Cloud Control: Q&A with Marsha Wilson of ScaleSec on Harnessing Military Discipline for More Robust Cybersecurity

May 14, 2024

Want weekly newsletters featuring interviews with security and cloud leaders delivered right to your inbox? Sign up for Cloud Control here.

Marsha Wilson of ScaleSec on Harnessing Military Discipline for More Robust Cybersecurity

Hi everyone,

I'm excited to bring you another interview filled with wisdom that only comes from years of experience, this time with Marsha Wilson, the Co-Founder and CEO at ScaleSec.

In our chat, Marsha dives into how her military background shaped her approach to cybersecurity where discipline and strategic thinking are key. Her transition from traditional IT to specializing in cloud security and governance gives her a unique perspective on industry trends - you won't want to miss them.

We also explore the significance of code-driven, automated, audit-ready security operations, and how ScaleSec sets them up to make a difference in clients' compliance and security landscapes. Marsha's practical advice on navigating compliance requirements and transitioning to the cloud is a goldmine for anyone in the industry.

But that's just scratching the surface. Marsha dives into a wide range of topics, from the unique security challenges across different sectors to the emerging technologies shaping the future of cybersecurity.

This is a great read to start your day with. So grab a coffee or tea, settle in, and dig in to Marsha's wealth of knowledge and experience in the cybersecurity space.

Cheers,

Ian

P.S.. We're hosting a roundtable on June 4th as part of New York Tech Week. Myself and other cyber & cloud security founders will be discussing how growth-stage companies can harness AI to scale their organization securely. Expect an exciting roundtable, the opportunity to meet others in the space, and of course - drinks. Register here to save your spot.

Question 1 💭

Hi Marsha, I’m excited to have you here. We share a bit of a common background, which is that you served in the Army as well - for your country. Let’s start by sharing how your military experience has influenced your leadership style and approach to cybersecurity? What do you think other founders or CISOs can take from this?

Answer 1 🎯

I was in military intelligence, part of signals intelligence. And, like cybersecurity, this demands discipline, strategic thinking, and curiosity about anomalies that inform risk management. As an enlisted soldier, I was trusted to be the eyes and ears near the front, and working with my analyst buddies, I would work to bring insights and inconsistencies to my command for further consideration. That is also a big part of cybersecurity--but we have many tools and AI now to assist the humans. That's a good thing.

And I'm not sharing anything CISOs and other business leaders don't already know, though I appreciate the opportunity to reinforce the messages: Emphasize Training and Prepare for the day you need it, do this to enhance your teams' responsiveness and skill levels in cybersecurity.

Foster Discipline and Accountability: guardrails for cybersecurity tasks to hold team members accountable--assuming they are all properly trained--can improve the overall security posture.

Learn from the military's adaptability and resilience, and support leaders as they focus on building systems and teams that can withstand and quickly recover from cyber incidents.

Delegate as far down as you can, and prioritize leadership development to ensure that the cybersecurity team is as equipped as possible to handle crises and lead initiatives effectively.

Question 2 💭

Your move from traditional IT to specializing in cloud security and GRC was a strategic move. What were some of the key industry trends or personal motivations that caused you to do this? How has it shaped ScaleSec’s mission?

Answer 2 🎯

When I left the military in the late 1990’s, I leveraged my security clearance and worked in the defense industrial base for a decade. Though job security was a thing, I really wanted to move faster and work in the commercial space. So I segued in 2011.

As for ScaleSec’s mission, in 2015 we originally thought we would have some commercial and some government work, since my cofounder Aaron and I both came from DIB. We found that in fact, we recognized through our FedRAMP work in the early days that what agencies need us to do is help commercial tech companies understand the government world. So our focus became readying companies to do business with US government entities. And though we are still certified as a service disabled vet owned business, that is not really a business differentiator at this point.

Question 3 💭

At ScaleSec you promote a security-first philosophy in all your consulting engagements. Can you explain further how this approach has an impact on project outcomes compared to more traditional security models?

Answer 3 🎯

Again, after a decade leading ScaleSec, much has changed. Now, teams need embedded subject matter experts. And we are a team of Cloud Developers, Engineers, Architects and Compliance experts who examine all the options through a security lens. It makes sense in today’s world.

With a focus on shifting security left, we often support a customer's cloud migration, and assess their Cloud Software Development Life Cycle (SDLC). It's not uncommon to find processes lack early security considerations, leading to gaps and inconsistencies in security controls across applications.

With a focus on shifting security left, we often support a customer's cloud migration, and assess their Cloud Software Development Life Cycle (SDLC). It's not uncommon to find processes lack early security considerations, leading to gaps and inconsistencies in security controls across applications. We identify opportunities to formalize security standards and processes to address these gaps before deployment, reducing risk of a production-level breach; reducing team disruption and costs from recurring, post-production fixes; and keeping pace with the evolving threat landscape. It is gratifying to have a Director of Security or VP of Product Development say, "Wait no, our teams need to see you using this so they can skill up too." And we are happy to do that.

Question 4 💭

You've talked about the significance of having code-driven, automated, audit-ready security operations. Can you walk us through how ScaleSec sets these up and what kind of difference they're making in your clients' compliance and security landscapes?

Answer 4 🎯

We tell our clients on the very first intro calls that we are there to take the pain away from their security operations teams by layering the security controls into the SDLC rather than waiting until a resource is deployed, when the risk goes from potential to actual. SecOps should be about Detective controls, and let the SDLC insert preventative controls. Because if you wait until post- deployment you have 10,000 vulnerabilities, rather than catching the one configuration error prior to launch. Adding security into the SDLC presents opportunities for security to PREVENT risk to the business, while reducing cost to fix thousands (or tens of thousands) of problems with one line of code. Like Gomboc does with pull requests.

So prior to automated deployment, you examine the reference architecture and the security checklists; during the build use automated testing you add your security tests against appropriate compliance frameworks and leverage scanning tools. During automated deployment, you make sure your cloud organization policies are enforced. Then your SecOps team knows that when a resource comes online, it has been provisioned with security--as defined by your company--baked in. No more real vulnerabilities sitting in the open while it takes days to discover and resolve them. No more delaying GTM or trying to get the dev team back to the table 30 days later, when they're 3 sprints into their next epic; and no more rinsing and repeating this process for the next app

At ScaleSec we recognize that this may be a new muscle for many teams. Security team members must learn how to refactor their workflows using code, and the AppDev team needs to trust that security will not keep them from meeting their business deadlines and milestones. But when clients see how this works, and can work with a team that can demonstrate the impact this shift can have, it is very gratifying.

To fully take advantage of cloud optimization, teams need to start with a hardened baseline, to allow for consistent security management of your environment, and moreover focus your development efforts on the true business differentiators that will allow your business to thrive. This is a hard discipline to instill. But it works.

Question 5 💭

With your understanding of different compliance frameworks, could you share some typical hurdles companies encounter when shifting to the cloud? How can companies smooth out these transitions?

Answer 5 🎯

Teams need to consider the full extent of compliance requirements. External requirements, brought to bear by industry, geography, federal and market sources. Internal requirements as determined by threat modeling, and the residual risk stance your company is comfortable accepting. These all feed into a robust security and compliance program, from which your full complement of requirements, policies, and standards are derived. THESE are then used to create your hardened baseline on which all teams should build their applications. This seems logical but we have found more often than not is not part of the build process at companies--instead they focus on the technology first, not risks first, which technology addresses through controls.

To fully take advantage of cloud optimization, teams need to start with a hardened baseline, to allow for consistent security management of your environment, and moreover focus your development efforts on the true business differentiators that will allow your business to thrive. This is a hard discipline to instill. But it works.

For example, our customer Dexcom started as a small shop in San Diego, then grew their team internationally to the point that synchronous meetings were impossible to align on a consistent basis, so we set them up with GitOps to manage changes through code. Experimentation in the console is fine for development, but it does not scale.

How can companies smooth the transition to cloud? By training these processes until they are second nature. And most importantly, finding the courage to set policy and permissions to prevent changes via the console in production. The longer you've been changing prod through the console, the more this hurts.

Reinforce the habits you want to see replicated.

Question 6 💭

You’ve worked with clients in defense, energy, and healthcare—sectors with very different needs. Could you highlight some unique security challenges they each face? How can teams customize solutions to address their specific concerns?

Answer 6 🎯

I think actually they more often share a common security challenge, which I touched on a bit above. When you don't address security requirements prior to build, it will introduce real risk and increase the chances of issues. A strong security program built using a common compliance framework will ease the challenges of disparate compliance mandates that come from across various sectors. For example, you may have HIPAA and PCI and Privacy requirements. You can use NIST 800-53 for your common security and compliance baseline to inform your security program, and crosswalk the technical controls for PCI and HIPAA. The compliance frameworks and requirements themselves are not the greatest challenge. It's getting companies to build the requirements into the infrastructure that will yield the best outcome, regardless of the sector in which they work.

Question 7 💭

We all know how crucial collaboration is in tackling complex security challenges. Could you give us an example or a story where working closely with a client led to a major improvement in their security strategy?

Communication between the teams was rare, and no trust had been built. We recognized the need to encourage and build that trust. To do that, we sought inputs about approach, timelines, and milestones from each side, and then took ideas from one team and shared it with the other. We looked for places where both agreed, and negotiated between them when they differed.

Answer 7 🎯

We are currently completing an engagement where one team was responsible for the build pipeline and another was leading the effort to roll out a new payments platform subject to PCI requirements. Communication between the teams was rare, and no trust had been built. We recognized the need to encourage and build that trust. To do that, we sought inputs about approach, timelines, and milestones from each side, and then took ideas from one team and shared it with the other. We looked for places where both agreed, and negotiated between them when they differed. Many times we backstopped our work with vendor recommendations and not our opinion to shore up approaches that would yield the best business outcomes. As we near the end of this project, we are pleased to see across the board buy in for this effort, but better still we see the lines of communication opening up and allowing both teams to recognize the importance of their role in the success of this project. Hopefully this will allow for a stronger and more cooperative venture when these teams tackle new challenges in the future.

Question 8 💭

What new threats are you keeping an eye on, particularly with more companies adopting multi-cloud strategies? How are you advising them to stay prepared?

Answer 8 🎯

This might be a good place to explain some of the nuances around security teams, and how we are the green team, not the red team pen testers. Many folks equate security with CISO, or SOC, or other important and vital parts of maintaining a strong security posture. While CISO and SOC functions are critical, at ScaleSec we focus on shipping secure products as fast and efficiently as possible. In fact, most of our engagements do not arise from the CISO’s budget line, but rather from product delivery teams, this due to the fact that we are builders with a security mindset. We help the product teams build applications in a way that will pass security and compliance requirements. We do confirm and interface with the security teams but only to validate that we are baking in the controls that they are expecting, those that will make their lives easier in the SOC.

So with that in mind, the risks associated with a multicloud strategy include the obvious increased attack surface: Using multiple cloud providers naturally expands the attack surface. Each platform has its own set of tools, security protocols, and potential vulnerabilities, making it harder to maintain a consistent security posture. And quite honestly, if your team has trouble managing one cloud effectively, you exponentially increase complexity by adding another cloud.

With multi cloud, you also have more complex identity and access management challenges. Inconsistent IAM policies can lead to security gaps--many of our engagement focus exclusively on helping teams get their arms around IAM.

At ScaleSec we recommend cloud native first, and if at all possible, choose to be all in on one cloud, to reduce this challenge. I know it sounds sweet when the sales person from the competing CSP calls and offers you a fantastic deal to move to their cloud. Don't do it.

Question 9 💭

You’ve told me that you are passionate about helping teams deliver tech solutions quickly yet securely. What DevOps practices do you recommend to strike this balance, and how can companies implement these effectively?

Answer 9 🎯

The way to permeate security across a company is to establish a cloud operating model that touches all parts of the company. The Cloud Operating Model moves “cloud” out of IT and into the whole organization. It is aligned to a digital transformation. You start with a cultural shift. Find a respected leader within the organization who can foster a culture where security is everyone’s responsibility. This person will be your zealot, to encourage collaboration between development, operations, and security teams to integrate security into all phases of development and operations.

Once you get some mindshare, start offering training (or retraining) to upskill all team members on the latest security practices and how that affects their day job. Specific to DevOps, include hands-on sessions to ensure everyone is empowered and understands how to implement security controls by default.

Finally, this is a titanic endeavor. Set your expectations accordingly, and know that to be successful, this is forever, and will require iterative improvement. So, start with small, manageable security improvements and scale up efforts gradually. Use feedback from all the teams to continuously refine enterprise cloud best practices.

Question 10 💭

As we look ahead, what trends or emerging technologies do you find most promising or concerning? How should the industry, including leaders and policymakers, prepare for these changes?

Answer 10 🎯

Well, like most of us in tech, we are watching a number of exciting developments that affect our space. Most prominent is of course AI/ML. Advances in AI are looking particularly promising in healthcare, finance, and manufacturing, where they can drive innovations like personalized medicine, automated financial advising, and predictive maintenance. Key to this will be the data itself. For companies looking to train on their own data, no time like the present to actually understand the data you have to enhance the fidelity of your LLM.

Another advancement that continues to astound me personally is quantum computing, as it promises to solve complex problems much faster, while also potentially threatening our reliance on encryption, on which so many cybersecurity measures rely.

Another advancement that continues to astound me personally is quantum computing, as it promises to solve complex problems much faster, while also potentially threatening our reliance on encryption, on which so many cybersecurity measures rely. Experts believe breaking encryption will require cryptanalytically relevant quantum computers (CRQCs), which will not be developed until at least the 2030s, but dude, that is right around the corner for tech.

Finally, I am fascinated by Blockchain and Decentralized Finance (DeFi). I heard from Cheri McGuire, the Chief Technology Officer of SWIFT, a global provider of secure financial messaging services. She shared how Distributed Ledger Technology is evolving and how banks and countries are morphing to accept currency beyond the current global currencies. Blockchain technology offers transparent, secure ways to conduct transactions and store data. DeFi extends the concept of blockchain to the financial sector, proposing a more open, accessible, and less regulated alternative to traditional financial services. Cheri also noted how insider threat detection must be built in from the start if this is to be the value exchange of the future.

It's clear that when you are working in security, there is always something new on the horizon, something new to learn. I'm happy to have shared some about ScaleSec and my own personal passions about the security industry.

Thanks for inviting me to collaborate with you all!