Security Superfriends | Garrett Held, CISO of Carta
I’m excited to share our first episode of Security Superfriends! I’ll be posting videos of chats with my friends who are on the security front lines in many episodes to come. We’ll tackle topics including cloud native innovation, investing in new tech, serverless vs FaaS vs CaaS vs Kubernetes vs….and much more!
What’s on your mind? What would you like to learn? Email me to participate or let me know what you’d like us to cover.
Our first episode features Garrett Held. Garrett is the CISO for Carta, a fast moving cloud native company leveraging Kubernetes. I specifically met with Garrett to talk about the changes being brought about in security due to cloud native software velocities. He is uniquely qualified to talk about this having worked at the likes of Salesforce.com, Twilio and now Carta. They are all leveraging cloud native technology, and each is increasingly modern in their approach.
I started by asking Garret to share his personal path from developer to CISO. I suspect we will see more and more CISOs with this profile. This makes sense as infrastructure as code, serverless, functions as a service (drop in your buzz word) becomes the norm.
We also discuss the types of skills he is looking for in team members. For those of you security pros who are looking to migrate where the action is: listen up!
Critical to success in cloud native is working hand in glove with Site Reliability Engineering (SREs), DevOps, and of course developers. Garrett covers his working relationship with these organizations and what seems to work best in high velocity organizations. We also touch on the “Build vs Buy” in the cloud native context and how to plan for the future when working with a fast moving and ever evolving tech stack.
Below are some highlights from the podcasts Q&A!
Richard Seiersen: Over the last decade you have worked for the leaders in the cloud/api/native space for companies like Salesforce, Twilio and now Carta. How has the role of security changed as the cloud has progressed?
Garrett Held: Salesforce was quite the gambit of situations, from four month release cycles on the main product to continuous releases in the cloud products. So (we were) really learning how to make our tools run inside the pipeline instead of having a review time, locking down, hardening the environments and then working with the teams. Instead, we had to work on the fly and use tools that would keep up with development teams as they created things. That became even more important at a company like Twilio, where not only do we have the normal web and API security concerns, we also are dealing with really old communication, and really new communications from SiP to 5g security that we have to worry about.
RS: Company cultures vary, and even vary over time on the Build vs Buy spectrum. Where are you on that spectrum and why?
GH: We make a lot of use of the term "leverage" which is maximizing what we can do with the resources we have. So we're going to buy when our claim can be better spent doing something else. If there's something common that a lot of companies face, there's usually a product out there for it. And there's no sense in us building the same thing over and over again. However, if there's something custom - the way our application works, or there's some new method, maybe a research project as well, we're going to look at building that. And then of course we're always building the glue that holds a lot of these things together.
Want to catch the latest and greatest in Security Superfriends? Subscribe to our Youtube channel for updates, and find all episodes of Security Superfriends on Apple Podcasts, Google Play, Spotify, or wherever else you get your podcasts.