So with me here, I've got Paul from KuppingerCole and he's one second, we need some more time. He'll be taking us again on a fresh look to the basics that what we know we need, but need a fresher approach to it. So he'll take us on reinforcing the cybersecurity fundamentals for resilience. Thanks Annie. Over to you. So the last guy's slide, hang on, yeah, back to basics.
So yeah, so everything that I'm going to talk about now kind of undermines everything you've heard everywhere else at this conference, because I'm saying basically this table's no good for glasses. So what I want to say is we can actually get a little bit hung up on frameworks, on zero trust and everything else that we're supposed to do or you're supposed to do to make your lives more secure or your businesses more secure. So I will be talking about what I see as the fundamentals of security, which most people have kind of forgotten about.
And then I want to talk a little bit about zero trust in the more abstract sense. I did a panel yesterday on zero trust. We only had 20 minutes to talk about it, which is ridiculous to talk about zero trust. But anyway, it just struck me like what a mammoth thing zero trust has become. And I think that's worrying people. And then finally to end with some ideas about data is more important than identity, which again goes against the grain of much of what we've been saying in recent years, identities at the center, et cetera, et cetera. So let's kick off.
So this might seem like kind of like kindergarten stuff. But anyway, what is foundational security? It's basically everything that you probably learned or should have learned way back when. So it's basically core practices, principles for IT security that underpin general computing. In other words, what the IT security department does on a day-to-day basis to support the business.
And within that, we have all the usual things like access controls, authentication, data protection, but also we have things like firewalls, et cetera, which are also kind of not even talked about now, they're just there. I've also put security training in there because again, some people think security training is fundamental. Other people think it's a complete waste of time, that if you keep telling people not to do things, they still do it anyway. My opinion is more towards that it's probably okay and nice to have, but it's not that important.
And then governance is a fundamental, not just of security, but of business in general. Now you hear a lot about frameworks and models. Everyone talks about NIST, everyone talks about ISO 27001. We talk about our own identity fabric framework.
Again, frameworks are fundamental and I think they do help. And most people at this conference who have talked about frameworks of one sort or another, they say the right thing. Having a framework to base your security plan on does help to actually just have it mapped out. But the problem with that though is that we can't be too rigid about the frameworks and how we use them. This quote here is quite typical of what we see in the vendor world, in the analyst world, we often say to people that they should maybe stick to a platform or one set of suppliers, et cetera.
But this guy here who is, this is a real quote, says that he wants to know how long, not just how long it takes to deploy a product, but how long it takes to undeploy it because he expects to use only, he expects to use a security product for only around two years, which is I don't know if any of you, reverberates with you, but I think that is quite typical and I think that's part of the reason we have so much confusion in the industry because on one hand we have vendors, we have us in the middle, and then we have customers trying to make sense of all that.
So a framework can help you plan ahead. It can help you think, decide that you'll get a point solution or a platform that's going to last. But of course in the real world that still doesn't happen, as we know, because people just keep on adding stuff. So I mentioned just some of the frameworks like NIST, which is the one that everybody kind of refers to these days; the U.S. NIST framework tends to be seen as the standard. Its core functions are the attack chain thing: identify, protect, detect, respond, recover, and so on.
But again, if you actually look at these frameworks, if you actually look at the documentation about NIST, it's really, really quite complicated stuff. You can't just suddenly open the book and deploy it. But in terms of industry recognition or industry focus, NIST seems to be the one that most people are interested in. And then we have some more. We have all these frameworks and blueprints, and I'm not going to go through all of those.
But again, these are probably more frameworks for governance. So you need to, for example, if you work in the payment industry, PCI DSS, something that I've been hearing about for 16 years and still don't know what it is. But all those things can help you understand the basics of your infrastructure. So let's now talk a bit more about what I really wanted to talk about, which is zero trust. We all know the story of zero trust, that a guy called John Kindervag, I think that's his name, Annie. Is that right? Yeah. I'm not.
Yeah, it is. It's Kindervag, something like that. And he came up with this term, I think 10 years ago, which was never trust, always verify. And then he came up with the concept of a network that is completely without trust. So that anything trying to enter that network has to be untrusted until it's verified. Which is a very simple description of what zero trust has turned into. It does indeed do the things here, the pros that we've listed, the enhanced security posture, it should reduce lateral movements and data breaches.
But to do it properly, or to do it in the way that we now talk about it, and the other problem is that we all talk about it in slightly different ways, a bit like identity fabric. Everybody has a slightly different version of what identity fabric is. So, excuse me, everybody also has a different idea of what zero trust is. And of course, when it was first implemented, zero trust was very much a perimeter-based idea, because everything came from the outside and then went into the network. But to create what is now considered a zero trust network is actually quite expensive.
It also brings into play the other challenge that we have, which is balancing user convenience with increased security. If you start telling people that they have to be checked every time they want to go somewhere in a network, it's going to slow them down, so there will be friction, and they're not going to like it. And that is really true.
I mean, I've spoken to CISOs of various companies, and that is a real problem. And that is why people in departments are buying their own infrastructure, they're buying bits of cloud, they're even buying things like identity and access management just for one department. There are some scalability issues; it's hard to actually deploy or create zero trust in an existing network. And then the big problem for me is, although I'm coming from a company that specializes in identity, it focuses too much on identity, that the only way to have secure access is to make sure that the identity is okay.
But it overlooks what I see should now be the focus of what we do in identity and access management, in privileged access management, which is to start looking at what people are wanting to access. And we should switch the focus of the access, the privileged access, to the thing or the data that they're trying to access. So you have then perhaps a privilege value attached to things.
And if we say that identity is the center of everything, it really doesn't take into account this need to think about the nuances, the different types of stuff that's now, for example, if you access one server, you'll probably be able to access another, and then you might go in and out. It doesn't really make much allowance for the new world of contracts. It doesn't make allowance for multi-cloud, et cetera. So the zero trust of 10 years ago is out of date. What I kind of sum it up as: you can't have zero trust. There has to be, Joseph Carson said this, it's like chasing a dream.
You'll never ever get a zero trust environment, because it's always changing. There's always going to be another opening somewhere that could be exploited. So the best you can hope for is some kind of zero trust.
And again, you should think about zero trust for various parts of your organization and not for the whole organization. Some stuff it doesn't matter if people get access to. So you need to think about data sensitivity. When I talk about data, I mean everything. I don't mean literally data, I mean applications, servers, hardware, everything. So that's my problem with zero trust. I've now put this in a more focused way of how this is a kind of framework, I suppose. But this is looking at data and identity. So we have basically right now seven identity types, which we kind of established.
So we have traditional admins, increasingly developers, end users, machines, etc. And they're all now being handled by a zoo of identity tools. And I've included ITDR in there, which is like the new kid on the block, which also is debatable whether that's actually a long-term solution, because in the end, it's kind of doing detection and response that other tools can do anyway. And so finally, so yeah, the identities are all trying to get into that data. And as I said, the data includes files, workloads, code, everything. And of course, it's backwards and forwards.
So some of that data is also accessing stuff the other way. And then underneath, you can put your foundational elements: zero trust design with a question mark, because you don't want to focus on that too much. Zero standing privilege.
Again, that's like the zero trust of privileged access management. Is that even a good idea? Because some privilege is more privileged than others. So if you just suddenly switch to everything has to be just in time, on a zero standing privilege basis, you're going to make things slow down. So some privileged access is less privileged than others. But we're moving to a world where at some point, every identity or every user is likely to want some kind of privileged access at some time.
And again, data governance, again, I mean, we call it data governance, but I think it's again, putting data at the center of this new world, and XDR, EDR. So last year at this conference, all anyone ever talked about was AI. It doesn't seem to have happened quite so much this year. But you know, we're moving into this AI world. So can AI help with building fundamental frameworks, help with building more secure environments? The thing is that at the moment, we probably overstate the accuracy or the reliability of artificial intelligence. And you can see what I put on the right there.
It sometimes gets things wrong. Where AI, I think, will make an immediate impact is in assessing what is sensitive and what isn't. And AI, through some kind of machine learning, should be able to look at your network much faster and be able to see vulnerabilities much faster than we can right now. So AI will certainly help. But overtrust in AI is something that is probably already happening. So on the one hand, AI is very clever, but if we as humans decide to offload too much to AI without really thinking about it, that's probably not good either.
So this is really how you should treat AI. And this is three lines from a user case study of how AI could help an organization. So it wasn't actually talking about security in this situation, it wasn't talking about access management. It was talking about what AI could do for the business to make the business better. So I substituted the word customers for employees using machines. And you could ask, how will we use AI?
What parts of AI could be used to solve the problem that at the moment our identities rely on human intervention or rely on some kind of dashboard control and someone physically flicking a switch? Instead, how is it possible, I think, maybe in the future, that identities would be able to give themselves access to something in a secure manner because AI of some form has already worked out that that's okay.
It's already worked out that at this precise moment, that identity is doing something which is okay, that person is doing a particular task which is okay, that person is perhaps a contractor and needs access for one hour. All that stuff, which is what PAM does right now, could become automated, I'm pretty sure. We also need to think about, I know this is a cliche, but obviously there is quite a lot that's been said already at the conference about how AI is being used by attackers or criminals, cyber criminals, et cetera.
So we need to think about what we could offload to AI to make sure that every time they do something we can either meet it or we're prepared to do something about it. And then finally, this one actually worked both ways. Which assets can we build or augment to enhance our ability to stay competitive? Well actually, I substituted the word competitive for secure, but actually the two are the same, because if you're not secure, you're not competitive. So that's where business and security overlap.
So again, probably in some golden future, the security people will actually, in the famous phrase, talk the language of the board, which as Andre, my friend over there, knows that we've been talking about for about 20 years. But it is an area where you should see a chance to think more about the business and less about the security because if we have these tools, then both parts will benefit.
And I think this is my closing slide, which has got nothing to do with what I said, but it just occurred to me when I was putting these slides together, we all come to these conferences like if you're in access management, if you're in identity, if you're in security, people go to those conferences. But do you ever maybe go to something completely out of your comfort zone or perhaps just something that's a hobby? Because you do find that you can actually pick up some good ideas randomly from things which aren't the focus of what you do day to day.
So I would urge people to maybe go to different things. The other thing, do you talk to your colleagues? Do you email or blog them, sorry, blog or email them about these trends and ideas and things that you may have picked up? Because that, again, that can influence the way that you do security. It can influence the way that you tell your employees about security awareness and stuff.
And again, do you talk to, and this was business focused, so how often do you meet with parties outside your company who are not directly involved in what you do day to day? So what I'm saying is just read a bit more, read books, read stuff that might be about psychology, it might be about, I don't know, trains. But you can get ideas from different places, not just these conferences. And I think that is the end, you're thinking, thank God. Thank you very much. Any questions?