The Security Podcast of Silicon Valley

Episodes

About

Blog

Subscribe

The Security Podcast of Silicon Valley

The Security Podcast of Silicon Valley

Episodes

About

Blog

Subscribe

The Security Podcast of Silicon Valley

Episodes

About

Blog

Subscribe

26. Andrew Spangler, Head of Security and Compliance at Harness, on Building Trust in Security

Welcome everyone to the security podcast of Silicon Valley. I'm your host, John McLaughlin, and I'm here today with a very special guest, Andrew Spangler, the head of security at Harnest. Welcome to the show, Andrew. Thanks, John.

Really glad to be here and looking forward to talking with you today. I'm super looking forward to it too. You bring to the table so much great experience. You launched your career at Mount Vernon School District as an educational technology specialist back in the day.

From there, you became a system administrator, but then it looks like you got sucked into the security world here. You were a security consultant for Rapid7, and then after that, you were a senior security analyst at Sujit Sound Energy, and then you worked at a very nice place that I'm sure most of our listeners are familiar with, the NCC Group. You were a senior security consultant there for a good chunk, a year or so, in two months. Then Datadog pulled you in.

You were a team lead at, of the information security and compliance group there at Datadog. And that's probably where you met Pierre at the acquisition of his little startup, the Screen startup. Cool. And now you're at Harnest.

You're the head of security and compliance. Welcome to the show. Thanks, John. It's been quite a journey.

Lots of good people along the way, including our mutual friend, Pierre. Lots of good mentors and generous, generous knowledge transfer from folks at each of those places that have brought me to this, to this current role, where I still benefit from the expertise of my teams and the exposure that I get as a part of, as a part of Harnest. I really feel and vibe with the sense of humility, but I'm sure that you also put in some blood, sweat, and tears along the way there. Plenty of that, for sure.

Yeah, plenty of that. I think like many things, or like many of our friends and colleagues, technology was always really interesting to me, even as a kid. My dad was a tech enthusiast from as far back as I can remember. And one of my first introductions to technology was an old warehouse computer with an 8086 processor and an amber screen and DOS manager.

We even had a dot matrix printer. So the whole setup and really got hooked on technology through video games, believe it or not. And I think that's probably not really crazy, but. .

. I think it is a very common story. I remember those dot matrix printers and that funny sound that they used to make. You get it going to, I think it was called Print Shop and you can print out a little banner for your room or happy birthday sign for your sister, in my case, and have a lot of fun and the interest only group from there.

That, that's really sweet. You printed something out for your sister. Oh yeah. Sometimes I think the best use of technology is when you can use it to interact with other people and maybe have an opportunity to even in a small way build something that you couldn't do yourself.

I'm not, I'm the farthest thing from an artist, but there's a lot of sharp edges that can be rounded by using technology even back then. So lots of fun, fun memories back in the day. Oh, that's amazing. So was there anything specific about security that initially attracted you to that space or?

Yeah. So, I mean, as you mentioned, I really got my first formal job in IT working as really a mobile help desk for a couple of different elementary schools in Washington state up there in Mount Vernon. At the time, my future brother-in-law also was working at that school district and he's both a security enthusiast and security engineer. And his interest and passion about that really grabbed my attention.

And I think many of us in the field would echo the sentiment that it's just a cool space to be in. You get the behind the scenes visibility into what's going on with infrastructure and applications. And it really plays off that, I think, common interests that many folks in the field have of wanting to understand how things work. Why does it work this way?

And can I break it? Can I fix it? Let me take it apart and put it back together. And I think that was a big piece for me.

And at the next job you mentioned where I had the chance to do some systems administration. One of the big tasks that I had during my time there was to rebuild our multi-factor authentication system after the RSA poison ivy compromised back in the late 20 aunts or maybe early 2010, which kind of got me some practical hands-on experience with at least security technology. So you guys ripped out the RSA stuff and you put something else in into play? In our case, we ripped out all of the old RSA stuff and replaced it with the new RSA stuff.

So there was a, there was a, hey, our root credentials have been compromised. We're going to go and rotate those and we'll send you all new fobs and we'll send you all new hardware. And part of my job was to seamlessly decommission the old setup and spin up, configure and deploy all of the new keys. It was a smaller company, probably right around 200 tokens that I was able to walk through the process of reprovisioning.

And in addition to that started to, my boss started to trust me with a little more firewall administration and kind of getting to see the broader edges of the security field. And that really was, was exciting work to me. Yeah. You said the magic word trust.

It's, it's, I guess the cornerstone of all things security, isn't it? It's not just something that exists between people, but between like our expectations of systems that I think it, it all comes back to trust in some very fundamental level here in the security world. Absolutely. Yeah.

I, so talking about that kind of first foray into security, not too long after I had a friend of mine put me in touch with his cousin who had just started at Rapid7 at the time, an unknown company to me. This was back pre-IPO 2010, 2011. And the company was hired for a security consultant really to work in the professional services team. So I was able to take the experience and knowledge that I'd gathered at that point in systems engineering and systems administration and apply some real practical security practices as a part of that work going out and helping folks build vulnerability management programs and doing some sort of advisory advisory work with our different customers.

And to your point, being able to cultivate trust in such a small time boxed window, that was a one or two week engagements. You really have a couple of hours to, to build rapport and trust with people. Especially when you're coming in as an external person to advise them on some of the more sensitive processes that they have in our organization. Yep.

As an outsider, sometimes that can be especially challenging. Do you have a favorite technique to help accelerate that journey towards reinforced trust? I think I've never really thought of it as a technique, as much as what helps me feel comfortable just to build relationship and build rapport. I think finding some common ground, common interest, whether it's something like video games or music or travel.

Camping or whatever. Yeah. Camping, exactly right. Camping, hiking out in the desert, all those kinds of things give you a good opportunity to at least establish some common ground in a non-hostile way.

I think one of the things I was always concerned about as a consultant is that the client would have so much more knowledge about their systems and their environment and the intricacies of those things than I would, that I wouldn't be useful or I wouldn't be helpful to them and would be in the way. And so part of my strategy was I want to get to know these folks. And so I'd spend a little bit of time up front just having some casual conversations and getting to know what was interesting to them, which I felt like opened up or maybe a better word is it's the posture of the rooms that we are in, whether it's a server room or a big meeting room. Nice.

No, I love this notion of being a little bit just less standoffish and more together, more connected. People are the interesting part of any job that I've held. And I think that there's always the tactical execution we have to be mindful of, but the richness of relationships and being able to make contributions to other people and to receive from them as well has been far and violated my career. Absolutely.

I couldn't agree more. Did I screw up? Did I miss your education? I did miss your education.

I was just wondering if you had gone to school for computer science or anything, and I'm looking at your LinkedIn here and you're in NYU. You didn't? I was just going to say, man, no, you didn't miss it because there, there wasn't any, there was no formal education. Good for you.

Oh, all respect to the world, man. Oh, man. And that's where I think a lot of those mentors, and you mentioned earlier, the blood, sweat, and tears. I think I heard a quote one time that's, luck is the opportunity or is the intersection of preparation and opportunity.

And I think that's really been true, at least in my case. Right after high school, I moved to Los Angeles for about 18 months. And I attended an intensive program covering global history of philosophy, which I enjoyed immensely. Amazing.

Man, often I think back to those days where my only responsibility was to read books and then talk about what I thought. Those were very good days. But after I finished that, I wasn't really sure what I wanted to do. I knew that I didn't want to make a commitment to an educational path or a financial commitment to student loans without at least some sort of confidence that I can build a life off of this education.

And so I really started doing a bunch of different things. I worked at a few different small businesses and was involved in community events. And then actually, along with the IT piece, I found that friends and family and small business owners in the town that I lived in needed help with their technology. And that was an easy way for me to make a few bucks and to meet some more people and let me scratch that IT itch.

What town was it? This was a little town up in northwestern Washington called Cedro. When I was living up there, I think there was about 6, 000 people. The tagline of the city is, or of the town is the gateway to the North Cascades.

So it's really the last stop before you get into the beautiful wilderness of Mount Baker. Oh, that sounds amazing. No, that sounds really beautiful. And thank you for sharing too.

It's good. I think that everyone takes a different path and no one arrives in this present moment and close to the same. And I think it's those differences that make life interesting and make teams stronger than the sum of their individual parts and really drive at the core of what it means to be a participant in the economy, in the world, and in a team. And so it's good.

Good for you. I think you're, I think you're right on the money, man. It's one of my favorite things about our security field is that it's new enough. I think in this space, really technology in this iteration feels new every year.

But I think that kind of historical discipline of security as it's evolved over the last, at least for me, 15 plus years has been a great avenue for folks with all kinds of backgrounds. Some of the best professionals I've worked with have had liberal arts backgrounds or, or kind of no formal training. And certainly there's a lot of excellence from, from STEM and from the hard sciences, but I love the diversity in backgrounds and the different perspectives that we can bring to these unique problems that we're trying to solve. So like you, you hit it right on the money.

This is where creativity comes from. There are differences. It's not our similarities or similarities made me feel good. And it's important to find those similarities early on in the relationship to help build that trust like we were talking about.

But I believe 100% this is where creativity comes from seeing the world just a little bit differently. Then in fact, I'll, there's a book out there called seeing what others don't. It's a series of case studies around like where creativity has come from in the past and past instances. And it's an interesting read.

I'll put the details in the description, perhaps, but if you, have you read that book questions? No, but I'm definitely adding that to my good reads list. Because you share a lot of these perspectives. It sounds like maybe you had, it also sounds like that 100% or you've taken full advantage of all of your opportunities along the way and put in all those blood, sweat and tears through a long and interesting career through security.

And now you're at Harness. And even though Harness is a quite successful startup, I'm sure many of our listeners maybe have never heard of it. So would you like to share a few words about what Harness does just at a high level and the role security plays at Harness? Yeah, I'd be happy to.

So Harness is a software delivery platform. We do CI, CD, and a bunch of complementary and stand modules that can be used, as I mentioned, either in conjunction with the platform itself or in a standalone fashion. Things like feature flag management, one of my favorite security testing orchestration, helping you to get your VOL scans running as a part of your pipelines, a whole suite of things. And one of the things that really grabbed my attention about Harness is not only a really high caliber leadership team, our founder, Jyoti Bansal, had also previously founded AppDynamics and a number of other ventures out there in the Bay, but then also the space itself.

I think over the last, I don't know, seven or eight years of my career, I've had a kind of a sneaking suspicion that a lot of the work I'd be doing or I was doing at the time would be automated in the future. And sure enough, now it is, and it's through at least primarily through platforms like Harness. And so that was definitely something I wanted to be a part of. I really like industries that build tools for people that build tools, infrastructure level type of work.

And I feel like software delivery is a modern iteration on that theme. David Pyshko It's a natural next step for all things automation, isn't it? David Pyshko Yeah. David Pyshko Yeah.

Especially in this day and age where there's all these layoffs happening and the economy is, it's not all sunshine and flowers like it used to be and you have to do less with more. And I think I bumped into a sentiment every once in a while, which is sometimes people are afraid of automation, not just from a risk perspective, but maybe from like a, almost like a job security point of view. But the way I've always seen it is, yeah, let's get everything automated. Let's please replace everything I do in a day with a script.

So I can go off and think about and work on that next layer of problem and contribute at a much higher level. David Pyshko Completely agree with you, John. That was, that was a, along with that sneaking suspicion was also a looming sort of specter of uncertainty. David Pyshko Is the work that I feel like I'm good at going to be irrelevant in five years, in 10 years.

And so that kind of job insecurity was definitely a factor for me as well. And I think what I've come to realize both through just time in seat, as well as exposure to cloud native companies like Datadog and now at Harness is, it really does. It frees you up to work on more interesting problems. It's less drudgery, it's less spreadsheets, it's less manual deployments and a lot more time back to focus on higher order problems or sort of strategy and the interesting work.

Let's let the robots do the drudgery and we can focus on what comes next. David Pyshko I love it. This mental picture in my mind just popped into my head when you're describing that future. And I would love to be an old man, a grumpy old man that could turn to a young person at some point in the future and say, when I was your age, we had this thing called spreadsheets.

David Pyshko May it be true. David Pyshko Hey, don't give up. We're gonna finish all that hard work that we started your hardest and everything. You're in a perfect position to be able to help, but we can all contribute in some way or another.

étangeloaday Baird anytime I find myself doing something more than twice. That came out wrong. Every time I found myself doing something more than once, It's the indicator that this could be automated. It's really, yeah, definitely.

My brain stops everything and it imagines how it could be automated. It's somewhat intrusive, but that's okay. Meditation helps. A little mindfulness in the mix.

A little bit of mindfulness goes a long way, doesn't it? Yeah, it really does. Okay, so what's been your best day at Harness so far? That's a great question.

There have been a lot of really good days. It's tough to pinpoint the best day. I think there may be a couple of standouts for me that really felt things started to click and that we were on the right track and we were doing the stuff of security. The first was, within the first, I don't know, maybe 60 days, I had inherited a small team of two engineers.

We're a globally distributed remote-first company. And although there are physical office locations, majority of the company, including my team now and at the time, is fully remote. And I had a couple of engineers that I was working with and we had a report that one of our software engineers, laptop sidband, compromised by ransomware. Fortunately, no effect to our cloud environments or to anything in production, but still something that we wanted to prevent any further spread.

And we treated it as an incident. And through that process of incident management and rapid response, I felt we built confidence in each other. Back to, again, your great point about trust as a foundation of the work that we're doing. So that the process and professionalism and expertise that I was able to witness and participate in and contribute as a part of that response effort was a great kind of first win, a great first best day at Harness.

Going through sort of a minor crisis together really has a way of gelling a team. And that was the output from that. I think another highlight day for me, again, has been hiring. So team and the people that I'm working with, people that I'm working for has always been really priority zero for me.

And as we talked about earlier, an integral component to any success that I've had. I know a lot of people, and I'm sure you do too, who are very hard workers and give 110%, but you can do that in a vacuum. If you're not surrounded by a good team, it's not wasted effort, but the result can be less than what you hope. And so big wins for me being tasked to build out a security team from two has been really rewarding to bring on people that are competent and hardworking and catch the vision.

And then maybe the last one that I was thinking of is the best worst day was when Log4Shell was announced and kind of hit the airways earlier this year. Again, for many of the same reasons, seeing the coordination and professionalism and the expertise across the company, not just security, obviously engineering is involved. Our customer success teams are involved. Our legal teams involved in the calm and collected yet urgency with which we responded to that evolving incident over several weeks, really.

It was another great way that felt. We got through, we got through the storm. We're all in one piece and now we're on the other side. That was a really good take.

No, that's amazing. Okay. So what's incredible about your answers is two out of your three best days have been related, have been where stuff has been hitting the fan. Perhaps we're both afflicted with the same, I'm not sure what to call it, mental disability, where no matter what's going on, we're going to see the good that's going to come out of it.

And we're going to focus in on that. And I just don't know any other way to view the world or to view things that happened. It sounds like you maybe have a very similar perspective. Man, that's been a lifeline for me, John, to, I'm certainly not immune to pessimism.

I think in many ways as a security professional, you're kind of a professional pessimist. That's exactly true. We are, we ask all of those tough questions. It's easy to see time.

At least it becomes easier to see what's wrong with the situation or with the technology or with some given task at hand. And I've found that for me, looking not only at the moment, but also reflecting on the past and then again, into the future has helped bring that perspective of even though this feels chaotic maelstrom. It's going to be okay. This is not the worst thing that's happened.

And then that's up to me to see or better see the, the winds, right? The points of light in, in those dark moments. And that's been an important part of getting through those tough times. Oh, I couldn't, I couldn't agree more.

Like seeing, keeping things in perspective. I couldn't imagine what it would be like to be writing like software flies airplanes or that controls like how much drug is administered during a chemotherapy session or an x-ray that blasts you with x-ray radios. Those critical systems have someone's life on the line. But for the most part, a CICD system or, I don't know, coin stuff.

It's not, no one's going to die. I was just going to say, you make a really important, and I think a good point about perspective in our work as well, as a part of our, the tools that we have available to us to execute our work, to interact with people around us, that perspective of what we're doing. And certainly in the moment, things are very important and not to minimize any of those things. But I think back to my time at Cujo Sound Energy, which is the largest utility in Western Washington State, serves, you know, all the big, relatively big cities in Washington.

And part of my role there was OT and OT, operational technology, vulnerability management. And so I had a real privilege to go out into the field, going to generation facilities where, you know, whether it was hydroelectric or natural gas or geothermal, and then out to substations and really getting a small perspective on the underpinnings of something that's easy to take for granted. And then when it's not available, we all notice it right away. And there's, to your point, the potential for catastrophic consequence.

And so my respect for people who have dedicated their careers and their, their expertise to keeping the lights on, to keeping the, the drips in the hospitals moving, it's just immense. Yeah, definitely. I am of the same perspective too. The amount of, it's almost like just serving in the military or something.

It's just more on a cyber scale. Yeah. Yeah. So you had the privilege to see the, get the inside scoop, maybe just a couple of years old of the, how secure the infrastructure is.

I didn't realize that was a security position that you had. Yeah. That was a fascinating world to learn. It's not, not a natural path to go into operations technology as someone without that kind of formal engineering background.

And I worked very closely with professional engineers on this security posture for components of the bulk electric system. And again, benefited daily from the expertise of really great colleagues. So yeah, fascinating work. One of the interesting things that really stood out to me was as we'd go out to these facilities or have conversations with folks, I think of technology as even hardware as almost ephemeral, right?

Even these days, the phones that we use, the keyboards, the desktop computers, three to five years is a good lifespan. Generally speaking in the OT space, these systems are designed for 50 to 70 years. And so you're walking into a substation and they're saying, Hey, we put this in in 1971 and it's still rolling strong and no need to touch it. In fact, don't touch it.

That's it's working fine as it is. Hey, but it's not broken. Exactly right. You know, it's funny you mentioned three to five years.

I try to make my phones last about six. And then I just go off and I buy the best phone after six years. But by the end of that six years, it is. I start to get those funny looks from my friends.

And what's wrong with you? Maybe an upgrade from the thing that belongs at Smithsonian? Or maybe? Yeah.

One more year? There's only one camera on the back of that thing, John? Come on, man. I just upgraded.

So here we go. It has the three now. Finally. Yeah.

It's going to last for a long time. And I love this theme. I feel that it's come up multiple times here. And I'll just call it out.

It sounds like you have a very strong growth mindset. Where you're always learning. You're always curious. You want to understand how things work.

And you're willing to pay that cost to better yourself. Yeah, absolutely. That was, I think, something, again, to go back to those early years. Something instilled by my parents.

By the people that I had the fortune, good fortune to be around as I was young. And then I think also just as a part of the personality that kind of evolved into who I am now is very interested in how things work and in why they work. I would guess that I was one of those kids that just kept asking why. I have to question.

And then there's seven, not seven whys, but there's 20 whys afterwards. And I never satisfied until you get down to the bits and bytes. That's also been a really valuable part of my personal development and professional development over the years. The kind of internal drive to uncover what's next.

What's the next page say? And I think that's a common theme I found, at least in people that I've really resonated with in our community and in our industry, is that sort of shared sense of curiosity. It even connects back to your intense education where you were and philosophy connected to the bits and pieces there. It's funny that you mentioned philosophy, too, and that you did actually go down that path.

I often say that if we had lived in a world without computers or computer science, that we probably would have been a philosopher. Seems like a great gig. What could be better than just thinking it up all the time? It's important.

I think it's important to understand where meaning comes from. Ask those tough why questions. Ask them over and over again. Ask them until you get to the very core value system that you're dealing with.

And then once you get to the core value system, maybe you could even have a playful sense of empathy with your own values and compare and contrast. See how they're different. See how that leads to a different world perspective. And when you have a different world perspective, sometimes problems don't look like problems anymore.

Sometimes they look like features. Funny how that works, isn't it? Yeah. Isn't it?

Yeah. Yeah. At that time, really focused and dedicated to learning, absorbing. Our curriculum was really read three to five hundred pages before 1 p.

m. And then from 2 to 6, we're going to all sit in a room. There's about 15 of us. We're going to all sit in a room with a moderator who's going to lead a discussion in the Socratic method.

Kind of prompting you to examine your assumptions. And like you mentioned, boiling down the periphery to that core value system and then asking, continuing to ask those why questions. And I feel like that experience plus some exposure to the world through travel have really some of the things that I draw on on a regular basis. What I'm kind of thinking through in my life and career.

Or even a computer system. Or even a computer system. Or a video game. Or a video game.

Yeah, there we go. There's nothing wrong with having a little bit of fun over. Life is far too an important thing to be taken so seriously all the time as well, isn't it? Exactly.

Exactly. Okay, so what's been the worst day that you've had so far in your journey at Harvest? Yeah, that's another tough one. I'm sure you've had the unique experience of having components of a best day and a worst day.

In the same day. Somehow crammed into the same 10 hours. Yeah. Oh, cool.

Story of my life. That's, that's, that. Yes. Oh, man.

Those best days can be so fleeting. I think some of the challenges, the challenges for me so far, I've had a couple of folks move on from the team into, into their kind of next adventure. And that's been tough on a number of levels. I think there's, there's a part of me that really values the, that relational connection.

And so even if it's a good thing, especially when it's not, but even if it is a good thing, there's still some bittersweet flavor to that experience. And then just practically when you're building a small security team at a high velocity startup, where, as you mentioned earlier, you got to do more with less. You really feel the impact of all of a sudden, 40, 50 hours a week are just, now you got to figure out where's this going to go. And that, that was a real challenge.

But sure, again, back to the importance of putting ourselves with good people, with diverse backgrounds, with unique perspectives and eagerness to, you know, curiosity and eagerness to learn. Yeah. Yeah. Is really the saving grace in those.

So I started off as an engineer and shifted more into leadership roles. And I have to say, like one of the most rewarding pieces of having gone through that shift is to help people achieve what they want to achieve and bring their careers to that next level. And whether or not that's within the same company or at a different company, I don't think really matters too much because my loyalty is connected to people. And that's where I get my drive.

And very oftentimes it is, you can facilitate that type of growth within the same company. But when you can't, that doesn't mean that our job as leaders is drop the ball. It's just, okay, this is going to be an interesting journey for you. And here's the options that I can think of in my network.

And to watch them, these people, individuals who have that drive, that hunger, that curiosity, like learn and grow themselves and become leaders themselves is quite rewarding in ways that I had no idea until having gone through the experience myself. I would absolutely echo that sentiment. That's, that's by far been my favorite part of transitioning, making that career transition into, into a leadership role. There's always the pressure of execution and your own internal motivation to perform well and make life better for the team.

But seeing people succeed, being able to encourage and in some ways provide mentorship and insights, unblock, and then see them grow and take on new responsibilities, take initiative. Top, top highlight for me, absolutely over the last five or six years. Okay. So in the spirit of people and building teams, what's your favorite interview question and why?

One of my favorite interview questions is to ask folks to tell me about a career highlight. I feel like, again, to close the loop, thinking about the beginning of our conversation where you meet somebody new for the first time and there's ambiguity. There's a little bit of trepidation, especially walking into an interview where you don't know, are they going to be reasonable? Is this interviewer going to quiz me on things?

Is this going to be a trivia session where I have to hopefully try to Google on the side? I don't want to do that. I really want to know, what do you think is a win? What was, what has been a good win for you?

And I feel like that gives candidates the opportunity to brag a little bit. It also puts them in a position where they can talk about something they're comfortable with, that they're proud of. And I feel like that tells me more about someone than those trivia questions or asking for some kind of sneak aside from her. Yeah, exactly.

Yeah. Yeah, exactly right. So I really love to hear it about what was a win for you and unpack it from there. But I think giving people the opportunity to highlight something that they're really proud of achieving is a good way to get to know someone's values and where they need to join the team.

Maybe a good place to plug them in for a quick win during the first onboarding period. Yeah, it set them up for success. 100%. So how about if we fast forward into the future just a little bit?

I'll let you decide how much into the future you'd like to take this question. But if we look into the future or fast forward into the future, what's one tool or service that you just wish someone would build already that you think would make that future so much better and so much brighter? That maybe you haven't had the opportunity to build yourself or it hasn't been a business priority yet for you and your places that you've been at. This is a leading question for the entrepreneurs that are listening to the podcast.

I was going to say, I wish I had a good app to pitch right now. Oh, okay. All right. No, I come back when you could come back and say, John, ask me that question again here.

I got an app now, like in the future. Perfect. Thanks, John. Thank you.

I think personally, personally, I would love for inexpensive, easy button for nitro cold brew at home. I have been searching for a convenient way to make a nitro cold brew at home and I have just not been able to find it. It's doable, but it's a real labor of love. And I would love to just like the dispenser in your fridge or you can get ice or water.

There's more like another button that's nitro cold brew. That's not a fridge that serves your nitro cold brew and all you have to do is put the beans in at the very top and it does the rest. That's right. If you're listening, Samsung, that's, I would buy that.

There you go. We got your first zone right there. From a, from a professional standpoint, I would really love to see the continued integration of this kind of self-healing tools or AI remediation, like Dependabot in GitHub where, you know, hey, we detected there's bones in these libraries. And we've actually even queued up a PR for you.

We need to just review and approve. I'd love to see that get tied in with a lot of the good work that's being pioneered now around software build materials and this vulnerability exchange. We should be able to move towards a future where we have as close to a hundred percent confidence as possible that, again, the robots can do this work and free us out to be more focused on what comes next. Do you think we'll get to a world where the secure software development lifecycle could be 100% automated by something like Harness?

I would love to see that future. I think we're, I know at Harness, we're running in that direction as fast as we can. I think there's lots of interesting challenges to overcome, but peering into the crystal ball, I think there's a future where we're at least close to that. I think so too.

I'm very optimistic about this and I'm very grateful and humbled that there are people in this world, very smart people in this world dedicated to this problem. And especially there at Harness, thinking about it and moving not just that company forward. It's an open source project. There's lots of contributions that are going back.

Like it's all, there's nothing obscure about it. It's very transparent and can really help a lot of people move more quickly. Great story. And I'm excited.

I'm excited about the future. I think there's lots of opportunities in front of the industry and it's cool to be one of the many people pushing on the cart. To move things. Yeah, definitely.

Absolutely. Would you like to leave our listeners with any words of wisdom, perhaps advice for your younger self that you wish you had heard back in the day? Well, what a great question. There, there are many.

I don't even want to give a number because there's so many variants, but there are many jobs in the country and around the world. I think just the name security can come across intimidating to some folks. There are some, there's some historical baggage that the industry carries that I think in many companies we're beginning to see some, some healing and some relief. And so maybe the words of wisdom is give security a try.

Reach out to someone. One of my, along with mentoring the team, one of the highlights for me has been when they get the opportunity to speak with people who are considering a career in security or considering transitioning from, from a different role into a security focused role. I think that's where we as an industry get stronger. I think that's where, to your point, a lot of our creativity and excitement comes from.

And so my word of advice would be give security a shot and you might be surprised with how much you enjoy it. Amazing. Thank you so much, Andrew. It's been a real pleasure to have you on the show.

Thoroughly enjoyed our discussions. Thank you. Thank you again. Thank you so much for your time today.

And thank you to all of our listeners for tuning in to another episode of the Security Podcast in Silicon Valley. Thanks for having me. I'm John. This was great.

‹ 27. Colin Bitterfield - Head of Security (Acting CISO) People Data Labs

25. David Gurle - Founder and Executive Chairman at Hive, on Empathy, Innovation, and Disruption ›