Scott Reynolds, the Senior Director of Enterprise Cybersecurity at ISACA, brings his expertise and extensive background in the field of cybersecurity to a fireside chat hosted by John Richards, Head of Developer Relations at Paladin Cloud.
With a distinguished career encompassing security roles and a breadth of experience across multiple industries, Scott offers insights into navigating the challenges and opportunities of digital transformation.
John: Hello, I’m John Richards, Head of Developer Relations at Paladin Cloud. And I’m really excited today to get to talk to Scott. So, let me bring him over on here. Scott Reynolds is the Senior Director of Enterprise Cybersecurity at ISACA. Scott, thank you so much for joining us today.
Scott: You’re welcome. Glad to be here.
What led you to ISACA?
John: I’m glad we got a chance to talk to you. I was looking a little bit at your history, what you’ve done before. I see you’ve been a CISO at some startups. You’ve got quite the security history there. I’d love to hear a little bit about what led you on that journey and how you ended up over at ISACA.
Scott: Yeah, so a little bit about me. I’ve kind of been involved in the manufacturing, health care, fintech industries over the course of my career, various different roles all the way from, you know, database admin, engineer, DevOps engineer. And I found that really over the time, everything, you know, had a little tendril in security. So, what I felt was in every single role, I still had involvement in maintaining security, helping grow it, you know, make sure that as we evolved, you know, we were doing it in a secure manner. And really over the course of time, because of this kind of convergence of security and technology, which really are synonymous now, I found myself leading and building security teams as a fundamental part of, you know, managing IT operations. And eventually evolved into, you know, CISO roles and haven’t looked back since.
John: Awesome, I love it. So can you give us just a quick overview of what kind of ISACA does for anybody who’s watching who’s not familiar with them?
Scott: Sure, ISACA is a membership association. We develop both frameworks and certification tests for risk and compliance and security individuals. We have certifications that focus on information security management, auditing, privacy, risk. So those who really want to grow their skills and experience, we offer a lot of education, a lot of informational webinars, and some interesting frameworks, such as COBIT, to help everyone on their journey to make things more secure.
What has digital transformation looked like for you?
John: That’s awesome. Well, thank you all for providing those services. So, you’ve kind of been in cybersecurity and in just, you know, the cloud for quite a while with these different roles that you’ve been in. And I’m sure across that time, you’ve had to deal with this idea of digital transformation or organizations moving over to the cloud. So I’d love to hear a little bit about what that journey’s looked like for you at organizations that have dealt with that and kind of what that looks like at ISACA.
Scott: Yeah, so I think it really kind of looks different with every organization depending on how rapidly you adopt new technology, how long you let things, in an unsupported or legacy state. But I really think that most of the transformations that I’ve seen are driven by, you know, just new and better technology. Because the world is constantly evolving, you know, cars are. You know, same example of cars. Cars are no longer fully assembled by humans, right? So we’ve introduced automation, robotics, electrical testing for QA and validation. And it’s really helped reduce the amount of time and effort it takes to build a car. Same for technology is that, you know, what was good 10 years ago may not be the optimal state for today, especially for remaining as nimble and agile as you can be as an organization. Also, some organizations do it for, you know, cost optimization. Cloud technologies are a perfect case of that. We used to use a lot of datacenter-centric hardware, where not only did you manage the servers but also the network. Now, because of cloud technologies, it’s really abstracted some of that and made the entry and the barrier a little bit smaller for new organizations to take their great idea and turn it into a business.
John: What are the things you’re thinking about from like a security perspective as that shift happens? Like what new challenges kind of arise and maybe is easier?
Scott: Yeah, I think really the first things that come to mind for me is just as you evolve and, you know, transition from legacy to new, both stay parallel running, right? The first thing that comes to mind is just your attack surface. Being able to manage the old, but also integrate the new. But with new also comes more complexity, more security rules. Good example is cloud security: while it’s great for onboarding and just getting stuff up and running, they do have this concept of shared security where they manage infrastructure, they manage the storage. But really the IAM, access management, the network configuration, ingress and egress traffic from the network are still your responsibility. And as you evolve to that and add more and more cloud providers, more integrations, it becomes much more complex.
Scott: There’s also more data transference. So a lot of data privacy and compliance requirements there, especially as the world evolves with GDPR, which everyone hopefully now knows. It is, you know, regulation that puts a lot more power and control of individuals’ data in the hands of the consumer and the individual. And the US is following suit with other acts, such as the California Consumer Privacy Act. Also, along with that is just threat detection. As you evolve, the ability to really understand how your events are being collected, you know, the new system may not be compatible with the old. So it’s really just kind of focusing on the lift and shift, and you know, hopefully not changing the engine on the airplane at 50,000 feet. But, yeah, really just being able to adapt to the times and understand what you’re trying to protect.
How can organizations get visibility of their attack surface?
John: So with that, you bring up some really great points there. What do you see organizations doing or what are you doing to help kind of get visibility into that attack surface, get visibility into that, you know, dealing with the threat and risks out there that are going on?
Scott: Yeah, I think it’s a good question because, again, I go back to the data center where it was very easy to go in and inventory your servers, inventory your network, inventory your application servers. With the advent of virtualization, it made it a little bit more difficult but still maintainable. However, with the cloud, it becomes a little bit more difficult. Right? Because you not only have multiple regions. You also have multiple applications. You have multiple services. You have different levels of access privileges.
Scott: So me personally, the first thing I always do at any new organization or any time I’m asked this question is, you know, “What are you trying to protect?” And I think it really starts with just building an inventory of assets. Really understanding “what are you trying to protect?” because if you don’t know it or if it’s shadow IT you can’t really do anything about it. I mean, based on that, probably my next step would probably be looking at, you know, looking at the individual assets and understanding, you know, what is the risk? Is it running as an unsupported system? Is it on the, you know, demilitarized zone of the network? Is it internal facing? What are the risks and what are kind of the baselines that I need to enact to ensure that the system is as secure as possible? After that I would probably look at the network perimeter, you know, what does the external attack surface look like? What services am I exposing externally? What does the traffic from internal, external look like? And a relatively new part of kind of digital transformation for me and just kind of I think the industry in general is, you know, really leveraging third parties for, you know, their expertise. So as part of kind of, you know, digital transformation in the cloud, it’s really made it a lot easier to take this great idea and really disrupt the industry without having a full team to manage all the infrastructure. But as part of that, a lot of the applications now leverage a lot of third-party integrations, and making sure that you have a full understanding of all those relationships is really fundamentally important on ensuring the security of your customer’s data as well as your infrastructure.
How can organizations understand the efficacy of their efforts?
John: I really love that inside-out approach. So many people are kind of used to that perimeter and we’ve been hearing like perimeter security is so hard, but I love this idea of like starting with what you want to protect and then working out towards that perimeter instead of the reverse. Really good advice there. Thank you. So as you’re looking at doing all of this, what are the kind of metrics that you’re looking at to see the efficacy, like how successful this is being for teams? Are there any specific metrics you look towards when you’re kind of gauging if that approach is succeeding?
Scott: I think it really kind of depends on what your focus is. I mean, a security program is not just one thing. It’s a slew, you know, making sure that you have vulnerability management in place, making sure you have incident response plans, making sure you have business continuity. But focusing more on just, you know, technical security, I mean, you could look at the number of incidents being generated, you could look at the frequency of changes that are happening within your infrastructure. The more changes, the more likely that maybe something’s going to be accidentally introduced. Also looking at vulnerabilities, you know, how, or also amount of traffic, traffic spikes externally up rapidly. Maybe someone is trying to brute force or maybe you’re just doing a big release and people are starting to use your system more. I also think, really as part of that too, and this goes along with inventory management and assets, is just conducting security audits, because it’s great to know what you’re protecting. But unless you really audit and make sure that they are performing adequately, that the configuration specs are working as intended, it’s all for naught, right? It’s just, hey, I know I’m gonna have an issue and I’m just waiting instead of taking the proactive step.
Scott: I think also just working towards business continuity and incident response exercises is kind of extremely important. Because if ever there is an issue or misconfiguration, the ability to quickly take that system down and replace it with something that mimics it is extremely important versus spending time trying to determine why. It’s kind of like trying to find a needle in a haystack. It’s easier just to replace that haystack with one that you know doesn’t have the needle. I think also with digital transformation, it comes really to security awareness and training. As things change in the organization, and this also adapts to policies and procedures, really being able to socialize that to the organization goes a long way. Making sure that, you know, the ship is moving smoothly. It’s kind of like being in a sailboat. Everyone knows their job and if one person, you know, doesn’t tighten the jib, everything else kind of falls apart and you miss the wind. So I think that’s important. Vulnerability management is another huge one. And then on top of that is just, you know, threat intelligence and making sure that as you’re moving and shifting the network and moving and adding new systems that you really understand how traffic is moving in this network as well as, you know, what is an anomalous event versus a standard event within your system.
What have you seen work to improve an organization’s security culture?
John: Yeah, that makes a lot of sense. And I also like that you called out both the auditing and the training aspects because sometimes it’s easy to get caught up in just tools and technology but there is such a kind of cultural component of this. We often talk to groups who say, we’ve set a policy that, you know, we’re going to remove something or that we won’t allow this to happen. And then, whenever they actually go and investigate, when they do an audit, they find out, oh, everybody had good intentions, but it only happened about 50% of the time or something along those lines. And then you mentioned like training and pieces as well. There’s a lot of knowledge piece that needs to come in here. So, beyond the tech, as we start to think about like creating a security culture at an organization and the term DevSecOps gets bandied about at times, but there’s been this challenge where it feels like there’s DevOps and then maybe that’s at odds with the security team. What are some ways that organizations can really have better partnerships between those teams or just increase the idea that security isn’t a single team’s job, but is really everybody at the organization should be aware of this?
Scott: Yeah, and I think it really depends on kind of the structure of your, you know, particular organization. I’ve been in organizations where you clearly have a specific delineation between security and operations. You also have organizations that have kind of the site reliability engineer kind of methodology. But really, fundamentally, it just comes down to collaboration. In my mind, it doesn’t really necessarily matter how the teams are structured as long as everyone understands their role. Going back to the ship analogy. But really, more fundamentally than that, do you have kind of leadership commitment to make things as secure as possible? Because I’ve been in organizations where everyone wants to be secure, but no one’s willing to spend the money, or the resources, or their time. And I think in order to really, you know, walk the walk and talk the talk, it needs to come from the organization’s leadership, to understand that, you know, there is risk involved in disclosure of, you know, your customer’s data. For some organizations that’s a company-ending scenario. A lot of companies have had that happen to them and they are no longer existent. I really also think, along that, is kind of expectations, policies and guidelines.
Scott: Making sure that everyone really understands their role and what the rules of engagement are. Without policies, anyone can play the game the way they want. And the way I’ve kind of explained to my team and just the organization that I’ve worked with in the past is, you know, the policies are essentially how to set up the game, and kind of put those guardrails on what the expectations are. And the guidelines and procedures are really how you play. And it’s making sure that everyone is on the same playing field and really understands what to do. And really also you don’t want to make security a one-time thing. So continuous improvement is extremely important. You should strive to, you know, recognize that you have a deficiency today. But tomorrow you’ll fix it, right? Don’t just say, hey, we’re never gonna get to it. Always strive to improve and make things better. I mean, that’s, to me, kind of how to really promote that culture. If you follow all those tenets in collaboration, naturally everyone kind of develops that DevSecOps process mindset. Then it’s easier to actually implement the, you know, shift left, introduce technology earlier in the cycle. But everyone has to be on the same page and really supportive of each other in order for that to succeed.
John: Yeah, that seems really helpful. I love that idea of, I mean, because collaboration is so important for these teams, is to realize they’re not at odds and that everybody’s working towards that same goal. So, thank you for that. Thank you so much for coming on here talking about this. I know ISACA is doing a lot of really exciting stuff over there. Can you share a little bit about what people can be looking forward to, what they should be kind of checking out here in the coming months?
Scott: Yeah, so, I mean, as I mentioned before, ISACA, we are an international organization. We have different chapters in each major city. So, I encourage anyone who wants to network, learn more, to really find another group of individuals who are like-minded and really focused on security and compliance and risk, to look one up. On our website, isaca.org, we also are working on a digital trust ecosystem framework with the idea of focusing on ensuring that not just systems trust each other but also the human component and the culture aspect aligns, because computers can’t really do much without humans currently. It’s not to say in the future that’s not the case, but that framework is in process now. So, we have a lot more commentary and webinars on our website. And I really encourage everyone to take a look. Try to learn a little something here and there.
John: Absolutely. And we’ll make sure the link is included down below if you wanna check that out. Thank you so much, Scott, for joining me here today. I appreciate it. I’m John Richards from Paladin Cloud. We’ve got an open source, security as code, free repo on GitHub, go check it out, give us a star. Thank you so much for watching, and we look forward to the next time we get to interact. Thanks, everyone.