Rafal Los is the Founder and Host of Down the Security Rabbithole Podcast. He is also an Advisory Board Member at the Security Advisor Alliance.
Rafal Los joins Matt Rose on episode 17 of Tattoos, Code, and Data Flows in a conversation around improving the cybersecurity industry (including some very spicy takes on the industry).
Rafal Los is an industry innovator, strategist, and personality. His career spans 20+ years working inside companies ranging from the Fortune 10 to a firm of fewer than 10 people. His most recent achievements include helping a company pivot from infrastructure provider to security-as-a-service by developing its pre-sales strategy and professional services framework, and implementing changes in business processes that let the company measure the impact of various efforts on the sales cycle.
Rafal is an active member of the Security Advisor Alliance, serving on the advisory board with the intent of creating innovative ways for security leaders to give back to their communities through service and knowledge sharing.
Topics covered in this episode:
- Rafal's role as founder and host of the podcast "Down the Security Rabbithole"
- Eliminating ¾ of the security industry
- The 3 pillars of applications
- Defining Application Security Posture Management
Tune in to the full episode to learn more about the cybersecurity industry, application security posture management, and more.
Top 3 Takeaways
Takeaway #1: “Eliminating ¾ of the Security Industry”
What are we actually trying to solve in the cybersecurity industry? Twenty-five years in, we are still talking in absolutes, as if small decisions can't grow into large-scale problems (and large-scale problems can't come down to a small decision).
By Raf's standards, we should be making security mainstream by:
- Turning security into an audit and governance function that sets and enforces policy
- Embedding security into software development, engineering, architecture, and product management teams through education
The reason security has such a hard time getting anything done is that security experts are the only ones who understand security. Once security knowledge is embedded in every team, secure development becomes the standard rather than a specialist's add-on.
Takeaway #2: 3 Pillars of Applications
Drawing on his earlier time at HP, Raf recalls a simple breakdown of what an application must satisfy to count as successfully developed and deployed:
- Does it function?
- Does it perform?
- Is it secure?
If security were truly embedded in software development, then the development, engineering, architecture, and product management teams would be able to answer all three questions with ease, not just the first two.
Takeaway #3: Defining Application Security Posture Management
You need a holistic approach to application and cloud security. For far too long the industry has leaned on "shift left," pushing security as far left in the development process as possible.
The problem is that organizations are fragmented, especially in the development process. So if you shift left, you end up making security decisions in that same fragmented way, team by team, and never get the big picture of the impact on the organization as a whole.
A better way to look at security is functional, technical, and vulnerability/risk mapping of your complete application architecture: what each application does, what it is built on, and where its weaknesses are. If you don't know what your applications do, it is very difficult to understand how they could be hacked (or how to prevent it).