104. The next frontier of cyber controls with Marc Bown


The first episode for this season we welcome Marc Bown the CISO and Enterprise Technology lead at Immutable, a web3 gaming scale up.  Claire and Marc discuss the culture versus tech debate, exactly what web3 gaming is, and Marc shared his thoughts on what we as a security industry are still trying to get right. 

Prior to Immutable, Marc helped found the security teams at Sportsbet, Fitbit and Afterpay. Passionate about building empowered, high-performing teams, he believes that good security is as much about culture as it is technology.

The Security Collective podcast is proudly brought to you in partnership with LastPass, the leading password manager.


Transcript

CP: Hello, and welcome to The Security Collective podcast. I'm Claire Pales. And today's guest is Marc Bown. Marc is the CISO and enterprise technology lead at Immutable, a web three gaming scale up. Prior to Immutable Marc helped to found the security teams at Sportsbet, Fitbit and Afterpay. He is passionate about building empowered, high performance teams and believes that security is as much about culture as it is about technology. Given this belief, it won't surprise you that Marc and I discussed the culture versus tech debate, I asked him exactly what web three gaming is. And Marc shared his thoughts on what we as a security industry are still trying to get right. I've often caught up with Marc and we discussed everything from security strategy to staffing, so I thought it was about time I asked him to come on the podcast and share some of his wisdom with you. So without further ado, please welcome Marc Bown. So Marc, it's great to have you joining me on The Security Collective podcast today.

MB: Thanks for having me.

CP: So the audience has heard in your bio, and I'm sure they're keen to understand a bit more like I am what is a web three gaming scale up? And how on earth do you secure it?

MB: A great question. So Immutable is two things actually. One side, there's the Immutable platform. And the other side, there's the Immutable studio. You can think of the studio as our first customer, we make games in the studio, using the technology that the platform creates. The platform is a way to facilitate in game purchases. And it's using the technology of NFT's or in cryptocurrency in order to facilitate that. And the ultimate goal of the company is to enable digital asset ownership in games. Right now, when you buy something in a game, you sort of have a licence to it, it stays in that game, you can't trade it out of the game in many cases, so you don't really own the asset. Immutable is about making it really simple for people to own those digital assets and make it really simple for game publishers to build marketplaces and ecosystems around their games. As to how to secure it, that's a work in progress. You know, like a lot of start-ups are doing something totally new. So we've got to invent some of the security practices ourselves. And that's part of what attracted me to the job. I'm super lucky there's a bunch of incredible people there, they're deeply technical, very smart really know the space. To have made a bunch of smart choices already. And that's one of the good things I'm doing in inverted quotes for the listener, about web3 is that mistakes tend to be punished pretty quickly. We've all read myriad stories about crypto heists and things going wrong in that space. So people in this space tend to be pretty clued in about security and certainly really motivated to do security right. And so I'm lucky to be sort of riding on the backs of giants, in terms of the co-founders of the company already been really aware of some of the things they need to do in this area. But in terms of how to secure it, I've got a hypothesis, I think there's going to be a few things that are important for web three gaming. The first thing is that we're a company, and we got to do all the same stuff that other companies do. So you know, have email security and make sure people's laptops are safe. And you know, generic garden variety, organisational security. Second thing is that we're a product. And so we have to do all the things that product companies do, we've got to make sure that our web apps are safe and our servers don't leak information, and you know, traditional garden variety product security, for whatever that way of putting it. But the third part is, product relies on new technologies like blockchain. And so that's a part where we're different, and where we're going to have to spend time and learn things and focus on what's unique about that piece of the product. Our industry is also new and full of early adopters. And those people tend to be pretty tech savvy and able to look after themselves. But if we're successful, then we're going to bring a whole bunch of people into the ecosystem that have no idea how to secure themselves. And so that's another thing I'm really excited about. I think we've got an opportunity to take an industry leadership position there. Think about how mass adoption is going to change security, the security landscape, and try to out of the get go, set a good precedent for how you design a user login flow for a game that isn't easily phishable, as an example. So those are the things I think that'll be important, like taking the industry leadership position, thinking about how for instance are they going to work, designing some of those things out, doing the basics right in enterprise security and product security, and then sprinkling in those new technologies and understanding what's unique about them and adapting accordingly.

CP: Just like that! Doesn't sound challenging at all, Marc.

MB: I'm not going to be bored anytime soon! 

CP: You are definitely one of those rare birds, who is deeply technical, but you can also handle yourself in front of a board, you write great comms, you attract strong talent. And we've seen that through the teams that you've built in your previous organisations. And I'm not expecting you here to recount your career history, it's not a job interview. But how did you end up here, because I've known you for a while. So your early career, you're leading pen testing and AppSec, what's driven you to want to be a CISO and eventually lead tech as well?

MB: I think it's mostly an accident. I can can't claim any actual design to my career. I think I've been really lucky at most turns and been near smart people that have given me good opportunities. And I think that luck also has come in the form of in each role that I've taken, it's sort of given me a chance to do something adjacent to things I've done in the past. For example, I worked for a UK consulting company called Seven Safe, and they hired me to do AppSec. But I sat next to the team that did forensics, computer forensics. And I realised that some of the scripting skills we were using on the offensive side were really useful on the forensic side as well. And so before I knew it, I was doing more Incident Response work than I was doing AppSec work, and ended up leading that practice. So, you know, it was an example where I just through lack of being in the right room, I ended up learning a new set of set of skills from a technology perspective. And I think like, almost all of those learnings have happened just by accident. I think the exception to that is you asked about technology in general, when I was at Afterpay, I argued to start to take on work in our ET team, our enterprise technology team. And I felt like there was a few reasons for that. One was there's great economies of scale, I think increasingly, we're seeing CISOs running IT teams as well. As IT work becomes more commoditised security becomes a bigger portion of that work. And so having one leader driving those two teams in the same direction, I think is really beneficial for the organisation. So I felt like it was good for the company, as I had a hunch that I'd be good at it. Like I really liked technology. You mentioned comms, I think technology is about enabling people to work together in most workplaces. And those are two things I like figuring out, so that was pretty interesting to me. But the third part was this was a career decision in that I was already a CISO. I felt like I had reached a really big and desirable job, and I wasn't sure what I would do next. And my hypothesis was, maybe technology leadership in general will be something that's interesting to me, because I do love tech, and I've got good experience in it. So yeah, that was a decision where I thought, let's try and get that role that should expand the things I know about, let's get some experience in a company that I'm already familiar with in an adjacent kind of area. And maybe my future is more in technology leadership in general, rather than security leadership specifically.

CP: Which I think is quite interesting because having worked with lots of CIOs over the last six years or so, many CIOs I meet, find cyber to be a bit of a black box. And you know, if they're hiring a security leader, often they won't necessarily have been able to do the CISO role or you know, they might caretaker or they might be accountable for the risk, but they don't have the deep security skills that they need in a CSO. Interestingly, on the flip side of that, you as CISO with a very deep technical background, you would think do have the ability to run a tech team. And I think that's a quite an interesting thought around, you know, should we be seeing more security leaders applying for CIO roles? Do you think that that's a thing?

MB: I think it's starting to be a thing. So we catch up as CISOs, from time to time, and a lot of your guests are folks that I know from the industry and we chat and compare notes. And there was a survey, I think it was from Hitch Partners in the US last year, their salary survey, and they said that 20% of the CISOs they surveyed also had accountability for IT. And so that was an emerging trend, where more of them had IT accountability. And there's been a couple examples recently, where folks have been promoted from CISO to CIO, like EA, the games company in the US has recently promoted their CISO to become the CIO. So I think that's a path that's getting to be tried. Yeah, let's watch that space 

CP: Yeah, I love that idea. Because I feel like a CIO, who has a great security background, being accountable for cyber risk, and yeah, being able to run the tech team. I just I think there's a really great opportunity there, as you said, not only for economies of scale, but also for influence. I think there's a huge opportunity there to work at the C-level, and have both those things. There would be people who would argue that there's a conflict of interest between the two, do you have an opinion on that?

MB: I should be really clear that my world is start-up world. And so there are conflict of interests everywhere. Everyone's wearing 10 hats, right. So yeah, maybe in a bank, maybe there that's undesirable, and you have to think about segmentation of duties. In my world, it seems like mostly upside. I also tend to be a bit of a pragmatist. And so I would tend to focus more on like, what's the thing that's most likely to get the right outcomes. When you've got one leader who's cares about both and is really focused on setting up incentive structures where both things win, you're more likely to succeed. Whereas if you're taking maybe a compliance focus were like, Okay, well like how do we design out these sort of problems? And maybe you're less likely to win, the incentives might not run the right way.

CP: You've only recently taken on this role leading security and tech at Immutable. And I'm, I'm keen to understand what have the first few months looked like for you? And where have you started? Because you just mentioned then you know, how around prioritisation, when you first got into this role was it kind of a through a security lens or through a tech lens, where did you start?

MB: There's a few key themes of work I've been doing. The most important part I think, for security leaders and the lesson I taught myself here was, you need to get to know the people you're working with. And you really need to start to build trust. You have to teach the business that they've hired the right person, and that they're building the right team. You have to get licenced to go and do all the things you know, you need to do. So for me that took the form of meeting all the other executives, getting to know what the business's goals are getting to know what their individual goals are getting to know what projects they're working on. Not even talking about security initially, but talking about what they're focused on and understanding what motivates them. It's only after you understand that, you can start to design a message and start to prioritise and start to understand how you're going to get things done and what things you need to get done. At the same time I start to focus on just getting visibility into what assets they have, what resources they have. Think about what security controls are already in place, what ones might need augmenting. Also start to think about a team that can solve the problems or identifying would look like because hiring is a key part of the solution to these things as well. So starting that process of hiring, starting the process of all design. After getting permission basically, winning the headcount you need within the budget you need, coming out with a project plan, getting commission from folks, then it's time to start treating risks. I mentioned before, like luckily for me, there's a bunch of smart people already, so a lot of work has already been done. But in terms of privatisation, I've taken the approach of focusing first on, I want to find a better way to say this, but like generic issues. Like things that are going to get us hacked, just because we're on the internet, not things are going to get attacked because of the specific company we are. But just because we have computers, we're on the internet. So really like zooming out and focusing on if there's a worm tomorrow, is it going to affect us . As the next step focusing on okay, let's say someone decided to come after us, what specifically can they do about us in order to attack us? So that was the order of operations, because I've taken more of a likelihood lens, like what's the thing that's most likely to catch us up front, let's focus on those first, try and make it real. As a few examples, in the first couple of months, we've been working on moving from one time password based multi factor authentication, so rotating codes or push notifications to phishing resistant MFA in the form of UB keys and Fido to authenticators. Uplifting an endpoint security through improved EDR and extra monitoring around patching. They're all things where controls are in place, but we can take it to that next step. And really reduce the likelihood of a common kind of attack like phishing or like malware on our systems. So TLDR it, getting permission and understanding what motivates people and thinking about how I'm going to achieve what I think the company needs to achieve.

CP: I really love that getting permission idea because I think it wraps up with what you said at the start around building trust. And it's so key to find out what the other leaders in the business are doing and what they're facing. And rather than just talking at them about security, you know, asking them questions, and getting them talking about what's going on for them is the quickest way for you to learn about what's going on in the organisation. And even in a young organisation, there are still bodies buried. You still need to have those conversations and build that trust, so that when you do want to make change, as you said, you've kind of got that permission already tick boxed and the people are there sort of supporting you all the way.

MB: I think that some people would say no, you don't need to get permission, like you're the expert, you should be telling them what to do. And it should be clear, like, I'm telling them what to do. But what I'm really doing first is figuring out what messages they're going to be susceptible to. Like, if I go and say we need to do hardware based multi factor authentication tomorrow, like is that going to be good news or bad news to them? And if it's bad news, how do I soften the blow? Or how do I convince them that it's right? So permission is really about like the sales pitch, it's figuring out what we need to do, and then making sure that there's going to be a clear path for it to get done.

CP: And you feel like those conversations that you're having early on, help you to establish in your own mind what the culture is like and what sort of cultural norms there are and what cultural brick walls you might come up against.

MB: Absolutely, yeah. One of the questions I asked a few of the executives was, how do I get stuff done here? Because I think that's a really important cultural norm. Like, do you just do it? Do you communicate a lot about what you're doing and then do it anyway? Do you ask people's permission and then do it? Like understanding which people on staff are considered effective and how they work, I think is a really useful cultural thing to learn because then you can go and mimic those people.

CP: Yeah, and you'll often see when I've asked that question of clients before you often hear you have to go through set and such or, you know, like, there's this one or two people in the organisation that are kind of the go to conduits through which if you build a relationship with them, everything becomes easier.

MB: Yeah. Or they'll say, h, if this executive is supporting it, it'll get done. Or if it's on this roadmap, it'll get done. Fortunately, Immutable, really, like they've really spent time thinking about how to get work done. And they've really encouraged people to self select, in a way, like, they know what the top level goals are, focus on the things that are important. And so far I'd say, like the appetite to get stuff done has been great.

CP: I want to ask a couple more questions about that. Because you've, you've been fortunate enough to live overseas and work overseas. And so culture comes in so many different forms that can be within an organisation and also at a country level. And I know from being an expert too that leading security and other cultures can really require a bit of a mindset shift. And no matter how many people you meet in the organisation, you still kind of come up against some of these challenges. What was it like for you, you know, a few jobs ago, when you were working in America? Was the culture around security, similar to what you'd experienced in Australia? And I guess now you're back, how do you compute that, I guess, in your own mind that in different organisations, in different countries, and working for global companies, like Afterpay as well. How do you get through those cultural challenges that you come up against when you're both an expat and/or working for a global company?

MB: I think actually, you could probably speak to this more than me. I think a lot of the places I've worked, I've selected because of the culture. And so it's a culture I know I can get things done in. And they've mostly been start-up companies, they've mostly been western, although maybe they have a couple of teams that are in places that we wouldn't consider part of the West. But really, within those cultures, I found that people tend to bias towards action. They tend to be companies where if you explain why you want to do something, people will think about whether they want to buy into it, and then they'll do it if it makes sense. I think compare that to maybe some of the cultures you've worked in, where the why is less important, the what is more important. And then what happens if I don't do this, is more important. So yeah, I actually feel less qualified to talk about this, then I suspect you. And I also feel like I've really biased towards companies that are in that sort of start-up mode, where people are really incentivised to move quickly with it. They're heavily incentivised to try and make the company successful, which probably changes the approach.

CP: Given that Afterpay was founded in Australia, but you're working for them both here but also in the States. Do you think the country that the organisation is founded in has any impact? Because when I talk to people in the US and the UK, they're always saying Australia's so laid back about things. And I don't know, do you think that working within an Australian company, but in another country, from a security perspective even as well from that culture side, we can be quite blasé about things. Did that carry through for you in the other countries?

MB: Yeah, it does carry through a little bit, I think it probably actually the area mostly carried through for me was like in the, in the sense of humour that the company had, like, whether you were allowed to be flippant about things or whether you had to be quite serious. So I do think that carries through. That was probably the area I had to be most careful of, when I was at Fitbit prior to Afterpay. That was the first American company I'd worked in America for. And I felt like I had to choose my sense of humour appropriately. That was probably overdue, though. It's probably part of me learning how to be a part of more inclusive teams as much as anything. So I think there's both an element of the country there as well as just my own growing up as it were.

CP: Yeah, I definitely found that working in Asia, you have to be attuned to what's important to them. But the sense of humour part takes a bit of getting used to and making sure that you are not offending people is, you know, an everyday challenge, I think, as well definitely. If we go a bit deeper on the topic, because I know this is a topic you and I both love to talk about. What do you think's needed for an effective security culture? Because no matter what the organisation is selling, or where they're based, what do you think are the standout elements that are needed for strong security culture?

MB: So I think culture is about three things. It's about knowledge, ability, and will. And when I say knowledge, ability and will, it's about those three things in terms in the context of security, like, do I have the knowledge to do the things that will protect me? Am I willing to do the things that protect me. Companies with a good security culture have the will. Like they're willing to spend time, they're willing to make the right trade offs, they're willing to prioritise security over other things. As we know, when you're doing security work, you're not doing other kinds of work, or if you're spending money on security, you're not spending it elsewhere. When I think about companies that have good culture, it's really about that will. I also think companies with good security culture have a broad awareness of what the threats are that they face. And I think for a lot of people this awareness is what security culture is, but I argue that it's not enough just to have awareness. Awareness is one leg of the stool. So I think you use awareness to drive behaviour or to drive engagement. So an example of engagement would be okay, if we're a bank and there's a broad awareness that financial crime exists, you know, we might be willing to engage with the security team when we're building a new feature that deals with financial transfers, because we know that that's a risk. So that's where I think awareness comes in. The last part companies with good security culture have is that they've taken the time to build effective and approachable security teams. So they're not looking at security as a gate, they're not treating security as a process. They're really focusing on how do we empower folks to get access to the knowledge that they need in order to do security well, and they've built a team that's sort of going to be a valuable part of that cycle. This often sounds a bit counterintuitive to folks, but I really like the model of a security of no one being forced to work with the security team, people choosing to work with the security team. Because it leads to this incentive structure where the security team has to be really good at their job if they want people to engage with them. And so it's that awareness, but it's also as much about the will and the knowledge.

CP: I totally agree. And you can hear me banging on in an earlier season, about how much I hate the word awareness. Because I agree with you that knowledge or awareness of a need to do something doesn't necessarily equal action. But I love the idea of the wheel, because that feels a bit more visceral, it feels a bit more like you're compelled personally, not because somebody's sort of forcing you to do it as you said. It's more well, this feels like the right thing for us to be doing, and this is the way we do business around here. The idea that it's a personal choice, it's not an organisation compelling you to do it. It's hard, because I think there should be consequences to people not following the security rules. But I also think that just being a talking head and sprouting awareness, or people doing an online 20 minute cybersecurity awareness training once a year, and that's the extent of the awareness, is totally insufficient. Is this approach this kind of awareness and knowledge and will, is that the approach that you took at Afterpay to build the security culture there?

MB: Yeah, mostly, that's the approach and I should stop and preface it with the fact that I had great people that I worked with at Afterpay. So Cath Wise ran our security community team. And so like most of what I'm saying, here, I just learned straight from her. So I claim too much credit for a lot of what I'm saying here. But yeah, I think when they're really focused on security behaviours, there was some awareness thing like, okay, security, crime is a thing, or you should be aware that these kinds of incidents can happen. But we were always really careful to follow with the and this is what we want you to do specifically. And so the good examples of security asks things like, if you're working on a feature that looks like this, please engage with us in this way. Or we really want you to use a password manager, and this is how to get access to a password manager. Or having good passwords is critical and this is what a good password looks like. So there were these calls to action always and I think things are more, more memorable for people if they've been told to do anything. And if that thing feels manageable, and achievable, and they can do it quickly. The approach there was much more about frequent comms about comms that lead to specific actions, and less about generic awareness. Like one of my pet peeves, you're talking about pet peeves around awareness. Like the obsession we have with trying to teach people not to click on phishing links, I just think it's time sink, like, you can't teach someone not to do something. You can teach someone to do something. And so like, let's focus on a positive behaviour there. And for us, that was reporting suspected phishing emails. And so we know people are going to it's going to get tricked by them. But if we teach people to report things that look suspicious, if we make the assumption that phishing emails go to multiple people, we build this sort of collective immunity basically, against things because we can investigate reports of phishing and deal with them. So yeah, a lot of us have a call to action. The programme now I'm super proud of as well, again built with Cath, we would actually measure whether people were doing the things that we were asking them to do. So we could collect logs from a password manager. And we could tell people, okay, we see that you're using the password manager, like great job. And so you're giving people active feedback about how they're doing, and about what they could do to improve was also really powerful motivator there.

CP: And in terms of motivation, I mean, the last few companies you've worked for have been technology companies. How do you take companies like that, that, you know, almost everybody who works there is a technologist or technician in some shape or form? How do you take them on this, a stupid cliche, but this security journey? We've had a few guests this season talking about how engineers and the security team aren't necessarily on the same page yet and maybe haven't had a huge amount of opportunity to work together. But in organisations that you've worked in, I mean, it's everyone's kind of in the same pool. So do you feel like being deeply technical by trade has really helped you to engage better with these tech leaders to build this company culture of security in a tech based company?

MB: Yeah, I think the way to get the right outcomes is to meet the people you're working with where they are. For us, we've always said, the engineers are only going to work with us if we understand enough about their work to understand the impact of what we're asking them to do. And so if we show up with generic advice that says, oh, you should validate an input. It's not super actionable, we've no idea how long it's going to take, we don't know how they're going to do it. It's not useful sort of feedback. But if we come up and say, hey, we would love you to validate your input, we think that the right way for you to do that is this. We know that's a fair bit of time, is there someone we could talk to help buy you some roadmap space so that you could implement this? Is the technology, we're suggesting one that you would prefer? Or could we help spike an investigation into alternate types of technologies that would fit into your stack. It's about being collaborative, but also understanding the impact of what you're asking for. And genuinely like having skin in the game, showing up expecting to not just throw problems over the fence, but sit in a trench and work on solutions together. And so for us, a lot of the work we've done on, this is the area I'd sort of called product security, you know when you're working with engineers on the product itself. A lot of the work in product security has been about either building solutions ourselves that make things simpler for the rest of engineering to achieve their goals. You know, a lot of companies call that like a paved road approach where you make the simplest way to get something done, also the most secure. Or it's been in that sort of consulting kind of world where we're, we're sitting with those teams talking about problems and working on solutions together. But I think, you know, for modern engineering, focus technology companies, it's critical that the security team has enough engineering background to be able to understand what they're asking folks to do. 

CP: And I love that idea that the most secure way of getting things done is the easiest, or the best way, because then everybody moves forward together.

MB: Yeah, and it's, you know, it sounds lovely, it's a lot of work to build, it turns out, but and I guess that's maybe another great point is being pragmatic, like choosing which hills to die on. If the first interaction you have with an engineering team in your new role as a security leader is that you're making a big deal over something that they're going to perceive as a minor risk, then you're just going to destroy a bunch of trust off the off the bat. And so you got to ask yourself the question like, I know that I'm ultimately going to succeed in this role in two years, if I've built a high level of trust, and I'm more likely to get the things that I'm asking for done. And so do I care about this thing today, or do I care about that thing in two years? It's almost an analogy of like, put your own face mask on before you help others. Like, it feels terrible to think that you're doing something yourself. But you know, the ultimate success only comes if you do that, right. So, yeah, that's, I definitely encourage people to think about that prioritisation call and deciding when to dig in and when to when to let things roll.

CP: But it's also about having the evidence of knowing if something is on fire, and you've got the evidence to show that, that's very different than just coming in and kind of making an explosive change. You know, for most of these types of roles in security, it's going to be a slow burn. As we talked about earlier, it's about building trust, understanding, listening first, you know, that old adage of you have two ears and one mouth. You know, listen to what these people are going through what their jobs are, what their challenges are, and then, you know, stepping onto the bus with them, as opposed to trying to impose security onto people that you don't actually know much about them or and vice versa.

MB: We've always had this as well, there's actually tonnes of allies across engineering teams for security. It turns out like, in most cases, good security is just good engineering. And so a lot of cases we'll find that they are big allies of ours. Like they've had a bugbear for a while they want to get a thing fixed, it has a security impact. It also has like an availability impact or a maintainability impact or some other quality attribute attached to it. And so if you find the site reliability engineering team, or the infrastructure team, or the quality team, you know, they have particular areas that they are concerned about, you can often partner up and say, well, let's fix this together. Like let's solve the security concern, but also improve the quality at the same time.

CP: I want to ask you a question that's a bit backwards to how I would normally approach this with my guests, because I often will say, what do you think have been the big shifts over the last x period of months or years or time? I want to ask you in a slightly different way, because you and I have known each other for about a decade. So if you think back over the last 10 years, what do you see as the security concerns that we as an industry are still chipping away at? What have we not been able to change? What hasn't changed in the last 10 years? Do you think that it doesn't feel like we're making any progress on?

MB: It's the basics. It's sort of horrible to say but most companies still don't have a good understanding of which assets they have. They still don't really have an understanding of what services they're running. Log4J showed us all that we don't really know what software we're running. It's certainly not an easy problem to solve. But I think we've often gone really far down our security programmes are really focused on very specific issues. But we haven't managed to solve those fundamental, like, what am I actually securing questions? And yeah, I often wonder if I'll ever get to the point in my career where like, oh, yeah, we solved those things. And, yeah, we all know, that's the first thing you do, and I tell you get it done.

CP: But I think too, that in many ways, maybe they thought the Essential 8 would start to solve some of those basics or the essentials, but there are still organisations that that have trouble either getting the influence to put the Essential 8 in place, or technically they are unable to put it in place or maintain it, you know, ongoing. So yeah, I definitely agree that there are organisations, many organisations that are still unable to get the fundamentals in place, and potentially unable to influence in any way shape or form the leadership to get those those things in place just to get the water level, you know, up to the right spot.

MB: You know, it's not glamorous work. It's boring, it's expensive. It's time consuming.

CP: Don't forget thankless.

MB: Thankless, absolutely, yeah. But yeah, that's what I think is not changed, still missing the basics before we jump into the deep end.

CP: Have you got a way for us to solve it Marc? If I talk to you in 10 years time, could you say yes, I nailed that.

MB: I doubt it because it's also getting harder. So like when everyone had a computer on their desk, you can at least walk around and count all the computers. Obviously, things are pretty different. Now we've all got multiple computers, and we've got assets that are ephemeral and are in the cloud for a few seconds at a time and then gone. So I don't think I do have the answer. But again, I think it's good engineering, like, increasingly, the systems will tell you that they exist, and they'll tell you what they do. So if you're building pipelines for all of the things that you're doing, and they're self documenting, then you can solve those problems. But again, it comes back to just good engineering practice.

CP: Yeah, and I think too, there's a huge opportunity looping back to something you said at the start about being in the organisation you're in at the moment, in Immutable, you have to invent new security processes, and ways of putting controls in place and ways of securing things. And as you say, like it's moving so quickly. And some organisations choose to just follow the moving target, and not concentrate on some of the well known controls that we need to put in place. And there was a survey that came out recently that talked about the fact that a huge percentage of the cyber attacks that we see at the moment are actually using vulnerabilities that we've known about for a long time, or using viruses that we've also known about for a long time. And until we close the gap on some of these well known exposures, we're going to continue to see unfortunate incidents across many organisations.

MB: Yeah, so the old adage, like, we have to be right all the time, but the attackers only have to be right once. So our job is a challenge about trying to be perfect across everything. So it's a tricky one. We're not going to be bored as you said at the beginning. One of the things I love about security is that it's always moving and we're always learning more.

CP: Marc, I want to thank you so much for coming on the podcast today and for sharing your wisdom. And I think that there's a huge amount of opportunity for security leaders to do what you have done and move into a new frontier like web3 gaming. I'd love to talk to you again, you know in the coming months about how things have evolved and for today thank you so much for sharing.

MB: Thanks for taking the time, I enjoyed the chat.

Previous
Previous

105. Developing a secure engineering mindset with Stephen Kennedy

Next
Next

Season 11 Teaser