Say hello to new Dazz advisor, Evan Morgan — Ally Financial’s Executive Director of Cyber Security Technology!
At Dazz, we’re working with the industry’s best and brightest minds in cloud technologies, DevSecOps, and cybersecurity. Today, I’m excited to share that Evan Morgan, Executive Director, Cyber Security Technology at Ally Financial, one of those bright minds, has joined Dazz as a company advisor.
Evan began his career in the U.S. Air Force in October 2001, where he served for nearly seven years “turning wrenches” on A-10s, C-130s, F-16s, and U-2s to support Enduring Freedom and Iraqi Freedom missions post September 11th. As a self-proclaimed technology and computer nerd, Evan has leveraged his technical engineering and problem-solving skills to lead organizations through large scale transformations while at Ally, and previously with TIAA and EY.
We caught up last week to discuss his new advisory role, the impact of AI and automation in cybersecurity, and his advice for CISOs struggling with cloud security remediation.
Julie: What interested you in becoming an advisor to Dazz?
Evan: The vision that created Dazz is very much a forward leaning and innovative one in an industry that typically "copies and pastes" a lot between firms for incremental evolution instead of a revolutionary change. The Dazz leadership team views cloud security remediation as a fundamental problem that needs to be fixed in a revolutionary way! It's a problem that every organization using modern cloud platforms is facing, so the combination of strong vision, leadership team, and technology, plus the ability to help other organizations be more efficient and effective, is why I chose to join as an advisor to Dazz.
Julie: What are some of your strategic initiatives at Ally?
Evan: Ally has been undergoing a few years of continuous, broad scale transformation, which I have been fortunate enough to lead a sizeable portion of within the cyber and technology spaces. We still have multiple large-scale initiatives underway, including an integrated, seamless digital customer experience that unifies all our business lines into a single experience, along with many other major scope areas any cyber program would focus on improving.
Julie: Cloud development has taken off, creating new levels of speed and agility; however, not without a few challenges along the way. What are some of the pain points your team is experiencing in cloud security?
Evan: We have the same challenges as our peers in the industry, and a common example is around ensuring we are holistically reporting on risk to the organization as more elastic architectures based on load triggers are spun up and down in an automated way throughout each day to support the user demand upon our business.
Julie: On a scale of 1-10 with 10 being PAINFUL how would you rate the remediation process overall? Before Dazz, of course!
Julie: That’s painful. What is the underlying issue?
Evan: While we have an uncommonly supportive leadership team within Ally Tech and support from the business leadership to continuously exceed our regulators’ and customers’ expectations, the demand for business growth is exceptional, which leads to exceptional demands on the individuals supporting that explosive business growth. With that in mind, time. Time, and focus from those whose time we need, is the most painful part of it, still.
Julie: How much time does your team typically spend investigating alerts and triaging causes?
Evan: Much more so than we’d like to…
Julie: Sounds like you could benefit from automation and AI to help free up time for your team. What’s your take on the impact these technologies will have on cybersecurity?
Evan: We are at the precipice of a monumental shift in the technology industry — and that includes every other company that thinks they aren’t a Tech company yet —what we are doing today will not be what our next generation will be doing within the engineering and operations roles many of us are in currently. We’ve had automation and AI since the days of text-based scripting within technologies, so the pandemonium the world is going through now is a normal hype cycle. Generative AI is simply the next iteration under the AI umbrella, which is showing to be much broader than the use cases we all have used for years for targeted automation of activities to further scale what we can accomplish each day.
Now that Generative AI can perform more complex logic operations, it is becoming closer to that what we expect from an analyst on weighing numerous inputs and outputs of a scenario and coming up with their hypothesis on why something is happening, and then taking necessary actions as a response.
This is scary to folks, as the thought is: “generative AI is doing what I am doing for my job today!” The existential crisis begins for everyone individually, but what happens when you shift from fishing for your own meal to having someone fish for you, as an example? You get to focus on higher-level projects with more strategic impact, rather than a collection of activities (i.e., time spent gathering food to eat vs the act of eating the food). This turns AI or automation into a solution for us to use - not a boogeyman to be afraid of. We need to have the right mindset (at all levels) about leveraging it within our organizations.
Julie: Let’s talk about Ally as a Dazz customer. Why did your team decide to check out our platform?
Evan: At the time, we were going through multiple mergers and acquisitions, so we had multiple environments within our Cloud Service Providers, and Dazz provided us with the means to have a single piece of tooling for understanding and controlling all those environments better than we would have piecing together the outputs from the cloud native toolsets.
Julie: Are there any learnings you can share from your early implementation?
Evan: As with much of this space, it is important to trust, but verify, the systems of record that you leverage for your cyber and technology operations. As any organization can attest to, accuracy of asset reporting, especially within the CSP space, is not a trivial need to solve for today, as environments are far more dynamic than they previously were when paper-based controls for those legacy environments were designed/built. (i.e., Configuration Management Database (CMDB) is a great idea, but usually never correct, so automation of inputs/output for upstream/downstream processes is vital to solving the problem holistically and permanently.)
Julie: Do you expect Dazz to help improve the relationship between security and dev teams?
Evan: Yes, as it has helped refine the conversation in a few spaces such as application security, vulnerability management, and incident response. The dev teams have more context now on the asks from the security teams, which allows for faster remediation, ultimately improving the security of the organization by reducing risk we were already carrying with us.
Julie: Couldn’t you just use your detection tools to help remediate cloud security issues?
Evan: You CAN use a screwdriver as a hammer. That does not mean that you SHOULD do so, because it will be ineffective, inefficient, and wasteful, just like using the wrong tool for the job would be in any profession.
Julie: What advice would you give other organizations who are struggling with how to reduce MTTR and improve the efficiency of their security teams?
Evan: Prioritize, prioritize, prioritize. How? Automate, automate, automate. And that means starting with your business processes, which leads to defining what the goal of the process’ outcome is, what you are going to do to get there, and how you are going to do those activities. That true process focus is missing in most of the organizations I have consulted at previously or have been employed by too and is fundamentally one of the most important parts to prevent teams and individuals from just spinning in desperation on trying to solve the onslaught of cyber demands.
Cybersecurity is a field of never-ending demand. Burnout, and reduced efficiency from it, comes from fighting ALL battles the same. The wisest generals — and the ones still not on the ground from exhaustion — are the ones that pick their battles while protecting the organization versus taking the “forced march” approach to battlefield management (like we see in the news today by some “leaders” in the world).
Julie: When you aren’t helping keep Ally and its customers safe from the bad guys, what do you enjoy doing?
Evan: I’m naturally an introvert, which means I gain energy by solo efforts and lose it from group efforts. That connection explains a lot of who I am and how I interact with the world as a leader, as I’ve led all types of missions and efforts over the years and can work the room to network like any other, but that isn’t how I truly enjoy my time. What I enjoy doing is tinkering. Tinkering on some electronic thing, some electrical thing, some mechanical thing, some…you get the picture I’m sure… Tinkering is how I learn, how I understand the world around me, and how I enjoy the time I have outside of Ally. If I’m not tinkering, then you’ll find me with either my family or a few very close friends, and we’re likely either relaxing to a movie marathon or outside somewhere enjoying that time together in nature.