How do you get 10,000 Developers to write Secure Code? with Dimitry Shvartsman

March 4, 2025

If you've ever found yourself frustrated watching deadlines slip by as your development team waits on yet another security review, you're not alone. In today's competitive landscape, companies are caught in a difficult balancing act: move quickly to deliver the features customers want, or slow down to ensure those features don't introduce vulnerabilities that could lead to the next headline-making breach.


Security reviews have become the speed bump on the road to innovation that everyone acknowledges is necessary, but few have figured out how to navigate efficiently. Development teams push for velocity while security teams pull the emergency brake, creating tension that reverberates throughout organizations.

Today, we're joined by Dimitri Shvartsman, co-founder of Prime Security and prior Head of Cybersecurity at PayPal, to discuss how enterprise organizations are innovating security solutions to reduce the time to feature delivery. We'll explore how AI tools can actually enable rather than impede innovation, and examine practical approaches to integrating AI security tools earlier in the development lifecycle.

Whether you're a CISO trying to balance security with business needs, a developer tired of security roadblocks, or a product leader navigating these competing priorities, this conversation will give you actionable insights to transform security from a bottleneck into a business enabler.


212 How do you get 10,000 Developers To Write Secure Code? with Dimitry Shvartsman

Justin Beals:  Hello, everyone, and welcome to Secure Talk. I'm your host, Justin Beals. 

We certainly have talked a lot on the podcast about our security concerns with AI. We haven't talked quite as much about the opportunity that AI represents in developing new security products. Machines broadly, computers, AI tools, can be better than humans, I think, in two primary aspects.

One of the aspects in which they can be better than humans is that they can be more precise. It is possible for a machine to take measurements that we can't see with our own eyes, and a machine can crunch a lot of data that we couldn't hold in our head into an average, for example, as a function, and be very precise with that value.

Machines are also good at very repetitive tasks. Tasks that might be very simple. But need to happen over and over and over again, perhaps billions of times over a period of just a short amount of time, days or weeks, and they do it without getting tired. And this is really important, especially when we think about some of the security operations that we undergo.

The repetitiveness of the task can lead to a lack of accuracy and precision in the performance because we, as human beings, are just bored with it. Not unusual; it happens all the time. One of the areas that is a big concern lately from a security perspective is how code gets released into production. Or, as I like to call it, the software development life cycle: what is the process by which we design features that we're going to deliver, write the code for those features, and then test those features and deploy those features.

And it can be both flexible in areas and very specific. One of the areas of specificity usually has to do with a code review process. So, for example, if I wrote up a feature, I have that particular code, and I've checked it back into a code repository, usually another developer or a senior engineer or someone as defined by the organization will review the code I wrote and make sure that it meets guidelines, architecture, desires and security practices.

So this human interaction can be positive. There's a lot of positivity out of it. But I think the security review is the one that has struggled to get the most amount of attention. We're generally passing over and saying, I think that looks fine. So, of course, this is a really great opportunity for a machine that can ingest a lot of code, may have some training data on what code represents a security issue, and look for those patterns inside an emerging code base as we add more code.

The machine can be both more precise, in that it can hold a lot more security issues than any single human being, and it doesn't get tired of looking for them ever, whereas we, as people, would for sure. So this is an interesting opportunity, and this is what intrigued me about our guest that we're going to get to chat with today.

Today, we're going to meet Dima Shvartsman. He's the co-founder and chief product officer at PrimeSec. Dima has over 18 years of cybersecurity experience, including working with startups and large enterprises. He's led international teams in various settings, focusing on security strategy and implementing security policies, practices, and products.

He started his career in military intelligence and served as the senior director of cybersecurity strategy at PayPal, where he was instrumental in shaping the security framework for over 10,000 developers at the company. Please join me today in welcoming Dima to SecureTalk.

---

Justin Beals: Dimitri, thanks for joining us today on SecureTalk. We're grateful for your time. 

Dimitry Shvartsman: Thank you for having me. 

Justin Beals: So let's just start off with a little bit of your background in computing. We're always interested in how our colleagues got interested in computing and careers in computing. You started a computer science program in 2003 at a university in Israel, I believe. Is that right?

Dimitry Shvartsman: Even before that, actually, that's right. I started in high school. So ever since I got my first computer and I could play my little heart out. Uh, I knew that that was kind of what I wanted to do in one way, shape, or form.

And when I got to high school, there was this program as part of my studies, which had a bunch of different computer topics in it that I not only had to learn, but actually did my finals on, and it ranged everything from, back then it was HTML programming, to, um, a little dating myself, but to Pascal, which was a language way back when, and all the way to assembly.

I was still learning assembly back then, so not much of a fan of assembly, to be honest, but that got me really hooked on computers in general. And from there, it was very much, I would go to assembling my own PCs and swapping parts and all that good stuff.

Justin Beals: Yeah, you know,  I didn't get a computer science degree myself.

I didn't have the formal education in it like a lot of my colleagues have over the years. And one thing I was always jealous of is, none of them liked it, but they were like, yeah, I did assembly. They made me build a compiler. But I thought it was very interesting to kind of have that perspective on computing.

Dimitry Shvartsman: It is. I think it really helps with the fundamentals and the basics, but honestly, with how things are progressing, how fast things are progressing, I think you also need to adjust and adapt. And I honestly, I'm sure that people will disagree with me. I don't necessarily think that the same fundamentals that existed even 10 years ago are applicable to today's situation.

So I think, and the flexibility to really learn what you find the most interesting is, is out there. In my high school years, there was no Udemy or any of the other platforms that offer just, you know, insane high-quality ways for you to pick up something and learn. And so it was very much this way or no way.

And I, I think there's a lot more options today than the formal path. And I think it's amazing because it lets, you know, a beautiful kaleidoscope of people join, you know, areas that have to do something with computers.

Justin Beals: Yeah, it is very different than, you know, my experience in education where you kind of had to go to consume it, right?

So what are, what are the fundamentals that you look for? You know, we'll get to a little bit of this, but you're in a hiring position these days. You know, it, or if you were, you know, younger, you were just starting out in your career, if not assembly, what, what do you think early career computer scientists need to know about?

Dimitry Shvartsman: Uh, that's a very good question. I'm going to turn this around a little bit. I don't necessarily think it's around knowing or honestly, and this is again, super subjective. I don't personally care if you have a degree or you know, what university you attended. Or if you don't have it, I really don't. What I care most about is what kind of experience you manage to gain, whether if it's formal or informal, and how did you apply that skill set? And what did you learn from each and every aspect? 

And then how, it's going to sound a little weird, but essentially how hungry you are and what's your problem solving capability. So a lot of things that I'm looking for that don't necessarily have to do anything with formal education.

If anything, oftentimes, I came across situations where people would come in with a very strong formal background, lacked the very much needed experience, even in some of the basic things, and it was like, okay, we're going to start from basics. And a lot of the conditions were, well, that's not how we were taught, or that's not how academia approaches things.

It's like, yeah, of course it's not. And again, I think the, the objective of academia is one thing, and then the industry needs something different. So, and both have their space, but academia is there to research and, and kind of spend time in, in that area, while the industry needs practicality.

Justin Beals: Yeah, I think this, I love how you said it, this hunger, I've called it curiosity for me, building software, playing with computers has been a lot about like, what can I invent?

You know, what is possible? What's interesting about it? What's unique? And it's interesting. I think I've seen it. As we were desperate to hire engineers, we would sometimes have engineers that didn't necessarily have that intrinsic curiosity or that hunger, as you put it. And, I think they struggled in the, in the field.


Dimitry Shvartsman: I couldn't agree more. You really want that need for rediscovery and constantly something that is pushing you in order to get better at what you're doing and not necessarily just coming from a place. Oh, I already know everything. 

Justin Beals: Well, let's kind of talk about, I'm a little curious about what you're doing now, what your current project is.

You co-founded Prime Security. Maybe tell us a little bit about what that solution is, what you're working on.

Dimitry Shvartsman: Absolutely. I would love to. So, I'll take us a little step back just to define a little bit the problem space that we operate in. Yeah. I think we can agree the world is very much, when we say products, we oftentimes think about software, software products.

And if we think about the process to create those products, which is the product development lifecycle, if we oversimplify for the sake of the conversation, we have pretty much three stages. We have the design time, where the components are being designed, the architecture is being put in place.

Essentially, the whole area of answering the question, what are we building and why are we going to build it? Then you've got the build time or dev time, where we actually go into building what we said we're going to build, right? That's the how part. And then you get the runtime. So it's ready. It's out in the world.

We're running it, operating. So security was historically in the runtime, so, okay, we have something out there, it's in the world, we need to secure it. Great. So there's a lot of techniques and practices for that area. And then, and I'm sure you've heard this more than once, there was this whole shift left situation where we shifted to the dev time, which made total sense.

There are too many threats, there's too much that we're chasing after in the runtime. We need to make it earlier. So let's go to the dev time, and a bunch of tools, very much needed solutions, were born for code scanning and other great things that are happening in that build time.

However, we're still very much overflowing with security issues, with vulnerabilities and so on and so forth. But wait, there's also major risk concerns that are being integrated into the logic of the product that originated in the design time. And up until now, all of the security controls and security reviews that are being applied to that area, to that space, have been completely manual.

And so you can't scale, you're forced as a security organization to accept risks that are going to your production, not from a bad place, but from a place of there are certain design flaws that have been introduced at that step. And there was just not enough eyes on glass to review them properly and provide the needed controls around it.

So we're the first security design platform that conducts those security reviews at scale. We leverage AI to analyze, to understand the business context that originates at that design stage, at a design time. We then conduct a security review on top of that context, flag potential security concerns before there's any code, and provide security recommendations on how to reduce that risk.

Justin Beals: Yeah, I love the model here. Certainly, I remember runtime and, you know, setting up servers with the OWASP recommendations. And then, you know, moving security into, you know, kind of that development cycle. And I think the control that I see most often implemented for this on teams is just peer review, like we expect.

In a code peer review moment in the concurrent versioning system, that some, some amount of security assessment is accomplished, but most devs don't care. They're trying to get the pull request, you know, submitted and into the main branch.

Dimitry Shvartsman: Yeah. You're spot on. I think the intent that we have here is actually supporting the increase in the velocity that has been ongoing, for years now, which is only natural, right?

Like we're trying to ship products faster. The whole transition and shift to cloud enables that. And so, at the end of the day, our whole intent is not to stop developers like it happens today, oftentimes, because, oh, wait, we haven't done a security review. You can't go into production. So, wait, but we've already developed it.

It's ready to go. Now it's two days to launch. Now you're telling me that I have to rework a big chunk of it. And that contributes to the tension between security and development. And our whole intent is to reduce it by coming before there's work and saying, we just want you to think about the following things.

As you build, so that you can incorporate security, you're not surprised by what's coming, but you actually know what to do and how to build that into your development process. And so now you have the whole picture as a developer, what you need to work on. Security has full visibility into what's being developed so that they're not surprised by certain triggers or, you know, knock on wood, God forbid, incidents happening down the line from things that could have been and should have been resolved as early as they're being talked about in design.

Justin Beals: Right? Yeah, certainly it allows the developer to make a faster contribution. And I've actually heard from a couple of colleagues, and we've had some guests on in the past that have mentioned this as being a really emerging enterprise issue, right?

Like, they're desperate. Microsoft, for example, is desperately trying to put more security into their platforms. They've had some breaches that they didn't like that slowed down development time, which has hit their ability to, you know, reach outcomes that they want. And at that scale, it's like a massive tension to get through all the security reviews.

Dimitry Shvartsman: It's also the, I think, we've been for years trying to bolt security after the fact. And we've always been playing this reactive game. That's always been the case. There is something that we need to remediate means that it exists and that we need to remediate it, right? There is a vulnerability. We need to remediate it.

There's an incident. We need to go and tackle it, and, and resolve it immediately. I think now, with the evolution of AI capabilities, we, for the first time, if used right, have the ability as security professionals to be preemptive. I'm not saying proactive, which we can talk about, but I'm saying preemptive.

And I'm not of the opinion or of the camp, and please forgive me, that AI is going to solve all of our problems and that it's a magical solution that is going to solve, you know, unfortunately, it won't solve probably world hunger within, within a matter of hours. But I think that if applied the way it's designed to certain areas, that's been a very heavy lift, and that's why I think our solution is viable today.

If applied properly, then you're opening up a very wide area and very wide range of opportunities for security, to position themselves to be a lot more preemptive, like finally mapping and understanding business context. That can then be linked directly to risk and then presenting what needs to happen to reduce that risk so that it's not disconnected from the business like we've oftentimes heard.

Justin Beals: Yeah. You know, there's this incredible tension. You and I are probably pretty aligned or pragmatic around the opportunity that some of these innovations represent. You know, I think I recently heard one of the bigger tech companies' CEO state that they're not hiring more engineers because AI is going to write code.

And I thought that was just so ridiculous. Granted, I hold out that it will get better, and over time, it will probably write more and more code. And certainly, we all have engineers that are utilizing these tools to see what's possible for them. But I think you are a little more pragmatic, right?

Like these large language model innovations, you know, how they can analyze code has a very precise type of solution when applied in the right way. 

Dimitry Shvartsman: So, yes, I think that, you know, we're taking this even to pre-code, right? So we're taking it to JIRA tasks. Yeah. We're analyzing, and we're extracting that context.

We're building that through the engine that we've created to understand what's about to be developed. What's about to happen? And we extract that context and we build it. And then on top of that, we conduct our security review. So it's even before there's actual code, and that context extraction piece is what AI is really good for: the ability to access unstructured sources of information, correlate it, build it, understand that, summarize it. Fantastic.

The security review part is something where you need to apply that know-how that comes from experience. I think the best way, the best analogy that I have. I don't know if you've seen this, this was, like, maybe a couple of years ago, there was this video making the rounds of fully robotic, autonomous kitchen hands.

Have you seen those? I think some of them, right? And it's like, it's a big thing in your kitchen. There's two, you know, heavy robotic arms that move around. They get the pot. They, you know, boil the water, put in the pasta, like you tell the computer, you click whatever recipe you want, and then it cooks it, right?

But how many times have we cooked the same dish, and within that second, something sparked, and we were like, oh, you know what? I'm going to try to break out of that recipe structure and try that new spice and see if that's going to make it better or worse, right? So you're gonna, you're gonna try that spice.

You're going to taste and go, ooh, that's actually great. And now you've created something new. AI can't do that. It's not there, right? It doesn't have that capability. This is where you still need a combo of the human skill set and what AI can do. And so exactly that, augmenting the mundane tasks.

The things that will take us hours on end, and provide that last mile, 20 percent human skill set capabilities to solve interesting, challenging problems. That's why I completely agree with you. I don't think completely getting rid of people that are writing code is a viable possibility.

Justin Beals: Yeah. It's funny. It's like they need to oversell the opportunity to garner the crazy investment dollar amounts, but we all know that, pragmatically, you know, the feature set over the next year, it's going to be really great. I mean, to your point, like this is a very powerful, scalable tool. You get more coverage over, for example, your code or other aspects of the infrastructure or your enterprise with these AI tools. But yeah, the hype is difficult to follow. Yeah.

Dimitry Shvartsman: I get, it's difficult to follow. It's really difficult to cut through the noise, I think. There's, there's things that AI is great for, or it's, I mean, we say AI in a very general form, but for the sake of the conversation, for what it is right now, it's great.

And then there are certain things where there's some anticipation that it's amazing, but it really isn't, because that's not its strength. That's not what it's designed currently to be good at. And I think that as long as we approach it as a tool versus a solution for all, then our perspective changes.

So that's how we do it at Prime. We use it as a tool, and we have a bunch of other tools that we apply to build our product. And in order to be very comprehensive in how we do secure product design management, it's a variety of tools. One of said tools is AI, but just like you have your hammer and your screwdriver and right, you don't just use your hammer every single time.

That's why we apply it when needed. And then we apply other things to reach that full security review that is contextual. True.

Justin Beals: Yeah, I deeply agree with you. It's funny. I should qualify it: when I use the word AI, the way I think about it is, there's some probabilistic model used in, you know, a computer interface.

As a matter of fact, I did sit with a team once, it was a long time ago, and no one believes me anymore. And I was like, AI is the interface, you know, that's the human-computer interaction, data science, machine learning models that we build. That's the computer science bit. Yeah. 

Dimitry Shvartsman: It's, you know, funny enough, what comes to mind, there was this great sticker some years back.

I think it's still floating around. Where you see like this little cloud with a tear, and underneath it, it says there's no such thing as cloud. It's just someone else's computer. And, and so this is what you're describing, it's very much of that, like, the AI that we're talking about, like when I say AI, the first thing that comes to people's minds is like the interfaces, whether it's like Claude or, you know, ChatGPT or what have you.

But behind it, it's, you know, it's exactly like you're saying. 

Justin Beals: So you've been involved in the product as a product leader or developing product, designing product in the security industry, cybersecurity industry for quite some time. And I was reading some of your recent writings, and one of your, I think, recent criticisms about products in the industry is that they're really complicated, and it makes adoption very difficult.

You know, I'm curious, as someone that's continuing to develop security product, what are some of the first principles that y'all use? You know, to try and combat that challenge for your customers.

Dimitry Shvartsman: I think the challenge there is always, how do you correlate between maximizing value that you're trying to bring to your customer through your products, but in such a way that it's not completely overwhelming. And we haven't, and we were having these conversations, frankly, all the time internally, because you have, you're sitting on this valuable data, whether if it's visibility or whether if it's specific actions, and you want to be able to provide that super fast and, and in a constant manner to your customers.

But there's also this delicate balance of realizing you're not the only tool as much as you would have wanted, but you're not the only tool product in their arsenal, and they have to do constant context switching like I, like I did when I was an operator. And so how do you balance between the, the wealth of information that you're going to give them and in, in, so, so in small chunks that it's actually palatable and they actually can do something with it versus saying, okay, great, now you just bombarded me with more information.

And I think that is something that we all in the product building space and security need to think about. It's, because we're adding more features, because we're adding more capabilities, how do we simplify the meaning behind them? How do we simplify what it, you know, what it gives me? What is the value add that it brings to me versus just adding more and more features and writing more and more data?

And it's tricky. It's very, very tricky. It's you're trying to find new ways in order to simplify that. And sometimes it works. Sometimes, it backfires terribly because it's, it's very much you, you view it as how I would have approached it. And sometimes you make it right, and sometimes people look at it and go, I have no idea what you want me to do here.

That's, that's the delicate balance that we got to keep on trying to try and play at. 

Justin Beals: I've often felt like, in designing product, that I needed a really solid information model. You know, before I could communicate with another individual that's an expert, that's a non-expert in what I do. Do you think about that, like an information model for Prime Security?

Dimitry Shvartsman: Yeah, I think, honestly, we think about it all the time. I think the real challenge is, how do you call to action that is driven by data in a simplified way? One of the things, one of the challenges that I always had with various tools, both in security and out, is that the first time you log in, you see that dashboard, and you're bombarded with information right away that you don't necessarily know what to do with.

It's different widgets, it's different dashboards, it's different graphs, and it's right there. And you're just trying to understand, you're just trying to answer, and this is a driving principle in how we build Prime: tell me how am I doing and what do I need to do next? And what do I need to do next needs to accommodate different palettes.

But at the end of the day, are you answering how am I doing, what do I need to do next? And if the answer is yes, then it doesn't necessarily need to be, you know, 20 different widgets, you can try and minimize it, but if not, answer and ask, what do I need to bring forward in order for my customers to understand how they're doing, what they should do next.

And that data is extremely crucial, and sometimes, and I'll be the first one to raise my hand. No one's perfect. Even if, you know, I definitely fail at it sometimes because I try to, you know, get into the weeds and be like, oh, I found this golden nugget that only if we extrapolate, you know, through, you know, 14 different things, the customer is going to be super excited, and I need to remind myself to come down: how am I doing, what should I do next?

And then the drill downs and everything else. 

Justin Beals: Yeah,  it's very important in a product leadership role to be reflective on your own mistakes. They're easy. Like, I certainly get excited about what I can build, what's possible to build, you know, the vision of building the thing, but sometimes it's not of value to any customer.

I do think, you know, one of my first jobs was in a network operations center for British Telecom, and we were operating their global network, and it was an overload of data, right? Like, we would lose a pipe somewhere, or we'd be getting errors on a pipe in the network equipment, and the flashing lights start going off, and, you know, you're, you're running through things, and when I go to places like RSA today, I see so many whiz-bang casino things going on on screens, and I'm thinking your SOC, your secure operations center, you know, that's not an effective way to operate, right?

Like it's just chaos. 

Dimitry Shvartsman: It's chaos. And I would take it one step further. It's not organized chaos. Because it's not self-explanatory. What do I need to do? 

It's you're absolutely right. Because we're trying, we need to stop trying to think that we're the one and only tool we need to make sure that we answer the pain points that we exist to solve.

And we do that very, very well. And if customers, you know, access and use our product for that specific need, that's amazing. That means that we've accomplished what we set out to do. Versus like the bells and whistles around it. Like, at the end of the day, security is outnumbered. There's always a lack of security people.

There's always, like I said, context switching. There's always more work than you have hours. Forget about in a day, in a year. And so we need to help accommodate that, not to create additional things to draw your attention from. And, and I think that's always a challenge when you're building, because to your point, you're, you're in your little, you know, I'm building the best product out there.

So I got to stay focused. I got to do this and whatever it takes. 

Justin Beals: Yeah. I wanted to talk a little bit about your experience at PayPal as a director of cybersecurity. You know, I think you started there, not in the early days. I think it was around 2016, or 2017 at PayPal. And you had a pretty large purview as director of cybersecurity.

How many developers were you expected to engage with at the organization? 

Dimitry Shvartsman: So at one point, cause I managed different teams. I was the head of security strategy as my last role. And on average, I would say at peak, we were supporting about 10,000 developers.

Justin Beals: Obviously you can't do that on your own. And I don't think there's a team big enough to hit everyone. What are, what were some of the critical technological solutions that needed to be brought to bear to help you scale to that size? 

Dimitry Shvartsman: So that's a, that's a great question. By the way, that was one of the main disabilities, one of the main pains that I had that led eventually to the formation of Prime Security and what me and my co-founders are doing today. That's when I felt from my end that pain point, because one of the teams that I led was a team of security architecture, and their, their lead and the team was, and still is, a phenomenal group of, of very well versed security professionals.

But it was eight of them, and there were 10,000 developers and, and everything that came with it, meaning, you know, the product managers and the different organizations and, and the needs. And, and honestly, it was a struggle because I was always between the rock and the hard place, because you were either torn to support very large initiatives that required security reviews and required architectural efforts.

Or you were trying to accommodate a minor change, what if it's like a feature update or some, some other thing, but potentially had a very high risk to it. And you didn't know where you had to deploy resources until somebody either came to you, or you overheard something. So there were no viable technological solutions.

And yes, we had plenty of tools and capabilities, but again, those tools and capabilities were very much around the runtime and the build time. Within the design time, it was very much either somebody submits a ticket, or somebody pings you on Slack or sends you an email, or there's a conversation about topic X, but you're overhearing somebody mentioning something.

Why? And then you go, wait, did somebody from security review this? And then you become the bad person in the room, because you're now blocking deployment because nobody reviewed it. You understand how critical it is because it has to do with, for example, you know, customer data. And you go like, I'm sorry, we've got to block this.

Because we've got to review it, we've got to make sure that the security controls are in place. So it's always a challenge to balance that. I think the team, honestly, I mean, heads down, amazing group of people, everyone that was reporting up to me, they were doing real magic, real magic, because being able to do that kind of context switching was just absolutely phenomenal.

But really, there was no viable solution other than, you know, internal processes that we had to prioritize things as they were coming in.

Justin Beals: I'm wondering if you could answer a question for me about the business of PayPal, especially during that period that you were there, like the broader company. You know, I've known PayPal has been around for a long time.

It's, you know, one of the first digital finance solutions in the marketplace. I'm sure there were a lot of innovative security things. But during your period, you know, were you guys coping with new competition in the marketplace that was driving innovation? Or was there a need to solve some tech debt issues, you know, since the company had been around for so long? What were some of the major initiatives that were challenging the business?

Dimitry Shvartsman: I think all of the above and then some. So, you know, I was there, like you mentioned, from 2017 till the end of '23. And during that period of time, the pandemic was there. So there was this massive boom. So there was quite a lot of competition in different areas that people operate in, and it's important to remember that PayPal is a very big company with a variety of products that it offers, which is quite amazing.

For some reason, PayPal is always associated with this one thing. You know, they have an insane amount of offerings, an insane amount of products, some more known, some less known for a variety of reasons, but it's just a very, very, very robust financial platform.

Justin Beals: I want to own, Dimitri, that I just think about that credit card interface.

Dimitry Shvartsman: I know, but trust me, if you dig a little deeper, there's way more than that. I think that is exactly part of that challenge, because PayPal also acquires quite a lot of companies. And so now those companies already come with their own set of infrastructure and products and methods and challenges, right?

So how do you plug that in? How do you secure that as part of the broader ecosystem? So you've got trying to, you know, match competition at the speed of the competition, because there's a difference between an enterprise with tens of thousands of employees and, you know, a 300 fintech startup that is now trying to go after your business.

So you also need to kind of balance between that. At the same time, we need to support the various M&A efforts that are happening and make sure that you provide that security coverage. And at the same time, you also need to kind of think about the integration of those acquisitions that are happening.

And lastly, there's also, you know, new products being developed that have nothing to do, well, I won't say nothing to do with competition, but brand new things that are being developed to continue pushing the business forward. And that is just a very, very, very big map to play on. And like I said, you know, the security team is, honestly, I will say, hands down one of the best teams I had the pleasure and honor of working with at that company.

But it's tough. It's very tough because of that constant context-switching. 

Justin Beals: We hear a lot from the customers that we've been working with that one of their big challenges is like the enterprise M&A environment, where there might be one company, but they're really an aggregate of a whole bunch of different organizations, different technologies, different risks, different security controls, different compliance outcomes.

Did you have security teams placed in other teams that you would interface with, like a subsidiary company or things like that?

Dimitry Shvartsman: Absolutely. The way we were structured is that obviously we had the mothership, right, the CISO and then everyone who was reporting to him, but then we also had integrations into the different business units that were, at the end of the day, we were providing service, right, to the business.

So yes, we had different departments and different sections that were supporting, and then there were things that were applied to all. So, kind of like, the general, this is applicable to all. And then the word needs, which are very specific. And if you don't have people that are embedded with those specific needs, you can't really accommodate some things that a particular business unit that was acquired needs, because they're now, you know, PayPal is a big GCP shop.

It's no secret, you know, it's quite public, but then there are other, you know, bought companies that are historically in AWS, and you keep them there. Right? But so what is applied in terms of security needs to GCP is obviously different when it comes to AWS. But you've got to support both. So, in some cases, you need to understand what are the needs, what are the concerns, what are the risks associated with this infrastructure, this environment, and then with this one, and you need to accommodate them.

So, without having people embedded, you can't really understand, again, going back to the business context that is driving those potential risks and how to remediate them. And so, obviously, we're operating like this, but again, the challenge is to scale without a single pane of glass of what that business got to this and what development is working on at any point in time. It was extremely difficult to understand what's going on.

Justin Beals: Yeah, and the M&A thing is a whole unique wrinkle. I mean, I think about UnitedHealthcare and the Change Healthcare system that they bought, and the major breach. And I'm not picking on anyone, but I think even PayPal in 2017 had a breach through TIO Networks, one of their acquisitions.

You know, how did you set up a cybersecurity review of a major acquisition? Were you in before the deal would be made, or did you more come in after the fact?

Dimitry Shvartsman: That wasn't necessarily part of my direct responsibility, so I wouldn't be able to add much to that, but one of my dearest friends and colleagues was overseeing the M&A function.

And first of all, it was always very, very need-to-know basis. No one knew until you had to know. And then two, there was a very, very robust program that he built around, you know, from the moment that you're notified that something is happening, and if you need to know what kind of sets of things you've got to check, you've got to make sure, you've got to test.

And a lot of it was updated, modified, and, like, there was a lot of lessons learned. So, he was like, listen, it must be my time, but a lot of lessons learned from that kind of transpired and turned into a very robust program. You know, don't let an incident go without its proper RCA. So, that actually taught a lot of things and turned a lot of playbooks into what they are, which is.

Justin Beals: Yeah, yeah, it is a little bit of learning by doing, you know. The business is going to want to do these things, and things are always changing, but it does sound like basically structured assessments, you know, help the process at least generate confidence and understand, predict how long it will take to complete the assessment, so you could have due diligence wrapped up.

Dimitry Shvartsman: Yeah. And there were also things that are obviously, you know, extremely critical and important, and I would say non-negotiables, as you conduct the process. Again, less my area of expertise, from the little that I do know.

Justin Beals: Yeah, absolutely. Well, any predictions for 2025, especially around the cybersecurity marketplace?

You know, of course, I think we're hoping for all of our businesses to have a great year, but any big influences or things that you'll see this year?

Dimitry Shvartsman: I think, first of all, I do believe that a lot of the platformization, or whatever it's called, that is being driven by the larger players is definitely going to continue.

I think, from a strictly strategic standpoint, I really see how it makes sense. I think there's a question of how you integrate, and, you know, to your previous comments around M&As, I think that's a whole different skill set of how you actually transition and tie together what you acquire.

I think AI definitely is going to play a major, major role across everything. I'm not unique in saying this. What I do believe is that, as a tool, it would be used both for good and for bad. We're seeing, you know, an uptick in different attacks that are being driven by anything from, you know, voice generation to image generation, to what have you, from fraud to extortion to whatnot.

And then there's going to be more and more leverage of AI to augment the existing workforce, just because we don't have enough hands and heads to solve the amount of security challenges out there. So I think there's going to be a boost in productivity gains by properly applying AI as a tool for security capabilities.

But there's, I think it's going to be a very interesting year in terms of threats as well. 

Justin Beals: Dimitri, it's been such a pleasure to have you on SecureTalk today. 

Dimitry Shvartsman: Thank you very, very much for having me. It's been a pleasure.

About our guest

Dimitry Shvartsman, Founder / CEO, Prime Security

Dimitry Shvartsman is the Co-Founder and Chief Product Officer at PrimeSec. He has over 18 years of cybersecurity experience, including working with startups and large enterprises. He has led international teams in various settings, focusing on strategy and implementing security policies, practices, and products.

His areas of expertise encompass cybersecurity architecture, threat modelling, and product development management.

Justin Beals, Founder & CEO, Strike Graph

Justin Beals is a serial entrepreneur with expertise in AI, cybersecurity, and governance who is passionate about making arcane cybersecurity standards plain and simple to achieve. He founded Strike Graph in 2020 to eliminate confusion surrounding cybersecurity audit and certification processes by offering an innovative, right-sized solution at a fraction of the time and cost of traditional methods.

Now, as Strike Graph CEO, Justin drives strategic innovation within the company. Based in Seattle, he previously served as the CTO of NextStep and Koru, which won the 2018 Most Impactful Startup award from Wharton People Analytics.

Justin is a board member for the Ada Developers Academy, VALID8 Financial, and Edify Software Consulting. He is the creator of the patented Training, Tracking & Placement System and the author of “Aligning curriculum and evidencing learning effectiveness using semantic mapping of learning assets,” which was published in the International Journal of Emerging Technologies in Learning (iJet). Justin earned a BA from Fort Lewis College.
