End-to-End Security - Exploring Key Industry Trends & Initiatives

Nov 17, 2021 3:00 PM - 4:00 PM EST

Summary

PAM, IAM, and IGA modernization is progressing steadily this year. Organizations are responding to recent breaches and known vulnerabilities with hardened identity and privileged access policies, and these discussions are reaching C-suites and boards. The appreciation of a unified, end-to-end PAM, IAM, and IGA stack is discernibly rising, even if some organizations plan to continue using disparate tools in the near term.

SailPoint, BeyondTrust and BWG Connect conducted a survey of 100+ executive and security-focused professionals for an update on how businesses are developing comprehensive, end-to-end security deployments and initiatives.

BWG Connect, SailPoint & BeyondTrust invite you to participate in an interactive discussion with your peers, exploring this shifting landscape.

As always, there will be no sales pitches and there is no cost to join.

Discussion Topics

  • How have organizations altered key security priorities since the onset of the pandemic?
  • What is the propensity for organizations to make key upgrades to their PAM, IAM, and IGA rollouts? How do these initiatives bind together?
  • What are the key influences informing organizations’ privileged access and identity strategies?
  • Exploring organizational roadmaps and initiatives: modernization of tools and feature sets within enterprises
  • What do organizations see as the greatest vulnerability or security threat? What is the organizational impact?

Guest Speaker

Christopher Hills

Chief Security Strategist (CSS), Americas at BeyondTrust

Christopher Hills is the Chief Security Strategist (CSS) for Americas at BeyondTrust, the global authority on Privileged Access Management (PAM). BeyondTrust’s integrated products and platform help organizations quickly shrink their attack surface across traditional, cloud, and hybrid environments. At BeyondTrust, Christopher specializes in IAM/PAM strategy, mentorship, leadership, and customer and prospect liaison. Before joining BeyondTrust, Christopher was the Technical Director for Charles Schwab and the Senior Windows Systems Engineer at Jawa.

Dana Reed

Distinguished Engineer, Office of the CTO at SailPoint

Dana Reed is a Distinguished Sales Engineer at SailPoint. SailPoint is committed to solving its customers’ most pressing security and identity challenges using innovative technology. Dana has over 15 years of experience in identity management across a wide breadth of industries, including health care, retail, finance, defense, and higher education. Previously, Dana was a Chief Identity Management Architect at AegisUSA and a Senior Consultant of Security Services at Deloitte & Touche.

Event Moderator

Greg Irwin

COO at BWG Strategy LLC

BWG Strategy is a research platform that provides market intelligence through Event Services, Business Development initiatives, and Market Research services. BWG hosts over 1,800 interactive executive strategy sessions (conference calls and in-person forums) annually that allow senior industry professionals across all sectors to debate fundamental business topics with peers, build brand awareness, gather market intelligence, network with customers/suppliers/partners, and pursue business development opportunities.

Event Information

Nov 17, 2021 3:00 PM - 4:00 PM EST

Event format

  • Roundtable Layout: featuring 20+ executives, where everyone can contribute, ask questions and learn from peers
  • On-Topic Discussions: Q&A format, moderated by BWG Connect with group interaction throughout
  • Make Connections: opportunities to network before and after

Bringing together influential executives and senior professionals

What is BWG Connect?

BWG Connect provides executive strategy & networking sessions that help brands from any industry with their overall business planning and execution. BWG has built an exclusive network of 125,000+ senior professionals and hosts over 2,000 virtual and in-person networking events on an annual basis.

Key Discussion Takeaways

Most security teams are overwhelmed by the accelerated digital transformation of the last few years. How can you stay up to date with the latest cybersecurity practices?

Cybersecurity experts Christopher Hills and Dana Reed recommend taking it one step at a time. Rather than trying to boil the whole ocean, find small projects within your company where you can increase security measures. Every step forward counts — and in the end, it could save you millions of dollars by preventing a breach.

In this virtual event, Greg Irwin is joined by Christopher Hills from BeyondTrust and Dana Reed from SailPoint to discuss strategies for strengthening your company's cybersecurity. They share examples of how they solved diverse businesses' security issues, why spending the money to implement cybersecurity measures is worth every penny, and how to implement new security practices.

Here’s a glimpse of what you’ll learn:

  • Christopher Hills explains how BeyondTrust’s team helped a group of anesthesiologists block ransomware attacks
  • Christopher describes the massive expense of security breaches
  • Dana Reed shares how SailPoint helped an oil and gas company embrace an AI approach to access governance
  • Try accomplishing smaller projects before trying to boil the ocean
  • Why AI is beginning to replace hard-to-fill roles
  • Measuring ROI from your company’s proactive security expenses
  • The biggest challenges of implementing cybersecurity practices
  • How the digital transformation has prompted the evolution of stronger security measures

Discussion Transcription

Greg Irwin 0:18

Let's get to the co-hosts, and Dana, I’ll ask you to jump in. And please give a little, really, to the group.

Dana Reed 0:29

Sure. So, Dana Reed, a 10 and a half year veteran here at SailPoint. I work a lot on our AI machine learning aspect of our product, which will be called Predictive Identity. You know, I've been kind of through the gamut of sales, services, sales engineering. I've kind of seen all of it here over the past 10 years, but in identity about 20. And I'm really here to just kind of give you some insights and experience that I've shared in the gauntlet I've run through over the past 20 years, and hopefully you'll find some value in it.

Greg Irwin 1:02

Awesome, Dana. Thank you, Chris. First, Chris, or Christopher, that's the most important thing.

Christopher Hills 1:09

My mom's not here joining us. So Chris is fine. So yeah, Chris Hills, Chief Security Strategist of BeyondTrust. Very similar to Dana, right, been through the gamut. I kind of have a unique background. I've been with BeyondTrust for two and a half, almost three years; I've been working with BeyondTrust a total of almost six, going on six and a half years. So I actually came from the client side. I was at Charles Schwab for eight, almost nine years, working there as a technical director leading everything relative to PAM: architecture, strategy, maturity, operations, engineering, you name it, I've had my hands dirty in it, along with several other of our PAM vendors, I should say, that are out there, competitors. I came over to BeyondTrust, started on the pre-sales team as Senior Solutions Architect and kind of made my way up while we built out the Office of the CTO, and have dabbled with the Deputy CISO title. So I've been with the GRC, been doing a lot of our compliance and regulatory and even the business model aspect of that, and so really have my finger on the pulse relative to our sales and the customer. And basically tying that piece together with them, rather than them trying to understand, hey, I'm coming in here trying to sell you something from the sales side, versus let me break this down and let you know, let me just bring the true part coming from the client side of the aspect where I came from. So I really help bridge that gap. And I feel like I'm an extension of the customer as a result of being an employee here.

Greg Irwin 2:44

Hey, Chris, let's get right into it. All right, I think overwhelmed is probably a reasonable word to use here, in terms of just what security teams and professionals are dealing with. So let's kind of hone in on maybe one project, one initiative that one of your clients is pursuing. Something that moves the needle, something that's actionable, is nothing but a quick win. So I think we're all looking for some wins. Maybe you can share one example with us, we can name that's

Christopher Hills 3:24

No, here's a great example. I don't know if somebody is not on mute or not.

Greg Irwin 3:29

Sure, but I'm just gonna mute your line. Folks, I want people jumping in, so you can raise a hand, I want to encourage it. But in the meantime, I'm going to mute just for background noise. But yeah, Chris, let's, you

Christopher Hills 3:42

know, perfect case in point. One of the things that comes up, and it's not just one customer, right? So we dabble, honestly, down, but we deal with a lot of different risks and mitigating factors that companies are challenged with. And as a result of the pandemic, and as a result of everybody, let's say, working from home even more so than what they used to, the biggest challenge that we see, or have seen at the beginning of the pandemic, was how do we enable the end users? But more likely now, is it a very real use case. And it's funny, because we were on with one of our partners with CW and we were talking about this use case. And we were working with a group of anesthesiologists, and it's a large group, 20-30 some anesthesiologists. They have their own platform that they log into. But the issue they have is that all of the anesthesiologists are local administrators on their workstations that they use to do business. And the challenge is, you know, being remote and connecting remotely. Endpoints are a huge target right now for these bad actors, the cyber adversaries, and when you think about the malware, you think about the zero day attacks, the exploits and spyware, the ransomware that's occurring, and then you think of these people that are connecting back into potentially a corporate network or an application. And these endpoints have privileges on them; they become a very prime target, you know, in terms of an attack vector for these people. And it's funny, because, like I said, we were on with CW, and we had a bunch of their engineering folks on, and they just didn't understand. How are these people? Why is that a problem? How do they have admin rights? And so for them, it's like, man, we don't have any admin rights, we're locked down.
And I think for some people, it's the challenge of not being able to comprehend where different companies are on the scale of security and where they are in terms of their overall maturity and posture. And so for them, it really was an eye opener to understand, hey, this is a real problem. And this is occurring. Yes, you may be secure, and you might not even believe it's going on, but it really is a true and a real thing that occurred. So for us, that use case really was making sure, especially when you're dealing with HIPAA, you know, and some compliance things, when you have a local administrator and local rights, and these are the computers and the endpoints that you're using, and those get compromised, the amount of records or what they access, you know, I mean, the sky's the limit, right? We've seen the breaches, and we've seen what has occurred, whether we talk about manufacturing breaches, whether we talk about Colonial, SolarWinds, the Florida water treatment facility, if you talk about T-Mobile. I mean, it is just an opportunistic area where these bad actors, if we leave those attack vectors open, they will absolutely leverage them against us and embarrass our companies and ultimately cost money.

Greg Irwin 6:51

Hey, Chris, can you demonstrate it after the fact, in terms of showing the proactive attacks that have been blocked? Because of the people who have attempted to maliciously gain access through those endpoints? Because it's a tough thing, right? It's insurance. And it's a hard thing to justify. Are you able to justify?

Christopher Hills 7:17

The justification comes in multiple factors, right? You have the how do you justify a cost on an ROI when you don't know what the monetary value really is? I go back to two references. And the two references that stand out the most is the Verizon data breach, where we look at the pricing data breach and the cost per record that they assessed, which was $152 per record. If we look at the 2021, 2020 statistics, depending on which industry vertical you look at, it slightly ranges. But on average, when a company gets compromised, the average compromised amount of records is 25,005 75. So even if you were to take 25,000 records times $152, that's $3.8 million. If that's not enough to get you swinging on how much could this potentially cost us, you can quantify that with the Equifax breach, which everybody typically knows about, $125 per record. Question is, how many people did that affect? That was 147 million people. So again, from a math aspect, 147 million times $125, you're at $18 billion. And those are just some of the things, you know, when it comes to the CISOs having to write the checks, or the board having to approve an amount: hey, we need to spend 100,000, half a million, a million on security. How do you justify that when you haven't been breached, or you haven't been compromised? And that is one of the biggest hurdles and obstacles, because when it comes down to it, and it comes down to mitigating risk, we always talk about, you know, we have our high priorities, we have our low priorities. I tend to follow that there's three areas that you have in terms of risk, and that is your risk appetite, your risk acceptance and your risk tolerance. And depending on how you view and look at each one of those will depend on what's important to you.
And one of the things, especially when we deal with PAM, we talk about PAM, if you were to look at somebody's, let's say, documented PAM strategy, and you were to compare that with a different company, no matter what the industry is, there's no two PAM strategies that are identical. And the reason why is because there's different priorities for different companies. And it's a balance. And exactly, we haven't even gotten into that, but the cyber insurance deal is really starting to, I want to say, explode. The security professionals are really starting to get more involved with the brokers and the insurance premiums. And now what's happening is they're actually sending security questionnaires out to their clients. And based upon how the clients are answering, how they're mitigating risks, or what products they're using, or what they're doing for PAM, or what they're doing for endpoint protection, or what they're doing for network security, they're either increasing premiums, dropping coverages, or denying the ability to protect you for ransomware, malware, spyware. It's something very real and very true that's going on right now.

Greg Irwin 10:33

Great stuff, Chris. Thank you. Um, let's layer this on. Dana, jump into the mix here. Tell us about one enterprise that you're supporting, and what they're doing to address the risk. We could talk about, you're the GM, I hear SailPoint, I think governance and implementation, but it doesn't have to be right in your sweet spot.

Dana Reed 10:59

No, but I think you're right. Would you think, at least, either 10 and a half years for what I think of SailPoint? I had the question yesterday, what's the difference between SailPoint and Okta? And the difference is we are authorization level security, and they are authentication level security. And so we play in the governance space, where really, at the highest level, we play in the authorization space, right? Who should have access to what? And Chris and I have done a lot of these online together, so we kind of play off each other well. But, you know, to piggyback quickly on what Chris was saying, you brought up the Equifax breach. The one thing he didn't tell you is that the CISO there not only lost his job, but got death threats about the whole thing. And so it personally affected, obviously, the fact that all these people have X number of bucks per user. But what happened to their market cap? What happened to every investor that's out there that was investing in something like Equifax? What happened to their money? What happened to, you know, what it cost most of the executives, their job? How much did that cost them personally, with these breaches? Right? So there's a lot more. I think that computation is very small when you look at the actual effect of what happens to an organization when a breach penetrates them. To address your question directly, though, I think, you know, Greg, the client I think of immediately is an oil and gas company that we've been working with for a while through one of our partners. Their issue, and it kind of goes back to what Chris was saying, their issue was about moving their users to the rule of least privilege, role mining, for lack of a better term, right? They had all kinds of roles.
And they had a very small team to manage these roles, very much in a situation of one role per person, which a lot of folks have. Role explosion was a big issue. How do we get properly what I call right-sized users, while still maintaining some sort of compliance around that, i.e., a role model? And so what we've done inside of SailPoint is we are moving towards it and really embracing a book called Predictive Identity, or AI and machine learning, data science led, essentially, approach to access governance.

Greg Irwin 13:12

Sorry, sorry, Dana. Hey, Chris, I just muted your line for a moment. Thanks, Chris.

Dana Reed 13:17

The real result there was that they were able to limit their roles down to a very much more manageable state. But here's the interesting thing: what they still found was they had a problem, they still had a very small team that had to manage roles. Well, the solution is actually to push role management out to the business. And through AI machine learning, the machine itself can look for insights as to how to adjust roles, and then put those insights in front of the proper role owner, the person closest to that access, which is essentially the manager or the department head, the location head, whoever that person may be. And so this client really was able to reduce the amount of roles they had while still increasing the amount of coverage. To give you an example, a client out in Australia, I had a conversation yesterday, they have, I think, 35,000 roles in this bank in Australia. What was interesting was we looked at it through data science, we figured out that through 350 roles, simply 350 roles, we can account for 7% of the access across the entire organization. Now that doesn't seem like a lot. Here's the kicker, though: the 35,000 roles only accounted for about 41% of the access. So we were looking at essentially 25% of their access can be accounted for by a very small amount. And so what we're doing inside of SailPoint with our clients is now this ability to essentially put a program in place, right? It's not about role mining; role mining is the cornerstone, but the real process we're putting in place is an infinite kind of feedback loop around identifying what I call over entitlement or obsolete actions, obsolescence risk. You're not on the project anymore, so why do you have the access? We can look at your peers now. And we can specify, wait a minute, your peers can do their jobs, but you have access they don't have. So why do you have it? If they can do it, why can't you do it as well? Why do you need it?
And so we're starting to be able to identify access which I call electives, just like in high school, things that you requested that you still need to do your job. But there's a fundamental difference between an elective that requires approval or some sort of training, that's why you have to request it, and an elective that simply is an elective because the role's old, right? And we're now able to really look at peers and figure out what are they requesting? When are they doing it? How are they using it? And now create a much better infinite feedback loop around roles. The more over entitlement you can identify and remediate, the better your roles get; the better your roles get, the less you have to certify; the easier it is to identify over entitlement. The list goes on and on and on. And so we're really seeing with, you know, we've sold AI 125 times now, we're seeing with a lot of our early adopters that they're finally getting to a stage, including this gas company, where their role program really is showing high ROI. The ROI is not only on efficiency of provisioning and de-provisioning, but it's around reduction in certifications, it's around increasing revocation rates in certifications, because you have less to look at, you don't auto approve and select all things. Obviously, risk mitigation, which I always, I hate putting that inside of any sort of business value assessment, because, you know, they're made up numbers, but they're very real numbers. Right? And Chris just hit those with the Verizon breach and the Equifax breach earlier. And then, of course, what does that do? It moves your client now towards the rule of least privilege.
And when you look at the news, you know, the buzzwords of digital transformation and zero trust, what is it, right? It's about providing our users, consumers, employees, contractors, vendors, partners, anyone to interact with us, bots, the right access they need to access one of our services. And so if I shop at Whole Foods, work at Amazon and shop online, I'm interfacing with a lot of different services from Amazon, AWS, but the rule of least privilege still is kind of, as this convergence is happening, it's the rule of least privilege. Now that becomes core to the whole problem.

Greg Irwin 17:29

Hey Dana, I'm gonna, by the way, before I go on here, folks, you can raise a hand, you could just jump right in with a question. And I promise you, your questions are probably going to be better than mine. But I'm going to take a shot with one here. A guy I worked for a long time ago had this saying: the other side of the desert might be great, but crossing the desert will kill ya. So I think about that here, because when I look at the folks who are on the line today, I'm going to venture that most of them are not going to err on the side of the benefits of least privilege. And the question is, how the heck do we do it? Is it worth, you know, how do I operationalize it with the team I've got? How do I sell it up the stack? And is this the thing I really want to be carrying up the stack? And do I want to deprioritize that other priority? We've got to do this one? Maybe, what do you say, what does success look like? Think about one who, you know, not the glowing golden child, but, you know, a reasonable scenario of an organization that took the journey. How long did it take? And how was life better on the other side of the desert? Yeah, I think you know,

Dana Reed 18:53

Yeah, I think, you know, it's kind of to throw a couple of analogies or proverbs or whatever back at you. The one that came to mind when you said that was the old adage of, if you think hiring a professional is expensive, try hiring an amateur and see how much that actually costs, right. So I think leadership matters, right? Having someone to help you across the desert certainly, you know, is something that we need to do. What does success look like? I think, you know, you start slow. You win identity projects. We all started wanting to boil the ocean, right? But the reality is we couldn't boil the ocean. And so we took on easy projects ourselves. The low hanging fruit in this zero trust game, in the least privilege game, has a lot of juice. Figure out what all your employees get, figure, I mean, it's not that hard to start really high. We have this tendency to feel like if something is difficult, it's worth it, that's where the value is. That's not necessarily true in what we're doing, right, and I think we can start with a lot of the easy stuff and get inertia, and that will then bring us through. It's getting worse, right? Your OT/IT manufacturing environments, they're only converging more. And so this threat is just getting way, way out of hand. And we have to have controls, programs, and I think leadership, and this is where a power partner model helps us, right. When we work with our consultancies and things, they offer good insight. Not only, you know, we bring the product, but they bring how to use it, they wrap around that quality, and that program that says, to your point, here's how we can get you across the desert without, you know, without it killing you. So I'll open it, I'll pass this over to Chris, but that's kind of my initial take on what your question was.

Greg Irwin 20:42

But let's do this, Chris, I'm gonna, let's bring some others. But broad net and try and mix, stir the pot. Trumpet, Charlie, your box is right, just to the right of Dana's here on my screen. So thank you for turning on your camera. Maybe you can tell us a little bit of your story and your health equity. So they text number of health payer providers here. So

Charlie 21:10

right now, we're the banking institute, where the non-banking banking thing, where more of the benefits are, more the benefits, pre, you know, pre/post tax kind of stuff. We are actually in initiatives with, for instance, identity management and such as well. And, as Dana said, boiling the ocean, it is a little piece at a time. Um, some organizations that I have been attached to have been better at the role based personnel identifying function, that Dana can maybe commiserate with, that, you know, it's not, well, if you need that, go to Joe. Right, everybody knows who Joe is, and that they do X position or X function. But what happens when you add somebody? You need to have that ability to just say, give all the job specific rights to that person, without hampering them while you figure it out. Right, because maybe you don't have everything written down. And in this case, we're in the process of doing identity access through authentication authorizations, and taking it step by step. We're hitting department by department and having to do them and implementing them that way. So, but it is, it's a project-based, semi-sloggy kind of event that takes about 11 months.

Greg Irwin 22:43

Right? Now, how do you define success? Right, in terms of your support, you're more secure now than you were when you started?

Charlie 22:51

based on our ability to hit the metrics, where we know exactly who's accessing what, where, and when, ultimately, right. That's where the timing is coming in. So they are hitting milestones in between, based on departments and specific accesses, more specific tools, most risky being the first ones they're attacking. So it's, again, it's a planning thing. And for companies that are running as if they're startups, it's really hard to be patient. It's a very, very, it's a patience, you know, eating a little bit of the apple as you go, and yet they want to go yesterday. So how many ways are you? Ah, we're about, well, and with mergers and acquisitions, we're at about 4000 coming up soon. Yeah. I mean, it's between three and four. Plus, we're getting new people all the time. Right. Now, new positions.

Greg Irwin 23:59

So tactically, very tactically, what's one of the toughest challenges of rolling out one of these programs?

Charlie 24:06

Um, having the knowledge of having this kind of program previously, having people who are aware of it, and then also how it pertains, as Dana was saying, AWS, Azure, whatever your flavor of choice is, um, where are you going with that cloud environment to be able to hit all endpoints, both remote and, you know, wherever your premises are, or wherever your presence is. That's what we've run into.

Greg Irwin 24:43

You're saying covering the cloud environments you're on? Is that

Charlie 24:47

Yeah, being able to have the knowledge of people who are experienced with having that process. Yeah, having the knowledge of that, and where you don't have that knowledge, being able to, maybe, you know, retain somebody.

Greg Irwin 25:02

So it’s the skills you're talking about, the team.

Charlie 25:04

Skills, the skills, because of course everybody wants cloud. Everybody thinks, oh, well, let's try the non-data center, which is kind of an oxymoron, but I get it. The non-data center data center. Yeah, yeah,

Greg Irwin 25:19

Let’s bring Chris in on this one. Because this is, I think, a real challenge, right? You want to hit it, you want to secure your environment, but your environment is growing faster in AWS and Azure. And you know, how hard it is to get skilled cloud engineers, let alone cloud security engineers.

Charlie 25:38

We're actually using BeyondTrust as well. Okay, thank you.

Christopher Hills 25:44

Now, you know what I mean, with today's industry standard, this comes up as a huge topic all the time. How are we expected to do more with less? The amount of qualified individuals that are coming through just aren't at the quality or the quantity that they used to be. I have done round tables with university professors that teach cybersecurity, and this generation, and even the millennial generation, for the most part, they just don't have the interest focused on security anymore. So that ultimately means, from a prediction standpoint, it means a couple of things, right? It means that we have to take on more, or we have to find people with the right aptitude and the right personality that will blend with our company and our culture, and then train them to work on, or to do, what it is we need them to do.

Charlie 26:36

That is actually, yeah, and that is actually the big thing. I mean, I've been doing this since forever. I am not the beginning, but I am one of the early adopters. I was actually one of the members of MetaInfo when Check Point purchased them. And so I've been doing, and way back even farther, when Spry, and de pool with the MetaInfo browsers and all that stuff. I was doing IRC chat as remote support from home into a cow. Oh, god, yes. So I have seen these things come and go and come back and everything. I got my master's degree online before we had them. And now we're going through this influx of, you're right, the, I want to be in security, because it's kind of sexy, but I don't want to get into the nitty gritty. Analysts, quote unquote, have become the new catchphrase. But when I was looking, a lot of the analysts are being asked to do technical cloud based and software. So all they've done is changed the name. Right? You know that. So, and we are going through, in fact, we've gone through several positions where we have actually removed the rack and had to reissue it, even for some of the medium, you know, intermediate, senior technicians, because what they're looking for, they were hardcore on, they couldn't find anybody. So they're actually, you know, revamping those requirements. And so it's very difficult.

Christopher Hills 28:23

And I think Dana can agree, you know, Dana's real heavy into the AI/ML stuff. And one of the things that I think you're gonna see, and we've already seen the trend, look at what's happening with fast food, look at all these kiosks that are being automated to take the place of humans. You're gonna see the exact same thing occur in the security space, the analyst space: the AI and ML that is going to replace the analyst, because we don't have enough bodies. And I think that what that's going to do is actually help drive the security solutions and the integration points to be more holistic, to be able to adopt and consume more, so that way they can integrate better, and they're easier to integrate, because we don't have the bodies, the skill sets, and the people to actually do the clicking and the configuring and all of the engineering aspect of it. And it's going to be a huge challenge. And going back to what you had said, Charlie, and even Dana, we've recognized the cloud. And what we're seeing now is that the strategy for cloud in this, if you want to call it post-pandemic era, is diversifying in the cloud. Don't put all of your eggs in one basket. It's now put some in Google, put some in AWS, put some in Azure, Oracle, whatever it may be. And oh, by the way, we need to keep a backup on prem. That's kind of the new strategy that we're seeing. But the problem is that we're essentially taking the exact same problem that we have on prem with privilege, and we're exacerbating that in the cloud in a way that we can do it at lightning speed for assets, resources, and everything else. And we're doing it across multiple cloud platforms. How are we accounting for that? And it's just a matter of time before that gets ahead of us, and it's something that becomes so big that it's, where do you start to manage it?

Charlie 30:23

And this is where the one last point that Chris had said was, you know, taking what you've been doing in your, quote, data centers, standard institute implementations, and replicating it in the cloud, which also means replicating things that you don't want, don't need, and two, are bad practices for that cloud. So that's the other thing. And that's where the knowledge comes in.

Dana Reed 30:49

I think one of the things that we're, I've spent a lot of time recently researching this and trying to understand more about it, but it's this entire, you know, we're talking about the divergence, if you will, of IT out into the cloud. But there's also this convergence of the IT world into the OT world. And then we're recognizing that we can manufacture things better, we can do all kinds of stuff better, if our IT systems are not connected to our OT systems. The problem is our OT systems don't understand the fact that the internet exists, they don't understand the fact that more than one user needs a username and password on their systems, they don't understand that they need to be upgraded from Windows 7, version two, from 1985. And they can't be. And so what's funny, it's like, I talked to a guy the other day about their problem, which was that their microscopes were getting there, right? They were running like Windows, and they were getting a virus that had been, you know, removed 15 years ago. But now that I know that OT environment is susceptible, it's like seeing, you know, smallpox come back up again, or, I mean, we're just seeing these inoculated viruses all of a sudden popping up in OT environments. But here's the problem. If you think that taking down an IT environment in an organization is expensive, watch when someone takes down the OT environment. And one, think about what it's going to cost an oil manufacturer when they can't pump oil for two days. Think about what it's going to cost an electric company when all of a sudden we take down every person's thermostat in a way that the only way to fix it is to go on site and fix it, and we do it to 15, 20 million people. Think about what's going to happen, or someone opens up a dam, and no one knows about it, they overheat the air conditioning in a Tesla factory, or whatever it is.

Greg Irwin 32:39

All I can think is Colonial Pipeline. Everything you're saying, exactly like homeopathy.

Dana Reed 32:43

And you know, you'll look at Stuxnet and what happened a long, long time ago. And that's all coming. But I think this is where we just need to be careful of, like, the conversation is going in two directions. Like, this universe is expanding, in all ways, always. Right. And so I think one of the things that was said earlier is, you know, what's the biggest problem? I think the biggest problem right now is, where the hell do I start? Where do I start? Right? It's the pizza. You know, where do you start eating a pizza? The answer is, you just pick a place. I mean, you pick a place where, ideally, you get the biggest piece that's the easiest to pull off of the pie, right. And that's where we need to start going now. For all of you on the phone, your starting point may be different, but it doesn't mean you're wrong. It means that you're probably right, you just got to figure out what's right for you, and then start there, because the benefit is equal no matter where you start. Yeah.

Charlie 33:42

Dana, thank you.

Christopher Hills 33:44

You know, what goes back to your point, how do you measure success? And I hate to say it, at the end of the day, making sure your company's not breached or compromised, that's success. Because, I mean, that's ultimately what we're here to do. As security professionals, our goal is to make sure that we do right by our company, and ensure that, whether we're taking a laptop home and connecting in, right, we're doing our part to make sure that our company stays secure by not downloading, not going to, you know, malicious websites, or doing things or storing our personal stuff on our work or corporate computer that we could be using in a way that might present a risk to the company.

Greg Irwin 34:28

I mean, it's all about ensuring us doesn't get breached. Let's bring Kevin in for a sec. As I was in that comment on the side, I think I agree with you in terms of, there's a bit of, when you talk about the catastrophic risks, it can seem like a shallow argument, because you can apply that to any situation, any action. You can always compare it, it's true, but I'm wondering what else you can be doing beyond, you know, the true risks of the catastrophic outage. Okay, I would love to hear your thoughts on how you tackle it.

Kevin 35:09

That was my next comment right after that one, because what I view is, information security is kind of like washing your windows. If you spend hours washing windows, no one's going to notice. But if you don't wash them, people are going to notice. Information security is kind of the same thing. You spend a bunch of money, and the VP is trying to think, am I getting my money's worth? Well, you're not getting breached. It's hard to measure a non-event, right? Well, you aren't the next Colonial Pipeline, you weren't the next SolarWinds. So what I think the basic things, and this is one thing I'm finding people just aren't doing, is: do you understand your inventory? Are you doing vulnerability management? Do you have a policy that says that criticals need to be patched, tested and patched within two or three weeks or whatever else? And then you have a compliance team run around to make sure you're actually within those windows. If you're doing the basics, and when I say vulnerability management, I'm also talking about your version control. For instance, if you're still using Java 6, or Oracle 11, you're in trouble. Yet that's not really covered under vulnerability management; your tools will find it, but the people are thinking security patches, and they're not thinking ancient software. If you've got a DB2 system out there, you probably should consider getting rid of it. And I think that's the challenge, is that we're not current. If you're just current on your patches and your versions, or at least no more than two versions back, I think you're gonna knock out most everything except for the nation states.

Charlie 36:42

Yeah. You know what?

Christopher Hills 36:46

Follow up on that point. It's funny, because we laugh about it. And this is one of the critical reasons why zero trust has become so popular, because there are companies out there, as David mentioned, that still have a Windows 2000 operating system that can't be patched, that's running some old process that they, for whatever reason, can't seem to modernize. And so it's sitting in this corner doing what it does, and either you know about it, or you don't know about it. And if you do know about it, trying to get that behind the zero trust model to ensure, once again, trying to prevent the security breach from that, is where, you know, and even NIST calls it out with some other architectures, right? And some other things, when it talks about, I think it's five or six different architectures where, hey, look, we know these systems need to be sunset, but we can't get rid of them, because they're running critical processes for our company. Chris, you're right. But he knows, right, it doesn't stop the technical debt aspect of that.

Kevin 37:45

I hear that all the time. "We can't do this, because we use it." And my answer back to them is, I want to see your high-level security architecture that tells me how you're going to defend it and monitor it. So if you've got to keep it, you've got to defend it, and you've got to monitor it. And that's where the next question comes in. And you'll find that to defend it and monitor it might be more than actually just replacing the system. Right. So you've got a choice. But the answer "we can't turn it off" doesn't mean just leave it there.

Greg Irwin 38:19

Right. Kevin, what are you working on next? What's a 12-month project for you?

Kevin 38:24

Well, I work for T-Mobile, and we had a breach in one of our labs. And so what we're doing now is going to all our databases and making sure we don't have things that are not current, and so forth. As part of the merger, we inherited some vulnerabilities we didn't detect. And unfortunately a hacker found one. And so now we're going back through, with the merger, to find out what the systems are that we probably don't need, that we probably need to turn off, and making sure that our databases are secure. So that's a big project. We've got it working on now. And I think we're doing a good job; we haven't found any horrible things. I think we generally did a pretty good job. But you've still got your lab area, by definition. Especially, here's a message to the group: the lab that you use to test your security patches, make sure that's secure, because by definition, they're not patched. Yes. And you need to monitor those and make sure that your patch testing labs are not being used for exfiltration. So your labs you use for patching your systems, make sure those are well monitored and well protected.

Charlie 39:34

Hmm.

Greg Irwin 39:36

I have a question. It's a little off from the core, but there's scanning the tech. But then there's also scanning the business, scanning your SecurityScorecards and RiskRecons, to know the nature of the people who are connecting to your environment. You may be perfectly fine on the tech side, but it may be the reputation of the people connecting that might be a problem. So I'm just wondering if people are looking beyond the tech scores on their IP scan?

Kevin 40:14

Well, before you go there, let me say that when you have your risk register, make sure that's locked up. And make sure that's not used by your attacker as a roadmap for attacking you. Because your risk register is telling him all the things that are wrong. It's a roadmap for an attacker. So make sure that is locked up and secured. And then after you do that, then just go ask your personnel management control. Yes.

Greg Irwin 40:37

Kevin, great stuff. Thank you. Thank you very much for joining us and sharing here. Folks, reminder, we've got 15 minutes, let's make it a strong 15 minutes. I know people probably have a meeting after this, probably had a meeting before it. But we've got a great group assembled here. So let's take full advantage: drop questions in, raise a hand, ask a question. And please make contact. I'm gonna invite a couple others in here. Bruce, Bruce Crypt. Bruce, it's been a little while since we spoke. Are you in a spot where you can share a story with the group?

Bruce 41:15

Hey, good afternoon, Greg and the group. Bruce Crypt, self, in San Diego. And sadly, I am in an in-between place for a while, as you might imagine, as you are coming out of our events. So I'm not going to be able to chat about quite a few things for the very near future, anyway.

Greg Irwin 41:31

No worries. Beyond that, good to hear your voice.

Bruce 41:35

You as well. Thank you so much.

Greg Irwin 41:37

Let's try a couple others. How about Shauvik? Shauvik, I just saw Westamerica Bank, that popped out at me. Shauvik, I think, are you on the line with us?

Shauvik 41:49

Somebody's much, am. You know, that's if you remember, had to be muted because I'm, of course, in the office. So we've got many things going on.

Greg Irwin 41:59

And Shauvik, I'm sorry to cut you off. I think we're having a little hard time here, and your audio may just be the mic. I'll bet it is just the mic, your volume.

Shauvik 42:08

Fine. Is this any better? An exam?

Greg Irwin 42:12

Yeah, let's do it. Give us a little interim start there.

Charlie 42:16

Let me just see.

Shauvik 42:20

Okay, let me know if this is getting better. Because I think

Greg Irwin 42:24

It's good. It's good. Thank you for that. Yeah, I guess we can start with an intro.

Shauvik 42:36

Okay, hopefully. So yeah, I manage, actually, the information security, certainly, for Westamerica Bank, but also in my portfolio is enterprise IT, and also vendor management. So it's a little broader. And that's why I have to have dual reporting, because of the need for independence for information security, because I'm also running IT. Yeah, very exciting times, I guess, with the amount of, you know, complexity. We've heard enough about the breaches and how we really don't want to be in the newspaper for those reasons. And that's what, you know, is the primary goal. And as somebody said, you know, success looks great as long as you're not breached. And we also hear that, you know, it's not a question of whether you are breached, because you are; it's only about when you know, and when do others know, because you all are breached. We also hear that. So I think one of the probably unique things that we have, and it's not easy to probably copy, given budgets, but historically we built on it, is that our crown jewels on our production system are all air gapped. Obviously, that brings in other complexities, because you still have to have, you know, SaaS applications, you still have to have all the other things, and sometimes you have duplications or replications of networks, and hence supporting resources. So it's hard to replicate, I believe, for a bank our size, or, I mean, we don't believe anybody of our size, and certainly bigger than us, has that kind of setup. So that's there. But are we doing pretty much the same thing? I would say that all of us here, by talking about it still, you know, I think some of the key things obviously are continually moving the start, raising the bar for identity and access management. So that continues to be, you know, an area where we are looking at more, I would say stronger, technology, and doing more multi-factor authentication wherever, you know, we seem to have our risk assessments calling out a little bit more work.
Obviously we do, you know, my work covers a lot of technology risk overall. So that includes, you know, the controls and control processes. We're looking to add those all the time. And of course, we have regulators in our backyard through the year. And between the Fed and the FDIC and the California DBO, or what they now call the DFPI, and so on, I don't want to bore everyone with those acronyms. But that is what, you know, becomes a focus, because, you know, just keeping the license for banking is dependent on passing those exams. And a lot of that now is way more on cybersecurity. Actually, now the regulators come and ask you to fill in ransomware readiness forms, for example, and show what you are doing about it. So that, thankfully, actually helps me get the investment that we need for certain things. So I'll actually be thankful to the regulators, as much as we crib about it.

Greg Irwin 45:57

Nothing better than, yeah, than an audit flag to help something along. Shauvik, what's the biggest challenge here of putting these in place? Maybe it's operational? We've talked to people, we've talked process change. What, from your perspective, is something you have to work for?

Shauvik 46:17

Yeah, I think, for us, people is still, you know, quite a bit, because we have a very unique setup. So people challenges are certainly critical. Operational? Yes. Because, as I said, when you are unique, I think, between people, processes and systems, I would say it's more the people thing that you have to work with. And certainly, between processes and systems, continually improving on the technology, with banks, that's the challenge. On one side, you have to deal with legacy. You just can't get away from legacy technology, because, you know, you just can't, overnight, change all of that. So how do you keep that safe? How do you go up the chain on technology, and still be able to continually prove that, you know, you're keeping the bottom lines correct? And because I have both the IT and information security hats, it's like I'm responsible for the balance as well. Typically, you can have the two sides fighting, right, but I can't fight with myself much. So you're forced to keep the balance.

Greg Irwin 47:27

So what's gonna happen next year to your budget? You've got to go, and you've got either the regulators saying you have to put in this system, you have your marketing team saying you have to do this on the web, you have your back end saying you need a new loan origination system, you've got a hundred, you know, you have a big list, and you have to draw a line. Maybe just a benchmark: what's going to happen to your overall budget next year? Is the pie increasing, at least?

Shauvik 47:57

It's, you know, the first thing that you're always required to do is, where can you squeeze if you want something else elsewhere, right? That's always what you're going to be thrown at. And then, really, it's the ability to fight and influence that is always going to be the case when you are trying to, you know, garner resources. Nobody's just going to come and give it to you on a platter saying, oh, yeah, I understand that very well. So you always have to, and that is how I look at it. So there are, in that list of things, it's a prioritization. I think I've worked in, you know, previous worlds where you'd have a broader management group that would sit across, you know, different priorities, and then say, okay, this is the overall goal, and these are the five things we'll move forward, and these are the three we'll keep on the back burner, and then we continuously look at the prioritization. Here, I think I have the benefit that it's a relatively smaller bank, when again, it's all relative. So we are able to make quick decisions and judgments on those, saying, okay, you know, this is something that's needed. And thankfully, we do get those approvals quickly when we know that this is a must have. So that works out. The quick answer: yes, you know, the pie will increase. Certainly slightly. Yeah. One should never expect that it's going to go significantly higher, though. Yes. From a financial standpoint, I think this is more from the banking industry standpoint. Yeah, we've been going strong within, you know, the given parameters of the pandemic and the overall market. I think we've done pretty well financially. And that allows us to, also, I would say, we're breathing a little better as a bank when the interest rates slightly climb up, as opposed to most others. So that's actually a good thing for us, and it gives us an environment where we can hopefully put in some more investments.

Greg Irwin 49:52

Pretty good. You know, I was thinking about just the cost of all of this, and I was thinking back, I've been through a couple cycles. It's really only an economic downturn where we're going to see this budget squeeze. And fortunately, we're not there. Fortunately, these are good times, for the most part, at least economically. So I think we're in a reasonable spot where we have at least more budget to play with across these priorities. It'll be, that's what, that's when.

Shauvik 50:21

Yeah, really. And you don't know how big the window of opportunity is, really. And of course, it depends on what industry and what company and what situation you are in. So you can't use a broad stroke for everyone. But certainly, for those who are in a good spot, I'll say this might be a small window of opportunity, and one should look at investing in the right places at this time, if that opportunity exists, which certainly is, you know, around security and the right kind of technologies and people.

Greg Irwin 50:49

I agree with that. Anyone who's running an IT budget, you know, knows that these things are very difficult to justify well in a tightening environment, things that you need in place. Very good. Shauvik, thank you very much. I'm gonna try one other and then come back here to Dana and Chris to wrap up. But do me a favor, we've just got a couple minutes left here, drop a question. What's one question you have for others in the group? Drop it in there, we might be able to cover them, and we'll watch it as we go. But Dana, let me come to you next, then Chris, and I'll wrap up. And do me a favor, folks. Oh, Kevin, I like that one. Dana, what's the number one question that you're getting from your clients? Oh, Dana, sorry, we're missing your audio.

Dana Reed 51:59

I would say it depends on the vertical. But here's the one that I think intrigues me the most. Now that we're here, we've given people a bunch of access, we skirted all the rules, we got everybody up to date with what they need to do their jobs from home. A, where the hell are we? And B, how do we get back to a state where we're confident that what we've given our people is okay? And so I'm seeing, as I talked about earlier, a lot of this was driven through, you know, digital transformation, the rule of least privilege, etc. But on the internal side, you look at, like, some of the healthcare, and they're just like, we just gave people whatever they needed to do their jobs, right, for the past year, and we have no idea what controls we've circumvented. And think about that in the context of healthcare. Think of that in the context of, you know, I was out in Australia when COVID happened, and the number of people rolling out tools like that, that was with BeyondTrust. As a matter of fact, the people that were rolling out BeyondTrust, it was stalking you. I mean, it just was like, hey, we've got to figure something out now. And I know BeyondTrust even gave it away for free for a while, because they just had so many people that needed their software. And now everybody is stopping and going, whoa. It's like the end of Forrest Gump, you know, where he ran and ran and ran, and just focused on running. And then he stopped and he's like, I'm ready to go home now. You know, and I think that's where we're at, is like, I'm ready to go home now. But we don't even know how far away we are from home. And that's, to me, that's the one question that I'm hearing a lot. There's OT/IT convergence, so all the other stuff, the digital fabric, all these things are out there, but that's the one that intrigues me the most, of like, wow, we've been thinking about a very serious problem.
And now we've walked ourselves into another one.

Greg Irwin 53:52

Totally, I mean, that resonates with me. What's the work-from-home environment gonna look like? You have to start with real basics. What's the workflow and process and engagement with contractors gonna look like?

Dana Reed 54:08

I just gave a talk on this, and I think that one of the lines in the presentation was that the people that are thinking about work from home are putting the emphasis on the wrong syllable. Right? It's an operations-anywhere discussion, it's not a work-from-home discussion. It's operations anywhere, and that's where the smart money right now is putting their efforts: understanding operations anywhere, with work from home being a catalyst. Work from home is not the problem; work from home is a symptomatic thing we need to deal with. We have an operations-anywhere problem.

Greg Irwin 54:43

Rather, you can brand that. Maybe you've got that. I like that.

Dana Reed 54:47

That role. I'm full of obsolescence risk electives, you name them. I want to know who's heard of these things, as I've made them up in my bedroom.

Greg Irwin 54:58

Are in this room. Let's go over to Chris to wrap this up. And before I do, I know people are gonna jump here in a minute. Do us a favor, remember, make one contact across the group. And of course, BeyondTrust, SailPoint, BWG, we'd love to build more of a relationship. So we'll be reaching out, and hopefully we have something good to keep a dialogue on. Chris, let's do it. Give us a big, wide-open thing. So, you know, one key takeaway you want to drive home?

Christopher Hills 55:32

It's great. There's some really, really good questions that these guys in the group have actually put out there. And I mean, I would love to have the answers to some of those questions. Look, at the end of the day, you know, ultimately, it boils down to what are we doing to better secure ourselves? And it was said earlier, right? I think it's sad, but it's not a matter of if, it's a matter of when. We've actually accepted that. And it's, how prepared are we for when that "when" comes? And I think that's been the basis of some of the questions that are out there, that are asking, you know, what's big in 2022. And to be honest with you, I think with this huge push, I mean, we saw it pre-pandemic, it was this, you know, cloud-first approach. Now it's, hey, let's diversify in the cloud, let's get more in the cloud. Why? Because we want to be more agile. It's not a "let's go to cloud first because this is what we need to do." Now it's, we're trying to enable more and be more and do more with less, and the cloud seems to be the way to do it. Why? Because we don't have to do end-of-life upgrades, we don't have to do back-end processing, right. It's being handled by those MSSPs, by the SaaS models and things like that. So for me, I think one of the biggest things that we're going to see is cyber insurance really take a huge shift. And we're going to see companies who, fortunately or unfortunately, however you want to look at it, have had policies that are either going to get dropped, or they're not going to be able to have cyber insurance, because they're not using the right tools or not doing the right thing.
And I think there's something big that's around the corner that's going to happen with one of the major cloud providers. I think something's going to happen, whether it's an outage, whether it's a breach, whether it's a compromise. And it's unfortunate, but nobody ever expected what happened with Colonial, right, and these things evolve, and they go around. And it's funny, because we talked about evolution, and we talked about what happens. And it seems about every three years, we go from a point solution to a platform solution. Right now we're in more of this platform solution; we don't want the best in breed, because it only focuses on one thing. We want something that spans broad, and can cover and reduce multiple risks, rather than a pinpoint of risk. And that seems to be the era we're in. And then to kind of comment on what was mentioned earlier, as far as what some of the biggest challenges are: the people. People are the biggest challenge at the end of the day. It's trying to overcome that human behavior aspect. Anything involved with security involves overcoming that person asking, why are you doing this to me? Why are you punishing me? I'm not the bad person. And I always go back to the analogy of, if you have kids, or if you have loved ones, your wife, your significant other, whoever it may be, and they're going to a new city, or they're driving, maybe, you know, they're going to a football game, and there's thousands of people, right, or you have a new teenager who's driving, and they're out there on the road, and you're worried for them. And it's kind of like the same analogy for people: hey, I'm worried about you. But I'm not worried about you, I'm worried about everyone else around you. And it's that concept and that mentality that you have to bridge, to be like, look, I'm not punishing you. I'm worried about your safety because of somebody else doing something bad. And it's the same way.
In today's world, if you can get that mindset and get people to understand that you're not punishing them, and that what you're doing and how you're doing it is just for the benefit of them, to protect them against everyone else, and for the benefit of the company, you start to see that behavior modification kind of turn around and change, and you get more support for it.

Greg Irwin 59:23

All right. Great stuff. Hey, Chris, thank you very much. Dana, thank you. Thank you all. We're gonna wrap it up here. Keep in touch, and let's build the relationships. I look forward to it. Thank you, everybody. Thanks.
