PODCAST

GreenSky's Ken Bowles on Auditing Controls Before They Silently Fail

Episode: 70

Over his 15-year journey through healthcare and financial services security, Ken Bowles, now Director of Security Operations at GreenSky, has collected a plethora of practical strategies for prioritizing crown jewels, managing cloud over-permissions, and building SOCs that scale effectively. He reflects on transforming security operations through AI and intelligent automation and discusses how AI is reducing analyst investigation time dramatically.

Ken also asserts the importance of auditing security controls before they silently fail. The conversation touches on the evolving role of the MITRE framework, the concept of signaling versus alerting, and why embracing AI might be the best career move for security professionals navigating rapid technological change in cloud environments.

Topics discussed:

  • Building security operations programs around crown jewels and scaling outward to manage the most critical assets first.

  • Managing over-permissions in cloud environments that have snowballed across multiple administrators without proper governance.

  • Using AI to reduce analyst investigation time from 30 minutes to seconds through intelligent data enrichment and context.

  • Creating true single-pane-of-glass visibility by connecting security tools and data sources for more effective threat detection.

  • Training new security analysts with AI assistance to bridge knowledge gaps in SQL, SOAR platforms, and log analysis.

  • Documenting institutional knowledge while encouraging analysts to trust their intuition when something doesn't look right.

  • Understanding the limitations of impossible travel alerts and using AI to establish user behavior baselines for accurate detection.

  • Applying the MITRE framework as a guideline rather than gospel, adapting detection strategies to specific organizational needs.

  • Implementing signaling approaches that label security-relevant events without creating alert fatigue for security operations teams.

  • Auditing security controls regularly to catch configuration drift and ensure protective measures remain effective over time. 
