A CISO's Blueprint: The 'Must-Haves' to Build & Scale Your ASPM Program

Webinar

ASPM Nation 2.0 brought together top CISOs, practitioners, and industry experts from companies like TikTok, Cisco, Roche, Intermex and more to discuss the future of Application Security Posture Management (ASPM). Across eight insightful sessions, speakers shared critical strategies and tools to help businesses strengthen their AppSec posture and align security with business objectives.

Check out Session #3: A CISO's Blueprint: The 'Must-Haves' to Build & Scale Your ASPM Program

Jimmy Xu, Field CTO, Cycode
V.Jay LaRosa, CISO

Transcription

Jimmy Xu:

Hi, everyone. Welcome to our next session, A CISO’s Blueprint: The Must-Haves to Build and Scale Your ASPM Strategy. I’m your host, Jimmy Xu, Field CTO at Cycode. I’m delighted to introduce you to a very special guest speaker today. V.Jay, welcome.

V.Jay LaRosa:

Hey, folks, how’re we doing? It’s great to be here.

Jimmy Xu:

Thank you, V.Jay. It’s such a privilege. For the audience, V.Jay is an award-winning CISO, currently at Cisco Meraki. He was actually recently named as a finalist for the prestigious Top Global CISO for 2024 Award in Cyber Defense Magazine’s 12th Annual Awards Program. V.Jay brings almost three decades of experience in IT. And he has played major roles in the InfoSec programs at TikTok and within the federal government. V.Jay, your track record speaks for itself. Very excited to be here with you, V.Jay.

V.Jay LaRosa:

Thank you.

Jimmy Xu:

First of all, can you please introduce yourself to the audience and give them some context of your background?

V.Jay LaRosa:

Yeah, yeah, it’s crazy. It’s hard being 22 years old to have had this 30 years’ worth of experience. I’ve been doing this for a long time, and cybersecurity, it’s just so much fun. You get to be involved in so many different things, and you meet so many interesting people and work on so many different problems. I started so, so long ago, way back at Westborough, Massachusetts, and being here now at Cisco Meraki, it’s a dream come true. Working with the people that I work with at Cisco, it’s really, really exciting, and we’re doing some really fun things here.

Jimmy Xu:

Love it. I have a federal background as well in the past, so very excited about this. Obviously, we’re talking about ASPM and application security today. So interesting, it’s obviously a hot topic for the era, I would say. So, having served as the CISO for one of the most complex software-first companies, how have you seen the role of AppSec evolve?

V.Jay LaRosa:

Yeah. Application security is just so important from a quality standpoint. When you think about the products that we’re producing, whether it be the hardware, or the software, or the elements that are supporting infrastructure, running the cloud, that continuous visibility, the centralized controls, the centralized governance, the traceability, it’s all just so important. And being able to bring all of that together in one place and really being able to highlight the code quality efforts and the infrastructure quality efforts in that singular platform, it’s really, really important.

Jimmy Xu:

Yeah. So as a fellow practitioner, I really like the fact you highlight quality. I think you said quality multiple times in your response, and I find that it’s one of the transformations: seeing software security as a form of quality versus thinking of security as something else. You also mentioned application infrastructure and cloud. One of the things I’ve seen is that part of the transformation and paradigm shift is the fact that application security is not just about code, right? Not just finding issues in the application. There are other components tying into the infrastructure, and obviously, the cloud. Cloud also, in my opinion, is not just a destination, but also a form of practice. So, all that, as you say, is part of the transformation of AppSec. What do you think are the drivers that led up to this shift?

V.Jay LaRosa:

Yeah. I mean, I think the drivers are speed, speed and time to delivery. Way back in the day, it would take you months to stand up an application because you would just have so much manual labor. You’d have to rack and stack, and cable, and configure, and install operating systems, and configure databases. I mean, it was months before you could launch anything new. Now, today, we can do it in minutes. Sometimes in seconds you can stand up new things. You can try things. You can experiment, move much faster. It really is such a massive paradigm shift.

And to be able to keep pace with that and be able to support that, be able to run alongside these new teams, SRE teams are now the way of the future. It’s this integrated development and operations and support ecosystem where they’re not just managing servers, or databases, or networks. They’re deploying the code. They’re bringing up the applications. They’re supporting the operational testing to ensure that the applications are functioning properly. So from a cybersecurity perspective, being able to come together and couple together with those and deliver very high quality, very high precision cybersecurity at the same time, it’s a lot of fun, and it’s challenging at the same time.

Jimmy Xu:

Yeah. I like the fact that you mentioned about bringing teams together and, obviously, talking about speed, right?

V.Jay LaRosa:

Yeah.

Jimmy Xu:

I guess we talked about how it’s not just application delivery, right? It’s delivery of infrastructure. I remember Cisco, obviously; I’ve dealt with Cisco for a long time. It’s a good example where it is the destination, right? You mentioned SREs. Treating the software delivery team, whether it’s application or SRE, the same way as you release software, that’s also part of that. So, do you think that is part of the reason for, just call it the platform approach, the ASPM, the thing that brings everything together? What’s your thought on that?

V.Jay LaRosa:

Yeah. I mean, I think about security as a team sport, and when you can start to bring all of these components together, almost as that player-coach, and being able to observe and introspect into what’s going on, and enable capabilities to either be guardrails or sometimes full tilt blockers of things, having that all in one configurable playbook, one configurable location where everybody understands how this ecosystem works together to be able to support this goal, the end state of high quality, resilient, reliable, stable ecosystems, I think it makes the entire journey much easier, and it helps bring everybody together to have the conversations in a central forum rather than all these point solutions where you have to go talk to different teams and different people, and you have different rules for this or that. Being able to bring this all together into one environment where everybody understands the totality of how the entire program is going to work together, and what the results are, and where we stand, I think that makes a massive difference.

Jimmy Xu:

Thank you. Yeah, I think what you described sounds exactly like platform engineering, which is gaining a lot of traction, bringing people together. I think that ASPM, the platform, is exactly matched for that.

V.Jay LaRosa:

Yeah, I agree.

Jimmy Xu:

Now, it’s also 2024. I always joke that you cannot talk about 2024 without mentioning about AI. So, it’s crazy how AI has changed, especially gen AI in the last 12 months. So, AI has changed the game. We all know that, right? I mean, one of the things that we hear is, “Copilot this, Copilot that,” right?

V.Jay LaRosa:

Yeah.

Jimmy Xu:

So, we have system developers now who are writing code who are not used to writing code. So, code is everywhere, exploding. So, how do you think AI has impacted code quality, and what do we need to do differently in terms of security?

V.Jay LaRosa:

Yeah. AI is hugely enabling for security practitioners as well as the development organizations, but if you don’t use it right, it can be extremely problematic. Building those guardrails, building the ability for us to look at this code and at a much deeper level is going to be really, really important, because we can’t throw more humans at the problem. We have to figure out how do we use systems and technology better? So, if we’re going to produce 50, 60, 80% more code, we’re not going to add 50, 60, 80% more people to the organization. We have to have technology that’s going to be smarter, that’s going to be faster, that’s going to enable us to be able to keep pace with what AI is doing. So in a lot of ways, it’s AI on AI. You’re looking at, how do I use different types of AI technology to help me look at what AI produced? It’s pretty wild.

And when you start really thinking about using systems to look at what systems are doing, you have to start getting into a scenario where you’re going to steer things to humans to be able to double check and provide that feedback, that learning, into these LLMs to be able to reduce the amount of human effort that is going to occur. So, it’s massively enabling in terms of productivity, but we have to still be very, very careful in terms of the quality. Just because you can use something, doesn’t mean you should use something, and it’s going to take time for us to really get comfortable with it, and learn, and train, and understand where humans still have to get involved. And having this centralized in one place, again, really is going to help make this much easier for us to expedite adopting and using.

Jimmy Xu:

Thank you. I have a follow-on question on AI, because I think as a CISO, people always wonder… Well, what I’m hearing is we’ve got to embrace it, right? So obviously, it just means that… It is we’re not getting away from it. It’s happening. It’s more around, is your job, how do we actually figure out what that means, and how do we enable the businesses to develop AI safely?

V.Jay LaRosa:

Yeah.

Jimmy Xu:

Right?

V.Jay LaRosa:

Yeah, 100%. If you’re going to try and prevent it, there’s this old adage, if you try and stop someone from doing something, they’re just going to go find somebody else that will help them do what they want to do. So, you have to get out from behind this antiquated mindset of, “No.” You have to say, “Yes, but here’s how.” And being able to continue to focus on learning and being able to help put your team in a position where they can learn and they can understand, that’s going to be really, really important. So as CISOs, I think probably the most important thing for us to do is to help educate our teams, help dedicate parts of your organization to learning about this and using this AI technology in different ways, because if you don’t understand it, how are you going to secure it?

Jimmy Xu:

Right. Thank you. Yeah. I always say that’s one of the key takeaways. So for the audience, definitely, I would think about that, right? Now, obviously, one of the other themes of this session is ASPM, right? We talk about ASPM Nation. And personally, I’ve done a lot of work recently, both as a practitioner and as a consultant, and now here at a vendor. I’m just seeing, since Gartner published an article last year, the ASPM market has just exploded. It really means different things to different people. The features of different ASPM vendors are very diverse. So, I’m actually working on that to help educate the market on the differences. Very curious, in your opinion, when we say ASPM, what does it mean to you? How do you define it?

V.Jay LaRosa:

Yeah. Yeah, I mean, I think there are two sides to that coin. ASPM is obviously technology, but your overarching goal really is about risk reduction and being able to understand the risk to your organization, the risk to your products, the risk to your customers. So, being able to leverage technology that’s going to help drive risk for you, and risk identification, risk remediation, it’s really important. Most organizations operate in a hybrid way, right? Operating on-premises and in the cloud.

So, we need technology that not just supports being able to run in the cloud, but understands what it means to deploy things to the cloud, understands your infrastructure as code, your Terraform templates, your CloudFormation templates. That’s a big part in this. That centralized dashboard, bringing all of these capabilities into one tool and giving you one place for visibility and oversight, it’s really important, but if you’re not thinking about the risk relevance of what’s going on, understanding what assets and what elements of your projects are most critical and why, you’re going to miss out on things. You can’t just treat everything the same. So, you have to have something that is going to be able to understand the operations, the elements, the key components, what your data is, what your code is, and help you be able to prioritize where things need to be fixed.

You need end-to-end visibility from the developer who writes the code to where that code’s actually running in production. Traceability is a huge problem organizationally, and if you’re not able to understand who wrote code, who provisioned that code, how it went through the automated deployment process into your cloud environment, and how you trace that back to who has to fix it or who has to get educated, a lot of times you have this continuous loop of the same problems just showing up in your organization, and unless you’re able to trace that back to groups of developers or individual developers and understand who you need to go target for education, you’re just going to be stuck fixing the same problems over and over again.

Software composition analysis, huge, especially in today’s world where we’ve got to be more transparent around what goes into our products. That’s going to be huge. SAST scanning, obviously, is what I would call the bare minimum entry bar. You’ve got to be able to find and stop vulnerabilities, so you have to have a good benchmark against the languages that you can scan to be able to help identify any sort of bugs. We talked about infrastructure as code. Secret scanning. Secret scanning is another really important one that will burn you if you’re not careful with that, right?

And also governance over the CI/CD pipeline, making sure that the components that make up your pipeline are configured securely. That’s something that we forget about all the time. If your Jenkins system isn’t configured properly and someone can get in, get on that system, and can tamper with things going through the pipeline, or your dependency system can be tampered with, that’s a problem. You’ve got to be able to make sure that those systems and those components are secure, that you’re getting logs from them, that you understand that everything is okay so that you can’t wind up with some sort of supply chain scenario unfolding. Yeah, I mean, I think those are the big components of it. External detection, looking for lost or leaked source code, is important. Automating complex tasks around attestation is really important. I think that’s the bulk of it.

Jimmy Xu:

Thank you. Yeah. I personally think with ASPM, forget about what we call it; I think the terminology always reinvents itself every couple of years, but it’s the concept. I like the fact that you tie all these components, these features, into the highest goal, which is risk reduction, to your point.

V.Jay LaRosa:

Yeah.

Jimmy Xu:

I think that ties to what you said earlier. Because the evolution of app security is no longer just SAST and DAST. I remember the early days. I’ve been doing AppSec for many years. It’s way more than that now, right?

V.Jay LaRosa:

Yeah.

Jimmy Xu:

All these other components. And I like the fact that you mentioned it’s not just the software components or infrastructure components, it’s the software factory, the delivery mechanism, which is the CI/CD pipeline. Yeah. Okay. Yeah, so I completely agree. I think the key takeaway is that because we have so many different components of potential risk and attack surface, that’s why it’s really a complete system that you mentioned.

V.Jay LaRosa:

Yeah, yeah. It’s important to bring it all together, and it lets you focus on your highest priorities too. As security practitioners, we always want to fix everything. We always want to make everything perfect, but we all know we can’t. We have to figure out where the highest risk is, what the most important things are. And if we don’t have tools and technology that are going to help us prioritize that and be able to speak to our partners, speak to the business, and help them understand, help educate them, we’re just not in a good position to be able to drive any sort of effect. If you can’t explain why and give people a good solid baseline understanding, and motivate them, and get them to agree why, it’s tough to get traction. So, that’s really important.

Jimmy Xu:

Yeah. I can tell you from my experience as a practitioner, right? Literally, the developers would challenge a DAST finding, for example. “Why is this an issue?” And they’re very good at justifying, like testifying in court.

V.Jay LaRosa:

Yeah?

Jimmy Xu:

I’m going to hire them as my attorney. But I think prioritization is important, because you mentioned about velocity. The expectation of how fast a code needs to get in production, especially with copilots, it’s more a matter of what’s the most important. So, I think, personally, that’s a very critical part of ASPM.

Now, we talked about, obviously, what it is and its components. Part of the journey is, okay, great, hopefully customers see value and bought it, but it’s got so many different things, right? And it depends on the customer journey. You may already have SAST and DAST. You might already have SCA or infrastructure as code scanning, but generally speaking from an operationalization and deployment standpoint, if you have that, to roll it out, what do you think are the key components of the strategy of adoption?

V.Jay LaRosa:

Yeah. I mean, I think you have to focus on, again, risk prioritization. You have to look at where you have the biggest gaps. Where are you creating the most risk for your organization? And you have to start there. Everything has to be a crawl, walk, run journey. If you try and tackle everything, if you try and do it all at once, you’re going to fail. It’s just too much. So you need to step back and you need to say, “Okay, if I have a SAST, or I have a DAST, and it’s already working and it’s giving me some efficacy, don’t go replace that first.” You’re already getting some value from that. Focus on what’s the next most important thing. Then once you’ve completed that, then you focus on the next most important thing. It’s got to be a journey. It’s a team sport. It’s a journey. It’s not a sprint, it’s a marathon, and you have to figure out what’s applicable and what’s most relevant for your business from a quality standpoint, and then incrementally check off the boxes.

Jimmy Xu:

Thank you. Yeah, it totally resonates with me. I remember when I advised customers about AppSec capabilities in general. There were literally debates. I remember the last couple of years, with the explosion of supply chain and third-party code, people would say, “You should do SCA first instead of SAST.” But there’s also the argument that, well, most of the SCA findings are very noisy, and the most risky is still custom code. So, I like the fact that you say it doesn’t matter, right? Know what you have, have visibility, and what is the next thing?

V.Jay LaRosa:

Yeah, it’s the next thing.

Jimmy Xu:

So ASPM, obviously, with that visibility. Yeah.

V.Jay LaRosa:

Yeah, yep. Yeah, you’ve got to understand risk.

Jimmy Xu:

And just take rest for granted.

V.Jay LaRosa:

Yeah.

Jimmy Xu:

Cool. You mentioned, ultimately, it’s risk reduction, right? So, risk reduction is the most important, once you have visibility, to figure out what you need to tackle the most. ASPM, you mentioned earlier. One of the benefits is that it brings people together and ultimately drives better remediation outcomes, because we already don’t have enough time to identify issues, right?

V.Jay LaRosa:

Yeah.

Jimmy Xu:

Now the issue is identified and prioritized, we’ve got to quickly enable the right team, trace it to the right origin to help remediate. So, how do you address better remediation outcomes with a tool like ASPM versus point solutions?

V.Jay LaRosa:

Yeah, yeah. I mean, I think now you have central visibility, central tracking. Now you have the ability to understand that in this part of the organization, it’s more about educating the developers, versus this part of the organization, it’s more focused on replacing secrets, for example. It gives you that ability to have multiple levers and see them in one console instead of having to run to six different places and try to figure out, “Who do I have to go get? And what do I have to figure out?”

It’s almost like if you’re flying an airplane and the landing gear is in the back, the button for that, you have to run to the back to push that button. And then if you’re going to go put the flaps down, you get to go up into the cockpit to push that button. Running back and forth and running around just wastes time. Being able to have all of this central in one place where you can have an understanding across your entire quality spectrum from a cybersecurity standpoint, it allows you to make better decisions faster, and it allows you to educate people and build up that trust and build up the community and the collaboration around where you need to go and why you need to go there.

Jimmy Xu:

Yeah. So speaking of trust, one of the things from my own experience assessing many clients, in the world of app security and DevSecOps, is getting developer buy-in and trust. How do you think ASPM enables that in terms of developer experience?

V.Jay LaRosa:

If you do it right, the developers, honestly, should just come along for the journey with you. If you go talk to a developer about a tool, then it becomes about the tool. But if you go talk to the developer about the journey and what the outcome is and you engineer the solution together, then it’s about the outcome. That’s what’s really important. I think if you just show up with a solution and you give people solutions, people step back. They don’t want to be told what to do. They don’t want to be told how to do it. They want to be part of figuring out how they’re going to do this.

So, it’s important to come with the journey, explain what the outcome is, explain where you want to go, where you want to get to, and then talk about the solutions and the approaches and the mechanisms to get there. And ASPM becomes part of that journey and helps enable you to get there. But if you just show up and you tell developers, “ASPM is a solution,” that’s not going to get you where you need to go. You need to talk about trust and quality and outcomes, and then it just becomes a natural conversation for people to be able to understand that, “Oh, yeah, doing this as a platform really makes a lot more sense. It helps us get to where we need to be.”

Jimmy Xu:

Thank you. Oh, that’s really great. I personally want to full-stop for the audience because I want to, based on your response, debunk another industry myth: many say that developers don’t care about security. Obviously, your experience and my experience, especially your track record, show that’s not true. If you make the effort you talked about, it can happen.

V.Jay LaRosa:

Yeah, yeah. Every developer really does care, because it’s a quality thing at the end of the day. No developer wants to roll out code that’s not good or is subpar. They want to roll out high quality things that people will trust, will love, will rely on, and they understand that security is a part of that. But if you show up and you tell a developer how to do their job, or you try to force a developer to do something different without them really understanding what the reason is, or the outcome, nobody wants that. I don’t want that. I don’t want people showing up, telling me how to do my job. It’s about outcomes, and it’s about where we need to go, where we need to get to together, and why, and how this makes everybody better, everything better. Because, at the end of the day, this is a team sport.

Jimmy Xu:

Thank you. Yeah, those are good nuggets for the audience. I think overall, hopefully today with our discussion, there are a lot of nuggets and advice for the audience on how to start their ASPM journey, right? All these little components matter. Any final words as we’re closing this? Anything else that we haven’t mentioned? Any advice you would give to the leaders as they embark on their ASPM journey? Anything else?

V.Jay LaRosa:

Yeah. I mean, I think the big thing is investing in your team, building trust with your team, helping them see where you want to get to, and giving them the opportunity to be able to help pave the golden paths, right? Talk about outcomes, talk about trust. Give them the resources, give them the training, give them the education, and really enable them to help with the outcomes, help with the solutions, and that will make things so much more successful. As a CISO, if you show up and you just tell your team what to do, again, it’s just like telling developers, right? Talk about outcomes. Focus on where you want to get to, and then work with the teams to help chart that path and figure out how to get there and support them, remove roadblocks from them.

Jimmy Xu:

Thank you. My takeaway is that you may have the best tool, the best ASPM out there. You’ve got to pair it with the best leadership.

V.Jay LaRosa:

Yeah, that’s right. That’s right.

Jimmy Xu:

Yeah. So thank you, V.Jay. It’s a great session. I so enjoyed discussing this with you. We’ll wrap up here. Really appreciate your time. I wish we had more time. So, thank you, V.Jay, again, for your time today. So great to hear your insights. Next up-

V.Jay LaRosa:

Thank you so much.

Jimmy Xu:

Thank you. And Shawna, back to you, who will be introducing the next session.