Hello and welcome. I hate to break it to you, but you know, bad things are gonna always happen. And you know, one of the things that we deal with in security is dealing with bad things and trying to prevent them from happening in the first place. Right?
Well, no matter what we do, even with our best efforts, we still run into problems and we're not gonna be able to prevent everything like that from, from being the case. So really what we're talking about when we start talking about cyber resilience is the strategy around what are we going to do to survive those bad things from happening? What are we going to put in place to make sure that we get through this, you know, relatively unscathed? Okay.
So, so this is the, the, the whole notion that, that we're trying to take forward as we carry this, this concept of cyber resilience forward.
One of the definitions that I found that I, that really resonates with me around this notion of resilience is this idea that this is actually a process. It's a dynamic process, encompassing positive adaptation within the context of adversity. Okay. So think about that for just a moment. This was actually a quote from a paper that was written talking about the construct of resilience by Luthar, Cicchetti and Becker, you know, back in year 2000. Okay.
And this was talking about resilience in a lot of different contexts, not just within security, but I think it really applies to what we deal with on a daily basis as cybersecurity experts. And when we talk about adversity, well, you know, there's a lot of adversity out there that we're having to deal with. Okay.
So, so this is something that, that is facing us on a daily basis, whether we're dealing with all of the, the different changes that are happening within the landscape, we have all these ongoing threats, as well as we're trying to achieve, you know, a lot of different goals.
We're trying to push things forward and, and digitally transform while dealing with all of these challenges.
So this is a very, you know, difficult problem to, to work through and, you know, really taking this from a more holistic approach and not trying to just address this as, as a single technology or a, a point solution, you know, is really important. You know, it's, it's, you know, actually there was a study that was done by the MIT Sloan Institute, not too long ago, where they talked about, you know, the, the negative feedback loop that is generated when, when, when you just go ahead and try to solve a problem just by jumping straight to a technology selection.
And what ends up happening is a lot of times you end up, you know, building on that and you miss the point of where this fits in and you, you miss the connections that need to be put in place to really make the solution effective. And so it starts to spiral out of control. You end up having to try to fix those problems with other technology problems. And really the way to break the cycle is to take a step back and look at the process and think about this in terms of, of what are you doing, you know, from a, a larger picture strategy.
So, one thing that we found is when we look at just these point solutions by themselves, you're addressing a symptom. You're not addressing the cause. Okay.
And, you know, on average, as we build up all of these different point solutions, we start building up a whole bunch of gaps. And so from this ZDNet survey, they found that on average organizations have 70 different security vendors within their environments. So imagine that for just a second. So different enterprises are going out there and selecting point solutions from 70 plus different vendors that, you know, are all addressing different parts of the problem. And imagine, you know, where all the gaps between that and how these products probably aren't integrated.
They're probably not working well together. So what is exactly the, you know, you know, the way you're going to deal with this, you know, this is, this is actually a very difficult challenge.
So one thing that we see is that when you approach this without actually coming together and forming a plan to begin with, you end up getting kind of the, the opposite of what you're trying to strive for. So first off, you're trying to have a much more effective solution. You're trying to, you know, be more agile and, and respond quickly.
But over time, as this builds up, it's actually causing drag to your progress. And while you're also doing this, it's also increasing the complexity and increasing the cost within your environment.
And so, so overall, you know, this, this, this approach to just sort of reacting and not being proactive and, and sort of only looking at this as, as you know, band-aid solutions to very narrow point problems actually ends up working against you in the long haul. So when we think about this, this puts us in context of what's going on with cyber resiliency.
So, so as I mentioned earlier, this is an approach. This is a strategy for how we can survive.
You know, you know, the, the storm that's coming, how do we weather the storm? And, and so identifying first off is that generally today with the kinds of threat landscapes that we are dealing with, if an organization is targeted, it eventually will be compromised.
So recognizing that and accepting that helps you prepare for what that, when that actually occurs.
Secondly, is it's not, you know, it's more about how does the organization come out of this on the other side. So if they can withstand the attack and make sure that their critical infrastructure is still together and functioning, the organization can, can live another day, right?
So, so minimizing the impact, minimizing the damage done is really key to, you know, putting the strategy in place. And then, you know, also as part of this, you know, resiliency, can't be just something that's an afterthought. It can't be just tacked on. It's something that you have to build into your, your thought process.
This is, this is a strategy and a philosophy that needs to be internalized that, so that way you can carry this forward. And, you know, also because there's so many different dimensions of this, you want to make sure that you're looking at this more holistically and recognizing that it's gonna require quite a few different elements working in concert to make this really effective.
So resiliency is built up by following the process of incremental, continuous improvement. You don't need to bite off the whole thing all at once.
You can actually work on it a little bit at a time and build up and mature over time. So, so starting at one point, isn't, isn't a bad thing.
And, and maybe starting with the point solution is okay, but understanding its context and where it relates to the other solutions and how you build this out is what's key. Okay. And it also requires, like I said, you know, you need to think about where, where are these other disciplines coming in to really help from, from this perspective where, how are they going to reinforce each other and provide you with an overall solution that that's going to be sustainable and, and carry you forward?
So, one of these concepts also that really, I think, dovetails very well with cyber resilience is this notion of zero trust. And again, zero trust is also, you know, if you can think of it as, as a philosophy of, of how do you approach this problem.
And, you know, recently ACOM did a, a survey of roughly 1300 companies worldwide, and this is becoming much more popular and in a lot of organizations are really embracing these concepts, you know, so, so 68.3%, you know, strongly agree that zero trust is a necessary strategy while also, you know, they're looking at this 52% are, are, are seeing this as the more proactive approach while 32% really feels that this is the only way you can protect yourself, you know, in, in, in the context of, of these kinds of sophisticated attacks that are going on.
So, so this notion of understanding what zero trust can do for them is starting to really resonate with many organizations.
The other key part to this is while a lot of the, the conversation around zero trust had started with network security, it's really identity and access management that is really starting to, I think, become the, the key point of what zero trust is all about. So in this, you know, part of the survey, they, they recognize that, you know, and 42.9% are saying that this is the first thing that you need to be thinking about when you start implementing a zero trust strategy.
So how do you go about doing this? Well, first off, you know, just, you know, reviewing real quick, what zero trust means. So first off again, you know, and most of you should be familiar with this is that, you know, it it's, it's not a difficult concept, really. Okay.
It's, it's the fact is, is that we just don't want to assume anything.
We don't wanna assume that that an entity is, is a trusted element. We wanna make sure that we're verifying it every step, right.
You know, concepts like least privilege is very important and, and is a way of, of really guaranteeing that you're following that model is, you know, really making sure that, that you're adopting that that philosophy of only granting access to what's needed, you know, don't, don't put in any more access than, than what's required and, and, you know, keeping it tight like that actually helps, you know, so revoking access when, when it's no longer necessary and only granting it for the, the duration of the time that it, that it needs to be there.
Also the thought about, you know, this notion of micro segmentation, if you will, again, this was more of a network security concept, but it applies in many security domains as well.
So it, the whole idea here is, is that, can you minimize the attack surface? Can you break it down into a smaller, you know, security domain, if you will, that if it gets compromised, it's not going to impact everybody else.
How do you slow the attacker down is really the idea, you know, so, so if we can make sure that we're keeping this tight, then, you know, a, an attacker can't make very much progress, which gives us more time to basically, you know, either prevent, stop the attack in progress or, or, you know, at least prevent further damage from being done. And then of course, you know, verify it every step. So guaranteeing that a high level of assurance is in place between each of these security zones. Okay.
So once you do that, you can actually go through and start to look at, you know, all of these, these notions, you know, these different elements as part of an architecture, if you will.
Okay.
So implementing least privilege access, making sure that you, you know, implement microsegmentation, you know, maintaining separate security controls around each security domain and, and guaranteeing that, that, that they're not something that, so if somebody breaks one that they can get free rein throughout the environment, using multifactor authentication, also recognizing that this isn't just about, you know, carbon-based life forms.
This is about identities relative to, to other things like service accounts or, or other kinds of, you know, software that, that, that might be calling APIs and other services. And then lastly, being able to make sure that this is a dynamic process.
So, so we're, we're not doing this in a static fashion. We're constantly looking at what's going on and what's changing in the environment and responding to it.
Now, when I talked about earlier that this is something that requires, you know, more than one discipline as part of this, you know, looking at this in a broad sense, and taking a broader portfolio approach actually helps quite a bit. And so when we talk about least privilege, for instance, you know, this idea of granting only the, the minimum amount of permissions necessary, well, there's many different products that can be involved in that.
And so as part of the NetIQ portfolio, we have things like our identity governance offering that, that helps review application entitlements, you know, decide helps the organization decide on what appropriate access should be and manages the, the, the types of access requests there might be for those times when you need to, you know, deal with an exception relative to, you know, what kind of entitlement somebody might be given as birthright entitlements, also NetIQ Identity Manager, you know, takes this and manages the identity life cycle and ensures that, you know, that not only are you providing and setting the right entitlements at the right time, but you can revoke them at the right time.
And then also, you know, our access management, you know, is around really enforcing the, those entitlements. And then when you talk about dealing with, you know, elevated privileges, you know, a privileged access management solution is required to provide that tighter control and that greater, you know, inspection of what's going on for those more sensitive operations.
When we talk about micro segmentation, it's similar again, is that many of these products can be used at different levels to, to provide this, this breaking down of the environment and into these smaller security zones.
So providing, you know, tighter control, you know, managing the, the right levels at the right time, you know, and through, you know, the same products that I just mentioned earlier can perform this function as well. When we talk about multifactor authentication, this is where again, if it's the whole notion of, of how do we make sure that we're getting the right level of assurance, making sure that, that when, you know, an entity or is, is engaging with the environment, that, that we know that they're at the level that I need for me to allow them to progress.
And so, so providing that, that verification step at every step along the way is very crucial.
When we start talking about programmatic access, this is really where the API control and monitoring comes into place.
You know, so, you know, ensuring that the control is appropriate at the programmatic level, you know, as well as at the user interaction level. And so, so with using our, you know, secure API manager, this is something that we can leverage to create and manage, you know, how these APIs are being accessed and making sure that that only the right services can call the, the, the right APIs from other services as part of this.
So, so breaking down this authorization capability down to the actual API level.
And then lastly, of course, making sure that this whole thing is adaptive. And so having the right, you know, context awareness, making sure that there's a continuous evaluation of risk and enabling early detection of threats and, and enabling rapid response.
So aspects about this is, you know, to be able to collect this information, watch what's going on, and actually being able to recognize when things are, are basically going off the, the normal path, if you will, you know, if you, if there's anomalous behavior, if there's, you know, things that, that are going on, that that are outside of what your expectations are, then you can actually, you know, be much more responsive and react to it.
And we have a couple of offerings within our portfolio, both with our risk service, as well as our Interset unsupervised machine learning technologies to provide that context. So really when you start looking at this as a whole it's, you know, think about where are the gaps that you need to fill the most?
You know, so many organizations have, have done aspects of this, but have you looked at this holistically and identifying where those gaps are, is a good place to start to really help go down this path of maturity.
And so for, for example, this is a really, I think, good illustration of, of what this kind of maturity curve looks like.
So, you know, a lot of times we start with, with implementing, you know, aspects of trust, right? We, you know, as I mentioned earlier, a lot of these concepts started out from a network centric perspective, but, you know, and it's okay to start with point solutions, but you can't end there. So taking it further where you're actually implementing these zero trust architectures to help do the verification necessary takes you, you know, down this path.
So, so you're starting to implement least privilege access. You're starting to do, you know, risk based controls, but ultimately where, where you can get to is actually taking it further to actually make it easier to use and, and leverage, we start to actually employ recognition. And so now it's, it's more about not just, you know, verifying it every step, but recognizing, you know, what's going on and, and who's interacting with the system and whether they're behaving the way that you expect them to behave.
So that way, if they're, you know, going off the reservation, you can actually, you know, put in, you know, a tighter control around that to, to prevent any, you know, ano or, you know, erroneous behavior.
And, you know, it takes a lot of these different products at each of these steps to sort of build up this kind of maturity, you know?
And so, so from our perspective is that, that we see a lot of our customers that, that, and it doesn't have to be an all or nothing proposition, but, you know, figure out where these gaps are, what parts of this are, are missing within your environment, and then look to see how you can fill those gaps.
So, so from our perspective, we see this as something where you might have, you know, offerings from other vendors that, that solve parts of these problems, but recognizing that, that you need to fill the gaps with, with other technologies to help address the problems, gives us an opportunity to come in and provide greater value. So with that, you know, I'll conclude my, my presentation. Thank you.
Thanks very much, Nick.
We have a couple of questions, but we're probably only gonna have time for one. Strategy previously meant a minimum of five years. Now, a long-term strategy does not seem to be especially helpful the way things are changing. What do you recommend?
Really good question.
I mean, so strategy comes at all levels, right? I mean, so, so part of it is having a plan now, as we all know, you know, a good plan, never really survives engagement with the enemy, you know, so, so it's, it's about being adaptive, you know, and, and some of this is, you know, taking a step back thinking about this, you know, so, so the, what I was describing as far as this process goes is something that's, that's, you know, easy to implement really.
I mean, you just follow this process, recognizing that you need to address what's the most immediate part that, that that's going to give you the biggest bang for the buck now, and then see what you can do next. And part of that gives you the opportunity also to adapt and react to what the changing nature of the environment, maybe a priority changes. And you start to focus on one part versus another, but keeping the bigger picture that you have, this roadmap that you're gonna continue to, you know, improve upon, gives you a path forward. So it's not just ad hoc, throwing things at the problem.
It's not seeing what's gonna stick on the wall. It's more, less, okay. I see that's happening. Okay. I changed my plan slightly, but I've still got a direction that I can carry forward and I can see a good outcome.
Okay. Thank you very much, Nick Nichols.