Understanding Security Metrics: A Modern Approach - Maxim Mošarov, founder @ Whitespots & group CISO


Sep 29, 2024

Episode Description

Max Mosharov, CEO and founder of Whitespots.io and CISO of Salmon Groups, discusses his journey as a CISO and founder. He shares his experience working as an application security manager and the challenges he faced in communication between different teams. Max talks about starting his own consultancy services and eventually transitioning into a software company. He emphasizes the importance of having a strong team and an overview of processes as a CISO. Max also discusses the challenges in cybersecurity, the need for automation, and the importance of metrics and staying updated.


Episode Transcript


AD: Hi everyone, welcome to the Hands-On CISO podcast. My name is AD, and today we'll be talking to Max Mosharov. Max is both the CEO and founder of Whitespots.io and CISO of Salmon Group. I don't often see CISOs doubling as founders, so this is going to be really interesting. Max, how are you?

Max: Yeah, fine, thank you.

AD: So before we started recording, you were telling me about your company that you started. So can you tell everyone how did it happen that right now you're both a CISO and a founder?

Max: Yes, sure. So I worked as an application security engineer, or manager, I'm not sure what's better to say, because when you work as an application security manager you are an engineer as well. So you have to prepare some sort of tools, and then prepare some sort of processes, and you have to deal with policies, you have to deal with awareness sessions, you have to deal with some sort of threat assessments, with the requirements, with the scanners and the DevSecOps stuff, then you have to work on incidents. So as an application security manager you have to talk to a lot of teams, a lot of people, and it was a strange situation for me when I realized that people in the QA function don't communicate often with other teams. So for example, one QA was not able to tell me what's going on in another team, and it was clear to me that the security function has more overview of all of the processes in the company. So that was my first flag, let's say, that it's going to be interesting and I have to grow as a CISO.

Then I just realized that I do the same things from one company to another company, and I started my consultancy services. The main difficulty is that I started it in 2020, early February I think, and in a month the lockdown started, and people were not sure about their careers, they were not sure about their companies. And 20 calls were like: "Okay, that's interesting, we could work together, but we are not sure about our budget, we are not sure about our economy, we are not sure about everything. If we are alive in a year, let's connect once again." Okay. And then I realized that I have some friends I can go to, and they could be my first clients, and then they can refer me to their references and so on. At some point we had 25 employees at Whitespots who did some sort of consulting services, and we had service agreements with many companies.

What was the problem? I don't want to make one more EY or one more Deloitte or one more big company like PricewaterhouseCoopers. I don't want to be their competitor, because you have a lot of risks, and sometimes, someday, you're going to have this problem about quality, and I didn't want it. So the problem was to make reviews of what people are doing, and they did some problems for some companies which I had to deal with afterwards. So that's why I don't want to have these consulting services now, and that's why we are a software company right now, and we have developers, QAs, we have DevOps engineers, we have different functions, but they make the portal, the application security portal.

What I wanted to say here is that first you have to have your great team which you can rely on, then you have to have this sort of overview to be able to tell people what's going to be in different situations, because when you're a CISO, for example... ah, okay, and I'm answering this question, like, what are the expectations from a CISO and what are your suggestions for young CISOs, for example. Yeah, so you have to establish a good team, then you have to establish your own overview on processes, on project management, on some things people will ask you. And you have to be ready for some questions like "Max, by your experience, what's better, this one or this one?" and you don't have any experience, and you have to choose between these processes, but maybe not between them, maybe introduce your own. And people will always challenge you with these sorts of questions. You have to be open, you have to be fair enough as well. You have to say: "Okay guys, I don't know this particular problem, but let's dive into it and think about it, let's have a brainstorm session, let's go to podcasts, let's listen to people, let's connect to someone," and think about this problem and come up with some sort of solution, and write it somewhere to not forget, and use it as guidance for the next similar questions. Someday you're going to have this knowledge base, someday you're going to have this sort of good team, and everything will be fine. Just relax and take this ownership, and be ready to change your mind, be ready to hear, because people will tell you what they need and you're going to secure it.

So when people want to connect to production services (I'm not going to say anything about Salmon, what we do there, but as a CISO and at Whitespots, an ex-consulting company and now a product security company, I'm going to just talk about my clients), you could establish some sort of tools, you can implement Teleport, you can implement other tools to connect to them, and they will provide you access to some sort of production databases. You could establish it in this way: you could say that developers are not able to connect to any databases, same for production. You could say that it's only allowed for DevOps engineers, for example. It's possible to say that it's allowed for everyone, but you are monitored, you have corporate laptops, you have everything recorded, even keystrokes, so don't buy anything online from your computer. So there are many ways to do it, and you have to decide what's the better option for you. So that's maybe the biggest challenge in general, to understand what's better in your situation. But there are chats, there are people on LinkedIn, there are people everywhere. Just pick someone and ask him: "Hey, I don't want to sell you anything, I just want to ask you, I had this situation, what's going to be your opinion?" So that's it, I think.

AD: Amazing. And so you talked about what you do now and how you got to it, but how did you even start looking? How did you get into the security field in the first place?

Max: Oh, it was a long time ago, it was actually 10 years ago. I just Googled how to hack something, and the video on YouTube was about sniffing some traffic, and I just tried to hack my college, or what was it, and I just got the connection to cameras. And I reported it to our security team, not the security team, to the engineering team, and they told it to the guys who had configured it, and they were my teachers the next year. So it was really hard to learn Docker without any documentation at that time, in 2014 or maybe 2013, I'm not sure, but it was that time when people didn't realize that it is not virtualization, it's containerization, and you have to write Dockerfiles, you don't have to put everything in a virtual machine. It was hard for me to learn Docker, because when people were dealing with their homework on virtual machines, I was dealing with Docker. It was hard for me because I was that guy who had some problems with them. So that was my introduction to security.

After that I just joined a large security company in Russia, it's called Positive Technologies, and it was really fun actually. I was seeking a job for 20 hours a week, and they had this position for me, and the only thing they asked me to do was the test, and the test was to write some vulnerable application. Okay, I thought, my PHP application at college is vulnerable anyway, and yep, I had a job. So after that we validated issues with neural networks, we worked on SAST and DAST tools, we worked on a WAF, and that is the place where I got my experience. I think I'm reusing something right now in my platform, because we are working on a neural network which will validate vulnerabilities for you. Then, after one year working there, the guys just told me that "we don't need the R&D function, so we have to get rid of you." Okay, thank you, thank you for your experience and for this awesome year. So after that I just joined the bank team, pretty much the same one which I'm working with right now, because they are my ex-team, and I joined the team that year. So everything is about your friends, about your connections, about your relationships with people. If you are okay to speak normally, if you are okay to not be a toxic man, it's going to be easy to kick off your career. Yeah.

AD: How hard or easy is it to get your first CISO role?

Max: Yeah, I think it's hard, because you expect something from this role, but people usually don't expect anything from you. They don't know how to hire a CISO, so you should look at this situation from both angles, from yours and from the company's. So if a company had no CISO before, it's maybe better to ask them: "Have you ever worked with a CISO?" And if they say "Okay, we didn't have any security before, so now we are kind of ready to hire someone to start something," okay, that's one situation. You could tell them your experience and how you can help them, and maybe you could find some match. And if they had a CISO before, they definitely have some sort of expectations, because if that CISO was not okay to work with them, maybe he resigned by his own wish, but maybe they wanted him to resign, and you have to ask them about it: what problems did you have before, and what are your expectations? Maybe they want to hire someone just because they have to hire someone, because there has to be a CISO somewhere because the regulator wants it. But maybe they want you, for example, to make the application security function stronger, maybe they want you to make the infrastructure security function stronger, maybe they want to finally describe all the policies and procedures. So they want you to do something on purpose, so you just want to know this purpose.

AD: So you were saying it's very different when you join a company that already had a CISO versus a company that is just getting one, because now they grew enough that they need it. Yeah, interesting. And when you're in the CISO role, because you have like two hats, but when you're the CISO, do you deal a lot with education, like educating the team, telling them what they can and can't do? How does that look?

Max: Oh, okay. That's open information actually, because you can Google it and scan this. So we use Microsoft, and Microsoft is a really cool platform to perform, for example, phishing education. So we perform phishing simulations just because we want some chaos, for example. So in the security team we are living in the same area in Serbia, in Novi Sad, and we are working together often from a cafe or from coworking places, so we are connected and we meet each other all the time, and there is no schedule. We just sit somewhere and we think: "Let's make some chaos, let's make some chaos." Okay, and we press some wizard buttons, and we have phishing simulations every month or every week, it depends, because an attacker has no schedule. Yeah, and that's how we do phishing simulations.

And now I'm going to switch back to Whitespots' previous experience, because I don't want to reveal this from someone's perspective. So you have some sort of LMS solutions, learning management systems, because in banking you have an LMS which is a loan management system, and it's very hard to match the context with the financial guys. So okay, you have learning management systems, and they provide you the content, or some of these systems provide you the way you could put your own content there. So you can record your own content, or you can find it on the internet and just combine your own module and just publish it in this learning management platform, which could be for example iSpring or Easy LMS or whatever else, there are a lot of such solutions. And then assign this training for developers and for other functions. This system will track them, the system will ping them, and so on. Compliance is really happy, because you have to have some sort of recordings and audit logs that you've conducted these trainings. But developers and other functions are not happy, because they have to go to this platform and spend some time on some strange courses.

The better option is to test people. If they pass some score, you don't have to assign the training. If they don't pass this score, they are yours, so you could assign the training, ping them, whatever else. So that's the approach I want to be implemented in every company actually, because in this way you can train people easily and it's scalable. You could have some sort of webinars as well, but it is painful to find this time slot. But if this is approved by management, or you are the approver, for example, you can just put this time slot in every single calendar and record this session and, for example, assign this recording as a training in the LMS solution. So yeah, that's how you can do it.

AD: Interesting. And what do you think is one of the biggest challenges in cybersecurity today?

Max: As a CISO and founder of Whitespots I could say that people are not open to any sort of automation, and people are not familiar with the, let's say, current approaches. And if you're a CISO of any company for 20 years and that's just okay for you to sit in this role and get your money and relax, take some coffee or tea every morning and get your salary, maybe that's not a problem for you, but that's a problem for the CEO actually. But if you are working with them for 20 years doing nothing and it's just fine, that's not a problem. But at the same time, a CISO has to provide some sort of controllable metrics, a controllable state, for developers, for management, to answer this question like: "Max, what's our security state?" "That's okay," for example, I could say. But they could ask me: "Okay, now it's okay, but is it better than yesterday or worse?" And I could say it was better yesterday. "How can I measure it?" So I have to establish a metrics system. I have to measure everything to understand where security could go, where we could expand our, like, power. And to do so, you have to understand some sort of basic things: what you could establish, what you could measure, and measure it, and grow and be open to any solution, any automation, any scoring system, anything. So now, as CEO and founder of Whitespots, I see this problem in 90% of our organizations, and as a CISO I see the challenge to combine all these metrics together, because there are some systems like Metabase, like Grafana, for example, here as well, where you could put every single metric from your application security posture, from your awareness program, from your infrastructure security, and from what else... data protection. So four main domains. Okay, from physical security as well, and from people. Yeah.

AD: How do you decide what are the metrics that are most important to keep track of?

Max: I decide? I don't think I decide. I think we decide in our organization, so I am talking to the CEO and CTO and other roles, and we are looking at the most convenient metrics. Because, okay, let's switch back to Whitespots: we have a metric for application security, for example, we have Weighted Risk Trend. It was introduced by Hel Parer actually in 2010, and we have this presentation which you can Google, like "five KPIs for security", it is under AAS right now. So they had this approach: you can measure, or you can map your quantified to qualified, so you can match one for low, two for medium, five for high and ten for critical, for example, you can put whatever else there, and summarize your findings, your risks or whatever has any sort of criticality. And then you can multiply it by the business criticality of this particular asset for which you found these findings, or issues, or whatever. And then you're going to have this Weighted Risk Trend which you have to track and which you have to assign to product owners actually, to not overcome some sort of risk appetite. So for example you have a product with five repositories, one domain and two Dockerfiles, Docker images. You have this Weighted Risk Trend which equals 100, for example, and your risk appetite is 200 per product, and overall this risk appetite is 1,000. So all products should not overcome 1,000, and each one should not overcome 100. So this is the KPI for the product owner, and at the same time every single vulnerability should be closed in 20 days, eight days, and so on. So you have an SLA for developers for every single vulnerability, and at the same time their count should not overcome this risk appetite. So we drive this from Whitespots, but this could not fit into our understanding in Salmon, for example. Okay, that's not a problem, we can track vulnerabilities and some sort of fixes in another way. There are many metrics offered by vendors, so that's what I wanted to say: there are a lot of approaches, and not all of them are okay for you. Maybe it's okay for you to measure this WRT in money, maybe it's okay for you to measure it just in parrots, we could say. And maybe you don't have to do it, because you have a zero-bug policy in your organization, like somewhere. Yeah, because you don't have to track this WRT if you have no issues in your production, because you have a quality gate and you don't allow merge requests because you found something.

AD: Have you ever heard of a company that has no issues?

Max: I've heard about a company who has a lot of issues, but it has a zero-tolerance bug policy.

AD: Interesting, what does that mean?

Max: Yeah, they have a huge backlog, really, really huge backlog. They don't deal with it, but they don't allow any new issues on production, and they get rid of these vulnerabilities from time to time. Yeah, that's actually the average situation with any company who just started the process.

AD: Interesting. How do you keep updated on what's important, and how to not add new vulnerabilities that you didn't think about before or didn't exist before? Like, how do you stay updated?

Max: I'm not... okay, yeah, I'm just joking.

So there are news, there are chats, and if you see for example Log4j, it's going to be on your desk in an hour. If you see the CrowdStrike problem, you're going to see it if you have CrowdStrike. You have updates from vendors. If someone has a data breach, they will inform you; if they don't, it's going to be a jail case somewhere. So that's why you are updated more than enough. If there are some vulnerabilities, just update your tools, they will inform you. If there are some data breaches, vendors will inform you as well. That's basically it.

AD: Interesting. Do you find the CISO role to be a stressful role?

Max: That's an interesting question.

Sometimes yes, sometimes not. I would say usually not, but sometimes yes. When it's stressful, for example, you have an audit, at the same time you have another audit, and at the same time you have a backlog and your team is busy, and you have to deal with these two audits alone. And you provide some sort of answers, but they're not so qualified, for example, or they have a checklist and you have to say yes or no, but that's not about yes or no, they are somewhere here. And you put yes, and you have some, how to say, evidence about this yes, but they don't satisfy the auditor, and they don't satisfy you as well actually. Yeah, that's the most stressful part, when you have to show something to someone and your license or your future depends on it, for example.

AD: Interesting. So you're saying the most stressful part for you is when there's an auditor or an audit coming up, and maybe there's a lot of things to do, and sort of yes to everything but also not 100%.

Max: Yeah. And you tell them this information, and they go through the checklist, then you start the conversation and you realize that they just don't understand you. They don't understand that... like, "Do you guys have..." (this is not about Salmon) "Do you guys have Google?" Yes, we have it. "And do you use the Google Workspace admin controls, so do you secure your Google admin panel?" And you say yes, and at the same time you have a lot of findings, so you kind of have this control, but at 20%, for example. And there is some software like Vanta, for example, that helps you to work with auditors. I've not used it before, but I know this from other guys; maybe if someone from Vanta will look at this podcast, they will contact me. Yeah. And they can help you to work with auditors: you provide the interface for them and this software gets proofs for them. But the problem is that you cannot automate everything, and if you have, let's say, a technical control, it doesn't mean that you have a policy, process, whatever. And the problem is that Vanta provides you the proof of evidence, proof of technical controls, as far as I know, maybe not. And yeah, for these types of audits I would use this sort of automation, as a new approach for example, which came up one or two years ago maybe. And for documents I would find something as well. It's really painful, and I have this prefilled questionnaire here just to copy-paste answers, but the problem is that people formulate their questions differently, and sometimes you have a question about penetration testing, sometimes you have a question about VAPT, vulnerability assessment and penetration testing. Yeah. So this is not so, let's say, stressful, but that's something you are worried about, because audits are not designed without any purpose. So if you want to apply for cyber insurance, for example, you have to pass their audit, and you have to pass their audit for a better score, and you're going to have the discount. So that's why it's maybe better to find evidence as best as you can.

AD: Got it. So you're saying it's annoying, but there are companies, like you can get help with it at least to some extent. Interesting. So we're almost out of time and I have one last question to ask. Thank you so much for coming on the podcast and sharing everything you know, it's a very interesting perspective, someone who's a CISO but also has a company. So what do you think this field is going to look like in a few years? What is going to be different, what is going to be the same?

Max: Let's see. Because 5 years ago it was a different situation, a different market. You can see some posts on LinkedIn from old CISOs who could say that it was really hard to be a CISO 10 years ago: you had to be an experienced guy, you had to have like 10 years of experience, you had to have some certificates or whatever. And now it's not like this, and you can meet CISOs who are very young, 23 years old, 25 years old. What has changed? There is a market, and there are a lot of software service startups, there are a lot of education startups, there are just a lot of startups, and you have to secure them. And yesterday's engineers, they are CISOs now. That's not a good trend actually, but okay, I'm an ex-engineer as well, and I could say that's not a good trend. Why? Because if you don't have a GRC system in your mind, if you don't have an understanding of what people expect you to do, you don't understand which controls you have to implement and which risks you actually have. Because there are compliance risks, like: we can apply for a new license, we can, I don't know, open a business only if we fulfil these regulator requirements. Which one? We have a company in Dubai, we have a company in New York, we have a company in California, for example, with other laws, we have a company in Germany, and we are a forex startup, for example. Well, not a startup, we're just a forex business; there's not much you can actually do in forex to be a startup. So you have a forex business, it's really regulated, and you have a lot of regulators, and you have to fulfil their requirements. So you have to get the list and do something with this. From my perspective it's good actually to map these requirements to ISO controls, and then just implement ISO controls, and then track other obligations with this mapping. Someone thinks differently, so someone's opinion maybe is to get the requirements and fulfil the requirement list, then take another one and just fulfil it, and so on.

So you have to have this systematic approach as a CISO, and if you don't have it, if you cannot, for example, say no to people: "We have this, we need your approval." "No, I just don't have time for this, I have to deal with other stuff which is more important, and you could go to this person, because I've delegated this function to this person." You have to delegate, yes. And these skills you have to establish before you go to the CISO job. If you are an engineer, if you are young, you want to have another row in your CV, you could go, probably, you could dive into this problem and resolve it and just add your role to your CV. But being a CISO is not about your CV, it's not about your roles and so on. It's more about business continuity, it's more about overview of some processes and improvements and helping people in the HR department, in security, oh, in the IT department, in whatever department, in the compliance department. So there are a lot of areas, a lot of aspects of their work, and you have to help them, in terms of security of course, maybe, maybe not. And you have to do it in a more systematic way, you don't have to unfocus. Yeah.

AD: Amazing, thank you so much.
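The Weighted Risk Trend metric that Max walks through in the interview (severity weights summed per asset, multiplied by the asset's business criticality, checked against a per-product and an overall risk appetite, with a fix SLA per finding) is shown below as an added example written for this page; it is not Whitespots' or Salmon's code. The severity weights are the ones given in the talk; the SLA days, the criticality multipliers, the appetite values and the findings themselves are assumptions constructed for the illustration.

```python
"""Weighted Risk Trend (WRT) with risk-appetite and SLA checks.

Example code written for this page, not the Whitespots or Salmon
implementation. Severity weights follow the talk; SLA_DAYS, CRITICALITY,
the appetite thresholds and SAMPLE findings are constructed assumptions.
"""
from dataclasses import dataclass
from datetime import date
from typing import Dict, List, Optional, Tuple

# Qualitative severity -> quantitative weight (mapping quoted in the talk).
SEVERITY_WEIGHT = {"low": 1, "medium": 2, "high": 5, "critical": 10}

# Assumed SLA per severity; the talk only mentions "20 days, eight days and so on".
SLA_DAYS = {"low": 90, "medium": 30, "high": 20, "critical": 8}

# Reference date for the SLA check (assumed; the page is dated Sep 29, 2024).
TODAY = date(2024, 9, 29)


@dataclass(frozen=True)
class Finding:
    product: str
    asset: str                      # repository, domain or image the finding sits on
    severity: str                   # key of SEVERITY_WEIGHT
    opened: date
    closed: Optional[date] = None   # None while the finding is still open


def asset_wrt(findings: List[Finding], criticality: Dict[str, int]) -> Dict[Tuple[str, str], int]:
    """Sum severity weights of *open* findings per (product, asset),
    scaled by that asset's business criticality (default 1 if unknown)."""
    scores: Dict[Tuple[str, str], int] = {}
    for f in findings:
        if f.closed is not None:
            continue                # closed findings no longer contribute
        key = (f.product, f.asset)
        weight = SEVERITY_WEIGHT[f.severity] * criticality.get(f.asset, 1)
        scores[key] = scores.get(key, 0) + weight
    return scores


def product_wrt(findings: List[Finding], criticality: Dict[str, int]) -> Dict[str, int]:
    """Aggregate asset scores into one WRT per product (0 if nothing is open)."""
    totals = {f.product: 0 for f in findings}
    for (product, _asset), score in asset_wrt(findings, criticality).items():
        totals[product] += score
    return totals


def appetite_breaches(product_scores: Dict[str, int],
                      per_product_appetite: int,
                      overall_appetite: int) -> Tuple[Dict[str, int], bool]:
    """Products over their own appetite, and whether the org-wide total is over."""
    over = {p: s for p, s in product_scores.items() if s > per_product_appetite}
    return over, sum(product_scores.values()) > overall_appetite


def sla_breaches(findings: List[Finding], today: date) -> List[Finding]:
    """Open findings older than the SLA for their severity."""
    return [f for f in findings
            if f.closed is None and (today - f.opened).days > SLA_DAYS[f.severity]]


# Constructed sample data: two products, a few assets, one already-closed finding.
CRITICALITY = {"api-repo": 3, "web-repo": 2, "shop.example": 3, "worker-image": 1}
SAMPLE = [
    Finding("shop", "api-repo", "critical", date(2024, 8, 1)),
    Finding("shop", "api-repo", "high", date(2024, 9, 20)),
    Finding("shop", "web-repo", "medium", date(2024, 9, 25)),
    Finding("shop", "shop.example", "low", date(2024, 9, 1), closed=date(2024, 9, 5)),
    Finding("billing", "worker-image", "high", date(2024, 9, 27)),
]

if __name__ == "__main__":
    scores = product_wrt(SAMPLE, CRITICALITY)
    over, org_over = appetite_breaches(scores, per_product_appetite=20, overall_appetite=1000)
    print("WRT per product:", scores)
    print("Products over appetite:", over, "| org over appetite:", org_over)
    for f in sla_breaches(SAMPLE, TODAY):
        print(f"SLA breach: {f.product}/{f.asset} {f.severity} open since {f.opened}")
```

With the sample data the "shop" product scores 49 (api-repo: (10 + 5) * 3 = 45, web-repo: 2 * 2 = 4, the closed finding is ignored) and "billing" scores 5, so only "shop" exceeds a per-product appetite of 20 while the org total of 54 stays under 1,000; the only SLA breach is the critical finding on api-repo, open for 59 days against an 8-day SLA. The two checks are deliberately separate, matching the talk: the appetite is the product owner's KPI, the SLA is the developers' KPI.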

Ensure SOC2, HIPAA and GDPR compliance across all your SaaS tools

Built in Tel Aviv, Israel
