Alter Everything

[00:00:00] Megan: Hi, everyone. We recently launched a short engagement feedback survey for the alter everything podcast. Click the link in the episode description wherever you're listening to let us know what you think and help us improve our show. Welcome to alter everything a podcast about data science and analytics culture.

I'm Megan dibble. And today I'm talking with Lucas Moody Chief Information Security Officer at Alteryx and Casey Essary, the Deputy Chief Information Security Officer at Bill. com. We chat about why information security is important today, how Alteryx can underlie a security organization in powerful ways, and how Bill.

com is using Alteryx for their security needs and more. Let's get started.

Hi, Casey. Hi, Lucas. Thanks so much for joining me today on the podcast. I'd love if you could give a little introduction to yourself. for our listeners and we'll start with Casey. Hello there. 

[00:00:58] Casey: Thanks for having me. Casey Essary. I'm the deputy CISO at Bill. Been here for about a year and a half. Lucas? 

[00:01:06] Lucas: Yeah.

Thanks, Megan. Uh, Lucas Moody. I'm the CISO here at Alteryx. I've been, been here at Alteryx for about two years, but, uh, I've been in the security space for a couple of centuries now from the time before it was even a real thing. But yeah, thrilled to be here and thrilled to, to have a chance to chat with Casey around security in general and security with Alteryx as an underlayment.

So yeah, I look forward to the conversation. 

[00:01:31] Megan: Yeah, me too. I'm looking forward to learning from both of you, excited to talk to some experts on this. So let's just start off with why is information security important and relevant in business today in your opinion? 

[00:01:44] Lucas: I mean, information security has been relevant in business for a long time.

The reason I think it's getting a little more time and attention today is because companies are now faced with existential threat. That stems from security related things, whether it's a breach, a theft of customer or employee information, whether it's around the protection of intellectual property or the rules and regulations on what companies are being held accountable to.

There's a lot that can impact the actual health of a company that's security related. So it's, I think it's top of mind for executives today, security organizations are getting a little bit more in the way of. Attention from executives to ensure that companies stay safe. So it's gotten crazier and I anticipate that in the coming years, things will get even more wild as it relates to cyber and it's related areas of discipline.

[00:02:38] Casey: I will second all of that. I feel like security is literally everywhere now. When I first started in security, it was like, okay, what do you do? What, what is that? But now it doesn't just affect the products that we're putting out to market. It affects our own internal employees from an organization or enterprise level.

It literally affects everyone now. And it's at the forefront. It's in the, it's in the phone in our hands. It's everywhere. And it's almost impossible to avoid now. And so what we do is important, I think, from the top down and businesses being able to react to that and pay attention to that and be proactive with that is, I think it gives them an edge, to be honest.

[00:03:13] Lucas: Yeah, and Casey, I've got to react to what you said there. This isn't for necessarily the community listeners, but it's for security folks out there the world over. What we do is not reviewing of the phishing emails that you've got in your Gmail. That is something that we can do, but it's not our core job.

So, so please stop forwarding your phishing emails. We've seen them all. 

[00:03:37] Casey: Yes, I agree. 

[00:03:38] Megan: Inundated with phishing emails, part of the job description. That's super funny. I love that though. I mean, information security is everywhere and shifting into Alteryx adoption. Why do you both think security is important when it comes to our customers adopting all tricks?

[00:03:58] Lucas: Yeah, I'll start and then Casey, whatever color you want to add. But I mean, as we talked about with your last question, security is just important all in. For any enterprise doing business in the digital world, I don't think anybody can escape having to do their due diligence around security. So everybody that's adopting Alteryx is in the digital space, doing enterprise related things with data.

And so it matters to them as well. I engage with customers all the time that are either existing customers of Alteryx or considering adoption of Alteryx and anybody like myself, that's on the buy side, if I'm buying technology or my company's buying technology, I'm scrutinizing them to make sure that, Hey, they're doing the right thing is securing their product or securing their customers and securing their own enterprise.

And then furthermore, and the reason we're here and chatting with Casey, I love what Casey and the Bill team are doing with Alteryx. I've said for a long time that Alteryx, uh, can do a lot for security organizations, but it's not known as a security tool, which is why I'm excited to have this dialogue, because I actually think Alteryx can underlie A security organization in powerful ways.

We do that internally here, but we're also first customer. And so having a company like bill come to the table and talk about this, I think is, is super exciting and is a path that other companies can take to really beef up their own security organizations. 

[00:05:20] Casey: Yeah, the things I'll add there security, any security team doesn't matter how big or small can process a massive amount of data on a daily basis.

I always surprise people with literally the terabytes of data that can come through a security organization in on a daily basis that you have to process. And so I think there's endless opportunity for a product like Alteryx to help us do our jobs better, whether that's prioritizing threats that we're seeing, whether it's watching trends.

Helping prioritize where we need to spend our resources. And those resources are both dollar based, but also people and time based because we talk about scalability all the time in security, we can't just add people to make things easier. There's no endless funds there. And so being able to optimize how a company is spending those valuable resources in prioritizing a project or a new feature or function that we want to add for security, or whether it's.

Truly protecting that product from new threats that are hitting. I think a product like Alteryx gives us the ability to look at that data in an unbiased way. We get out of our kind of security gut a little bit and we get to actual data that can help us make those objective based decisions and then help communicate those back to the business.

We were talking about this earlier. Security in business is important. And I think that those pieces of data that we can understand, not only about the security data that we're seeing, but about the product itself can help educate the other parts of the business as well. 

[00:06:42] Lucas: And Casey, what I love about that is a lot of what you're saying is what we actually hear from other verticals.

And I know Bill or at Bill security is first customer as it relates to the adoption of Alteryx. But when we talk to I. T. organizations or when we talk to finance teams or accounting teams. Or HR teams for that matter that have adopted product. We hear a lot of the same things We need to get to the root of the data We need the data to help us make a decision and we need the data to do that quickly Uh, and it's cool to hear that you're having that same experience as it relates to you know, security related decisioning Or getting to a security related outcome.

I love it. And it makes me excited to hear that. That's the experience that you're having as well. 

[00:07:22] Casey: Yeah. I'll talk a little bit about how we started with Alteryx first in our security department and it spread. We implemented it. We shared some information with our IT team, which we sit very closely with from a department perspective.

And before I knew it, I was getting slacks and pings from those individuals saying, Hey, I want to know, I want to know more about how you implemented this. I want to know more about our licensing because I want, I'm interested and I want to try this for some challenges that we're seeing. We've got a lot of manual processes that have to pull data from multiple places.

And I said, Hey, go connect with this person. They'll show you everything you need to know. And before I knew it, he had implemented it, shown that information to the finance department and now the finance department is actually utilizing Alteryx in some of their own financial data. So even though we're security first, it has very quickly spread to those other business areas and they're already showing.

Hours of savings a week on data that was either being manually pulled from multiple systems or analysis that had to be done and now it's being done in minutes. So kudos to the product. 

[00:08:19] Megan: Yeah, that's really awesome to hear. We talk about a lot of different use cases on our podcast and like when you drill down into them, a lot of times.

They're all data problems. It can look a lot different depending on the field you're in, but I love hearing about some people at an organization getting their hands on all tricks. And then it just spreads like wildfire because people can unlock so many data problems across the org. So it's like super exciting place to be for sure.

[00:08:44] Lucas: And one of the things that makes it even more exciting for me, Casey, sharing some of these stories around how this can also be a force multiplier for your security teams. 

[00:08:54] Casey: Absolutely. 

[00:08:55] Megan: A while back, Lucas, you mentioned like when you're reviewing software to implement that you're you look for them doing the right things when it comes to security.

So I would love to hear from both of you about what you keep in mind when you're prioritizing security functions and features and how you choose. 

[00:09:16] Lucas: Yeah, it's a good question and it's a broad one. We're plugged into pretty much all the technology that we adopt. And the reason we are is to, to ensure that we're making good decisions to look at how these technologies are deployed.

The way that they use data, where that data goes, how they transmit data, who are they sharing this data with, what underlying principles have they put in place to ensure that their platforms are safe and that their enterprise is safe, right? Because if we're doing business with the company and we're leveraging their tech, I mean, they are fundamentally an extension of us and we feel the same way on the flip side.

So when a customer comes in. To adopt Alteryx, we see ourselves as an extension of their ecosystem, which is why we take security so seriously here at Alteryx.

[00:10:03] Casey: I agree. And I think at the forefront of my mind, when me or my team has been pulled into, hey, we want to use this thing or product. One of the first questions I ask is what data are we sharing with that service or product?

How long are they going to have our data? Who has access to our data? What are they going to do with it? Does it have a lifetime? Does that data have a life to it? Meaning, are they going to be able to purge that data or delete that data upon request? Are they going to be able to do what we ask? Because the answers you might get up front, you want to make sure that those answers stay true through the relationship that you might have with this service or this vendor.

So it almost always starts with data for me once I understand what type of data is it confidential? Is it PII? What data are we sharing with that vendor that will guide most of the other questions that that we need answered? And what kind of security? What kind of architecture? Where is it going to live?

Is it going to live in the cloud? Is it going to live on a server in our own environment that they have access to? The data always is the first question that, that I ask because it will drive the importance of all the other questions that come after it. So I couldn't agree more there. 

[00:11:03] Megan: That's great. Yeah.

It sounds like the flow of data and the storage of data are really important. Are there any principles you keep in mind when it comes to the flow and storage of data or tips and tricks for making things more secure? 

[00:11:18] Lucas: Yeah, I don't know that there's tips or tricks outside of direct and early engagement security teams.

We've got experts in a number of different verticals. We've got folks that are like internal hackers. We've got folks that are aligned around, uh, rules and regulations and compliance related spaces. We've got folks that are involved in risk management. We've got folks that are involved in detection and containment and monitoring and ensuring that transactionally that we're staying safe.

And so all of those teams plug in to offer their discipline to help ensure that when we make an incremental decision, whether it's. Buying a product or engaging with a new partner that we do so with eyes wide open, that we understand what the risks are and that we mitigate those risks to get it to an acceptable.

Level of noise and and then we move forward to push the business incrementally forward. So yeah, I would say more principally make sure that security teams are engaged. It's more important now than it has ever been and it's going to be more important tomorrow than it is today. 

[00:12:16] Casey: Yeah, certainly engage security early and often.

I know that sometimes we can be viewed as a roadblock to some of those decisions, but the earlier we can be plugged in and actually, in my opinion, goes more seamless, even if you're talking with a vendor or service provider, you get those questions out of the way early, you write those in the contractor, you write those into whatever, thinking about it from the flip side, if I'm the customer, the more transparent you can make the data about your product or the health of that product as it sits in your organization and can make that available, whether that's to provide to your security team or to provide to your third party assessment team, Like I said, this is an ongoing relationship that has to be monitored over time.

So you can show that as a product, who has access to that system, both internally to your system, but also from your vendor's perspective. Unfortunately, third party risk is, it's a big risk in our environment and, and so I think the more transparent you can be as a product in showing that health over time, the more seamless and more likely that your product is going to be used in that way over time.

[00:13:13] Lucas: And Casey, I don't know where you're hearing that security can ever be a roadblock. 

[00:13:18] Casey: We try to squash that rumor. 

[00:13:20] Megan: Probably the same people that send you guys the phishing emails. Awesome. Well, then I would love to hear a little bit more from you, Casey, about bill. com's journey with Alteryx, how you guys have implemented Alteryx for your security needs.

[00:13:38] Casey: Yeah, we went into conversations with Alteryx with I'll say two different use cases in mind. One was around identity and access management and the other was around application security. We settled on identity and access management. We needed more information. Actually, if we needed, I'll call it the denominator.

We needed more hard data around identity and access management to figure out where we should actually focus from a risk perspective. We'd had a lot of conversations on privileged accounts. We felt like we needed more hands on data. We also were doing already some things in that space that were requiring a lot of manual data gathering day over day.

We were spending roughly 30 to 40 minutes a day during the height of a project trying to analyze data and kind of figure out what we were going to work on that day. And so we focused there and within a matter of literally a week, we had the product up and running on a couple of users machines. They were able to turn what we were doing already manually into an automated process and that 30 to 40 minute a day process turned into minutes, if not seconds, and that data was readily available to anyone that needed to pull it.

It took literally the drop of a file pulling of information. And now we had a whole team of people who had access to that data. Anytime they needed it to be able to make decisions whether we're going to prioritize their day. And so that was our first initial use case was just making that process so much easier.

It freed up IT's hands in that manual process and it gave us that ability to prioritize. But from there, of course, that door opened into all the other things that we were doing. We used that as our proof of concept. And as soon as we saw what it did there, we knew we had more to uncover in IAM. I'll say our objectives for the year have actually fundamentally changed as it, as it relates to the data we've seen from Alteryx.

We went into the year thinking we were going to prioritize a few things, like I said, related to IAM. We've changed the order of those things based on the data and what it showed us around how many people had access to certain things, what we considered a privileged account versus now what we consider a privileged account and how we prioritize certain applications and the tiering of those applications and the data that they have.

How we're going to prioritize handing out role based access or even birthright access, the review and entitlement of access. So we've learned a lot from, from the data that we've seen and it's caused us to go back and actually reassess what order in which we thought we were going to do things to try to kill out some risk.

And then of course, from there, like I said, IT heard about this and they started doing their own implementations. And we are going to actually circle back to the application security story as well, because Anybody who has to deal with application security knows that data can come from a lot of different products.

You've got source code analysis, you've got all of these different products that kind of are niche products in those areas, but how to draw that data together. And we've already worked with Alteryx to kind of see their proof of concept there. And so that's going to be our next focus is what we can do there to help our engineers, help our partner teams with their prioritization, not just security's prioritization, but their prioritization of how they need to fix certain risks.

So. It's, it's already been a great early journey and it's already helping us prioritize the next roadmap that we're looking at. It's really cool. 

[00:16:42] Lucas: Yeah. And Megan, if I may, there's a million things I love about that, Casey. Uh, one, it really enables organizations and teams to be very self sufficient with data.

Two, if there's anybody in, in the security team here at Alteryx that hasn't implemented some of the things that Casey's talking about yet, you better get to work cause, uh, I'm going to start the comparing parent thing here, but no, joking aside, I look forward to where you guys take things next. 

[00:17:07] Casey: Yeah, I think it's endless.

I mean. Yes, we started in identity and access management, but I will tell you that even some of the information that we were able to glean from that has fed to alerts we've written for the SOC and it's spread to other ways. We have an operations meeting every week where we talk about trends and things that we're seeing and Alteryx has come up in those conversations because again, some of this data is being pulled manually and some of those other teams as well.

And they're like, wait a minute, we can do this faster. We can do this in a more automated way. And it can actually lead to hard and fast alerts that the SOC is writing based on changes in people's access and whether that should create an alert for the SOC or any number of other things that we see. So we started out with this one intent of getting more information on where we should focus, but it's actually created all of these other kind of ancillary benefits to getting that data on our hands.

[00:17:55] Megan: That's really great. I thought it was really interesting how. You talked about your team's objectives even changing as you got more information, the fact that not only were you able to automate processes, save time, but actually change your strategy, be more strategic, understand risk in different ways. I think that's Really huge.

And I don't hear about that all the time. 

[00:18:18] Casey: In security, we're like anywhere else. We have a finite set of resources, whether it's money or people or whatever. And we can always make our case from a risk based perspective, but we want to do that with data. We don't want to, we don't want to do that based on a gut feeling or a trend that's happening in the market that we want to pile onto or a buzzword.

We want to do that data and risk based approach. And I think that to the point we're talking about earlier about changing objectives, you go into it with an assumption. You directionally think that you're making the right choices, but once you have that data in your hands, you go, well, I don't think the directionally it was wrong.

I think maybe it just helped me prioritize or draw risk down faster by realizing that the data was pointing me in a slightly different direction. And when you have to prioritize, when you have to be strategic, not only for the next quarter, but for the next year and how much money you're going to spend in a certain place.

having that data at your fingertips makes me feel like I can be more strategic, not just with our resources, but with my team's time and where they can best help the organization. 

[00:19:14] Megan: That's great. Thanks so much for sharing about your team's journey and excited to see what continues to come out of that. I did want to just give a shout out to some resources that listeners can access.

If they want to learn more, we'll be including a white paper and security blueprint in our episode show notes. As well as they have the opportunity if they're Alteryx customers to talk to their account team. To learn more about some of these security use cases, and of course, they want to share about their own security use case or ask questions to you all, listeners are welcome to comment on this episode on the community and just keep the conversation going.

[00:19:55] Lucas: Thank you for saying that, Megan. One, I'd love for folks to look at the security blueprints that we have just to get a sense for some of the things that we've done internally. But I'd also love to hear from folks that have some ideas on how better to leverage Alteryx for security related things where Alteryx can actually be a force multiplier.

For security teams. So definitely look forward to some engagement on the topic. 

[00:20:17] Megan: Well, thank you both so much for joining me today. It's been a really fun conversation and thanks for your time. 

[00:20:23] Lucas: Thank you both for having me. Thank you. And thank you, Casey. Bill is an important customer of ours. So thanks for spending the time with us today.

[00:20:31] Casey: Thank you. And we'd love to plug into the community as well and hear what others are doing with it. Great. See you next time. Thanks, Megan. 

[00:20:39] Megan: Thanks for listening. Check out topics mentioned in this episode, including a white paper on security at Alteryx. Head over to our show notes on community. altryx. com slash podcast.

See you next time.