“Essentially, I design, implement, and operationalize security infrastructures.”
02/02/2020: Jimmy Sanders is Head of Information Security at Netflix and President of the San Francisco Chapter of ISSA.
His motivational executive talk will not be technical but about new ideas and techniques at the speed of business. His session will consist of ideas that are changing security practices and company culture that various industry leaders are working towards.
Katharina Keupp, Command Control project manager, is looking forward to Sanders: “It is one of my personal highlights - what could be more serious than the business continuity of Netflix?”
The main topic of Command Control is Cyber Resilience. How do you understand this approach and how has it changed over the last years?
Resiliency has been an ongoing theme in Silicon Valley, as well as the general technology industry for several years. Netflix created tools such as Chaos Monkey, part of the Simian Army, as a resiliency tool that helps applications tolerate random instance failures years ago. However, resiliency does not only pertain to cyber. Technology is only one power outage, internet disruption, or ransomware attack away from being inaccessible. We must continue to keep ideas such as resiliency, bias, and effectiveness in the forefront of our minds as we create innovative technologies.
We keep hearing that the so-called "human factor" is to be understood as the biggest weak point in the system. What is your opinion on this? Is there a special program at Netflix to educate the workforce?
a. It is a false narrative to scapegoat the “human factor” as the weakest point in the system. The security industry continues to create layers of products to address fundamental security flaws in systems and processes that have nothing to do with the human factor.
b. Netflix employees maintain the motto of “Freedom and Responsibility”. This simple phrase means more than just do your job. It incorporates the culture in everything we do to ensure we allow our employees and customers the ability to achieve their goals, while ensuring that we understand that we are responsible for trying to achieve the best results for our given responsibilities.
Hackers are getting more sophisticated, they are getting better. In your talk, you’ll also talk about DevSecOps. In your opinion, what is the most effective way to ensure the best possible security for your users?
a. Hackers are sophisticated, but hackers have always been sophisticated. The glamorous hacks make the news but the more mundane hacks such as ransomware make the hackers money. It is up to us as security professionals to learn from each other and collaborate on how to mitigate and prevent the next big attack.
b. DevSecOps is one of many novel practices that cyber experts should embrace to ensure we are in line with the goals of the business. Security professionals have longed to have security implemented into the earliest stages of a product lifecycle. DevSecOps allows developers to partner with the key stakeholders early in the development stage of a product. As security practitioners, we should embrace new concepts while also judging them based on their efficacy.
c. Security practitioners should not expect users to be security experts, but we should expect users to practice good security hygiene.
As a cyber security expert, what do you anticipate as trends in cyber – threats but also solutions? In general, but also for your company?
a. A cyber security expert is a fancy way of saying I have practiced security for several years. The next wave of security practice is what I term “Threat Forecasting”. This utilizes various sources of internal and external threat data, as well as security assessments coupled with systems that can handle large data sets to provide advance protection against specific threats. This equates to meteorologists predicting coming rain or other variations in weather conditions.
Often, companies don’t talk in public about their cybersecurity because they fear attracting hackers. In your opinion, how important is networking and open debate about threats in public? Is there any area that you think needs improvement?
a. Each company and environment is different in their view of cybersecurity publicity. However, the problems that we tackle as an industry are getting more complicated instead of less complicated. As the president of the San Francisco Bay Area Chapter of Information Systems Security Association (ISSA), I believe that sharing best security practices and findings, whether publicly or privately, is the best path forward for the entire industry.
Finally, why are you looking forward to Command Control 2020 in Munich?
a. I understand that an open mind that can evaluate the most effective solution is crucial to a great security program. I am looking forward to learning and engaging with my German and European counterparts in positive discussions to improve the overall security of our various industries.
Information security professionals and digital transformation leaders will profit most from his ideas and techniques.
Be curious about the essential insights of the person who ensures the business continuity of your favorite series!