The perimeter has shifted
00:00:05:12 - 00:00:29:24
Lori MacVittie
Hey, everyone. This is Pop Goes the Stack, the podcast where emerging tech is put under the microscope and sometimes the flamethrower. I'm Lori MacVittie. Put your safety goggles on for this episode, because Joel and I are here today to talk about the perimeter. That isn't where we left it. Or maybe it didn't exist. Or it does or it doesn't.
00:00:29:26 - 00:00:55:13
Lori MacVittie
We're not sure. We got Chuck Herrin here, and he's going to help us talk about the impact of agents on the move. APIs are also on fire. Your infrastructure is about as ready for this as a fax machine is ready for a DDoS. This week we're talking about guardrails, actual guardrails, for the age of agentic AI. Which isn't here, but it is here.
00:00:55:13 - 00:01:19:19
Lori MacVittie
But it could be here, very shortly. We're not sure, okay. Cause your dashboards are off doing something with metrics, but vendors actually got serious and they've started dropping all sorts of different product launches, to, and they show a clear pivot toward AI security. AI washing, Joel, right?
00:01:19:24 - 00:01:24:17
Joel Moses
In some cases I'm sure. There's some, there's some interesting stuff happening in vendor space today.
00:01:24:18 - 00:01:43:17
Lori MacVittie
There, there is. That's true. Well, let's not, let's not, you know, completely dismiss it because it is. We have to move and sometimes it's it's just moving in small steps, but it has to move. I think that, that's the premise. It, security has to move because the perimeter already did.
00:01:43:19 - 00:01:44:06
Chuck Herrin
Yeah.
00:01:44:09 - 00:02:04:12
Joel Moses
I don't know about that, Lori. Every time I, if I had a nickel for every time someone, in my 30 years of security experience, told me that the perimeter was shifting, they tell me it shifts almost as much as paradigms do, and I don't believe either one of them shift all that much. In fact, I frankly don't even think the concept of a perimeter really even existed.
00:02:04:12 - 00:02:24:12
Joel Moses
It's a, it's an arbitrary thing. It's that's, that's specific to the scenario. These days, there virtually is no perimeter. The inside and the outside look almost exactly the same. With agents, it becomes the inside, the outside, and the context. And I think that that's that's something we're going to have to come into contact with.
00:02:24:13 - 00:02:25:07
Joel Moses
What do you think, Chuck?
00:02:25:11 - 00:02:46:14
Chuck Herrin
Yeah, I totally agree. I mean, the perimeter to to to your point. Why you I think you'd have so many nickels is the perimeter has been shifting for 20 years. You know, we we started it in in the first time I really started using public cloud was in the late 2000s. And we did it because we needed to do it for stress testing, for financial services.
00:02:46:14 - 00:03:11:16
Chuck Herrin
You just simply couldn't burst 10,000 cores into existence in your data center. So we had to learn how to operate in a whole new model. And we've never gone back. Like, we've never really gone away from that. And now know most, most enterprises that I speak to in my, you know, my travels and so forth, they don't know how many interfaces they expose to the outside in terms of API endpoints in most cases, plus or minus 5000.
00:03:11:19 - 00:03:36:28
Chuck Herrin
And what perimeter is there? I think that we've really been setting the stage for where we're coming out of this, this really, I think, hype cycle into, into, a lot of folks don't see how good AI is getting at a lot of things because they're still constrained to the chat interface. And having a casual conversation next to a single serving friend at a bus stop doesn't really indicate how smart they actually are.
00:03:37:03 - 00:03:58:09
Chuck Herrin
You can't get that to the core of just how smart today's frontier models really are via a chat interface. And so I think a lot of the real intelligence that, that forward looking enterprises are actually getting use of aren't immediately intuitive to those who are thinking of LLMs in the context of like, ChatGPT. But where we are from a defender perspective reminds me of, you guys
00:03:58:09 - 00:04:19:16
Chuck Herrin
remember that early scene from, I think it was Attack of the Clones, where a young Obi-Wan Kenobi is on Kamino touring the the the the factory where the clones are being grown? And they're not quite ready for battle yet, but but they're coming. And and this is what I'm thinking when I think of the economic incentives for attackers and where we are as defenders.
00:04:19:22 - 00:04:39:16
Chuck Herrin
When you look at the economic incentives for, incentives for attackers, everybody wants AI agents doing their bidding and making them money. Criminals are no exceptions. They just aren't quite ready yet. So what do we need to be getting ready for? If we think that we still have a perimeter, I think, Lori, we're sorely mistaken. But what do defenders need to be thinking about in terms of: What used to be the perimeter?
00:04:39:16 - 00:04:51:21
Chuck Herrin
What does my actual attack surface look like? And what do I need to be worried about? I think that's the conversation that a lot of defenders need to be having. They they still don't know. They don't know today, much less know, you know, what it's going to look like in a year from now.
00:04:51:24 - 00:05:24:12
Lori MacVittie
Yeah. And I think that one of the scary things that people haven't considered yet, APIs always enter the conversation, because that's how we communicate and integrate with inference, which is actually how we get at our models. That makes sense. API security has to grow and change and adapt as well. And I think it is. That's part of the, you know, vendors dropping new capabilities is, a lot of it is, around APIs. But they're not necessarily looking at what's in the actual payload.
00:05:24:18 - 00:05:49:12
Lori MacVittie
Right? What's being exchanged? I mean, we talk about prompt injection, but we don't really look at it and say "what's going on?" And what's going on is it's sending system level messages inside a user prompt. Now, that is completely different from anything that we've seen in the past. And how do we secure against that, becomes the big question.
00:05:49:13 - 00:06:02:00
Lori MacVittie
There is no perimeter. There's not even a differentiation between control plane and data plane in that case. It's it's just all the surface area is, yes, everything.
00:06:02:03 - 00:06:28:16
Joel Moses
Yeah. There's an architect here at F5, and he and I oftentimes discuss, things in the context of the old OSI layer model where, you know, down towards Layer 7, you have the presentation, then the application layer, and that there's really the emergence of a Layer 8, a contextual layer. One that where, you know, a lot of things present themselves as web transaction. API transactions present themselves as a web transaction.
00:06:28:16 - 00:06:51:12
Joel Moses
When you're looking to see whether something should be allowed or rejected, when you're looking to see whether an attacker is misusing something, you almost have to go one layer deeper and understand how the context of what's being performed. Understand the context of the request that's being performed. And analyze that for security problems. And so we always joke that there's there's an emerging Layer 8 and
00:06:51:12 - 00:06:53:00
Joel Moses
nobody's seen it yet.
00:06:53:03 - 00:07:05:22
Chuck Herrin
Totally.
Lori MacVittie
Eight, nine. Layer 8 has emerged so many times. APIs. Business processes. It's humans. No, there's there's like eight, nine, and ten layers, right, at this point.
00:07:05:24 - 00:07:21:25
Chuck Herrin
Yeah. Well and when you look at what the attackers are doing, you know exploiting that that Layer 8 or the new, these new attack surfaces, whether we call them perimeter or not, but things that the defenders aren't necessarily aware of. Like go ask the average CSO. I do a lot of, you know, CXO roundtable events and things like that.
00:07:21:27 - 00:07:44:27
Chuck Herrin
Show of hands. How many CISOs have have accepted that it's going to be their responsibility to secure inference? They're not they're not thinking of that yet. And you know, QA testers aren't aren't, you know, aren't aren't thinking of that yet. But and when we look at attack patterns against even the bigger, the bigger frontier models now, new attack patterns, like, well, old attack patterns like best-of-N jailbreaking are still highly effective.
00:07:45:03 - 00:08:11:12
Chuck Herrin
And now new attack patterns like echo chamber jailbreaking, which is much more like gaslighting of a model. If you think of a, of a model as a stochastic approximation of a human, they're they're actually pretty easy to social engineer. And, you know, the defenders, CISOs aren't really thinking of how how are they part of the development, the growing process of these models, how are they securing inference, and whose problem is it.
00:08:11:14 - 00:08:27:19
Chuck Herrin
And and where, where I think we're going to land as defenders here in the next year or so is, if if chief and security is in your title, security stuff is your problem. How do you get your arms around that? And where do you even know these models are coming from? It's, it's, it's a really, really difficult challenge.
00:08:27:19 - 00:09:05:25
Chuck Herrin
And the attackers, however, are going to continue to get faster and smarter and better. They already are. So you mentioned context earlier. Look at how the attackers today are amplifying what the old attack patterns, social engineering, phishing emails, you know, things like that. They're doing things now, automatically generating context based on LinkedIn relationships, and things that that, you know that they can infer and, and figure out based on open source information and automatically put that in phishing emails that are targeting, you know, these broad populations. They're exploiting context more effectively than defenders have started using context on the defense.
00:09:06:00 - 00:09:07:28
Chuck Herrin
We're going to have to change that.
00:09:08:01 - 00:09:36:27
Joel Moses
Yeah. Let's talk for a moment about the impact of agentic AI. And I want to look at it from two different perspectives. First of all, agentic AI use to make money, to generate money for businesses. Everybody wants to make money out of, out of automating things, creating automated sequences. Attackers also have the equal access that all of us do to agentic AI, and are using it to affect there. What, what do people need to take into account when, when they're deploying agentic AI?
00:09:36:27 - 00:09:41:13
Joel Moses
And what do SOCs need to take into account if they are the target of malicious agentic AI?
00:09:41:16 - 00:09:45:07
Chuck Herrin
Lori, do you want to start? Or do you want me to?
00:09:45:09 - 00:10:10:09
Lori MacVittie
Wow. Well, I you know, what should they be aware of? Well, one let's start with, that exists. That's a thing. And you do need to be aware that you may not have been a target in the past. There's sometimes a perception that, well, they're not going to attack me, right? They'll attack someone else. You know, the the dragon and the, example.
00:10:10:09 - 00:10:31:04
Lori MacVittie
Right, you don't have to be faster than the dragon, you just have to be faster than the next guy. You know, that was actually a security concept spread around the community many years ago. And so they sometimes think, well, we won't be attacked. Well, AI not only helps them do it faster and better, but it also means that they can have better coverage.
00:10:31:04 - 00:10:50:22
Lori MacVittie
So, you may not have been a target before, but I think now you might be because it costs them almost nothing to go out and just blast everything. Right? So it's changing the reach, I would say, of attackers as well. So you have to be aware that you are probably going to be under attack at some point.
00:10:50:24 - 00:11:12:05
Chuck Herrin
Yeah, I totally agree. And you know, Joel, my my thought on that is that the primary metric that that I'm looking at this from a CISO perspective is the return on attacker investment. So, you know, we talk a lot about if you show me the incentive, I'll show you the the outcome. The reason that attackers are leveraging generative AI to the degree that they are is because that's where the money is.
00:11:12:08 - 00:11:34:19
Chuck Herrin
As as they get better at, at doing things like enumeration and attack surface mapping and chaining together series of API calls that that currently take human penetration testers or human bot herders to do. That's what they're going to do, right? That that's going to. And I think what we're really going to see is for organizations that don't have their fundamentals in order,
00:11:34:22 - 00:11:49:10
Chuck Herrin
my biggest concern is that that people simply don't know what their attack surface is. You stand no chance in an asymmetric battle when when, what I'm calling red agents, get good enough to approximate human penetration testers.
00:11:49:13 - 00:11:50:09
Joel Moses
Yeah.
00:11:50:12 - 00:12:13:03
Chuck Herrin
Everybody falls to a human penetration tester. Every, like when I used to be a penetration tester. We had a 96% success, you know, success target. And this was almost 20 years ago. And generally speaking, where we didn't hit success, it was some constraint of the exercise that stopped us. And that was that was a limitation of human labor, the amount of intelligence we could put to it,
00:12:13:03 - 00:12:31:02
Chuck Herrin
we have reports to write, we had other clients in the queue. All that stuff goes away. And and the attackers then are going to seek the return on attacker investment that, that they, they're going to be able to maximize. And they're also not going to pay for their own GPU. They're not going to pay for their own compute. They're they're going to steal it.
00:12:31:02 - 00:13:02:12
Chuck Herrin
They're going to do what they do today. They're going to, you know, we start embedding LLMs or SLMs with IoT devices. That you, free trials, gift card fraud like this this whole ecosystem is going to shift to automating as much of this as possible. And as long as there's a positive return on investment, it's it's it's a virtuous spiral from the attacker's perspective. I think the defenders, that now is the time really to master the fundamentals and get your house in order. Get your attack surface under control and get your technology debt.
00:13:02:12 - 00:13:21:27
Chuck Herrin
Get some plans to really get these basics in order, because you're not going to be able to defend against automated human level penetration testers. Which is what I think sort of the phase two,
Joel Moses
Yeah.
Chuck Herrin
of of AI, of red agents, right, attacking agents, agents, is really going to go, and that's probably going to be, my guess, in the next 12 to 24 months.
00:13:21:29 - 00:13:43:21
Joel Moses
Yeah. You know, the thing that I spend a lot of my time thinking about in, in the area of context, by the way, which, which, we've talked about context already. But context is really the thing that you're trying to build toward to ensure trust. One of the things that agentic AI is bringing to for, is that an agent will do work on behalf of someone.
00:13:43:24 - 00:14:09:08
Joel Moses
It will do something with their identity to, to, to to perform an action on their behalf. And so really, understanding agentic AI means that you have to not only connect the agent and its behavior, but you have to connect that behavior back to the identity that it's acting on behalf of. Would this be something that someone would ask for?
00:14:09:13 - 00:14:28:09
Joel Moses
It's kind of the next step from, from trying to figure out if someone is a bot or not. Now you have to figure out is, it is a bot, but is it a bot that's actually acting behaviorally in a way that this particular user would? And that's, that's going to be that's going to be tricky business.
00:14:28:11 - 00:14:49:18
Joel Moses
A lot of people are going to grant rights to agents to act on their behalf without understanding exactly what they are doing. They're going to, to grant rights to do a sequence of activities that is going to be planned out by the AI agent itself. They're not going to be able to specifically and explicitly allow each and every individual action.
00:14:49:21 - 00:15:13:04
Joel Moses
And I think that that's, that's that's a that's a whole new world, a new territory. You know, from the attacker side, I can also see that if you're trying to figure out whether an attacker is, has stolen a set of identities, and is using an agentic AI to to automate an attack sequence, you're going to have to figure that out. Because the identity is going to look, yeah,
00:15:13:06 - 00:15:24:01
Joel Moses
this this this is an authenticated and authorized, action. But is it an action that that user would actually perform? That's that's where this technology is going to have to go.
00:15:24:03 - 00:15:53:19
Lori MacVittie
Well, and that's and that is almost a good case that they actually do, right, tie it to a user identity. Because traditionally integration and systems inside operate using system level or generic accounts. JDBC account, right, that connects to your database. It was never tied to a user. The systems actually had to go, okay, this user made this SQL call and that's not okay,
00:15:53:25 - 00:16:18:05
Lori MacVittie
and connect the dots that way. So if they're actually giving them some sort of identity, I think that's actually a step forward because that will give them at least a leg up to understand, well this person does not have rights to be looking at this data or the system or connecting. So that may help a little bit actually. I think that may actually be a good impact on security.
00:16:18:08 - 00:16:19:05
Joel Moses
Yeah.
00:16:19:07 - 00:16:59:13
Chuck Herrin
Yeah. I mean, and I think that what we're going to see, so to kind of in that space too, is we, we need to better understand the, the context and the way that our applications work. Because that's going to be much more important than, you know, like, stateless firewalls or rate limiters are really going to be blind to, you know, say AI agents going out semi autonomously or autonomously, finding some novel 15 step sequence of legitimate API calls to create an account, apply five different promotions to it, place an order, and then have a refund issued to a different account.
00:16:59:15 - 00:17:24:13
Chuck Herrin
So sort of all in sequence, right. That that kind of complex attack pattern currently takes humans to figure out. We're going to need to increase the visibility and understanding of how our applications work at Layer 7 to be able to effectively defend against that. That's where from an API security space, we've been seeing these types of attacks for a long time, but they've been restricted to to human exploitation.
00:17:24:16 - 00:17:27:13
Chuck Herrin
That, that that's not going to be the case in a year or two.
00:17:27:16 - 00:17:50:26
Joel Moses
Yeah. Now shifting gears here. Let's talk about what's going on in the security industry to kind of directly attack this, this issue with agentic AI. There have been there's been plenty of work that's gone on either in startups or I know that some of the big names, people like Palo Alto, Akamai, etc., they've been they've been hard at work, figuring out what to do about this problem set.
00:17:50:29 - 00:17:56:06
Joel Moses
Anything strike you as particularly interesting out there? Chuck?
00:17:56:09 - 00:18:17:04
Chuck Herrin
It's it's, I'm a little disappointed, actually, just coming back from Black Hat a few weeks ago, at the at the just sheer amount of AI washing and hype that we're still in. And and it seems like, it's kind of like the old, the old saying, never ask a surgeon if you need surgery, because because the answer is always yes.
00:18:17:06 - 00:18:44:01
Chuck Herrin
It seems like everybody that we talk to in one way or another is positioning themselves for why what I already sell is the solution for tomorrow's problems. And and unfortunately, I think there's lots more than a grain of truth to that. If you think of the defense in depth, you know, strategy that that we generally recommend, things like signals intelligence, bot defense, rate limiting, job validation, a lot of these things really do still matter.
00:18:44:03 - 00:19:21:27
Chuck Herrin
And, and I think that the hype cycle is blurring away from what are the actual things that we need to defend against, and how are we going to actually use AI for defense in real practical, technical terms? You got to kind of dig for that, right? But I do see some real, some real movement, especially in, in financial services and to a lesser degree in telecoms in effectively using generative AI for security operations, a lot of automation of workflows, defenders getting better, defenders getting smarter, and even red teams being more effective at mapping out their own attack surfaces and doing more advanced enumeration.
00:19:21:27 - 00:19:41:27
Chuck Herrin
So you kind of have to shift through, sift through a lot of the BS still in the hype cycle. But I think there's legitimate offerings here. What I haven't seen is anybody really pull it all together end to end. Because I think the space is just evolving too quickly. You know, it's, it's one thing to play with something in a lab,
00:19:41:27 - 00:19:50:13
Chuck Herrin
it's another to productize it and test it and then get it ready to run at scale and get it out into the marketplace. And like that, that's kind of a different animal.
00:19:50:15 - 00:20:20:24
Joel Moses
Yeah, I tend to agree. I, as I look around, I am excited and intrigued by some of the advancements that are being made in AI observability. I think some of those systems are getting quite, quite good at being able to look at and, and manage, and provide visibility into how your AI systems are functioning. In some cases, some of them have expanded even into the area of semantic threat detection, and protection at runtime, which which I think is, is is quite, quite good.
00:20:20:27 - 00:20:41:15
Joel Moses
But yeah, like you, I, I, I'm a little disappointed that, that a lot of old technologies are being reapplied anew. Although you still have to do the basics. The these technologies are, at their heart, web technologies built on an API back. And you, you need to protect them in ways that you would normally protect those applications.
00:20:41:17 - 00:21:09:13
Joel Moses
But there's that semantic, there's a contextual layer that I think is, is something that can only be seen through true observability. I also look around and see a steady improvement in, in AI assistance for specifically for SOC. I, I looked at a particular startup, just a few weeks ago. It was offering the ability to automatically produce an after action report while the investigation was still going on.
00:21:09:16 - 00:21:27:29
Joel Moses
So you can, you can basically point your executives at, at a postmortem, that's being generated of an incident in flight. Which I think is kind of cool. It definitely takes a lot of pressure off the SOC analyst who, who knows that they have to solve the problem, but at the same time, they have to keep everybody informed.
00:21:27:29 - 00:21:36:08
Joel Moses
And there's a there's a tension between getting that done and actually solving the problem. So those tools are definitely going to make SOCs more effective.
00:21:36:10 - 00:21:55:16
Chuck Herrin
Yeah. But there's nothing more frustrating than running down an incident and also fielding update, update, update, update requests, you know, every 15 minutes from the executives. So, so anything we can do to sort of lower that cognitive burden, and resource burden on the behalf of defenders is definitely going to help, especially when you're hot in the middle of a response unit you don't know
00:21:55:17 - 00:21:57:09
Chuck Herrin
what in the heck's going on.
00:21:57:11 - 00:22:22:00
Lori MacVittie
That, that sounds like, at least two of our, our takeaways at this point: one one being the tools that you have are still valuable. You can't throw them all away. There are still going to be DDoS attacks and bots. AI is additive. It's not taking away all of the attacks you already have to defend against. So those tools, still valid.
00:22:22:03 - 00:22:41:21
Lori MacVittie
And I see the second one I heard is, it's got to change. It's it's got to change. There has to be new techniques, new approaches, new tools. Because this is just advancing very, very fast. And that's two. So, you know, one of you guys want to come up with a third takeaway for listeners?
00:22:41:23 - 00:23:04:15
Chuck Herrin
Yeah. I mean, for, for me it's choose who you decide to partner with, thoughtfully. So build a partnership based on the expertise and the value that they can bring to your technology ecosystem. So I always stop short of recommending, like, any one partner for for security, because I think that's too much supply chain, too much vendor risk.
00:23:04:17 - 00:23:26:25
Chuck Herrin
But when I think of managing the complexity of my attack surface as a defender, as a CISO today, along with a complex supply chain where everybody's trying to AI all the things. They don't have their own cryptographic bill of materials. They're not ready for PQC yet. I need to simplify my entire ecosystem. I need to understand, like, I need to map my true battlefield, which is really my my interfaces.
00:23:26:25 - 00:23:47:07
Chuck Herrin
They're attacking you via your interfaces. So whatever your interfaces are, whether they're APIs, application programming interfaces, web, etc. You got to know that. Control the choke points. So while the perimeter is dead, we still do have choke points where we can do governance, observability, automation, defense and all of that stuff. And then choose your partners wisely. I think those are the three things I would I would throw out there.
00:23:47:10 - 00:24:06:14
Chuck Herrin
Because you really don't have time to sift through a supply chain of 100 different vendors with their own AI BS, and hype cycle to deal with. Pick a few good ones and get 90% out of 10, 10 relationships instead of, you know, 10% out of 90 relationships. That would be my advice to the vendors.
00:24:06:17 - 00:24:29:12
Joel Moses
Well you guys took most of my takeaways, but I would leave you with one specific one. And I think as a security professional, I think it's time for us to get very thoughtful about the concept of contextual security. I think we need to start thinking a little bit more about how we actually build trust levels. You know, we've we've we've been, we've run down the rabbit hole of zero trust.
00:24:29:12 - 00:24:54:09
Joel Moses
And I think zero trust is a misnomer. If you have zero trust, you shouldn't be allowing any access. It's actually about a managed process of constructing contextual security based on attributes that you know are true, about something that you're trying to ensure the trust for. And I think that that we've gotten okay at it in certain certain scenarios, with certain zero trust tools.
00:24:54:09 - 00:25:08:00
Joel Moses
But I think the holistic one, in the face of agentic AI, is going to have to be completely rewritten. And I think as as security professionals, we need to think long and hard about what contextual security really means.
00:25:08:03 - 00:25:28:00
Lori MacVittie
I like that. I like that, yes. Contextual security. Security is going to change. I think that's ultimately, you're in for some fun, some excitement, some learning, some new things. And it's it's going to be a rough ride. So buckle up. But you'll all get there. You'll all get there.
00:25:28:01 - 00:25:32:23
Lori MacVittie
Because, cause that's a wrap
Joel Moses
And if the perimeter shifts and the paradigm change changes,
00:25:32:25 - 00:25:35:05
Lori MacVittie
I tried to wrap before he said it.
00:25:35:06 - 00:25:36:02
Joel Moses
I need that nickel.
00:25:36:07 - 00:25:37:05
Lori MacVittie
I tried.
00:25:37:07 - 00:25:40:11
Chuck Herrin
We'll have new AI quantum blockchain synergies.
00:25:40:14 - 00:25:41:08
Joel Moses
There we go.
00:25:41:08 - 00:25:53:02
Lori MacVittie
All right, that is definitely a wrap for Pop Goes the Stack this week. Smash subscribe before we set something else ablaze. Take your safety goggles off, until next episode.