November 25, 2024 • 39 mins
Anne Baker's journey from mechanical engineering to cybersecurity marketing is nothing short of inspiring. With a love for math inherited from her father, Anne began her career at Boeing before leveraging her engineering skills in various roles, eventually landing in the tech-forward world of cybersecurity marketing. We share our own unconventional paths, including a leap from criminal justice to cloud security engineering, while highlighting the diverse backgrounds that enrich this field. The demand for cybersecurity talent is growing rapidly, evidenced by unique career shifts like an opera singer becoming an application security engineer.
The discussion turns to the significant role soft skills play in cybersecurity, often overshadowed by the emphasis on technical prowess. Drawing from personal experiences, we underline the necessity of communication and conflict resolution skills, learned in high-pressure roles, to succeed in cybersecurity. It's crucial for candidates to balance technical expertise with the ability to foster teamwork and drive security initiatives through effective communication. Hiring for attitude and aptitude, not just technical skills, can lead to growth and stability in this fast-evolving industry.
Interdepartmental dynamics in cybersecurity bring their own set of challenges, from maintaining security protocols under developer pressure to the tension between IT and security teams. We explore how effective communication and emotional control are vital in fostering productive relationships across teams. Additionally, the conversation highlights the innovation of Adaptiva's OneSite platform in automating vulnerability management, helping simplify the patching process. To top it all off, we discuss a remarkable opportunity for aspiring cybersecurity professionals: scholarships for the Microsoft Fundamentals course in security, offered through a collaboration with Women in the Cloud. This inclusive initiative is a great starting point for anyone looking to enhance their cybersecurity knowledge and skills.
Follow the Podcast on Social Media!
Tesla Referral Code: https://ts.la/joseph675128
YouTube: https://www.youtube.com/@securityunfilteredpodcast
Instagram: https://www.instagram.com/secunfpodcast/
Twitter: https://twitter.com/SecUnfPodcast
Mark as Played
Transcript
Episode Transcript
Available transcripts are automatically generated. Complete accuracy is not guaranteed.
Speaker 1 (00:00):
How's it going, Anne?
It's great to get you on thepodcast.
I think that we've been tryingto get this thing done for a
couple months now, but I'mreally excited for our
conversation.
Speaker 2 (00:11):
Thanks, joe.
It's great to be here, Happy tofinally connect.
Speaker 1 (00:15):
Yeah, absolutely so, anne.
You know why don't you tell meabout how your journey started,
right?
What made you go down the paththat you did?
Because you have a bit more ofa unique background compared to,
you know, the other degeneratehackers that I have on the
podcast, right?
Speaker 2 (00:34):
Yeah, I know.
Thanks for letting you knowsomeone from the dark side of
marketing come into your, yourpodcast.
I appreciate it.
But I I did start with anengineering degree so I actually
went from the tech deep techover to a little more soft
skills but still have stayed intechnology and cybersecurity and
(00:54):
have really loved this industryand space.
So happy to be on the show.
Speaker 1 (01:02):
So you got your degree in engineering.
What specifically like, whatpart of engineering?
Speaker 2 (01:08):
I did mechanical engineering.
I really loved math and lookedat different careers that would
allow me to do things with mathand numbers and analytics, and
it went into that area.
My father was an engineer.
He really encouraged me, whichI appreciate to this day, and I
(01:32):
started out interning at Boeingin true kind of mechanical
engineering and then, you know,just sort of evolved evolved
into more product management andthen now kind of all aspects of
marketing which I enjoy andstill getting to work with a lot
of the technology, getting thedive as deep as I want to go but
still be able to enjoy some ofthe creative aspects that
(01:54):
marketing brings.
Speaker 1 (01:57):
Yeah, it's interesting, when I was in
college I was getting my degreein criminal justice and I worked
with a guy that was getting hisdegree in mechanical
engineering and you know, he, hestudied more than anyone else I
knew, and I I mean he.
He ended up getting his degree,but he didn't go into
mechanical engineering oranything like that, he actually
(02:19):
just went into iet and I.
I graduated like a year or twoahead of him and I told him I
was like hey, you know, I knowyou're trying to be a mechanical
engineer, right?
I don't know what the careerpath looks like for that, but
you already have experience inIT.
Just look at that first andthen try and make your pivot.
You know, because he hadstudent loans, like I did, right
(02:40):
, so he has to have an income,you know, coming in to pay off
those loans.
But it's really fascinating,right?
Because I always think if Iwere to go back and like get my
bachelor's and do it all over.
I would probably get my degreein, like math or engineering or
something like that.
Like that is right.
In my wheelhouse I tookcalculus for fun, because it was
(03:02):
.
I considered it to be an easyclass, and math that is an easy
class.
To people that are not in math,you know that's considered to
be like a difficult class, right, I took.
I literally took it for fun andI wanted to go farther with it.
But it was like, okay, you'regonna, you're gonna do criminal
justice, you're gonna do math.
And I was like I don't knowabout that math thing yeah, I
(03:25):
did.
Speaker 2 (03:25):
There's something great about like getting that
solution at the end of a problem, and so I still, uh, really
enjoy, enjoy math although Idon't get to do it nearly as
much anymore now.
It's just maybe calculatingrevenues and things like that
not as not as much detailedcalculus as I was doing at one
point.
But engineering is a greatdegree that you can use to
(03:47):
bounce off into so manydifferent fields of study, and
that's how I feel aboutcybersecurity in general.
You know we're seeing more andmore people come into this field
and this realm and this area.
They come from all differentbackgrounds, right.
Sometimes it's communicationscoming into cybersecurity.
Come from all differentbackgrounds, right.
Sometimes it's communicationscoming into cyber security,
sometimes it's testers.
Speaker 1 (04:07):
It all different, different areas that are now
joining kind of the whole swathof cyber security professionals
that are needed to kind of fillsome of the resource gaps that
are happening in this industrytoday yeah, yeah, it's
interesting, you know, as, as Imean, now I'm a cloud security
engineer, right, and so I haveto be able to think of problems
(04:30):
forward, backwards, start at themiddle, go to the end, start at
the middle, go to the front.
You know, like I have to reallybe able to just dissect
different problems,no-transcript, you know you'll
(05:06):
see a solution and you startthinking of, okay, well, how did
they get there?
Well, this is probably wherethey started.
And you know, like it's a game,almost right, and I think that
that's what kind of piqued myinterest with cybersecurity,
right, is that ability to be sofluid with your thinking.
Because, you know, I guess it'sinteresting.
(05:26):
I don't consider myself to be avery creative person.
I consider myself to be likevery average, not creative at
all.
I can't draw to save my life.
I can't play an instrument tosave my life.
My wife, on the other hand, shecan play like six or seven
instruments, you know, likehands down, like she's a
symphony orchestra violinist,like I'm sitting over here, the
(05:53):
least talented person in my, inmy family, you know, and somehow
I made it right.
So it's interesting.
Also, you know, you bring upthe different backgrounds that
everyone is coming intocybersecurity with, and a few
months ago, maybe even a yearago at this point I think it
might have been a year I had onsomeone that was a former opera
singer and now she's anapplication security engineer
and I'm sitting here like how inthe world do you make that jump
(06:16):
?
Speaker 2 (06:17):
I think you're going to see more and more of that,
though.
I mean because there is thishuge gap, right, four million or
something.
The world economic forum saidopen jobs and a deficit in cyber
security workers, and sothere's a huge opportunity here,
when the job market as a wholemay not be as exciting in tech
as we'd like it to be, and soyou know you're going to see
(06:40):
people, I think, explore it andsee if there are ways for opera
singers or marketers or otherpeople to play a part, because
it is one of the maybe uniqueroles in tech where you really
feel like you can make an impactand that you're giving back.
In a way, there's a you know,there's a real purpose to it, in
the sense that you're fightingthe bad guys.
Speaker 1 (07:01):
Right, you're fighting the bad guys, right,
(07:21):
and you're, you know, not onlyhelping companies be more secure
and resilient, but potentiallyeven the whole 2014, 2015,.
I was doing everything underthe sun that I possibly could be
to get into the field.
Yeah, you know anything likethat really.
(07:42):
You know, in all honesty, I wasunderpaid, so I wanted to make
more money, right, I wanted to,like, make enough money to have
a family and whatnot.
But it also, like, piqued myinterest.
It seemed like there was just,you know, never ending amount of
things that I could learn, thatI could dive into, that I could
specialize in.
And now, you know, that stillholds true, right, and so that
(08:03):
kind of scratches that itch forme in a different way, if that
makes sense.
But I think COVID kind of Idon't want to say exacerbated
the situation, but it really putcybersecurity at the forefront,
right, because you know, I'lltell you, I have a friend.
(08:27):
He's a manager in a in a fordmanufacturing plant, right, and
I went to high school with himand we've stayed in touch ever
since and whatnot.
And when covid hit, he was outof work for like six months.
Like six months he wasbasically out of work and for
the next maybe two years afterthat, there will be months where
he just didn't work becausethey'd shut down the plant for
(08:48):
whatever reason.
You know, and I'm, I'm overhere just living my life like
nothing ever changed, because itliterally never changed.
You know, the only, literallythe only thing that changed for
me was my manager calling me oneday and saying yeah, you're
just going to be remote now it'sfine.
And I've been remote for thepast, you know, four years, five
(09:09):
years at this point, and likethere's nothing changed, right,
I've changed jobs several timesand whatnot.
And he looks at that and he'slike man, I really want, I want
the stability, I want thefreedom to be able to you know
kind of work from wherever Iwant to work.
It doesn't make sense for me tohave to be in one singular
place, you know, to do a job.
And he, he wants to be able tohave a family, you know, have,
(09:34):
have a career that is paying,paying the bills, you know,
having some money left over forthe family and whatnot.
And I think that was put to theforefront of everyone's mind
where there was like I feel likeit happened for a week, but
during that week people werelike well, what jobs are still
working right now?
What jobs were not evenimpacted and I mean the job that
(09:57):
was the least impacted thatworked the entire time was
cybersecurity.
Speaker 2 (10:03):
Yeah.
Yeah, I mean, that's reallyeye-opening yeah, I mean, not
only is, I mean obviously cybersecurity is a, you know, fairly
lucrative field, but yeah, it'snot going away anytime soon.
In fact, the problem's onlygetting bigger.
I mean my company, adam tiva.
We're in the patch managementspace, where we're patching
vulnerabilities that arediscovered on endpoints, and
(10:24):
last year there were like 26,000plus vulnerabilities discovered
.
It's going up this year and themeantime the exploitum just
keeps getting faster and faster.
I think it was like seven dayson average, and for some of the
high risk ones it was like lessthan a day.
So when you are facing thosekind of numbers and with some of
the new technology that'scoming out, like AI, that only
(10:46):
makes it faster and easier tosecure your network, but also,
potentially, if the bad guys useit, exploit it, then you know
this career path is one that isonly going to become more and
more in demand and potentially,you know just more and more
areas to be able to focus on andhave to look at and secure.
(11:09):
And so you know, obviously Ithink it's a great area to be
involved in, but one that I hopewe can recruit more people into
and bring more people into,because there's so much work to
be done.
Speaker 1 (11:23):
Yeah, it's interesting.
You bring up an interestingproblem, because I feel like
still there's a lot of companiesout there that don't know the
type of position or the type ofperson that they're looking for
to really come in and make ameaningful difference.
I'll give you an example, youknow previously, when I was
(11:46):
interviewing for a job which, ifyou're my employer right now
and you're listening, I haven'tdone it in a while, right, but
people would be like extremely,extremely technical, right, and
that's fine, I can deep diveinto things.
But typically when I get intothose interviews, you know the
recruiter is prepping me aheadof time and they're saying like
(12:09):
hey, they're going to do a deepdive into IAM or Kim or whatever
.
It might.
Be right, because it's acourtesy, it gives me the
opportunity to brush up on thatknowledge, because I'm not going
to know everything at all times.
I may have learned it for threemonths and I haven't touched it
in four years.
I mean, that's a very realthing.
(12:30):
It's not that I don't know it,it's that I haven't looked at it
.
You know, like there's a verybig difference between the two.
You know, and you know, thisrole really needed someone that
was more of a people person.
You know someone that wouldactually meet with the teams,
get to know them.
You know, kind of sway them topatch.
You know one of those 26,000vulnerabilities right and make a
(12:52):
difference in the environment.
And you know this company kepton going extremely technical.
And I'm sitting here like guys,you don't need that.
What you need is you needsomeone that can talk to people,
that of which you know I have aproven track record of over 200
episodes where I could talk toyou.
Know anyone and make an impactright, make a difference to some
(13:13):
extent.
But they didn't see it likethat, you know.
But they're hiring for a rolenow that isn't going to be a fit
for the job functions that theyhave, and that's a problem that
is very prevalent, I think.
And then I think another partof it is companies.
One, they don't know really theskill sets necessary for the
(13:37):
role.
But two, we're alsounder-hiring.
If you go on LinkedIn Jobs rightnow, I feel like LinkedIn jobs
is a good barometer for wherethe job market is.
Every single security role outthere has over 100 applicants,
every single one, and if youfind one under a hundred, like
(13:58):
it's a, it's a rarity.
You're on page 12,.
You know you're probably prettydesperate at that point, which
is which is crazy to me, becauseit it tells me something really
weird is going on in the market, where I think everyone's a
little bit nervous.
You know, we have a, we have amajor election coming up here in
a couple of days.
People are nervous about wherethe economy is going to go, like
(14:20):
what the outlook of it is, andI think a lot of companies are
also worried, and so we're.
We're in an interesting likelimbo that we haven't been in in
quite a long time at least notnot that I remember.
You know I entered theworkforce what I like 2009,
technically right, and that wasat like the tail end of the
recession, so I didn't evenreally understand the recession,
(14:44):
you know of like what was goingon when it was happening, you
know yeah, and I I mean I Ireally agree with you.
Speaker 2 (14:50):
Your ability, you know, to communicate is key, I
think, in the cyber securityrole and you're not alone in
that sometimes those technicalcertifications and things will
open the door for you and getyou the interviews.
But in hiring today there reallyhas to be that balance, because
I had a boss shout out to LisaStewart that used to say she
(15:11):
hired for attitude as much asaptitude, and I think that's
really going to become key withcybersecurity roles in
particular going forward,because, you know, not only do
you have to have those technicalskills to be able to do the
forensic analysis or whateverthe job is requiring from, you
know, just security perspective,but you have to be able to
(15:32):
communicate that, you have to beable to present it to the team,
you have to be able to convincepeople to, you know, do certain
, take certain courses of action, and you also have to maybe
have just sort of thatcreativity to try different
solutions to problems.
So, um, and hopefully highintegrity as well in this role
is key, uh, too.
(15:53):
So there's a lot of soft skillsthere that just have to blend
with the the technical skills aswell in order to really make a
good candidate and a goodemployee, but it is still very
competitive.
I agree it's kind of hard toget your foot in the door
sometimes on these positions.
For sure, and a lot of peopleare recognizing there's a lot of
(16:14):
growth potential, stabilitypotential in this space that are
struggling to kind of findtheir way in and navigate how
they at least get that firstdoor open for them in
cybersecurity.
Speaker 1 (16:27):
Yeah, yeah, that's a good point.
You brought up the soft skills,right.
We've been talking about it fora bit now, right, but you
brought up the soft skills andhaving that foundation of soft
skills really, really benefits.
You know you like tenfold incybersecurity and I'll give you
a good example.
(16:48):
You know I started my career inhelp desk right, when you're on
help desk and I worked for anenhanced 911 company, right.
So when our solution is goingdown, people typically just lose
their mind because they may ormay not be able to dial 911.
And, yes, it is absolutely anemergency, but you know you
don't have to, you don't have toyell at me right from hello,
(17:10):
right so, but I've learned a lotof social skills in that job,
right, and for probably a yearand a half, you know I would
have like massive anxiety inthis job, to the point where I'd
have to like go for walks, youknow, several times a day for 30
minutes just to just to likedecompress and process what I
(17:30):
just went through.
And you know that that may besound I guess that maybe sounds
potentially like weak or stupidor something like that Right,
but you know, going from beingin education right, just being
in college to a job that is highstress like help desk overall
can be high stress regardlessbut now you're thrown into a
(17:52):
company that supports a criticalapplication for a business and
you don't even know what acritical application is.
You know because you're thatnew in the field.
It was a trying time but youknow.
In that situation I learned howto de-escalate very quickly.
I learned how to you know findout critical information within
(18:13):
30 seconds.
Within 30 seconds, you knowfind out critical information
within 30 seconds.
Within 30 seconds, you knowwhat's going on generally and
you can start making progressand whatnot.
I learned how to get the rightpeople on the call right from
the very beginning.
You know how to assess thesituation quickly and move
forward with it in the rightdirection.
And all of those skills reallydo pay off when you get into
security because I always, Ialways tell people start with
(18:36):
help desk right, like you want.
You want the ability to tellsomeone no, have them yell at
you in return and you stick toyour no, right?
I'm 10 years into security,literally.
Last week I had a phone callwith 150 developers on the call
(19:00):
and then I was the only securityperson on the call the only one
and they were trying toconvince me.
At first they were very nice.
They were trying to convince meto put in a certain rule into
my AWS WAF that I was rollingout globally.
And they couldn't really explainit properly.
(19:21):
Right, because I need to knowwhat the rule is, why it's
getting blocked, why do we needto add this exception?
Does it bypass the entire WAF?
You know all of these.
You know minutiae, right, thethings that you need to know for
the technical aspect of the job.
Well, at one point in time theycouldn't give me any straight
(19:42):
answers, and so I just kept onasking questions for 30 minutes.
I asked questions, I didn'tgive any answers, I didn't give
any context.
I only asked questions becausethey were trying to beat around
the bush and I could tell theywere trying to bully me into,
you know, just going with them,right, because they wanted to
get off this call.
And so they figure okay, 150developers are going to
overwhelm Joe and you know he'sgoing to give us what we want.
(20:04):
Right, because it probablywould have worked.
At the other, you know 10security guys that they had
there, but not with me because Igot all day.
You know, you, that they hadthere, but not with me because I
got all day.
You just made this a priority,right?
So now I get to call otherthings off and at the end of the
questions, literally 30 minutesof me questioning it.
I said you guys are just tryingto bully me into bypassing the
(20:26):
WAF because you don't want todeploy it, you don't want to
work within it.
And I had to explain to them.
I said, hey look, this was anaudit finding right.
They gave us a timeline forwhen we needed to fix this.
This is why it's going in.
And they like tried to rebuttalit, tried to refute it you know
many different ways and whatnotand I said there is no refuting
(20:48):
this.
You are doing this or it'sgoing to be reported to your VP
and your director and I willreference this conversation and,
like I told him, I was likeit's being recorded.
I have the minute keeper, likeright now, and I'll tell them go
to minute 33 in thisconversation where I started to
like really go into them.
Speaker 2 (21:07):
Yeah.
Speaker 1 (21:09):
Right, and at the end of the day, you know they very
begrudgingly went along with it.
But you know I had to learn howto stand my ground from 10
years prior, Right, Like I hadto learn how to literally look
at someone that is yelling at mein the face in person to you
and you know, tell them no,that's not happening and that's
(21:33):
a very unique skill set that notmany security professionals
have.
Like I said, the other 10security people that they would
have had on that call, theywould have just caved in 10, 15
minutes.
It's funny they wouldn't haveknown that they were making the
environment less secure.
Speaker 2 (21:52):
Our CEO here and founderak kumar.
He came, he actually has amedical degree, so he was a
doctor and now he does software,so he's made a big career
transition.
But he has often, uh, talkedabout, just you know, the need,
especially when you're in themedical profession and dealing
with emergencies, to sort ofstay emotionally calm and how,
(22:14):
like, having a control over youremotions is so key in just
day-to-day business, creating,in marketing and also in even
our technical roles.
He really encourages us to lookfor people who either have a
customer service background atsome point in their career or
like a help desk background,like what you're describing,
(22:35):
where they've had to deal withchallenging personalities and
figure out how to just maintainthose relationships and be
professional and not get overlyemotional or overly reactive in
those situations.
He feels that that basic skillset is something that is just so
hugely important in day-to-daybusiness at all different levels
(22:58):
of the company, and so, as werecruit, that's something he
always encourages us to look for, and I think it applies to the
cybersecurity profession as well.
It's just like I said, even formarketing.
I tend to try to look for thattoo.
It's just a great skill to have, especially when you're on a
call with you know 150 peoplewho might be, you know telling
(23:18):
you something different.
Figuring out just how you findcommon ground and work forward
is really key.
Speaker 1 (23:25):
Right, yeah, I mean I've.
You know, I've been insituations where I'll go into a
company and there's a terriblerelationship between my team and
another team and of course, asystem down incident occurs and
I need that other team.
We're relying on them and theyreally don't like to work with
(23:48):
us.
I have not shied away frombribery with food and drinks and
whatever it takes, you know, toget the help that I need I
agree on that.
Sometimes it's required.
Speaker 2 (24:03):
It really is.
You know, and I will say, thecybersecurity in general, a lot
of emergencies that that happen,and being able to handle those
crisis communications in a waythat's, you know, done
professionally, delicately,understands everything and all
the implications that come at it, can be challenging.
(24:24):
So you have the those bigemergencies that happen that you
really need strong leaders whodon't get overly, you know,
overly emotional in some ofthose situations, but then also
just day to day.
I mean, you mentioned startingin IT or starting in help desk
as a way to potentially pivotand swerve into a cybersecurity
(24:45):
career, and one of the things Ihear about most often, even from
our customers and prospects ismost often even from our
customers and prospects is, youknow, that kind of fight between
IT and security today or atleast gap we'll call it gap
where you know security isfinding all these
vulnerabilities and issues andthen pointing to IT to go fix
(25:05):
them and that's saying, oh, it,you're not, you know, moving
fast enough and you're exposingme to too much risk, and so
there is sort of this constantkind of like back and forth
that's going on between IT andsecurity today and having the
skill set to, you know, approachthat from a collaborative.
How can we work together toreduce risk for our organization
(25:28):
?
Perspective is important, butyou know where we're coming from
too.
Perspective is important, butyou know where we're coming from
, too is we also want technologyto help bridge that gap too,
between IT and security teams,where the reports and the
findings and the vulnerabilityassessments all that data is
there and being found bytechnology.
But then IT can also show theirprogress against it and how
(25:50):
they're taking action on thatdata, and you know the rationale
they have behind what they'reprioritizing and how they're
taking action on that data.
And and you know the rationalethey have behind what they're
prioritizing and what they.
They can connect all that intechnology and use technology as
a way to bridge the, thesecurity teams and the IT teams.
That can help augment some ofthe and hopefully resolve some
(26:11):
of the communication issues thatcome about because of just that
dynamic between IT and securityteams.
Speaker 1 (26:20):
Yeah, you know something that I've recently run
into that's been a prevalentproblem for many years now.
Right, is, with the advent ofthe cloud, your on-prem legacy
solutions don't quite work likethey should in the cloud, right,
and so now you end up having,you know, six, seven solutions
(26:40):
doing vulnerability management,looking at different things,
different ways, and how in theworld can your developers or
your engineers or just itoverall keep up with that?
Right, because I'm the securityprofessional that's supposed to
own all seven of those toolsand I don't look at all of them.
Right, like I need a solutionthat correlates all of it,
(27:04):
brings it all in and tells mewhat I need to pay attention to.
Right, and I think that's likekind of where most of the
industry is missing the mark.
Right, it's like they provide asolution of we do pipeline
security vulnerabilitymanagement, right, or we do
infrastructure in the cloudvulnerability management, all
(27:25):
this stuff.
It's like I don't care.
You said vulnerabilitymanagement.
At the end of all of that, Ineed it all in one singular tool
.
Speaker 2 (27:35):
Yeah, and it's been interesting.
I mean, vulnerabilitymanagement is one area, right,
but security in general I mean,how many different tools and
technologies and vendors arethere in that space?
Now it's unbelievable, andthat's why we're starting to see
especially some of the bigleaders, like CrowdStrike and
Microsoft and others, starttalking about consolidation.
And how can we help youconsolidate the number of
(27:55):
vendors you're using, the numberof technologies you're using,
so that you know, I mean becausethere's a risk to that.
I mean, just managing a wholebunch of different vendors is
hard on resources, but also,like making sure they're all
secure and keeping up to date iskey, and so we are seeing a
move towards trying toconsolidate and have fewer
(28:17):
vendors and fewer differentproducts in the space.
And so I think the technologiesthat are going to be, you know,
cross-platform, like for us,like helping you patch Windows
and Mac and Linux on all yourdevices as opposed to needing a
different solution for eachthose are the ones that you're
going to start seeing win acrossthe board.
(28:37):
And then also, in addition tojust sort of consolidating the
different vendors, I think ingeneral, you know just the more
that we can bring togethervisibility into what's happening
across your systems, the betterin and get all your alerts and
(29:05):
keep an eye, but I feel like ITis missing, that IT doesn't have
that single view into all mydeployments that are happening,
all my patches that arehappening, all the things in
real time and I actually believecertainly that's where we're
heading from a product visionperspective is starting to give
companies more unified insightinto both their security and
their IT operations, bringingthem together into one kind of
(29:27):
single pane of glass so that youcan stay on top of all the
changes and data that arehappening across endpoints and
across the network.
Speaker 1 (29:37):
So talk to me about how Adaptiva does that right,
how you guys bridge the gapbetween all these different kind
of sprawling domains ofvulnerability management and
bring it all together into aconsolidated way.
Speaker 2 (29:54):
Yeah, so we built a platform we call it our one-site
platform and on top of that webuilt a suite of products, and
the one that most you know we'retalking about most these days
is our patch management one-sitepatch solution which integrates
with all your differentvulnerability management
solutions out there in themarketplace today.
(30:15):
So, for example, next week I'mgoing to crowdstrike's falcon
event in in europe and um, andthere we'll be showcasing how
you can use Falcon to analyzeand assess all the
vulnerabilities on your network.
They have something calledtheir expert AI rating that
prioritizes them as critical,high, medium, low.
(30:38):
We take all that data and wetake their criticality factors
in and we allow you to set uppatching strategies based on
that data.
So if it's a critical one,maybe I want you to go patch it
right away with very limitedapprovals, but if it's a lower,
medium one, maybe I want to rollthat out more slowly.
A series of deployment waves.
(31:00):
Deployment waves she set upthose rules in our system, but
we're pulling in all thevulnerability management
information from thevulnerability management
providers and then we're kind ofconsolidating, reporting them
right.
So, immediately, the securityteams can quickly see the
reports, see the insights inreal time.
Okay, how are myvulnerabilities getting patched?
(31:22):
Which devices still need to bepatched?
Which ones are successful?
What versions are they on Allthat rich insight and data in
real time?
So today in many companiesthose vulnerability assessments,
they print them out on likehuge Excel spreadsheets and hand
them over to IT and say gopatch this.
(31:43):
And they meet every week andkind of fight back and forth on
why more things weren't patched.
We're hoping again that by justpulling all that data, in
taking automated action on thedata, you can solve that or
resolve those kind of back andforth fights on vulnerabilities
and provide a single, unifiedview into the compliance of your
(32:05):
organization and it.
Speaker 1 (32:08):
So it sounds like you know my, my developers or my
engineers.
They would be able to log inand like see the assets that
they're responsible for, or getlike some sort of automated
alerts like hey, you know thisnew high finding or whatever
right is on your assets overhere.
Here's the card.
(32:28):
Go work on it, that sort ofthing.
Is there a flag?
Speaker 2 (32:34):
We're taking a slightly different approach.
I mean traditional patchmanagement forces kind of the IT
teams to have to go in andevery time a patch comes out
they have to take it down, takethe metadata, configure it, test
it, roll it out to a testsystem, make sure it's working.
With us we have a team that'sconstantly putting those patches
(32:56):
into our catalog and really ourcustomers just set up the rules
.
They say anytime for you knowthis group of machines or for
this type of patch, do thesethings, and so we let you really
set up the strategies and thenwe automate it.
(33:19):
So we believe in reallyspeeding and accelerating the
patching through automation soyou're not having to manually
patch and set up deployments foreach patch.
You're setting your rules forpatching as an organization and
we're taking care of the rest.
But we're putting controls inplace too, because we know
(33:39):
automation can be scary.
Bad things can happen sometimeswhen you roll out patches and we
give a lot of control over thatprocess so you can pause
patching, you can cancel patches, you can roll back patches to
previous versions.
Our belief is you need to movefaster.
The bad guys are not slowingdown.
You need to find ways toaccelerate and free up your IT
(34:01):
teams and limited resources, andso by allowing them to set up
their rules and then we automate, but giving them controls and
guardrails that if somethingdoes go wrong, they can pause.
Take a minute.
That's our belief on howpatching should really happen in
the future.
Speaker 1 (34:17):
Hmm, and does it work for like pipeline security or
pipeline vulnerabilities?
Speaker 2 (34:25):
We're focused on endpoint.
So our patching is aroundendpoints, but we're beta
testing right now the fullcross-platform, so Mac, linux
and Windows updates, and thenalso third-party applications,
and then also third-partyapplications.
We support patching of over9,000 third-party applications
(34:46):
BIOS, drivers, servers, allsorts of patching, truly unified
endpoint patching.
Speaker 1 (34:54):
That's interesting.
It seemed like when I got intosecurity, the industry was at a
scheduled, a scheduled, you knowpatching process right, where
you're like, like what you said,this group of devices gets
patched, you know, every mondaynight at like midnight or
whatever it might be right.
(35:14):
And then I think, as people gotmore into the cloud and their
environments grew rapidly, theystarted moving away from that.
It's interesting because Iactually never noticed moving
away from it, but I moved awayfrom it and it's a fascinating
way to kind of bring it back,especially if you're
(35:37):
centralizing all of it right,like you're making it more
easily consumable for everythingto be in one place and then
schedule it out from there.
That really kind of like freesup at least my developers, right
, frees up my developers to beable to do developing work
rather than security worknecessarily.
Speaker 2 (36:01):
It's the only way you can really start.
I mean, with the rate ofvulnerabilities that we were
talking about earlier and justhow many are coming at you and
how quickly they're beingexploited, the only way that you
can get the scale necessary isto automate work, and right now
we did a state of patchmanagement report with the
Ponemon Institute and we foundthat 59% said it was taking them
(36:24):
two weeks or more to begin apatch, a deployment after a
patch was released.
So that's just like way toolong when, on average,
vulnerabilities are beingexploited every seven days.
And in many cases I thinkGartner found it was taking,
like companies, a month or moreto fully roll out of cash.
So that's just never.
You're just constantly going tobe behind and it's never going
(36:47):
to scale.
And so we're very bullish onautomation that's going to help
you scale, but automation withcontrol, yeah.
So yeah, it's a mindset shift alittle bit for companies, but
with how limited we are inresources right now and people
to just tackle this problem,technology is going to have to
(37:10):
fill the gap.
Speaker 1 (37:11):
Yeah, yeah, absolutely.
Well, you know, unfortunately,I think we're at like the top of
our time here.
I know you have a flight tocatch and whatnot, but you know
I really enjoyed ourconversation.
I definitely would want to haveyou back on sometime.
Speaker 2 (37:26):
Yeah, it was great, joe, I loved it.
Thanks for letting a marketerstray over here.
I appreciate it and would loveto talk again in the future.
Speaker 1 (37:34):
Yeah, yeah, absolutely.
Well, before I let you go, howabout you tell my audience you
know where they could connectwith you if they wanted to
connect with you and where theycould find the company if they
wanted to learn more?
Speaker 2 (37:45):
Sure, I'm very active on LinkedIn, so that's a great
place to find me and Baker andLinkedIn, and then also Adapteva
is the name of the companyA-D-A-P-T-I-V-A.
If you're a drummer, I want togo check that out.
I blog on there and we have alot of great resources just for
training.
And also, I know we talked alot about entering the
(38:07):
cybersecurity field.
I will just put a shout out to.
I'm very active in Women in theCloud, and Women in the Cloud
right now is working withMicrosoft, who's sponsoring over
5,000 scholarships for peoplewho want to take the Microsoft
Fundamentals course in security.
That's a great one for womenand allies as well.
(38:29):
It's gender neutral to go andapply for those scholarships.
If you want to break intocybersecurity, I highly
recommend going and taking alook at that, and that's a great
way to start getting some ofthose early certifications with
Microsoft in order to startshowcasing and learning more
about cybersecurity.
So definitely check that out aswell.
Speaker 1 (38:49):
Yeah, absolutely Well , thanks everyone.
I hope you enjoyed this episode.
How's it going, Anne?
It's great to get you on thepodcast.
I think that we've been tryingto get this thing done for a
couple months now, but I'mreally excited for our
conversation.
Speaker 2 (00:11):
Thanks, joe.
It's great to be here, Happy tofinally connect.
Speaker 1 (00:15):
Yeah, absolutely so, anne.
You know why don't you tell meabout how your journey started,
right?
What made you go down the paththat you did?
Because you have a bit more ofa unique background compared to,
you know, the other degeneratehackers that I have on the
podcast, right?
Speaker 2 (00:34):
Yeah, I know.
Thanks for letting you knowsomeone from the dark side of
marketing come into your, yourpodcast.
I appreciate it.
But I I did start with anengineering degree so I actually
went from the tech deep techover to a little more soft
skills but still have stayed intechnology and cybersecurity and
(00:54):
have really loved this industryand space.
So happy to be on the show.
Speaker 1 (01:02):
So you got your degree in engineering.
What specifically like, whatpart of engineering?
Speaker 2 (01:08):
I did mechanical engineering.
I really loved math and lookedat different careers that would
allow me to do things with mathand numbers and analytics, and
it went into that area.
My father was an engineer.
He really encouraged me, whichI appreciate to this day, and I
(01:32):
started out interning at Boeingin true kind of mechanical
engineering and then, you know,just sort of evolved evolved
into more product management andthen now kind of all aspects of
marketing which I enjoy andstill getting to work with a lot
of the technology, getting thedive as deep as I want to go but
still be able to enjoy some ofthe creative aspects that
(01:54):
marketing brings.
Speaker 1 (01:57):
Yeah, it's interesting, when I was in
college I was getting my degreein criminal justice and I worked
with a guy that was getting hisdegree in mechanical
engineering and you know, he, hestudied more than anyone else I
knew, and I I mean he.
He ended up getting his degree,but he didn't go into
mechanical engineering oranything like that, he actually
(02:19):
just went into iet and I.
I graduated like a year or twoahead of him and I told him I
was like hey, you know, I knowyou're trying to be a mechanical
engineer, right?
I don't know what the careerpath looks like for that, but
you already have experience inIT.
Just look at that first andthen try and make your pivot.
You know, because he hadstudent loans, like I did, right
(02:40):
, so he has to have an income,you know, coming in to pay off
those loans.
But it's really fascinating,right?
Because I always think if Iwere to go back and like get my
bachelor's and do it all over.
I would probably get my degreein, like math or engineering or
something like that.
Like that is right.
In my wheelhouse I tookcalculus for fun, because it was
(03:02):
.
I considered it to be an easyclass, and math that is an easy
class.
To people that are not in math,you know that's considered to
be like a difficult class, right, I took.
I literally took it for fun andI wanted to go farther with it.
But it was like, okay, you'regonna, you're gonna do criminal
justice, you're gonna do math.
And I was like I don't knowabout that math thing yeah, I
(03:25):
did.
Speaker 2 (03:25):
There's something great about like getting that
solution at the end of a problem, and so I still, uh, really
enjoy, enjoy math although Idon't get to do it nearly as
much anymore now.
It's just maybe calculatingrevenues and things like that
not as not as much detailedcalculus as I was doing at one
point.
But engineering is a greatdegree that you can use to
(03:47):
bounce off into so manydifferent fields of study, and
that's how I feel aboutcybersecurity in general.
You know we're seeing more andmore people come into this field
and this realm and this area.
They come from all differentbackgrounds, right.
Sometimes it's communicationscoming into cybersecurity.
Come from all differentbackgrounds, right.
Sometimes it's communicationscoming into cyber security,
sometimes it's testers.
Speaker 1 (04:07):
It all different, different areas that are now
joining kind of the whole swathof cyber security professionals
that are needed to kind of fillsome of the resource gaps that
are happening in this industrytoday yeah, yeah, it's
interesting, you know, as, as Imean, now I'm a cloud security
engineer, right, and so I haveto be able to think of problems
(04:30):
forward, backwards, start at themiddle, go to the end, start at
the middle, go to the front.
You know, like I have to reallybe able to just dissect
different problems,no-transcript, you know you'll
(05:06):
see a solution and you startthinking of, okay, well, how did
they get there?
Well, this is probably wherethey started.
And you know, like it's a game,almost right, and I think that
that's what kind of piqued myinterest with cybersecurity,
right, is that ability to be sofluid with your thinking.
Because, you know, I guess it'sinteresting.
(05:26):
I don't consider myself to be avery creative person.
I consider myself to be likevery average, not creative at
all.
I can't draw to save my life.
I can't play an instrument tosave my life.
My wife, on the other hand, shecan play like six or seven
instruments, you know, likehands down, like she's a
symphony orchestra violinist,like I'm sitting over here, the
(05:53):
least talented person in my, inmy family, you know, and somehow
I made it right.
So it's interesting.
Also, you know, you bring upthe different backgrounds that
everyone is coming intocybersecurity with, and a few
months ago, maybe even a yearago at this point I think it
might have been a year I had onsomeone that was a former opera
singer and now she's anapplication security engineer
and I'm sitting here like how inthe world do you make that jump
(06:16):
?
Speaker 2 (06:17):
I think you're going to see more and more of that,
though.
I mean because there is thishuge gap, right, four million or
something.
The world economic forum saidopen jobs and a deficit in cyber
security workers, and sothere's a huge opportunity here,
when the job market as a wholemay not be as exciting in tech
as we'd like it to be, and soyou know you're going to see
(06:40):
people, I think, explore it andsee if there are ways for opera
singers or marketers or otherpeople to play a part, because
it is one of the maybe uniqueroles in tech where you really
feel like you can make an impactand that you're giving back.
In a way, there's a you know,there's a real purpose to it, in
the sense that you're fightingthe bad guys.
Speaker 1 (07:01):
Right, you're fighting the bad guys, right,
(07:21):
and you're, you know, not onlyhelping companies be more secure
and resilient, but potentiallyeven the whole 2014, 2015,.
I was doing everything underthe sun that I possibly could be
to get into the field.
Yeah, you know anything likethat really.
(07:42):
You know, in all honesty, I wasunderpaid, so I wanted to make
more money, right, I wanted to,like, make enough money to have
a family and whatnot.
But it also, like, piqued myinterest.
It seemed like there was just,you know, never ending amount of
things that I could learn, thatI could dive into, that I could
specialize in.
And now, you know, that stillholds true, right, and so that
(08:03):
kind of scratches that itch forme in a different way, if that
makes sense.
But I think COVID kind of Idon't want to say exacerbated
the situation, but it really putcybersecurity at the forefront,
right, because you know, I'lltell you, I have a friend.
(08:27):
He's a manager in a in a fordmanufacturing plant, right, and
I went to high school with himand we've stayed in touch ever
since and whatnot.
And when covid hit, he was outof work for like six months.
Like six months he wasbasically out of work and for
the next maybe two years afterthat, there will be months where
he just didn't work becausethey'd shut down the plant for
(08:48):
whatever reason.
You know, and I'm, I'm overhere just living my life like
nothing ever changed, because itliterally never changed.
You know, the only, literallythe only thing that changed for
me was my manager calling me oneday and saying yeah, you're
just going to be remote now it'sfine.
And I've been remote for thepast, you know, four years, five
(09:09):
years at this point, and likethere's nothing changed, right,
I've changed jobs several timesand whatnot.
And he looks at that and he'slike man, I really want, I want
the stability, I want thefreedom to be able to you know
kind of work from wherever Iwant to work.
It doesn't make sense for me tohave to be in one singular
place, you know, to do a job.
And he, he wants to be able tohave a family, you know, have,
(09:34):
have a career that is paying,paying the bills, you know,
having some money left over forthe family and whatnot.
And I think that was put to theforefront of everyone's mind
where there was like I feel likeit happened for a week, but
during that week people werelike well, what jobs are still
working right now?
What jobs were not evenimpacted and I mean the job that
(09:57):
was the least impacted thatworked the entire time was
cybersecurity.
Speaker 2 (10:03):
Yeah.
Yeah, I mean, that's reallyeye-opening yeah, I mean, not
only is, I mean obviously cybersecurity is a, you know, fairly
lucrative field, but yeah, it'snot going away anytime soon.
In fact, the problem's onlygetting bigger.
I mean my company, adam tiva.
We're in the patch managementspace, where we're patching
vulnerabilities that arediscovered on endpoints, and
(10:24):
last year there were like 26,000plus vulnerabilities discovered
.
It's going up this year and themeantime the exploitum just
keeps getting faster and faster.
I think it was like seven dayson average, and for some of the
high risk ones it was like lessthan a day.
So when you are facing thosekind of numbers and with some of
the new technology that'scoming out, like AI, that only
(10:46):
makes it faster and easier tosecure your network, but also,
potentially, if the bad guys useit, exploit it, then you know
this career path is one that isonly going to become more and
more in demand and potentially,you know just more and more
areas to be able to focus on andhave to look at and secure.
(11:09):
And so you know, obviously Ithink it's a great area to be
involved in, but one that I hopewe can recruit more people into
and bring more people into,because there's so much work to
be done.
Speaker 1 (11:23):
Yeah, it's interesting.
You bring up an interestingproblem, because I feel like
still there's a lot of companiesout there that don't know the
type of position or the type ofperson that they're looking for
to really come in and make ameaningful difference.
I'll give you an example, youknow previously, when I was
(11:46):
interviewing for a job which, ifyou're my employer right now
and you're listening, I haven'tdone it in a while, right, but
people would be like extremely,extremely technical, right, and
that's fine, I can deep diveinto things.
But typically when I get intothose interviews, you know the
recruiter is prepping me aheadof time and they're saying like
(12:09):
hey, they're going to do a deepdive into IAM or Kim or whatever
.
It might.
Be right, because it's acourtesy, it gives me the
opportunity to brush up on thatknowledge, because I'm not going
to know everything at all times.
I may have learned it for threemonths and I haven't touched it
in four years.
I mean, that's a very realthing.
(12:30):
It's not that I don't know it,it's that I haven't looked at it
.
You know, like there's a verybig difference between the two.
You know, and you know, thisrole really needed someone that
was more of a people person.
You know someone that wouldactually meet with the teams,
get to know them.
You know, kind of sway them topatch.
You know one of those 26,000vulnerabilities right and make a
(12:52):
difference in the environment.
And you know this company kepton going extremely technical.
And I'm sitting here like guys,you don't need that.
What you need is you needsomeone that can talk to people,
that of which you know I have aproven track record of over 200
episodes where I could talk toyou.
Know anyone and make an impactright, make a difference to some
(13:13):
extent.
But they didn't see it likethat, you know.
But they're hiring for a rolenow that isn't going to be a fit
for the job functions that theyhave, and that's a problem that
is very prevalent, I think.
And then I think another partof it is companies.
One, they don't know really theskill sets necessary for the
(13:37):
role.
But two, we're alsounder-hiring.
If you go on LinkedIn Jobs rightnow, I feel like LinkedIn jobs
is a good barometer for wherethe job market is.
Every single security role outthere has over 100 applicants,
every single one, and if youfind one under a hundred, like
(13:58):
it's a, it's a rarity.
You're on page 12,.
You know you're probably prettydesperate at that point, which
is which is crazy to me, becauseit it tells me something really
weird is going on in the market, where I think everyone's a
little bit nervous.
You know, we have a, we have amajor election coming up here in
a couple of days.
People are nervous about wherethe economy is going to go, like
(14:20):
what the outlook of it is, andI think a lot of companies are
also worried, and so we're.
We're in an interesting likelimbo that we haven't been in in
quite a long time at least notnot that I remember.
You know I entered theworkforce what I like 2009,
technically right, and that wasat like the tail end of the
recession, so I didn't evenreally understand the recession,
(14:44):
you know of like what was goingon when it was happening, you
know yeah, and I I mean I Ireally agree with you.
Speaker 2 (14:50):
Your ability, you know, to communicate is key, I
think, in the cyber securityrole and you're not alone in
that sometimes those technicalcertifications and things will
open the door for you and getyou the interviews.
But in hiring today there reallyhas to be that balance, because
I had a boss shout out to LisaStewart that used to say she
(15:11):
hired for attitude as much asaptitude, and I think that's
really going to become key withcybersecurity roles in
particular going forward,because, you know, not only do
you have to have those technicalskills to be able to do the
forensic analysis or whateverthe job is requiring from, you
know, just security perspective,but you have to be able to
(15:32):
communicate that, you have to beable to present it to the team,
you have to be able to convincepeople to, you know, do certain
, take certain courses of action, and you also have to maybe
have just sort of thatcreativity to try different
solutions to problems.
So, um, and hopefully highintegrity as well in this role
is key, uh, too.
(15:53):
So there's a lot of soft skillsthere that just have to blend
with the the technical skills aswell in order to really make a
good candidate and a goodemployee, but it is still very
competitive.
I agree it's kind of hard toget your foot in the door
sometimes on these positions.
For sure, and a lot of peopleare recognizing there's a lot of
(16:14):
growth potential, stabilitypotential in this space that are
struggling to kind of findtheir way in and navigate how
they at least get that firstdoor open for them in
cybersecurity.
Speaker 1 (16:27):
Yeah, yeah, that's a good point.
You brought up the soft skills,right.
We've been talking about it fora bit now, right, but you
brought up the soft skills andhaving that foundation of soft
skills really, really benefits.
You know you like tenfold incybersecurity and I'll give you
a good example.
(16:48):
You know I started my career inhelp desk right, when you're on
help desk and I worked for anenhanced 911 company, right.
So when our solution is goingdown, people typically just lose
their mind because they may ormay not be able to dial 911.
And, yes, it is absolutely anemergency, but you know you
don't have to, you don't have toyell at me right from hello,
(17:10):
right so, but I've learned a lotof social skills in that job,
right, and for probably a yearand a half, you know I would
have like massive anxiety inthis job, to the point where I'd
have to like go for walks, youknow, several times a day for 30
minutes just to just to likedecompress and process what I
(17:30):
just went through.
And you know that that may besound I guess that maybe sounds
potentially like weak or stupidor something like that Right,
but you know, going from beingin education right, just being
in college to a job that is highstress like help desk overall
can be high stress regardlessbut now you're thrown into a
(17:52):
company that supports a criticalapplication for a business and
you don't even know what acritical application is.
You know because you're thatnew in the field.
It was a trying time but youknow.
In that situation I learned howto de-escalate very quickly.
I learned how to you know findout critical information within
(18:13):
30 seconds.
Within 30 seconds, you knowfind out critical information
within 30 seconds.
Within 30 seconds, you knowwhat's going on generally and
you can start making progressand whatnot.
I learned how to get the rightpeople on the call right from
the very beginning.
You know how to assess thesituation quickly and move
forward with it in the rightdirection.
And all of those skills reallydo pay off when you get into
security because I always, Ialways tell people start with
(18:36):
help desk right, like you want.
You want the ability to tellsomeone no, have them yell at
you in return and you stick toyour no, right?
I'm 10 years into security,literally.
Last week I had a phone callwith 150 developers on the call
(19:00):
and then I was the only securityperson on the call the only one
and they were trying toconvince me.
At first they were very nice.
They were trying to convince meto put in a certain rule into
my AWS WAF that I was rollingout globally.
And they couldn't really explainit properly.
(19:21):
Right, because I need to knowwhat the rule is, why it's
getting blocked, why do we needto add this exception?
Does it bypass the entire WAF?
You know all of these.
You know minutiae, right, thethings that you need to know for
the technical aspect of the job.
Well, at one point in time theycouldn't give me any straight
(19:42):
answers, and so I just kept onasking questions for 30 minutes.
I asked questions, I didn'tgive any answers, I didn't give
any context.
I only asked questions becausethey were trying to beat around
the bush and I could tell theywere trying to bully me into,
you know, just going with them,right, because they wanted to
get off this call.
And so they figure okay, 150developers are going to
overwhelm Joe and you know he'sgoing to give us what we want.
(20:04):
Right, because it probablywould have worked.
At the other, you know 10security guys that they had
there, but not with me because Igot all day.
You know, you, that they hadthere, but not with me because I
got all day.
You just made this a priority,right?
So now I get to call otherthings off and at the end of the
questions, literally 30 minutesof me questioning it.
I said you guys are just tryingto bully me into bypassing the
(20:26):
WAF because you don't want todeploy it, you don't want to
work within it.
And I had to explain to them.
I said, hey look, this was anaudit finding right.
They gave us a timeline forwhen we needed to fix this.
This is why it's going in.
And they like tried to rebuttalit, tried to refute it you know
many different ways and whatnotand I said there is no refuting
(20:48):
this.
You are doing this or it'sgoing to be reported to your VP
and your director and I willreference this conversation and,
like I told him, I was likeit's being recorded.
I have the minute keeper, likeright now, and I'll tell them go
to minute 33 in thisconversation where I started to
like really go into them.
Speaker 2 (21:07):
Yeah.
Speaker 1 (21:09):
Right, and at the end of the day, you know they very
begrudgingly went along with it.
But you know I had to learn howto stand my ground from 10
years prior, Right, Like I hadto learn how to literally look
at someone that is yelling at mein the face in person to you
and you know, tell them no,that's not happening and that's
(21:33):
a very unique skill set that notmany security professionals
have.
Like I said, the other 10security people that they would
have had on that call, theywould have just caved in 10, 15
minutes.
It's funny they wouldn't haveknown that they were making the
environment less secure.
Speaker 2 (21:52):
Our CEO here and founderak kumar.
He came, he actually has amedical degree, so he was a
doctor and now he does software,so he's made a big career
transition.
But he has often, uh, talkedabout, just you know, the need,
especially when you're in themedical profession and dealing
with emergencies, to sort ofstay emotionally calm and how,
(22:14):
like, having a control over youremotions is so key in just
day-to-day business, creating,in marketing and also in even
our technical roles.
He really encourages us to lookfor people who either have a
customer service background atsome point in their career or
like a help desk background,like what you're describing,
(22:35):
where they've had to deal withchallenging personalities and
figure out how to just maintainthose relationships and be
professional and not get overlyemotional or overly reactive in
those situations.
He feels that that basic skillset is something that is just so
hugely important in day-to-daybusiness at all different levels
(22:58):
of the company, and so, as werecruit, that's something he
always encourages us to look for, and I think it applies to the
cybersecurity profession as well.
It's just like I said, even formarketing.
I tend to try to look for thattoo.
It's just a great skill to have, especially when you're on a
call with you know 150 peoplewho might be, you know telling
(23:18):
you something different.
Figuring out just how you findcommon ground and work forward
is really key.
Speaker 1 (23:25):
Right, yeah, I mean I've.
You know, I've been insituations where I'll go into a
company and there's a terriblerelationship between my team and
another team and of course, asystem down incident occurs and
I need that other team.
We're relying on them and theyreally don't like to work with
(23:48):
us.
I have not shied away frombribery with food and drinks and
whatever it takes, you know, toget the help that I need I
agree on that.
Sometimes it's required.
Speaker 2 (24:03):
It really is.
You know, and I will say, thecybersecurity in general, a lot
of emergencies that that happen,and being able to handle those
crisis communications in a waythat's, you know, done
professionally, delicately,understands everything and all
the implications that come at it, can be challenging.
(24:24):
So you have the those bigemergencies that happen that you
really need strong leaders whodon't get overly, you know,
overly emotional in some ofthose situations, but then also
just day to day.
I mean, you mentioned startingin IT or starting in help desk
as a way to potentially pivotand swerve into a cybersecurity
(24:45):
career, and one of the things Ihear about most often, even from
our customers and prospects ismost often even from our
customers and prospects is, youknow, that kind of fight between
IT and security today or atleast gap we'll call it gap
where you know security isfinding all these
vulnerabilities and issues andthen pointing to IT to go fix
(25:05):
them and that's saying, oh, it,you're not, you know, moving
fast enough and you're exposingme to too much risk, and so
there is sort of this constantkind of like back and forth
that's going on between IT andsecurity today and having the
skill set to, you know, approachthat from a collaborative.
How can we work together toreduce risk for our organization
(25:28):
?
Perspective is important, butyou know where we're coming from
too.
Perspective is important, butyou know where we're coming from
, too is we also want technologyto help bridge that gap too,
between IT and security teams,where the reports and the
findings and the vulnerabilityassessments all that data is
there and being found bytechnology.
But then IT can also show theirprogress against it and how
(25:50):
they're taking action on thatdata, and you know the rationale
they have behind what they'reprioritizing and how they're
taking action on that data.
And and you know the rationalethey have behind what they're
prioritizing and what they.
They can connect all that intechnology and use technology as
a way to bridge the, thesecurity teams and the IT teams.
That can help augment some ofthe and hopefully resolve some
(26:11):
of the communication issues thatcome about because of just that
dynamic between IT and securityteams.
Speaker 1 (26:20):
Yeah, you know something that I've recently run
into that's been a prevalentproblem for many years now.
Right, is, with the advent ofthe cloud, your on-prem legacy
solutions don't quite work likethey should in the cloud, right,
and so now you end up having,you know, six, seven solutions
(26:40):
doing vulnerability management,looking at different things,
different ways, and how in theworld can your developers or
your engineers or just itoverall keep up with that?
Right, because I'm the securityprofessional that's supposed to
own all seven of those toolsand I don't look at all of them.
Right, like I need a solutionthat correlates all of it,
(27:04):
brings it all in and tells mewhat I need to pay attention to.
Right, and I think that's likekind of where most of the
industry is missing the mark.
Right, it's like they provide asolution of we do pipeline
security vulnerabilitymanagement, right, or we do
infrastructure in the cloudvulnerability management, all
(27:25):
this stuff.
It's like I don't care.
You said vulnerabilitymanagement.
At the end of all of that, Ineed it all in one singular tool
.
Speaker 2 (27:35):
Yeah, and it's been interesting.
I mean, vulnerabilitymanagement is one area, right,
but security in general I mean,how many different tools and
technologies and vendors arethere in that space?
Now it's unbelievable, andthat's why we're starting to see
especially some of the bigleaders, like CrowdStrike and
Microsoft and others, starttalking about consolidation.
And how can we help youconsolidate the number of
(27:55):
vendors you're using, the numberof technologies you're using,
so that you know, I mean becausethere's a risk to that.
I mean, just managing a wholebunch of different vendors is
hard on resources, but also,like making sure they're all
secure and keeping up to date iskey, and so we are seeing a
move towards trying toconsolidate and have fewer
(28:17):
vendors and fewer differentproducts in the space.
And so I think the technologiesthat are going to be, you know,
cross-platform, like for us,like helping you patch Windows
and Mac and Linux on all yourdevices as opposed to needing a
different solution for eachthose are the ones that you're
going to start seeing win acrossthe board.
(28:37):
And then also, in addition tojust sort of consolidating the
different vendors, I think ingeneral, you know just the more
that we can bring togethervisibility into what's happening
across your systems, the betterin and get all your alerts and
(29:05):
keep an eye, but I feel like ITis missing, that IT doesn't have
that single view into all mydeployments that are happening,
all my patches that arehappening, all the things in
real time and I actually believecertainly that's where we're
heading from a product visionperspective is starting to give
companies more unified insightinto both their security and
their IT operations, bringingthem together into one kind of
(29:27):
single pane of glass so that youcan stay on top of all the
changes and data that arehappening across endpoints and
across the network.
Speaker 1 (29:37):
So talk to me about how Adaptiva does that right,
how you guys bridge the gapbetween all these different kind
of sprawling domains ofvulnerability management and
bring it all together into aconsolidated way.
Speaker 2 (29:54):
Yeah, so we built a platform we call it our one-site
platform and on top of that webuilt a suite of products, and
the one that most you know we'retalking about most these days
is our patch management one-sitepatch solution which integrates
with all your differentvulnerability management
solutions out there in themarketplace today.
(30:15):
So, for example, next week I'mgoing to crowdstrike's falcon
event in in europe and um, andthere we'll be showcasing how
you can use Falcon to analyzeand assess all the
vulnerabilities on your network.
They have something calledtheir expert AI rating that
prioritizes them as critical,high, medium, low.
(30:38):
We take all that data and wetake their criticality factors
in and we allow you to set uppatching strategies based on
that data.
So if it's a critical one,maybe I want you to go patch it
right away with very limitedapprovals, but if it's a lower,
medium one, maybe I want to rollthat out more slowly.
A series of deployment waves.
(31:00):
Deployment waves she set upthose rules in our system, but
we're pulling in all thevulnerability management
information from thevulnerability management
providers and then we're kind ofconsolidating, reporting them
right.
So, immediately, the securityteams can quickly see the
reports, see the insights inreal time.
Okay, how are myvulnerabilities getting patched?
(31:22):
Which devices still need to bepatched?
Which ones are successful?
What versions are they on Allthat rich insight and data in
real time?
So today in many companiesthose vulnerability assessments,
they print them out on likehuge Excel spreadsheets and hand
them over to IT and say gopatch this.
(31:43):
And they meet every week andkind of fight back and forth on
why more things weren't patched.
We're hoping again that by justpulling all that data, in
taking automated action on thedata, you can solve that or
resolve those kind of back andforth fights on vulnerabilities
and provide a single, unifiedview into the compliance of your
(32:05):
organization and it.
Speaker 1 (32:08):
So it sounds like you know my, my developers or my
engineers.
They would be able to log inand like see the assets that
they're responsible for, or getlike some sort of automated
alerts like hey, you know thisnew high finding or whatever
right is on your assets overhere.
Here's the card.
(32:28):
Go work on it, that sort ofthing.
Is there a flag?
Speaker 2 (32:34):
We're taking a slightly different approach.
I mean traditional patchmanagement forces kind of the IT
teams to have to go in andevery time a patch comes out
they have to take it down, takethe metadata, configure it, test
it, roll it out to a testsystem, make sure it's working.
With us we have a team that'sconstantly putting those patches
(32:56):
into our catalog and really ourcustomers just set up the rules
.
They say anytime for you knowthis group of machines or for
this type of patch, do thesethings, and so we let you really
set up the strategies and thenwe automate it.
(33:19):
So we believe in reallyspeeding and accelerating the
patching through automation soyou're not having to manually
patch and set up deployments foreach patch.
You're setting your rules forpatching as an organization and
we're taking care of the rest.
But we're putting controls inplace too, because we know
(33:39):
automation can be scary.
Bad things can happen sometimeswhen you roll out patches and we
give a lot of control over thatprocess so you can pause
patching, you can cancel patches, you can roll back patches to
previous versions.
Our belief is you need to movefaster.
The bad guys are not slowingdown.
You need to find ways toaccelerate and free up your IT
(34:01):
teams and limited resources, andso by allowing them to set up
their rules and then we automate, but giving them controls and
guardrails that if somethingdoes go wrong, they can pause.
Take a minute.
That's our belief on howpatching should really happen in
the future.
Speaker 1 (34:17):
Hmm, and does it work for like pipeline security or
pipeline vulnerabilities?
Speaker 2 (34:25):
We're focused on endpoint.
So our patching is aroundendpoints, but we're beta
testing right now the fullcross-platform, so Mac, linux
and Windows updates, and thenalso third-party applications,
and then also third-partyapplications.
We support patching of over9,000 third-party applications
(34:46):
BIOS, drivers, servers, allsorts of patching, truly unified
endpoint patching.
Speaker 1 (34:54):
That's interesting.
It seemed like when I got intosecurity, the industry was at a
scheduled, a scheduled, you knowpatching process right, where
you're like, like what you said,this group of devices gets
patched, you know, every mondaynight at like midnight or
whatever it might be right.
(35:14):
And then I think, as people gotmore into the cloud and their
environments grew rapidly, theystarted moving away from that.
It's interesting because Iactually never noticed moving
away from it, but I moved awayfrom it and it's a fascinating
way to kind of bring it back,especially if you're
(35:37):
centralizing all of it right,like you're making it more
easily consumable for everythingto be in one place and then
schedule it out from there.
That really kind of like freesup at least my developers, right
, frees up my developers to beable to do developing work
rather than security worknecessarily.
Speaker 2 (36:01):
It's the only way you can really start.
I mean, with the rate ofvulnerabilities that we were
talking about earlier and justhow many are coming at you and
how quickly they're beingexploited, the only way that you
can get the scale necessary isto automate work, and right now
we did a state of patchmanagement report with the
Ponemon Institute and we foundthat 59% said it was taking them
(36:24):
two weeks or more to begin apatch, a deployment after a
patch was released.
So that's just like way toolong when, on average,
vulnerabilities are beingexploited every seven days.
And in many cases I thinkGartner found it was taking,
like companies, a month or moreto fully roll out of cash.
So that's just never.
You're just constantly going tobe behind and it's never going
(36:47):
to scale.
And so we're very bullish onautomation that's going to help
you scale, but automation withcontrol, yeah.
So yeah, it's a mindset shift alittle bit for companies, but
with how limited we are inresources right now and people
to just tackle this problem,technology is going to have to
(37:10):
fill the gap.
Speaker 1 (37:11):
Yeah, yeah, absolutely.
Well, you know, unfortunately,I think we're at like the top of
our time here.
I know you have a flight tocatch and whatnot, but you know
I really enjoyed ourconversation.
I definitely would want to haveyou back on sometime.
Speaker 2 (37:26):
Yeah, it was great, joe, I loved it.
Thanks for letting a marketerstray over here.
I appreciate it and would loveto talk again in the future.
Speaker 1 (37:34):
Yeah, yeah, absolutely.
Well, before I let you go, howabout you tell my audience you
know where they could connectwith you if they wanted to
connect with you and where theycould find the company if they
wanted to learn more?
Speaker 2 (37:45):
Sure, I'm very active on LinkedIn, so that's a great
place to find me and Baker andLinkedIn, and then also Adapteva
is the name of the companyA-D-A-P-T-I-V-A.
If you're a drummer, I want togo check that out.
I blog on there and we have alot of great resources just for
training.
And also, I know we talked alot about entering the
(38:07):
cybersecurity field.
I will just put a shout out to.
I'm very active in Women in theCloud, and Women in the Cloud
right now is working withMicrosoft, who's sponsoring over
5,000 scholarships for peoplewho want to take the Microsoft
Fundamentals course in security.
That's a great one for womenand allies as well.
(38:29):
It's gender neutral to go andapply for those scholarships.
If you want to break intocybersecurity, I highly
recommend going and taking alook at that, and that's a great
way to start getting some ofthose early certifications with
Microsoft in order to startshowcasing and learning more
about cybersecurity.
So definitely check that out aswell.
Speaker 1 (38:49):
Yeah, absolutely Well , thanks everyone.
I hope you enjoyed this episode.
Popular Podcasts
Stuff You Should Know
If you've ever wanted to know about champagne, satanism, the Stonewall Uprising, chaos theory, LSD, El Nino, true crime and Rosa Parks, then look no further. Josh and Chuck have you covered.
Dateline NBC
Current and classic episodes, featuring compelling true-crime mysteries, powerful documentaries and in-depth investigations. Follow now to get the latest episodes of Dateline NBC completely free, or subscribe to Dateline Premium for ad-free listening and exclusive bonus content: DatelinePremium.com
On Purpose with Jay Shetty
I’m Jay Shetty host of On Purpose the worlds #1 Mental Health podcast and I’m so grateful you found us. I started this podcast 5 years ago to invite you into conversations and workshops that are designed to help make you happier, healthier and more healed. I believe that when you (yes you) feel seen, heard and understood you’re able to deal with relationship struggles, work challenges and life’s ups and downs with more ease and grace. I interview experts, celebrities, thought leaders and athletes so that we can grow our mindset, build better habits and uncover a side of them we’ve never seen before. New episodes every Monday and Friday. Your support means the world to me and I don’t take it for granted — click the follow button and leave a review to help us spread the love with On Purpose. I can’t wait for you to listen to your first or 500th episode!