WE'RE IN!

Sean Zadig on the “Paranoids,” Ethical Hacking and Crafting a Security Culture

Episode Summary

Sean Zadig has plenty to be paranoid about. The internet is a frightening place, and Yahoo’s Paranoids–the name for the company’s infosec team–have their work cut out for them protecting Yahoo’s more than one billion global users. As vice president, chief information security officer and “Chief Paranoid” for Yahoo, Sean is charged with keeping sensitive company data safe from an onslaught of cyberthreats, working collaboratively across all Yahoo’s media and technology brands. In the latest WE’RE IN! episode, Sean speaks to the need for balance in security messaging and shares how he addresses risks like Log4j. It takes patience and finesse to build a strong culture of security in any organization, let alone a global tech and media company with thousands of employees. “It's important to not shame people, so you don't want to say, ‘how could you miss this?’ Or, ‘what happened? Why, why did you commit that code?’” Sean says. “Instead, we use it as a learning experience.”

Episode Notes

Tune in to discover how Sean keeps Yahoo on the right track and hear more about:

* Yahoo’s approach to bug bounties and pentesting

* His unlikely path to security leadership: “It was never my career aspiration to become a CISO”

* Sean’s focus on examining what motivates the attackers targeting Yahoo every day


Links: 

* https://www.yahooinc.com/technology/paranoids-blog/

* https://www.synack.com/

* https://readme.security/

Episode Transcription

Bella: So hello, Sean. Welcome to the show. Uh, Jeremiah and I are both really, really excited to get to chat with you today. Um, so first of all, uh, I, you know, in addition to being Yahoo's CSO, uh, I've heard that you are also the chief paranoid.

Uh, could you tell us exactly what that means and who the paranoids are?

Sean: Yeah. And first off, thanks for having me. This is really cool.

Sean: Um, so the paranoids, uh, the paranoids are Yahoo's information security team. And so, as you said, in addition to being the CSO, I'm also the chief paranoid, and the name is, you know, it's kind of fun. Um, people, like, smile when they hear "the paranoids," but also it, you know, it has a serious side, and I think it sort of, uh, it shows how we think about our users and their, and [00:14:00] their security and their safety.

And we are essentially paranoid, uh, for them. We're paranoid so they don't have to be, um, so they don't, you know, they can come onto our websites and they can use our services and, you know, kind of do it, um, uh, kind of worry-free while we're the ones kind of behind the scenes being paranoid and looking at the threats and thinking about their.

Bella: So as the chief paranoid, uh, do you think that that makes you more paranoid than everyone else? Or do you think that it's more of a case of you are leading the paranoia of your team?

Sean: I would think I probably help guide and shape the paranoia. And, uh, I wouldn't say I'm more paranoid than others. I have a lot of paranoid folks, uh, who have really interesting backgrounds, um, on the team with me. Um, but I think I try to help them balance that paranoia and make sure we are kind of guiding it and directing it in a very useful way.

It's really easy to get taken, like, to get carried away, I think, um, [00:15:00] thinking about threats and thinking about, um, you know, what could happen on the internet. It's a very scary place. Uh, but then balancing that with, like, what is happening, and are we, you know, as we try to bring people along, as we think about threats and risk, are we losing some people because we're talking in, you know, very militaristic or, like, intelligence-community-focused terms, um, which I, I do as well.

Um, but you know, having that balance and making sure we're not being too high-speed, too tactical or whatever, in our, in our conversations with, with our users and our stakeholders is probably the balance that I bring.

Bella: And how do you, like, when, when pursuing that balance, how do you know, you know, if you've gone too far and you're in the kind of unproductive realm of paranoia, and if that happens, how do you come back to that more, you know, rooted-in-action-and-productivity, you know, version of this kind of work?

Sean: It's hard. I think people don't get it right. Um, or often don't get it right. I mean, [00:16:00] I guess a clue is if you're talking and, like, people's eyes start glazing over, then that's, that's a, that's a sign. Um, but I think, I mean, really, you know, you sort of have to check yourself and, like, are you using language that isn't inclusive, isn't well understood by, um, you know, all the people you're trying to reach and support?

Jeremiah: I was wondering if you could also discuss sort of the business side of what you do from a CSO's perspective. What's the average day like for a CSO?

Sean: So I think my day [00:19:00] probably resembles a lot of, a lot of CSOs'. Um, it's kind of a mix between inward-facing, so looking at the security team itself, um, and, you know, meeting with members of the team, um, getting, uh, like, so for example, today I attended what we call our quarterly ops reviews with different parts of the organization where they, like, I just got out of one with our cyber defense team and they presented from the different parts of that team.

Like insider threat, our threat detection team, e-crimes, other teams. They present, um, you know, what's, what's happened in the quarter, some of the accomplishments and, uh, things they're proud of, projects they've completed, and then also areas of friction they might be having. Uh, and so I like to kind of spend time with the team, understand, you know, what's working, what's not, what they, what might they need air cover on and, you know, some assistance with. Uh, so yes, so half of my time is spent inward. And then the other half is spent sort of external to the security team. And [00:20:00] that might include, um, you know, company stakeholders, like our CEO, our, um, uh, our CTO or other executives, or company, you know, parts of the business where they might be doing, um, mergers and acquisitions or new products or things that, you know, are new risky areas that they might need some security guidance with, um, or even outside the company.

So other CSOs, sharing threat information, best practices, you know...

Jeremiah: Oh, well, that's interesting. So do you, have you guys set up, like, a consortium of information sharing with other spaces or...

Sean: Hopefully I'm allowed to talk about it. There, there, there may or may not be a, a community, uh, with a virtual component where I can kind of go in and talk to other CSOs in industry and, you know, "have you seen this?" or, or, if you're going for cyber insurance, when you're old, you know, what, what sort of, um...

Jeremiah: I love

Sean: of things.

Jeremiah: Because that's one of the problems in industry today, and in cyber and in federal and in DoD and in everything, is there's not enough [00:21:00] information sharing and everything's kind of siloed off. So that's huge.

Bella: I think that has come up on some of our previous episodes too, where we're, I think, like, there has been what I think I and others have seen as sort of a shift towards more... And I guess it's not even really necessarily a recent shift. I don't want to sound dramatic there, but, like, over the years there's been a shift towards more of a collaborative environment in security where CSOs and companies and all different sectors really are sharing that information so that we can all, as a community, push towards better security.

And it seems like that's, like, really important, but I guess, yeah. As a CSO, what's your take on that in terms of importance? Like, why is that necessary?

Sean: I think it's super important. I think we're, we're coming to the point in industry and, you know, in sort of our collective security consciousness, that a lot of this is collective defense and, you know, and to use another [00:22:00] cliche, um, the rising tide lifts all the boats. 

Jeremiah: So I'm going to circle back to the paranoid side for a second again. Um, with that same concept of information sharing, I know there are [00:23:00] some in the industry who are afraid that if they share too much information with others, uh, that might inadvertently cause them to become more vulnerable themselves. Um, how do you all juggle that and how do you get around that level of paranoia versus, uh, the rising tide cliche that we spoke about?

Sean: It is a balance.

Jeremiah: Yeah.

Sean: Uh, part of it is there needs to be a level of trust. And so I am going to share, you know, I'm going to be more open perhaps with, uh, somebody from, uh, a company that I've, that I've worked with in the past or that I trust, or I get introduced via a trusted contact. Um, unfortunately that network, like, you know, the person-to-person network, is really still very critical and it doesn't scale very well.

Um, but it also, uh, you know, it is hard to sort of share openly because there are, you know, attackers, I was [00:24:00] about to say adversaries, but there are attackers who, you know, it's hard not to, it's hard not to say it. Um, but they, they break into, infiltrate companies, infiltrate communications, you know, technologies.

Uh, and so, you know, there's, I've been in situations where attackers are monitoring my communications and, uh, I want to be sure that, you know, I'm having a communication with somebody who I think, uh, is, is trustworthy. Um, but you know, once we've got past that kind of initial level of, like, "Hey, do I trust you with this information?"

Um, you know, being as open as possible, uh, is, is really beneficial. And, you know, even with the general public, with, uh, with policymakers, like, our sort of impression is the more you can share, the better. And we use this other term, not a cliche, but a term of, uh, "no secret squirrels," and, you know, try, try to avoid, again, that sort of, like, non-inclusive, um, high-speed language like that that turns people off and, uh...

Jeremiah: you don't want any green door [00:25:00] programs then?

Sean: Yeah, exactly.

Exactly.

Jeremiah: Um, so we've seen some really, uh, you know, nasty vulnerabilities that have presented themselves over the last couple of years. Um, with having to juggle everything going on at Yahoo, from the CSO's perspective, and these, um, critical and high-level vulnerabilities like Log4j, Log4Shell.

Can you walk us through how you all handle those and how you go about exchanging information in such critical ways?

Sean: Yeah, that's the, uh, so Log4j, Log4Shell, was, uh, you know, I told the paranoids, uh, at a recent all-hands that this is hopefully one of those, uh, incidents that you will only experience once every five to ten years. And it's one thing you'll look back on in your career and say, "Wow, I'm really glad I went through that."

Um, I learned a lot during that period. So within Yahoo, you know, we had a very significant and [00:26:00] serious response to that. Um, but I think for us, the real work began many years before that. Um, because we had to create essentially a culture, uh, inside the company, uh, of cybersecurity. We had to lay the groundwork that allowed us to respond quickly.

Um, to Log4Shell, but we had to really begin that many years in the past. Um, because we had to build the trust, we had to sort of establish trust with our business units, our engineers, software engineers across the company, um, to show that we're, you know, responsible stewards of their time and attention.

And if we are ringing the bell and saying, "This is the biggest deal in years," like, it really needs to be, and people, uh, who, you know, who depend on us securing their infrastructure and, you know, doing their code reviews and such, if we are sort of standing up and we're saying, "This is really important, you need to stop everything you're doing, stop working on new features and patch this vulnerability," they understand that we mean it. And they're going to do that, even though it's going to [00:27:00] potentially disrupt their, their roadmaps and their, uh, their product launch calendars.

Jeremiah: So that's pretty hard, right? Because there are so many different, I was just thinking about the different components that are involved there, and that's a lot, logistically. That's, that's a difficulty, I think. How, how are you all not seen as the bad guys, and how did you become trusted partners with the rest of the business?

Sean: It's taken a long time. And I [00:28:00] think, I think we probably started out in that more adversarial, um, perspective where, you know, initially, I think the company thought that we introduced friction and we were there to slow them down and be the sort of "department of no." So, uh, it's funny. I was never, I was never an actor.

I always sort of, as a sort of true nerd, was behind the scenes doing, like, you know, theater, uh, lights and sound and things like that. But there was a line that my actor friends liked to use when they were doing, um, uh, you know, sort of stand-up or what have you. And they would, it's not, it's not "no," it's "yes, and." And so we became, I think, the team of "yes, and." So somebody comes to us and they want to do a certain thing that we think is kind of risky. Um, instead of just saying no and shutting the conversation down altogether, we'll say, "Let's find a way for you to get there in a way that makes us happy."

Uh, you know, still reduces risk, but, um, you know, allows for that important business transaction or [00:29:00] deal or whatever it is to proceed. Uh, and so it took a while, I think, for the, the company to realize that we, you know, we're committed to the success of the business, uh, while simultaneously, uh, committed to the protection of, you know, our users and the data that they trust us with.

Um, and to be honest, the way they get there is to be as open as possible. And so when there's an incident like Log4Shell, um, we're not going to go into total lockdown mode and not communicate. Uh, we're going to actually tell our, you know, our stakeholders or business partners within the company what we're doing and what we're asking them to do.

And if we make a mistake along the way, we'll tell them, "Hey, you know, we made a mistake. Uh, we ticketed that thing, we shouldn't have, it wasn't really vulnerable, you know, but we're trying to move as quickly as we can to protect everybody." So, you know, like, here's, here's transparency, here's where we're going forward.

Um, and that, that seemed to work. Okay.

Bella: I think something like this, this idea of, you know, a culture like security, [00:30:00] cybersecurity, more ingrained in the culture of, um, a company in particular. I think that's something that we've talked about. Like, I'm seeing more of a trend towards that. Um, and something that I feel like always comes up when we talk about this is how to shift towards all levels of the business.

How do more levels of the business move towards better cybersecurity, or less friction, at least, with cybersecurity?

Sean: It's a really difficult problem that I think, you know, we're still trying to get right. Um, [00:31:00] part of it is making sure that when you're communicating with your audience, um, in this case our internal stakeholders, our executives or product teams, you know, we're, we're approaching it at the level that's important to them.

Uh, and so, you know, I may not go talk to our CEO, who I have regular conversations with about security, and may not talk to him about vulnerability scanning or, you know, about, um, patch management. Like, I think I want to speak to him at the, at the level at which he's at, which is really around business and contracts and around, like, what's, what is important for him to know? What does he need to know to do his job? And having that kind of targeted conversation at all levels of the company, I think, really does help, you know, build trust with them. They kind of understand that you speak their language.

They don't have to learn your language necessarily, so you can kind of bring them along for the ride a lot easier, um, understanding what's important to them as well. And I think that's really important is this.

Jeremiah: Is it, is it important [00:32:00], in your, your professional opinion, is it important for executive leadership to take an onus upon themselves, though, to educate themselves more in this realm as well, instead of just the CSO or the CIO having to 100% speak their language so that you can get the point across? Obviously that's important, but should there also be reciprocity the other way?

Sean: I think there kind of has to be now. I mean, because cyber is so ingrained in the, in the daily conversation now, um, you know, with what's happening in Ukraine, with ransomware gangs, uh, with things like SolarWinds, uh, I mean, it's like these conversations are happening at the board level, with our insurers, um, with our business partners, you know, if a partner who wants to sign a large deal with us, um, they're going to ask us questions about our security posture, and, uh, you know, our sales teams, our executives, our CEO, they need to know where we stand and what to say when they're [00:33:00] asked those in those venues, because those conversations aren't happening just at the security team level anymore. They're really happening in all areas of the business.

Uh, so yeah, I think there is, there is some kind of basic level of understanding that, hey, a CEO, a board member, you know, a VP of sales needs to have, and then they also need to know when do they call us, and then we come into that current.

Bella: So I imagine that, you know, this, this idea of a culture of cybersecurity or building a security culture is probably kind of a moving target. I imagine it's something that is constantly evolving and changing. Um, you know, with that in mind, what do you view as success? Or how do you know when you're on the right path?

Sean: So I think one of the ways we know is people, our internal teams, for example, our product teams, uh, they come to us and they ask for engagement earlier. Um, and so we've kind of trained them on, like, "Hey, if you're seeing a product [00:34:00], come to us before you launch and we'll review it and make sure it's safe."

Um, but we're getting, they're even clamoring for more engagement, and, um, even so much so that we have, we have a program we call the deputy paranoids, where we, um, we actually sort of train and federate, um, individuals within the development teams. We give them special training, security training. We kind of deputize them to be, like, sort of our, you know, eyes and ears within the product team.

And it allows them to go through code reviews faster, launch products faster. Um, and you know, we, we get so much interest in that, like, business leaders are like, "We want people to be deputy paranoids too," because it helps them avoid, um, you know, problems that happened earlier in the product design or launch.

Or, you know, kind of engineering lifecycle, and to use another cliche, like, we're always trying to shift left. Um, but this is something that really, you know, our business partners across the company are really excited about, is like, "We want deputy paranoids too." And I think when you get [00:35:00] that level of engagement, when they come to you and they want, you know, want that, or they're coming to you and they're asking for your opinions on things like, you know, geopolitics and "What does the situation with Russia and Ukraine mean?" You know, China and Taiwan, for example, or a couple of years ago, uh, the Hong Kong national security law, um, "How does that affect, you know, our personnel and data in Hong Kong?" Those sorts of things, uh, getting that engagement from them, they come to us and they ask for our counsel. I think that shows we're on the right track.

Jeremiah: I think that's super interesting. Uh, first time I've heard of a program like that actually in the, um, security space within an organization. And I really like it.

Um, early in the conversation you had mentioned the paranoids, um, sort of act as the paranoids on behalf of the customer, and then to, um, Bella's question, how do you measure the success and how do you know you're going down the right track? Um, how does that translate over to, uh, uh, communication to leadership on the success?

Sean: Yeah. I think one thing we try to do is tell stories, um, and we have a lot of situations where, you know, we might have disrupted a, uh, a gang of South African, uh, BEC hijackers, for example, who were targeting, uh, you know, certain types of professionals, and maybe, you know, we got at, and this is, you know, not maybe, we did, uh, we, you know, resulted in [00:38:00] having some individuals in South Africa arrested based on an investigation we had done, uh, where user accounts were being hijacked. And instead of kind of, like, taking that information and not sharing it with, with the company, we actually went on a road show. We talked about "Here's the lessons that we learned, here is, you know, what you need to understand for the product you're developing."

Um, "Here's why, you know, this feature you want to launch might, maybe isn't, and maybe should be reconsidered, or you should come to us for, for some guidance earlier." Um, so I think sharing as many stories as we can, and we have a lot of good stories, um, about, you know, we have platforms that, you know, over a billion users around the world use in one way or another, uh, hundreds of millions of active users, uh, on a monthly basis.

Um, so as a security team, we get to see a lot of interesting things. And the more that we can do to share what we see, from a sort of threat and attacker profile perspective, what users are really doing [00:39:00] on the products, um, how, you know, bad actors are thinking about, uh, about new products, take that and kind of go on little road shows inside the company, that helps us get the message across that.

Um, you know, that we're, we're a resource for them to engage with, uh, and that, um, you know, they can, they can come to us with questions. So, yeah, I, I think telling stories is a big part of the answer to that.

Jeremiah: So early in your security career, you worked, um, as an e-crimes investigator for NASA. Uh, that's, that's awesome. Uh, I think that sounds super interesting, and I was just kind of wondering what that was like and, um, how often were hackers trying to break into NASA networks and steal data?

Sean: Yeah. So I spent seven years as a special agent with the NASA Office of Inspector General. Uh, they had a computer crimes division, or now it's called the cyber crimes division. Um, and I was a, uh, a federal agent, carried a, [00:40:00] carried a gun and a badge, uh, and investigated cyber crime. Uh, it was not as glamorous as it sounds.

It was, uh, you know, I was, it's probably the nerdiest sort of federal law enforcement job you can have. Um, but it was really rewarding. Um, NASA is a, is a really interesting environment. As you may know, there are NASA, what they call centers, all over the United States. And, uh, each of them is kind of run like a university, with their own security policies and posture and level of investment.

Uh, and there are a lot of different types of attackers who are really interested in getting into NASA systems. And some of these could be, um, you know, nation-state attackers who want to steal, you know, rocket technology, which you could use, um, you know, for launching space shuttles but also launching missiles.

Uh, but it's also like a lot of, you know, script kiddies, to be honest. Um, and for some reason, the Romanians really loved hacking into nasa.gov, uh, servers and then popping on [00:41:00] IRC and bragging. Uh, and so, yeah, it was, it was really, um,

Jeremiah: That's not the company I would immediately think, or the country I would immediately think...

Sean: Uh, Romania was, like, one of our most active countries. Um, when I was there, I, I spent some time working those threats, but I spent most of my time working on, um, botnet investigations. And those were actually situations where most of the time the, the attackers, the bad actors, were not, um, targeting NASA itself.

They actually were just looking for hosts that they can sell their malware on. Um, maybe it was spam sending malware, or maybe it was click fraud, advertising fraud, malware.

Jeremiah: From an external-facing...

Sean: Yeah. Uh, and then, you know, it actually was really great. I got to sort of travel the world. I went to Russia and met with the FSB.

I went to Estonia and did a, you know, worked on a giant, um, botnet takedown. Uh, we had, I had, you know, individuals I was investigating and arresting [00:42:00] in Nigeria, and went to China and met with, uh, Chinese law enforcement to try to get a, uh, um, a hacker arrested there. Uh, it was really kind of a fulfilling and exciting place to start my security.

Bella: That's wild. I think, like, it's interesting. Something that we, we kind of, we end up talking about a lot. I think we've talked about it on this podcast, but also just, like, I have this conversation when talking with fellow security folks in general, um, this idea of, like, a lot of the people that are working on security for large companies.

How important is it to have insight into the, the opposite side, the attackers, um, you know, whether firsthand, as, you know, I have a, I have a background in penetration testing and it informs everything that I do in the [00:43:00] way that I think about security.

Like, does that kind of experience, seeing the attacker side of things, inform the way that you do your...

Sean: A hundred percent. I, if your background as a penetration tester informs how you look at the world and security, I think my background as an investigator, as a, um, you know, as somebody who investigated incidents and, uh, and situations and, in criminal activity, really, um, that really informed, informs to this day, how I look at the world and how I approach, uh, security.

And so I would say I am very focused on, um, what motivates an attacker, not necessarily, like, who they are. That's helpful sometimes, but I don't need to know, you know, what building they work in, uh, or where they live. Sometimes that's useful, but, um, [00:44:00] knowing what motivates them, um, what are they after, if they, if they get a foothold into a network, where are they going to go?

Um, how long, you know, how well-resourced are they? Um, are you seeing just a small portion of the attack? Um, are they, are you seeing, you know, the whole thing? Um, that really, as a defender, I think really helps, um, you know, kind of contextualize, uh, what you might be seeing in the early stages of an investigation. It helps you really focus, you know, where you need to go.

Um, and really, I think it has helped me, because I think about, you know, investing and how to, you know, strengthen a cybersecurity program, focusing on things like, you know, cyber threat intelligence, um, is, is really important. And, uh, I think we've had some situations where, you know, that's really proved its weight in helping, you know, uh, erect defenses that are.

Jeremiah: So taking what you just said there, um, and tying it into current situations that are going [00:45:00] on in the world today with, uh, Ukraine and Russia. So given that kind of a background in thinking about how the attacker thinks, um, how are you all, uh, thinking about current threats from Russia towards...

Sean: I think we are thinking about it a lot, first off. Um, Yahoo is not just sort of a normal company. Like, we're not, like, a manufacturing or pharmaceutical company. Um, we are a company that provides services to users around the world, and there are users in Russia, or in Russia-adjacent states like Ukraine, like Moldova, like other places where, um, you know, Russia has an interest, uh, and, you know, we see Russian threat actors and threat groups targeting our consumers, um, through spear phishing, through malware, um, through, you know, information gathering of some sort. Uh, and so, you know, we need to make sure that we [00:46:00] protect those users, um, because there are situations, um, where, you know, cyber targeting

maybe at first glance seems innocuous, could have real-world consequences. And, uh, and you can see that, you know, what's happening in the news in Ukraine right now, uh, where, you know, that, that could result in an artillery strike, uh, being sent someone's way if their location is leaked from, you know, like, an app they're using, for example. So we take that really seriously.

And we think about, you know, the user first, um, we also think about, you know, our business and our partners and, um, you know, do we need to adjust how we, how we do business in that part of the world? Um, you know, what's the current sanctions regime, uh, OFAC compliance and things like that, uh, that might be happening.

And that is a very rapidly changing environment. Um, so I think there's a lot of different aspects to, to that. And frankly, one of the aspects is our, our employees have questions. [00:47:00] They want to know, what does it mean for them? And, you know, what does it mean for the world if this is happening? And we actually have a page on our internal intranet where we update on a very regular basis, you know, new developments in the Ukraine and Russia war, and, you know, try to kind of guide them toward, "Hey, this is, this is the impact to you."

This is the impact of our business. This is, you know, what's happening in the cyber world, um, to enlighten them.

Jeremiah: So out of curiosity, uh, because you are so, um, focused on providing services and, and, um, products to individuals worldwide, um, do you all have anything like that, like you have on your intranet, uh, external for maybe customers to also do some, um, I don't know, learning themselves about...

Sean: Yeah. So that's, one of the things that we are actually working on [00:48:00] doing right now is we have what we call our behavioral engineering team, uh, which focuses on using behavioral science techniques to encourage our employee base to, uh, to adopt, you know, beneficial security technologies. Uh, and so that might be, you know, cleaning personal data from data broker sites, that might be enabling two-factor on, you know, personal accounts, um, uh, using password managers, things like that. Um, we want to take this, you know, really kind of incredible content we've developed for our employees and take those same kind of behavioral science, you know, psychology, sociology, economics, um, perspectives, and start deploying that to our consumer base and, uh, you know, really trying to get them to, you know, to adopt 2FA or, you know, move from SMS to, uh, to push or a hardware token, depending on their, you know, individual threat level, for example.

Um, and so I think that's an area we're going to be focusing. In the next, uh, next [00:49:00] year or so is really taking away, learned for the past two to three years internally, and then deploying that externally to our.

Bella: How do you make that...? Like, I know we've talked a lot about, you know, internally focusing on gaining trust and creating this culture of security. And I think that that's one thing to do internally, right? But it's a whole other thing to do customer-facing. And I'm curious, how do you approach making security seem feasible and attractive to customers?

Sean: Yeah, I think it's a multi-pronged approach. So we need, for example, to see it built into our product marketing. And so as we launch new products, as we, like any company does, try to get users to adopt and utilize our products, we need to make sure that security is one of the things that's there, and really sort of making sure that those consumers, those users, can feel like they can trust our products and they feel safe on our products. [00:50:00]

So that's one way, that sort of marketing angle. I think it's also, we have a fairly active blog, we actually have our own podcast, we have a very active Twitter account. We do a lot of engagement with the bug bounty community as well. And we try to use that to kind of build a bit of street cred, in a way, and kind of have a long sort of, not backlog, but like backstory of credibility in the area that we can then leverage and, so to speak, speak with authority when it comes to, you know, getting my grandmother to adopt two-factor for us.

Bella: Yeah, it's funny that you mention this, because we wanted to talk about bug bounty with you today. I know that Yahoo pays out millions of dollars to ethical hackers who find flaws in [00:51:00] software. And last year I heard that Yahoo announced an elite bug bounty program, and we were curious what that is and how that is going so far.

Jeremiah: Millions of dollars.

Sean: We do, we do pay out millions of dollars. So, you know, again...

Bella: Hackers, are you listening?

Sean: Yes. You know, this is actually going back to my lens on cybersecurity, speaking as a former investigator, a former federal agent. I see the bug bounty program, to use another metaphor, as taking arrows out of the quiver of the attacker. And so we are depriving the attacker of a technique, a vulnerability that they could then use to hurt our users. We're paying an ethical hacker to tell us about that first. And so that program has been around for a long time.

We have launched this new elite program, and what this does is, I mean, we really try to approach bug bounty as a whole with a scientific approach, the scientific method in some ways.

And so with our elite hackers, which is 10 hackers from, you know, the thousands of bug bounty hackers who do research on our platform. We've invited 10 into a much smaller community, where they get expanded scope, they get early access, they get special promotions, and we get to sort of try out things on them.

And so say, for example, we're really concerned about XSS or CSRF or something on a certain part of our platform. We can point those elite researchers at it and see what they find. And, you know, they like it because they're getting these sort of promotions, there's nobody else competing with them.

In that part of the program, maybe we even give them authenticated access into an environment that [00:53:00] they wouldn't normally get. And then we get to sort of see what happens and then replicate those findings, and take what we get from engaging with them into the broader community of the entire bug bounty research community.

So it's been going for, I think, about a year now or so, and it's been really exciting and we've actually really, really gotten a lot out of it.

Bella: What's the difference between this type of bug bounty program and a traditional pen test?

Sean: So I think first off, we see a couple of different levels of engagement we have with the research community. The first is just general bug bounty hacking on our platforms; our scope is there. We also run bug bounty live hacking events. And in those situations, sometimes they're in person, and [00:55:00] then we'll actually bring hackers into a central location and we'll engage with them.

Like, I've gone to some of these events, I've talked to them in person. We'll have our developers or engineers who work on those products kind of talk to them. And so the hackers are learning about our platforms, but then our engineers are learning from them and thinking about, you know, how do hackers think, and what are they after, and what motivates them?

And so it's really valuable, I think, both ways. And then of course there's the elite program I mentioned earlier as that sort of third dimension. So, I guess the value of it, like again, so yes, we are sort of depriving the attacker of those weapons, those sort of cyber weapons they could use against our users.

We also try to make it much more part of our, instead of being its own thing off on the side that is kind of an annoyance to our engineers.

Bella: What happens when you find something that went to production, which means people, maybe on your team or throughout the company, missed something?

I've heard a lot of conversations about the right way to approach that, right? Because if you come out with, like, "how could you have missed this?", that can potentially create an environment that's not the best for security. But also, it's really important to make sure that those things aren't missed.

So I guess my question is, what is your take on that? Like, how do you create a security environment when you're responding to things that were missed in security checks?

Sean: Yeah, I think it's important to not shame people. And so you don't want to say, like, "How could you miss this?" Or, "What happened? Why did you commit that code?" Instead, we use it as a learning experience. So, how did our controls miss it? Okay, a developer may have committed something and it got pushed to production.

That was vulnerable, but [00:58:00] should we have caught it ourselves with our code scanning or other controls we have? And so we first look inward: what did we miss? And then we might circulate that as a new type of, you know, just-in-time learning that we can do.

And so, if a developer's committing code, maybe we can do a pop-up right at that code commit and say, "Hey," almost like Microsoft Clippy, right? Like, "It looks like you're, you know, about the SQL injection." Well...

Jeremiah: Oh, Microsoft Clippy.

Sean: It never gets old.

Jeremiah: The best.

Sean: So really use it as an opportunity to engage, and maybe it starts to spark a conversation where we're like, "Hey, what else are you up to?"

"Oh, it's interesting, you're working on that product. We had no idea." And it kind of becomes a deeper relationship we can have with that team, for example. Lemons into lemonade.

Jeremiah: I think there's so much insight you can gain from a program like that. But shifting gears a little bit, I wanted to ask a more general question around individuals who might want some advice from you, if you would be willing to share, on how they too could become a CISO, if that's something that they wanted to do.

Sean: So I, you know, I never wanted to be a CISO. I actually...

Jeremiah: Well, you've got it now.

Sean: And I'm stuck with it. It's, I mean, to be fair, it's very rewarding. I love this work. I love this team. But it was never my sort of career aspiration to become a CISO. I actually, on multiple occasions, was like, I love cyber defense work.

I love investigations. I love getting my hands dirty in data. I don't want to do anything else besides that. [01:00:00] But there come points in everybody's career when there's an opportunity to take on a little more scope, take on a new project, take on a new team or something, or you see a problem that needs to be addressed.

And, you know, you raise your hand and say, "Hey, we should address this problem." So, an example: I was hired at Yahoo almost eight years ago to build and start what we call our crimes team. That's our cybercrime investigation team. And in doing this, this was back in 2014 into 2015, we realized it's not just criminals.

Like, there are also nation states, there are also governments that were also targeting our users. And so I raised my hand and I'm like, "Hey, maybe we should build a team that focuses on APT, or advanced persistent threat actors," and got approval to do that. And then kind of kept going, and then started to see, well, there's also this insider threat issue that maybe we should look [01:01:00] at, and maybe we should build an insider threat team, and got approval to do that.

And so, you know, it's a combination of seeing a problem and basically saying, "I want to fix this, and I'm proposing a plan to do it." But then also when opportunity happens, like, say for example, at Yahoo, the company got sold; Verizon acquired Yahoo for a couple of years. And when that happened, a lot of people got really nervous and were like, "Oh, I don't want to work for Verizon, I'm out of here."

And they didn't wait around to see, like, would it be okay or not? And so that creates opportunities for people who decide not to leave to say, "Well, I'll take on a little expanded scope and I'll fill in and do some of those duties of people who left." And so, you know, not being afraid to say, "I'll do a little more."

Bella: Awesome, I love that. We just have one last question for you. It's the question that we ask everyone at the end of the show, [01:02:00] and feel free to answer with as much or as little as you'd like. But what is something that we wouldn't know about you just by looking at your LinkedIn or other online social media profiles?

Sean: I love that question. So...

Jeremiah: Along with date of birth, last four of your social, and...

Sean: And the street I grew up on, yeah.

Jeremiah: Right. Yeah.

Sean: So, okay. I might have hinted a few times that I'm kind of a nerd, and one thing you probably wouldn't know from my online presence is that I recently got into, and it sounds so nerdy to say, I recently got into, again, wargaming, which is like tabletop gaming. There's this game called Warhammer 40K that I used to play when I was literally in high school and early college, and I dropped it for 20 years.

And I was like, I need a hobby. I need something to do that isn't, you know, work [01:03:00] and family. And like, I love those things, but I also need something that's my own thing, right? So I literally, a couple of weeks ago, bought a set of Warhammer models and I'm assembling them and going to play nerdy games.

Bella: That's awesome. Honestly, you're in good company. That's not even nearly the most nerdy thing that I've heard in the last week.

Sean: Okay, I'm relieved.

Bella: I'm studying for, uh, my D&D character is leveling up next week. So you're in good company, trust me.

Sean: I'm a former D&D player as well. And my son, who's eight, within the past year has started to play once a week on Zoom with his friends from school. And my heart just, like, really, like, grew three sizes. And yeah, I was really proud that he is also a D&D player.

Bella: Everyone, look, nerds are cool again. I don't know what to say. That's it? Well...

Jeremiah: We've always been cool, [01:04:00] Bella. I...

Bella: Yeah. Sean, thank you so, so, so much for chatting with us today. This was really cool. Honestly, I feel like I could have kept talking forever. So thank you for sticking with us and chatting with us for quite some time.

Sean: This was super fun. Thanks for having me.