GreenSky's Ken Bowles on Auditing Controls before They Silently Fail

18 snips

Nov 25, 2025

Ken Bowles, Director of Security Operations at GreenSky, boasts 15 years of expertise in healthcare and financial services security. He dives into practical strategies for prioritizing security crown jewels and managing cloud permissions. Ken reveals how AI significantly speeds up analyst investigations, reducing time from 30 minutes to mere seconds. He emphasizes the need for regular audits of security controls to prevent silent failures. Additionally, he discusses the importance of training analysts with AI support and the evolving role of the MITRE framework in modern security operations.

Ask episode

AI Snips

Chapters

Books

Transcript

Episode notes

ADVICE

Protect Crown Jewels First

Start your SecOps by identifying and protecting the organization's crown jewels, then scale outward.
Prioritize access reviews and permissions for those assets to reduce cloud over-permission risks.

INSIGHT

AI Lowers The Barrier To Insight

AI and LLMs reduce barriers to insight by unifying searches across disparate security systems.
This yields faster investigator response and more effective operations.

ADVICE

Create A True Single Pane Of Glass

Build a true single pane of glass by connecting your SIM, EDR, and other tools so analysts see correlated context in one view.
Use automation/AI to surface relevant fields and reduce time-to-action.

Get the Snipd Podcast app to discover more snips from this episode

Get the app

Over his 15-year journey through healthcare and financial services security, Ken Bowles, now Director of Security Operations at GreenSky, has collected a plethora of practical strategies for prioritizing crown jewels, managing cloud over-permissions, and building SOCs that scale effectively. He reflects on transforming security operations through AI and intelligent automation and discusses how AI is reducing analyst investigation time dramatically.

Ken also asserts the importance of auditing security controls before they silently fail. The conversation touches on the evolving role of the MITRE framework, the concept of signaling versus alerting, and why embracing AI might be the best career move for security professionals navigating rapid technological change in cloud environments.

Topics discussed:

Building security operations programs around crown jewels and scaling outward to manage the most critical assets first.
Managing over-permissions in cloud environments that have snowballed across multiple administrators without proper governance.
Using AI to reduce analyst investigation time from 30 minutes to seconds through intelligent data enrichment and context.
Creating true single-pane-of-glass visibility by connecting security tools and data sources for more effective threat detection.
Training new security analysts with AI assistance to bridge knowledge gaps in SQL, SOAR platforms, and log analysis.
Documenting institutional knowledge while encouraging analysts to trust their intuition when something doesn't look right.
Understanding the limitations of impossible travel alerts and using AI to establish user behavior baselines for accurate detection.
Applying the MITRE framework as a guideline rather than gospel, adapting detection strategies to specific organizational needs.
Implementing signaling approaches that label security-relevant events without creating alert fatigue for security operations teams.
Auditing security controls regularly to catch configuration drift and ensure protective measures remain effective over time.

Listen to more episodes: