{"id":207,"date":"2021-08-31T16:05:07","date_gmt":"2021-08-31T16:05:07","guid":{"rendered":"https:\/\/connect-community.org\/\/2021-8-31-how-to-migrate-your-organization-to-a-more-security-minded-culture\/"},"modified":"2021-10-14T08:41:50","modified_gmt":"2021-10-14T13:41:50","slug":"2021-8-31-how-to-migrate-your-organization-to-a-more-security-minded-culture","status":"publish","type":"post","link":"https:\/\/connect-community.org\/2021-8-31-how-to-migrate-your-organization-to-a-more-security-minded-culture\/","title":{"rendered":"How to migrate your organization to a more security-minded culture"},"content":{"rendered":"<div class=\" image-block-outer-wrapper layout-caption-below design-layout-inline combination-animation-none individual-animation-none individual-text-animation-none \" data-test=\"image-block-inline-outer-wrapper\">\n<figure class=\" sqs-block-image-figure intrinsic \" style=\"max-width: 3345px; overflow: hidden;\">\n<div class=\"image-block-wrapper\" data-animation-role=\"image\">\n<div class=\"sqs-image-shape-container-element has-aspect-ratio \" style=\"position: relative; padding-bottom: 59.82062911987305%; overflow: hidden;\"><noscript><img decoding=\"async\" src=\"https:\/\/connect-community.org\/\/wp-content\/uploads\/2021\/10\/1_toptoptop.jpg\" alt=\"top top top.jpg\" \/><\/noscript><img decoding=\"async\" class=\"thumb-image lazyload\" data-src=\"https:\/\/connect-community.org\/\/wp-content\/uploads\/2021\/10\/1_toptoptop.jpg\" alt=\"top top top.jpg\" data-image=\"https:\/\/connect-community.org\/\/wp-content\/uploads\/2021\/10\/1_toptoptop.jpg\" data-image-dimensions=\"3345x2001\" data-image-focal-point=\"0.5,0.5\" data-load=\"false\" data-image-id=\"612e4f2a6a189c5caa73cec2\" data-type=\"image\" src=\"data:image\/gif;base64,R0lGODlhAQABAAAAACH5BAEKAAEALAAAAAABAAEAAAICTAEAOw==\" \/><\/div>\n<\/div>\n<\/figure>\n<\/div>\n<p class=\"\" style=\"white-space: pre-wrap;\">Bringing broader awareness of security risks and building a 
security-minded culture within any public or private organization has been a top priority for years.<\/p>\n<p class=\"\" style=\"white-space: pre-wrap;\">Yet halfway through 2021, IT security remains as much a threat as ever &#8212; with multiple major breaches and attacks costing tens of millions of dollars occurring nearly weekly.<\/p>\n<p class=\"\" style=\"white-space: pre-wrap;\">Why are the threat vectors not declining? Why, with all the tools and investment, are businesses still regularly being held up for ransom or having their data breached? To what degree are behavior, culture, attitude, and organizational dissonance to blame?<\/p>\n<p class=\"\" style=\"white-space: pre-wrap;\">Join us here as\u00a0<a href=\"http:\/\/www.briefingsdirect.com\/\" target=\"_blank\" rel=\"noopener\"><strong>BriefingsDirect<\/strong><\/a>\u00a0probes into these more human elements of IT security with a leading chief information security officer (CISO).<\/p>\n<p class=\"\" style=\"text-align: center; white-space: pre-wrap;\"><a href=\"http:\/\/traffic.libsyn.com\/interarbor\/BriefingsDirectHow_to_Migrate_Your_Organization_to_a_More_Security-Minded_Culture__From_Development_to_Production_to_Partners.mp3?dest-id=20179\" target=\"_blank\" rel=\"noopener\"><strong>Listen<\/strong><\/a><strong>\u00a0to the\u00a0<\/strong><a href=\"http:\/\/briefingsdirect.com\/how-to-migrate-your-organization-to-a-more-security-minded-culture-from-development-to-production-to-partners\" target=\"_blank\" rel=\"noopener\"><strong>podcast<\/strong><\/a><strong>.\u00a0Find it on\u00a0<\/strong><a href=\"https:\/\/itunes.apple.com\/us\/podcast\/briefingsdirect-podcasts\/id85270006\" target=\"_blank\" rel=\"noopener\"><strong>iTunes<\/strong><\/a><strong>. 
Read a\u00a0<\/strong><a href=\"https:\/\/www.briefingsdirecttranscriptsblogs.com\/2021\/08\/how-to-migrate-your-organization-to.html\" target=\"_blank\" rel=\"noopener\"><strong>full transcript<\/strong><\/a><strong>\u00a0or\u00a0<\/strong><a href=\"https:\/\/www.slideshare.net\/danalgardner\/how-to-migrate-your-organization-to-a-more-securityminded-culture-from-development-to-production-to-partners\" target=\"_blank\" rel=\"noopener\"><strong>download<\/strong><\/a><strong>\u00a0a copy.<\/strong><\/p>\n<p class=\"\" style=\"white-space: pre-wrap;\">To learn more about adjusting the culture of security to make organizations more resilient, please welcome\u00a0<a href=\"https:\/\/www.linkedin.com\/in\/adrianludwig\/\" target=\"_blank\" rel=\"noopener\"><strong>Adrian Ludwig<\/strong><\/a>, CISO at\u00a0<a href=\"https:\/\/www.atlassian.com\/\" target=\"_blank\" rel=\"noopener\"><strong>Atlassian<\/strong><\/a>. The interview is conducted by\u00a0<a href=\"https:\/\/twitter.com\/Dana_Gardner\" target=\"_blank\" rel=\"noopener\"><strong>Dana Gardner<\/strong><\/a>, Principal Analyst at Interarbor Solutions.<\/p>\n<p><iframe class=\"embedly-embed lazyload\" title=\"YouTube embed\" data-src=\"\/\/cdn.embedly.com\/widgets\/media.html?src=https%3A%2F%2Fwww.youtube.com%2Fembed%2FJTH9Tczy1M4%3Ffeature%3Doembed&amp;display_name=YouTube&amp;url=https%3A%2F%2Fwww.youtube.com%2Fwatch%3Fv%3DJTH9Tczy1M4&amp;image=https%3A%2F%2Fi.ytimg.com%2Fvi%2FJTH9Tczy1M4%2Fhqdefault.jpg&amp;key=61d05c9d54e8455ea7a9677c366be814&amp;type=text%2Fhtml&amp;schema=youtube\" width=\"854\" height=\"480\" frameborder=\"0\" scrolling=\"no\" allowfullscreen=\"allowfullscreen\" src=\"data:image\/gif;base64,R0lGODlhAQABAAAAACH5BAEKAAEALAAAAAABAAEAAAICTAEAOw==\" data-load-mode=\"1\"><\/iframe><\/p>\n<p class=\"\" style=\"white-space: pre-wrap;\">Here are some excerpts:<\/p>\n<p class=\"\" style=\"white-space: pre-wrap;\"><strong>Gardner:<\/strong>\u00a0Adrian, we are constantly bombarded with headlines 
showing how IT security is failing. Yet, for many people, they continue on their merry way &#8212; business as usual.<\/p>\n<p class=\"\" style=\"white-space: pre-wrap;\">Are we now living in a world where such breaches amount to acceptable losses? Are people not concerned because the attacks are perceived as someone else\u2019s problem?<\/p>\n<p class=\"\" style=\"white-space: pre-wrap;\"><strong>Ludwig:<\/strong>\u00a0A lot of that is probably true, depending on whom you ask and what their state of mind is on a given day. We\u2019re definitely seeing a lot more than we\u2019ve seen in the past. And there\u2019s some interesting twists to the language. What we\u2019re seeing does not necessarily imply that there is more exploitation going on or that there are more problems &#8212; but it\u2019s definitely the case that we\u2019re getting a lot more visibility.<\/p>\n<div class=\" image-block-outer-wrapper layout-caption-below design-layout-inline combination-animation-none individual-animation-none individual-text-animation-none \" data-test=\"image-block-inline-outer-wrapper\">\n<figure class=\" sqs-block-image-figure intrinsic \" style=\"max-width: 200px; overflow: hidden;\">\n<div class=\"image-block-wrapper\" data-animation-role=\"image\">\n<div class=\"sqs-image-shape-container-element has-aspect-ratio \" style=\"position: relative; padding-bottom: 100%; overflow: hidden;\"><noscript><img decoding=\"async\" src=\"https:\/\/connect-community.org\/\/wp-content\/uploads\/2021\/10\/AdrianLudwig.jpg\" alt=\"Ludwig\" \/><\/noscript><img decoding=\"async\" class=\"thumb-image lazyload\" data-src=\"https:\/\/connect-community.org\/\/wp-content\/uploads\/2021\/10\/AdrianLudwig.jpg\" alt=\"Ludwig\" data-image=\"https:\/\/connect-community.org\/\/wp-content\/uploads\/2021\/10\/AdrianLudwig.jpg\" data-image-dimensions=\"200x200\" data-image-focal-point=\"0.5,0.5\" data-load=\"false\" data-image-id=\"612e5020457959391e81efdc\" data-type=\"image\" 
src=\"data:image\/gif;base64,R0lGODlhAQABAAAAACH5BAEKAAEALAAAAAABAAEAAAICTAEAOw==\" \/><\/div>\n<\/div><figcaption class=\"image-caption-wrapper\">\n<div class=\"image-caption\">\n<p class=\"\" style=\"white-space: pre-wrap;\"><a href=\"https:\/\/www.linkedin.com\/in\/adrianludwig\/\"><strong>Ludwig<\/strong><\/a><\/p>\n<\/div>\n<\/figcaption><\/figure>\n<\/div>\n<p class=\"\" style=\"white-space: pre-wrap;\">I think it\u2019s a little bit of both. There probably are more attacks going on, and we also have better visibility.<\/p>\n<p class=\"\" style=\"white-space: pre-wrap;\"><strong>Gardner:<\/strong>\u00a0Isn\u2019t security something we should all be thinking about, not just the CISOs?<\/p>\n<p class=\"\" style=\"white-space: pre-wrap;\"><strong>Ludwig:<\/strong>\u00a0It\u2019s interesting how people don\u2019t want to think about it. They appoint somebody, give them a title, and then say that person is now responsible for making security happen.<\/p>\n<p class=\"\" style=\"white-space: pre-wrap;\">But the reality is, within any organization, doing the right thing &#8212; whether that be security, keeping track of the money, or making sure that things are going the way you\u2019re expecting &#8212; is a responsibility that\u2019s shared across the entire organization. That\u2019s something that we are now becoming more accustomed to. The security space is realizing it\u2019s not just about the security folks doing a good job. It\u2019s about enabling the entire organization to understand what\u2019s important to be more secure and making that as easy as possible. So, there\u2019s an element of culture change and of improving the entire organization.<\/p>\n<p class=\"\" style=\"white-space: pre-wrap;\"><strong>Gardner:<\/strong>\u00a0What\u2019s making these softer approaches &#8212; behavior, culture, management, and attitude \u2013 more important now? 
Is there something about security technology that has changed that makes us now need to look at how people think?<\/p>\n<p class=\"\" style=\"white-space: pre-wrap;\"><strong>Ludwig:<\/strong>\u00a0We\u2019re beginning to realize that technology is not going to solve all our problems. When I first went into the security business, the company I worked for, a government agency, still had posters on the wall from World War II:\u00a0<em>Loose lips sink ships<\/em>.<\/p>\n<h3 style=\"text-align: center; white-space: pre-wrap;\"><strong>Learn More\u00a0\u00a0<\/strong><\/h3>\n<h3 style=\"text-align: center; white-space: pre-wrap;\"><a href=\"https:\/\/traceable.ai\/dana\" target=\"_blank\" rel=\"noopener\"><strong>About Traceable.ai<\/strong><\/a><\/h3>\n<p class=\"\" style=\"white-space: pre-wrap;\">The idea of security culture is not new, but the awareness is, across organizations that any person could be subject to phishing, or any person could have their credentials taken &#8212; those mistakes could be originating at any place in the organization. That broad-based awareness is relatively new. It probably helps that we\u2019ve all been locked in our houses for the last year, paying a lot more attention to the media, and hearing about attacks that have been going on at governments, the hacking, and all those things. That has raised awareness as well.<\/p>\n<p class=\"\" style=\"white-space: pre-wrap;\"><strong>Gardner:<\/strong>\u00a0It\u2019s confounding that people authenticate better in their personal lives. They don\u2019t want their credit cards or bank accounts pillaged. They have a double standard when it comes to what they think about protecting themselves versus protecting the company they work for.<\/p>\n<h1 style=\"white-space: pre-wrap;\"><strong><em>Data safer at home or work?<\/em><\/strong><\/h1>\n<p class=\"\" style=\"white-space: pre-wrap;\"><strong>Ludwig:<\/strong>\u00a0Yes, it\u2019s interesting. 
We used to think enterprise security could be more difficult from the user experience standpoint because people would put up with it because it was work.<\/p>\n<p class=\"\" style=\"white-space: pre-wrap;\">But the opposite might be true, that people are more self-motivated in the consumer space and they\u2019re willing to put up with something more challenging than they would in an enterprise. There might be some truth to that, Dana.<\/p>\n<p class=\"\" style=\"white-space: pre-wrap;\"><strong>Gardner:<\/strong>\u00a0The passwords I use for my bank account are long and complex, and the passwords I use when I\u2019m in the business environment \u2026 maybe not so much. It gets us back to how you think and your attitude for improved security. How do we get people to think differently?<\/p>\n<p class=\"\" style=\"white-space: pre-wrap;\"><strong>Ludwig:<\/strong>\u00a0There are a few different things to consider. One is that the security people need to think differently. It\u2019s not necessarily about changing the behavior of every employee in the company. Some of it is about figuring out how to implement critical solutions that provide security without changing behavior.<\/p>\n<blockquote>\n<p class=\"\" style=\"white-space: pre-wrap;\"><em>Security people need to think differently. It&#8217;s not necessarily about changing the behavior of every employee in the company. It&#8217;s about implementing solutions that provide security without changing behavior.<\/em><\/p>\n<\/blockquote>\n<p class=\"\" style=\"white-space: pre-wrap;\">There is a phrase,\u00a0<em>the paved path or road<\/em>; so, making the secure way the easy way to do something. 
When people started using YubiKey\u00a0<a href=\"https:\/\/www.yubico.com\/authentication-standards\/fido-u2f\/\" target=\"_blank\" rel=\"noopener\"><strong>U2F<\/strong><\/a>\u00a0[an open authentication standard that enables internet users to securely access any number of online services with a single security key] as a second-factor authentication, it was actually a lot easier than having to input your password all over the place &#8212; and it\u2019s more secure.<\/p>\n<p class=\"\" style=\"white-space: pre-wrap;\">That\u2019s the kind of thing we\u2019re looking for. How do we enable enhanced security while also having a better user experience? What\u2019s true in authentication could be true in any number of other places as well.<\/p>\n<p class=\"\" style=\"white-space: pre-wrap;\">Second, we need to focus on developers. We need to make the developer experience more secure and build more confidence and trustworthiness in the software we\u2019re building, as well as\u00a0in the types of tools used to build.<\/p>\n<h1 style=\"white-space: pre-wrap;\"><strong><em>Developers find strength<\/em><\/strong><\/h1>\n<p class=\"\" style=\"white-space: pre-wrap;\"><strong>Gardner:<\/strong>\u00a0You brought up another point of interest to me. There\u2019s a mindset that when you hand something off in an organization &#8212; it could be from app development into production, or from product design into manufacturing &#8212; people like to move on. But with security, that type of hand-off can be a risk factor.<\/p>\n<p class=\"\" style=\"white-space: pre-wrap;\">Beginning with developers, how would you change that hand-off? Should developers be thinking about security in the same way that the IT production people do?<\/p>\n<p class=\"\" style=\"white-space: pre-wrap;\"><strong>Ludwig:<\/strong>\u00a0It\u2019s tricky. Security is about having the whole system work the way that everybody expects it to. 
If there\u2019s a breakdown anywhere in that system, and it doesn\u2019t work the way you\u2019re expecting, then you say, \u201cOh, it\u2019s insecure.\u201d But no one has figured out what those hidden expectations are.<\/p>\n<div class=\" image-block-outer-wrapper layout-caption-below design-layout-inline combination-animation-none individual-animation-none individual-text-animation-none \" data-test=\"image-block-inline-outer-wrapper\">\n<figure class=\" sqs-block-image-figure intrinsic \" style=\"max-width: 457px; overflow: hidden;\">\n<div class=\"image-block-wrapper\" data-animation-role=\"image\">\n<div class=\"sqs-image-shape-container-element has-aspect-ratio \" style=\"position: relative; padding-bottom: 66.73960876464844%; overflow: hidden;\"><noscript><img decoding=\"async\" src=\"https:\/\/connect-community.org\/\/wp-content\/uploads\/2021\/10\/toptop2.jpg\" alt=\"\" \/><\/noscript><img decoding=\"async\" class=\"thumb-image lazyload\" data-src=\"https:\/\/connect-community.org\/\/wp-content\/uploads\/2021\/10\/toptop2.jpg\" alt=\"\" data-image=\"https:\/\/connect-community.org\/\/wp-content\/uploads\/2021\/10\/toptop2.jpg\" data-image-dimensions=\"457x305\" data-image-focal-point=\"0.5,0.5\" data-load=\"false\" data-image-id=\"612e51799c75b35963254d6b\" data-type=\"image\" src=\"data:image\/gif;base64,R0lGODlhAQABAAAAACH5BAEKAAEALAAAAAABAAEAAAICTAEAOw==\" \/><\/div>\n<\/div>\n<\/figure>\n<\/div>\n<p class=\"\" style=\"white-space: pre-wrap;\">A developer expects the\u00a0<a href=\"https:\/\/www.traceable.ai\/blog-post\/use-the-owasp-api-top-10-to-secure-your-apis\" target=\"_blank\" rel=\"noopener\"><strong>code\u00a0they write isn\u2019t going to have vulnerabilities.<\/strong><\/a>\u00a0Even if they make a mistake, even if there\u2019s a performance bug, that shouldn\u2019t introduce a security problem. 
And there are improvements being made in programming languages to help with that.<\/p>\n<p class=\"\" style=\"white-space: pre-wrap;\">Certain languages are highly prone to security being a common failure. I grew up using\u00a0<a href=\"https:\/\/en.wikipedia.org\/wiki\/Compatibility_of_C_and_C%2B%2B\" target=\"_blank\" rel=\"noopener\"><strong>C and C++<\/strong><\/a>. Security wasn\u2019t something that was even thought of in the design of those languages.\u00a0<a href=\"https:\/\/www.java.com\/en\/\" target=\"_blank\" rel=\"noopener\"><strong>Java<\/strong><\/a>, a lot more security was thought of in the design of that language, so it\u2019s intrinsically safer. Does that mean there are no security issues that can happen if you\u2019re using Java? No.<\/p>\n<p class=\"\" style=\"white-space: pre-wrap;\">Similar types of expectations exist at other places in the development pipeline as well.<\/p>\n<p class=\"\" style=\"white-space: pre-wrap;\"><strong>Gardner:<\/strong>\u00a0I suppose another shift has been from applications developed to reside in a data center, behind firewalls and security perimeters. But now &#8212; with microservices, cloud-native applications, and multiple\u00a0<a href=\"https:\/\/en.wikipedia.org\/wiki\/API\" target=\"_blank\" rel=\"noopener\"><strong>application programming interfaces (APIs)<\/strong><\/a>\u00a0being brought together interdependently &#8212; we\u2019re no longer aware of where the code is running.<\/p>\n<p class=\"\" style=\"white-space: pre-wrap;\">Don\u2019t you have to think differently as a developer because of the way applications in production have shifted?<\/p>\n<p class=\"\" style=\"white-space: pre-wrap;\"><strong>Ludwig:<\/strong>\u00a0Yes, it\u2019s definitely made a big difference. We used to describe applications as being monoliths. There were very few parts of the application that were exposed.<\/p>\n<p class=\"\" style=\"white-space: pre-wrap;\">At this point, most applications are microservices. 
And that means across an application, there might be 1,000 different parts of the application that are publicly exposed. They all must have some level of security checks being done on them to make sure that if they\u2019re handling an input that might be coming from the other side of the world that it\u2019s being handled correctly.<\/p>\n<p class=\"\" style=\"white-space: pre-wrap;\">So, yes, the design and the architecture have definitely exposed a lot more of the app\u2019s surface. There\u2019s been a bit of a race to make the tools better, but the architectures are getting more complicated. And I don\u2019t know, it\u2019s neck and neck on whether things are getting more secure or they\u2019re getting less secure as these architectures get bigger and more exposed.<\/p>\n<p class=\"\" style=\"white-space: pre-wrap;\">We have to think about that. How do we design processes to deal with that? How do you design technology, and what\u2019s the culture that needs to be in place? I think part of it is having a culture of every single developer being conscious of the fact that the decisions they\u2019re making have security implications. So that\u2019s a lot of work to do.<\/p>\n<p class=\"\" style=\"white-space: pre-wrap;\"><strong>Gardner:<\/strong>\u00a0Another attitude adjustment that\u2019s necessary is assuming that breaches are going to happen and to stifle them as quickly as possible. 
It\u2019s a little different mindset, but the more people involved with looking for anomalies, who are willing to have their data or\u00a0<a href=\"https:\/\/www.traceable.ai\/blog-post\/web-api-security-rule-based-and-signature-based-security-isnt-good-enough\" target=\"_blank\" rel=\"noopener\"><strong>behaviors examined for anomalies makes sense<\/strong><\/a>.<\/p>\n<p class=\"\" style=\"white-space: pre-wrap;\">Is there a needed cultural shift that goes with assuming you\u2019re going to be breached and making sure the damage is limited?<\/p>\n<h1 style=\"white-space: pre-wrap;\"><strong><em>Assume the worst to limit damage\u00a0<\/em><\/strong><\/h1>\n<p class=\"\" style=\"white-space: pre-wrap;\"><strong>Ludwig:<\/strong>\u00a0Yes. A big part of the cultural shift is being comfortable taking feedback from anybody that you have a problem and that there\u2019s something that you need to fix. That\u2019s the first step.<\/p>\n<p class=\"\" style=\"white-space: pre-wrap;\">Companies should let anybody identify a security problem &#8212; and that could be anybody inside or outside of the company. Bug bounties. We\u2019re in a bit of a <a href=\"https:\/\/www.traceable.ai\/blog-post\/traceai-machine-learning-driven-application-and-api-security\" target=\"_blank\" rel=\"noopener\"><strong>revolution in terms of enabling better visibility into potential security problems.<\/strong><\/a><\/p>\n<p class=\"\" style=\"white-space: pre-wrap;\">But once you have that sort of culture, you start thinking, \u201cOkay. How do I actually monitor what\u2019s going on in each of the different areas?\u201d With that visibility, exposure, and understanding what\u2019s going in and out of specific applications, you can detect when there\u2019s something you\u2019re not expecting. 
That turns out to be really difficult, if what you\u2019re looking at is very big and very, very complicated.<\/p>\n<figure class=\" sqs-block-image-figure image-block-outer-wrapper image-block-v2 design-layout-card combination-animation-none individual-animation-none individual-text-animation-none image-position-left \" data-scrolled=\"\" data-test=\"image-block-v2-outer-wrapper\">\n<div class=\"intrinsic\">\n<div class=\" image-inset\" data-animation-role=\"image\" data-description=\"\">\n<div class=\"sqs-image-shape-container-element content-fit \" style=\"position: relative; overflow: hidden;\"><noscript><img decoding=\"async\" src=\"https:\/\/connect-community.org\/\/wp-content\/uploads\/2021\/10\/Atlassianlogo.png\" alt=\"Atlassian logo\" loading=\"lazy\"\/><\/noscript>\n<img decoding=\"async\" data-src=\"https:\/\/connect-community.org\/\/wp-content\/uploads\/2021\/10\/Atlassianlogo.png\" alt=\"Atlassian logo.png\" data-image=\"https:\/\/connect-community.org\/\/wp-content\/uploads\/2021\/10\/Atlassianlogo.png\" data-image-dimensions=\"310x163\" data-image-focal-point=\"0.5,0.5\" src=\"data:image\/gif;base64,R0lGODlhAQABAAAAACH5BAEKAAEALAAAAAABAAEAAAICTAEAOw==\" class=\"lazyload\" \/>\n<div class=\"image-overlay\" style=\"overflow: hidden;\"><\/div>\n<\/div>\n<\/div>\n<\/div>\n<\/figure>\n<p class=\"\" style=\"white-space: pre-wrap;\">Decomposing an application down into smaller pieces, being able to trace the behaviors within those pieces, and understanding which APIs each of those different microservices is exposing turns out to be really important.<\/p>\n<p class=\"\" style=\"white-space: pre-wrap;\">If you combine decomposing applications into smaller pieces with monitoring what\u2019s going on in them and creating a culture where anybody can find a potential security flaw, surface it, and react to it &#8212; those are good building blocks for having an environment where you have a lot more security than you would have otherwise.<\/p>\n<p class=\"\" 
style=\"white-space: pre-wrap;\"><strong>Gardner:<\/strong>\u00a0Another shift we\u2019ve seen in the past several years is the advent of big data. Not only can we manage big data quickly, but we can also do it at a reasonable cost. That has brought about machine learning (ML) and movement to artificial intelligence (AI). So, now there\u2019s an opportunity to put another arrow in our quiver of tools and use big data ML to buttress our security and provide a new culture of awareness as a result.<\/p>\n<blockquote>\n<p class=\"\" style=\"white-space: pre-wrap;\"><em>Most applications are so complicated &#8212; and have been developed in such a chaotic manner &#8212; it&#8217;s impossible to understand what&#8217;s going on inside of them.Give the robots a shot and see if we can figure it out by turning the machines on themselves.<\/em><\/p>\n<\/blockquote>\n<p class=\"\" style=\"white-space: pre-wrap;\"><strong>Ludwig:<\/strong>\u00a0I think so. There are a bunch of companies trying to do that, to look at the patterns that exist within applications, and understand what those patterns look like. In some instances, they can alert you when there\u2019s something not operating the way that is expected and maybe guide you to rearchitecting and make your applications more efficient and secure.<\/p>\n<p class=\"\" style=\"white-space: pre-wrap;\">There are a few different approaches being explored. Ultimately, at this point, most applications are so complicated &#8212; and have been developed in such a chaotic manner &#8212; it\u2019s impossible to understand what\u2019s going on inside of them. That\u2019s the right time that the robots give it a shot and see if we can figure it out by turning the machines on themselves.<\/p>\n<p class=\"\" style=\"white-space: pre-wrap;\"><strong>Gardner:<\/strong>\u00a0Yes. Fight fire with fire.<\/p>\n<p class=\"\" style=\"white-space: pre-wrap;\">Let\u2019s get back to the culture of security. 
If you ask the people in the company to think differently about security, they all nod their heads and say they\u2019ll try. But there has to be a leadership shift, too. Who is in charge of such security messaging? Who has the best voice for having the whole company think differently and better about security? Who\u2019s in charge of security?<\/p>\n<h1 style=\"white-space: pre-wrap;\"><strong><em>C-suite must take the lead\u00a0<\/em><\/strong><\/h1>\n<p class=\"\" style=\"white-space: pre-wrap;\"><strong>Ludwig:<\/strong>\u00a0Not the security people. That will be a surprise for a lot of people to hear me say that. The reality is if you\u2019re in security, you\u2019re not normal. And the normal people don\u2019t want to hear from the not-normal person who\u2019s paranoid that they need to be more paranoid.<\/p>\n<p class=\"\" style=\"white-space: pre-wrap;\">That\u2019s a realization it took me several years to realize. If the security person keeps saying, \u201cThe sky is falling, the sky is falling,\u201d people aren\u2019t going to listen. They say, \u201cSecurity is important.\u201d And the others reply, \u201cYes, of course, security is important to you, you\u2019re the security guy.\u201d<\/p>\n<p class=\"\" style=\"white-space: pre-wrap;\">If the head of the business, or the CEO, consistently says, \u201cWe need to make this a priority. 
Security is really important, and these are the people who are going to help us understand what that means and how to execute on it,\u201d then that ends up being a really healthy relationship.<\/p>\n<p class=\"\" style=\"white-space: pre-wrap;\">The companies I\u2019ve seen turn themselves around to become good at security are the ones such as\u00a0<a href=\"https:\/\/www.microsoft.com\/en-us\/\" target=\"_blank\" rel=\"noopener\"><strong>Microsoft<\/strong><\/a>,\u00a0<a href=\"https:\/\/about.google\/\" target=\"_blank\" rel=\"noopener\"><strong>Google<\/strong><\/a>, or others where the CEO made it personal, and said, \u201cWe\u2019re going to fix this, and it\u2019s my number-one priority. We\u2019re going to invest in it, and I\u2019m going to hire a great team of security professionals to help us make that happen. I\u2019m going to work with them and enable them to be successful.\u201d<\/p>\n<p class=\"\" style=\"white-space: pre-wrap;\">Alternatively, there are companies where the CEO says, \u201cOh, the board has asked us to get a good security person, so I\u2019ve hired this person and you should do what he says.\u201d That\u2019s the path to a disgruntled bunch of folks across the entire organization. They will conclude that security is just lip service, it\u2019s not that important. \u201cWe\u2019re just doing it because we have to,\u201d they will say. 
And that is not where you want to end up.<\/p>\n<p class=\"\" style=\"white-space: pre-wrap;\"><strong>Gardner:<\/strong>\u00a0You can\u2019t just talk the talk, you have to walk the walk and do it all the time, over and over again, with a loud voice, right?<\/p>\n<div class=\" image-block-outer-wrapper layout-caption-below design-layout-inline combination-animation-none individual-animation-none individual-text-animation-none \" data-test=\"image-block-inline-outer-wrapper\">\n<figure class=\" sqs-block-image-figure intrinsic \" style=\"max-width: 503px; overflow: hidden;\">\n<div class=\"image-block-wrapper\" data-animation-role=\"image\">\n<div class=\"sqs-image-shape-container-element has-aspect-ratio \" style=\"position: relative; padding-bottom: 87.87276458740234%; overflow: hidden;\"><noscript><img decoding=\"async\" src=\"https:\/\/connect-community.org\/\/wp-content\/uploads\/2021\/10\/Top2.jpg\" alt=\"\" \/><\/noscript><img decoding=\"async\" class=\"thumb-image lazyload\" data-src=\"https:\/\/connect-community.org\/\/wp-content\/uploads\/2021\/10\/Top2.jpg\" alt=\"\" data-image=\"https:\/\/connect-community.org\/\/wp-content\/uploads\/2021\/10\/Top2.jpg\" data-image-dimensions=\"503x442\" data-image-focal-point=\"0.5,0.5\" data-load=\"false\" data-image-id=\"612e522b271eed1abae7a9ba\" data-type=\"image\" src=\"data:image\/gif;base64,R0lGODlhAQABAAAAACH5BAEKAAEALAAAAAABAAEAAAICTAEAOw==\" \/><\/div>\n<\/div>\n<\/figure>\n<\/div>\n<p class=\"\" style=\"white-space: pre-wrap;\"><strong>Ludwig:<\/strong>\u00a0Yes. And eventually it gets quieter. Eventually, you don\u2019t need to have the top level saying this is the most important thing. It becomes part of the culture. People realize that\u2019s just the way \u2013 and it\u2019s not that it\u2019s just the way we do things, but it is a number-one value for us. 
It\u2019s the number-one thing for our customers, too, and so culture shift ends up happening.<\/p>\n<p class=\"\" style=\"white-space: pre-wrap;\"><strong>Gardner:<\/strong>\u00a0Security mindfulness becomes the fabric within the organization. But to get there requires change and changing behaviors has always been hard.<\/p>\n<p class=\"\" style=\"white-space: pre-wrap;\">Are there carrots? Are there sticks? When the top echelon of the organization, public or private, commits to security, how do you then execute on that? Are there some steps that you\u2019ve learned or seen that help people get incentivized &#8212; or whacked upside the head, so to speak, when necessary?<\/p>\n<h1 style=\"white-space: pre-wrap;\"><strong><em>Talk the security talk and listen up<\/em><\/strong><\/h1>\n<p class=\"\" style=\"white-space: pre-wrap;\"><strong>Ludwig:<\/strong>\u00a0We definitely haven\u2019t gone for \u201cwhacked upside the head.\u201d I\u2019m not sure that works for anybody at this point, but maybe I\u2019m just a progressive when it comes to how to properly train employees.<\/p>\n<p class=\"\" style=\"white-space: pre-wrap;\">What we have seen work is just talking about it on a regular basis, asking about the things that we\u2019re doing from a security standpoint. Are they working? Are they getting in your way? Honestly, showing that there\u2019s thoughtfulness and concern going into the development of those security improvements goes a long way toward making people more comfortable with following through on them.<\/p>\n<p class=\"\" style=\"white-space: pre-wrap;\">A great example is \u2026 You roll out two-factor authentication, and then you ask, \u201cIs it getting in the way? Is there anything that we can do to make this better? This is not the be-all and end-all. We want to improve this over time.\u201d<\/p>\n<p class=\"\" style=\"white-space: pre-wrap;\">That type of introspection by the security organization is surprising to some people. 
The idea that the security team doesn\u2019t want it to be disruptive, that they don\u2019t want to get in the way, can go a long way toward it feeling as though these new protections are less disruptive and less problematic than they might otherwise feel.<\/p>\n<p class=\"\" style=\"white-space: pre-wrap;\"><strong>Gardner:<\/strong>\u00a0And when the organization is focused on developers? Developers can be, you know \u2026<\/p>\n<p class=\"\" style=\"white-space: pre-wrap;\"><strong>Ludwig:<\/strong>\u00a0Ornery?<\/p>\n<p class=\"\" style=\"white-space: pre-wrap;\"><strong>Gardner:<\/strong>\u00a0\u201cOrnery\u201d works. If you can make developers work toward a fabric of security mindedness and culture, you can probably do it to anyone. What have you learned on injecting a better security culture within the developer corps?<\/p>\n<p class=\"\" style=\"white-space: pre-wrap;\"><strong>Ludwig:<\/strong>\u00a0A lot of it starts, again, at the top. You know, we have core values that invoke vulgarity to both emphasize how important they are, but also how simple they are.<\/p>\n<p class=\"\" style=\"white-space: pre-wrap;\">One of Atlassian\u2019s values is, \u201cDon\u2019t fuck the customer.\u201d And as a result of that, it\u2019s very easy to remember, and it\u2019s very easy to invoke. \u201cHey, if we don\u2019t do this correctly, that\u2019s going to hurt the customer.\u201d We can\u2019t let that happen as a top-level value.<\/p>\n<p class=\"\" style=\"white-space: pre-wrap;\">We also have \u201c<em>Open company, no-bullshit\u201d<\/em>. If somebody says, \u201cI see a problem over here,\u201d then we need to follow up on it, right? There\u2019s not a temptation to cover it up, to hide it, to pretend it\u2019s not an issue. 
It\u2019s about driving change and making sure that we\u2019re implementing solutions that actually fix things.<\/p>\n<p class=\"\" style=\"white-space: pre-wrap;\">There are countless examples of a feature that was built, and we really want to ship it, but it turns out it\u2019s got a problem and we can\u2019t do it because that would actually be a problem for the customer. So, we back off and go from there.<\/p>\n<h1 style=\"white-space: pre-wrap;\"><strong><em>How to talk about security<\/em><\/strong><\/h1>\n<p class=\"\" style=\"white-space: pre-wrap;\"><strong>Gardner:<\/strong>\u00a0Words are powerful. Brands are powerful. Messaging is powerful. What you just said made me think, \u201cMaybe the word\u00a0<em>security<\/em>\u00a0isn\u2019t the right word.\u201d If we use the words \u201ccustomer experience,\u201d maybe that\u2019s better. Have you found that? Is \u201csecurity\u201d the wrong word nowadays? Maybe we should be thinking about creating an experience at a larger level that connotes success and progress.<\/p>\n<p class=\"\" style=\"white-space: pre-wrap;\"><strong>Ludwig:<\/strong>\u00a0Super interesting.\u00a0<a href=\"https:\/\/www.apple.com\/\" target=\"_blank\" rel=\"noopener\"><strong>Apple<\/strong><\/a>\u00a0doesn\u2019t use the word \u201csecurity\u201d very much at all. As a consumer brand, what they focus on is privacy, right? The idea that they\u2019ve built highly secure products is motivated by the users\u2019 right to privacy and the users\u2019 desire to have their information remain private. But they don\u2019t talk about security.<\/p>\n<p class=\"\" style=\"white-space: pre-wrap;\">I always thought that was a really interesting decision on their part. When I was at Google, we did some branding analysis, and we also came up with insights about how we talked about security. It\u2019s a negative from a customer\u2019s standpoint. And so, most of the references that you\u2019ll see coming out of Google are security\u00a0<em>and<\/em>\u00a0privacy. They always attach those two things together. It\u2019s not a coincidence. I think you\u2019re right that the branding is problematic.<\/p>\n<p class=\"\" style=\"white-space: pre-wrap;\">Microsoft uses\u00a0<em>trustworthy,<\/em>\u00a0as in trustworthy computing. So, I guess the rest of us are a little bit slow to pick up on that, but ultimately, it\u2019s a combination of security and a bunch of other things that we\u2019re trying to enable to make sure that the products do what we\u2019re expecting them to do.<\/p>\n<p class=\"\" style=\"white-space: pre-wrap;\"><strong>Gardner:<\/strong>\u00a0I like\u00a0<em>resilience<\/em>. I think that cuts across these terms because it\u2019s not just the security, it\u2019s how well the product is architected, how well it performs. Is it hardened, in a sense, so that it performs in trying circumstances \u2013 even when there are issues of scale or outside threats, and so forth. How do you like \u201cresilience,\u201d and how does that notion of business continuity come into play when we are trying to improve the culture?<\/p>\n<p class=\"\" style=\"white-space: pre-wrap;\"><strong>Ludwig:<\/strong>\u00a0Yes, \u201cresilience\u201d is a pretty good term. It comes up in the pop psychology space as well. You can try to make your children more resilient. Those are the ones that end up being the most successful, right? 
It certainly is an element of what you\u2019re trying to build.<\/p>\n<p class=\"\" style=\"white-space: pre-wrap;\">A \u201cresilient\u201d system is one in which there\u2019s an understanding that it\u2019s not going to be perfect. It\u2019s going to have some setbacks, and you need to have it recoverable when there are setbacks. You need to design with an expectation that there are going to be problems. I still remember the first time I heard about a squirrel shorting out a data center and taking down the whole data center. It can happen, right? It does happen. Or, you know, you get a solar event and that takes down computers.<\/p>\n<p class=\"\" style=\"white-space: pre-wrap;\">There are lots of different things that you need to build to recover from accidental threats, and there are ones that are more intentional &#8212; like when somebody\u00a0<a href=\"https:\/\/www.worldoil.com\/news\/2021\/5\/9\/ransomware-attack-shuts-down-biggest-us-gasoline-pipeline\" target=\"_blank\" rel=\"noopener\"><strong>deploys ransomware and tries to take your pipeline offline.<\/strong><\/a><\/p>\n<p class=\"\" style=\"white-space: pre-wrap;\"><strong>Gardner:<\/strong>\u00a0To be more resilient in our organizations, one of the things that we\u2019ve seen with developers and IT operations is DevOps. Has DevOps been a good lesson for broader resilience? Is there something we can do with other silos in the organization to make them more resilient?<\/p>\n<h1 style=\"white-space: pre-wrap;\"><strong><em>DevOps derives from experience<\/em><\/strong><\/h1>\n<p class=\"\" style=\"white-space: pre-wrap;\"><strong>Ludwig:<\/strong>\u00a0I think so. 
Ultimately, there are lots of different ways people describe DevOps, but I think about taking what used to be a very big thing and acknowledging that you can\u2019t comprehend the complexity of that big thing. Choosing instead to embrace the idea that you should do lots of little things, in aggregate, and that they\u2019re going to end up being a big thing.<\/p>\n<p class=\"\" style=\"white-space: pre-wrap;\">And that is a core ethos of DevOps, that each individual developer is going to write a little bit of code and then they\u2019re going to ship it. You\u2019re going to do that over and over and over. You are going to do that very, very, very quickly. And they\u2019re going to be responsible for running their own thing. That\u2019s the operations part of the development. But the result is, over time, you get closer to a good product because you can gain feedback from customers, you\u2019re able to see how it\u2019s working in reality, and you\u2019ll be able to get testing that takes place with real data. There are lots of advantages to that. 
But the critical part of it, from a security standpoint, is it makes it possible to respond to security flaws in near real-time.<\/p>\n<p class=\"\" style=\"white-space: pre-wrap;\">Often, organizations just aren\u2019t pushing code frequently enough to be able to know how to fix a security problem. They are like, \u201cOh, our next release window is 90 days from now. 
I can\u2019t possibly do anything between now and then.\u201d Getting to a point where you have an improvement process that\u2019s really flexible and that\u2019s being exercised every single day is what you get by having DevOps.<\/p>\n<p class=\"\" style=\"white-space: pre-wrap;\">And so, if you think about that same mentality for other parts of your organization, it definitely makes them able to react when something unexpected happens.<\/p>\n<p class=\"\" style=\"white-space: pre-wrap;\"><strong>Gardner:<\/strong>\u00a0Perhaps we should be looking to our software development organizations for lessons on cultural methods that we can apply elsewhere. They\u2019re on the bleeding edge of being more secure, more productive, and they\u2019re doing it through better communications and culture.<\/p>\n<p class=\"\" style=\"white-space: pre-wrap;\"><strong>Ludwig:<\/strong>\u00a0It\u2019s interesting to phrase it that way because that sounds highfalutin, and that they achieved it out of expertise and brilliance. What it really is, is the humbleness of realizing that the compiler tells you your code is wrong every single day. There\u2019s a new user bug every single day. 
And eventually you get beaten down by all those, and you decide you\u2019re just going to react every single day instead of having this big thing build up.<\/p>\n<p class=\"\" style=\"white-space: pre-wrap;\">So, yes, I think DevOps is a good example but it\u2019s a result of realizing how many flaws there are more than anything highfalutin, that\u2019s for sure.<\/p>\n<p class=\"\" style=\"white-space: pre-wrap;\"><strong>Gardner:<\/strong>\u00a0The software doesn\u2019t just eat the world; the software can show the world the new, better way.<\/p>\n<p class=\"\" style=\"white-space: pre-wrap;\"><strong>Ludwig:<\/strong>\u00a0Yes, hopefully so.<\/p>\n<h1 style=\"white-space: pre-wrap;\"><strong><em>Future best security practices<\/em><\/strong><\/h1>\n<p class=\"\" style=\"white-space: pre-wrap;\"><strong>Gardner:<\/strong>\u00a0Adrian, any thoughts about the future of better security, privacy, and resilience? How will\u00a0<a href=\"https:\/\/www.traceable.ai\/blog-post\/traceai-machine-learning-driven-application-and-api-security\" target=\"_blank\" rel=\"noopener\"><strong>ML and AI\u00a0provide more analysis and improvements to come?<\/strong><\/a><\/p>\n<p class=\"\" style=\"white-space: pre-wrap;\"><strong>Ludwig:<\/strong>\u00a0Probably the most important thing going on right now in the context of security is the realization by the senior executives and boards that security is something they need to be proponents for. They are pushing to make it possible for organizations to be more secure. That has fascinating ramifications all the way down the line.<\/p>\n<p class=\"\" style=\"white-space: pre-wrap;\">If you look at the best security organizations, they know the best way to enable security within their companies and for their customers is to make security as easy as possible. 
You get a combination of the non-security executive saying, \u201cSecurity is the number-one thing,\u201d and at the same time, the security executive realizes the number-one thing to implement security is to make it as easy as possible to embrace and to not be disruptive.<\/p>\n<p class=\"\" style=\"white-space: pre-wrap;\">And so, we are seeing faster investment in security that works because it\u2019s easier. And I think that\u2019s going to make a huge difference.<\/p>\n<p class=\"\" style=\"white-space: pre-wrap;\">There are also several foundational technology shifts that have turned out to be very pro-security, which wasn\u2019t why they were built &#8212; but it\u2019s turning out to be the case. For example, in the consumer space the move toward the web rather than desktop applications has enabled greater security. We saw a movement toward mobile operating systems as a primary mechanism for interacting with the web versus desktop operating systems. It turns out that those had a fundamentally more secure design, and so the risks there have gone down.<\/p>\n<p class=\"\" style=\"white-space: pre-wrap;\">The enterprise has been a little slow, but I see the shift away from behind-the-firewall software toward cloud-based and software as a service (SaaS) software as enabling a lot better security for most organizations. 
Eventually, I think it will be for all organizations.<\/p>\n<p><iframe class=\"embedly-embed lazyload\" title=\"YouTube embed\" data-src=\"\/\/cdn.embedly.com\/widgets\/media.html?src=https%3A%2F%2Fwww.youtube.com%2Fembed%2FJTH9Tczy1M4%3Ffeature%3Doembed&amp;display_name=YouTube&amp;url=https%3A%2F%2Fwww.youtube.com%2Fwatch%3Fv%3DJTH9Tczy1M4&amp;image=https%3A%2F%2Fi.ytimg.com%2Fvi%2FJTH9Tczy1M4%2Fhqdefault.jpg&amp;key=61d05c9d54e8455ea7a9677c366be814&amp;type=text%2Fhtml&amp;schema=youtube\" width=\"854\" height=\"480\" frameborder=\"0\" scrolling=\"no\" allowfullscreen=\"allowfullscreen\" src=\"data:image\/gif;base64,R0lGODlhAQABAAAAACH5BAEKAAEALAAAAAABAAEAAAICTAEAOw==\" data-load-mode=\"1\"><\/iframe><\/p>\n<p class=\"\" style=\"white-space: pre-wrap;\">Those shifts are happening at the same time as we have cultural shifts. I\u2019m really optimistic that over the next decade or two we\u2019re going to get to a point where security is not something we talk about. It\u2019s just something built-in and expected in much the same way as we don\u2019t spend too much time now talking about having access to the Internet. That used to be a critical stumbling block. It\u2019s hard to find a place now that doesn\u2019t or won\u2019t soon have access.<\/p>\n<p class=\"\" style=\"white-space: pre-wrap;\"><strong>Gardner:<\/strong>\u00a0These security practices and capabilities become part-and-parcel of good business conduct. 
We\u2019ll just think of it as doing a good job, and those companies that don\u2019t do a good job will suffer the consequences and the Darwinian nature of capitalism will take over.<\/p>\n<p class=\"\" style=\"white-space: pre-wrap;\"><strong>Ludwig:<\/strong>\u00a0I think it will.<\/p>\n<p class=\"\" style=\"white-space: pre-wrap;\"><a href=\"http:\/\/traffic.libsyn.com\/interarbor\/BriefingsDirectHow_to_Migrate_Your_Organization_to_a_More_Security-Minded_Culture__From_Development_to_Production_to_Partners.mp3?dest-id=20179\" target=\"_blank\" rel=\"noopener\"><strong>Listen<\/strong><\/a><strong>\u00a0to the\u00a0<\/strong><a href=\"http:\/\/briefingsdirect.com\/how-to-migrate-your-organization-to-a-more-security-minded-culture-from-development-to-production-to-partners\" target=\"_blank\" rel=\"noopener\"><strong>podcast<\/strong><\/a><strong>.\u00a0Find it on\u00a0<\/strong><a href=\"https:\/\/itunes.apple.com\/us\/podcast\/briefingsdirect-podcasts\/id85270006\" target=\"_blank\" rel=\"noopener\"><strong>iTunes<\/strong><\/a><strong>. Read a\u00a0<\/strong><a href=\"https:\/\/www.briefingsdirecttranscriptsblogs.com\/2021\/08\/how-to-migrate-your-organization-to.html\" target=\"_blank\" rel=\"noopener\"><strong>full transcript<\/strong><\/a><strong>\u00a0or\u00a0<\/strong><a href=\"https:\/\/www.slideshare.net\/danalgardner\/how-to-migrate-your-organization-to-a-more-securityminded-culture-from-development-to-production-to-partners\" target=\"_blank\" rel=\"noopener\"><strong>download<\/strong><\/a><strong>\u00a0a copy. 
Sponsor:\u00a0<\/strong><a href=\"https:\/\/www.traceable.ai\/\" target=\"_blank\" rel=\"noopener\"><strong>TraceableAI<\/strong><\/a><strong>.<\/strong><\/p>\n<h3 style=\"white-space: pre-wrap;\"><strong>YOU MAY ALSO BE INTERESTED IN:<\/strong><\/h3>\n<p class=\"\" style=\"white-space: pre-wrap;\">\u25cf\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0<a href=\"https:\/\/www.briefingsdirectblog.com\/2021\/06\/how-api-security-provides-killer-use.html\" target=\"_blank\" rel=\"noopener\"><strong>How API security provides a killer use case for ML and AI<\/strong><\/a><\/p>\n<p class=\"\" style=\"white-space: pre-wrap;\">\u25cf\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0<a href=\"https:\/\/www.briefingsdirectblog.com\/2021\/05\/securing-apis-demands-tracing-and.html\" target=\"_blank\" rel=\"noopener\"><strong>Securing APIs demands tracing and machine learning that analyze behaviors to head off attacks<\/strong><\/a><\/p>\n<p class=\"\" style=\"white-space: pre-wrap;\">\u25cf\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0<a href=\"https:\/\/www.briefingsdirectblog.com\/2021\/04\/rise-of-reliance-on-apis-brings-new.html\" target=\"_blank\" rel=\"noopener\"><strong>Rise of APIs brings new security threat vector &#8212; and need for novel defenses<\/strong><\/a><\/p>\n<p class=\"\" style=\"white-space: pre-wrap;\">\u25cf\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0<a href=\"https:\/\/traceable.ai\/dana\" target=\"_blank\" rel=\"noopener\"><strong>Learn More About the Technologies and Solutions Behind Traceable.ai.<\/strong><\/a><\/p>\n<p class=\"\" style=\"white-space: pre-wrap;\">\u25cf\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0<a href=\"https:\/\/www.traceable.ai\/blog-post\/what-threat-vectors-get-addressed-with-zero-trust-application-security?utm_source=partnersite&amp;utm_medium=podcast&amp;utm_term=episode-01&amp;utm_content=&amp;utm_campaign=gardner\" target=\"_blank\" rel=\"noopener\"><strong>Three Threat Vectors Addressed by Zero Trust App Sec<\/strong><\/a><\/p>\n<p class=\"\" style=\"white-space: 
pre-wrap;\">\u25cf\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0<a href=\"https:\/\/www.traceable.ai\/blog-post\/web-application-security-is-not-api-security?utm_source=partnersite&amp;utm_medium=podcast&amp;utm_term=episode-01&amp;utm_content=&amp;utm_campaign=gardner\" target=\"_blank\" rel=\"noopener\"><strong>Web Application Security is Not API Security<\/strong><\/a><\/p>\n<p class=\"\" style=\"white-space: pre-wrap;\">\u25cf\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0<a href=\"https:\/\/www.traceable.ai\/blog-post\/does-sast-deliver-the-challenges-of-code-scanning?utm_source=partnersite&amp;utm_medium=podcast&amp;utm_term=episode-01&amp;utm_content=&amp;utm_campaign=gardner\" target=\"_blank\" rel=\"noopener\"><strong>Does SAST Deliver? The Challenges of Code Scanning.<\/strong><\/a><\/p>\n<p class=\"\" style=\"white-space: pre-wrap;\">\u25cf\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0<a href=\"https:\/\/www.traceable.ai\/blog-post\/everything-you-need-to-know-about-authentication-and-authorization-in-web-apis?utm_source=partnersite&amp;utm_medium=podcast&amp;utm_term=episode-01&amp;utm_content=&amp;utm_campaign=gardner\" target=\"_blank\" rel=\"noopener\"><strong>Everything You Need to Know About Authentication and Authorization in Web APIs<\/strong><\/a><\/p>\n<p class=\"\" style=\"white-space: pre-wrap;\">\u25cf\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0<a href=\"https:\/\/www.traceable.ai\/blog-post\/top-5-ways-to-protect-against-data-exposure?utm_source=partnersite&amp;utm_medium=podcast&amp;utm_term=episode-01&amp;utm_content=&amp;utm_campaign=gardner\" target=\"_blank\" rel=\"noopener\"><strong>Top 5 Ways to Protect Against Data Exposure<\/strong><\/a><\/p>\n<p class=\"\" style=\"white-space: pre-wrap;\">\u25cf\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0<a href=\"https:\/\/www.traceable.ai\/blog-post\/traceai-machine-learning-driven-application-and-api-security?utm_source=partnersite&amp;utm_medium=podcast&amp;utm_term=episode-01&amp;utm_content=&amp;utm_campaign=gardner\" target=\"_blank\" 
rel=\"noopener\"><strong>TraceAI : Machine Learning Driven Application and API Security<\/strong><\/a><\/p>\n","protected":false},"excerpt":{"rendered":"<p class=\"\">A discussion on creating broader awareness of security risks and building a security-minded culture across organizations and ecosystems.<\/p>\n","protected":false},"author":1,"featured_media":52652,"comment_status":"open","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"_seopress_robots_primary_cat":"none","_seopress_titles_title":"","_seopress_titles_desc":"","_seopress_robots_index":"","_bbp_topic_count":0,"_bbp_reply_count":0,"_bbp_total_topic_count":0,"_bbp_total_reply_count":0,"_bbp_voice_count":0,"_bbp_anonymous_reply_count":0,"_bbp_topic_count_hidden":0,"_bbp_reply_count_hidden":0,"_bbp_forum_subforum_count":0,"content-type":"","footnotes":""},"categories":[16,411,24,43,21],"tags":[80,95,211,206,4,48,208,90,7,50,8,15,204,96,203,53,124,205],"coauthors":[],"class_list":["post-207","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-ai","category-blog","category-devops","category-security","category-user-experience","tag-ai","tag-aiops","tag-algorithms","tag-api","tag-briefingsdirect","tag-cloud","tag-cyber-security","tag-cybersecurity","tag-dana-gardner","tag-devops","tag-digital-transformation","tag-interarbor-solutions","tag-microservices","tag-ml","tag-secops","tag-security","tag-technology","tag-traceable","category-16","category-411","category-24","category-43","category-21","description-off"],"_links":{"self":[{"href":"https:\/\/connect-community.org\/wp-json\/wp\/v2\/posts\/207","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/connect-community.org\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/connect-community.org\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/connect-community.org\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\
/connect-community.org\/wp-json\/wp\/v2\/comments?post=207"}],"version-history":[{"count":0,"href":"https:\/\/connect-community.org\/wp-json\/wp\/v2\/posts\/207\/revisions"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/connect-community.org\/wp-json\/wp\/v2\/media\/52652"}],"wp:attachment":[{"href":"https:\/\/connect-community.org\/wp-json\/wp\/v2\/media?parent=207"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/connect-community.org\/wp-json\/wp\/v2\/categories?post=207"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/connect-community.org\/wp-json\/wp\/v2\/tags?post=207"},{"taxonomy":"author","embeddable":true,"href":"https:\/\/connect-community.org\/wp-json\/wp\/v2\/coauthors?post=207"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}