A
Welcome to Cyber at the Top, a podcast from RSAC that unpacks real experiences, lessons learned and practical strategies from CISOs at some of the world's leading organizations.
B
The pace of innovation is moving quickly, and today's cybersecurity leaders are right in the middle of it. Beyond defending their organizations, CISOs are also shaping the future of technology. In this episode, we'll explore how security leaders can help guide innovation while still protecting the enterprise. What role should CISOs play in evaluating emerging technologies? How can they work more effectively with startups? And what does it take to build productive partnerships between the security community and the innovation ecosystem? To help unpack these questions, I am thrilled to be joined by my friend, the amazing Nasrin Rezai, Senior Vice President and CISO at Verizon. Nasrin brings a unique perspective on how CISOs can influence innovation, from evaluating early stage companies to building long term relationships with emerging vendors. And I have to mention that Nasrin has been an incredible foundational part of the Innovation Sandbox competition at RSAC. Nasrin, it is so great to have you here. Thanks so much for being here. Welcome to the show.
A
Thank you so much for having me. I'm very excited about this next hour.
B
Me too. Well, let me start with the basics. Can you start by telling us a little bit about your role?
A
Of course. So, as you described, I run cybersecurity at Verizon, so that effectively means protection of over 90 million of our consumers, some of the large enterprises who run on the Verizon network, the global government customers we have, and of course customers across the industry sectors who leverage Verizon as the resilient network so that they can do what they do. That includes our products, our services, our AI strategy. I'm also the executive sponsor for the AI-first strategy for all of Verizon. So it's an exciting place to be, and crazy and challenging at the same time. I've been at the company for almost six years in August. That's the role.
B
Oh my gosh, that's incredible. What an amazing estate, which is Verizon, but also having cyber and AI. How do you personally define innovation today?
A
I separate it out, Hugh, and you and I have had conversations about this. Really, the definition for me is the word practical: it is the practical application of an invention that has a business value, an outcome that somebody is willing to pay for because it drives change, it brings risk down for me as a CISO. So if I look at it from the innovator's side, and you talked about Innovation Sandbox, for that innovator it is about having found a niche, being able to build it, building an innovative product, to your point, and making money from it in the next, ideally, 12 to 18 months. From a CISO perspective it needs to give me something I don't have, something that I can do better, something that would either reduce or eliminate friction in my universe, and ultimately also I am willing to pay for it. And it's really that balance of the practical application of an innovation to these two dimensions that I will call innovation in cyber.
B
I love that definition, because of just the phrase that you used, eliminate friction. Obviously you're used to thinking about, and people think about, reducing risk. The combination of risk going down and friction going down at the same time. What role should a CISO play in bringing innovation into their organization? How do they do that?
A
As you know, and you've been in this space for a very long time, CISOs have always been at that intersection of innovation and change in cyber. You know, with virtualization, mobility, cloud. We've always been there, and I think we're at an intersection of time and place, a combination of what I call really the massive escalation of nation state threat actors who are outsourcing us, outnumbering us, out-funding the entire industry sector. And even in the very short period of time we have seen in the last year or two, and even in the last six months, if you agree with some cases that we've seen, like with the cloud compromise or things that we're seeing, is that with the AI-generated threats, CISOs now have to take a strategic enabler seat. They've always done it, but it was always a little bit combined with "no, you can't do it." Now you have to be at that front seat and ask ourselves the question: how can I do it in a safe sandbox method so that I and my organization are also at the forefront of this? A number came out recently, especially with AI-driven attacks: from recon to exploitation is down to 28, 29 minutes. So as a CISO now you have to look at innovation to also bring your time down. Right? So it is a strategic enabler. It's a strategic enabler in terms of a mission-based defense, and it's a strategic enabler in terms of running effective cyber operations.
B
That is a sobering stat. I'm just trying to soak that in, 28 to 29 minutes. The way that you describe it, CISOs need to be at the forefront of innovation. And you're right, they have been for a really long time. But it's amazing how it's being thrown into the spotlight, especially with numbers like that. There are so many cybersecurity startups that have gotten funded in recent years. How do you identify which emerging technologies or companies are worth actually paying attention to?
A
So I think one of the things that good cyber organizations do on a regular basis is to analyze what they have as part of their strategic planning and what they need to bring to the organization. That scanning sometimes fits into the architecture and engineering function, or it could be different parts of the organization. We scan the landscape and we look at these innovative companies and say, back to the first comment I was making, which pain point are they removing for me, right? And would that give me like a 5 to 10x return, or just scratch my itch a little bit, you know what I mean? So that's number one. Number two, we do a ton of networking with our peers. So we ask the question, hey, what are you using? I have this particular issue, how are you closing the gap? So networking with peers is the second dimension. The third dimension is we have very major partnerships, right? Every CISO has partners that they trust. I do the same. And then I ask, let me look at who they are partnering with. Have they, even early on in their innovation thinking and life cycle, gotten the attention of some key partners in that space? The other dimension that's really important is that we're getting smart in the CISO organization, and especially as we're shifting to building AI platforms, maybe fortunately or unfortunately for these startups, we're building a platform where we want these startups to be rip-and-replace if we don't like them. So if that's the conversation, what do they have? What is their secret sauce? If I look at 10 of them and all 10, with some variation, are the same technology, do they have a data strategy? Do they have an architecture that they bring to the table? Are they integrating with my platform in a way that makes them irreplaceable?
So that's another dimension that these companies need to think about. And then another one in terms of identification, as we think about it: are these technologies getting a foothold in multiple sectors? Not just financial, not just this. So if we're hearing from our peers or multiple tech sectors that they can meet the need, then they have really thought through the problem statement that they're trying to solve. So those are some of the dimensions of how we identify some of these companies.
B
Nasrin, I love how you phrase that. I don't think I've ever heard those insights crystallized in that way. I'm just putting myself in the seat of a startup founder, for example. What you just said is that CISOs are actually evaluating: look, this thing, we think it's going to address a pain point, but we don't know, we're going to try it. And we're designing our architecture and our system so that if it doesn't meet the needs, it's coming out. That's such an important thing for a startup to have in the back of their mind. It keeps them on their toes. It also says they really have to deliver, and they need to deliver quickly. That's very, very interesting. And I'm wondering, how do you then balance the need for innovation with risk management and operational stability? Is it through the use of this kind of platform that you're talking about that really allows agility?
A
Multiple additional things come into that. So number one, take Verizon. The ultimate challenge for us at Verizon is if we innovate too fast, we impact the network that our customers run on. If we innovate too slow, we miss the boat on the business, right? So it's really a delicate balance. So in that scenario, as we look at these innovations or, you know, startups, we look at it from a lens of risk, a risk tiering structure. For example, you know, we are in the business of: you have wireless service from Verizon, so what you care about is your customer experience and your billing, right? And then number two, you want the wireless network to be up always, always 100%. So that, in my risk tiering, is zero tolerance and highest stability. And so in that, if I'm experimenting with technology, the way I go about it from a risk perspective is a little bit different versus a beta test, which could be with a customer but is a smaller scale. So that risk tolerance changes. And as a result of that, my governance model also changes. What do I mean by that? If we are experimenting with an innovative company in my zero tolerance threshold, my exit criteria is a gate. But if I am having a threshold in the other categories, then maybe it's more of a guardrail, and the guardrails are still automated. We're trying to get more and more away from humans doing that, but we're still not there 100% with it. But the governance element of that categorization is equally important. Right. So that's the dimension that I'm thinking about. And the other one is that as we're thinking about how to test resiliency and stability, you really need to take some of what I call the chaos engineering construct into practice: really test it out not just in your really isolated sandbox, but maybe test it out and break it during low network time, which is hard to do in my universe, but still be able to simulate real world failure and be able to deal with that.
But again, with that, I have low tolerance for it on the network and wireless side of the house, but maybe in some other applications. And probably the last mention I would say to you that is very important from a risk management perspective, and it's something that I think over time CISOs and CISO organizations are getting better at, is to really make our risk management strategy threat informed. Not just an esoteric notion of risk. But is it exploitable? Is it actually something that my sector is dealing with now? What is my tolerance to experiment knowing that the threat is at my door and it's being exploited? The dimension is a little bit different. So it's a combination of all of those elements that constitute the thinking around innovation and a resilient environment: the risk tiering, how you govern it, how you think about testing it. And lastly, truly, that risk management strategy being threat informed.
B
With that well thought out strategy, I've got to imagine that you see more cybersecurity startups than almost any CISO on the planet. Everybody wants Verizon because it's a marquee logo for their company, and it kind of anoints them. And then you're also a part of Innovation Sandbox and a judge there. And so you see all of these new companies that are coming in all the time. What's been your experience working with cybersecurity startups?
A
I think it's the first one. I think you and I agree, and we've experienced very clearly during the Innovation Sandbox judging period: if you get on my calendar, have a decent demo. Show me slides? Not really, no. You just got on my calendar, show me a decent demo. That's number one. Number two, they need to understand my business model. They need to not speak about their output, but about my outcomes. Right. And so that's number two. They also need to not just speak to the cost that they bring to me, the opex or capex of the software they're selling me, but what would be the additional integration costs I have to deal with? Do I have to bring additional resourcing into the picture because I don't have the skill set? So that's an additional dimension. I think probably the third dimension is that these days almost every startup talks about "I enabled this and I enabled that." It needs to move past the AI assistant model, and it needs to be agentic. So you need to really go from alerting to resolving an action. And lastly, and this is probably so fundamental and so basic, and you would think that security software would be good at this, but be enterprise ready. If I pen test your software, there are API security issues and access management issues, and just some of the basic stuff that is critical for the resiliency of a company at our scale and size is sometimes not present. So I would say those are the dimensions that definitely make a startup stand out.
B
Oh, that's great. And you're right, it is incredible how many times a startup comes in and then a company that has the resources of Verizon, for example, goes and actually tests it or looks at those API calls and they're like, what are you doing? Right. Is this going into my environment? Okay, so let me try and imagine myself as a fly on the wall when somebody has managed to get a half hour slot with you. Okay, so I'm a startup. For months I've been trying to get your attention. I now have my time. You said I'd better have a demo. Okay, so I'm going to come with a demo. What would make that startup stand out to you during that half hour call that they got on your calendar?
A
Those elements: they understand my problem, they have actually developed something that touches me, and they can, like, I recently, I can't even remember who it was, I met with a company very similar. The demo was so relevant to us. Relevancy, right? And then they truly said, they understood our stack, and they basically said very honestly, let me tell you, because they know I ask every startup, what will you replace? They said, I'll tell you, what we're bringing to the table right now will not replace anything. But here is what. Honest feedback. You know what I mean? Don't sugarcoat something that you know. So it's just that understanding of my business, really having thought through my pain points and being able to articulate them. I go, you know, that's a use case, and those are critical use cases that they're putting on the table. And then you say, yeah, I'm willing to experiment.
B
Okay. Okay. So you've laid out kind of the prototypical good example. I'm sure you've seen some other ones. Aside from their software being Swiss cheese and full of potential vulnerabilities, what do startups often misunderstand about selling to enterprise security leaders?
A
Having the sales guy talk, versus having the technical people who actually understand the space tell us exactly what this will do. It's really, really important. It's really a combination of the elements I talked about. Everybody puts their report out and they show us, here's how much my software can detect. I'm over it. Detection doesn't do much for me. What else can you do for me? It's really understanding some of the trends that are happening, some of the pain points that I'm experiencing. You giving me yet another UI with yet another set of outputs, not an outcome, just outputs for more detection, doesn't solve my problem. And then you try to understand the company, so you say, okay, what are you doing in this other space? And then they say to you, well, that's not my department, I'll bring somebody else. Okay, then you wasted my time.
B
Let's say someone hits the right points during that initial discussion with you, maybe you have a couple of other discussions, your team has discussions with them. What's the next step? How do you structure pilot programs or proof of concepts with these emerging vendors that you find interesting?
A
So I think number one, the responsibility is on us, which is defining the success metric, right? What are the killer use cases that we want to go after? What is the success metric? And that's number one, because a lot of times they have a perspective on their product, what it can do, and they want to drive to those use cases. We need to start with: got it about your product, here is what I want to test. Number one. Number two is again bringing back the risk management and the resiliency construct. How will we test, and what environment would we test in? Is it going to be maybe a basic logic test with synthetic data, or do I have to have a VPC that fully simulates production but cannot write to production? And at some point I need to do some scaled production volume testing, and I need to really have those criteria. For example, in our AI workstream we are really working with some of these very innovative companies in terms of how they can combine voice and audio and content to bring it to a really, really low threshold of human-scale interaction versus an AI interaction. Can they give that to us through these different solutions that they're offering to us? So that's number three. I think in terms of the structuring of the pilot, Hugh, as I said, don't just test what they're asking for or what they're suggesting their technology can do, but also test what I say: corner cases, edge cases. Make sure that you also do integration test cases. Right. And also probably the most important thing, especially in a very, you know, resilient environment such as ours: what's the kill switch? What would that method be in my environment? So get your thinking about your use case, really clear criteria for the dimension of the output that you're looking for. Make sure that you test out all the critical use cases. And then lastly, what exactly is the exit? Because we have done this at Verizon, and I think many, many of us are guilty of this.
We pilot and we kind of go to production, but we never go to what was our go/no go. If I structure this for the dimension I described and I went to production with it, have I really thought about my scale? Is this the product I want? So that exit criteria and the go/no go is not just a financial dimension. For example, I'll give you an example. I was just reviewing a risk assessment from my team, by way of example, not that I'm singling this out, like a cloud desktop solution for some of our engineering teams. And there is the cowork feature inside the cloud desktop that allows these autonomous agents to run tasks on your behalf, so they can ultimately automate so much of what you can do. Love it, check. But there are still some elements of that that we have to work out. And it's not all about cloud. Some of it is about our architecture and how we need to bring that together. So for me, success, but only X number of users. And since the backend of this particular desktop was against our Google environment, through the workspace I can control the number of people that can get onto this. So sometimes you have to think about this. Have they fully met all of your use cases? What is that go and exit criteria? You still want to be innovative. So yes, let X number of people experiment, let them get value. But in the background, then you close all these other items. Then at some point you say, yeah, this is ready for scale.
B
That's great, because you've then got a clear framework ahead of time, and you know, when things are sober, before you've actually run it, what are the criteria that would make me want to further expand this, or to actually hit the switch where it really becomes integrated at scale. And I'm wondering, I'm assuming at some point in that journey you're looking at these different vendors and you're kind of making a decision. Maybe it's not a hard decision, but it's a feeling that you have. Is this going to be a transactional vendor for me, or is this a place that really is strategic to me, that I want to build a long term relationship? And if you put it into that long term relationship category, what advice would you give to CISOs to build a productive long term relationship with those vendors that you think, these are the ones we're going to grow with?
A
You sensed that early on, to your point. And then of course the POC and the experimentation show that. Remove roadblocks from them. I mean, at Verizon we are guilty, guilty, guilty of our sourcing processes. If I brought you a brilliant idea, I should not have to wait three months for contracting. Write a pilot contract for me with the exit criteria, and then do another one. I think for us it is how do we, internally to our structure, make that sourcing relationship an easy one, the contracting relationship and boundary an easy one. We sometimes give them a 450-question questionnaire for a long term relationship when all they want to do is a proof of concept with us. So if we want to be agile and fast and do these experimentations fast and get it to our platform fast, and if we want to kick them out fast, then we need to do our part. And I said we are guilty of it as much as any other. So I said to my team recently, as part of our AI-first effort, we need a different set of contracts. We need a different set of criteria for that initial experimentation and sandboxing versus the long term contract. So I think we can do that. Two, for the CISOs, it's be ready, be ready on your end. Back to the elements of what I described earlier. Know exactly what you're testing, and then once you see the value with this. And actually many startups come to us and they want to give us everything we want, and sometimes that's not a good answer. If they really truly understand their architecture and the second and third generation of their product, they need to be that advisor to us. I can do this, but here is what you're missing in the process. And sometimes if you sense those strategic partnerships, and we have had those relationships with a few of our partners, then you listen and you build those partnerships.
It's so interesting with our security business at Verizon, the reverse: we would regularly meet with the CISOs of companies for which we do either managed service or EDR or whatever, and the CISOs would say to us, don't listen to my people, you know best. You have given me a product that's solving my problem. Challenge us if what we're asking doesn't make sense. So sometimes, in the process of meeting the needs of large enterprises, some of these innovative companies water down the capabilities of their product and what it needs to become. So that's a balance. But if I see a partner that really methodically works with me through this, and on my end I facilitate how that sandboxing can occur, that could very well become a very, very long lasting relationship. And then I am willing to work with them through their growing pains, and, okay, I'm here, but now I'm making a switch to this area, check, you know, why don't you develop it? I give you the idea, we do some of that together.
B
I love that, because that's both advice to the CISOs, like removing roadblocks, make it easier for them to contract, allow them to come in. But then you're also saying to the founders, and even folks that you're working with, even established vendors, be honest with you, because a lot of what I read between the lines of what you're saying is real trust and relationship building. Like, tell us how we're not using the full capabilities of your product. For example, you know your environment better than anybody, but we know our product. Let us learn even more about your environment and help us help you. It's a true two way street. I love that. It's a great roadmap for both. And so then if you look ahead, how do you see the relationship between CISOs and the startup ecosystem evolving? Do you think it's going to change dramatically from what it is now, or do you think we're going to continue down the current path?
A
If you look at the AI space, right? You and I both know, because we look at these every year, we get how many? 200, 250, 300 of these. And you look across and you see many of them really bringing the same value proposition to the table, just in different shapes and, you know, how they're bringing it. So I think as we move forward it is going to be those startups that can combine this notion of something in their secret sauce that makes them sticky, shift forward, more agentic and less alerting, more resolving, and using reasoning to solve my problem. I think if you ask most CISOs, they want to change their cyber defense structure, and current tooling does not allow that. So how do we solve for that? And so we're going to see a lot of that. The other element that you and I didn't talk about, that's an interesting discussion that sometimes pushes us not to experiment early with startups, is the pace at which incumbents are catching up.
B
Yeah, tell me about that.
A
So what I mean by that: if you asked me a year ago what set of AI solutions, in terms of design or build or runtime, I would want to experiment with, I would look at certain ones because the incumbent, the existing tech stack that I already used, didn't have these sets of capabilities. Now we're getting to a stage and a place where incumbents are catching up much faster. I ask myself the question, like for example in our detection of shadow AI, do I need yet another platform that takes what my CrowdStrike and my proxy did? No. They're getting good at what they're doing, I'm getting good at what I do, so I don't need to create these extra layers of analytics that create more complexity. So if you keep bringing solutions for me that are the role of the incumbent, but you want me to pump my data into your environment, and by the way you have AI-enabled it, so cha-ching, cha-ching in terms of my total cost of ownership, you need to really think about that. So I think it's this coming together of faster innovation in incumbents; we're going to see these layers that are more of just pure integration of existing technology to solve a particular problem losing their value over time.
B
And do you think that that innovation from the incumbents, from the bigger players, are you seeing a lot of it organically within those players or is it through M and A?
A
Both. But you and I know it's mostly M&A. Yeah, which is completely fine. Right. Some of these startups that you and I look at just position themselves for that acquisition. So that's a clear strategy. If you have that, that's good. So then, going back to one of the criteria that we talked about earlier, I look at it and go, who would they be a good candidate for partnership and integration with? Right. So that kind of also comes into that positioning.
B
Okay, I've got two last fun questions for you, and for this one I can't wait to hear what you're going to say. I have no idea what you're going to say. What is one innovation or trend that you're super excited about right now, of anything that's going on? What's your favorite? What are you most excited about?
A
CISOs are under tremendous pressure with what's happening in the world. Again, I use myself: I do not see, in any possible shape or form, the pressure that we're feeling and the complexity of the matters we're dealing with and the geopolitical dimensions of what's happening around us changing in a way that would make the burden of cyber less. It's just this escalating factor, right? So, I mean, if you look at the data, most cyber organizations are still nicely sourced and funded, with variation, some years 2% up, some years 5%. But we're still funded. But the reality is that the way we operate is still very, very human intensive. And so what excites me is a rethinking, and I talk to my team about this, and sometimes they worry about this. They go, are you replacing me? I said no, you're replacing the part of your job that you don't love doing. And as part of that, how will you do that so that we keep pushing up and up and solving more complex problems for our company? So what excites me is any kind of direction toward more agentic, autonomous defense, where I really can look at an attack and say cyber criminal, nation state, analyzing the behavior, taking those patterns, putting them together, looking at my environment and my footprint, and being able to go from what 10 people or 20 people do for me today to resolution. And sometimes, Hugh, this is easy for a company that's 100% cloud native, but not for companies like mine that have a very large on-prem presence, that have a very large network presence with physical routers and switches. So a world where we can simplify that in both detection and prevention. It's the time that I buy to respond to an attack, not to prevent it, but to reduce time to lateral movement so I can respond adequately to it. It's a big challenge we're dealing with. And I don't see the pace of technology and innovation, especially in the AI space, reducing.
I don't see nation states not getting more and more sophisticated in how they use AI, either for malware creation or, you know, from recon to exploitation. And then businesses are under massive pressure to transform and change. So it is not this open checkbook, right? So we need to do more and more and more with less and less and less in a world where the threat is escalating.
B
I love it. It's the innovation that enables and unlocks the talent that you have inside of the organization to be even more effective and bring their best skills to bear. Yeah, that's awesome. And a final question for you. If our listeners who are cyber leaders take one lesson about working with innovative companies from this discussion, what would it be?
A
Get your house ready to be in a position to identify them, leverage them quickly and fit them where they absolutely need to fit in to solve your major problems. Facilitate that, take an active role in that.
B
I love it. And I love the phrase "get your house ready." And Nasrin, just on a personal note, I can't thank you enough for being here, and just the talent and acumen that you bring to this cybersecurity space in general, and the fact that you're so generous with your time to share that with others, is inspiring. I really, really appreciate it. And listeners, thank you so much for joining in. Please keep the conversation going in our RSAC membership platform by visiting onersac.commembership and be sure to check onersac.com for new content posted year round. Nasrin, this is amazing. Thank you so much and I can't wait to see you soon.
This episode explores the evolving and critical role CISOs (Chief Information Security Officers) play at the intersection of innovation and cybersecurity. Guest Nasrin Rezai, CISO at Verizon, shares practical strategies, lessons learned, and her experience in evaluating and working with cybersecurity startups, particularly as organizations contend with rapid technological innovation and advanced threats (notably AI-driven). The discussion covers how CISOs can drive both risk mitigation and reduced operational friction, best practices in vetting and adopting emerging technologies, balancing innovation with operational stability, and forging high-value, long-term partnerships within the security and innovation ecosystem.
“It’s an exciting place to be and crazy and challenging at the same time.” (A, 02:51)
"The word 'practical' is the practical application of an invention that has a business value, an outcome that somebody is willing to pay for... something that would either reduce or eliminate friction in my universe and ultimately also I am willing to pay for it." (A, 03:16)
"With the AI-generated threats, CISOs now have to take a strategic enabler seat... you have to be at that front seat and ask ourselves the question: how can I do it in a safe sandbox method so that I am also and my organization at the forefront of this?" (A, 05:45)
“If I look at 10 of them and all 10...are the same, do they have a data strategy? Do they have an architecture that they bring to the table? Are they integrating with my platform in a way that make them irreplaceable?” (A, 09:03)
“If we innovate too fast, we impact the network...if we innovate too slow, we miss the boat on the business, right? So it’s really a delicate balance.” (A, 11:41)
“Be enterprise ready. If I pen test your software… sometimes they’re not present. So I would say those are the dimensions that definitely make a startup stand out.” (A, 17:28)
“Don’t just test what they’re asking for... make sure that you test out all the critical use cases. And then lastly, what is exactly exit? Because... we never go to what was our go no go.” (A, 24:05)
“We need a different set of contract… for that initial experimentation and sandboxing versus the long term contract.” (A, 28:07)
“If you keep bringing solutions for me that are the role of incumbent but you want me to pump my data into your environment and by the way you have AI enabled it… you need to really think about that.” (A, 34:41)
“What excites me is any kind of direction toward more agentic autonomous defense...where I really can look and attack and say cyber criminal nation state, analyzing the behavior, taking those patterns...from what 10 people or 20 people do for me today to resolution.” (A, 38:16)
“Get your house ready to be in a position to identify them, leverage them quickly and fit them where they absolutely need to fit in to solve your major problems. Facilitate that, take an active role in that.” (A, 41:17)
This summary is designed to provide the practical essence, strategic frameworks, and real-world advice discussed, perfect for busy cybersecurity and innovation stakeholders.