Episode Transcript
Available transcripts are automatically generated. Complete accuracy is not guaranteed.
Jess Vachon (00:33):
Hey everyone, welcome to episode one of Voices of the Vigilant podcast. So happy to have you all here. I'm even happier to have my guest, Clea Ostendorf of Wolfpack Security. Clea is the CEO and co-founder of Wolfpack Security and rather than me tell you all about Clea and Wolfpack Security, I'm going to turn it over to Clea and let her tell you about herself and introduce herself. Clea, welcome.
Clea Ostendorf (01:08):
Thank you, Jess. I'm so excited to be here. I remember this starting from a conversation on a bench at RSA years ago, so it's really cool to see this coming to life. So I'm Clea Ostendorf, co-founder and CEO of Wolfpack Security. We're an application security consultancy. What that means is we are not going to be coming in to sell you a product. We are here to stop the bleeding and make your products more secure. So we do that through penetration testing, through consulting services, through helping in DevSecOps optimization and whatever else somebody needs in the space.
Jess Vachon (01:45):
And how long has
the company been in existence?
Clea Ostendorf (01:54):
So if anyone's ever started a company, it takes a lot longer than you expect. So we have been around about a year and a half and then we went live, you know, open for business last June. So we're coming up on a year.
Nice and how are you feeling about everything I know previous to us going live? We talked a little bit about you know that level of responsibility, that that commitment that you're making. Can you talk a little bit about that for us?
Oh, man, sure, I mean that I saw a video where somebody was saying living what life is living like? Living with a startup founder and it was this girl. Like dancing to techno music, so excited, life is so good, and then she's crying and then she's up and dancing. So that's how it's going. I mean, there's highs and lows, and like in anything, you just have to kind of mourn the losses quickly and then keep moving on, looking forward because time doesn't stop.
Jess Vachon (02:51):
Yeah, building up that business is a lot of that work and it is a lot of the highs and lows like working on Vigilant Violet and Voices of the Vigilant myself it's been daunting sometimes and overwhelming at other times, but when you get to that day, when you go live, it makes it worth it. And then after that there's the highs and the lows. But I don't know about you. For me it's those little bright spots that start to add up, that make it all worth it. And I suspect, because you haven't folded up the tables and gone to do something else, that is happening for you. Would you agree?
Clea Ostendorf (03:33):
Oh yeah, absolutely. I mean we've we've seen great success with, you know, the customers that we have and our story is resonating. And it's such a relief to know, when I speak to somebody, we're not we're here to help you, we're here to solve problems, period. This is not, you know, future state. We'll get there, but where are you bleeding today? Where can I help you today? And let's make some, some progress to, to support you, because I think, especially in security, we are all understaffed, we're overwhelmed, we're totally burnt out by alert fatigue and sometimes you just need somebody to help guide you through that noise and that mess so that you have a clear perspective on how to move forward. And that's what we're doing. So that's incredibly rewarding when you see the light through the trees and you get that feedback from your partners and customers and you know the team, it feels energized, that they're doing making a difference, because you know some people start a company to make money. Yes, we all, you know, need to live, but I think founders I can speak for myself you know we're doing this because we see a gap and we want to make that difference. So we think we can. So it drives me.
Jess Vachon (04:47):
So I have to ask, a lot of companies have limited budgets, right, and as we look out at you know the posts that we're seeing on LinkedIn or just watching the tech news a lot of companies now half um, ostensibly because of shareholder value or limited funds that they can put towards information security, and specifically, AppSec. Are you finding that change in the marketplace or that dynamic, is working in favor of your company? So, when I asked that question, are you finding that more companies are choosing to go out and partner with a managed services provider or a supplemental type staffing arrangement? Is that what you're finding for your company?
Clea Ostendorf (05:39):
Yeah, yeah, I mean, of course it depends, right, that's always going to be the answer. But we are seeing that because teams have been cut and the noise is not reducing, right. And I can almost equate it to the mistakes I made when I was. I remodeled my kitchen when we first moved into this house and I thought, I mean, I think I have good design sense, I can do all this, I can, you know, design the kitchen. I know where things go, you know I'm good enough, but when it gets down to the level of detail that's needed to actually complete the project, I was way out of my league. And I think that happens to a lot of teams where you know application security is not the same mindset and it's not the same deliverables. And the same people that you work with we'll say, on network security or the perimeter, or, you know, securing from the outside, these are your internal employees, your peers, that you have to shift their mindset on how to be more efficient in building secure products. So it's more, I think it's more challenging than you know just a contractor coming in and fixing everything. It has to be a partnership across the board and we have found people who are receptive to that. Now the first parts of the project 100% are we are stopping the bleeding, we are triaging alerts, we are assigning it to the teams, and then you build trust and then you can start to say okay, well, how is this process broken? Let's talk about that. Let's empower the engineering team to make the right decisions based on the information that we have and the things that we've been working on together to fix this. So I mean, it's incredibly rewarding because it's not a checkbox and walk away.
Jess Vachon (07:23):
I love that approach and that cooperation that you speak of is, in my experience, that's always the tricky part to figure out, right, is that trust relationship and what does, you know, Wolfpack do? And what does the customer's team do? And that first engagement where the internal team is saying, well, what about our jobs? Like, are we being replaced? And then you and your team coming in saying, no, you know, we're kind of the cavalry coming to save you. I mean, how do you overcome that piece of the dynamic?
Clea Ostendorf (08:02):
I think it has to do with trust and, like anything, communication. So for our, our partnerships, we're often on a Slack channel with with the team, and that just helps put us where the messages are happening, right. So we're hearing the communication. We're we're hearing like hey, I don't know how to, what's going on with this? This build isn't working. I'm getting blocked by this security control. What's happening? And then we can jump in and say, hey, have you thought about this? What about rerouting how you're consuming this information? Here's another option, and it's not telling somebody to do something. It's more like I'm here to help you. We're here to brainstorm. You know this has worked in other places. I'm going to give you that option. You know, it's just somebody to help guide you in a non-assuming way.
Jess Vachon (08:54):
I love it. I love that approach. I want to change up the discussion just a little bit so people who are just getting to know you and listen to you right now they need to understand that you just didn't wake up one day and say I want to start this company and I want to pursue AppSec as my new direction in my career. Can you tell us, like, how did you get to where you are today? Like, what was your career path to this point?
Clea Ostendorf (09:24):
Very roundabout. So my career career started. First of all, I studied international affairs because I thought I wanted to be a diplomat. Um, that did not happen. And so, like a natural progression, I went into technology sales, because those two are so connected. Um, but it, but it really, I mean it opened up my eyes to a whole nother world. I remember when I first started I was like what is Java? I feel like you know, like Googling, what Java is, what is this, you know? So I learned a lot on the fly. I'm naturally inquisitive, which I think is both a positive and a negative. Most times it's usually positive. So I just kept digging in and asking questions about processes. And you know why this, why this problem exists in the first place. And what are you doing that's not working? What are you doing that you think could work? And that led me into security. Because I would ask my, my customers okay, yes, I can help you with this technology role, but what do you really need help with? And they said cybersecurity. So this was 15 years ago and I said, oh, okay, I'll look into security. What is security? And then I totally became enamored because it's this battle of good and evil and we're all fighting against the same kind of attackers and this incredible community and incredibly smart people who are thinking outside of the box to secure all of us and I just I really felt like it was part of a greater good. The security community so moved into another sales role at a consulting firm, helped do a product, launch a product for them. We were a little ahead of our time but it was a really cool application security developer training product.
And then I joined Code42 where I did customer implementation, program building and then ultimately left as field CISO, which was a fantastic role, allowed me to do a lot of research and talk to you know all different walks of people and understand you know what makes them tick, problems they were having, help solution with them. And then one of my old co-workers reached out to me and said, hey, I have some investors who want to start a security company. And I said, oh, okay, let's talk. And then this, this came about and it was really, it's been an incredible journey. It's a huge learning curve but you know, at the end of the day, it's the fundamentals that we have to run through, which is listening, asking questions, understanding problem pain points and coming to the table saying can we help you or not? And if we can't then let's recommend somebody else who can. So, again, it's sort of coming back to what I love to do, which is learn and solve problems, help people.
Jess Vachon (12:19):
Love it. So when we first met a few years ago, you were working in insider risk, insider threat management, and what I found interesting was, when we were talking about it, I was approaching it as almost an adversarial type program where I'm watching people and making sure they're not doing wrong and then, if they are, slap them on the wrist. You opened my eyes and said, no, that's not the approach that you want. You want one of collaboration, you want one of understanding, you want one of education, which completely changed how I thought about the relationship, not just in security, but with peers across an organization. We have to have more respect for the people we're working with. Those of us in information security can't approach anything we do with this thought process that our coworkers are the enemy, they're the threat, right? How did you get yourself to that point? You learned information security or you you kind of grew into that role? How did you get yourself into that mindset um, so early in your career? Was there anything in particular that happened, or is it just because of the values that you live as a person?
Clea Ostendorf (13:40):
I mean it was a combination of both. You know, working for Code42 and with the Insider product it was named Insider. Right, we were talking Insider Threat and the market really pushed back on that, the market being, we'll say, technology companies and the commercial sector really pushed back on that. You know, anyone coming from government or more military background really understood insider threat. That didn't scare them. But when we were taking it to market, the general consensus was this is scary, this is big brother, this is against our culture. We're not allowing this. So we as a company had to shift pretty quickly to redirect how we were framing this and that's where the more collaborative approach came from. But truly, I believe that you know, you if you and I think it's a shift of mindset and how security kind of used to be versus where it's going today. Right? Back in the day you kind of you didn't tell anyone what you're doing, you kept your guard up, you didn't collaborate, you were at a you know hole in the basement. There was no communication across organization, what you're seeing right, it was just we protect, we don't discover, we keep this clandestine world. And now it's much more collaborative, because who's at the front line? It's your employees, it's your peers, right? Who's clicking on the emails? Who's exposing your organization? So if you're not going to collaborate with them and empower them, then I think you're kind of doomed to fail. And you know, people want to do the right thing. They don't want to put their job at risk. They don't want to, you know, hurt their peers. They just need a little coaching and training. And if you do it in a way that's framed as helpful you know we're here to support you and help you then I think people are much more receptive than do this, or you're, you know, going to be written up by HR.
Jess Vachon (15:37):
Yeah, I can see how that part of your experience, that part of your career, is a strength in your role now working with dev teams, because it's so much has to be hand in hand right. It absolutely can't be adversarial. It has to be let's, let's go in the same direction, let's educate each other, let's make sure that we're doing security but keeping the business going, because, as we talked about prior to going live, that that development cycle is so fast now that we, as security people, can't simply say stop, do it my way. We have to sprint catch up to them, run alongside them and say hey, I see what you're doing, it's a good idea, but I have some suggestions on how to do it better, and it sounds like that's the focus of your company and that's the approach you were taking. Would you agree with that?
Clea Ostendorf (16:39):
100%, 100%. I mean, you know our core service is a pen test right, there's a dime a dozen for pen testing companies. What I want to do is say, okay, we found these things. This tells you a lot about what's going on in your development environment. Why don't we work to address them? Yes, we, as Wolfpack, we will help you fix the current vulnerabilities. We will close those gaps. We will support you in that sense. But now let's go one layer deeper and figure out why they're manifesting. Right, because there's broken processes and things are not syncing somewhere upstream that we can help with. Right. And it's a lot of communication. It's a lot of, again, empowerment, right. If you build the guidelines and framework on how you want the checks and balances that you want in the development lifecycle, give that to the engineering team to work into their daily workflows, make it natural for them, let them own that, and then you come back and evaluate. Are we getting better? Are we getting worse? Do we need more? Do we need less? What is the feedback? It has to be dynamic and I think really I mean I mentioned this before, but I feel like, in application security, coming back into this world after a five-year hiatus, we have just tried to buy our way secure, right. There are so many tools and there's so many things that are constantly going on. And who's buying this? It's security, buying it for developers who are like I don't know how to use this, I don't know how to tune this, no one is checking on this. This doesn't make sense to me. I don't know how to fix this. I have another priority, and so they ignore it. Um, and now we've gotten ourself in, you know, a mess, I think, um, and we're slowly trying to, you know, unwind ourselves from that.
I can only assume that there's gonna be a ton of comments after we've finished recording this for everyone, saying absolutely that's exactly what it's like stop just buying tools, not talking to us. Show up with us, work with us. I want to talk about it. So earlier today, you had a post on LinkedIn about an article, State of Application Security Workflow by Kodum Security. I saw that post, I went out and was reading through document. So, the key findings that really stood out for me is that 78% of organizations report fragmentation in toolsets. Right, we just kind of touched upon that. 62% of organizations report remediation as the largest bottleneck. So we're getting all the tools. Now we don't have time to fix the issues that we're finding with the tools. Thinking about the pace, 84% of organizations are pushing for automation because, as I was just mentioning, dev is moving way too fast for security to keep up and we don't have enough cycles for people to manually be patching these vulnerabilities. How do we leverage automation? Which, hello, if you're a CISO in 2025 and you're not thinking automation, get on the bandwagon because otherwise you're getting left behind. And then 75% of organizations say managing security across CI/CD, and prod environments are the top operational challenges. I think you just touched upon all of that. Do you think these statistics are accurate and how do you influence the reduction in those risks and the automation for your customers?
Yes, I think they're absolutely accurate. I'm looking, I have lots of notes here and I was having an amazing brainstorming session with somebody a few weeks ago and we were talking. I was like just break down the DevSecOps world and he listed probably 45 tools that are part of this right that are both developers using or SecOps or security. We'll just say 40 tools. 40 tools are floating around in there giving output at all times. How are you supposed to consume that? How are you supposed to understand that it is tuned correctly, it's working, it's this is my source of truth. It's completely overwhelming. So, yeah, I think this is basically a universal problem. How do we get out of it? I don't. I think security is there to guide, sort of like. As a CISO, you're not actually well, some are, some are not. So in your role, you're not actually in the weeds tuning things right. You are getting the information and you are making decisions and you're communicating that to the business for them to make more decisions right. On a very simplistic level, why can't we do the same thing in application security? Engineers, this is the framework from which we want you to work within. These are the security controls that we are thinking about. How do you want to get there? You choose the tools, you choose the products, you choose the output, you choose the communication. This is what we need to have from you in order to maintain our standards and our frameworks and keep our customers happy. How do you want to get there? And I think for so long it's been. Security is pushing things down to development, and development is, you know, trying to consume everything and, you know, do their job at the same time, and it's just created this rift that we've, we're, we're living in. So how do we fix it? Partnership.
Jess Vachon (22:09):
Okay, I'm trying to think of how to phrase this question, so it's not like I'm handing a grenade to you after I've pulled the pin. So we've outlined the problems. If things don't change, what do you see the future of AppSec security looking like? What do you see the products, the security of products being developed? What do you see that looking like if things don't change?
Clea Ostendorf (22:43):
Well, I will say this I think most new products being developed are secure or more secure than they ever have been. Right, the right checks and balances are in place for new development. That's not always the concern. The concern is all the legacy stuff that exists that has those grenades in them right, Log4j is such an easy one to pick on because we all experienced it right. If there was better visibility and version control and logging, we would have had faster resolution to closing that huge gap. Right, but most places don't want to do that because it's hard and it's messy and it's like legacy boring stuff. No one wants to touch that. But that is where I see a huge gap. It will continue to be there and you know we have to think about that with our eyes wide open.
Jess Vachon (23:43):
Okay, we talked about automation earlier. Let's talk about artificial intelligence. How do you see artificial intelligence as a play, positive or negative?
Clea Ostendorf (23:58):
in AppSec.
It will be positive, and it could be negative too. I mean, just in like every other case. So positive, I'm seeing the adoption of real-time remediation happening in code. So in runtime code, somebody will write something maybe they have a cross-site scripting, which is a very common vulnerability. Instead of letting that pass, the AI will immediately remediate it, or give it a flag and say, hey, fix it this way, right? So it's stopping these vulnerabilities from making it upstream. Okay. So I think that's very positive. I think it also and just in like how we all consume it the information we can't just take for for the truth. We have to also test it logically. So I I hope that these tools remove the low hanging fruit, but there's still the integrity to test things with our brains from a logical perspective. That's where I see this.
Jess Vachon (25:05):
I like that answer. Do you see any tools out there now that leverage AI that you think are bringing value today, or do you think that it's a couple more years until we start to see the real value of having AI added into those tools?
Clea Ostendorf (25:23):
I personally haven't touched them, but I know Korgia is doing runtime, AI recommendations and dry run security. Those are two that I think they're competitors, but you know they're. They're getting a lot of really good traction. So you know, I would say they're interesting to look at. I know all the big players are putting AI on top of everything. Great. But you know again, you got to use it with a grain of salt at this point at least.
Jess Vachon (26:06):
Okay, I know you as a leader. You're always looking for talent in AppSec. What are you looking for today in potential staff for your team, and what would you recommend to someone looking to get into AppSec that they should have for background, whether it's formal education or hands-on experience?
Clea Ostendorf (26:27):
So for our team, we always try and hire former developers who moved into security, and that's very intentional, not only in the work that they're doing, but in the way that they communicate with their customers, i.e. the teams that they're delivering reports to or they're working with. I think understanding just small nuances like instead of saying a vulnerability, you say a bug that makes a difference in gaining trust and understanding amongst teams. So we look for that. My next hires. I'm looking for people who you know have really lived in the trenches of a strong or not strong DevSecOps environment, who can really go in there and understand the strategy and bigger picture of what's being trying to be done and then get into the weeds to actually help fix things that are broken. So that's where we are looking for, you know, future state for Wolfpack. You know really taking the hands-on pen testing and then really also diving deeper back into the processes that got us there in the first place. So that's, you know, if you know anyone we're talking.
Jess Vachon (27:43):
Yeah, if I know anyone, I'm keeping them for myself, right now, I know I know a few people too.
Clea Ostendorf (27:49):
If you know,
maybe you're going to hire them
first.
Jess Vachon (27:52):
Yeah, I think we have to have a no poaching rule between ourselves deal um, well, thank you for that, uh, so I want to. I want to change up the conversation a little bit. We've talked a lot about AppSec and we've talked a lot about, um, your company. I want to move towards the more what I call the more human side of what we do, who we are and how we operate and what our kind of belief systems are that we bring forward. One conversation that I've seen going on that I've found very interesting centers around what it means to be a woman in a professional space. In the past, a lot of conversation has suggested that we have to give things up in order to be successful in our professional lives. In the last year or so, I've seen that conversation shift where more women are saying we don't have to give up anything. We're not asking men what they have to give up. Men will tell you, they're not giving up anything. That conversation is very interesting to me, and one of the things I like to ask other women is how do you view the conversation? Do you find any truth in it? Or do you just show up as a person who's living your life and doing your, running your company, and then is a parent or a spouse or, you know, has a million other things that you do outside of work. Give me your perspective on that.
Clea Ostendorf (29:24):
I kind of vacillate in my head between the two that, yes, you can do it all, you can have it all, and then think realistically. Well, do you? I mean you. You know there's sacrifices. So I'm a mom of two, two boys, six and three, and so you know I get up early in the morning to have a little bit of me time you can see my yoga mat in the back like just a little 30 minutes just take care of yourself, and then it's mom mode, and then it's work mode, and then it's mom mode, and then I need to sleep, right. So where do you fit in your life outside of that? That's, that's been the challenge. And I'm really lucky. I have a lot of really great friends. But I was joking to my husband I'm like I'm not gonna have friends in 10 years because I don't have time for anyone. So that's where I start to get a little sad about it, because there's only so much time and you know, little kids are very demanding and I want to be present for them. But I also need to have time with my husband and I need to. You know, I need my like girl time with my friends. Where I can, just, you know, let loose. So it's. I think it's a balance and you know, each phase of the business and each phase of motherhood changes. I think I'm getting a few hours back each week now, so I'm hopeful that I'll have more. You know balance soon, but you never know. It's ongoing.
Jess Vachon (30:50):
I appreciate that candid answer and it's interesting because I'm a Buddhist and people think that enlightenment is a destination, but a Buddhist will tell you the destination is the trip. That is the enlightenment piece. So being in the moment, being cognizant of each step that you're taking, is what it is all about, right, and what I just heard you talk about was each of those pieces. Like you sound very cognizant of each of those pieces. At the end of the day, do you? Do you feel like, yeah, this is what my life is about, this is the whole thing there's. So, even though you touched on, you have to give something up. Are we really giving anything up? Or is this it? Like all those elements? Is that fulfilling?
Clea Ostendorf (31:44):
That's such a great question. Yeah, I'm pretty happy. I mean I feel I love that I can be present for my kids. That's really important. I had a mom who she was not a stay at home mom, she worked full time but she was always around and always present and that really impacted me as a person to have that support and, um, you know, just somebody always cheering in your back corner. So I want to give that to my children. But I love to work. In fact I love, you know, Monday mornings, that's my special, that's my, that's like me time. I'm like, all right, kids are gone, I could like sit at my computer and do my thing. Um, that's that, I love that. But you know, there's like I would also like to be able to paint again or travel my gosh for fun.
Jess Vachon (32:38):
Nice. So you paint? Tell us about it.
Clea Ostendorf (32:42):
Yeah, I used to do a lot of oil painting landscapes and pets and you know I really enjoyed doing that. But right now if I can scribble with a marker, I feel like, okay, yeah, we got a little creative energy out.
When, when you were younger, is that kind of the path you thought you were going to go in was to be an artist or be more on the creative side, not to suggest that what you're doing now isn't creative?
100%. I wanted to be an actress or an artist and my parents were very practical and said you need to make money, like you need to, like we are not. They were both artists. They're like we're not supporting you, you know so I. So I saw the both the benefits of you know being around artists and then also you know the downside, like let's pay bills and you know that sort of thing.
Nice.
Jess Vachon (33:39):
So what kind of kid were you? Were you the, the good child or the wild child?
Clea Ostendorf (33:46):
I, I like to push boundaries. I still do. Um, you know, I am the type of if you don't tell me no, I assume it's yes. So and I would never I'm not ever malicious and would never hurt somebody but you know, I'd like to, I like to push boundaries. That's probably why I like cyber so much, because it is sort of always teetering on pushing boundaries. So, yeah, I was a little naughty, but I didn't get caught very often. Yeah, I did get caught a few times and then really regretted my choices, but for the most part I was under the radar.
Jess Vachon (34:27):
Do you see the influence of your parents and how you grew up as a strength in what you're doing now?
Clea Ostendorf (34:43):
Totally. They were always thinking outside of the box, always community driven. I mean, they were fantastic, fantastic parents. I'm super lucky and I think I attribute a lot of, and my sister too, who's incredibly accomplished. I think the way we were raised really allowed us to take chances but know we have a safety net and not I'm not saying a financial safety net, more like we're here to support you, like you always, will always support your choices, we believe in you. A lot of positive affirmation and that just built a shell around me like a confidence that I can do it and so far it's working. So better knock on some wood.
Jess Vachon (35:24):
Do you find that whole part of you that you just discussed, that you bring that to work and you coach that or you mentor that with your teams?
Clea Ostendorf (35:42):
I feel like for
the first time since taking this
role you know, starting Wolfpack I am trying to bring my
whole self.
I'm trying to not, um, pretend I'm something I'm not, or pretend I'm somebody I'm
not, I'm in it's.
It's really refreshing, um, you know, to finally take off a
(36:05):
shell and stop pretending that you are one way or another.
You just show up as you are.
I'm a newer manager.
I don't know how to bring that out in people, so Jess, maybe I
(36:26):
lean on you on how you bring out the best in people.
Jess Vachon (36:29):
It's interesting
because I've found and you just
touched upon it, I've found that being vulnerable, allowing
people to see how I'm vulnerable, people will tell us it's a
weakness.
I've found it to be a strength because when you're vulnerable,
others can be vulnerable and you're not spending all this
energy trying to put up a front.
That's, that's inauthentic, right, and so when we get that
(36:53):
out of the way, then then we can work with each other and we can
focus on the things that are important.
So it's, I like to ask that question because I like to see
what others think about that.
And more and more when I ask that question, I'm hearing
people say you know, I just prefer to be me, I prefer to be
vulnerable and open.
(37:15):
We all have a little line that we keep there because, for you
know, human resource issues, legal issues we have to keep a
little bit of a line and and there has to be a delineation of
who's who's at the helm and who isn't at the helm.
And I say that, and, as I say that, I reflect back to what we
(37:39):
were talking about before we went live, where we have all
these different people on our teams, right, and they're all
leaders.
And when I look at the teams I work with, they're all the
experts and my job is just to get the problems out of the way
for them, show them the direction we're going in, make
sure that their voices are heard and they have the ability to
(38:01):
manage up.
I hear a lot of that in what you're saying.
So it's it's interesting whenyou say you're a new manager,
(38:37):
because I think you're bringing a lot of wisdom to the table, a
lot of experience to the table, both your professional wisdom
and experience and your intrinsic value.
That you have, just as as you, Clea, uh, as the person who
wanted to be the artist, uh who, who went into sales and then
found themselves in AppSec running their own company.
Do I have an accurate picture of you or you tell me?
I don't want to tell your story.
Clea Ostendorf (38:50):
You summed it up
yeah, there's a few bumps in
between there, but more or less here we are.
But, yeah, I've always found being not only makes you more
human, it, I mean, it's relatable and you know, you
start to build trust.
Um, and I don't want to be around people who you can't, I
don't want, I can't trust Right, I, I, I, I need to know that
the people around me support me, right, and I will support them.
(39:17):
So the vulnerability helps.
Jess Vachon (39:21):
When you think
forward to that time when you've
decided your career is closing.
You want this to be done.
You know you're moving on to something different.
What legacy do you want to leave behind, or what do you
(39:44):
hope that people will say about what you've contributed as a
leader and in the security realm?
Clea Ostendorf (39:47):
What a great
question.
Hmm, I would hope that theywould say that you know myself
and Wolfpack.
We broke down silos and allowed people to be vulnerable and
share how they are hurting or where they need help and be okay
(40:11):
asking for that help.
I think so often as professionals especially highly
paid professionals who are leading teams or in charge of
things we're afraid to ask for help because it makes us look
weak.
But that shouldn't be the case.
So I hope that our legacy is that we've bridged the silos and
(40:32):
allowed people to feel okay saying I don't know.
Jess Vachon (40:36):
I love it.
I love it.
Okay, I am going to ask what I call an empowering question.
I'm actually getting this from a deck of cards that were given
to me a while back.
It's not meant to embarrass you.
It is meant to put you on the spot a little bit.
I'm going to ask the question in terms of how you would be
asking it to yourself, so just bear with me.
(40:57):
I had three to choose from, and then I said I'll just mix them
up and pick the first one.
So I'm just going to read it and we'll go from there.
Good luck.
Clea Ostendorf (41:08):
All right.
Jess Vachon (41:09):
All right.
What are your most important values and how are they
reflected in your life and your daily decisions?
Clea Ostendorf (41:20):
I had a coworker,
Beth Miller, she said, did a
whole exercise with me on values and it was about 40 cards and
kept pulling them.
So these are the ones that resonate for me Equality, and
equality means we all are putting forth the same amount of
effort when we can.
Equality, you know, across roles, across gender.
(41:44):
In my house, I mean, I'm definitely make my husband be
50-50 with me, otherwise I get really, I get really frustrated.
So that's really important to me that we're all kind of like
balancing this together, both personally and professionally.
Three values, you know trust and honesty.
(42:06):
I don't know if that's one or two, I'm going to roll that into
one.
You know, be honest so that you can trust each other.
And then my third value kindness.
You know, I really think if we all thought about others a
little bit more, the world would be a better place.
Jess Vachon (42:27):
That's awesome.
Thank you for sharing that and playing along with that part of
the podcast.
Oh, it's good, I appreciate it.
So we're coming to the closing portion of the podcast.
Right now, I want to give you an opportunity to tell us what
you're going to be doing in the next month or so and also how
people can find you, both at work and wherever else you are.
Clea Ostendorf (42:51):
All right, so
the next.
So first of all, you can find me on LinkedIn, Clea Ostendorf,
Wolfpack Security.
You can find our website, wolfpacksecurityco, and around
town.
I will be in Chicago this week at a WiCYS event, speaking
amongst a great group of ladies.
(43:12):
I will be in LA speaking at the Layer 8 conference in February
and then in March I'll be in Milwaukee for another Women in
Tech event, and if anyone is in any of those places, I would
love to connect with you.
Jess Vachon (43:27):
I love it.
No moss is growing on you.
No, no, ma'am, thank you so much.
This brings us to the end of this podcast.
I'm so grateful that you were okay with being my inaugural
guest.
It means so much to me.
Please, everyone, go check out Clea, check out Wolfpack, give
(43:48):
them some love, and we'll be looking for your comments after
we close this up.
So thank you.
Clea Ostendorf (43:55):
Thank you so
much, Jess.
Bye.