With over 25+ years of experience in IT, Todd Dekkinga, CISO at Zluri, has become a force to be reckoned with in the cybersecurity world. He's worked with several high-growth organizations and modernized IT departments for companies like Airgap Networks, Armis, Genomic Health, and more.
We sat down with Todd to discuss challenges faced by modern IT teams, the evolving role of a CISO, and how one can catch up with the latest trends.
It's a very difficult thing to do. The first step, you can see if the company is GDPR compliant. However, with all these app integrations and APIs, it's a very difficult process to prove that you're actually following the GDPR regulations. It’s because when you connect an API, data can travel out, and you don't necessarily know where it's going.
So you need some kind of solution that is constantly monitoring all of your SaaS apps, the data flow, kind of the access control list, who has elevated access, and just kind of monitors all the connections that are available to those apps.
It's more of a compliance versus security question. So the best solution we have right now is security awareness training, and we should probably do that on a regular basis. And really focus on what your company is doing and what kind of applications your company is using. Be really specific, not just phishing training and things like that. But as I alluded to, it's a compliance thing more than security.
I still think it's security's job to secure all these applications so that the end user does not have to worry about it as much. Obviously, people should be trained so they don't click on phishing emails and get all their money stolen and other consequences from clicking on bad links. But it's a challenging situation right now. So there’s not really one good answer for that. It's a work in progress.
It's created a lot more chaos for IT and security. Because in the old days, everything was contained behind the four walls of your office, you had your servers, and there you had your applications in there. In order to bring up a new application, an end user wouldn't be able to install it; you'd have to go to IT, who'd have to install, configure, purchase it, and all this stuff, right? Today, with SaaS, AWS, and Azure, I could just spin up an application for free. I could sign up for almost any SaaS application for free or freemium, whatever you want to call it. But it doesn't require a credit card. It doesn't require procurement. So it's kind of a nightmare for IT and security trying to figure out what is in your inventory and what people are using.
So not only is it essential to be able to identify all the hardware assets that are in your company, but also your software assets. Because if some Dev is signing up for some free dev SaaS tool, but it's not compatible with the rest of your stack, or it has some misconfigurations, or has vulnerabilities, it could affect the rest of your environment. And so it's just harder to discover all these. So that's why you need something like Zluri to at least find all of your applications. But things are a lot different and will continue to be different, and we just have to adapt. And so if you're an old-school IT person, you must keep learning about Cloud, AI, ML, SaaS, everything.
It's impossible to secure what you don't know about, as mentioned in the last question; the same goes for SaaS. If you don't know your SaaS applications, and what people are using, it could cause problems. So, for example, I worked at a company four or five years ago. And I noticed that we had five different project management SaaS applications. So I was like, we probably don't need that. So I had one of our consultants go and do a Software Asset Management, where he basically went out and talked to all the department heads and figured out all the software everybody was using. He returned to me with a spreadsheet and said, hey, look, we have 250 applications. He had it all in a spreadsheet with a pivot table and showed me the users; all that good stuff, right?
And then this is about a year when all these SaaS management tools started coming out. So I tried one. And as soon as I plugged it in, we found over 750 applications in our environment. And so that was a big eye-opener to us, and we had to deal with it. But without that visibility and not knowing what you have, it's almost impossible to manage it. And so that's where a SaaS management product like Zluri would come in to help you find all of that shadow IT.
We're still trying to figure that out. Because right now, cloud computing and SaaS have been taking over for the last 10 years or so. We still don't have the best solution to secure or manage that. We are getting a lot better at it. But everything is publicly accessible now. Again, it's up behind our four walls. So we don't have a lot of control over it. Much less access to those applications. Now, not everybody has to use a corporate laptop to access corporate resources. They can use anything. They can use an iPad, your phone, or any BYOD device to access corporate resources, which is not good. So there are solutions to get around that. But not everybody's doing it. And it's just going to be a difficult task. And now, with AI and all this stuff that exists today. It's just going to make it more and more difficult. So I'm not sure what the future will hold and what it will look like 10 years from now. But we just have to keep adapting and learning to figure out how to get there and secure that.
The role of the CISO has changed a lot. And it's also kind of a new role over the last 20 years. Security has always been part of IT because I've always been an IT person, and security was just a subset of my responsibilities. But now security is its own role. You see a lot of CISOs reporting to the CEOs, CISOs are now getting board positions. So the role has changed a lot. Again, I bring up the four walls scenario; we went from protecting everything behind the four walls to now we have to protect everything. Now, there's cloud infrastructure and users. There are a lot of product companies. So we must protect the product, DevOps, identity and access management, compliance, and risk. The list just goes on and on of what your responsibilities are. So it's tough being a CISO. And if you want to be one, it's a long road with much responsibility.
First of all, you must understand IT and infrastructure. So start small. I started my career at Help Desk. And I just moved up from there and kept learning more and more. So start small; start with a SOC position or something. Get some real basic security certifications. And just kind of grow. So let's see, ask for more work. If you're working in a SOC, looking at alerts, and fixing problems all day, say, I want to move it to the next level and be a researcher. Or I want to move up to the next level and start doing some Red Team, Purple Team, Blue Team kind of roles and just keep moving up the chain and figure out what you're really looking for.
CISO role at medium and large companies is more of an administrative role where you have to talk business to the board and the executive team. You're not on the keyboard, solving real security problems. So if you aspire to be that, then great. If you want a more hands-on role, then consider being Director of Security, Deputy CISO, or things like that.
The other thing you really have to do is - network. So connect with every security person that you can on LinkedIn, and connect with every CISO that will connect to you. Look for a mentor that can kind of help you along the journey. Join every roundtable or group you can think of that has to do with security, and just keep learning and learning, and the opportunities will come. You just have to make yourself visible so people know you and understand your work. Post a lot on LinkedIn about security projects you're working on. It gets noticed, even if you don't get the likes. But people do look at those. And so if you become very visible on LinkedIn and other platforms, that you're an expert in security, you will start moving up the chain and get noticed.
There are all kinds of books out there. I won't name any specific ones. But I mostly look at online articles, the latest news that's going on. I join every roundtable discussion that will allow me, and it's a lot easier these days because all these roundtables are now virtual. So they're a lot easier to join; just look for the topic that you want to talk about in there pretty easy to find. I mentioned networking and showing up at every possibility, which will let you in. So I work for a product company. So they only sometimes lead me to all these events. But at every event I can go to, I show up, talk to people, and figure out what they're working on because there's always something new coming up.
Join as many Slack groups as you can, probably 20 or 30. And I look at those all day long to see what's happening and ask questions. So Slack is my favorite tool. Because if I'm having an issue at my company, I can just say, Hey, is anybody else experiencing this issue? And how did you fix it? And I'll get 10 answers back. And so it's a lot more effective than Googling something because It isn't always accurate. But when you're talking to security professionals in a Slack channel, you'll get real answers and solutions. And that's kind of how I keep up to date.
SaaS Whispers is a private community that offers a space for IT professionals to network, learn, and grow together. We host regular AMA sessions, events, and networking mixers with industry leaders. Apply to join
Tackle all the problems caused by decentralized, ad hoc SaaS adoption and usage on just one platform.