Patch Me If You Can by Iru

Episode 009 - RBAC is Broken (Here's Why) with Dmitri Altum, GitLab, ex-Ramp

Arek Dreyer — Fri, 19 Sep 2025 13:53:55 GMT

Dmitri Altum from GitLab breaks down why role based access control is failing modern businesses and shares how his team achieved 93% automation with just a 3 second delay.

Episode 008 - Standard Users in an Admin World with Collin Elliott, Capital One

Iru Team — Wed, 20 Aug 2025 16:00:00 GMT

In this episode of Patch Me If You Can™, host Arek Dreyer welcomes Collin Elliott, Senior Platform Engineer at Capital One, to explore the complex relationship between security best practices and user experience in endpoint management. Collin’s background—spanning hands-on Mac support in large nonprofits to engineering roles at fast-growing startups—gives him a broad and practical view of the challenges enterprises face when shifting from an admin-centric to a least privilege approach on their endpoints.

The conversation centers around the persistent hurdles of implementing standard user accounts in environments where operating systems and app developers still assume admin rights by default. Collin discusses various strategies, from self-service elevation scripts and the SAP Privileges app to more advanced privilege management tools like Beyond Trust and CyberArk. A recurring theme is the balance between enforcing strong security without sacrificing productivity or creating a support nightmare. Collin and Arek also touch on the critical role of user and leadership buy-in, thoughtful automation, and the often-overlooked importance of minimizing friction—like reducing unnecessary clicks—to streamline processes.

Additionally, the episode delves into the realities of macOS privilege evolution, highlighting both improvements and ongoing obstacles such as limitations around certificate installations and bypassing Gatekeeper. Collin emphasizes the move toward engineering-focused solutions and automation to keep up with organizational growth and complexity. Ultimately, this episode offers an in-depth look at the push-and-pull between tight security controls and the need to empower end users, providing valuable insights for IT teams navigating similar terrain.

Episode 007 - Why 99% Hit Defer Every Time with Robert Hammen, SAP, ex-SpaceX

Iru Team — Thu, 07 Aug 2025 14:29:38 GMT

In this episode of Patch Me If You Can™, Arek Dreyer sits down with Robert Hammen, Principal Mac Consultant at SAP and former IT systems engineer at SpaceX, to dig into the sometimes frustrating world of enterprise patch management. The conversation kicks off with Robert outlining why patching remains a challenge, touching on common pain points like less-than-perfect tools, end users tinkering with applications, and the need to validate that updates actually get applied. He explains that in high-security environments, timely patching is crucial, but the process must be carefully managed to avoid disrupting users—especially those engaged in mission-critical work.

The discussion moves into the strategies Robert has developed to strike a balance between enforcement and user flexibility. He highlights a system of deferrals, where users are given multiple chances to postpone updates before enforcement kicks in, while keeping clear lines of communication open about why the updates matter. Robert also stresses the importance of automation, noting that having robust patching infrastructure frees up IT teams to focus on broader automations and remediations. This is particularly critical in organizations with thousands of devices, where deploying untested updates at scale could lead to a flood of help desk tickets and disruptions.

Both speakers touch on the persistent challenge of documentation, describing how vendor materials often fall short and require IT professionals to seek out answers from a patchwork of sources. Robert closes the conversation by advocating for IT teams to regularly reevaluate their processes and embrace change proactively, rather than waiting for technology to force their hand. His practical advice underscores that a smart, user-focused approach to patch management can make IT’s job smoother while keeping large organizations secure.

Episode 006 - Mac Malware: The Cat & Mouse Game with Patrick Wardle

Iru Team — Wed, 23 Jul 2025 19:05:22 GMT

In this episode of Patch Me If You Can™, Arek Dreyer welcomes Patrick Wardle, a leading figure in macOS security. Patrick, who founded the Objective-See Foundation and the Objective by the Sea security conference, brings years of frontline experience from organizations like NASA and the NSA. He’s also the author of the Art of Mac Malware book series and has created several widely used open-source macOS security tools, giving him a unique perspective on both defending and attacking modern Mac systems.

Episode 005 - AI Driven IT for Less Toil with Emanuele Sparvoli, Director of IT at Intercom

Iru Team — Wed, 09 Jul 2025 16:07:07 GMT

In this episode of Patch Me If You Can™, Arek Dreyer welcomes Emanuele Sparvoli, the Director of IT at Intercom. Emanuele’s background is rooted in transforming the way IT contributes to business value. At Intercom, he’s driven a cultural and technical shift to treat IT not simply as a support function, but as a strategic driver, focusing on designing systems that are secure, automated, intuitive, and built around the needs of users.

The conversation covers key challenges and solutions facing modern IT teams. Emanuele discusses the complexities of securing non-human service accounts—like bots and automated systems—and the shortcomings of industry-standard security approaches. He shares how Intercom addressed these pain points by developing internal tools and leaning heavily on automation to manage access more efficiently. This includes the adoption of platforms like Lumos and integrating with communications channels such as Slack, which enable faster, more secure, and less frustrating experiences for users requesting access or support.

Throughout the episode, there is a strong emphasis on evolving the IT mindset: Emanuele explains how automation and AI are freeing IT professionals to spend less time on repetitive tasks and more time improving systems and processes. By deploying enterprise search and conversational AI agents, his team boosts efficiency, reduces toil for both IT and business users, and helps the company scale securely. Emanuele closes with a call for industry-wide adoption of standards like SAML and SCIM, which he sees as essential for unlocking the next level of automation and seamless user experience across the business technology stack.

Episode 004 - Non-Human Crisis with Kane Narraway, Head of Enterprise Security at Canva

Iru Team — Wed, 25 Jun 2025 16:05:16 GMT

In this episode of Patch Me If You Can™, host Arek Dreyer welcomes Kane Narraway, Head of Enterprise Security at Canva, to unpack some of security’s most pressing and often overlooked issues. Kane has a wealth of experience, having switched between IT and security leadership positions at notable organizations like Shopify, Atlassian, and even within the UK government. This background informs his balanced, pragmatic approach to solving complex security problems in fast-paced technology environments.

The conversation delves into the concept of Zero Trust architecture, zooming in on what Kane calls the “last mile”: the challenge of securing non-human identities-namely, service accounts and API tokens. Kane explains that while industries have made giant strides in securing human users, the proliferation of automated service accounts has quietly expanded the attack surface. He outlines three primary strategies that organizations can employ to tighten controls around these identities: traditional IP allow-listing for sensitive services, the use of short-lived token proxies (as demonstrated by companies like Chainguard), and the much more complex route of building native integrations for automatic credential management. By improving these controls, teams can shift their focus from constantly reacting to exposures toward more proactive and strategic security work.

Beyond non-human identity, Kane weighs in on the secure adoption of AI and automation in the workplace, discussing opportunities and emerging protocols like Model Context Protocol (MCP). He also shares his career philosophy of alternating between IT and security roles to foster empathy, collaboration, and more practical solutions. Kane advises teams stuck in reactive workflows to revisit first principles, focus on high-impact outcomes, and don’t be afraid to trim unnecessary tasks in order to create real leverage. All in all, the episode offers actionable insights on bridging the practical and strategic sides of modern enterprise security.

Episode 003 - People, Process, Tech with Eric Pittman, VP of Cybersecurity at Teradata

Iru Team — Wed, 11 Jun 2025 16:07:49 GMT

In this episode of Patch Me If You Can™, Arek Dreyer sits down with Eric Pittman, the Vice President of Cybersecurity at Teradata, to discuss the evolving world of cybersecurity and vulnerability management. Eric brings a wealth of experience from years on the cybersecurity frontlines, including leading teams through critical incidents like major ransomware attacks and collaborating with agencies such as the FBI. The conversation sets the stage by exploring Eric’s work in streamlining Teradata’s patch management processes to deal with the ever-increasing volume of security updates, cloud adoption, and the challenges of tool sprawl and split responsibilities within organizations.

Throughout the episode, Eric emphasizes the importance of a holistic, people-first approach to security, built on the pillars of people, process, technology, and business value. He highlights strategies such as conducting awareness campaigns, tailoring patching processes to different user groups, and automating routine tasks to reduce human error and accelerate response times. The discussion expands to broader vulnerability management, from integrating security tools in the software development lifecycle to ensuring coverage of first-party code, third-party libraries, and new technologies like containers and infrastructure as code.

Eric also shares practical lessons learned from high-stakes incidents, advocating for well-rehearsed response plans, immutable backups, and continuous improvement. Beyond the technical, he draws on his background as a former DJ to illustrate how skills like reading a room and public speaking translate to effective leadership in cybersecurity. As a parting thought, Eric notes he would love to “patch” human awareness against phishing as well as simplify updates for complex platforms, illustrating both the human and technical sides of security and resilience.

Episode 002 - The Problem No One Patches with Aaron Morin, ex-Nike

Iru Team — Wed, 04 Jun 2025 16:11:40 GMT

In this episode of Patch Me If You Can™, Arek Dreyer welcomes Aaron Morin, currently the GM of Platform at Kandji and formerly the lead mobility engineer at Nike. Aaron’s diverse experience—both in hands-on IT engineering at a global corporation and at the strategic leadership table—sets the stage for a candid discussion about modern IT challenges and opportunities. His background gives him a unique perspective on how technical teams collaborate, adapt, and innovate in organizations where the complexity of systems can be overwhelming.

Episode 001 - Balancing Security vs. User Experience with Richard Hiralal, Grammarly

Iru Team — Wed, 28 May 2025 07:00:00 GMT

In this episode of Patch Me If You Can™, Arek Dreyer welcomes Richard Hiralal, a Systems Engineer at Grammarly, for a revealing conversation about the realities of maintaining secure systems without sacrificing user experience. Dreyer introduces Richard as someone who not only understands the technical demands of endpoint security but also has a keen sense for how organizational friction arises between users, IT, and security teams. Richard’s background in keeping critical systems protected while ensuring productivity sets the stage for an exploration of what it takes to design and uphold modern, user-friendly security practices.

A central theme of the discussion is the delicate balance between enforcing strong security measures and enabling a smooth user experience. Richard shares detailed examples, such as the challenges of Chrome patching at Grammarly—where repeated urgent updates threatened to frustrate users. He highlights how transparent communication about “the why,” collaboration across teams, and thoughtful rollout strategies (including deferral mechanisms and pilot user groups) led to higher compliance and greater trust between IT, security, and end users. They also unpack the dangers of working in silos, recounting past missteps where the lack of cross-team input resulted in cumbersome processes and negative user feedback, particularly during the implementation of privilege access management tools.

Throughout the episode, Richard emphasizes the vital role of empathy, communication, and collaboration in IT. By involving help desks in policy formulation, demystifying the rationale behind controls for end users, and designing documentation with the non-technical employee in mind, organizations can ensure both security and usability. The conversation ends on a big-picture note, with Richard advocating for a shift in how companies perceive IT—not just as a cost center, but as an enabler of productivity, trust, and business success, underscoring the strategic value that proactive, user-centric IT teams bring to the table.