- Welcome to the Cyber5, where security experts and leaders answer five burning questions on one hot topic in the actual intelligence enterprise. Topics include adversarial research and attribution, digital executive protection, supply chain risk, brand reputation and protection, disinformation, and cyber threat intelligence. I'm your host Landon Winkelvoss, Co-founder of Nisos, a Managed Intelligence company. In this episode, I talk with ServiceTitan Chief Information and Security Officer, Cassio Goldschmidt. We talk about life as a CISO for a late-stage tech start-up, including what to prioritize when starting a security program. While tech start-ups have a mantra of "move fast and break things," Cassio talks about how a security program should enable the business and adapt to the culture. He also discusses the pitfalls to avoid when starting a program like this. Stay with us. Cassio, welcome to the show. Would you mind sharing with me a little bit about your background for our listeners, please?
- Hey, so glad to be here, Landon. So I've been in information security for the last 15 years, I would say, or 15-plus years. Time flies, right? I started at a company as a software engineer, then I moved into application security, where I started managing a team responsible for the security of all products worldwide, and then got into the management part of things, and that's what I do right now. Today, I work for a company called ServiceTitan. I'm the Senior Director and CISO of the company, and I'm here today representing myself; the opinions that I have are my own and not ServiceTitan's, but I will be really glad to talk about life at start-ups and my experience in the different places where I've been in the past.
- That's really helpful, Cassio. I appreciate you joining the show and I'm excited to dig into this. It's not every day that we have seasoned security leaders that have been with large companies, as well as start-ups.
And I think the nuances there are very distinct. And I guess, kind of starting out, that's exactly what we're gonna be talking about today: kind of "Move fast and break things." A lot of people understand what that means in the tech space in terms of development, but that certainly means something as well when you're coming into a company fresh and starting a security program. Because I think you have to have the same type of mindset, you have to have the same type of culture, and you have to have the same type of perspective of really what's gonna be rational to grow a security program. So, from that perspective, for our listeners' background, kinda set the stage if you don't mind. You're coming into a company, let's call it somewhere between $50 million and $150 million ARR, you're at later-stage investment rounds, you're about ready to consider going to the next rounds of growth. Set the stage of what it's like coming into a company like that and what's in front of you that first 90 days, and talk about what's beyond in the next year to two years.
- Yeah. So the first thing is to understand why they're hiring you, right? What's the reason they decided to one day go and look at each other and say, "We really need somebody to do security and we need the person to be here full time"? And there are different reasons why companies will actually go and try to start a security initiative if it doesn't exist at all. A couple of different reasons a company would start such an initiative are, for example, compliance. Sometimes a company is in a highly regulated industry, or there's a need to have more discipline because the market will want it. So for example, cryptocurrency. There might not be a lot of regulation there, but if you want to really provide the comfort level that your customers want to actually buy cryptocurrency, you might want to have a very good security program in place.
Marijuana, for example, is another market where you might want to have strong compliance to show that you're doing something that is clean, that is good, and so on. Maybe sometimes companies hire the security people because they want to avoid regulations altogether. Some areas are not regulated, and showing that you have good security in place will keep the government from coming in and actually saying, "Okay, I'll tell you how to do it," which is a lot of times more prescriptive and something that the companies don't want. There are some cases where companies start their own security initiative because of reputation, and that is very common with security companies. If you do a security product, you should have secure products, which is a completely different thing, and people don't realize that sometimes until very late. Then there's the case where a company has experienced a breach, right? Some companies do experience the breach firsthand; some others look at their competitor who experienced that breach and say, "What if this happens to me?" And finally, there are the companies who decide to do security because of customer demands, or because they start losing business because they are competing with some companies that are more mature and they need to have some security that matches what they're seeing with their competitors, or some customers are just threatening to leave. So the question was, what's the state of a company when you start? And that was: security's still something that they were deciding to go full time on and to have somebody looking at it 24/7. Most of the time there are going to be some heroes in the company. Some people who are working 12 hours, 16 hours, and trying to implement all the new features, all the customer requests, trying to solve all the bugs in the system, and they also implement the security. They do the best they can, but they know that what they know is not enough to make things secure.
They realize that security is indeed a full-time job and they need somebody there. So in all cases, when you step into a start-up, one thing to look at is also the growth of this start-up, 'cause you need to have a vision. You need to see where the company is today, but not solve the problem for the company as it is today. You have to look at how the company is going to look tomorrow. So you're building security much bigger than what you need today in order to actually fulfill the needs of this start-up. And at the same time, you cannot stop. This car is going a thousand miles an hour. As people at GitLab like to say on their security initiative, "We're not gates. We're guardians of security. We're the ones actually advising you how to do things right and avoid the bad things from happening." So going back to the car comparison, it would be your job to actually listen to what people have to say about security, where they are, and then start building the features that will prevent that crash from happening proactively. So in a car, that would be, let's say, blind spot warning or adaptive cruise control, or the forward collision warning. This kind of thing will still allow you to drive a thousand miles per hour, but safely.
- So I guess, you know... And I know there is no one-stop answer for any company, but what are some common pitfalls that you've seen in early-stage start-ups? People reusing the same passwords, there's no endpoint security, there's little to no application security program, there's no gold image standard for laptop issuance, there's no offboarding process for employees. I mean, I guess it would be helpful to understand just different pitfalls that you've seen within start-ups.
- Yeah. So I think there are a number of things, when you step into a start-up, that you need to actually think about and understand before you do anything.
So one of the most important things when you step into this type of environment is to actually understand where you are. Perform a risk assessment; that's the first thing you have to do in order to avoid any of the pitfalls that you see in the past, or things that they were doing and they should not be doing, or they should be doing. Interview people, do skip levels whenever you can in order to get a better understanding of the company. And hear from all departments; some people have different biases because of the places they have been before, but you really have to hear from all sorts of departments out there, and not only from a formal perspective, like interviewing and doing the risk assessment, but also from a more informal type of information gathering too. Invite people for lunch, talk in the break rooms with people. And understand that you cannot actually solve everything by yourself, right? You're going to need supporters. You're going to actually need to bring the entire company to your side. And the way to do that is actually by having a good education program once you start, so that people understand what their role is and they finally realize that the CISO is not there to actually fix everything, but really to serve as a consultant or somebody who can actually show the way where things need to be done differently, and then have other teams help you to actually fix things. As for the pitfalls, the things you see most often broken in start-ups, unfortunately, are the unsexy things that people often overlook, and they are misconfigurations, people not paying really good attention to phishing emails. And this is particularly true when the start-up is in the news or receives another round of funding.
Whenever, for example, start-ups that I've been with receive another round of funding, everyone is celebrating and I'm very concerned, because the next day I'm pretty sure there's going to be a number of new phishing attacks targeted against us. Credentials are in the wild. It's really important to actually make sure that you're on top of it in communicating to people that they must use strong passwords, and these days two-factor authentication has become mandatory for everybody. Onboarding and offboarding are incredibly essential as well, because people tend to come and go. Start-ups can have ups and downs and people might jump off the boat. And if the systems are not connected and federated, you're going to have some problems with accounts that just linger out there and are never closed, and sometimes exposed to the internet.
- In terms of the priorities, so I think you laid it out pretty well. When a company starts a security program, they're going to either be compliance-driven, or they're gonna be coming off of a breach or an investigation. Walk through the different priorities. Given those two scenarios that you just laid out, what might be the common priorities immediately, like that first 90 days to six months, from the different models there?
- I think that the first priority is actually to listen. It's to really understand what a company is, and once you have that, then you create a map. You really look at what's the most impactful findings that you had from your research and how difficult it is to fix things. As I mentioned, you cannot just stop what a start-up is doing. It's just different from Microsoft, that had the luxury of saying, "Okay, we're going to stop developing on your software and actually fix bugs for three months," like they did in the past.
But once you have this map of risk and how difficult it is to fix things, you can actually start fixing the most impactful low-hanging fruit, so you can start showing some progress to your peers and start getting the posture right. And then work with the other teams in convincing them that the more difficult stuff needs to become a project and be properly resolved over time.
- When you talk about threat models, because at the end of the day, you're doing your risk assessments that you cited there. Any program is gonna be undertaking to build defenses against the threats that they're actually facing. What threat models do you find useful in this environment culture?
- Yeah, so I think that the most common things in a start-up, the things that you see happening most often, are actually abuse cases, and then people who actually did bad things, phishing problems, and just misconfiguration in general. For example, MongoDB servers that have no password that have been exposed to the internet, or S3 buckets, and things like that, that happen all too often. A lot of people actually jump into a start-up and think about all the types of attacks or the things that are in the news, and that's misleading, because those are not the things that are going to be your main threats that you have to fix right away. What's going to cure you is actually those things that have not been patched, and they're like men exploits type of exploits out there that can be used against you.
- I heard patching and I heard abuse cases and phishing as three types of priorities or threat models, so to speak. And not necessarily worry about navigating to a domain controller and exploiting SPNs or something more advanced, or looking at WMI lateral movement, like a lot of nation states are capable of doing.
I mean, what I heard is more of the basics, but I'm just kinda curious. When I hear abuse, that speaks a lot to consumer safety, not just the confidentiality, integrity and availability of data. I'm kind of curious how you think about abuse in terms of ultimately how to tackle abuse that's any different than traditional protections around the CIA of data, systems and networks? If that question makes sense.
- Yes, it does. And you're absolutely right. Abuse cases are a big thing and sometimes it's a shared responsibility. For example, if you are a multitenant type of environment, or a SaaS type of business, there are some things that your company is responsible for. And when it comes to credential use, or who is going to use the software, or configurations of the service they are providing, it really goes to your tenants to actually do the right thing. And depending on the industry they're in, the level of sophistication can vary greatly. For example, in the case of ServiceTitan, they serve the home service business. And there's a big variance between the most sophisticated tenants that the company has and the ones that are not, smaller shops that actually come to someone's home and fix the plumbing and so on. And whenever, for example, there is a phishing case where we see the small companies start sending emails to everybody, including ourselves, we actually treat that as if it were our own flaw and work with our customers in order to help them to block the pages on the internet and so on, in order to do the right thing. It's not something that we charge for. We just want to help them, because we are in an industry where we have influence when it comes to technology, being more sophisticated than most. We can help them to get to the right level that is necessary given today's exposure to the internet and all the risks of running a business that is actually online and that you depend upon in order to get your business rolling.
- In terms of understanding the "Move fast and break things" culture, how can security be an enabler of business? I've talked to a lot of different IT-minded professionals, mostly on the CIO shop side; a lot of them say security can't be a disabler of business, but really, how can security flip that coin and be a true enabler?
- The motto "Move fast and break things," I think it works wonders for some types of businesses, but not for everybody. So when I hear that motto, I cringe. Meaning, for example, if you are a social network type of website and it is okay to be down for a while if you break things, because nobody's life will depend on it, it might be okay to actually move fast and break things. If you're doing a business where people's lives depend on the information that you're providing, it's not the right thing to do, in my opinion. It's something that actually should be avoided. And if security professionals are, for example, just doing testing in production or breaking things, they're just going to lose credit with the engineering team and will make things a lot harder to actually perform good work if you're trying to do that. So I'm more of the opinion of "Move fast, but don't break things." Do everything to actually make sure that availability is always up as much as you can, and be responsible about the system that you provide to your customers. Now, how can Infosec actually help things? We can actually break things and show how they are broken, not necessarily in production, obviously, but we can actually show them, "Hey, there are a couple of single points of failure here that need to be addressed." So the business knows, and we're actually showing them what needs to be fixed.
Then there's also the part where we can also help our customers. As I was mentioning in the case of the home services business, they have traditionally been an underserved area, and you can help them by providing your security information upfront to prospects to show that you really care about this area. And with that, you can help your sales. You can help your success teams, you can help support and so on, and you can help your customers by showing what's the best practice in the industry, because a lot of them don't have the luxury of having this Infosec department that you have. And with that, you can win their trust and they will come to you whenever they need something related to security.
- It's certainly refreshing to hear that perspective and to really talk to how security can help the business and not just break things and leave it for lack of prioritization. Last thought, I guess: what are the pitfalls to avoid? I think you've highlighted some of them already in terms of what to avoid, as an example, not to focus on nation-state behavior. If you are still a young company and a young security program, what are some other pitfalls to help justify the program? And another one, just from talking: when you hear abuse and fraud, and you're gonna have to have that multi-tenant approach where it's dependent on consumers or the users of your platform to also be secure, which is troubling, a lot of folks start thinking about bringing in and building threat intelligence programs. I guess overall, what are some pitfalls to be careful of when you're starting out?
- You do bring a very valid point, which is build versus buy, or even use services that are external to your company. And you can surely create, for example, a red team from the get-go, but at the same time, are you going to be using your resources in a wise manner? Will this red team actually have enough to go and be busy all the time?
Or are you better off actually going to an external company and asking them for penetration tests, bug bounty programs, and so on, in order to have as many people looking with different methodologies to find the vulnerabilities that we need? Are you better off actually creating a SOC team or using an external SOC in the beginning, depending on the industry you're in? So those are some very important things to consider when you are actually considering the pitfalls to avoid. Also, estimating the ROI of what you're going to be asking your finance department for; don't create a wall. Estimate based on reputable papers that are out there that provide some numbers on the cost of a potential breach, and then multiply by the likelihood that that can happen to you. So you have some numbers that are actually more manageable and would be more comparable with how much you're going to be spending on security. You should spend the money as if it's your money, not your company's money, and really be frugal. Understand what the solutions can actually buy for you, and understand that the solutions that were a must in the past might not be something that is essential today, or there are replacement solutions; for example, traditional antivirus became endpoint security. And these days you have EDR, XDR, MDR and so on. With more on the server side of things, you have firewalls, IPS, IDS, sourcing. You have to understand what all these technologies will do for you and the difference between each technology and what they're going to catch. Sometimes, even if they are going to replace some of the people that traditionally were in a security team, we fail to make a solution that will do the work. And finally, there are some solutions that were very useful in the past and, quite frankly, I was a big fan of, such as dynamic analysis tools, that today, given the way you build webpages, are not as effective as they were in the past, at least the traditional ones that I've seen.
And that understanding will help you to also plan your budget wisely and not just buy a tool that worked in the past in different companies that you've seen. And you'd go, "Oh, I must have these tools," because it just doesn't catch the same attacks that you were expecting these days.
- Cassio, your opinions on the show were fantastic, very nuanced. And I think that, with tech, a lot of tech companies being a growing part of the economy, these are certainly important facets, certainly as we look to combat the threats that are in the news every day. So, I appreciate your time on the show.
- [Voiceover] For the latest subject matter expertise around managing intelligence, please visit us at www.nisos.com. There we feature all the latest content from Nisos experts on solutions ranging from supply chain risk, adversary research and attribution, digital executive protection, merger and acquisition diligence, brand protection and disinformation, as well as cyber threat intelligence. A special thank you to all Nisos teammates who engage with our clients to conduct some of the world's most challenging security problems on the digital plane and conduct high-stakes security investigations. Without the value the team provides day in and day out, this podcast would not be possible. Thank you for listening.