Cybersecurity Effectiveness Podcast

Terry Ray

"For your business, look at what's most important and put your controls around it because you will not be able to put controls everywhere. Begin where it's most important, and start to build it out and as you mature, you'll get more and more there. It's not about absolute security, in my opinion, but about acceptable risk."

Terry Ray is the SVP and former CTO of Imperva, Inc. and has specialized in data security and privacy for over 15 years. He is a frequent speaker for professional security and audit organizations in the Americas and abroad.

Brian Contos:

Welcome to the Cybersecurity Effectiveness Podcast, sponsored by Verodin. The Verodin Security Instrumentation Platform is the only business platform for security that helps you manage, measure, improve, and communicate security effectiveness. I'm your host, Brian Contos, and we've got a really special guest today. Joining me is Terry Ray. Welcome to the podcast, Terry.

Terry Ray:

Thanks, Brian.

Brian Contos:

Hey, Terry, before we--

Terry Ray:

Good to be here.

Brian Contos:

Oh yeah, it's wonderful to have you here as well, and you know, before we get going -- I know we have a number of things we'd like to discuss today -- can you give everybody a little bit of background about where you came from, how you got into this space, and what eventually led to you becoming CTO for Imperva?

Terry Ray:

Sure, happy to. So, for years earlier in my career, I worked on network security: Check Point software, Cisco, and some of the others. It was always interesting to me that so many companies ignored what sits in the network. The things that people have access to, and all the network firewalls I ever configured, every single one had port 80 and port 3 wide open, because that's how you run your business.

Terry Ray:

And so, I met a guy named Shlomo Kramer, who was one of our founders at the time. He brought me over as the first sales engineer for Imperva back in 2003, and really just kind of grew up in the company. It was one of the first startups I had ever gone to. Learned the process of maturing through a company and the company's own maturity itself. Becoming a manager, a director, a vice president. Running the sales organization and ultimately becoming part of the executive staff, where you have executives. They come and go. But at the end of the day, you need somebody at the executive level that can have technical conversations with an organization, with a CISO, CIO, or even CEO in some cases, about why their data is important, about why their applications are important, or why they're spending this money to solve a problem that they thought they solved with all the other stuff that they bought.

Terry Ray:

Being able to have that conversation, having done this for 15 years, is kind of what led me to become a CTO at this point, to be able to not just talk about our technology, but look across the industry landscape and see what other technologies are correlating to our own, maybe beneficial to our own, or synergistic to what we're trying to achieve.

Brian Contos:

Yeah, that's fantastic. Especially the fact that at Imperva, you've been there 15 plus years, the fact that you've been able to climb the ranks, if you will, to that executive level, that CTO level, and bring with you all the experiences that took you there and sort of combine that business and technical acumen, you don't necessarily see that a lot. You certainly don't see, and we talked about this earlier, a lot of folks that are with a Silicon Valley based startup or any startup that's matured over the years, like Imperva has, for 15 plus years. It's three or four lifetimes and you've reinvented yourself a number of times obviously, and did a lot of new and interesting things, so that's really cool to see that.

Terry Ray:

Yeah. Thanks.

Brian Contos:

Terry, I know one of the things that's really important to you is data privacy. What's your overall sort of view of the state of data privacy today?

Terry Ray:

It's interesting. Yeah, I would say data privacy today is far better than what it was 15 years ago, far better than it was 10 years ago, and a little bit better than it was five years ago. But if I had to put that on some kind of a scale, I would say 15 years ago it was at a one or a two out of 100, and over the years we've moved it up maybe close to 30 or 40. But we're still well into what I would consider a failing grade in terms of data privacy. To the point that countries and organizations and everybody else has to build regulations around it to say, "Organizations really need to be doing more. You've got to do something different than what you've been doing to get just to the fundamental baseline of what regulatory compliance would require of you." And most people would agree, best practice is well beyond what regulatory compliance requires.

Terry Ray:

But still we find companies today that aren't even meeting compliance, and so you read the newspaper every single day, and there's going to be some article in there about this breach, that breach, this exposure, that exposure. And what you don't read is that people's networks are being stolen, or networks are being broken into physically. You see them being broken into virtually, and the only thing you can steal virtually when you go into a network is data. So, I would say, frankly, it's gotten better, but I would still give it an overall failing grade, which is why I'm still in the business today.

Brian Contos:

Sure. Well, and a lot of people would talk about the cyber workload, if you will, migrating, and in many cases it already has migrated over to the cloud. How is that affecting applications and, subsequently, how is that affecting data security?

Terry Ray:

If we went back five years ago, and again, you were to say, "Terry, do you think companies are going to be putting their most private data in the cloud?" I would say, "The companies I talk to, the answer is probably not any time soon, with a few exceptions here or there." What I see now is a lot of companies actually saying, "Yeah, this made a lot of sense for us to put our workloads out there." It's significantly cheaper. They perceive a greater risk, but the fact is, they know they're already at risk, so it's, in many cases, an acceptable risk. They know that they are taking on the responsibility that they already had anyway on-premises, but they can now save money.

Terry Ray:

I see a lot of companies saying, "We are going to move workloads to the cloud, applications and data," but at the end of the day, they're putting the security requirements or security responsibility of that right back down on the security professional. I think that what's really the challenge here is when we think about going to the cloud, you have organizations that are already having a challenge of trying to protect the primary avenue to data, which is your applications, and then back behind that, the data itself, whether it's from an insider threat or through vulnerable applications. And they don't really have the expertise to do that on-prem. Now when you go to the cloud, you start to talk about orchestration and Kubernetes, and Terraform, and all the different provisioning type tools that are out there in the cloud. And you talk about containerization, and microservices, APIs, and how complex applications are becoming.

Terry Ray:

What you're really creating is an environment where a security organization has to have absolutely broad expertise across all these various domains, including all the stuff they had to know before. Email security, and network security, and all that sort of stuff. And I think what you're finding now is organizations that are just out-pacing what security can really achieve. And we're seeing more of that again, with the breaches that we're seeing today, as just as many of them are cloud workloads as they are on-prem.

Brian Contos:

Yeah. Well, you mentioned how organizations are sort of outpacing what security can achieve. I think that's an interesting perspective, and a lot of people would point to regulations as one of the remedies to address this. I don't know if I necessarily agree with that, but there definitely seems to be an increase in regulations that are focusing on data privacy today. How is that actually impacting data security efforts by organizations? Are these regulations hurting, helping, is anything changing at all?

Terry Ray:

I think, if nothing else, and I tend to agree with you when I think about regulations, I don't know that they directly benefit cybersecurity professionals by making them smarter or better at their job. I think if nothing else, at least for the companies that feel like they have to adhere to these regulations, they at least apply budget to security, which security always has a hard time finding. So, if nothing else, they get an influx of money to say, "Okay, what are we going to need to do X, Y, and Z that this regulation states we must do that we weren't already doing? How much do you need to solve this problem?" So, if nothing else, security now has an influx of money. It has higher level, in some cases board or at least CIO level, attention. And I think it starts to bring the world of the CISO and the world of the functional portion, under a CIO, together to say, we really need to start working together.

Terry Ray:

What the CISO is trying to do is trying to achieve whatever this requirement happens to be. But at the same time, the functional side, the DBAs, the business units, et cetera, whoever owns that data that is relevant to that cybersecurity policy or regulation, they're also going to be on the hook for some of this requirement. So it starts to bring these two teams together to at least have a conversation. How are we going to meet the regulation? Where before, security does what security is going to do. Functional does what they're going to do. And oftentimes there was a bit of, for fewer words, a firewall between the two.

Brian Contos:

So, let's get a little bit more tactical. You've mentioned some of the folks with hands on keyboards, the application developers, the security folks, the DBAs, et cetera. How are security professionals preparing themselves for these threats? The ones that are very application and data centric, and let's include the cloud workload as well. What's the preparation? What are security professionals supposed to be doing?

Terry Ray:

Well, they certainly need to be learning as much as possible. But, as I noted, right? The technology, the demand on technology, the user demand for access to data across multiple platforms, is causing the pitch, the field if you will, of cybersecurity to become wider, and wider, and wider, but you don't get any new players. So what we're seeing is simply the security teams doing everything they can to prepare and be as knowledgeable as possible in these spaces. But what I'm seeing now in this space is a heavy leaning on machine learning and AI. Right? If you go to RSA, you'll be hard pressed to find a vendor that's not talking about machine learning and artificial intelligence to try and decrease the alerts, simplify the workload, all of these things. And that's simply because in many cases, the security departments were already overloaded anyway with data. But at the same time, you also recognize that in many cases, the alerts that they were receiving, they simply didn't have the expertise to understand anyway.

Terry Ray:

So here you'll see a lot of vendors going out and saying, "Look, we're going to try and solve this problem for you. We're going to tell you, even better than what we did before, what's important. We'll take what was a thousand alerts, we'll give you two alerts, and you just need to go figure out what these two alerts are. And we'll try and help you as much as possible to solve that problem." I see vendors doing that quite frequently, and I think the other thing that you're going to see a big increase on, and we're already seeing a bit of it here as well, is subscription services. Right? So, a company simply saying, "Okay, I'm going to hire a couple of security professionals, but I fully admit, and they fully admit, they don't know everything. And they will not have the capacity to cover my entire environment." So, you'll see people going out and outsourcing parts of their security deployments to managed services for application security, network security, whatever it happens to be.

Terry Ray:

As a little bit of a proof point on this, if you go to LinkedIn and you search, in quotes, for network security, database security, data security, application security, cloud security. Search in quotes on those sorts of things, and what you'll find is, as you get down closer to data security or cloud security, whichever one you see, you're down in the sub 1% of the overall availability in LinkedIn that had any even belief that they're experts in those realms. And if we assume that half the people on LinkedIn are experts and the other half of people that say they're experts aren't really, you're at an even smaller number.

Terry Ray:

So, I'll just throw out two numbers here. Right? So, network security in LinkedIn is 1.8 million people. Say that they're network security experts. If you go down to data security, you're looking at about 100 thousand people. If you go to cloud security, you're around 30,000 people. There just isn't a lot of expertise out there, so you're going to see companies slowly, unfortunately, recognize that they don't have the expertise, and they won't be able to hire their expertise. So they either have to buy technology or they have to buy services.

Brian Contos:

On the technology side, you talked about walking around these conferences and everybody has a machine learning or AI solution. It's cloud, it's IoT, it's blockchain, it's this or that. Do you think there's a level of fear or maybe trepidation by customers when they hear a vendor say, "Yeah, we're going to go ahead and take a thousand events, and we're going to boil it down to two." How are you going to do that? "Well, we have really, really advanced AI or machine learning." What's that conversation like?

Terry Ray:

It's the way that they're going to trust what you're saying or not. Right? Whether they're drinking the Kool-Aid. So yeah, I had a conversation with somebody at Google, one of their AI people, and they were of the opinion that when an organization like this is going to say, "I want to see your technology, I want to test your technology," that they're going to start asking questions about, "Well, what kind of AI are you using?" And do the companies themselves that are doing this testing, the consumers of this technology, need to actually be AI experts so that they can determine whether one AI is better than another AI, versus another AI?

Terry Ray:

My take on it is, they're not cloud security experts or data security or application experts. I don't know how you're going to expect them to be an AI expert, and go hire data scientists as well. It's just not going to happen. So, I think the results are going to have to just speak for themselves. And so, when these companies go out and look at these types of technologies, when they do their piloting, they're going to look at accuracy. And if you're buying a cybersecurity technology and you don't believe it's accurate, then I think that's the first red flag that pops up as to whether it's going to be viable in a large-scale production environment, if the accuracy is not what you would anticipate.

Terry Ray:

So what's simply going to have to be part of the testing model is accuracy. And it should have always been part of the testing model anyway. It'll just have to remain that and probably become a little bit more so.

Brian Contos:

Yeah, I agree. Testing, validation, whatever you want to call it. I think most vendors that are out there are telling you what they do, and they're being pretty clear and concise and open about what's working and what's not. In most cases; some maybe not as well as they should be. But any time you buy anything, network security, endpoint security, cloud-based security, you've got to validate and test it. You can't take it at face value, and if somebody says their AI is supercharged and the other guy's AI isn't supercharged, well, maybe you've got to evaluate that for yourself. Right?

Terry Ray:

Exactly.

Brian Contos:

And I could have said this exact same statement 10 years ago, but there's hardly a day that goes by where there hasn't been a breach in the news, and it doesn't really seem to be changing. What I am seeing is the multitude of attacks, and the multiple directions of these cyber threats that are levied against organizations. What chance do organizations have today to prevent attacks from all these disparate angles, when they've got stuff on-prem, and stuff in the cloud, and they've got users with bring-your-own devices and an application over here that the CIO doesn't even know about? It's this real sort of melting pot of solutions. What's an organization actually to do?

Terry Ray:

It's a challenge without question. It's very difficult. And earlier in my career I would have said they just need to know what they should allow in their environment, and what they shouldn't allow in their environment. But to your point, it's just gotten too complex for any reasonably sized organization to even answer those basic questions. When I start to talk about cybersecurity now, I really don't talk about absolutes so much. I talk primarily around acceptable risks.

Terry Ray:

You're always going to have some form of risk, and there have never been, as far as I can tell, very many cybersecurity organizations that gave you a 100% guarantee that nothing's ever going to happen. And that's them saying the same thing to you. Saying, "Look, nothing's perfect." Hackers are like water. They'll take the path of least resistance. At the end of the day, what I look for, and this may be just me having done this for the last 15 years, is I have customers try to look internally and say, "What is the absolute most important piece of your business?"

Terry Ray:

Is it up-time? Is it... you could have a data breach, but you just can't have your systems go down. But if that's the case, then we're talking about reliability. Right? We're talking about making sure your systems are up. Anti-DDoS, making sure that you don't have people that can go in and crash your system. So, identity and access management, so that only people that have the right things can execute the right types of commands. Checks and balances, if you will. One-time passwords, and that sort of thing. But then there's the other flip side of people who say, "Look, if I'm heavily GDPR compliant, and I know I am going to get slapped with a fine if I haven't at least done my due diligence on data, or data is just the most critical thing to me. I'm PayPal or I'm some large bank somewhere around the world."

Terry Ray:

Well, if I lose my data, I lose credibility. I like to use the example of Tesla. What if I'm Tesla, and it's learned that people can break into my cars and stop my cars whenever they want? That is critical brand damage. So, from my perspective, I say, look at what is the most critical thing to you, and start putting controls around that first. Traditionally, that wasn't the case. Right? Traditionally, it was let's build a perimeter. Let's start looking at those things we use, the email, that sort of stuff. But okay, it's bad if email gets out, but it's not always the end of the world. It's bad if you get a network attack on your network firewall and this, but the fact is, the keys to the kingdom aren't necessarily right there at the perimeter. They're in the back of the kingdom, back of the business.

Terry Ray:

So my opinion is, you've got to be looking at the back of the business. If you're not looking at your data, if you can't answer the most rudimentary, fundamental questions about your data. Who touched it? When did they touch it? Should they be touching it? Then you really have no clue what's going on in your environment, so everything else is absolutely irrelevant to that point. So my point is, look at what's most important and put your controls around it, because you will not be able to put controls everywhere. Begin where it's most important, and start to build it out, and as you mature, you'll get more and more there. But it's acceptable risk. It's not about absolute security, in my opinion.

Brian Contos:

Yeah, and absolute security being, for the most part, unachievable. You have to look at what the business drivers are. What drives the business, or what drives your business mission, and kind of work it back from there. I think for a long time, people in our industry, vendors, and operators, et cetera, have worked from, "Hey, this latest attack is out. Or there's a new vulnerability, or we need to do a new patch, or this new exploit." As opposed to from the business perspective. So, I think that's very sage advice, Terry.

Brian Contos:

You know, Terry, something that we like to ask of all the folks that we interview on the show is: who is your favorite superhero or supervillain, and why?

Terry Ray:

Well, it's got to be somebody who survived the Snap, I guess. No, so, it's interesting. One of the things that I'm fairly well known for is the fact that I travel all around the world, all the time. So, for my superhero, it's not about saving the world, it's very, very personal to me. I think Dr. Strange would be the one. I want to be able to open a portal and walk through and be in Paris instead of having to take a 12-hour flight to Paris, or whatever place I need to go. It's just simply making my life easier. Being able to step through, step back, do my job, and get out of there. Travel is the one thing that we just haven't really nailed down well enough, I think, in this world. It takes too long to get anywhere. That would be my answer. I'd like to be Dr. Strange.

Brian Contos:

I love that response, as do my knees and my back, being on those flights as well. Oh, that would be awesome. And he's got a cool cape, so I mean time travel, teleportation, and an awesome cape. There you go. Well, Terry, thanks so much for being on the show. It's been about, I guess now, about 10 years since we worked together at Imperva, but you always have such great comments and insights, and I really hope our listeners enjoyed hearing your details today. Thanks to all our listeners for joining. And be sure to check out other Cybersecurity Effectiveness Podcasts, sponsored by Verodin.
