The Cybersecurity Bridge
theCUBE Research principal cybersecurity analyst Jon Oltsik hosts the newest SiliconANGLE podcast, focusing on bridging the gap between cybersecurity and all other parts of tech.
Dale Hoak, Regscale
Dale Hoak, CISO at Regscale, joins Jon Oltsik for this week's episode of The Cybersecurity Bridge.
SPEAKER_01: Hello everyone and welcome again to my podcast, The Cybersecurity Bridge. I'm Jon Oltsik, your host. And if you are one of the few people, few in the world, who have not seen my podcast, why? I don't get it. That's good stuff. But anyway, each episode is broken into three sections where we talk about a particular area of cybersecurity. In the first section, we talk about the present of that area. In the second, we talk about the future of that area. And then the cybersecurity bridge is the third section, where we talk about how we get from the present to the future. Now, I said we talk about an area of cybersecurity. We're going to vary that a little bit. We're going to talk about a lot of areas of cybersecurity because my guest is Dale Hoak, who is the CISO of Regscale. Dale, welcome. Can you introduce yourself to our audience?
SPEAKER_00: Jon, thank you so much. I appreciate the opportunity to come here to speak with you today. My name is Dale Hoak. I've been the CISO of Regscale for a year. I've been at Regscale since March of 2022, so about four years. And then I've had an interesting past. You know, I had 28 years in the Navy, retired in 2017, did some work with the Joint Chiefs of Staff, did some work in security operations for a company called Ferguson Enterprises, and then kind of wrapped all of my security operations work with a stint at the Security Operations Center for NYPD, which was interesting to say the least. So I've had quite the road, and it all brought me here today with you, Jon. I appreciate the invite.
SPEAKER_01: All right, thank you. Well, I appreciate you being here. But before we proceed, Dale, are you ready to play cybersecurity trivia?
SPEAKER_00: I am. I think I've been studying.
SPEAKER_01: Okay. Well, this is a timely question, and maybe a slam dunk for you, or maybe a total stumper. But we are in the season of the RSA security conference. So, real simple question: what year was the first RSA security conference? And I'll give you a couple of choices. Was it 1989, 1990, 91, 92, or 93?
SPEAKER_00: I want to say it was 91.
SPEAKER_01: And you would be correct. Boy, we are on a string of people nailing it, after a year, like a year of no one getting my trivia questions, we're on a streak. Yes, it was 1991. It was a very small event. It was held at the Sofitel in Redwood City, which, if you've ever been to the valley, you've been to that hotel. It's right there. You've been to a conference there, you've made a phone call there, you've stayed there. So good job. And we'll move on from there. So in doing some research on you, one of the quotes that was applied to you, or at least cited for you, was that your philosophy of security is practicality over theory. Now, number one, is that accurate? Number two, if it is, what does that mean?
SPEAKER_00: Yes, it's accurate. And I think you hear a lot of people talking and theorizing about what security is, right? You have to plan and deploy it, right? It should always be operational. So a good practical approach to security, one that you can defend, you can prove, will always beat the theoretical approach, right? So there's a lot of CISOs that practice a lot of thought leadership, but when the rubber meets the road, they can't make it execute, right? So to keep myself grounded, I always try to make sure that I can do what I'm talking about and be very practical in my approach, which has always been kind of the mainstay. I had somebody tell me a long time ago, one of my instructors at what the Navy calls their C school or their secondary school: if you know how it works, you always have a job, but if you know why it works, you'll always be the boss. That kind of summarizes that practical thought process that I have.
SPEAKER_01: Well, that's funny. My first job, at a business school, I worked for somebody who said people who know how always work for people who know why. So certainly that expression has translated into business. So, with a practical mindset, how do you approach the RSA conference?
SPEAKER_00: So I understand that when you start thinking practically, right, what is the purpose of RSA? So the first thing for me is it's a chance to collaborate with people smarter than me. RSA has got some of the top CISOs in the game. Particularly, one of my favorite sessions is CISO Unchained, which I think Roland Cloutier is speaking at again this year. And I mean that whole panel is always great to kind of spur thoughts. The other thing I really enjoy rolling into RSA is, outside of the wild stuff you see on the floor, right, what the vendors are doing to bring people to the booth, there's also a lot of really great products. And I think over the course of the last couple of years, you've seen that shift in AI, but you also see a lot of people that are able to conduct thought leadership discussions at the booth, which I'm really interested in as well. And then the last thing is you always have some really great parties that bring a lot of great minds together. So when you're getting together in a social aspect, then great ideas can really flow.
SPEAKER_01: Yeah, I totally agree, but I'm gonna press you on the practicality, because there's certainly a lot of hype at RSA. And when you say practicality over theory, I think, well, practicality means understanding the business and the business need and aligning security accordingly. So how do you do that while avoiding all the hype? How do you stay focused on your mission?
SPEAKER_00: Well, so the idea is I have a plan going in, right? So practically, what are my priorities for the year? You know, coming into the fiscal year, you have a plan. So if I take a look at my plan, I target the vendors that I want to talk to, I target the CISOs I need to collaborate with. This is a great opportunity to have a chance to talk to the CISOs of the vendors that I'm targeting, and then to set those meetings up, right? So this is a time when CISOs make time to talk to each other, and particularly the field CISOs of the vendors that you're looking at, right? So what are my priorities going in? My personal priorities: AI security, API security, and threat intelligence. So I have set some time up with folks to discuss those areas, and then, you know, you're gonna hit some of the hype, but you need to be focused on what your mission is as a CISO. If you're there selling, how are you selling? If you're there buying, how are you reading through the noise?
SPEAKER_01: Yeah, I'm glad you mentioned threat intelligence. It's an area that I'm passionate about, that I've done a lot of work in. And I look at AI, I look at these domain-specific models that people are trying to build. And to me, they're only as good as the threat intelligence you feed them. So what's your theory there? Because a lot of organizations think more is better, and I think more is noise, and more means more noise. How do you deal with that?
SPEAKER_00: So I think cultivated threat intelligence is better than just mass threat intelligence, right? Anytime that you can have curated data that's fed to you against your mission priorities, then you're optimizing your flow, right? So, for example, you know, CVSS scores I think are underrated, right? A higher critical doesn't necessarily mean that you have more exposure. I think in today's day and age, you're gonna see threat actors take any exploit, right? So I want to know what's being exploited in the wild. I want to know how it's being exploited. The threat intelligence platforms can tell me if I care, if I don't care. So they can quantify the details of my security operations that I'm bringing in. So I think most CISOs would agree with me: security organizations are just overrun with information. So more information, I don't think, is the key. Accurate information that's applied to your environment in a manner that you need to execute, I think, is the key.
SPEAKER_01: Yes, I totally agree. And now, I said I'm gonna zig and zag. I'm gonna pull something maybe from your past that you can comment on. So I did some research.
SPEAKER_00: All right, all right, all right. Let's go.
SPEAKER_01: So I did some research a while back on what New York City was doing. And I know New York City, you worked there. New York City built its own fusion center and they used Google Cloud, and so they didn't use Google Chronicle, or whatever they're calling it now, Google SecOps; they built their own. Is that a unique requirement that drove that, or do you think large enterprises really should be looking at their own customization, maybe building their own fusion center?
SPEAKER_00: I think that the NYC Cyber Center, right, was a unique use case. And the CISO there is Kelly Moan, who has a lot of experience in doing that. One of my favorite people to work with. I had a chance to work with her in NYPD for a while. I think large companies that have that need and have a dynamic operating environment really need to build their own fusion centers, because no vendor is going to be able to hit all of the requirements that you have, and you know your requirements better than anyone else. So I think that there's a lot of value in customizing your own fusion center to meet your builds, right? And I don't think people realize how huge the cyber footprint is in cities like Chicago, LA, New York, particularly around their law enforcement. Yeah, all the traffic cams, all the body cams, all the cell phones, it's a huge cybersecurity footprint. So being able to have everything in one place, where you could look at all of your things in a single pane of glass and defend the city. I mean, we saw Baltimore got shut down, right? So that's kind of what NYC was trying to prevent with the fusion cell, and I think it's a great tool and a great plan.
SPEAKER_01: Yeah, and of course they're dealing with physical security, they're dealing with geopolitical threats. So it's a bit of a different ballgame for them. Okay, well, let's move on to the future. I know that one of your initiatives is using AI to automate GRC. Everyone talks about automating processes and automating triage and things like that, but you're focused on GRC automation. So tell me about that for the future.
SPEAKER_00: Well, so I really think we're in a time where compliance is gonna die and we're gonna shift into operational controls assurance. And the only way to get to operational controls assurance is to automate and build a continuous controls monitoring process, right? So you should know point-in-time audits are dead. Compliance as a checklist is going away. It's too hard. AI is increasing the speed at which innovation is spreading, and manual processes are not going to be able to keep up with it. So not only do you have to automate the GRC process, but you have to automate the monitoring of all of your different controls across the entirety of your tech stack. And I think we're in a time where we see things shift from "I completed this audit; on day two after that, I am now out of date" to "I'm gonna continuously stay audit ready, I'm gonna continuously be prepared to execute, provide evidence as I need to, based off of good security operations." So I think the time of manual compliance is dying, and the time of automated compliance is here, and in order to stay in pace with innovation, you have to have it.
SPEAKER_01: It makes sense to me, Dale. My fear, though, is the attack surface is growing at an exponential pace between AI, between vibe coding, new cheaper devices. How do you keep up?
SPEAKER_00: Well, the only way to keep up is through automation and the use of AI, which sounds kind of weird because you're using AI to monitor AI, but I think that first you have to build responsibly. Second, you have to be diligent in deploying the tools you need to have constant vigilance on the entirety of your network. Regardless of any of your regulatory compliance requirements, just good security dictates you have to know what assets spin up and spin down and when they're happening. And it's gonna be increasingly difficult. Shadow AI is a problem right now, largely because most people don't really know how to monitor and stay in touch with AI. Because, you know, it may not be new. I think it's been around since 2017, but this is the first wave of commercialization. So one, we have to educate ourselves. Two, we have to stay diligent in our plan. And three, you gotta be flexible, right? Semper Gumby. You can't get locked into a process and just focus on a stack of problems. You gotta be dynamic and shift and build your environments to be dynamic in the meantime.
SPEAKER_01: Now, I get all that, but you'll have line-of-business managers, even executives, who are just gaga about the revenue opportunities, the cost-saving opportunities with AI. How do you reel them in in a way that's practical and business enabling?
SPEAKER_00: Right. So I did a podcast not long ago, I'm sorry, it was a webinar, where we started talking about: is AI the good guy or the bad guy? And really, AI is a tool, right? So just like, you know, when you're using a hammer, there's a responsible way to use a hammer. If you're using a hammer on a window pane, that's probably not a good plan, right? So you have to have a plan to use AI. And I'm a big fan of responsible use of AI, but you build security in early, you monitor how you're building your AI, you report on it continuously, you have an AI SBOM, just like you have an SBOM for any software product, then you continuously monitor all of your large language models and everything that's involved with the AI packaging to prevent poisoning and drift and all of the things that are kind of prevalent in the space today. So I think I'm with you. I think CISOs, one, have to keep lines of business open; two, find innovative ways of opening up new lines of business and help the company get to yes, right? That's our primary function. And with that, AI is gonna just kind of blow up and incrementally increase across the spectrum. There's no way to prevent it, right? So CISOs have got to plug in early and strap in, right? Get ready.
SPEAKER_01: Absolutely, they do. But let me ask you about the future of AI as a CISO. Where do you see the short-term benefits? Where are you a little reluctant? And where do you see the longer-term benefits?
SPEAKER_00: I think in the short term you're gonna see administrative functions really become easier, right? I think security compliance teams have been struggling to stay on top of that for a long time. I think risk assessments are going to be easier using AI tooling. And right now it's kind of a responsible use model where I flag it and I tell an operator that this problem is here, and they review it and accept it or reject it, right? So that's my initial, kind of the now of AI. The problem that I've seen with AI is like anything in a free market, right? You package it, you market it, you sell it before you know how to secure it. That's what happened with AI. Then we saw a lot of AI incidents occur. And the response to that was more diligence coming out of companies who are buyers. So this is kind of that normal life cycle: when you sell before you secure, you run into problems. So I would recommend anybody that's building now, build that DevSecOps process into your AI tooling, and your life is gonna be exponentially easier. And I think in the long term, you're gonna do away with a lot of administrative functions that are just redundant, right? I think that AI is going to be better and better as it learns more. We're gonna get better at securing it. And once we're able to put a wall around it and keep it functioning, I think things like compliance are gonna become entirely AI driven and just a click of the button for anybody in the compliance space. I think a lot of security and vulnerability management will be made a lot easier through the use of AI in the long term. So I'm looking forward to that.
SPEAKER_01: So, just a curious question on my part. If we can automate compliance and we get a real-time, continuous look at the effectiveness of our controls and our risks and things like that, I would think that the cyber insurance vendors would be all over this, pushing it as hard as they can so that they had more accurate data for underwriting. Is that happening?
SPEAKER_00: I think it's starting to happen, right? We've seen it in a few places. The problem is nobody really trusts that product yet, right? And nobody knows what the art of the possible is. So you're seeing people start to experiment. I don't think they're moving fast enough. I think they could be moving much faster, particularly on the cybersecurity insurance side of things. I also think that, you know, when you start talking about authority to operate packages or approval packages or audit packages, people don't trust yet. There's things out there, machine-readable formats such as JSON or OSCAL, that can also bring a lot of ease there, right? The problem is there's not a lot of trust, right? So the zero trust culture, which is a good thing, has caused people to not really kind of run with it yet. People are adopting a wait-and-see mentality. But we are seeing some insurance companies move with it, just not as rapidly as I would have envisioned.
SPEAKER_01: Yeah, good, because I've seen security vendors, or excuse me, cyber insurance vendors, talk about, well, if you buy a product that's up in the upper right-hand quadrant of the Gartner Magic Quadrant, they'll lower your rate. And that says nothing about, well, are you installing that right? Are you operating it right? Are you tuning it? So that's crazy talk. So let's move on to the cybersecurity bridge, how we get from here to there. With all of this AI talk, here's one of my fears: that we start to automate processes, and as we do that, we're eliminating the training and the learning curve for junior analysts. So they don't get to experience things because AI is doing that. Am I right in that? And how do you bridge that gap? Are there any skills or training that you as a CISO think are absolutely critical as we move more tasks to AI?
SPEAKER_00: So I completely agree with you. I think you're starting to see, you know, due to AI, like there's not going to be junior developers anymore, right? The expectation is you're gonna be a middle-of-the-road or a senior developer. I would be shocked if any business is not using things like Claude Code, right, which is a good example, although, you know, Anthropic has gotten a bit in trouble with the government. But I think that there's a huge amount of coding being done inside AI. So then I have to question the security practices around that. So for junior developers, it's tough, right? You're coming out of school, you spent four years learning how to develop, and now your competition is a computer set, right? Because now you're into how do I write the right queries or right phrasing to get the code results, right? So, you know, I believe thoroughly in cross-training first, so we ensure that we're teaching the basics and we're making them test against the basics so they understand the coding principles. Because I go back to the root of the why versus how, right? Which you put eloquently, actually your phrase was a lot easier, so I'm gonna reuse that again. And then the second part of that is the responsible use of teaching people how to do it right inside AI, because you're just not gonna get rid of AI, it's too easy to use. And you just want people to use that stuff responsibly, and you want to educate people on the principles of what they should be looking for. And I think that's kind of where we're unfortunately moving to.
SPEAKER_01: Yeah, I agree. And some specific jobs or skills that I think we need to pay attention to are things like data engineers, things like we have to teach people about prompt engineering. We have to teach people how to, I think they call it like a hybrid model of what the AI does and how you tune the AI to help you. Are there any of those skill sets that you're either recruiting for or you are training your staff to do?
SPEAKER_00: So I think prompt engineering is a big one, right? So we train against prompts, good prompts, bad prompts. How do you get the product to do what you need it to do? And then we actually have hired some AI engineers to help build our product in a meaningful manner, and to help kind of school the others in the company on how to do these things, right? And I think another big one, believe it or not, is GRC engineering. You're seeing a lot of what people are calling GRC engineers coming to build continuous monitoring and automations, and for evidence gathering as well. And that's another one that we kind of embrace and lean into as an industry leader. So those are two big ones for our company. And I think anybody who has a vested interest in AI and/or GRC as cyber compliance requirements is going to be leading in that same direction.
SPEAKER_01: Yeah, and going back to our how versus why, I think too many security people and vendors are too ingratiated in the how and the why, and understanding how the pieces fit together to get to why, I think, will be the interesting skill set moving forward.
SPEAKER_00: I would entirely agree, right? And I think, I mean, we've cited some of this stuff in our State of the CCM report: taking the time to understand why things are the way they are and why it's important to do these particular functions will dictate your how, right? So why am I doing this? Why is there value? Why is it saving time? That will dictate the how, and make it easier to figure out the how when you take time to set your goals with a why.
SPEAKER_01: Yeah, absolutely. Yeah, I said I was gonna zig and zag, so I'm gonna zig and zag again, because we're talking about how we get from the present to the future. One of the things I know you're involved with is FedRAMP. And I've worked with so many companies, and I said, are you selling to the federal government? They say, no, the FedRAMP certification is too cumbersome, it's too expensive. Is there a way that AI or any other kind of modernization is going to help the government ease that process so that they can consume more of this innovative technology?
SPEAKER_00: I do believe so. First, there's the Open Security Controls Assessment Language, right? OSCAL. And you're starting to see some adoption there, which will then take that lengthy process at the end of that long road to get through the audit process and shorten that time for package review. I will also say that Pete Waterman and the FedRAMP team have really made it a focus of getting packages out in record time post DOGE. I think another effort that you're seeing on the FedRAMP side is FedRAMP 20x. I think that is taking the time to move to key security indicators, and focusing on security operations and provable security operations is another thing the federal government is going to be moving rapidly towards, which will help speed up the process. I don't know that it's gonna make it cheaper. It's still as expensive, so it's still a little bit of a blocker to small and medium market businesses. But I think that being able to get agency sponsors faster would be a good thing. I think shortening the timelines would be a good thing. And if you're gonna shoot for FedRAMP, if I had to throw advice out there: if you are gonna sell to the federal government, getting FedRAMP is imperative. And if you're gonna get FedRAMP, you need to plan for it. You know, we planned to do this from the inception of our product, and fortunately, I had a product that helped me with automation and AI that made that process faster. So I think that, planning to achieve FedRAMP, I still think FedRAMP is a gold standard. I think there are problems with the process for sure. I think there's problems with any cybersecurity regulatory body, and there's problems in all of the processes, particularly on the audience side. But in the grand scheme of things, I think we planned for it. I think we had the automation and the AI to execute. And I think that's what you're gonna see, right? Them using technology to move fast.
SPEAKER_01: Yeah, what I read, Dale, is that upon getting hired at Regscale, you did FedRAMP High, you got SOC 2 and CSA STAR certification. How are you now? Did you never sleep?
SPEAKER_00: I mean, how did that happen? Well, I'm gonna tell you, we had an incredible security team, right? Corey Hendriksen is my ISO. So I'm gonna give him a high five here on your podcast, right? If you guys aren't following him on LinkedIn, please do so. He's an incredible ISO, kept me grounded and straight. And I had a really great cloud team that was able to flex and respond in a meaningful manner, right? I'm gonna tell you, was it hard? Yes. But if you plan for it and you work as a team, right? Because security is a team sport. If you work as a team, you have the right 3PAO that's got the right attitude, then there's really nothing that you can't accomplish. And working with A-LIGN in this particular endeavor was fantastic. And, you know, so we felt like we were set up for success all the way around.
SPEAKER_01: Nice. Well, good start. I mean, that's a ton of work. So the theme this year at RSA is the power of community. And you mentioned the community of CISOs, but are there other aspects of community that you're looking for? Community of like-minded industry people, community of threat analysts? Just if you can give me some color on that.
SPEAKER_00: All right, so I think there's three communities that I love to talk to while I'm at RSA. And I think RSA does a great job of blending all of these things together. So, first it's the CISOs, like you mentioned. Second, it's the community of security professionals, right? And I mean, I don't mean individually, compliance analysts, security analysts, security engineers. I think we have in the industry a bad habit of stovepiping these jobs, right? But security is a community, it requires community involvement, right? And all of these people have a piece of security. So I like the even playing field and the ability to talk to all of them in one place at RSA. And the last one, I love to talk to innovators, I love people who are challenging the boundaries. I am a crusader for good ideas, and I love to go and talk to people who have good ideas, and I think RSA is a great place to do it. You know, so I think a lot of people look at it as, you know, this is an event for people to sell. And it is, right? But it's also an event for people to get good ideas, right? And to talk to innovators. You see a lot of venture capitalists working the floor at RSA. There's a reason for that.
SPEAKER_01: Yeah, I totally agree. All throughout my career, I've had my beacons, I call them. And they're the people who I think are really smart, who you feel like you get smarter every time you talk to them. And many of them will be at RSA. And now I've got a new one, Dale. That's you.
SPEAKER_00: Oh, well, I am honored, Jon. That's quite a compliment from you, man. I appreciate that.
SPEAKER_01: Hey, thank you. Thank you. So let me ask you my final question that I ask every guest, and that is, if there's one piece of advice that you'd give, and you can give it to CISOs or cybersecurity professionals or whomever, what would it be?
SPEAKER_00: So this is the one thing that I learned a long time ago: don't operate from a base of fear. Don't get stuck in processes because you're afraid to make change. You know, Roland Cloutier, who I would consider a mentor, we talk quite often, said, don't be afraid to rip the bandage, right? So don't operate from a base of fear. If you plan, you execute, right? Always be innovating, always be grinding hard to get to the next level of security for your business, right? Because, as I said before, your job as a CISO is to help the company get to yes; you're not gonna do that if you stay stagnant. And I've seen too many people just kind of freeze up in fear. Don't be afraid, man. Just, you know, get your team around you, everybody rally to the battle cry of being more secure, and move forward. Plan for success.
SPEAKER_01: I love it, and that's good advice, you know, going to RSA or not going to RSA, it's just sound advice in general. So, Dale, thank you so much for participating and being a guest on my podcast.
SPEAKER_00: Jon, it was a real honor. I had a great time today. Thanks for the invite, and looking forward to seeing you on the floor at RSA.
SPEAKER_01: Yes, we'll make that happen. And for the audience, thanks. I'll be at RSA. Dale will be at RSA. Find me, come and say hello. I might not have much time, but I'll definitely say hello. And we'll see you again soon for another episode of the Cybersecurity Bridge podcast.