David Stoicescu (Part 1): More SaaS, More Information Security Problems

David Stoicescu: You have to know who all of your third parties are, and you have to understand where your either customer information is going or your employee information is going. So that's what really makes it difficult. If you don't have a grasp on what these applications are, you really don't know. There's a lot of unknowns. And what you don't want to have is a day when the FBI calls you and says, " Hey, we found your employee or your customer information out on the web." And your next question is going to be like, " Well, how did that happen?" And then you start digging and digging, you realize, " Oh, wow. It was some application that we had no idea about."

Cory Wheeler: Hello, hello, and welcome to SaaSMe Unfiltered: The SaaS Management Podcast, the show with give it to you straight, real life advice from pros knee- deep in SaaS every single day. SaaS management superheroes just like you. We're back for another episode of SaaSMe Unfiltered. Really excited to have everyone join us today. I'm Corey Wheeler, co- founder and Chief Customer Officer here at Zylo. I'm very excited to have our next guest joining us, really to provide a bit of a different view of SaaS management than we've previously had on the podcast. So this person has more than 17 years of experience with expertise in establishing programs that scale for high growth, leading and executing strategies that strengthen security, reducing risk while enabling his business to operate efficiently without friction. He's led the building and scaling of information security programs, including product and application security, incident response, security operations and engineering, GRC, and privacy. And he believes that an approach to effective security starts with building people, staying true to the foundations of security and risk, and implementing a pragmatic approach that adapts to business needs. He is the former Deputy Chief Information Security Officer at Expel and currently the Chief Information Security Officer at Deepwatch. With one note that he chose to leverage Zylo again, I had the good fortune of working with him at both of those stops while he's building out his InfoSec team currently. Outside of work, loves mountain biking, loves CrossFit with his partner and high speed racing events as well. So everyone, please join me in welcoming David Stoicescu to the show. Hey David, how are you?

David Stoicescu: Very good. Thank you, Corey. I appreciate the introduction. I thank you've given me too much credit today.

Cory Wheeler: Well, I've known you for a while. So it's probably reflective there. But we sure are excited to have you on the show, talk about security, security related to SaaS management, SaaS tooling, all conversations that you and I have had over the years. So before we jump into the interview, we'd love to get your take on something. We are calling this Segment Hot Takes with Tom. Our colleague Tom McCorkle is going to share a Zylo point of view. And tell us what you think after you've heard that, whether you agree or disagree with it and what you think about the overall take. Are you ready?

David Stoicescu: Let's go.

Tom McCorkle: Hey, everyone. Welcome to Hot Takes with Tom, a give it to you straight point of view on SaaS management and optimization. Today's hot take is that InfoSec is the Superman of your organization and must have a seat at the table when it comes to SaaS management. Sure, on the outside, they seem like your typical Clark Kent, making sure that apps are secure, that you're not leaving a rock unturned when it comes to risk. But then that big scary event happens. That$ 10 app you overlooked turns into a$ 10,000 compliance fine. Or that employee expense tool that you didn't know about has a data breach, which could cost you$ 9. 4 million on average. It's immensely challenging to quantify the value of a robust security process until something happens. You simply can't put a price on peace of mind. So the bottom line, having InfoSec as a stakeholder in your SaaS management program will enable them to save the day before kryptonite strikes. Security can feel a bit like checking a box, but it can be one of the most costly impacts to your business if not prioritized.

Cory Wheeler: What's your take on that, David?

David Stoicescu: I 100% agree, especially with the fact that security needs a seat at the table. However, I would also like to point out and give credit to the IT organization and all of the employees and people throughout the organization that enable the security organization to be Superman.

Cory Wheeler: I like that. Yeah, it's a team sport. We're actually going to dig into that here in a little bit, but I fully agree with that. I think everything has to work seamlessly for the overall IT delivery set to be effective inside most organizations. You have seen that more closely than a lot of folks I've worked with as you've built and scaled InfoSec programs. And I guess let's take a quick step back and understand a little bit about that. How did you get into InfoSec? How did this begin? And what are the passions that drove you to get into this field?

David Stoicescu: So my career has started in information technology, and that's really how I got my start, working in help desk roles and eventually in engineering roles and consulting roles. I would say the consulting roles that I've had have really been the most exciting because I had an opportunity to touch so many environments and get a lot of experience in a very short period of time, eventually moving into leadership roles. And it's been an awesome journey because I learn a lot along the way. Probably the most important lessons I've learned is being able to work with others as a part instead of trying to go at it alone. So really making it a team effort, bringing others along to the ride, leveraging automation as much as possible. And don't be afraid of trying something and potentially failing. And try to fail quickly if you can help it, right? But have a safety net in place. My career in cyber really started when I was at Mandiant. If you're not familiar with Mandiant, they are what I consider to be one of our nation's leaders in cybersecurity incident response. And I got to learn a lot about various customer environments and how different CISOs really approached cybersecurity while being at that organization. And it gave me a lot of perspective. However, I continued to be in IT roles for the next couple of years after Mandiant. And when I had the opportunity to move into a full- time security role, I really wasn't even considering it. It's not something that I thought about, " Hey, I really wanted to be a CISO and run security programs." But it was just something that was second nature and it came really easy. I understood it very well. And it wasn't until a mentor of mine said, " Hey, I think you're ready for this. And I think you should go in this direction." And I thought about it and meditated on it. And when it clicked, it clicked. And when I finally got into that role, that security leadership role, I leveraged my background in information technology to prop up security and to enable security to be a very effective program. And I did that by taking down that wall that often exists between information technology and the security organization.

Cory Wheeler: Maybe double- click on that for me. You had mentioned when we've talked previously that you started doing InfoSec and security work before you were actually in the industry. What do you mean by that?

David Stoicescu: I think every technology team, even if you zoom out a little bit and you look at, for instance, a DevOps team, so the folks that are writing your code, gone are the days where everyone's slinging code, and then it gets tossed over the fence, and then somebody has to review it. It's very time- consuming. So there's this new methodology, DevSecOps. Really, what that means is you're baking security into the development lifecycle of your code and your infrastructure. It's ingrained into your developers, into your leaders, and it's something that they're thinking about along the way. It's not something that gets done later. Security is done as a matter of course. Now, the same thing applies to information technology. I think, and my opinion is, that more IT and security teams need to be working a lot closer together, if not in the same team or organization, so that the IT folks are almost working on behalf of security and baking security into all of the automations and processes and procedures that they engineer on a daily basis for their employees.

Cory Wheeler: That's insightful and it's topical. We had a customer advisory board meeting recently here at Zylo, and one of the number one concerns that came out of that was security. The top of mind focus for a lot of leaders today is certainly on optimization and scale within their business, but security is at the top of the list of things they're paying attention to. So before we jump into some of these follow- up questions, tell me a little bit about Deepwatch. What does Deepwatch do today?

David Stoicescu: So quite simply put, Deepwatch gives our customers the ability to focus on the things that matter most to them when it comes to running their security program. We handle what I consider to be the most difficult component of a security program to build and scale, which is your SOC, or your Security Operations Center. So we have host of methods and capabilities, things that we've built, where we leverage our platform, we leverage our expertise, our engineering knowhow, our efficiencies to take all of the telemetry that any organization might generate from a security perspective, be it your cloud or your email or your identity and access management. And we wither that down to just the alerts that are actionable, that really need eyes on glass folks to investigate. And we have a 24/7 team that investigates those and triages those alerts, and then works with our customers. And what that does for our customers is it enables them to focus on, from a security perspective, the things that really matter for them that are specific to their organization. And often it gives their engineering teams the ability to focus on actual engineering than having to focus on alert, triage, and looking at dashboards and monitoring 24/ 7. It's a very difficult thing to do. And it is very easy to get burnt out in those roles. The average tenure for a SOC analyst is about 24 months. I think it's starting to shorten a bit. But we figured out a way to do this at scale, especially in the enterprise space. And I think we've done a really great job there.

Cory Wheeler: That's really interesting. When you look at your role, both at Deepwatch and prior, where does your passion sit professionally? Is it around security? Or is it around how you build security, the team, the people, the outcomes? Maybe talk a little bit about the passion that you've got in your role today.

David Stoicescu: Sure. I think, listen, building security is exciting. I think it's ever- evolving. The threats are changing. The technologies are changing. And it's always really interesting to take your team and position them to focus on some strategic outcome, whatever that might be, depending on whatever the gaps you're trying to close or whatever maturity you're trying to attain within your organization. That being said, what I enjoy doing the most is the journey, right? And I think the journey starts with the people. And I look at the people that join the team. And as I hire those individuals, the thing that I care about most is having a shared vision. And for those folks, if we can share that vision, I think that they're going to be very successful on my team. Within the security organization, they're going to be passionate about what they do. And they're going to be able to leverage those skills and capabilities well beyond Deepwatch into their next role and the role beyond that. I can tell you without any shame that in previous roles as I was figuring out how to be a great leader, I had always thought that being a great leader meant being able to hire people, retain those people, not have any turn, and they would continue to work for you the rest of their life. That's just not reality. That's not how things work. So I think a better way to look at it is, and what I've discovered slowly and painfully throughout the years is being able to support people really objectively, not necessarily, " Hey, what can you do for me at my organization?" But I think it's a two- way street, being able to help them just as much as they help you. It's got to be a mutual relationship. So when I have people that are passionate come work for me, and I see them grow and I continue to push them, whether it's through training or mentorship, or maybe it's that next certification that they want and giving them those opportunities, that's what really excites me. It keeps them very engaged and excited. And what does that mean? We deliver a really awesome product and experience for our employees.

Cory Wheeler: Yeah. High performing teams begin with that culture, that commitment from leadership, the shared and aligned vision. I love it. Truer words could not have been spoken. So let's pivot a little bit over to SaaS and software and the management of it internally from a security perspective. We had the good fortune of starting to work together about five years ago when you really first started to get into looking at software, how that affects your organization, where the security risks are. We love to ask all of our guests, did you have an oh shit moment internally where something was on fire, a problem happened in any of your previous stops that led you to, " I need to get my arms around this and figure out what we're doing in a real strategic way"?

David Stoicescu: Not necessarily, Corey, under my purview. But what I will say, I've seen those oh shit moments happen with customers or with people that are in my circles. And I think whenever I see something like that happen, I try to learn from that experience myself. Even if something happens in the news or some article comes out, I'm like, " Wow. How would I have handled that situation?" And I've seen plenty of scenarios where someone acquires some application, and this is, I think, it happens in all types of organizations, but it really gets out of hand in the enterprise space because you've got thousands and thousands of employees. So I remember, Corey, when Zylo was probably no more than 15 employees or something back in the day. And I was thinking about as I was building the program, because the company that I was at before, I think we were no more than 30 employees at the time. And I was already starting to think in the back of my mind, " How do we make sure that we don't run into that problem several years from now?" Because it's not that difficult to manage the mischief at a small scale when you know all the employees by name. That's how I approached the problem. And I wanted to develop that relationship early and I wanted to build that muscle early within the organization and make sure that we had the various organizational leaders aware of the applications and the spend, and that if there was something unauthorized, whether it be marketing or sales, that they had visibility into that and they can do something about it. So that's how I started to think about it.

Cory Wheeler: Yeah. Everything begins with visibility. That's how you build out that muscle. You had mentioned to me previously that you knew this was a thing that could go off the rails. What does that mean when you think about things going off the rails that you had learned from other experiences? What are some of those risks that you could see coming?

David Stoicescu: Corey, one of the things that's developed within me over the last decade is just thinking with a risk lens. Almost everything that I look at is some risk- based decision, anything from hiring to acquiring some new platform or looking at actual risks within the organization. The thing that I'm concerned about most, and when I say shadow IT, what that really means is folks within the organization, most of the time it's really intentional. They're just trying to get their job done, acquiring applications, and then putting organizational data, unprotected data within that application. And what that does is it puts that customer information or corporate information in a system that the security team doesn't know about and hasn't been vetted and hasn't actually gone through a third party vendor risk assessment process. And if you are SOC 2 or PCI or ISO 27001 or 701 compliant, those are all things that you need to do. You have to have a grasp on your information security, you have to know who all of your third parties are, and you have to understand where your either customer information is going or your employee information is going. So that's what really makes it difficult. If you don't have a grasp on what these applications are, you really don't know. There's a lot of unknowns. And what you don't want to have is a day when the FBI calls you and says, " Hey, we found your employee or your customer information out on the web." And your next question is going to be like, " Well, how did that happen?" And then you start digging and digging, you realize, " Oh, wow. It was some application that we had no idea about."

Cory Wheeler: Right. That's it. I think that's an oh shit moment for a lot of customers that we talk with. That's the primary layer.

David Stoicescu: I got to stress this, Corey, it's also very embarrassing. When I look at it from my perspective, it's easy to say, " Well, hey, I didn't know." Right? But when somebody reads about it in an article, it just comes across like, " Hey, you just don't run a competent program. Clearly, you don't know what you're doing." Right? That's the first thing that people think about. So perception makes and breaks people and companies and reputation. So there's that angle to consider as well.

Cory Wheeler: Yeah, you're 100% accurate. And that's every organization out there today. There are very few orgs that truly understand the breadth of every application they're dealing with today. It's a part of the founding story that I've got jumping over to create Zylo six and a half years ago. Because the organization that I was at, their security team had no idea what applications were out there. And at the time, they were around 30, 000 employees. So they had hundreds and hundreds, thousands of applications in use. And they turned and said, " This is a big risk for us and we have no idea. So we'd like some processes to be put in place." And they assigned that to me. So that was part of my, " Hey, if this is a 30,000 employee company problem, then this is something that's pervasive across the industry." David, this has been such a great conversation. Thank you so much for joining us on the show today. But there's a lot more to cover, so I'd love to keep it going. For all of you listening today, be sure to join us for part two where we'll be digging deeper into SaaS security, compliance, and governance. Did you enjoy the episode? Pass it along to your friends. Subscribe to get notifications for the latest episode. Share your favorite takeaways and join the conversation on social media using# SaaSMeUnfiltered.