Mark Lambert: Hi! And welcome to Let's Talk ASPM. My name is Mark Lambert, chief product officer here at ArmorCode, and I'm joined by my good friend Karthik Swarnam. How are we doing, Karthik?
Karthik Swarnam: Doing fantastic, Mark, and glad to be here with you.
Mark Lambert: Yes, yes, we're getting into a nice rhythm with these. And you know, the thing that I really appreciate, Karthik, when we talk, is you bring this perspective from really
Mark Lambert: outside of the vendor community. You know, you're our chief security and trust officer here at ArmorCode, but your background, you know, at AT&T, at Kroger, you know, you really have that perspective, understanding what is in the mind of the CISO, and, you know, what security organizations need. So
Mark Lambert: what I'd like to do today is actually talk about, you know, obviously, ASPM, that's what we talk about, right? But what is it that security teams are looking to achieve with ASPM? And how? What should they look for from an ASPM platform? And, you know, the nexus for this, or the genesis for this, is the ASPM Buyer's Guide that we've just released. Check out the show notes, everyone; it'll actually be in there, and you'll be able to click and download that. So let's start with the first question that comes, perfect, you know, when you look at an ASPM, I know you were looking before you joined us. You know, what problems were you looking to try and solve? What was driving the need for an ASPM in your world?
Karthik Swarnam: Fantastic, Mark. My first and foremost job and my responsibility at ArmorCode is to protect and secure ArmorCode as a company, as a platform, right? Everything else is secondary. We're a security company, and we are a security company that is managed securely, right? When you put those two things together, it is a powerful statement. How do you go about doing it? We are, you know, any company today is a digital company, software company. A lot of applications run their businesses, right? For us, even, we're a security company that runs our business through software, right? So in order for us to be able to run a secure business, we need to have secure posture management capabilities, right? And talking about ASPM, ASPM being, I would probably say, a collectively exhaustive capability that brings in all sorts of security posture management, right? Henceforth, you know, ASPM is very vital for us to be able to not only, you know, understand our security posture statement, but it also helps us say, hey, where do we need to focus? What are our priorities? You know, what am I gonna do tomorrow to ensure my security is preserved, and I'm enabling the business while I'm preserving the level of security, right? That is why ASPM is critical for us at ArmorCode, and for that matter, I would say, for any company that has got a software digital footprint, you know. Yeah.
Mark Lambert: Yeah. And, you know, I think, to overuse the adage, every company is a software company now, right? I mean, your Kroger, in your prior life, is like the software right there, obviously, in all of the cash registers. But then you've got the mobile app, you've got the website, you've got data you're having to manage, and to be able to get, like, a comprehensive posture requires a complete ecosystem.
Mark Lambert: So, you know, let's see this in two angles: yourself as a CISO, what you look for in a company or an ASPM solution and a provider. But then also your team, what did they look for? What did they need to help them kind of, like, really define and understand the security posture? And take it whichever way you want to go, from your side first or your team's side.
Karthik Swarnam: Yeah, yeah, I mean, I'll start from my side to start with, right? As a leadership position, as any of you in your leadership roles, right, you need to be able to think about whether you have the right solution, right? Whether your solution is able to handle your entire ecosystem. I know that you referred to the word ecosystem, right? I may have hundreds of, you know, applications and systems. I may have to be able to map it back to a collectively
Karthik Swarnam: common set of business capabilities. I may have 5 scanners. I may have 4 code repositories and code review tools, right? So first and foremost, I would say, who's gonna give you a collectively exhaustive level of capability, meaning ingesting, you know, all your source tools, right? You don't wanna have one or 2 or 3 alone, right? Then what are you gonna do with the gap, right? So that's not good. So I think one is to be able to say, who's gonna
Karthik Swarnam: be able to give you an entire escape coverage? That's number one I look for. Number 2, you know what? Let's not. ASPM is relatively a new capability in the security domain. It's not as old as a firewall would be, but that said, I look for companies that are, you know, not only trailblazers, but also have established capability. Have you been in the business for 3 to 5 years or 2 to 3 years, right? So have you established,
Karthik Swarnam: you know, your product and capability in the marketplace that has taken in input from being in that real life? So how much of your real-life implementations, right? And also, all of these tools are very dependent on data and experience, right? So if you have volume of data that you're trying to ingest, right, not only from my own company, but many different sources, it gives you that breadth of experience so that your product can be better. So these are all, like, high-level traits that I look for in an ASPM type solution. Going back to my team per se, they need to execute this day in and day out, right? They're gonna look at it to say, well, how effective and efficient are the capabilities, or how much automation can I drive? How much of robust run books that I can help drive towards that, right? And how much of that independent layer that kind of brings it into it? Not only can I bring all of this stuff, but I can dedupe and correlate it, and not just seeing by words, but also how effectively can you do it, right? So my team looks at it saying, hey, can I do my job, you know, better, faster, cheaper, right? Meaning quicker, right? So those are some of the pieces that my team looks for, right? So I look for maturity of the capability and what powers your platform, and providing that kind of, you know, breadth of capabilities, while my team looks at saying, you know, how robust are the capabilities, how much automated capabilities can I drive, and how it's gonna help me do stuff that I can do better, faster, right? So hope that helps answer the question, Mark.
Mark Lambert: Yeah, it did. And I think you touched on a couple of key points, right? It's like, you're looking for a company that's been delivering, and a company that is also still agile, right? And I think that's always the challenge in the market. I mean, it's one of the reasons I joined ArmorCode. The way that the team delivers is just phenomenal, and the traction that we've had over the last 2 and a half years that I've been here, and over the last 4 years since we were incepted, has been phenomenal. I mean, the Gartner Peer Review insights you can kind of see as a newly established company, and focusing solely, to your point earlier, is like we're focused solely on the governance layer, the orchestration layer. The piece is independent of the scanners, and the reason being is that that world is very diverse. You're going to want to be able to change those scanners, as you know.
Karthik Swarnam: Correct.
Mark Lambert: You've also got a very, you know, I think you should say, like, hey, 4 scanners on the code base, 5 scanners on the infrastructure and cloud. It's like you're already there at a dozen. You know, what happens when some of those change? You need to be able to make sure that you've got an ecosystem that can manage that.
Karthik Swarnam: Right. Absolutely. You know, it needs to be modular, right? I need to be able to switch pieces in and out, depending upon the relevance, right? Because you can expect your product, your vendor space to be constantly, you know, waiting, which most of the companies do. But if they don't, you need to control your destiny, and for you to be able to control your destiny, you need to be able to abstract those layers. And if you abstract those layers, you can control those pieces, you know, in a better orchestrated manner.
Mark Lambert: Yeah. And I think another thing that you talked about was actually the volume of data, knowing kind of like how robust the platform is, you know, how much is being validated. And the thing about the volume that I also think about is, obviously, as you and I talked about on previous podcasts and offline, how we can start leveraging AI more and more to innovate further and streamline the processes. And you know, when I think about where the data is, there's, you know, deep pockets of data in individual tools for sure, right? But as we start looking at not just the volume, but the variety.
Karthik Swarnam: You know.
Mark Lambert: Build on the validation of that across the, you know, within the case of ArmorCode, you know, we have over 1,500 security professionals supporting over 75,000. And that's right. And that's a lot of validation, a lot of process, and a way where we can really kind of, like, then start taking not just to, hey, how do I get my current security debt under control? How do I drive that down? But how do I future-proof myself? And how do I expand further from that?
Karthik Swarnam: Absolutely. I mean, I think, Mark, your team and the product team at ArmorCode does a fantastic job, right? Because I've seen it firsthand. The way I look at it is, it's a delicate balance between not having enough data versus having a lot of data. Not having enough data, you don't have a lot of intelligence to go off of, right? We have too much data, you don't want to get flooded with that information, and how are you going to find the needle in the haystack, right? So what I've seen firsthand is, we have enough volume of data, and you have intellectual property on top of it, AI-based, you know, correlation and such and such, which then actually makes a lot more meaningful prioritization and decisioning using this volume of data. So you're basically using this to your benefit and your advantage rather than a handicap, right? So I think, having that volume, you know, a lot of companies, if you don't have enough data, what are you going off of, right? No experience is not a great thing. You have too much data, and you're not able to, you're assuming in noise. That's also not a good thing, right? But if you can put these together and apply these capabilities in the optimum level, using AI-powered correlation that you talk about, which actually makes it much more powerful for us to be able to have a capability in the ASPM space that is much more meaningful, much more targeted, which can give me precise, actionable capability.
Mark Lambert: So when we just take a little bit of a step back, and it's like when you talk to, you know, providers, and you're looking at, you know, just looking at the technology. I didn't. The point I take away from what you said earlier is, like, a lot of that, you'll be focusing on the team. The team over there to validate it does what it says on the outside of the can, right? Am I able to achieve the calls that I need to achieve? You're doing more of an evaluation of the company, the strategy, that traction has so far. Kind of like, focus comes in, because, you know, there are a lot of, you know, vendors in the space that have multiple fingers in multiple pies. You know, obviously, in the ASPM space, there's organizations like ArmorCode where we're not a scanner. Your pure play ASPM. And there are organizations which are kind of like AST tools, you know, leverage doing tools, guys, and then having a layer of an ASPM on top of that. There's even vulnerability management workflow tools also doing that, becoming more.
Karthik Swarnam: Sure.
Mark Lambert: Management space. Kind of like, how do you view, kind of like, focus?
Mark Lambert: And how does that play into a decision as you're building us, you know, in essence, a practice at your organization?
Karthik Swarnam: Yeah, yeah. So the lines start to blur, right? Every company, every product organization wants to stretch themselves into other areas where there is probability and more light at the end of the tunnel type of an approach, right? But when I look at it, I look at: are you a specialized capability? If you're a purpose-built capability, and if that's one thing that you do, you would do a good job in that one thing that you're doing, right? That's, you know, first and foremost, right? Not, you know, all for everybody, right? So you are focused and you're purpose-built for a purpose. That's very important, right? The second thing I look at is also the maturity of the leadership in the organization, right? You know, who's driving the vision? Are we getting where we need to get there? Not solving yesterday's problem. That kind of comes in in terms of the people aspect of it, right? And then any product, any company has to see through it, right? It is a people, process, technology situation, right? If you've got to give me a great cool technology, that's fantastic. You have good people, that's awesome. Have you thought about my process? How is this going to come and live in my environment, in my household, in my estate? Correct? So if you have thought about the processes, if you have thought about the run books, if you thought about all of that stuff, that's the third component. The fourth component to think of is a sense of community being built. I know you talked about, you know, over 1,500 practices, because it's a community sport. So everybody's gonna contribute, right? If you build a run book, if you put a playbook, if I've done it, solved it this way, right, type stuff. So a company and a product that kind of embraces that level of communityship can go a long ways, right?
So these are some of the traits that I would probably look for, and I ask my team to look for them in addition to the technical aspect of it, right? So we can take it from, you know, having the community, having that purpose-built aspect of it, thinking through everything from A to Z, people to process, and the technology being in the middle, are all essential attributes that you should look for in an ASPM solution.
Mark Lambert: Great. Well, thank you. And I was just checking the timer. Can you believe we've been yacking for more than 10 minutes? So, you know, I thank you very much. I think, you know, for those that have been tuning in, as I said at the beginning, check out the link below. We'll have a link to the ASPM Buyer's Guide. We'll also add a link to the Gartner Peer Review insights for ArmorCode there, so you can kind of check out some of that. Karthik, as always, thank you for your time, and I really appreciate it. Safe travels. And look forward to seeing you on the next podcast.
Karthik Swarnam: Thank you, Mark. Thank you for having me on the show. Take care.