Sep 29, 2024
Episode Description
Max Mosharov, CEO and founder of Whitespots.io and CISO of Salmon Groups, discusses his journey as a CISO and founder. He shares his experience working as an application security manager and the challenges he faced in communication between different teams. Max talks about starting his own consultancy services and eventually transitioning into a software company. He emphasizes the importance of having a strong team and an overview of processes as a CISO. Max also discusses the challenges in cybersecurity, the need for automation, and the importance of metrics and staying updated
Hi everyone, welcome to the Hands-On CISO podcast. My name is AD, and today we'll be talking to Max Mosharov. Max is both the CEO and founder of Whitespots.io and CISO of Salmon Group. I don't often see CISOs doubling as founders, so this is going to be really interesting. Max, how are you?

Yeah, fine, thank you.

So before we started recording you were telling me about your company that you started. Can you tell everyone how it happened that right now you're both a CISO and the founder?

Yeah, sure. So I worked as an application security engineer, or manager, I'm not sure what's better to say, because when you work as an application security manager you are an engineer as well. So you have to prepare some sort of tools, and then prepare some sort of processes, and you have to deal with policies, you have to deal with awareness sessions, you have to deal with some sort of threat assessments, with the requirements, with preparing the scanners and the dev stuff, and then you have to work on incidents. So as an application security manager you have to talk to a lot of teams, a lot of people, and it was a strange situation for me when I realized that people in the QA function don't communicate often with other teams. So for example one QA was not able to tell me what's going on in another team, and it was clear to me that the security function has more overview of all of the processes in the company. So that was my first flag, let's say, that it's going to be interesting and that I have to grow as a CISO.

Then I just realized that I do the same things from one company to another company, and I started my consultancy services. The main difficulty is that I started it in 2020, it was early February I think, and in a month the lockdown started, and people were not sure about their careers, they were not sure about their companies, and 20 calls went like: okay, that's interesting, we could work together, but we are not sure about our budget, we are not sure about our economy, we are not sure about everything; if we are alive in a year, let's connect once again. Okay. And then I realized that I have some friends, I can go to them and they could be my first clients, and then they can refer me to their references and so on. At some point we had 25 employees at Whitespots who did some sort of consulting services, and we had service agreements with many companies.

And what was the problem? I don't want to make one more EY or one more Deloitte or one more big company like PricewaterhouseCoopers. I don't want to be their competitor, because you have a lot of risks, and sometimes, someday, you are going to have this problem about quality, and I didn't want it. So the problem was to make reviews of what people are doing, and they did some problems for some companies which I had to deal with afterwards. So that's why I don't want to have these consultancy services now, and that's why we are a software company right now: we have developers, QAs, we have DevOps engineers, we have different functions, but they make the portal, the application security portal.

What I wanted to say here is that first you have to have your great team, which you can rely on. Then you have to have this sort of overview, to be able to tell people what's going to happen in different situations. Because when you're a CISO... okay, I'm answering this question like: what are the expectations from a CISO, and what are your suggestions for young CISOs, for example. So you have to establish a good team, then you have to establish your own overview of processes, of project management, of some things people will ask you about. And you have to be ready for some questions like: Max, by your experience, what's better, this one or this one? And you don't have any experience, and you have to choose between these processes, or maybe not between them but maybe introduce your own. People will always challenge you with these sorts of questions. You have to be open, you have to be fair enough as well. You have to say: okay guys, I don't know this particular problem, but let's dive into it and think about it, let's have a brainstorm session, let's go to podcasts, let's listen to people, let's connect to someone and think about this problem, and come up with some sort of solution, and write it somewhere so as not to forget, and use it as guidance for the next similar questions. Someday you're going to have this knowledge base, someday you're going to have this sort of good team, and everything will be fine. Just relax and take this ownership, and be ready to change your mind, be ready to hear, because people will tell you what they need and you are going to secure it.

So when people want to connect to production services... I'm not going to say anything about Salmon, what we do there, but as a CISO, and Whitespots as an ex-consulting company and now a security software company, I'm just going to talk about my clients. You could establish some sort of tools: you can implement Teleport, you can implement other tools to connect to them, and they will provide you the access to some sort of production databases. You could establish it in this way: you could say that developers are not able to connect to any databases, especially production; you could say that it's only allowed for DevOps engineers, for example; it's possible to say that it's allowed for everyone, but you are monitored, you have corporate laptops, you have everything recorded, even keystrokes, so don't buy anything online from your computer. So there are many ways to do it, and you have to decide what's the better option for you. So that's maybe the biggest challenge here: to understand what's better in your situation. But there are chats, there are people on LinkedIn, there are people everywhere; just pick someone and ask him: hey, I don't want to sell you anything, I just want to ask you, I had this situation, what's going to be your opinion? So that's it, I think.

Amazing. So you talked about what you do now and how you got to it, but how did you even start looking, how did you get into the security field in the first place?

Oh, it was a long time ago. It was actually 10 years ago. I just Googled how to hack something, and the video on YouTube was about sniffing some traffic, and I just tried to hack my college, or whatever it was, and I just got the connection to cameras, and I reported it to our security team, not the security team, to the engineering team, and they told it to the guys who had configured it, and they were my teachers in the next year. So it was really hard to learn Docker without any documentation at that time, in 2014 or maybe 2013, I'm not sure, but yeah, it was that time when people didn't realize that it is not virtualization, it's containerization, and you have to write Dockerfiles, you don't have to put everything in a virtual machine. It was hard for me to learn Docker, because when people were dealing with their homework on virtual machines I was dealing with Docker, and it was hard for me because I was that guy who had some problems with them. So that was my introduction to security.

And after that I just joined a large security company in Russia, it's called Positive Technologies, and it was really fun actually. I was seeking a job for 20 hours a week, and they had this position for me, and the only thing they asked me to do was the test, and the test was: write some vulnerable application. Okay, I thought, my PHP application at college is vulnerable anyway, and yep, I had a job. So after that we validated issues with neural networks, we worked on SAST and DAST tools, we worked on a WAF, and that is the place where I got my experience. I think I'm reusing something right now in my platform, because we are working on a neural network which will validate vulnerabilities for you. Then after one year of working there, the guys just told me that we don't need the R&D function, so we have to get rid of you. Okay, thank you, thank you for your experience and for this awesome year. So after that I just joined the bank team, pretty much the same one which I'm working with right now, because they are the ex-team, and I joined the team that year. So everything is about your friends, about your connections, about your relationships with people. If you are okay to speak normally, if you are okay to not be a toxic man, it's going to be easy to kick off your career.

How hard or easy is it to get your first CISO role?

Yeah, I think it's hard, because you expect something from this role, but people usually don't expect anything from you. They don't know how to hire a CISO. So you should look at this situation from both angles, from yours and from the company's. So if a company had no CISO before, it may be better to ask them: have you ever worked with a CISO? And if they say: okay, we didn't have any security before, so now we are kind of ready to hire someone to start something, okay, that's one situation. You could tell them your experience and how you can help them, and maybe you could find some match. And if they had a CISO before, they definitely have some sort of expectations, because if that CISO was not okay to work with them, maybe he resigned by his own wish, but maybe they wanted him to resign, and you have to ask them about it: what problems did you have before, and what are your expectations? Maybe they want to hire someone just because there has to be a CISO somewhere, because the regulator wants it. But maybe they want you, for example, to make the application security function stronger, maybe they want you to make the infrastructure security function stronger, maybe they want to finally describe all the policies and procedures. So they want you to do something on purpose, and you just want to know this purpose.

So you were saying it's very different when you join a company that already had a CISO versus a company that is just getting one because now they grew enough that they need it. Yeah, interesting. And when you're in the CISO role, because you have two hats, but when you're the CISO, do you deal a lot with education, like educating the team, telling them what they can and can't do? How does that look?

Oh, okay. That's open information actually, because you can Google it and scan this. So we use Microsoft, and Microsoft is a really cool platform to perform, for example, phishing education, so we perform phishing simulations, just because we want some chaos. For example, in the security team we are living in the same area in Serbia, in Novi Sad, and we are working together often from a cafe or from working places, so we are connected and we meet each other all the time. There is no schedule; we just sit somewhere and we think: let's make some chaos, let's make some chaos, okay, and we press some wizard buttons and we have phishing simulations every month or every week, it depends, because the attacker has no schedule. That's how we do phishing simulations.

And now I'm going to switch back to Whitespots' previous experience, because I don't want to reveal this from someone's perspective. So you have some sort of LMS solutions, learning management systems, because in banking you have LMS which is loan management system, and it's very hard to match the context with the financial guys. So okay, you have learning management systems, and they provide you the content, or some of these systems provide you a way to put your own content there. So you can record your own content or you can find it on the internet and just combine your own module and publish it in this learning management platform, which could be, for example, iSpring or Easy LMS or whatever else; there are a lot of such solutions. Then assign this training to developers and to other functions; this system will track them, the system will ping them and so on. Compliance is really happy, because you have to have some sort of recordings and audit logs that you've conducted these trainings. But developers and other functions are not happy, because they have to go to this platform and spend some time on some strange courses.

The better option is to test people: if they pass some score, you don't have to assign the training; if they don't pass this score, they are yours, so you could assign the training, ping them, whatever else. So that's the approach I want to be implemented in every company actually, because in this way you can train people easily and it's scalable. You could have some sort of webinars as well, but it is painful to find this time slot. But if this is approved by management, or you are the approver, for example, you can just put this time slot in every single calendar and record this session, and for example assign this recording as a training in the LMS solution. So yeah, that's how you can do it.

Interesting. And what do you think is one of the biggest challenges in cybersecurity today?

As a CISO and founder of Whitespots I could say that people are not open to any sort of automation, and people are not familiar with, let's say, current approaches. And if you are the CISO of any company for 20 years and that's just okay for you to sit in this role and get your money and relax, take some coffee or tea every morning and get your salary, maybe that's not a problem for you, but that's a problem for the CEO actually. But if you are working with them for 20 years doing nothing and it's just fine, that's not a problem. But at the same time the CISO has to provide some sort of controllable metrics, a controllable state, for developers, for management, to answer this question like: Max, what's our security state? That's okay, for example, I could say. But they could ask me: okay, now it's okay, but is it better than yesterday or worse? And I could say it was better yesterday. How can I measure it? So I have to establish a metrics system, I have to measure everything to understand where security could go, where we could expand our, like, power. And to do so you have to understand some sort of basic things: what you could establish, what you could measure, and measure it, and grow, and be open to any solution, any automation, any scoring system, anything. Now I'm CEO and founder of Whitespots, and I see this problem in 90% of our organizations, and as a CISO I see the challenge to combine all these metrics together, because there are some systems like Metabase, like Grafana for example, here as well, where you could put every single metric from your application security posture, from your awareness program, from your infrastructure security, and from what else, data protection. So four main domains, okay, from physical security as well, and from people.

How do you decide what are the metrics that are most important to keep track of?

I decide? I don't think I decide. I think we decide in our organization, so I am talking to the CEO and CTO and other roles, and we are looking at the most convenient metrics. Because... okay, let's switch back to Whitespots. We have a metric for application security, for example: we have the weighted risk trend. It was introduced by Hel Parer actually in 2010, and we have this presentation which you can Google, like "five KPIs for security"; it is under AAS right now. So they had this approach: you can map your quantified to qualified, so you can match like one to low, two for medium, five for high and 10 for critical, for example; you can put whatever else there. And then summarize your findings, your risks, or whatever has any sort of criticality, and then you can multiply it by the business criticality of this particular asset for which you found these findings, or issues, or whatever. And then you are going to have this weighted risk trend, which you have to track and which you have to assign to product owners actually, so as not to exceed some sort of risk appetite. So for example you have a product with five repositories, one domain and two Docker images; you have this weighted risk trend which equals 100, for example, and your risk appetite is 200 per product, and overall this risk appetite is 1,000. So all products should not exceed 1,000, and each one should not exceed 100. So this is the KPI for the product owner, and at the same time every single vulnerability should be closed in 20 days, eight days and so on, so you have an SLA for developers for every single vulnerability, and at the same time their count should not exceed this risk appetite.

So we drive this from Whitespots, but this could not fit into our understanding in Salmon, for example. Okay, that's not a problem; we can track vulnerabilities and some sort of fixes in another way. There are many metrics offered by vendors, so that's what I wanted to say: there are a lot of approaches and not all of them are okay for you. Maybe it's okay for you to measure this WRT in money, maybe it's okay for you to measure it just in parrots, we could say. And maybe you don't have to do it, because you have a zero-bug policy in your organization somewhere, because you don't have to track this WRT if you have no issues in your production, because you have a quality gate and you don't allow merge requests because you found something.

Have you ever heard of a company that has no issues?

I've heard about a company who has a lot of issues but has a zero-tolerance bug policy.

Interesting. What does that mean?

Yeah, they have a huge backlog, really, really huge backlog; they don't deal with it, but they don't allow any new issues in production, and they get rid of these vulnerabilities from time to time. Yeah, that's actually the average situation with any company who just started the process.

Interesting. How do you keep updated on what's important, and how to not add new vulnerabilities that you didn't think about before or didn't exist before? Like, how do you stay updated?

I'm not. Okay, yeah, I'm just joking. So there are news, there are chats, and if you see for example Log4j, it's going to be on your desk in an hour. If you see the CrowdStrike problem, you're going to see it if you have CrowdStrike. You have updates from vendors; if someone has a data breach, they will inform you, and if they don't, it's going to be a jail case somewhere. So that's why you are updated more than enough. If there are some vulnerabilities, just update your tools, they will inform you; if there are some data breaches, vendors will inform you as well. That's basically it.

Interesting. Do you find the CISO role to be a stressful role?

That's an interesting question. Sometimes yes, sometimes not. I would say usually not, but sometimes yes. When it's stressful, for example: you have an audit, at the same time you have another audit, and at the same time you have a backlog and your team is busy, and you have to deal with these two audits alone, and you provide some sort of answers but they're not so qualified, for example. Or they have a checklist and you have to say yes or no, but that's not about yes or no, we are somewhere in between, and you put yes and you have some, how to say, evidence about this yes, but it doesn't satisfy the auditor, and it doesn't satisfy you as well, actually. Yeah, that's the most stressful part, when you have to show something to someone and your license or your future depends on it, for example.

Interesting. So you're saying the most stressful part for you is when there's an auditor or an audit heading up, and maybe there's a lot of things to do, and sort of yes to everything but also not 100%.

Yeah. And you tell them this information and they go through the checklist, then you start the conversation and you realize that they just don't understand you. They don't understand that... like, do you guys have (this is not about Salmon), do you guys have Google? Yes, we have it. And do you use the Google Workspace admin controls, so do you secure your Google admin panel? And you say yes, and at the same time you have a lot of findings, so you kind of have this control, but at 20%, for example. There is some software, like Vanta for example, that helps you to work with auditors. I've not used it before, but I know this from other guys; maybe if someone from Vanta looks at this podcast they will contact me. And they can help you to work with auditors: you provide the interface for them and this software gets proofs for them. But the problem is that you cannot automate everything, and if you have, let's say, a technical control, it doesn't mean that you have a policy, process, whatever. And the problem is that Vanta provides you the proof of technical controls; as for other angles, maybe not. And yeah, for these types of audits I would use this sort of automation as a new approach, for example, which came up one or two years ago maybe. And for documents I would find something as well; it's really painful. I have this prefilled questionnaire here, just to copy-paste answers, but the problem is that people formulate their questions differently, and sometimes you have a question about penetration testing, sometimes you have a question about VA, vulnerability assessment, and pentesting. Yeah, so this is not so, let's say, stressful, but that's something you are worried about, because audits are not designed without any purpose. So if you want to apply for cyber insurance, for example, you have to pass their audit, and you have to pass their audit for a better score, and you're going to have the discount. So that's why it's maybe better to find evidence as best you can.

Got it. So you're saying it's annoying, but there are companies, like, you can get help with it, at least to some extent. Interesting. So we're almost out of time and I have one last question to ask. Thank you so much for coming on the podcast and sharing everything you know; it's a very interesting perspective, someone who's also a CISO but also has a company. So what do you think this field is going to look like in a few years? What is going to be different, what is going to be the same?

Let's see. Because 5 years ago it was a different situation on the market. You can see some posts on LinkedIn from old CISOs who could say that it was really hard to be a CISO 10 years ago: you had to be an experienced guy, you had to have like 10 years of experience, you had to have some certificates or whatever. And now it's not like this, and you can meet CISOs who are very young, 23 years old, 25 years old. And what has changed? There is a market, and there are a lot of software-as-a-service startups, there are a lot of education startups, there are just a lot of startups, and you have to secure them. And yesterday's engineers, they are CISOs now. That's not a good trend actually, but okay, I'm an ex-engineer as well, and I could say that's not a good trend. Why? Because if you don't have a GRC system in your mind, if you don't have an understanding of what people expect you to do, you don't understand which controls you have to implement and which risks you actually have. Because there are compliance risks, like we can apply for a new license, we can, I don't know, open a business only if we fulfill these regulator requirements. Which ones? We have a company in Dubai, we have a company in New York, we have a company in California, for example, with other laws, we have a company in Germany, and we are a Forex startup, for example. I'm not a startup, we are just a Forex business; there is not much you can actually do in Forex to be a startup. So you have a Forex business, it's really regulated, and you have a lot of regulators, and you have to fulfill their requirements. So you have to get the list and do something with this. From my perspective it is good actually to map these requirements to ISO controls, and then just implement ISO controls and then track other obligations with this mapping. Someone thinks differently; someone's opinion on this may be to get the requirements and fulfill the requirement list, then take another one and just fulfill it, and so on.

So you have to have this systematic approach as a CISO. And if you don't have it, if you cannot, for example, say no to people, like: we have this, we need your approval; no, I just don't have time for this, I have to deal with other stuff which is more important, and you could go to this person because I've delegated this function to this person. You have to delegate, yes, and these skills you have to establish before you go to the CISO job. If you are an engineer, if you are young, you want to have another row in your CV, you could probably dive into this problem and resolve it and just add your role to your CV. But being a CISO is not about your CV, it's not about your roles and so on. It's more about business continuity, it's more about overview of some processes and improvements and helping people in the HR department, in security, oh, in the IT department, in whatever department, in the compliance department. So there are a lot of areas, a lot of aspects of their work, and you have to help them, in terms of security of course, maybe, maybe not, and you have to do it in a more systematic way. You don't have to unfocus. Yeah.

Amazing, thank you so much.