Master Application Security, Threat Modeling, and Security Resilience with Dustin Lehr

Host: Hi, everyone. Thanks for tuning into another episode of Scale to Zero. I'm Purusottam, co-founder and CTO of Cloudanix. Today's topic includes security programs, culture, and much more. To discuss this topic, we have Dustin Lehr with us. Dustin is the senior director of platform security at Fyprn and also the co-founder and chief solutions officer at Catalyst Security.

which helps companies build security culture and security champion programs. Before shifting into cybersecurity leadership, Dustin spent 13 years as a software engineer and application architect in various industries like retail, Department of Defense, even video games. This background helps him build relationship and partnership with development teams, engineering leaders and software security advocates so that security programs can be designed and developed to the maximum engagement. He also co-hosts the open discussion meetup, a remote meetup, Let's Talk Software Security and authored the security champion program Success Guide. Dustin, it's wonderful to have you in the show. For our viewers who may not know you, do you want to briefly share about your journey?

Dustin Lehr: Sure, first of all, it's great to be here. Thanks for having me. You captured a lot of it. I was a developer for over a decade, so I spent a lot of time writing code, spent a lot of time interfacing with security folks. And I would say my journey led to security because I always cared about quality, and I always cared about building good software, which security was always a factor in that, right? So… Um, it kind of led me toward becoming a security architect. And then that led, uh, pretty quickly into security leadership. And I never looked back, you know, I love it. So this was at, this was at staples that I got the opportunity to lead an AppSec team back in the day. And then, um, I've been with Fivetran, like you mentioned for about two years now. And, uh, you know, basically built a program from scratch at Fivetran. Uh, it's been a ton of fun.

All the things, software security, right? Champions, like you mentioned, scanning, inventory, you know, all, all, all of the necessary, uh, elements to building a software security program. Um, and then I do a few things on the side, like you mentioned. So I help companies build security champion programs. I run a community. It's a completely free, open, practitioner, practitioner-led community. Let's talk software security. We meet every month. It's an open discussion. It's a ton of fun. So, uh, I don't want to plug that too much on your show, but, uh, show up, uh, cause it's a lot of fun. Um, and then I also built a guide to, like you mentioned, uh, the security champion program, a success guide, which helps people, hopefully, uh, helps people go through and build great champion programs, you know, I basically put all my knowledge into that guide, uh, in order to help the industry. So that's a little about me.

Host: Thank you. Yeah, so quite a journey. It's a pleasure to have you in the show. So I want to like unpack some of these things so that I can learn as part of the process. Right. So the way we do the podcast is we have a security section and then we go into the security rating like practice rating section. So let's start with the security questions. Right.

So recently, security awareness has been growing. Right. with executives and stakeholders instilling like a security-first attitude. However, there are many organizations who are still not paying a lot of attention to security or it's not their priority. Like one example could be like startups, right? Or maybe organizations think that they are not vulnerable to attacks. So what I would like to understand from you is.

What exercises or policies that these organizations can implement so that a security-first culture can be created and maintained?

Dustin Lehr: Yeah, it's a good question. I mean, you touched on startups and I think we should talk about that a little bit because, you know, should a startup prioritize security out of the gate. Right? No, I think that their priority is building a business, you know, and, and this is a security person saying this, that you shouldn't, shouldn't put priority on security until you have found market fit, until you have a product that customers like, and so on, because you have little risk. What exactly are you risking, right?

By, you know, you shouldn't go relaxed on security, and I think there's best practices you should set a precedent for, but I don't think it should be a top priority, not for a little while. Now, what I would say to that, as well is at the point that you do find market fit and now you have a product and now you have customers, now you have something that you want to protect, right? That's the point you focus more on security.

But what I find is a lot of companies, they don't do that. They continue to focus on next feature, next feature, more customers, etc. And they don't turn around and focus on building a resilient and high-quality product. That's where the mistake is made.

Right. And I think we need to get the word out in terms. And, and, you know, I, I do think the industry in general is, is changing and there is more focus on security than there has been in the past, which I think is fantastic. Um, if you want to create a resilient, good product that's going to last and going to make your customers happy and not lose their data or expose their data, then I think it's going to be important, you know, to, to turn around and start implementing those types of controls. So. Yep.

Host: Okay, so yeah, go ahead.

Dustin Lehr: Well, I was just going to say, you know, and how do we raise awareness of this issue? I do think it starts with focusing on the customers like we were just talking about, ensuring you're protecting their data, but also as the industry is becoming more aware of the importance of security, more customers are asking for it too.

And I think that that can drive a lot of your early focus on security through compliance, right, certifications that, you know, ideally you should be implementing the controls in an effective way to actually meet those compliance requirements.

But those are things that a lot of your customers are gonna be asking for, you know? So I think that's a good way to initially focus on it and then build from there. So.

Host: Okay, so few things that you highlighted right? The first thing is day one you are starting your startup, don't focus on security or rather don't go crazy on implementing security right, focus on building the business or building getting to the product market.

So once you get to the product market fit, how do you sort of start focusing on security at that time? Like.

What challenges do organizations face at that stage? Do not focus on maybe solely on features, but start focusing on security as well.

Dustin Lehr: Yeah, I think understanding your risk at that point, like understanding that you do have a product that's out there and you know, you could face reputational risk, loss of data, et cetera, you know, CIA risk that would be detrimental to your business at that point. Um, so recognizing that kind of getting the awareness around that, but then, like I was saying before, I think.

More and more, your customer base will be asking for good security. I think when you initially start a company, you're going to be finding design partners. You know, folks that will work with a fledgling, you know, sort of new company. But as you mature, you're going to likely be going for larger and larger customers that probably have more strict requirements when it comes to security.

That's where you can. you know, sort of use that demand by the customers to start to drive better security overall. So that's what I think can initially start the snowball. And then there's plenty of stuff to do from there, which I'm sure we'll get into later, like address your culture and that sort of stuff.

Host: Right. So sort of listen to what the market is telling you, right? All your customers are telling you so that becomes your indicator that, hey, you should start investing in security now rather than just continuing to build features and features. Right. One of the things that you highlighted earlier was that like implement some of the security controls, right? Maybe because through like the compliance frameworks,

Any specific controls an organization should start with and how should they monitor that they are getting implemented as well?

Dustin Lehr: Yeah, I always say start on the right side. So there's, there's been this saying, you know, shift left, which I, I think is for some reason going down in trend right now, people are saying shift everywhere, et cetera, but I always like to say start on the right, which, which really means figure out how you are doing in production. Okay. Put things in place so that you can find the issues that have reached production. That means pen testing.

Right. Looking for actual issues in production. But it also means like you touched on monitoring as well. Right. Like seeing, you know, from a incident detection response standpoint, are there any weird things going on on your servers? Right. That sort of stuff. I think understanding your current environment is the first step.

From there, you can start to shift left or shift everywhere or whatever we want to call it, you know, implement best practices in your processes to address those things that have reached production that are in your environment over time.

Host: Yeah, so I must say like this is slightly different than what a lot of folks talk about. Everybody talks about shift left. You should start from source code and then you go to let's say CICD and all other layers.

But it makes sense to start from the right because by the time you start from left and you get to your production, it takes a lot of time, a lot of time, effort and budget and all of that that could impact that could delay those security program altogether.

Right. So it makes sense that you start with pentest your monitoring and all. And you can also look at your CI CD and all of that. You can do that in parallel in a way.

Dustin Lehr: Yeah, because frankly, how, just to expand on this for a minute, how do you know you're making a difference? Right? Like the production environment is there, that's where the attackers are going to focus on. If you put all these other controls in place, uh, code scanning and training and all those things, how do you know it's actually affecting the bottom line, which is what reaches production period.

Right? So starting on the right, setting up those metrics, setting up monitoring, understanding your environment is that first step that can justify the other changes that you make in the process. Root cause analysis is important too.

I think we'll probably hopefully talk about this a little bit later, but when you do have an incident, is it like, okay, we'll just sweep this up and then continue doing what we're doing? No, ideally you should figure out what led to that incident because that could further justify change in your process.

Host: Yeah, no, that makes sense like monitoring your incident response plan. All of that plays a major role in it as well. So I want to talk about the security champion program, right? Like you're a big advocate of it. For our viewers, can you can you share what is it? Like

What is the security champion program?

Dustin Lehr: Yeah, there's a lot of depth here. So let's start getting into it. I love talking about this topic. As you mentioned, you know,

I think where it starts is, um, you need help from people across your environment. You're not going to have a successful security program if it's just the security team running around trying to secure things for everybody else. So I'm a big fan of awareness.

Like we talked about and, uh, getting the, getting the message out and you know, having help from others across your environment, which essentially means a bit of a culture shift to some degree, because you have to encourage better habits, behaviors, and overall culture to be more focused on security. Security champions is a good way to start that, okay? So security champions

I like to define as finding your initial allies, okay? Working closely with them, and then, basically following like a diffusion of innovation type of flow where you're, you're crossing a chasm, you're, you're tipping the scales. And now you've reached even more people across your environment. And then before, you know, you have sort of a culture shift and you have more behaviors focused on security, like we talked about.

So it's typically starts by go out there and find a few people who care about security, you know, they're out there. Like you as security folks, sometimes we get discouraged because we're like, nobody cares about security like we do, you know, for us. But there's a lot of people out there who do care about security. Find them, spend more time with them, you know, help them understand and be educated about security so they can become advocates for security across your organization.

So that's essentially what it is. You know, there's a lot of...ideas, concepts there in terms of like trying to have at least one champion on each of your teams. Um, that typically works pretty well with that. You don't necessarily need to start there. I think that's more of like a mid level of maturity.

Host: Okay, so let's take a scenario right. Let's say we run a startup, we have hit the product market rate. Now we are thinking about security. Is that the right time to start focusing on the security champion program?

Dustin Lehr: I would say so. Yeah. I would say so. As at that point, again, you're reducing your overall security risk by getting more people involved in the, in the security mission, essentially, you know, you need help, you're not going to be able to protect everyone from all the phishing attacks and all the social engineering attacks, et cetera.

You need other people to, to be that frontline of defense. You know, people talk, I hate this term where people say, Hey, people are the biggest risk.

Well, no, I think actually the people are the biggest opportunity. The more people that you can get on your side and aware of security, the better you're going to be able to reduce your overall risk.

Host: Make sense. So, okay, let's say you convinced me that security champion program makes sense. Now there are two aspects to it, right? One is going to the leadership and saying that, hey, we want to invest in it.

How do you talk to your leadership so that they buy into this program?

And I also want to understand like once I know that leadership is behind it,

What steps should I take to implement this program? So maybe let's start with the like talking to the leadership and getting their buy in. How should I approach that?

Dustin Lehr: Yeah, you know, leadership buy-in is a very important step. We're going to talk about steps in a minute, but leadership buy-in is very important. So I, you know, I find success in using the language of the business to talk about this type of thing.

How can you show that there is going to be a return on investment? for them in terms of reducing security risk, which ultimately, you know, you want to put it in terms of money to some folks, you want to talk about risk to other folks and help them understand how it does help the business. It could be a differentiator.

You could talk about it in that aspect. You know, it really depends on your specific product and industry. But you know, talking about, hey, you know, if we do. lead the pack when it comes to our security posture. You know, that could be a compelling reason for customers to choose us over somebody else.

Not to mention trying to quantify and express the actual business monetary risk that security poses in reputation, in acquisition of customers over time, and that sort of stuff. So again, it's really about thinking about your audience and speaking in the terms that they speak in and that they would understand.

Which isn't always done. You know, I think a lot of security people show up and start talking about, I don't know, the number of vulnerabilities. And they're like, we need to reduce these and businesses like, well, why, and why isn't that just an acceptable level of risk, you know, so trying to put it in terms they understand, I think is super important.

Host: So the communication is the key and showing like talking to the talking in the language, which makes sense rather than using like jargons and all of that. Right. And this happens a lot with even engineers, right? Because engineers also start talking about architectures design and all, but unless you show the value to the leadership, sometimes it's challenging to get like a budget or head count for growing your team and stuff like that. So I can I can relate to it.

Now let's say you have convinced your leadership that it makes sense and you have the budget. What step should I start with?

Dustin Lehr: Exactly. Yeah, and this is kind of what I outlined in that guide that I mentioned earlier that I published, because it's essentially a process for you to build a champion program. The reason I built it that way is because not every, you know, I didn't want to be prescriptive and say, do this because it's going to work. Every culture is different. So stepping back and really understanding your environment is a big emphasis on the process.

Place to start is what are you trying to accomplish? What's your vision? What's your mission? What are your goals specifically for your champion program? And the more that you can make those smart goals, you know, specific measurable, you probably heard that, the better because then you understand what metrics you're actually trying to influence with your security champion program.

Beyond that, like I was just saying, I think understanding who you want to involve. Who are you going to invite as champions? What do they look like? Is it senior folks? Is it engineering? Is it beyond engineering? Understanding that. And then starting to get into the behavioral and motivational side, which is why I think these programs are so fascinating. Understanding what motivates those folks. Once you've decided who you want to invite. thinking about, well, what actually makes them tick? What would motivate them to get involved in a program like this, right?

From there, it's really understanding specifically what do you want them to do or accomplish? What are the specific behaviors that you want them to display? What are the security-focused actions that you want them to take, right? I want them to report issues, you know, in the environment when they see them. I want them to report phishing emails, you know.

Listing those out and just being very intentional with what you're trying to influence people to do I think is a really important step and then again moving more into the motivational side How do you use? Gamification or other motivating factors in order to influence those behaviors, you know.

And then finally I would say measuring yourself ensuring that you're providing that ROI that we discussed back to you're just ensuring you have those metrics in place, you have dashboards, you have ways to show your success with the program.

Host: Okay, that makes sense. So few things that you highlighted is like first thing is define your goals, right? Like what are you trying to achieve? Then picking the right champions across teams, let's say engineering product and all. And last thing that you highlighted is around the measurement, right? Like the progress of the program. How should that be done? Like do you have any?

Do you use any tools or frameworks for measuring it so that you can show the progress to the leadership, right?

Dustin Lehr: Yeah, you know, there's a number of, of sort of metrics and reporting tools, uh, that I like to take advantage of, uh, kind of more analytics tools, uh, you know, things like your Looker and Sigma and, and those types of things in order to, um, take the data that you're collecting and display it in a way that would make sense to leadership. But I also think this is kind of where inventory comes into play, which I always talk about inventory too, as part of my AppSec programs, collecting data and getting it into one place so that you can write queries and ask interesting questions in order to display those reports, display those dashboards, et cetera.

So again, data collection, like understanding for your champion program, are people showing up. If you have like brown bags or regular ways that you meet with your champions, we talked about finding your allies and then working more closely with them and training them and sort of increasing their knowledge.

You know, are people showing up to those? Are you measuring attendance? Are you measuring things like participation? Are people speaking up? Or are they silent? Is it death by PowerPoint? And there are crickets every time you have questions, you know, or are you engaging your audience with questions throughout the presentation? Do you have little quizzes, you know, little check-ins to make sure people are paying attention. And are you measuring all that stuff too, to kind of see if people are engaged?

Right? And then we talked about all the actions that we listed too. Like are people reporting security issues? Well, you can track and measure that as well. Right? And you can kind of show over time, Hey, this is working because people are now reporting more issues than they used to in the past when they didn't know the security team. And when you didn't talk to anyone and when you didn't find your allies. So hopefully, you know, you, you want to put those things in place so that you can show that things are improving in your culture.

Host: Okay, that makes a lot of sense. So engagement and monitoring and looking at different metrics so that you can report back to your leadership and show the progress. One of the things that you highlighted is the brown bag, right? That's a great way to sort of connect with your security champions. Are there any other such initiatives that you would recommend organizations follow to build a security program? execute check champion program.

Dustin Lehr: Yeah, yeah, I think, you know, connecting with your champions in different channels is a good thing. So we talked about brown bags. This could be like an hour meeting that you have every month. You get together with your champions, you listen to them, you know, you bring in speakers, you know, you do things that makes that an engaging experience for them.

I find that to be effective. Having a dedicated like Slack channel or Teams channel where people can post things and sort of be part of the community, see newsworthy items and announcements and that sort of stuff is another way to connect. I also think, when I typically run my AppSec programs, I will have specific people on my team assigned to different lines of business. And having...those lines of business security leaders connect with their own champions as well. Makes sense because now there's more context, you know, like those people are all kind of working on similar things. And then the person on the AppSec team is supporting that area. They understand those specific things and it becomes a little bit more of a focused discussion versus a broader discussion that you find by inviting all of your champions, right?

So, That's another good panel to reach folks. Um, and then, you know, coming up with opportunities too, like, you know, I think there's a lot of, uh, of things that you can roll out through your champions. Like, we'll might talk about this, uh, later, but. You know, why do these champion programs even work to begin with touches on the fact that people are more likely to listen to their peers than listen to security people, right? When I talk about.

Host: An outsider sort of right? Yeah. Yeah.

Dustin Lehr: Yeah, like when I talk about security, everybody's like, whatever, you're a security person. What? Dustin's talking about security again, whatever. But when it comes from someone they already respect who's on their team, who has the exact same message that I did, they're more likely to listen, you know? So, so it's starting to roll information out through your champions. Um, it's just, it's another channel, right? To reach people throughout your culture.

Host: Makes a lot of sense. One of the things that you highlighted and I want to dig a little deeper on it in it is culture. Right. So let's say you have product market for it. You started building the security champion program, but it goes back to the culture that you have set. Right. Like, and every company has a culture. So as a security leader,

How do you, how do you set that culture, that mindset, security first mindset in an organization?

Let's say even before you have achieved product market fit or you are getting close to product market fit.

Dustin Lehr: Yeah, I mean, the first place to always start, I think, is to connect with other people. Start building relationships. Be part of the solution. You know, be at the table, right? Like earning a seat at the table. This is not, you know, hey, they hired me. I'm now the AppSec person or I'm now the CSO. So I have a seat at the table, right? No, not necessarily. You know, how are you?

Proving that you provide value to the organization. Your work starts, right, when you get hired to get that seat at the table. And I think that's extremely important, you know? And that comes through providing value. And like we talked about, speaking in the same terms, you know, that the people you're trying to reach speak in and earning your way in, it's difficult, okay?

There's already a, I would say negative perception of security that we have to start to shift, you know, when we join new organizations. Because people still view security for the most part as blockers, as people who are just gonna get in the way in the office of no and all of that. So by connecting with folks and showing that, hey, I'm not like this, like I'm on your side, I want a solution, you know, like I was saying before.

I'm a security person, but I talk about focusing on the business first. You know, having that message come out will make people trust you and we'll invite you in to get a seat at the table ultimately. So I think that's where you start.

Host: Yeah, I mean, I'm pretty sure you must have been in meetings where I have at least I have been in few meetings where when a security person walks in, folks are like, oh, we'll have more requirements. It will delay our feature rollout. Like there is that mindset, right? In people. So

What like in what do you use? Like what type of tools or frameworks that you use to build that relationship or? showing the value or building that culture.

Dustin Lehr: Yeah, I mean, like I said before, being transparent, having dashboards and metrics and reports and just showing people, here's where we stand in terms of how you're seeing it as a security person, I think is important. But doing it in a context, again, that they would understand. So how does it affect our bottom line? How is this putting us at risk for acquiring new customers or...

whatever that is. Like the more you can measure in your environment, the more you can make people aware of, hey, this is an issue, the better. But put it on them too. To some extent, you're gonna have to allow people to weigh in as well. If you come in and you know exactly what needs to be done and you don't involve anyone else and you just like do it your way, you're not gonna have a lot of success, right?

But if you bring people into the conversation and you open up the books and you say, hey, I just...the last few months measuring our environment, here are the types of risks I see. What do you think? Is this a problem? Because if leadership says, after you show everything that you think, you consider a problem and you show it to them and they're like, oh, that's fine. Okay, then you have to adjust your approach based on that. But if they look at it and they say, oh, this is a problem.

Oh, I didn't realize we had intruders actually actively in our environment, wow, how do we address that? Now you've caught their ear and now you can move forward. And that's because you were open and inquisitive and you invited them into the conversation instead of just driving your own agenda without involving others.

Host: Yeah, makes a lot of sense. So it's all about building the relationship, showing value, showing the progress that you are making together rather than just coming up with the requirement that, hey, this needs to be, let's say, incorporated at the platform in the next few months or few weeks, something like that. So having that engagement adds a lot of value.

Dustin Lehr: Yeah. And I think a good place to start, sorry, one last thought. Well, a good place to start is showing that you're putting things in place that customers want that to me, that's an easy win in order to acquire this prospect as a customer, they're asking for this, so we put that in place and then we acquired the customer. Like pretty simple to start, you know, but, but again, that gets the snowball rolling and then you can go from there as well.

Host: Sure sure. Yeah, it shows the direct value in a way, right? Like short-term value as well. That if we implement five of these security policies, we get a big customer. And that sort of starts, as you said, like the snowball effect within the organization. Makes sense.

So I'm just going back to the previous scenario again. I have one more question on it. Let's say you have reached product market fit. And you do not, let's say you did not invest a lot in the security, you don't have a security team members.

So you have to teach a lot to let's say engineers or product teams when it comes to security so that they can do some of the deeper analysis themselves when it comes to an incident, like the root cause analysis that you highlighted. How do you do that? Like

How do you train them so that they can judge different incidents or they...start paying attention to security as well?

Dustin Lehr: Boy, that's the question. I think if we've completely solved that as an industry, then we're good, right? This is where there's a lot of challenges. I do think it comes down to what we were talking about earlier that when you talk to leadership, you gotta speak in their language. Same with engineers, right?

Speak in their language. What are they trying to accomplish? We also talked about understanding your audience when you're creating a champion program.

And their motivations, right? What do they care about and how can you position your message in a way that? It aligns with what they care about. Okay, do they like writing quality code? You know, do they want to write bad code or not? Like start there. Yes. I do want to write good code. Okay, great. Well, here's some things that I've learned with my experience In terms of how to write good code. What do you think invite them into the conversation?

Right, allow them to weigh in. Does this make sense? Can you get some direct feedback? Like, here are some best practices, here are some standards and guidelines. Do these work for you? Why not? What prevents you from using the guidance that we've posted every day as you're doing your own coding? What is that underlying motivator for perhaps ignoring security? Is it pressure from the top? Well then.

Go address that, right? Is it, well, I already feel like I write secure code. Well, go approach that like prove, you know, like, like we said, understand your environment, prove that number of vulnerabilities, you know, your defect density, whatever you need to do shows that people aren't writing secure code, you know, work with them on that. What do you think about this result? You know, it basically says some of our code is, you know, could be improved. Right.

So I think it's about navigating your culture and really bringing people in and having a conversation about it.

Host: Yeah, so I think that's a great way to end the security questions. Right? Like the gist for me is it's all about building relationships, communicating with other team members, the security champions, so that they can work with the team.

And the team also feels that it's not the security member talking to us, but rather somebody who we trust is working with us rather than working, like giving us directions. They're working with us so that we can improve the overall security of our platform, right, or applications or of the organization. One of the things that I... Yeah, go ahead.

Dustin Lehr: Yep. Yeah. Sorry. I was just going to say, I think one other, you know, this, this does come from my development background in that this is something I didn't see as a developer. What I saw is judgment from an ivory tower, you know, boy, you're really bad at writing secure code was the message from security. It's like, there's no relationship here. Like you can't influence unless you've built a relationship.

And so I'm happy to see that we're kind of evolving as a industry in general to try to reach people instead of just throw rocks.

Host: Yeah, no, that makes a lot of sense. And one of the, you highlighted about your, the guide that you have written, right, on the security champion program as well. So make sure to tag that when we publish the video so that our audience can also go in and learn from it, like how to set up the security program, what are the challenges, how to communicate, how to build relationships and all of that. So we'll definitely do that.


Thanks, Dustin for the lovely conversation. Here are a few important points which stood out for me:

  1. For an organization starting to incorporate Security into their systems, start right (as in securing your Production Systems) and make progress towards securing the Source Code. This helps bridge the gap between best case scenario and current state.
  2. Security is not always the highest priority. Depending on the stage of the organization, Business Growth is of higher priority than Security. For example, a pre-product market fit startup.
  3. Security is driven by culture of the organization. For a security champion program to work, focus on Building Long Term relationships, Communicate using the right language and show value by using the right metrics among other things.

So let's move to the Security practices rating.

Rating Security Practices:

So I'll share a security practice and I want to see how you rate it and if you want to add context to it that would be awesome as well. So the first practice is conducting periodic security audits to identify vulnerabilities, threats and weaknesses in your security systems and applications.

Vulnerability management deep dive with Walter Haydock
Table of Contents Subscribe Spotify Youtube Transcript: Vulnerability Management Deep Dive with Walter Haydock Host: Hi everyone. Thanks for tuning into our Scale to Zero ship. I’m Purusottam Cofounder and CTO of Cloudanix. For today’s episode, we have Walter Haydock with us. Walt…

Dustin Lehr: I think you're gonna be able to guess my rating here based on our conversation. So I would give it a five. However, the word periodic makes me think four because I think you should be doing it continuously and obviously automating where you can as well. So good practice, try to automate, try to constantly be measuring and identifying vulnerabilities and weaknesses.

Host: Make sense. The second one is security processes are a roadblock to business growth. Grant users unrestricted access to systems and applications so that business growth is not affected at all.

Dustin Lehr: Again, I think you probably guessed based on our conversation, but I would say two. You know, I don't think that's a great approach. However, why didn't I give that a one? Because I also think it depends on the size of your team and what stage you are in. Okay.

This is a risk decision. If you have two people in your company, then okay, sure. They should have probably both have access to everything. Right. How about three? You know, at what point do you draw the line and say, okay, now we're starting to be large enough that we should be more restrictive with access. So that's why I would give that a two.

Host: Okay, the last one is same incident never occurs, recurs, it reoccurs. So once an incident is resolved, there is no need to do like a retrospect, a retrospection on it.

Dustin Lehr: Yeah, we talked about root cause analysis as well earlier. I think one here, you know, I think that, you know, you shouldn't assume that an incident's not going to recur, first of all. There's this man named Roy Sullivan, who was struck by lightning seven times in his lifetime. So, you know, lightning never strikes the same place twit. No, sometimes it does, right? So I think.

we should remember that and try to do as much of a retrospective or root cause analysis as possible because then you can identify process issues and you can identify opportunities to them.

Host: I would have been surprised if you would have given different ratings honestly based on our conversation. But yeah, it makes sense. And thank you so much Dustin for coming to the show. I learned a lot around the security champion program, how to approach it for different sizes of the companies. Yeah, it was lovely speaking with you.

Dustin Lehr: Yeah. It was great to speak with you as well. Thanks for having me.

Host: Absolutely and to our viewers, thank you for watching. Hope you have learned something new. If you have any questions around security, share those at and we'll get those answered by an expert in the security space. See you in the next episode. Thank you so much.

Insights from Scale to Zero

Incident Response, Digital Forensics, Threat Intelligence
Knowledge-led information shared by experts to understand what is Incident response, Digital forensics, and Threat intelligence. Don’t miss this gem
Secrets of Threat Modeling | Brook Schoenfield | ScaletoZero
Expert advice on Threat modeling. The significance of threat modeling in software development and how it integrates into the entire SDLC.


What is an Incident Response?

In general, Incident response is nothing but gathering the list of processes and controls to help an organization prepare, detect, analyze, act, and respond in case of any data breach.

Get the latest episodes directly in your inbox