Q&A With A CISO: What Keeps Security Leaders Up At Night

Myke Lyons is the CISO of data infrastructure company Cribl.

With more than 20 years of experience in the industry, Lyons has led security strategies and teams at companies including ServiceNow, Snyk and Collibra.

MES Computing spoke with Lyons about cybersecurity professionals’ top priorities, what to expect in the security threat landscape in 2025 and why he believes Cribl is a fit for the midmarket.

What does Cribl do?

Cribl is actually a technology that helps IT and security organizations deal with their logging data, which is a constant, growing quantity of data that has varying levels of value to businesses. And we are the data pipeline for IT and security, so effectively we can help companies deal with their log data. We send it to various locations.

Think like a quarterback throwing multiple passes, something along those lines, and we help them put it into places that are appropriate for the usage, whether it’s observability data or data going into your security information event management system, or what we call SIEM, or it’s going to sort of a cold storage or ... a lower-cost storage for auditing purposes, regulatory purposes or both.

So the solution is specifically for logged data?

It is for log data ... that could be generated by your health-care system or think about an e-commerce system or a banking system—those all generate logs to ensure that they’re behaving properly.

Then Cribl isn’t a cybersecurity company? You’re doing data integration.

That's right, although ... there are some cybersecurity use cases for our systems, we’re very close to a cybersecurity company. Obviously, I’m the CISO here, so I have a pretty strong understanding of that. But I would also say, as a security person, I got my start dealing with logs. You could almost say we are cybersecurity just by proxy.

Is Cribl a fit for midmarket organizations, and if so, can you tell me how some of your midmarket customers are using Cribl?

We have companies that are customers of ours, from small, startup size companies all the way through to the biggest companies in the world.

The use cases are quite similar across all our customers, which obviously [benefits] them because we’re not going to be building bespoke systems for a large company or bespoke systems for a small company. But what they’re tending to do is they’ll take information like ‘Samara is logged on to a system, and then Samara is logged off to a system,’ and they’ll take [that] data and they’ll send it for certain archival purposes. They might keep [that] data if they’re a midmarket bank, for example, a small bank that’s based in New York, that's under the New York Department of Financial Services regulations. They have to keep all those, maybe trade data, or those log on, log off data for seven years.

Now, if you were to put that data in your security system for seven years, it would cost you an arm and a leg, so to speak, right? But if you were able to put it into a cheaper storage location ... think like Amazon S3 or something along those lines, then the cost to you would be significantly reduced, and it would match the value of the data for that duration. Now, that same ‘Samara logged on, Samara logged off’ data could be really important for, say, 90 days in your SIEM, and so you keep the data live in your system for 90 days. So, it allows you to do those things that would be perfect for a midmarket company.

What are some concerns that you feel that CISOs, like you, had to face this past year?

I would say some of the larger challenges we’re dealing with are obviously AI technologies, and that’s on multiple fronts. Some of those technologies are being brought in in a stealth way to a business. And maybe someone who’s in the go-to market side of the house is trying to bring something on because they’re under the gun to meet a quota. In other instances, the company itself is sort of making a decision that we’re going to make a push forward in a new GenAI solution for, I don’t know, enterprise search, or something along those lines.

The other side is that we’re trying to build technologies that might be using and leveraging LLMs to help our customers get better, and then maybe last, but not least, as a security person, I know there’s a lot of value in LLMs and there’s a lot of value in GenAI, and I have to think about how I can use it. And it’s keeping me up at night. What’s the data that’s getting into these things? How can I leverage these things to their fullest extent [while] also at the same time having a better understanding of what risks I’m taking on as I’m moving forward.

One of the problems with giving employees wanton access to these GenAI tools: They don’t flag if you’re inputting some sort of corporate secret or your company’s IP.

Predominantly, they don’t. So, a lot of what we have to do is educate and trust.

Last month was National Cyber Security Awareness Month, and we went and ran a really solid program, the first big program for Cribl to run. We’ve obviously done awareness campaigns, but ... we did a combination of myth busting, if you will. My kids and I have been watching ‘MythBusters,’ so it’s just fascinating. So, we’ve been doing a bit of myth busting.

And what that really means is, think about something that somebody told you, like sharing a power supply for a laptop. ‘Oh, you can’t do that because they’ve invented a chip and they’re going to hack your laptop if you borrow a power supply.’ Now, is that technically possible? Yes, it is technically possible. Is it reasonable for that to be a top-of-mind security concern for one of your end users? I don’t think so, not in most of the industries that we operate in.

The second thing is we have to give our employees some agency around making solid decisions, but they don’t necessarily know what those bad people are thinking about or what they’re trying to do to exploit those users. And so, we have to educate those people. We hired them. They’re smart people, right? That’s why they work for us. So we have to empower them, give them the tools, give them the ways to interact with security people, IT people and other significant folks within the business that might understand risk, also just telling them, you know, ‘Hey, [this] data here that you have, you can use these data with a lot of these LLMs that are out there and you want to test out ChatGPT, perhaps there’s a way to just put in a prompt that doesn’t share our intellectual property, or PII or PHI, or something along those lines.’

[If] you think you need to share [that] data, you need to include the other parts of the business, and we’ll vet those solutions also. It’s on us to show what it is that is available to them when it comes to GenAI. Do we have a contract with OpenAI regarding ChatGPT? Do we have a contract with Microsoft? Do we have a contract with Google for Gemini or Anthropic for Claude?

[We need to] provide ways that a lot of these users can understand and leverage these AI technologies and give them the right path forward.

What do security leaders need to focus on in 2025?

I think a big one is—I use this analogy often when it comes to talking to my team and talking to the executive team here at the company and our board members. The analogy is we have $10 to spend, and that’s what we get. Right? Sure, there’s emergency funding and things like that, but our general security budget, we’ll just say, is $10 and we have to spend that $10 in the best way to reduce the amount of risk that our business is exposed to. And how does that happen? Well, you’re going to run a prioritization exercise, in which there are a lot of really solid programs out there, like Crown Jewels Analysis, CJA. You run a crown jewels analysis: What are the most important things in your business? ... And this is a good exercise to go through, and then you’ll apply those funds to protecting each one of those various crown jewels, if you will, and spend them in that way.

Now, what are we going to protect them from? I hate to say it, but the deepfake stuff that I kind of thought was a little bit overblown, we’re definitely seeing deepfakes in the wild. Are they perfect? Not by a long shot, but are they coming? Yes. ... and so we have to heavily rely on our user population to identify these things, not click or react to things that are out of the blue.

[Ransomware] I think in the midmarket, it’s still a large challenge. I do think that there’s some pretty good technologies out there that can help mitigate some of the threat, but unfortunately, yes, there’s a lot of legacy systems that are a little bit resistant to patching, to say it nicely, right, that are still going to be vulnerable to ransomware. So the defense in depth, zero trust, being able to isolate those systems and apply the best security controls that you have, that’s going to be the way forward. I think the risk is generally coming down, but it will still be prevalent in 2025.
