Simplifying Compliance for Cloud-Native Organizations

Chris Ford, Threat Stack's VP of product, talks with Alan Shimel about how to simplify compliance framework requirements and accelerate audits for cloud-native organizations. The video is below, followed by a transcript of the conversation.

Announcer: This is digital anarchist.

Alan Shimel: Hi, everyone. Thanks for joining us here for another segment of TechStrong TV. My guest this segment is my friend,  Chris Ford. He’s the VP of product at Threat Stack and Chris, welcome to TechStrong TV. How are you?

Chris Ford: Hey. I’m great, Alan. Thanks for having me back.

Shimel: Well, look. You did a good job last time. We figured we'd push our luck. All kidding aside, pleasure to have you on. I see you're fancy now with the blurred background and everything. Very cool. Very cool.

Ford: Well, you got to _____ during these _____.

[Crosstalk]

Shimel: Yeah. No. It’s the evolution. It’s the evolution of Zoom technology during COVID, right? We went from fake backgrounds where when you turned half your head would disappear or people didn’t have ears all of a sudden to now blur is in style.

Ford: I was in my kitchen last time, Alan.

Shimel: Yeah. Well, it happens. It’s all good though. Chris, most of our audience, I think they know who Threat Stack is, but maybe there are people who aren’t sure. Why don’t we give them a little Threat Stack background and while we’re at it, give them a little of your background.

Ford: Sounds good. Well, thanks, Alan. Yeah. Threat Stack, we're in the security observability business. So we help customers with monitoring of their cloud-native infrastructure for a variety of use cases, whether it's threat detection, best practices in hygiene for securing cloud infrastructure, or even compliance, which I know we're gonna talk about a bit more today. We've been doing that now since 2014 and growing very nicely as a company. And I've been with Threat Stack now for almost four years. Hard to believe. But my background is enterprise security and data loss prevention. So what we're doing at Threat Stack fits in really nicely with where I've been.

Shimel: Very cool. Very cool. And Threat Stack has been – doesn’t seem that long. I think I remember when they launched, but it happens. That’s the point of getting – growing older. Chris, of course it’s been a crazy time with COVID. Security is, as always but even more so now, really under the spotlight. Companies and organizations are really having to look at what are they doing. No one wants to be the next headline whether it’s a supply chain attack or ransomware or garden variety web application vulnerabilities and what have you. Everyone wants to shift left. Everyone wants to develop better code. Everyone – no one wants to raise their hand and say, “I was a victim.” But it happens, right? The world we live in is a pretty dangerous place as well. So you guys had some recent news coming out along those lines of helping and what’s happening. If you don’t mind, why don’t you share?

Ford: Yeah. Sure. Well, there are some trends in the market that I find really interesting, and you've talked about a spotlight that's on security, and that is absolutely true. I've seen some very encouraging things in the market of late around compliance. Now compliance is a pretty broad topic. There are regulatory mandates. There are industry best practices like PCI DSS. There are security frameworks like NIST and SOC 2, Type 2.

What I've seen, when I was in data loss prevention years and years ago we used to – compliance was always the bogeyman. You would have to try to scare people about the fines that they would have to pay if they were found in noncompliance with something like HIPAA. What I see in the market now, and I don't think this is a new thing, it's been thrust into the forefront, is that compliance is becoming a weapon, a sales enablement tool for our customers. So it's really encouraging. So rather than working from a place of fear, I talk to the chief security officers now all the time that say, I am all about revenue enablement.

My job is to help us sell our service to customers. And the biggest way that I can help sell our service to customers is by attesting that we are secure. And if you look at things like SOC 2, Type 2, PCI DSS, these are our sales tools now. So we're excited about that because part of our investment for the past six to eight months has been in a true data platform. We take the trillions of events that we capture from our customers' infrastructure every month. Now we make them searchable.

So we're enabling our customers now to generate compliance reports based on all those behaviors that we capture. But what's really exciting to me is it's not just about proving compliance to an auditor. It's about putting tools in our customers' hands that help them sell, help them get more confidence from their customers that they are indeed secure. So that's what we've been up to.

Shimel: Absolutely. Chris, it's more than just a sales tool. These kinds of things about being SOC 2 compliant or GDPR, HIPAA, or PCI, these are table stakes today. You don't even get to sit at the table without that, right? It's not a nice to have. They're must haves. They're must haves. You wanna be considered, right? The recent executive order that comes out of DC is talking now about building materials for your software. It's this – it's really part of that same thinking about my friends are your friends and who you associate with comes back to me.

So I have to know where that supply chain is. I got to know where are the components and where do they come from and who are they using and are they secure and are they SOC 2 compliant, and how far down do I need to go, two generations, three generations. We'll see. But this is gonna be – you're right. It's not just a compliance issue. It's not compliance for compliance's sake. It's compliance for survival. No one wants to be the next whoever. I'm not gonna name names here, but no one wants to be the next headline.

Ford: No. And together I think as an industry we can lift each other up. The idea behind compliance at the end of the day is to become more secure. It isn't to be a tax on your business. It really is to become more secure.

Shimel: No. Absolutely. And that was lost. I'll tell you something, Chris, I saw this happening around 2010, maybe 2008, maybe through 2016, 2017, or later even, that people started doing compliance for compliance's sake. They thought of it as a tax, as just another government regulatory hurdle, but it wasn't. People lost sight of the fact that compliance was supposed to represent not best practices, but the minimum. The bare minimum of what you need to do to be reasonable. Anything below that is unreasonable. At least be reasonable. You may not do the best, but be reasonable. And so it was meant as the starting point, not the finish point. And we got lost there for a couple years. We wandered in the compliance hinterlands thinking that that – we lost the connection between compliance and security.

Ford: Yeah. I think we as a vendor community played a role in that to a certain degree. We really marketed toward the compliance use case and _____.

Shimel: It was bunching. It was bunching for it.

Ford: Exactly right. Exactly right. I'm glad to see though that we're now at a point where we're treating compliance as the bare minimum means to get to a secure place so that we can keep our customers' data safe. That's really what it's all about.

Shimel: Absolutely. So Chris, what are you seeing though with customers? I imagine most are buying into this now. One of the things though that I'm seeing is customers are grappling with how do I do this with a workforce that works from anywhere, whenever they want, on whatever they want? And so that presents new challenges, I would imagine. What's Threat Stack doing on that?

Ford: Well, I think one of the challenges in this work from anywhere world is just that there are now so many different types of infrastructure to monitor. There are a lot of moving pieces honestly. It used to be that, at least from a compliance perspective, and I'll say this more broadly from a security perspective, we had a tool for this and a tool for that and a monitoring point for that. Our philosophy is that you should have one platform that can get you to where you need to be from a threat detection and a compliance perspective regardless of the infrastructure that you've chosen to build on, whether it's bare metal, virtual machines, functions as a service, and everything in between.

What we do is observability, and our goal is to be able to bring to bear that threat detection and best practices from a hygiene perspective and compliance reporting for any of those technologies so that you can have one partner, one tool, and even one managed service if you choose to go with Threat Stack for that to help monitor your infrastructure. That gives you that visibility across all those various environments. So that's really a challenge that our customers are asking us to help them solve.

Shimel: You're right. Good stuff. It's gonna be an interesting – so as a long-time security person like you, Chris, I'm excited by the attention that security is getting, by the energy behind finding new solutions to what many times are old problems. But part of me, the skeptic in me, just thinks the noise will die down and it'll go back to the same old, same old.

Ford: I sure hope not.

Shimel: I hope not. I sincerely hope not.

Ford: Yeah. Well, it’s getting harder and harder. So we just have to keep the fight.

Shimel: Yeah. You got to keep fighting the good fight. We didn’t mention, Chris, if people wanna get more information about Threat Stack where do they go?

Ford: Sure. Just go to our website, www.threatstack.com and there are plenty of ways to reach out to us.

Shimel: Excellent, man. All right. Anything else we got to throw in the pie here or are you gonna come back and visit us soon?

Ford: We'll come see you again. We got a lot of great stuff in the hopper. We're helping our customers get a lot more proactive about security. It's not just about observability. It's about taking the next step into being proactive about remediating risks. So when ready I'll come back and talk to you about that some more.

Shimel: I'm looking forward to it. Chris Ford, VP of product at Threat Stack, here on TechStrong TV. We're gonna take a break. We'll be right back. Hey, Chris. Thanks.

[End of Audio]

Alan Shimel

Throughout his career spanning over 25 years in the IT industry, Alan Shimel has been at the forefront of leading technology change. From hosting and infrastructure to security and now DevOps, Shimel is an industry leader whose opinions and views are widely sought after.

Alan's entrepreneurial ventures have seen him found or co-found several technology-related companies, including TriStar Web, StillSecure, The CISO Group, MediaOps, Inc., DevOps.com and the DevOps Institute. He has also helped several companies grow from startup to public entities and beyond. He has held a variety of executive roles around Business and Corporate Development, Sales, Marketing, Product and Strategy.

Alan is also the founder of the Security Bloggers Network, the Security Bloggers Meetups and awards, which run at various security conferences, and Security Boulevard.

Most recently, Shimel saw the impact that DevOps and related technologies were going to have on the Software Development Lifecycle and the entire IT stack. He founded DevOps.com and then the DevOps Institute. DevOps.com is the leading destination for all things DevOps, as well as the producer of multiple DevOps events called DevOps Connect. DevOps Connect produces DevSecOps and Rugged DevOps tracks and events at leading security conferences such as RSA Conference, InfoSec Europe and InfoSec World. The DevOps Institute is the leading provider of DevOps education, training and certification.

Alan has a BA in Government and Politics from St. John's University, a JD from New York Law School and a lifetime of business experience. His legal education, long experience in the field, and New York street smarts combine to form a unique personality that is always in demand to appear at conferences and events.
