
Episode 011

Balancing Security with Speed with Ralph Pyne, CISO, Apollo.io

Aaron Morin sits down with Ralph Pyne, CISO of Apollo.io, for a conversation that challenges conventional security wisdom.

Show Notes

In this episode, Ralph Pyne, CISO at Apollo.io, reveals why traditional security approaches are failing in the age of AI and citizen developers. Ralph shares hard-won insights from building zero-to-one security programs at high-growth startups, including why the principle of least privilege access is fundamentally broken and how AI is making most security controls obsolete.

Ralph discusses the explosive growth of citizen developers using AI coding tools and the security challenges this creates when thousands of single-use apps can emerge across an organization in months. He explains his contrarian view that security teams need to assume failure and move toward statistical models similar to fraud prevention, rather than trying to achieve perfect access controls.

The conversation covers practical strategies for building security programs that accelerate rather than slow down business growth, including how to partner effectively with engineering teams and create metrics that drive real accountability. Ralph also shares his approach to making security training and policies more human-centered and consumable.


Transcript

Ralph Pyne [0:00:00]: The thing that's different now is just the velocity.

Ralph Pyne [0:00:01]: It's just the speed at which the tools have been rolled out.

Ralph Pyne [0:00:04]: Just staying ahead of the risk is a challenge at this point in time.

Ralph Pyne [0:00:07]: Either you have these problems and you're thinking about them or you have these problems and you're just not aware.

Aaron Morin [0:00:37]: Today's guest is Ralph Pyne, CISO of Apollo.io, and someone who's not afraid to challenge the traditional playbook when it comes to building security programs that actually scale.

Aaron Morin [0:00:46]: Ralph has spent the last several years leading zero-to-one security initiatives at high-growth startups, where speed and scale can easily outpace traditional controls.

Aaron Morin [0:00:55]: Along the way he's developed a reputation for doing things differently, from taking a data-first approach to security to questioning industry assumptions like the principle of least privilege access.

Aaron Morin [0:01:06]: I'm excited to dig in with him.

Aaron Morin [0:01:08]: Ralph welcome to Patch Me If You Can™

Aaron Morin [0:01:10]: Hey.

Ralph Pyne [0:01:11]: Thank you, Aaron.

Aaron Morin [0:01:12]: So, you know, we're in the midst of lots of shifts in the industry, mostly led by AI, and a number of other things. I'm curious, from your perspective, where you sit, Ralph, what's one of the security trends that you're seeing, or challenges you're seeing right now, that you think most teams aren't taking seriously enough?

Ralph Pyne [0:01:32]: Yeah.

Ralph Pyne [0:01:32]: I mean, I don't know about in terms of seriously enough, but I think you touched on AI.

Ralph Pyne [0:01:35]: Right?

Ralph Pyne [0:01:36]: And, you know, it's just such a massive transformation in the industry at the moment.

Ralph Pyne [0:01:40]: I think actually, up to a few months ago, even I wasn't taking this seriously enough.

Ralph Pyne [0:01:44]: And, you know, just to give you some context: as well as security, I run fraud and abuse and business systems, and my team last year as well.

Ralph Pyne [0:01:50]: And, you know, I was responsible for our internal AI initiatives, all the productivity uplift, all the tooling and this kind of stuff.

Ralph Pyne [0:01:56]: So being very close to that.

Ralph Pyne [0:01:57]: So, you know, I think I'm pretty AI aware, AI native at this point, and what I've seen is, literally in the last three months, and it's really been with the advent of Claude Code, Claude Code becoming so popular and so effective, we've just seen this step change in terms of the velocity of development in the organization, and also two things.

Ralph Pyne [0:02:17]: It's both velocity from an engineering perspective, and it's also the democratization of the tools.

Ralph Pyne [0:02:21]: So we're seeing a lot of, like, citizen developers pop up using vibe coding tools, beginning to build stuff, beginning to build agents, you know, with agents running on machines, you know, agents deployed in the data center, all this kind of stuff, you know, really being rolled out at an accelerating rate.

Ralph Pyne [0:02:35]: Again, if you'd asked me three months ago, like, hey, how's your AI strategy and program?

Ralph Pyne [0:02:39]: We were pretty far ahead both on the deployment side and the controls and governance side.

Ralph Pyne [0:02:42]: At this point in time, we're actually scrambling.

Ralph Pyne [0:02:44]: Right?

Ralph Pyne [0:02:45]: Which is, like, how do we continue to support the business, because, you know, these technologies are...

Ralph Pyne [0:02:49]: We're finding they are transformative, and I can give you some specific examples of metrics around that, of what we've seen.

Ralph Pyne [0:02:54]: But, you know, we are seeing the technologies being transformative, but the risk is also very significant.

Ralph Pyne [0:02:59]: And, you know, tip of the spear stuff, like, open chloride is obviously there.

Ralph Pyne [0:03:02]: But it's even just, you know, people building, and, you know, actually using the tools to build against various platforms, be that Sales or, you know, internal applications.

Ralph Pyne [0:03:10]: It's just a new thing.

Ralph Pyne [0:03:11]: So if you're not looking at that really seriously.

Ralph Pyne [0:03:13]: And I think, you know, at Apollo, like I said, we're pretty bleeding edge in terms of how we're adopting and using AI.

Ralph Pyne [0:03:19]: If you're not running into that now, yeah, you're gonna see in the next three to six months it's really going to be a big strain on security teams.

Aaron Morin [0:03:27]: Yeah.

Aaron Morin [0:03:27]: And I love the fact that you called out the citizen developers, as you called it. You know, there was an interesting article released recently talking about the rise of single-use apps that are being developed.

Aaron Morin [0:03:39]: You know, it could be someone in finance or someone in HR who's trying to vibe code something, whether it's a feature that they don't have in their current product, or a product that doesn't even exist, or something that's not being paid for by the company.

Aaron Morin [0:03:51]: And they're trying to solve their problems through vibe coding, which obviously opens up some new threat areas and some new vectors that I'm sure are very top of mind for you.

Ralph Pyne [0:04:01]: And that's amazingly powerful.

Ralph Pyne [0:04:02]: I personally do that.

Ralph Pyne [0:04:03]: Right?

Ralph Pyne [0:04:03]: You know, I'm, you know, in the course of building various tools, both in my personal and professional life and so on. But, you know, the way that we see this, we were having a discussion about this internally, which is that we could see, you know, we have almost a thousand people in the company, and, you know, if we enable a large proportion of those to do this kind of work.

Ralph Pyne [0:04:19]: We can have thousands, tens of thousands of apps in a pretty small period of time.

Ralph Pyne [0:04:23]: And it's just an incredible transformation from where we were.

Ralph Pyne [0:04:26]: You know?

Ralph Pyne [0:04:27]: And, I mean, one thing I will call out as well is, I don't think this is...

Ralph Pyne [0:04:30]: In a way it's not new.

Ralph Pyne [0:04:31]: Like, I've seen multiple of these transformations before: the move to cloud was one, SaaS was another, DevOps was another, whereby we went through this kind of step change and, like, fundamental change in, like, how the business operated, and security used to adapt to that.

Ralph Pyne [0:04:44]: But the thing that's different now is just the velocity.

Ralph Pyne [0:04:46]: Right?

Ralph Pyne [0:04:47]: It's just the speed at which the tools have been rolled out, the adoption and so on.

Ralph Pyne [0:04:50]: So I think mentally, if you're, like, intellectually flexible and intellectually curious...

Ralph Pyne [0:04:53]: Like, I mean, I kind of describe this as it's...

Ralph Pyne [0:04:56]: It's, like, insanely interesting and also incredibly scary.

Ralph Pyne [0:04:59]: Right?

Ralph Pyne [0:05:00]: At the same time.

Ralph Pyne [0:05:00]: Right?

Ralph Pyne [0:05:01]: It's like, I...

Ralph Pyne [0:05:01]: I love the technologies.

Ralph Pyne [0:05:02]: I think it's really incredible what we could do with them.

Ralph Pyne [0:05:05]: But, you know, just staying ahead of the risk is a challenge at this point in time.

Ralph Pyne [0:05:09]: And I'm not...

Ralph Pyne [0:05:10]: This is not proprietary to Apollo specifically.

Ralph Pyne [0:05:12]: I would say that either you have these problems and you're thinking about them, or you have these problems and you're not aware at this point in time, because I guarantee that there are some smart people in your organization who are using these tools, spinning them up. And, yeah, you've got an option.

Ralph Pyne [0:05:25]: Of course, you can absolutely lock that stuff down.

Ralph Pyne [0:05:26]: Right?

Ralph Pyne [0:05:27]: You know, we use, or, you know, we can use, or whatever, to implement controls on the endpoint to control this stuff.

Ralph Pyne [0:05:33]: But there are, you know, legitimate business uses.

Ralph Pyne [0:05:35]: So either you work with the business and you work with the engineers and you work with the users to try and build to support the technologies and what they're doing, or you really stand against it.

Ralph Pyne [0:05:43]: But the reality is, in my opinion, you know, the companies that don't make this move and adopt the technologies are gonna be left behind.

Ralph Pyne [0:05:50]: So, you know, we as security professionals have to be aligned with those business objectives of supporting, you know, the use of these technologies, but we have to work out how to

Aaron Morin [0:05:58]: do it safely.

Aaron Morin [0:05:58]: Yeah.

Aaron Morin [0:05:59]: And, like you alluded to, knowing is, obviously, half the battle.

Aaron Morin [0:06:02]: I think oftentimes folks in organizations, they see security as the...

Aaron Morin [0:06:07]: In many ways, in an unfair way, they see the security group as the team that slows things down.

Aaron Morin [0:06:13]: Decelerates things, gets in the way, but that's very much not the case, at least if you look at the bigger picture and what's at stake.

Aaron Morin [0:06:22]: You know, I'm curious, you mentioned AI being a step change.

Aaron Morin [0:06:26]: I love that you, you know, talked about these various different shifts that we've seen over the past couple of years, whether it's cloud or AI, et cetera, as being step changes.

Aaron Morin [0:06:35]: There are opportunities for businesses to do things more efficiently or to realize more value through the same or less level of effort.

Aaron Morin [0:06:42]: You know, how do you start to kind of change the perception, or shift the perception away from, oh, this team is just slowing things down?

Aaron Morin [0:06:50]: How do you build a culture of safety and security

Aaron Morin [0:06:52]: while still accelerating things like, like you mentioned, AI development?

Ralph Pyne [0:06:57]: There's a couple of approaches here.

Ralph Pyne [0:06:58]: I think there's a mindset you have to create within the security team.

Ralph Pyne [0:07:01]: You know, there's a perception of governance teams or control teams like security as departments of no.

Ralph Pyne [0:07:06]: Right?

Ralph Pyne [0:07:06]: And I think that, you know, I always like the phrase of, like, we're a department of yes, and.

Ralph Pyne [0:07:10]: Right?

Ralph Pyne [0:07:10]: Which is, like, yes, We're gonna help you to do this.

Ralph Pyne [0:07:12]: And you are gonna do these things as well, which is gonna make this, you know, controlled, secure, you know, reliable, all the various things that they need.

Ralph Pyne [0:07:20]: So I think the first thing is just, you know, it's just a mindset.

Ralph Pyne [0:07:24]: Like, I consider myself, and I really encourage this in my team, like, we are all here to drive the business forwards.

Ralph Pyne [0:07:29]: Like, we need to understand what the business objectives are, be that building product, generating revenue or, you know, healthy people.

Ralph Pyne [0:07:35]: Whatever your business is doing, like, fundamentally understanding what the business is there for, and keeping that in the front of your mind.

Ralph Pyne [0:07:40]: Right?

Ralph Pyne [0:07:40]: So, you know, I remember talking to a previous CEO and they said, one of your two objectives...

Ralph Pyne [0:07:44]: Let's say my two objectives in this company are driving revenue and reducing or managing risk.

Ralph Pyne [0:07:48]: Right?

Ralph Pyne [0:07:48]: And, you know, it's like...

Ralph Pyne [0:07:49]: And, you know, I really wanna build that mindset.

Ralph Pyne [0:07:52]: And I think if you take that mindset of, like, what are we trying to achieve as a business and you go back to that, then you start thinking about the context of, you know, the controls and what you're building and what you're supporting.

Ralph Pyne [0:08:01]: And fundamentally also what risks you're taking, because, like, you know, I generally work in pre-IPO startups, as I said, you know, they're lean, fast moving, you know, your biggest risk is, like, not finding product-market fit or, you know, not succeeding in your go-to-market, and, you know, these kinds of things.

Ralph Pyne [0:08:16]: And you need to contextualize the risk that we're taking as a business from a security perspective against the other risks the business has.

Ralph Pyne [0:08:23]: And I think if you can do that, and you can kind of, like, effectively communicate, like, hey, there are these challenges. You know, good examples of this: like, you know, hard lines for us have been things like AI browsers, open call, the new agents and things like that.

Ralph Pyne [0:08:36]: Well we just had to say, no.

Ralph Pyne [0:08:37]: Like, we cannot...

Ralph Pyne [0:08:38]: At this point in time, we don't have the controls to support these technologies securely.

Ralph Pyne [0:08:43]: So we'll draw a hard line.

Ralph Pyne [0:08:44]: But the reason that people will listen to you is that you built the credibility over time of really working with the business understanding what they're trying to achieve, aligning risks along with them.

Ralph Pyne [0:08:53]: And just giving them good advice and empowering the business. You know, I always say my role is not to say no.

Ralph Pyne [0:08:57]: Or whatever. It's, like, to give the business great information about what the risks are, so they can make good decisions contextualized against all the other things that they're doing.

Ralph Pyne [0:09:05]: So, yeah.

Ralph Pyne [0:09:06]: It's really just having that business context

Aaron Morin [0:09:09]: and being business aligned ultimately, and that helps you solve the problems.

Aaron Morin [0:09:11]: You know, when you think about doing those things and doing it well and making sure that you're aligned with where the business is going.

Aaron Morin [0:09:17]: I'm sure, you know, metrics come into view, things like KPIs.

Aaron Morin [0:09:23]: Yeah.

Aaron Morin [0:09:23]: I'm not sure how you all over at Apollo, you know, measure where you are and where you're trying to go.

Aaron Morin [0:09:28]: Obviously, data-driven, that concept that's been thrown around for a while now.

Aaron Morin [0:09:32]: Teams talk about dashboards and reports.

Aaron Morin [0:09:34]: There's, you know, countless LinkedIn thought pieces about what data-driven is and isn't.

Aaron Morin [0:09:40]: In practice, what does being truly data-driven mean to you when it comes to security, and how does that tie into some of the things we've talked about already?

Ralph Pyne [0:09:49]: Yeah.

Ralph Pyne [0:09:49]: I mean, I could spend the entire rest of this session talking about that one subject, honestly.

Ralph Pyne [0:09:52]: Again, going back to speaking, you know, along business lines, speaking a language that the executive understands.

Ralph Pyne [0:09:58]: You know, if you...

Ralph Pyne [0:09:59]: One of the things that, you know, in a functional business, you know, most really high-functioning businesses are extremely metrics-driven, and, you know, they're looking at sales figures or, you know, deployment velocity or, you know, there's, like, you know, NPS and so on.

Ralph Pyne [0:10:11]: And so I think the, you know, the thing there is, like, finding what are the effective metrics that you need to measure your security program.

Ralph Pyne [0:10:19]: And honestly, obviously, there are many more bad metrics than there are good metrics.

Ralph Pyne [0:10:21]: And, you know, my definition...

Ralph Pyne [0:10:24]: Is it's a couple of things.

Ralph Pyne [0:10:25]: When you start a program, you will start...

Ralph Pyne [0:10:27]: I think you have, you know, transitional metrics and you have permanent metrics.

Ralph Pyne [0:10:30]: Like a transitional metrics is something you're measuring because you're trying to improve it to get to a certain state.

Ralph Pyne [0:10:34]: Then you have, like, a, you know, long-standing kind of permanent metric, which is something which is, like, what is the final outcome that measures the security maturity and efficiency of the program, you know, within the organization.

Ralph Pyne [0:10:45]: And so I'm saying this, like, hey, this is really...

Ralph Pyne [0:10:48]: You know, whatever. I'm saying this because getting this right is incredibly hard.

Ralph Pyne [0:10:50]: Right?

Ralph Pyne [0:10:51]: So the challenges in here are, like, defining what those metrics are for your specific organization.

Ralph Pyne [0:10:56]: And there's also just the measurement.

Ralph Pyne [0:10:57]: Right?

Ralph Pyne [0:10:58]: Because, you know, often, you...

Ralph Pyne [0:11:00]: I've seen a lot of metrics programs.

Ralph Pyne [0:11:02]: People manage the stuff that they can measure, and the stuff they can measure is defined by certain technical limitations that they have of how they can dig into the system.

Ralph Pyne [0:11:10]: So I've done this, I've worked with vendors to do this before, I've built my own metrics programs. I think that the key thing is, like, you know, really understanding, like, looking at that thing around change.

Ralph Pyne [0:11:20]: Like, looking at what the key metrics are.

Ralph Pyne [0:11:22]: I'm not gonna get into specifics because again...

Ralph Pyne [0:11:23]: But I think the things that we really want to look at are, you know, what are the things that are gonna influence change, which metrics can you assign to teams and individuals. Like, one of the great things about metrics programs is you use metrics to be able to hold people accountable, because especially at an executive level, having metrics and rolled-up metrics and presenting them, like, at some kind of executive metrics meeting or business meeting, planning meeting and so on, is a very good way of, like, communicating state, getting people to look at, you know, their challenges, and you can also tie, like, OKRs and bonuses and all kinds of good stuff to them as well.

Ralph Pyne [0:11:55]: So I think it's an ideal that we should aspire to in security.

Ralph Pyne [0:11:58]: I think it's something that, especially, you know, as I kind of described, you know, I've built zero-to-one security programs, you know, in, you know, fast-growing, you know, tech startups.

Ralph Pyne [0:12:07]: A lot of times when you join a company like that.

Ralph Pyne [0:12:09]: They're not really ready.

Ralph Pyne [0:12:09]: Now, they don't have the telemetry.

Ralph Pyne [0:12:11]: They don't have the systems, they don't have a way of creating the data, but you need to move to those things, both at a procedural level, just like managing SLAs and stuff like that, but also, like, technical capabilities and so on.

Ralph Pyne [0:12:21]: So, yes.

Ralph Pyne [0:12:22]: I'm a big fan, you know, but it's hard.

Aaron Morin [0:12:26]: It is hard.

Aaron Morin [0:12:26]: And you alluded to this as well, but so often teams, they wanna measure certain things.

Aaron Morin [0:12:31]: They don't have the instrumentation, though, right now in that current moment to measure those things. You know, maybe for the folks that are listening that are curious, when they go zero to one, when they're looking to build that instrumentation, is there any guidance that you can provide?

Ralph Pyne [0:12:46]: Yeah.

Ralph Pyne [0:12:46]: I assume I think the...

Ralph Pyne [0:12:47]: Historically, you know, I've looked to what I've seen in enterprise.

Ralph Pyne [0:12:51]: I won't start on enterprise, and, like, at the enterprise scale, this stuff is usually established and everyone rolls it themselves.

Ralph Pyne [0:12:57]: There's companies in this space, you know, I...

Ralph Pyne [0:12:59]: I would go and have a look at those and see what they can do.

Ralph Pyne [0:13:01]: The challenge I've seen there is just that, you know, it's so specific.

Ralph Pyne [0:13:05]: Right?

Ralph Pyne [0:13:05]: The systems that you're running, be it across apps, servers and cloud and whatever.

Ralph Pyne [0:13:08]: The normalization of this data has always been a struggle.

Ralph Pyne [0:13:11]: So I think that the key thing I would look at is, like, make a buy/build decision initially, and do look at the vendors.

Ralph Pyne [0:13:17]: There are some good vendors out there who are beginning, pretty new, so this space, see what the vendors out there are doing.

Ralph Pyne [0:13:21]: The second thing is, don't try and measure too many things.

Ralph Pyne [0:13:23]: Right?

Ralph Pyne [0:13:24]: Like, really focusing on, like, what are the key metrics.

Ralph Pyne [0:13:26]: It's easy to go gather a hundred things, most of them of no value.

Ralph Pyne [0:13:29]: That's like, I've seen people show, like, number of attacks on our firewall or something ridiculous like that, it's in the millions or whatever.

Ralph Pyne [0:13:35]: It's just completely meaningless to us.

Ralph Pyne [0:13:36]: Right?

Ralph Pyne [0:13:36]: And, you know, it's really going back and looking.

Ralph Pyne [0:13:39]: Go back to that point of about accountability.

Ralph Pyne [0:13:40]: Working out, like, what what are the metrics gonna drive?

Ralph Pyne [0:13:43]: Is this just a vanity metric We put it up here It looks good.

Ralph Pyne [0:13:46]: Great, you know, it does nothing, or by monitoring this metric, by measuring this system, are you actually gonna drive a significant change?

Ralph Pyne [0:13:53]: Now one thing I will also advise, and I've done this because I work with engineering teams a lot, you know, working in tech startups, you work very closely with engineering teams.

Ralph Pyne [0:14:01]: One of the things I found is engineers responded very well to having defined metrics.

Ralph Pyne [0:14:04]: So engineers, like, love logic, they like things being defined; give them a problem and they'll go solve it, you know, well.

Ralph Pyne [0:14:08]: However, one thing I really have found is that when you start measuring and comparing the teams, there's a lot of pushback.

Ralph Pyne [0:14:13]: Right?

Ralph Pyne [0:14:13]: So, you know, for example, you might be looking at, you know, how quickly people are patching vulnerabilities or, you know, bugs of a certain severity level and so on.

Ralph Pyne [0:14:22]: And you start benchmarking, you build a dashboard across the teams, you have a score and whatever.

Ralph Pyne [0:14:25]: People do get very competitive.

Ralph Pyne [0:14:27]: But, I mean, it's also, which is great because they fix the issues.

Ralph Pyne [0:14:29]: But the challenge there is that you also do get pushback and friction.

Ralph Pyne [0:14:33]: Right?

Ralph Pyne [0:14:34]: And there's a lot of argument about how the metrics are measured and all this kind of stuff.

Ralph Pyne [0:14:37]: So you have to be thoughtful. Before you institute a metric, really think about the story you're trying to tell with that, the impact you're trying to drive, and then what the impact on the people being measured is gonna be.

Aaron Morin [0:14:47]: I love it.

Aaron Morin [0:14:48]: And that holistic view, like you say, creates that well-rounded metric that you're able to go and actually have be of value to the organization, and not something that is noise and, like you said, a vanity metric that has little meaning to none.

Aaron Morin [0:15:01]: Alright.

Aaron Morin [0:15:01]: Well, I know before the show, you mentioned the concept of least privilege access was a redundant one.

Aaron Morin [0:15:08]: I know you've developed over time, you know, some very strong thoughts around what that should look like in an organization in practice, you know, what access should look like.

Aaron Morin [0:15:18]: And I'd love to hear, you know, a little bit about what privilege done right looks like inside of an organization.

Aaron Morin [0:15:26]: And, you know, maybe how that conclusion has led you to implement it, and any things you've found to be gotchas in implementing privileged access, or access in general.

Ralph Pyne [0:15:38]: Well, yeah.

Ralph Pyne [0:15:39]: I like that one to attack because, you know, principle of least privilege is just, like, so codified in so many of the security standards we have.

Ralph Pyne [0:15:44]: You know, I work in B2B companies.

Ralph Pyne [0:15:46]: We exchange security questionnaires and talk to vendors.

Ralph Pyne [0:15:49]: It's just such a common question in my audits and questionnaires and this kind of thing.

Ralph Pyne [0:15:53]: And I think that it's one.

Ralph Pyne [0:15:55]: There aren't many, and again, we could spend time on this, but, like, there are many, I think, you know, kind of well-trodden paths or, like, things that we kind of accept as truths in the security industry.

Ralph Pyne [0:16:04]: That are just no longer true.

Ralph Pyne [0:16:05]: If they were ever true.

Ralph Pyne [0:16:06]: Right?

Ralph Pyne [0:16:06]: Because...

Ralph Pyne [0:16:07]: And I think principle of least privilege for me is, like, right the pinnacle of that, because it's so specific.

Ralph Pyne [0:16:11]: It's like, have you defined, you know, the minimum required access or whatever? Everyone says, you know, yes, we have. No one ever has.

Ralph Pyne [0:16:17]: You know, I've never seen...

Ralph Pyne [0:16:18]: I've never talked to CISOs.

Ralph Pyne [0:16:19]: I've never worked in an organization where actually that policy is strictly applied.

Ralph Pyne [0:16:23]: Now you can step back away from it and say, well, you know, we've taken commercially reasonable steps to get there.

Ralph Pyne [0:16:27]: Well, say that.

Ralph Pyne [0:16:28]: Right?

Ralph Pyne [0:16:28]: That should be the requirement.

Ralph Pyne [0:16:29]: But I also think it's interesting because we probably initially, you know, we talked about this.

Ralph Pyne [0:16:33]: Maybe I was asked that question, it was probably a few months ago.

Ralph Pyne [0:16:36]: Originally, the, you know, I put that in just like, hey.

Ralph Pyne [0:16:39]: There's this kind of shi out here.

Ralph Pyne [0:16:40]: What is it?

Ralph Pyne [0:16:40]: I'm kind of coming to the opinion that...

Ralph Pyne [0:16:43]: And this is also driven by...

Ralph Pyne [0:16:44]: Again, the rapid changes in Ai.

Ralph Pyne [0:16:45]: And I've seen it, you know, kinda mentioned some the previous kind step changes to transformations.

Ralph Pyne [0:16:49]: I think a lot of the security controls that we historically have implemented are going to be essentially redundant in, you know, AI systems, which are essentially gonna be the vast majority of systems that we're running, because... And again, you know, I'd love it if someone can argue with me on this.

Ralph Pyne [0:17:05]: Please hit me up directly if anyone's got better answers than I have on this. But I think that if you look at, for example, how, you know, LLMs are being constructed, as you pull data into an LLM and you train on the data.

Ralph Pyne [0:17:15]: The LLM is losing all of the access control information as it's building the model.

Ralph Pyne [0:17:19]: Right?

Ralph Pyne [0:17:20]: So, you know, the reality is that the LLM is just responding to the particular context.

Ralph Pyne [0:17:24]: And even before that, the reality was, if security was, like, you know, permissions applied, they were generally applied poorly.

Ralph Pyne [0:17:30]: There were a lot of gaps.

Ralph Pyne [0:17:31]: We spent a lot of time by trying to filter through and find exceptions and build appropriate roles and all this kind of stuff, but it was, like, it wasn't good in the first place.

Ralph Pyne [0:17:37]: And I think a lot of the security controls that we've historically relied on, you know, as we move to this much faster moving world, as we move to, like, you know, the loss of information moving into LLMs and this kind of stuff.

Ralph Pyne [0:17:47]: I think that stuff's gonna go away.

Ralph Pyne [0:17:48]: So I think, historically, you know, we've tried to build the security, you know, each layer of security.

Ralph Pyne [0:17:55]: Each generation of security has kind of inherited a bunch of concepts that have come from the previous generations.

Ralph Pyne [0:18:00]: And I think we're at this point.

Ralph Pyne [0:18:02]: And I... and, actually, when I look back, you know, it's like one of those things where...

Ralph Pyne [0:18:04]: You know, you don't really see the transition.

Ralph Pyne [0:18:07]: It's like the boiling frog.

Ralph Pyne [0:18:08]: And, they say, it's a false thing.

Ralph Pyne [0:18:09]: It isn't a real thing.

Ralph Pyne [0:18:10]: But, like, you know, imagine the frog boiling in water or whatever.

Ralph Pyne [0:18:12]: I feel like Ai for me has been this point.

Ralph Pyne [0:18:14]: If I look back and I look at cloud and at SaaS and whatever.

Ralph Pyne [0:18:17]: I just realized, like, the things that we are conceptually, academically relying on.

Ralph Pyne [0:18:21]: They just haven't been working for a long time, and they're especially not gonna work in this environment.

Ralph Pyne [0:18:25]: So what's next?

Ralph Pyne [0:18:27]: Right?

Ralph Pyne [0:18:27]: And that's kind of what I'm interested in is, like, I think there's a couple of things.

Ralph Pyne [0:18:30]: I think AI is the problem and also the potential solution.

Ralph Pyne [0:18:32]: It allows us, for example, to analyze information and content much faster than we have before.

Ralph Pyne [0:18:37]: So I think that we're gonna move towards, you know, still defining roles.

Ralph Pyne [0:18:40]: I think it's extremely important to think about the concepts of roles and access, but I think the context of data is gonna become much more important.

Ralph Pyne [0:18:46]: I think we're going to make many more access decisions on the fly.

Ralph Pyne [0:18:50]: I think we're gonna start analyzing.

Ralph Pyne [0:18:51]: And these these are not new concepts necessarily, but it's, like, aggregating them.

Ralph Pyne [0:18:55]: And use them in this model.

Ralph Pyne [0:18:56]: I think we're gonna start basically permitting access and then looking for abuse.

Ralph Pyne [0:19:00]: Right?

Ralph Pyne [0:19:01]: So one of the teams I also run is fraud and abuse at Apollo.

Ralph Pyne [0:19:03]: And we do a lot of stuff statistically.

Ralph Pyne [0:19:06]: In fact, one of the things I kind of joke about in fraud, but it's kinda serious,

Ralph Pyne [0:19:09]: is, you know, with fraud, you're failing every day.

Ralph Pyne [0:19:13]: Right?

Ralph Pyne [0:19:13]: But what you get to do is control how much you fail.

Ralph Pyne [0:19:15]: And actually, that's the magic and that's the skill of running a fraud program: you dial the controls up to a level whereby the cost is appropriate for the risk reduction, the fraud reduction, you see.

Ralph Pyne [0:19:25]: And I think these kind of more statistical models, this more kind of, like dynamic analysis and dynamic application of security.

Ralph Pyne [0:19:31]: It's the closest thing I can see as a solution as we move into a new world.

Ralph Pyne [0:19:34]: So Yeah.

Ralph Pyne [0:19:35]: I mean, not only do I think the concept of the principle of least privilege is flawed.

Ralph Pyne [0:19:39]: I think it's not even relevant.

Ralph Pyne [0:19:40]: I think when we're moving into an LLM and a modern agent world and, you know, all of these things communicating with each other.

Ralph Pyne [0:19:47]: I think we just have to really start thinking about new principles of how we do that.

Ralph Pyne [0:19:52]: If anyone has the answers, tip me off, because I'm...

Ralph Pyne [0:19:54]: I'm still trying to solve this problem there.

Aaron Morin [0:19:57]: No.

Aaron Morin [0:19:57]: That...

Aaron Morin [0:19:57]: That's great.

Aaron Morin [0:19:57]: And that's so interesting.

Aaron Morin [0:19:58]: The visual is almost, like, the concept of privileges is going from 2D chess to 3D chess.

Aaron Morin [0:20:04]: There's so much more to consider around, like, data classification and privilege and, like you mentioned, the information that's training the model.

Aaron Morin [0:20:13]: How do you ring fence that?

Aaron Morin [0:20:14]: I think that's gonna be a challenge that many companies have to deal with in moving into this AI world.

Ralph Pyne [0:20:20]: I think the other thing is that you also have to assume failure.

Ralph Pyne [0:20:22]: Right?

Ralph Pyne [0:20:22]: I think we come from a principle in security of, like, there's a binary set of decisions.

Ralph Pyne [0:20:27]: And if we do enough work, we can make things secure.

Ralph Pyne [0:20:29]: I mean, I'm not saying that's real because it's not.

Ralph Pyne [0:20:31]: But I think there's almost been...

Ralph Pyne [0:20:33]: That's kind of, like, again, why the principle of least privilege is irritating to me, because it's like, there's this assumption of, like, oh, you do the right set of things and it's gonna be okay.

Ralph Pyne [0:20:40]: And the reality is, we all know, like, you know, as practitioners, we all build incident response plans.

Ralph Pyne [0:20:44]: Right?

Ralph Pyne [0:20:44]: And they're incredibly important.

Ralph Pyne [0:20:45]: And, you know, we know that things are gonna go wrong.

Ralph Pyne [0:20:48]: I think the skill is, and I think that more and more architectures are gonna assume failure, but it's going to be, you know, moderating how that failure is controlled.

Ralph Pyne [0:20:57]: And the volume and the scope.

Ralph Pyne [0:20:59]: And I think that's, like, the more mature security programs are going to, you know, pick up on those things.

Aaron Morin [0:21:07]: Maybe zooming out.

Aaron Morin [0:21:07]: Right?

Aaron Morin [0:21:08]: Because privilege is just one aspect of a well-built, mature security program.

Aaron Morin [0:21:15]: You know, you've obviously built a number of zero to one security programs in your career.

Aaron Morin [0:21:20]: How do companies level up their security and their security posture without slowing things down, kind of tying this back to the previous question that we talked about around the perception of security?

Aaron Morin [0:21:32]: Like, what's your playbook for keeping speed and momentum for product teams, for other internal teams that are building, maybe, you know, what does that look like when you're building it from scratch?

Ralph Pyne [0:21:45]: Yeah.

Ralph Pyne [0:21:45]: There's a lot of ways of answering that question because there's a lot of areas of the business you can interact with.

Ralph Pyne [0:21:49]: But I think the...

Ralph Pyne [0:21:49]: You're kind of alluding to the fact of, like in a product and engineering kind of organization.

Ralph Pyne [0:21:53]: And that's probably the easiest one for me to answer.

Ralph Pyne [0:21:55]: So, you know, my background, you know, I've done engineering teams before.

Ralph Pyne [0:21:58]: And so I'm very sympathetic to this.

Ralph Pyne [0:22:01]: Right?

Ralph Pyne [0:22:01]: I've been in the position of pain of, I once joined a company as a director of security and I ended up running engineering.

Ralph Pyne [0:22:05]: Right?

Ralph Pyne [0:22:06]: And I could tell you when I was running engineering, I spent about one percent of my time thinking about security.

Ralph Pyne [0:22:10]: So the reality there is, like, you know, you've got these strong business drivers.

Ralph Pyne [0:22:14]: You've got product.

Ralph Pyne [0:22:15]: You've got customers.

Ralph Pyne [0:22:16]: You've got product, like, teams pushing on you to ship product fast.

Ralph Pyne [0:22:19]: So firstly, I start with that position of empathy.

Ralph Pyne [0:22:22]: Right?

Ralph Pyne [0:22:22]: It's like, you know, what is the business trying to achieve, what are the individuals trying to achieve in the process?

Ralph Pyne [0:22:25]: Then the second thing is we do have to have controls.

Ralph Pyne [0:22:28]: Right?

Ralph Pyne [0:22:28]: We do have to have detection response whatever within these processes.

Ralph Pyne [0:22:32]: But when we're building them, you know, again, I tend to staff engineers in my teams.

Ralph Pyne [0:22:37]: So there we can be running alongside.

Ralph Pyne [0:22:40]: You know, we kind of look at...

Ralph Pyne [0:22:41]: When you go into an organization, you're building a series one program.

Ralph Pyne [0:22:44]: Sometimes there are some controls there, frequently not.

Ralph Pyne [0:22:47]: Right?

Ralph Pyne [0:22:47]: And so you go in, you analyze existing process.

Ralph Pyne [0:22:50]: And the first thing, I think about is actually how can I make this faster?

Ralph Pyne [0:22:52]: Right?

Ralph Pyne [0:22:53]: So, you know, you talk to the teams, you understand the problems that they're trying to solve.

Ralph Pyne [0:22:56]: You work out, like, in a lot of cases, people are doing security and they're doing it badly.

Ralph Pyne [0:23:00]: Or they're doing it in an inefficient way.

Ralph Pyne [0:23:01]: And my first starting point is, like, let's start driving efficiencies here, like, use better tooling, remove the stuff that doesn't make sense.

Ralph Pyne [0:23:08]: But then also, like, when you're building controls, like, you know, for example, a good example is around vulnerability management.

Ralph Pyne [0:23:14]: You know?

Ralph Pyne [0:23:15]: So you know, you want to raise very specific issues to report to the business.

Ralph Pyne [0:23:19]: So when you haven't...

Ralph Pyne [0:23:20]: When we have an issue, we will do as much work as we can technically and, you know, using humans, to ensure that the issues that we're escalating are really relevant.

Ralph Pyne [0:23:28]: Right?

Ralph Pyne [0:23:29]: You know, reachability analysis.

Ralph Pyne [0:23:30]: Is it affecting, you know, company data? Like, appropriate prioritization.

Ralph Pyne [0:23:35]: And then we bring the issue forward.

Ralph Pyne [0:23:37]: And as much as possible, often bring the fix as well.

Ralph Pyne [0:23:39]: So the engineers on my team will often build the fix for them and just give them a pull request and say, hey.

Ralph Pyne [0:23:45]: Here's the problem.

Ralph Pyne [0:23:45]: This is why this is a problem.

Ralph Pyne [0:23:47]: Here's the solution.

Ralph Pyne [0:23:48]: Click on this button and it'll be up.

Ralph Pyne [0:23:50]: Right?

Ralph Pyne [0:23:51]: And it's like, this kind of thing, when you get to that level, and, you know, then the engineering team knows, you know, you really care about what they...

Ralph Pyne [0:23:58]: You understand their problems.

Ralph Pyne [0:23:59]: You really care about what they don't.

Ralph Pyne [0:24:00]: You care about the business; you're trying to move fast.

Ralph Pyne [0:24:02]: You can build processes that really dovetail well.

Ralph Pyne [0:24:04]: And, of course, there's gonna be some increasing work.

Ralph Pyne [0:24:06]: Okay, you know, nothing is ever free.

Ralph Pyne [0:24:08]: But again, you know, if you've done this pre-work to really understand, you know, what the challenges are, the engineering team knows that you are working on the most important things.

Ralph Pyne [0:24:17]: You get very little pushback in my experience.

Ralph Pyne [0:24:19]: It's like, you know, they're, like, they know that you're giving them high quality problems and often high quality solutions.

Ralph Pyne [0:24:25]: And so I think that, again, an aspiration to never slow them down at all is probably impossible.

Ralph Pyne [0:24:30]: But to actually, you know, go as fast as you can and be aligned with them, you know, that's definitely achievable.

Ralph Pyne [0:24:35]: And I found, actually, honestly, it's very successful, because you get to that position where you're working as partners with the engineering team.

Ralph Pyne [0:24:41]: I actually...

Ralph Pyne [0:24:42]: In my role now I'm actually in engineering.

Ralph Pyne [0:24:43]: But, you know, you actually are, you know, partnering with those specific teams, and you have the same business goals.

Aaron Morin [0:24:50]: Yeah.

Aaron Morin [0:24:50]: I love the fact that you're calling out the partnership that really needs to exist; with all the leaders that I've worked with in the past that are responsible for, or in, organizations' IT and/or security.

Aaron Morin [0:25:01]: The strong feeling of partnership and trust is really where the best things come from.

Aaron Morin [0:25:05]: And so I love that answer.

Aaron Morin [0:25:07]: What are some of the thoughts or ways of doing things or approaches or philosophies, whatever you wanna call it, that you really wish more folks in the industry were following or took seriously, or saw what you're doing and wanted to kinda recreate?

Ralph Pyne [0:25:22]: Yeah.

Ralph Pyne [0:25:22]: I think probably, and this has been a point for me for a long time is just around things like the way that we interact with the people in the business.

Ralph Pyne [0:25:29]: It's, you know, the end users and engineers and so on.

Ralph Pyne [0:25:33]: I have worked...

Ralph Pyne [0:25:33]: I've worked coming out of financial services and I remember going through compliance training, worst thing ever, and you have to every year, no matter what.

Ralph Pyne [0:25:39]: This kind of stuff. And I swore, having done that, like, the fifth year I've done it, whatever, I was like, I will never inflict this on anyone else.

Ralph Pyne [0:25:45]: So I think that, you know, there's a couple of things.

Ralph Pyne [0:25:48]: You know, I genuinely believe, you know, most people working in an organization want to do the right thing.

Ralph Pyne [0:25:53]: You know, they're diligent, they're honest, they're hardworking.

Ralph Pyne [0:25:56]: And I think that, you know, the way that we interact with them.

Ralph Pyne [0:26:00]: And the way we give access to systems, but also train them.

Ralph Pyne [0:26:03]: And so on should reflect that.

Ralph Pyne [0:26:04]: So, you know, a couple of things that I'm really keen on is, and we're...

Ralph Pyne [0:26:08]: We're caught in the middle here because, you know, the...

Ralph Pyne [0:26:10]: So it's...

Ralph Pyne [0:26:11]: Well, the two things are policy and training.

Ralph Pyne [0:26:13]: Right?

Ralph Pyne [0:26:13]: So around policies, we have requirements, and especially as you move towards being a public company, those requirements become more and more onerous.

Ralph Pyne [0:26:19]: But, you know, around the compliance requirements we have, the regulatory requirements we have, there's a lot of stuff to generate policy and so on.

Ralph Pyne [0:26:26]: And, you know, we send people these, like, three-hundred-page policies and expect them to read them.

Ralph Pyne [0:26:30]: So, you know, that's one thing, you know, we really try and make, you know, when we engage with people from a policy perspective, we try and make things as consumable, as simple, as easy to use as possible.

Ralph Pyne [0:26:40]: So, you know, we do, like, bite-size training in Slack.

Ralph Pyne [0:26:43]: We send people, like...

Ralph Pyne [0:26:45]: Very short videos.

Ralph Pyne [0:26:46]: Right?

Ralph Pyne [0:26:46]: Just, like, really kind of consumable content. Like, what is the thing we're trying to achieve?

Ralph Pyne [0:26:50]: What's the goal from a security perspective?

Ralph Pyne [0:26:51]: What's the minimum amount of content we can give them to get to that point and make that consumable?

Ralph Pyne [0:26:55]: So, yes, it's that kind of combination between, you know, policy and training. Like, I think I've seen so much bad stuff in this space.

Ralph Pyne [0:27:02]: And, you know, really just orientated around the compliance objective.

Ralph Pyne [0:27:05]: And I think we actually need to flip that around and be more human focused and actually look at the outcomes and build stuff that's actually engaging with people.

Ralph Pyne [0:27:13]: So that's something that...

Ralph Pyne [0:27:14]: I think maybe it's still unusual, because I don't think a lot of security people really care about that stuff that much.

Ralph Pyne [0:27:18]: From what I've seen, but I think that that interface with people is really important.

Aaron Morin [0:27:22]: Ralph, I have one more question for you.

Aaron Morin [0:27:23]: It's the question that we like to close out these episodes with if you could instantly patch anything in your world in tech, security or life, what would that be?

Ralph Pyne [0:27:34]: This is a hard one.

Ralph Pyne [0:27:34]: I spent a lot of time thinking about this, and I'm going to try to get to a root thing, because, like, if I could...

Ralph Pyne [0:27:39]: This is like a wish.

Ralph Pyne [0:27:39]: Right?

Ralph Pyne [0:27:40]: If I could change one thing, I think it would have a meaningful effect.

Ralph Pyne [0:27:43]: I think it's actually, you know, people having a greater level of empathy for one another.

Ralph Pyne [0:27:46]: This applies at work.

Ralph Pyne [0:27:47]: I think it applies socially.

Ralph Pyne [0:27:48]: I think it applies, you know, politically internationally and so on.

Ralph Pyne [0:27:51]: I think, you know, I see a lot of people really in their own heads.

Ralph Pyne [0:27:55]: And I think if we could just kinda get out and think about others, and something I personally try to do a lot is put myself in other people's shoes.

Ralph Pyne [0:28:04]: I think we'd have better personal lives, better work lives, better society and so on.

Aaron Morin [0:28:09]: That's great.

Aaron Morin [0:28:09]: And, obviously, based off this conversation, you know, we've taken away that that's a lot of how you lead your security functions and org and people within those orgs.

Aaron Morin [0:28:18]: So that's been almost the red string that's gone across this whole conversation.

Aaron Morin [0:28:22]: I love it.

Aaron Morin [0:28:23]: Well, thank you, Ralph for joining us on this episode of Patch Me If You Can™.

Aaron Morin [0:28:26]: If you like this episode, hit follow, share it with someone who is ready to lead IT and security from the front, and we'll look forward to seeing you all next time.
