Securing a startup valued in the billions of dollars is no small feat. According to Ryan Kazanciyan, CISO at Wiz, it’s all about process. His previous experience with companies like Mandiant and Meta rounded out his security background. Using his experience from large enterprises, Ryan takes a considered approach to securing a startup.
The cloud security company has an existing ethos of security first, so Ryan and his team are equipped to tackle old and new security challenges alike, from run-of-the-mill phishing attacks to sophisticated AI-enabled threats.
----------
Listen to learn more about:
* His time consulting on the hacker TV series Mr. Robot
* Ryan’s thoughts on balancing privacy, security and convenience
* Lessons from his heavy-hitting cyber career
[00:00:16] Blake Thompson Heuer: Welcome to WE’RE IN!, a podcast that gets inside the brightest minds in cybersecurity. I'm your host, Blake Thompson Heuer, and I'm thrilled to be ushering in the new year with season three of our podcast. We have a fantastic lineup of guests joining us, and we'll cover a lot of ground, from artificial intelligence to election security.
On that AI front, our guest today knows a thing or two about how generative AI technology and large language models are transforming cybersecurity. Joining us is Ryan Kazanciyan, Chief Information Security Officer at cloud security startup Wiz. Ryan's InfoSec career has spanned senior positions at heavy-hitting companies, including Tanium, Mandiant, and Meta.
We'll talk about what he's building at Wiz, hear Ryan's thoughts on AI, and get some advice for CISOs. But before we dive into the conversation, let's hear a quick word from our sponsor, Synack.
[00:01:06] Sponsor: Confusion in the marketplace about which is the best method of security testing is so real. Bug bounty, pen testing, pen testing as a service. What do they all mean? We break it down in our latest playbook, Navigating the Security Testing Landscape, to demonstrate the strategic value of third party security testing. We cherry pick the best elements across the security testing market to incorporate into a strategic, comprehensive pen testing solution, the Synack platform. Learn more at synack.com forward slash playbook. That's S Y N A C K.
[00:01:49] Blake Thompson Heuer: Welcome, Ryan, thanks so much for joining us on the podcast.
[00:01:52] Ryan Kazanciyan: Thanks so much for having me.
[00:01:54] Blake Thompson Heuer: I wanted to jump right in with the big buzzword of the day, artificial intelligence. And as I understand it, Wiz works with quite a bit of the Fortune 100 companies. I think 40 percent was the number that you provided and really helping secure their cloud environments. What are some of the observations you can share with us regarding AI adoption? I feel like it's moving so fast, it's hard to keep tabs on.
[00:02:14] Ryan Kazanciyan: It is. Across my entire career, I'm not sure I can think of a single technology that has had the degree of disruption, or at least at this pace, as AI and AI enabled services.
I think of it in sort of two dimensions. There's for companies like us that are building software and services, there's safely doing so with AI. And it's the same sort of fundamentals as when you think about securing any new attack surface or technology surface, like you first prioritize visibility and coverage, and then hardening.
And we call this AI security posture management. And the idea is you start out with, as a company that's building AI services or AI enabled services, you need, like, an inventory, a bill of materials, so what are all of those services and technologies and models in use across your organization? And then once you've got that coverage and visibility, you can think about, like, security posture management and ensure that you as an organization are using each of those services securely, building atop them securely, enforcing good data governance, and mitigating the risk of sensitive data being exposed or at risk as a part of AI R&D.
And the other aspect is adopting AI technologies, like every enterprise organization is building AI into their products and services and using third parties that are using AI. And so orgs are now revisiting, like, how is the data that I have as a company being shared with my vendors that are in turn using AI services themselves.
[00:03:37] Blake Thompson Heuer: Well, it's such an important topic because obviously everybody wants to adopt AI and use it to accelerate innovation. But then the big question, of course, looming over that is, okay, how can I safely build with it? And do you have any sort of tips or guidance that you'd offer to your fellow security leaders?
I know you touched on this a little bit in your response before, but anything else that you'd want to add as people really try to race to adopt this and make the most use out of it?
[00:03:56] Ryan Kazanciyan: The first thing is, I always like to focus on fundamentals, and so prioritization is important. It is, as an organization, even if you're not building software, if you're using services that are bringing AI features in, to understand what is your risk of exposure versus all the other, like, security and attack surface management initiatives you have.
A lot of organizations are still struggling with really basic fundamentals around authentication and authorization, around cloud security, and if you don't get those fundamentals right, and you just jump straight to the like problem of the day, which is securing AI, you're going to leave a lot of things open.
So keeping AI risk in proportion and relative to all of your other initiatives is important because if you're not managing access to data, if you're not managing the security of your systems or infrastructure, if you don't have like good visibility and coverage, AI is only one facet of a number of risks that you're probably exposed to and need to manage.
And so, yeah, prioritization is key.
[00:04:52] Blake Thompson Heuer: On the whole, do you think that AI is going to tip the scales in favor of attackers or defenders? You know, it's somewhat of a philosophical debate going on right now.
[00:04:59] Ryan Kazanciyan: I think it will be balanced. I think it's going to help defenders do everything from building detections faster to doing things like synthesizing logs and finding insights and anomalies quicker, understanding their environment, their infrastructure more easily.
Helping accelerate how people write security tools and develop, like, automations to deal with common, repetitive security issues. And it likewise will help attackers automate certain things, so, like, researchers have looked at areas like building better phishing emails by training LLMs on a corpus of a victim's mailbox so you understand exactly, like, what messages they write and how they write.
Interesting. I take a tempered view towards this because a lot of the hardest things in security are not so easily automated. So for an attacker, for example, throughout the last couple of decades, what we've seen is there's always a new initial entry vector that gives you access. There's always going to be another exploit.
There's always going to be a social engineering technique that lands you access. The hard part is what you do with that access. And so for attackers, the job is that post compromise activity and scaling that out. And if you're a crimeware group, it's scaling it for financial gain. If you're an espionage motivated attacker, it's leveraging that foothold to get the data you want.
But I don't think that aspect of the work is as readily automated. And the same is true for defenders. Like, dealing with tier one and alerts and all the day to day noise and internet weather you get with defending infrastructure is time consuming and well suited for automation. Dealing with the more tailored, targeted, advanced stuff, I think these are areas where AI technologies can augment humans, but there's still a long ways to go before we figure out where it might replace outright.
[00:06:41] Blake Thompson Heuer: That's a really good point. Personally, I agree. I do think that there's still that kind of finesse that's needed with certain aspects of both attacking and defending that it seems like AI would be really hard pressed to erase right now. Especially like you're saying, if you get a foothold in the environment and then you're trying to pivot somewhere else, it's not like you can rely on this corpus of data to tell you what to do next.
It's all new to you. You got to map it out. You got to explore it. You got to figure out what's going on. And you know, AI is not necessarily going to help you with that.
[00:07:06] Ryan Kazanciyan: There's always this, like, cycle of adaptation by both attackers and defenders. I think back to when Cylance first released their product, and their innovation at the time was applying machine learning to do malware detection and training a model on binary features and then using that to reliably and efficiently detect new malware variants.
And it was a revolutionary idea at the time. And I remember for a hot minute there, like a decade ago, everyone was like, OK. If this works, this completely disrupts the malware ecosystem, and it basically solves the malware problem. And here we are a decade later, and every single anti malware solution leverages ML models, and yet, as we all know, malware and living off the land techniques and other attack techniques are still pervasive.
Now, that isn't to say, like, these solutions didn't work. They made things better. They shifted the attack surface. But they didn't solve the problem outright. And at the end of the day, like defenders still have plenty of new things to deal with and attackers have plenty of new tools to work with. So I look at that as an example where yes, LLM and AI technologies are going to be incredibly disruptive, but I also always have this degree of skepticism.
Like you rarely see things that just upend the scales for attackers or defenders in such a comprehensive way where you never kind of go back to the middle and find this equilibrium at some point.
[00:08:25] Blake Thompson Heuer: No, I'm reminded of some of DARPA's cyber grand challenges too. The Defense Advanced Research Projects Agency, where they had, I think a couple of years back, they had their own AI extravaganza that was like producing self healing software, right?
And everybody's like, Oh my God, if this works, we can eliminate entire categories of vulnerabilities. We can solve the like vulnerabilities and software problem. Well, needless to say, dear listeners, that problem is still very much with us. So I wanted to pivot to, you know, startup culture. Okay. We're both working for startups, I guess you could say.
I mean, Synack now is 10 years old, but it's kind of its own thing, the culture. And what made you really want to jump into the fray and what do you see next on the horizon for cybersecurity vendors?
[00:09:03] Ryan Kazanciyan: I've been fortunate to work at, I think, three or four now startups that are around this size, like, between 200 and 2,000 people.
And I guess, as you said, like, you reach a point where startup is maybe not the right word. But my favorite aspect of organizations in that size is the agility, and I like wearing lots of hats. I like being hands on in problem areas while in parallel trying to build sustainable teams and functions that can run those things in over time and getting to do that mix of things is something that like startup environments are usually great at.
You also get the flexibility, especially if you're coming in early to design and build systems the way you want or the way you aspire for them to be. And that's really fun and really rewarding. And I think with that, though, you have to sort of embrace the crazy pace and sometimes the ambiguity that comes with the reality of operating in these earlier stage organizations.
[00:09:58] Blake Thompson Heuer: Well, and I have to think that your title being chief information security officer at a cybersecurity company kind of carries some extra baggage. I imagine everyone at the company kind of speaks your language and probably feels like they have some sort of stake in the outcome of your role and your work in some of those systems you're setting up.
So what advice would you give to other chief information security officers, especially those who work for cybersecurity companies?
[00:10:21] Ryan Kazanciyan: I feel really fortunate in that, uh, working for an organization with founders and a team that knows and takes security so seriously makes my job so much easier, you know, never have to fight for air or support when it comes to prioritizing security work, but at the same time, as a startup, we also move at an incredibly brisk pace.
We're willing as a, like most startups to take more risks in terms of how we expand and grow what we do. And so that also creates challenges as a security leader to make sure that we're not creating too much friction, but also making sure there are good guardrails around systems and processes as the business grows at the pace it does.
And so the way I always look at it is like our role as a security organ, a security company is to protect the company, protect our customers, and then enable the business. And every single thing we build and do, I try to tie to those three overarching goals. Ruthless prioritization, I think, is incredibly important for any security leader, but especially in a SaaS or security startup.
We start every quarter in our team with a fresh look at the risks across the company that we're collectively inventorying throughout the quarter. And we openly discuss what we're planning with the rest of our leadership team, not just to get a common understanding of what we're doing, but also to get a common understanding of what we're deliberately not working on and why we're choosing what we prioritize.
And I think getting everyone aligned on those trade offs that are inevitable is a super critical aspect to doing this job effectively, because you otherwise, no matter how well resourced you are, spread yourself too thin and never make progress on the big things. And so getting that common understanding of the trade offs and the risks you're trying to burn down and why, I think, is a really important aspect of managing your teams, making your teams feel like they're making a difference and making your executive stakeholders feel like there's actually a strategy and direction underway here.
[00:12:10] Blake Thompson Heuer: I think the fact that you're talking about doing that sort of risk analysis quarterly already tells you something about the company you work for, when I feel like a lot of companies have never done a comprehensive risk analysis across their assets of what they're actually up to and where they might need to prioritize.
But speaking of that sort of trade off point that you made, that segues well into my next question, which is, it really has to do with one of your former employers, but somewhat recently, late last year, I guess, Meta announced that they're launching end to end encryption for Messenger. And obviously this is a tool that's used by just untold millions and millions of people, if not billions.
It strikes me as pretty monumental, but stepping back from the particulars of that announcement, which I know obviously you won't be able to speak to, I would be curious to hear your philosophy when it comes to that sort of trade off issue of balancing privacy, security, and convenience. You know, it's a calculus that can factor into so much more than just Messenger.
Just about any product these days needs to strike some sort of balance. What are your thoughts on that?
[00:13:05] Ryan Kazanciyan: It's a super interesting topic. Like, we could probably spend hours just on this and there are security engineers far smarter than me that could go much deeper. But I think end to end encryption is a really good example of a domain where you have to think about the trade offs really consciously and with a lot of diverse stakeholders participating across the organization.
And so to give a singular example to ground this, so let's take end to end encryption and how it affects security. So in end to end encrypted messaging, you can't do a lot of the security focused content filtering that you could do in an open messaging solution. You can't screen URLs that are being sent or attachments that are being sent in the messages in a centralized manner and look for malicious content.
And so then how do you ensure malicious content doesn't reach the user's device? Maybe you push some of that filtering to the device, but then if you're building a solution that has to be used by billions of people with a huge range of device types, and you need it to be accessible by people with old and new phones alike.
Again, those create trade offs and constraints, and so it's super interesting to think about those constraints as you're engineering a system. The most important thing I think I found is that you have to begin with a documented and clear set of first principles that are established across privacy, security, legal, and every other stakeholder that might be affected.
And just negotiating those out can take months, sometimes years. But that framework has to be used as a grounding point for all future decision making. The nice thing, though, is when you do have that in place, I think sometimes through that sort of crucible of limitations or trade offs, you sometimes get really innovative approaches.
And I've definitely seen that firsthand, where people will approach a problem space and say, Well, This is now impossible to do because of the trade offs we've had to accept. And then they look at the problem and come up with a clever way around it that actually balances the equities pretty well. There isn't always a perfect solution that achieves that, but it does create a lot of innovation, which I think is part of the fun part of working through those types of problems.
[00:15:08] Blake Thompson Heuer: And good luck getting an AI bot to have that same little stroke of genius, right? Now, so you're based in the DC area, as am I actually, I'm reporting here from Capitol Hill, and you've helped contribute to the FBI's mission, not to mention I know Wiz for Government and the FedRAMP work, I imagine that keeps you pretty busy as CISO.
What's the next frontier for cybersecurity in the federal space, whether from defensive or law enforcement perspective?
[00:15:30] Ryan Kazanciyan: We're seeing federal organizations migrate to the cloud at massive scale. I mean, you see like publicly the big news releases from all the major cloud providers like Amazon and Microsoft about the contracts they're negotiating and winning.
And that's indicative of just the sheer scale in terms of the size of these agencies and the organizations and how much is going to be moving into public cloud in the coming years. And so as compared to other sectors, in many cases, they're earlier in their journey. And the higher regulatory bar in terms of like enforcing security standards and compliance paired with the complexity of moving workloads, both new and old to public cloud, just creates a massive amount of complex work.
And the good news is there's good processes and tools and frameworks in place. I think in general, public cloud, when well managed, can be much more secure and manageable than what a lot of organizations were previously doing on premises, but it takes planning and effort. So I think you're just going to see that in this coming decade.
And it's why organizations like Wiz are providing federal focused offerings, because it's a massive need and a massive opportunity as agencies modernize their back end infrastructure and production stacks to run in public cloud.
[00:16:42] Blake Thompson Heuer: And I'm sure as they're modernizing those, they're not misconfiguring anything.
It's all flawless implementation of the cloud, cloud adoption, right? No, nothing to see here, folks.
[00:16:49] Ryan Kazanciyan: Yeah. And like, you know, you've got the sort of ideal, which is if you're building a system with the premise of like having it run in the cloud from day one, you make very different design decisions, but sometimes you have to keep the lights on or operate under budget or operational constraints.
And that means moving old systems over to run in the public cloud, but still running in old ways, at least in the near term. And so you have to accept that and work around that you can't always build for an ideal reference architecture. And I think that's, again, where a lot of security organizations and security product vendors are focusing their efforts on enabling that.
[00:17:23] Blake Thompson Heuer: I feel like the real-time theme I'm seeing emerging here is one of trade offs, right? There are always trade offs with these things that, you know, so keep an eye on that. But you've worked at some really heavy-hitting companies in your career, Mandiant, Meta, now Wiz. What's something that you've learned along the way and would want to share with others who are contemplating a career in cybersecurity?
[00:17:42] Ryan Kazanciyan: Yeah, I mean, I've been fortunate to get to work and learn from some really remarkable people at those organizations. And I think there are two things I found. One is the balance between spending some time in huge organizations and spending time in startups, I think, gives you a good mix of perspectives.
Early in my career, I worked at PwC and then most recently again at Meta. And I think learning how those organizations built systems to run at massive scale in a relatively consistent, repeatable way was really informative. And if you take the bits of that, that you can then apply to like startup world, you can inject good process and structure and learnings in ways where it's helpful.
I think personally, I also tried to always, when considering new roles, like take something that forced a perspective shift and put me out of my comfort zone. And so like at Mandiant, my day to day life was leading breach investigations and understanding security from the vantage point of post breach investigation and cleanup.
Then at Tanium, it was weaving security into IT operations and like the preventative hygiene. And then at Meta, it was security ops at massive scale. Now at Wiz, like shifting to cloud and also shifting to the CISO role. And so moving out of my comfort zone and taking those different perspectives, I think gave me the benefit of learning from a lot of different stakeholders and perspectives and, I think, gives you a bit more of a like, well-rounded experience than if I were to just have hyper focused on one area like incident response or red teaming or one other facet.
[00:19:08] Blake Thompson Heuer: That's really quite an impressive career you've had. And that includes, I guess, working on two seasons of Mr. Robot. I have to ask, how did that happen?
And what's kind of a misconception that you see in cyber-based media? I feel like Mr. Robot handled issues pretty well. Maybe because you were consulting on it. I don't know, but Blackhat and Chris Hemsworth, uh, man, I don't know if that movie...
[00:19:30] Ryan Kazanciyan: I watched Blackhat and I can't even remember anything from it now, which tells you how much stuck.
No, it was a really interesting series of coincidences that led me to work on the Mr. Robot team. So a former coworker of mine was at a CES convention, like panel with a few other technology leaders and then one of the producers and writers for the show, Kor Adana, who was responsible for the technical accuracy of the show, including all the hacks.
And that was during season one and they needed an FBI consultant. And my former coworker was a former FBI agent. And so like he got brought in for that. And then during season two, they needed a new technical consultant and it was already midway through the season. And so through that connection, they pulled me in and I helped with a couple of scenes, including like the end of the season hack and we had a good working relationship.
I really enjoyed it. And so like season three came along and they're like, do you want to do this again? And I said, absolutely. So worked from like the early stages of when they were in the writer's room, coming up with hacks to fit in with the story and align with like the broader like plan of the season arc and did a lot of like design work on what the hacks would look like with the amazing production team there.
So yeah, it was a super fun experience. And I think the focus on accuracy was exciting. Like everyone would freeze frame the show and then tweet like the screenshots and talk about like what was right or what was wrong about them. We'd always pay attention to that because it was gratifying that people knew and cared.
The hardest thing to get right, and this is even true with Robot, is time. Like, we would always have to simplify and squeeze the time in which it took to do something, even though the show was much more, or tried to be much more accurate than traditional media. Anytime you see hacking depicted in the media, it's always like things that would take days or weeks to plan and execute you see squeezed into like a matter of minutes or hours at best.
And that's like the one trade off we'd often make in the show like, all right, we're going to make this as realistic as possible. But Elliot can't spend two months like planning this, he's gonna have to do it in like an hour for the story to work, and we just accepted that.
[00:21:34] Blake Thompson Heuer: Well, you're preaching to the choir there, I mean, the name of our podcast here, We're In, alludes to that classic hacker, Okay, just type in the keyboard frantically for a couple seconds, and boom, we've hacked the ultra encrypted dual, you know, military grade mainframe, and we're in.
We're in! You know, which is classic. But, speaking of cyber TV and movies, if Christopher Nolan or, okay, some other famous director, doesn't have to be Chris Nolan, but were to direct a cybersecurity film about our current era, maybe 20 years from now, what do you think it would be about? And Stuxnet doesn't count.
That's too old. Cause I feel like that's kind of an easy one.
[00:22:05] Ryan Kazanciyan: I just finished watching Oppenheimer. So like Nolan's film or amazing film work is fresh on my mind. Yeah. It's interesting because like, there's been so many breaches that like, as someone in the industry, we think of it as so impactful and so interesting, but don't necessarily have that obvious kinetic effect to like the general public, like SolarWinds, I think is an incredibly compelling one, and the Mandiant breach and everything that went around that is super interesting, but I'm not sure it has that like kinetic boom that to an outsider of the industry would convey why it was so impactful and why it continues to have ripple effects.
You know, maybe Sandworm, Andy Greenberg's got the great book on it, but the Sandworm attacks and the effects it had on the Ukrainian power infrastructure and now that we know today like where that led with the war between Russia and Ukraine, like that potentially is a better narrative for a Chris Nolan type movie and is one of the examples I can think of where a cyber attack had a very like overt kinetic impact.
[00:23:02] Blake Thompson Heuer: Yeah, that one was, uh, Sandworm. Don't even get me started. We could talk for an hour on Sandworm as well, because I reported on that group quite a bit in my career at Politico and E&E News. But yeah, I really appreciate your time. I know you've got a packed schedule with all sorts of exciting stuff you're working on over at Wiz and building these systems.
No legacy codebases to need to win. That's the startup advantage, right? You can kind of start from scratch and do things right. So I do want to ask you one question that we ask of everybody who appears on the podcast, which is the fun fact question, if you will, what's something that we wouldn't necessarily know about you just by looking at your LinkedIn profile?
[00:23:36] Ryan Kazanciyan: One thing that comes to mind is how to pronounce my last name, which I often get a lot, Kazancian. So, uh, it's an Armenian last name. I'll often get asked about its heritage. I guess my background is kind of interesting. So, Armenian last name. My father is Armenian. My mother is a mix of Greek, Italian, French, and a bit of Armenian as well.
And they both grew up in Istanbul. So I'm first generation American. They moved over when they were really young. And so I grew up hearing like a mix of languages like Turkish and others in the house along with English. I don't think I appreciated this growing up, but it definitely in hindsight, like the exposure to the cultures and perspectives from like that global view, I think, served me well, and in later years, my wife and I have traveled the world quite a bit and now working in an international company, like I continue to just appreciate like having grown up in a background where you got to be exposed to all those different cultures and perspectives at an early age.
[00:24:27] Blake Thompson Heuer: Well, again, I appreciate you sharing some of those global insights with us here and thanks again for joining us.
[00:24:31] Ryan Kazanciyan: Thanks so much for having me. It was a pleasure.
[00:24:36] Blake Thompson Heuer: If you liked what you heard today, I hope you'll give us a five star rating and review. It's a big help. And please share this episode if you know anyone who could appreciate a little InfoSec wisdom on their morning commute. We have a whole catalog of episodes well worth a listen, so you may want to check out past interviews as well. Finally, if you know someone who might be a good fit to appear on the podcast, or have any comments or feedback, drop us a line at wereinpodcast@synack.com. That's S Y N A C K dot com. Until next time.
[00:25:06] Narrator: WE’RE IN! is brought to you by Synack. If you're looking for on-demand, continuous access to the world's most skilled and trusted security researchers, you can learn more at synack.com. Synack recently launched its Empower Partner program so that partner organizations can more easily offer the Synack pen testing platform to their own customers. This approach helps optimize Synack partners' technical competencies and allows them to better integrate Synack into their portfolios. It's a way that partners can win new business by adding continuous, best in class solutions to cybersecurity, cloud, and DevSecOps offerings. Synack partners with organizations around the world to make them safer, more resistant to cyber attacks, and more capable of finding and fixing dangerous vulnerabilities before attackers are able to exploit them. Learn more at synack.com. That's S Y N A C K dot com.