Zane Lackey is the co-founder and CSO at Signal Sciences, and the author of Building a Modern Security Program (O’Reilly Media). He serves on multiple Advisory Boards including the National Technology Security Coalition, the Internet Bug Bounty Program, and the US State Department-backed Open Technology Fund. Prior to co-founding Signal Sciences, Zane led a security team at the forefront of the DevOps/Cloud shift as CISO of Etsy.
In this interview with Help Net Security he discusses CISO challenges, cloud security strategies, next-gen security, and much more.
Based on your experience, what are the most significant challenges a CISO of a large enterprise faces when trying to strengthen an existing security program?
The challenges facing virtually every CISO right now (and there’s no shortage of those) are the shift to DevOps, cloud and the journey through digital transformation. With this fundamental shift, more and more organizations are evaluating what this means for their security program and recognizing the need to make security a real-time, everyday part of an agile development culture.
At a high level, security needs to shift its core role from being a blocker to an enabler. To be successful, security must focus on bringing security capabilities directly to development and operations teams, and enabling those teams to be security self-sufficient.
Modern enterprises use a variety of on-premise, multi-cloud and hybrid-cloud apps. What’s the perfect strategy for making sure all of these are kept secure?
In the past, enterprises operated on traditional software engineering models of data center and waterfall development and deployment strategies. In some ways, it meant bringing in new solutions was pretty simple. IT could just buy hardware appliances to plug into the data centers.
At the enterprise level, there are now legacy apps in data centers, new apps in the cloud, microservices in containers, and everything in between. As a result, enterprises must focus on bringing in new technologies that are flexible and can be deployed anywhere — whether in a hybrid cloud environment, multi-cloud environment, or even legacy data centers.
We see security professionals talking about the next generation of security all the time. What does this mean for you? What’s cutting-edge nowadays and what should security leaders pay attention to?
There’s an exciting shift going on in the security product market. Historically, security products have always been designed for dedicated security experts, which has resulted in the technology being used in a highly siloed fashion. Flash forward to today, and the number one defining characteristic of modern (or “next gen”) security tooling is the focus on products that can be used by the development teams, DevOps teams, as well as the security teams.
In today’s world, security teams can’t scale headcount fast enough to keep up with adoption of DevOps and cloud, so they need to focus on bringing security capabilities to the rest of the organization that it can consume directly.
DevOps, Continuous Delivery and Agile are surfacing in security teams. What advice would you give to an organization that wants to modernize security in the DevSecOps era?
DevOps and the shift to cloud are here to stay for the foreseeable future and will only increase in velocity. The only way for security teams to scale is by embedding security capabilities directly into the development and operational teams. This means training developers or embedding a security partner directly into those DevOps teams, then complementing them with modern security technology that doesn’t require a siloed security expert and, instead, can be used directly by those teams.
Why do global companies use your next-gen WAF and RASP to protect web applications, APIs and microservices? What makes it unique?
We come from being practitioners ourselves. Our story started at Etsy, where we were running security at the forefront of the DevOps/cloud shift and growing increasingly frustrated with legacy web application firewall (WAF) technology that didn’t enable our DevOps/cloud shift and kept breaking our apps with false positives. So, we built a modern approach.
We took the lessons learned from Etsy and started Signal Sciences. We’re now defending more than 10,000 applications for Fortune 500 companies all the way down to small-scale startups. Our customers consistently tell us they are shocked and delighted by three key attributes:
1. 95 percent of our customers use us in full blocking mode for all of their production traffic with no learning, no tuning, and none of the false positives that they are used to with legacy WAFs, such as Imperva, Akamai and F5.
2. 9 out of 10 organizations who try us, buy us. This point really speaks to the fact that we’ve all been frustrated with the legacy WAF industry for so long that it’s such a breath of fresh air when you get your hands on something new and modern that just works.
3. Our architecture is built based on how a modern enterprise is constructed today. This means an organization can have applications in the cloud, in a data center, and everywhere in between. We provide an architecture that works seamlessly right out of the box for hybrid cloud, multi-cloud, and legacy data center applications.