Interview with Ankush Chowdhary

[00:00:00]

Pratik Roychowdhury: Hello, and welcome back to another episode of Prosec Decoded, a podcast where we explore the fascinating intersection of product security and ai. I’m ri.

Chiradeep Vittal: And I’m petal. We are host for your show.

Pratik Roychowdhury: In today’s episode, we had the privilege to feature an exceptional leader and visionary in cybersecurity Anri. He’s currently serving as VP and CISO at HPE. Unkush has had a remarkable career in some of the biggest names in tech, Google, Microsoft, Amazon Web Services, and IBM. Very led to shield digital and cloud security, innovation and transformation.

He was also recently appointed to the Forbes Technology Council. He has been featured in several cybersecurity magazines and is also an author of a book on Google Cloud Professional Cloud Security Engineer Exam Guide. I.

Chiradeep Vittal: In our conversation today, Anush takes us through his experiences in cybersecurity, offering [00:01:00] practical wisdom on navigating product security challenges in the AI era. He shared with us product security use cases and challenges, and also how enterprises should think about product security journey. Take a listen.

Pratik Roychowdhury: Kush, welcome to the product coded show. It’s a pleasure to have you here with us today.

Ankush: It’s pleasure to be here. Thank you.

Pratik Roychowdhury: So RSA was a couple of weeks back. How was your experience there? What were the key takeaways? I mean, EP and I were both there. We at some of the parties, but also went to the expo hall. So would love to hear how your experience was.

Ankush: Yeah, I, I, I think I wasn’t surprised to see that AI dominated I think we see a flavor of AI in nearly every security pitch in, in there, but I, I think my key. Takeaways and, you know, some of the things that I was very closely looking at is not how. AI has been added as an add-on to an existing set of, you know, suite of [00:02:00] products, you know, of security tools that we have out there, but you know, who are the key players who have just thought about bringing in and changing the entire way of delivering a security offering. By implementing ai. So I think there were very few of those. I, I think there was one non third party risk management that I was very closely looking at on how AI is coming in to change the way a third party risk management is done. So I think it’ll be really, really good to see when we see more adoption of ai, of not just. You know, having the chat bot and LLM kind of capability implemented into the products, but, you know, how are we changing the game completely by rethinking on delivering the products on how they’re currently delivered. So I think that that was my key thing on what I was looking at.

Chiradeep Vittal: Yeah, and this year is supposed to be the year of the agents. So we saw agents everywhere. But one question, you know, I would just neatly divide everybody’s like, are you doing AI for security? Or security for ai? So anything on. [00:03:00] The security for AI that you are interested you.

Ankush: I think that that, that, that’s actually a good point. There were few out there, which, you know, I think we are looking at now I think that three models, how we look at how AI is being used how AI is being developed or being integrated, and then how AI is being secured itself, right.

And. And I, I think it’s, it’s been really good journey to see on how, and this is something a, a topic very close to me, is how data security is coming at the center of all of it, right? You don’t have a data security strategy. You don’t have an AI strategy, especially with all of those LLMs, which are data hungry. I, I think it’s becomes really, really important on having a good data security story as well. And then, then I think of the really good things out there was also how you’re securing your own data with the likes of, you know, copilot coming in and, you know, some of the other capabilities, you know, how the agents are doing what they are being used, not just for security use cases, but other broad use cases.

I, I think very recently wrote a block [00:04:00] a couple of weeks back around. How we are seeing agents within an organizations who are essentially in cahoots with each other, right? So we are now giving the in, in a lot of, in, in a non-security way. I think insecurity was still far away from giving fully autonomous capabilities for agents to execute tasks. But, you know, sales, marketing, you know, and some other business functions we are seeing. How the agents are performing these functions, which are fully autonomous and, you know, an agent in marketing is promoting something, what an agent in compliance is redlining, right? So we’re seeing this internal conflict between the AI agents, which is going to be very interesting area on, on how it develops as we see more and more of businesses adopting these agents here.

Pratik Roychowdhury: Actually, we saw the the blog post around agentic civil War. We , go over it a little bit more later on in the podcast, but just before we dive into the the meat of it. Just to kick things off, maybe would love to hear about your cybersecurity [00:05:00] journey. Obviously you have led security teams in some of the largest names in tech, Google Microsoft, Amazon, IBM, and now hp. So would love to hear about your journey what led you into cyber and some of the key highlights and learnings along the way.

Ankush: So I, yeah, I, I usually start my, my, my journey on how it started it, so I’ve been across what, three different continents. I have lived, worked in Australia about 18 years, and I started my security journey over there. And, and you know, back in 2000, you know, security was just network security. It wasn’t anything more. And then, over time we saw multiple domains come in.

We saw firewalls evolve into the next generation. Intrusion prevention systems. We saw more and more into identity space. We saw endpoint security come in. So I think as all of these new domains kept evolving you know, I, I think my career evolved at the same time. So one of the things which I think I’ve been very fortunate enough is, you know, when I look back at my career is, I, I think I’ve [00:06:00] done, if not all, most of the roles in security.

You, so I’ve been a hands-on engineer. I have been an architect, consultant and advisor, and you know, now. Being in, in a CSO capacity you know, running teams across different domains. So I, I, I think what, what it gives me, which, which I, I really value and, you know, again, I say I’m, I’ve been, been fortunate enough to be, to have that opportunity is to work in each one of these domains as they evolved and how my career evolved as well, which gives me a very different perspective on, on, on looking at security and being more. More hands-on with, with my teams and, and understanding the domains and and what the challenges are. So yes, it’s, it’s definitely been a great, great experience just having been involved through all of those domains, not just you know, specialized in just one area. So,

Pratik Roychowdhury: Yeah. , that’s, absolutely fascinating. . So let’s just dive into product security and. to kick things off let’s start with the fundamentals. There is a lot of talk about what is product security, how do you define it? Is it just a fancier name for AppSec or [00:07:00] is it different because AppSec focuses more on the code and pipelines and

product security focuses on the holistic views.

Ankush: I think my, my definition on, on product security and, and the way I look at it is is is much broader, right? It’s about it’s more of a practice of how do you embed. Security into every phase of the product’s lifecycle, right? The design, the development, and the deployment and the maintenance, right?

It’s, it’s not just about how you’re fixing vulnerabilities, but to ensure that security is that foundational pillar and it’s not an afterthought, right? So we’ve seen, you know, traditionally in security or you know, how we are so much focused on protecting systems reactively. and product security gives us this opportunity when, you know how we are building resilience by design and, and it’s that shift from. How do we protect this to, you know, how do we ensure that this can’t be broken? Right? So some of the principles that we see that are coming into the product security is like, you know, Hey, I’ve gotta got fail safe built into it, right? [00:08:00] It’s not just about me protecting it, you know, I just wanna make sure it, it’s, it’s hard to break, right?

So I think that’s my, you know, kind of definition of what I look at product security as.

Pratik Roychowdhury: Yeah, that makes sense. And you talked about , reactive, security, protect versus can be broken. So maybe in that. Context. Another thing that coffin comes up is in product security and in general within cybersecurity, is the concept of proactive or preemptive versus reactive security.

I mean, Gartner quotes that by 2030, you know, preemptive security will account for 50% of it budgets and so on. So maybe, if you don’t mind elaborating a little bit more on that and also how should. Companies think about proactive versus reactive. How do they balance it? Yeah, would love to get your thoughts on it.

Ankush: I, I, I think let’s start with reactive. I think reactive is probably what, what we, we know, and this is something we need to move away from, right? So, so it, it’s, it’s more about treating symptoms, right? You, you wait for an attack, you wait for something to go wrong and then you [00:09:00] respond. And I think pro proactive is just like more the opposite of it, right? Saying, you know, how do we ensure that I can anticipate threats they happen? Right? And, and some of the reactive model, you know, aspects of quite outdated, right? We know the breaches are getting cost clear and cost clear, right?

And you know, if we look at the most recent. You know the cost of data breach. You know, I, I, I think we are now in probably higher four, four and a half million per incident, right? Which is, which is fairly expensive. We are also seeing the regulatory pressure coming in, right? We have, you know, the SEC’s new rules coming in, which is demanding more proactive measures. And, and I think that the most important thing is that the customer trust that erodes faster when your security is an afterthought. So, so you can see, you know, definitely a lot of downsides on. on reactive security. And then when we talk about, you know, preventative measures or proactive securities, and this is the things, when we are start looking at aspects like, you know, threat modeling.

You know, how do we secure by design and all those principles, how do we look at red teaming? How do we look at continuous [00:10:00] validation and not just scanning for ces, right? So I think those are the things, how we see, you know, making that shift from reactive to proactive and you know, anticipating. Things that can happen.

And you know, the two of the things that often talk about is that, know, how threat modeling and red teaming can really, really help us, you know, to build that resilience in the products, you know, throughout the different stages as we go through.

Chiradeep Vittal: I think you, you , talked to us about, in the past about threat modeling as well. So let’s double click a little bit more into threat modeling. Can you elaborate in the context of this proactive product security what are, why are people not doing it? What are some of the challenges in doing it effectively?

And what do you suggest that enterprises do to overcome these challenges?

Ankush: Yeah, absolutely. I, I, I think I see them like two game changers, right? Threat modeling, security left by identifying risks. During the design, red teaming for compliance, you know, how do we stimulate attacks for validating, you know, enterprise security controls? So, so, so let’s, let’s try to dive a little [00:11:00] bit deeper into it.

Right. So tech modeling is, is very powerful, but, you know, adoption is very inconsistent. And then I. There a lot of folks out there who might agree with it and, and may have a different perspective. But we often see, and you know, especially in the developer space, you know, developers see it as an overhead, right?

It is not integrated into workflow. is lack of standardization. We see, you know, every team does it differently, right? We see static models become outdated, as you know. Products evolve, right? And, and these are some of the challenges on how we see that. Even though some of the very mature organizations who have you know, fairly decent product development and, you know, the, the lifecycle management and the security aspects of it struggle implementing this thread modeling very effectively into the process because of those, right? But, but what do we see in the future? I think, this is something we are seeing, you know, quite a lot of shift across, right? So we are seeing. Automated threat modeling [00:12:00] tools. We are seeing, , you know, AI being used to threat to, you to, you know, suggest threats based on the architecture, the source code. We are also seeing AI now being able to execute. On those threat models, and I’ll talk a little bit about that when we, we get to the red teaming side. I think the shift left integration, how we are embedding threat modeling in CICD pipelines, I think that’s missing as well. So we often, when we talk about, you know, shift left, we have a SaaS, we have a das, we keep scanning for we keep scanning from secrets.

They’re not being exposed. and we, we, we scan them, but we are not really embedding the threat modelings in the shift left scenario as well. And, and I think the third one that we see is going to be the continuous threat modeling. You know, how do we do dynamic models that can update with code changes?

I, I think that’s going to be the next future. And I, I definitely see AI playing a very big role, not in just building these threat models, but then of course there’s a human element we need to. [00:13:00] that, you know, the, the corrections are being and the remediations are being enforced as well. It’s not just about, you know, building these threat models.

Right. So, so I think that’s, that’s how I see you know, how we are doing it now. The challenges and, you know, where we, we see going into the future.

Chiradeep Vittal: Yeah. And so, and you’re saying that the threat model can now feed into the red teaming or the proactive pen testing?

Ankush: Yes.

Chiradeep Vittal: Is that what you were saying? Yeah. Okay.

Ankush: So I think traditionally now when we talk about, you know, redeeming, you know, compliance checklists, you know, that kind of things, that’s been looking at, hey, my product is going to go you know, has a new release, you know, new features coming out. Let me make sure that, you know, it meets my compliance requirements, you know, whether I’m doing pen testing or red teaming.

You know, it, it’s, it’s moving in that direction, but, you know, but attackers don’t follow checklists, right? So, so I, I often course. Ask this question. Know why red teaming? Right I think there are three key things. One, it exposes gaps. This is what audit myths, you [00:14:00] know, misconfigurations, the logic, the flaws, you know, all of those things.

Something that can be exposed through, you know, good red teaming exercises. Validating controls in real world scenarios, you know, like the lateral movement in a cloud environment. We, I, I, I think some, one of the things that you often see with red teaming is like, you know, moving from share, you know, shifting from left to right. I. Is how the product or the application that you’re deploying is going to behave in a real world scenario. And when it’s in there, then you can execute these red teaming exercises to see whether it is built for resilience or not. I, I, that’s where red teaming really offers some, some fantastic value. And, and then preparing teams for sophisticated attacks.

Right? You know that famous saying by Mike Tyson, right? Everyone has a plan till you get punched in the face, right? And we’ve seen it so many times, response plans that have been created, but when an actual incident happens, especially if a sophisticated attack [00:15:00] happens, it just, every, every plan fails, right?

And we’ve seen that many times that happens. So I think it helps team prepare for those sophisticated attacks as well, which is, which is really interesting. It, it doesn’t come with its own challenges, right? So it’s not that, you know why we have not seen an adoption in red teaming the way that we have seen what some of the other you know, aspects of security getting embedded into the product security side of things. It a, it’s, it’s the resource intensive. It does require, you know, skill testers, it can disrupt operations if it’s not planned well. And, you know, and some organizations fear that failed tests, but, you know, that’s, that’s the point. I, I think I have seen a lot of organizations who are scanning and doing multiple scans, right?

They’re doing the SaaS, the DA scannings, and they have, you know, CBE findings and they have a big list of. related issues that need to be fixed. And then they look at red teaming and say, oh, I’m, I’m gonna have this now. Come in and it’ll add to my list of things that I need to do. So, [00:16:00] so I, I think when we have organizations who start looking at aspects of red teaming that way, I think that’s not that I should need to be heading into, but, That, that’s definitely is one of the challenge that we, that we see with within the, the organizations when they’re adopting the teaming. How do we see some of the future aspects again, you know, I think the AI angle coming in, which I was referring to earlier, so AI power powered red bots, or agents, you know, that can simulate, you know, adversarial, attacks, you know, they can do it 24 7, you know and then we can have our compliance frameworks evolving to mandate adversarial testing. I think we do not have compliance frameworks right now that mandate the adversarial attacks. We do have, you know, pen testing as a requirement, which is as the best that, what, what we see from a compliance side of things. But I think those two things definitely, in the future, which will. nudge the organization’s. You know, compliance is [00:17:00] always always a big nudge to start adopting the, the red Teamings into their end product security lifecycle.

Chiradeep Vittal: Yeah, and if you, if what you were saying is that if the AI has access to the code and if the red teaming finds an issue, maybe the AI can suggest a fix as well. So,

Ankush: It is, yeah, certainly. Yeah.

Chiradeep Vittal: Yeah, a lot, a lot of possibilities open up once the AI is embedded in the complete software development lifecycle. Yeah. Let’s shift gears a little bit and talk about AI and AI agents.

You brought, you wrote a very interesting post recently about the agent tick warfare. Could you just elaborate a little bit on that, and while you’re at it get your thoughts on the upside of AI and agents to help security teams.

Ankush: Yeah, I, I, I, I think AI agents are fantastic, so I, I think my intent was not to to flag the concern with that, you know, we are not moving in the right direction. I think whenever we move in the right direction, we always see, you know, issues and challenges, and as we evolve, we, we address them. So my intent behind the blog was. [00:18:00] What we are seeing right now and, and this is, this is a, this is a gap, right? The gap is that we are having multiple agents within an organization doing multiple tasks, some fully autonomous, some have some kind of a human intervention, but we are slowly moving in that direction where we are going to see more and more AI making decisions. Without consulting humans. Right. And I had, you know, a few use cases in there that I outlined on, you know, how we see that in sales, how do we see in compliance, how do we see in some of the other areas? And, and when you have, you know, agents within the organization which are taking decisions which contradict each other, which collide with each other, I think that the risk that it creates, and I was trying to put in a bit of a cyber insurance angle, was that, you know, who do you blame? Do you hold the vendor accountable for the AI making a bad decision? Do you hold your organization accountable for the [00:19:00] way it’s been deployed for the decision it is making? And, and if the damage happens, you know, within the organization or to your customers, then you know, is there a cyber insurance right now that covers. That aspect. Right? So, so I, I think it’s an evolving space. We are seeing some of the insurance providers who are, you know, looking into this on, on how to address that and how to, and I think that be probably in the next. And it’s rapidly I volume, we see something come up in, in months, if not years of this area becoming an actual concern where we would see something in real life happen that would create an issue where, I don’t know if you call it an insider threat, but your own agents become an insider threat for you. Right? If you, and I had a very great example, you know, if you are really, really training your AI agents to be able to be ethical and comply with the requirements you know, what if your AI agent then becomes a whistleblower for you, right?

So I, I think we would see some of those [00:20:00] areas which, with the adoption of the agent, AI will evolve. And I think some of the risks related to it will also you know, be, be more than what we are seeing now.

Chiradeep Vittal: Very interesting. I know that while I was at, you know, big job, big company jobs that always found marketing and sales and finance misaligned with my own objectives. So I’m very familiar with that. Now this happens at you know, 10 x the space. Yeah.

Ankush: one of the things that we need to learn just from this whole AI space, and I, I, I very often use this example if there is one vertical that has been using AI in a very sophisticated way from a very long period of time, is the aviation industry. So we have, you know, the planes which have been on. Operated on autopilot from a very long time. You have thousands of sensors that are being fed and all of that information being collected and processed and very safely taking actions to ensure that the lives are not [00:21:00] at risk. I, I think there’s lot to learn from that industry and things. We are, we are tapping onto some of the intel that is sitting within the aviation space that that’s fantastic.

So.

Pratik Roychowdhury: Yeah, I think, it was a very interesting blog when I, when I read it. Because humans have conflict. So why will agents not have conflict? It’s a new way of thinking. And that makes complete sense. So maybe, maybe anush shifting gears a little bit into budgets and implementations.

I guess I. One of the things that a lot of business audience like to hear is, where are the budgets for product security or maybe proactive product security coming from? Are they being reallocated from, let’s say, AppSec vulnerability management, or are they new budgets being created for that? So would like to hear your thoughts on that.

Ankush: You know, I think organization to organization have seen the budgets for product security. Just vary differently in terms of, you know and, and it really also depends on what kind of operating model an organization has. [00:22:00] Right? Some very much centralized with the security teams and they’re responsible for securing the entire organization, including the products. And it’ll be more centralized budget that’s used to manage that, right? I think larger organization, which are very, you know, product centric. Delivering, you know, products for the customers, you would see more autonomy that’s been given to the product teams in order to make their own decisions, you know, well in, in the name of innovation. And, and we often see, you know, budgets sitting with the product teams in order to make those decisions to, to, to secure that. and then we, we also have the hybrid models that exist, right? Where you have the security teams who might be responsible for an aspect of product security, which could be the underlying infrastructure that it’s being used to. On. And then anything that is source code related then sits within the product security team itself. Right. So I, I think it really depends on the organization on where the, the budget sit, depending on the kind of operating model they have within the organization.

Pratik Roychowdhury: So maybe as we wrap up if when organizations are trying [00:23:00] to implement product security, and they might have bits and pieces here and there, how do they stitch together? So maybe would like to get your, you know, guidance for these organizations. How do they, how should they think about product security?

What are some of the key things that they should take into account as they go in on this product security journey?

Ankush: Yeah, I, I, I think three things that I look at, you know, the first one is, you know assess and align, you know, map your existing controls, you know, your SaaS, your DAAs, your threat modeling to, to any of the frameworks, whether it’s. Nist, SSDF or as, which, whichever you are, right, it’s really important that you are mapping to something that just keeps you aligned, right?

That’s, that’s really important. The next one is, you know, how do you automate and integrate, right? Using orchestration tools to unify your security into your DevOps, you know, your, your GitLab built into, in your security scanning, right? So that, that’s really important on how you’re automating and how you’re integrating. and the last one is, you know, how do you. How do you measure and improve? How do you track your leading indicators? You know, [00:24:00] number of tests that are caught in design versus production? And, you know, we, we, we know from mats, right, that anything that is caught in the design stage is way cheaper to fix than something that goes into the production is like at least 10 x more expensive to fix. I think those, those three things. And then, you know, for all of the. You know, what I call, as the future radio organizations will do, is they will treat security as a product feature, you know, not as a compliance checklist. You know, they will invest in the AI augmented defenses, but they will keep, you know, the human expertise or, you know, human in the loop in order to make some of the key decisions.

And then, then embrace, you know, security as code. Infrastructure policies, controls defined programmatically. I think that really, really gives the power to make sure that you are doing things which are, are, are standardized and it, it helps you build, you know, a better more resilient product. I.

Pratik Roychowdhury: All right folks. There you have it. Another fantastic episode on product security and its implementation. So Ush, thank you so much. This was a wonderful discussion. Lots of great nuggets [00:25:00] of information and guidance that we will, our audience will love. So thank you so much.

Ankush: Thank you.

Chiradeep Vittal: From our side too. Thanks.

Pratik Roychowdhury: And thank you to all our listeners for joining us on the Prosec Decoded Podcast. If you found value in today’s conversation, please subscribe, leave a review and share with your colleagues. We’ll be back again soon with another deep dive into the evolving world of product security and ai. Until next time, stay secure.