DtSR Episode 641 - Kevin Fielder Security Principles and Guard Rails
Feb 18, 2025
In this discussion, Kevin Fielder, the Chief Security Officer for NatWest Boxed and Mettle, shares his expertise in cybersecurity and cloud-native technologies. He highlights the importance of integrating security practices with business goals and advocates for automation in development. The conversation navigates the challenges of vendor relationships and the significance of strategic partnerships in enhancing security. Reflecting on past experiences, Fielder underscores the need for effective communication across teams to bridge gaps and align security measures with organizational objectives.
Building a responsive security infrastructure in a cloud environment allows organizations to address emerging threats while adhering to financial regulations.
Translating technical security needs into business-friendly language fosters collaboration and aligns security priorities with broader business objectives, enhancing overall security awareness.
Deep dives
Navigating Security in Modern Financial Services
The Chief Security Officer of NatWest Boxed and Mettle shares insights on managing security in a unique environment that blends startup agility with the backing of a large bank. The organization operates entirely in the cloud, using AWS and GCP for various operations, including security and data management. This setup allows the integration of modern security practices while still adhering to stringent financial regulations. By building a responsive security infrastructure, the organization can effectively address emerging threats and vulnerabilities in a rapidly evolving digital landscape.
The Importance of Context in Vulnerability Management
Effective vulnerability management requires more than just identifying risks; it involves putting those risks in context. Rather than simply labeling vulnerabilities as critical or medium based on scanning tools, the team assesses the likelihood of exploitation, taking into account the actual systems involved. For instance, a vulnerability on a deeply embedded container might be deemed less critical than one exposed to the public internet. This contextual understanding helps prioritize security efforts, focusing on high-risk areas while maintaining operational velocity.
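The contextual prioritization described above can be expressed as a small scoring routine. The following is an added example written for this summary, not code from the episode or from NatWest Boxed or Mettle; the severity weights, exposure factors and the sample findings are all constructed here for illustration, and a real deployment would tune them to its own asset inventory and risk appetite.

```python
from dataclasses import dataclass
from typing import List

@dataclass
class Finding:
    """One scanner finding plus the deployment context the scanner lacks."""
    finding_id: str
    asset: str
    scanner_severity: str        # label the scanner emitted: critical/high/medium/low
    internet_exposed: bool       # directly reachable from the public internet
    reachable_from_untrusted: bool  # reachable from an untrusted network zone
    exploit_available: bool      # public exploit code or known active exploitation

# Illustrative base scores per scanner label (assumed values, not a standard).
SEVERITY_BASE = {"critical": 9.0, "high": 7.0, "medium": 5.0, "low": 2.0}

def contextual_score(f: Finding) -> float:
    """Scale the scanner's severity by how reachable the affected system is,
    then bump findings that already have a working exploit."""
    score = SEVERITY_BASE[f.scanner_severity.lower()]
    if f.internet_exposed:
        factor = 1.0          # public-facing: keep the full scanner severity
    elif f.reachable_from_untrusted:
        factor = 0.7          # reachable, but only after crossing a trust boundary
    else:
        factor = 0.4          # deeply embedded, e.g. an internal-only container
    score *= factor
    if f.exploit_available:
        score += 1.0
    return round(min(score, 10.0), 1)

def tier(score: float) -> str:
    """Map a contextual score to a remediation tier (assumed cut-offs)."""
    if score >= 7.0:
        return "P1"
    if score >= 5.0:
        return "P2"
    return "P3"

def prioritize(findings: List[Finding]) -> List[Finding]:
    """Order findings so the highest contextual risk is worked first."""
    return sorted(findings, key=contextual_score, reverse=True)

# Constructed sample findings: same scanner labels, very different contexts.
SAMPLE_FINDINGS = [
    Finding("F-1", "batch-worker-container", "critical", False, False, False),
    Finding("F-2", "public-api-gateway",     "medium",   True,  True,  True),
    Finding("F-3", "customer-web-frontend",  "high",     True,  True,  False),
    Finding("F-4", "internal-admin-portal",  "critical", False, True,  True),
]

if __name__ == "__main__":
    for f in prioritize(SAMPLE_FINDINGS):
        s = contextual_score(f)
        print(f"{tier(s)} {s:>4} {f.finding_id} {f.asset} (scanner said {f.scanner_severity})")
```

Running it shows the point of the passage: the scanner's "critical" on the embedded batch container ends up in the lowest tier, while a "medium" on the internet-facing gateway with an available exploit outranks it. The factors are deliberately simple so that the reasoning behind each ordering is visible in the output.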
Adapting Security Approaches to Business Needs
Translating technical security needs into business-friendly language is crucial for engaging with stakeholders at all levels. The security team is tasked with conveying how security measures align with broader business objectives, making it easier for executives to understand risks without overwhelming them with technical jargon. This entails simplifying complex security metrics into actionable insights, ensuring that both teams and leadership are aligned on priorities. Maintaining a collaborative environment fosters a culture of security awareness across the organization, ultimately enhancing overall security posture.
Partnerships with Vendors and the Power of Relationships
Building strong relationships with security vendors is essential for effective tool integration and problem-solving. A focus on partnership rather than transactional interactions yields better results, as vendors who understand the organization's unique needs are more likely to provide relevant solutions. Successful engagement involves open communication, genuine interest in helping solve problems, and offering valuable resources without an immediate sales agenda. This approach reinforces trust and positions the vendor as a strategic ally in navigating the complex security landscape.
TL;DR: On this episode we welcome Kevin Fielder, CISO @ NatWest Boxed & Mettle, advisor, investor, coach, and speaker, to talk about building guard rails and principles that minimize security's negative impact on business and technology while raising the bar for attackers.