Cloud Security Office Hours Discussion
Quick recap. The meeting focused on various topics including cybersecurity, AI, and coding, with participants sharing their experiences and insights on these subjects. The group discussed the challenges of implementing effective cybersecurity measures in organizations, the importance of having skilled professionals in the field, and the increasing prevalence of internal security threats. They also explored the use of AI in coding, the importance of critical thinking skills in cybersecurity, and the need for a collaborative effort between academia and industry to address security issues.
Cloud Security Office Hours Discussion
The meeting begins with informal conversation among participants, including jokes about identifying real people versus AI in video calls and North Korean workers. Shawn, the host, welcomes everyone to the Cloud Security Office Hours, emphasizing that it's an open forum for questions and discussions. He encourages new participants to introduce themselves, and RB, a security engineer from Omaha, Nebraska, does so. Shawn explains that the session is a safe space to ask questions, even "dumb" ones, and to interrupt for clarification on any unfamiliar terms or acronyms used.
Stryker's Cybersecurity Journey and Certifications
Stryker, a threat intelligence professional, discussed his journey into cybersecurity and the value of certifications in his field. He shared his experiences with various certifications, including the CCSP, and emphasized the importance of critical thinking skills in cybersecurity. Stryker also highlighted the need for people with communication skills in the industry. The group welcomed Stryker back and discussed the challenges of transitioning into cybersecurity from other industries.
CISA Certification and Security Auditors
In the meeting, Stryker discussed their experience with an exam and the benefits of the CISA certification. Shawn and Nicolette discussed the importance of security auditors and the need for more people in the field. Ryan introduced himself and expressed his interest in learning from the group. Nicolette shared an article about secret scanning and its importance in cybersecurity. Matthew brought up the issue of developers making the same security mistakes for years and the need for a solution. The group agreed that the problem of developers not writing secure code is a long-standing issue that requires a collaborative effort between academia and industry.
Balanced Approach to Cybersecurity Measures
The discussion focuses on the challenges of implementing effective cybersecurity measures in organizations. Jay argues that while fear can be a motivator, it can also lead to fatigue and loss of effectiveness if overused. He suggests that compliance requirements and regulatory frameworks can be more effective in communicating the importance of security to business leaders. Jay also emphasizes the need to prioritize threats and move from a culture of fear to a culture of risk, where ownership of risk is clearly defined within organizations. The group agrees that a balanced approach, combining compliance, risk management, and targeted awareness, is likely more effective than relying solely on fear-based tactics to drive security improvements.
US App Code Development Challenges
Ross and Stryker discussed the challenges of developing app code in the US, with Ross arguing that the US is more of a service industry and not focused on building things. Stryker countered that the US has the talent, but companies are not willing to pay for it, leading to offshoring. They also touched on the issue of security risks associated with offshoring app code development. The conversation ended with Shawn agreeing that there is talent in the US, but the cost of living and the desire for remote work make it challenging for companies to hire locally.
AI and Cybersecurity Risk Assessment
The discussion covers several topics related to AI, coding, and cybersecurity. Brandon explains how cyber insurance companies assess risk based on company size and revenue, emphasizing the importance of having appropriate controls in place. Jay adds that presenting a plan with cost estimates is crucial when addressing security issues to executives. Matt and Stryker express skepticism about statements made by CEOs of tech companies, particularly regarding AI and coding. They discuss the high costs associated with AI services and predict potential price increases in the future. Stryker raises concerns about the accuracy of AI-generated code, citing statistics on acceptance rates of GitHub's AI tool and highlighting the potential risks of relying too heavily on AI for coding, especially for less experienced developers. The conversation concludes with a question about the long-term implications of training junior coders primarily on AI-generated code.
AI in Coding and Insider Threats
The group discusses the increasing prevalence of internal security threats, particularly in healthcare, as reported in the recent Verizon Data Breach Investigations Report. They explore the various types of insider threats, including accidental, ignorant, and malicious actors. The conversation then shifts to the use of AI in coding, with experienced engineers finding it helpful for speeding up tasks, while junior developers may struggle to use it effectively. The group emphasizes the importance of having skilled professionals who can properly leverage AI tools rather than relying on them entirely without understanding the underlying processes.