End-to-End Security - Exploring Key Industry Trends & Initiatives

Sep 21, 2021, 9:00 am - 10:00 am PST

Summary

PAM, IAM, and IGA modernization is progressing steadily this year. Organizations are responding to recent breaches and known vulnerabilities with hardened identity and privileged access policies. These discussions are permeating C-suites and board-level discussions. The appreciation of a unified, end-to-end PAM, IAM, and IGA stack is discernibly rising, even if some organizations plan to continue using disparate tools in the near-term.

SailPoint, BeyondTrust and BWG Connect conducted a survey of 100+ executive and security-focused professionals for an update on how businesses are developing comprehensive, end-to-end security deployments and initiatives.

BWG Connect, SailPoint & BeyondTrust invite you to participate in an interactive discussion with your peers, exploring this shifting landscape.

As always, there will be no sales pitches and there is no cost to join.

Discussion Topics

  • How have organizations altered key security priorities since the onset of the pandemic?
  • What is the propensity for organizations to make key upgrades to their PAM, IAM, and IGA rollouts, and how do these initiatives bind together?
  • What are the key influences informing organizations’ privileged access and identity strategies?
  • Exploring organizational roadmaps and initiatives: modernization of tools and feature sets within enterprises
  • What do organizations see as the greatest vulnerability or security threat, and what is the organizational impact?

Event Partners

Guest Speaker

Christopher Hills

Chief Security Strategist (CSS), Americas at BeyondTrust

Christopher Hills is the Chief Security Strategist (CSS) for Americas at BeyondTrust, the global authority on Privileged Access Management (PAM). BeyondTrust’s integrated products and platform help organizations quickly shrink their attack surface across traditional, cloud, and hybrid environments. At BeyondTrust, Christopher specializes in IAM/PAM focus, strategy, mentorship, leadership, and customer and prospect liaison. Before joining BeyondTrust, Christopher was the Technical Director for Charles Schwab and the Senior Windows Systems Engineer at Jawa.

Dana Reed

Distinguished Engineer, Office of the CTO at SailPoint

Dana Reed is a Distinguished Sales Engineer at SailPoint. SailPoint is ​committed to solving its customers’ most pressing security and identity challenges using innovative technology. Dana has over 15 years of experience in identity management across a wide breadth of industries, including health care, retail, finance, defense, and higher education. Previously, Dana was a Chief Identity Management Architect at AegisUSA and a Senior Consultant of Security Services at Deloitte & Touche.

Greg Irwin

COO at BWG Strategy LLC

BWG Strategy is a research platform that provides market intelligence through Event Services, Business Development initiatives, and Market Research services. BWG hosts over 1,800 interactive executive strategy sessions (conference calls and in-person forums) annually that allow senior industry professionals across all sectors to debate fundamental business topics with peers, build brand awareness, gather market intelligence, network with customers/suppliers/partners, and pursue business development opportunities.

Event Information

Sep 21, 2021, 9:00 am - 10:00 am PST

Event format

  • Roundtable Layout: featuring 20+ executives, where everyone can contribute, ask questions and learn from peers
  • On-Topic Discussions: Q&A format, moderated by BWG Connect with group interaction throughout
  • Make Connections: opportunities to network before and after

BRINGING TOGETHER INFLUENTIAL EXECUTIVES AND SENIOR PROFESSIONALS

What is BWG Connect?

BWG Connect provides executive strategy & networking sessions that help brands from any industry with their overall business planning and execution. BWG has built an exclusive network of 125,000+ senior professionals and hosts over 2,000 virtual and in-person networking events on an annual basis.

Key Discussion Takeaways

More and more cybersecurity breaches are hitting the news every day. As these attacks become more common, what are companies doing to prevent breaches and increase online security?

According to a survey by BWG Connect, most companies are increasing their security spending. 70% of respondents were spending 15-30% ahead of budget — which isn’t surprising, given the cost of staffing these days. But, there’s also a good chunk of money being spent on products, services, and specialized partners to help with specific tasks. What tools are proving the most useful for increasing cybersecurity?

In this virtual event, Greg Irwin is joined by Christopher Hills from BeyondTrust and Dana Reed from SailPoint to discuss cybersecurity trends. They talk about how to raise awareness about the importance of cybersecurity within your company, options for improving your online security, and the increasing need for talent in this space.

Here’s a glimpse of what you’ll learn:

  • What’s driving the push toward higher cybersecurity?
  • Dana Reed shares examples of common security challenges
  • How can your team effectively manage different apps?
  • Christopher Hills discusses how you can integrate AI with your existing solutions to more efficiently manage day-to-day tasks
  • The benchmarks of cybersecurity success
  • Factors that determine a company’s security plan: risk appetite, risk acceptance, and risk tolerance
  • Why changing your password every 30 days isn’t such a bad idea
  • Investing in security tools for your digital fronts could increase revenue by as much as 9%
  • How to teach your company about the importance of cybersecurity
  • The need for talent in the cybersecurity space

Discussion Transcription

Greg Irwin 0:18

Good to speak with everybody, thanks for taking some time. Ah, so happy to have the chance to co-host this with SailPoint and BeyondTrust. You know, that's Dana Reed and Christopher Hills. And from BWG, my name is Greg Irwin. And we've got Kyle, who was really doing the legwork on this market survey that we just kicked off. So our agenda here, super simple. We're going to spend, I don't know, maybe 5-10 minutes talking through some of the findings of this survey, we're gonna do a little bit of Q&A with Christopher and Dana, talk about some of the key trends that they're seeing. And, you know, I hate the word trends, because it sounds, I don't know, not impactful, not personal. So I'm going to try and drive it to how it really results in stories of how it's changing what companies are really doing in terms of allocating budget, or taking on projects. And that's my push for this call, and all of my calls: tell me the story. You know, ransomware is up, okay? What are you doing about it? How are you addressing it? How are you improving your risk posture? So, as we go here, we have a chat window, I really want to encourage everyone to use it. Drop in your questions. If you have your own side story, drop it in there. And let's make sure that this is a productive hour. You've all been kind enough to sign in, let's make sure that we start to leverage the real expertise of everybody here on the line. And then lastly, I'm going to ask you all to make a personal goal: come out of this meeting with one new relationship. It doesn't have to be BWG, doesn't have to be BeyondTrust or SailPoint. But look across this grid. It's really an impressive group, and reach out to one person, improve your personal network. And I promise you'll be richer for it. So let's do quick intros. I'm one of the founders of BWG, a 40-person research shop. We do an awful lot around security, but all areas of tech, and I'll kind of leave it at that. Kyle, you'll hear from him in a minute. But let's go over to Christopher. Christopher, take just, you know, 30 seconds, introduce yourself and introduce BeyondTrust.

Christopher Hills 2:55

Awesome. So my name is Chris Hills. You can call me Chris, Greg, my mom's not on this call. So we're out. I'm with BeyondTrust. I'm the chief security strategist. I kind of have a unique role here at BeyondTrust, where I actually came from the customer side. I was at Charles Schwab for eight, almost nine years as a technical director leading everything relative to PAM, have gone through legacy PAM, I've been in some of our competitors' stuff, and ended up working with BeyondTrust for two, two and a half years prior to coming over here. I've been with BeyondTrust now for two and a half years, have gone to the deputy CTO, deputy CIO, and now chief security strategist.

Greg Irwin 3:36

Super, thanks. Thanks, Chris. Dana, let's do the same thing. Please give an intro.

Dana Reed 3:41

Sure. So Dana Reed, based out of Denver, Colorado, been at SailPoint a little over 10, almost 10 and a half years at this point. So one of the early folks here, been in identity almost 20. To give you an idea how small this world is, working back at Andersen Consulting, one of the colleagues I worked with is now the Chief Marketing Officer at BeyondTrust. So it's quite a small world that we live in here. But if you don't know who SailPoint is, the best way for me to explain it is we deal with authorization level security. So the Oktas, the Pings of the world are authentication level security, getting you into the doors. Once you're in the subway, where can you go, what can you do? That is what SailPoint manages. Across the scope, we'll talk more about this, about identity becoming more central to security. But we really manage that authorization level, which I think for those of us that are in it, understand really how complex and difficult it is and how the combination of something like BeyondTrust and SailPoint together really is a crucial aspect of your security infrastructure.

Greg Irwin 4:45

Right. Dana, thank you very much. All right, so I hate slides. But with that, we're going to spend some time to talk through some because, frankly, Kyle together with the guys at BeyondTrust, guys, gals, BeyondTrust and SailPoint, did some really good work, just soliciting some input across the security landscape. We've got about, I'd venture to say 5,000 active security professionals who touch BWG events every year. We went out to them with some questions. And this is some of the answers that they gave us. So Kyle, turn on your mic, and do us a favor and walk through some of the things that we asked and some of the things that we heard through that survey. We heard back from 103 professionals across C-suite, you know, security led, the obvious stuff, and of course, security engineers. Basically, the focus was what's happening to your budget? And where are you spending that budget? So let's keep flipping here if we can, because I think we can go through this pretty quickly. I think I have it, okay, um, security, it's no mystery. But if you're having a conversation with your management on whether or how much you should be increasing your budget, it's pretty clear that we're seeing well over half of the organizations, look at that, 70% of folks are spending, look at that, it's 15 to 30% ahead of budget on security. So it is clearly getting more than originally planned. I don't think that's a surprise given, you know, what's happening on staffing and staffing costs. But I'll tell you, what I hear on my sessions is the importance of managed services. So on a product by product or service by service basis, going back to vendors or VARs, or other specialized partners to help with specific tasks. I know that's driving a lot of the budget here. And of course, a lot of the automation work to help invest to basically, again, reduce some of the workflow requirements of the teams.

Kyle 7:11

Hey, Greg, I just want to see if you can hear me now.

Greg Irwin 7:14

Yeah, we got you now Kyle. My apologies about

Kyle 7:17

that. I'm not sure what happened. And that was some great improvisation start. I can continue to take us through for a quick moment, if that helps you, and then turn it right back to you. Let's do it, man. Yeah, great. So we'll avoid death by PowerPoint slide. I'll keep this nice and quick before I exit stage left. But as Greg was saying, the backdrop is extremely robust security spending. In our most recent iteration of our monthly IT survey tracker that we do, we found security being that top priority in terms of reprioritization in a positive way. So I think everybody's seeing and feeling that, but of course, just wanted to set that groundwork. If we keep moving on, you know, within security initiatives, all that we're hearing in our chatter on and offline is just extreme excitement and vigor around identity projects. It's a cornerstone within strategies. What's been happening is, and we'll get into this during the call, I'm sure, but a lot of those emergency initiatives are rolling off, you know, setting up remote access, setting up your remote end user compute, and just having the nuts and bolts working, that was all completed late last year. It basically set us up for more strategic work. So organizations realize we have a more porous, you know, security environment now with the hybrid work environment. It's still very immature hardening these identity strategies, even in large enterprises. And they're ready now to finally turn to some of those longer term initiatives. And you see that in the stats here. So for instance, folks who are likely to expand company mandates over the next 12 months within identity, 63%, PAM 58%, IGA 48%, very strong showing. So just moving forward, just reprioritization. Again, we had the full identity suite, whether it be IAM, whether it be PAM, whether it be IGA, all gaining priority, clear net gainers, almost nothing's falling back. Again, that's the rising tide environment that we're all in around security at large. And, again, emergency upgrades giving way to more strategic project work. So again, this is just a second representation of that. We just moved back one, I just got it, I want to identify, and I think everyone appreciates this, but just look at the number of stacks. And this is frankly, I think we all know, just one small aspect of the security, all the different parameters and the attack fabric, but here you've called out in your work, what is it, nine areas, nine features, nine functions, I'll bet you that they're realistically probably closer to 30 or 40. And then you replicate that by datacenter, by region, you know, by division. And that's our problem. That's one of the major problems, is just this sprawl of security products and services, and trying to make sure that critical adjacent tools communicate to one another. And that you've got really the team in place to be able to report back on key insights and share that. I see that as one of the major problems absolutely coming out of our sessions. But 100% Yeah,

Kyle 10:50

that brings us here. There's actually a couple key trends that tie into that. So what's driving upgrades and just new activity around the identity stack? Clearly, it's hybrid work environments, a lot to talk about there, we could spend an entire hour, but that was the number one driver. And actually there's over 70% of people saying that was a moderate or a major influence on their decision to upgrade right now. Recent cyber breaches, no brainer there. But you know, every time there's a notable breach that makes it out into the public sphere, you know, that is another reminder of the sense of urgency here. We could go through Equifax, SolarWinds, Microsoft Exchange, any of the others that have been circulating, but obviously, that's high on people's minds. And it's caused the more risk averse and proactive approach in terms of the C-level, giving more authority and autonomy to the security leaders in their organizations. The last key driver is those staffing challenges that we hear, Greg, on pretty much every one of our BWG calls. And it's not just in house, it's even at service providers. It's getting so busy out there, the demand is so strong, that people need to come up with these novel and creative ways to automate. And also, like you said, reduce sprawl across the different parameters within security. And again, we could spend a whole hour on that today. But it's really those three chief pain points that came out most in the survey. You can also see these very important secondary and tertiary drivers that were also referenced. I don't think anything was downplayed as an afterthought. They're all important, but I identified those top three on the screen. If we just keep going, the last thing that I wanted to talk about is cohesion within that identity stack. So it's a mixed bag right now. We didn't find that everybody's on one side or the other, they're unified, we're taking a fully disparate or best of breed, as it's sometimes called, strategy. It was really split close to 50/50 down the middle. However, what we found was forward looking spend intentions are heavily weighted towards going to a more unified set of tools. That doesn't have to mean one vendor, it just means that the vendors have to be on point. And the solutions have to talk to each other extremely well. That's what everybody is hungry for. And I think that's a perfect segue into our conversation today. So Greg, I'll leave it there. But I am on standby to answer any other questions for us. Let's do this. Let's

Greg Irwin 13:23

take down the slides for now, Kyle. And what we're going to do is, pour to follow up, we'll send you the salad, send everybody the full report. And the way to think about it is if there's information that's helpful for you and your organization, as you're putting together a business case, or trying to research a certain product or service, we have a lot of primary feedback from organizations doing exactly that. So if you need a reference, a customer reference on any aspect of security, we'll be happy to see if we can help address that. Also, following the call, we're going to have everybody's name. So again, use this as a point to, again, make the connections and learn from each other's experiences. Which is where I want to start right now with Dana. Dana, you obviously are a part of this work that we did, but also you have your own conversations with clients. And I'll ask you this simple question. Tell us a story or two of a security challenge that you think is fairly typical of what's happening. Something that you think the group here might really resonate with.

Dana Reed 14:49

Me, I think the most obvious one, right? I mean, you can kind of see this in all of the numbers, right? What you saw was a desire to spend more money on identity, but the only reason for that was because of all of these other challenges around we're moving out to the cloud, we're moving, you know, we have a shadow IT, etc. I think the most obvious challenge right now is everyone is moving from on prem applications out to the cloud. And I think what they're recognizing, again, even with our own identity platform solutions, is that the secret sauce in the company never was their complexity or their workflow. If they can now figure out the challenge of saying, let's simplify what our IT world looks like, we can actually do a better job. I was talking to a gentleman the other day about, he is friends with the CFO at Coca-Cola. And the Coca-Cola CFO said, Look, we're not a development shop, we are a syrup manufacturer. So like, let's stop and look at our IT world. And stop trying to have this build versus buy conversation, let's move ourselves out to cloud based best of breed SaaS products that we don't have to manage, and then build better syrup and focus on building better syrup, or more syrup, or expanding the market, doing what our core competency is, instead of bogging ourselves down with IT. Now the challenge there is, of course, now I've just taken all of my data, all of my users, all of my accounts, and I've moved them out to the cloud. In a way COVID flipped this on its head, right? Instead of putting the application in the cloud, you put your user in the cloud, right? And so now, but it's the same challenge of how do I enable someone that's on prem into something that's offered? So what we're seeing in the identity world, in the authorization world, is that the authorization paradigm completely changes. And you have to now, excuse me, start to look at how do we solidify these people with the rule of least privilege. We all talk about zero trust, digital transformation, like, that's only there to enable the business, right? There's a whole value chain there of this all goes back to better customer relationship management. And that means getting users the access they need, at the right time, and only that, from a security perspective. So I think that's the real challenge that they're seeing. I'll stop there, but hopefully that was helpful.

Greg Irwin 17:05

It is. And how do you make it? So the other question, I think it came through in the survey, how do you make it easier from an overall portfolio perspective? So okay, I got it. SailPoint's gonna be my go-to for IGA, I'm in, I'm going to go and I'm going to deploy IdentityNow. But how do I know that that's really well integrated with what I'm doing around my Active Directory on prem? Or really well integrated with what I'm doing around Workday, or really well integrated with BeyondTrust? How does your team basically manage effectively in lots of different apps? So I

Dana Reed 17:47

think at the high level, we're seeing this inside of Salesforce platform products as well, of meeting the user where they work. The best governance is governance no one knows they've been doing, right? So part of that, how do you make it easy, is for people like Chris and myself to talk and figure out how do BeyondTrust and SailPoint work together without anybody even recognizing that it's two separate products. What I think is interesting right now is the platform player that we used to see 10-15 years ago, you'd buy the entire Oracle platform, or whatever it is, that's not necessarily interesting to people anymore. And what's interesting is how does BeyondTrust talk to SailPoint. And as two separate companies focusing on best in breed, how do you then talk in a way that makes it easy for the customers to really not recognize, all they recognize is that they're integrated into a security fabric, and that security fabric, the leaders are responsible for making that knowledge transfer and knowledge share seamless to the end user. And it goes back to even as simple as if I want to change my password on a privileged account, which you're going through SailPoint on to BeyondTrust, I can now do that through a Slack message. So the user just goes in and clicks, yeah, I want to get a password, Slack, done, in the same way they extend their contractor and update Workday or do whatever. We're now meeting them where they work. So the new security UI, it's actually Teams and Slack. It's not a BeyondTrust UI or a SailPoint UI. It's a single place where, if we can interject to our users with a single point and click, the number of governance activities or security activities we can interject into their day increases five- or tenfold, because they don't really recognize they're doing it. And I think that's the best. That's the best guide. Chris, would you agree with that? I would use it on the BeyondTrust

Christopher Hills 19:33

side. I think you're right, and you know, Greg kind of hit the point where we talked about integration, right? How do you integrate, how do you take advantage of what your existing solutions are to work better together in order to take advantage of maybe less resources, maybe less bodies, maybe less people to manipulate, manage, and, you know, do the day to day operations. So the better integration you get, which is another huge aspect for a lot of people going to the cloud, right? They don't want to have to do the updates, they don't want to have to do the management. MSPs are getting even more heavily popular right now. But at some point, they're gonna start hurting for resources. Everybody's hurting for resources right now. A lot of the folks that we're talking to, they're wanting to go to the cloud, and they're wanting to managed service in the cloud. Because even they can't find the resources to actually bring them on with the skill or with the knowledge, or to even be able to train to be able to have them manage the product. So one of the things that I always try to stress to either customers, new customers, existing customers, whether you're looking at a PAM, you know, solution, whether you're looking at an IGA solution, evaluate where your integration points are, maximize the solution that can integrate with what you currently have. The last thing anybody wants to do is to log in to 2, 3, 4, 5, 6, 7 different applications to accomplish a common task that could have been done with workflows, resources and integrations across a couple of different platforms.

Dana Reed 21:06

I think the world's recognizing the value of best practice in the security realm, and this is what, as you're speaking, popped into my head. It's like, you know, I could clean my own house. But my core competency is working in computer security. So I hire someone to clean my house for me, and I pay them for a service for that. I don't know what cleaning supplies they use, the methodology of how they want to clean, but I just trust the fact that these people know how to clean my house better than I can clean my house, which is undoubtedly true, right? But they're instilling best practice, maybe I would have focused on the bathrooms more or whatever, but I have to trust them. I think people are recognizing now that best practice joiner, mover, leaver, best practice integration with privileged security tools, you know, UAB tools, etc., SIEM tools, that's the way to go. Because what's the point of trying to do it myself? I think, as we see now in this employment cycle, it's so hard to hire good people. And in all fairness, a lot of those good people are going to the best in practice vendors, because that's where they're challenged the most. And so get the benefit out of those people by essentially hiring their service instead of trying to clean your own house.

Greg Irwin 22:13

Right. So what is it? We set up a lot of topics here that I can read through. Have organizations altered their priorities since the onset of the pandemic? Yes, we know that. You know, what I want to get at is what does success look like? We hear very loudly from our teams the challenges, we see the incidents that we have to try to solve, and try and solve them faster. We see the pain points. But I'm wondering, you know, what's the benchmark to feel like we're actually making some progress? So hey, Chris, let me go to you first. Think about some of the customers you're supporting. And can you tell us what real world success looks like? Like one organization that's doing a decent job that you say, you know what, they made headway. Life isn't perfect, but you know, out there, they are a heck of a lot better than most and better than where they were a couple years ago.

Christopher Hills 23:11

I mean, yeah, the list can go on and on right now. I'll start off with a blanket statement. I think everybody can agree, at the end of the day, the goal is to not be breached, not be compromised, and not be embarrassed, right. And understanding and having all of the security tools in place to prevent that from happening is what the goal is, right? So the idea is, how do we get to a point where we're comfortable enough that our CISOs or CIOs or CTOs and our security professionals and practitioners are sleeping well at night? And one of the things that I talk to a lot of different companies about, and I say, look, here is the threat landscape. Nobody knows it better than you, the insider, right? You know where your company's weak at, you know where the permissions lie, you know when you have siloed, you know, environments and servers and applications, you know that, hey, we're not managing these service accounts, or, hey, here's a section of admin rights that are being thrown to the servers or these laptops and desktops. You know this, you are your worst enemy. And part of the biggest challenge that we deal with is a behavior challenge. It's a behavior modification. And ultimately, we're the people that everyone loves to hate, right? Because at the end of the day, we're trying to protect the company. But in the same sense, we're implementing tools that the common user looks at as you're infringing on me, right, I'm going to be less productive because now I have to do this. And obviously, as Dana mentioned earlier, the idea is to become as frictionless and ensure that when you implement a security tool, right, obviously it's not always the case, but you're trying to be least intrusive to them. You don't even want them knowing. If you're going to go and you're going to implement endpoint privilege management and remove admin rights, you don't want them to know that that's occurred. And instead, they're working with the product side by side. So whether you talk about, you know, I mean, I can name drop a ton of names, right? Or don't,

Greg Irwin 25:28

don't even share the actual name, just 10,000 person consumer products company, here's what they did.

Christopher Hills 25:35

Yeah, I mean, a lot of them 10,000, we're talking manufacturing versus here's a, here's a great, here's a great security scenario for you and getting to, you know, a better place. A large manufacturing motor vehicles plant came and said, Hey, we have a bunch of kiosks that are not connected to the internet, right, but are connected to a point where the users have to log into the kiosks. And so the idea was that they're going to start managing the passwords for those users that walk around the plant that have to log in, and the security professional there was arguing with his leadership, and they didn't want to do password rotations. They wanted to give their users a 30-day password checkout for their identities and their privilege. And he kept arguing the fact because they had to go to every kiosk and type it in, that it was intrusive, right? It was taking them longer. They didn't want to have to and he's like, Look, we're trying to better position ourselves in our security posture, right, to get to a better place. Because at the end of the day, once again, nobody wants to be compromised. So he was arguing with them that you know what, 30 days is not acceptable. And he called us and said, Hey, I really need some help I, you know, am I crazy here? What's going on? How do it is? And I was like, No, absolutely not. One of the things that I go that I talked to them about, I say, look, you, you really have to go back to your leadership, whether it's your board, whether it's your executive committee, and I said, there's three, I always tell everybody, there's three things you have to look at, when it comes down to what makes different companies and their security posture and maturity vary. And so at the end of the day, it all falls down to the risk appetite, the risk acceptance, and the risk tolerance. 
And when you turn around in you, it's not a one size fits all, every company has to evaluate those three pieces to truly understand where their priorities are, and where maybe some of the lower hanging fruit is, when it comes to prioritizing what's important. And what's important for one company, as you know, acceptable or tolerable, right? may not be that of another. But how do you address that you can't just say, hey, you need to do this. Instead, we talked about, you know, security maturity, and it's a constant evolution of getting to a point where you're comfortable, everybody is comfortable, you're not worried about being compromised late at night. And ultimately, that's the goal. And Dana could probably talk about this too, you know, we always get well, what is best practice? What should we be doing? Right? I mean, great. If you have that you asked the same thing. What's the right answer? And when I was at Schwab, before I came, to be honest, I did the same thing. I'm looking at the vendor going, look, we're using stuff we've never used before we're trying to get to a mature place. What do we do? Like, what do you want to do? Oh, what are we supposed to do? What? I love your comment on

Greg Irwin 28:56

risk scoring it? So

Christopher Hills 29:00

you go back to the CISSP. And you look at you have to evaluate that right? I tell everybody I said look, cybersecurity, cybersecurity criminals, these bad actors. They're not done. But they are very lazy. They will take the path of least resistance, right? That actor is not going to go and beat their head up against coding and whatnot to try and break something, right? When yet. Here's an account that sitting out on the web that hasn't been changed in 60 days, 90 days. What do you think they're gonna do? They're gonna go around, they're gonna find the path of least resistance. So going back to the point of, hey, look, I know you, you you look at these high or critical or important items as priorities that you want to mitigate the risks to. But don't forget about the low hanging fruit because the low hanging fruit could easily turn into something that you know might embarrass the company. compromise, or even an attack vector that you didn't even realize? Because you thought it was low hanging fruit? Correct, Chris, thank

Greg Irwin 30:07

you very much. Let's do this. Dana, I'm going to come to you in a second. But I want to I want to start stirring the pot. We've got some tremendous folks on the line here. So let's I'm pulling people in. Because basically, why not? Let's do it. James. James, no, I always love seeing you on here. So good to see you. Do us a favor, get a little seal.

James 30:33

So yeah, my name is James. And I'm currently cybersecurity technical operations manager at Best Buy. I come from a background of mostly finance, but also healthcare and analytics. I've been doing this type of thing for about 25 plus years. And I think if I hadn't met Dana or Chris before, it's probably a miracle, I've deployed both tools side by side, at times, at different companies, they're there, they are different, they're very complementary tools. And, you know, Dana, you've talked about Schwab, the financial industries, they don't mess around with that. And you need to be able to not only, you know, test and test and review and audit, but you have to be able to prove you do it with a world class product, otherwise you will fail on and when you fail at a bank, they can come and take your business over the OCC so they'll be the stakes are pretty high. And you know, it's been interesting going into retail, because I agree with a lot of what you guys are saying, um, you know, in regards to BeyondTrust, and, and whatnot, it's all about user friction. Um, and, you know, just to throw a point out that what I'm finding is that, you know, there's opportunities to streamline your environment, but they have indeed been flipped on their head by COVID. So, the luxuries of large brick and mortar organization, which we, you know, centrally are on it, if you can, you can deal with the complexity of you've got boots on the ground, but if you don't have boots on the ground, and you're not making these face to face relationships, this sprawl that was acceptable before is no longer acceptable. And so building a cohesive end to end toolset on is difficult. But, you know, going back to the end user, you know, we had a kiosk at the campus where if an end user had a problem with a security tool, they could just run down there. 
And then we would, you know, everybody would jump on and help and things like that, with that gone, you know, we're expecting a much higher level of rigor in the endpoint management, but at the same time, we talked about Slack and Microsoft Teams, you're shifting your work input to that, so it's not just the managers trying to figure it out. It's the end users as well. And then to track security and this whole on evolutionary period is quite a challenge. Definitely.

Greg Irwin 33:05

James, I'm going to guide you here for one. What's one initiative that you and your organization are doing homework on? We there's a big attack fabric we're talking about clearly, you know, identity access governance, privileged accounts, but it can be broader than that in terms of zero trust or at least privileged least privilege access, what's one area that you're doing homework

James 33:34

and you know, ironically that you say that because if you were to roll back the clock two years pre COVID our strategy goals were the same we were going to embrace and fully operation are fully operational lines ourselves from security point of view in all three cloud environments and we were going to make a real commitment to zero trust and then COVID came and the landscape entirely changed and contrary to what everybody at Best Buy thought you know, our business basically doubled and so when you take into that account that we're operating in the news, this new environment, but it is highly profitable. So we are deciding to reevaluate those more expensive, more involved security initiatives because at the end of the day, that's the new infrastructure that we have to deal with if that makes sense

Dana Reed 34:29

yeah, it's funny you say this interrupt real quickly there was a systems integrator a while back did a study on what they call digital masters right? They want to see the effect of your point you know, investing in these security tools on engaging and basically performing digital integration better, and modernizing their tool sets and what they found. But what was interesting was, I had the numbers right here it was people that did digital transformation the best increased revenue by 9%, the people that actually did it poorly decreased revenue by 4%. And the interesting thing was, to your point, the people that did it best increased profitability by 26%. And those that did it both port, but the most poorly, decreased profitability by 24%. So literally, to your point, like, your business doubled, because you're taking money out of the hands of the people that are doing it poorly, like literally, it's a 26% increase to a 24% decrease. And so I think it's interesting to hear that that's really what's going on inside of your business is recognizing, wow, these investments in these tools are supporting a new business model, that is literally increasing our profitability by a considerable amount. So it's interesting to hear,

James 35:43

yeah, and when I think, you know, when I talk to other leaders in the industry, and built it within the company, you know, because I've got a lot of varied experience, and you know, people are worried about, we need to solve for x. And it has to be this razor laser tool that we use to solve for x. But I think what we're finding with this is weird dichotomy. Because all my guys are working from home, our productivity has gone up 30%. So we've had the time to talk about compensatory controls, and what a suite of controls versus tools looks like. And that's where I'd lean toward going more native and whatnot. But yeah, I mean, it's the pendulum swinging both ways. I it's a tragedy, this entire event has been a tragedy, but at the same time, it cooks that's to get it right.

Dana Reed 36:33

Yeah, it's taken security 10 years in a year. Right. But that's the class. Absolutely, absolutely. We're, and I've been on some of these calls around Asia and other places of Ed, it is just as effective. A transformative down there as it has been here, maybe even more so because, you know, in the Philippines, they're still working on ATM machines not operating, right? Like, there's a difference there. But the what they are embracing from a digital transformation perspective, even on just like COVID tracing or whatever, it's incredible as to how effective these programs

James 37:06

really are. Yeah, yeah. And, you know, when you talk about, you know, friction against digital adoption and things like that, we all do it at home now. Well, I've home networks, no, you know, I don't need to tell somebody how to print, you know, things like that. And so I think the world is kind of maybe it's the next generation is coming up, or we're born with the technology and therefore don't need that hands on. And that helps offset some of the generous staffing challenges that we're having right now.

Christopher Hills 37:36

So I have a funny story to follow up with that on, James, that hopefully everybody will get a kick out of. I actually wrote a blog article specific to this and what we should be doing relative to this, but I was working with an education, we were doing a round table. This was I want to say mid academic right? School's in session, teachers are trying to enable the kids, all the kids are working virtually right, trying to get connected, whether it's Google Classroom and everything. And one of the teachers said that the this the younger generation, not the millennials, but our 10 to 12 year olds that are attending online schools are really being challenged right now with cybersecurity, look, we give them an iPad, and we give them an Android, they can work the crap out of it, right? But security is has it's just gone to law, she's helping a student trying to get connected into our Google Classroom, there's obviously a lot of liability and, you know, legal pieces, the teacher can't physically remote into the computer to help. So as in kids are on camera, as the teacher is telling the student, hey, you need to clear the cache. The student stood up, put her hands in her pockets and pull out her money and take out my money. And so I always tell that story. It's you know, it's funny, but I think it's the true reality of one of the things that we are going to suffer from, with maybe the next two generations. And I kind of wrote a blog article about this. We talked about Look, when we all went to school and we had Home Economics, right? We were taught how to work around the kitchen, how to prevent fires, if we had a grease fire, put baking soda on it, a lot of the common safety practices around getting in the kitchen, especially if parents are not at home. And I wrote an article that look as we start to digitally transform. I honestly believe that home economics should include some form of security practices, teaching our kids what they should be doing right? 
How many of these kids have access, Instagram, Snapchat, Facebook, I mean the list goes on and on. They all have an account tied with it. We've all been the recipient of a Facebook Messenger message saying, hey, so and so click Listen, we're back channeling our friend saying, I think your Facebook got hacked, right? The kids are not going to be prepared. And I think it starts back to the school. And I think the schools need to start implementing better security practices like home economics to better prepare the kids. Look, we're using more and more technology. But what are we doing to teach these kids about safety and security concerns about it,

Dana Reed 40:31

they should just take the time that they used to spend helping me learn how to write a check and turn that into cash.

Greg Irwin 40:43

All you need to do is basically do a run a, what's it called the, you know, a fake attack that shuts down their, their ex bots are about to cower. And suddenly, they're gonna take security very seriously, or their Instagram or their TikTok, shut it down for an hour because of a fake hack. And I think they're gonna sit up and pay real close attention.

Christopher Hills 41:09

They actually make tools for moms and dads for that purpose. So

Greg Irwin 41:15

let's, let's keep stirring the pot, it Michael Lanham, I'd love to call you duty, are you in a spot where you can tell us a little bit of a story of maybe how things are changing over West Point or some of your priorities?

Michael 41:29

Sure, yep, there I am. So, so actually, my challenges are a little bit different. And I'm a federal college. So there are there, I don't have some profit motivations. And as a matter of fact, I get punished if I don't actually spend my entire budget. Likewise, if other people don't spend their entire budget, I get to steal some of their budget and then spend it because they were, they were slower to the punch than I was. So I live in a regulatory space, that is weird, because I, I do have some God things that I must do, or at least we continue to assess, that we must do. And yet at the same time, a lot of that structure does not avail itself of, of being a dynamic college environment. So we end up having to tell other, especially external auditors, you know, talk to the hand, because we're just not going to do that. Where my biggest challenge is actually it's not directly related to what we've been talking about here. But it's, it's how to get other individuals in the organization to agree with what I think the problem is, I think one example is, let's say, I've got, say, six and a half years of technical debt that I think really needs to get paid down, because we're just sitting on it. And we keep baking it into brand new systems and services we bring online that have technical debt on day one coming into production. I have a collection of individuals who think that that's not a problem. I've been doing this for 25 years, what's the issue? We've never been hacked yet. Holy shit, why would you say that out loud. So trying to establish that, that agreement of what is the problem statement, and is something that we haven't cracked the nut on. Likewise, I think it was Dana had previously mentioned, you know, prioritizing what you want to do, even going through a list of 4000 deficiencies that you know, because of Qualys, or Tenable, or whatever else, even prioritizing a list of 4000 medium deficiencies takes an enormous amount of time. 
So we continue to not do that. And we keep trying to come up with shortcuts. And those shortcuts always resist land against that resistance of why are we bothering with this because we've been doing this for 25 years, and we've never been hacked, I'm gonna shut up now and let other people tell me that a year I got the same problem and they fixed it. I think you've hit the nail on the head, though. It's like security problems are not arterial slices of one vulnerability, right? It's death by 1000 cuts. And so the fact that you have 4000 vulnerabilities that you need to look at, yeah, it's super difficult. But it also tells you

Dana Reed 44:00

why the integration of all these products actually is important, right? And why we need to do our jobs better as software vendors to provide that because if you're leaning on us for best practice, you are also waiting on us for best practice and integrations and those types of things. And we're even fighting on the SailPoint side. It's for me in my job, it's all about over entitlement. It's what I call obsolescence risk, like your need for that project is obsolete. So let's get rid of it. And we can finally through AI/ML we can recognize those things but we're finding that it's not one person that makes the organization vulnerable. It's everyone that's over entitled in some way makes it vulnerable. Chris made the point about people being lazy like when they teach it I'm from Colorado, they teach you how to ski moguls they say look, this be water go where water goes because water takes the simplest path. And I think it's the same way with hackers is they take the simplest path, they go where the water goes because that's the easiest way to manipulate a very hard landscape. So it's your numbers were interesting, I also will say I saw your comment about 20% of your incoming class had no computer access at home. And when I look at who your students are, that is shocking to me, actually, I would think it would be 100% would have had access to be that quality of a student is really shocking that I mean, it says a lot about them, that one out of five that has never had access to a computer and pretty, pretty wild. But the understanding that these people have a knowledge gap is huge. I mean, in addition, my father is 79. And unless you said earlier about having to teach someone how to use a printer, I still teach my dad how to use a printer on a daily basis, right? 
It's so there's still that population of people, the aging population, even in organizations that just they don't, you know, my dad was an architect, and he quit when CAD came because he just didn't know how to use a computer. But there's still a large population of people that are working, but just have no concept of security and to Chris's point how we teach them that? Or maybe we don't teach them, maybe the answer is we integrate security in such a blind way that they have no idea they're even doing it. And I think that maybe it's the best, it's the best answer, but I'll be quite doubtful, let someone else talk

Paul 46:08

as well. All right, I'm gonna jump in. Michael, I think you're right, I'm still not finding the right answer for helping the engagement. But across the different industries that I've worked in, it's the same issue of, I feel like we have a responsibility more as an evangelist, or building that consensus towards getting the business to understand what the need of that is. And quite often we come in, we say we have this problem, the knee jerk reaction is no, you have this problem. And it's getting that transition of understanding. We have a vulnerability on the radar system, which maps that mountain over there. No, you have a vulnerability. Okay, well, let me explain when that stops working, everybody has to evacuate because that mountain will fall on everybody. Now what's our problem and we can go and move forward to fix it. But it does seem like we have tons of tools and opportunities, but they all get stymied at that, at that point of making sure the business has the will to move it in. Because at the end of the day, we are causing disruption in how business is done. And I do enjoy daily that statement of well, this has never happened before. And the list that you pull out of your back pocket of all the things that we also are have never done before that, you know counter that argument, but it seems like it is an individual by individual basis of making sure you are building your cadre of people that are willing to help you make that change that happens in the business.

Greg Irwin 47:25

Paul, what's one magic wand project that you would love to kick off? It could be process change, it could be system, what have you

Paul 47:36

every place that so I've bounced around to too many places to place them that now is awesome. They've actually implemented a lot of things that were my, on my wish list of other places. I mean, I've been at financial institutions that are still doing single factor authentication, or don't have PAM meaningfully installed, deployed, I come over to a smaller company, they're already doing MFA for everyone, not just for admin accounts, we already have PIM that set up. My favorite one that is just never happened is a sorry, is doing that classification. With an engine as well as getting the in everybody understanding as to why you classify. It's one of my private, it's one of my private little pet things that I'd love to see happen just because it understand, it gets to the point where the entire group understands. I'm classifying this one because I know that it's important, but to it helps everybody else understand how this is supposed to be treated. And because that involves everybody. It's the panacea I have not yet.

Greg Irwin 48:33

Paul, I've got to give you a shout out that's, that's the finest microphone I've seen on one of these calls going back years. And it sounds it sounds killer, it works beautifully.

Paul 48:44

It doesn't hurt that it's closer to the camera than I am. So it looks like it's the size of my head, but it's also running a pop filter. So you can see that's why my Ps in my case are so soft.

Greg Irwin 48:54

Very nice. Thank you, Paul. Let's get a couple other stuff. We got 10 minutes, these calls go two different ways. They can kind of peter out. And people kind of bleed off and they you know, get ready for their next meeting and start responding to emails and all of that. But that's not this meeting. We're gonna go strong for the next 10 minutes. Take advantage of everybody that we have here, drop a question or comment into the side chat. And we're going to take advantage of the last 10 minutes. With that Paul rebels. Let's get you in. Paul, I hope you're still with us. It looks like you are telling one initiative that you're pushing for your organization.

Paul 49:36

Well, I'm actually pushing a series of 12 projects and four programs because we had a ransomware event last year. So I've been asked to help the program manager. Some of these activities I was responsible for the CERT. So we're running a bunch. Some of these representations of vendors and solutions are in the mix. The most interesting thing though, was I was teaching a class at a local university last night on security. And despite my own small survey, it doesn't appear that we're going to solve the, the, you know, the talent issue anytime soon, I asked the class 50 students, how many are going to go into security, and it was less than 10%. So I think that trend will continue. It was fun to teach. I was teaching forensics and incident response. And, but they're still not the talent pool that we can draw from and including my own children, both online, and the tech industry and other adult, my adult children. But only one of them's gone in security. So

Greg Irwin 50:46

definitely, you can say that it's a pretty fun job. What's the impression that you think the students have that they don't want to pursue it or not? Not as excited

Paul 50:56

to pursue it? Well, the educators won't like my answer, but they're still not aligned with what the industry needs, and they're still pushing a 1980s/1990s educational agenda, and it's not mapped to what the skills that are really needed in the industry, right. I mean, I learned cloud over the last 10 years. And now, you know, it was some great questions by the students, but the educational institutions definitely have not caught up, man, a bunch of friends of mine are all teaching now, either ad hoc or as adjunct professors, and we're trying to give back, but the educational, you know, colleges and universities just haven't caught up. So we go, so and then you know, I'm, we're all pulling from the same group talent. And so, in my particular company, we've hired over 100 staff in the last year, we've swept up a lot of talent, you know, from other companies, so you're not inventing new talent, you're just taking from within the pool that's already there. And, you know, raising salaries and all of that good stuff, which is great, but companies will continue to suffer. And so, you know, I was like, like you all I was in consulting, I was at PwC. I was at Intuit, Intuit closed its last data center three years ago, just before I left. And so I'm a big believer in just going full cloud because it reduces the amount of, you know, activities that you have to manage and infrastructure you have to manage. And so we're getting a huge influx of customers in these centers, like the one right behind me, which is in Sunnyvale, coming into our environment, because they just don't have the staff to manage all this, you know, the, the systems I was pointing to go completely digital, so,

Greg Irwin 52:58

right. Right, well, thank you, and lots of luck, let us know if this group can be a resource for you. Thank you. I'm gonna invite in Mike for one more voice. And then we'll come back to Dana and Chris to wrap it up. Mike, good to see you. Um, what's one initiative that you're focusing on, homework you're doing in this area somewhere, this group can be helpful.

Mike 53:28

You know, one area that I've been kind of wondering about, just recently, because we're moving both to Azure and AWS, is the whole Active Directory premise, you know, do I want Active Directory on prem? Or do I want to start looking at leaving it behind? And just using, you know, Azure AD and yeah, there's the obvious downside, right? If Azure goes down, or my internet goes down or whatever, then, you know, I'm gonna be in trouble. But we're split shot, we're actually still heavily on prem, we're moving rapidly to both AWS and Azure. And, you know, my boss just kind of leaning more towards AWS. And for that reason, he's looking at, you know, just staying on prem, because he can keep those Active Directory servers in AWS but, you know, I see a lot of shifts within Microsoft towards, you know, Azure AD and away from on prem AD, which makes sense, you know, from a Microsoft point of view. But I'd really like to hear, you know, what's going on in people's heads when they consider, you know, that option, you know, is there some compelling reason to, you know, for now, stay with AD on prem or not?

Greg Irwin 55:04

Love it, Mike, thank you very much. Hey, Dana, I'm gonna tee you up on this one. What's some of the conversations and gives and takes around preserving AD on prem? You know, I,

Dana Reed 55:18

my short answer would be no, I don't think you have to have AD on prem any longer for what it's doing. And in fact, a lot of the work that we're doing right now most of our clients have a combination of on prem AD and Azure. To be fair, I don't know what is holding them on to keeping a crisp, you know, please tell me what's making them stay with Azure, but all group management things, that all seems to be happening now in Azure. In fact, we're doing a lot of work now about like group management and things. Because the way which groups to be managed in Azure is different than the way they were managed on prem. And so the manager can't create groups, it's falling on the admins to do that. So beyond like just legacy applications utilizing, you know, on prem AD, beyond that you just can't change those apps, because they've been around since the, you know, since the 80s, or whatever. I don't know if you have any major reason from a high level to do it, there may be some tactical reasons why you need to get rid of certain applications for that to happen. But right now, most environments that we get to are hybrid, we're either provisioning to them each directly, or we're provisioning to Active Directory, which does AD sync out to Azure to synchronize those together. So it may just be kind of a gradual transition, even though there's no real reason beyond, you know, interference with the business. Chris, would you agree with it? What's your thoughts on it? It's, it's, it's that whole, I'm not disagreeing

Christopher Hills 56:49

with anything you're saying, Dana, I think where you start to, you know, run into is, you always have that, it's that, you know, the good devil the bad. What if, right, and Mike mentioned it? He, every customer has that, right? What if that goes down? Right? What if Azure goes down, there's always those that are going to be out there. And there's nothing wrong with that. We have some companies and we see some companies diversify. Look, if they want to put PAM in the cloud, like if something breaks or goes down and we lose that internet connection, it's happened, we've seen it, how do we continue to function with our passwords and everything else? So they come up with an on prem and a cloud and a hybrid? And I think AD kind of falls along those same lines, right? We know that the Azure aspect of it becomes very dynamic, very fluid, very flexible, as compared to, we have aging domain controllers in order to upgrade our forest level, right? There's a lot of things that come along with AD. But at the end of the day, if something happens, or something goes wrong, right, we want that security blanket of, we're good, we're covered. We're on prem. So you know, I mentioned earlier, it kind of goes back to that risk appetite, risk tolerance aspect of it, right? Is it something if those what if scenarios happen, that your company can continue to tolerate, right, you can continue to do business, there might be some things that are shortened you can't do and then are limited, but as long as the business can keep working, and we're talking an extreme scenario, right? Yeah, there's no reason and you know, there's other companies that say, look, we can't, we can't jeopardize ourselves in that situation. And it's the same thing with PAM, or anything else as a service in the cloud that offers an on prem, they want that comfort and that security blanket, so it really goes back. 
I know, Mike, that might not be the answer that, you know, you're wanting to hear as far as, you know, hey, you need to go to Azure AD, ditch the on prem. But from a business perspective, only you can answer the question of whether or not if Azure AD truly goes down or you lose that internet connection, or that pipe or whatever, can your company continue to function? I don't know the answer, only you do. And if the answer is yes, you can continue to function, even if it's for a limited amount of time as part of your business continuity plan, then yeah, I mean, the right answer would be sure, let's do this. But if there's too much risk associated with Hey, I'm not sure if we can truly function the way we need to function and still generate revenue and still work as a business. Then you need

Greg Irwin 59:46

to keep that on prem. Hey, Chris, I'm gonna thank you. We're at our hour, so

Christopher Hills 59:52

Well, yeah, man, it

Greg Irwin 59:53

goes by quick, right? Hey, my dad. So guys think that thank you all so much. I'm gonna send around a list of everybody's name, you want to connect across LinkedIn. Brilliant for it. If you need help you hit up the guys here. BWG obviously, BeyondTrust and SailPoint. Chris, Dana, thank you so much, great session and it was really a lot of fun co-hosting with you here today. Thank you. That was fine.

Christopher Hills 1:00:21

It's nice getting everybody. Yeah,

Greg Irwin 1:00:23

I hope we get to do it again. Please, everybody stay in touch and I look forward to speaking with everybody here on a future call. Thanks, everybody, take great care. Bye bye, guys.
