Welcome to Speed Data: Quick Conversations With Cybersecurity Leaders. Like speed dating, our goal is to capture the hearts of CISOs with intriguing, unique insight in a rapid format for security professionals pressed for time.
Jonathan Rau, VP and Distinguished Engineer at Query, has made a name for himself online by sharing thought-provoking posts and never being predictable. In this episode of Speed Data, the AWS Community Builder shares his advice for navigating data in the cloud versus on-prem and explains what most organizations get wrong about cloud security.
The path to security PM
Former board advisor, CISO, and four-year Army veteran Jonathan Rau could have gone the way of Jesse James.
“I could probably be a good bank robber,” the Query VP and Distinguished Engineer quipped. His time spent working in radio telecommunications and the bomb squad for the U.S. Army honed leadership skills that — fortunately — Jonathan used for benevolent purposes. “I did a little bit of intel work, and when I got out, I was like, ‘What do I do now?’”
After leaving the military, Jonathan began working as a security project manager for Nationwide. His inquisitive nature more than made up for his inexperience as a PM.
I didn't know much about security other than tiny concepts, but I would always ask, ‘Why are we doing this?’
Jonathan Rau, Query VP and Distinguished Engineer
Jonathan quickly worked his way up through the ranks. “I just picked it up as I went, and then eventually ended up at AWS,” he said.
A new way of identifying misconfigurations
Jonathan’s time at Amazon Web Services helped him author Electric Eye, a multi-cloud, multi-SaaS Python CLI tool that continuously monitors AWS services for misconfigurations that may be degrading the CIA triad.
Electric Eye has grown a lot since I first wrote it at AWS.
Jonathan Rau, Query VP and Distinguished Engineer
“Not only does it support AWS, but it also now has Oracle Cloud and Google Cloud,” Jonathan said.
“It also supports ServiceNow and Salesforce, with a couple of different integrated reporting tools, such as an integration into the Amazon Data Lake. I'm working on a PR for Azure, which is slowly draining the life out of me,” he laughed.
The creation of SecDataOps
Jonathan is known as a jokester to his 8,000-plus social media followers. It’s no surprise, then, that the LinkedIn “Top Cybersecurity Voice” coined a well-known term by “trash-talking online,” he said.
“‘SecDataOps’ I meant as a joke, poking fun at ‘DevSecOps,’” Jonathan said. “I think DevSecOps was a great aspiration to try to reach, to bring developers closer to the fold of security. But while there are success stories, there are a lot more failures.”
Jonathan said, “‘Why mess with the developers when we could make security people into data people?’ And that’s how it turned out.”
“And at a high level, it's about security teams using data to achieve security outcomes and taking ownership of the data,” he said.
Gen AI pros and cons
And speaking of data ownership, Jonathan explained why orgs must also own the accuracy of their data, particularly content produced by generative AI.
“Large language models, if we're looking at it from a natural language processing perspective, are really good at taking big data analytics out of the hands of the end analyst, and it's good to help people author threat models at some perspective,” he said. “But the risk is there for businesses.”
“Google's using Reddit as their training data and so now if you're looking up a medical question, it might tell you to go smoke seven cigarettes and do a backflip off a bridge instead of talk to your doctor, right?,” he said, referencing Reddit’s instigative reputation.
However, Jonathan said there are many pros gen AI offers as well.
If I'm in a SIEM tool, the second I get more than 100 or even 50 results from a specific query, my eyes glaze over.
Jonathan Rau, Query VP and Distinguished Engineer
Multiply that by tens of thousands, and finding context in the results becomes impossible.
“Most of the mainstream gen AI models — GPT-4 and GPT-4o, the new Mistral ones, the Anthropics like the Cloud 3 Sonnet and Haiku — those are great at gaining context and digging through that stuff.”
Ultimately, Jonathan said, it’s still too early in the technology's development to label it as “good” or “bad.”
“There's a lot that we still don't know about AI, and there's a lot more that we're going to continue to learn,” Jonathan said.
The refreshing thing is that as an industry, a lot of people are taking it seriously, or at least trying to educate themselves about it.
Jonathan Rau, Query VP and Distinguished Engineer
Harnessing gen AI for good
Generative AI has changed the game in many ways for productivity and creativity, but also for risk. With gen AI, attackers are faster, stealthier, and can more easily find what they want — your sensitive data.
Varonis’ Athena AI spans the entire Data Security Platform and redefines how security teams protect data — from visibility to action.
Curious to learn how Athena can transform users of all skill levels into formidable defenders? Check out our free Data Risk Assessment to learn exactly where you have security gaps and data exposures, or reach out to request a demo.
What should I do now?
Below are three ways you can continue your journey to reduce data risk at your company:
Schedule a demo with us to see Varonis in action. We'll personalize the session to your org's data security needs and answer any questions.
See a sample of our Data Risk Assessment and learn the risks that could be lingering in your environment. Varonis' DRA is completely free and offers a clear path to automated remediation.
Follow us on LinkedIn, YouTube, and X (Twitter) for bite-sized insights on all things data security, including DSPM, threat detection, AI security, and more.