April 18, 2024 46 mins

This episode of Code to Cloud features a discussion with Immuta's CISO, Mike Scott, and Co-Founder and CTO, Steve Touw, hosted by Andy Schneider, Field CISO EMEA at Lacework. Mike is a highly experienced and accomplished leader in information and data security, real-time analysis of immediate threats, and IT and infrastructure designs. And Steve is known for his data science work with US Special Operations Command and the US Intelligence Community. The conversation centers around the importance of a 'shift left' culture in software development, emphasizing security from the start of the development process. Both guests share how this approach has enabled Immuta to move to a SaaS model, deliver features and security fixes more rapidly, and foster a strong security culture by bringing the CISO and CTO teams closer together. Practical insights include the adoption of communication tools like Slack, the significance of automation in maintaining a rapid release cadence, and the importance of understanding employee communication styles using the DISC assessment. The discussion also touches on overcoming conflicts and the critical role of setting realistic goals in achieving security and compliance milestones.

Key Quotes

“Security is inevitable. And we can all look back and see where it's delayed us, when security was brought in at the end of the game. Versus if we can move our mindset to really thinking from ideation all the way through creation to delivery of software, we're going to meet a lot of those challenges early. And then what we've seen, I think the outcome is a more timely release and less of security being a roadblock and more just like a small speed bump along the way.” - Mike Scott

“Shifting left has also allowed our teams to understand the security impact sooner. And so when a critical vulnerability comes out, the engineering team has already decided, ‘Are we vulnerable? What's the fix going to be?’ within hours of getting that notification versus responding to a customer's inquiry before.” - Mike Scott

“We needed the security to be there so that we could change our release cadence, the shift left. And our architecture changed quite a bit too. Most of our customers are SaaS now, used to be self-managed on-prem type solution. And we've really tried to push the SaaS solution because it helps us with releasing faster, getting features in our customers' hands faster, but also allows us to deploy security fixes more quickly as well. So, that forcing function of having to deliver more quickly, of providing it or making us do the shift left to be able to do that. It flipped it on its head and also allows us to fix problems more quickly as well.” - Steve Touw

“I'm constantly reminding our governance committee, ‘Hey, we put a lot of stuff on this team to meet ISO requirements and slot 3 requirements.’ And for me, that's defending my partner, Steve, right? It's saying, ‘Hey, this is taking extra time. This is taking away from his ability to deliver product.’ And so when they're hearing Steve say it, and they're hearing Mike say it, and they're hearing other parts of the business say it, it's also helping get that justification for resources or at least changing prioritization.” - Mike Scott

Time Stamps

[0:40] Introducing the Special Episode with Immuta's CISO and CTO

[1:46] The Shift Left Culture: Enhancing Security and Efficiency

[3:24] Building a Security-Minded Engineering Culture at Immuta

[5:34] The Measurable Benefits of Shifting Left in Security

[10:04] Fostering Collaboration Between CISOs and CTOs

[14:43] Championing Security Through Engineering and Automation

[22:04] The Critical Role of Automation in Modern Software Development

[23:46] The Drive for Faster Feature Delivery

[24:16] Breaking Down Big Goals into Manageable Pieces

[24:36] The Journey to Compliance and Certification

© 2025 iHeartMedia, Inc.