Cloud Control: Q&A with Joshua Marpet, BSides Global Council Member & Faculty Member at IANS

January 16, 2024

Want weekly newsletters featuring interviews with security and cloud leaders delivered right to your inbox? Sign up for Cloud Control here.

‍

Joshua Marpet, BSides Global Council Member & Faculty Member at IANS

‍

This week's Cloud Control newsletter features Joshua Marpet, CEO of MJM Growth, BSides Global Council Member, Faculty Member at IANS, and the list goes on. From policing to advising startups, Joshua shares his views on cloud security challenges, startup strategies, and the impact of emerging technologies. Read the full Q&A below👇

Question 1 💭

Give us an introduction of who we’re talking to. Tell us about your career, from being a police officer to then founding multiple companies in the cybersecurity industry. Are you currently focused on any one specific project?

Answer 1 🎯

My path is one I wouldn’t wish on anyone. :) I’ve been in IT for over 30 years. I started in help desk, traveling around the country to fix Thomson-Reuters machines at trading houses and investment banks. I went from there to project management, then sales engineering, then when the economy went south after 9/11, I switched careers to what I could find. I moved down south the Louisiana, was bouncing on Bourbon Street, became a cop at the jail in Covington, LA, and then after Hurricane Katrina, moved back up north. (No more hurricanes for me!!) I went back to computers, working in system administration, and security. After a while, I was solely security, and worked pretty hard on explaining how security worked to get a budget to protect enterprises. You’d be surprised how often better security correlates nicely with the ability to communicate with executives to get a budget! From there, I moved into compliance, because I could really drive a budget for security, with mandates from a regulatory framework. I started trying to fix frameworks, so I helped write CMMC for the DoD, SPDX for the Linux Foundation, and I’ve been working sporadically on continuous risk quantification.

Currently, I’m one of the founders of BSideSDE, on the board of Skytalks and BSidesDC, and I am pretty focused on the two startups I work with. Nudge Solutions is a goal-oriented fintech, where we put the consumer first. Tell us what your goals are, and we work to get you there with near real time nudges. Infosecquote is a new way to procure infosec and compliance services. One questionnaire, multiple quotes, shortlist generated, apples to apples comparisons. Simple.

To sum me up? I solve problems, and think around corners. IT’s fun!!!

Question 2 💭

These days, it seems you’ve turned a focus to helping startups identify product-market fit. From your conversations with security leaders alike, what are some bleeding-neck pains they are facing in cloud security?

Answer 2 🎯

Cloud security? That’s a pretty big field. From understanding the differences between the clouds, to understanding secure configurations, and controlling what SaaS/PaaS/IaaS services are being used by their enterprise, departments, and individuals within their enterprise (without change control, security oversight, or compliance guidance). We used to have Shadow IT, we now have Shadow Cloud, and Shadow AI as well.

Control, configuration, and management are the big ones. Weird, how the fundamental issues are the ones that cause the most headaches, eh?

Question 3 💭

Your most recent venture is MJM Growth, where you work with startups to help identify product-market fit amongst other services. What strategies do you implement to help young cloud and cybersecurity organizations get to product-market fit, and profitability, as quickly as possible?

Answer 3 🎯

Product-market fit and profitability are hand in hand problems. If you don’t have one, you won’t have the other! And frankly, it’s not hard to do. You may have a great idea, which solves a huge problem for a lot of people. If so, you should be able to find 10 people to pay you actual money because they’re so excited about solving the problem!! Get 10 people to pay you money before you’ve written a line of code. I don’t care if it’s 50 bucks. Something!! Then you know people are interested, willing to allocate budget, and more importantly, you’re already revenue positive.

If you’re the CEO, and you’re not willing to sell to your friends and colleagues, you are going to fail. Go sell, and prove product-market fit, and prove profitability. What are you waiting for? GO!!!

Question 4 💭

As an advisor for multiple startups, what new and innovative approaches to cybersecurity are you seeing enter the market? How do these differ from more established players?

Answer 4 🎯

As always, I see so many copycats of any established player. But innovation is far rarer. Right now, what I’m seeing is of course, AI based startups, some of which are amazingly simple, like using AI to explain vulnerabilities and alerts so SOC analysts are incredibly more efficient, to I just had two friends of mine build out a Knowledge Access Management system (KAM) for AI answers, to make sure that only people who should see an answer (and all the inferences and deductions present in the answer) see that answer.

I’m also seeing a lot more fundamentals. Real asset management, API management, and change management. Solid attempts to build out information discovery tools, so you can ask why that restricted data is on 30 laptops??? So tools are being built to automate and actualize some of the fundamental tasks we curmudgeons have been screaming about for a long time! 🙂

Question 5 💭

MJM currently teaches many engineering based founders how to explain what it is their product actually does. What are some of the challenges of communicating those narratives?

Answer 5 🎯

If you can’t tell me what your product does in 30 seconds or less, you don’t understand what your product does. It has to explain why, and why I care, in those 30 seconds. If you can inject How in there as well? Awesome!!!

The biggest challenge for many founders is that they’re dazzled by the shiny of their product. I could care less about shiny. I want to know why I give a crap about another product. Tell me why I care. If you can’t, we’re done.

Question 6 💭

Having founded and served as the CEO of BiJoTi, a security performance monitoring service, what lessons did you learn from the startup experience, and how do those lessons influence your work now at MJM Growth?

Answer 6 🎯

I learned how easy it was to fail. How simple to overestimate sales, and market, and underestimate costs. I learned that serial entrepreneur means “I failed a LOT!, and I still haven’t given up!” I also learned that successful entrepreneurs have financial cushions so that their family doesn’t suffer, or diverse income streams, for the same reason.

I also learned to fire fast, and hire slow. If someone shows you they are not worth their money, drop them. FAST. And make sure they fit the culture, the need, and that there is an immediate way for them to show value.

Question 7 💭

Emerging technologies play a significant role in shaping the future of cybersecurity. How do you see technologies like AI, blockchain, and IoT impacting the industry, and what opportunities and challenges do they present?

Answer 7 🎯

Look, blockchain was a huge bang! And then the scams started. And the sh!tcoins, and the thefts, and the difficult UI’s, and then the re-centralization in exchanges, and did I mention the scams?

Heck, I’m the primary author of a patent to use blockchains for the creation of a digital forensic perfect chain of custody! And I still say most cryptocurrency is a scam.

But AI, IoT, OT, Quantum computing, and quantum decryption, are bringing massive amounts of attention to some very interesting areas. We may have to replace all cipher suites everywhere when quantum decryption becomes commoditized. We may have to drop back to symmetric encryption wayyy before then. And AI is going to change so many jobs and so much workflow, as well as third party/vendor risk reviews!

I am fascinated by how technology changes people’s lives and work. In cybersecurity and outside it. I have a great story about it, if you like. I was teaching a Security Awareness course on Long Island. There’s several highways there with small towns which own a few hundred yards of those highways each. They get like 80% of their budget from speeding tickets. (I’ve gotten some! Grumble) I told my class driverless cars would change their lives. “Why? I’m never buying one!” Do driverless cars speed? “No?” How much revenue will the town lose when driverless cars are numerous? “Lots, like 30-60%” Ok, how will the town make up that revenue? (The light dawns) “My property taxes are going to go up!!!!!” Yup.

‍

Question 8 💭

As a member of the SPDX standards committee, how do you see the role of standards evolving in the future of cybersecurity? How can they create better security practices across diverse organizations?

Answer 8 🎯

This is an interesting question. We’ve got people discussing licensure for cybersecurity, the new SEC guidelines seem to suggest that CISO’s can be held personally liable for breaches, we’ve also got ransomware gangs reporting victims to the SEC! Some think that this is leverage to get the ransom, frankly I think that ransomware gangs will or has been shorting the stock, and then reporting them under the new SEC four-day-to-report-a-breach-deadline. Either way, they win. Either they get the ransom, or they win in the stock market!

But to create better security practices, we have to have some standards so we can measure enterprises, apple to apple. So we can do vendor risk management reviews with actual certifications. In my opinion, I’m seeing more and more risk being measured in ways we can certify.

We’re seeing more risk based measures, rather than threat based, being instituted in standards. This is the best way.

With risk based, we’re going to be able to measure across different threats, different threat actors, different types of critical and non-critical infrastructure. Apples to apples understanding of the risks, the value of the data, and the protections around the data.

With mandated reporting, we get to understand how big the problem actually is, as well!

And with supply chain attacks on the rise, holding prime contractors and vendors accountable for the suppliers, and subcontractors they use, is going to make the entire industry more mature, and taking security more seriously.

Question 9 💭

You are noted as one of the top 10 most influential individuals in the BSides movement and are a board member for 3 out of 4 of these global conferences. Have you observed any emerging trends or topics that attendees are increasingly interested in, signaling potential shifts in the cybersecurity landscape?

Answer 9 🎯

Yeah, starting more podcasts. :) Realistically, we’re seeing a fragmentation in the industry. There are now conferences for blue teamers, for pentesters, for exploit coders, for everything in the industry, there’s a specific conference or set of conferences. Back in 2009, when BSides started, there were just “Hacker conferences” and we covered everything! Is that good? Yes, you can go to conference that interests you and see exactly what you want. Is it bad? Yes, because a lot of the time, the fact that I watch lots of forums and sites means I solve problems with math or solutions from a different discipline. (Thinking around corners takes a lot of info intake) :)

Question 10 💭

You’ve went from police officer to an executive director, entrepreneur, and influential figure in the cybersecurity community. Looking ahead, what excites you most about the future of cybersecurity, and what role do you hope to play in shaping that future?

Answer 10 🎯

I have long predicted the commoditization and specialization in InfoSec. I don't like it and I do like it. The amount of knowledge and techniques and tools we have for disciplines that we didn't even have 15 years ago or were rudimentary at best is amazing. And yet we don't have the same cross fertilization and exposure to people with different techniques and expertise that we used to.

As well the gulf between the people that understand what's going on, and the people that don't, is getting a lot wider. Between surveillance capitalism, state-sponsored breaching of any kind of privacy you can imagine, and hyperlocal advertising that's designed to destroy your mind, we've got lots of new ethical, liability, financial, every kind of quandary you can imagine.

I want to be working with companies that make a difference in people's lives that help them live and grow and survive in a very very competitive and difficult world. I like solving interesting problems, and pointing out even more interesting weirdnesses in the world.

What excites me? The fact that we understand business better than ever, and how to make what we do relevant in a less abstract way. It’s not just about security. It’s about making business happen, and making people’s lives better.