Want weekly newsletters featuring interviews with security and cloud leaders delivered right to your inbox? Sign up for Cloud Control here.
Kathy Wang, Former Chief Security Officer at Discord, on Raising the Bar on Security
Meet Kathy Wang: former Chief Security Officer at Discord, and former Chief Information Security Officer at GitLab and Very Good Security. In this Q&A, Kathy shares her perspective on building strategic security roadmaps, building top-tier security teams, and navigating incident response in real-time. Take notes as we have a seasoned expert diving into the nuances of cloud security, emerging technologies, and the intricate balance of security and innovation👇
Question 1 💭
Let’s start with a brief background on you. What are some recent wins you’ve had in your role? What challenges in the industry are you most focused on currently? What’s got your attention lately?
Answer 1 🎯
As a CISO, I’ve always focused on how to incrementally raise the bar on security at a cloud-native organization. When a CISO can properly assess, understand the organization’s risks, and build a consensus-driven roadmap for what’s next, that’s considered a good win. The advent of generative AI capabilities recently has presented both challenges and opportunities for CISOs, and has my attention.
Question 2 💭
When building strategic security roadmaps, what are important things to consider for companies at the size and structure of Discord? How does it shift the way you think about cloud?
Answer 2 🎯
Regardless of the size or structure of the company, each has unique risks and challenges. The key is to guide the security team to work in tandem with cross-functional organizations such as engineering, product, finance, etc. so that a comprehensive risk assessment process is developed. This risk assessment must also include cloud infrastructure in terms of visibility in how all of the services and applications are deployed, as well as accesses.
Question 3 💭
As someone deeply involved in building security teams, what specific qualities and skills do you look for when hiring security professionals? What skill sets and technologies are needed for the industry in the next few years?
Answer 3 🎯
Security is highly operational, and it’s good to hire people who have a strong tendency to exhibit bias to action. In every company I’ve been at, security teams are responsible for helping the rest of the company understand security risks, so I also look for people who are willing to communicate those risks. People who are willing to be strong advocates while building consensus will be successful in security roles. These skill sets will apply even in the next few years - I don’t see this changing.
Security is highly operational, and it’s good to hire people who have a strong tendency to exhibit bias to action.
Question 4 💭
Building highly effective security teams is a complex task. What unconventional approaches or strategies have you employed to differentiate your teams and attract top talent, especially when competing with other companies for skilled professionals?
Answer 4 🎯
It is still difficult to find and hire great security professionals. That’s why it’s important to have strategies on not just hiring top talent, but retaining top talent. I’ve found that the best people really value transparency. If prioritized well, transparency will empower security teams to achieve great outcomes, which will then help to attract and retain top talent.
In order to continuously improve or raise the bar on security, it is critical for security teams to avoid operating in a silo. In the past, my teams have been transparent to the rest of the company on our roadmaps and goals, even documenting these items where everyone can view and provide feedback. In this way, we achieve better collaboration from other teams in the organization.
Question 5 💭
Establishing feedback loops is essential for continuous improvement. In your experience, where do you see communication silos or gaps in feedback loops most often? How do these pose challenges further down the line?
Answer 5 🎯
In order to continuously improve or raise the bar on security, it is critical for security teams to avoid operating in a silo. In the past, my teams have been transparent to the rest of the company on our roadmaps and goals, even documenting these items where everyone can view and provide feedback. In this way, we achieve better collaboration from other teams in the organization. Security teams operating in a silo sow distrust within their organizations, and collaboration will be hindered down the line.
Question 6 💭
On the attacker or defender side, what trends, tactics, or emerging tech are you keeping a close eye on?
Answer 6 🎯
There’s been no shortage of recent startups that utilize generative AI capabilities to augment either defensive or offensive security operations. All of this is worth keeping an eye on. It is a rapidly evolving landscape, and will continue to rapidly evolve for the next 2-3 years, at least.
Question 7 💭
What are some unique pains or insights that gaming and social platforms like Discord face when it comes to remediating vulnerabilities or responding to incidents?
Answer 7 🎯
The first step is to ensure the right level of observability to detect the incident. Next, the security team needs to deploy tooling and processes to quickly and accurately assess the impact of the incident.
Incident response processes are nuanced depending on whether the organization is primarily B2B or B2C. For example, the former will require contractual notifications to impacted customers, while the latter will have other considerations, such as privacy laws by country of the impacted users. Either way, the common thread will be to quickly and accurately pinpoint the impact of the incident. The first step is to ensure the right level of observability to detect the incident. Next, the security team needs to deploy tooling and processes to quickly and accurately assess the impact of the incident. Finally, the process includes optimal processes to respond to the incident. Stop the bleeding first, then figure out how to mitigate the vulnerability. Better yet, deploy tooling and automation to empower the organization to not make the mistake of introducing the vulnerability to begin with wherever possible. All of the above needs to be part of a CISO’s roadmap to reduce security risks.
Question 8 💭
As a startup advisor, you have a front row seat to the latest innovations, but also the latest challenges founders are facing. What are some interesting ways you’ve seen founders navigate obstacles with your advice?
Answer 8 🎯
I really enjoy working with early-stage startups. Most of the founders really listen and take to heart advice from CISOs. The last 1-2 years have been challenging for startup founders, due to the economic downturn. Most CISOs have had to deal with reduced security budgets and/or reduced staffing. I have advised founders to keep all of this in mind - if the product can help to scale or automate a leaner team, or help CISOs with justifying security spend, that’s a big win-win.
Question 9 💭
With your dual role as CISO and investor, you have a unique vantage point. What considerations should cybersecurity founders keep in mind when engaging with investors?
Answer 9 🎯
CISO investors think differently than most VC investors. The former will have detailed knowledge of operational security principles, and will be able to quickly pinpoint whether the product is going to solve a real problem or if it is more of a “solution looking for a problem”. Don’t spend too much time setting up to talk about the problem - if it is a real problem you’re trying to solve, we already know, and you’ll waste a lot of time preaching to the choir, rather than talking about the details of your solution.
Question 10 💭
As a leader in the security industry, what initiatives or projects are you currently excited about? How do you see them contributing to the advancement of cybersecurity on a broader scale?
Answer 10 🎯
I’m always excited to see security products that find a way to either scale and automate security teams, or empower peers to security teams (e.g., engineering development) to easily make the right choices in their workflows. Surprisingly few companies do all of that very well - it’s important to create secure practices workflows that are going to be the easiest path for everyone to implement. Otherwise, people will work around the security team, which none of us want to happen.
Latest AWS and Azure Updates You Don’t Want to Miss
- Amazon EKS introduces simplified controls for IAM cluster access management
- Amazon Cognito user pools now support the ability to customize access tokens
- Amazon Aurora PostgreSQL now supports RDS Data API
- Cloud Services (classic) deployment model is retiring on 31 August 2024
- Dedicated clusters in Azure Monitor logs now support any commitment tier
Top Articles and Resources of the Week
Articles
- Apple Issues Patch for Critical Zero-Day in iPhones, Macs - Update Now
- Cryptographers Just Got Closer to Enabling Fully Private Internet Searches
- Microsoft Falls Victim to Russia-Backed 'Midnight Blizzard' Cyberattack
- Data Privacy Week: How to Gain Consumers’ Trust Around Personal Data Use
- Security Experts Describe AI Technologies They Want to See
Resources
- Major Cloud Security Events and Conferences: Opt-in to this resource to receive updates on events and conferences in cloud security. Meet like-minded cloud-security professionals from around the globe to learn, exchange ideas, network, and more.
- Top 50 InfoSec Networking Groups to Join: Join these top 50 associations, LinkedIn groups, and meetups to stay ahead of the curve on all things InfoSec.
- CIS Benchmarks: The Center for Internet Security (CIS) is a fantastic resource for initiating, implementing, and upholding a robust cloud security strategy. Access their detailed benchmarks tailored for AWS, GCP, Azure, and more. For a deeper understanding, explore the CIS Controls Cloud Companion Guide.
- SANS Practical Guide to Security in the AWS Cloud: In collaboration with AWS Marketplace, SANS introduces an in-depth guide tailored for AWS enthusiasts. Whether you're a novice or an expert, this extensive resource delves into the intricacies of AWS security.
- Security Best Practices for Azure Solutions: Learn key security practices tailored for Azure solutions and understand their significance. This comprehensive guide offers insights into developing and deploying a secure Azure environment.