Every week, Casey Cammilleri interviews an expert leading the charge on empowering security experts and practitioners with the knowledge and insights needed to excel in the future of cybersecurity.

In our latest edition, we dive into our interview with Jack Leidecker, CISO at Gong. Here are the top takeaways from the interview.

#1: Expect Creativity and Measurable Impact from Your Security Teams

“If I have no value, I don't want to do that. So, I mean, that's always something. I always push with my vendors, too. It's like, look, we're paying you. I want you to find something different. I want you to get creative with it. Let me know what you did that's not just something that was scripted, because I can do that myself.

“And in fact, we do do that ourselves all the time. We want to check what's happening. Some of the stuff we've done more recently with my new offensive security guy, he's been doing a lot of automated purple teamwork, too, which is kind of cool. That way we get a baseline, ‘hey, are we not detecting this? How can we change it? What's going on with it?’ So even currently, we use that a lot.

“And I would say also if you're thinking about, from an executive perspective, being able to quantify impact and show what it actually does is very meaningful. Because then you get out of that theory where it's like, well, we think we might have something and it's like, no, no, this is what actually could happen.”

Actionable Takeaway: Push vendors and security teams to be creative and show measurable impact. Automated security checks are useful for establishing baselines, but executives need more than scripted processes. They need solutions that quantify real threats, identify undetected issues, and demonstrate the tangible business impact of security measures.

#2: Shift Security Mindsets to Collaborate with Developers

“Some of it is even I almost say philosophy in a way. I always feel like I have to get some of my security guys’ mentality shifted a little bit. And what I mean by that is I've never actually met a dev that wanted to write bad code, right? They need to get new code out. That's what they're doing, but they just want to do their job.

“And I think as silly as it is, if you can get that mentality, it's not a confrontational discussion. We want you to do it. I want the company to make money. That's where I get a lot of benefit from it, too. How do we do that? So being able to integrate into that part and shifting the mentality, like, hey, we're not just here to find problems. We want to create better processes. We want to streamline it.

“Integrating in our CI/CD pipeline helps quite a bit, too. And then also being able to show that, hey, if we can fix this beforehand and start blocking it, which we've been doing more and more of, if you have an AMI that has a high vulnerability, it's not going to production anymore. Hey, we scan with our different code-scanning ones, and it's like that package has some vulnerabilities. Let's just stop it, right? And that wasn't an easy thing to put in place, I will say. Not everyone is able to do that, but it is one where if you do it, because then it makes it easier for them — hey, you're not dealing with a whole bunch of vulnerabilities after the fact. We're stopping it before”

Actionable Takeaway: Align security and development teams by shifting mindsets. Instead of focusing on finding problems, security teams should work toward streamlining processes and ensuring developers can push code safely. Integration into the CI/CD pipeline ensures vulnerabilities are caught early, reducing post-deployment issues and improving workflow efficiency.

#3: Rethink Pen Tests to Make Security a Continuous Process

“How are you looking at different things now? If you're doing a pen test once a year, probably not going to be super reflective of it. again, cost does become a challenge for a lot of orgs, but it's how are you building it into your process that you understand what's going on? And even if you can't do a full pen test, what else can you do to help validate some of your controls?

“Some red team exercises, because there's a lot of stuff that's out there now. It's a lot easier than it used to be to be able to do it. Like a lot of times a lot of the blue teams want to be able to jump into some of that too. So you don't always have to have someone dedicated, if you can. Awesome. That gives them a different focus. They can get more creative. I think it's super helpful. But if you can, even figuring out on your team who's interested and wants to do some of that and how do you augment that with other people, too?”

Actionable Takeaway: Annual pen tests won’t provide a comprehensive understanding of risks. Consider integrating more frequent tests, red team exercises, or automated checks into your processes. This approach helps validate controls continuously and builds a deeper understanding of your organization’s security posture, even with limited resources.

Listen to full episodes out now:

For more information about Ahead of the Breach, please visit www.sprocketsecurity.com/aob-podcast. Episodes are available on all major podcast platforms.

Apple

Spotify

YouTube

We look forward to bringing you more conversations with actionable insights that help in your pursuit to protect your most valuable assets — and help clients do the same!