CISOs Guide to Cyber Resiliency; Security, Speed & Innovation with ASPM

Webinar

In today’s digital world, code is the backbone of everything your business does. But securing it at every stage of development and building true cyber resiliency, without slowing things down, is a major challenge.

We sit down with the former CSO of TikTok, ADP and EMC to break down why modern enterprises are shifting towards a unified view of the entire code ecosystem to prioritize threats effectively and move security faster with a complete ASPM. Join us to find out the secret to translating security insights into remedial action that actually works with, not against, your developers.

Don’t miss:

  • How to get a unified view of pipelines, repositories & coding environments for full-picture decision making
  • The secret to turning security insights into easy remedial action for developers
  • CISO-tested frameworks for securing every stage of the SDLC without disrupting innovation

Presented by:

Roland Cloutier
Former CSO, TikTok, ADP, EMC

Amir Kazemi
Director of Product Marketing

Transcription

Amir Kazemi:

Hey, everyone. So, super excited to welcome you to this executive session from Cycode. CISO’s Guide to Cyber Resiliency, Security, Speed, and Innovation from ASPM. The session is part of Cycode’s AppSec series, which is our monthly webinar show. So, hello again if you’ve joined us before, and then welcome, everyone, if you’re joining us for the first time.

My name’s Amir Kazemi. So, I’m the director of product marketing here at Cycode. Super excited to be your host today. But I’m also joined by a special guest, Roland, the former chief security officer at TikTok. So, Roland brings a huge amount of experience and expertise on our topic today, so wanted to dive straight into it. Before we do that, Roland, why don’t you go ahead and give the audience a quick background on yourself?

Roland Cloutier:

Sure, Amir. Thanks for having me. I love this subject, so it’s great to be here with you. Yeah, simple. I’m a 20-something-year chief security officer. It started in federal law enforcement and anti-terrorism. Then moved into technology defense and critical infrastructure defense.

Was the chief security officer at EMC, now Dell EMC, and was the chief security officer of ADP for over 10 years. And then, got the incredible opportunity to lead and build the global security program at ByteDance and TikTok, and build the US national security program with them, which just was an amazing opportunity. And of course, so much of what I did has to do in this space. So, like I said, it’s going to be a fun chat.

Amir Kazemi:

Amazing. Yeah. So, I kind of wanted to get into the topic of cyber resilience and code defense. So, with your background, having served as global CISO at some of the biggest companies in the world, how have you seen the role of code infrastructure evolve when it comes to business resilience or even cyber resilience?

Roland Cloutier:

Yeah. Well, it’s everything. If you think of where our industry and what our programs previously were focused on was a lot about network infrastructure and systems infrastructure. And obviously, we’ve always had SDLC programs in place, but that has grown so dynamically to what code is to digital organizations.

I mean, our networks are now SDNs. Our applications and supply chains are connected via APIs and other technologies. Our businesses are using advanced AI concepts both in ML models as well as LLMs in so many different various ways. So, code is our business and resilience relies on that code. So, I’d say it’s everything.

Amir Kazemi:

Yeah. Absolutely. So, do you feel like cyber resilience is critical for all enterprises today? Because the majority of these organizations are basically built on these digital footprints in ecosystems, right? So, is that your take on this?

Roland Cloutier:

Yeah. I think the principal thought here is we have to move from a concept of SDLC, which predominantly, initially was a thought of how do we make sure we don’t have vulnerabilities within our code? To migrating into this stock concept of good quality code to ensure resiliency above our operations. And I haven’t met a company yet that this isn’t important to.

And so, in the same way that data has become so instrumental to organizations to ensuring they have an incredible global program around that, so is cyber defensive operations around code defense and application defense in a much broader context.

Amir Kazemi:

Yeah. Absolutely. And I would say that now we’ve gone through this kind of evolution of digital transformation over the last decade or so, and now I would say we’re almost in this age of AI now. Has AI impacted us in the world of cyber resiliency and business resiliency in your eyes?

Roland Cloutier:

Well, certainly, I mean, AI has impacted us in many, many, many different ways. I’ll try to stick on the code defense, but if you think about, first, being on the receiving end of cyber incidents and issues associated with negative impact events around bad things happening to our companies because of AI, it’s lowered the bar to entry for cyber criminals essentially. But on the flip side of that, it’s given us amazing transparency into our environments and new capabilities to use the data assets at hand to be able to understand what’s happening in our environment. And we’ll see that continue to evolve over time.

In context to our discussion here today, I think two things are happening. One is there’s just a lot more code. We’re going to be developing a lot more code at speed, and it’s not just going to be our dev organizations and humans doing it. Entities will be AI platforms providing the development of code. So, it’s going to be a mountain, but there’s good news in that. And the good news is that by the use of integrated systems and platforms of systems to be able to manage this, like ASPMs, we are going to be able to manage what happens in the delivery of that code at the speed of as it’s being developed, whether from machine or human, and very far left-

Amir Kazemi:

Sure.

Roland Cloutier:

… like before it’s even developed. So, we’re going to have a much better capability I think, over time, to defend our infrastructures and make them more resilient.

Amir Kazemi:

Yeah. Absolutely. So, as we kind of know, so securing applications and code at every stage of the SDLC is super difficult. So, what are some of the biggest challenges in your opinion with that?

Roland Cloutier:

Well, one of them is not pissing off your partners in the CTO or apps dev organization. I think that’s a huge thing we have to deal with, and understanding the implications of putting in programs that help protect the code they’re developing and secure it and drive quality, but not doing it in such a way that hinders them. So, that’s huge. But in order to even get there, one of the biggest problems we’ve always had is visibility, right? We don’t own the code stack, we don’t own the repos, we don’t own the pipelines. And so, getting total visibility, which is what it takes to do this right, is hard. So, that code ecosystem is super, super important.

I think the second area is, how do you provide a level of systematic and consistent capabilities back to developers in order for them to be effective? Right? So, what is the information we’re giving them with context that makes it easier for them to understand? And the third area is really being able to measure it effectively as an executive, “How do I provide information to my executive team? How do I provide information to my partners in development? How do I show a consistent ability across all of our development areas to be able to really manage the message of the component of security as a component of quality and code?” So, those are three real tough areas that we still struggle with today.

Amir Kazemi:

Yep. Absolutely. So, how do you strike the balance between AppSec and the need for speed and agility in today’s fast-paced development environment, or even when you’re getting so much pressure from the business to innovate a lot faster these days?

Roland Cloutier:

Shift left. I mean, I know it’s an overused term, but how do you get it to a point where you’re giving tools in the developer’s pipeline and code manufacturing process, so they don’t have to come out of it, so they don’t have to wait for tomorrow? How do you get it so as they’re coding, we’re helping them? And it’s not an easy answer, but finally we’re getting there with platform technologies that give the capabilities in the tool sets, but we have to be there. We have to be there at the time of code creation, and we can’t kid ourselves about that.

Amir Kazemi:

Awesome. So, you kind of touched on visibility as well. So, I think context is king here. So, why do you think visibility matters so much in AppSec? What’s the big deal here?

Roland Cloutier:

Well, I mean, if you’re going to protect your organization and do your job, you can’t have “the weakest link.” You have to understand the totality of what code does for your business, for your digital ecosystem, for your partnership, for your supply chain, for your networking infrastructure. It’s not, “I’m just going to do products,” or, “I’m just going to do apps,” or, “I’m just going to do this.” If you’re going to do it and do it right, you have to have that visibility. And just because you’re doing the primary application, if you don’t understand that in the context of how it connects into your business value chain, you’re missing a lot of it. So, visibility is absolutely critical.

Amir Kazemi:

Yeah. Absolutely. And with your experience, you’ve kind of been in the trenches, you’ve built these programs from the ground up. Why has visibility been such a challenge to gain, I would say, in the organization, from your perspective?

Roland Cloutier:

Every organization is different, right, Amir? I mean, you have politics, you have ownership, you have access issues, you have even understanding, you have segmentation within development organizations of what repos are being used for what, who owns what code. I mean, there’s so many issues around that because until today we haven’t had capabilities that give us that total transparency. It’s hard to effect automation of insight and access to that ecosystem. So, it’s just been an uphill battle the entire time.

Amir Kazemi:

Yeah. Yeah. Absolutely. And when you drop one altitude level lower, why is it important to get that view into your entire ecosystem? So, like pipelines, repos, coding, environments, and even the ownership behind them. Right? So, why is that important to tie all of that together and gain the visibility across all those different items?

Roland Cloutier:

Well, this is where code lives, right? You have to be where code lives and where it interconnects and what it does, to see the issues and problems associated with it. I think that’s number one. Number two is, you have to understand the context of the environment for which it operates in, not just the development, not just the pipelines, but how it’s being protected. Where can negative impact code insertion happen? Where do certain vulnerabilities matter or not? Right?

So, understanding that total ecosystem of how code is developed, delivered. It’s like electrical. People don’t think about getting electrical to their house other than wires. But there’s generation, there’s movement, there’s last-mile delivery, and the security of all those things is important for you to put lights on in your house. And it’s the same thing with delivering a digital business. You have to see that total ecosystem of code, pipeline, management, and delivery to get it right.

Amir Kazemi:

Yeah. Is there a way to get a unified view of your entire code ecosystem? Is there a best practice for security teams or security leaders on that?

Roland Cloutier:

First of all, you have to find it. So, you have to have that partnership and relationship and accountability within your organization to do it. But I mean, the future is ASPM platforms. ASPM platforms like we got into eight years ago or more with CSPM when we started building massive cloud platforms, DSPM, when we started aggregating massive amounts of data. We’re doing the same thing with application code defense now with ASPM platforms. That gives us the visibility, the control capability, and the understanding of how all this connects together.

Amir Kazemi:

Yeah. Absolutely. So yeah, security needs to also, I would say, effectively engage the developer org as a key partner, but also AppSec hasn’t always been developer friendly. Where are the tools and the processes creating that developer pain, would you say?

Roland Cloutier:

I could go into the list that I’m given on a weekly basis, but I think there’s two, maybe three. The first is interrupting their work to accomplish the significant things that you need to do to do your job, in their job, right? So, they’re often interrupted or delayed or slow while they’re waiting for responses. We have to work the way they work. Our tools have to integrate with their tools. It can’t be two separate infrastructures. I think that’s number one. You have to go where your customer is, and the developers are our customer, and therefore, we have to figure that out.

The second answer is all the stuff we send to them. One of the issues becomes a massive amount of data that we push to them when we scan code and we give them everything that comes out of a tool. And not saying that everyone does that, more mature organizations know how to reduce that, but when we run a tool against something and we give them all the output with no context to the infrastructure they’re operating in, no context to the other software that it’s integrating with, to the data assets they’re looking at, to the countries they’re operating in. When you don’t give them context and/or a prioritized view, you’re causing them so much more work that it’s often overloading. And that’s where we fail.

Amir Kazemi:

Absolutely. So, context is key there. Would you say there’s anything else in terms of some of these tools or even ASPMs need in terms of requirements for becoming developer friendly? Or, is it mainly the context, would you say?

Roland Cloutier:

I mean, context and the output of the context. You think about how we have to prioritize threats for them to go after that, make them understand risks associated with the business risk that they’re dealing with. We talked about workflow.

Amir Kazemi:

Sure.

Roland Cloutier:

I mean, we have to deal with the work within their workflow from their quality systems and development systems they’re using, and we have to give them a reason to want to engage with that information to make their process better. So, all of those things, I think, are crucial.

Amir Kazemi:

Yeah. What do you think devs need actually to go from insight into action or even remediation? What are some of those details in your opinion?

Roland Cloutier:

So, I mean, I think there’s a lot that they need. I think they need to understand why. I mean, everybody wants to know why, but they need to get it, so they can get their code right. What is the impact of the issue that we’re talking about? How really severe is it? And whether it’s aligned with CVEs, or whether it’s aligned with KEVs, or whatever the reason, how do you put it in context for them to understand the impact and severity? And where it is causing a problem within the application that they’re producing, is it at the data end? Is it within the front end? How do you give them the understanding of where that’s happening within the operating environment that the software lives in?

Amir Kazemi:

Yeah, because you’d probably say that developers have probably the most context into their own ecosystem as well, right? But also on the flip side, we touched on ASPM as well. How do you think an ASPM platform can play a role in this context situation with developers? How can they provide them as much context as possible?

Roland Cloutier:

Yeah. I don’t think we can do it without an ASPM. I mean, what are you going to do, write scripts to pull all the data out of all the code repos? Take all the independent tools that people are using and manually create APIs or SDKs to get the information you want? You don’t have time for that. You have to defend your business. You need a platform to be able to give you the visibility to connect into other tool sets, to connect into the ecosystem that is your cyber defense program, to pull in risk information. To be able to take the context of your risk program with your code risk issues, put them together and give you that information. Or, you’re going to be doing spreadsheets and lists and tertiary GRC platforms instead of actually doing your job.

So, my belief is that just in the way that it’s almost impossible to manage a multi-cloud environment at an infrastructure level without a CSPM. How do you expect to protect a multi-code organization from product to enterprise, to network to digital ecosystem, to supply chain, without having the same level of capability to pull those things together for you, give you the insight, provide that data back in a way that resonates with developers and integrates into their platforms? My belief simply is that it has to be an ASPM to do that.

Amir Kazemi:

Yep. Absolutely. Kind of switching gears here back into the talk around cyber and business resiliency, I think that’s not only an executive imperative or a CEO imperative, but it’s also like a boardroom imperative nowadays. How do CISOs or even security leaders break down and communicate ROI efficacy on some of those security measures back to the CEO and to the board? Do you have any advice for security leaders on that?

Roland Cloutier:

I do. I think there’s two avenues that you have to answer today. In 2024, this year, in the top two for both global CEOs and domestic CEOs in the United States, the issue is around resiliency. So, I think you have to talk to the resiliency of your business and the impact of code to that resiliency, and be able to provide a level of knowledgeable, real, informative view about not just the defensibility, but how code impacts the resiliency of the go-to market, the ability to monetize and ability to deliver services as a company. So, I think that’s number one, figure out your discussion around resiliency.

The second area is probably a little bit easier for us, especially within ASPM technology, where we can start to talk about the total view of quality and how we think about security as a component of quality in our trust services going to market. So, think about all of your applications, think about all of your products, and be able to provide a very high level view to executive management in your executive committees or your technology risk groups within your board, or even the full board, of when we think about what we’re delivering to market and the quality of the security components that we’ll be measured against in different jurisdictional regulatory areas. Here is that view. It’s magic, right? Being able to provide that view and then have a talk about the resiliency aspects of the business are probably the two best things that CISOs and security executives can focus on in the coming year.

Amir Kazemi:

Yeah. Absolutely. How about, I’m sure a lot of people on this call would think that AppSec is really difficult to measure or even report on. What are the challenges there and what kind of advice do you have on the general reporting or measurement around AppSec?

Roland Cloutier:

Yeah. Because we do it piecemeal, right? And we do it either in an SDLC level and the quality components coming out, vulnerability issues, how fast they’re remediated, who has open issues? We do it in a variety of, I think, of different ways. And it really gets back to the quality discussion. How do we establish policies and programs focused on quality? And then, how do we report out on those holistically in a view that makes sense to our business’s value chain in their areas of the go-to market, their ability to operate their business and bring those up a level?

So, it’s been so difficult because different repos, different issues, different tools, and there’s never been a way to pull those together to give you a single view. Now that we have that, it becomes a little bit easier and now we can actually create that business view for each of our own organizations to be able to go accomplish that.

Amir Kazemi:

Yeah. Would you say that there’s maybe one or two KPIs or metrics that you think gives you a pulse on whether or not you’re doing well or not in your AppSec program?

Roland Cloutier:

I have a lot of them, but here’s what I’ll say. What’s my transparency into my code? How much of my code have I reviewed? How much have I been able to provide a context risk review over? And then, the normalized tracking of how fast are we remediating that? Not just remediating, but how much have we stopped before it got committed?

How much have we integrated into the process by which we didn’t have a security, vulnerability or quality issue because we stopped it during code? That’s super important to say that we’re maturing this program and process to the point where we’re able to stop bad things before they happen instead of scanning afterwards and making people go fix it. So, that’s some of my top things to focus on right now.

Amir Kazemi:

Yeah. Awesome. And in terms of from a reporting or ROI perspective, what impact do you think more of this centralized ASPM can provide, in your opinion?

Roland Cloutier:

Well, I mean, it gives you the visibility. It gives you the information. It gives you the risk context of the totality of your business operating environment and your cyber ecosystem. Not just a tool to tool, to tool view, trying to bring those together to do it. It centralizes your capability across a very diverse portfolio of technologies, of repos, of development capabilities, of organizational constructs within your own business, and brings it to a single view. That’s what it gives you, and it gives you the ability to do your job.

Amir Kazemi:

Yeah. Absolutely. So, a little bit more future looking here, Roland, what advice would you give CISOs, security leaders, that are looking to prioritize AppSec in the coming years?

Roland Cloutier:

There are probably about a hundred things I could tell them to do, but I think, listen, focus on implementing a platform where you can connect into how developers work, how you can instrument control capabilities in the pipelines, how you can get transparency across the entirety of your internal, external, and cloud repo environments. How you can start to introduce informational assets into your decision support platform for app and code security through an ASPM in the collection of broad risk information, that then can make better decisions for you, right?

Like, if you have to take all this information out and then go give it to a GRC team, or give it to a risk team, or give it to another group. You’re talking about days, weeks, months, quarters, to be able to get a view, instead of having a platform view that gives you instantaneous understanding and a view. So, my suggestion is, in the coming year, start planning for the implementation of a holistic capability around a platform view and integration across your organization. Also, get policies, standards, and accountability, responsibility matrices aligned in your business. It’ll make the implementation, the operations of this, and the output even better as you start to deploy it within your environment.

Amir Kazemi:

Amazing. Love it. So, that’s it for today. Special thank you to you, Roland, for diving deep on this topic with us today. If there’s any information that you’d like on Cycode’s complete ASPM, head over to cycode.com. And then, Roland, quickly, if folks would love to connect with you, what’s the best way to do that?

Roland Cloutier:

Hey, they can hit me up on LinkedIn. Find me at roland.cloutier@linkedin, or csoroland@linkedin. Happy to connect. But Amir, thanks for giving me the opportunity. You know it’s one of my favorite topics, one of my most passionate areas. I think it’s critical for the things that me and my peers are focusing on today. So, thanks for hosting.

Amir Kazemi:

Again, thanks for joining us. Thanks, Roland. See you, everyone.