Cloud Security Today
The Cloud Security Today podcast features expert commentary and personal stories on the “how” side of cloud security. This is not a news program but rather a podcast that focuses on the practical side of launching a cloud security program, implementing DevSecOps, and understanding the threats most impacting the cloud today.
Bonus: AI and data security
Episode Summary
On this episode, Global Head of InfoSec and GRC Strategy at VMware, Ashish Suri, joins the show to discuss data security and AI. Ashish has over 20 years of experience in business transformation, cybersecurity, data privacy, and enterprise risk management. He has served in numerous roles, including Head of Data Risk, Privacy, and Cybersecurity at Apple, Head of Technology Process and Controls at PayPal, and Senior Director of Finance Internal Controls at Visa.
Today, Ashish talks about the distinction between data secrecy and data security, data security in the Cloud, and the business benefits of investing in data security. How does AI fit into security? Hear about cost-effective risk mitigation strategies and the evolving DSPM space, and get Ashish’s formula for personal growth.
Timestamp Segments
· [01:33] Ashish’s role at Apple.
· [04:27] Data secrecy vs data security.
· [07:20] Data security in the Cloud.
· [09:30] Ashish’s approach to data security.
· [13:53] What does a business get out of data security?
· [17:34] The CIA Triad.
· [21:39] AI and Cloud security.
· [24:24] AI in cybersecurity products.
· [27:59] Cost-effective risk mitigation strategies.
· [30:49] Wading through the DSPM space.
· [35:15] Ashish’s growth formula.
· [37:06] Being humble.
· [38:00] Ashish’s parting words.
Notable Quotes
· “The more we are out there in the Cloud, the larger our footprint becomes, and the risk continues multiplying in different directions.”
· “Speed, accuracy, and automation will also get complemented with people, process, and technology.”
· “Keep learning and keep listening.”
Relevant Links
Website: Bedrock Security
[00:00] Intro: This is the Cloud Security Today podcast, where leaders learn how to get Cloud security done, and now, your host, Matt Chiodi.
[00:13] Matt Chiodi: Data security is one of those topics that listeners have been asking me for months to do on the show, and at first, I thought, “man, we've covered this before,” but after I looked at the last three and a half years of podcasts, I realized, as usual, my listeners are right. So, on today's episode, we are going to talk about data security, and specifically, data security in the Cloud, and I wanted to bring on someone who could look at this, not from a vendor perspective, but from a governance, risk, and compliance perspective, and I could think of no one better than Ashish Suri. Now, Ashish, I love his experience, and yes, I'm always a sucker for someone who has worked at places like Apple, VMware, eBay, Visa, etc., because these are all companies that are known for innovation, and that typically means that people that work there are innovative, and Ashish and I, we talk over this topic, and yes, you'll love this, because we only talk about it from a vendor perspective for about three minutes. We really focus on people and process, and then at the end, we get into the technology side. I hope you enjoy the episode. Ashish, welcome to the show.
[01:29] Ashish Suri: Thanks, Matt. Thanks for having me here.
[01:31] Matt: This is going to be fascinating. I love your background, and immediately, I want to go to your role that you had at Apple. Tell me this. You were the head of data risk for enterprise and new products security. When you think about your three-year tenure there, what are you most proud of?
[01:51] Ashish: If I was to go back, in my previous life, or what I have done, coming from a background of compliance, and then working with some of the FinTech organizations like Visa or PayPal, and then landing a, I would say, very surprising role at Apple, which was all to do with data secrecy, I would say my three years taught me a lot around data secrecy. That's number one, and actually, dealing with data secrecy dovetails with supply chain. Now, we're not talking about the software supply chain. We are talking about the actual product supply chain, our manufacturing vertical-based supply chain, where the products are being made, the products are being developed, the products are being designed, and then you have a go-to-market for those products. So, a lot went in those three years, I would say, three-plus years of having me look into what is the actual core crown jewel information that we are trying to protect during the journey of a product, right from a design state to the final stage, where it reaches the end consumer?
So, I think, I would say, protecting that information, right from the schematics of the products that are being designed, which will be absolutely brand-new, and probably trying to revolutionize the market space in which they are going to be sold, was probably the most intriguing aspect of my stay with Apple. A lot went in, in terms of dealing with the third parties, who are your partners, developing prototypes on those schematics, developing, I would say, products in various stages of its lifecycle, and how do you protect the crown jewel information that could be the algorithm, could be software, could be a camera, could be any of those things that are pretty much brand-new, that the market has never seen, and you're trying to protect that information, but that's the data secrecy element of it, and obviously, after data secrecy comes the data security aspect of it, because you're now trying to protect the actual nuts and bolts of those products that make that product tick and compete in the market space. So, I think, combining those two elements together, of secrecy and security, was probably the biggest learning experience for me.
[04:26] Matt: I love that, and you're the first one I've spoken to who has really made that distinction between data security and data secrecy. Maybe, let's just double-click on that, just for a minute. What is the real difference between data secrecy versus data security? How do you define that? How do you look at it?
[04:47] Ashish: For me, the data secrecy means what, probably, we are trying to keep under wraps from the public view. For example, if I was to come up with a particular product that has not been introduced in the market space, how do I keep the schematics of that particular product from being stolen by a competitor? Or, if I'm trying to make a prototype or a beta-stage testing that's going on for that product, how do I keep the information contained before it leaks out? Now, that is where I'm trying to be very secretive about a particular product that should not get leaked, in terms of its nuts and bolts, you can say. Whereas now, the data security is, I could be having a code that I am developing, that would create maybe an operating mechanism for that particular product that is unique in its way. It could be an algorithm that is collecting some third-party data or data for some intelligence, and then processing that data, and I'm protecting that aspect from a data security perspective.
So, it could be, let's say, for example, if we take, today, some of these autonomous technology platforms, where there are these cars that are collecting data. Now, that data is being used by the algorithms, which we have now termed LLMs, or whatever language models we are creating. Now, that's processing that data. So, you want to protect those LLMs or those algorithms, and keep them secure in your environment, and that could be from insider threat, or from any attacks that are happening on your environment. Whereas, data secrecy could be, how are you designing some of the elements to collect that data that could be unique to that particular platform? So, you are protecting that, and from the aspect of data secrecy, I would hold that as a crown jewel information and want to remain secretive about it. That's how I will distinguish between data secrecy and data security.
[07:01] Matt: That's helpful. I appreciate that. So, looking at your background, you've been a GRC professional for a number of years, and I think, looking over my guest history, you may actually be the first true GRC person that I've had on. So, I'm really curious to dig into your lens on this, but when you look at the Cloud, from a risk perspective, where does data security fit into that?
[07:26] Ashish: I would answer this question in three parts. First one is, as companies have shifted to Cloud-first, the attack surface, especially with multi-Cloud, and data volume, has accelerated. I mean, you're looking at starting from good old days, when we dealt with some bytes of data, and now we are talking about petabytes, and I do not know how or where we are going with the usage of these, I would say, specific words that are being coined, in terms of the storage space, as such. So, from that perspective, I would say, in fact, Gen AI is also accelerating that. That's number one. Number two is, we are talking about the risk, which has come up, not just from adversaries, but also from insider threats, regulators, and risk to/from customers, or partners, or suppliers. So, your ecosystem is also basically increasing where no longer the risk is contained at one particular register, but that register has multiplied because of all the components that are becoming part of this ecosystem. We are extending that ecosystem to, now, different levels, altogether.
Then the third one is, although it remains challenging to be cost-effective, understanding our risks is the key out here. The precision with which we have to deal with risks and not interrupt the business with any friction has become an important ingredient to look at the Cloud, from a risk perspective. So, in a nutshell, I would say, the more we are out there in the Cloud, the larger our footprint becomes, and the risk continues to multiply in different directions. So, we really need to know how we operate, what we want to operate, and how do we control the operation of our services so that we can understand our risks in that ecosystem.
[09:29] Matt: How did your time at Apple influence your approach to data security in your role at VMware? I think, having that background, I think it's unique. What did you take from it? How does it influence your current role at VMware?
[09:48] Ashish: I think, all my previous experiences, including Apple, have played a very vital role as I have progressed in my career. Right from Big Four days, when I dealt with compliance, predominantly, and then switching from compliance, which was a very assurance-driven function, to the advisory side of the house, which was very open, in terms of what the end-client was looking for, and how we could basically provide them with our services, but at the end of the day, everything concluded at one point, which was understanding the risk from a business perspective. You have to understand what business our client is in, what are the different risks of operating or conducting that business, and how do we provide security into that space? Apple was not different, I would say, because, yes, they are into consumer goods, you are dealing with hardware, you are dealing with software, then venturing out into some of the new areas that they wanted to experiment. Some worked. Some did not work. I think, at the end of the day, for any professional to say that he knows everything about data security, I would take it with a big pinch of salt.
I think data security is very relevant to the profession in which you are and how you are looking at the risks, and how you're providing security. So, for me, if I would say that I learned a lot. Absolutely. There was influence. I would say yes, and no, to some extent, but I think the role that I played at VMware was very much focused on the Cloud-delivered services. The objectives were very clear. We want to be very nimble, we should be able to basically jump into the AWS of the world, or GCPs of the world, and then provide our applications or our services to the end customer, and I think that's where the data security came into picture, as to what exactly are we protecting, depending on the type of customer who's consuming my services. In certain cases, it was important when we went into the public space, where we are dealing with FedRAMP compliance requirements, DoD requirements, or CMMC requirements, or the executive orders of the world, and then on the flip side, the moment we went global, and started dealing with the agencies of the specific governments in those locations, ISMAP of Japan came into picture, or IRAP Australia came into picture, you're dealing with the requirements of the Italian government, that you have to have a CSP (Cloud Services Provider) ISO 9001. Now, predominantly, we have heard 9001 is a very manufacturing-oriented ISO certification, but now, we had to basically get creative and understand how we get a CSP through the rigor of ISO 9001.
So, I think data security, I would say, it dovetails with the business you are in, and the risks you identify in that business, and then you put adequate measures around data security, or to secure that data for that particular business. So, I would say, Apple did play that role. I definitely used a lot of learnings coming in from a supply chain perspective, and the data exchange that was happening between Apple and its partners, globally. How do we protect that information? How do we make sure of some of the privacy elements that we had to deal with, with some of the governments in the Far East, where the manufacturing was being done? And how do we protect that information? So, I think all those elements assisted me to better structure my security measures, as part of my governance, risk, and compliance role that I played at VMware.
[13:51] Matt: So, most, let's say, organizations with any level of scale, especially in the Cloud, they typically have a data security program, and I've even seen them have it specific to Cloud. They recognize that they've got these two large silos at a high level of data, and they've put a specific practice in place. I guess, from your perspective, from a GRC side, what does the business get out of a data security program? We tend to think of data security as being so abstracted from the business. They live on the data, but the security of it, that's all just part of a security program, etc., but what does the business get out of it, besides the obvious of staying out of the news? How do you look at that?
[14:41] Ashish: It's a good question. I think, for every business, data security, or security, as such, means something very different. It could be a retailer who is using a service, where it's a combination of some cameras, running with some algorithm, trying to give them some real-time feed, and telling them “hey, by the way, I can detect some anomaly, in terms of the customer behavior in the store. Somebody may be trying to go back and forth, trying to get certain things, or try to take those things out of the store,” but then, I also look at it from another customer, or maybe other customers, or other verticals, where technology has accelerated so fast that, even in the past year, there is no reason not to be able to assess risk across our entire Cloud estate for all our data, fast and very cost-efficiently. So, be open to new methods and technology, and shift away from a typical old-school DLP rule-based style data security approach. You have to be really creative, in terms of understanding your ecosystem, landscape, the partners you have, the vendors you have, how do you basically want to secure yourself. So that, I would say, will be, again, very business objective-driven, what exactly is the business we are in. Then, the other one is, that risk thresholds will also vary based on the line of business, industry, geography, etc.
So, we have to have a good understanding, in real-time, if possible, of where the data is, who is using it, and then overlay the business understanding of that data, in terms of its materiality, to determine risk, as such. So, one can argue that, I was giving an example of a solution being provided to a retail industry, where it's a combination of hardware and software that deters a particular action, or a loss of business for that particular retailer, in a certain way, versus a Cloud security provider who has a service and wants to make sure that the customer data remains intact from any leaks, as well as availability for that particular service to the customer. So, I think a combination of all these things, I would say, what business is looking to get out of data security and the best practices of how good data security should be for business, and I always say, there is no one cookie-cutter approach. There are a few best practices available that one can follow, but one has to tweak it based on what the business is all about.
[17:24] Matt: So, we're going to talk about tools in a minute. I know that's where security practitioners also often love to go first, is talk about tools, but one of my favorite quotes is from Bruce Schneier, who said, “security is a process, not a product,” and so, when I came up through security a number of years ago, we talked very much about the CIA triad, the Confidentiality, Integrity, and Availability. So, from your perspective, that lens of confidentiality, integrity, availability, how do you apply that in a risk framework? Because often, the questions that I hear from the clients that I deal with is that they feel like they are just relying on a tool, and they don't have a framework by which to apply it. So, just a broad question, but how do you think about it, in terms of frameworks in data security?
[18:23] Ashish: I think, the general view around the frameworks is that the foundation is all built on this triad. Confidentiality, integrity, and availability. So, for me, when I look at different frameworks, I don't analyze those frameworks, but I look at the business that you are in, or if I'm providing a consulting service, I ask, first, what is the type of business one is in? If you are a typical Cloud services provider, probably the availability is the biggest one, because if you do not have the availability, then your customer cannot consume your services. When a customer cannot consume your services, it impacts your revenue in a very direct way. Now, availability has to be there. Now, on top of that, a combination of confidentiality and integrity, in the form of securing that particular service, has to be offered to that customer.
Now, the customer may be responsible for its own data at the end of the day. You are just a service provider, but you still want to provide a tech stack to a customer, which doesn't have any backdoors, which is vulnerability-free. You want to make sure that the transactions that are happening with the end customers, through your service, are secure, you have basic elements of encryption, multi-factor authentication, some of the other best, I would say, security practices ingrained into your tech stack when you provide that service. So, it's like an onion. We can keep on peeling, and we can keep on going deeper and deeper, and deeper, and we will definitely hit the foundation where one could say, “did I use the right measures? Did I use the right tools when I built this product, the code that I wrote, the environment in which I wrote, the people who had access to, the ability to develop that code, and then that code basically was assisted with some tools to migrate from the dev test into a production environment?”
Now, how do you secure the production environment, which could, again, going back to our previous question, depending on the type of ecosystem that we have created, where one Cloud service provider may be using another Cloud service provider for its services, and then, they are an amalgamation of many services together, being offered to the end customers. They all become part of that ecosystem. Hopefully, I've answered that question, what you asked, in terms of the CIA and the foundational frameworks as well. There are many frameworks. I think, in my 20-plus years of lifespan of having dealt with governance, risk, and compliance, I would say, I've seen the latest and the greatest, but the fundamental building blocks still remain the same. Identification of the right risks, performing the right risk assessment, and then putting the right set of controls. Preventative, as many as possible, as much as possible by design, and then basically, the detective controls. So, for me, people may say it's a little old-school, but I would say, it's still the foundational world that we are in, and even if AI comes in tomorrow, it still needs to rely on the foundation of these frameworks.
[21:39] Matt: When you look at AI, where do you see it fitting, as part of a Cloud data security strategy? Is it AI protecting the infrastructure and data, or is it AI as part of the toolset security and GRC uses to monitor and protect the data? How do you see that?
[21:58] Ashish: Fundamentally, there is no one way to accurately scale security and risk programs manually or via fragmented sets of tools and processes, which frankly, most enterprises have been doing. This has led to a number of poor outcomes. Hence the recent surge in legislation and other regulatory oversight. So, AI that can do the work for you, not just a copilot, but actually understand your environment, the data, its materiality, and then recommend action. That is a way to handle the speed and scale that Gen AI and other apps are generating data. Now, that's one aspect of it. I think, there's also some concern around how Gen AI models are trained, and if there is info leakage. It's very challenging to determine if an LLM model output will leak sensitive data, as we cannot easily determine the training dataset. So, really, if we treat Gen AI training data as other data in the OD, we can ring fence or set boundaries on how data should be used, and then let AI-based tools reason what needs to happen.
Last, but not the least, I would say there is an element of how to protect your AI stack itself, but that is more of a traditional vulnerability security approach we use with Cloud workloads and other infra anyway. So, at this point in time, we know when I go back to the question that you asked, in terms of whether AI is protecting the infrastructure and data or AI is part of the toolset, there is no one definitive answer. It, again, goes back to the original discussion as to, one, what business an organization is in, what types of processes that it uses to generate a service or a product, and how it is deeming AI to fit into their business model, as such, and then comes the element of looking at and answering a question, whether it's protecting the infrastructure and data or is part of the toolset, and I can use it both ways if I want to, but it all comes down to the last, I would say, step, or that last step itself as a first step, for me, to understand, how am I generating this service and providing this service, and how am I generating this product and selling this product?
[24:25] Matt: It's funny, everything has an AI label on it now in cybersecurity. I think the SEC recently called it AI washing. So, it's really difficult, I think, for consumers, specifically cybersecurity teams, to know what's real and what's not. I think, even where I'm working today, at Cerby, we've got elements of AI that we're building into the backend of the platform, but in terms of cybersecurity tools, when we look at what actually has AI in it or not, I agree with you. I think it could actually be both, where you have a tool that has AI built into it. That could be. I don't think there's a whole lot of these tools, and again, we'll talk about tools in a minute, but what are you seeing today, around that, in the market? Is it mostly just AI washing, or do you think we're getting close to where we're going to actually start to see this in cybersecurity products, in general?
[25:25] Ashish: I think, in today's environment, it is still in a very early stage, where I think most of the organizations who are either creating a product or a service, and they are using artificial intelligence in conjunction to what they are offering, it can mean different things to different consumers, and it all, again, comes down to a point. What am I consuming this service for, and how am I consuming the service? How beneficial is it going to be for me to use some AI engine that comes with it as a feature functionality? Is it an add-on, or is it part of the DNA itself? That's going to help me to become more efficient, in terms of consuming that service. Am I going to get real-time benefits of getting a real feed to understand what my dataset looks like, what my KPIs are defined, by using this service, how I can, basically, I would say, accelerate my processes by using a service that has a built-in AI engine? So, it again, is very driven from what that service is all about and what a customer is using that for.
Now, the other could be that, we have AI being used, in terms of automobiles, today. So, where you have the firmware and the operating systems that are getting more interactive, that's picking up what you are asking questions, or you're asking certain actions or events to be performed, and it learns from that, and gives you the output, I would say, in a more proactive way. So, that could be beneficial for somebody who may be driving across East Coast to West Coast, or West Coast to East Coast, and wants to determine, based on my EV, where are the charging stations? Although, it's there, but it can get interactive and say if I deviate or detour from a certain location. Is it picking up the data points and then artificially calculating the distances, how much charge I have been left with, where is the nearest station, what kind of station is it? Can I get all those details proactively from the system? Now, again, it's a real-time benefit for some, maybe useless for some others. So, it will come down to a point as to how we want to basically interact with the services that come with the DNA of AI, versus a built-on AI feature and functionality on top of it.
[27:59] Matt: Following up on that, I think, Cloud, and now specifically LLMs, they devour, in some cases, petabytes of data. Let's talk, specifically in terms of steps. What steps do you recommend our listeners take to put a risk mitigation strategy in place that will scale, be responsive enough to act before an incident happens, and then, I think, the kicker I'd throw on this, that can actually be done cost efficiently? Because we know the larger the data volumes, traditionally, the more expensive it was to actually index that data and do something about it.
[28:37] Ashish: Yeah, I think with the cost of infrastructure becoming lower day by day, because you have, I would say, cheaper, I would say, ability to use the space in a cheaper way, with the infrastructure service providers available, it will come down to speed, accuracy, and automation. That is what it has to be. However, what quickly will become a challenge while we add security, and GRC professionals are being tasked to protect data, especially with the LLM as being a high business priority, is that we are not getting exponential resources. So, a strategy must consider how to leverage technology to keep data security protection costs on a linear growth, versus the exponential growth we are seeing with data.
I think, what I want to add on to this one is speed, accuracy, and automation, will also get complemented with people, process, and technology, because at the end of the day, you may have how much ever automation, you may still need subject matter experts who understand the outcome of that automation, who understand the completeness and accuracy of what that automation will report, and the speed with which the calculations are being done or the speed with which the analysis is being done, how accurate that is. So, I think I still default back to my good old days that people, process, and technology remains, still, a key element that will be the foundation on which the speed, accuracy, and automation will sit.
[30:15] Matt: I think, the part that you mentioned on cost efficiency, because I think in your answer, you said something about, although the data is growing exponentially, security teams are not getting exponential resources. So, it's not like if today, I've got a couple terabytes of data, but by the end of the year, I expect to have exabytes with LLMs and things like that, a security team is not going to get 10/15/20 more people in order to deal with and to track that type of data. So, the whole data security posture management space, DSPM, there's been a lot of vendors that have pivoted into that space, and on the surface, at least for some security professionals, they all look similar. If you look at their marketing, they look like they all do the same thing. Based on your experience, how do you recommend listeners quickly and effectively wade through this space?
[31:13] Ashish: I believe, most CISOs and GRC leaders, and I would say my peer group members, have a large number of vendors that they already work with. We have seen that collapsing everything into a single platform is preferred. That means you have to have a very clear-cut ecosystem in which you want to operate, but not effective in producing accurate and timely results of data security. So, the hyper-scalers, the CNAP providers, and others, have started to build on DSPM capability, but the cost, speed, and the scale, doesn't match what most businesses really need. So, first off, be ready to consider a best-of-breed approach for data security here. Considering newer companies and innovations that have been born in the Cloud to address these Cloud and Gen AI use cases, for example, in a few weeks, we will see the RSA Security Conference present its top 10 finalists for the innovation sandbox. There are some great approaches being highlighted there. I would start there and look at maybe an organization like Bedrock Security.
In fact, in the top 10, you will see data security companies like Bedrock Security focus on a lot of these big data, Cloud, and Gen AI use cases, which we have been discussing today, as such. So, I'm not saying that there would be one vendor to look into, but I think my peer group members would have a choice in their hand to pick the best-of-breed that's available, that's addressing their, I would say, immediate priority, from a security best practice that they need to incorporate and implement, but at the same time, they also want to look at, from a longevity perspective, you do not want a product to disappear once you make an investment, and then suddenly, these products are gone. You don't want fly-by-night operators, but you want something that is going to give you a return on investment for a longer term. Although, the space in which we are, the pace with which we are operating today, technology gets obsolete very quickly. So, one has to be very prudent, in terms of the investment that one needs to make in these tools and technologies.
[33:28] Matt: I'm a startup guy. I love startups, been part of multiple startups, and I think, typically, when I'm advising my clients for the work that I do with IANS, I always tell them that, of course, you have the option of best-of-breed or working with the platform providers, and generally, I tell them, you likely already have platform agreements in place with the big players. If they have the tech that's already in their stack, and it meets your requirements, go down that path, because the TCO is going to be there, but there are going to be those edge cases, and I think data security is one of those, where the big players likely don't have the same capability that these Cloud-native DSPM providers have today, and I think we're going to see another wave of consolidation in this space, just because, as you said, the rate at which data is growing because of LLMs, Gen AI, and things like that, there's just certain tech that you can't continue to do it the way it was done, even five years ago. It's just not there.
[34:34] Ashish: There has to be a tech debt consolidation that will become, now, a routine exercise for most of the organizations who want to scale themselves and scale their business, riding the new bandwagon, where artificial intelligence is going to play a very crucial role, in terms of the technology, as such, and the technology that generates tools, use cases, address the problem statements. It's going to be an interesting watch, I wouldn't even say 10 years. I would say, next five years, at least, in the data security space.
[35:11] Matt: So, let's switch gears. We've talked a lot about the tech side of it. When it comes to personal growth, and this is a question that I ask all my guests, because everyone always has such a unique answer to this, but what's the formula that works for you? You've been in cyber for 20-plus years. You've been very successful. What's your personal growth formula?
[35:30] Ashish: My personal growth formula is very simple, Matt. Keep learning, and keep listening. The more we listen, the more interaction we have, the more we can learn from the newer organizations, the new technology that's coming up. We have to give opportunity to the startups to come and showcase what problem statement they are solving for us, because, again, coming with the background of having seen the SAS 70s of the world, which was really old school, and now we talk about the SOC 2s and SOC 3s, and then even the frameworks have evolved over a period of time. I think the technology is definitely going to challenge these frameworks, and the evolution of risk, the morphing of risk. So, for an individual who wants to grow, it's very important to listen, interact with these young organizations that are coming up with newer tools and technology, and be humble about learning, as such. I think we are in that school where there is no graduation. We have got to keep learning. That's how I suffice my, I would say, intellect, in terms of engaging, interacting, and learning from my peers or youngsters who are coming up with the latest organizations, in the form of startups that are giving cutting-edge tools and technology now.
[37:06] Matt: Have you found it, and this is my experience, but I'm curious if you've seen it, but as you gain more experience in your career, we're both at that 20-plus-year mark in cybersecurity, do you find that you have to be more intentional about listening? I mean, I know from my side, I know I do, because there's a part of me that, I just said, “I already know this,” and I have to actually be intentional and say, “You know what? Maybe I do, but maybe I don't.”
[37:33] Ashish: That's when I use the word, humble. You’ve got to remain humble and grounded, and listen. Doesn't matter if we know it, because there might be some element that could be newer, that could basically help us draw references and inferences to the experience that we have gained for 20 years, and where the technology has come up now, and it's going to be in the next couple of years. So, that's how I formed that bridge between the two.
[38:00] Matt: Are there any parting words that you maybe would have for our listeners, or perhaps something you wanted to share that I didn't ask you about?
[38:06] Ashish: I would say, just keep it very simple. Foundation elements in the world of governance, risk, compliance, and security still remain very solid. I think we are in the world where, yes, we want to be proactive, and then react to any situation or events that may surface up, but I think the key is the foundation. Our foundation has to be very strong. So, keep the subject matter experts closer to you so that you can learn and utilize their expertise, and build stronger practices. That's the best I can say.
[38:46] Matt: Ashish, thanks for coming on the show.
[38:48] Ashish: Absolutely. Pleasure.
Thank you for joining us for today's episode. To find out more, please visit us at Cloudsecuritytoday.com.