CISO Q&A: Kim Green

This week we launched our 2017 CISO Investment Blueprint which analyzes survey responses from 100 security decision makers regarding the current state of application security. In addition to the survey results, we’ve chatted with several innovators in the security industry to get their thoughts on appsec today and the future.

Over the next couple of months, we’ll be publishing these interviews, filled with insights around the challenges and opportunities present for security decision-makers in 2017. We welcome your feedback and observations as well! Tweet us or shoot us an email to share your thoughts.

Our first interview is with Kim Green, CISO at Zephyr Health and Founder of KAZO Security. She is an InfoSec thought leader and a champion for bug bounties.

Jason Haddix: Starting from the beginning… How did you get into security?

Kim Green: I’ve worked in healthcare information technology for over 25 years now. I started off as an IT/telecom specialist in 1991 and then advancing into other various roles until I became CIO of Massachusetts’s largest community health organization. After the birth of my son, I took a two-year hiatus and during that time also relocated from Boston to Portland. Upon returning to the workforce, I contracted with the federal government to conduct FISMA (information security) audits on Washington and Oregon state information systems and their contracted healthcare payers and providers. A few years later, I accepted my first CISO role at Bosch Healthcare.

JH: Today you also work with Zephyr Health and have founded your own company. What are you most proud about in 2016 that you’ve accomplished?

KG: I started KAZO Security in February 2016. KAZO is a security advisory company using experienced CISOs with industry specific knowledge to help start-up and SMB companies develop/manage their security and compliance programs and guide them through critical junctures. KAZO started with two healthcare customers, and one year later we have signed another 12 customers in California and Washington. We are planning to expand into the Latin American cybersecurity advisory services market in September, which will operate out of Panama City.

JH: You’ve had a big year! What have you noticed to be the biggest challenges in 2016 for appsec?

KG: There are several, but in my opinion, the most difficult challenges are around third-party APIs and microservices. Transparency into a third-party’s microservices architecture is extremely limited. Way too many organizations, especially startups, are failing at microservices security.

JH: What do you think can be improved in appsec in the near future?

KG: Much of that will depend on the cloud service providers (e.g. AWS, Azure, IBM). Consider that a key strategy to increasing their market share is by way of competitive platform enhancements. This includes acquiring various security and compliance technologies and tools and rolling them into their platform.

This would eventually result in 1) creating a significant shift in the customer’s role in how application security and compliance requirements are managed,  2) decreasing an organization’s overall security and compliance budgets and 3) saying a final goodbye to 40% plus of the current cloud security vendors in play today.

JH: You’ve had quite a bit of experience with bug bounty programs. How do bug bounties fit into appsec in your opinion? Do you think that will change in the future?

KG: It’s certainly not a secret that I have been a big fan of bug bounty programs from day one, and I do see a change a big change coming. Specifically, I see bug bounty vendors evolving and offering “advanced crowdsourcing,” which uses technology to allow their research community members to be more visible and participative in identifying exploits and vulnerabilities in a customer’s microservices and system architecture.

JH: Looking to the future… What are your 2017 goals?

KG: 1) As CEO of KAZO: stay open to the many wondrous opportunities presenting themselves and to be the “best choice” for startup and SMB companies needing guidance with their security and compliance needs.

2) As an InfoSec leader: being comfortable about voicing my opinions and making the right decisions, not always the most popular.

3) As a mentor and role model: continue to give everything I have in the way of experience and wisdom to the companies and individuals I mentor and to help them catapult to be the best they can be.

To learn more about top appsec challenges and opportunities for the upcoming year, download our recently downloaded asset, “2017 CISO Investment Blueprint.”