Cloud Security in a world of multi public cloud

View Show Notes and Transcript

Episode Description

What We Discuss with Stu Hirst:

THANKS, Stu Hirst!

If you enjoyed this session with Stu Hirst, let him know by clicking on the link below and sending him a quick shout out at Twitter:

Click here to thank Stu Hirst on Linkedin!

Click here to let Ashish know about your number one takeaway from this episode!

And if you want us to answer your questions on one of our upcoming weekly Feedback Friday episodes, drop us a line at ashish@kaizenteq.com.

Resources from This Episode:

Ashish Rajan: [00:00:00] Hello, everyone. Welcome to cloud security podcast. Today’s guest hits to Hearst. It gives me immense pleasure to welcome him to the show because I have a lot of offline interaction with him, online traction with him. So I have been greatly looking forward to this episode. Welcome Stu, glad to have you on the episode. 


Stu Hurst: Yeah. Thanks for having me great to speak to you and to be on. Awesome. 


Ashish Rajan: Well for people that don’t know you and don’t really follow you on Twitter and don’t really get your jokes on Twitter. How do you explain what, what you do and how’d you get into cybersecurity? 


Stu Hurst: Yeah. So I’ve been in what? We’ve 2020. So I’ve been in about nine years. 


I’ve been in it over 20, was a mainframe developer for the main bulk of the start of my career. And then I I’ve, I’ve mentioned this on a few kinds of podcasts. I, I joined the company called the train line in the UK, and sort of morphed into doing PCI related work, which just got me into the whole cyber security world or, or whatever terminology you want to use for what we do. 


And then just a number of years really upskilling and in that area. And I’ve been lucky enough to be, be a few, awesome companies over the last few years. And really just kind of, yeah, yeah. [00:01:00] Learning as we go and, and, and trying to build teams, cool companies. I’ve morphed into this cloud world of late, which the last company I was at, I kind of made a deliberate decision to, to sort of shift into that because it, it needed, looked at and needed dealt with. 


And then I’m now at just the, which is, you know, one of the, one of Europe’s biggest kind of food delivery and online ordering services and, heading up cloud security there with a really, really cool teams split over the UK and Canada. Yeah, and just really getting my teeth into all things, cloud security, which is still very new, very niche. 


Yeah, lots to get, to get stuck into. And it’s really exciting. So that’s kind of where I’m at. And a lot of those things have been through no rhyme or reason as to how I’ve got into those. The, I would say my transition into security was probably luck more than judgment. I’m, I’m, I’m super glad that I did cause I love it and I’m very passionate about it. 


But I didn’t pursue that career. I didn’t pursue going into that part of technology. I just sort of found myself there. Right. And I’m still here. I’m still 


Ashish Rajan: here. Well, I’m glad we are here because I really get along with you at least from the first few conversations that I had with you. So I’m glad I’m glad someone of you in the cloud [00:02:00] security space and what a forecast to be on to talk about cyber security right now. 


Absolutely. And probably the obvious question. I guess people were, and I ask this every time as well, more is cloud security for you? Like what does that mean? 


Stu Hurst: Yeah, I think there’s a number of different facets to it really. The role I’m certainly in personally at the moment is, is heavily around the infrastructure of, of cloud. 


So you know, various, the various cloud providers and how, how those infrastructures are built and secured. There’s obviously other areas of cloud. You’ve got kind of SAS products, which are, you know, many of those are now cloud-based which you then consume as part of your, your business so that, you know, there’s a need to protect data and, and and things within those. 


So I think it covers, it covers a number of different areas. It’s still quite new for a lot of companies. I I’m lucky I work in internet economy and, and that, and that’s powered by the cloud really. I mean, you know, if you’re any reasonable internet company worth its salt, your applications are being built in the cloud. 


That’s just sort of how it is. Yeah, but I totally understand that for a lot of other businesses, bigger, more traditional machines [00:03:00] or corporate businesses are either just starting to make that transition or, or, or maybe thinking about it. I’ll be surprised if there aren’t any businesses in this day and age that aren’t in the cloud in some way, shape or form. 


So whether that’s just you, you know, consuming cloud applications or whether they’re actually starting to build, build in that. So yeah, I still, I still think it’s pretty niche. I think it’s a subset of the security industry as well. I mean, a lot of the things that we’ve had to do with more traditional networks with now, I guess replicating in the cloud, but having to do it a different way, just because of the way that the cloud is, the cloud is built. 


So yeah, that’s kind of where I find myself and that’s, I don’t think there’s a huge amount of people. Industry-wide really, invested in cloud security. There’s it’s a subset of, yeah, but the rest of us it’s quite small 


Ashish Rajan: anyway. Yeah. That’s an interesting one because I do want to get into recruiting for a cloud, especially because to your point, it’s so toxic. 


You already so new that a lot of people are still trying to figure it out, whether it’s just infrastructure or is it infrastructure and application? How, what, like, I mean, The cloud service providers like AWS or Amazon Azure, Google cloud, everyone [00:04:00] slaps the shared responsibility more or less well, so it’s almost like, and that gets even more complex. 


When you talk about enterprise, whether it’s an internet company or district traditionally banks or anyone else. Before we get into that, I wanted to ask, you mentioned your focus, infrastructure and application is an internet company as well. So you have people for your colleagues on an application, or what are the, I guess security stream exist in just feed? 


Stu Hurst: Yeah. So we’ve got, I suppose, a traditional setup. If that’s what you want to call it, it’s what I’d expect from any reasonable business, regardless of what you call the team name. So we have a security operations team dealing with, incident response and alerting and threat hunting and things. And then we have a, an application security team, so all things code and then how to build secure product. 


And then the more traditional kind of awareness, risk and compliance, a sort of small function dealing with that, even though, I mean, the work, the work we do at this company is, you know, we don’t do sort of death by PowerPoint or kind of training, boring online training platforms. So that the teams that are working in those areas, we’re always looking for really cool things to work on. 


Right. I’ve seen [00:05:00] different companies use different terms for these kinds of teams. So, you know, SecOps is SecOps, but sometimes application security is called product security. Yeah, depending on on the kind of company cloud security sometimes gets merged or morphed into just an infrastructure security team or platform maybe I’ve seen used 


Ashish Rajan: one of the, actually not one of the, one of the episodes that talk security podcast, I spoke to the prosecutor. 


Director of Dow Jones and his role was kind of expanding between infrastructure application or for all the products in Dow Jones. So there’s that version as well, where someone may not have the title of cloud security, but technically they’re looking after everything in a cloud context because Dow Jones is primarily. 


So, and talking about primarily AWS, are you guys multicloud or 


Stu Hurst: Uniqlo? Yeah. Yeah, no, we, we, we are fairly public about being multi-cloud for different reasons. I think that’s a sensible approach for, for various reasons. The cloud providers, some of them are better at some things than others, which is, I don’t want to sort of call that out or, or name that particularly, but you [00:06:00] might find one does something a little bit better than another one, and that might be why you, you choose to use different ones, obviously resiliency considerations there to, to, spread risk potentially. 


So yeah, w we’re we are multi-cloud, but, but, Yeah. A cloud first company, I guess, is probably what you would describe it 


Ashish Rajan: as. So also I guess, cause a lot of companies I guess non-internet based companies, banks and stuff. A lot of them in Australia actually. So I’ve kind of going down that part where they’re saying they’re going to go SAS, SAS first, then a paths than I as is that a similar model for you guys as well? 


Stu Hurst: Yeah, we’ve been in AWS for a reasonable amount of time. So everything we do is cloud first, really. I mean, it would be very unusual for us to be looking at anything that isn’t cloud, unless there was a specific business reason to do that. And there are in, in lots of different companies as to why they would potentially want either their own data centers or, or physical CA within their own offices to do certain things. 


It just depends on the, on the need of the business. I mean, I’m not, I’m not in the world of banking or, or government where, you know, there’s obviously data requirements and [00:07:00] protections that need to be in place that perhaps make cloud more difficult. I think when I worked at capital one for a short period of time, sadly, a bit, a bit shorter than I was hoping, but 


Ashish Rajan: before the incident, 


Stu Hurst: no, this was a few years ago. 


Well, it’s very interesting in that, you know, one of the best things I’ve ever worked with actually, and, and very proud to have, have worked there. They are not fully in the cloud 100%, but certainly the American business had a expectation to be fully cloud over a period of time and everything. You know, that cloud team is incredible. 


Actually, there’s some very clever people in it. And so for a bank of that size to be so close to being a fully cloud company is impressive. And I think that just shows how, how the world is moving and how tech is moving. And, and some of those traditional ways of thinking about securing networks, it’s just, it’s just shifted. 


And as I said, I just, I feel if you’re a company that hasn’t leveraged the cloud yet for a number of different reasons, I’d be keen to hear why that is because the companies that I see that are really innovating and really flying and doing more. Yeah. 


Ashish Rajan: Other examples you hear of people who kind of moved into cloud and moved out of cloud, where do the big giants again Dropbox, as an [00:08:00] example of Facebook, as an example, these guys spent on cloud, but then they realized the compute over there was already enough. 


But what average population of people using tech? I think cloud is a huge step from what the traditional data center has been. It’s really, I think a friend of mine went to the U S and he was saying they have a very different problem. And I don’t know if this exists in UK or Scotland as well, but they were saying that they have problems with hundreds and thousands of accounts like AWS accounts. 


Is this something that you see, like the scale of usage of public cloud, do you see like either yourself or your colleagues in other companies, you hear much about that in UK, where people are talking about the scale of public cloud that they have to deal with in terms of. 


Stu Hurst: Yeah, a little bit, I suppose, to touch on the drop box point, they did a really good blog about their reasons for shifting some things out of out of Amazon into their own data center. 


I mean, they, I think the business reason for them was that, you know, they’re storing such a huge amount of data that, yeah, I think it was actually much cheaper for them to do it themselves. So it was to have it in Amazon, 


Ashish Rajan: the company. 


Stu Hurst: Yeah. I’m sure compute will be [00:09:00] as part of that as well. You know, the speed at which they could potentially get get access to historic data, but there was, there was a very specific set of business cases as to why they did that. 


And I don’t think they’re fully out of AWS. I think they still run applications in AWS and I’d have to dig it out and then I’ve looked, 


Ashish Rajan: oh, well they have the other problem. They want to be out of the cloud and into the Dell data center. Whereas everyone else is trying to get out of the data center. 


Stu Hurst: Yeah. 


But again, every business is different than has, has its reasons for doing what it, what it does. I think on the sort of environment scale. Again, it depends where you’re at. I mean, I watched a great talk recently from Chris Ferris, which she was talking reinvent think he’s the Warner group or whatever that’s called now. 


And I think they, that, that group is, you know, X amount of companies absorbed into that group. And I think on that talk, when he talks about how to use guard duty and do threat hunting, I think they’ve got a very under accounts in AWS. So that, I mean, that to me is huge scale. Yeah, and that’s a really, it’s worth watching as a talk, just to see how they’ve started to address threat Intel across such a huge range of. 


Ashish Rajan: Oh, yeah. I’ll definitely look that in the show notes. I think that’s a good one. I think there was in the, slack [00:10:00] channels as well. I guess it’s actually health that you and I shared. It was definitely that as well. He’s either. He’s a solid dude. Definitely. If he was falling on the refit and the work he’s doing. 


So in dental scale, if you’re looking at, so what do you, what is your strategy for now? You, because you’re being multicloud. What are your thoughts around folks who are, might be taught themselves? How do you deal with it or how you’re trying to deal with it? If it’s the onset of it, what are your thoughts on this? 


Stu Hurst: Yeah, I would say the one, I mean, I’m upskilling in cloud every day and I worked with some really smart people who teach me lots of cool things. And I would say the one thing that I initially struggled with in. In creating a team of, you know, of cloud security in how to address cloud security, a major business is what do you go after first? 


You know, w w what do you care about? You know, you could have hundreds of accounts, you could be split across numerous cloud providers for various reasons. You know, you have conflicting priorities across all sorts of teams, you know, that there’s such a myriad of things to, to care about. So I went back to basics a little bit of risk, you know, not, not [00:11:00] the, I keep saying this, but it’s not the super sexy stuff. 


Unfortunately, when it got, when it comes to some of the things we can do, but it was like, what should we care about across these environments, that infrastructures. So, you know, I don’t reinvent the wheel with these things. There’s a lot of good frameworks out. I did an article recently this out this week on you know, there’s places you can go and get a lot of reasonable frameworks for cloud. 


So, CIS benchmarking nest and the Maya framework, it might not be a one size fits all, put it, those kinds of things should give you at least an understanding of where to start to what, what I fundamentally done at this company so far has built a risk framework that allows us to understand what it is we care about and why we should care about those things. 


And then any piece of work we now do essentially aligns to any of those risks of which they’re, you know, risk rated and reviewed. Constantly really. So we’re always able to justify why we’re doing certain pieces of work over other pieces of work that the premise being is reducing risk in certain areas that we know to be, potentially more serious than, than something else. 


So that’s kind of where I started. I think the other thing that’s [00:12:00] super important when you either come into these kinds of jobs or you’re somebody starting in cloud security is you just need to understand the environment. And I don’t just, I don’t just mean the cloud environments that you would be responsible for the first six weeks in this job. 


I did nothing but speak to people. You know, anybody, anybody, and everybody from engineering, finance, HR, whoever I could speak to just to understand their world, their job, what applications they use, what data they’re potentially using Just to get a feel for, for the things that go on. And I think that’s important insecurity cause we’re not just siloed. 


You know, we tend to consider things across the whole business, 


Ashish Rajan: talking about silos. How does our deployment pipeline look for you guys? I’d work point, the security got involved the beginning, where suppose I guess you can, they could either as a new product being launched by Just-Eat or you can talk about existing products being updated, however you want to take it. 


I’ll do you approach security and justice for, 


Stu Hurst: yeah, I mean, I, I guess I can’t, I can’t go into too much detail. We’re very into you know, DevSecOps and everything being as far left as possible, you know, [00:13:00] to use the, the shift left terminology that we’ve probably all people, I guess 


Ashish Rajan: what I was going with that automation being the success or the key to success for cloud security in cloud. 


What are your thoughts? 


Stu Hurst: Yeah, it’s obviously really key. Isn’t it too much of what we’re doing? Not, not just in cloud security, but I think security in general and engineering in general. So, you know, we’re always looking to automate processes and procedures as, as best we can. I think the way that the cloud is built and the functionality of the cloud providers makes it interesting to use automation in a way we haven’t used before. 


We’re really keen at the moment on exploring the whole or remediation piece, especially in AWS, you know? So somebody does something that the. Potentially risky and you can auto remediate as soon as they’ve done that. So yeah, and you’re, you’re effectively reversing their decision. So you can start small with these things you can, behavior is seen and you can alert on it. 


So maybe that’s the first step. You, you, you automate your alerts so that you can see that something’s happened, go and carry out some kind of manual tasks to deal with that or ignore it. You know, it [00:14:00] could be just a, an alert you, and you’re not going to do anything with, and then you, excuse me, you go into more. 


You know, can we take retrospective or very quick retrospective action on that that behavior or that, that thing. So yeah, we were sort of heavily looking as to where we can leverage a lot of those things with it’s certainly within AWS, but also with the other cloud providers. We, 


Ashish Rajan: so people who are probably listening and I guess starting off in security in cloud, it could be multi-cloud Azure, AWS, or whichever one. 


What do you recommend as to what your point earlier? So use the first six weeks to find out what the company does and that’s kind of next up is SDLC software development life cycle. We do. How do you recommend they approach security in cloud for a DevOps team or a pipeline based company or. 


Stu Hurst: Yeah. I mean, it’s fundamentally massively important for you to understand the environment, you know, w what accounts have you got? What, what applications do you have in the cloud? What what’s running, where, where where’s your data, where’s your card data. If that’s what you do, where’s your personal [00:15:00] data. You know, what testing environments do you have? 


And then I suppose you’ve got to start looking into what protections you currently have in place. You’ve talked about the shared responsibility model. That’s quite, quite well established now, and, and it gives a good breakdown of what you should then look at because you know, the cloud providers deal with the other side. 


And I suppose you’ve just got to go and see where or where a lot of your protections are missing, and then use those risk frameworks that I’ve talked about to start to break down. Okay, you’re using these frameworks, are these things applicable to my business? And are they the main things I should be worrying about? 


You’re not going to immediately jump into if you’re just starting out and you just, maybe just building a team in cloud security, it was, you’re just starting to address it for the first time. It’s unlikely that in six weeks you’re going to be automating the headlamp things and using Lambda and, and, and, you know, you’re going to be starting with a lot of basics. 


You’re going to be cleaning things up, firefighting, some issues, you know, reaching out to your engineering teams to help them understand some of the practices a little bit about, you know, building some best practice or training programs. You know, you’re not going to be one of these super-duper cloud [00:16:00] engineering teams overnight. 


And I think. Yeah, you need to do a lot of those basics first before you can then strategize what you do next. There is a it’s like anything in tech, you sort of go through a journey. I suppose it’s how it’s how quick you can get there. The more people you’ve got, the easier that becomes, and that’s one of the talks I do on cloud is I tend to ask the crowd or the people watching. 


What do they feel is the most important thing in cloud security. And I get loads of great answers, you know, Nesby and public buckets and security groups or whatever it is. And I tend to say it’s recruitment because you can have all the great ideas in the world, but if you don’t have the people who can help you achieve it, then those things don’t happen. 


So I’m, I’m very lucky here that I’ve got some great engineers that we brought on board. 


Ashish Rajan: But yeah, that’s a good segue into recruitment as well. What do you recommend that people should have? And I think, I believe you yourself had a challenge yourself recently when you were trying to grow your team. 


So I’d love to hear, but what do you think is inside of team and what kind of roles should they have? 


Stu Hurst: So, so we had, I joined them. There was only a couple of people in the end, the team, but, but you know, very talented people, unfortunately left for [00:17:00] other roles and, and, it was fundamentally faced with two open roles to fill, across the UK and Canada and, you know, cloud security is niche anyway. 


And, in an industry like this, you tend to know who those people are. Jet generally, it’s the same names that sort of float around at more senior levels. Yep. So I was obviously doing a lot of digging around senior cloud security engineers and reached out to a few people. I knew who were, who were awesome, but it was hard. 


It was really hard work. We put a senior cloud security engineer job out onto the market and didn’t have a huge amount of sort of contact. You know, we had a few, a few applications and a few interesting people to speak to. But it was slow. And you know, it took a few weeks to really get much back. 


So I had discussions with our team internally here around what kind of thing are we looking for? I mean, yeah. Senior people to help drive certain things, but then we also considered, well, how about bringing somebody more junior in who’s either transitioning from another security role or maybe a network engineer role, or even somebody who’s been in a an end, a pure engineering role. 


So I put a junior jobs back out and I had had over 200 applications for that job. I had about [00:18:00] 15 for the, for the senior one. So we’re talking a huge amount of people applied for, for that, which was just awesome. And it took weeks to go through all the CVS and applications, That was a bit of an eye-opener and lots of the people that I spoke to had a lot of experience and not necessarily in cloud all the time, but years of experience in network teams or in it, or in support. 


And then lots of people kind of coming out of university or looking for first roles in companies and that kind of thing. So it made me feel that potentially, maybe we’re putting the wrong kind of job specs out. Maybe we’re looking for too many things. Maybe we, or maybe people just don’t feel confident enough that they are senior. 


If that’s what the term is, it just felt like more people were applying for the junior role thinking maybe I’ve got more chance of getting that than I have of the senior role, even though they were not junior, as I would kind of term it are, you can have first jobs or, or, you know, kind of just out of university or new to. 


Ashish Rajan: Both application and infrastructure in cloud, or was it at your point earlier? It’s just what was just focused on infrastructure, but people just felt, well, I haven’t worked in clouds long enough. 


Stu Hurst: So the, the [00:19:00] senior job space, wasn’t it, wasn’t too different from the junior one. It asked for a couple of different things, potentially things like Ansible, Terraform or cloud formation, but, but not in any real detail, not, not not a super technical level, but, We also didn’t demand that people needed all three of the main cloud providers. 


It was like, you know, knowledge of one is probably enough because you can learn the other ones. I just wonder if the term Sr and the connotations of the term senior, from an experience, point of view, you just put a lot of people off because they felt that either they didn’t have it, or because they were trying to transition into a, more of a cloud role that, that they just thought, well, I haven’t been a senior cloud engineer, therefore I’m not going to apply for it. 


So that, that was just a real eye opener and, and exchanged my thoughts on future hiring and how we go about doing that. So even if we put out a junior spec, but then we hire somebody, but then they come in at a bit of a higher level. That’s totally, that’s totally fine. So yeah, really, really interesting experience, but we’ve, we, you know, we’ve had a couple of awesome people 


Ashish Rajan: join, anyone, looking at the coding, anyone should they. 


Open, I guess if they have one role for [00:20:00] senior, they probably should look at doing a senior and a junior. 


Stu Hurst: Well, I just think that, and I’m not the only person that talks about this and that my, my, my boss had just eat. Kevin is very passionate about this as well. I just think we put too many things on job specs for security. 


I think we asked for too many things. And the reality is that very few people are experts in any of those things. So we should probably restrict job specs to. Bare minimums. And then if you get really awesome people who know a hell of a lot, then that’s great. You’ve kind of, you’ve got what you wanted, but it also just opens up the pool to lots of people who either underestimate their value or their skillset, or they have imposter syndrome like me, and they don’t feel that they’re, that they’re, that they’ve got the skills to do it. 


And so I think it’s an industry thing. I don’t just think it’s cloud. I see some job specs for security roles, and I just think you’re looking for, I don’t know what you’re looking for. You’re looking for somebody who appears to not exist because you’re asking for almost like experience in every facet of information security and real life experience of it, which it just isn’t the case. 


People might have a little bit of knowledge about things, but the reality is they weren’t, we’ve been in jobs where they’ve been able to use that. 


Ashish Rajan: Sorry, 


Stu Hurst: sorry. Yeah. [00:21:00] I was going to say that if these people do exist, you know, I hate to use the term, but they’re the sort of rock stars, you know, that are probably on such massive salaries and very hard to employ anywhere. 


Ashish Rajan: Are you talking about job descriptions where they ask for CSSP experience with cloud security, architecture, security, architecture, risk management. I’m clearly not one person because this job is like a million dollar job. 


Stu Hurst: Yeah. All those jobs are sort of position that engineer level or mid range level. 


And yet they seem to want the experience of a CSO or yeah, yeah. Years and years of experience of driving this change at a huge organizations. And I think we just need to be realistic insecurity that there’s a massive amount of talent in the industry. And there’s a lot coming through and a lot coming out of great universities or people transitioning in their careers, but we need to get those people into company. 


And then, and then give them the ability to, to upscale and to, to drive change. There’s there’s one person. My, I don’t like calling out specific people cause I work with a really, really awesome team. But one of the people that I brought in had come from another UK internet company and he was a pure platform engineer, who had been working on some security stuff, but hadn’t, hadn’t done a degree in [00:22:00] security. 


He hadn’t been a prominent security team member, but was really interested in it and had done some work in it. And we interviewed him and it was just a very easy decision and he’s come into the team and within three, four months is just smashing out the park. So it’s almost like those people just need the opportunity. 


They’ve got such an amount of skill in certain areas and yeah, they might be missing some of the security aspects, but we can teach that and you, and you get that by being in the. So I think I’ve talked on a couple of podcasts around, I think hiring people who hire security professionals need to be a little bit more realistic about what they’re able to get and also what they’re able to get for the money, because you see some roles that are supremely underpaid for what it seems like they’re asking for. 


You know, if you want massively senior security people with a huge amount of skillset, who’ve done it at big organizations and my fade, you have to pay for that. That’s what the industry demands. So similarly, if you’re taking on junior people or new to the industry, setting huge expectations of what you think they should know, it isn’t the way to go. 


So for me personally, that the last few months has been a real learning curve on hiring and, and what to look for. And, it was great to get such a huge amount of applications. I mean, I wish I could [00:23:00] give everybody a job, but it’s just not, it’s just not how it works. 


Ashish Rajan: What are your thoughts on having someone who. 


You hired someone who was a platform engineer, and then you gave them the, of thinking like a security person while doing the same thing he may have been doing as a platform engineer was that, I guess obviously it depends on the right candidate as well, but what was in the job description? Like did he apply for, was it through a referral? 


I’m just curious if the description, like what people are listening and probably a hundred recruit in this space. And they would be trying to say, look for that unicorn, who does cloud engineering experience as well as security architecture experience, should they be probably try and put it more so that it opens up, say a platform, engineer reading the job description. 


Like, oh, actually I think I’ll do all of these. I may not do the security thing. Maybe I can apply for the junior role or something else. Like, 


Stu Hurst: absolutely. And I think if you’re willing to accept that you can bring people in and train them up or, or, or allow them to get that knowledge that you might want to tweak your job specs, to look for those kinds of people. 


Let, let let’s look at what security does. On the whole, I mean, yes, we cover whole businesses, but we’re very aligned to engineering or [00:24:00] development or whatever it is you want to call those teams. You know, the people who actually build things and then push out change. Now you want people who are comfortable in those environments. 


Now that doesn’t necessarily mean coding, although that’s valuable. It just means people who, who can speak that language at a certain level, because honestly the security side of things can, can be taught. There’s plenty of great material out there and courses and videos and the theory behind it. We’ve all had to upskill on that. 


So having people who are just comfortable in that world and can speak to engineers at their level and their, their language, that’s half the battle, really, because they’re the people you’re trying to influence and change. And. Yeah, that’s kind of what we look for in a company. Like just the, I mean, it’s such, such a massively, culturally aware company where people have got the massive ability to come in and drive great work themselves, and it’s very autonomous. 


So it demands a certain type of person to be comfortable doing that. So personally, when I, when I’ve interviewed some people, it’s, it’s less about technical ability. Cause that comes, that comes in time. It’s as much about, you know, is this person going to fit into the culture of what it is we’re trying to do? 


Yeah, that [00:25:00] autonomy thing is very big and in a lot of these kinds of companies, and I know, I know it is across other big brand names where people come in and they’re not, they’re not told what to do on a day-to-day basis. And, and we’re the same in the, in the cloud team, cloud security team, the people in my team have they drive the work, they, they decide what path we’re going down and how we get there. 


And I’m just somebody that tries to bring it together at a sort of different level. But these are the smart people who make the decisions and teach me, you know, they, they, they know how to get these things done so 


Ashish Rajan: that the smart people who make a decision like this also have a good reasoning behind it as well. 


So, 


Stu Hurst: yeah. Or, or sometimes it’s the wrong decision, but it’s right to make it. And then you find out that, okay, perhaps it wasn’t the right way to go, but, and that’s how we learn and that’s how we develop. And, I think. We’ve got good examples in our wider security team of an apprentice. And then, and then, you know, some people at our university who’ve come in and within six months they’re making decisions like really important decisions about how, you know, what products we use, what, what, what technology we go after or how to change certain things, improve certain things. 


And I think that’s just incredible, a young [00:26:00] point in your career, or you know, in your security career, you’re able to drive that kind of change because I’m wary that it’s not like that everywhere. So I, I, I love these companies for that reason. I mean, it’s quite, it can be intimidating for somebody like me, who’s only 40, but you know, to see sort of 20 year olds who were smashing it, what 


Ashish Rajan: was I doing? 


Why wasn’t I making decisions when I was funny, I should’ve been 


Stu Hurst: there and it’s kind of, it’s humbling really. And it’s great. I don’t think there’s a barrier on who you learn from, or not. This cloud’s a very interesting space where, I’m really not a super expert on a lot of it. And I’ve learned a lot over the last year or two, and really tried to invest a lot of time in learning. 


But it’s from the people in the industry. We both look to, to get that information and to get, to get an idea of what to, to look at 


Ashish Rajan: sweet. Well, that’s a good segue into our second segment, which is MythBusters and keeping the team of mistake may have it or missed it, not really mistakes, but more it’s more around what are the myths that you see people have about cloud security? 


Like maybe top of the people talk security. What are you, what does that first thing that you feel is like a myth that we would like to bust? 


Stu Hurst: Yeah. That it’s not [00:27:00] secure. I’ve done panels and workshops specifically on cloud security and rooms of people whose businesses and not so far along their cloud journey. 


And there is a bit of a recurring theme of, oh, we’re not in the cloud because it’s insecure because we lose control. We lose the ability to protect things. I sense that’s because if you’re probably you’ve got your own data centers, you’ve got a well-established set of controls, you know, where everything is, you know, I sense that if you’re in that world and you’re comfortable with it and you’ve got repeatable processes and it doesn’t change that quickly, that’s where your world is. 


I think if. Then thinking about cloud with all its ability to spin things up and close things down within seconds and the containerization world and serverless world where it’s all just a bit crazy. And we’re not really quite on top of it yet. That probably presents some concern, I think. So I do see that a bit, but I think it’s because until you get into it, until you actually start trying to secure in the cloud, you probably, don’t probably not aware of what’s capable of what you can can do. 


You know, we’ve talked about the shared responsibility [00:28:00] model and, and the companies who run those cloud platforms take care of a huge amount of things that you now no longer really have to deal with hardware, Aaron, and some of the operating system security. Yeah. The flip side is that. It’s still allows us to make a hell of a lot of mistakes as engineering teams or as people who build in the cloud. 


But I don’t think that’s any different from traditional. 


Ashish Rajan: It’s not that, I mean, even these days, we still have, I think the way I’ve always looked at cloud is that, well, back then everyone was a small company. People were in a dorm or economical garage, somewhere. They were managing their own servers. This is the day before cloud and everything. 


Right. Then you moved on to data centers, which we were managing. Then we outsourced it even then at that point, I’m pretty sure I wasn’t there for most of the time, but I’m pretty sure a lot of people were still like, oh, I don’t have any control. So they would have been forced into that part where they had to make controls and processes. 


And they obviously would have made a mistake. I feel this is a similar transition. Now we are on that far part where well data center was outsourced, but now it also is completely, you just got access to a console on the. But you can still make the same [00:29:00] controls. You can see out the same processes. It’s not that you’re losing control. 


It’s just that I feel like people get lazy or just way too comfortable. And to your point earlier, it’s like, oh, this is the right thing to do. I, because I know this, I don’t know cloud. So I’m just going to say, 


Stu Hurst: I think it’s, I come back to the risk. I think people see it as well. You’re just going to introduce more risk at a time where we feel like we’re on top of the risks that we’ve got. 


And you know, that movement into cloud is maybe just going to introduce things that we’re not not quite ready for. I think the one, the other thing that I always hear, and it’s not really security, but people just assume that the cloud is super expensive and it absolutely can be depending on how, how you configure it and how you use it. 


But if you’re a company that’s building product and you want to ship that product as quickly as possible and, and scale, it’s far easier to do in the cloud than it is on. On prem or, or data centers, as long as that has shaped things. Yeah. That has moved move things along. And I think when we look at the security aspect of that, we can scale at the same pace. 


We just have to find out how to do it in a, in a lot of areas. W interstate at the moment, we’re definitely look a lot of the processes that we’re driving. We’re trying to be [00:30:00] as clever as we can with them, where they, they cover. There was scalable across any cloud platform. It doesn’t really matter what the platform is or what or where, and the infrastructure is, or you know, that there is a repeatable process and automated process that can just be rolled out wherever we feel it needs to be, to be rolled out. 


That’s kind of, high-level what we’re trying to, rather than have individual processes, individual things that we have to build and maintain to fix certain problems. Yeah. We want some. As best we can sort of covers as much of those things as we can. That’s very high level. I wish I could go into a bit more detail, but that’s, that’s kind of our strategic, 


Ashish Rajan: I mean, just on that same, Dwayne, I guess, is the sea level concerned about cloud security or do they take it seriously? 


A big intern company? I assume the answer is yes, but 


Stu Hurst: yeah, without that, I mean, they’re, they’re very security savvy anyway, written, not just cloud. It’s one of the reasons I joined the organization is Kevin field and my, my boss had already built a an awesome team here. You know, it doing the right things and, and lots of freedom to make decisions. 


We think of the right decisions. You know, I’ve come in and been able to build a team. And, and given the, the, [00:31:00] the autonomy to do that. And yeah, I think, I think I did a, an article recently where I said that I still feel like some companies and we’re not one of them where the C level isn’t yet quite invested in security. 


And, and I just wonder how many more major hacks have to come out for those boards to understand that they probably need to invest a little bit more money because it’s just it’s every week, isn’t it. And I actually think the cloud security side of things, we’re seeing more and more incidents now than we obviously did maybe two, three years ago. 


Ashish Rajan: Yeah. Even though Amazon and other people are trying really hard to make it before making an se. Yeah. Or 


Stu Hurst: yeah. Sometimes just, you know, there’s, there’s been a few more niche incidents that have happened as well, but, No, we’re just, we’re just continuing to see major component from not even major companies, but many, many companies hit by things for, for various reasons. 


But 


yeah, you’ve got, you’ve got lots of companies getting it right as well. You know, CSOs at more board level and being able to influence really at those levels. And certainly from a budgetary point of view, being able to get the, get the money they need and the people they need. I think it’s just an ongoing, an ongoing battle. 


If companies underestimate [00:32:00] the the value in it, then they probably need to speak to some companies that have been hacked. And anytime one of these, these hacks comes out publicly. I always find it interesting how many job adverts go out in the weeks and months afterwards? Because there’s a change of direction. 


That senior level was to say, well, hang on that we really have to do something about this. Now we maybe didn’t a year ago and now we really have to focus on, 


Ashish Rajan: I think Equifax, the, one of the biggest ones, I met someone, I was at one of the AWS spendings and I met someone from Equifax and he was, he joked about the same thing that he got the job straight off of the hack because they finally everyone’s like, oh my God, we need to predict this money edit. 


Stu Hurst: It’s probably not the worst time to join an organization, actually, because you’ll get a huge amount of input from the right people because they don’t want that thing to happen again. Everyone’s invested. It’s probably the easiest time to ask for more money and people it’s, it might not be the worst time to to join companies. 


I think that there was a good article. I think it was about the Equifax hack where I think one of the main security dudes had just talked about, I think he did an article for the BBC about just how difficult that all was and how, how much pressure was on the teams and then the PR [00:33:00] response and, and just what that whole world felt like. 


And I think we, I guess we can all empathize that, you know, so they’re very, very difficult roles to do. And, I, I do genuinely feel concerned when the press goes after companies that have been hacked because. They don’t really know what’s going on behind closed doors. And I think it could be any of us at any point in time. 


Yeah. It’s a nice, it’s a nice story. Isn’t it for press. But there, there, there are real people behind these things, Jen, generally trying to do the best job they can with what they have available and, and sometimes we don’t get it right. Yeah, I just think. Yeah. If the press, how about have a role to play in helping companies? 


I think, and, and just continually beating down security teams is probably not gonna work long to, to get companies to, to 


Ashish Rajan: do the right thing. But that also means it would always be people who would be employable as well. I guess people would be like, oh, I want to do this from the blue team and not just be hacking in. 


Stu Hurst: Yeah, I suppose it depends what it is. I mean, you know, if it’s negligent than then, then that’s different, but if it, this is so many things to consider now insecurity, themes, and, and cloud is just one of those things where I’m [00:34:00] personally always a level of nervousness about. You can’t cover everything. 


It’s impossible to cover everything. It’s impossible to say that everything is secure. It’s just not, it’s just not doable. So you’re always thinking, is that the right thing to do? If I miss something here or you’re making a decision to not do something? Yeah. I’ve got 50 things I need to fix and I can only fix 20 of them in this period of time. 


Therefore, I can’t fix the other things. And do I need to do something? Do I need to find another way to get that done or risk accept or whatever it might be? And that’s the battle at any level of security regardless of senior seniority? Yeah, that’s an interesting one 


Ashish Rajan: because that made me think because in Australia we have the single mandatory data breach notification, basically a mandate from the government to say, if you get breached, you need to notify the government hidden $40. 


All right. I was going to ask, so is there a thing in UK as well? 


Stu Hurst: We have the ICO which is. I don’t know the levels of data that you have to have lost, but you have to go to the ICO to say there has been an incident. We believe this data has been compromised. The ICO that other department who look at that, they’ll end up doing the investigations [00:35:00] as to why that happened. 


What was missed, w was the company. And then they can fundamentally find organizations if they feel that they didn’t protect well enough. And that’s obviously relating to GDPR as well. You know? So, you know, it’s, it’s far better regulated than I think it was 10 years ago, but I think was still a hell of a lot of work to do. 


Ashish Rajan: And that’s a good segue to my next question. If there is a breach that you will may be part of, or you may have done it yourself, but you don’t want to claim it or you may have heard of, from your colleagues, is there a breach that you can share with I guess it could have been a win for blue team, or it was just learning that you’ve games that came across. 


Stu Hurst: I’ve certainly dealt with a lot of incidents in the companies I’ve worked for. That’s probably the best I can. I’ve not, I’ve never, I’ve never dealt with a breach, so. Yeah. 


Ashish Rajan: You already answered in the 


Stu Hurst: cloud, I guess. I mean, I’ve certainly had incidents happen all the time of varying degrees. You know, sometimes their alerts on things that are happening that you need to go and investigate sometimes it’s you know, external parties trying things or, or bots or 


Ashish Rajan: right. 


What is the thinking around things like buck card and stuff there, you know how they do [00:36:00] almost crowd funded, not from a carpenter, but basically sourcing pen testing. What are you talking? Yeah. 


Stu Hurst: So I did, when I was at Skyscanner in 2015 we started a bug bounty with crowd and it’s public. Now. It went public last, last year. 


I think so. Yeah. W we, we were fairly new to the, to the whole crowd source testing thing. It’s much bigger now. And you know, to adjust the leverages, some of that, that capability. Yeah, massively actually. I think there’s still there’s still a place for traditional pen testing that that’s always going to have a a place in businesses, but the crowdsource model for me had a huge amount of benefits because you’re getting more people testing your applications. 


It’s very good for, external facing applications where you almost want a real world view of what, what might be happening. And then you get such a diverse set of skillsets across those crowdsource testers that, you find some interesting things, the gamification of it as well makes it interesting because people have to work a little bit harder to find things or, It just went, I’ve been running bunk valley schemes. 


I’ve found that the output that we get from them was more valuable than a pen test there’s value in the pen test. Sure. [00:37:00] And you find things and you fix things. But I remember rolling out that bug bounty at Skyscanner. And the first, I think we had a two week program, which was at the private program and we opened up and I think we had a hundred. 


I can remember the figures. I think we had 149 bugs in the, in those two weeks. I would struggle to have got 149 bugs out of a two week pen test, maybe, you know, but, but if it was maybe just one person or two people and I was moving out and it was an eye opener, not because the product was fundamentally insecure, it was just that they were finding lots of things that we hadn’t really considered. 


We tightened up on scope a lot after that because we sort of just went, okay, it’s the wild west crazy. And we’ve matured a lot in those couple of years around how to scope Jordan, 


Ashish Rajan: right? If you’re not a mature security organization, it just could be basically opening, fight the opening, the fire hose on security space. 


It’s security with mature enough, 


Stu Hurst: I suppose. There’s two schools of thought to that. There’s yeah. I think you need to be at a point in time before you went to a bug bounty scheme. I don’t think you would just start one of those before you had a, an established security team, but at the same time, it, it was very powerful to show engineering [00:38:00] how many bugs were found, because I, I genuinely think they just didn’t appreciate what was, what external people were capable of doing. 


And the good thing about those platforms is they, you can force testers to show you videos of how they’ve, they’ve exploited, whatever it is they’re doing, or how they found that bug. And we use that information to build internal workshops and little training courses around, you know, we did one on cross site scripting, which right. 


You know, here’s how that thing happened. And here’s the video is here’s somebody actually showing you a fundamental code level. What, what, they’ve, what they’ve done. And I think now you even get to the point where, you know, testers can put in remediation steps and things that you should think about. And it’s almost, it gives a hell of a lot of information for engineers to go and upskill and, and, and fix it. 


It’s not just about fixing things. It’s about if you’ve got one type of bug that comes in quickly and regularly, you know, you’ve got a problem with that type of thing in your, in your engineering teams. So you can go and not just fix those individual things, but you can say, well, okay, as a business, we are no longer willing to accept that we will have any cross site scripting in our, in our code and you can up various ways to go and [00:39:00] eliminate that. 


Ashish Rajan: I just want to go quickly into our next section as well, which is kind of like, almost goes into this, but it’s a 12 Unicon segment, basically. It’s talking about. Things said you do, which makes you a unicorn and kind of where I’m going with this, but we kind of spoke about the meetup that you have, the overarching cyber security stuff that you do. 


We would love for the audience to hear about it as well. I’m sure we would get some sort of fans as well, who might be moving in the end to a squadron as well. So could you shed a bit, obviously love to talk about music as well, which people would watch the YouTube video, where that shows you the background, but maybe a bit about. 


The sub security book that you do outside of just eat. Yeah, 


Stu Hurst: sure. I don’t know if unicorn unicorns a great term don’t feel that’s all, but, I definitely do do some, some things outside my day job. I talk at events and I started a meetup a few years ago that Scotland’s got a great little cyber community, actually. 


We’re we’re I think we’re ahead of lots of parts of the world on cybersecurity here. We’ve got some great startups and tech businesses in cyber. Some of the best people I’ve worked alongside, live at live and work here either in academia or in business or government. [00:40:00] And we tend to all know each other, which is, you know, an interesting dynamic. 


And I think that’s a good, that’s a good thing. So of late myself and and a friend of mine in the industry, herring, McLaren started cyber Scotland connect, which is, it’s a way to try and bring. The cyber communities in Scotland together. So there’s lots of great stuff going on. There’s there’s the meetups that, that, that some of us are doing, oh, wasps, we’ve got a good, you know, great event up here. 


We’ve got some death con events. We’ve got I SACA and lots of these, these bodies doing, doing great events and evangelizing the industry. But what we try to sort of bring together was imagine if all these people had a way to talk to each other, a way to share information, perhaps you you’re new to the industry here, or you’ve moved here and you’re looking for information on how to attend an event or start something, or, You know, you just want information about what universities are. 


You could potentially apply to what companies are hiring at this point in time. Imagine just having that one stop shop for all things, cyber and then Scotland. So that, that’s what we created. We’re we’re, you know, there’s, there’s myself and Harry that run it, but we’ve got 17 moderators of which anybody can be a moderator. 


And those [00:41:00] people sort of take care of certain parts of the industry in community that we’ve tried to build. So it’s fairly unique. I can’t think of, I haven’t seen anything else on the planet where it is a community bringing together lots of communities in NSN. So we’re quite lucky in that Scotland’s are the right size for us to be able to do that. 


So yeah, that, that, that’s what we do. We work with some other leading events in, in Scotland as well. A couple of the main expos and conferences, you know, we, we run workshops at them and, do panels and things. That’s super exciting. And I’m really humbled to kind of work in, in cyber in Scotland. 


And I encourage anybody if they’re looking for, you know, a great part of the world to come and study or progressive cyber career, that this is one of the best in the world. Honestly, it’s not just, I’m not just saying that. We have some of the best universities, for ethical hacking, and, and a great and growing, cyber community that is because of our size is able to kind of move things on a lot more quickly than other parts of the world. 


So, yeah, that’s, that’s kind of what I do 


really, 


Ashish Rajan: I suppose. Okay. Maybe I should just read it about this. They would be like, what did he say? 


Stu Hurst: Yeah, yeah, yeah. That’s not good, but politically what’s happening in the UK, but. 


Ashish Rajan: Oh, that high. I [00:42:00] want to get into the last section, which is a fun question is basically, but the non technical questions and you’ll as I go to them, there aren’t that many as well. I just, a couple of questions once we do three questions. Where do you spend most time on when you’re not working insecurity? 


Stu Hurst: Yeah, I’ve got two, I’ve got two little kids. So mainly being run ragged by a toddler. You’ll see behind me, I’ve got my drum kit and guitars and things. If I find, if I find time, I love music. I love going to gigs. I used to DJ here used to DJ, but I used to travel a bit and 


Ashish Rajan: even back out sometimes 


Stu Hurst: when you get fired firmly, tucked away for another day. 


Ashish Rajan: Cool. 


Stu Hurst: So, yeah, that’s kind of, it’s hard to find the time actually, the day job as well. Like we invest a lot of time insecurity don’t we, and then kind of reading and trying to keep on top of things. So that tends to keep 


Ashish Rajan: and cloud especially keeps us really busy when AWS releases 200 updates every event. 


That’s right. The next question is what is something that you’re proud of, but is not on your socials? Like LinkedIn or Twitter? What am I proud of? It could be anything. It would be like a good body trick or it could be, 


Stu Hurst: it doesn’t have to be, I’m going to be really boring and say my family actually, you know, if I take two little children and they’re awesome. 


And, yeah. I suppose my, my career has [00:43:00] been a big focus over the last few years. Not, not just for family, obviously number one, but I’m proud of how I’ve shaped my career. And I love doing the community work and being part of that. It’s, it’s a big effort and, and it, it takes a lot of personal time to do that, but I’m really proud of what, you know, what that’s become. 


And I hope it’s helped. I hope, you know, if I’ve ever helped somebody connect with somebody and get a job or the community thing helps people upscale that, that I’m super, super proud of that. Well, That’s all we’re can think of 


Ashish Rajan: really. That’s a good one though. Cause I think, 


I 


Stu Hurst: think very lucky I did like the music thing that I used to do. 


I loved that and I traveled and I got the chance to go to places that I never thought I would go to and made records and really had to think a lot as well. I had tracks played on radio one and 


I just, it’s just another time, you know, I quit when I was 30. So I had 13 years of working in that industry. Right. And have a hell of a lot of fun. And I look back at it now and I did some cool things. I had a little fun. But it’s funny how life kind of moves on in stages, 


Ashish Rajan: different stages of your life as a journey, I guess. 


Yeah. 


Stu Hurst: I’m very boring, 


Ashish Rajan: but I kind of enjoyed that part, but knowing you a bit more, that the final question is probably getting even [00:44:00] more personal. What’s your favorite cuisine? Or a restaurant 


Stu Hurst: cause they indefinitely. I am a Curry person. So I’m the one, but I mess about living, not living in London anymore. 


Is it some of the best food I’ve ever had has been in London? My two favorite Curry houses are in London. I abs and Hawk about house for anybody who lives in the UK and the shoe is an awesome place in the UK. It’s like a whole Bombay cafe and Mexican after that, the the, some great Mexican places in the UK. 


So yeah. Indian, Indian, Pakistani food first Mexican second. Yeah, nice. They might go to a food outlet 


Ashish Rajan: like her offer that you go to potatoes, I guess, 


Stu Hurst: I guess 


Ashish Rajan: It’s been really awesome. Thank you so much for taking the time out when where can people find you online? Just strictly? 


Stu Hurst: Yeah. So at Stu Hurst, InfoSec on Twitter and I’m on LinkedIn. I’m always happy to connect with people on LinkedIn. I try and blog a little bit and put a few things out there. 


That’s probably the two best places to. 


Ashish Rajan: Sweet. Thanks again so much. I really appreciate that. You’ve got the time for this. No, no worries. We’ve got insight as well. And I can’t wait to, I guess, share a lot more when we meet in person, hopefully one day and one of the concerts if I visit Scotland one day, but please tell us again for [00:45:00] your time and really appreciate that you have to speak as well.