Cybernomics
Every week, Josh Bruyning peeks behind the curtains of businesses small and large to learn how they use technology to drive economic growth. He delivers straight-to-the-point insights for investors who aren’t tech experts but need to make big calls about tech, or business executives looking for fresh new ideas.
We break down the hidden costs, incentives, and opportunities behind today’s most important tech decisions. No jargon. Just clear conversations.
Whether you’re budgeting for compliance, evaluating vendors, or planning your next investment, Cybernomics helps you make confident, high-impact choices without needing a computer science degree.
New episodes drop every Wednesday.
Follow us on LinkedIn and YouTube for bonus content and real-time updates.
Harnessing AI for Cyber Defense with Cequence Security's CISO
Unlock the secrets of API security with our esteemed guest, Randolph Barr, the new Chief Information Security Officer at Cequence Security. With a stellar career spanning companies like Zoom, Qualys, Cisco, and Webex, Randy is the perfect guide to navigate the complexities of the digital world. We explore the innovative strategies Cequence Security employs to combat the escalating threats posed by AI-driven technologies. Randy shares his expert insights on the pivotal role of APIs in digital transformation, emphasizing how they serve as the backbone for both customer interaction and backend processes, while also highlighting the expanded attack surface they create.
Randy's dedication extends beyond the boardroom. He brings his passion for tech education to the Philippines, where he actively supports local talent development and collaborates with educational institutions to update technology curricula. His personal journey, deeply rooted in his Filipino heritage, reveals his commitment to empowering the next generation of tech professionals. By advocating for modernized education and offering opportunities to those eager to re-enter the tech field, Randy aims to bridge the gap between academic qualifications and practical technology careers. Join us to learn how his endeavors are fostering a thriving security community and what the current state of API security means for organizations worldwide.
Speaker 1: I'm your host, Josh Bruyning, and today our guest is none other than Randolph Barr, who is the new CISO of Cequence Security. Randy comes to this job with a world of experience. His time at Zoom, Qualys, Cisco, Webex and now his role at Cequence Security makes him the perfect person to talk about the cybersecurity landscape, the API security threats, the state of API security today, and leadership strategy and how to tackle these threats. Randy, welcome to the podcast and congratulations on your new role at Cequence.
Speaker 2: Thank you for inviting me to this podcast. Happy to have that conversation around API.
Speaker 1: In my experience, it's an honor and privilege to be able to talk to you about this topic today, which a lot of people are thinking about. It's on the minds of CISOs, it's on the minds of businesses, and I know that Cequence has a very unique way of attacking these threats, right, especially AI-driven threats and the rise of AI-driven threats in today's landscape. So today we want to dive into how API security is becoming increasingly critical as organizations adopt AI technologies, and so we'll explore Cequence's innovative strategies and how you address API vulnerabilities in today's fast-moving world. You just made a trip to the Philippines, probably still jet-lagged, but you're doing this podcast anyway and I really appreciate it. But I'm really interested in what you're doing down there. What is the current security landscape like in the Philippines, and can you give us a brief rundown on how you're helping the folks over there?
Speaker 2: I have a lot of projects that are going on in the Philippines personally and it's been an amazing experience. I'm Filipino, I have a lot of family there, and so over the past several years I've opened up the foundation that helps a couple of orphanages and some schools, and since then I've grown and expanded that to want to connect more with the security community over there. Security community is growing over there. There's some pretty talented people in the Philippines and I want to promote that a little bit more by participating in some of that. So you're going to see me visiting there quite often, participating in some of the conferences and speaking opportunities.
Speaker 2: What's interesting over there is that my cousins, when they grew up, and this is why I was very passionate about this, you know, got their degrees, got their degree in computer science or in other areas of focus, but they weren't able to work in the area that they went to school for.
Speaker 2: So someone with a computer science degree may be working at a call center and they want to get back into it.
Speaker 2: They want to look for opportunities like that, and so I'm trying to figure out what are those opportunities that eventually led me towards speaking to professors at universities and looking at opportunities to see how we can enable those professors to update their syllabus to be more current on new technology, and some of the stuff that I really want to do is bring in some of the latest innovation on security and introduce that, because I think it's important for us to be able to educate some of the students today on some of the latest and greatest technology instead of very old tech stack. So a combination of different things, but the biggest one is how do I get some of those folks that have those degrees back into the tech space that they want to? I think there's a lot of opportunities out there, especially with the way we work today.
Speaker 1: What is the current state of API security today?
Speaker 2: Amazing how much information you learn as you work with folks over here at Cequence. When you start doing the research, it just blows your mind. If we think about where we're at today, API has become pretty much the backbone of digital transformation. It powers anything from customers interacting to back-end processes to nearly every sector. But with this innovation and this implementation of all of these integrations and access to really, really cool tools, there's a lot of risk associated that comes with it.
Speaker 2: API itself has now become the top attack vector in the security space and it's driven by the amount of usage and also the vulnerabilities associated with those APIs that are introduced with some of these new tools. As companies continue to innovate, as they continue to rely on APIs to deliver those services, especially to help enhance the customer experience, they also expand their attack surface and it creates a lot more entry points for malicious actors to take advantage of. If we even look at just the findings from OWASP: broken object level authorization, broken authentication, security misconfigurations, and these vulnerabilities are just technical issues. They're doors that, when left open, you know, it allows bad actors to access sensitive information, compromise entire systems and essentially, or could potentially, disrupt operations at a large scale.
Speaker 1: What kind of organizations are most susceptible to this kind of threat? It's everybody.
Speaker 2: I mean, if we think about where we're at today, we're getting ready to get into the holiday season and people are going to be relying on ordering things online. So just imagine the interaction from the person that clicks on a link to log into a site, searching for certain goods, ordering it. All those interactions in there is an opportunity for APIs to be leveraged, and if that API is not secure, then there's a potential for that to be compromised. So think about the amount of users that are going to start ordering stuff. Black Friday is probably one of the first events that we're going to be paying attention to, or, if not sooner. I think bad actors look for opportunities when a lot more people are utilizing all of these different APIs, and the holiday seasons is just the right place for that. But every company is susceptible to it.
Speaker 1: You may have lots of transactions going through a particular retailer if you're buying your presents online. To have all of those moving parts between retailers, suppliers, partners, customers, everybody's sort of talking to each other and the glue that holds it all together would be APIs, and so that's where Cequence comes in and makes sure that those connectors are safe, and they're kind of like cracks that the bad guys can use to get into your personal information, and so you want to make sure that's secure. So, Randy, as we're getting better, the bad guys are also getting better by leveraging AI. So how would AI and automation make attacks more sophisticated, and what are some of the countermeasures that we're taking to make sure that we're staying ahead of those threats?
Speaker 2: It's a very common topic that a lot of folks talk about. I was at a CISO summit in San Francisco yesterday and this is one of those questions that they asked: how do bad actors leverage AI and how can we counter that? If you think about bad actors, bad actors use any tool and every tool they can possibly use to be able to have a successful attack, and they sometimes implement some of the tooling that most other security professionals use in their own environment. AI just makes it a lot easier for them to do a lot of things. We're seeing a lot more sophisticated approach to attacking. We'll just take something as simple as phishing.
Speaker 2: You can leverage AI to be able to identify who may work in a finance department, narrow it down to certain individuals that maybe work in accounts payable, and then learn a little bit more what's available out there to be able to target that individual using an email campaign specific for that person, but do it in a way that does not get impact or does not get triggered by any of our, any of the security tools. So AI has done a lot in that area to help out some of those bad actors, but at the same time, we can also leverage some of the AI solutions to be able to counter some of those threats. So adoption of AI is going to be very important. Companies or teams that look at AI as something that they should block or not utilize in the company really should think about revisiting that.
Speaker 1: I think this is a good segue and we can shift gears into Cequence's approach to those emerging threats. So what is Cequence doing these days to help keep organizations safe?
Speaker 2: Our unified API protection, or what is also referred to as UAP at Cequence, is a solution for real-time API threat detection. We have AI-driven security policies, so some of the data that we collect, these are just transient data. They're data on API traffic, and what we do is we leverage that information to be able to determine what type of traffic is going on, what type of activity that's going on. Is any of that activity a potential threat to the company? And, if so, we're going to leverage AI to help create or draft these rules that will protect that company. What we're trying to do is stay ahead of the attackers, and we're leveraging technology, but also leveraging innovation so that we can stay ahead of some of the newer threats. We stay ahead of attackers by innovating with technologies that not only detect in real time but also adapt to those threats. Leveraging AI is one of those innovations.
Speaker 1: Which, you know, the fighting fire with fire. That seems to be the theme here, is that the only way that you can do this is to really just learn how the attackers work, and AI is really good at learning that kind of stuff, but then they're learning what you're doing at the same time. So what's your approach to this in terms of a risk analysis, because we know that we can't eliminate the threat altogether.
Speaker 2: I was sitting at a conference one day, and one of the, this is earlier in my career, and the best way that someone described how do you protect your assets. And they said, look, you know, think about your house and your neighbor next to you. If your house has a sign that says protected by, you know, external security company, your doors are closed, your windows are closed. You have a sign that says you have a dog and your neighbor leaves their door open, doesn't have any of those signs, which one do you think the bad actor is going to go in and try to rob? And so I think that our goal, and every security professional's goal, is how do we reduce the feel factor for someone who wants to go in? And sometimes what you do is you put in some roadblocks, you put in control. That makes it so much more challenging for that individual to get in that they're either going to give up or they just feel like it's too much of a burden for them to be able to do anything.
Speaker 2: The way we use machine learning to help figure out what are those controls, we analyze all those traffic patterns, we detect the anomalies and then we respond directly to those potential attacks by creating those rules and policies that our customers can use. It's obviously not just stopping the threat after it happens, but, you know, what can you do ahead of time to prevent that from escalating. That's my mindset. Is how do we make it less appealing for bad actors to come in and get us? Risk management is definitely in there. It's always part of the program. You always have to think about not just the matter of if it's going to happen, but when, and if so, how prepared are you to be able to manage through that? We're hoping to help enable our customers to not have to worry about when it happens.
Speaker 1: So the strategy is to help your customers outrun the bear. Yeah, yeah, exactly yeah. And if we can sum it all up in how we do that in one word, would proactive be a good word to sum up the approach to tackling these threats today.
Speaker 2: Proactive is a good word. The other words that come to mind is continuous assessment. So you need to keep revisiting your controls. If you just implement and not do anything else with it, then there's a likely chance that somebody else has that same control and figured out how to bypass it. So continuous assessment is very important.
Speaker 1: For those smaller businesses that may not have the budget for something like Cequence or to have a sophisticated tech stack today, they may tomorrow, but they may not today. What are some practical ways that those businesses can stay ahead of these API security threats?
Speaker 2: If they do development internally in the small company, training is always important, enabling those folks to be able to do checks, and some of the easiest stuff to do is standard security practices and leverage some documentations and some frameworks that are already available. OWASP API is one, OWASP Top 10. Now, if you don't have your own developers entirely, make sure that you review all those contracts with those third-party developers and make sure that they have the security checks in place. More importantly, if you're not technical, but you do have a business, you also have to remember that the biggest thing that you are responsible for is protecting all of your assets, including the assets that you've been trusted with, and that's your customer data, and so you need to make it a point to highlight security as something that's very important in your company.
Speaker 1: There are tons of resources on Cequence's website. Randy, if people want to get a hold of you, what's the best way for them to do so?
Speaker 2: LinkedIn. Look me up there, feel free to message me there. Or if it's Cequence directly, then feel free to email me at randolphbarr at cequence.ai.
Speaker 1: If you would like more information on what Cequence is doing, you can visit www.cequence.ai. Randolph Barr, CISO at Cequence. See you next time. I don't know when the next time is going to be, but we'll see you next time. Thank you so much. I'm going to talk more. Thank you, Josh.