So, how to talk about zero trust in 15 minutes. That's already the first challenge, but I'll try. So honestly, the title of this slide is really influenced by this specific finding from the PwC Digital Trust Insights Survey. For those who don't know this survey, it is a survey where more than 4,000 technical and business executives were surveyed last year. And one of the findings that really got my attention is actually this one here. And what this says is 21%. And if we take 21% of 4,000, that's 800 something.
These are the people that can actually expedite their business, can grow their business, can do transformation projects, because they trust their IT systems. So I don't know how you interpret this, but for me I think that more than 3,000 maybe are not, and I would like to just explain why that is.
So this is how we really think our digital landscape looks, you know, our users, our devices, the ones that we manage; everything looks like a beautiful landscape.
However, in reality, the digital landscape can actually look like something like this. And what I mean by this is that we're often not aware of where the business is really happening.
So we know that my organization is partnering with PwC to do a PAM project or whatever, but we're not aware of where our business is actually partnering with whom. I'm talking now about partnering with whom to do certain activities. We're not always aware of the whole digital landscape that we currently have. We've all seen this SaaS application and wondered, when did we ever get this? Or this specific asset: when did I ever get this specific asset? So you just look at your digital landscape and you're just surprised, like, what is this?
Because we're often not really aware of everything that is happening. And sometimes this is where business is happening, and this is what attackers are after: the things that you don't know about, the things that you never discovered.
And this may also be where the business is actually focusing. So at the end of the day, the CEO here is looking at something like this and he's just really freaking out because everything is on fire.
And of course, us as cybersecurity people, we're always really equipped with these heavy suits, and we look cool by the way. We are really running behind fires, trying to extinguish every fire possible, patching every hole, zero days, you name it. We are just after these threats, looking at them and trying to stop them, and it's just really difficult.
Now these are other security people. These are the compliance people with their nice suits, and also people who call themselves architects, like myself.
But really, what we do is we just use Microsoft Paint to paint stuff. That's what we do.
So anyway, at the end of the day, in our daily life, it doesn't matter if you're an architect or an engineer or you're in a SOC, blue team, red team, whatever; at the end of the day, this is how we look. So it's really tiring, and I don't think it's really sustainable to keep doing the things we currently do: running behind vulnerabilities, running behind threats, and so on. So this presentation is really about us pausing and stepping back and asking ourselves, what are we really doing here?
So is this operating mode really the right way we're operating here? And the question is, why are we firefighting? Why are we running behind things that we're of course already late on? So why not, again, step back and look for the root cause? And sometimes it can be as simple as really stepping back, stepping out of the fire, looking at the landscape in front of you and changing our approach.
So in this case, maybe it's actually really easy to just switch off the gas and switch off the fire, and that's it, it's done.
So if we translate this into zero trust and cybersecurity, what does that really mean? Because zero trust is really an opportunity for us as well to change this paradigm. So what does that mean? That means that in zero trust, what we're really trying to achieve here is aligning security with the business. As I mentioned in the last talk, it's about how do we generate revenue? How is our organization generating revenue? How do we make money here?
You know, go after these processes, not after the things that I think I need to protect. It's actually talking to the CFO or talking to the CEO.
Hey, what are you really after? What is really your fear here? What is your risk?
Get a poster and stick it on the wall: these are the risks that I need to start mitigating. Now once I know this, then I can actually start getting all of my security controls in place and protect the business. And what I mean by this, I don't mean only protect what the CEO wants to be protected, but at least put some sensitivity there, and then decrease sensitivity where it's not required. Then of course we need to focus on what we can control.
And again, what we can control is our assets, our systems. We can control vulnerabilities. We cannot control threats. We need to be aware of them, but we cannot control them. And what I mean by control is also about really shifting from "I'm assuming that I know you, I'm assuming that you're an employee, therefore I trust you" and "because I manage this device, it is safe" to "how can I continuously verify?" And to do this, zooming in a little bit more, we know these beautiful concepts, these principles. Verify explicitly: what does that mean?
That means we have this lady here who is a visitor to this nice castle. Then we are really checking her documentation, we're checking the car she came with, we're checking the history or whatever, before we just assume that, yeah, okay, she looks like she's not going to do any harm and let her in. So it's really about checking, verifying. And then I take her to another step and I check her bag. Why do you need all of these tools to get into the building? I mean honestly, why do you need all of this? It's really about actually checking.
She only needs maybe a cell phone to take a picture, and that's it. So give her the cell phone and remove everything else. So give only the least privilege. And then what does assume breach mean? Assume breach means that I'm actually going to escort the visitor to each and every room, because I need to ensure that nothing weird is going to happen, because yeah, maybe she looks nice, but maybe she's in disguise.
So I just need to ensure that I accompany her. And whenever I hear or see something weird, then I can also escort her out.
It's the exact same concept that needs to be applied to how users access systems, or how machines talk to other machines, or how apps talk to other apps. So this can seem a little bit overwhelming and too much work, but honestly, we've seen it work; it works. So we are not running, it's sustainable. Tomorrow we have TU and you have DORA, and you don't need to tick the boxes because you've already ticked them.
And we also need to remember, if this looks like too much work, then do you remember this? Because that's not easy, that's not sustainable. That's really tiring. That's a lot of work, and you're going to continue doing this, but you don't need to freak out because there is a zero day. So it's going to be a little bit easier, we hope.
So now the question is, what about we move from firefighters to business enablers? So how do we actually now enable the business? What do I mean by this?
What I mean by this is really about getting into this room, into the boardroom, and actually having a presence there. Meaning that I need to understand what the business is and never assume anything. I need to understand the risk. I need to frame cybersecurity as more than just defense. We are really enabling the business here. We're partnering with the business. We need this to succeed, and not just as a defense.
And then of course there's the use of AI and managed services, because this is how you're going to free your team to deal with this business enablement rather than doing day-to-day activities. And then of course this way you're going to protect the business.
Now, if you remember the original goal, it's all about trust, and confidence will build up over time, and hopefully the growth will start and we're going to be trusted by our leadership teams. So there's one more thing here, and I think it's really easy to talk about this, but how do you actually do it? Because I don't think this is an easy thing to do. So what we advise is to have an architectural framework in mind, really on how to move into the practicality of things and stop just talking about it.
And we in PwC have designed our own framework, and it's really in collaboration with CSA, Microsoft and the US Department of Defense, NIST and Forrester. These are the known zero trust frameworks. And what we did is we took all the domains of cybersecurity and divided them into these specific areas, and each area has a lot of capabilities that we work on.
So of course, if you're interested to look at this specific framework and spend more time on it, then please do reach out and we can talk a lot about it.
I cannot stop talking about it. So this is how we are dividing it, and how do you implement this? Once you know the business, and once you know what you're going to protect and what capabilities you actually need to have in your organization to protect you from all of this, then, and only then, you can start assessing where I am today. So, I don't know, in identity maybe you'll say I don't have JML, and JML is important; then of course I know where I am today and I know where I want to be. And then we can work on some gap analysis.
And depending on your maturity in network, your maturity in identity, your maturity in data, or what your biggest risk is, then we're going to start and develop a kind of roadmap or a strategy that will take you from point A to point B. So maybe you already have a project about consolidation of your IdP, so maybe we'll start with this, and if you do that, then you can actually do, I don't know, MFA for all, or maybe you can do passwordless. So it's just like a frame of a roadmap that will really take you from where you are to solving or mitigating your risks.
So really, at the end of the day, the aim here is really to get the trust of our leadership and eventually enable the business to grow. So before closing, I would like to leave you with these takeaways. I think zero trust can be described in many ways, but I think the most important way here is about aligning it with the business, because that's how you are going to get sponsorship. You're going to have an easy time actually convincing the C-level on funding your projects and actually making them feel heard.
I have a lot of stories about doing these kinds of things, and some people will stand up and say, I finally feel that I'm heard. So these people sometimes are not even heard, and we're talking about our leaders.
So the second thing is, of course, to establish a strong foundation and an ongoing operation, because maybe you get funding and you deploy this, but then what after? You need to keep it going.
And this is the whole operational commitment. So maybe have a zero trust central office to ensure that your change management process and everything is under control.
Again, this is a journey. It might sound very difficult, but I think once you take the first step, then you'll get used to it and it'll get easier with time. Of course, external expertise is available, from managed services but also from training, from reaching out, from talking, from collaborating as well.
So again, it's not easy, but I think the current model is not like a game at the end of the day. So it's really about approaching it from a strategic point of view. Thank you very much.
Anybody have a question in the room? Anything online?
Yeah, we have one question from our online audience. Is zero trust driven by any regulations, like for example NIS 2?
Very, very good question. I have to say it's not, but yeah, we're actually releasing a white paper answering this specific question in detail, and I can answer it very quickly.
Now, NIS 2, or DORA, or all of these frameworks, they're really behind us to ensure that we have good, secure systems. And I think the question is, is it sustainable to keep running behind regulation? Because today there is NIS 2 and tomorrow there is NIS 3 and then there is NIS 4, and I don't know where we're going to reach. I think zero trust can kind of enable what we call proactive compliance, because if you do remove trust, then you are kind of automatically ticking the boxes that NIS 2 is after, at least for ICT change management and risk management.
So from ICT operations, you're already ticking a lot of boxes there, and we in PwC did a mapping between NIS 2 and zero trust, and we can clearly see that you are really ticking a lot of boxes there. And things like, for example, incident response: zero trust is not going to tick the box for you, sorry, but it's going to enable you, because you'll have better logging, better monitoring. So it's going to make your life in incident response much easier. So for certain things, you're actually really ticking the box; for some other things, it will help you facilitate that.
But the whole concept is we don't need to be running behind vulnerabilities, compliance and everything. You need to start working from the root cause and remove trust. It's bad to say it this way, but yeah, because that's the way you're eventually going to have compliance.
Okay, great. Thank you very much.
Thank you. Thank you.