Fastly’s Andrew Santell on going from the Navy to Netflix and breaking free of bad processes

To kick off season 5 of the Future of Security Operations podcast, Thomas is joined by Mandy Andress. Mandy is the Chief Information Security Officer at Elastic, a leading platform for search-powered solutions, and has more than 25 years of experience in information risk management and security. Before Elastic, Mandy led the information security function at MassMutual and established and built information security programs at TiVo, Evant, and Privada. She also founded an information security consulting company with clients ranging from startups to Fortune 100 companies.

In this episode, Mandy and Thomas discuss:

Her move from accounting to security

Why she was drawn to Elastic's employee-centric culture

How her role at TiVo in the early '00s shaped her view of privacy

Switching from a technology-first to people-first approach to security

Recognizing the human factor in incident response

Embracing asynchronous operations on dispersed teams

The importance of bringing your authentic self to work

Staying technical as you move into leadership

How she puts her law degree to use as a CISO

Balancing compliance and overall security posture

Collaboration and knowledge sharing within the CISO community

Elastic's approach of knowledge sharing by default

How prioritizing analyst time will be critical in the future of SecOps

Adopting an infrastructure-as-code approach

Balancing between proactive security measures and reactive responses

Building a culture of security across the organization

Tips for surviving in security operations in tech

The Future of Security Operations is brought to you by Tines, the platform that powers some of the world’s most important security workflows. https://www.tines.com/solutions/security

Where to find Mandy Andress:

LinkedIn: https://www.linkedin.com/in/mandyandress/

Elastic: https://www.elastic.co/

Where to find Thomas Kinsella:

LinkedIn: https://twitter.com/thomasksec

Twitter/X: https://www.linkedin.com/in/thomas-kinsella/

Resources mentioned:

Surviving Security: How to Integrate People, Process & Technology by Mandy Andress: https://www.amazon.co.uk/Surviving-Security-Integrate-Process-Technology/dp/0672321297

Mandy’s 2001 BlackHat talk on wireless LAN security: https://www.youtube.com/watch?v=XtT2Ta87uow

Elastic’s blog: https://www.elastic.co/blog

In this episode:

[01:57] Moving from accounting to security

[02:43] Finding a company with strong vision, culture and business foundations

[05:26] Working in network security in the early days of TiVo

[07:05] What’s changed in security since 2001?

[09:20] A career-long fascination with the human factor in incident response

[10:30] Embracing empathy in her leadership style

[12:25] Finding a workplace where you can be your authentic self

[16:10] Exercising her technical muscles

[17:45] The decision to study law

[21:18] Balancing compliance and overall security posture

[23:35] Knowledge sharing in the CISO community

[24:22] Elastic's policy of being "radically transparent"

[29:20] The future of security operations

[31:29] How her security team works with product engineering

[34:03] Adopting an infrastructure-as-code approach

[35:01] Building a culture of security across the organization

[38:09] Her advice for others working in security in a high-growth organization

[41:50] Baking off security products in her home lab

[44:37] Connect with Mandy