Joseph Mente (00:05):
We have a relatively small team and we need to leverage all of the latest and greatest technologies in order to maximize the effectiveness of that small team, on the DevOps team, on the IT team, and also on the dedicated security team. Because there’s always more that can be done with security. So how can you do the most possible with the resources you have?
John Giglio (00:29):
Hello, [00:00:30] welcome everyone. You are listening to another episode of Cloud and Clear, SADA’s Cloud Transformation podcast. I’m your host, John. Today I am very pleased to welcome Joseph Mente, senior director of DevOps, security, and ITOps at DroneDeploy. Before we get started, don’t forget to like and subscribe to our channel on whatever your favorite listening platform may be, so you can stay up to date on all the latest Cloud and Clear episodes from SADA. And Joseph, welcome to the show.
Joseph Mente (01:00):
[00:01:00] Glad to be here.
John Giglio (01:01):
Before we jump into the show and really get into some of the deeper areas of talking about security, can you just give us an overview of DroneDeploy and what you do?
Joseph Mente (01:13):
DroneDeploy is in the reality capture business. So a story I like to tell around that is construction. It’s always over budget and late. Well, why is that? Right? Well, you have some sub, sub, subcontractor digging a ditch, like specialist equipment [inaudible 00:01:26] and everything, and some other sub, sub, subcontractor’s only job is to put in [00:01:30] the piping, plumbing, and stuff, right? Simplified, but roughly that. Well, what if you could make sure before the first contractor leaves the job site that the ditch is exactly where it needs to be to the centimeter, exactly the right depth with everything, and then the next contractor, same thing, right? It’s exactly where it needs to be. All the way up through the concrete pour, the structural supports, the facade on the outside, taking pictures of the inside, the ventilation, HVAC, [00:02:00] electrical, plumbing, stuff like that. And then once you pass it over to the building owner, if there’s a leak or something, you can say, “Hey, there’s a leak behind here. Is that sewage or is that fresh water?” Well, you can actually see a picture of behind the wall, like x-ray vision.
(02:12):
So we like to say that we give our customers superpowers. You can do things, you can compare over time. You can see through walls, you could fly around, stuff like that. So that’s what DroneDeploy does for construction, for agriculture, trying to figure out where the best place to put fertilizer would be. For solar panels, the solar industry [00:02:30] trying to figure, like, oh, you do thermal analysis on a solar panel, see if something’s overheating or not hot enough. You can tell if there’s a short circuit there. Oil and gas, you name it. Anything that’s valuable, bigger than a table, valuable outside, that’s what we do. What I do is manage all of the cloud infrastructure that runs all of that and make sure it’s all secure, and that all of the internal employees are productive using the latest technology and everything.
John Giglio (02:58):
Yeah, super important. There’s [00:03:00] a lot of data in there, I’m sure. So yeah, it reminds me when I was building my house, it was like, do I FaceTime with the contractor to try to get video evidence or have them show me around? That kind of thing. So that’s really cool. That sounds awesome. Yeah. So I guess bringing it to the security discussion, you mentioned it a little bit there, but what are some of the considerations? What types of data does that [00:03:30] mean? Are you worried about how to handle that, how to protect that data and what does that look like for you?
Joseph Mente (03:39):
Yeah, we store a lot of imagery data, but not just the source imagery, it’s the 360 cameras, the orthographic projection, stuff like that. But we also store 3D models of it. Our customers entrust their blueprints to us essentially because you want to compare that against the actual as built is what it’s called. [00:04:00] So we have a lot of sensitive data that we store on behalf of our customers, and we need to make sure that it is usable but also not at risk for exfiltration of any kind.
John Giglio (04:12):
And are you guys doing that all in the cloud? I know your title is director of DevOps, security and IT operations, and you’re doing this in a modern environment. What does that aspect look like?
Joseph Mente (04:26):
Quite a few years ago, we went from co-lo data centers to [00:04:30] running exclusively on the cloud. So we run the vast majority on the cloud. We have a little bit of a footprint on Amazon as well.
John Giglio (04:37):
And how did you get from, I guess that on premise mindset when you shift into the cloud from security, a lot of customers that we talked to, there’s this shift that happens and to move into a more modern automated fast paced environment. Did you experience any of that [00:05:00] or go through any of that? How did you deal with it?
Joseph Mente (05:02):
Yeah, I mean, if anything, the cloud tools give you much, much more capabilities. It’s certainly riding a fast train as it were, but with on-prem, you have to manually deal with it or manually deal with your on-prem provider because we weren’t large enough to actually own our own data center. Most companies don’t. So we would use a co-located data center and we’d have to [00:05:30] go through all the checklists, they’d have to do everything. But with the cloud offerings, all of that’s completely automated. All of the physical data security completely automated at this point, far beyond anything we could manage ourselves. And a lot of the built-in tooling to provide access management, alerting, anomaly detection, stuff like that is all in there. As well as the additional premium tools like Security Command Center, and we have a couple of third parties in there that help us [00:06:00] manage this stuff at scale. Far beyond anything we could do on a co-lo data center.
John Giglio (06:04):
Again, a lot of companies that we talk to are always talking about doing more with less. Did you experience any of that? How did you deal with that? Or do you feel like you are able to do more with less because of the cloud?
Joseph Mente (06:20):
Yeah, absolutely. It’s not a complete free ride. You have to actually understand how it works, but it’s certainly a force multiplier. I try to [00:06:30] make sure that we punch well above our weight. That’s the phrase I like to use: we have a relatively small team and we need to leverage all of the latest and greatest technologies in order to maximize the effectiveness of that small team, on the DevOps team, on the IT team, and also on the dedicated security team. Because there’s always more that can be done with security. So how can you do the most possible with the resources you have?
John Giglio (06:56):
Yeah, absolutely. Common challenge that we hear a lot. Like I said, doing [00:07:00] more with less, being able to do that effectively utilizing the cloud tools. So can you give me an example of that or give the audience an example of what that might look like? Is that tools specifically that you’re using? Is that a change management process or something on the people side? What does that look like from a real world example?
Joseph Mente (07:22):
I mean, there’s lots of stuff, and the easiest one to visualize is something that is quite challenging to do natively, [00:07:30] but with Security Command Center, for example, it just comes right out of the box, and that’s asset inventory. It seems like a really simple thing, just like, what is a list of all the stuff you have, right? Well, with Security Command Center, it’s literally right there. You can list all the VMs, all the IP addresses, all the this, that, and the other thing, and it comes right out of the box. It’s not a thing you need every single day, but when you need it, you want to be able to quickly access it. So that’s one of a myriad of things.
(07:54):
Making sure we do infrastructure as code for everything so that we don’t have to go and find some message [00:08:00] somewhere like, oh, I updated for this reason. It’s all in code, it’s all in the Terraform. There’s a PR you can reference. That’s really, really huge. It may take just a tad longer to do stuff, but you save it in spades. Just coming back and reviewing like, well, why did we do this three years later? Why is it like this? Why is this like that? So it’s stuff like that. It’s all about using the automation and having things streamlined as you go.
John Giglio (08:23):
That stuff is huge. And I love that you called out that sometimes it takes a little bit longer upfront, but [00:08:30] you’ll save it on the backend. So we did an assessment of the environment that you guys are operating in in GCP, and we came in and looked at that. I’m curious from your perspective, what’s the value there of having a third party come in and look at your environment? What was that experience like? What’s the value there?
Joseph Mente (08:53):
Yeah, so it’s really two things. One is that we want to be able to make sure we’re getting the best practices across the industry. So SADA has [00:09:00] tons and tons of different customers they do the assessments for, and we want to make sure that we’re not missing something in our own little bubble here. We’re not just staying inside our own lane.
(09:10):
And the other thing is you don’t want to grade your own homework. There’s a reason why typically security and compliance teams are separated. They work together closely, obviously, but you want to make sure that you have someone in there, someone outside, to be like, “Hey, did you check this, this, and this?” Because you get in a groove internally, you keep doing the same thing over and over again. And sometimes [00:09:30] that groove misses something, right? So that’s why, on top of our regular security compliance audits, we love to have these external assessments come in that focus less on the compliance side and more on the pure security engineering side, to make sure that we are in fact taking advantage of the latest tools, we are in fact doing the best standard practices that best-in-class customers or companies are doing.
John Giglio (09:56):
The viewpoint of just making sure that things are going [00:10:00] smoothly. And I’m also curious, so when you have somebody come in and look at your environment, and obviously you’re going to get some recommendations from that, what kinds of strategies do you use internally to communicate those things to maybe feed those back to the team, to your board, to your executives? What does that look like for you from a results perspective?
Joseph Mente (10:29):
Yeah, that’s a good point. [00:10:30] So there’s a saying somewhere that sometimes you need to pay someone external just to tell you the same thing you already know. And that’s always true because that’s how you can get management to listen, like, “Hey, there’s a validated third party. They know what they’re talking about. They have all these credentials, and they’re saying the same things that we’re saying, to make sure that this is what we need to resource. This is the roadmap we need to follow.” That’s really, really helpful. And it may seem really, really annoying. [00:11:00] That’s the world that we live in. But if you think of it from the executive’s perspective, they’re like, “Well, I mean, they seem like they know what they’re doing.” Your own team. But how do you know that they’re actually doing their job? They’re not an expert in security.
(11:13):
They hire someone who is an expert, which is presumably you, but how do they know that their team is actually doing the right job? If you don’t understand the job that someone’s doing, how do you go validate? Well, you have a third party come and say, like, “Hey.” You have this trusted third party that comes in and says, “Yep, [00:11:30] they’re doing the right thing. Oh, here’s some areas for improvement. Here’s some areas where they’re doing a really good job.” But it’s really important for the social aspect of a company. Don’t get in your own head, like, oh, well, I know what I’m doing. I’m the expert. You should just listen to me. How do they know you’re the expert? And that’s where it’s important to have third parties come in. Again, you don’t grade your own homework. You want to make sure that you are validating, both for your own internal technology growth, but also when you’re reporting up to [00:12:00] management, that, “Hey, this is the right track. We’re on the right track. Keep going.”
John Giglio (12:05):
The view or the conversation around security versus compliance. You mentioned grading your own homework as well and doing compliance activities, but it’s very different from security. I’m a firm believer that if you’re doing security well, compliance won’t be difficult. Compliance to me comes from good security. I don’t usually like it when it’s [00:12:30] the other way around. There’s a lot of things you can do to just check a box, but it doesn’t necessarily guarantee you any risk reduction or anything like that. So like I said, I’m a firm believer, good security informs compliance and makes it a whole lot easier.
(12:45):
So yeah, I love that comparison there. Talking about, like you said, not grading your own homework, having that validation performed, but from the perspective of good security, just best practices, just understanding [00:13:00] what those are. And I think that also gives you an opportunity to go a little bit outside of some of those, I’ll call them compliance boxes, because when you’re in a compliance framework, you’re looking at very specific things. And security, if you’re just looking at it from a best practice perspective, you get to look a little more broadly and you can go outside some of those typical boundaries and talk about new tools or nowadays it’s AI-based things that can help out [00:13:30] that might not be mentioned otherwise if you were just staying inside of that well-defined compliance boundary. So yeah, I agree. Looking at that from a best practices perspective is very helpful. So-
Joseph Mente (13:42):
Yeah. Absolutely. If you think about it from the compliance perspective, it’s all best practices. It’s all good stuff, but the nature of the consensus that it takes to create a compliance framework necessarily means that it’s out of date in this fast moving… It cannot possibly move as fast as the rest of the [00:14:00] industry, nor does it strictly have to, but it’s a minimum bar, right? It’s an important minimum bar, but we just have to recognize that it is a minimum bar.
John Giglio (14:09):
Yeah. Yep. Absolutely. Yeah. And then I’m also curious, so when it comes to communicating that to executives, you touched on it a little bit, but are you using any specific framing in that communication? Is there a modeling of any sort [00:14:30] that you’re doing that ties it to dollars or things like that, like a fair modeling, anything like that that you’re doing when you’re communicating those?
Joseph Mente (14:39):
Yeah, it’s really difficult to tie it directly to a dollar amount. I know some folks are able to do that more exactly. Thankfully, in our business, our customers are all other businesses, typically larger corporations. So we definitely have the buy-in from our leadership that security is important. There are always [00:15:00] trade-offs, there are always limited resources. But thankfully at DroneDeploy, it’s never been a problem to be like, “Hey, security is important. Security is how you get deals.” I’m on so many deals with customers and they’re just so grateful for the strength of our security program. It just makes it so much easier to land deals. So it’s hard to nail down a dollar figure, but it’s definitely very clear to the executive team that security gets deals done, it gets revenue in the door.
John Giglio (15:22):
Which is a huge distinction. Security as a business enabler is almost, it’s almost unheard of. Having to have that [00:15:30] in place to get deals, to win customers, that’s super important and that’s a great spot to be in. So that’s usually what it comes down to is, like I said, unlocking those dollars. You have to understand the importance of security to the business. And you guys, I think, absolutely do that. So that’s amazing.
Joseph Mente (15:54):
For that one, what we try to do is we really try to impress our customers with the security. It’s not just like, oh, you have some [00:16:00] certification or you do these check boxes. Often, the customers that really care about it want to have a conversation. They want to know that you know what the heck you’re doing. They want to know, like, oh, you’re going above and beyond what, again, these good certifications are great, but you’re going above and beyond that, and that you really feel like you have it.
(16:18):
Now, once a deal is closed or an upsell happens, do they go and check you constantly? No. But that trust and that ongoing conversation, if some new upsell happens, like, oh, maybe they want to think about your [00:16:30] AI tools, the new AI features coming out. Well, they want to have another conversation. Well, how are you handling AI? How does that relate to the rest of your data management? So those kinds of conversations really build trust with the customer, and that’s one of our core values, building trust. It’s actually built into the whole DNA of the company, as we build trust internally as well as with our customers. And it is that trust element that’s really key. Security is a way to achieve trust, but trust is the goal.
John Giglio (16:55):
Definitely. That’s where you get that business enablement from. So yeah, I love it. [00:17:00] Okay, so talking about the assessment and what we go through, when we do these, typically we see identity and access management, logging and monitoring as usually one of the, or the two highest risk areas that we identify. I’m curious from your perspective, we don’t obviously have to go into details on what we did together or whatever, but just generally speaking, what are the, in your opinion, the highest, [00:17:30] you can call them hidden risks or just plain old risks, they may not be so hidden, but what are some of the risks that organizations like yours or other organizations might face?
Joseph Mente (17:41):
Yeah, I would say thankfully for this assessment, it’s not always true, but there weren’t really many big unknown unknowns here. It really did reinforce, in this case, the existing known challenges that we have. And we do know that while we have a [00:18:00] good perimeter defense, our defense in depth is decent, could be a little bit better, and especially around our automated alerting could be improved a little bit. That was highlighted in the report, which is good, which is then we can take that back up to my leadership and say, “Hey, this is where we need to invest more. We need to get some new tool, some new emphasis, some more temporary support.” That kind of stuff. So it is all about, again, improving. So while we do have stuff in [00:18:30] place, there’s always more to be done. What is the next thing you should do?
(18:34):
Just like if you ask whether we lock our front doors, right? Well, it’s not that hard to barrel down a door if you have a giant truck you can ram through, but that’s not likely to happen. You want to make it so that it’s more trouble than it’s worth. So that’s where it is. You lock your doors, not because it’s going to be a foolproof Fort Knox thing, but because it’s more trouble than it’s worth. And then, well, if things get more valuable in there, then [00:19:00] maybe you put some stuff on your windows or you get an alarm system, stuff like that. So there’s always more you can do. And what is the next thing that you should do? What is the next marginal improvement on security that makes sense? What is the right investment there? It doesn’t make sense for everyone to just drive around in armored trucks. That’s just way overkill. But in some cases that’s appropriate. And when is that appropriate, and when should you do that? That’s [00:19:30] really where these assessments are really helpful.
John Giglio (19:32):
It’s all about the risk. Like you said, certain areas, it makes sense to have more strict controls in place and better security. But do you need that everywhere? Probably not. So yeah, that’s awesome. Having that understanding is super critical and it’s all about just measuring and understanding that risk. And one of the things that I like to do as well anytime that I’m talking to somebody is just talk about risk, it [00:20:00] can mean a lot of different things to a lot of different people, but also it can get to a point where it almost becomes not real. So keeping it based in reality.
(20:12):
You gave the example of driving around in your car or locking your front door, the likelihood of things. Could it happen? Yes. And sometimes I think it’s really easy when we’re talking about risk to get more over into the like, oh, it could happen. It could happen. But balancing [00:20:30] that line between the possibilities of what could happen and the reality of what you see. Yeah, I mean, I’m curious how you deal with that as well. Do you pull data from your environment? From a data-driven perspective, how do you deal with that?
Joseph Mente (20:50):
Yeah, we have internal rubrics around probability and impact that we gauge all of our internal security tickets against. And there’s a whole, it’s never comprehensive, but [00:21:00] each little level has a half a dozen to a dozen different examples of it to try to gauge, like, okay, this is a low, this is a high, this is a critical, that kind of stuff. So we gauge that against those real-life scenarios. Like, oh, what’s the impact of someone getting write access to company confidential information, right? Well, what is that classified as? And how does that compare to someone getting root access to all customer data? That kind of stuff. And it’s never [00:21:30] going to be exactly numerical in that respect, but having that guide of the risk-based approach and the impact. So it’s not just likelihood, it’s likelihood of an impact.
John Giglio (21:40):
Yeah. Let’s talk about, I guess the future, I’ll call it. Some emerging trends and threats. You mentioned looking at the hardware. Obviously there’s a whole bunch of software components here, but what kinds of things are you seeing in the industry? Maybe it’s not exactly applicable to [00:22:00] DroneDeploy, but just generally in the security industry, what are some emerging threats that you think are out there?
Joseph Mente (22:07):
The biggest one that I see coming down the road, although it has not yet manifested, is the impact of AI on the malicious actor. So far what we’ve been seeing is that they’re more prolific with what they’re already doing, but it hasn’t fundamentally transformed. I mean, you hear these news articles of some CEO being [00:22:30] impersonated with a deep fake type thing, and that does happen. I mean, it’s real, but it’s so rare. It’s so hard for those to pull off. But in the realm of phishing, for example, historically it’d be like, you know, the grammar is terrible, stuff like that, but it’s easier for a malicious actor now to just pull up a deep research on a specific individual, so they can automate stuff that they’re already doing to some degree, and so they can pull it off. It’s still low probability for any given event, but they can do more [00:23:00] and deeper research for more spear phishing, which is typically the term, where it’s like, I’m going to deeply research this individual, but they can have an AI do that now.
(23:10):
They can say, “Oh, I want to know everything about this specific sales leader or whatever,” to get into the organization. That’s really where things are happening now. And there definitely are some emerging trends around prompt injection type stuff. That’s real for sure, and you need to make sure that there’s no real way to secure that right now. So you need to be really careful [00:23:30] about sandboxing anytime you have user input. But that’s fundamentally similar to any other data sanitization, input sanitization, which in general has been around for a long time. It’s just the rate and the effectiveness of these malicious actors doing more of the same.
John Giglio (23:49):
You’re spot on. I would agree. It’s almost the same things that can be used for good are also able to be used for bad. So you mentioned profiling [00:24:00] a person. You see that now in a lot of sales tools where it’s like, hey, I’m about to go into a call with a customer. I want to know everything I can about them. That takes a lot of time. Let me automate that, bring some data in from an AI agent of some sort. And that can also be turned around to be used for profiling and understanding where some target may be weak or susceptible to social engineering or phishing. So what guidance [00:24:30] would you give to other security leaders or folks that may be in a similar role to yourself on doing some of the things that we just talked about, right sizing their security program to align with business objectives to account for the ever-changing threat landscape? You mentioned that continuous improvement and continuous testing and growing and learning. What guidance would you give to other security leaders [00:25:00] on how to do that?
Joseph Mente (25:01):
I would say, this is something I learned earlier in my career, but is truer today than any other time, which is it’s not good enough to be good at your job. You need to be able to communicate to others what your job is and how that brings value to the whole organization. You could be the absolute best security leader, best security, and you have top notch NSA, CIA level security. But if no one cares about that or if it’s not valuable or [00:25:30] even if it is valuable, no one knows that you’re doing that, then you’re just wasting your time essentially. So definitely having that communication of value up to your leadership. And it doesn’t have to be like, oh, we brought in two and a half dollars of whatever. You don’t have to be super exact dollars or list out every deal, but you definitely need to make sure that you communicate up to your leadership the value of the security program, what it’s actually buying them, because they’re spending a lot of money on [00:26:00] it. It better be worth something to them.
(26:02):
And making sure that it is right-sized for the value that your leadership wants out of it. Not every leadership wants everything to be at that highest security. Again, there’s no end to things you can do in security. You can always do more. What is enough? What is the right amount? How do you make it more trouble than it’s worth for any malicious actor?
John Giglio (26:24):
Yeah. And it has to be done in conjunction with the business as well. So yeah, no way to do it alone. Love it. [00:26:30] Super practical advice. Thank you again, Joseph, for joining us today. For those of you listening, again, like and subscribe. You don’t want to miss the exclusive insights from leaders like Joseph, and we’ll see you next time on Cloud and Clear.