A New CISO Playbook

This episode has been automatically transcribed by AI, please excuse any typos or grammatical errors. 

Steve King  00:13

Good day everyone. I’m Steve King, the director of cybersecurity advisory services here at CyberTheory. Today’s episode will explore the need for what many of us consider long overdue, and that’s a new CFO playbook with me to explore this topic is time Mozelle the CFO at kanji who is the market leader in Apple device management and security, where he oversees the product engineering infrastructure, data and information security organizations before akanji behind build engineering first security programs at three of the highest valued multibillion dollar SAS startups. According to him, the job of a CSO is to ensure that there are controls and processes in place to help mitigate risk to the organization. In current global instability is up that risk anti anti for all organizations. question is whether or not we’re doing a good enough job. And I think the answer seems obvious, at least to me, so. So welcome. I’m I’m glad you could join us today.

Chaim Mazal  01:24

Absolutely. Thank you so much, Steve. Happy to be here. Sure. Let’s talk kanji, your company manages Apple endpoint devices to typically make up over half of an enterprise’s attack surface. tell our listeners why this is important how you go about it. Yeah, absolutely. Kanji is an Apple device management platform that really focuses on automation and orchestration, and being able to enable it and security teams to effectively manage their fleet, and have detailed insights around some of the risks that might be presented across that fleet. So also, one of the main things that we focus on is being able to go ahead and help organizations have seamless ease of deployments across global landscape. So really being able to focus on ease of use, and being able to provide detailed insights that better inform teams on how to prioritize their success. Now, we’ve always thought, or at least, I’ve been around long enough to have always thought of Apple as security first company and a company that whose products, you don’t have to worry about from a security point of view. And here we’ve got a whole, you know, ecosystem and infrastructure and in your entire company that’s dependent upon the lack of security that the Apple product brings to the attack surface. From your point of view, is that a growing problem? Yeah, absolutely. I definitely agree that Apple is a security first organization. But I think as the market share continues to increase for Apple devices, across the enterprise, we’re seeing a large increase in the level of malware or ransomware, or general overall, you know, attack playbooks that are written for this ecosystem. So there’s been some interesting stats across the increase of Apple devices in the enterprise. I think it’s like last year was a 34% increase on privately owned companies. And I think also fortune 500 companies, you know, we saw somewhere in excess of 20 20% increases, having a majority are 51%, you know, Apple footprint as far as devices. So I think as that market share continues to increase, some of the problems are going to continue to increase as well. So being proactive and making sure that we stay ahead of the trend. And we’re providing, you know, administrators, IT professional security professionals, with the detailed insights that they need to be able to secure their fleet is something that contrary feels extremely passionate

Steve King  04:01

about. Yeah, I’m and I guess the turning point, if there was one came when we all ended up with these massive computing devices that we held in our hand came from Apple called iPhones and, and suddenly we have a integration problem that we didn’t have prior to that. So I guess, depending upon where you’re standing, it shouldn’t be surprising. But nonetheless, when you think of Apple, he always thought of it as, as he said, security first. It appears from you know, looking at kanji, that you guys are kind of focused around a risk register or risk framework where CISOs can identify and prioritize threats and then kind of outline the probability of their ability to affect the organization and And then present kind of an overall potential impact. Can you tell us a little bit about how that framework works and how your customers go about managing it?

Chaim Mazal  05:10

Yeah, so I think kanji first, as far as device management, so we essentially allow for one touch deployments of devices across organizations. And we have some interesting new features, things like blueprints, which say, like business units can have, you know, defined templates of software, and usability features and things that are pre enabled on their devices, as well as library items, which are pre configured items that we can go ahead and deploy across a set of assets or blueprints. And this gives us a certain uniqueness and power that allows us to create a lot of visibility across a lot of very unique segments of assets in an organization. So what that means is it teams security teams, administrators, in general, can now have detailed insights around certain segments of their business around certain end users within their business, and be able effectively to identify risks and calculate that risks and be able to have a mechanism to better inform the risk register, to allow them to make effective decisions about the order of operation in which they address risks. So we have, you know, a large amount of device data and telemetry, you know, across all of the assets, and being able to funnel those back to our end users, whether you know, that is the, you know, IT team security team, or administrator is a very powerful tool to allow them to be able to have detailed insight into the day to day risks across a small segment of their fleet or across larger segments, have their fleet and effectively then go, you know, and work with their other stakeholders within the business to show a downtrend in that risk or to highlight it appropriately. So we’ve done a lot of things as far as compliance, to be able to, you know, relate these back to certain industry standards, to be able to make them consumable for these teams and for the end users. But I really think the power here is the ease of use the automation, the orchestration in which we deploy and manage devices, and then effectively those datasets that allow teams to stay ahead of the curve, as far as addressing risk for the organization. Yeah, you also

Steve King  07:27

claim that that register makes it easy for administrators to stay up to date on compliance, regulations and standards and so forth. And that’s, you know, GDPR, ISO 2701, double O one, PCI, DSS, etc. That, you know, ensure security and processing integrity and privacy and all the rest of that. How exactly does that work? And how much of that process is automated? Would you say, in the not too distant past, it was very difficult to get folks to deploy risk registers, because so much of it was manual.

Chaim Mazal  08:07

Yeah, absolutely. And so I think the automation portion of Conchi is like the compelling part here. It’s like the backbone of everything we do. And so if you can go ahead and set controls, around configuration around software around deployments to your organization to across various business units within your organization, you can effectively enforce requirements that your organization might have to fit some of these global standards. So by having a way to be able to automate, you know, audit, and verify post implementation, that the controls that have been put in place, at a business unit level, at an organization level are, in fact, in place and working and there isn’t variance, I think, is the key to being able to adhere to a lot of compliance frameworks and to be able to provide that level of insight and peace of mind to the end users who are going ahead and deploying pongee on behalf of their organizations. So the fact that we can have uniform controls, deployed at a multitude of levels that can check all of the checkboxes that may be required, I think, is something that, you know, historically organizations have not had. So being able to do that with a tool like Kanji is something that that I’m very excited about as an end user myself and that our customers are very excited about as well.

Steve King  09:28

Yeah, speaking your customers, can you characterize kind of like what your average customer looks like? Just to give our audience a little context here because I’m concerned that folks listen to this and think, Oh, this is great if you’re a Bank of America or somebody huge, that has literally hundreds of 1000s of iPhones wandering around how much this is supplied to small business operations and and come companies that have you know, 50 to 100 employees?

Chaim Mazal  10:02

I think the answer is yes. Is it a great solution for Bank of America’s Yes. Is it a great solution? Or a seed? You know, technology startup? Yes. I think, you know, the underlying commonality that kanji has, as far as its customer base are a modern organizations who deploy and rely on Mac OS laptops to support their employees productivity and success within their roles. That’s across the gamut. So yes, fortune 500 organizations, absolutely. Series D. $8. billion, you know, valued SAS companies, you know, with 2000 devices? The answer is yes. I think the commonality is organizations that want an easy and better way to be able to manage their Apple devices for their end users, and want to do so in a productivity oriented mindset, right, we provide a tool for teams to have ease of use and to be successful without creating a lot of bloat and overhead while providing a tremendous return on investment.

Steve King  11:09

Yeah, and increasingly, you know, from my point of view anyway, that handheld mega computer, which is kind of the way I think of an iPhone, is going to continue to increase the number of shadow IT operations we have throughout all companies, big or small. And as that happens, federal regulations, and we’ve seen so much of this now with the more aggressive Biden administration’s cease operations in terms of recommendations and executive orders, and so forth, that these government regulations will start to look for ways to impose new standards on platform access. How do you guys leverage the existing controls to make sure that companies are in compliance?

Chaim Mazal  11:59

Yeah, I think that’s the incredible part about Kanji is that allowing, you know, your, your organization in your company, to effectively be able to manage assets within your organization, and also be able to create or integrate with safeguards to prevent, you know, any other, you know, devices or shadow IT things from existing within those assets. So that’s one of the incredible things that we have. So with manage, with manage software, on managed devices, and with the implementation of uniformity and controls across a fleet, right, this should give a significant peace of mind, to the business, to the security team, to the IT team, around, you know, the policies that they’re enforcing, to be able to adhere to controls like this. Also, I think it’s a layered approach, you know, using other, you know, brand leading tools, things like Octa for single sign on and for identity and access management in conjunction with Conchi for the device management against, you know, a myriad of other toolings things, you know, zero trust is a big buzzword these days, but really having some kind of certificate authentication to an organization, as far as you know, software applications, and back in business services, I think is a key strategy across the board to be able to ensure and safeguard that you’re meeting all of those controls.

Steve King  13:25

Yeah, I’m sure the country would love to have a similar position as an industry standard here. And we know that, you know, safe access is obviously a big deal. But, but so is network visibility, that includes the ability to, you know, control the flow of traffic and requests to a given company and all of its assets. How does, how do you guys help with contextualized, seeing those traffic patterns, and defending against interference, in particular, at a nation state level, which we’re seeing more and more of that level of interference going on these days?

Chaim Mazal  14:06

You know, it’s something that I touched on just a little bit before, because devices make up such a significant portion, you know, of the threat landscape for an organization, and the amount of data that comes off of devices. And the amount of data that kanji leverages in management of those devices. Using that in correlation with some other datasets that a company or organization might see is very, very, very powerful. So just an example. You know, if organizations have edge traffic, and they’re seeing certain behavior patterns or traffic that that might be alarming. Having the ability to cross correlate that against, you know, alerts or datasets that you have being generated off of your devices, you know, to validate assumptions or to be able to invalidate assumptions is an extremely powerful tool. Another big part of organist Asians is their cloud posture. So you know, being able to look at your cloud base assets, being able to look at those datasets. And then being able, again, to leverage that data against what you have going on your actual device data, your end user data, to be able to provide any additional insight to activity patterns are anomalous activity, I think is something that is very much needed and demanded by most security organizations today, looking at things in silos is no longer an effective practice or game plan. Having those robust data sets that you can go ahead and really be able to leverage across the entirety of your organization and entirety of your your threat landscape is something that organizations and security operations teams are demanding to be successful. So I’m very excited that kanji does have that robust level of telemetry, that works really good for IT professionals and admins to be able to troubleshoot as well as security teams to have the detailed information insight that they need to be able to track any potential threats across an organization.

Steve King  16:06

Based on what we talked about, you certainly have the data. So that’s terrific. And I think, you know, as we look out into the future, we’re gonna see more of these sort of backbone level attack attempts, ISP and uptime, that affect availability and continuity and networks that would seems that this will naturally extend to all the major cloud providers and, and other internet resources. And, you know, bad actors, you know, tend to focus on resources that allow folks to continuously share information, including services tied to the economy, how do we help prevent cyber attacks against critical infrastructure systems, like those driving, you know, power generation or electricity production?

Chaim Mazal  16:55

I think this is extremely difficult because as motive switch and change, obviously, you know, the way that we go ahead and approach these scenarios have to change as well, when things no longer become monetarily incentivized. And now they have geopolitical ramifications, I really think that there has to be a strong collaboration, you know, with the federal government to be able to ensure that we have a baseline, a framework that we’re going ahead and applying to the segment’s because unfortunately, a lot of our critical infrastructure and the way that it’s actively managed, is severely outdated in general hygiene practices. And a lot of these cases has not been performed. So coming up with a baseline and being able to identify what controls have to be put in place at a bare minimum level. And then also, I think, you know, second to that, it’s how can organizations also be successful with commerce amid some of these emerging attacks and threats? And how can they leverage, you know, a technology stack that would provide for redundancy and continuity in the event that a major segment of you know, the internet or service providers were no longer, you know, available. And so I think most organizations have to take into account that having, you know, a sole provider for a lot of their major offerings is not a sustainable gameplan at this point, and thinking about how to create a layered approach to be able to have backups and fail overs in the event of major catastrophe. You know, I think that we’re living in the golden age of SaaS right now. So it’s, it’s really, as there’s multiple providers, and every space and being able to leverage that combined technology stack might give this some solace, you know, to the business and stakeholders as well. But I really think a general framework for how we manage this key infrastructure, how we manage our overall power, energy, and core service of Internet backbone, I think there does have to be some baseline standard and unification, and watching the federal government continue to drive this through the Biden administration. I think it’s something that’s necessary and has to happen.

Steve King  19:15

Yeah. However, the folks at NIST would tell you, we’ve been at this for years and no one pays attention to us. There are tons of frameworks out there, there’s tons of standards, we’ve addressed all of these issues. And as long as the executive orders continue to, quote, recommend versus mandate, these changes. And again, I mean, I’m not referring to direct DOD, contracts or status, but rather, subs and subs to the service. And then to you know, the commercial infrastructure as a, as a generalized whole. It’s hard to envision much changing. It seems to me And the more that we do these podcasts and talk to folks like yourself, it seems to me that every week, it becomes more complicated, it becomes more complex, we keep upping the ante on the number of elements that we keep adding into the equation, and then the calculus, you know that it’s gotten to the point where it’s almost impossible to manage all of that. So I guess, as a, put your seaso hat on for a minute or, you know, however you want to view it, you’re, you’re even from a product, I guess, from a product centric seaso view? What are your thoughts about how, how do we get out of this? How do we stop the proliferation of complexity? And yeah, you mentioned earlier that, you know, we can’t even get basic hygiene together or down, we don’t have the resources. We don’t know what to do, even though it’s all published, there seems to be a real gap between the current population of skilled security practitioners and the task at hand.

Chaim Mazal  21:15

Yeah, no, absolutely. I do think that, again, in large organizations, and let’s just even say, you know, fortune 100 industrial, because they’ve existed for so long, and there’s so much sprawl. And there’s so many contractors, and there’s so many acquisitions. And it’s a patchwork of, of technologies that have led to this combined success over a period of time, it creates a large series of cracks, right, there is a lot of risk and the ability to manage such a large portfolio of risk over time, when there was discrepancies, disparities, and there wasn’t, you know, any uniformity along the way, is an increasingly difficult problem to solve. But I also do believe in the free market as well. And unfortunately, if these organizations don’t change, and they don’t prioritize hygiene, they don’t prioritize consolidation of technologies and platforms, they will be compromised, and they will have breaches, and that will effectively lead to unfortunately, them becoming insolvent, like or having a major, you know, loss in in their value, right. And if you lose consumer confidence, even, you know, at this level, obviously, those are large ramifications. That’s what’s driving organizations as a whole, to prioritize security. First, I’d love to say that, hey, it’s strong recommendations from the federal government or executive orders. But the real driver for prioritization in business is the long term success of the business. And as long as there’s huge fiscal ramifications and impacts that are being felt across the board by companies that are associated with breaches, or who have had significant material impact by breaches, that is going to be the only driver for prioritization to occur and to take place. And that’s really what’s pushing it to the forefront of every CEOs mind. Like these are conversations that are happening in boardrooms continuously. Now, security has a place at the table because of the financial impact that presents itself in the event that there’s a loss in consumer confidence by breach. Unfortunately, with some of these, you know, older, long standing major industrial institutions within our organization, things take a lot longer to transform, right things don’t happen overnight. And there is a slow progress. But you know, again, from speaking with my peers in the industry, and from knowing people who are definitely a part of addressing some of these larger problems, there is momentum, there is active prioritization, there is active funding. And I think that’s really the only way out of it. The only way out of it is like, hey, we know that this provides significant risk to the business at a business level. And so therefore, we’re making the appropriate prioritizations and giving the appropriate budgets to be able to actively make improvements over a period of time. Again, we’ve seen this happen across financial industries. We’ve seen this happen across technology, and so we’re going to see it happen at the industrial level as well.

Steve King  24:21

Yeah, I hear you. I don’t think it’s surprising that the tightest organizations on the planet from a security point of view are banks. It’s never, you know, in my opinion, these issues have never been a budgetary issue. Because if we look at it from an enterprise risk management point of view, all we’re doing is trying to figure out how to transfer that risk as part of our normal job as a as a board director, and it doesn’t make any difference to us whether we buy insurance or whether we accept it. That you know, I mean, $40 million, is like not a big deal right to At multibillion dollar company, it’s like coffee money. So, you know, really, who cares, right? I mean, if we had breached, we get breached, it doesn’t matter. Let’s move on. What does matter, however, is the fact that I don’t have a Get Out of Jail Free card, and that there may be consequences on a personal liability point of view from my position as a board member. Until that happens, I just don’t see how we’re going to have the kind of leverage required to get anybody to affect any meaningful change. You have any thoughts about that?

Chaim Mazal  25:34

I do think that, you know, we have seen significant change, even in the last 10 years without having that, and I do agree that it is, you know, some organizations accept and manage risk in different ways, whether that is liability insurance, or you know, whether that is accepting that risk. But we’ve seen a huge amount of momentum, as far as prioritization for security as a whole security becoming, you know, a first class citizen, you know, within businesses. And then also, you know, being a topic that’s, you know, front and center at board meetings. So even though it’s been slow coming, I do think we can lie about the numbers, but the numbers don’t lie and significant material impact to business based on loss of consumer confidence is a very, very real thing, something that in cybersecurity insurance cannot buy your way out of. So although I am optimistic that things aren’t getting better, I do think that we do have a large room for improvement going forward.

Steve King  26:37

That’s great. I appreciate your optimism, and positivity home. And I also appreciate you taking the time today to sit down with us and talk through some of these issues. And, and in particular, share your view about the kind of future state here and where we’re heading. So. So thank you for joining us, and congratulations for your success here at Kouachi. I hope you continue to have more of the same.

Chaim Mazal  27:09

Thank you so much, Steve, really appreciate it. Great being here today.

Steve King  27:12

Thanks Take care.