At Nightfall, we believe in the power of learning from those who have done it before. That’s why we created CISO Insider — a podcast interview series that features CISOs and security executives with a broad set of backgrounds, from hyper-growth startups to established enterprises. Through these interviews, we’ll learn how industry experts overcame obstacles, navigated their infosec careers, and created an impact in their organizations.
We’re sharing the unique opportunity to learn how to further your security expertise, hear best practices from thought leaders, and learn what to expect when pursuing a career path in the security industry. For CISOs and executives, it’s an opportunity to share learnings and provide mentorship at scale. Security professionals will get a unique lens into the security landscape, uncovering career-accelerating insights.
Datadog CISO Emilio Escobar joins CISO Insider for a discussion on data security approaches for today’s cloud-first world. By seeing data as trust, Emilio can influence his teams to find better solutions to data security problems and learn from typical pain points.
Click on the player below to listen to the chat, or follow along with the transcript in this post. For questions, feedback, and suggestions about CISO Insider, including suggestions for CISOs you’d like to hear from, please email us at firstname.lastname@example.org.
Chris Martinez: Welcome to CISO Insider, Nightfall’s chat with Chief Information Security Officers. We host CISOs from different industries to discuss their pathways to the role, the challenges they face in their everyday work, and lessons they can share with anyone aspiring to become a CISO. This podcast brings you into the world of cybersecurity and gives you a window into the most brilliant minds in the business.
Chris Martinez: Datadog CISO Emilio Escobar joins CISO Insider for a discussion on data security approaches for today’s cloud-first world. Emilio shares how he sees infosec: creating security responses based on people and teams over brute force blocking of apps and systems. This approach allows Datadog to defeat the enemy of complexity in IT service quality, and helps build a more inclusive culture at the company. By seeing data as trust, Emilio can influence his teams to find better solutions to data security problems and learn from typical pain points. We're excited to share this and more from our chat with Emilio in this episode. Please join me in welcoming Emilio to CISO Insider.
Chris Martinez: We're going to get started with some questions on data security fundamentals. In your own words, why is data security so important to you in your role and for your company?
Emilio Escobar: I think data is trust. In our business at Datadog, our customers send us their data and logs, and they trust us with it. Without proper data security, that means that they can't fully trust us as a vendor. We have to give them the assurance that their data is handled with the utmost care and that they can benefit from their own usage of that data. We need to have the right controls in place.
Chris Martinez: How has your experience as a security practitioner in the entertainment and media industry informed how you approach data security?
Emilio Escobar: Working in the media and entertainment space taught me the different cohorts of the value of data. In security you always prioritize data that has liability concerns behind it, or regulatory requirements like personal data, intellectual property, or credit cards. But, in the media and entertainment space, you also have this whole subset of data that outside that space, you don't have to deal with. Things like creative content, which has its own life cycle, which is different from data in other industries. What's interesting about it is that content is a piece of data that is meant to be shared and seen and touched by multiple hands. As you're filming a show, there are multiple stages and different people who have to see it.
Emilio Escobar: In the end you have an entire marketing team that is trying to broadcast that content as far out as possible. It was interesting to work with those teams to understand their business cases and how we can protect something that is sensitive to us, but yet still be able to be accessed by many people. It’s a different approach than usual. You have to rely on your teams and not use a typical Fort Knox point of view of security when it comes to data security in that space.
Chris Martinez: Would you be able to tell our audience which companies you worked for in the media and entertainment space?
Emilio Escobar: Prior to Datadog, I was running security for Hulu, which is a video on demand and live TV streaming platform.
Chris Martinez: How do you approach the data sprawl problem in your everyday work?
Emilio Escobar: Data is continuously growing. Many people think that data is like garbage. The more you keep it, the more it starts to smell. But it has value and meaning to different teams and different business units. We have to make sure that our customers have the proper tools that they need to handle and manage their everyday work. We have a known catalog of services and tools that we use at Datadog. We know where the data is, so we can help them apply the right level of controls and legal agreements. But then we also create an environment where our culture is open. People can ask for new tools if the ones that we currently support do not meet their needs.
Emilio Escobar: We enable our teams by trying to reduce the probability of shadow IT. We don't put a lot of blockers that keep people getting the tools that they need for their work. We work with those teams to understand the life cycle of data that I mentioned. We ask questions like, What are we using? Who needs access? How long do we keep it? And then we try to take an approach of “set it and forget it” so they don't have to continuously think about that on top of their day-to-day work, which for most of the company is probably not security related.
Chris Martinez: We talked about shadow IT with Chris Sandulow at MongoDB. Can you define what shadow IT is for our listeners who don't know what that term means?
Emilio Escobar: Shadow IT, in its literal definition, is tools, applications, and services that people are using that are not known to your IT or security teams, or other teams that are tasked with maintaining those systems or at least need to be informed. That includes legal, for example. I think shadow IT is a good measure to track. At Datadog, I also oversee IT security. For me, it's a good indicator of how well we are serving our customers. Do we have the right tools in place or do they feel like they're forced to go elsewhere and get a tool because the current ones don't meet their needs? I use that as a measure of IT service quality or product terminology like Net Promoter Score for how much people trust IT and why they can come to us and ask for new tools. We have a system built so they can go get what they need.
Chris Martinez: I think that's a good segue into our next question. How does your team maintain visibility and security of critical data for the entire company?
Emilio Escobar: At the very least, we rely on people. The business units know what data they need, and the value and criticality of the data. We have a hybrid approach where dedicated people like an Enterprise Applications Team, for example, make sure that we're implementing the right guard rails or controls when we onboard a vendor or a service. If the tool is managed by an operations team that sits under finance, for example, they need the right knowledge and mindset to know exactly how that data needs to be protected. Or, we rely on those teams to tell us which data they need and for what purpose. And, in a way, we make them own the security of that data.
Emilio Escobar: I think it's hard to expand a culture of security. It's everyone's responsibility. If you just have a few people doing it for everyone else, we must focus more on enabling people to do it on their own. And then if they need an escalation or assistance, then we have that team that I mentioned to help them. We focus on building guardrails and defining what is acceptable in security, and helping our teams understand the reasons why. That goes from, not just enterprise, but also on our service offering side and on the production side. We make sure all the people we work with understand the sensitivity of the data that we deal with.
Chris Martinez: As teams evolve and change the coding languages and tools that they use, what impact does this have on data security infrastructure?
Emilio Escobar: We don't rely on a blanket overview of people using a certain set of languages or frameworks, because the moment that changes, we're caught off guard. But we also realize that complexity can also be an enemy to security. One of the things that we benefit from is that we leverage managed services as much as possible. Our product offering runs Datadog’s main cloud providers and they have native services that they offer for data storage, databases, and segmentation. The benefit of relying on that is that they come with security controls that can be applied by default.
Emilio Escobar: And that way, not everyone has to think about it. We do it as part of leveraging those secure defaults while we're building out that infrastructure, so we know if they're storing data here, we know exactly where it is encrypted, who has access to it, and which applications can talk to it via segmentation. We build that into the configuration, regardless of the coding language that is used by the applications. Again, we just focus on those guard rails. We allow people to come to us with questions and we help them get there versus a checking boxes approach to security. In addition to that, we build solutions for them so they can do their work securely.
Chris Martinez: What unique challenges is your security organization facing in the new landscape of rapid cloud adoption and remote work?
Emilio Escobar: Historically, and moving forward, we've maintained a flexible work environment. We have people who are fully remote. We have people who work in the office and we have people who work in a remote/office hybrid. Datadog was born in the cloud. Not only do we offer products natively from the cloud, but a lot of the services, vendors, and software as a service that we use are cloud-hosted. We have very little to no on-prem infrastructure. But with everything in the cloud like this, anyone can access it because we can't rely on a hard perimeter to control who comes in or out. The challenge is, how do we provide the right controls to make this fully cloud model secure?
Emilio Escobar: We talk about rapid cloud adoption and keeping up with new cloud products so that we can establish those guard rails that I mentioned to make sure that the secure defaults are being used or that the teams can come to us with the security defaults for new services they want to use. We’re also dealing with an increased demand for hardware and developer workstations as hybrid and remote work expands.
Emilio Escobar: We focus on building remote or cloud-hosted development instances for the developers as well as staying on top of new cloud products and leveraging those internal experts as well. We adopted hardware authentication pretty early. One hundred percent of our employees get a YubiKey, for example, when they get onboarded into Datadog. Anywhere you try to access within Datadog, a hardware key is required for authentication. That makes it a bit simpler in common security cases where somebody gets fished, for example. There's always going to be that security challenge that gets requested with a token, which has helped us mitigate data exposure and risk from that side.
Chris Martinez: As a company that's undergoing massive growth, how has Datadog's approach to solving data security problems evolve with your company's growth?
Emilio Escobar: I have the teams focusing on continuous improvement. Our growth has been great, but with that you have different approaches for how to manage security. When your company is at one hundred people, your approach to security is different from when your company is over 2,000 people, or when you have over a thousand engineers. One of the things that has come out of our growth is that we have certain parts of our platform that are very unique or specialized. One example could be our compute environment, where we run our containers or Kubernetes clusters. Because of our footprint and scale, it requires a very specialized team to run, fine-tune, and monitor and maintain. We trust the team with the security concerns of that environment, because they hire the experts in that technology.
Emilio Escobar: We have people who sit in the security SIG chair or co-chair for Kubernetes. We have that kind of expertise internally, so we definitely trust them with that. They don't necessarily report to security, but they come with the expertise to do the work properly. On top of that, we have people within the security teams who act as advisors for different compliance frameworks or different implementations or technologies. We can leverage them and embed them deeper with other teams to make sure that security concerns are being addressed appropriately. We deliver value to customers by providing them with the tools that they need to do their work securely. That has been evolving as the company has continued to grow.
Emilio Escobar: Very early, we built a culture where security is everyone's responsibility. We have a good dynamic where people come to us with questions. We work with them. I don't like checkbox approaches. I don't like throwing things over the fence to other teams. We continuously work to make sure that security teams are deeply involved with product engineers, and finance and legal operations teams, to make sure that we're working with them to prioritize security. Enabling that trust goes both ways. Building champions across your entire company is the best way to scale security. That way you don't need security as one all-seeing eye everywhere. That’s definitely not going to scale for us.
Chris Martinez: How are you addressing different security challenges among your infrastructure and different apps? Where have you identified the biggest gaps and where are the biggest learnings coming from?
Emilio Escobar: I see the needs of the business teams as a hierarchy. There are teams that still are in that survival stage of needs where they might need more feedback and very basic support. But then you also have teams that are a little bit more advanced in their practice. They might be in that self-validation stage where they have a good sense of what's happening within their environment or products. They just need somebody to validate that what they're doing is proper and that gives them the growth and self-validation they need at a higher level. We have coverage for all of that.
Emilio Escobar: One example for the self-validation could be a pen test. If you have a team that is really good at threat modeling or identifying failure domains and working on implementations to address those, and we test against that and see how well they're doing, that gives them continuous feedback both internally and externally. We provide those services and continue to learn. Our best learning comes from feedback. I'm pretty transparent. I like to give feedback, but I appreciate the feedback even more. I always welcome and encourage people to give us feedback into how we're doing. I ask them questions like where are we not doing well, where do we disappoint, and where do we overpromise and underdeliver. We learn from this feedback and we learn from our mistakes.
Emilio Escobar: If everything is working fine, we wouldn't need to change. I always encourage people to give us constructive criticism we can learn from. We know nothing is perfect. Every time I hear someone say everything is great, I always challenge that cause I'm sure there are times where they thought, "I wish I could have been able to do this but security didn't allow me to, or we were not allowed to for any other reasons where security can potentially help."
Chris Martinez: Where are the biggest hotspots or areas of concern for data security in your organization? This can be general like code repos or databases or specific like apps and other platforms that you use.
Emilio Escobar: We have unique needs based on what we do as a business, but we also have some overarching needs that I think the entire industry also has a problem with. We've made significant investments in this problem already. We continuously focus on the integrity of the software artifacts when we, as a business, build software that our customers trust us with and run within their environments. We continuously make investments in making sure that the trust level for that can continue to grow and we keep learning with what's happening in the industry.
Emilio Escobar: The entire open source ecosystem and supply chain is very complex. This is an area that we're constantly focusing on and investing in. It’s a security hotspot throughout the industry. It applies to us a lot because of what we do, but every company out there leverages open-source technology, or they rely on critical vendors that leverage an entire supply chain. It's something that we continuously think about and we address it in areas that make sense for us. We also work with industry peers for new approaches and new lessons to solve that a bit more collectively.
Chris Martinez: What's one hidden or lesser-known skill that security leaders need to excel in their work, on the security side and as a successful manager and coworker?
Emilio Escobar: This is an area that I spend quite a bit of time thinking about. As I grow my teams, I just have to say one word. Empathy. We have to focus on the people. We have to listen. I believe that security isn't a given. Every business needs risk for it to be a healthy business. Our job is to make sure that the business is operating within the boundaries of risks that are acceptable. Not a riskless environment, but we know we have risks that are known and acceptable. It's a continuous journey. We chip away at progress and work towards a goal that keeps evolving.
Emilio Escobar: I will say to security leaders, you have to find joy in that. The only way you can successfully do that is by leveraging the people around you. Not just security people, but everyone in the business, because at the end of the day, everyone should want their business to be successful. Everyone should have a say into what that is. You have to enable that success. You can’t make security a black box. For security to be everyone's responsibility, you have to get involved in the business and support other needs that might not be security related. This could be cultural needs, or growth needs, or diversity needs. You need to be part of the business in order for the business to be a part of you.
Chris Martinez: What motivates you to get out of bed every day as an infosec leader?
Emilio Escobar: Sometimes there are ups and downs. Some days you say, "Ugh, another day” when you wake up. For me, I’m motivated by the people I work with, not just my teams and my direct reports, but also everyone at Datadog and in the infosec community. What motivates me every day is asking, “What new thing can I learn?” When there’s a new breach to read about that day, I know potentially my board is going to ask me about it. I welcome these days because that’s where the greatest lessons come from. And so I get motivated by learning, that's what gets me out of bed. Every time there is a new challenge in the IT space, I enjoy it because it's something that's new to me and I learn from it. If I were to say it in one word, it's learning.
Chris Martinez: What are the top two lessons you've learned from your team in the last year?
Emilio Escobar: I’ve learned that people are generally interested in everything that happens at the company. People want to know what security or IT or any other team is thinking and doing. They ask questions about why we are doing things, how can we help their teams, how it impacts them, and how it compares to other priorities and what are the trade-offs? I think focusing on transparency is critical. People want to be in the know. They want to be involved, and want to feel included. The most successful culture is one where you allow people to feel included in everything. Datadog does a really good job at communicating business ideas, direction, reasons, and results with our employees. That way they feel included and their work actually matters.
Emilio Escobar: The information has to be more than just the day to day, sprint to sprint, or OKR to OKR view. Those things don’t help if you don't understand what the big picture is. That was a good lesson learned within the last year. It’s refreshing to see that as a reminder every day at Datadog.
Emilio Escobar: The second lesson I’ve learned from my teams this year as a first time IT manager was reinforcing what I’ve always known about being customer-first. I did consulting for a long time early in my career. That taught me to really be customer-first. But in IT that's even more critical. An example is when security makes a policy change where they implement two-factor authentication throughout the company. Usually IT takes the brunt of the change. Security most of the time is siloed, where they make the policy change and IT has to deliver. IT is the team dealing with the tickets, user feedback, and training.
Emilio Escobar: What I've learned with IT this year is getting more visibility into that process and how much of the customer story we have to focus on before we make changes. We must be transparent about why we're doing it and the outcome that we're looking for. The change curve has been a huge lesson for me in the last year.
Chris Martinez: How does your team approach data security when acquiring companies and integrating the workforce and systems of an acquired company?
Emilio Escobar: This is a good thing for us. We have an active Corp Dev team. We're pretty much attached at the hip with them. They loop us in when we're working on an acquisition and they gave us time to do the due diligence. We do two types of due diligence depending on the company or environment or transaction that we're working on. We have an overarching due diligence, which is based on questionnaires and interviews. We get documentation and policies from the companies, if they have any. Then we give a pretty good risk picture of this potential acquisition to the business so we know exactly what are the hotspots that we need to worry about for environments that have their own infrastructure with customer data, or any kind of data. We also do security assessments of those. Then we work with the leadership of that company to address any potential issues we discover.
Emilio Escobar: During the acquisition process, we act as an advisor and consultant not just Datadog, but also for the company that we're working with. We inform the business and help them get better. Let's say we decide for whatever reason that the transaction doesn't go through. At least we helped them get better with their security posture.
Emilio Escobar: On the integration side, we immediately work on a plan for how to migrate their data into systems that we are currently using. That way we know that the controls are applied. Instead of applying controls elsewhere, we move the data to where we know the controls are. Depending on the roadmap, maybe we do something on their systems, if the outcome that we want is the data to move over. That’s one way we can feel comfortable with what we have, and we don't have to worry about something new to maintain. Complexity can be adverse to security.
Chris Martinez: Do you have any podcasts or books that you can recommend to our listeners?
Emilio Escobar: I enjoy the Hacker Valley Studio Podcast, and the CISO Series Podcast. Another one that is not directly related to security is Pivot with Kara Swisher. It's a really good podcast with a host that understands the business landscape, venture capital, startups, business ideas, go to market, and a lot of other things I think every security leader should know or be involved in within their own company.
Emilio Escobar: As far as books go, recently I read The Culture Code: The Secrets of Highly Successful Groups by Daniel Coyle. I thought it was really important for learning how to build a culture that enables growth and success of the business. The one book that I always recommend is What You Do Is Who You Are: How to Create Your Business Culture by Ben Horowitz, where he focuses on building a culture within your organization, team, or company, depending on the scope or scale that you operate in right now. The process should resemble who you are as a person as it comes naturally. It doesn't seem fake and then you can scale for the long term, versus if you're going away from what your true beliefs are, then people are going to catch you in that lie pretty quickly. I like that book because the way he writes and some of the case studies that he presents are not even business-related. They’re just really good to read through and learn from.
Chris Martinez: Do you have anything you'd like to promote, like your social media channels, articles you've written or your team has written, or anything else?
Emilio Escobar: Check out Datadog. We're always hiring. Follow us on social media. I'm on social media as well, if you want to follow me. I mostly post sarcastic comments on Twitter, but happy to chat about anything industry-wide related as well. And definitely promote your local security chapters, whether OWASP and any local diversity groups in your area. Hopefully we can match opportunities with where the talent is, and address the so-called cybersecurity skill gap.
Chris Martinez: Thank you so much. Emilio. I had a wonderful time talking with you today.
Emilio Escobar: Thanks for having me.
Chris Martinez: Thanks for listening to CISO Insider, a podcast created and sponsored by Nightfall AI, the industry’s first cloud native data loss prevention solution. If you are enjoying this show, please leave us a review and rating on Apple Podcasts. The ratings and reviews help more people find us. Follow Nightfall on Twitter, Facebook, LinkedIn and Instagram at Nightfall AI. That’s Nightfall AI, and email us at email@example.com with questions, feedback and suggestions about CISO Insider, including suggestions for CISOs you’d like to hear from. Stay safe out there and we’ll see you again next time.
Next time on CISO Insider, it’s our Season 2 recap episode featuring the best quotes and highlights from our six episodes this season. We’ve gathered insights, lessons, and other valuable soundbites from CISOs and security leaders at Even Financial, Segment, MongoDB, One Main Financial, and Datadog. Stay tuned for this episode coming September 1!