecture translate that into actual enforcement controls that I can deploy in the environment. How do I make sure they're safe to deploy? Right. This is no longer coming from the outside, scanning, pointing at what's wrong. This is driving architectural change into the environment. So we invested a lot in R and D into capabilities to simulate the impact of an enforcement control before you implement it. Is it safe to introduce this architectural change in the environment or not? You now deploy this architectural change in the environment. Is the control I put in place today, is it relevant tomorrow? In a year from now? AWS just launched a new database. Azure just launched a new region. Someone in your organization just needs an exception. Just for a moment here. How do I make sure all of this stays operational, breathing and living over time? All of these are very hard challenges in a single cloud enterprise, let alone in some of the largest enterprises, multi cloud enterprises we're working with in the world today. And that's what we built that end to end platform control plane.
David Spark
Yeah. Let me ask you something. So I referenced Adam Glick being on the show floor, and I remember very soon after I was asking him the question about how many vendors he knows, he said something specifically about drift, saying I would like to know, and it sounds like Native can do this. Correct me if I'm wrong here. He said, I want to know, when I set something up today, six months from now, a year from now, how out of whack is it? Does it give you a clue as to, or are you adjusting for, drift over time? Like, what is Native doing?
Amit Megiddo
100%. Huge problem. Sort of, that secure architecture that went through the review and was deployed today, what changes over time? So first of all, Native monitors for it constantly. Right. So we can identify now how your organization is behaving, if there's new requirements or needs or exceptions. And we will alert, we will sort of tell you about it in real time, as well as monitor the changes from the cloud providers. Right. AWS, Azure, Google Cloud, they all constantly change their APIs and their services. So a big piece of it is sort of that constant bridging of the gap between the policy intent you defined and what actually happens on the ground, in reality and at the API level in the cloud providers.
David Spark
Andy, you know what this is like. It's like using a payroll service provider that tells you what all the local tax laws are so you don't have to frigging deal with it.
Andy Ellis
Yes, absolutely. I have a colleague that used to say if you pave the road, you know it's flat. And the challenge with drift monitoring, the way most people think about it, is it's like pothole reporting. It's like, oh, we're going to go look for the pothole and when we get enough potholes, we'll try to go deal with them. And if instead you say, no, no, no, I will have flat roads, I go pave them every day. And so the moment there's a deviation, you just fix it. It completely changes the experience for everybody else because they're not trying to work around potholes or road crews, they just have flat roads to operate on.
Amit Megiddo
Right. Because when we say drift, it's not another "here's a misconfiguration." It's "here's a change in how the environment is architected to not allow the misconfiguration." You designed it today. You said the environment is now designed to allow the business to move fast within the architecture, one that doesn't allow it to open up the environment to risk. And now what we monitor for is not "is there a misconfiguration or risk?" That cannot happen; the environment is designed to not allow it. What we now monitor for is a change in the architecture of the environment: if all of a sudden it is opened up to allow these sorts of risks into the environment. And then we'll help you. Either you could literally click a button in Native and revert back to the old state, or you could also say this is an accepted new state, but we'll constantly monitor what is happening in reality versus what you defined as what good looks like.
Host/Announcer
Is AI going to help us or hurt us?
David Spark
Is product security about to hit a wall we're not ready for? Cameron W of Teradata framed the issue succinctly on LinkedIn: "If AI can find and fix vulnerabilities in critical open source faster, cheaper and more thoroughly than traditional methods, where does that leave the product security team? In two years, are we still running the same SCA scanners and triaging the same CVE backlogs? Or does the role shift entirely toward governance, AI model risk and supply chain integrity for a code base that's increasingly machine generated?" End quote. So Andy, I start with you. Do you see that happening, and will it be the only way to manage AI-generated code bases? Because they're going to be making a lot of them.
Andy Ellis
I would love to see that world, but I don't think we're headed for that. I think we've got a different disaster on the horizon, and that is, walking the show floor, most vendors at RSA are in application security. The number of vendors trying to tackle this problem in 18 different ways. The problem has never been our ability to find vulnerabilities.
David Spark
No.
Andy Ellis
It has never been the ability to create patches for those vulnerabilities. And it has always been the inability of security teams to get development teams to actually integrate those fixes, for a lot of reasons. Like, SDLCs are really complicated. They do not self-heal. Lots of issues in there.
David Spark
By the way, I will say 99% of these vendors will say, "Oh yeah, we'll connect with your Jira system, we'll connect with this," and you're all doing the same thing.
Andy Ellis
So it's like, right, we'll connect and we'll make it easier for you to issue tickets to a team that's going to ignore them. Flunked out the problem. We had an entire industry space that was SOAR, security operations and automated response; it didn't really go anywhere. Why? Because at the other end of it, nobody trusts security to issue a change and just let that change go out. It has to go through change management that everybody's going to fight. So until we get to AI-managed code bases, we're not going to see a massive change here. What is fascinating, and I was very glad to see when Claude Code did this, when it was like, "Oh, let's go actually find vulnerabilities in open source." I have been yelling this to every vendor out there who claims to do vulnerability research for 20 years: if you think you're great at vulnerability research, please go find the vulnerabilities in open source so we can all learn from them. But that doesn't mean people are actually taking those new versions, or it doesn't mean they're taking the minimal versions that are becoming increasingly available, the "here's only what you need." That's where we need to get to. I don't think we're going to have AI-managed code bases writ large for a while. We'll have AI in charge of code bases, but I don't think they'll be well managed.
David Spark
All right, Amit, I'm throwing this to you. What's your take? It'd be wonderful if all of this was handled automatically. But if we're creating so much machine-generated AI code, something's got to give here.
Amit Megiddo
Yeah, I think, as so often in security, it's back to basics and back to fundamentals, right? Like, the CISO from Amazon, CJ Moses, published a few weeks ago a report about an attack viewed from within AWS that was a single, non-sophisticated actor leveraging AI in practically every part of the chain. It was able, over a very short period of time, to target close to 600 targets. And that's what made the headlines. If you go into the actual blog and you read it, there were targeted organizations that ultimately were not breached or did not escalate to any business impact, and they had the fundamental defenses in place. AI is going to increase, like, amazingly fast. And any gap in your architecture, it will find, and it will find it fast, and it will exploit it. So the question is, do you have the basic controls, the architectural controls, in place to prevent that proactively? I think there was another interesting one. You now have, and this is from the angle of the code driving changes and, you know, agents in your environment, right? This was also, coincidentally, an Amazon case from a few weeks ago where their coding agent drove an infrastructure change, deleted a database table and brought part of their production environment down for 13 hours. Again, so AI is now a threat both from the outside and from the inside. I think again it goes back to: why did we have, I don't know, 10 agents running production changes today? How many is it going to be tomorrow? A thousand? A million? Rather than, again, chasing each one of those, defining what they can do, what they can't do, it's back to fundamentals. In this production environment, maybe just Andy and Amit can delete the production database tables and no one else. Right? And maybe we need each other's approval as well, right? Just in case, Andy, maybe you've gone rogue.
Andy Ellis
I don't think you want me able to delete your production tables.
Amit Megiddo
But so, again, back to fundamentals. How do we architect the environment, put in the right controls, so that both from the outside and inside we're ready for this wave that is already here and coming? And then the speed that it's coming, sort of, I believe it's going down to AI versus AI, right? Like, we need the fundamental controls in place, but they need to be able to adapt at that speed; sort of that mean time to adapt has to go down to zero. If now the threat detection layer somewhere in the world identifies a new attack vector that AI is doing, or there's a new vulnerability that was discovered, then we now need security to be native to the environment. It needs to shift down into the platform, into the infrastructure, so it can continuously adapt and bring that adaptation time down to zero. So it knows now what is the latest way that the AI is going to attack it, and the defenses are immediately put up accordingly. And that's where I think things are going. We need to sort of go back to fundamentals but do everything at AI speed, natively in the environment.
David Spark
Excellent. Well, that brings us to the tail end of this very show. I want to thank Amit and I want to thank Andy, but I also want to thank Amit's company, and that would be Native. Remember, the cloud security control plane for the Enterprise. Amit, I'll let you have the very last word if you have an offer or anything that you would like to give to our audience. And also, for that matter, if you're hiring over at Native. By the way, let me remind everybody that their website is Native security. Go check it out there. Any last words from you, Amit?
Amit Megiddo
First of all, yes, we're hiring across functions. We're growing very fast, and it's an opportunity to work with really some of the foremost experts in this space and with security teams across the most forward-thinking organizations and companies out there. So, big opportunity. We welcome anyone; you can reach me directly on LinkedIn as well. I think it's back to, sort of, you know, we touched on it at different points throughout the show, right, where things are moving very fast. It's about how we adapt to it. I think it's hard for us to predict now what things are going to look like. I think it's that continuous adaptation to this changing reality. And in the end, I think the fundamental shift we're going to see across security, we're starting with cloud, but across security, is that shift down where security is part of the infrastructure, part of the services, part of the platforms where we're building and operating, and that's what will allow us ultimately to adapt quickly enough to this changing landscape. But yeah, it was great being here. Andy, always great to chat, and yeah, thank you, David.
David Spark
Well, thank you very much. And thank you to our audience. As I always say, and I always mean, we greatly appreciate your contributions. And for listening to the CISO Series podcast.
Host/Announcer
That wraps up another episode. If you haven't subscribed to the podcast, please do. We have lots more shows on our website ciso. Please join us on Fridays for our live shows, Super Cyber Friday, our virtual meetup, and Cybersecurity Headlines Week in Review. This show thrives on your input. Go to the Participate menu on our site for plenty of ways to get involved, including recording a question or a comment for the show. If you're interested in sponsoring the podcast, contact David Spark directly@Davidisoseries.com. Thank you for listening to the CISO Series podcast.
Episode: If You Love Cloud Misconfigurations So Much, Why Don't You Marry Them!
Date: May 26, 2026
Hosts: David Spark, Andy Ellis
Guest: Amit Megiddo (CEO & Co-founder, Native)
This episode dives deep into the persistent issue of cloud misconfigurations, exploring why they’re still rampant despite improved awareness and technical capabilities. The hosts and guest, Amit Megiddo from Native, examine organizational, business, and cultural factors that block “secure by design” principles from becoming the norm. They also reflect on lessons from the most recent RSA (RSAC) conference, discuss leadership approaches in security, play the “What’s Worse?” risk game, and consider how AI could radically affect the future of product security.
Scenario 1:
A beautiful security architecture no one follows; looks good on paper, but chaos reigns in practice.
Scenario 2:
Secure projects with no unified architecture; every team implements controls differently, resulting in complex, inconsistent environments.
What have you heard enough about? What would you like to hear more?
Memorable Exchange:
For more info about Native or to inquire about opportunities, visit Native Security and connect directly with Amit Megiddo on LinkedIn.