[00:00]
Nick Selby
You know, they're never a cop when you need them, but.
[00:01]
Nick Selby
But if there is, they didn't understand what to do with the breach.
[00:04]
Nick Selby
And that was like, well, how hard could it be?
[00:06]
Nick Selby
I asked, and then I found out.
[00:08]
Nick Selby
So I went to the police academy, worked doing.
[00:12]
Nick Selby
Doing cyber investigations.
[00:13]
Nick Selby
I mean, I started in patrol and do it like, But.
[00:15]
Nick Selby
And then in 2018, I went to the NYPD, where I was the director of their cyber intelligence and investigations for the Intelligence Bureau.
[00:26]
Viktor Petersson
Welcome back to another episode of Nerding out with Viktor today.
[00:29]
Viktor Petersson
Today I'm joined by Nick Selby.
[00:30]
Viktor Petersson
Welcome, Nick.
[00:32]
Nick Selby
Hey, thanks a lot, you.
[00:33]
Viktor Petersson
I got to know you through mutual friend Chris Swan, who's been on a previous episode, that you've done some work with before.
[00:38]
Viktor Petersson
And most recently, I bumped into you at 44CON, where you gave the keynote speech, and I was so.
[00:45]
Viktor Petersson
Yeah, I was so impressed by your talk there, because I actually, like, this would be a great podcast episode.
[00:50]
Viktor Petersson
There's so many nuggets of wisdom in that episode that I kind of wanted to, like, take that and turn that into an episode and chat more about that.
[00:58]
Viktor Petersson
So.
[00:58]
Viktor Petersson
But before we dive into that, you have a fascinating backstory, and I'll just give people kind of backstory of like, who's Nick and what do they know?
[01:07]
Viktor Petersson
Before we dive into the nitty gritty details of the lovely nerdiness.
[01:15]
Nick Selby
World's weirdest resume.
[01:18]
Nick Selby
I started out, weirdly enough, doing sound, and I worked in television and resumed recording, and then I got into the.
[01:30]
Nick Selby
To the.
[01:31]
Nick Selby
Really into the security field and in physical security and then into cybersecurity in the late 90s.
[01:38]
Nick Selby
In 2004, I established the Information Security practice at 451 Research, which is now S&P Global Intelligence.
[01:47]
Nick Selby
And I went out on my own in 2009 as a consultant.
[01:51]
Nick Selby
And then I quickly gravitated to incident response because there's no politics in incident response.
[01:57]
Nick Selby
It's like it's either it's popped or it's not.
[02:00]
Nick Selby
And that was quite good.
[02:04]
Nick Selby
I got into law enforcement in 2010 mainly because I was doing incident response, and I could never find one. There's never a cop when you need them, but if there is, they didn't understand what to do with a breach.
[02:15]
Nick Selby
And that was like, well, how hard could it be?
[02:17]
Nick Selby
I asked, and then I found out.
[02:19]
Nick Selby
So I went to the police academy, worked doing cyber investigations.
[02:23]
Nick Selby
I mean, I started in patrol and do it.
[02:26]
Nick Selby
And then in 2018, I went to the NYPD, where I was the director of their cyber intelligence and investigations for the Intelligence Bureau.
[02:35]
Nick Selby
Soon after that I was at Paxos and did a stint at Trail of Bits.
[02:42]
Nick Selby
Worked with Evertas, which is crypto insurance.
[02:45]
Nick Selby
And then a bunch of us who were doing professional services at Evertas spun it out.
[02:50]
Viktor Petersson
Very cool.
[02:51]
Viktor Petersson
So, before we dive into kind of like where I think we'll spend most of the talk today, around AI, I'm really curious about what you kind of alluded to before, which is about your stint at the NYPD and kind of working in law enforcement.
[03:05]
Viktor Petersson
And that must have been a bit, it must have been an interesting journey.
[03:10]
Viktor Petersson
Of course.
[03:11]
Viktor Petersson
So, like, how shocking was that shift from working in the private sector to going into, I guess, state-owned, state-operated, where there are bigger resources but also a lot of bureaucracy? And yeah, walk me through, like, that transition for you.
[03:30]
Nick Selby
You know, I was really lucky because I was able to keep one foot in both camps for a long time.
[03:35]
Nick Selby
So for several years I was just, you know, part time doing stuff.
[03:38]
Nick Selby
Then I, then I was more into like organized retail crime investigations and things like that.
[03:46]
Nick Selby
And then the NYPD obviously was full time.
[03:48]
Nick Selby
Then I went back after I left that into part time again.
[03:51]
Nick Selby
The, the shock, actually it wasn't all that shocking.
[03:59]
Nick Selby
Really, the thing that's the biggest difference is what you just sort of said: resources, there are none.
[04:07]
Nick Selby
And nobody wants to vote for a tax increase to get the cops better computers.
[04:11]
Nick Selby
And if you take a look at, like, I crack up when I see a cop show and they're doing computer stuff.
[04:17]
Nick Selby
I mean a law enforcement computer is a, you know, is a nine year old laptop with a black screen and white, all capital letters.
[04:25]
Nick Selby
And it's like, it's literally reverse compatible to simple telex over radio.
[04:33]
Nick Selby
And I listened to a lot of assumptions that people make about the kinds of things even at the NYPD and the Intelligence Bureau, which is, it is very well funded, but still the toys don't really exist.
[04:47]
Nick Selby
And I don't get to see the kind of things that, that people think I get to see.
[04:53]
Nick Selby
But what I also found was really interesting.
[04:58]
Nick Selby
New operational requirements.
[05:01]
Nick Selby
We can never throw anything out ever.
[05:04]
Nick Selby
You have to document absolutely everything.
[05:06]
Nick Selby
You have to write.
[05:07]
Nick Selby
Everything is a report.
[05:08]
Nick Selby
Everything, every report is public record.
[05:10]
Nick Selby
Everything you do is public record.
[05:13]
Nick Selby
And you know, I was an early proponent of body cams on all officers.
[05:17]
Nick Selby
I did for a number of years with Professor Peter Moskos from John Jay College of Criminal Justice.
[05:22]
Nick Selby
We did a thing called Quality Policing, a podcast where we would just go through things that happened during the week and talk about, you know, was this proper?
[05:32]
Nick Selby
Did they, are they protecting people or are they abusing their authority?
[05:36]
Nick Selby
Was that a legitimate use of force?
[05:39]
Nick Selby
And questions like that.
[05:40]
Viktor Petersson
I guess you must have had an interesting vantage point, because, I mean, particularly with the rise of Chat Control in the EU that's transpiring right now, with all these.
[05:52]
Viktor Petersson
You see the polarized view of law enforcement wants access to everything and there is no privacy whatsoever.
[06:01]
Viktor Petersson
How has working, coming from tech, where people tend to be more privacy oriented, into the police world, where, yes, I guess it's completely polarized, where you basically, for good reason, often want to have full access to data.
[06:17]
Nick Selby
Right?
[06:17]
Viktor Petersson
How has that shaped you?
[06:18]
Viktor Petersson
Because that must have been like completely polarized, right?
[06:25]
Nick Selby
The one order that I actually refused, and my boss was kind of like, I'm not sure you get to refuse.
[06:33]
Nick Selby
I'm like, well, I just did. It was around the FBI position on encryption backdoors.
[06:41]
Nick Selby
And I thought it was manifestly dumb and unworkable.
[06:46]
Nick Selby
And I got the real feel.
[06:48]
Nick Selby
Look, I can understand there is an argument and especially because.
[06:53]
Nick Selby
And now I'm on the board of a charity that does anti-human-trafficking work, and we help law enforcement locate trafficked children and rescue them.
[07:06]
Nick Selby
And you know, there are very few things that I think are not good tools to use for that.
[07:14]
Nick Selby
And the privacy part of me is like, well, you know, that's really not true.
[07:19]
Nick Selby
When government gets grabby, especially, yeah, Chat Control, like putting in things that are looking through and breaking encryption, I am dead set against it.
[07:28]
Nick Selby
And I, and I always have been.
[07:29]
Nick Selby
This is a consistent position for me.
[07:32]
Nick Selby
I'm not against, I'm not against body cameras.
[07:34]
Nick Selby
As I said, I am absolutely against throwing away.
[07:37]
Nick Selby
A lot of people are like, well, you know, you should throw away the video after you use it.
[07:40]
Nick Selby
Really.
[07:41]
Nick Selby
I know of a lot of people who have been sprung from US prisons 30 years on because a piece of DNA evidence was discovered that, you know, that was exculpatory.
[07:51]
Nick Selby
What evidence should we throw away?
[07:53]
Nick Selby
Like, there's inculpatory and exculpatory evidence and it's on video.
[07:57]
Nick Selby
You want me to throw that away?
[07:58]
Nick Selby
What else should we throw away?
[07:59]
Nick Selby
The answer is it's dumb, right?
[08:00]
Nick Selby
But like I, I support, for example, automated number plate readers.
[08:07]
Nick Selby
I understand that's controversial.
[08:08]
Nick Selby
I understand the privacy concerns about Flock cameras and things like that. With decent controls,
[08:15]
Nick Selby
I think that reasonable people can find a middle ground.
[08:21]
Nick Selby
It's very difficult when the public and the police don't share the kind of trust that you would want them to share.
[08:27]
Nick Selby
And that's, you know, that's on both of those.
[08:30]
Viktor Petersson
Like, there was news today that Ring is kind of moving into the same domain as Flock.
[08:35]
Viktor Petersson
Right.
[08:36]
Viktor Petersson
And yeah, I'm so familiar with, like, that's so that law enforcement can essentially access private cameras.
[08:41]
Viktor Petersson
All right.
[08:42]
Viktor Petersson
And I, I think the biggest criticism there is that the.
[08:47]
Viktor Petersson
We hear from people in the tech world is, yeah, it's great when there is a level of opt-in and a level of, like, you can access data from this date and point in time for this particular reason.
[08:59]
Viktor Petersson
But the problem is when you have, like, the Palantirs of the world who just consume everything, and then, like, you don't.
[09:06]
Viktor Petersson
If you're.
[09:07]
Viktor Petersson
You, like you lose completely control.
[09:08]
Viktor Petersson
And it might be fine for the current government, if you agree with that state or the government, but what about the next one after?
[09:16]
Viktor Petersson
Right.
[09:17]
Nick Selby
Yeah, yeah.
[09:19]
Nick Selby
And I think the other problem that happens is there's a sort of bundling and conflation of these different technologies.
[09:27]
Nick Selby
Right.
[09:28]
Nick Selby
So we can talk about.
[09:30]
Nick Selby
And then there's.
[09:31]
Nick Selby
There are, there are in fact double standards.
[09:33]
Nick Selby
I'm not a big Palantir fan, but yeah, it will gather a lot of things and synthesize a lot of data and do visualizations.
[09:40]
Nick Selby
And so I don't think it holds a candle to ChatGPT and I don't think it holds a candle to some of the things that we voluntarily do.
[09:47]
Nick Selby
I don't know of any individual law enforcement surveillance technology that could even come to 5% of the pervasive surveillance of Meta, you know. But on the other hand, when you see procedural errors.
[10:07]
Nick Selby
I was having a chat the other day with somebody who works on the privacy side against law enforcement on these things, and, you know, go back years, and some of the things, you know, I know that if I've got a facial recognition hit, it says right on it, like, this is not probable cause to arrest.
[10:28]
Nick Selby
Right.
[10:29]
Nick Selby
Is it in fact reasonable suspicion to have a chat?
[10:33]
Nick Selby
Yeah, I think it is.
[10:36]
Nick Selby
If we find that the procedures are not being followed and I'm using that as an opportunity to go and talk to somebody and sort of use it as a pretext to arrest them.
[10:45]
Nick Selby
I think that's just completely wrong.
[10:47]
Nick Selby
But I also think that having worked on, you know, child sexual abuse, material investigations, Internet crimes against children, sometimes I want to know exactly where that guy is right now, and I want to find him.
[11:00]
Nick Selby
And so things do have to be balanced, and we have to have individual conversations that are greater than talking points that are.
[11:08]
Nick Selby
That are willing to dive into the fact that a lot of these things are dual use.
[11:11]
Nick Selby
And, yeah, there's a good side and a bad side.
[11:13]
Nick Selby
How can we find.
[11:15]
Nick Selby
How can we find systems to.
[11:17]
Nick Selby
To hold people accountable and.
[11:19]
Nick Selby
And truly measure what people are doing?
[11:21]
Nick Selby
Not what they could.
[11:22]
Nick Selby
What they're.
[11:23]
Nick Selby
What they're actually.
[11:23]
Viktor Petersson
I mean, there's no doubt that I think the vast majority of people would be absolutely.
[11:29]
Viktor Petersson
For arresting these people, 100% right.
[11:33]
Viktor Petersson
I don't think that's controversial whatsoever.
[11:34]
Viktor Petersson
The controversial part is, like, the creep of that.
[11:38]
Viktor Petersson
Like the blast radius of that.
[11:41]
Viktor Petersson
And that's the tricky part.
[11:42]
Viktor Petersson
Yeah.
[11:44]
Nick Selby
I was at a conference.
[11:46]
Nick Selby
This is probably, I don't know, eight or 10 years ago.
[11:49]
Nick Selby
And it was myself and somebody from the Brennan Center, and we were talking about automated number plate readers.
[11:57]
Nick Selby
And somebody in the back said, well, you know, I said, well, how is that different from me just sitting on the street writing down your license plate and then running it?
[12:06]
Nick Selby
And he said, look, if you're doing that, I understand that.
[12:08]
Nick Selby
That, you know, there's no expectation of privacy on the street.
[12:13]
Nick Selby
But when you're doing 3,000 a minute, now suddenly there's a chilling effect on association.
[12:18]
Nick Selby
And I'm against that.
[12:19]
Nick Selby
I'm like, well, you know, that's a really great point.
[12:20]
Nick Selby
And at the other end of that continuum, that very morning, and it was true, that very morning, we were searching for a guy who was wanted for a bunch of child sexual abuse material.
[12:32]
Nick Selby
And the US Marshals Fugitive Task Force was helping, and they used number plate technology.
[12:37]
Nick Selby
They found the guy in a motel about 40 miles south of the city, and they arrested him.
[12:41]
Nick Selby
So he was in jail at that very moment.
[12:43]
Viktor Petersson
Right.
[12:43]
Nick Selby
That's the other end of the continuum.
[12:44]
Nick Selby
Somewhere in the middle, we've got to find controls, and nothing's all evil and nothing's all good.
[12:50]
Viktor Petersson
We could probably spend the entire episode speaking about this because it's something that I'm very interested in diving into.
[12:55]
Viktor Petersson
I don't want to derail the conversation.
[12:56]
Viktor Petersson
We actually had a pipeline for today's show, and maybe that's a future episode.
[13:00]
Viktor Petersson
What I really want to talk about.
[13:02]
Viktor Petersson
Today is kind of like the keynote you gave at 44CON, but by the way, shout out to Adrian and the people at 44CON.
[13:07]
Viktor Petersson
Fantastic conference.
[13:08]
Viktor Petersson
If you haven't been.
[13:10]
Viktor Petersson
Oh yeah, I was really interested in what you talked about there, because one of the big talking points you had at the conference in the keynote was around the Drift and Salesloft story.
[13:22]
Viktor Petersson
Right.
[13:23]
Viktor Petersson
For people not familiar with it.
[13:24]
Viktor Petersson
Maybe we can recap that real quick because I think there are so many lessons to learn from that story right.
[13:29]
Viktor Petersson
In the era of AI.
[13:30]
Viktor Petersson
So if you don't mind recapping, like, what happened and kind of, like, yeah, diving a bit into that.
[13:39]
Nick Selby
Drift.
[13:39]
Nick Selby
Drift is one of those chatbots that goes on websites and pops up and you know, offers you the ability to, you know, hey, do you want to talk to somebody in sales?
[13:47]
Nick Selby
I can, I can get your calendar, you know, answer a few questions.
[13:49]
Nick Selby
Where, where's your company?
[13:51]
Nick Selby
How big is your company?
[13:51]
Nick Selby
That kind of thing.
[13:52]
Nick Selby
Okay, we've got the right account executive.
[13:54]
Nick Selby
They're free Tuesday at 12.
[13:55]
Nick Selby
Do you want to do it?
[13:56]
Nick Selby
Click the thing.
[13:57]
Nick Selby
And now you've got a calendar invite.
[13:59]
Nick Selby
And, and that is valuable.
[14:01]
Nick Selby
One of our customers said that they got more high intent leads from that than from any other channel.
[14:10]
Nick Selby
Now that's super powerful.
[14:12]
Nick Selby
Right.
[14:15]
Nick Selby
When you think about that, what do you need to connect to that?
[14:19]
Nick Selby
It's a little bit surprising then that when.
[14:22]
Nick Selby
So Drift is owned by a company called Salesloft.
[14:24]
Nick Selby
Salesloft has a couple of these AI tool kinds of things, and they got hit, and they had a pure cyber breach.
[14:36]
Nick Selby
From what we can tell from the company's public statements, just a pure cyber breach.
[14:40]
Nick Selby
It was, you know, it was some insufficient authentication and access control.
[14:44]
Nick Selby
Looks like they didn't have two-factor, or it's unclear whether two-factor was universal or required.
[14:50]
Nick Selby
There was, there was clearly.
[14:51]
Nick Selby
And we can only infer because their communications weren't that great.
[14:55]
Nick Selby
They were, they were a little bit vague.
[14:56]
Nick Selby
But we can infer from things that they said that there were hard-coded secrets in their source code repositories.
[15:02]
Nick Selby
We can infer from what they said that they had customer credentials in production servers, perhaps not in secrets management, perhaps.
[15:10]
Nick Selby
Right.
[15:10]
Nick Selby
We don't know really.
[15:12]
Nick Selby
But the blast radius of users of Drift turned out to be pretty big, because, you know, you'd think just having a thing to check the calendar, it would probably just be talking to, you know, your Google or your Microsoft calendar, but in fact it was also hooked into Salesforce Cloud.
[15:31]
Nick Selby
It was hooked into a number of different data repositories to get context, right?
[15:35]
Nick Selby
Have we seen this person before?
[15:37]
Nick Selby
Do we have a relationship with them?
[15:38]
Nick Selby
Who did we talk to last time?
[15:40]
Nick Selby
Are there any open cases?
[15:41]
Nick Selby
So they had access to that.
[15:44]
Nick Selby
And the more we looked, the more we found that there were tentacles into this and providing information into this AI tool from all over.
[15:54]
Nick Selby
And the last thing is that it was a lot of companies: there were more than 700, maybe even more than 750 companies that got hit by this.
[16:03]
Nick Selby
A lot of the big guys got hit.
[16:05]
Nick Selby
Cloudflare got hit.
[16:07]
Nick Selby
A lot of people did and they wrote about it.
[16:08]
Nick Selby
But for the mid-sized companies and the smaller companies, who might not have considered the implementation and monitoring and data loss prevention and other tools that they could use, this was a pretty big surprise, because they were like, wow, this is a great tool.
[16:24]
Nick Selby
It does a really good thing.
[16:25]
Nick Selby
Let's just take their advice and hook it up to everything.
[16:27]
Viktor Petersson
But yeah, your take on this, of course, is so important.
[16:33]
Viktor Petersson
Which is, like, the second you sprinkle AI over something, we kind of throw all the common wisdom and learnings we've had over the last 20 years or 40 years,
[16:45]
Viktor Petersson
as far as security goes, out the window, like, well, AI will solve it.
[16:49]
Viktor Petersson
So therefore like security doesn't matter.
[16:51]
Viktor Petersson
Right.
[16:53]
Viktor Petersson
And I think that's what's so interesting here, right, because a lot of this is already a solved problem, right?
[16:59]
Viktor Petersson
We don't really, like, if you think about an AI agent, there's nothing really new there in terms of security.
[17:06]
Viktor Petersson
The attack vector might be slightly different, but how it accesses data and access controls and all those things, those are solved problems.
[17:13]
Viktor Petersson
We've already solved those long time ago.
[17:15]
Viktor Petersson
Right. But I'm curious about how you think about that.
[17:17]
Viktor Petersson
Like, when you are going into companies today and working with companies, how are you advising them to kind of, like, think about these AI tools, when oftentimes there is a top-level board mandate, like, oh, we have to sprinkle AI over everything, because otherwise we're gonna lose out and whatnot.
[17:37]
Viktor Petersson
Right.
[17:37]
Viktor Petersson
But in terms of, like, threat modeling and all those things that kind of are part of common best practices, how are you advising your clients when you work with them to kind of think about these things, to kind of, well, bring them back into the real world and not, like, the magic fairy dust of AI?
[18:00]
Nick Selby
Well, all right, so, yes, but we have to begin in the real world, right?
[18:04]
Nick Selby
So if I have a widget company and I've got some competitors, the chance that one of my competitors is not using AI is increasingly low.
[18:14]
Nick Selby
Right?
[18:15]
Nick Selby
If they are using AI and they are getting the kind of results, remember I said you have more high-intent leads than any other channel.
[18:21]
Nick Selby
So there are certain things that AI is doing that in fact are increasing velocity, increasing sales volume, increasing pipeline.
[18:28]
Nick Selby
And once your competitor is doing it, there is, I mean, real pressure from your board of directors, from your investors.
[18:36]
Nick Selby
So that is the real world.
[18:38]
Nick Selby
And it's true that a lot of times the senior executives, the chief executive, might not be entirely familiar with what the benefits are, but they know of some, and the ones that they know of are enough to get them really saying AI the everything.
[18:53]
Nick Selby
Right?
[18:53]
Nick Selby
So that's real world, and it's important also. Wendy Nather says that she likes to call it software, because when you say AI, it tends to enchant and ensorcel people.
[19:04]
Nick Selby
And, like, as soon as you say those letters, people believe that it's doing magical things.
[19:11]
Nick Selby
I'm going to say that one of the really hard problems that I've had, by the way, is I don't really see a lot of sort of AI security.
[19:21]
Nick Selby
A lot of the stuff that people talk about with AI security is really kind of advanced stuff.
[19:31]
Nick Selby
And you know, I'm not suggesting, I'm not pooh-poohing it at all.
[19:33]
Nick Selby
But what I'm saying is most companies are looking to understand how do I do this safely?
[19:41]
Nick Selby
They're starting kind of on the back foot because they're really not clear.
[19:45]
Nick Selby
They hear that it's OpenAI, it's Anthropic.
[19:47]
Nick Selby
These are very big companies with hundreds of millions of dollars in funding, which makes it sound like every other enterprise software company, and it's not.
[19:55]
Nick Selby
But, but it sounds like that, right?
[19:57]
Nick Selby
And so they kind of look at this as an enterprise software purchase, and it's very difficult for them to find. It's really easy to find people who tell you why you should do it.
[20:09]
Nick Selby
Very few people to tell you how to do it safely.
[20:11]
Nick Selby
So the governance is becoming really very important.
[20:15]
Nick Selby
What we're now recommending for people is, like, write down your business goals and the anti-goals, like, what do you want this thing to do and what do you not want it to do?
[20:24]
Nick Selby
Let's make sure that actually, you know, the kind of AI that you're talking about is the right thing to do.
[20:30]
Nick Selby
But, like, write down these goals and see how you are going to measure its success.
[20:35]
Nick Selby
How are you going to know if it's working?
[20:37]
Nick Selby
And in some cases, like the sales pipeline chatbot, it's really easy.
[20:40]
Nick Selby
In another one, like, hey, let's turn over some of our customer support to this thing and it'll answer the most commonly asked questions.
[20:47]
Nick Selby
And you might not know it, but everybody's getting angry.
[20:49]
Nick Selby
Or it might make things up, right?
[20:51]
Nick Selby
Or it might tell people things that you don't want it to tell them, so that's a little trickier.
[20:58]
Nick Selby
The next thing is documenting and sitting down with legal, security, operations, IT, the people who are running these systems, and thinking about, like, what data is necessary for this thing.
[21:14]
Nick Selby
We can talk about least privilege all the time, right?
[21:16]
Nick Selby
But how do we know what data is really necessary?
[21:20]
Nick Selby
And how do you make the risk reward decisions?
[21:23]
Nick Selby
Because remember, when you bring this in, there's a few things that can happen with AI, and this is not anti AI.
[21:30]
Nick Selby
This is just, like, you could have an AI failure, like I was just mentioning, right?
[21:35]
Nick Selby
You could have poor information, you could have, like, inaccurate information that causes losses.
[21:42]
Nick Selby
You could have one of those crazy bots that goes nuts and starts being racist.
[21:46]
Nick Selby
And, right, there's AI failure.
[21:48]
Nick Selby
But the cyber security is rock solid.
[21:50]
Nick Selby
You could have the opposite, where the cybersecurity is a disaster and the AI stuff just works the way it's advertised.
[21:56]
Nick Selby
You could have both, right?
[21:58]
Nick Selby
You could have both benign and both malicious.
[22:00]
Nick Selby
So there's a lot to really think about.
[22:03]
Nick Selby
For me, when we talk to clients,
[22:05]
Nick Selby
it comes down to blast radius.
[22:07]
Nick Selby
What systems will it talk through?
[22:11]
Nick Selby
What data does it have access to?
[22:13]
Nick Selby
What happens when things go wrong?
[22:16]
Nick Selby
How do we know that it's doing what it's supposed to be doing?
[22:19]
Nick Selby
How do we know that, if we put into place compensating controls to mitigate risks, like data loss prevention or even just, you know, hey, there's a high-volume download out of here that we haven't seen,
[22:31]
Nick Selby
does that really work?
[22:32]
Nick Selby
How do we test that and make sure that it really works?
[22:35]
Nick Selby
We saw some failures during the Drift/Salesloft thing where some DLP systems didn't actually pick it up.
[22:42]
Nick Selby
It was clear.
[22:43]
Nick Selby
The company even said, yeah, we should have caught that.
[22:44]
Nick Selby
We didn't.
[22:45]
Nick Selby
There was something wrong.
[22:46]
Viktor Petersson
I mean, the scenario there, like I think you mentioned, you talked about one of the common ways people install these applications was just to give it full admin.
[22:55]
Viktor Petersson
Right.
[22:55]
Viktor Petersson
And they just like, cool, yeah.
[22:57]
Viktor Petersson
What could go wrong?
[23:00]
Viktor Petersson
So, like, yes, I think let's not lose track of, like, least privilege positions.
[23:07]
Viktor Petersson
Right.
[23:07]
Viktor Petersson
Like, those things seem to be, like.
[23:09]
Viktor Petersson
Because that could have mitigated quite a lot of this.
[23:11]
Viktor Petersson
Right.
[23:11]
Viktor Petersson
As well from the get go.
[23:13]
Viktor Petersson
Right.
[23:13]
Viktor Petersson
And because what you could do as admin is obviously very different from what you could do as a read-only user for, like, a subset of the data.
[23:24]
Nick Selby
But again, something like that, like read-only, is really interesting, because if you take a look at what was happening.
[23:31]
Nick Selby
So the Salesloft Drift thing was actually a nation-state or, like, a sophisticated actor attack coming through for the sole purpose of stealing credentials to get further access.
[23:44]
Nick Selby
Right.
[23:44]
Nick Selby
It was a true supply chain attack.
[23:46]
Nick Selby
And on the way, they were just downloading all the data out of connected Salesforce and Google and other implementations.
[23:54]
Nick Selby
Read-only didn't help you at all, because that's all they were doing.
[23:57]
Nick Selby
They were only reading. An even more rogue actor.
[23:59]
Viktor Petersson
They could have wiped all your Salesforce data in the process.
[24:05]
Nick Selby
Absolutely, absolutely.
[24:07]
Nick Selby
And a lot of times, when we've talked to people, we're like, you know, don't.
[24:11]
Nick Selby
You might have escaped.
[24:12]
Nick Selby
It might not have actually caused the leak of anything that you care about.
[24:15]
Nick Selby
Understand that was the attacker's choice.
[24:18]
Viktor Petersson
Right.
[24:18]
Nick Selby
You didn't do anything that prevented them, and had they asked for it, they would have gotten it, based on the level of extraordinary access that they had.
[24:27]
Nick Selby
So yeah, limiting what it's connected to, how it's connected.
[24:30]
Nick Selby
The circumstances of it putting things on.
[24:33]
Nick Selby
We love Obsidian Security, like being able to say, hey, there's a lot more coming out of there, especially if you can get it on both sides.
[24:41]
Nick Selby
Right.
[24:41]
Nick Selby
It's asking for something, it's getting something that is anomalous.
[24:44]
Nick Selby
Let's.
[24:45]
Nick Selby
Let's look at that.
[24:46]
Nick Selby
Let's alarm on that. That's kind of.
[24:48]
Viktor Petersson
Important to, like, MCPs and the things around those.
[24:52]
Viktor Petersson
I think that's kind of tangential here, but, like, the running joke is the S in MCP stands for security.
[25:01]
Viktor Petersson
Right?
[25:02]
Viktor Petersson
Yeah, that was great.
[25:05]
Viktor Petersson
Tools like that, like, what
[25:06]
Viktor Petersson
have you seen with regards to that?
[25:08]
Viktor Petersson
Like ease of use.
[25:09]
Viktor Petersson
Great.
[25:09]
Viktor Petersson
But at what cost?
[25:15]
Nick Selby
It's kind of the same thing.
[25:16]
Nick Selby
Although I think that it's a little scary that people are more likely to trust the stuff that their engineers build internally, because they can follow the bouncing ball and see where it went.
[25:26]
Nick Selby
And so we have seen a bunch of MCP-like servers, like, people forget.
[25:30]
Nick Selby
Yeah, the MCP stuff is great and it's connecting these things and wow, look at that.
[25:33]
Nick Selby
It's wicked cool.
[25:34]
Nick Selby
And it's a server.
[25:37]
Nick Selby
And when you forget things like SSO, when you forget, like, basic core security stuff, that's when people get in trouble there.
[25:47]
Nick Selby
One of our clients was suggesting, because they have a lot of this stuff, they were like, you know, we should actually take a look at having a better way to look at the traffic in both directions.
[25:57]
Nick Selby
Maybe we should make an MCP gateway that we could monitor.
[26:01]
Nick Selby
I like that.
[26:02]
Nick Selby
Right.
[26:02]
Nick Selby
Like, thinking about ways that you can keep tabs on things, just the way you keep tabs on other things within your organization.
[26:10]
Nick Selby
Like, just because it's AI doesn't mean that it's either safe or correct.
[26:16]
Viktor Petersson
Talk a bit about red teaming and AI in general.
[26:19]
Viktor Petersson
I'm curious, like, you've gone down this rabbit hole a bit, right?
[26:22]
Nick Selby
Oh yeah.
[26:23]
Viktor Petersson
Even redefining like a bit of a safety revisionism, I think you called it right.
[26:29]
Viktor Petersson
In terms of.
[26:31]
Nick Selby
All right, I didn't call it that.
[26:33]
Nick Selby
That was, that was Heidy Khlaaf and the AI Now Institute.
[26:37]
Nick Selby
But, but I agree with it totally.
[26:38]
Nick Selby
And if you.
[26:40]
Nick Selby
And we talk at 44CON, there was a lot of people talking about different ways of tricking AI systems to give you stuff that the AI system want, that the maker doesn't want you to do.
[26:51]
Nick Selby
Unfortunately, the way the, the, the AI companies.
[26:56]
Nick Selby
And there's a paper on this, I hope you'll link to it.
[26:59]
Nick Selby
And there has been this change of what the words mean.
[27:07]
Nick Selby
And the best one is red teaming.
[27:09]
Nick Selby
Right.
[27:09]
Nick Selby
It's like we think of red teaming in the information security world as, you know, you get a bunch of people together and you, you shake something until you break it and then you show them how.
[27:16]
Nick Selby
And then the blue team fixes it.
[27:18]
Nick Selby
Right.
[27:18]
Nick Selby
Or that's doing both really.
[27:21]
Nick Selby
With AI, it's like, let's run a bunch of tests to make sure that this thing won't tell you how to make an IED.
[27:27]
Nick Selby
And it sounds like.
[27:28]
Nick Selby
And when they talk about vulnerabilities, when they talk about safety, they're using it in completely different contexts.
[27:35]
Nick Selby
I talked about this at 44CON, where I asked Claude, the Anthropic LLM, right.
[27:40]
Nick Selby
I asked it to talk to me about red teaming in the Anthropic context.
[27:44]
Nick Selby
And it said, well, I really don't know anything about that.
[27:46]
Nick Selby
I'm like, wait a minute, what?
[27:48]
Nick Selby
And it sent me to their documentation and in their document.
[27:52]
Nick Selby
Exactly.
[27:52]
Nick Selby
All of this stuff.
[27:53]
Nick Selby
Right.
[27:53]
Nick Selby
And even if you get through all of the security stuff.
[27:56]
Nick Selby
So like what.
[27:56]
Nick Selby
I guess the main thing that we're warning people is don't let the words.
[28:00]
Nick Selby
Don't, don't just hear the words and assume that you know what the words mean.
[28:04]
Nick Selby
Really understand the context of how the words are being used.
[28:06]
Nick Selby
And then when, once you start looking at the real results and you've metaphor mapped it out so you understand what we're talking about.
[28:17]
Nick Selby
The other danger that we've seen is that, yeah, health and safety in this AI context really is the kind of the same thing.
[28:26]
Nick Selby
Is it going to go on racist screens?
[28:28]
Nick Selby
Is it going to try to convince you to kill yourself?
[28:31]
Nick Selby
Right.
[28:33]
Nick Selby
A lawyer who is looking at this from a procurement standpoint might think that when they see some words like health and safety that they're thinking about product liability and sort of standard terms that are used to describe the way, the things that lawyers are looking for.
[28:49]
Nick Selby
So again, we have to metaphor map on the legal side as well.
[28:53]
Viktor Petersson
And I think, yeah.
[28:54]
Nick Selby
Take nothing for granted here is really.
[28:55]
Viktor Petersson
That these safeguards are not to perfect, protect your data, they are to protect their models.
[29:02]
Nick Selby
Right.
[29:03]
Viktor Petersson
And I think that's the big thing to drive home here.
[29:06]
Nick Selby
And that.
[29:07]
Nick Selby
Well, the data inside their models and.
[29:09]
Nick Selby
Yeah, yes.
[29:11]
Nick Selby
It doesn't mean what you think it means.
[29:14]
Nick Selby
And I think it's so.
[29:15]
Viktor Petersson
Important to emphasize that because when you read, particularly you read the security notes, that it's not about you, it's about them.
[29:23]
Viktor Petersson
It's about them preventing PR disasters and preventing their models to be leaked against their competitors.
[29:30]
Nick Selby
Right.
[29:34]
Nick Selby
And I think that there's a lot of that when we hear people talking about AI security, first of all, they're talking about people who leverage AI to conduct better attacks.
[29:43]
Nick Selby
That's important that we understand that.
[29:45]
Nick Selby
And that's a really important field of study that I'm completely uninvolved with.
[29:49]
Nick Selby
And then there's the people who are saying, how could somebody steal our stuff?
[29:53]
Nick Selby
How could somebody subvert what it is that we do?
[29:55]
Nick Selby
On the, on the AI side, again, totally separate.
[29:58]
Nick Selby
I'm, I am mainly focusing on just.
[30:00]
Nick Selby
All right, with all that stuff going on, how does the average CEO, the average non-technical or somewhat technical CEO who's getting pressure to do this, what are the things that they need to think about when they're trying to implement this and at least limit or understand the downside so that they can experience better upside that you drove home.
[30:21]
Viktor Petersson
I think which is important as well, is simply find a language, right?
[30:25]
Viktor Petersson
And when you speak into these higher level decision makers that are presumably not from Tech.
[30:31]
Viktor Petersson
Org or even a CISO who might not be that technical because they are more from the policy side than the technical side, like driving home and simplifying the language is very paramount in terms of making sure you get your point across rather than acronym laden whiteboarding about.
[30:51]
Nick Selby
Oh yeah, I mean, I think one of the things threat models really help like formal threat models and risk mapping.
[31:00]
Nick Selby
And I understand that some in the threat model world don't really put too much faith in risk mapping.
[31:07]
Nick Selby
It's really, it's good visual, it helps executives understand kind of the, you know, traffic light or T shirt size of what it is that we're talking about.
[31:16]
Nick Selby
But when you are, when you are talking about identifying the threats that are tied to the implementation of a certain tool, certain piece of software that you're integrating into your systems and data, suddenly a lot of kind of theoretical stuff really comes into focus.
[31:36]
Nick Selby
We were doing one and I really liked this where it's a company that's very aggressively AI forward.
[31:42]
Nick Selby
They, they really are pushing people to find better use cases.
[31:46]
Nick Selby
And the question, there were questions around certain things that they wanted to integrate.
[31:53]
Nick Selby
And once we started going through the threats and we started going through the cost of the, of a mistake in this field, right?
[32:02]
Nick Selby
Like if you get this wrong, here's what could happen very quickly.
[32:06]
Nick Selby
And the senior executives were like okay, wait, what was the use case again?
[32:11]
Nick Selby
Why did we want to do this?
[32:13]
Nick Selby
Like, and we brought them like, and we did a really, I think fair job of saying look, it's really cool what your people want to do.
[32:21]
Nick Selby
I can understand it.
[32:22]
Nick Selby
But because of all those risks being identified and because they were high or very high, they actually started to split the difference and ask for, for mitigations.
[32:33]
Nick Selby
I am a real proponent by the way.
[32:34]
Nick Selby
If you're using ChatGPT Enterprise, they have the OpenAI compliance API and it's very, very powerful.
[32:47]
Nick Selby
But, but you can in fact go in only, it's only for enterprise customers, but you can actually write a tool to go in and take a look inside.
[32:55]
Nick Selby
You could force it to change data retention.
[32:58]
Nick Selby
You can ask it for certain types of data, certain kinds of uploads.
[33:03]
Nick Selby
You can look for patterns within the data.
[33:06]
Nick Selby
It's a really great way to test other things or to just reduce your risk of stuff that you're keeping in there.
[33:14]
Nick Selby
And again, once you've done the threat model, that should inform where you might consider mitigations that could at least act as compensating controls, at least as early warning systems that something is wrong.
[33:26]
Viktor Petersson
It's a, is a concept that I think most people in TechCard are familiar with.
[33:29]
Viktor Petersson
But when you going in there like you want to do like a rudimentary, so imagine our listeners want to do like a rudimentary threat modeling off of some service they write about.
[33:38]
Viktor Petersson
They have some, they have some buy ins from some stakeholder.
[33:40]
Viktor Petersson
They want to deploy something.
[33:42]
Viktor Petersson
How do you go about, like, how do you decide like the first like few hours of a threat modeling?
[33:46]
Viktor Petersson
Like if you want to have like a really rudimentary threat modeling model, is there any methodology you follow?
[33:51]
Viktor Petersson
How do you go about doing these threat models?
[33:57]
Nick Selby
You know, it's funny because Adam Shostack just, he made it so easy and we actually sent several of our folks to Adam's classes in Barcelona.
[34:06]
Nick Selby
And I really like that, you know, what are we working on?
[34:08]
Nick Selby
What can go wrong?
[34:09]
Nick Selby
How do we know if we did a good job like these?
[34:11]
Nick Selby
The really basic questions when you think about, it's like what is this thing connected to and what happens if that goes wrong?
[34:20]
Nick Selby
Right?
[34:20]
Nick Selby
What can go wrong?
[34:21]
Nick Selby
What are some of the things, using the STRIDE framework?
[34:25]
Nick Selby
What are some of the ways that people could do spoofing?
[34:27]
Nick Selby
What are some of the ways that people could gain access in a way that's not intended.
[34:33]
Nick Selby
And then as you think about those things, asking the team to come up with proposed mitigations along with, and I find this really important proposed mitigations and statements about the requirements to maintain those mitigations over the course of the lifetime of this thing, right?
[34:53]
Nick Selby
Because it's not like you fix it now and then it's done.
[34:55]
Nick Selby
It's, you really have to have teams looking at these things regularly and making sure that your mitigations are still working.
[35:01]
Nick Selby
Right?
[35:01]
Nick Selby
So, so there has to be ownership.
[35:03]
Viktor Petersson
And that's obviously of that.
[35:05]
Viktor Petersson
If you come from the startup world, it's very different than if you were in enterprise.
[35:09]
Viktor Petersson
We have earmarked security teams that can like dedicate all your efforts to just doing red teaming, blue teaming or whatever it might be.
[35:16]
Viktor Petersson
Right.
[35:16]
Viktor Petersson
But something like, I think it's important.
[35:19]
Nick Selby
To like yeah, I've never worked there, by the way.
[35:23]
Nick Selby
Like, I've never found that company.
[35:26]
Viktor Petersson
Whereas, whereas in Saraplan, even if you have a few hundred people, they rarely have an earmarked department for just doing this.
[35:37]
Viktor Petersson
Right?
[35:38]
Viktor Petersson
So.
[35:40]
Nick Selby
Right.
[35:40]
Nick Selby
And oh, by the way, that's why the ownership is so important.
[35:43]
Nick Selby
Right?
[35:43]
Nick Selby
Because most of the time security actually doesn't own the assets that they're trying to help defend.
[35:49]
Nick Selby
Right.
[35:49]
Nick Selby
That they need to beg, borrow and steal.
[35:52]
Nick Selby
But if they're not very explicit about the things, you know, security shouldn't be accepting risk on behalf of the business.
[35:59]
Nick Selby
They should be, they should be articulating what the risk is, proposing mitigations, but then also proposing ways to make it very clear, okay, the business wants you to do this.
[36:10]
Nick Selby
The business is saying that this is how you mitigate it.
[36:12]
Nick Selby
We think that this is the right team to do that.
[36:15]
Nick Selby
We're not telling you how to do it, we're just saying they are.
[36:17]
Nick Selby
We will audit it when they're done.
[36:19]
Nick Selby
We will create the security requirements before they start.
[36:22]
Nick Selby
But, but this isn't on the information security team because we can't make those changes.
[36:28]
Nick Selby
Right.
[36:28]
Nick Selby
And so being really explicit about that.
[36:30]
Viktor Petersson
This is so much bigger, right?
[36:31]
Viktor Petersson
Because I mean, I, to me, security is not a job function, it's a culture function.
[36:38]
Nick Selby
Right.
[36:38]
Viktor Petersson
Security must be like, it must be drawn at every level.
[36:42]
Viktor Petersson
I mean, it's not like it's not one person's responsibility to do security because that's a surefire way to fire fail at security.
[36:50]
Viktor Petersson
Right?
[36:51]
Nick Selby
And yeah, yes, by the way, there are many others.
[36:56]
Nick Selby
But yes, that is one good one, surefire.
[37:01]
Viktor Petersson
One of the things, one of my pet peeves or one of my issues I have in the industry is an over index on compliance frameworks like SOC 2 and ISO.
[37:11]
Viktor Petersson
Right.
[37:11]
Viktor Petersson
And yeah, it's just like, oh God, yes.
[37:15]
Viktor Petersson
I'm sure we've both seen so many spectacular failures when it comes to common sense security conducted by companies that have all these badges, right.
[37:24]
Viktor Petersson
And they're like, cool.
[37:26]
Viktor Petersson
How did this happen?
[37:27]
Viktor Petersson
Oh, well, it happened because most of these frameworks are documentation exercises, not actually really cultural changes in the complex.
[37:34]
Nick Selby
Right.
[37:37]
Nick Selby
I mean, documentation is important.
[37:41]
Nick Selby
But yeah, no, and we agree, like, it's just that it's not everything.
[37:46]
Nick Selby
And it is very possible to get a SOC 2.
[37:50]
Nick Selby
And with judicious setting of scope and depth, you can end up putting lipstick on a pig.
[38:00]
Nick Selby
You really can.
[38:01]
Nick Selby
I mean, I do think that part of the problem is the way, the way we conduct third party risk is still, you know, not very good.
[38:11]
Nick Selby
And based on the spreadsheet rodeo and it's been like that for years.
[38:16]
Nick Selby
We now that we start to see.
[38:19]
Nick Selby
What I really like is the trust centers that we're starting to see with vendors like Vanta, SecurityPal.
[38:24]
Nick Selby
Like vendors who are giving better visibility into.
[38:28]
Nick Selby
Right?
[38:28]
Nick Selby
Here's our documentation, you can download it.
[38:30]
Nick Selby
Here's our policies, you can download that.
[38:32]
Nick Selby
Here's a real time look at what our company is doing right now.
[38:35]
Nick Selby
If you take a look at the trust center for Sublime Security, right.
[38:38]
Nick Selby
I think it's Trust, Sublime Security and it's really nice because you can start to get a sense of what it is that they're saying that they have, which is great because now you can ask the questions that are left out without having just to look at a spreadsheet.
[38:51]
Viktor Petersson
I wrote a blog post a few weeks ago about.
[38:54]
Viktor Petersson
So at Screenly, my company, we do signage.
[38:57]
Viktor Petersson
Right.
[38:57]
Viktor Petersson
And, and my, the op ed piece there was about signage players being completely out of scope.
[39:05]
Viktor Petersson
So like all these guys, they are SOC 2, ISO compliant competitors.
[39:11]
Viktor Petersson
But then you actually start to poke a bit on that and it's like wait, you're running an EOL Android device and you're still compliant and this is when you realize like wait, this is.
[39:23]
Viktor Petersson
Well that's where you realize it's out of scope.
[39:24]
Viktor Petersson
Right?
[39:27]
Nick Selby
SOC 2 is.
[39:28]
Nick Selby
SOC 2 is basically judging you against your own policies.
[39:31]
Nick Selby
Right.
[39:31]
Nick Selby
And so you can have a dumb policy and if you're compliant, you're good.
[39:35]
Viktor Petersson
It's really IoT.
[39:38]
Viktor Petersson
It doesn't actually include IoT devices.
[39:40]
Nick Selby
Right.
[39:41]
Viktor Petersson
So you could be like an IoT vendor.
[39:42]
Viktor Petersson
And this thing, the thing that you sell is not in scope for the compliance framework.
[39:48]
Nick Selby
Yeah, right.
[39:50]
Nick Selby
You're talking about your corporate network is very nice and serenely secure.
[39:54]
Nick Selby
Right.
[39:54]
Nick Selby
But, but this thing that we just sold you that you.
[39:58]
Viktor Petersson
Know, why are we indexing so much on like security tick box.
[40:02]
Viktor Petersson
But actually it's a culture thing inside the company.
[40:05]
Viktor Petersson
Do we actually care about this stuff?
[40:07]
Viktor Petersson
Right.
[40:07]
Viktor Petersson
And with me that's so important.
[40:08]
Viktor Petersson
Important.
[40:09]
Viktor Petersson
Right.
[40:12]
Viktor Petersson
Yeah.
[40:13]
Nick Selby
But I'm sorry, I just want to add one thing.
[40:14]
Nick Selby
Like you can tell the companies that really care about this.
[40:19]
Nick Selby
I mean when you run across them.
[40:21]
Nick Selby
I just, I just mentioned Sublime, by the way.
[40:23]
Nick Selby
I should mention I, I never ever get referral fees.
[40:26]
Nick Selby
I'm not like, I'm not.
[40:27]
Nick Selby
I, I've mentioned a couple of product names I, I've never get referral fees.
[40:32]
Nick Selby
It's something that I've never done.
[40:34]
Nick Selby
So when I say it's just because I think it's good when you talk to a company that's truly squared away and you take a look at what it is that they do.
[40:44]
Nick Selby
The risks are, the risks are there.
[40:46]
Nick Selby
The impact of the risk is still as high as it would be.
[40:49]
Nick Selby
Right.
[40:49]
Nick Selby
But the likelihood is just continually reduced based on the program that they have.
[40:56]
Nick Selby
And it becomes easier to see once you've asked the right questions, not just give me your SOC 2.
[41:02]
Viktor Petersson
You are an American who relocated to Europe.
[41:04]
Viktor Petersson
So now that you are based in Europe, you have probably been a lot more exposed to CRA, which is on the horizon.
[41:12]
Viktor Petersson
Speaking about holding vendors kind of accountable to what they're actually selling, what's your take on this?
[41:21]
Viktor Petersson
How do you see this shaping the industry?
[41:26]
Nick Selby
I think it's always really hard to do when you've got well intentioned regulators or industry bosses, bodies that are trying to force a cultural change, force a business change.
[41:38]
Nick Selby
Right.
[41:38]
Nick Selby
And the kind of resentment that is, I always.
[41:43]
Nick Selby
Well, the resentment that comes across because it's seen as yet another one of these dumb frameworks that cost me money and time.
[41:51]
Nick Selby
It doesn't give me any business value at all.
[41:53]
Viktor Petersson
Right.
[41:53]
Nick Selby
And I'm going to sort of do the least and the least possible to get through.
[41:59]
Nick Selby
Years and years ago, Josh Corman was saying that like it was expected to be the ceiling, but it's the floor.
[42:05]
Nick Selby
Or sorry, it was supposed to be the floor, now it's the ceiling.
[42:08]
Nick Selby
Yeah, thanks.
[42:11]
Nick Selby
And so all of.
[42:12]
Nick Selby
I think that we're going in the right direction.
[42:15]
Nick Selby
It's just we've got to find the right incentive mix to make it so that people understand that this is better.
[42:22]
Nick Selby
Again, there's a number of different articles out there right now about this very thing and Chris Swan just did a very good webinar about this.
[42:33]
Viktor Petersson
For me, this really comes down to that security is a market failure.
[42:39]
Viktor Petersson
There is.
[42:40]
Viktor Petersson
If you, if you think about it, there is absolutely no incentive from a commercial perspective for a vendor to care about security because generally speaking that will not help their business.
[42:51]
Viktor Petersson
Right.
[42:51]
Viktor Petersson
So this is why we saw regulation in California for IoT many years ago coming through.
[42:57]
Viktor Petersson
Right.
[42:57]
Viktor Petersson
But generally speaking, I'm not a fan of heavy handed regulation.
[43:02]
Viktor Petersson
However, I'm a big fan of, maybe there are issues with CRA, but the gist of CRA, I'm a big fan of, because without this it will never change.
[43:13]
Nick Selby
Yeah, we need change.
[43:18]
Nick Selby
I mean even I think GDPR drives many people crazy on the consumer and on the producer side, it's just, it's very complex and there's so many ways to go wrong and when you get it wrong it's just really a beating.
[43:32]
Nick Selby
And if you look at all the goals of it was incredibly laudable.
[43:35]
Nick Selby
It is, it's really around the human right of controlling your data.
[43:41]
Nick Selby
How do you do that correctly out of the gate?
[43:43]
Nick Selby
You know, what is it, six years in, eight years in?
[43:46]
Nick Selby
It's, they're not doing so badly.
[43:48]
Nick Selby
If we could reduce some of the.
[43:49]
Viktor Petersson
If we could only remove the cookie.
[43:50]
Nick Selby
Cuts, some of the, remove the cookie.
[43:52]
Viktor Petersson
Butter, then we repeat a good law.
[43:57]
Nick Selby
Yeah, well, it's not even the cookie banners.
[43:59]
Nick Selby
It's like, you know, I do like, for example, I like the idea that you've got a set number of hours once you determine that you've got a data breach to figure it out and let people know that they could be in danger.
[44:11]
Nick Selby
I like that.
[44:12]
Nick Selby
I've never heard of them not extending, you know, if you go to the commissions and say like hey, we just had a breach, we're trying to get our arms around this, we're not going to have it done.
[44:22]
Nick Selby
I'll, you know, I will update you in 24 hours about what our progress is.
[44:26]
Nick Selby
We're going to do this as fast as possible.
[44:28]
Nick Selby
They're like, yeah, that's fine, that's consistent.
[44:31]
Nick Selby
And so I kind of, I wish it could be simplified.
[44:35]
Nick Selby
And I mean the fast tracked a little bit because it's also, by the way, ask a lawyer and a business person and an operations technology person to sit there and talk about is X PII covered by GDPR.
[44:49]
Nick Selby
You'll get five different answers and then they'll start arguing because it's just, it's really hard.
[44:57]
Viktor Petersson
Right?
[44:58]
Nick Selby
There you go.
[45:00]
Nick Selby
An obfuscated IP address.
[45:01]
Nick Selby
Well, what's the business use case?
[45:03]
Nick Selby
Oh God.
[45:03]
Nick Selby
All right.
[45:04]
Viktor Petersson
I mean for me there are some good things.
[45:09]
Viktor Petersson
We all see how, what the dot when the dust settles, how CRA will help us.
[45:15]
Viktor Petersson
But I mean for me there's a big focus on SBOMs in CRA.
[45:19]
Viktor Petersson
Right.
[45:19]
Viktor Petersson
And that's one of the things that I am a big proponent of.
[45:23]
Viktor Petersson
Not because I think SBOMs are exciting per se, but they're a litmus test if you know what you're doing as a supply chain provider.
[45:33]
Nick Selby
I mean I'm so happy that you say that because yes it is.
[45:37]
Nick Selby
And it's funny because like when I ask for an SBOM and it's not often but when I'll, when I say to a vendor like I need to see your SBOM, we've just started negotiating at that moment because the time it takes you to turn around and give it to me is something that I notice and it is very clear the people who can push a button and say here versus oh, okay, I'm going to get back to you after I have five stand ups and get all the different teams together and you know, we're going to cobble it together and maybe see if GitHub can help us out.
[46:03]
Viktor Petersson
It's not even like yeah, we all know that people have been spawn well for a while.
[46:07]
Viktor Petersson
We like the quality will vary but the fact that you can at least generate something speaks volumes about your supply chain.
[46:16]
Viktor Petersson
Because if you cannot, that should be a very big red flag.
[46:22]
Nick Selby
I mean.
[46:25]
Nick Selby
And, and we're having conversations about this around sell side and buy side due diligence.
[46:33]
Nick Selby
It always surprises me that this doesn't come up like it seems to be sort of tacked on to the end of.
[46:38]
Viktor Petersson
Yeah.
[46:39]
Nick Selby
Of due diligence conversations.
[46:40]
Nick Selby
Right.
[46:40]
Nick Selby
But there's a lot of rich, it's a target rich environment to go into a company that wants to be acquired and start looking at the way they do things and how much will it cost to do this in the same way.
[46:57]
Nick Selby
And it's a very important thing.
[47:01]
Nick Selby
I can't, I can't say that it's taken off and, and we see much more of that.
[47:06]
Nick Selby
I really can't in terms of, in you know, acquisition due diligence.
[47:10]
Nick Selby
But I mean I know it's like.
[47:12]
Viktor Petersson
I've been in acquisition discussions where SBOMs have been part of that question.
[47:16]
Viktor Petersson
So that it is happening, right?
[47:18]
Viktor Petersson
Yeah.
[47:19]
Nick Selby
Oh yeah.
[47:23]
Nick Selby
I was actually speaking a little bit beyond SBOM.
[47:26]
Nick Selby
Like and especially when you start getting into like what's your secret sauce?
[47:30]
Nick Selby
What's the, what's the thing that you do that's most important?
[47:34]
Nick Selby
Like let's dig into how you are delivering that and let's you know, walk me through your entire CI.
[47:41]
Nick Selby
Those kinds of questions are really quite excited about.
[47:44]
Viktor Petersson
Getting more and more excited about this is on the procurement side and using SBOMs for the procurement side of things in terms of like third-party management platforms been around for ages.
[47:55]
Viktor Petersson
And anybody who had the unfortunate luck to sit and work with any of them know that they are a pain in the ass to work with.
[48:03]
Viktor Petersson
All of the ones I've been exposed to, worked with, and they're essentially glorified Google forms.
[48:08]
Viktor Petersson
Right?
[48:09]
Viktor Petersson
Most of them.
[48:10]
Viktor Petersson
And nice of this stuff.
[48:13]
Viktor Petersson
Well, not a lot of it could probably be automated with just SBOMs, which is kind of a big part of it at least.
[48:22]
Nick Selby
Yeah, you're reminding me of this is orthogonal to that.
[48:26]
Nick Selby
But, but one of the biggest things that I am a proponent of, every CISO I know has suffered from this, including me, third party risk management inside an organization, you know, there's kind of a predictable life cycle.
[48:42]
Nick Selby
It's like somebody wants to get something.
[48:44]
Nick Selby
They get, you know, Gartner reports and in flight magazines and they, you know, they make their list of five and then they come down to a list of three.
[48:52]
Nick Selby
Then they get to the part of a list of two and they want to do a bake off.
[48:55]
Nick Selby
And at that point is when people start to get a little bit serious about it.
[48:59]
Nick Selby
And by the time the security team is read into this, the decision's really already been made.
[49:06]
Nick Selby
The business decision of this is the tool that we want has really already been made without the benefit of that for the procurement side.
[49:13]
Nick Selby
So I think that that's key.
[49:14]
Nick Selby
And also on the like, if you are talking to your customer and your customer is sending you that spreadsheet from hell, this is the biggest burden I think, to, to CISOs.
[49:29]
Nick Selby
You typically get a spreadsheet with, you know, 80 to 300 questions and probably 30% of them are actually hardcore information security questions.
[49:39]
Nick Selby
And a lot of them are engineering questions, operations questions, SRE questions.
[49:43]
Nick Selby
They're, they're, how do you put stuff together?
[49:45]
Nick Selby
But most companies throw this at the CISO organization because, oh, it's security.
[49:51]
Nick Selby
There's stuff in there about firewalls, so it must be you.
[49:53]
Nick Selby
And so you end up with your team spending, you know, all this time getting training and getting experience and then they become spreadsheet jockeys.
[50:03]
Nick Selby
And if you do the analysis of the pipeline that they're unlocking and the kind of the work that goes into it, they're spending an awful lot of their time doing that.
[50:14]
Nick Selby
I have encouraged CISOs to bump that out to the sales organization.
[50:19]
Nick Selby
That's a sales process, that's a sales supporting thing.
[50:23]
Viktor Petersson
It's not information compliance tool now called Valve and actually one of the cool things they do and one of the reasons why we got really kind of hooked on it was they obviously host all your compliance documents, so your SOC 2, ISO, Fed, like, or whatever it may be, right.
[50:38]
Viktor Petersson
So they have all those documents but then they have a really cool thing which is like when you get that dump of 300 questions they have a tool that allows you to enter the question, answer the question based on your documents.
[50:52]
Nick Selby
I've heard this threatened before by other vendors and they've never actually shown me it working.
[50:57]
Nick Selby
If you know of it, if Valve is doing it, I am.
[51:00]
Nick Selby
Yet let me know.
[51:00]
Nick Selby
I want to check it out because.
[51:01]
Viktor Petersson
Because we're still in the process of migrating to them.
[51:07]
Viktor Petersson
Yes that's from our.
[51:08]
Viktor Petersson
Like they cannot do this.
[51:10]
Nick Selby
Yeah, Vanta cannot do this.
[51:13]
Nick Selby
But what Vanta can do is make it super simple for again I'm not, I don't get any money from Vanta.
[51:18]
Nick Selby
But, but Vanta and Vanta like things right?
[51:21]
Nick Selby
You know, suck stuff out of osquery, put it into a database, mix it up with the questions that it's supposed to be tied to.
[51:26]
Nick Selby
Give it to somebody.
[51:27]
Nick Selby
Right.
[51:27]
Nick Selby
They're really cool.
[51:30]
Nick Selby
If you've, if you've got that your trust center can take care of all of the sort of low level customers here.
[51:37]
Nick Selby
All the answers to your questions that are reasonably asked are right there.
[51:40]
Nick Selby
If you're, most of the time during audit that's when it's really valuable.
[51:44]
Nick Selby
Instead of having to run around begging people please sir, may I have a screenshot?
[51:47]
Nick Selby
You just give your auditors, don't give me the login and they can go and check the information that they want.
[51:53]
Nick Selby
Yes, screenshots.
[51:55]
Viktor Petersson
Yeah, because that can so easily be faked.
[51:59]
Viktor Petersson
Yeah.
[52:00]
Nick Selby
I'm holding up today's newspaper and here's the like but like, and the, the one thing that I really thought was cool in the Vanta trust center is that if you go out of compliance it's not going to turn the thing red, it's just going to take it off.
[52:12]
Nick Selby
It's just going to take it off the list until you fix it.
[52:15]
Nick Selby
Now you'll get a message on the back end but customers coming in, they won't see that, you know, all of your machines are running EDR and like they won't see that.
[52:23]
Nick Selby
It'll just be.
[52:24]
Nick Selby
And then they have to ask it.
[52:25]
Nick Selby
So you have a good incentive to get it fixed fast.
[52:27]
Nick Selby
Otherwise you're going to have to be answering those questions.
[52:29]
Viktor Petersson
I mean the security sensors, they are becoming the norm and I don't think it's a bad thing.
[52:32]
Viktor Petersson
I think it's actually the putting that as a sales tool is actually really powerful.
[52:36]
Viktor Petersson
And I think we are at a pivotal moment in the software industry where we are starting to see the right questions being asked, and that was not the case.
[52:45]
Viktor Petersson
Maybe it was the case for the more sophisticated enterprise buyers, but now it's like moving its way into the mid market and even lower than that.
[52:53]
Viktor Petersson
I think that's a really good change.
[52:58]
Nick Selby
But, and it's something that you said, right?
[52:59]
Nick Selby
It's like you're buying an IoT device.
[53:02]
Nick Selby
Security is this big mystery and it really shouldn't be.
[53:06]
Nick Selby
Right.
[53:06]
Nick Selby
Security should be an expectation.
[53:08]
Nick Selby
If you believe that security should be an expectation, then these trust centers that we're talking about and that ability for a customer to see exactly what's inside the tin, they're super important and they are sales functions and they should be intimately integrated with the sales overlaying.
[53:26]
Viktor Petersson
Lifestyle security as a culture that spans sales and engineering.
[53:31]
Nick Selby
Right?
[53:34]
Nick Selby
And if you can show that like, look, we do care about it.
[53:37]
Nick Selby
Here's how much we care about it.
[53:39]
Nick Selby
We knew that you'd ask that and here's the answers in plain English with color coding.
[53:45]
Nick Selby
And I mean that is, I think that's a real advance and now we just have to make it more ubiquitous.
[53:51]
Viktor Petersson
Nick, we're almost running out of time here.
[53:53]
Viktor Petersson
Before we wrap up today, I do want all your time limits today and is there anything you want to shout out about things where people learn more about you or things you are excited about that you want to share with the viewers before you wrap up today?
[54:08]
Nick Selby
I mean, you and I have talked a little bit about security communications, breach communications, and we work closely with Melanie Ensign and I just love the way she frames the world.
[54:20]
Nick Selby
And recently we've had a couple of, let's just say less than overly disclosing posts about things when you don't disclose the details of how something happened.
[54:37]
Nick Selby
Right.
[54:37]
Nick Selby
And I think you and I talked about this like there is a big difference for me as a user of your product to know that you know a rogue privileged insider who was very upset about something, you know, stole some credentials and did something.
[54:50]
Nick Selby
Right.
[54:50]
Nick Selby
It's not a great look, but at least that's a little bit different in terms of how I'm thinking of whether this truly affects me.
[54:57]
Nick Selby
Than there were all these vulnerabilities and total strangers came in over the public Internet and popped them open and stole everything that they had.
[55:04]
Nick Selby
And then they went on and knocked out.
[55:06]
Nick Selby
Right.
[55:06]
Nick Selby
So now what if you're not telling me exactly how these people got in, exactly the scope of the damage, exactly what they did.
[55:13]
Nick Selby
Like, don't just say they took secrets.
[55:15]
Nick Selby
Why were there.
[55:16]
Nick Selby
Yet there were hard-coded secrets in our source code that we hadn't done.
[55:19]
Nick Selby
Part of our incident response is that we are fixing them.
[55:22]
Nick Selby
We've hired these people.
[55:23]
Nick Selby
We're using, you know, TruffleHog.
[55:25]
Nick Selby
And like you get the chance to say it.
[55:27]
Nick Selby
When you don't do that, then people are forced to go elsewhere for their information about you.
[55:35]
Nick Selby
And we've seen this.
[55:36]
Nick Selby
I was mentioning Salesloft and their disclosure, right.
[55:39]
Nick Selby
The Cloudflare disclosure about the Salesloft breach was better and more helpful to me as a user than the Salesloft site itself.
[55:51]
Nick Selby
And so suddenly they have abdicated and let somebody else take control of their incident.
[55:58]
Nick Selby
That's not where you want to be as a company.
[56:02]
Nick Selby
You want to be helping your customers.
[56:03]
Nick Selby
And so we really recommend strongly that you consider when your lawyer says.
[56:10]
Nick Selby
We only say the very minimum.
[56:12]
Nick Selby
Right.
[56:12]
Nick Selby
If all you're worrying about is being sued, you're going to get sued anyway and all this stuff is going to come out in discovery.
[56:18]
Nick Selby
But if you put it forth in the name of being helpful to your customer so that they can defend themselves against something that you had happen to you.
[56:26]
Viktor Petersson
Yeah.
[56:26]
Nick Selby
Now they look at you as a partner.
[56:29]
Nick Selby
So I think that's really important.
[56:31]
Viktor Petersson
The same thing called Cloudflare certainly do.
[56:34]
Viktor Petersson
Salesloft probably didn't.
[56:37]
Viktor Petersson
So.
[56:39]
Nick Selby
Yeah, probably right.
[56:41]
Viktor Petersson
Thank you so much for coming on the show, Nick.
[56:43]
Viktor Petersson
Really appreciate it.
[56:44]
Viktor Petersson
And maybe back for a second episode at some point in the future.
[56:49]
Nick Selby
Thanks so much, Viktor.
[56:50]
Nick Selby
I really appreciate it.
[56:50]
Nick Selby
It was a lot of fun.