DevOps Chat: The Business of Security and DevSecOps, with Sonatype’s Tyler Shields
Tyler Shields is someone who has made the leap from technical security expert to business leader. At Veracode, CA and now Sonatype, Tyler is someone who can clearly enunciate the path forward for business leaders on what they should be doing in regard to DevSecOps, open source security and minimally viable security.
Tyler gets it and you can learn a lot from him. In this DevOps Chat, Tyler and I discuss the business issues related to DevSecOps and more. Have a listen and enjoy.
As usual, the streaming audio is immediately below, followed by the transcript of our conversation.
Transcript
Alan Shimel: Hey, everyone, it’s Alan Shimel, DevOps.com and Security Boulevard, and you’re listening to another DevOps Chat. Today’s DevOps Chat is really my pleasure to have an old friend, an acquaintance from the security business side of the house, Tyler Shields. Tyler has really joined Sonatype. Tyler, welcome.
Tyler Shields: Thank you, Alan. Appreciate the invitation to chat.
Shimel: Alright. Let’s get the housekeeping out of the way, Tyler. So, you joined Sonatype about a month ago, now?
Shields: That’s right, yep. [Cross talk]
Shimel: And you are basically running a corp dev strategy type of role? I’m sure there’s a real title.
Shields: Yeah, so the official title is VP of Strategy in Bus Dev or Corp Dev. I work with a gentleman named Bill Karpovich who runs it at the SVP level, and we’re looking to do some pretty amazing growth initiatives inside of Sonatype and help Sonatype take it to the next level and push it towards a much bigger platform.
Shimel: That’s fantastic. And actually, I know Bill, I guess, back to the Sourcefire days.
Shields: Yep, yep. He’s been around the block a bit, too. We’re all a bunch—we’re all a bit long in the tooth. [Laughter]
Shimel: Right. And we should mention that, Tyler, you and I go back a bit of a ways. So, Tyler, one of the other things that I always love talking to you about is, so many of my guests on this show are very, very technical. And not to say that you’re not very technical, but I really relish the chance to talk to someone about business and business climates and business strategies, and you’re kind of really a guru when it comes to that.
Shields: [Laughter]
Shimel: So, if you don’t mind, let’s focus in on that on this episode.
Shields: I don’t mind at all. What makes it interesting, I come from a weird background that your listeners may not know, but I actually was an offensive pen tester through @stake, came up through the ranks at Veracode for a while, was on R&D teams, helped build out rootkit and anti-debugging detection technologies, right?
So, I went down that academic security rathole very, very hard, to the point where I remember having a very distinct moment where I was in days, I think, six or seven of the same pajamas. And, you know, you spend 10, 12 hours a day hacking code, and it just got to the point where I need to go do something else, and it just wasn’t right for me any more.
And I remember the day that I left that world and went over to the more business side, Chris Ang, who is a very close, personal friend of mine, bought me a talking Darth Vader mask and said I’m going over to the dark side.
Shimel: To the dark side, absolutely. But here’s the thing, and I see a lot of similarity there, though I wasn’t quite as technical as you, but you know, I often hear from people when I’m out at conferences speaking—how do you get to where you are? How do you kinda straddle both worlds like that?
Because I’m like—look, I went to law school and I did my law thing. But I got into technology by playing with networks, and truth be told, WordPerfect was my first kinda thing that I really screwed around with. But, you know, I’ve done it all and did my own hosting company.
But let me be clear, Tyler—it’s a rare bird, it seems anyway, that can have a foot in both of those worlds.
Shields: Yeah, it is. And for me, honestly—and I would tell this to anybody that asks me—it’s about following what you’re passionate about, right?
Shimel: Yeah.
Shields: And when you lose the passion for whatever it is, you find whatever is the next passionate thing and you double down and you dedicate your time to learning and focusing on that thing. And for the first half of my career, I was very focused on bits and bytes and building security technologies and breaking technologies. I went and did my Master’s degree in Computer Science, focused on security, and then just one day, I wanted to try something new, right? The challenge for it had left for me, and that’s when I went back, and I actually did my MBA focused on business.
And for me, I’m not saying you have to go back to school to make these kinds of shifts, because you do not. But for me, that was my immersive way of spending two years of study, of very focused study. And then it’s just immersing yourself in that world, right? And getting yourself networked with the right people who know that you can learn from it being humble and showing humility that you don’t know everything. [Cross talk] And as long as you approach the world that way, you’re in good shape.
Shimel: Yeah, I agree with you. And really, for those listening out there who think, “Jeez, I’d like to be like Tyler when I grow up,” focus on one thing.
Shields: Set your bar higher—first of all, set your bar higher. [Laughter]
Shimel: [Laughter] But seriously, there’s one word to use that I think people need to focus on, and that’s passion. Be passionate about what you do. If you can’t be passionate about what you’re doing, find something else to do.
Shields: That’s true.
Shimel: And that’s where that is. So, Tyler, we also—you know, I’m reminded of the Eddie Murphy/Dan Aykroyd movie, Trading Places—it’s not just the genetics, it’s the environment, right? And we live in a very interesting times environmentally when we look at the, what’s called now cyber security, I still call it info security world. Why don’t you—I don’t wanna put words in your mouth—give me what you think the lay of the land is here in terms of where we are around security, whether it be cyber or info or what have you?
Shields: So, you know, there’s a lot of—there’s two ways I can approach that answer, given our previous discussion we just had, right? I can approach that answer as the technical shifts that are occurring, right? So, DevOps, agile, cloud, containers—kind of how all of that is changing both the development side of the world as well as the operational side of the world, everything is being reimagined and rebuilt. That’s kind of the first purview. The second purview, and most people don’t think about this when they come from the security side of the world, is that actually I think that a lot of security problems are largely solved or solved to, let’s call it, the 80/20 point of acceptance and happiness for the buyers.
Shimel: Mm-hmm, and diminishing returns.
Shields: And that’s true, and now, don’t get me wrong, I’m not suggesting we stop further research and we don’t push and innovate the technology. But if you’re a young startup founder in the security space right now, I would tell you, focus on different go to market strategies. Focus on price point differentiation. Focus on ease of use, simple deployment, getting data to the right people at the right time. You don’t really necessarily need to focus on 98 percent accuracy of your assessment tool, getting it to 99. Because it doesn’t matter. That doesn’t sell your product, right?
And so, it’s very interesting to look at a lot of these startups now are really innovating and disrupting based on go to market models, ease of use, SaaS versus non-SaaS, you know, credit card swipe charge models instead of $100,000.00 a year total contract value, you’re swiping your card at 200 bucks a developer, and everybody swipes their own security card, right?
So, it’s pretty interesting times that we’re looking at, and I think both of those ways can still differentiate and innovate in the security space today.
Shimel: I think the other thing, Tyler, though, is security, as much as some of us may think otherwise, security does not exist in a vacuum, right? In security today, we are being confronted with the truth that we can’t just be the people who say no at the end of the caboose of the train. We’re not in the caboose any more, right? We are seeing such disruption in the way software is developed, in the way it’s deployed, in the way it’s updated and managed and so forth that security needs to jump in with two feet, right?
Shields: Yeah.
Shimel: To stay relevant, to stay on point. Where do you see—it creates opportunity. It creates disruption but it creates opportunity.
Shields: So, I think there’s a couple—there’s one thing that I’ve been talking about for years now, and it makes security, traditional security hardened people bristle the moment I say it. And I call it the minimum viable security model. It’s not really about maximum security, because if you put maximum security in place, your usability, your all of the other flip side of the security coin goes to garbage, right?
Shimel: Yeah.
Shields: And they find ways around it. Well, it’s always difficult to define viable, but minimum viable security is what security people should be shooting for. Instead of coming from a point all the way on the right that says, “This is hardened security, as hard as we can secure our SOC, our network, our PCs, whatever.” And coming back until you get to a point where the business functions, you gotta come the other way. What is the minimum amount of security that is viable to actually securing our environment? So, come from the other side of that coin and push until you get to the point where we’ve got good security, good enough security and don’t go any further than that.
And that’s a hard thing for modern security people to grasp. They always want to come from that world of lockdown.
Shimel: Yeah. I mean, it gets to the heart of managing risk and what’s acceptable risk and all of that. But you know what? Look, we’ve both come and lived in the security world a long time. It’s not just the security people who have to grasp that concept, it’s—
Shields: No, gosh, it’s way more than that.
Shimel: – it’s [Cross talk] team, too. Right? They’ve got to understand that we’re not necessarily gonna be the people who say no, we’re gonna be the people who say, “Yes, we can, but.”
Shields: “Yes, and.” I call it the, “Yes, and.”
Shimel: Right, “Yes, and.”
Shields: “Yes, and here’s how you do it.” [Laughter]
Shimel: Exactly. And if we’re telling you, “Here’s how we do it,” know that we’re trying to give you that MVP.
Shields: Yes.
Shimel: You know, MVP sort of spot on the continuum. When you push beyond that, you’re going below minimally viable, which is not viable, right? [Laughter]
Shields: Yeah, and that’s the catch—identifying viability in this kind of minimum viable security model that I’m talking about. Identifying viable is the difficult part. What I mean by that is, in the world of cyber espionage and state agencies and government problems, viable is very different than the viable security level you need to put into a basic application that manages, you know, my band’s gigs on a Friday night, right?
Shimel: Yeah.
Shields: So, the viable shifts, and that’s the gray part, that’s the managing of risk. That’s the area where it’s not binary. So, that’s the hard part of understanding how much security to put into play.
Shimel: And it is, and it takes—it kinda takes a little experience and you’ve gotta be really familiar with what it is you’re trying to accomplish, business-wise. But it can be done, and I think that’s where we’re headed. You know, we’re recording this, I guess it’s the week before Christmas, right? Next week is Christmas. Looking at 2019, everybody’s doing their predictions and what the new year—I don’t know if 2019 is gonna be a hell of a lot different than 2018, right? We’re still gonna see a whole bunch of headline grabbing security incidents.
My biggest fear is that we pass from having our security incidents be measured in terms of how many records were stolen—like, personal, identifiable information, and we don’t move on to how the security incidents were catastrophic in terms of damage caused to infrastructure or some other critical piece of this. And to me, that’s—you wanna know the truth? That’s what keeps me up at night.
Shields: Yeah, you know, I think it’s—how we measure the results of a breach? That’s really a difficult thing, right? Because you can equate it to dollars per record—which, actually, the insurance industry is getting to the point where they have pretty good dollar per record type numbers.
Shimel: Yeah.
Shields: But does that really show the impact on the individual human being? No, not really. And how do you quantify it as a dollar per breach metric? How do you quantify how much security you really need to dump in? If you have 100,000,000 records and dollar per record is $3.00 per record, do you really need to spend $300,000,000.00 in security on that?
My point is, none of that is formalized in a good, academic way today. It’s very handwave-y, and that leaves such a gray area for people to know what is acceptable. In the world of law, there’s always the concept of—I forget the exact term they use, but it’s something to the effect of doing what’s right and appropriate, right? The level that’s appropriate of security—well, what is that, right? What is that? And my level of appropriate security in my home is very different from the level of security at the White House, so.
Shimel: So, [Cross talk]—
Shields: And until we can quantify that, we’re in trouble.
Shimel: – the reasonableness—
Shields: That’s the clause I was looking for, right—reasonableness.
Shimel: And that’s a well-defined thing in negligence common law, right?
Shields: Yep.
Shimel: What would be reasonable? You have an eggshell skulled plaintiff versus a plaintiff who has a normal skull, right? You know, you can take different measures.
But here’s what I’m talking about—back to your minimally viable. What’s minimally viable to protect your personally identifiable information or your medical records, let’s say, is very different than what’s minimally viable to protect someone hacking an electric grid or a water delivery system or some other kinda thing where PII breaches will be literally small potatoes to what really bad things can happen, right? Chaos ensues. Taking down—just taking down the traffic lights in a metropolitan area, something silly like that.
Shields: Yeah. Yeah, you know, it’s funny. People will begin to ask this question of reasonableness, and it really comes down to what is reasonable for that particular context.
Shimel: Yep.
Shields: And the problem is, we’re able to, as a litigious society, as a legal society, provide reasonableness based on hundreds if not thousands of years of humans being around and the knowledge on, okay, that hard eggshell versus non-hard eggshell bump in the head.
Shimel: Right.
Shields: Security, as a practice, has not existed nearly 1 percent as long as the law. So, there’s just no way to say the reasonable level of security in this context ________.
The other flipside of that is kind of defining—well, it’s the reasonableness in context and kind of trying to understand how to truly apply that, and there’s just no uniform approach to it, and that makes it an extremely difficult solution. PCI—PCI is the definition of reasonableness for the retail world. Really. That’s what it comes down to.
Shimel: Yes. Or [Cross talk], anyway.
Shields: Well, it’s supposed to be, right? We’ll leave out the arguments on the efficacy over to the side, but I feel like there has to be some kind of governing bodies jumping in here that say, “This is reasonableness. This is where we’re gonna define reasonableness in this context.” And it can’t be a global context, because that’ll never work. It has to be unique to certain scenarios.
Shimel: [Cross talk] geographically, yeah.
Shields: I hope, in ’19 or ’20, 2019 to 2020, we start to see some of that at least maybe around voting, democracy—those levels of things would be nice. I’m not gonna bet my life on it. [Cross talk]
Shimel: Yeah. [Laughter]
Shields: I’m not gonna bet my life on it, but it would be nice.
Shimel: No. It would be really nice. It would—because here’s the, it goes back to, you know, this is why we can’t have nice things on the internet, right? [Laughter]
Shields: [Laughter]
Shimel: I mean, if only we could solve these things. I mean, what a great boon to humanity, I mean, the Internet and technology could be but for some of these things.
Shields: So, directly—back to your question, Alan, 2018 was an interesting year. In 2019, I think we’re gonna see continued pushes and shifts in movement toward automation of builds, breaking of builds, right? Really, DevOps is skyrocketing, as you know, right, being the DevOps guru that you are. And that’s because it’s automation. So, I believe we’ll see significant upticks in security automation in ’19.
Shimel: Faster.
Shields: Around the actions that come from security tools. Security tools—every security tool is three things. It’s data in, analysis, and actionable intelligence out. Every single security tool. And we’ve done a good job of taking huge amounts of data in. We’re starting to solve the analysis problem better with AI, but the actionable nature of the results are causing a human problem with insert huge number here of heads of people we have to hire. So, automation becomes the next frontier that really has to occur in a rapid way.
So, I think, ’19 and ’20, we’ll see a lot of automation techniques, a lot of applying AI to lessening the requirements for humans in the SOC or in the response capacity, so, I’m excited about that stuff. And then, as I mentioned before, I think we’ll see, in ’19 and ’20, a lot of shifts around security business models. They have to change to become more democratized.
Shimel: Absolutely. So, let’s take a couple of those things a little deeper. So, first of all, you know, what I think sort of gets—is not spoken about, but should be understood when we talk about automation is speed, right? When you start automating these things, you are increasing the velocities as such that humans really can’t keep up, right? If you could truly automate, the velocity becomes that—it’s almost like self-fulfilling, right? The more you automate, the faster you go; the faster you go, the more you have to automate, right?
And it’s an important—right? So, we’re—you know, and so AI and machine learning and all these other great, and big data, all of these mega-trends kind of play into that. And where does that leave the security analyst? Because that—right, people listening to this, there aren’t machines, I don’t think, listening to this, it’s people. And they’re saying, “Oh, that all sounds great, but I gotta put food on the table.”
Shields: Yeah, so, here’s the deal with ML and AI and the security space—well, here’s the deal with ML and AI across the board. We are way too early to say that ML AI is going to take over entire huge categories of jobs and things like that. You really need to be looking at ML and AI and saying, “Hey, this is an automation component to take the low hanging fruit of decision making off the table for the human.” So, the human can do basic things like look at a square peg and put it in a square hole—well, guess what? ML and AI can do those level of decisions, freeing the human up for the advanced decisions, freeing them up for the gray area decisions that there is no real answer to. Every AI system has to have a truth oracle, okay? And that truth oracle provides the long term answers to what is right or wrong as the ML and AI system continues to learn.
Well, the human being is that truth oracle in these systems, and it provides back, “Here’s the 80 percent of the things that I don’t even think about. I just know this goes here.” And that’s what the AI and the ML learns today, freeing us up for that 20 percent of higher order difficult decisions, and we are so behind the 8 ball in the security world with regards to hiring, if we could automate away 80 percent of the decisions that have to be made by the humans, we’ll still be in a huge amount of debt.
Shimel: Amen. A, A, A, A f-in’ men. And that is the problem, right? We have a human problem in security. So, you know what? The entrepreneur in me looks at that situation, Tyler, and says, “Wow, it’s like looking in a room full of horse manure. There’s gotta be a pony in there, somewhere,” right?
Shields: [Laughter]
Shimel: And so, there’s a pony in here somewhere, right? I think it’s a time for a real opportunity. People looking out there saying, you know, “How do I capitalize on this, or where is the opportunity?” without maybe giving away your own secrets, what would you recommend?
Shields: Yeah, I mean, let’s—to continue the AI story, let’s not look at AI as the panacea to anything. If we look at AI as the automation side of the house, right, as the kind of intelligent automation, it becomes very clear where we can provide value to customers. So, by that, I mean, if you have a SOC analyst who looks at 100,000 different items a day and you can AI away 80,000 of those, thus freeing up 80 percent of your SOC analysts to look at other things, there’s a direct ROI on your product to be bought, right?
Shimel: Mm-hmm.
Shields: And so, that’s—you know, automating what humans do in a way that makes their life easier and frees them up for higher level things is one great way to look at any kind of technical innovation you’re making today in this world.
I think the other side of that, the other piece of that, as I mentioned before, is innovating in a space that is slightly long in the tooth with regards to user experience, with regards to the business model that they’re taking, and where they really haven’t thought of, “Hey, let’s do things differently, here,” and doing it in a way that makes it easier on the buyer, easier on the consumer, easier on the user, because then you can disrupt a market that already exists and has been a $1,000,000,000.00 revenue stream for companies for the last 10 years. You can disrupt that and start to steal significant revenue from them.
So, when I’m talking with the young security entrepreneurs, I work with a number of them, these are the kind of things that I pressed them on besides the normal product market fit and getting your products to market and building your business. These are kind of the larger thought processes I press them on.
Shimel: Absolutely. So, Tyler, I think I mentioned when we started, this time goes really fast. This was the longest 15 minute to 30 minute interview that we’ve done. But we’re about out of time. I’m gonna just give you the final word, though. For folks listening out there interested in this stuff, final thoughts on what you can tell them for 2019 and beyond?
Shields: Yeah, things are gonna change in ’19 and ’20, and it’s gonna change faster than it’s ever changed before. Follow your passion, whatever it is. Don’t be afraid of innovation. Don’t be afraid of doing things differently if you’re an entrepreneur in the security space. Embrace the change and call me if you need help.
Shimel: Excellent. Hey, man, Tyler Shields, welcome aboard to Sonatype, they’re lucky to have you. Best wishes for a happy holidays, happy new year, and we’ll catch up with you in 2019, man.
Shields: You, too. Thank you, Alan.
Shimel: Alright. Tyler Shields of Sonatype, here on DevOps Chat. This is Alan Shimel, and you’ve just listened to another chat.