The Evolution of Security Leadership in the C-Suite

A conversation with Chris Rothe, Co-Founder and CTO of Red Canary

Security has become a strategic priority for nearly all organizations today; however, that wasn’t always the case. In this Security Leaders interview, we talk with Chris Rothe, Co-Founder and CTO of Red Canary, to get his perspective on how security leadership has evolved in recent years.

Listen in as Chris sits down with Clarke Rodgers, Director of AWS Enterprise Strategy, to share his thoughts on everything from the role of security in the C-suite, to hiring security talent, to securely leveraging generative AI in the enterprise.

Meet Chris Rothe, Co-Founder and CTO of Red Canary

Digital experiences that build customer confidence

Clarke Rodgers (00:09):
Chris, thanks so much for joining me today.

Chris Rothe (00:11):
Absolutely, thanks for having me.

Clarke Rodgers (00:13):
If you'd be so kind, just tell me a little bit about your background and your role at Red Canary?

Chris Rothe (00:17):
I'm the CTO, co-founder of Red Canary. We're in the detection response space. Before founding the company, I worked in satellite data processing, which is “collect a lot of data and apply interesting algorithms.” And then the things that are interesting, put them in front of analysts to make decisions, which incidentally is very similar to something we do in cybersecurity.

Clarke Rodgers (00:39):
Since you've been in the cybersecurity industry for quite some time, we often joke that the CISO used to be kept in the basement and now the CISO's in the boardroom. How have you seen that evolve?

Chris Rothe (00:49):
The biggest thing I think is it's gone from being a technical role to a much less technical role and much more political role, critical to be the advocate for security across the organization and build security into the culture. Additionally, for folks like us who have SaaS platforms, it's also a very customer-facing role in making sure that customers have trust that we're protecting their data.  

Defining the business value of security

Clarke Rodgers (01:16):
When you talk to customers in your role, how do you articulate the business value of security?

Chris Rothe (01:21):
At the end of the day, business risk is all about financial risk. That takes different shapes depending on what industry you're in. If you're in financial services, it's about your reputation and making sure people trust you with their money. If you're in manufacturing, or healthcare, or something like that, it's operational risk to make sure that your machines still work and people stay alive in the healthcare scenario.

And so that's really what it's all about, is if you can get to the point where you're talking about money and then how do we actually reduce the risk on a per dollar basis, those can be really successful conversations.

Sometimes that's not what folks want to talk about. They want to talk about the technical aspects and how do you help me reduce the number of security incidents I have, and things like that in sort of our world. And that's great too. Ultimately, those things all tie back to dollars and cents at some point.

Clarke Rodgers (02:06):
So internally at Red Canary, how do you increase the efficacy of the security team and make sure that that lone developer cares about security and is thinking about security in his or her day-to-day life?

Hiring, training, and building security culture at Red Canary

Chris Rothe (02:22):
It’s extremely important to us. As a security company, we're sort of held to a higher standard. So, it's important that everybody in the company cares about the security of our business and our customers’ businesses. Some of the things that we've done over the years in order to make sure it's native to everyone's role, in our software development lifecycle, we have product security specialists who are part of every scrum team. So, they're in their part of the sprint planning, part of the upfront planning. It's not like, "Hey, we're going to put a design together and then go ask security if it's okay." They're there along the way. So that's a really fundamental piece of it.

The second is making sure that security checks and static analysis, or whatever else we're going to do, is native to where the developers live. It's integrated into the CI/CD pipeline. Don't think twice about it. You just got to get all those things to pass before we merge the code. And that sort of meets developers where they are, and it's sort of a non-event most of the time.

Clarke Rodgers (03:17):
It's pretty universal that it's hard to find security talent. So you either have to hire it, or you retain it, or you train it. What are some of the strategies that you used at Red Canary to really sort of bolster the strength of your security professionals?

Chris Rothe (03:31):
So, we aim for security professionals in our team not to have to just do repetitive, “undifferentiated” heavy-lifting, to use an AWS term.

Clarke Rodgers (03:40):
Sure.

Chris Rothe (03:40):
Not have to do that for more than about 60% of their day. If they're spending more than 60%, that's sort of the magic threshold where they start to get bored of the repetitive nature of that work. And so, we do that through tooling and building out automation that they can use, we do it through looking for repeat patterns and building — whether it's ML, AI, etc. — building tools to do that undifferentiated heavy-lifting for them so that they can focus on things that are more interesting.

How to leverage generative AI while minimizing security risks

Clarke Rodgers (04:09):
You mentioned tooling and automation. Generative AI is all the rage these days, right? How do you think about it both as a security practitioner, meaning “How am I going to manage the risks of using this?”, but then also as a business owner and looking at the advantages that it can bring you? Could you talk a little bit about that?

Chris Rothe (04:31):
From the risk standpoint, I think where we started our journey was “Let's make sure we have the right protections in place so that we're not using content that was created by an AI that we're unclear about who owns it.” And so, we've put some guardrails in place to deal with that.

But generally speaking, we want everyone across the Red Canary team using generative AI in a way that makes sense for their roles. Whether you're a sales person and you've just had a great call with a customer and you need to put together a follow-up email, let's make that faster and make the quality of that communication better. Because ultimately, that's better for the customer and better for you, because it took you five minutes instead of maybe an hour. So that's been our approach, is to make sure that everyone can use it in a safe way.

But I think we're early in that in terms of learning “What are the pitfalls?” and “What are the challenges associated with that, what type of legal things are going to come up over the next several years as it relates to generative AI?” In terms of how we're using it specifically in security, the co-pilot construct or idea is one that we're really a big fan of.

For years we've sort of thought of our security platform as... This is kind of a silly analogy, but kind of the mech warrior suit, where we can put a relatively normal soldier into this crazy machine with rocket launchers and they can run faster and jump higher, and all that kind of stuff. And generative AI gives us some great new tools to take that even further and kind of figure out, how do we make that investigation process faster, more complete, more accurate, ultimately so that we find and stop threats sooner?

So those are some of the applications that we're looking at. The big challenge in security, ultimately, is there's not enough people to go around. And so that's why it's so important the work that AWS does in terms of making the platform more secure and the services more secure, inch by inch, mile by mile. And then outside of that world, it's important that we leverage the fairly scarce resources we have in terms of security professionals and don't burn them out on toil. Give them tools that allow them to do great things.

Security considerations when using multi-cloud

Clarke Rodgers (06:42):
In a similar vein, you speak to lots of customers, and many of those customers are using more than one cloud. How do you advise them around the security aspects, the challenges that may be there of securing multiple clouds?

Chris Rothe (06:58):
Generally speaking, we try to push an agenda of “Let's make sure you have the same set of controls and same understanding of data and access across whatever platforms you're using, be it cloud, be it on-prem.” That's sort of a baseline layer. It's like let's just make sure we know who has access, what they have access to, and how we're going to know if something bad happens.

Clarke Rodgers (07:21):
And I imagine their security outcomes should be the same as far as what they're defining?

Chris Rothe (07:25):
Absolutely. And if you can't get to that outcome with a particular cloud platform or something else, maybe that's a point to challenge it and consider whether we should be using it or not. If security isn't fundamental and isn't possible in the way that it should be for that sort of baseline set of controls, why is it in your architecture?

And those are hard conversations because people put a lot into their strategy associated with multi-cloud. But I think ultimately making sure that we just understand what controls need to be in place and how, ultimately, we're going to find the bad guy, is the starting point. If you can't answer that, then we need to rethink our architecture, or strategy.

Clarke Rodgers (08:07):
That's a great perspective. So Chris, thanks so much for spending time with me today.

Chris Rothe (08:12):
Thanks for having me. Appreciate it.

Chris Rothe
Co-Founder & CTO, Red Canary

Chris co-founded Red Canary in 2014, leads technical strategy, and has built many of the tools and teams that Red Canary uses to acquire and serve customers today. Prior to co-founding Red Canary, Chris led software development teams and architected large data-processing systems for the defense and intelligence community.

Clarke Rodgers
Director, AWS Enterprise Strategy

As a Director of AWS Enterprise Strategy with deep security expertise, Clarke is passionate about helping executives explore how the cloud can transform security and working with them to find the right enterprise solutions. Clarke joined AWS in 2016, but his experience with the advantages of AWS Security started well before he became part of the team. In his role as CISO for a multinational life reinsurance provider, he oversaw a strategic division’s all-in migration to AWS.
