Security Superfriends Episode 8 Randy Barr, InterVenn
Randy’s career includes leadership roles at pioneering companies, including WebEx back when it was a small startup through its IPO. He was CISO for the SaaS security leader Qualys, and he was head of product security and security operations for Zoom as its usage exploded over the last year with the pandemic. Now, he’s back to being a CISO at a highly regulated life sciences organization, InterVenn.

In this episode, we discuss the importance of shifting left for modern software development with the high velocity of code releases. Getting security implemented as early as possible, close to developers, is key. The goal is to help them find and understand any vulnerabilities early so they can fix issues. Effective strategies include implementing tools for static and dynamic testing, giving developers security training, and working with pen testers who can interact directly with the developers.

He also discusses his approaches to securing what is becoming the new normal of a largely remote workforce. You may not know where team members are connecting from, how they’re connecting, whether others are connecting on the same network, whether they are using personal devices, etc. There are opportunities to use security controls to enable this flexibility for employees while ensuring security.

We also discuss the importance of community participation. Randy participates in and shares his knowledge with local chapters of information security groups and the Cloud Security Alliance (CSA), and he works for companies that embrace working with other security professionals. I can’t emphasize enough how important this is! A CISO can’t (and doesn’t) know everything. For example, the supply chain risk at Zoom is going to be entirely different than at a precision medicine company like InterVenn. It is so easy to think “I’m the CISO, I should know…” A better answer is, “I have a community; we have each other’s backs. And while I may not have the answer right now, I will have feedback from several peers in real companies dealing with this very issue in real ways.” When you stand in front of a board, they will ask, “How are others doing this… specifically companies x, y, and z…” I have heard this numerous times myself.

And this is Randy’s chief point: build and use your community. It’s arguably your strongest asset. Perhaps this point of view comes from his military training, having started his career in the Marines (is it just me, or is there a growing cadre of security leaders with backgrounds in the military?). Surround yourself with great intel. We are fighting a digital war; we need our allies! As he points out, there are a lot of bad actors out there, so working independently, in silos, doesn’t work when you could be working together to fight the bad guys.