Risk Recordings with RSA
< Season 2 >
Rapid digital acceleration has been a prevailing theme as 2020 unfolds. Digital Risk, the unpleasant byproduct of digital transformation, remains one of the greatest facets of risk that organizations face. In the second season of the podcast, RSA's Peter Beardmore hosts security and risk thought leaders to discuss some of the massive disruptions organizations are experiencing, and how Digital Risk Management strategies are helping.
Season 2 | Episode 19: Reed Taussig, CEO of RSA Fraud and Risk Intelligence
Listen time: 35 minutes
On December 1st of 2020, RSA announced the appointment of Reed Taussig to CEO of RSA Fraud and Risk Intelligence. Mr. Taussig discusses his background, what drew him to RSA, the opportunities he's identified for the business, and developments in the fraud market throughout the tumultuous year that was 2020. He also discusses 3D Secure payer authentication, GDPR, and the California Consumer Privacy Act.
#RSAFRI #Fraud #3DSecure #GDPR #CCPA #ConsumerPrivacy
Season 2 | Episode 18: Safe Online Holiday Shopping
Listen time: 20 minutes
2020 has been a year of unexpected disasters, from forest fires to a pandemic, election uncertainty, and economic recession on an unprecedented scale. eCommerce dramatically transformed this year due to the pandemic and fraud trends adapted too. This holiday shopping season is projected to be one of the biggest ecommerce years ever, and potentially one of the most heavily targeted by cybercriminals.
Red Curry, Solutions Marketing Manager for the RSA Fraud and Risk Intelligence team, joins the podcast to discuss expectations for the current holiday shopping season, some trends revealed in the newly released RSA Quarterly Fraud Report, and how both businesses and consumers can protect themselves.
On December 7th RSA will host a Fireside Chat: Securing eCommerce During the 2020 Holiday Shopping Season. Speakers will include Angel Grant, CMO of RSA's Fraud and Risk Intelligence Business unit; Hector “Sabu” Monsegur, Corporate Pen-Tester & Expert Security Researcher; and Sam Curry, Chief Security Officer at Cybereason. Registration for the event is now open to all podcast listeners.
#CyberMonday #RSAFraud
Season 2 | Episode 17: Passwordless Authentication
Listen time: 22 minutes
The episode features a conversation with John Tolbert, Lead Analyst and Managing Director at KuppingerCole and Ingo Shubert, Principal Consultant and Solutions Architect at RSA. John and Ingo discuss Passwordless Authentication. What does it mean? Why pursue it? What are the obstacles and paths to success?
Passwordless Authentication will be one of several topics discussed at the upcoming RSA Evolution of Identity Summit 2020, on December 8 at 10 AM EST. Don't miss this free event - register here.
#IAM #Passwordless
Season 2 | Episode 16: RSA Labs Update
Listen time: 28 minutes
RSA Chief Technology Officer and recently appointed Chief Digital Officer Dr. Zulfikar Ramzan (‘Zully’ as he’s known to many) joins the podcast to discuss happenings at RSA Labs. In his tenure as head of RSA Labs, he has evolved RSA Labs into an incubator within RSA to identify challenges of digital transformation and develop new technologies, features, or even new businesses to address them. He reviews recent RSA Labs ‘graduates’, new technologies recently brought to market, and developing projects currently matriculating. Zully also discusses his new role as Chief Digital Officer of RSA.
#RSALabs #IAM #SIEM #IRM #GRC #decentralizedidentity
Season 2 | Episode 15: RSA Quarterly Fraud Report
Listen time: 28 minutes
RSA Anti-Fraud CMO Angel Grant joins this episode to discuss the newest RSA Quarterly Fraud Report. RSA intelligence and anti-fraud teams observed a number of pandemic-related changes in the nature of fraud in Q2 2020, including a sharp spike in fraud related to economic hardship and an increase in breaches/leaks and ransomware attacks. Angel brings her unique insight into the 2020 fraud landscape and suggests strategies organizations should embrace to protect themselves and their customers.
You can find The RSA Q2 2020 Fraud Report on RSA.com.
Read Angel Grant’s blog, How the pandemic is changing cybercrime, and see European Cybersecurity Month (ECSM) for resources and tips to Do Your Part and #BeCyberSmart.
Season 2 | Episode 14: Cyber-Risk Management with EY
Listen time: 28 minutes
Cyber Risk Management is the topic for this podcast episode featuring GRC and Cyber-risk leaders from EY. Michael Ruiz is EY’s Americas’ Archer GRC Leader and Carolyn Schreiber is EY’s U.S. Cyber Risk Management Leader. Together they discuss the trends and challenges at the apex of risk and security, selecting the right GRC tools, and requirements for a successful cyber program.
Additional reading from EY thought leaders:
Season 2 | Episode 13: Continuous Integrated Risk Monitoring with Crowe
Listen time: 22 minutes
We’re joined by Josh Reid, GRC Technology Services Leader at Crowe. He discusses how Crowe is elevating Integrated Risk Management practices, moving beyond questionnaire-driven risk information to more consistent, real-time business data coming directly from business systems; then identifying Key Risk Indicators (KRI) from continuous analysis and monitoring of the data.
Crowe is a Platinum Sponsor of RSA Archer Summit, a no-fee event that will be held virtually on October 6, 2020. RSA Archer Suite customers, partners, and prospects are all invited to attend.
#IntegratedRiskManagement, #EnterpriseRiskManagement, #KeyRiskIndicators, #AI, #Crowe, #RSAArcherSummit
Season 2 | Episode 12: KPMG discusses readying DOD Contractors for CMMC
Listen time: 31 minutes
The U.S. Defense Industrial Base is currently addressing a new cybersecurity mandate. The Cybersecurity Maturity Model Certification (CMMC) was released earlier in 2020 and is now finding its way into RFI’s and RFP’s.
KPMG Cybersecurity Practice Directors Chadd Carr, Ellen Ozderman, Chris Koehnecke, and Ryan Millerick join us in this episode to discuss how they are helping to prepare their DoD-contractor clients, and how they leverage RSA Archer Suite to assess, coordinate, document, manage and mitigate compliance. We discuss some of the potential pitfalls and benefits to come as Defense Industrial Base organizations improve upon their compliance and cybersecurity maturity.
KPMG is a Platinum Sponsor of RSA Archer Summit, a no-fee event that will be held virtually on October 6, 2020. RSA Archer Suite customers, partners, and prospects are all invited to attend.
#Cybersecurity, #KPMG, #RSAArcherSummit, #CMMC
Season 2 | Episode 11: GRC-as-a-Service with Tim Carbery from Castle Hill
Listen time: 24 minutes
Tim Carbery, Managing Partner of Castle Hill Managed Risk Solutions joins the podcast to explain how GRC-as-a-Service (GRCaaS) and Castle Hill’s ‘Business Hub’ model is helping regulated organizations of all sizes modernize their GRC programs and accelerate their risk management maturity.
Castle Hill is a Platinum Sponsor of RSA Archer Summit, a no-fee event that will be held virtually on October 6, 2020. RSA Archer Suite customers, partners, and prospects are all invited to attend.
#IntegratedRiskManagement #RSAArcher #CastleHillRisk #RSAArcherSummit #GRCaaS
Season 2 | Episode 10: Securing IoT
Listen time: 32 minutes
Arthur Fontaine, RSA Solutions Manager, joins the podcast for a look into risks involving IoT deployments in organizations; efforts underway in product development and standards bodies to help curb the challenges; and actionable advice for security, risk, and compliance leaders who need to get a handle on this core risk.
Goodmorning Digiville: IoT Risk Report is an upcoming free webinar featuring Art Fontaine and RSA's Steve Schlarman.
Art also recently led a session on IoT security at RSAConference 2020 Asia Pacific: Managing Digital Risk in the Era of IoT.
He also has an excellent blog post on the topic: Managing Digital Risk in a New Age of Internet of Things.
Season 2 | Episode 10: Securing IoT
Peter Beardmore:
Hello and welcome back to the RSA podcasts. This is Peter Beardmore from RSA Marketing and today we are discussing IoT Security with Arthur Fontaine, Solutions Marketing Manager for RSA. Art, welcome to the podcast.
Arthur Fontaine:
Thank you very much Peter. It's great to be here.
Peter Beardmore:
So Art, you’ve not been on the podcast previously. So before we get started, why don’t you, kind of, give me the Art Fontaine back story: what you do at RSA and how did you – what in your career brought you to this exalted point?
Arthur Fontaine:
Sure, I’ll give it a try Peter. So I work in the Solutions Marketing team. Each of us has specializations in the digital risk area. One of the things I’ve been concentrating on for the last couple of years now is the Internet of Things or IoT, including Industrial Internet of Things, Medical Internet of Things and the different smart cities and other categories of Internet of Things, which really just means devices that attach to the network rather than systems or applications or people. And I previously worked for IBM for 20 years on a number of collaboration, hardware and security projects and offerings, and when I retired in 2015 I joined RSA and I've been here since, focused initially on the RSA NetWitness evolved SIEM platform and more recently in the Solutions Group, which again looks across the product sets and looks at the market for the digital risks that are really concerning our customers.
Obviously, IoT is one that's come up a lot. There's a lot of industry interest in IoT, especially around the predictions that IoT and IT security and risk management will converge. I certainly believe and support that statement. It's going to take a little while, there are some transitions underway that are going to help, and I think that’s what we’re going to talk about today.
Peter Beardmore:
Yes, so the term IoT or Internet of Things suggests any device that is connected to the Internet and shares data and/or takes instructions from someplace else on the Internet. Is that a fair enough description of what we’re talking about when we say IoT?
Arthur Fontaine:
I think that very simple explanation or description describes it very well. You have the device, which is typically a single function piece of machinery and it typically speaks to some sort of cloud or datacenter backend. So, the application is what brings the device and its software together.
Peter Beardmore:
And although the term itself may only be roughly 10 years old, IoT devices as we currently understand them have been around for obviously eons longer than that. When we were doing show prep, Art, you and I discussed a conference that I attended back in 2006 about critical infrastructure and some of the risks associated with the devices that control traffic lights and dams and you name it, all of which are connected in one shape or another to a network but don't necessarily have the requisite security capabilities because they were built eons ago and just don't have the hardware to support what you would think of as necessary to secure a device on a network.
Arthur Fontaine:
What you're talking about is something we call in the IoT world Brownfield, Brownfield meaning already deployed. Many of those systems were not designed with particular security risk characteristics in mind. They were built to perform a function, typically a critical function, that would have characteristics like uptime and reliability and serviceability as their primary considerations. And most of those were deployed as systems that were purchased from a vendor who typically would also sign a service contract to support or even run those systems for the buyer over a period of time. And the other thing that is kind of unique about that category of IoT is those things were designed to have 20, 50, 75 year lifespans, as opposed to what we think of in IT as the typical lifespan being something like five years or less. So these things were not designed to be swapped out when the next great thing came along. They were designed to be used over a long period of time. The systems themselves did not or typically do not have a lot of extra CPU or memory to be able to upgrade them. They are often in places that are difficult to locate geographically or physically, which also makes them difficult to upgrade. So a lot of what – how those systems are going to operate is basically letting them do what they were designed to do.
Now, there are some ways to kind of clean up the hairball of Brownfield devices that tend to make folks in cybersecurity and risk nervous and to integrate them with newer systems like Edge-based computing which we’ll talk about or the emerging world of standards which kind of normalizes the communications and the operation of these systems into a more manageable and predictable way. Some of these systems will probably always be independent. Many of them were importantly designed to be air gapped.
Peter Beardmore:
Right, right.
Arthur Fontaine:
Which means that they were on a subset segment of a network that couldn't talk to anything else, but over time they were enhanced with abilities to use IP-based computing and as such have really kind of spread out and made things like remote administration possible, some analytics, also the things that you would regard as an improvement to the actual solution, but as we know when you do digital transformation you tend to introduce some digital risk.
Peter Beardmore:
Yes, and it doesn't work so well in an air gapped world when you're adding additional control capabilities or ways to reap benefits from the data or what have you.
Arthur Fontaine:
That's correct.
Peter Beardmore:
So there is the Industrial IoT space which is obviously a space that was historically proprietary, rugged, air gapped, and then as things moved forward into the modern age of Industrial IoT, the newer age devices are not really ever intended to be non-upgradable, air gapped. They are intended to be on modern networks and thus need to be managed and secure.
Arthur Fontaine:
And that would be a true statement about IoT or the industrial, the robot controls; they've all been upgraded over time to have more of a consideration and contemplation of where they sit in a network and where other things are around them. There's also a newer generation I think you’re touching upon of devices, everything from the light bulbs to the DVRs to cameras. These are not necessarily industrial in nature, they are multipurpose many times, but they were also built, at least in the early generations, kind of with just enough power to do what they are designed to do. More recently, based on some of the problems that happened with that first generation of unsecure or less than completely secure devices that could be hacked and taken over and built into botnets like the Mirai botnet in 2016, we are seeing a lot of these newer devices which have a lot more controls built into them, a lot more hooks and APIs to be able to do secure things with them, and I think that will improve dramatically going forward.
So you’re always going to have this kind of things that are being produced in the future will be easier to secure and de-risk, where we're still going to have to put a little bit more effort into the Brownfield stuff that's out there can easily be replaced…
Peter Beardmore:
Right.
Arthur Fontaine:
…but still needs to be locked down.
Peter Beardmore:
That Brownfield technical debt so to speak is not going away anytime soon.
Arthur Fontaine:
Exactly.
Peter Beardmore:
That Mirai botnet attack that happened a few years ago, for those who might not be familiar, that was essentially going after nanny cams and those types of devices that largely lived in the consumer world but were vulnerable to attack and became taken over by this botnet, right, that's…
Arthur Fontaine:
Yeah that's exactly what happened. So in the Mirai case, there were some actors who discovered that a lot of the DVRs and cams and other kinds of devices out there had default passwords or no passwords that were easy to take over, and what they did was they stealthily infected a great number of these, like many, many of these, and when the time came they launched a distributed denial of service attack, in that case against a company called Dyn in New Hampshire, that was servicing a lot of the largest websites' name servers, and when that distributed denial-of-service attack or DDoS attack took place it literally took down many of the largest websites on the Internet for a matter of hours, like five or six hours, before it was finally fixed and defeated. But it really was a wake-up call for the industry and that's what really started driving some of these requirements in supply chain: if you want to conform to a standard that says you’ve paid attention to security and risk in your IoT device, you need to be able to demonstrate that it wasn't infected with bad malware in the manufacturing supply chain, or that there is not an extra hidden chip on a circuit board somewhere that's sending data back somewhere, and that it's been engineered in a way where things as simple as default passwords have to be changed when they go into service. So there's a lot more consideration on specifically the botnet use case or the botnet problem, so that it’s much more difficult to take over the newer devices than the older devices. Having said that, there's always going to be this Brownfield problem where the older devices will remain out there until they age out.
Peter Beardmore:
So let’s talk real briefly about that supply chain certification or attestation that you mentioned. So my understanding is that NIST has kind of gone and done the work in terms of what sort of a minimum level or minimum ante from a security standpoint for these devices, and there is some sort of attestation that says that the manufacturer has achieved that threshold and therefore those products meet that minimum level and can be comfortably acquired by both consumers and companies alike. Is that a fair description of the situation?
Arthur Fontaine:
It is. NIST, the National Institute of Standards and Technology from the U.S. Department of Commerce, has, as we know in the cyber world, come up with a number of standards that help organizations conform to best practices and to make sure that the design and operation of things is kind of done with the best knowledge and best practices that are out there at any given time. So NIST 8259 is the Foundational Cybersecurity Activities for IoT Device Manufacturers and it's, as you pointed out, focused on people who actually are creating or delivering these IoT devices and the systems that they run. And they basically give you specific activities that help address customer IoT cybersecurity in their product development processes. So it's a rubric that you would adopt in your product development activities that would embed these best practices in the process. And then there's NIST 8259A, which is a baseline, and you can measure yourself against this baseline of capabilities and you can either self-attest with your own risk management processes, etc. or you can apply for an attestation from NIST on this one. Generally speaking, at this point in time I don't think there are a lot of certified devices coming out of that. It's more that this system of procedures and processes is being adopted by manufacturers, and then they can prove to their buyers and their supply chain that they have conformed to the NIST standards as they’ve done their work. The real, I would say, positive and hopeful thing about it is you're seeing a lot fewer of these devices just hitting the market without any consideration for cyber risk. A lot of them are now baking it into the process, and to be successful and to sell successfully you’re going to have to do that going forward.
Peter Beardmore:
And so, the devices themselves are less vulnerable ideally to sabotage or data theft or what have you.
Arthur Fontaine:
Much less so, yes.
Peter Beardmore:
The consumer or even the small business owner or the small manufacturer, give them some level of peace of mind, but let's take it up a level though and think about when you're operating an organization at scale or a large site with potentially hundreds or thousands of IoT devices. This is something that goes beyond the scalability of that one-to-one proprietary relationship that we were talking about of several years ago, where we need to add some level of sophistication and management to securing and overseeing this growing IoT infrastructure. Enter the advent of the Edge server and the Edge management scheme. So talk a little bit, Art, about what that means and what the benefits are, and how is RSA beginning to participate in that world of Edge management and security of IoT?
Arthur Fontaine:
And that's actually a big breakthrough that has taken place over the last few years in IoT, and kind of the easiest way to describe it is a hub. So, right now all of these devices attach directly to their application in the cloud or the data center; they have no awareness of each other and there's no way to integrate them without kind of heavy lifting at the backend at the server level. What the Edge architecture delivers is, it's almost middleware, so it is hardware middleware, so what you have is these very small devices that are computer servers. They are either gateways or they are servers running Linux, and you deploy them out at the edge, close physically and logically to the devices that they serve, and you can connect one or many, you can connect one type or many types to these gateways, and when the actual traffic from the device to the application goes through one of these gateways, you have the capability to do things that previously were just impossible.
The gateways are designed to be open and upgradable and future proof to use the term. What they have is the capability to speak multiple protocols. They are aware of lots of different use cases kind of natively and there is a whole ecosystem of companies that are providing modules for them that do things like identify an inventory, different types of devices on your network, discover them so that you can then kind of take control of them and give them some manageability that didn't exist before, and at the same time they give you the ability to work across applications. So you might have an example where a device is overheating and you're getting a report that it's running at a temperature outside of the accepted envelope for that device in that location and it’s going to send off an alert to its application up in the cloud that says, hey, I got a problem here that we have an excessive temperature. And the person in the data center who is responsible for that is going to have to take that data, that information, that intelligence and do something with it, the device is reporting too much heat what's causing it and then they have to troubleshoot.
If you've connected that device to the gateway with other devices that gateway might have the visibility into the problem. So it might see that there's an overheating machine that's in the same room and that's raising the overall heat in the room and then you could apply analytics locally and then you could fix that problem kind of at the gateway level without getting the data center layer involved. That’s a simple example, but it's also representative of the types of things that you can do that now tie all of these siloed IoT systems into something that you can both manage and secure and de-risk in a single layer. A lot of these are open standards projects. There are cloud-based ones. The Edge concept in general is being heavily adopted and very quickly growing in the world and for folks who are in the cybersecurity side of the house especially it's what gives us promise that you will be able to use the IT security tools that we’ve built up over time to also secure IoT.
Peter Beardmore:
Okay, talk a little bit about the standards that are coming into place for these Edge devices themselves. Is there a single standard today and I can just go out and buy an Edge server that I know is going to service me for the foreseeable future or are there things that I need to look out for when I'm looking to invest in an IoT infrastructure that’s serviced by an Edge server.
Arthur Fontaine:
There's a number of, I won’t say competing, there is an ecosystem of Edge software that's out there. The one that we here at RSA and Dell have kind of allied with is something called EdgeX; the EdgeX Foundry is an open source project that's hosted at the Linux Foundation, has a number of leading industry companies as participants, and it's a good example of how this is put together. You’ve got basically a bit of software that gives you some basic capabilities around understanding protocols, so a lot of the standards work that's going on is around these protocols to allow devices to speak to each other, to use for example 5G, to use wireless capabilities to talk to each other, and those are kind of built in as basic capabilities. Discovery of devices is another one that's built in, but it's modular. So you can actually put in any type of technology you want. You can add additional manageability capabilities. You can add analytics. In the case of RSA, we've added a module called RSA IoT Security Monitor that allows you to do two things. One, it allows you to do security monitoring of the devices themselves independent of any IT or SOC kind of cyber assets you are running, but it also gives you the ability to take that and then feed it into those centralized systems. So essentially you're opening up the visibility of your SOC to include things that are IoT based, and right now that's been kind of a blind spot for a lot of these SIEMs and SOCs: they can see their IT assets, they can see their applications and their people, but they can't see these devices that kind of just started appearing on IP addresses in their network, first in the industrial world but now in just about every use case you can get a device and hook it into the network.
So one anecdote: we were talking at Black Hat last year to a large manufacturer in America and we talked with one of the SOC managers and he was saying, I don't even know what IoT devices are in my network, because they had a permissive culture. If you need to solve a problem and that's how you do it, you just do it and grab an IP address. And he said the only way to really figure out what I have in my environment is just to unplug something and wait for somebody to scream. And he was laughing…
Peter Beardmore:
An interesting management technique but…
Arthur Fontaine:
He was laughing but that really was the truth. So we spoke to him about the Edge architecture which he found to be the solution to his problem and we continued to have this conversation with them about implementing an Edge architecture strategy, which he believes is going to both discover and manage and kind of organize all those things that he doesn’t know about, but also give him a platform to secure it.
Peter Beardmore:
So he will have gone from essentially a list of unknown or IP addresses that are unknown devices communicating in proprietary language across the network to more or less like a Rosetta Stone for the rest of the network for all of these devices that they can now communicate with and manage them.
Arthur Fontaine:
It is and I would compare it to where we were going into the IT world 20 and 30 years ago where again things were deployed for a need and they weren't really thinking about what they were, but then you started getting these standards where you could add it to your product so you support SNMP right so Simplified Network Manager Protocol and suddenly you had the ability to talk to some centralized thing. Then later on, you saw the emergence of something like a SIEM and a SIEM is a Rosetta Stone, it can talk to all sorts of systems, you can get packets, you can get logs, you can get endpoint, but what it does is it normalizes the information coming from these widely disparate systems and gives you a way to do a common analytics and management layer that really, really kind of brings things under control and kind of lowers everybody's blood pressure and the worry about making sure that these things remain secure and de-risked.
Peter Beardmore:
So, I’m going to ask you a couple of questions Art from the point of view of both a security leader and a risk management leader. So if I’m a security leader in an organization and I know that I've got a bunch of IoT out there that I need to bring under control what should I care about, what should I be looking to accomplish from that point of view?
Arthur Fontaine:
The first thing is to get it under control. I mean that's really where the anxiety comes from today. If you don't know where everything is and what these individual devices do then you don't know how you can defend them. You don’t know how they can be attacked. You don't know what patches they need or require. And so like you would in an IT world you deploy something like a Qualys or another kind of inventorying and management program that's what the Edge device will accomplish for you. So you can put that Edge device out there and point it at an IP address that you know is an IoT device that's unidentified and the Edge server or the gateway will say, oh, I recognize this as a manufacturer X model Y, version Z and that's kind of the starting point to getting things under control. And as you work through that process and gain an inventory of it then you can look at things like securing it with things like the RSA IoT Security Monitor or you could use another one from another company because these things are open and extensible.
Peter Beardmore:
But ultimately you want to not only be able to see it and understand what it is but also have a feel for how it's behaving and who's connecting to it and all of the things security leaders care about.
Arthur Fontaine:
That's a very important point, so it's like anything else you want to make sure that you have access control on these things. Right now, many of them were kind of put out there with one function and they only do one thing. If you see one of these devices start acting in a way that's inconsistent with that so for example in RSA IoT Security Monitor we do User and Entity Behavior Analytics or UEBA and we’ll watch what a device does and if it's downloading a few bytes and uploading a bunch of bytes every day and suddenly it starts downloading a lot more bytes and uploading fewer then that's a change in behavior that you should look into.
Now, like any other kind of cybersecurity activity, there can be an explanation: somebody is troubleshooting or somebody is installing some new software or something like that, and you can eliminate that, but you need to be alert to it so that you can make sure that it's not some sort of exploit or attack. So that's one of the things: you have to have a foundation, an Edge foundation, in place before you can do that. There is just really no possibility of doing it across all your different IoT systems until you've got that organizing layer in place.
Peter Beardmore:
So from a security perspective, you certainly got through the discussion around identity and visibility. What about access, is there a path whereby we understand these devices from an identity and access control perspective?
Arthur Fontaine:
There are a number of activities out there. I would point to FIDO, so FIDO is the identity standards group that is really kind of organizing and automating a lot of the authentication and access available to you as an organization across all your systems. They've got an IoT working group that is finalizing recommendations and standards to simplify things, essentially bringing the IoT world into your identity framework. So you'll be able to do things like identify which systems have access to what, decide whether that's appropriate or whether that should be restricted. You can also manage their lifecycle, so you can know over time how they should behave and what changes you should expect and what changes should be prohibited. And you can do all of the same kind of access management you do now with systems and people, but with your IoT devices. Again, all of it on the pathway to the IT‑IoT convergence that basically the world, all the analysts, all the thinkers in this area, are anticipating.
Peter Beardmore:
So let’s pivot to the point of view of the risk manager. If you're a risk compliance person what should you be caring about, what questions should you be asking and where should you be investing with respect to IoT and associated risk.
Arthur Fontaine:
This is similar, I would say, to how the cyber guys are looking at it, right, we're saying let's figure out a way to get these things inventoried and under control and then we can put in place plans to manage it and to de-risk it. So one of the good things that has come along, we've spoken of already a couple of these standards and frameworks, the NIST framework and the FIDO frameworks, there are others from ISO/IEC, from IETF, that talk about generally what are the smart things to do as you are both kind of organizing your current IoT systems and then planning your rollouts of future IoT systems, and these can be plugged into standard risk management tools like RSA Archer. The RSA Archer product has two modules actually already, with more in the pipeline, to help you do this. The first is the RSA Archer App-Pack for IoT Planning, which will allow you to kind of figure out what you're trying to do, where the risks would be to concentrate on as you're rolling out an IoT system, and basically let you manage it in the same way you manage all of the other risk in your organization, which is kind of the point of things. You want to be able to manage IoT risk together with the other risks that are either related or elsewhere in your company and not have a whole different system for doing that.
Peter Beardmore:
Art is there anything else that you might have wanted to mention on the podcast that I may have failed to ask?
Arthur Fontaine:
Just kind of in terms of advice, I would say the one thing that we've kind of discovered in talking with customers, and it's one of the things that is adding to the anxiety, is that the cyber and risk managers have not traditionally been involved in the IoT piece of the business; that was an operations function, and so I would say that anybody in any of those functions needs to understand that you need each other. So if I'm an operations person deploying or considering deploying a new IoT system to help my business, I'm going to want to make sure that I talk to my security and risk managers now. We certainly don't want to scare them that we're going to slow them down or make them less able to meet their own business needs, because that's not what it is. We'll be able to help them secure and de-risk these things ahead of time and get them into production faster and more securely if we're able to do that. So this is something we've been saying in kind of our business-driven security messages for a while: that you can't just do this one silo at a time. The business has to coordinate across functions for us to really do this well.
Peter Beardmore:
So there is obviously a lot to consider here. As it turns out, if you look at the show notes for this episode we will have listed a recent blog that Art put together with respect to many of the topics we've discussed here today on RSA.com. We will link to that. We would also encourage you to check out the recent RSA Conference that took place for Asia Pacific and Japan. Registration and access to that content is still free and available, and Art led a session during that event specifically about IoT, complete with visual aids, which come in really handy when you're talking about a topic like this. It doesn't…
Arthur Fontaine:
Yes.
Peter Beardmore:
…necessarily lend itself fully to podcasting. And then finally, Art, you'll also be participating in a webinar later this month with RSA's Steve Schlarman, who has been a frequent guest on the podcast in the past, putting IoT in the context of Digiville, which is a metaphor that Steve has built to help organizations look at the totality of risk in their organization and some ideas and ways of managing that, and so we encourage people to take a look at that webinar and to participate later this month.
Arthur Fontaine:
That's going to be fun. It actually maps pretty well to the way Digiville is designed, because IoT as a neighborhood is a pretty interesting concept on its own.
Peter Beardmore:
Well, we would encourage all of our listeners to take a look at that and familiarize themselves, if they haven't already, with the concept of Digiville. I know that a lot of the RSA customer base, the leadership in both security and risk, have found some benefits in looking at the Digiville model for explaining the totality of risk and security, and introducing some strategies into their organizations for dealing with that.
Arthur Fontaine, Solutions Marketing Manager at RSA, focusing on amongst other things, IoT security and risk, thank you for joining us on the podcast today.
Arthur Fontaine:
Thank you Peter and thank you everybody out there.
Peter Beardmore:
Okay. Talk soon.
Season 2 | Episode 9: RSA Cybersecurity Summit
Listen time: 18 minutes
The inaugural RSA Cybersecurity Summit launches on July 29th. This is a 2-hour, free, virtual event featuring thought-leading keynotes, technical sessions, product demos, and 'meet-the-expert' conversations. This episode of the podcast features two keynote presenters from RSA; Amy Blackshaw, Director of Product Marketing and Steve Schlarman, Portfolio Strategist. Amy and Steve preview the event, their keynotes, and comment on how security operations centers are building resiliency amid continuous disruption.
Listeners can register for the RSA Cybersecurity Summit at: www.rsa.com/cybersecuritysummit. The event goes live at 10:30 AM EDT on Wednesday, July 29th, and again at 8:30 PM. Content will also be available on-demand following the event.
Peter Beardmore:
Hello and welcome back to the podcast. This is Peter Beardmore from RSA Marketing, and it is a pleasure today to be joined by two of my favorite colleagues in the RSA Marketing Organization, Steve Schlarman, who is Director of Digital Risk Strategy and Amy Blackshaw, who is Director of Product Marketing. Steve and Amy, welcome both of you.
Steve Schlarman:
Thanks, Peter, great to be here.
Amy Blackshaw:
Hey guys, thanks, Peter.
Peter Beardmore:
So before we get into it, we are here to talk about the RSA Cybersecurity Summit which is happening this week online on July 29th at 10:30 AM Eastern Time and then it is going to be repeated again at 8:30 PM Eastern Time. So folks around the world have the opportunity to join in live, and Steve and Amy are both involved in the Cybersecurity Summit. So, before we get to that though, Amy, this is your first time on the podcast so welcome again. Why don’t you just give us a short description of what you do and how you came about coming into your role here at RSA?
Amy Blackshaw:
Sure, sure, thanks and very excited to be part of the podcast, thanks for having me. I’ve been part of RSA product marketing over the past 10 years. I now have the great honor of leading a team of product marketers across all of our unique product lines and I am really lucky to work with some of the smartest folks in the industry as we help the market, our customers and sales team really understand the unique value that RSA products bring to the market. So, long time RSAer and really happy to be leading the great team of product marketers that we have at RSA.
Peter Beardmore:
Okay, and Amy, you were one of the organizers of the RSA Cybersecurity Summit and both you and Steve are presenting this week in keynote sessions. Amy, tell us a little bit about how the Cybersecurity Summit came about, what we’re intending to do with it and who should be thinking about attending.
Amy Blackshaw:
Sure, sure, well I think, as we all know and we've been talking about for months now, we continue to be in unprecedented times in both our lives as human beings and our lives as security practitioners, and so we sort of got around the virtual table and discussed how we could help our customers in the market come together as a community and talk about how we as security and risk professionals need to be thinking about the new normal that we are all living in due to the pandemic crisis and what that's done, not only from a remote-work perspective but from a security operations center perspective. So we came together and thought, let's pull together the community so that we can share a conversation about how things have changed and how we believe security operation centers and security and risk professionals need to be thinking about thriving in the new normal, and of course RSA is no stranger to bringing folks together in a collaborative forum. This is obviously different in our virtual environment, but we're really excited to be bringing forward some great speakers, awesome content, the ability to see technical demos, deep-dive technical workshops, as well as just opening up a conversation with experts. So very excited about the program, very excited about bringing folks together, and it really is for anyone who is interested in learning about how we as professionals are continuing to learn about our new normal and what we can do to continue to thrive and be efficient and effective in doing our jobs.
Peter Beardmore:
So listeners to the podcast will see some repeat names if you come to the RSA.com/cybersecurity-summit and look at the program, you'll notice that Percy Tucker and Neil Wyler who were recently on the podcast talking about the RSA conference SOC will be doing a technical session. We have keynotes including which should be a really thoughtful and humorous keynote by Sean and Marco from ITSPMagazine and we also have keynotes from both Steve and Amy. So Steve you're going to be working on a concept that you’ve talked about before, and I think has developed quite a lot over the course of the last year the concept of Digiville and you're also going to be bringing in Neil Wyler into your conversation and Percy Tucker. I guess. Tell us about how that came about – tell us about Digiville first of all, the concept and what this conversation now with Neil and Percy will bring to it.
Steve Schlarman:
Yeah, I am excited about this. We've been doing several webinars to expand on this concept of Digiville, which is a fictional city that is meant to help understand the breadth and depth of the challenges around digital business as you know the digital transformation is a big conversation topic and so forth. But it's a really broad topic and it's helpful sometimes when you have something as complex as moving into this digital world having a metaphor to think about it in terms that go beyond just your own perspective. And so I created this concept of Digiville, as this digital city to represent all of the different pieces and parts of both digital business and digital risk management. So, the city has its own little neighborhoods and districts, things like security operations, risk management, customers, partners all of those components are represented by neighborhoods. And then the core part of Digiville, like all big cities you need to be able to get around, I created a digital risk management transit authority so basically the subway system and that is meant to represent all of the different elements of a digital risk management program. So there are different loops and lines in this subway system, there's a lot of stations and it's really meant to illustrate the fact that managing risk in the digital world has to be a connected endeavor and so when you have elements like internal audit or security operations or your compliance functions or the digital product development all of those things have to combine together to manage risk. 
So the session that we're going to do with Percy and Neil is really a trip through a couple of neighborhoods that are in Digiville. The first is the adversaries neighborhood, which represents the unfortunate elements of your digital prosperity, is to represent the, you know, the criminal elements and the threats that organizations have to deal with, and we're also taking a short tour of the security operations neighborhood, which is a core part of Digiville, obviously, representing all of the security processes, and with Percy and Neil's collective experience these are great tour guides to help us walk through those neighborhoods and talk about one of the key elements of the digital risk management transit authority, which is the cyber line, and that represents all of the activities within an organization from gathering threat intelligence to technical topics like UEBA and how do you pull that all together into a strategy to help manage the risk of cyber attacks. So it's a fun little metaphor, but it really helps broaden the discussion around digital business and its effect on organizations.
Peter Beardmore:
The Digiville concept not only does a great job at illustrating all the interconnectivity of risk and how risk managers should be thinking about all of the digital elements that they need to keep some control of, or at least an eye on, but also, as Steve has put together these cyber lines and all these different transit lines, it really shows at some degree of detail all of the things that a risk manager needs to look at when considering any particular aspect of the business or business function and how to ensure that it's secure and that risk is properly managed. Steve, you mentioned security operations, which is a great segue into Amy's keynote, which is entitled the Lean Mean SOC Machine. Amy, tell us about what a Lean Mean SOC Machine looks like and why we should be talking about it.
Amy Blackshaw:
Yeah, we had fun with that name, and I think Mike Adler and I, Mike who leads the product and engineering function for the RSA NetWitness product line at RSA, have been talking about I think two key parts of what makes up a Lean Mean SOC Machine, which is this idea of efficiency and effectiveness, right. That has always been the goal of a Security Operation Center, of course. However, in our new normal it becomes ever more important to be focusing on how can we really focus on the threats that matter and make sure that what we invested, and it's not just about technology of course by the way, it's about people and processes as much as it is technology, how can we make sure the way that we are investing enables the security operation center to remain efficient and effective in getting their jobs done, which ultimately is about protecting the organization. And so Mike and I have a great plan to just really have a conversation and to talk about what has changed, what has remained the same, and really how organizations should be thinking about the changes that have occurred from a macro perspective that need to be thought of as they return to work and as they continue to manage remotely the Security Operation Center that has for a very long time been this idyllic room with beautiful screens with analysts looking up at all the data at the same time and being able to share the same space; all of that's changed. So we really explore how to take advantage of some of these changes that have occurred, and what we believe ultimately is security practitioners, security professionals have always had to be resilient, and that in today's time that does not change, and that we believe there is a lot of opportunity out there to come back even stronger than ever.
Peter Beardmore:
Yeah, you said the word resilient attached to Security Operations Center personnel, and I was thinking it literally as you were saying it. These individuals that gravitate toward this career are obviously extremely resilient, adaptive, creative people who, like everybody else, were kind of thrown into this enormous disruption that we all experienced over the course of the last five or six months. These are the people that have been largely responsible for the resilience of the digital elements of the organization. But now they've had to really focus on the resiliency of their own operations. As you said, moving from the physical to the virtual, all SOCs have had virtual capabilities for years, but I don't think there are too many that have operated at 100% virtual. What do you think, and this question goes to both of you. From a security operations perspective, what are the key characteristics of the successful, resilient SOC as demonstrated over the course of the last five or six months versus the SOC that may have struggled?
Amy Blackshaw:
Yeah, I can take that, and it's a great question. I think we're having lots of conversations with our customers and with partners to understand the unique challenges across the board. And I think, I'll echo something that you said, Peter, first, which is Security Operation Centers have had some type of remote capability for a while, especially very mature ones that have had a Follow the Sun model in which folks are in physically different countries or locations and need to share information, and they've already had processes and tools and technology that really enable that seamless integration across time and space, right. And so I think when we have had conversations with our customers, what continues to come up about this resilience, this idea of understanding the new normal and the changes, has been around, A, prioritization, understanding what needs to happen at day zero, right, what has changed in our organization's network, how do we get folks to work from home rapidly, securely, right, this idea of crisis management at the point of, hey guys, we've got to shut down offices, people have to work from home, that had to be a priority. And what we've seen from resilient organizations has been the ability to shift, be nimble, understand priority, take action, but then go through the cycle of reprioritization, understanding changes that you have made that might introduce new vulnerabilities into the system and start working through this triage. And guess what, we talk about new normal; there are going to be lots of new normals and so.
Peter Beardmore:
Right, right.
Amy Blackshaw:
You know, and I think one of the key ideas Zuli is actually talking about this next week at the summit is that there is an introduction challenge, a reintroduction challenge, and making sure that our organizations have taken a look at changes they have made and making sure that we remediate and maybe look at things a little bit differently moving forward. So, resiliency is about prioritization, about being nimble, being able to look across tools, techniques and people and processes, and then again adapting and cycling through that process again because it is ever-changing and ever-evolving.
Peter Beardmore:
And that keynote that Amy mentioned from Zuli: Zuli is our RSA CTO, Dr. Zulfikar Ramzan, affectionately known around here as Zuli. He was on the first season of the podcast; hopefully we'll have him back shortly. But his keynote is called Beyond the Curve: Reopening to the Workplace, and I think that it's going to touch upon all the, and many more of, the issues that Amy just mentioned. Steve, did you have a brief comment about the SOC?
Steve Schlarman:
I was just going to mention that, and Amy touched on this as well, but I think one of the critical things of resiliency is the blend of people, process and technology. Security operations relies on a lot of technology to have the visibility into what's happening and identify threats, but those organizations that have really balanced the people side, leveraging the creativity and the resiliency and the talents and skills of the people and building those out, and the process side, paying attention to the fact that you need to have repeatable, sustainable processes, that balance is really a key to resiliency, whether you're talking about security operations or other risk management functions like compliance or internal audit or so forth; that blend is really critical. And so I think the way Amy was talking about the Lean Mean SOC Machine, which I love, that title, it is a combination of those three elements, and I know it sounds like we use that paradigm all the time to talk about things, people, process and technology, and it can become cliché at some point, but it really is the essence of building resiliency when it comes to risk management, security, and those functions that are tasked with making sure that the business is running right.
Peter Beardmore:
The RSA Cybersecurity Summit will be happening this week, July 29th on Wednesday starting at 10:30 AM Eastern Time and then again at 8:30 PM Eastern Time, both on July 29th or July 30th if you're tuning into the second portion from somewhere in the Asia-Pacific region. Folks are welcome to join live from anywhere throughout the world. There will be keynotes that we’ve been discussing, technical sessions, product demos, ask the expert sessions, all packed into an extremely informative two hour program featuring our two guests today, Steve Schlarman, and Amy Blackshaw, both from RSA. Please hit that website RSA.com/cybersecurity-summit, register, check out the content, enjoy the keynotes from Steve and Amy. And Steve and Amy thank you both for joining us today on the podcast.
Steve Schlarman:
Thanks, Peter.
Amy Blackshaw:
Thanks, Peter.
Peter Beardmore:
Pleasure having you both. Talk to you soon.
Season 2 | Episode 8: RSA Conference Goes Virtual
Listen time: 25 minutes
RSAConference 2020 APJ has just completed. A first-time, all-virtual, free, global event for RSAC.
Linda Gray Martin, VP and General Manager of RSA Conference, and Britta Glade, Director of Content and Curation for RSA Conference join us to tell the story of what happened when faced with what to do when a global conference must adapt to the realities of a global pandemic. Together they explain the changing face of virtual events; the process by which they curated the program, content, and attendee experience; offer a glimpse into a potential 'hybrid' experience for RSAConference 2021 in San Francisco.
There's also an inside glimpse into their collaboration with the immortal George Takei, who shared his contagiously positive outlook on both the opening and closing of this year's event.
Listeners can access the entire RSAConference 2020 APJ event FOR FREE at www.rsaconference.com.
Peter Beardmore:
Welcome back to the podcast. This is Peter Beardmore from RSA marketing, and it is my distinct pleasure today to welcome two of the leaders of RSA Conference, Linda Gray Martin, who is senior director and general manager of RSA Conference, and Britta Glade, director of content and curation for RSA Conference. Ladies, welcome to the podcast.
Britta Glade:
Thank you.
Linda Gray Martin:
Thank you, and thank you for having us.
Peter Beardmore:
Thank you for doing it, Linda. So we are recording this the day after the completion of RSA Conference 2020 Asia Pacific and Japan, and we have a lot to talk about that event, but before we get into the successful completion of RSA Conference APJ, let's get into some introductions. Let's start with Linda. You lead the RSA Conference effort entirely. Tell us about how one gets to the level of leading the world's most preeminent cyber security and risk management conference.
Linda Gray Martin:
Sure. I'd be happy to. So I have actually worked at RSA and for RSA Conference for 14 years now, which doesn't seem possible, but it's true. I started my RSA career actually back over in the UK, in the UK HQ of RSA in Bracknell, and I was initially responsible for RSA Conference Europe, Middle East and Africa. So that was back in 2006, and then over time I took on responsibility for RSA Conference in China, was heavily involved in the launch plans for RSA Conference in Singapore, and then gradually got more and more involved in the US event, and I started traveling over here a lot more. And then about 7 years ago, I actually relocated over to New Hampshire, near to the RSA HQ in Bedford, and then about a year ago, I took on the general manager role for RSA Conference and haven't looked back since.
Peter Beardmore:
And, Britta, you have been also with RSA for quite some time. Tell us about your background.
Britta Glade:
In some different capacities, yeah. So I've, since all of us have different winding paths, right, with how we land where we land. I began my career actually working for an e-learning company, which was actually called computer-based training back then and kind of turned into e-learning in the course of that. So by virtue of that got some good background in instructional design and how to use technology as a learning platform and other things. My background is communications, and through those two different paths came together. I ran analyst relations at RSA corporate for many years, and through that, met and got to engage with lots of different industry analysts from across the globe and then moved into the RSA Conference role about 5 years ago.
Peter Beardmore:
RSA Conference has been growing physically for years and years. I seem to recall probably when I rejoined RSA 5 years ago, we were probably about 15,000 or 20,000 attendees. Most recently, I think at RSA Conference in San Francisco we had about 40,000. Is that correct?
Linda Gray Martin:
Yeah, we actually have about 36,000 people this year ...
Peter Beardmore:
Okay.
Linda Gray Martin:
... in San Francisco, and in Singapore last year, we had about 4,000.
Peter Beardmore:
Linda, tell us about the experience of realizing that a physical event was not going to be possible this summer in Singapore, how you came to the decision to making this a virtual event, and what was the process that you went through to ultimately get to the success that you achieved this week?
Linda Gray Martin:
Yeah, absolutely. So I think it became very clear pretty soon after the US conference this year that there would be no physical event in Singapore this year. So we were like, "Yep, we're going to take this virtual," I think not really probably fully understanding at that point what that entirely meant because, honestly, Peter, when I look back at the events industry, just in 4 months the changes that we've seen are tremendous. Even just kind of February, March time, virtual events weren't really the thing that they've become today. So we did go through quite a monumental effort to figure out how best to do this, and I think virtual events are a very different animal to physical events, and I think you have to go into the organization of them fully understanding that. And everything the team does is done with thought and consideration and a lot of research, and I think we quickly figured out that having a 9-to-5 event over the course of 3 days just wasn't going to fly. So we changed the way we do things. There were definitely some familiar elements. This week we have our traditional speakers and sessions. We have our ... Britta in particular has a vast range of contacts who speak for us, so we kept that, but we made the sessions much more digestible. They were just 30 minutes long. We still continued our tradition of having keynotes. People really enjoy them. They were kind of just 20 minutes long. We built lots of networking breaks into the agenda, and the event ran from 9 a.m. to 1 p.m. Singapore time as well, so kind of half days, certainly for the RSAC content anyway. We did partner, or continue to partner, with some of the great organizations in the ecosystem who did capture-the-flag events. We had a student event that was the last session yesterday that went on a little bit longer, but certainly from what we did, we focused it kind of over a much shorter period of time.
Peter Beardmore:
And I think the audience's view of what should be expected from a virtual event has certainly evolved over the course of the last several months as well, right? This certainly wasn't the first virtual event. You have the benefit of, I think, learning from others.
Linda Gray Martin:
Yeah.
Peter Beardmore:
But I think, as somebody who's not in the events industry, but does attend quite a few conferences and has taken advantage of the availability of a lot of virtual events over the course of the last several months, my expectations have evolved as well. So you've had to kind of do the Wayne Gretzky thing and figure out where that puck was going to be come late July, 2020 ...
Linda Gray Martin:
Yeah.
Peter Beardmore:
... during your planning in March, April and May, I would imagine.
Linda Gray Martin:
Yeah, absolutely, and it's like as I said, when we first started working on this, virtual events weren't really a thing. So it's been months of learning, refining, evolving to get us to the point that we were at today, and I honestly think that we're going to see a lot more technology and innovation in the virtual event space. I really do, and I think we're already seeing changes almost kind of like week-by-week. A new product comes onto the market. It's definitely a hot market, and I honestly believe it's here to stay. So it will be really interesting to see what happens and how everything evolves over the course of the next few months.
Peter Beardmore:
So we'll put a flag there, and I'll ask you shortly to look into your crystal ball for next year's conference in San Francisco. Before that, though, Britta, you lead content and curation for RSA Conference - that includes a program committee. Can you talk about what is a program committee and also what is its role in determining the sessions that will make a conference successful?
Britta Glade:
You bet. The program committee is comprised of subject domain experts that, depending on where we are, for this one in particular APJ, right, the bulk of our program committee are based there because we want to make sure that the content we create is specific and applicable to people in the region that we're serving. So these are folks who run the gamut of the ecosystem that RSA Conference serves. So people with a background in identity, privacy, GRC, security strategy, etc. So that's matching to the tracks that we have in place. Those folks are responsible for brainstorming, we call it blue skying. So before they even see any of the submissions that come in for our call for speakers process, they are thinking through, "What topics do we think are important to the industry in this region at this time?" So you think about the region and the industry at this time and how much that changed from the time that the call for speakers opened in the February time frame to when selections were being made in the late March, early April time frame with everything that we were going through. So that group reviews the call for speakers submissions that come in from individuals and makes the final selections. They're also involved through multiple rounds of reviews of presentations. We want to make sure that the quality of what is presented is the best of the best, so they are able to deliver that perspective and those editing cycles to the speaker to help them to develop the best material possible.
Peter Beardmore:
And so just to be clear: the program committee is not a committee of RSA employees. You lead that committee and organize it, but the actual decision makers are people from throughout the industry, and RSA Conference, albeit a property of RSA, is actually run independently. Is that right?
Britta Glade:
Yes, and that's a really important point. Thank you, Peter. Yes, what's important to RSA Conference is that we serve the community as a whole. We value all of the different perspectives that are brought by many different individuals from across the globe, and the program committee is comprised of people from ... We do have one committee member from RSA because of his domain expertise in a particular area, but he's there because of who he is and his background versus who he works for, which could be said of any of the other 14 members of our program committee in APJ.
Peter Beardmore:
Britta, tell me about your last few months. How did the committee operate differently from what it has done before? What was needed to be done to ensure that you had the content to make this event successful?
Britta Glade:
Yes, so the program committee ... We are so grateful to the program committee. We are always grateful to our program committee, but this one in particular because, again, you look at the time frame in which all of this was happening, and the program committee as well as speakers. I give a lot of credit to the speakers we worked with who were very flexible, who the format changed midstream on them and what they were doing. But the program committee, when we had our kickoff meeting, we had just made the decision we were flipping this virtual. So the discussion we had with them, there were different time frames that we needed them to look at in terms of when decisions needed to be made, when the review cycles would happen for decks, et cetera, and they were, as opposed to being able to predict the time frames that things were going to be coming in for them to look at because we did prerecord our content. That was a decision, as Linda was discussing earlier in our research cycle, and looking at, “How could we assure the best possible experience for our attendees?” Technology introduces unknowns. Someone may have the Internet go down. Someone might have an electrical outage in their neighborhood. There may be a tornado, which did, in fact, happen during one of our recording sessions, so ...
Peter Beardmore:
No kidding. Wow.
Britta Glade:
Oh, yes. Prerecording allows us to fix, air quote, those issues so that it's a best possible experience for the speaker as well as the attendees, and then adding that interactive element that allows the speaker to engage real time with the audience through the chat functionality through the course of the presentation, and then beyond. So there had to be a lot of flexibility. There had to be, as we were working with the speakers ... Again, massive credit to these speakers who were willing to change, join sessions live in order to provide that commentary, some of them 2 o'clock in the morning when they're doing so, but with tremendous vigor and excitement to continue to support their community. But working with these speakers, some of whom had never presented, period, and now you're asking them “Present to a computer, talk to a computer in an animated form.” It's different, but I think, just like for all of us in the last couple months, we've gone from interacting with people in an office setting to interacting with people through a computer. We've all evolved. We all miss the personal interaction, but we've evolved in our understanding and our use of technology. So it was a fun journey working with all of these groups.
Peter Beardmore:
Yeah, and I have to say the integration of some of those tools, I participated all 3 nights together with a group of marketers over here at RSA that participated as part of the audience, and that seamless integration between the recorded presentations, the live chat that went on in parallel to those presentations, and then also some ask-the-expert sessions that occurred afterwards involving Zoom, I believe ...
Britta Glade:
Yep.
Peter Beardmore:
... in addition to ON24, it was really a very well thought out integration of a lot of different tools brought together very seamlessly. So job very well done. Speaking of job well done, Linda, let's talk about what was different this year in terms of participation? This was opened up ... First of all, it was free, and second of all, because it was virtual, people could connect from anywhere. So unlike previous APJ conferences where you were limited to participation from people who were willing to spend the time and money to get themselves to Singapore to participate in this event, we had people from all over the world. So talk about how that played out. What were your expectations going in, and what can you reveal just a day later in terms of what we got for participation?
Linda Gray Martin:
Yeah, so I think I mentioned when we first started chatting that last year we had 4,000 attendees at our physical event in Singapore, which is a great number in itself. However, for the virtual event, we had 14,000 registrations. We're still working through our final attendance and final analytics, but that in itself is a phenomenal number, and I think you hit the nail on the head when you said that. Virtual events, they can just reach people that a physical event normally wouldn't reach, and I think we saw that loud and clear. And it was interesting when just looking at the top five or six countries where we had registrations from, although the split was actually very similar to the physical event, the number, it completely evened out between them because the virtual event format just makes it more accessible. So we had 142 countries represented. We had really high participation from Singapore, India, Australia, Japan, US, the Philippines, Hong Kong, Canada and Malaysia. Those were the highest represented countries. It really has been a truly international experience.
Peter Beardmore:
So looking forward, I believe you've announced that RSA Conference 2021 in San Francisco has been moved from February to May. Is that correct?
Linda Gray Martin:
Yep, that's correct. That's absolutely correct, and we also announced that it would be a hybrid event, so a mixture of physical and virtual. And I think I touched on this earlier, I think honestly, virtual events are here to stay. I don't want to ever take away from the physical event, however the importance of human connection is, and I think physical events will always be attractive because of that, because of what you get out of being with your peers and colleagues together in one place. And I think for that reason, people will be thirsty to get back to physical events as and when we are able, but I think virtual events are going to be part of event strategies moving forward because of what they can bring - because you can reach wider audiences. And certainly with RSA Conference, we can reach people that would never be able to attend in San Francisco, and I think that's one of the great things that has come out of this.
Peter Beardmore:
So let's assume for a moment that we're all a lot more mobile 10 months from now than we are today and that we will be able to have a substantial physical event in San Francisco. Could you illustrate what you think that "hybrid event" will look like from an attendee experience?
Linda Gray Martin:
That is a very good question, and I'm not sure we're quite there yet with our planning. So we certainly don't have all the answers today.
Peter Beardmore:
Okay, sure.
Linda Gray Martin:
But I think, and, Britta, back me up here if you think differently. I think if we are in that position where we can have a robust physical event, I think we will look at how we can broadcast out - livestream out - kind of the majority of the sessions that we run during that physical event. These are early-stage conversations, and it's like I said ...
Peter Beardmore:
Mm-hmm.
Linda Gray Martin:
... again, at the beginning, attending a virtual experience is very different from attending a physical experience. So we have to really think through how we do this, but I think it's capitalizing on all the amazing speakers that we always get at the physical event and just seeing how we can push that out in a virtual way. And, Britta, I don't know if you want to add to that.
Britta Glade:
Yeah, and we learned a lot through this APJ experience. We had wondered, honestly, how interactive some of our ... The audience there doesn't tend to ask as many questions in a physical setting - super interesting in a virtual setting. We discovered some secret sauce. We discovered some ways to get people to engage, and just in the course of the last couple weeks, looking again at how the industry is evolving. Looking at we certainly want for our physical attendees, for them to have a very engaging, robust experience from a learning and networking experience. How can we layer in some virtual elements on top of that? - some of which would be pieces that are only experienced in a virtual setting. The Zoom room breakouts that you talked about, Peter, slam dunk. That was such a great addition and way to have a deeper ... In a physical setting, I would have called that ... Well, we had an Ask-the-Expert session, actually, in APJ last year that happened physically. There's a way to do it virtually. The physical experience of that manifests in birds of a feather in different kinds of conversations. So looking at the blend of, “How do you deliver very impactful content to those who are physical and then enhancing that experience with networking, with learning labs, with other things, but then also for the virtual crowd creating some elements that help them with that stickiness and that networking?” So there will be a blend. I do not profess to have it 100 percent figured out right now, and I do think things will evolve between now and 10 months from now, but I do think that we have a lot of great components and plans in place so that it is a great experience no matter which format you join us in.
Peter Beardmore:
Well, I have to say, as a member of your audience, I am greatly anticipating that, and I am one of those people that are gnawing at the bit to get back to the live events. So personally, I can't wait, and I can't wait to see what you come up with. I want to wrap this up, though, with one ask, and I asked this of Linda last night, so she probably knows what's coming. One of the themes that we've been talking about on the podcast are the great things that we've actually learned from the adaptations that we've had to go through from the COVID crisis. RSA Conference went back to the well for RSA Conference APJ 2020 and invited the opening speaker from San Francisco to do the closing keynote last night or yesterday or today, I guess - my times are all messed up now depending upon what side of the world we're talking from. Anyway, the great George Takei was the closing keynote last night, who was spectacular in San Francisco and was more spectacular in Singapore. My suggestion is let's just make George Takei a regular for RSA Conference and find a way to work him in for the next 20 years. He announced last night that he's planning to live to 105. He's 83 right now, so I think ...
Britta Glade:
Oh, no, 107.
Peter Beardmore:
Oh, was that it?
Britta Glade:
He's going to live until 107. A hundred and five is when Hugh thought he should come back, yes.
Peter Beardmore:
Oh, okay. All right. So I think, my opinion is a little bit different from Hugh Thompson, who interviewed him. I think we just ... obviously a long-term contract is in order. If the Tampa Bay Buccaneers can sign Tom Brady, we can sign George Takei.
Linda Gray Martin:
We can sign George.
Peter Beardmore:
So that's my ask.
Linda Gray Martin:
Yeah, he's great. He's just such a pleasure to work with.
Britta Glade:
He is a delightful human being.
Linda Gray Martin:
Yeah, he's a gem.
Britta Glade:
Yeah, and what I liked, Peter, there, he was that engaged with us from the beginning of the process. When we were working on that opening segment, and we knew the ideas of what we wanted to communicate. Clearly we had a theme of human element. We wanted to make sure we were celebrating diversity and the different pieces of humanity that make then all of us together better, and the interesting elements and insights and passion points that George himself threaded into that opening, that's what made it glitter.
Peter Beardmore:
It really did.
Britta Glade:
That's what made it passionate.
Peter Beardmore:
It really did, yeah.
Britta Glade:
And you weave that into Star Trek and some of those themes that were around in the '60s, for heaven's sake, and it was a really serendipitous, beautiful thing in a year that celebrates the human element.
Peter Beardmore:
It sure did. It was really outstanding, and I personally really appreciate it. I'm a lifelong fan of George, and I was so excited. I actually got to see the dress rehearsal in San Francisco, so I got to see it twice.
Linda Gray Martin:
You did.
Peter Beardmore:
And then the recording again that you ran a couple of days ago, but suffice to say, it was really a beautiful event. Congratulations to you both for the sense to put that together and knowing who to tap into to bring that out with Hugh Thompson and the rest of the committee and all the success that you achieved this week with a really great program. I should mention, before we wrap up, that the program is all available on-demand online. So I'm assuming it's not too late to register. Anybody who's listening can go to the RSA Conference website and register and view any of the content that was created and presented over the last several days, correct?
Britta Glade:
Yes, indeed, and please do do that. These are speakers who have a whole lot of expertise to share with you, a whole lot of passion around that, and there's some great content there waiting for you.
Peter Beardmore:
All right. Britta Glade and Linda Gray Martin, thank you so much for joining the RSA podcast, and I'm really looking forward to hopefully seeing you both in person sometime soon.
Britta Glade:
Thanks, Peter.
Linda Gray Martin:
Absolutely. Thank you for having us.
Peter Beardmore:
All right. Take care.
Season 2 | Episode 7: Maintaining Compliance Amid Disruption
Listen time: 26 minutes
Maintaining compliance while your organization experiences sudden and unanticipated change can be daunting. In this episode we chat with RSA's Marshall Toburen, RSA Risk Management Strategist, who brings decades of experience in compliance leadership. We discuss the strategies that organizations have employed over the past several months, and Marshall discusses "applying risk techniques to compliance itself" (or what you should do when you can't fully satisfy all your obligations).
Check out Marshall's blog on Compliance in a Time of Disruption.
Also read our whitepaper, 8 Steps to Modernize Compliance.
Season 2 | Episode 7: Maintaining Compliance Amid Disruption
Peter Beardmore:
Hello, and welcome back to the RSA podcast. My name is Peter Beardmore from RSA, and I am joined today by Marshall Toburen from RSA. He is a risk management strategist as part of the solutions marketing team and one of our preeminent subject matter experts on all things governance, risk, compliance and integrated risk management. Marshall, thank you for joining us today.
Marshall Toburen:
Hi, Peter. Nice to be here.
Peter Beardmore:
It's a pleasure to have you. Marshall, before we get right into the meat of the discussion around compliance and things that we've been talking about relative to compliance in the wake of the global pandemic, why don't you give us a quick backstory on who you are, where you came from, how you got to this point and what you do for RSA now?
Marshall Toburen:
Sure. Well, I've been with RSA now for about 8 or 9 ... actually coming up on 9 years, and prior to RSA, I had a long career in the financial services industry just prior to coming to work for RSA in the Archer GRC program. I was the director of enterprise risk management with a financial holding company based in the Midwest where I was responsible for their enterprise risk management program, their practices and technology. I was the designated information security officer for Gramm-Leach-Bliley Act compliance, responsible for their insurance risk transfer program including cyber insurance, loss management including the fraud aspect, the vendor risk management program for the organization and controls management for purposes of the Sarbanes-Oxley Act and the quarterly 302 sub-assertion process, and then prior to that, I've had various positions as director of operational risk. I was a chief audit executive for a number of years in a financial institution and started out as an assistant controller, so I've got a deep background in that, deep background in audit, all things internal control, and so it was a real pleasure for me to go to work for RSA in supporting the Archer team because it's such a powerful tool for helping organizations understand their risk and demonstrating compliance and good risk management practices.
Peter Beardmore:
And like most of our Archer leaders today, you were a customer before you were part of the vendor.
Marshall Toburen:
Yeah. Yes. That's correct.
Peter Beardmore:
So, having been in my current tenure with RSA here about 5 years but in cybersecurity and technology for a couple of decades, the GRC world is relatively new to me, and in full disclosure, I frequently find myself in GRC discussions, like most security guys, quickly lost and my attention span well elapsed, so suffice to say, folks like Marshall, we're glad to have him because he has his way of making things understandable for commoners like myself, and so hopefully, we'll keep this conversation as engaging and as less wonky as possible, I guess is an awkward way to put it. So, Marshall, let's get into what's happened in the world of compliance in the last 4 or 5 months. We've spent many of our season two episodes in the podcast talking about areas of disruption that organizations have experienced as a result of the pandemic, one of which we discussed as business operations, but a gigantic part of that is compliance. As organizations have invariably gone through a whole bunch of changes, some of them really drastic, that has not necessarily lessened their compliance obligations or their need to demonstrate compliance, so can you talk a little bit about kind of how that has evolved over the course of the last several months?
Marshall Toburen:
Sure. Let me frame this before I directly respond to your question. So most organizations that are looking at compliance from an integrated perspective have a pretty broad definition of what compliance means. I think everybody agrees laws and regulations - there's certainly a compliance obligation there, but for publicly traded companies, particularly in the United States, there's financial reporting obligations I mentioned Sarbanes-Oxley, but a lot of organizations consider compliance to also include their internal policies and procedures, whether they're HR-related, code of conduct or they're operational policies and procedures and documented internal controls. That's included within the broad definition of compliance, and then lastly and certainly not least, is a consideration of the contractual obligations that you might have. Most organizations have those special customer relationships where the customer has very onerous obligations imposed upon the company by way of the contractual relationship, so think of uptime or service-level agreement metrics that might be in place on level of quality, number of errors that they will tolerate before there's some kind of financial concession provided to the customer as a result of your maybe inaction or failure to meet those obligations, but then think downstream in terms for your third-party relationships. As an extended enterprise, they also have an obligation to you to follow your policies and procedures and fulfill your regulatory obligations to your regulator and within the industry that you operate, so it's a very ...
Peter Beardmore:
It's an upstream, side-stream, downstream. It's quite complex.
Marshall Toburen:
That's right, and so just understanding what the full pool of your obligations are is extremely important, so to directly respond then to your question, so the pandemic and the crisis that occurred and that we're still going under has affected organizations greatly in part because so many of them had to shift their employees off-site, so most organizations with a strong compliance program, they had documented all of their obligations whether they were external or internal, whether they were contract related, whether they were third party related, so they understood that, and they understood what business processes were associated with how those compliance obligations arose and how they were satisfying those compliance obligations on an operational basis day-to-day. So, for example, if you are onboarding customers, and you have an obligation not to onboard customers that somehow are involved in sanctioned activities, as established by the US government, you have to do background checks on those entities on those third parties, and if your business processes expected that that would be an in-person kind of an activity that you had to take an in-person application, or you needed to be on-site at your organization to evaluate whether or not that compliance obligation was being fulfilled, when you shifted your employees off-site, that process was likely no longer operating, and the controls to ...
Peter Beardmore:
Or at least different.
Marshall Toburen:
That's right, or at least different.
Peter Beardmore:
Or at least different, and probably the means by which you record that information or document that information is different just because you don't have physical access.
Marshall Toburen:
Yeah. Absolutely. So it's highly likely that there are numerous processes that have been documented in organizations that, at a minimum, have changed a little bit, and for purposes of Sarbanes-Oxley, for example, where you're talking about business processes to ensure the integrity and completeness of financial statement reporting, if those business processes relate to the integrity of transactions, the authorization of those transactions, the completeness of those transactions, then you have an obligation under SEC reporting, and they reemphasized it not too long ago, to disclose where you may now have weaknesses that you didn't have before, and do you anticipate weaknesses down the road, as the pandemic continues to unfold, and you make decisions about bringing employees back to work or working with alternative third parties that may affect, again, your financial reporting integrity. So it's ...
Peter Beardmore:
So, Marshall, are these disclosures that need to be made as part of the SOX documentation program part of that Section 302 quarterly certification, or where exactly do these questions get answered?
Marshall Toburen:
Yeah, so there's a process in place that when organizations put their financial statements together, balance sheet, income statement - that's really straightforward, footnote disclosures and so forth. One of those footnotes, interestingly, is item 1A of the 10-K or 10-Q document, and item 1A is really a free-form description provided by management of the risks that that organization faces as the business evolves that would be meaningful information to investors in deciding whether or not to invest in that organization, so this is ... From a pandemic perspective, it's things as broad as, well, we think that our demand for our products and services has declined materially as a result of the pandemic, and we don't expect it to come back for 6 months, 9 months, whatever it may be, so that's one aspect of the guidances. You need to be talking about the pandemic within your risk disclosures. You may also have some impact in terms of reserves. If you're a financial institution, your reserve for loan loss may have changed as a result of the pandemic and the perceived change in creditworthiness of borrowers. Even under the most recent CARES Act, there's still reporting obligations that relate to that from a Sarbanes-Oxley perspective, but the core of Sarbanes-Oxley from a compliance perspective and an internal control perspective is, you will have already documented all of the internal controls that are material to ensure the integrity of your financial statements. 
Sarbanes-Oxley goes back many, many years, and that's already been done and in place in most organizations, and their public accountants come in on a regular basis and test those controls as do the internal auditors within those organizations, so if those internal controls have been changed or are no longer operating, it's very problematic for the people that have to ensure those internal controls are there to redocument those controls and to obtain assertions for management and from internal auditors and external auditors. So it's almost like organizations have stepped back in where they were in the timeline of implementing Sarbanes-Oxley because now they have to go back and make sure that it's all still as relevant and designed and operating as effectively as it ever was.
Peter Beardmore:
And while in many places, more vertical regulations have perhaps been relaxed on a temporary basis, or they may even be state-level regulations, Sarbanes-Oxley is not one of those. It's very horizontal, applies to every publicly traded organization, and the obligations have not been relaxed.
Marshall Toburen:
No. I don't think they have been relaxed, and so the SEC has been vocal about it, and they continue to be concerned about investors and whether they have complete and accurate information upon which they can make their decisions. That's core to the regulation, so they've actually stepped out and said, "Hey, don't forget you need to be talking about the pandemic as one of the risks that you are experiencing, and what are you planning to do about it from a strategic perspective?"
Peter Beardmore:
And when we look at controls and changes that have occurred or changes to controls that have occurred over the course of the last several months, where are the biggest areas of concern or the most top-of-mind issues for GRC leaders or regulators themselves? Is it particularly around privacy and financial transactions and that sort of thing, or are there other areas that also are leading concerns?
Marshall Toburen:
Well, that's an interesting question. There have certainly been some areas that have bubbled up in importance simply as a result of the pandemic, and a few examples are, there's always been concerns about customer safety, your obligation from, if nothing else, a slip-and-fall perspective within an organization. You've always worried about your customers, and you typically would transfer that risk under insurance, but with the pandemic, the safety of customers became even more of a concern, and the safety of employees became a huge concern, so it wasn't just the standard OSHA stuff, but it's now like, "Uh-oh, the pandemic ... We've really got to protect these people," so customer and employee health and safety. Then you got the work-from-home privacy concerns that began to emerge as cyber security professionals began to realize that, “Hey, our risk profile around privacy has really shifted. We still have these privacy obligations, but what are we doing to make sure that the employee's network is not exposed, exposing the company's network?” that they're handling information in the same safe and sound manner as they used to be when they were working on-site. And then particularly within financial services, as an example, they've gotten a lot of heat from regulators around model risk. There was already some regulatory guidance that said, "Hey, you better have a governance process around your models. Make sure your models are operating correctly, and whenever you make a change in a model, that you are evaluating the reasonableness of those changes and sort of what they call back test them to make sure that the model is still an accurate representation of what's going on."
So banks and insurance companies are using models all over the place whether it's a life insurance model or it's a model that's predicting credit losses or predicting liquidity or market changes, interest rate changes, changes in equity values and so forth, a huge number of models out there upon which critical business decisions are being made, and so the regulators have said, "Hey, look," and we've been contacted by a lot of customers saying, "Hey, we really need to get our hands around our model risk. Do you have anything to help us out there?" So those are three examples of kind of how the pandemic had shifted focus, but to your broader question, we're huge advocates of applying risk management methodologies to whatever kind of risk is out there, including compliance risk, so most compliance professionals are fairly well aware of the biggest risk compliance obligations, so for example, it might be the Foreign Corrupt Practices Act. Seems like almost every day there is a company somewhere being fined multimillion dollars for Corrupt Practices Act, so that's one. You also see huge fines in the area of handling transactions for terrorists and money launderers. That's a huge risk to most organizations, particularly financial services, so it is possible to look at the fines that have been issued to organizations for violating various laws and regulations, including the privacy laws like the EU GDPR, and kind of get a sense of what the inherent risk is. If your controls have fallen by the wayside, or you never set them up, you could have X million dollars of risk in this particular area and that particular area. So by applying risk-based techniques, you can prioritize those obligations. 
And if you've been affected by the pandemic in such a way that you're really worried that the processes and internal controls have fallen by the wayside relative to compliance with those particular obligations, those would be the areas that you would focus your limited resources on first to reestablish the baseline that you are in compliance and that you can avoid the worst case fine scenario that may be out there. So that saves a lot of time in applying risk-based processes to compliance because you may be in a situation where you don't have as many compliance employees. Perhaps they were sidelined as a result of the pandemic, so where are you going to use those limited resources? You're going to use those limited resources on the biggest risk, and there are still organizations out there that don't apply risk techniques to compliance. They're just like, "Oh, it's a law. It's a regulation. We have to do it." Well, that may no longer be practical within organizations. You simply cannot do everything. You need to do what is the most important thing and what's in the best interest of your organization.
Peter Beardmore:
And so figuring that out, watching and understanding where the enforcement is taking place is obviously a big variable to consider.
Marshall Toburen:
Yeah. Yeah. There's a long laundry list of things that you ought to be doing, but first and foremost, you ought to have an inventory of what your obligations are, right?
Peter Beardmore:
Right.
Marshall Toburen:
You can't manage what you don't know about, and that's certainly true in compliance, so those things I mentioned, whether they're laws, regulations, standards, customer obligations or third-party obligations, you should have an inventory of those, and that's a starting point for any kind of risk management activity.
Peter Beardmore:
Before we started recording today, Marshall, you mentioned that the Justice Department recently published some new guidance around compliance, guidance to prosecutors around questions to be asking, and it struck me when you were mentioning these that these were good questions that any chief legal counsel or leader of a compliance function organization probably ought to be asking themselves as well, so can you tell me a little bit about that for our audience?
Marshall Toburen:
Yeah. The timing seemed unusual, but on June 1st of this year, the Justice Department issued an update to the principles of federal prosecution of business organizations, and in that document, they spell out the specific factors that prosecutors should consider in conducting an investigation, including the adequacy and effectiveness of the corporation's compliance program, unquote. And there's three questions here that they played out in this updated guidance: Is the compliance program well-designed? Is the program being applied earnestly and in good faith, and does the compliance program work in practice? That last one in particular is what having a well-documented compliance program is all about. Regardless of the obligation, do you know what your obligations are, and are you able to demonstrate that the policies, procedures and controls in your organization are designed and operating effectively so that you're not experiencing compliance violations in any material amount?
Peter Beardmore:
And when you start to balance that against complexity that we started our conversation with all of the material changes that organizations have experienced, the various threats of obligation that they need to manage versus upstream, downstream, side-stream, the stuff can be pretty complex to manage. That's where RSA and RSA Archer Suite in particular can be brought to bear to help organizations out with these challenges, I'm assuming.
Marshall Toburen:
Yeah. Absolutely. When I first got involved with banking and the way that bankers would, at the time, demonstrate compliance, they were using Excel or I guess ... give you an idea of my age ... Lotus Notes back in the day, so an Excel-based spreadsheet to document all the obligations, document all the controls. Well, there's just too much of that stuff to make that viable anymore. Plus, particularly when you get in the area of privacy laws, there's multiple overlapping obligations. It's not just GDPR anymore. It's CC ... California Consumer Protection Act, maybe a version two of that coming online next year, lots of similar financial services privacy, and if you're an international organization, you've got ... It's like 77 percent of the countries in the world have either one privacy law or are in the process of putting a privacy law in place, so you got Brazil coming online at the first of next year. The Canadians have done a bunch of stuff, just to name a couple, and a lot of this stuff overlaps, so you can't afford any longer to have separate entries in your spreadsheet showing each one of these compliance obligations and then a separate program demonstrating that you're compliant with Canada, Brazil, GDPR, California and the other 49 states that have some kind of privacy law.
You need to find what the common themes are between those laws and then look at your internal controls and see, “Is there a way that we can knock out multiple privacy laws with one control?” And so it really gets to be a matter where you have to have kind of a relational database approach where you can show all of the interactions, and you'll also find organizations layering on top of the laws, their own policies and procedures, and you'll start to see then the common linkages with the contractual obligations that you've agreed to with your customers and perhaps with third parties, and so you can tie all of that together and see the interconnection and then apply your resources in the most efficient manner to ensure that you're fulfilling those compliance obligations, so there's a huge efficiency and cost benefit to using a tool like Archer or your compliance management.
Peter Beardmore:
Marshall Toburen, risk management strategist for RSA and all-around expert in all things GRC and a good friend. Thank you so much for joining today.
Marshall Toburen:
Thank you, Peter. Appreciate it.
Peter Beardmore:
All right. Talk soon.
Season 2 | Episode 6: Lessons from the RSA Conference SOC
Listen time: 30 minutes
You may not believe the data, credentials, images, location data, proprietary communications, etc. that security conference attendees (and some exhibitors) expose to anyone who'd think to look. In this episode we discuss some eye-popping findings gleaned from the RSA Conference 2020 public wifi network. The RSAC SOC is an educational exhibit sponsored by RSA and Cisco that monitors network activity during the course of the RSA Conference Event, held annually in San Francisco. Its three leaders, RSA's Percy Tucker and Neil Wyler (aka Grifter) and Cisco's Jessica Bair, join us to discuss their recently published RSA Conference 2020 Security Operations Center Findings Report. Percy, Grifter, and Jessica highlight their findings and share actionable advice for security leaders. Also, check out Percy Tucker's Blog: Behind the Data: Analyzing the SOC Findings from RSA Conference 2020.
Peter Beardmore:
Hello, and welcome back to the podcast. My name is Peter Beardmore from RSA and today we are talking about the Security Operation Center Findings Report from RSA Conference 2020. This is a report that was just published a couple of weeks ago, is available on websites from RSA and Cisco - we will include links in our show notes - but more importantly I am joined today by the three people that make it happen at RSA Conference every year: Jessica Bair from Cisco, Neil Wyler aka Grifter from RSA and Percy Tucker from RSA. So first thank you all for taking the time to talk with us today. Let's get started just with introductions. So let's start, ladies first, Jessica, you are from Cisco even though I think a lot of RSA people think you are from RSA. Tell us about what you do both at Cisco and in the RSA SOC.
Jessica Bair:
Well, thanks so much for having me, Peter. You’re right, a lot of people think I work with RSA or for them because we spend so much time together in the RSA SOC and otherwise it is an honor to do so. The relationship goes back over seven years. I managed the Cisco ThreatGrid relationship with RSA and malware analysis and that's what kind of brought us all together for this, and in the SOC I managed the Cisco team which has expanded from there and we will talk about that as we progress.
Peter Beardmore:
Thank you. And, Grifter, what's your role at RSA and what do you do during those long hours in the SOC in San Francisco?
Neil Wyler:
So, by day I am a principal threat hunter for RSA, so that's the day job, that's what keeps me busy. By night I run all the technical operations for the Black Hat security briefings. I am one of the main organizers of DEF CON. I have written a couple of books. I travel around the world speaking at conferences and stuff. So I am just an all-around security nerd. It's what I do for work. It's what I do for love. It just runs through my veins, so...
Peter Beardmore:
And well known throughout the security community. And, Percy, I know Percy because I spend most of RSA Conferences and Black Hats in the RSA booth and I get to interact with Percy, who is invariably taking people on tours of the RSA Conference SOC, but I am sure there is more to it than that. So, Percy, why don’t you fill us in?
Percy Tucker:
Man, it is really rough following Grifter for the interest, it's brutal.
Peter Beardmore:
Right.
Percy Tucker:
Thanks for having us, Peter. I am Percy Tucker, I am senior manager for RSA, have been with the company almost 20 years now. I manage the pre-sales NetWitness specialist desk for North America. I also manage the RSA SOC with Grifter and partner with Jessica, and this started four years ago at RSA Conference and it’s pretty interesting because this relationship started after we were asked to participate as a partner in the Black Hat NOC and the RSA Conference folks stopped by and took a look at what we were doing and we started from there.
Peter Beardmore:
And so, those of you who may not be familiar or not regularly attend RSA Conference San Francisco, at least the last couple of years as you move from the north hall to the south hall, the SOC is set up over on the left hand side near the escalators. It’s all glass windows, so people can see in and there are frequently tours going on and Percy or Jessica are out front explaining to people what’s happening. Percy, why don’t you kind of give us the 50,000 foot view of, first of all, what is the network that we are running security for and what is the function of the SOC?
Percy Tucker:
Sure. Let me start with the function of the SOC before we get to the network because that will be even more interesting. The RSA Conference Security Operations Center is an educational exhibit. It is not a true SOC. Its purpose is to capture traffic on an open public wireless network and educate the attendees about what is going on in that network, what we are seeing or what, what postures, bad postures, good postures, anything unusual that we see when connecting to a wireless network. So, in definition, it's not truly a SOC, it is an exhibitional exhibit sponsored by RSA Conference.
So let's talk about the network for a second. The network is no different typically from any public Wi-Fi network available, right? It could be at an airport or at a hotel or Starbucks or anything like that. People have an obsession with connectivity, right? So they take their devices, whether personal or corporate devices and they say, “I want my Wi-Fi.” So we capture the data and we let them know what they can do better. A part of that, as you said, from delivering many, many tours during the RSA Conference. As of two years ago, we started a speaking session - it's the last session of the conference - where we get up in front of everybody and we present our findings. And then it's followed by, of course, the RSA Conference Security Operations Center Findings Report, which is why we're here talking today. So let's talk about the network real quick. When I say it's typical, maybe it's not as typical but the difference being the wireless network at Moscone Center is a flat network with zero host isolation. That means everybody is on the same network and everybody can see everybody else on the network, and that's not typical in today's world. So...
Peter Beardmore:
Why is that, Percy, why do we do it that way?
Percy Tucker:
Well, we don’t control that, right?
Peter Beardmore:
Okay.
Percy Tucker:
That's whoever the Wi-Fi providers are, they have their own setups. Just for example we're not a true SOC, but we have visibility into the traffic and the network. When we see something happening, we can then go to the Moscone NOC and inform them, and in fact that did happen last year where we informed them of some traffic that they needed to take a look at. But a lot of organizations today do segmentation and isolation, meaning you get an IP address but nobody else can see you, which is more secure, right? So if you connect to the network and somebody can listen in on the network, and you have to understand that although we deploy high technology with NetWitness platform and Cisco's platforms, as well, anybody at the conference can do the same thing we're doing at a much smaller scale, right? They can turn their network adapter into promiscuous mode and capture that traffic and analyze it in its freeware tools. So the things that we are seeing, anybody can see and our purpose really is to help educate so that next year our stats and metrics are a little bit better, because you have to understand that it's also a security conference, right. We are a conference of normally about 45,000 to 50,000 attendees and we should be practicing safe security postures and hygiene.
Peter Beardmore:
So, theoretically, the RSA Conference attendee is smarter than the average bear because they're security educated, nevertheless there are some very interesting findings in the report that we are going to get to in a minute. Jessica, you have a comment?
Jessica Bair:
Thank you so much. As Percy talks about this, the SOC, what's really fun about it is the technology that we have that we bring together into the SOC is powerful, and, flipping a couple of switches, would turn it into a full security center where we could do blocking and things like that, but we need to make it open so people can experiment, they can do training courses, they need to be able to show demos but we have the visibility and the power to where, if we needed to, we could turn into a full security center and we have the expertise in there, as well. The only thing that truly would be missing would be endpoint security. Obviously we're not going to ask people to put agents on their devices and mobile or the laptops, but adding endpoints and turning on a couple of switches in the products and they would flip over to a full SOC operation, but that is an educational experience.
Peter Beardmore:
So in terms of the size and scale of a network, it is quite large for a network that only exists for literally a few days in February. In the report, you cited that you had captured 12 billion packets, 88 million logs, 187 million sessions. So this is a pretty widely used network.
Neil Wyler:
So it is, like it seems that way, right? When you look at it on its face, it looks like, “Wow, that's a lot of data,” right? You're getting an incredible amount of traffic from an incredible number of people with a huge amount of logs, but when you look at the number of unique devices that were on the network, you are looking at 13,000. Now, if we have offerings of 50,000 people and 13,000 devices have joined the network, it actually tells a story of a lot of security folks just saying, “You know what, never mind, I’m not getting on the Wi-Fi,” and this is really a story about those who choose to get on the Wi-Fi.
Peter Beardmore:
Those who choose to jump in the pool...
Neil Wyler:
Right, exactly. And so we see some interesting stuff, but, I mean let's say that's like roughly 20% of the attendees and it's probably more than that, but what does it mean for, again, when your employees go out into the real world? Percy mentioned airports, coffee shops, hotels, anywhere and they just jump on the Wi-Fi and start doing whatever. Again, you made the point earlier, like they should know better in this case, and that's what's really interesting about this is that everybody who is at this conference works in the security field in some form, whether that means that they are in finance or they are in sales or they are somebody who helps get the booth set up or whatever, they work for a security company or something around security. And so they should be more educated, and if we're seeing the types of behavior that we're seeing with people who are security smart, then what does that mean for the users who are outside of this? What would it be like if we went to a conference of 50,000 people who were all there for a dog show or something?
Peter Beardmore:
Right, right.
Neil Wyler:
Like what would that traffic look like and what would be the types of things we saw?
Peter Beardmore:
Jessica?
Jessica Bair:
It really is, thank you. Now, with those users, we had over 37 million DNS requests over the week. By default, we would be blocking everything that was malware related, command and control, call back, phishing attacks. We also could have blocked crypto-mining, tunneling and, for new domains that just popped up, it could be a problem. We also tracked thousands of applications and the use of DNS and those were all categorized and we could have blocked individual ones which are high risk. Say if you are worried about people doing data exfiltration, if they had an off brand VPN or things like that. So, as Neil talked about, people would jump on their local Wi-Fi and then they start doing DNS queries or things like that. We had complete visibility in that and then in the real world, we could take action and protect these people.
Peter Beardmore:
And in the real world, if you are at a coffee shop or some other place, chances are there is really nobody looking at this and sampling the traffic and analyzing the poor behavior.
Jessica Bair:
Or if you are in the same coffee shop as Grifter, his card is in promiscuous mode and he’s sniffing you...
Peter Beardmore:
That's a good point.
Jessica Bair:
Traffic scan ...
Peter Beardmore:
Right, right.
Jessica Bair:
... Wireshark but ...
Neil Wyler:
How dare you?
Jessica Bair:
You never know.
Percy Tucker:
No, you don’t, that's the truth of it, you never know and that is, but I think what Peter is saying is there is probably not somebody who's got your back at the coffee shop. There is not like Kevin over behind the espresso machine who is like, oh, I saw a DNS request go out to a malicious site but no worries, Carol, I blocked it for you, like that's not happening, right.
Jessica Bair:
So we actually saw a real world DNS thing happen there where there was a device that had made over 2,000 DNS requests to the same domain group over Saturday, Monday and Thursday. That was a malicious domain. So someone came into the network, turned on and started beaconing out, and we were able to learn about that because we have tied in threat intelligence, learned about this command and control infrastructure where it was going, that a lot of the traffic was rush related and then report that to the Moscone network operation center, so they could take action deemed appropriate.
Peter Beardmore:
And I would imagine that intelligence was further leveraged by RSA and Cisco threat response for our own customers as well, right?
Jessica Bair:
Yeah, we used Umbrella, Cisco Umbrella for ...
Peter Beardmore:
Yeah, okay.
Jessica Bair:
... the DNS.
Peter Beardmore:
Okay. We'll get to the products in a minute. I do want to get into some of the issues around the behavior and particularly the actionable behavior that security leaders who might be listening may have an interest in and may be able to effect. One of the continuing themes in the report was cleartext, unencrypted information crossing the wireless wire, so to speak. Percy, can you tell us a little bit about some of the interesting things that we were able to capture?
Percy Tucker:
Sure. So, we try and keep metrics year over year, not only from the RSA Conference but as being a partner in the Black Hat NOCs to determine kind of what the trends are. We originally saw some differences between Asia-based conferences versus India or United States-based conferences but this year we maintained roughly the same percentage of unencrypted data or encrypted data, depending which way you want to look at it, which was about 76% or 78%, I'd have to go back and take a look...
Peter Beardmore:
78...
Percy Tucker:
78%, so that means 22% of the data is in the clear, right? So part of that is from an educational perspective of just bad security profiles. So in cleartext passwords, we saw a high number still of user names and passwords and e-mail being unencrypted, and it's a really hard thing to do in today's environment. So if you think of the major service providers, not even the corporate e-mail servers but the major e-mail service providers, those are all encrypted and it takes a really hard - it's difficult to actually do e-mail that's not encrypted. So most of the e-mail that we did see was from, it seemed to be coming from hosted vendors, maybe small to mid-sized businesses that are paying for a service that they get their e-mail, it works for them but they don’t really know the technology behind it, right? So when you look at the protocols used in the cleartext e-mails, we still saw IMAP, early versions of IMAP and POP3 and those protocols really shouldn’t even be used anymore. So when you've got 12 people in the SOC and you're seeing cleartext user names and we have to write a report and we have to educate them, so there is a lot of voyeurism going on in the SOC to try and come up with details on what we see in the SOC, so it's a lot of fun.
Peter Beardmore:
And you captured 96,000+ cleartext user names and passwords emanating from over 2,100 different devices and accounts?
Percy Tucker:
And the interesting thing is you, Peter, could have a completely secure e-mail and you could send somebody an e-mail that is using one of these hosted servers that they are not really sure about and they reply and basically the entire chain then becomes cleartext, right?
Peter Beardmore:
Uh-huh.
Percy Tucker:
So although originally we might not have been able to see your e-mail, we get to see it in the end.
Peter Beardmore:
Let's talk a little bit about mobile apps. I think every year I would assume we're seeing more and more use of mobile apps. One of the points that was made in the report is that security in mobile apps is inconsistent, I guess is probably the best way to put it. You have some mobile apps with strong authentication, which subsequently bleed data all over the place. You have mobile apps that give you all kinds of information, basically everything. You even have some mobile apps that are giving location information and location history. Is that something that any of you would like to speak to in a little bit more color?
Neil Wyler:
Yeah, I can talk about that for a second. I think the thing with mobile apps is that there is inherent trust on the user's part that “Oh, well, I’m downloading this thing to my Samsung device. I’m downloading this thing to my Apple device. Oh, I get it from the Google PlayStore. I get it from the Apple App Store. So this is vetted by a large company, right? Or somebody is looking at the security here.” But apps are just written by anyone, right? I mean like say in some cases apps are written by children, right? So they may not have security as the first thing on their mind when they are trying to develop their million dollar application. When it comes to things like the Play Store or the App Store, essentially what's being done there is just “Is this malware?” right? I mean that's the security check that those organizations are doing. They are just like “Is this blatantly malware? Okay, it's not. Yes, it gets to go up on the store.”
Peter Beardmore:
So the hygiene doesn’t necessarily factor into whether it goes or not?
Neil Wyler:
Exactly, exactly. So it's not like “Oh, does this leak data? Does this broadcast location data without encrypting it? What's the communication like end-to-end to its backend servers that it's communicating, that the app communicates with as well?” So there is not a lot of that level of vetting that goes into it and unless you are doing that as a user, as an individual, then you don’t know what you don’t know, which is why we always recommend, whenever we're talking to groups at Black Hat or RSA at the NOC or SOC, we say go home and connect to your own Wi-Fi and capture the traffic. Just start firing up apps on your phone and using them normally and look at them to see what they do, like vet them on your own to say like is this leaking data? Like trust is great, but you have to realize where you're placing that trust. You're not placing that trust with Apple, you're placing it with a random developer, like Carl in his basement somewhere in Montana.
Peter Beardmore:
Yeah. Jessica?
Jessica Bair:
Yeah, so as Percy was talking, we saw about 4,300 mobile apps on the network and one in particular we saw every hour on the hour there was an old device that was beaconing out to an emulated e-store for a major manufacturer in the European Union and, tracing it back, we're able to see that it was an app that had been deprecated by the developer but it was still active on this person's computer and it had been hijacked to go to this adware serving place again checking every hour. We actually have other manufacturers, they were at the conference and they came in for a tour and we were able to show that to them and they took screenshots and went to take appropriate action. So, as you mentioned about the bleeding location information, there was an app that we saw there that was saying here is your GPS location where you are at. Now, we can start in Chicago, we found out, right, because it came online and said where he was before and then Grifter was watching him walk around San Francisco in the Moscone Center because we could put the GPS coordinates right into the GPS, the latitude and longitude. So he said, “Do you know what your app is doing?”
Peter Beardmore:
Traveling. Percy?
Percy Tucker:
Yeah. So once again being an educational exhibit, I like to think that this podcast and the publication of the reports actually does help a little bit. When we first started out several years ago, we found that dating applications would authenticate perfectly securely but then we would see who they were swiping left and swiping right. We would see peoples' home cameras, their dogs, their living rooms, things of that nature. We did the first one and all of a sudden about nine months later, everything is encrypted post authentication which is a good thing. DNS exfiltration - and Jessica can speak to this - has been a major force in data exfiltration and I think Apple just announced that this year they're going to start using encrypted DNS. So talking about these things is a good thing, right, because changes eventually get made. We did take a little bit of a step back this year in terms of some of the mobile apps but for the most part, I think we're in a lot better place than we were in year one, year two.
Peter Beardmore:
So there is a positive trend overall but we do have a tendency to go two steps forward, one step back so to speak.
Percy Tucker:
Absolutely.
Peter Beardmore:
Jessica, can you comment on DNS exfil?
Jessica Bair:
Yes, what he is saying there is, a lot of the time your DNS requests will be in plain text so that people can see where you're going and not only does it say what you're searching for but you can have this entire string out there of where that is and if there is not proper authentication on that server on the endpoint then someone could take it there and go and grab it themselves. So having it be encrypted is really important, and it's something we continue to encourage.
Peter Beardmore:
I want to take a moment to talk about some of the technology that was leveraged in the RSA Conference SOC. Naturally, because this was sponsored by RSA and Cisco, we leveraged a lot of technology from RSA and Cisco. Percy, can you talk a little bit about the role that RSA NetWitness platform had in your operations?
Percy Tucker:
Sure. So because we only have a span of the Moscone wireless network, RSA NetWitness platform of network is the primary tool that we used to view that mirror of the traffic. So we utilized that in a partnership with Cisco by capturing that traffic. We analyze it for malware. As we see files, we do an initial scan, but then we send that up to Cisco and I'll let Jessica talk about Cisco implementations. This year we also brought in some additional Cisco equipment where we're able to collect some logs, but logs from internal devices. So we primarily use RSA NetWitness network and RSA NetWitness orchestrator and this year we added RSA NetWitness logs.
Peter Beardmore:
Okay. And so when we are talking about going to Cisco for analysis, Jessica, I am assuming we're talking about ThreatGrid?
Jessica Bair:
That's correct, so that's where I started is ThreatGrid. So that's malware analysis, integrated threat intelligence. When something would come through, the NetWitness would packet capture that has a potential to be malicious, NetWitness and malware analysis has its own engine to do like our total lookups, the network lookups and some community and things like that but also then send to ThreatGrid for dynamic malware analysis. This is the only partnership in which any NetWitness customer can get ThreatGrid for five samples per day for no cost, plus be able to log into the portal and look at the threat intelligence and do manual uploads. It's because it's been around for seven years, and we've kept it and after Cisco acquired ThreatGrid, and that's just how close our partnership is. So you can do this yourself if you have NetWitness. So we would have it up in the SOC and you would see these VMs popping off and those were what we call glovebox. We could actually click in and go into the virtual machine without getting infected and interact with the sample just like when the Center for Disease Control and other virologists are working with the coronavirus, they don’t want to get infected, they put their hands in the gloves and work with it. We do the same thing virtually. So with that, we're able to see things that come through. Sometimes we would see plaintext documents which was we would see some personal information but sometimes it would be malware. The last couple of years we had someone pop in and there are a couple of thousand samples just to see the lights go off and everything go red and things like that, but we were able to take that intelligence and see has this ever been seen before, where is it communicating out to, the full packet capture of that and then alert our team members over there on the RSA side if we need to investigate it further.
That has since grown to be Umbrella which is the DNS protection and visibility and then this year we also brought into the one at San Francisco the Firepower IDS - intrusion detection system. If it would have been a full SOC, we would have flipped on the firewall protection and we've had that ...
Peter Beardmore:
Uh-huh.
Jessica Bair:
... for a couple of years down in Asia in APJC conference and that's worked really well. So that's the core security stack.
Peter Beardmore:
So I have two more questions that I want to touch upon. The first is what advice do you have - and I'll direct this question to Percy - for security leaders who, and obviously there isn’t a whole lot of business travel happening these days but there are a whole lot of people working still from Wi-Fi from their home networks or coffee shops or what have you: what are some tangible things that security leaders can do to help mitigate some of these risks that you folks have clearly identified in the RSA Conference network?
Percy Tucker:
So reconnaissance is the first step in any type of breach, right? And if you read the RSA Conference SOC Findings Report, you can see that we see a lot of information that will satisfy the reconnaissance portion of any attack. We give off too much information both personally, whether it's app based or e-mail based, but also on corporate devices naming information, IP address configuration where certain devices are on your network. A lot of these are misconfigurations. They should never be seen because they should only be seen once the connection is made or should be encrypted, but that information is there. We use old technologies such as SMP Version 1. Those should all be corrected, but if you think about in today's times, the stuff in the report is for security practitioners or, as Neil said, people working for security companies.
In today's new normal, everybody is at home, right? And if you take the small subset of security practitioners away, that's a pretty big population of people that are not security based, right? So they may have corporate devices that are attached to a personal Wi-Fi network but do you have any doubt or any visibility of whether they have ever changed the default user name and password or updated their firmware or who is attached to that network? You’ve got one of the leading social engineers in Grifter here - there is so much information out there that you can just use that information to get the next piece of information and in today's environment from working from home, we are giving off way more than we should.
Peter Beardmore:
So final question, this is sort of a jump ball, but I would imagine this time of the year normally you folks are gearing up for an event in Las Vegas that occurs mid-summer in Black Hat. This year that event is virtual, but you're also participating in another event that RSA is sponsoring: the RSA Cyber Security Summit and I’ve seen your names on some agendas. So curious what you folks are going to be doing to help support the cyber security summit at the end of July?
Percy Tucker:
So Jessica, Grifter and I are part of an ITSP panel discussing the remote workforce. So we're happy to be a part of that conversation. And then Grifter and I are part of Steve Schlarman's Digiville series where we are looking at the threat landscape within Digiville.
Peter Beardmore:
Alright. Well, thank you all, Neil Wyler, Jessica Bair and Percy Tucker, for taking the time to chat with us today on the RSA Podcast. We look forward to seeing and hearing from you again at the RSA Cyber Security Summit at the end of July, which we will also provide a link to. And have a great day. Thank you very much.
Season 2 | Episode 5: Workforce Disruption
Listen time: 27 minutes
We're wrapping up our series on the disruptions resulting from rapid acceleration of digital transformation. In this episode we welcome RSA's Brian Breton, VP for Channel Sales and Operations and Tony Karam, Digital Risk Strategist at RSA. We discuss the myriad of challenges that workforce disruption has brought to security and risk managers; and we look at how RSA and our partners were able to respond to a dramatic spike in demand for identity solutions earlier this year.
Season 2 | Episode 5: Workforce Disruption
Peter Beardmore:
Hi, and welcome back to the podcast. This is Peter Beardmore from RSA Marketing. Truly appreciate you taking the time to listen. Today we are talking about workforce disruption as we continue our conversations about the various disruptions that organizations have faced and are continuing to face as a result of the global pandemic. This is a two-part conversation today. First I will be joined by Tony Karam, Senior Solution Strategist at RSA, to talk about some of the direct effects that we have seen on workforces and how RSA has been working with organizations to help sustain their operations over the course of the last several months and going forward. The second part of our conversation today will be with Brian Breton, who leads RSA’s Global Channel organization and operations, to talk about some of the effects that the pandemic, and specifically workforce disruption, had on RSA, both internally to our own organization as well as needing to continue and actually flex and surge our operations to meet the demands from our customers, particularly during those first stages in the early months of the pandemic, to help organizations contain the spread by effecting the move to remote work. So first, Tony Karam, thank you for joining me today.
Tony Karam:
Thanks, Peter. Glad to be here.
Peter Beardmore:
So let’s talk a little bit about what you experienced, and by extension RSA experienced, earlier this year as the pandemic began to spread and organizations realized this was going to be a major inflection point, probably mid Q1 for most organizations this year. What did that mean in terms of the need for security products to help facilitate this motion to remote work?
Tony Karam:
Yeah, of course dramatic is an understatement, right. It was certainly a dramatic shift for everybody. We have certainly seen unprecedented levels of remote work and, just to put that in context for our listeners, prior to what many are calling the largest teleworking experiment in history, only about 5% of people in the United States who aren’t self-employed worked from home at least half-time. Alright. Compare that now with some polls and results that we see: we find upwards of 60%, more than 60% of folks here in the US are working from home, right. So that is a massive shift.
Peter Beardmore:
So when you use the word unprecedented, which has probably been the most overused word in the last few months, you are really not kidding.
Tony Karam:
Yeah.
Peter Beardmore:
That is dramatic.
Tony Karam:
Exactly. And it’s not just the sheer number of people working from home, but it’s the speed at which they were required to do so, right? So that is, from an organizational perspective, about how quickly organizations and our customers had to stand up this remote workforce, had to stand up technologies like virtual private networks, cloud applications, collaboration tools like Zoom, let’s say, really quickly. It also was a real challenge for workers or people as well, right, having to acclimate to really working from home, right. So not only were they inundated with new technologies that they had to learn to use rather quickly, but they were learning to use all technologies, maybe home computers or mobile devices, in new ways, right, from a work perspective.
Peter Beardmore:
So what does that mean? Obviously that means new devices, new applications, but there is also just how do you connect to the assets that you need to connect to back at work, right? Are we talking VPN as the primary means of access and securing that through old fashioned two factor authentication?
Tony Karam:
Yeah. We are seeing a number of things, of course. Different organizations are at different levels of maturity when it comes to, sort of, you know, digital transformation or where they are on their journey to digitize their business. So we're certainly seeing lots and lots of organizations using VPNs or standing up VPNs, and of course using two-factor, or what is now known more as multifactor, authentication to ensure that they have a high level of confidence that they know who is logging onto their network or their applications, right? We are also seeing, though, a number of more mature customers that are using sort of what we call digital workspaces, using single sign-on or virtual environments to connect directly to cloud assets as well, whether those cloud assets are in public clouds or private clouds or some form of hybrid cloud, again turning on strong authentication. It really was the tip of the spear, really what we have seen, really how organizations reacted. They had to extend access sort of beyond the “castle walls," if you would, first, and then their first order of business was to be able to secure that access, and we saw them do that with technologies like multifactor authentication and, for us, using RSA SecurID Access.
Peter Beardmore:
And since then, are organizations beginning to come to grips with the fact that there are a lot of applications out there being used across a lot of different devices, and needing to rationalize that from a risk and security standpoint, I would imagine? I mean, once you have got authentication figured out, there are orders of magnitude and complexity that are going to take some time and thought to really figure out and begin to add the level of control and oversight that you had when you were doing this all back at the office.
Tony Karam:
Yeah. We have absolutely seen that. I think one of the important points to get across is that the impact on the workforce goes way beyond just changing where people work, right - meaning working from home. It also fundamentally is altering what work is being performed and how we perform it. We have all seen in sort of the headlines, we have seen from talking to, or I have seen from talking to customers directly, that they are having employees take on different roles and responsibilities to better respond to the evolving needs of their business and their customers, right? We have all seen stories around manufacturers retooling their plants to provide PPE and lifesaving medical equipment; large banks were temporarily converting thousands of employees into customer service reps. We are actually seeing a new phenomenon where organizations are actually sharing employees across different companies.
Peter Beardmore:
That must be fun from an access management side?
Tony Karam:
Yeah, exactly, exactly. And we have even seen, we have even witnessed and RSA has been on the front lines of helping healthcare organizations literally get physicians to virtually cross state lines via telehealth so that they can care for patients who otherwise wouldn't have received any sort of medical attention or treatment, right.
Peter Beardmore:
So there are really two different phenomena we are looking at. Number one is we are looking at changes in process just because we are going from physical to virtual. If you were processing a bill that was a paper bill sitting in your inbox, well, that obviously is a process that needs to be virtualized if you are working from home. So there is that aspect, and probably additional applications and roles and things that people need to do to be able to deal with that, but there is also that your job is changing because the needs of our customers or the needs of our organization have changed and, therefore, we need to figure out entirely new roles for people.
Tony Karam:
That’s absolutely spot on. So as that is happening, we are also seeing of course a larger number of furloughed workers coming back to work, as well as companies starting to figure out how to bring their sort of first wave of essential workers back to physical offices and job sites, right? And what this all sort of equates to is the shifting around of the workforce causes what we call a revolving-door workplace of joiners, movers and leavers, and significantly increases access and compliance risks. Organizations I talk to are looking for help in governing access as workers come back to work, expand their current roles and ultimately change jobs, right.
Peter Beardmore:
So you just brought up another really interesting point here, which is it is not just the controls that need to be taken care of - there’s the governance and compliance aspect of this as well, particularly if you are operating in a regulated industry, right. It’s not just so much patting yourself on the back and saying “I’ve got the appropriate level of controls commensurate with the risk that we perceive to our organization,” you’ve got to show somebody at the end of the day what you have done.
Tony Karam:
That’s right.
Peter Beardmore:
And that's a whole other level of burden that in some cases I would imagine organizations may have overlooked or perhaps the more mature organizations have gotten figured out.
Tony Karam:
Yeah. That’s exactly right. This new workforce requires continual access governance to ensure people have what they need while they are on their job, and that access is updated promptly when they no longer need it. What we are telling companies and customers is, first and foremost, they should be automating things like provisioning and de-provisioning as they are on-boarding and off-boarding workers into their organization, right. And the automation aspect of it enables them to keep pace with the dramatic change that is happening right now. They also want to ensure that they are avoiding granting excess entitlements, in what we call accumulation of access. Now this can commonly occur with a continually changing workforce, right: as people come and go, they change jobs, all of a sudden they are being asked to expand their role within an organization, so they may have rights to new entitlements for an undetermined amount of time, and, of course, we also are advising folks that taking a least-privilege approach can help them contain the spread of things like malware and risks associated with compromised credentials. Regularly performing reviews and recertifications will also help them limit what we call accidental or intentional access abuse, as well.
Peter Beardmore:
Tony Karam, Senior Solution Strategist from RSA, thank you again for joining us today. Before I let you go, how can people find you or get a hold of you if they’d like to?
Tony Karam:
Yeah, for sure. Folks can find me certainly up on LinkedIn or can reach out directly by e-mail and can get me at tony.karam@rsa.com.
Peter Beardmore:
And Karam is K-A-R-A-M.
Tony Karam:
That’s correct.
Peter Beardmore:
Alright, Tony. Thank you so much, good talking with you and have a great rest of your day.
Tony Karam:
Thanks Peter, you as well.
Peter Beardmore:
Our next guest on the podcast is Brian Breton, Regional Vice President for Americas Channel Sales and Operations at RSA. I invited Brian to come in and talk with us today about RSA’s experiences as we simultaneously saw a very sharp increase in customer demand, as organizations all over the world were dealing with this rapid shift, this rapid move to enabling their remote workforces, just as RSA and everyone in our supply chain and partner network was also going through the same experience. Unfortunately, the day that Brian and I spoke we ran into some technical challenges and realized in editing that we had lost the first two minutes of audio in our conversation. Nevertheless, the conversation was certainly worth including. We are just going to have to forgo the typical greetings and salutations that normally happen at the beginning of the conversation and drop into it in progress. So I beg your patience here as we drop into the conversation with Brian Breton, the Regional Vice President for Americas Channel Sales and Operations, in progress.
Brian Breton:
So Peter, as the market started to drive the demand for technology to enable the remote workforce, in many companies it’s just now ingrained in their DNA that once you go outside, they need to have an extra level of protection. The bottom line of defense is strong authentication technology, but everybody wants to make sure the users are who they say they are, and RSA SecurID is an extremely strong brand in the market, such that we are often asked for by name. What we saw here was, with everyone else, first a bit of a spike in orders from customers needing some help, and I should clarify that these orders were coming from our resellers, because RSA SecurID customers, for the most part, are with channel partners, and so they started calling up their channel partners, which makes a lot of sense, because they were calling resellers with basically a grocery list: I need 200 laptops, I need X amount of licences for office software, I need some ERP licences, I need some VPN licences and I need some strong authentication. And that’s what resellers do. They pull that grocery list together for you as the customer, so then the customer makes one phone call. And so that started to increase here in RSA, which was great, but then - I forget if it was the, I think it was about the middle of the second week in March - when in one day the volume of orders basically spiked through the roof, and that spiking of orders didn't let up for three weeks, and every request for an order was needed in 24 hours.
Peter Beardmore:
Right.
Brian Breton:
Right?
Peter Beardmore:
And of course this is happening as governors are putting in stay-at-home orders. The stay-at-home orders are affecting the businesses themselves, they are affecting our resellers, our distributors, RSA and our suppliers all at the same time.
Brian Breton:
Absolutely, exactly, right? We are all caught in this whirlwind, which is why in some cases companies literally had to close the door, send people home with no means of them connecting to work, and over the next week or two, as they started to get their resources, told people to drive over to the building, call us when you get here, we will bring a laptop out to you. But that didn't happen overnight; that occurred over the course of a number of weeks.
Peter Beardmore:
Yeah.
Brian Breton:
But, and so here at RSA, our orders spiked, and what was really interesting was the customers were all demanding our solution along with other solutions; they all needed everything tomorrow - because they were trying to keep their company going as quickly and having all their people working as effectively and as quickly as they could. The resellers were in the middle of this, while they were dealing with their own problem with their own company, and then, of course, we were dealing with it all the same way, where our people got sent home. We were trying to fulfil orders. Some of our solutions are hardware based that literally need to be packaged and placed in boxes. So it’s not like - we needed people in our plant to do a subset of jobs, like many, many companies have been.
Peter Beardmore:
Right.
Brian Breton:
And so we’re now working extended days, we are working through the weekends, but we are doing this along with the resellers and the customers. It was really interesting to see how much of an effort so many customers, so many companies and IT staffs were making to get everything lined up by the end of the week so that they could implement and push things out over the course of weekends. While they were trying to keep their normal business going during the week, they were trying to do a lot of this business recovery work over the course of weekends.
Peter Beardmore:
Right. Outside of hours so that they are not …
Brian Breton:
Right.
Peter Beardmore:
… interrupting their own customer service.
Brian Breton:
That’s right.
Peter Beardmore:
Right. Now obviously, when we are talking about authentication, there are a lot of different options there. You mentioned the hardware tokens that I think most people are familiar with, because it is a six-digit code that you combine with a PIN; the code changes every minute or so. But there are other options out there that are more software based. Tell me a little bit about what you saw in terms of the mix of demand. Was it token demand? Was it multifactor authentication? Is it more risk based, where we are seeing different authenticators for different applications? Where was the demand in the case of this particular crisis?
Brian Breton:
Sure. What was interesting about this, Peter, is I think if you polled the market, anyone who knows RSA and knows RSA SecurID, the majority of people would say oh, yes, the hardware token.
Peter Beardmore:
Right.
Brian Breton:
Right?
Peter Beardmore:
Right.
Brian Breton:
It’s what we are known for, but as you mentioned, right, we have what we call software tokens, which you can install on your cell phone, you can install them on your computer. We have mobile authenticators that you can install on your cell phone that will work in a number of different ways, from sending you a one-time SMS code to a facial scan, to thumbprint biometrics on your phone back to our backend server. So what was really interesting was, because we have this broad portfolio, and, you know, Peter, if you look at our annual sales you will see a good distribution of the different, what we call, form factors, the different types of authenticators we offer. But during this period of time, what was really interesting was the extremely high demand for the software/mobile authenticators compared to the hardware authenticators. And we attributed this primarily to the ability to actually distribute the technology. When you have a piece of hardware, whether it’s a cell phone or a laptop or a security hardware token, that has to ship from point A - from RSA - ultimately to the end customer, and then the end customer or the IT staff has to then get it into the hands of the end user, and that takes time.
Peter Beardmore:
Yeah, we wanted to streamline at this time.
Brian Breton:
Right.
Peter Beardmore:
We want to be much faster and more efficient.
Brian Breton:
Right. And normally, when people ask for the hardware tokens, no one is worried about the fact that from the time they place their order to the time they get it in a human being's hand, it might take five or six days, depending on how fast everybody in the process moves. In this case, people needed them tomorrow. And not just receive them from RSA tomorrow, but be able to get them in the hands of people tomorrow. So between the RSA sales team, the resellers' sales team and fortunately a good amount of our customers out there in the market today who understand - and all these people understand about the portfolio - people were smart enough to realize that if they order the software version of RSA SecurID in any of the software form factors, when the order is processed here at RSA, the customer receives a link to download the software, and when they receive the software, they can then push it out to their end users. So you talk about somewhat instantaneous: you have taken a couple-of-days process and turned it into a couple-of-hours process.
Peter Beardmore:
Yeah. And I have actually heard that from some of our customers who talked about, not necessarily new customers, but customers who had RSA in place, using RSA Access Manager, and were able to basically extend their use of RSA using soft tokens and other software-based authenticators to go from, in some cases, 5, 10, 15% of their workforce to 95% of their workforce literally in a 24-hour period, which is extraordinary when you think about it …
Brian Breton:
Mind blowing, absolutely mind blowing. Peter, I think about how hard we worked to help our customers keep their companies going. I can’t even fathom how hard the IT staffs and our customers worked during this pandemic to not just pull RSA together and get it out there for their users, but for everything that they had to pull together and get it up for their users.
Peter Beardmore:
And really an extraordinary partnership that exists today between RSA’s customers, our resellers, our distributors and the vendor itself to be able to facilitate some of this in obviously extremely adverse conditions, it was really a testimony to our combined success and the work that we have done over the years to establish this.
Brian Breton:
Well, yes, and actually let me give you an example of this, too, which is, well, we actually have this option in the security product line called the business continuity option, and a lot of customers honestly don’t know about it, and when we had people calling us up and saying, “Hey, listen, I need help and I need help fast,” we and our partners talked to our customers very quickly about our business continuity option, which basically is a six-month solution that helps you put a strong authentication solution in place for six months, because we understand that there are customers out there that at times need a solution for a short period of time, or they are not sure how many of their users are being impacted and they are trying to over-cover their area just in case, and by using our business continuity option, we say, “Okay, listen, we can help you here for six months with this, and during that time you should be able to figure out what you need, if you need more, if you don’t need more; after this you are good,” and it’s a nice way of helping your customer in a time when there’s indecisiveness. So along with long-term solutions, we are able to offer the market some short-term solutions with a lower cost, lower impact, but still providing them that extra layer of security that they were looking for, and looking for quickly.
Peter Beardmore:
Well, Brian, our time is coming to an end. Anything that I haven’t asked you about that you want to make sure we mention here?
Brian Breton:
No, I think, Peter, just know, we are all in this together, and for our customers and our partners, know that RSA is here to help you with insights, thoughts, advice and experience. I hope that everyone who just went through the experience that they did, that worked with RSA, realizes we rose to the challenge to meet everyone’s needs. We weren’t going home on any given day until every order we had was fulfilled. There were a lot of orders. People worked long and hard. We want to be a trusted business partner. I think time and again we’ve proven that. We’ve got the experience; I like to say I myself have the battle scars. I have been hacked twice, and that goes a long way to knowing what to do and how to do things. And I just again want to thank all of our partners and customers out there that are listening. And we are here for you when you need us for anything. Don’t hesitate to ask. If we can’t help you with it, we will happily point you to people who can, because, given our place in the industry, we have got a lot of connection points. Let's say that we know what needs to be done and who can do it, if we can’t.
Peter Beardmore:
Brian Breton leads RSA’s channel sales and operations function. Brian, where can people connect with you, see you online or get a hold of you if they need to?
Brian Breton:
Sure, Peter. Like anybody can find me here at RSA and the easiest place to find me is on LinkedIn. I’m there. I’m a regular poster and anything I can personally do for our customers and partners, I am happy to help. So please don’t hesitate to reach out to me.
Peter Beardmore:
Alright, Brian. Thank you so much for joining us.
Brian Breton:
Peter, thanks for having me today.
Peter Beardmore:
Alright, take care. And thank you our audience for joining us today on the RSA Podcast. Have a great day.
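As an added illustration of the joiner/mover/leaver access governance Tony Karam describes in this episode (automated provisioning and de-provisioning, avoiding accumulation of access, least privilege, and periodic recertification), the following example was written for this page; it is not RSA's code and does not represent any RSA product. The role baselines, users and event sequence are constructed for the example.

```python
"""Joiner / mover / leaver access governance: automatic provisioning and
de-provisioning, explicit time-boxed exceptions, and a recertification pass
that surfaces accumulated access.  Everything here is a constructed example."""
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set, Tuple

# Hypothetical role -> entitlement baselines (assumed for the example).
ROLE_BASELINES: Dict[str, Set[str]] = {
    "teller": {"core-banking:read", "vpn", "email"},
    "customer-service": {"crm:write", "phone-system", "vpn", "email"},
    "payroll": {"hr-system:write", "vpn", "email"},
}


@dataclass
class Identity:
    user: str
    role: Optional[str]                       # None once the person has left
    entitlements: Set[str] = field(default_factory=set)
    exceptions: Dict[str, str] = field(default_factory=dict)  # entitlement -> justification


class AccessGovernor:
    def __init__(self, baselines: Dict[str, Set[str]]) -> None:
        self.baselines = baselines
        self.identities: Dict[str, Identity] = {}
        self.audit_log: List[Tuple[str, str, str]] = []   # (event, user, detail)

    def _log(self, event: str, user: str, detail: str) -> None:
        self.audit_log.append((event, user, detail))

    def joiner(self, user: str, role: str) -> Set[str]:
        """Provision exactly the role baseline: least privilege from day one."""
        ident = Identity(user=user, role=role, entitlements=set(self.baselines[role]))
        self.identities[user] = ident
        self._log("joiner", user, f"role={role} provisioned={sorted(ident.entitlements)}")
        return set(ident.entitlements)

    def mover(self, user: str, new_role: str) -> Tuple[Set[str], Set[str]]:
        """Grant the new baseline and revoke old-role entitlements the new role
        does not need.  Explicit exceptions are kept (they are reviewed later)."""
        ident = self.identities[user]
        old_baseline = self.baselines[ident.role]
        new_baseline = self.baselines[new_role]
        revoked = {e for e in ident.entitlements
                   if e in old_baseline and e not in new_baseline
                   and e not in ident.exceptions}
        granted = new_baseline - ident.entitlements
        ident.entitlements = (ident.entitlements - revoked) | new_baseline
        ident.role = new_role
        self._log("mover", user,
                  f"role={new_role} granted={sorted(granted)} revoked={sorted(revoked)}")
        return granted, revoked

    def grant_exception(self, user: str, entitlement: str, justification: str) -> bool:
        """Record an out-of-role grant with its reason so it shows up at recertification."""
        ident = self.identities[user]
        if entitlement in self.baselines[ident.role]:
            return False                      # already covered by the role; nothing to except
        ident.entitlements.add(entitlement)
        ident.exceptions[entitlement] = justification
        self._log("exception", user, f"{entitlement}: {justification}")
        return True

    def leaver(self, user: str) -> Set[str]:
        """Off-boarding removes everything, including exceptions."""
        ident = self.identities[user]
        revoked = set(ident.entitlements)
        ident.entitlements.clear()
        ident.exceptions.clear()
        ident.role = None
        self._log("leaver", user, f"revoked={sorted(revoked)}")
        return revoked

    def recertify(self) -> Dict[str, Set[str]]:
        """Return, per user, entitlements held beyond the current role's baseline
        (accumulated access), plus any residual access on a departed account."""
        findings: Dict[str, Set[str]] = {}
        for user, ident in self.identities.items():
            if ident.role is None:
                excess = set(ident.entitlements)
            else:
                excess = ident.entitlements - self.baselines[ident.role]
            if excess:
                findings[user] = excess
        return findings


def run_example() -> AccessGovernor:
    """Constructed event stream: a bank moves a teller into customer service,
    a payroll clerk gets a temporary CRM grant, and the teller later leaves."""
    g = AccessGovernor(ROLE_BASELINES)
    g.joiner("alice", "teller")
    g.joiner("bob", "payroll")
    g.mover("alice", "customer-service")
    g.grant_exception("bob", "crm:write", "covering customer-service lines during surge")
    g.leaver("alice")
    return g


if __name__ == "__main__":
    gov = run_example()
    for entry in gov.audit_log:
        print(entry)
    print("recertification findings:", gov.recertify())
```

Running the module prints the audit trail and a recertification result that names only bob's out-of-role CRM grant; alice's move revoked her core-banking read access rather than letting it accumulate, and her departure left no residual entitlements. The audit log is what a reviewer would hand to an auditor to show what was provisioned, changed and removed, and when.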
Season 2 | Episode 4: Managing Business Operations Disruption
Listen time: 23 minutes
In this episode we welcome Patrick Potter, RSA Digital Risk Strategist, to discuss resiliency amid acute business disruption. How have business operations functions kept ahead of the tidal waves of change and disruption? Patrick shares recent stories and timely insights, drawing on his extraordinary experience leading resiliency practices for global finance, hospitality, and transportation brands. Today, in addition to helping guide RSA's solutions marketing function, he works with top customers to help refine and mature their resiliency and compliance strategies.
For more information, check out the RSA Maturity Model for Business Resiliency
and Patrick's Blog: Resilient in Times of Disruption
Season 2 | Episode 4: Managing Business Operations Disruption
Peter Beardmore:
Hello, and welcome back to the podcast. This is Peter Beardmore from RSA and today we are talking about business operations disruption as it relates to many organizations around the world reacting to the extraordinary changes and crisis that we faced over the last several months. My guest today is Patrick Potter, who is a Digital Risk Strategist at RSA. Patrick, welcome.
Patrick Potter:
Thanks, Peter. Glad to be here.
Peter Beardmore:
Patrick, tell us about your backstory. You are one of our preeminent experts when it comes to digital risk management or risk management of all sorts but you have a really interesting background. So why don't we begin by talking about what you've done throughout your career and what brought you to RSA?
Patrick Potter:
Yeah, sure. So I've been with RSA nine years this month, actually last month in May.
Peter Beardmore:
Congratulations. Happy anniversary.
Patrick Potter:
Thank you. Yeah, it's been a great organization, I’ve really enjoyed it. So my background was I started out in financial services in an internal audit function. I did that for about eight years, rose up to the level of Director, did lots and lots of financial, operational, IT-type audits. So I saw the whole underbelly of this global financial services organization I was with, and then I moved. Well, actually, I moved from internal audit into reporting to the CISO. So a complete switch; what led up to that was I was leading the IT audit function in the Southwest US for the financial services company and loved IT. So I moved into reporting to the CISO, kind of a Chief of Staff role, and there I helped oversee the IT Disaster Recovery Program, Business Continuity, Six Sigma, IT process improvement, a number of things. Did that for a few years and then moved into a role where I was overseeing re-engineering for the entire IT organization. We had a goal of about 250 billion dollars to take out of the cost base, so really got to understand the IT workings. So I moved from there, Peter, into a manufacturing organization. I was there for about a year doing things like Six Sigma process improvement, activity-based costing, ran my own consulting company for a few years and then moved into Protiviti, a consultancy, was there for about five years, and I was a Director in the Phoenix practice, where I oversaw starting up a business continuity consulting practice, did a lot of internal audit there again, a lot of Sarbanes-Oxley work, and there I was exposed to other industries than financial services, like airlines, energy and utilities, hospitality, media and things like that.
And so what brought me to RSA was an opportunity to provide input into the RSA Archer product line, specifically into the product roadmap, and so I came in and kind of took over the areas of internal audit and business continuity, two solution areas that we offer, and was able to influence that roadmap for a number of years, and have since moved into more of a marketing role across RSA, where we help customers understand how they can use the portfolio of products to help manage their digital risks, security and operational.
Peter Beardmore:
So, Patrick, I know you're being very modest, but you talk about business continuity and disaster recovery, you've mentioned financial services and airlines and hospitality and suffice to say, for our audience, Patrick has been the business continuity and disaster recovery guy for marquee names in all three of those industries, which is somewhat interesting when you consider what we've gone through and what's happened in those industries over the course of the last few months, right?
Patrick Potter:
Yeah.
Peter Beardmore:
I mean these are, particularly airlines and hospitality are industries that have been really hard hit.
Patrick Potter:
Yeah, they really have. I mean, I look back to the years when I consulted for the Starwood Hotel chain before they merged with Marriott, and, boy, they've, just as one example, they've really been hit, and airlines, too. I consulted for American Airlines and US Airways before they merged, and just out of nowhere this pandemic has taken its effect on those industries. In particular, healthcare is another I've done some work in, Peter, and it's kind of gone the opposite way, where they've become busier and more hectic, and that's spurred some interesting changes in delivery models and financial models and things like that, especially in healthcare. So it's just phenomenal, the effects that the pandemic has had really around the world, every geography and every industry and literally every organization. I can't think of one that hasn't been impacted one way or the other.
Peter Beardmore:
As organizations are going through these enormous changes, I would imagine just because of the speed of change, there's a lot that gets lost in the disruption, and I would imagine that that's problematic. What have been your observations in terms of how organizations have been able to maintain a level of sound management through extraordinary change and huge, impactful decisions that are being made in relatively short order?
Patrick Potter:
Yeah, great, great question. I think once the dust settled, organizations looked around and said okay, we've sent our people home, we've figured out if and what's disrupted, have we had any business operations with third parties that are down or we can't rely on? And then how do we change what we do? I mean, one example is a lot of retail stores, like Home Depot is one example, closed early, and that gives them time to sanitize and stock their shelves, right. And then other companies have furloughed, like AMC Theatres: they furloughed their CEO and all their corporate employees at the headquarters just in an effort to stay afloat amid the financial fallout from the pandemic. Who knows how long those measures will go, but I think smart companies quickly looked around and said okay, what do we do, and that was holistic, meaning not just recovery from this thing, but in their business operation, what do we do to change what we do so that we can stay afloat? I mean, I keep going back to healthcare, Peter, but it's really the prime example in telemedicine and telehealth, right? When people were home and couldn't go to the doctor, were not allowed to go to the doctor, the federal government and states started to lower the HIPAA requirements so that telemedicine could be performed. Now, probably every doctor and specialist you have, you can see them remotely through Zoom. I've done it a couple of times. Now the trend in healthcare is, the big question is, “Wow, we kind of like this, or patients like this, it's lending itself to some good developments in the sector. What do we keep? Do we keep doing this? Do we keep allowing this?
And if we do, how do we protect patient data and how do we protect the privilege between the provider and the patient and make sure that the patient has their needs met?” And there's inertia in that industry anyway through what's called the Cures Act and interoperability between all these healthcare systems and portals and wearables and devices that everyone has to make sure that data is more consistent and available to the patient. So those are just some examples where we're seeing some trends that were started by the pandemic but may turn into good business practices, but again, I think those smart companies are adapting as they go, not thinking well, we'll wait till we get back to the way things were because who knows if we'll get back to that point.
Peter Beardmore:
I've noticed in almost every business that I've done business with over the course of the last few months, and most of them were small local businesses, as a consumer, but, you know, some of the changes have been really good.
Patrick Potter:
Yeah.
Peter Beardmore:
The example that I give is I took my dog to the vet and I never had to wait in the waiting room.
Patrick Potter:
That's right.
Peter Beardmore:
Which to me is a total win, right. Like, why would we ever go back to waiting in the waiting room with your dog and having him bark at a cat and so the cat gets mad at you and all that.
Patrick Potter:
That’s right.
Peter Beardmore:
Right, like it seems like a no-brainer, but in a nutshell, it's kind of a ridiculous example but I think those examples are all around us, right? And so organizations have to, is there a methodology that organizations should be thinking about when they analyze this and think about okay, these were good changes, these were not so good changes, these might be future regulatory requirements that we might have to deal with where regulatory requirements were eased, they might come back, so we'll have to deal with them. Is there a process or methodology that organizations should follow when thinking about these things?
Patrick Potter:
The one that comes to mind, as you're asking that question, is, so I led strategic planning for a Fortune 500 manufacturing company a couple of decades ago and did that for a few years, and basically what that was, was sitting down with the C-suite and leading them through an exercise of determining what is the horizon hole for our company, right? And when you do strategic planning like that, you usually do it over a three-year horizon and determine what's the current business state, what are opportunities? Examples of things you talk about are what's the current state? What are opportunities we want to take advantage of? Where's the business heading? Where are our competitors?
Peter Beardmore:
Like a SWOT analysis kind of thing.
Patrick Potter:
More or less, yeah, for the entire business so...
Peter Beardmore:
Yeah.
Patrick Potter:
That's a great analogy, a SWOT analysis. So I would say what needs to be done is, on the fly and quickly, a light version of that needs to be taking place. What changes have occurred in our operating environment where, like you said, with the SWOT, what are our strengths right now? Where are our weaknesses, opportunities and threats? And let's address those because there could be positive opportunities that you can take advantage of now, but you've got to shore up those areas that may be weak and that's what I would recommend. I think that's the methodology that comes to mind is just that abbreviated strategic planning process, facilitated through a SWOT analysis, like you said.
Peter Beardmore:
I know you've had conversations with probably hundreds of companies over the course of the last few months. What's your sense of organizations’ abilities to keep up with all the changes that have come and particularly from, I'm thinking from a compliance standpoint, is there a big bill coming due, so to speak? Where these audits are coming around and, with all these changes that have been made, are organizations going to be prepared?
Patrick Potter:
Yeah, that's a great question. I think you've got one of two scenarios. You've got the companies that thought that through ahead of time because they have been disrupted in the past and they knew the drill, and then you've got those that didn't. I worked with an energy company years and years ago that operated, I don't know, 30 dams and a nuclear power plant in the Pacific Northwest in the United States, and they knew what it meant to be disrupted: a dam breaks or something happens. And so they had already planned out with their regulators hey, if this happens, what can we have a bye on? They had to protect a certain breed of fish in this one river and they said “Hey, if a dam breaks, I'm sorry, we're not going to be able to protect that fish for a week or a month” and the regulator said “Okay, we'll give you a bye on that one.” So anyway, they had had that conversation and kind of mapped out what would be the implications of that, including when they would need to get back in compliance and what sort of audit trail would they have to create to show they gave it their best effort and that sort of thing. So that's what needed to happen and I think companies in more regulated industries or more disrupted areas of industries are used to doing that. That's part of the regulatory change process, Peter, I think that maybe some companies don't think all the way through. They think of the front end of, we have lots of regulatory changes coming at us, how do we ingest those and reflect those in our control activities, but on the back end, they need to think that through, if there's a disruption, what are the activities we can let go for a time and then at some point, like you said, the bill is going to come due, but that's a lot easier if you've had those conversations with the regulators and if you've documented what you've let go, why you let go, and maybe some actions that you took instead - and then a plan to get back in compliance.
So that's a process that really needs to occur. I don't know a lot of companies that think of that back end though as often as they should.
Peter Beardmore:
Have you seen a measurable difference between the organizations that you've talked to who have really gone through a concerted effort to do business continuity and disaster recovery planning well in advance and exercise it versus those that haven't over the course of the last three months? I don't think anybody could have anticipated a global pandemic to the degree that we've seen in the last few months or at least it was a low probability event, but is there a clear contrast out there between the organizations that have done the homework in advance and those that hadn't?
Patrick Potter:
Oh, absolutely, night and day difference, and surprisingly - so I've done a few webinars lately, Peter, and I've done surveys in each one of those, there were probably 200 to 300 participants in each one of these webinars, so I asked if you had to go back and evaluate your pandemic plan, your crisis management, your preparedness in general, where would you say that you were? Very prepared, somewhat prepared, not prepared or you don't know. And in each case, I would say about 75% of those companies were either very prepared or prepared enough, you know, at that different level. So that was encouraging, right? And maybe it had to do with the industries they're in or they'd been disrupted before or what have you and with the pandemic, I'd say most companies that were mature enough in their resiliency planning had pandemic plans, too. The issue was that it's hard to test those plans and it's hard to test all the assumptions. Think of all the things that have happened as part of COVID that no one anticipated. Everyone's got to work from home or work remotely literally around the world almost at the same time. There's no way to test that and that's an assumption, as a continuity planner, you would have laughed at before COVID. Now nobody is laughing because that was the main effect of COVID and still continues to be to a large extent. So it's just like the adage goes that, how does the adage go?
Peter Beardmore:
Is “Those who fail to plan...
Patrick Potter:
Plan to fail!” Yeah, exactly. That's exactly how it goes here. And it's interesting to see the contrast in different industries because you'll have a highly regulated industry like financial services where resiliency and continuity planning and IT disaster recovery is built into standards and even regulations like FFIEC and GLBA and banking standards and same with other industries like energy with NERC and FERC and healthcare with HIPAA and then you've got other industries with maybe retail, hospitality where you just don't have the regulations, and you have less of the discipline for resiliency and continuity planning. And you still may have mature organizations that know what they need to do, but having worked in both of those industries, I can vouch for the difference in the maturity of planning and execution and the preparedness and the end result, night and day difference.
Peter Beardmore:
What about organizations that perhaps were not as well prepared and, you know, found themselves scrambling and not as organized as they would prefer to be? What advice do you have to offer for those folks? I mean, it can't ever be too late, right? Is there a way to get on a remedial path, so to speak?
Patrick Potter:
Absolutely, absolutely right, after COVID started I did a presentation and the message there was it is never too late. There are things that you can do and it's a process to go through, Peter. I mean, I think of your SWOT analysis, that's not a bad place to start. What have we had to do, if I were the CEO of a company that had not prepared at all, likely I've had to send my people home. I may have some third parties that aren't available. I may not be able to access a building, maybe a manufacturing location or something. You know so you've got to look around and what are those things that are really critical in order for us to continue to function. I've got to make sure those are operating, right. I've got to make sure those have continuity. Who are my critical resources to performing those processes? Are they available? Who are my critical vendors that I've got to rely on? Maybe I've got a single point of failure with a vendor, I've got to address those gaps. Do I have redundancy in those vendors where I need them and all up and down that value chain, where are my strengths and weaknesses and what do I need to address to build continuity or resiliency into my processes? And interestingly enough, a lot of the companies I've talked to, probably the majority I asked during COVID, what parts of the business were disrupted? I mean did you have some disruptions other than sending people home and most said we really didn't, unless they had shipping disruptions or transportation disruptions or something like that, they had a more complex supply chain. So it's not inconceivable, it's not something that is impossible to do. I mean, anyone at any point in time can kind of stop and take stock of where they are and address those.
Now longer term, I would completely recommend kind of doing more of the lifecycle of business continuity planning, business impact analysis to determine what's absolutely critical that you do, documenting recovery plans to recover those things, practicing crisis management, getting that structure in place and then just building resiliency into the business and there's ways to do that, that we talked to companies a lot about, but that's where I would start.
Peter Beardmore:
And we could take guidance from like ISO Standards and ...
Patrick Potter:
Yeah, ISO 22301 is the prevailing standard around BCM, business continuity planning, and then, like I said, if you're in regulated industries, you'll get guidance from, in financial services, the FFIEC and GLBA, and in healthcare HIPAA has got a lot of guidance, and then in the energy industry you've got NERC and FERC that have a lot of guidance. And then just best practices, I mean we espouse that a lot in the solutions that we offer. They're built as much on collective best practices of our expertise as well as our customers' expertise as much as the standards, like I just mentioned, which are built in as well.
Peter Beardmore:
And then obviously if you're a client of RSA or one of our partners that operate in the integrated risk management space, we're certainly, they’re ready, willing and able to help when it comes to helping to manage some of these business continuity risks.
Patrick Potter:
Yeah, especially in that, you mentioned the integrated risk management, I just gave a webinar this morning and talked about that and how critical it is to look at resiliency planning in the context of the bigger picture of risk, because you can't manage that alone. In integrated risk management, the concept is you've got to manage third party risk alongside security risk, alongside resiliency risk and compliance risk, because they all bleed together and it’s very true. So that's our approach that we take in working with customers to help them understand that and build that structure and approach so they get rid of those silos of information and practices and inconsistencies and do it holistically and it really has good effects on managing those risks.
Peter Beardmore:
Patrick, anything else that I failed to ask you about or you’d like to make sure we include here?
Patrick Potter:
You know, think about what's next for your organization, assess where you are today and what that next new normal might look like for you. I know that's a term that everyone's using a lot now, so it's getting kind of old, but we’re not at the end of COVID yet and with things going on in the United States, around the protests and riots, that's definitely impacting some organizations and doing so at the same time as COVID and there's weather concerns that are happening now and I was talking to somebody earlier, and my father-in-law lives with us and every day he comes down at lunchtime, he says well, there was an earthquake now in Idaho, and there was one in Arizona. So there's disruptions everywhere all the time. It's never too late to prepare and to shore up those practices, and resiliency is more than just recovery, it's about thinking about the direction of your organization, lining up your resiliency and recovery with your strategic objectives and making sure you're all headed in the same direction so you can enable the business to operate at its highest level. So I could go on and on, Peter, but I'll stop there.
Peter Beardmore:
Alright. Well, I certainly appreciate it and I appreciate your time and your extraordinary expertise and experience. Patrick Potter is Digital Risk Strategist for RSA. Patrick, where can people find you online and get a hold of you if they want to?
Patrick Potter:
Well, send me an e-mail at patrick.potter@rsa.com or LinkedIn or Twitter at PNPotter1017 and I'm happy to have conversations and help you out where I can and I love doing what I do. So I'm happy to help, Peter.
Peter Beardmore:
And we're glad to have you. Thank you so much for joining us and have a great day everybody. Take care.
Season 2 | Episode 3: Supply Chain Disruption
Listen time: 29 minutes
Continuing our series on the disruptions resulting from rapid digital acceleration, we chatted with Chris Patteson, Executive Director for RSA's Risk Transformation Office and Emily Shipman, Sr. Product Marketing Manager for Third-Party Risk Management. Exploring some of the recent challenges in both physical and digital supply chains, Chris and Emily discuss how organizations that have embraced Third-Party Risk Management principles are discovering greater opportunities for success, even amid uncertainty.
Peter Beardmore:
Welcome back to the RSA Podcast. This is Peter Beardmore and this is Season 2, Episode 3. Today we are focusing on supply chain disruption. In the previous episodes we spoke with Steve Schlarman about four areas of disruption that organizations are experiencing as a result of the global pandemic crisis. Last week we spoke with Ben Smith in a conversation about security disruption and today we are speaking with Chris Patteson and Emily Shipman, both of RSA, to discuss supply chain disruption. Chris is Executive Director of the Risk Transformation Office at RSA and Emily is Senior Product Manager for third party risk as part of the RSA Archer Suite. Chris and Emily, thank you both for joining us.
Chris Patteson:
Thanks, Peter, excited to be here.
Emily Shipman:
Thanks, Peter, glad to be participating.
Peter Beardmore:
Glad to have you. Chris, why don’t we take a few minutes, why don’t you tell us about how you came to RSA to lead our Risk Transformation Office?
Chris Patteson:
Sure, thanks. So tied to supply chain in the discussion today, I started out in manufacturing logistics and operations back in the '80s and '90s and then that eventually brought me into the e-commerce channel. But the last 20 years, I was at FedEx and really started to move into the risk management role, helping with building their GRC program. So I was super excited when the opportunity arose at RSA to move over and share some of that experience with other customers and then also Emily and I work very closely together all in product development and getting new features for kind of this next wave of GRC and integrated risk management that the customers are struggling with.
Peter Beardmore:
Emily, you have been working on the RSA Archer Suite for quite some time. Tell us about what you do with Archer and how you came to RSA?
Emily Shipman:
Sure. So I come from more of a technical engineering background, spent the majority of my decade at RSA working in more of a consulting type engagement with customers who are in a wide range of industries, sizes and different stages on their journey of developing a risk management program, understanding what they need to accomplish, designing that program, putting the tools, technology and people in place to do that, and over the course of about a decade or so doing that type of work, you learn a lot of lessons and best practices from that variety of organizations. So I spent the last few years working in our product design and development team, understanding how can we take those lessons learned and put it into an offering that’s turnkey and available for somebody who has to hit the ground running.
Peter Beardmore:
And why is supply chain risk important to businesses, Emily?
Emily Shipman:
Well, I think we have seen a few changes over the last decade or so. One, we have seen a humongous change in the type of suppliers that companies are engaging. We have seen supply chain move from just being really more of physical goods to a wider range of services and digital offerings. We have also seen those become increasingly critical in just the day-to-day operations of the business. So now when you go to order a cheeseburger at a fast food restaurant, you may be interacting with a person, you may be interacting with an application, you may be interacting with a touchscreen piece of hardware. More and more of the systems are being provided by external suppliers. One of the outcomes that we have seen about that is that as we diversify the supply chain itself, we diversify the types of risks it is susceptible to. So when we talk about just a traditional raw material supply chain, you are looking really at risk that may come from things like natural disasters or fragile suppliers going out of business. When you diversify the supply chain to be more services oriented, more technology oriented, it brings in a whole new range of risks from geopolitical events, from economic shock, from malicious actors and cyber events. So we have increased our reliance on the supply chain, we diversified the type of suppliers that we are seeing and we have diversified the type of risks as a result, which is causing organizations as a whole to have to think very differently about how they manage that supply chain.
Peter Beardmore:
Chris, any thoughts on supply chain risk and how we got to where we are?
Chris Patteson:
Yeah, sure, absolutely. For me, I think I saw this trend and the digital transformation that actually started quite early in the '80s and '90s as companies started to employ better technology around managing the supply chains and a lot of that was tied to that push towards just-in-time inventories and reduction of the carrying cost on stocks. So as you move towards that and you reduced that stock, you obviously don't have as much of a buffer to deal with disruptions and changes in a supply chain. I do think that we are seeing a lot of that right now related to some of the things that are going on but that transformation started quite some time ago. And so platforms came online and then it really accelerated I think in the 2000s with the evolution of e-commerce and companies being much more connected than they were in the past where a lot of that may have been manual as well prior to kind of this digital revolution.
Peter Beardmore:
So how has COVID-19 disrupted supply chains?
Chris Patteson:
So I can jump in there, Emily. I experienced some of this back in the '90s in the same models and the just-in-time models, there was one time that our organization kind of got upside down with back orders and it was funny to see that the forecasting models and the software that was designed to deal with the replenishment kind of went whacko, right. It didn't know how to deal with that level of back orders, it was making back decisions. So it really required human intervention. I was working very directly with the plant managers and how we were doing the plant scheduling and in some of the supply chain lead times were from overseas, much like they are right now. So getting that all balanced out was quite a challenge and then once we got the inventory balanced kind of using some spreadsheets and things like that, then the algorithms were able to take back over. What I see even if I go into kind of my local retailer, you can see that is happening right now, right. The models and the forecast that these systems were built on are kind of confused right now, right. So all of a sudden there is a spike in toilet paper and air fryers and different products that probably wouldn't have been there in this traditional seasonality and again if you are looking at three month lead times from an overseas supplier, then you are going to have some challenges in even fulfilling that demand. So the organizations that are looking for those signals and trying to understand what is happening on the front line of their operations and making sure they are looking at adjusting those models, that’s the best opportunity to get ahead of this and potentially for organizations to increase profitability in what's a trying time, right. If you have got a product that nobody else can get a hold of, because you did adjust your modelling and understanding on what's going on in your supply chain, that really could put you ahead from a competitive perspective.
So, this idea of risk telemetry that I talk about a lot and we can probably get into that a little bit more as we get further through the podcast.
Peter Beardmore:
Can you take just a moment? I know you mentioned this a little bit earlier, Chris, but there is the physical supply chain that I think everybody is more or less familiar with - if you make a product, you need the components of that product to be able to deliver it to your customers. There is also a digital supply chain, right, and the example that Emily talked about of McDonald’s where you may be ordering through an app or you may be ordering through a touchscreen in the restaurant, that's a whole different aspect, some of which you as the organization, as the customer, may be blind to some of the risks that are going on behind the scenes and I am wondering if that's been affected by the organizational disruption in a lot of organizations. How do organizations go about the process of figuring out what is behind that screen and what are the potential risks associated with my organization?
Chris Patteson:
Yeah, you can go take the traditional security kind of view on this and then you really need to be focused on both integrity and availability of those systems, right. So there are two dimensions to it. If you think about the physical supply chain and the interaction between those partners, right below that layer of the physical supply chain is what I typically call your information chain, right. So the information chain is looking at things like forecasts, stock on demand, could be your partner's manufacturing levels. They are generally highly integrated. In some cases those partners are even responsible for holding your safety stocks for your operation, right. So if any of that starts to run into issues there could be a breakdown there because if that information chain is not functioning, there are challenges and I think what we are seeing especially with things that are going on from third party risk management, even what the Department of Defense is doing, kind of with CMMC and looking at contractors there and making sure their third and fourth parties have a certain level of integrity and availability. There is this concept that's emerging of below that information chain there is a compliance chain as well that I need to be sure that my partners are focused on the same level of integrity and availability that I am to make sure that all those pieces are functioning and then the second dimension is really it’s the chain, chain as you get down to the demand side of the supply chain is so much of the front end demand that starts that way through the chain is now driven as Emily was pointing out through e-commerce, right. There are apps, COVID-19 has really changed this concept of pickup the delivery, a lot of folks are nervous to go in the stores especially if they are in one of the target groups. So I think that has changed us and will change us going into the future. 
I think where people may not have been comfortable with online ordering, I think some of that is going to continue until we get to the point where there is some type of vaccine or solution for the virus, that could continue on for quite a long time especially to protect those that are most at risk from the virus.
Peter Beardmore:
So, speaking of change, this means that there is a lot of change just in terms of the day-to-day activities that risk management professionals are encountering. Emily, for risk management professionals that are constantly seeking to improve the overall resilience of their supply chains, what does COVID-19 mean? How are their lives being affected by this?
Emily Shipman:
I feel like the experience of the last few months has really underscored the importance of a few lessons in risk management we have been talking about for a while now. And one of the most important is the fact that activities around the supply chain have to be rooted in an understanding of what is most important to the business and the business criticality. As the supply chains have grown and diversified, they have simply become too large for us to take a one size fits all approach to managing them. So when we see disruptions, when we see outages, we can't just address all of the suppliers at one time or try and wrap our arms around this massive challenge. We have to be able to pick what is most important, what is most critical about the business, focus our efforts on there and that is the foundation of an agile response. And Chris mentioned that being a competitive advantage, companies that can understand what's most important to the business, where is the greatest chance of disruption to our day-to-day operations and focus efforts specifically there, are able to continue business operations, resume business operations quickly. I think the second lesson that we have learned is the importance of an integrated approach to supply chain management and to risk management as a whole. A lot of traditional risk management programs have been focused on segmenting risk by security risk or legal risk or operational risk and managers in separate teams, they don't always necessarily talk to each other. 
When we don't know where the next disruption is going to come from - whether that's a natural disaster or whether that's a pandemic, whether that's a cyber-attack - it becomes increasingly important for those teams to be talking to one another for the resiliency programs and the business continuity programs to be in constant communication with security, with legal, with operations to ensure that they are able to respond quickly to the next source of a disruption and then I think the last thing that we have learned is the importance of easy, flexible communication with the suppliers themselves. Supply chain requires a lot of collaboration for you to be able to engage your suppliers to collect information from them quickly, to send the information from them quickly, to have those open channels of communication and if those communication channels do not exist before the disruption occurs, you are not going to be able to quickly stand them up on the fly when you need to. So having those communication channels in place is one of the, I think, last most critical steps organizations can be taking and should be taking in advance of a disruption to make sure they are ready to respond.
Peter Beardmore:
Are these risks quantifiable, Chris?
Chris Patteson:
Yeah, the work that I have been doing around this relates to the Open FAIR framework and it absolutely is, and so the goal here, and this is important, a lot of people try to get an exact engineering approach to this and the sooner you realize that this is an exercise in reduction of uncertainty, you can start to map out scenarios and, as Emily is pointing out, if you know which suppliers you may be single sourced through, which parts of my business process may be tied to those suppliers, you can start to do a deeper quantification on, you know, “If I lost that capability what does that mean to my bottom line?” and then that would lead you to what investments I need to make and I know that they are extending that framework, Open FAIR, past. It has initially been very focused on cyber risk compliance, but there is a lot of effort by that group and a lot of participants to move it into third party risk, operational risk and these other dimensions. One example that I can think about is that people didn't realize kind of the after effect but if you remember suddenly around late 2012, early 2013, there was a massive spike in the cost of SSD drives, right. So for a company like Dell, that's pretty significant, it’s going to impact cost obviously if suddenly the drives I was buying are like two or three times more expensive and what was the cause of that, it ties back to the Saudi Aramco Shamoon breach. When they were attacked, they had to go back and replace massive amounts of their infrastructure and of course with their capabilities in, with the assets they have at their disposal, they went out and cornered the market. They bought up every last piece of SSD they could get their hands on.
So those are the examples that if you look at your supply chain and if that is a key part of me being able to deliver, maybe I do need to have some protection contracts in place to make sure I am getting my supply chain versus somebody else or what is a second source of that, hold more safety stocks but starting to understand the parts of what is going to impact you the most and then have those plans to attempt to address it, and then outside of that, it gets to be an exercise and there is just too much to go calculate, then you are really into what does recovery look like and I think that's what we are starting to see in COVID right now is, you know, “As I restart my business processes, which ones do I restart first? How do I change things?” - operation in the field - and it gets back to that concept of risk telemetry, that the more data you can get out of your operations to make more informed decisions at the executive level as you are looking at those operational impacts, that data is going to help you remove uncertainty around those decisions and it doesn't have to be perfect information but, big fan of Doug Hubbard, and any information you got is going to be better than no information at all. You are going to have a much more informed decision provided you are feeding that in and that has been a big focus of where Emily, the team and I are taking the product into more continuous monitoring capabilities, understanding of that risk telemetry through feeding data through data gateways, for example. And then the more I can get that in front of the people that have to make the decisions, and it’s going to be different, right? Operation to operation, locality to locality, you’re going to have to have that data to make those better decisions than if you are just trying to guess and bring these things online kind of in a haphazard manner.
Peter Beardmore:
And when you say data for your operations, I just want to emphasise the point that your operations might actually be somebody else’s operations and, therefore, that data, that visibility of what's happening with your suppliers, both physical and digital, has never been more important.
Chris Patteson:
Yeah, absolutely. And again I think that's why with this new directive coming down from the Department of Defense, that's a big part of what's in CMMC that they are not just worried about you as the defense contractor, they are worried about your subs and subs of subs, right. So you are really getting into this fourth and fifth party relationships in some cases and I foresee this as kind of an initial move to improve the security of the supply chains, especially in nature of where so many electronic components are coming in, we are looking at from that digital perspective, longer term I do think that's going to move further into the private sector as well.
Peter Beardmore:
How do you think this is going to change the future of supply chain risk management? That's a question for both of you but why don't we start with Emily? What do you think the future looks like?
Emily Shipman:
There are a lot of lessons that we can learn by looking at the companies that are innovators in the space of supply chain management, who is doing it really well and when you talk to leaders at those innovative organizations, you very consistently hear a key objective and that is that they are taking risk management out of a small team of risk professionals and they are trying to drive an organizational risk culture where employees are empowered to make objective data informed decisions, which sounds great. Everyone would love to have that type of organization but how do we do that? Because that cultural change is one of the hardest that you can take on as a leader. I think there are a few things that really empower that. One is that we can lean into a lot of the technology available for analytics and a lot of some of the capabilities of machine learning, of advanced analytics to help encourage those decisions to make them easier to make for the organization and we can also lean into a lot of the technology capabilities around visualization of risk because people think visually, and if we can put visual dashboards that indicate where risk is coming from, trends and data, maps of geographic impacts of risk, things like that, and make those available to the business, it enables people to think and act a lot faster by visualizing that risk. The other capability that we need to be leaning into is making sure that that risk picture is contextual to each individual. We struggle a lot when we present information to the business to answer the question, “But what does it mean to me? 
What does it mean to my area of the business, to my specific areas of influence?” So being able to take the risk information that we have and marry it with our understanding of the organization where our assets are, where our business units are, where our products are and being able to show the snapshot of risk in alignment to each of those areas so that a business professional is seeing just really what risk means to them - that enables them to make quick decisions - doing that in advance of the next crisis, getting in front of it and making that just a part of your day-to-day operations really helps put yourself in a position that you are not going to be scrambling when the next pandemic, when the next natural disaster occurs, because it is just part of the ongoing culture.
Peter Beardmore:
Chris, any closing thoughts?
Chris Patteson:
Yeah, I mean really if you abstract it out, it really is something we have been doing in supply chain management for quite a long time and then when things are running fine and everything is perfect in the supply chain, I don't have weather delays, I don't have a supply shortage because of maybe a labour dispute or something along that line, typically these teams in supply chain management would jump into a mode of exception management, exception handling. So really what you are talking about in risk management, and Emily has pointed this as kind of a signal-to-noise problem from a data science perspective, the quicker I can identify where situations are out of range or out of bounds and then start to kick into a contingency plan or if I don't have one, at least I know I need to start planning some type of recovery or a way around this and for me in my own role in supply chain management, it may change sourcing materials from a different country or in some cases, we even move whole production loads from onshore to offshore or vice versa. So really it is being able to identify those exceptions and changes as quickly as possible and then getting in to manage it and so that is where we are leaving the ability for humans to kind of manage this just on their own. And that's really, as you get into digital risk management, a lot of it we get these signals but does it get pulled up as Emily is pointing out, kind of into that holistic view and being able to see it. The other big part that I would like to highlight Emily brought up was that cultural shift and I think the biggest challenge I see within organizations is for anybody listening to this podcast just go ask two or three of your different divisions, say, “Hey, how do you define risk?” And the problem is a lot of organizations because they haven't built out kind of that muscle memory around risk management, they get it wrong, right.
They will say, “Cloud is a risk” or “Nation states are a risk.” Well, until you can actually label that risk with some loss of value, right, or the magnitude and then look at that from some probability this is going to happen once a year, twice a year, it happens 10 times a day, that's the definition of risk. It's been around since manufacturing engineering really started picking the substance in '40s and '50s so, and that hasn't changed but what shocks me is I go into organizations, I will go look at their risk registers and find out they have just got all kinds of stuff in there that's not risk, which is in itself a danger because they are not looking at kind of the basics of what's the magnitude of loss if this fails and then what are the odds of that happening and that's where a lot of the more advanced modelling and what we have done in manufacturing forever, right? I remember running simulation programs to figure out how to best lay out different manufacturing environments and how flow happens on the floor, hopefully that people start to realize that running simulation around risk, and you have got the variables in the data to do it, that gives you a much better grasp on how to handle this as you look at impact of business processes, what's the likelihood of that happening and what do we need to wrap around that from a preventative or even reactive and in some cases it costs too much to prevent it but if you have to fall back into a reactive mode, what's that going to cost and what does that look like and all of this can take a big learning. If you start to examine it from a risk management perspective, how the energy companies deal with this, I am very impressed with how they model risk from the perspective of, there is potentially loss of life if one of their processes goes awry.
So they are very good at not just the preventative side but how quickly can I recover, how quickly can I shut something down after something bad happens to either protect life or assets within the organization. So I do think there is going to be a lot to learn as companies step back from what's going on and start to put as much focus on the recovery side as we do on the preventative side, especially in a digital and cyber realm.
Peter Beardmore:
Chris and Emily, thank you both for taking the time to join us. Chris, where can we find you on Twitter or LinkedIn or …
Chris Patteson:
I am @RiskWrangler on Twitter and I am easily found on LinkedIn because it's Chris Patteson P-A-T-T-E-S-O-N and there aren't many of us around. Some people put the R and they cannot find me but if you do P-A-T-T-E-S-O-N or cpat, sometimes it shows up as kind of my nickname, as well.
Peter Beardmore:
Patteson with no R and Emily?
Emily Shipman:
Same, Emily Shipman on LinkedIn is how you can find me.
Peter Beardmore:
Also with no Rs?
Emily Shipman:
Yes.
Peter Beardmore:
Thank you both so much for joining us today and we will talk to you next time.
Chris Patteson:
Excellent, thanks for your time, Peter.
Emily Shipman:
Thanks, Peter.
Peter Beardmore:
Take care.
Season 2 | Episode 2: Security Disruption
Listen time: 29 minutes
Security is first among the four crisis disruptions that we’ll explore in-depth. Peter Beardmore welcomes Ben Smith, RSA Field CTO, to discuss the challenges that security operations leaders and their teams have encountered in recent months. Threat, detection, process, workflows, and automation are all on the agenda. Ben breaks down how successful SecOps teams have managed to stay ahead, despite the inconveniences (to put it mildly) of working entirely remotely.
Follow Ben on Twitter: @Ben_Smith
For more on overcoming the challenges of the “new normal” SOC, check out Security Weekly’s interview with Mike Adler, RSA Vice President of RSA NetWitness Platform.
And check out Jonathan Gregalis’ blog on Preparing for the Risk Challenges of an Uncertain Tomorrow.
Peter Beardmore:
Hello, and welcome back to the second episode of this new season of the podcast. My name is Peter Beardmore from RSA Marketing and today we're going to talk about security disruption with my friend Ben Smith. Ben, welcome aboard.
Ben Smith:
Peter, thanks for the offer. I really appreciate the opportunity to talk today.
Peter Beardmore:
So Ben is the Field CTO for our North American organization here at RSA. Ben, why don't you take a minute to give us your backstory? How did you come upon working at RSA and what do you do now?
Ben Smith:
Great question, Peter. I have been a pre-sales resource if you will, kind of the technical arm to customer facing teams for a long time, almost a quarter century at this point in a lot of different industries to be honest, systems management, networking and internetworking, which are two different industries and in my current guise in the security and risk management space, I have been very fortunate to be part of the RSA family for just over 10 years, which is a world record for me and started my …
Peter Beardmore:
It’s a very long time in our industry and at RSA, for that matter.
Ben Smith:
Yes.
Peter Beardmore:
Like a dinosaur...
Ben Smith:
Yes, and yes, so thank you for that. I feel even older now, Peter, but you're spot on. It's a long time to be at one company, but one reason that I am still here and still very enthusiastic, it has not been working for one company from my perspective. We've gone through several different iterative stages here at RSA, every couple of years there's something new, interesting/urgent that arrives and in our current path around digital risk management, which we've been doing for more than a couple of years at this point, it's really resonating with customers that I've interacted with up and down the East Coast, in the center of the country, out in the West Coast. So for me, selfishly, it's all around being challenged with new stuff and that is part of what drives me and why I continue to enjoy being a part of the RSA family.
Peter Beardmore:
And you've been a ringer for us for years. I've probably invited you into more executive briefing, center briefings than you'd want to admit to over the course of last few years as well as speaking at a lot of our events, such as RSA Conference and RSA Charge. You're one of our ringers for these executive roundtables that we do frequently as part of our field marketing function. In that role, you get to speak with a lot of top security and risk officers at a lot of Fortune 500 companies, is that correct?
Ben Smith:
Yeah, that is absolutely correct. Those are two-way conversations from my perspective, Peter. We are really staging them, as you've said, to try and spread around some knowledge to both customers and prospects. Sometimes those events are vertically focused. So we might have a table full of Security Operations Center managers, sometimes we'll have a table full of lawyers, sometimes we'll have compliance folks, but I mentioned it's a two-way street. They get smarter and I get smarter as well, because it is very valuable for me and very fulfilling to kind of listen to the stories that these practitioners, and that's who these attendees tend to be, freely sharing, not for attribution, of course, but freely sharing what's happening inside their own organizations and then just watching those spontaneous conversations bounce off of each other. We all get smarter. We're certainly smarter two hours after that event started than we were at the beginning. So yes, I've been very fortunate Peter to be asked to support a number of those events and we're going to continue doing those as we move on into this calendar year.
Peter Beardmore:
So the topic of today's conversation, Ben, is Security Disruption and in the conversation we had last week with Steve Schlarman, he outlined four areas of disruption that are kind of resulting from the rapid acceleration of digital transformation kind of resulting from the pandemic crisis, areas such as workforce, business operations, supply chain and, of course, security, which is the topic of today's conversation. In general, what are the disruptions that are really the most time consuming and top of mind for security leaders in the wake of the pandemic?
Ben Smith:
Yeah, great place to start, Peter. I would say there are probably two or three major areas that I want to talk about. All three of those kind of flow out of the central concept for me, and that is around resilience. That's what every organization is trying to figure out, that's what every organization is living with right now. So whether it's threat, which I'm going to start with, whether it's the whole concept of how we guard against threats, maybe in a Security Operations Center context around detecting those threats, all of that kind of rolls up into how is your organization being resilient, and maybe more importantly, the conversations we're having today is with customers and prospects around how can we be more resilient. So kind of the first and probably the biggest area, Peter, in terms of what you've just asked, there really has been a dramatic expansion of the attack surface. So threats generically have always been out there. They are continuing to be out there today. We're seeing what I'm hearing about is, I won't call them spikes, but I will call them or characterize these as increased activity around challenges with confirming identities, that's identities, plural, and I'll come back and talk about that. I mean kind of phishing, which also is highly related to identities, but in a lot of cases there's kind of a financial component there.
When I talk about identities and threats to identities, a lot of folks that I have spoken with instantly kind of, especially if they're in the corporate world, they kind of snap into the “Okay, you're talking about identity and access management, you're talking about how to authenticate individuals, do I need something stronger than a username and a password?” Absolutely, multifactor authentication which might include a physical device or a virtualized device plus knowledge, that's kind of a very standard talk track that, not just RSA, but many companies, many vendors, many consuming companies have been in for some time, but especially given the nature of the world right now, when I talk about identities, I'm not just talking about enabling or empowering your employees, so that the right people have the right access to the right resources at the right time. All of those rights are important, but it's a little broader than that, because those are employee identities. You might have contractors that are kind of following the very same path. What about your third parties that might have access to your very sensitive resources? Those are identities that have to be tracked.
I have yet to encounter an organization, Peter, that is not relying on some form of machine based identity, whether it's certificates that are running, whether it's automated process and the RPA, the Robotic Process Automation space, that's a hot topic right now for a number of our customers. Those are identity conversations as well and sometimes people especially folks who are not living and breathing security on a daily basis they might kind of overlook the fact that identity is very complicated. It's all around identifying or authenticating an individual. It's around understanding and appreciating what the entitlements are for those individuals, what those roles are for individuals. It's very complicated and threat actors today realize that. Even in the best of times, identity management, identity lifecycle, these are tough concepts to kind of wrap your arms around. So we have threat actors that recognize that, quite frankly employees, who, many of whom, like you and me, have been working remotely for some time, a lot of employees are fatigued right now, a lot of employees are stressed, a lot of employees are distracted right now, simply because we're working from home. Maybe for some of us, that's not a natural state. I suspect for many of us, it's not. This creates an opportunity for bad actors to kind of take advantage whether it is through outright reusing your credentials or phishing, to try and gather up those credentials, and then to use them for their purposes at some future time.
I do want to emphasize, Peter, everything I'm talking about around identity sounds like a very technology oriented conversation and it absolutely is, but there's a very essential and often overlooked fraud component when we talk about the ways that identities can be used or misused, not necessarily getting access to a corporate resource, but using your identity to make money quite explicitly. I have a younger cousin who works at a healthcare oriented state agency in the south and I was talking with his mom about six weeks ago and this very young cousin was quite concerned - he's a few years out of college - quite concerned about losing his job, quite frankly, in the context of the current economy. Six weeks ago, that was his mindset. Today, fast forward six weeks later, he's not at all concerned about his job because at his healthcare oriented state agency, there has been an explosion of fraud. He's very busy right now. The bad guys are very busy right now. We already have the US Congress starting to spin up subcommittees to pay attention to this immense amount of money, all of which is needed, but to confirm has it been spent appropriately. Is there fraud? Well, the answer is there is fraud. There's fraud everywhere in the financial industry specifically. We've got customers today that literally bank on fraud occurring. There is a percentage of business that they nominally accept as, I'm not going to characterize it as acceptable fraud, but it's fraud that's out there and whether it's a consumer trying to get into his bank account, if it's a bad guy trying to maliciously take your Social Security Number and file your tax return before you can, if it's this healthcare angle I've just talked about, there's a huge fraud component. Bad guys are not taking this time off. They are very focused on trying to monetize and maximize what they can make out of this environment. 
So when we talk about identity, when we talk about threats, let's not forget about fraud as a specific leg there.
Peter Beardmore:
And the attack surface has changed. People are working from home, they're working from BYOD device, part of the time they're sharing networks with their kids who are doing online schooling, an awful lot to consider here and in a lot of cases, the security or fraud prevention functions of the organizations, they're just racing to keep up with the changes, not necessarily thinking strategically about what's happening from a threat perspective.
Ben Smith:
Yeah, I would agree, Peter and it's really hard and maybe easy is the opposite way, easy from a non-practitioner's perspective to say hey, you really should be thinking strategically about all these things. It's really hard to do that when your hair is on fire.
Peter Beardmore:
Right, right.
Ben Smith:
And the good news is a lot of our downstream customers right now have kind of figured out the remote workforce capability, there's a couple of other waves that are coming, but that part of their hair is no longer on fire.
Peter Beardmore:
Let's talk about the security operators themselves, right. Their lives have been disrupted and, therefore, our security operations function, in a lot of our organizations, have been disrupted as well, I'm assuming, right?
Ben Smith:
Yeah, they really have been for organizations large and small. I will say this, Peter, whether we're talking about security operations functions that previously maybe two or three months ago were nominally all on site or teams that might have been remote, one of the things I learned earlier in my engineering career when I was working for the world's largest internet service provider or ISP, we had not necessarily a SOC, but we had a NOC, a Network Operations Center because that was our business and it was like walking into a football stadium. It was huge. There were conference rooms with windows looking down onto literally about 125 seats where our network operations folks would be working. It was tremendously expensive. So I had the conversation with the person who ran that facility and it was only then that my eyes were opened to “Hey, this is kind of a tool to demonstrate that we've got cool stuff and there's absolutely work going on here, but we don't really need that. This is the Network Operations Center from several jobs ago. We don't really need this huge stadium size atmosphere. This is really to impress people.” So I want to kind of draw that analogy to even before where we are today, Peter, with some of the more mature Security Operations Centers who might have had a similar setup, something that is, yes, very useful, very important in bringing people together, but at the end of the day, you might not have 100% of your security operators all sitting in that room, there might not be room physically for them. In a lot of organizations, these are people, these are resources where those skills are geographically distributed.
So even prior to the current state of disruption, usually with larger customers that I've interacted with, they've already taken several discrete steps towards virtualizing that function where we can defend my 5,000 person, 10,000 person, 50,000, 100,000 person organization, we can defend that from a security perspective and not necessarily have to have everybody here. And the way that those more mature organizations have started down that path, and they've been very successful is around understanding that what a typical Security Operations Center is doing on a regular basis is they are following workflows or at least they should be following workflows. They should be following runbooks. They should have the tools and technologies in place deeply integrated into these workflows that they can orchestrate those responses. If I'm an analyst, I want to have a ticket or a case arrive at my front desk preferably pre-classified in some way and in the virtualized SOC context, that becomes even more important. It's a little harder to communicate. We have these great technologies that you've mentioned, that you and I use on a regular basis, but it's even more important today that we are clear and that no steps get skipped, and this is why workflow visibility is important. This is why orchestrating, if I know, if I'm that level one analyst in my Security Operations Center, and I've just been handed a ticket that strongly suggests, strongly smells like there's a phishing campaign that's just been launched, because I'm getting it from more than one place in my organization, that is probably a really good time for me to know that in the event of this type of issue coming up, these are the 12 steps that we have already figured out, as an organization, either we did that ourselves or we're relying on companies like RSA to provide best practices, what should those steps look like. I want to just be presented with those 12 steps.
I don't want to have to pull something off of my shelf and figure out okay, what are the 12 things I need to do and what's the order and what's the time frame. When you have a Security Operations Center that has these workflows documented and kind of baked into the day-to-day, those are the organizations where right now several months into this disruption, they have had a much easier time transitioning, because in the old days if you had a physical SOC, if I was that overworked analyst, and I haven't met an analyst who is not overworked at this point, I could just turn over to my colleague and say hey, what's step three in this runbook? Can you help me out? I need it right now. That's a lot harder to do today. So having these automated workflows is not just important for remote resources that are rolling up into these virtualized teams. Having those workflows is just as critical for management to be able to see “Hey, it's really interesting inside these 12 steps we are consistently not meeting our goals at step eight. Why is that? Do we have a bad workflow? Have we defined the business process incorrectly? Have we defined the response process incorrectly?” Having that insight is how organizations get smarter. So for those organizations that have already taken steps towards that virtualized Security Operations Center function, they are well positioned right now to turn this not just into a kind of tough exercise for the human beings that are the employees, but to turn this into a learning experience. How can we make our organization smarter?
If you're listening to me right now, and you're not in one of those more mature organizations, that's okay. Just think about workflows, think about documenting both your tools and what you need to do with them and in that order, we can help you here at RSA with that, but that's something that you can do on your own. Even independent of having an automated tool - that should really be your ultimate end goal - but these are things to think about. These are things, Peter, that have really kind of had a spotlight on them in the context of the current disruption.
Peter Beardmore:
What are some of the symptoms, Ben, that a SOC Director might be able to identify that would indicate that the platform that they're relying on or the tools that they're relying on are not really getting them to where they want to be from an effectiveness and efficiency standpoint?
Ben Smith:
I think the number one symptom that I have heard repeatedly from management and director level SOC folks is what they hear from their frontline analysts who are complaining about I got too many screens, I have too many places that I need to go to piece together the entire picture, I've got five different tools, and it's great, maybe they are even the five different best of breed tools in each of their categories, human beings have a hard time maintaining our focus on a task when there's just one screen in front of us. If you multiply that by I've got to bring up this screen from this tool and that screen from that tool and so forth, that is probably the number one symptom that going back to what we were talking about before, having some sort of an automation orchestration component in place where you can remove some of that tedium, instead of forcing that human being to physically go into those tools, wouldn't it be great when that case arrives is that information has already been consumed, it's already been prepped, it's already been formatted, so that I can start my work immediately and I can use my human brain to line up oh, gosh, I'm seeing that there's a pattern here between this tool and that tool. So that's one big symptom that anytime a management level person that is responsible for that security operations function, once you start hearing that from your folks, that's usually a clue that you need to do a better job with the workflows. You might need to take a look at some sort of an automated orchestration component. That was a long answer, Peter.
Peter Beardmore:
No, that's fine. I would also imagine though that if that's what your folks are complaining about, too many screens, too many tools, from a management reporting standpoint those symptoms must get a lot worse as things start flowing uphill. You might have a vague idea of where any particular case is in terms of a step in the process, but it would be a lot harder to dig down into the details, should you need them as well...
Ben Smith:
I completely agree and this almost leads us into some other topic for a future conversation, Peter, around the importance of defining good metrics.
Peter Beardmore:
Right.
Ben Smith:
What's actually showing up in those reports is important for the frontline, for the first line management, for the executive line, for the board. Those are different languages, those are different things that are being measured. So we spend some time at RSA kind of advising organizations around ways to think about metrics and a lot of times quite frankly, Peter, that's less a conversation about what technology can we sell you or offer you, it's more about holistically, why are these metrics being created? What are you trying to accomplish by reporting this particular metric to that audience? It's very easy to kind of sit back and passively accept metrics that your vendor's report out-of-the-box shows you, you've got to do the hard work. This is the conversation we have, “You've got to do the hard work, Mr. Customer,” to make sure that those metrics meet your needs and too many organizations, Peter, don't take that extra step. That's another way to kind of tighten up your approach, especially when it comes to protecting your organization.
Peter Beardmore:
I want to transition for just a few moments to the topic of detection because while it's very important that our human folks are operating as efficiently as possible, and we spent quite a bit of time on that, ultimately, we also want them to be detecting nefarious activity if it's occurring and not missing the bad stuff. Have the changes of the last couple of months affected our ability to detect malicious activity? Has the change in the attack surface, albeit I think admittedly more porous, has that also affected our ability to actually uncover bad stuff when it occurs?
Ben Smith:
Yeah, I think absolutely is the short answer. The slightly longer version of that answer is it's because the infrastructure that we are all relying on today is very different in many cases than the infrastructure looked like three months ago. This is one of the waves for what it's worth, there's a regulatory wave that eventually is going to hit and it's not about new regulations relating to security or non-security functions, it is the existing regulations that you and your organization are maybe struggling with today. When you scoped those out months ago, years ago, your architecture probably looked a little different than it does today. You have a much higher percentage of end users who are now working from home. You mentioned at the very top - which was spot on, Peter - these are not necessarily just end users that are using corporate equipment. In most cases, it's probably the end users using BYOD - Bring Your Own Device. You may not have good visibility. I'm telling you right now, you probably don't have good visibility into what's actually happening on those machines, not just what's happening on those machines, but who's using those machines. If it's a machine that previously was in someone's home office and that person is living in a house with other human beings, is it at all possible if not likely that those other human beings, especially the younger ones are on those same machines when you're not there. These all represent different areas of opportunity, different problem areas for detection, specifically. You don't have as good visibility into those non-corporate owned assets. So the operations of most organizations have just changed because of the physical location of many employees and that means that the traffic flow has changed.
One of the things I am working on right now at the house, even though I've been remote for some time, is I have come to the reluctant realization that my ISP pipe back to my cable provider needs to be larger. So there's some infrastructure work that's going on, on my end, and there's a security component to that as well. As I am thinking about increasing my network speed, as I'm thinking about understanding what I've actually got plugged into the network, I had a big awakening just this weekend as I was starting this project and I realized that I have many more devices on my immediate network than I had realized. Is that a security problem? It is a security problem. It is a management problem. I'm pointing at myself here, having too many devices. So this has been a good rationalization exercise for me, and the analogy is that there might be a good rationalization exercise for customers who are in the midst of everything that we are struggling with right now. Pay attention - not just to what's happening at the new endpoints originating out of your employees' homes - pay attention to what's happening on the applications inside your environment. That traffic flow has changed to the point where maybe there are applications that are no longer being used. And why is that? Maybe they're not being used as frequently as in the past. This could wind up being an operational answer as opposed to a security answer, but it's hard to kind of step back as our hair is on fire and kind of think about that broader picture. This is a great opportunity to kind of revisit some of the assumptions that you had made: the operational assumptions, the security assumptions, the detection assumptions.
Because the landscape has changed so much, there may be things happening that if you just spend a few minutes looking at this part of your network, or if you just spend a few minutes taking a look at your VPN concentrators which might be flooded at this point, that's another area that might not be sized correctly - from a licensing perspective, from a hardware perspective - because I have so many more end users, employees in this example, coming into my environment. These are all things to pay attention to. These are the conversations we're having with RSA's customers today.
Peter Beardmore:
Ben, is there anything else that you'd like to add to this conversation? We've talked about threat. We've talked about security operations. We've talked about detection. Anything else that security or risk managers ought to be thinking about when we're thinking through kind of the second order effects of a pandemic and its effects on security risks?
Ben Smith:
Yeah, I think I'll leave you with kind of two quick, and I promise they'll be brief, catchalls. One of the great technologies that we have on our plate that other organizations are starting to consume is this whole User and Entity Behavioral Analytics, or UEBA, which plays into, quite frankly, all three of the areas, Peter, that you and I just talked about. Thinking about the power of collecting a lot of data, automating the analysis of that data, not just around the U, the users, but the E, the entities, those machines that are on the network, and being able to come up with new discrete, maybe even essential conclusions that are going to drive your detection, that can just drive your response to a problem that's been detected in your environment, UEBA is critical and certainly something we encourage folks to think about. The other catchall that I want to briefly touch on, Peter, is we talked about the remote worker wave. We talked about how companies have struggled, but largely are working through that. The second wave that most organizations are in right now relates back to the detection point that we've already talked about. Organizations are waking up to the reality. They might not have great visibility versus where they were three months ago. So whether that's visibility as it relates to logs or packets, or NetFlow, or endpoint visibility, business process visibility, these are all things that organizations are starting to think about. And then the final wave, which I did mention briefly, is that regulatory wave. And again, I want to emphasize, Peter, I'm not talking about new regulations that spring up outside of this healthcare crisis, I'm talking about the existing regulations and the problem - let me rephrase that - the challenge for organizations is to understand that whatever you had scoped before, that scope has changed, I can almost guarantee it.
You want to be thinking about that before the regulators wake up and start to ask you some uncomfortable questions.
Peter Beardmore:
Right.
Ben Smith:
So that relates not just from a security perspective, Peter, but operationally, that's where I would want to leave that as a catchall.
Peter Beardmore:
Well, Ben Smith, thank you so much for taking the time to talk with us today. It's been very enlightening for me. You're always very thorough and looking forward to continuing this conversation with you both in person and perhaps in a subsequent episode not too far.
Ben Smith:
That sounds great. Thanks again for the opportunity, Peter. Have a great day.
Peter Beardmore:
Alright. Thanks, Ben.
Season 2 | Episode 1: Managing Disruption
Listen time: 20 minutes
Operating in a global pandemic has led many organizations to rapid digital acceleration in some areas, and re-prioritization in nearly all. In the first episode of our new season, Peter Beardmore welcomes RSA Portfolio Strategist, Steve Schlarman to discuss the many disruptions that the ongoing crisis caused. In particular the reverberating disruptions in business operations, workforce, supply chain, and security. How does rapid acceleration and reliance on digital lead to new and downstream risks? And how should risk and security leaders think about managing, communicating, and accounting for these risks amid continuous change? Steve brings unique insights to emerging challenges, coming from two decades of digital risk management experience.
Check out Steve’s blog where he discusses what happens when you relax a control and nothing bad happens: Security & Risk Controls: Why You Need Them.
Ben Desjardins, RSA VP of Product Marketing discusses the benefits of well-established standards when navigating uncertainty: Tips for Applying the Known in a Time of Uncertainty.
Season 2 | Episode 1: Managing Disruption
Peter Beardmore:
Hello and welcome back to the RSA Podcast. My name is Peter Beardmore from RSA Marketing and we are in Season 2 as of right now. We have changed the format a little bit. We’ve even changed the name of the podcast and we’ll experiment, we'll hear back from you and hopefully get some great feedback or some good suggestions, and we’ll continue to modify and change things up in response to what you are looking for. So to kick things off, the world has certainly changed since our last season, which just concluded only a month or two ago, but to kick things off, I have invited my friend and colleague, Steve Schlarman, to join the podcast. Steve, welcome.
Steve Schlarman:
Welcome. Thanks, Peter.
Peter Beardmore:
And Steve and I have been working together for several years now and he comes from a really interesting background, a longtime RSAer now, but also a longtime expert and practitioner in the world of compliance and risk management. So Steve, let’s start off by introducing yourself and giving us a little bit of your back story.
Steve Schlarman:
Sure, sure. Thanks Peter. Yeah, so I started my career, oh, jeez, 20 some years ago in IT on the operations side and migrated myself over to the security world, and I started with Pricewaterhouse way back in the day doing attack and penetration, pen testing, security audits, those types of activities, and kind of as I moved through that circle, I started kind of moving up in the chain, working more on security policy development, security strategies and architectures, and in the, believe it or not, the late '90s started working on a product that was a very early ITGRC type of product at PricewaterhouseCoopers at the time. And, long story short, we ended up launching that as its own company and it was one of the first product solutions that was focused on governance, risk and compliance. We were very focused in the IT world and since then have been working with risk management and compliance, joined RSA in 2009 actually when my company was bought by Archer Technologies and have been with RSA ever since. And so I have had the privilege, I guess, to really see the GRC market evolve from really the late '90s into what we see it today, and along the way, worked with a lot of risk management and compliance practitioners over the time as they look at building out risk management programs, GRC programs, whatever you want to call it. So, yeah, my root is really in the security world but it’s been an interesting ride seeing the different phases of both security evolution, what we’ve seen in the security industry and what we have seen in the risk and the compliance world. When things first came out like Sarbanes-Oxley and PCI really driving this idea of compliance, and we've kind of evolved from the check-the-box compliance world to a much more risk oriented world. So it’s been an interesting ride, that’s for sure.
Peter Beardmore:
So listeners of our podcast are certainly familiar with the concept of digital risk management if they’ve listened to any one of our previous five or six episodes. So I am not going to spend too much time there but obviously things have changed quite a bit over the course of the last several months. They have changed here at RSA and they have certainly changed for our customers and when we talked about digital risk management previous to the current pandemic crisis, we always start from the point of discussing digital transformation.
Steve Schlarman:
Uh-huh.
Peter Beardmore:
What have you seen change with respect to the digital transformations that organizations are experiencing and what that means from a digital risk perspective?
Steve Schlarman:
Yeah, it’s been an interesting year, obviously that’s an understatement. The pandemic certainly has shined a light on different elements of digital risk. Organizations who have gone through digital transformation before, so that they were positioned or had some level of digital maturity, have been able to shift operations quickly into that digital world in response to the pandemic. So, for instance, an organization that has kind of taken the work anywhere, dynamic workforce concepts and moved them forward obviously could move workers remotely more quickly in response to the pandemic, because that's a big area of disruption. So the digital transformation in some respect has actually helped organizations be better prepared for a disruption. No one expected a disruption of this magnitude, I kind of call this the greatest risk management curve ball in history because pandemics are generally something that’s on the radar from a risk perspective, but the likelihood of a global pandemic with this much impact is pretty low, and obviously the impact is really broad and we have seen industries really deeply affected in many different ways, and we have also seen other industries have some opportunities in this situation as well. But our view of digital risk management has remained the same but has shifted a little bit, because our definition of digital risk management was really hinged on taking an integrated view, not looking at these risks as independent, but everything is very connected. Digital risk is as hyper-connected as your enterprise and therefore you have to approach it with an integrated strategy, looking at it broadly, but I believe that the pandemic has shifted a few of the priorities and heightened some, and not that the other ones have been de-prioritized, but certainly organizations have to take care of things immediately as this pandemic has unfolded.
Peter Beardmore:
So what are some of those areas that have been prioritized?
Steve Schlarman:
Yeah, well, I mean obviously the first disruption is business operations. I mean, organizations have been disrupted in countless ways. So this podcast would be 48 hours long if we tried to go through any and all the ways, but suffice to say some organizations had to enact continuity and recovery plans, other organizations had to go into full crisis mode. Business operations were probably the biggest area of disruption, but right behind that is the workforce. I mean obviously, we have all faced challenges and from an organization’s perspective, it all starts with health and safety: making sure that your employees are safe and so forth, but when you look at the stay-at-home orders, you look at the travel restrictions, that has been a major area of disruption and the term essential worker has taken on an entirely new meaning. But organizations have to understand that it’s not just the work part of those lives that has been disrupted, it’s the work life balance part, and so there are a lot of things that have disrupted the workforce. The other thing that we have seen is the supply chain. There’s an amazing ripple effect across the globe because different regions are going through different types of cycles and depending on the organization and the supply chain, you have different effects, you have supply and demand issues and so forth. And then I think the last area really is just in the security and risk management world. This is somewhat of the perfect storm. It’s a time of heightened threats at the same time that the business is increasingly fragile, and so the likelihood of something going wrong is up, the impact is increased because of the disruptions, and therefore you have this kind of perfect storm of issues that are affecting security and risk management functions, and they were trying to make decisions on the fly to keep the business running but at the same time keeping an eye on what is happening from the security or risk perspective.
Peter Beardmore:
So business operations, workforce, supply chain and security: these you believe are the real major areas of disruption that organizations are wrestling with and reprioritizing with respect to the organization as a whole and its operations but in particular from a digital risk perspective, correct?
Steve Schlarman:
Definitely, yes.
Peter Beardmore:
So let’s go a little bit deeper into each one of those areas. I am going to take them a little bit out of the order that you brought them up. Let’s first talk about workforce.
Steve Schlarman:
Uh-huh.
Peter Beardmore:
IT leaders, risk leaders, security leaders, all have had to flex to be able to enable an increasingly remote workforce. Talk about some of those pressures and challenges that’s brought on to digital risk and security leaders.
Steve Schlarman:
Sure, so I mentioned before the level of digital maturity in this area is really important, and organizations that had remote working capabilities, this probably wasn’t on the radar screen to its full effect, but they could shift operations to remote workers where appropriate. But then you had situations where you have to clear your buildings in 48 hours or so and have thousands of workers that all of a sudden need to be enabled to work remotely. So, one, there is just the pure logistics of shifting those workers out of the buildings into their homes and that’s a major concern and issue to deal with, but then when you look at it from a risk management perspective, you are inserting security issues that you may not have worked through all the way, and so things like multifactor authentication, desktop or laptop security, the fact that these users are coming in from remote systems, their home networks: it adds a layer of security issues that you have to deal with, and so techniques like multifactor authentication and desktop security and laptop encryption and those types of things are very important. The second thing that that affects is, on the security side, if you think of an organization that has built up their understanding, the security function that has built up their understanding of user behaviors based upon the workers being in the building, all of a sudden they are coming in from all of these different remote points, it throws a lot of those behaviors that you think are normal out the window, and so the security operations team has to shift on the fly to understand what is normal and what is abnormal in a very fluid situation.
So if you have user profiles that are built based on workers performing tasks or using applications at certain times of the day and all of a sudden now they are at home, now they are trying to home school their children and they are working different hours, that throws off all of those behaviors that the security team has learned over the years, and so it makes it much more difficult to identify something that’s out of the norm. The other thing is now a security team that is used to potentially working together, being in a SOC together or working closely together, now you have them distributed, that adds another layer of complexity. So the disruption of the workforce puts all of these things on the table in a very fast manner, and organizations have to try to deal with all of those and keep a lid on the security issues.
Peter Beardmore:
So clearly these disruption areas overlap a little bit.
Steve Schlarman:
Oh, absolutely, absolutely.
Peter Beardmore:
You talked a little bit about the security team, they have gone through a major disruption themselves, they are part of the workforce.
Steve Schlarman:
Yeah.
Peter Beardmore:
Obviously SOCs are being virtualized, I guess is probably the best way to put it. Can you talk about some of the impacts just in the SOC, not only in terms of their daily work like having to deal with behavioral analytics for a newly remote workforce, but just running the SOC, that has to be a challenge.
Steve Schlarman:
Absolutely, yeah, as I mentioned if you have a team that’s used to working together, working problems in close proximity, and now you are having to work remotely, there is the technical issue of ensuring that you have all of your tools and your capabilities to use the tools that you need remotely, so that adds a layer of complexity. You have the process side of losing some of that proximity when you are working problems; a lot of SOC teams, they end up white boarding things, they end up doing things like that to facilitate processes and now you are doing that in the virtual world. You have the added ingredient of the work life balance of the SOC people. Another thing that we have seen is also an uptick, unfortunately the bad guys don’t take these times off, and so phishing campaigns and attack vectors like that just have another way to pull in users. I mean you have users that might be accessing e-mail because they can’t get their corporate system, they are sending e-mails from their personal accounts just to keep the business running, but now that just opens up another avenue for a phishing campaign. “Hey Bob, I can’t get my corporate e-mail. This is my home e-mail, can you send me this?” or “Here’s that document that you…”
Peter Beardmore:
Right.
Steve Schlarman:
…were looking for. It just adds a whole another layer of complexity and so it’s not just the SOC teams that would need to respond, it’s also the security functions or the security teams that are doing things like awareness that are managing the e-mail.
Peter Beardmore:
Yeah, there are lots of scenarios that we haven’t previously necessarily trained to be aware of.
Steve Schlarman:
Yeah, yeah and they seem really logical like “Oh, yeah, Bob’s working from home. I’ve had problems with my VPN, he’s probably sending me this document from his personal account just to keep business running,” and it seems logical, so…
Peter Beardmore:
Yeah. Talk a little bit about the supply chain. I would imagine that there are physical aspects of the supply chain, which are pretty obvious, but there is also the digital supply chain. We spent a lot of time talking about how we vet and manage the risks associated with our digital ecosystem, but it's not just our organization that’s changed now or gone through disruption, it’s every organization, to include all of our suppliers.
Steve Schlarman:
Yeah. And I think that’s what the massive difference is in most crisis scenarios, is the global effect. Now if you are a local company, you will potentially have supply chain issues, but it’s exacerbated the bigger you are, and so if you didn’t know the who, what, where, why and how of your supply chain before, you definitely need to put in place a plan to better manage third party governance. We have talked with CSOs and CROs that have to fast track alternative vendors and suppliers because their primaries are disrupted in some way, and so now they are looking for an alternative supplier. Well, if you think of the general on-boarding of a vendor in an organization, especially if it’s something that’s going to be digitally connected, you have a security assessment. You should have these risk processes that vet that out, and now the business is saying we need this right now, and so getting that, fast tracking those vendors into your program, has been a major part of those companies that have had supply chain disruptions. The other thing that was interesting was to talk with a CSO where they had to actually bring in their security team to vet offers by suppliers that were scams. And so they were trying to investigate which of the suppliers that were trying to fill these gaps were actually legitimate and which ones were scams. So again the bad guys don’t take the day off, so that’s an entirely different aspect of supply chain risk management.
Peter Beardmore:
So as organizations are making all of these on the fly changes to their workforce and all the security aspects associated with that, their security operations, dealing with changes and suppliers and supply chain risk management, it’s really got to shake up the business operations and particularly the risk and compliance folks, to keep track of.
Steve Schlarman:
Uh-huh.
Peter Beardmore:
Can you talk a little bit about that?
Steve Schlarman:
Yeah, I think when you think about the business operation side, you can kind of segment it into two pieces: where when business operations are disrupted and this goes your typical disaster scenario, all the way up to the pandemic that we are seeing today, there are continuity and crisis management efforts that generally most organizations have planned out. I talked with an RSA Archer customer who when they saw the writing on the wall, they used RSA Archer to actually notify all of their business continuity plan owners to make sure all the plans were up to date because they really weren’t sure what was going to unfold and so something like that is generally a function of, if you have a mature BCDR type of program you can anticipate some of these things. So there is definitely a side of managing the disruption on the business operation side that is, I don’t want to say scripted, but is planned in some way. Obviously this is a unique situation but an organization that had solid continuity plans and crisis management processes already defined could deal with that. The second side of the business operations is, which you brought up, is all of these on-the-fly decisions being made to relax controls to keep the business running or bypass controls to keep the business running. We have seen instances where compliance obligations have been relaxed by regulators temporarily and so you have all of these decisions being made to keep the business running, which is absolutely necessary. At a certain point, those decisions are going to either have to be unraveled or fed back into the post-crisis strategy and it's a big burden on compliance risk functions, the business functions to keep track of these things.
Peter Beardmore:
Alright. Steve, is there anything that you would like to add that I might not have asked you about?
Steve Schlarman:
Well the only thing I want to reiterate is I think the key to managing risk in the digital world is to remember that things are as hyper-connected as your enterprise. So as you rely more and more on technology, and we have seen organizations lean very hard on technology through this time, whether it's implementing web conferencing or it’s increasing use of SaaS applications or whatever it is, organizations are really leaning on technology. And the result of that is the increase of risk around that technology, and you have to be smart around which risks you want to tolerate, which risks you’re going to mitigate hard, and that requires a good partnership between the technology and the risk functions to deal with that risk, and so you have to break down those silos to evolve security and risk management practices to deal with that fast moving digital business, and remember that all these risks are connected and you have to deal with it with an integrated approach.
Peter Beardmore:
Steve Schlarman, thank you for joining us on the RSA Podcast and have a great day.
Steve Schlarman:
Thanks, Peter.
< Season 1 >
Digital Risk, the unpleasant byproduct of digital transformation, has rapidly become the greatest facet of risk that organizations now face. This podcast series explores how organizations are meeting the unique challenges of digital risk. Paul Roberts of The Security Ledger and Peter Beardmore of RSA bring thoughtful conversations with leaders in Digital Risk Management.
Season 1 | Episode 5: Cloud Transformation Risk
Listen time: 36 minutes
We discuss the pressures and risks organizations face as they migrate to the cloud, and some strategies for managing them. Guests include Rohit Gupta, Global Segment Leader for Security at Amazon Web Services, Dr. Zulfikar Ramzan, Chief Technology Officer at RSA, and Tony Karam, Sr. Solutions Consultant at RSA.
Season 1 | Episode 5: Cloud Transformation Risk
Paul Roberts:
Welcome to another episode of Risk Recordings with RSA. I'm Paul Roberts, the editor-in-chief at The Security Ledger, and I'm here once again with-
Peter Beardmore:
Peter Beardmore from RSA.
Paul Roberts:
Peter, great to see you again.
Peter Beardmore:
Great to see you too. This is episode five of Risk Recordings with RSA. This is the season finale.
Paul Roberts:
Season finale with the big cliffhanger at the end.
Peter Beardmore:
We need to write that into the script at some point during one of the breaks, because we don't have one yet, but hopefully we will compel you to come back for season two.
Paul Roberts:
That's right. That's right. So this episode, Peter, is focused on cloud transformation risk, and this is the elephant in the living room for many organizations these days, because again the transition, the embrace of cloud is happening. It's inexorable, every company is doing it, and maybe or maybe not understanding the risks that go along with cloud.
Peter Beardmore:
Yeah, it's very closely related to the conversation we had a little ways back about third party risk, which is organizations are looking for the efficiencies and the expertise and the cost savings that come with cloud infrastructure, cloud services, cloud-based applications, and there's no shortage of spending that's happening there. I think IDC reported over $200 billion in 2019 in infrastructure and services related revenues in public cloud.
Paul Roberts:
Yeah, and we know the DOD just assigned a $10 billion, with a B, cloud contract to Microsoft.
Peter Beardmore:
One customer.
Paul Roberts:
One customer, albeit the Department of Defense, but nevertheless, certainly the government, which for years, and the DOD, which for years, kept cloud at arm's length, feeling they couldn't protect classified data, sensitive information in public cloud, is now moving there at flank speed, as they would say in the navy.
Peter Beardmore:
Good reference.
Paul Roberts:
That's a Dan Geer line, not a Paul Roberts line.
Peter Beardmore:
All right. It was pretty good, though.
Paul Roberts:
Yeah, thanks. So we invited a few people into the studios to talk about this issue, and to start, we invited Zulfikar, Dr. Zulfikar Ramzan, who's the chief technology officer at RSA. He had some interesting things to say just about some of the opportunities around cloud adoption, but also some of the security challenges that are facing companies right now.
Peter Beardmore:
Let's listen in.
Dr. Zulfikar Ramzan:
Zulfikar Ramzan, chief technology officer of RSA. I run the RSA office of the CTO, thinking about some of our latest innovations and advanced development efforts, and I have a chance to meet with amazing customers every day and learn about the challenges they face, and see what RSA can do to help address them.
Peter Beardmore:
So Zuli, we've been talking about digital risk management, and as part of this podcast series, one of the areas that we want to focus in on is the whole topic of cloud transformation risk. So my first question is, what are some of the primary concerns or most frequent concerns that you hear from RSA customers when they're trying to get their arms around the totality of the risk associated with cloud transformation?
Dr. Zulfikar Ramzan:
So I think first thing that has to come up is organizations have to adopt a mindset that the cloud isn't just some abstract theoretical notion. It represents a fundamental extension of an organization's infrastructure, and therefore, any of the same challenges they had in the on-prem world, they'll see analogous challenges that exist in the cloud world. So for example, if you have to have visibility monitoring for your on-prem assets, you have to have the corresponding level of visibility monitoring for your cloud assets. If you have to manage identities for people accessing on-prem assets, you've also got to find a way to manage identities for people accessing cloud assets, and so on and so forth. So almost every security problem that we've looked at historically in the on-prem world, we'll see something similar in the cloud world.
Now having said that, I think one of the challenges I see organizations struggle with is taking, essentially, a bifurcated approach, where they try to adopt two different sets of technologies, one for their on-prem and one for their cloud, and neither [inaudible 00:04:12] shall meet when they actually try to think about it from a security perspective. So what I tell organizations is first and foremost, recognize that cloud is not something you're going to turn on overnight. There is a journey involved. You'll be in some hybrid world, including on-prem and cloud, for quite a while. There'll be a lot of assets and a lot of applications that'll run forever in the on-prem world for a variety of reasons. So consider how to future proof your architecture, think about ways in which you can have one set of systems that can adapt to both your cloud and on-prem needs, and use that as the baseline for your strategy for managing your cloud risks moving forward.
Peter Beardmore:
One of the topics that has come up a couple of times in our conversations is sort of, particularly when it comes to the cloud, ambiguity in who has responsibility for what. So we'll be interviewing a representative from AWS in the next several days. It's a story that people are interested in talking about for no other reason than AWS is ubiquitous out there. They've got extraordinary security capabilities, but not necessarily a whole lot of clarity when you're taking the AWS infrastructure, you're taking another party's application. On top of that, you're perhaps integrating your own controls when it comes to identity management and what have you, and those divisions of responsibilities when it comes to all of these parties coming together. Is there a right approach for organizations to take when trying to rationalize all this, and is there anything that RSA can bring to bear in terms of helping them figure that out?
Dr. Zulfikar Ramzan:
Right. So I think that you're right that there is this element of, what is the right approach? What's the right for me approach? I think that's the key words there, the right for me approach. Ultimately, every organization has a unique risk profile. It has a unique set of areas that matter to it that can create business impact in the wrong ways, potentially, under a given set of circumstances, and the goal should be, from a risk management perspective, is to understand what those levers are and to optimize your strategy from a cyber risk perspective, even from a business perspective, around those particular levers.
With an RSA, certainly, we have the RSA Archer portfolio, which has done a phenomenal job of helping organizations manage risk. To me, though, the real key shift in the sort of risk management landscape is to move away from traditional governance risk and compliance towards integrated risk management. Today's organizations are complex, whether we like to admit it or not, whether they're big or not. The size of the organization does not necessarily define their complexity. If you look at the third parties we rely upon, whether it's AWS or others, they equate a lot of complexity in our landscape. That complexity is not separate from an organization. We have to look at it as part of an organization. It just extends the organization's boundaries in ways that are perhaps novel and not typically thought of in a traditional context.
So having said that, it becomes absolutely crucial to have a singular view of risk across the different facets of risk in an organization rather than taking a siloed view of risk, and I always tell people that if you are facing an audit, the best way to fail an audit is to give the auditor two different answers to the same question when they ask two different people. Guaranteed failure, and that happens a lot in organizations that don't have a single view of risk. They have multiple systems. Typically those systems involve Microsoft Excel on a SharePoint site somewhere, and someone typing in numbers into a spreadsheet without any sort of cohesive view of what's going on. So to me, that would be where I would really begin, interpret thinking about those elements.
The second area that I would think about is, again, that point that I raised earlier, which was how do you ensure that you have a unified view across both cloud and on-prem? A classic case where that happens is identity management. Today, a lot of organizations will have essentially one solution for cloud-based identities and another solution for some of their on-prem identities. That makes no sense to me. The identity is ultimately when things happen that go wrong in an organization, it often boils down to somebody messing up something related to identities.
Wouldn't it make a lot of sense, wouldn't there be tremendous return on investment, a tremendous reduction in risk per dollar spent, if you were to focus on unifying your identity systems to at least eliminate those two silos and unify them in one area? That's something certainly RSA SecurID has been a pioneer in that space. We've done identity for decades, done it successfully in the on-prem environment, we've introduced new cloud capabilities, but for the first time, we're able to cover both sets of use cases, as well as a variety of others that prevent organizations from having these siloed islands of identity, and really enable them to take a cohesive view among one of the most critical and most consequential risk factors in the modern era.
Peter Beardmore:
Dr. Zulfikar Ramzan, thank you for joining us.
Dr. Zulfikar Ramzan:
Absolutely. Thank you so much, Peter.
Peter Beardmore:
It was a pleasure having you. Thanks.
Dr. Zulfikar Ramzan:
Likewise.
Paul Roberts:
Some really interesting thoughts and observations there from Dr. Zulfikar Ramzan, who's RSA's chief technology officer. Peter, you had an opportunity to sit down with Tony Karam, who is a senior solutions architect at RSA. He works with RSA customers around very kind of specific challenges and problems related to cloud transformation.
Peter Beardmore:
Yeah. We talked specifically about many of the migration issues that customers run into, many of them unplanned or unanticipated, and also some approaches and ideas that organizations ought to be thinking about as they continue the process of cloud migration and making cloud part of their overall infrastructure, not just an add-on that should be managed separately from a security and risk standpoint.
Paul Roberts:
Yeah, because most of these organizations are not kind of shutting off on-premises and turning on cloud. It's a migration process and they're doing both at once.
Peter Beardmore:
So let's listen to Tony and see what he's got to say about this.
Tony Karam:
Yeah. So my name is Tony Karam. I'm what we call a solutions strategist here at RSA. So I spend most of my time helping customers understand their risks associated with digital transformation at really a core level. So looking at things like workforce transformation risk, cloud transformation risk, holistically and then how RSA can help them across our entire portfolio of products.
Peter Beardmore:
So why don't we start by talking a little bit about where the industry sits in terms of cloud transformation and risk? While we were talking before we started recording, you mentioned to me some thoughts around ... It's a little bit different today when we talk about cloud transformation risk than it was even three or five years ago in terms of what organizations are worried about, so tell me a little bit about that.
Tony Karam:
Just if we look back, there's been sort of an evolutionary change when it comes to cloud and what organizations are increasingly relying on the cloud for. Just a few years ago, it was really about storage, cheap storage, huge capacity, compute, really about driving the cost out of tier two, tier three applications and infrastructure. Today, that's completely changed. Today, most of the organizations I talk with see the cloud as really the tip of the spear for digital transformation initiatives, and moving what they call tier one or mission critical applications to the cloud that carry very sensitive, very confidential data with them. So in doing that, it certainly creates a new set of risks for them.
Peter Beardmore:
What are the risks that organizations are first most concerned with going in, and are those risks different six months, a year later, in terms of what their biggest concerns are?
Tony Karam:
Yeah. So one of the things, unfortunately, we find out is companies are not sort of looking before they leap. There's a lot of companies, like you mentioned early on, a lot of organizations have these cloud first initiatives. So there's a lot of pressure across the organization to get things sort of moved over to the cloud. So what we find is organizations really don't have a real good handle on what all those risks could look like. They've got some ideas, they understand that in the best case world, they are going to try to emulate or extend the security and risk management capabilities they have on-premise to the cloud, but that certainly becomes a challenge for them once they start to dig in and really find out what's in front of them.
It's one of the reasons that RSA's put what we call frameworks together. So we have something called a cloud transformation framework. It goes through a series of domains and it really allows organizations to measure their capabilities against industry standards and best practices. The other thing we hear a lot, all the time when I'm out talking to leaders, certainly CEOs and CSOs, is they always say, "We wish we had more budget." We really need to find a way to make security and risk management a strategic priority for the company and not just a cost center with endless projects.
So one of the things we provide organizations, in addition to a scorecard of where they stand today, we also provide them a tailored roadmap for maturing their cloud security and risk management capabilities based on their business needs. So I like to think of it as, what better way to go get budget, if you would, by then mapping or tightly aligning your investment or your spend to the business need?
Peter Beardmore:
So you're not describing necessarily turning security and risk management into its own P&L? No, it's actually generating revenue.
Tony Karam:
Yeah.
Peter Beardmore:
What I think you're describing is a methodology whereby security and risk management are more tightly combined in all stages of the business planning and execution process so that it's baked in from the onset.
Tony Karam:
That's correct. Yeah, that's right, and another thing we've seen is that there's a fundamental difference between what they did before and now what they need to do. When they hosted everything, when everything was behind their firewall and in their DMZ, in their data center, they had a hundred percent responsibility for everything, and there's this misconception in the marketplace today that if I offload my applications and my workload to the cloud, then I offload my security and risk management responsibilities.
That's not true at all. All public cloud providers out there have what's called a shared responsibility model, where the cloud providers are responsible for security of the cloud. So this is the infrastructure required for their service to run. Networking, virtual machines, containers, operating systems. Organizations, on the other hand, are responsible for security in the cloud, their data, their applications, users, compliance, and companies are really just starting to understand that new sort of reality for them.
Peter Beardmore:
It's confused, to a certain extent, because the public cloud providers are also selling additional add-on security products and services that perhaps confuse things or muddy it up.
Tony Karam:
Yeah. That's a huge issue when we talk about visibility, especially. Everybody I talk to, that's the number one thing they say, is, "Hey, we need more visibility into our cloud state or our cloud environments," regardless of whether it's a hybrid cloud, multicloud, single cloud sort of environment, and I kind of equate that back to ... So think about that from their perspective. What's really changed? So before cloud, I'd have a data center, and regardless of how big or how small the data center was, probably at any given time, I could plug a cable into a port and look at all the data, kind of running on the wire. How do I do that in a cloud environment? I really can't.
So what cloud providers have done is built a set of tools themselves to share sort of that backend data, that sort of log and packet type of data with organizations, but what most organizations found is that wasn't good enough, there wasn't enough there. So now you have third parties also coming in building tools to allow organizations to extract that data, and then we have tools that are great places to capture all that data, like RSA NetWitness. I always think of RSA NetWitness as this big engine with lots of great analytics capabilities in the cloud, regardless of how many instances of the cloud, those instances just become stovepipes into NetWitness.
Peter Beardmore:
It's able to converge that information and collate it and figure out what's [crosstalk 00:17:43] and what's not.
Tony Karam:
That's right. It provides the insight organizations are looking for from that data in the cloud.
Peter Beardmore:
So it becomes incumbent upon vendors like RSA and those cloud service providers to be able to make that data transferable.
Tony Karam:
That's right.
Peter Beardmore:
I would imagine we participate in those partnerships and are trying to make things like that work on behalf of our customers.
Tony Karam:
Absolutely. We're actively engaged with lots of technology companies, certainly Amazon Web Services, certainly Microsoft Azure. We understand that for our customer's sake, we have to get access to that data, so we continually work with them to make sure that one, they're sending us data that's relevant and useful for our customers, and two, that we can ingest it and consume it and make it usable.
Peter Beardmore:
And provide insights to determine what's important, what's not, how it matches up with the threat landscape and those kinds of issues.
Tony Karam:
That's right. To take action, the appropriate action.
Peter Beardmore:
How does cloud and cloud transformation change the way that businesses have to think about risk and security?
Tony Karam:
We used to live much more in sort of a binary world. Organizations would stand up computing infrastructure, think about physical access to a data center. Once somebody is inside, they can configure their network with boxes and cables, and that's become completely abstracted today, it's all virtualized. While organizations can more quickly spin up services, it becomes much harder to understand sort of the inner workings between those systems in the services and data.
I think the other thing we always hear when we talk about is the sort of the vanishing perimeter. The fact that most times today, now, we have users using unmanaged devices with direct access to cloud services. So certainly, while identity always played a large role, I think it plays an increasingly larger role when organizations think about how they're going to mitigate risk in the cloud, and again, it comes back down to the speed at which the cloud moves. I read a statistic recently that said between five years, between 2018 and 2023, 500 million new digital services and applications will be created, which actually equals the same number as the entire past 40 years. So we can see how the pace is just escalating tremendously, and that pace is causing lots and lots of issues for folks.
Then lastly, I think it's not just about what happens in the cloud, but across your entire digital estate for organizations, and they can't forget about that. So it's being able to have the tools that allow them clear visibility across their entire ecosystem, the tools that then give them really good and clear insights into the risks that allow them to take the appropriate action.
Peter Beardmore:
Tony Karam, thank you very much for joining us for the podcast.
Tony Karam:
Thanks, Peter.
Peter Beardmore:
So great insight experience from Tony Karam, who's senior solutions architect for cloud transformation risk at RSA. Paul, we also had an opportunity to speak with Rohit Gupta, who's global segment leader for security at, of all places, Amazon Web Services, little company in the public cloud space.
Paul Roberts:
Yes. Where better to go for information on provisioning cloud services securely than Amazon itself? Rohit is kind of the guy to talk to there about that. This is a really interesting conversation. Rohit talks about Amazon's own evolution and the way that they deploy some of these cloud services, and how security has become more kind of part and parcel of that, less a choice than the default, and also just about the ecosystem that Amazon has built up around security, an ecosystem that includes RSA security, among other organizations, to help provide customers with the types of tools and capabilities that they need to secure cloud deployments, and then also some of the guidance and instruction and resources that they have to help kind of lead customers on this journey of cloud transformation. So let's check out what Rohit has to say.
Peter Beardmore:
All right.
Rohit Gupta:
Yes. My name is Rohit Gupta. I'm the global segment leader for security at Amazon Web Services. Yes. So my role at AWS is to work with partners in the security space, companies that are providing technology solutions, consulting or managed security services to customers that are deploying workloads on AWS. So I help these companies develop solutions that are targeted to AWS workload protection. I help them market those solutions and help them sell those jointly with our sales teams to make sure that our customers know which solutions are tailored to AWS workload protection and then how they can find them.
Paul Roberts:
Now these are by and large often existing security technology companies, but presumably some of them are, especially these days, spinning up specifically to address AWS or AWS-like environments.
Rohit Gupta:
That's correct. A lot of our partners have been in the security space for a while and have recognized the opportunity that the cloud brings, where customers are moving workloads in a big way to the cloud and to AWS in particular, that they need to go build solutions that are tailored to the environment, that existing models necessarily don't port the exact same way into the cloud. So there are companies that have built brand new solutions to address cloud-specific security needs, and others that have ported over existing solutions because they do apply in the cloud, but we also see a large number of startups that are building new solutions that are focused only on modern application development tools like containers and serverless technologies.
Paul Roberts:
What are some of the challenges, specifically, of securing workloads in cloud environments, as you said, serverless container-based workloads and cloud environments, whether you're a new security player or an old one?
Rohit Gupta:
Yeah. So the cloud, I think, has changed the game substantially from the on-premises world that most people are running infrastructure, or even if it was co-located, there are a number of things that are very different about the cloud. There is a fantastic amount of capacity available just because it's elastic, and you can do things for short periods of time without it being really expensive. So think about processing large amounts of data to find security issues. It was simply not possible, because of either cost or capacity reasons, that the cloud has removed.
The other thing that is very, very unique and different about the cloud is the automation element. There is native automation built into the platform, where you can actually take action in an automated fashion and have access to the entire infrastructure. You can speed things up, you can turn things off, completely automated, and so that is a great tool for taking care of security issues. So there is an opportunity now to really help the customer react much faster, because you can first find things more quickly and easily, and you can take action to solve the problem more quickly and easily.
Then just overall, the visibility that the cloud gives for things like CloudTrail that have access, have the log of all activity that has happened in your environment, that is a fantastic source of data for particularly security use cases that simply just does not exist anywhere else. So what that does is you can now go do things you could not do on-premises, but there are tools that are needed now to take advantage of those capabilities and actually make them easy for customers to go consume and get value from. So I think that the cloud brings a lot of great capability, but there's still work to be done by some of the vendor solutions to take full advantage of that capability.
Paul Roberts:
I know that AWS and RSA are kind of combining forces. What does a vendor like RSA with the sort of breadth and reach that it has, going back some three decades, platforms like Archer, NetWitness and so on, what does that bring to the table for a vendor like Amazon, AWS?
Rohit Gupta:
Look, the way we think about our business is we work backwards from the customer. We start with what the customer needs, and we make sure that their experience is great, and partners like RSA, who've been doing this for a while, have great solutions, and our job is to make sure that the best solutions are in front of our customers so they get the most value they can. For existing investments they've made, for example, maybe using RSA solutions on-premises, and now they're available on AWS for them as well, which means that they don't have to train new people or new technologies, they can use existing capability. They know and like the solution they've been using, and they just want to continue using that. So we really feel that companies who have been in the space for a while and understand security well are really the ones we want to bring to our customers, because they have the experience of dealing with issues and solving them, and RSA is a good example of that.
Paul Roberts:
Can you talk a little bit about the sort of customer migration experience? So for customers who are transitioning over to AWS as a platform, obviously, there are many challenges to that, and there are also sort of a lot of cooks in the kitchen. Of course, there are IT staff, there are the vendors that they've worked with, and then now there's this whole additional layer of Amazon Web Services and the tools and staff and so on to manage the infrastructure that they're going to deploy on. What are some of the challenges that you see customers having, and how is Amazon working to try and make it a seamless process to sort of migrate over from, let's say, an on-premises to a hosted environment, and also to manage the security of that transition?
Rohit Gupta:
Migration is a key part of our strategy around building the business. If you think about the vast majority of applications today are running on-premises or in some sort of a hosted facility, and most customers want to take advantage of the cloud and move those applications into the cloud, and somewhere along the way, they might refactor them using modern application development techniques, we talked about with serverless and containers. So that migration journey is a core part of where we focus our efforts, and so we have a lot of capabilities and sort of thought leadership we have published in the space. If you look up the Well-Architected Framework, the Cloud Adoption Framework, we've also published, and there are security epics inside of those that are focused on the security aspect of that migration.
As a company, we believe very strongly that having an easy process of migrating workloads into AWS is very, very important for our customers, and security is something that comes up in every conversation. People are asking us, "Is my data going to be secure? What should I do to make sure it is?", and so we spend a lot of time in helping customers through that process, both with people and technology, and then just best practices that we showcase to customers.
So one example of that is we had customers that didn't realize that they were opening up S3 buckets to the public, so that was a problem, and we recognize the fact that the platform has the capabilities, always did, to prevent that, but the default was not to prevent it, and so we changed the default. So now when you open an S3 bucket, it is actually not open to the public, and the customer has to explicitly turn it on, and when they do, we still ask them, "Do you really want to do this?", and we go back and tell them periodically when we notice that people have made buckets public. So we are trying to help them understand how to do security right in this journey, and there's an education element to it, there is an ongoing monitoring element to it, there is a security best practices element to it. So it's a fascinating area that we still find that customers are needing to be educated on how to do it, but I really think this is where our partners come in, where they can provide the tools, techniques, and even the resources from a management perspective that customers really need and don't have access to.
I think one of the biggest challenges I see in the security side of this business is just lack of talent. So to the point you raised earlier about automation, I think automation is one way to get over that, is that if you can automate a lot of the security monitoring and even remediation, that is one way to get around from having all the right people in the seats, because you just simply cannot find them.
Paul Roberts:
Rohit, is there anything you wanted to say that we didn't give you a chance to say?
Rohit Gupta:
Firstly, thank you for having me. I really appreciated the chat. It's been fantastic talking to you. RSA is a great partner. We are very excited to work with them on the initiatives and especially on the move to AWS, but really, I think the single biggest thing I wanted to leave everyone with is that the cloud represents a new way of doing things, and security is one of those new things we need to go do differently in the cloud, and there is tremendous opportunity to really improve the state of security for applications in the cloud, and I think we believe we have some of the answers, but there's still a lot of work to be done, and so I would encourage everyone to really take a second look at how to do security right, and tell us, because we work backwards from the customer. You tell us what you want, and we will figure out how to make it happen. So we are very much focused on solving the end customer's problem on making sure that they are secure.
Paul Roberts:
Rohit Gupta, thank you so much for coming on and speaking to us on RSA's podcast.
Rohit Gupta:
Thank you very much for having me.
Paul Roberts:
Some interesting insights there from Rohit Gupta, who's the global segment leader for security at Amazon Web Services. It's really interesting, as more and more companies are migrating to platforms like AWS, increasingly, that's where companies like RSA are doing business, and as an example of that, RSA, I know just announced a SaaS version of the RSA Archer suite that's built on top of the AWS platform.
Peter Beardmore:
Yeah, we've been saying for a long time, not only do we help organizations go digital, but we have to go digital ourselves, and it's not just a matter of moving our own infrastructure to the cloud or relying on SaaS applications, as every organization is doing, but actually building our products and services for the cloud, because that's where the data is in this whole theory around data gravity. What better place to go and look at managing integrated business risk than the cloud?
So RSA has actually built a SaaS version of the RSA Archer suite, which is our integrated risk management suite of products that is built on the Amazon platform, and it provides for a lot of choice for organizations in terms of where and how they want to manage integrated risk and compliance and all the various use cases that Archer brings to bear, and how they want to pay for it, because the business models are a little bit different as well.
Paul Roberts:
Right. I think as we heard Rohit say, companies, cloud providers like Amazon, they're focused on what their core competency is, which is managing this huge global cloud infrastructure. It's looking to companies like RSA to bring their expertise to the table, which is around risk and identity and these other areas.
Peter Beardmore:
Absolutely.
Paul Roberts:
With that, with a little tear rolling down my cheek, we come to the end of our first season of Risk Recordings with RSA. Peter, some thoughts?
Peter Beardmore:
I'm still trying to figure out what the cliffhanger should be. Who shot Paul Roberts?
Paul Roberts:
I knew you were going to bring up Who Shot JR? Just day two. It's just day two. There are two of us left. One of us is going to get voted off the island.
Peter Beardmore:
Oh, that's a good idea. That's a good idea.
Paul Roberts:
I have a feeling it's going to be me.
Peter Beardmore:
So it's been a real pleasure to do this season with you, Paul, and hopefully these conversations will lead to longer conversations, more substantive conversations with you, our listeners, and with folks like myself in RSA marketing and our sales organization, as well.
Paul Roberts:
Yeah, I think some of the topics that we've discussed around digital transformation are ones that are going to be continuing to evolve in the months ahead, so there are certainly a lot more opportunities for you and I to get together and talk about.
Peter Beardmore:
Looking forward to it.
Paul Roberts:
Me too.
Season 1 | Episode 4: Cyber-Attack Risk
Listen time: 38 minutes
We discuss the challenges that cyber-attacks are posing to modern organizations, the resulting pressures on security operations and all digital functions, and some of the opportunities emerging from Threat Detection & Response solutions. Guests include Mike Adler, VP of RSA NetWitness Platform and Adam Vincent, CEO of ThreatConnect.
Paul Roberts:
Hey, welcome back. You're listening to Risk Recordings by RSA. I'm Paul Roberts, the editor in chief of The Security Ledger. And I'm here in the studio with...
Peter Beardmore:
Peter Beardmore from RSA.
Paul Roberts:
Peter, great to see you again.
Peter Beardmore:
Good seeing you too. Welcome back from RSA conference.
Paul Roberts:
We're both back. We're both still healthy.
Peter Beardmore:
We're healthy.
Paul Roberts:
I know. It's great. Good show for me. Good show for you?
Peter Beardmore:
I had a great time.
Paul Roberts:
You did a yeoman's work there in the RSA booth. I know. I know, because we are Facebook friends and because I saw you there. So we're talking today, Peter, in episode four, about cyber attack risk. In some ways, I feel like this has been the theme of many of our conversations so far on Risk Recordings, but...
Peter Beardmore:
Yeah, I think if there's one thing that's been clear from our conversations thus far, it's that the risk associated with cyber attacks, thinking of the classical risk formula, probability times impact, is heightened as a result of digital transformation. We're more digitized than we've ever been before. And when stuff goes wrong, the impacts are greater, just because we're more dependent upon it. And the probability is higher, because of the expanded attack surface, because of just more bad stuff out there. Bad guys, more sophisticated, better-funded than they've ever been before. And so it's incumbent upon organizations to protect themselves, to prepare, to respond and to do it in an organized fashion.
Paul Roberts:
So we sat down with a couple experts to talk about how to best address cyber attack risk within an organization. The first of those was Mike Adler, who's the vice president of products for RSA, with NetWitness. And he had some really interesting things to say, I think, about first steps in addressing cyber risk, which as Mike explains, really comes down to understanding your IT environment. What you've got deployed, how it's being used, and who's using it.
Peter Beardmore:
Having the visibility, beginning to understand when bad things are occurring and then formulating, is it important, is it not important, and how to respond to it.
Paul Roberts:
It sounds like pretty much basic blocking and tackling. But I think one of the things that you understand when you get into this is, even then, many organizations still haven't done it or haven't done it to the degree that they need to, to really be prepared for these types of threats.
Peter Beardmore:
Exactly. Well, let's listen to Mike.
Paul Roberts:
Here's Mike Adler.
Mike Adler:
Mike Adler, VP of products for the RSA NetWitness platform. So RSA NetWitness is an evolved SIEM, is a platform of visibility, insight, and action tools that can be used to run your SOC.
Peter Beardmore:
Okay, Mike, let's get right into it. Let's discuss how the RSA NetWitness platform has evolved over the last several years to meet the changing needs of today's modern dynamic digital enterprise.
Mike Adler:
So we've really evolved the platform to really integrate all sources of data so that it looks the same, no matter where it comes from. So if we want a security analyst to be successful performing their job, whether that data is coming from a public cloud operator or a private cloud or a virtual cloud or a physical data center, we want to be able to collect all of these key data areas, these data stacks, and present them in a normalized way. So when you think about the really key pieces of visibility, we want to be able to capture application logs, physical security logs, and all the logs that are necessary, whether they're physical data center logs or the same logs that are coming out of your public cloud provider, present them in a way that they can be correlated and traced.
We want to be able to marry that up, also, with network traffic, and there's no other platform that can easily marry up that log data with actual network sessions, so that you can see not just the breadcrumbs that you see in the log file, but you can actually get to the details of what information has been exchanged. And then we marry that, frankly, with endpoint data, natively stored. Not logs, not something collected third-hand, but actually natively collected endpoint data that can really show you, "Hey, there's a server. It's behaving in a different way. Do we have a problem?" And we can provide that actual level of visibility, correlated all the way down to the bottom. So you can take the breadcrumbs, see what actually happened from a network perspective, and then investigate the actions that are happening on that endpoint or server in one investigative session, all completely correlated. We call that really making that triangle of visibility real and making it efficient to be used.
Paul Roberts:
And these days, I mean, and, Peter, we were talking about this, when you talk about the way that attacks happen and compromises happen on enterprise environments, IT environments, these days. And it's no longer just about your Exchange server blowing up or something like that, right? These are stealthy attacks and they require you, in essence, to correlate data from multiple different sources, and data that might not, in and of itself, be screaming at you that something's going on. It's the aggregation of all that.
Peter Beardmore:
It's the aggregation, but it's also the ability to see the forest for the trees. Understand what is the important data to actually be looking at and understanding.
Paul Roberts:
And as Mike said, it's endpoint through to...
Mike Adler:
All the way through, from endpoint to packet to log becomes critically important. And once you have that great set of visibility, it's also the ability of the platform to help you identify threats, through advanced machine learning and artificial intelligence use cases, where if you have the best set of data, you can have the best set of machine analytics that allows you to help it detect and find threats. At the same time, you want to have the best correlation and rules and pattern-matching so that you can find threats and, frankly, even help the human beings, who are still some of the most advanced threat hunters.
Also be able to use the tool and see through that information to find threats. And so it's really a multi...
Paul Roberts:
Make that job easy.
Mike Adler:
Make that job easy, but it's a multi-faceted approach. Use rules and information-threat intelligence to help you. Use machine learning and advanced analytics techniques to help you, and still arm the security professionals, the expertise that you're paying for in your organization. Make them efficient, make them operators, make them great at their jobs so that they can perform the functions they need to be able to perform efficiently as well. And that's that entire package that needs to happen on top of this great data that's collected.
Paul Roberts:
Right. So we talked about digital transformation and the migration of, basically, data center to cloud. That, for sure, is a trend that's well underway. I'd say the other thing that maybe is a little bit earlier in its evolution though, is just the growth, the explosion of endpoints, and the diversity of endpoints, particularly with connected devices, internet of things. Just as a journalist, at the end of the year, you always get these trends for 2020, and what's going to be a big... And I would say, looking across those that, IoT risk, the people looking and saying, "This movement from an insecure IoT endpoint to more valuable data assets on a network, we're going to see more of that." And I agree with that. I think that's probably accurate. But what do you see, again, out there, as you're talking to RSA security and NetWitness customers on the IoT front?
Mike Adler:
So I think there's really two challenges that we see. The first one is the fact that the number of devices that a human being is using to be effective at their jobs or at home has really doubled, if not tripled. I think all of us now have, I think the average I saw recently was 3.2 devices that we might use to do work. That's kind of crazy when you think about it for just a second.
Paul Roberts:
What's a 0.2 device?
Mike Adler:
I don't know what a 0.2 device is, but I think some of us have multiple mobile devices or multiple laptops. But yeah, this increase in growth, it's not just, you come in, sit down, do your nine to five job at the desktop computer that the company provided for you. And so how do we know it's you that's doing all these things? And so this is where security has to talk to the rest of IT, especially in the identity management and access areas, because being able to correlate and learn from, "Okay, we really have this person authenticating on normal sets of devices in normal locations." We can use that information inside security to decide. It's unlikely that their phone is in the US but their laptop's in China. That feels like an unlikely scenario.
So there's information to be gleaned from identity access that can be used in security. And at the same time, we can reverse that trend and have security tell identity access about users that look like they're inching towards riskier behaviors, and so maybe we want to perform step-up authentications along the way. And so there's some interesting integrations that are there. Not only do we have all these end-user computing devices, but now everything's connected, right? Everything from the light switches and light bulbs in our houses. But even if you think of, in the corporate environment, HVAC systems, light sensors, and energy saving devices. Or even oil rigs. Manufacturing lines. These are now all internet-connected devices that, frankly, need the same level of monitoring.
The threats have become greater, because in this set of devices, the opportunity for a cyber attacker to cause real business harm, imagine shutting down a manufacturing line for 12 hours, or a week or two. In some of our customer bases, that's millions, if not tens of millions, of dollars of business loss. That's real financial impact. Digital risk, introduced by the fact that they've automated all of these manufacturing lines, but they've opened up new digital risk because a cyber attack now can cause them real financial harm.
Paul Roberts:
That's right.
Mike Adler:
And that's where the real challenge is now. Driving this new capability has been hugely efficient and creates great business opportunity, and at the same time introduces new cyber risk that has to be addressed within the enterprise as well.
Paul Roberts:
And my sense is often that there's, not an awareness at the customer level of saying, "Well, ransomware is a problem, but there's no ransomware for our SCADA or ICS system. These are all for... But not maybe not realizing like, "Well, yeah, but your SCADA systems are now managed by a Windows server."
Mike Adler:
By a Windows PC. Or a controller. Or maybe it's ransomware that's not even something that's typical Windows ransomware as we think about it, as consumers, but simply a device that simply takes control of the SCADA controller, and says, "I'm locking this down until you pay me a hundred million in Bitcoin." If you've taken down the SCADA controller for the oil refinery, that might be a hundred million in Bitcoin.
Paul Roberts:
That's right. That's right. Or the example I like to use with the NotPetya infection. Just the ripple effects of that, so you have a company like Maersk that can't ship equipment over the world, and all of a sudden you've actually disrupted indirectly thousands of industries.
Mike Adler:
Companies don't even think about it. But the newest thing that we've seen, most recently, is the idea of brand risk that's introduced by cyber attack.
Paul Roberts:
Interesting.
Mike Adler:
An organization has a malware or ransomware that gets into the organization, and not only are they encrypting the files and locking you out, but they're also copying them out as they're making that process. And so now, depending on the particular PC that's been hit, do they have customer data? Do they have customer-identifying information? Are there data plans or things that they can launch on the web and create tremendous brand risk, if they can put 100,000 customers out and their personal contact information. Yes, okay, maybe it's not financial harm, but that's tremendous brand risk that is being exposed due to ransomware, and due to this increased cyber attack economy that exists in the marketplace today.
Paul Roberts:
Yeah. There's always been this willful ignorance of like, "Well, ransomware. They're just encrypting the data and holding it hostage. They're not stealing it. It's not leaving our network. It's just encrypted and we can't get access to it." And it's like, well, you hope that that's all they're doing.
Mike Adler:
You hope that's all they had. And you're hoping they didn't take a copy, but if it's running and it's encrypted...
Paul Roberts:
It's on your system.
Mike Adler:
It's on your system. Do you know, from a network point of view, that nothing left the building? If you have a network monitor, you can actually understand exactly what your risk is, because you can see the files that left the building and make an intelligent decision, even a risk-based decision, about, "Well, here's what we know happened. Here's the information that left the building. Listen, I'm not saying you should or shouldn't pay, but at least now you have information to make a good business decision."
Paul Roberts:
Right. So, I mean, you mentioned artificial intelligence, machine learning. Those two terms get thrown around a lot, but obviously NetWitness has always been at the cutting edge in terms of threat identification, malicious behavior identification. How do you see, let's just say, call it machine learning, being applied now to security, both in NetWitness and more broadly in this sort of risk identification area?
Mike Adler:
So machine learning, really, if you think about having the best information, it's one of the things I think NetWitness excels at, is we have the best data stacks on which to run machine learning algorithms in the marketplace, because we can combine network in its raw form, logs in their raw form, and even endpoint in its raw form, and be able to correlate the two and extract metadata, which presents a really nice layer for us to do machine learning on, because we can understand past behavior at a meta level and then be able to design some great machine learning. And so I think that's one of our real benefits there, but machine learning really helps find what I call the needle in the needle stack, which is you're looking at a pile of 1,000 needles or 10,000 needles or 100,000 needles. And somehow we're supposed to find the one that's just a little bit longer or a little bit shorter or just a little different.
And that's where machine learning really excels, is it can find the anomalies in what should be considered normal. We can now instantly spot, "That one's just a little different," in a way that a human would never be able to do that. The computer doesn't get tired. It doesn't have to think about it, but it can spot these abnormal pieces. And that's where the analytics have really come in, is that as we identify patterns, we can build really good machine learning techniques and there's a broad range and we're still in the early days of building true effective data models that can learn normal, since my normal and your normal are probably two really different things.
Paul Roberts:
That's for sure.
Mike Adler:
What's normal for you, what's normal for me, what's normal for our organization, and creating the tuned models based on learning that's partially trained, or... And then can be unsupervised at a customer site. And so it's just really early days as those models develop. I think there's more to be done here, but the way that we will get to that experience is by running these data models and getting feedback from security analysts and figuring out as we tune those things out into, these are the kinds of things we want to see. These are the kinds of things that, yes, they're exceptions and they look weird because humans are always doing abnormal things. But these are the ones that are security risks and these are the ones that aren't. It's going to be a journey, but it's one that I think customers need to be investing in now, because until they... The use of these techniques are very new and they change the way that you find threats in the organization.
And so organizations need to be investing in tools now that do analytics, like NetWitness UEBA, which does a lot of modeling on user behavior and endpoint behavior, so that they can start seeing the results of those things in their environment and start figuring out what data sources maybe they need to add to the analytical model to help it better prioritize. And then how they're going to react to those threats that are found not just by a human, but now by the machine signifying, "Hey, there's this anomalous thread that's running through this pattern of data. We suggest you take a look." And then how are they going to orchestrate the investigation of that threat? All of this is places where companies need to be investing now, into these areas.
Paul Roberts:
Mike, is there anything that you wanted to say that we didn't give you a chance to say?
Mike Adler:
Well, I always like to tell customers that, at the end of the day, the RSA NetWitness platform is going to be there for them as they make their digital transformation journey. We're going to help you normalize your SOC experience that can expand into public cloud, multiple public cloud providers, SaaS providers, Office 365, Salesforce. We can bring all of that data together into your SOC, and make it normally approachable for security analysts to be able to find threats in your environment. And it doesn't matter where they occur. And I think if customers can get that from our RSA NetWitness, or find other tools that do it, at the end of the day, I think that's the thing that makes a successful SOC, is one that can bring the greatest visibility to the environment and help them find threats and be successful.
Paul Roberts:
Mike Adler, thank you so much for coming and speaking to us.
Mike Adler:
Thanks for having me.
Paul Roberts:
So we were hearing there from Mike Adler, who's the vice president of products for the RSA NetWitness platform. Mike had some really interesting things to say, I think, about, again, the challenge of visibility within large and complex organizations and the need to really understand your IT environment in order to secure it.
Peter Beardmore:
And the ability to detect bad things amongst a broad swath of data.
Paul Roberts:
That's right. That's right.
Peter Beardmore:
Finding that needle in a stack of needles.
Paul Roberts:
That's right. That's right. Such huge changes in the way that companies consume and use technology, and they definitely are introducing new risks. Our next guest is Adam Vincent, who's the CEO of ThreatConnect, and ThreatConnect is an RSA partner. Talk a little bit about that, Peter.
Peter Beardmore:
Yeah. So fairly recently, RSA announced a partnership with ThreatConnect. It was a company that focuses on security orchestration and automation. And so we have actually taken ThreatConnect technology and imported that, or integrated it, into the RSA NetWitness platform, where it is now effectively functioning as RSA NetWitness Orchestrator, the SOAR capabilities of RSA NetWitness.
Obviously, Adam has a great deal of expertise in that space in particular, and, I think, has some interesting things to talk about, in particular around the need for security operations centers to automate as much as they can when it comes to responding to cyber attacks.
Paul Roberts:
So SOAR is really security, orchestration, automation, and response, is really, I think, what a lot of organizations are looking at now, in terms of tools to address sophisticated cyber threats, right? And maybe 10 years ago, 15 years ago, it's mostly about detect and block. Now it's more of a full lifecycle focus. Detection and blocking, sure, but also for those threats that do penetrate your organization, how do you resolve those incidents and what tools are available to help you do that?
Peter Beardmore:
Yeah, it's a need to resolve incidents as quickly and as efficiently as possible. And when it comes to actual declared incidents, major penetrations, the ability to do it as thoroughly as possible, and in concert with the rest of your organization, because as we both know in the event of a real security breach, it's not just the security operation center that needs to respond. Although those resources are obviously very critical, it can very quickly become an organizational level event and requires coordination across the organization, to include segments of the organization that are not necessarily well-integrated with the data systems and the processes of your security operations center. So needing to balance your broader business information management capabilities with what's actually happening, from a security standpoint.
Paul Roberts:
And we've seen this in many of the high profile incidents that have made headlines, whether it's Marriott Hotels and Starwood, where there was a breach. They thought they'd cleaned it up, and then years later it turns out, well, actually, no. Office of Personnel Management and US Government. Same thing. Breach. Thought they had it under control. And then months, years later, after it spread much more widely, become much more costly, realize, "Oh, actually, we didn't actually have it under control. Thought we did. We didn't." So this is a common theme, particularly in some of these really large and long lived, long lived security breaches, where there's a detection early on, an effort to respond to that, that isn't complete enough. And it comes back and bites you.
Well, let's listen to Adam Vincent.
Adam Vincent:
My name is Adam Vincent. And I'm the CEO of ThreatConnect. ThreatConnect is an intelligence-driven security operations platform. Started the company in 2011 with a mission to help security people do their jobs more effectively.
Paul Roberts:
And what types of services does that entail?
Adam Vincent:
So when we started the company, the idea behind ThreatConnect was to create a technology platform that could allow security organizations to do what they did more quickly and with more confidence. And so we leverage a lot of intelligence and the ability to make data more meaningful and the decision making across the security team. But we're not just supporting people with that data. We also are allowing security processes to be automated and for people to use that data as part of their workflows. And so that knowledge that we're bringing into ThreatConnect from across the security organization is ultimately speeding up a variety of different security processes.
Paul Roberts:
Great. So obviously in, as I'm sure Peter explained, this podcast series, we've been talking about digital transformation and digital risk. How some of the digital transformation initiatives that are taking hold in enterprises engender digital risk, and how organizations, RSA included, are helping companies to deal with that. So I thought maybe a good place to start with you would be to talk about that idea of digital transformation and thinking about ThreatConnect's customer base. What does that really mean for them, and what types of initiatives are bringing them to ThreatConnect's doorstep? What type of problems and concerns are bringing them to your doorstep?
Adam Vincent:
Yeah, so the problem statement of innovation across the business, in particular technology innovation, is the reason I started ThreatConnect. Going back to the 2009, 2010 timeframe, I was working on a variety of projects that were all about how to integrate all the various business systems across an organization and the concept of web services and service-oriented architecture and cloud computing were all primary elements in that transformation that was happening. But what I found was that, while the business was becoming more dynamic and obviously moving at light speed with respect to addressing technology to support the business, security was really lagging behind. And we were doing security the way that we were doing it many years before that, and it needed to be innovated upon itself in order to keep up with the pace of the business.
Paul Roberts:
I mean, this is all really about increasing the efficacy rate of your security operation and your security tools. Give me a use case... Give me an example of the type of... Whether it's a malicious attack or merely just risk reduction. Like, how some of your customers are actually using technology.
Adam Vincent:
Yeah. I'll give you two different examples. One would be alert triage, and gathering all of the alerts coming in off the SIEM or the various products that are collecting logs and correlating those logs against known issues that they know to be looking for. In that regard, many organizations, historically, would have people doing that triage process. Hundreds of alerts a day, being dug through by hand. A lot of ancillary data needing to be gathered in order to determine whether the alert is actually posing a risk to the organization. And even when they were doing that successfully, generally, those organizations were still working in silos. Their West Coast data center and their Asia-Pac data center were actually looking at very similar alerts, and they weren't able to share what they were working on fast enough to really bring the bar up for the entire organization.
And so we can automate that process, where all those alerts come into ThreatConnect. They're all analyzed, given the body of knowledge that's already in ThreatConnect from all the previous alerts and response activities across the organization, as well as all the third-party threat intelligence that that organization may be bringing into their decision-making process. And what we'll do is we'll automate the process of triaging those alerts, and then we'll promote just the ones that we view as a high priority to the security organization that needs human review. And depending on what day of the week it is, depending on what kinds of professionals there are that are on call that day, we may make different decisions in terms of what the priority is. Based on the risk that that particular alert could pose to the organization.
Paul Roberts:
Adam, we're also operating in an environment where not only is there more pressure on the SOC and security leadership, but there's also a lot more attention coming from corporate leadership, driven by, among other things, a lot more regulatory attention. How do you see that environment changing, both in the boardroom and with respect to that leadership-security relationship?
Adam Vincent:
So I definitely agree with you that regulation is coming down, and that is forcing everyone to really look at what they're doing. I also think that when I first got into security, there was compliance-based requirements, but there wasn't really a reality check with whether those compliance requirements met up with the real-time threat. And that was why I wanted to start this company. So I think what's changing is that security is being looked at more like a part of the business. In the larger organizations, especially, they're rethinking that status quo, where security was the folks that just kept everything humming behind the curtain. And there was... There's a lot more focus now on looking at security from the perspective of the business and with that, many of our customers are presenting regularly to the board of directors. And the board of directors is asking them hard questions about brand and losses, not only through fraud, which I think was something that everybody was used to talking about, but what are losses related to identity theft and rogue administrators and things like that.
And what I really appreciate is that security is following in the footsteps of other parts of the business. IT, 10-plus years ago, was more of the wild wild West. And today it's very much a core part of the way the business is managed and the people that are doing IT are, in fact, looking at metrics and objectives and business planning kinds of efforts. Security organizations are starting to do that. CISOs are starting to be less of the hacker mindset of, "I'm keeping the bad guys out," and much more business-focused, of, "Here are the requirements that I'm working on. Here's the budgets associated with them, and here are the results that I'm producing for that investment." And I think the vocabulary is changing within the organizations that I'm talking to, and I think we still have a while to go before we're going to have every CISO being able to sit on the executive team's table or at the executive team's table. But I do see them realizing that the job is changing, and in order for them to keep pace, they have to change the way that they communicate.
Peter Beardmore:
Adam, Paul and I talked very briefly about this earlier, but I think you can probably do it better justice than I can. Tell us briefly about your relationship with RSA, and how ThreatConnect and RSA are going to market together to better serve our mutual customers.
Adam Vincent:
So ThreatConnect was chosen to replace the incumbent solution. That was the product underneath something called the NetWitness Orchestrator product. And we are providing both the really powerful capabilities of all of the intelligence-based capabilities that ThreatConnect is well known for, and also our orchestration, automation and response, or our SOAR capabilities, all in one product. And this aligns super-well into the RSA ecosystem, because RSA is based on a concept of using data and analytics to promote a better security platform. And although today, I think we're really focused on NetWitness and going out and talking to NetWitness customers, we're seeing a huge uptick in conversations from Archer, and the ability to really integrate into the GRC and the risk world, so that real-time SOC decisions can start to be made off of the information that's stored in Archer.
Identity, I mentioned earlier, I think is a huge part of building a more advanced security operations capability. The ability to prioritize response, or protection based on what is going on on the human front is just going to be the next frontier for many security organizations. And with our integration into the RSA identity ecosystem, we're going to be able to do a lot of really exciting things there. And although I don't think there's a lot of use cases for fraud today within the ThreatConnect customer base, I am excited about what that world knows about quantitative measurement of efficacy. And I ultimately do think where we're going to be going as a security industry, on the security operations side, is going to learn a lot from looking at how fraud supported the business before it.
Paul Roberts:
Adam, are there any other questions or anything you wanted to say that we didn't give you a chance to say?
Adam Vincent:
The security world is changing. We, as a security industry, need to allow our products to work more easily together. And because of that need, there's new technologies on the scene: security, orchestration, automation, and response, our solution being the NetWitness Orchestrator, OEM'd by RSA. And our goal is to streamline those processes across the security organization and allow the team to work more effectively. And if we do that, we can save the organization money. And in addition to that, we can also start to bring together the data that allows us to describe what value we're producing across the security industry, or within the security organization at the organization that we're selling to. I know that was probably not well-worded, but...
Paul Roberts:
Worded better than I could have said it. Adam Vincent, CEO of ThreatConnect. Thank you for joining us on Risk Recordings with RSA. It was a real pleasure having you here.
Adam Vincent:
Yeah. Thank you, guys. So it was great meeting you and let me know if you need anything in the future.
Paul Roberts:
Some really interesting observations there from Adam Vincent. He's the CEO of ThreatConnect. I don't know about you, Peter. I mean, I think one of the interesting things that Adam raised was, really the growing need for tighter integration, really, between security operations and the rest of your IT organization, right? That security is no longer this island within your IT group, but that there needs to be tremendous amount of coordination and hand-off between those two functions.
Peter Beardmore:
It cannot operate as a silo anymore, for a few different reasons. Principally, security operations does not have an unlimited budget and unlimited resources, and, therefore, they must be able to prioritize a very long list of work that's never going to get finished. And the best way to do that is by understanding the business value of assets and the business value of different things that are happening in the organization, so that as you see potential threats coming in, that calculus can be part of the prioritization of work. So that's part number one.
Part number two is, is that the rest of the business needs to have insight and understanding as to the ongoing threats to the organization and, in the event of a cyber incident, what needs to be done to respond. So things can be done in a coordinated fashion, rather than a haphazard fashion, which is usually what gets organizations into the most trouble, post-breach. So RSA has really focused on helping organizations to connect the security operations function with the integrated risk management function of the organization, so that both hands know what the other is doing, so to speak. And, therefore, both are able to run more efficiently in concert with the needs of the organization, the value of different functions in the organization, and the ongoing digital risks and cyber threats to the organization.
Paul Roberts:
Right. Right. And we really see this, I think, increasingly, with the focus on IT security and IT risk that really goes up to the boardroom level. That these are becoming issues that are monitored and tracked at the very highest levels of an organization.
Peter Beardmore:
And I think we might've discussed this briefly in episode one, where boards are asking questions that, traditionally, your technical folks in your security operations, or IT functions in organizations, really struggle to answer, because they just don't have that business value perspective.
Paul Roberts:
What's our exposure to this vulnerability? What's the downside risk for us? What are our plans for addressing this new malware that's circulating? Or are we being targeted by this particular actor?
Peter Beardmore:
Some of those things, in fact, are easier for somebody in a security function to answer than what is the actual financial risk to the organization in the event X, Y, or Z happens. Or when we're looking at indicators of X, Y, or Z happening, what is the actual risk to the business? That's where a lot of the challenges are being born and where RSA is focused on helping organizations, not only to answer those questions, but ultimately operate more efficiently and effectively as an organization, in running both business operations and security operations together.
Paul Roberts:
Really good points there, Peter Beardmore, and alas, I think that brings us to the end of our latest episode of Risk Recordings with RSA. We've got one more episode coming up, our fifth in this first season, and we're going to be focusing in that episode, Peter, on...
Peter Beardmore:
Cloud transformation risk.
Paul Roberts:
On cloud transformation risk. A weighty topic.
Peter Beardmore:
Looking forward to that discussion.
Paul Roberts:
As am I, and you can check us out in that episode, coming up soon.
Peter Beardmore:
All right. Thanks, Paul.
Season 1 | Episode 3: Third-Party Risk
Listen time: 31 minutes
Peter and Paul discuss the growing challenges of third-party risk (and some strategy and innovations) with David Walter, Senior Vice-President of RSA Archer Suite, and Eric Blatte, President and Co-Founder of Risk Recon.
Season 1 | Episode 3: Third-Party Risk
Paul Roberts:
Welcome back. This is episode three of RSA Risk Recordings. I'm your host, Paul Roberts, I'm the editor in chief of the Security Ledger.
Peter Beardmore:
And I'm Peter Beardmore, from RSA. And episode three is going to focus on third party risk.
Paul Roberts:
So, I mean, third party risk is really a topic that, certainly as a security journalist, I'm writing about a lot more now, certainly than I was five or 10 years ago. Part of that is that there are many more providers of third party risk services, there are more companies doing this, startups and so on, but part of it is, and I guess maybe one of the reasons there are more companies in this space right now, is the problem is a lot bigger and a lot more acute. And I think you saw it certainly going back a few years, whether it was the Target breach that happened through an HVAC contractor or any of the many breaches that you read about, that trace back to cloud services providers, application providers, third party marketing providers, what have you, this is just a problem that I think a lot of companies have woken up to, is one that really not only impacts them from a compliance and regulatory standpoint, depending on what industry they're in, but really from a reputational, business risk and even in some cases, operational capacity as well.
Peter Beardmore:
Yeah. I think, it's been the sleeping giant in a lot of organizations because we've considered that it's been taken care of, largely by our GRC function in our organizations because it was a compliance thing, right? The compliance function ensured that we had paper on our big partners, on our pacing partners, if you will and we updated that paperwork when it needed to be updated, to stay in compliance with whatever mandate we were obligated to, we were ready for our audits and we got on with our day.
It wasn't probably until Target, something that was considered an IT risk or a digital transformation related risk and something that not just GRC functions and organizations needed to be aware of, but we needed to cross past that silo and start involving IT and the business functions and really understanding in particular, where our data is going, who's responsible for it, what's being done to protect it. Fast forward 10 years, we now have lots of new mandates and new compliance regimes that we're responsible for.
Paul Roberts:
GDPR, CCPA.
Peter Beardmore:
Right. So we need to know-
Paul Roberts:
And those old mandates didn't go away, HIPAA, Sarbanes Oxley.
Peter Beardmore:
Certainly not. Certainly not. And they've evolved as well, to account for data privacy sorts of issues. If anything, it's more complex just from a monitoring and reporting standpoint. So that has certainly evolved as well. But it's no longer something that can be handled by somebody with an eye on just governance, risk and compliance and the process of GRC. It's something that now crosses into the technical domains of IT and the strategy of security and it's a shared responsibility across the organization and it's something that senior leadership is acutely aware of now, if for no other reason than the headlines that we've already referred to.
Paul Roberts:
Right. So to get our heads straight on all this, these are complex issues, we had Dave Walter, who's the vice president for the RSA Archer product, into the risk recording studios, to talk about this and talk about how he sees the third party risk landscape right now and some of the innovations going on, both within RSA and within the industry, generally around third party risk monitoring.
Peter Beardmore:
Let's talk to David.
Paul Roberts:
All right.
David Walter:
David Walter, vice president of products for RSA Archer and RSA Cloud Transformation.
Paul Roberts:
David, welcome to this RSA podcast.
David Walter:
Thank you. Great to be here, Paul.
Paul Roberts:
Okay. So David, for folks who are not familiar with it, could you explain just a little bit about the RSA Archer product and what it does?
David Walter:
Sure. RSA Archer is an integrated risk management platform, whose purpose is to help companies identify and manage risk across their organization.
Paul Roberts:
That was very brief.
David Walter:
It's so simple, it's that brief, it's that easy.
Paul Roberts:
Yeah. And talk about, I guess, if we could just take a second and talk about your history with RSA and also, I guess, maybe a little bit of your origin story as it were, if you were a superhero, if you were a comic book character, what your background is.
David Walter:
Yeah, sure. I have been around the product actually for 15 years now and I started as a customer. I acquired RSA Archer for helping me manage Sarbanes Oxley compliance at the Washington Post companies back in 2005. And had the fortune to be able to implement it and then a few months later joined the company. So it's one of those, if you like it so much, you can join forces and I've been with it ever since.
Paul Roberts:
That's fantastic. And I mean, I think that story is indicative, which is RSA Archer has been around, is a product that has, it's been around for a while and evolved to meet the challenges of the time. And you mentioned Sarbanes Oxley, 10 or 15 years ago, the focus in the information security community was very much about compliance, whether that was SARBOX or PCI, or what have you. Talk about how the product has changed or evolved to, with the cyber security landscape and with the threats and risks that organizations are facing.
David Walter:
Yeah, sure. I think many people know, let's talk about the market, I guess, overall, I think the market has changed quite a bit over the last 15 years that I've been involved. Definitely, as you mentioned, Paul, at the beginning, it was much more compliance focused, and companies were acquiring technologies like RSA Archer for helping them understand potential regulatory findings and how to manage that process and how to deal with that, especially as their regulatory landscape increased over time. As that continued, companies saw the value of the data that was being collected within a tool like RSA Archer, as well as the ever expanding risk landscape that they were facing in the changing risk landscape that they were facing. And so therefore they started to mine that data and leverage that, not just for compliance sake, but for more risk management sake and risk intelligence, if you will, more broadly.
And so in the market you'll hear, and we're not here to debate it, I don't think, but there's a debate if you will, or a thought process of the market changing from GRC to IRM governance, risk and compliance, to integrated risk management. And I would like to think that that goes along with the story of changing the focus for more of a compliance leveraged term, to a more of a risk view, if you will.
Paul Roberts:
I mean, one of the things that seems to be part and parcel of digital transformation, is an increased reliance on third parties, whether those are just SaaS providers or gig economy workers, or contractors, what have you, obviously, platform providers as well, Amazon web services, Microsoft, Azure, Google, and others. So the third party risk is another one of those issues, another one of those questions that's seemingly been around for a long time. It's not a new thing that companies are interested in or monitoring the security of their providers and partners and contractors, but it's really evolving pretty quickly and I think the sense of urgency around it is evolving quickly. Talk just a little bit about that and again, how Archer is adapting to address some of the concerns around third party risks, that you hear out there on your customer base.
David Walter:
Yeah. I think you made a key point in that third party does get talked a lot right now, but it's not a new problem, right? It's been around for a long time, mainly because of compliance reasons. And the regulators thought it was very important for largely the financial services organizations in the world, to understand who is doing their payment processing and where is their data going about their customers and things like that. And so RSA Archer has been in the third party business since 2007, when funny little story, one day at lunch at our annual user conference in Orlando, Florida, three customers surrounded me and basically tackled me and said, "David, we need an RSA Archer solution for third party risk and so we're going to work with you and develop that." So within five months, I think it was, that solution became on the market.
So it was a burning need and it was largely driven around a cost efficiency play, actually at the time, each of these three companies had large departments of 50 plus assessors that were going out manually and asking their vendors questions and getting assessment results back and doing audits against those. And there's the whole process of trying to get the answers and get that information back in Excel and review it and validate it and blah, blah, blah, blah, blah. And it took forever for these companies-
Paul Roberts:
These are basically phone surveys or questionnaires-
David Walter:
Or Excel based or what have you, right? And just very inefficient and not really value add because these were largely self assessments by the vendors and sometimes validated by the companies themselves. And so that was fine because it checked the box, right? Now, move forward to today and the name of the game for organizations is to really focus on your core competency and that's it, right? And where are you going to differentiate yourself in the market and everything else around that is just context, if you will, and not really core. And so how are we going to minimize the cost or exposure of our context with an organization that our customers are really not paying for us to be good at? And so that concept is being leveraged a lot, i.e., infrastructure is a great example of that. No one's paying RSA to be good in infrastructure, so we might as well use the SaaS and public cloud platforms and things like that, so we can differentiate on product innovation for example, and focus on that instead.
So you're seeing a large use of third parties now across the whole chain of business processes within organizations, to better focus on what matters most, that then therefore introduces obviously a whole lot of risk. And this is way beyond compliance at this point, this is just about how are we going to stay in business? How are we going to be resilient organizations? How are we going to deliver to customers the service levels that we want to? How are we going to, FinTech is a great example, large, large banks are relying on basically startups in the FinTech world to develop algorithms and AI and risk models for them. And a small company may not have the same scale and process and an ability to operate as these large banks that are relying on them and so the banks are then therefore having to understand that and do something about it. And so that third process, third party risk management process has to change and that's what we're seeing today.
Paul Roberts:
Yeah. I think one of the problems out there that has really highlighted this is the ransomware epidemic, right? Because it's hard to hide it if you're hit and it's hard to sweep it under the rug. I think there was some ransomware outbreak that hit an EMR/EHR, electronic health record vendor in Wisconsin, that had a density of customers who were like a dentist's office. And it was something like two thirds of the dentists' offices in Wisconsin were offline and closed because of this ransomware outbreak. I mean, it was just, this vendor had mopped up a huge part of the business in that state and this one third party incident pretty much brought that all to a halt. I mean, it was astounding.
David Walter:
Yeah. I think a lot of organizations today are talking about resilience, right? That's a word I hear more and more, and that's related to third party management, but business resilience overall, obviously it gets harder if you don't control it yourself. I think the other big thing I see, alongside ransomware, is privacy, right? So we as a society, are trying to wrestle with what level of privacy are we comfortable with, I think we're quickly as consumers understanding that the companies that we rely on to keep ourselves private and our data secure, don't necessarily have all that data, right? It's being shipped off to someone else and then to someone else, and fourth parties and fifth parties and sixth parties. And so that picture, it's very easy to say that we all want privacy, but when you look at actually what's going on and what organizations have done with our data as consumers, is really to maximize scale and efficiency and actual productivity, they've shared that data with others and so the impact of that becomes very important too.
Paul Roberts:
And if you were to distinguish what it looks like today versus 10 years ago, when maybe you had a spreadsheet of, do you have a firewall? Yes. Are you using desktop antivirus? Yes. And it was this checklist, as you said. What are the types of things that RSA Archer and its partners are doing now to assess third party risk?
David Walter:
Yeah. I think we're doing a couple things. So number one, this past year, in 2019, we released alongside a partner of ours, Risk Recon, a use case called third party security risk monitoring, which is really focused around the security risk aspect of our third parties and actually automatically going out into the internet and looking at internet facing properties that this vendor has and understanding a lot. We can tell a lot from that and understand the risks, like the ones you were just bringing up, firewall exposure, access controls-
Paul Roberts:
And patch systems. Yes. Right.
David Walter:
Yeah. And get that information automatically. And that just makes sense, right? If we can automate that, it will make the process more efficient, it will be more accurate and all that and we can bring that information back into RSA Archer so that we can look at those findings alongside the assessments that we've been doing for years and years, and years and years in this industry. So that's good, that helps us with a little bit of the automation and efficiency here and accuracy. Going forward this year, in the first half of this year, we're really excited because we're bringing out something called vendor portal and vendor portal capabilities will be to completely change the game of that assessment process. Right now, it's all on the companies and the vendors to try to follow up and secure the answers and get all that focus. The vendors get really, really fatigued by all these questionnaires and assessments that they have to fill out and they're all basically the same and they have to manage it all and all that.
So it's just a lot of process that's on both sides of the equation here. We're going to eliminate that by having a vendor portal, which is SaaS based, cloud built, which is for the vendors themselves. So it's not our RSA Archer customers we're building this for, it's for their vendors community. And if you will, a customer has a vendor that they want to sign up, they'll actually just say what that vendor is and the main contact and email goes out. They can get access to this new portal, they can fill out whatever questionnaire that the customer wants, they can delegate questions in their organization, they can understand status and all that across all the customers that they have in this portal that they're trying to answer questionnaires for and all that. And if a question is the same as another customer of theirs question, the system will actually already automatically know that and pick that up, so you only have to answer that once. And basically the vendors then, will be building up a library of answers that they can monitor and manage over time themselves and then the customer's information gets automatically updated.
Paul Roberts:
Yeah. There's a tremendous amount of repetitive work historically, in these types of assessments.
David Walter:
But then the final step is bringing those two sides together, the security risk monitoring and the questionnaire part and this is where we really want to take this industry going forward, because right now the assessments are very static and the monitoring is very static and happens at points of time and it's basically the same things that you're looking at. But what if the questionnaire could inform the monitoring and what if the monitoring can inform the questionnaire? So for example, if a monitoring happens using the Risk Recon and security risk monitoring use case, goes out and sees, hey, this is something that's critical you've told us, and it doesn't have two factor authentication and it probably should, so the risk is higher.
So then automatically within RSA Archer, that would trigger a request out to the vendor portal to make that a high priority item for the vendor to go respond to and say, "Hey, did you ..." and in a lot of cases, we're finding the vendors don't even know about this yet because it's some shadow IT program or some new business operation within their own organization and so we're actually seeing this as a value for the vendors when they're not even our customers and for RSA Archer. And then the flip side is true as well, if we see a questionnaire and we get that answered back, and we see for example, a two factor authentication, they admit that they don't have that or have that, we can actually check that and validate that for a more accurate result by sending out a risk monitoring capability and bringing that information back, contextualize it and calibrate it together to get a true view of actually what's going on.
Paul Roberts:
David Walter, thank you so much for coming on and speaking to us on this RSA podcast.
David Walter:
Thank you, Paul.
Paul Roberts:
Just as we've seen third party risks grow, we've seen a lot of new entrants into the risk monitoring space in the last 10 years or so. And these are companies that really have developed some really interesting new tools and platforms for doing, I guess, what you'd call continuous monitoring of organizations. So I guess at the most basic level, it's taking a hacker's-eye view on an organization. What do you look like from the outside? What exposures do you have, whether it's a misconfigured web server, or an open port, Telnet port that might be exploitable, that speaks to your risk, just like the store that has the broken window in the basement-
Peter Beardmore:
It speaks to your hygiene, speaks to your ability to show what you claim to your partners and customers, when it comes to stewardship of their data and their assets. And so, the traditional view of third party risks that we talked about earlier, the survey driven information, more static information, we really want to be able to overlay that with continuous monitoring, show me what you're doing. Do I have the ability to actually see that you're maintaining a level of security and stewardship of my assets that you claim, and then layer on top of that ideally, if you're using a sophisticated system like RSA Archer suite, threat intelligence as well, that you can bring all of that information to bear and make very informed, well calculated risk decisions that you can act on, on a continuous basis if you need to. And so we interviewed Eric Blatt, who is president and co-founder of Risk Recon, an RSA partner that works very closely with the RSA Archer suite, for a conversation about third party risk monitoring.
Paul Roberts:
Let's hear what Eric has to say.
Eric Blatt:
This is Eric Blatt, I am the president and co-founder of Risk Recon.
Paul Roberts:
Eric, welcome to this RSA podcast.
Eric Blatt:
Thanks for having us.
Paul Roberts:
Probably a good place to start, Eric, would be for you to give us a, for the people who are listening who may not be familiar with Risk Recon, their technology, just give us a rundown of who Risk Recon is and what you guys do.
Eric Blatt:
Sure. Yeah. Again, thanks for having me in the company today. So we are focused in the third party risk management space, in particular in the cyber portion of third party risk management. And essentially our goal as a technology company is to enable our customers to, as quickly as possible and as effectively as possible, understand and act on their third party cyber risk. And what that means in practice is we have automated solutions that can obtain the security information of any organization in the world, without requiring that organization or our customer to provide us any information.
We have an outside in view, we look at all of their internet infrastructure, we evaluate the actual security and IT configurations that they've implemented on their infrastructure, and we continuously monitor them so that you can understand how that organization has actually implemented security. And then you can integrate that with the other information you may have obtained through questionnaires and attestation data, to get a much more comprehensive view of their actual third party risk management practices and where there may be gaps relative to your expectations.
Paul Roberts:
So this is a growing area of interest and need, certainly within the business community enterprise space, for this risk monitoring. Talk about practically, what risk monitoring entails.
Eric Blatt:
Yeah, sure. It does mean different things to different people, so it's a really good question. I would put it this way. Organizations are in different stages of maturity in terms of their third party risk management programs, so to answer your question, I think you want to think about the different places people may be in their programs. So we have some organizations that have very new programs or programs that are just starting most recently and for them, what monitoring does is it gives them baseline. So imagine that you have a new program and there may be hundreds or thousands or tens of thousands of suppliers that you have very little information on yet because your program's new, a monitoring tool like ours can very quickly evaluate the security practices of every one of those organizations and let you essentially get a baseline or a diagnostic to see on a stack rank basis, who's doing well, who's not doing well and where you may want to begin additional assessment work.
We have clients that have more mature programs that already have a questionnaire process, an attestation process where they're gathering information from their suppliers and where a solution like ours can be effective there, is one to help validate the information. So the questionnaire tells you what the supplier says they're doing and the monitoring tool provided by Risk Recon can enable you to validate what's actually happening in practice. And the other way monitoring can be used in that matured program, is to supplement it with continuous monitoring because of course, when you're doing a questionnaire, that's maybe once a year, maybe even less frequently than that and you can fill those gaps with continuous monitoring to identify if there have been changes, material changes in that vendor's performance in between the annual assessments.
And then for more advanced programs or very mature programs, we have clients that use us to also enable rapid responses. So if there's a new internet vulnerability that emerges that's critical, using our tool to instantly identify for example, where across your entire supply chain, there may be suppliers and specific systems at that supplier, that have vulnerabilities that you want to update very quickly so they're not exploited by that new issue that's been uncovered. So long winded answer to your question, but monitoring is used in different ways, depending on the client's program and the maturity of that program.
Paul Roberts:
When we talk about the changes that are relevant to a company's risk posture, obviously we think of things like vulnerable software running on public facing systems, whether those are web servers, web applications, those types of things, but what other types of stuff do you guys look at and what other red flags are out there for companies like Risk Recon that do third party risk monitoring?
Eric Blatt:
Well, you certainly brought up a very critical one because in our experience just basic software and IT hygiene, much like you just mentioned, software patching and so forth, it is probably one of the most critical areas that can be exploited, so it's certainly a very important piece. And we do look at about 40 to 50 measurements, so software patching is one, but we also look at a broader set of measurements. How are they implementing security on their email systems, which could be spoofed, if they're not protected properly, to fool you into believing you're getting a message from the supplier. We look at the way they've enabled their content management systems and their application servers, so that not just software vulnerabilities, but perhaps poor implementation of encryption or other security measures, are done in a way that leaves you exposed.
So it's actually the same set of metrics that an organization looks at when they're evaluating their own internal security practices, that we try and map to and then we layer in threat intelligence as well. So there are some great providers of real time information about potential stolen information or communication with botnets and so forth and that's just another type of security threat that might be very interesting to a third party risk person.
Paul Roberts:
Eric, thank you so much for coming on and speaking to us on this RSA podcast, and it's really great hearing from you and getting caught up on what's going on with Risk Recon.
Eric Blatt:
Yeah. Thanks guys. Really appreciate you having us and looking forward to the show coming up.
Paul Roberts:
So I mean, one of the things that strikes me, Peter, and I know you and I have been long-term observers of the information security field, is just the huge growth in attention to third party cyber risk, including a number of firms, startups, that have really come into this space in the last 10 years or so, to address just this particular problem and variety of different services, but often they take the form of monitoring services that will go out and look at your organization as a hacker would, determine if you've got vulnerable IT assets that are exposed to the public internet, open ports, unpatched, or misconfigured systems, that type of thing.
Peter Beardmore:
Incredibly important second layer on top of that initial disclosure that you might go through a due diligence around, making that initial partnering decision, but then there's also a need for continuous monitoring throughout the life of the partnership. And you want to be able to make really good decisions around the responsibilities that you're sharing with your partners and their level of stewardship with your data and with your digital assets, because they have become an extension of your infrastructure. And so organizations need to take a really strategic view of this and understand how it's affecting their IT function, their security function, their broader compliance and risk management function. And ultimately our senior executives are the business decision makers, making the best decisions they can for the company clear-eyed about their total risk picture, to include third party-
Paul Roberts:
With the right data.
Peter Beardmore:
With the right data, and as current as possible.
Paul Roberts:
And this matters because there are real dollars behind this, right? This is no longer about, if we don't pass this audit, we could get slapped with a fine, this is about, companies that we all know that have made acquisitions in recent years, that unwittingly acquired a huge breach-
Peter Beardmore:
A gigantic liability.
Paul Roberts:
A gigantic liability to go along with it, that was material to the company, not just in a given quarter, but maybe in a year or multiple years and we're seeing that play out right now. So this is something that clearly the C-suite and the board and investors are saying, it's no longer enough to have an attestation, have an audit. This needs to be something that we're looking at on a continual basis and assessing with every partner, contractor that we're doing business with.
Peter Beardmore:
And to make that information as available and relevant to all of the business functions as possible. And that's where-
Paul Roberts:
Operationalizing it.
Peter Beardmore:
Operationalizing that information. And that's where technology like RSA Archer really can be brought to bear because it can reach out as far as the actual risk itself to gather that information and present it in an organized fashion to whomever needs it, be they an auditor or a senior decision maker or a lawyer.
Paul Roberts:
Way to end by talking about the product.
Peter Beardmore:
Did I mention lawyers? God. Lawyers, lawyers.
Paul Roberts:
All right. Hey, another great episode, Peter. And we'll be back with more in episode four.
Peter Beardmore:
Looking forward to it. Thanks Paul.
Paul Roberts:
Me too.
Season 1 | Episode 2: Dynamic Workforce Risk
Listen time: 33 minutes
Peter and Paul discuss the unique risk and security challenges brought by today's modern digital workforce. Guests include Jim Ducharme, VP of Identity and Fraud and Risk Intelligence Products at RSA; Guido Appenzeller, Chief Product Officer at Yubico; and Dr. Zulfikar Ramzan, Chief Technology Officer at RSA.
Season 1 | Episode 2: Dynamic Workforce Risk
Peter Beardmore:
We had the digital risk one-
Paul Roberts:
Yeah.
Peter Beardmore:
Which is-
Paul Roberts:
The pilot episode.
Peter Beardmore:
... the pilot episode. This is episode where we change the actors after the pilot. And the-
Paul Roberts:
The audience-
Peter Beardmore:
Didn't work out too well.
Paul Roberts:
... The audience test scores come and they say, "We need to change the lead actor."
Peter Beardmore:
It's not too late, Holly, you can still replace this guy. So this is episode two. All right.
Paul Roberts:
Episode two of Risk Recordings. I'm Paul Roberts, the editor-in-chief at The Security Ledger.
Peter Beardmore:
And I'm Peter Beardmore from RSA.
Paul Roberts:
So we're getting together and talking about the various incarnations of enterprise risk, especially in light of digital transformation, which is what every company is engaged in right now, to one degree or another, whether they realize it or not.
Peter Beardmore:
In the last episode we talked about four distinct areas: customers, employees, partners, and infrastructure. And today we're going to focus, in particular, on that second topic, which is employees and the dynamic nature of our workforce, and how that is affecting the way security and risk leaders are thinking about their digital transformation strategy and how they are working dynamic workforce into their total view of enterprise risk. It may be worth taking a minute to look back though, and think about the way that we've been authenticating users to our digital assets over the course of the last couple of decades, maybe even longer perhaps.
Paul Roberts:
Yeah, more like three or four.
Peter Beardmore:
Yeah. So when I started in the industry, which is, of course, the first day that everything started back in-
Paul Roberts:
The big bang.
Peter Beardmore:
The big bang. 1998 is where it all began. I come into the office and tip my hat to the security guard and log in to my Novell NetWare workstation with my username and password and that was my day. And there was really no need for anything else, right? We relied on-
Paul Roberts:
Were you taking that workstation home with you?
Peter Beardmore:
Not so much.
Paul Roberts:
No way. Yeah.
Peter Beardmore:
But not too long after that, I got promoted and was issued a laptop and my...
Paul Roberts:
Which weighed like 15 pounds.
Peter Beardmore:
Yeah, it was a brick. And I was given access to a VPN with, as it turned out, an RSA token. But for a lot of organizations, that was how you authenticated your employees to your digital assets, to your infrastructure: you poked a single hole in your infrastructure, which was that VPN. You encrypted it out to the endpoint and the user authenticated themselves using two-factor authentication, if that. Probably in most cases, something as simple as a username.
Paul Roberts:
Usernames and passwords have been with us for the better part of four decades. And for a long time, before we decided to hook all of our corporate networks up to this global network of the internet, they were probably good enough, right? But these days, not so much and-
Peter Beardmore:
Not so much.
Paul Roberts:
Yeah. And I think if you peel back the cover on any significant security incident, data breach, what have you, there's an account compromise as step one, almost certainly that in many cases involves a credential theft, either password reuse, so they just harvested your password from some huge dump, from some other location, from some other site and you reuse that password in your current position.
Peter Beardmore:
It's been a pretty consistent stat in the Verizon Data Breach Investigations Report for the last five years. They have the breaches involving hacking, which probably excludes DDoS.
Paul Roberts:
Right. It's like French fries involving potatoes.
Peter Beardmore:
Exactly. It always hovers around 80% involve compromised credentials.
Paul Roberts:
Yeah, yeah, right.
Peter Beardmore:
You got to figure that that's a password.
Paul Roberts:
Right. So we actually had Jim Ducharme in, who is the vice president of RSA SecurID, and we talked about this, these very issues with him. And he had some really interesting things to say, both about the state of the art for this, and also where things are headed, both in the industry, generally, and, obviously, with RSA and the SecurID suite.
Peter Beardmore:
Well, let's listen.
Paul Roberts:
Okay.
Jim Ducharme:
Jim Ducharme, Vice President of Identity and Fraud & Risk Intelligence Products at RSA. Yeah. So, again, I run the Identity and Fraud & Risk Intelligence products, and that consists of on the identity side, we have a couple products aimed at identity and access assurance. So identity assurance is all about making sure people are who they claim to be, and access assurance is making sure the folks that access our stuff that, that access is appropriate.
Paul Roberts:
I mean, one of the things that's behind this that is so interesting is just the changing nature of work and employment itself. And I mean, you and I tend to focus on the enterprise context, which of course is important, and is a lot of workers and a lot of companies, but there are so many organizations, whether it's Amazon and their warehouses, or UPS, or retailers gearing for the holiday season, where the employer-employee relationship is much more tenuous and temporary, and yet there's a need for security authentication, all these other things.
So you've got these, what do you call it, gig economy or what, Uber, Lyft, you've got these folks who have a relationship with you as an employer, but it's a much more temporary one. And, yet, you need to provision them, and you need to join them to some part of your corporate environment. Talk just a little bit about how RSA sees that problem and how you're working with some of your customers on that.
Jim Ducharme:
Yeah, absolutely. So you're absolutely right, right? Again, the other evolution is you'd start working for a company, you'd worked there for 25 years, you'd get the gold Rolex and it was great. And so when you joined a company, we built this model based upon decades ago of you have what I call your enterprise birthday. The day you started a new company, you almost start a whole new identity. You fill out a W-4, if you're in the United States. You fill out a W-4, you fill out your benefits, and happy birthday. And we even celebrate your anniversaries, right? And so you almost create this new identity in the enterprise segment.
And then, oh, by the way, when you leave the company, you die, that identity of you dies. So that worked for a while. But the problem with it is, like you said, in the gig economy or whatever you want to call it, workers are much more... right? We have seasonal workers, we have third-party workers. So again, and much like we talked about the data center transformation, where all these layers existed in protection, we have the same thing about people. We can't rely upon the fact that this is an employee that we've known and gotten to know and have a historical perspective of 10 years of working environment to now these are very temporary.
So we have to think about how that changes things. So that identity proofing comes into play to be even more important. So what do I mean by that. When you onboard these users, how do we not start from zero with people? And this is where I think things like decentralized identity play an important role. The onboarding process for new employees is pretty heavy. Again, and it was based upon an investment from decades ago that this presence is going to work for us for the next decade or two. And so we're doing-
Paul Roberts:
Do ID card, and
Jim Ducharme:
... background.
Paul Roberts:
... right.
Jim Ducharme:
Yep.
Paul Roberts:
Right.
Jim Ducharme:
You got an ID card, you got a background, you got a security background check, a drug test, all these other things, which are all important, but why do we start that every single time? So now the notion of decentralized identities, that when you show up at a new relationship, a new enterprise relationship, that those, what we like to call verifiable claims, that information, an attestation of who you are, can come with you and go with you. It can be just as transient as you can, but still just as secure. So the example I use is things like, well, if we do a criminal background on you, why not have a certified background check that's part of your digital identity, that you can then present to a potential employer, even on a temporary basis, without going through that process all over again.
Now, immediately there's privacy concerns, but that's why I think some of the ways that we're going with this, we built privacy into this notion that digital, I'm sorry, into decentralized identity. So it now becomes my choice of, I want to share this... In order for me to work for this employer, even on a... I just want to do a job for a week, I can present these verifiable claims to this person to enable the right level of trust that I need. Here is my criminal background check, here is an attestation of my employment history for you, here is an attestation that I actually did graduate from the University of New Hampshire, and I'm not faking that. So I think digital identity and this notion of verifiable claims and things that we can carry around has a lot of promise to help in this new economy.
Paul Roberts:
Yeah, and like you said earlier, I mean, the fact that we're all carrying these incredibly powerful, versatile mobile computing devices, even though the company may not own that asset, it can still leverage it.
Jim Ducharme:
Well, I think the important part that I like to make sure folks understand is, you're absolutely right. We do have this wonderful technology in our pocket and it's great. But when we think about enterprise identity in particular, it's not necessarily the answer to everything. And the reason why I say that is a couple of reasons. One, the enterprise didn't buy me my phone, right? There's mostly BYOD out there, so there is a privacy concern. This is my phone, it is part of my identity. I have no problem leveraging it, maybe sometimes, but the enterprise has to be careful about trusting those as well.
It's not an enterprise device, like we used to distribute laptops, and we could control the laptop. You don't know what those 35,000 photos are, or what else is on my phone. So we have to be careful about the trust that we instill in these BYOD devices, that's number one. Number two, to rely upon just mobile as an authentication factor, we also have to remember, there's a lot of enterprise environments where that just doesn't work. Call centers don't allow people, for those very reasons I mentioned, to bring in cell phones. Union shops, there are union rules about, again, I think the unions recognized the personal nature of that technology to the worker, and therefore there's a lot of pushback from the unions on-
Paul Roberts:
Leveraging it.
Jim Ducharme:
[inaudible 00:11:58] enterprise. Yeah, that device isn't yours and no mention... There's also so many other clean room environments, manufacturing, healthcare, things like that. So we have to make sure that we don't keep pigeonholing our thoughts into one way to prove a user is who they say they are. That is probably the biggest negative trend I see in enterprise, is they always want to find that one ring to rule them all. And we have to be open to a diversity of ways in which people prove they are who they say they are. Yeah, for some users, it may be, I want to leverage my device, we'll establish a trust relationship, and you can use my integrated biometric with Face ID. Great.
For others, there may be other mechanisms we need. SecurID, hardware tokens, OTP, are still a thing, it's another trust factor. There are new trust factors with new standards like FIDO coming out. But the real biggest point is stop looking for the one ring to rule them all, stop looking for the one authentication method that solves every identity problem. Embrace, much like we have to embrace the diversity of the workforce, embrace the diversity of how users, what users have, and how we can prove they are who they say they are. And as we talked about earlier, stop putting as much burden on the end user, put a lot of that burden on your backend infrastructure with risk-based analytics and AI machine [inaudible 00:13:27].
Paul Roberts:
Right. And then the challenge is, right, how do we have a diversity of authentication methods and options without having a forest of siloed identity solutions that we now need to hire people to manage, right?
Jim Ducharme:
That's exactly right. But it starts with a recognition that there are different ways to identify folks, passports, digital identities, state-issued driver's licenses. We have to embrace that diversity and figure out how to interconnect all of those pieces to really establish the right trust.
Paul Roberts:
Okay, Jim Ducharme, thank you so much for coming on and speaking to us on this RSA podcast.
Jim Ducharme:
Great. Thank you so much. Appreciate it.
Paul Roberts:
I mean, one of the problems that you encounter is that there are many, many choices for these second factors, but you end up... Back in the old days, they talked about the token necklace, right, that you're going to have a necklace with all these RSA SecurID tokens on it for the different-
Peter Beardmore:
They existed for a while.
Paul Roberts:
They existed, yeah. Different applications, or whatever, that you needed to access buildings or what have you. But these days, you don't have to worry about that so much, because maybe it's just five or six different apps on your mobile phone. But you do have to worry about how you integrate those with the larger identity infrastructure at your organization, right? That you do need to rationalize this at some point and, ideally, move from a forest of siloed, strong, second-factor authentication tools to...
Peter Beardmore:
To fewer strong-
Paul Roberts:
Fewer.
Peter Beardmore:
... multifactor authentication tools that are applicable and usable in a variety of different environments.
Paul Roberts:
That's right, that's right. Because, obviously, not all of these are equal. Some are better than others, some are more scalable than others. And ideally, you get the bulk of people onto a smaller number of them. We're not there yet, but anyway. But we had Guido Appenzeller, who's the Chief Product Officer of Yubico, which makes the YubiKey, in to talk about that issue among others and kind of give us a heads up on what's coming from his company.
Peter Beardmore:
Yeah. We struggled with our audio on this one, but I think it's well worth the listen to hear about YubiKey.
Guido Appenzeller:
Hi, Guido Appenzeller, I'm chief product officer, Yubico.
Paul Roberts:
Guido, tell us a little bit about Yubico for those of us who may not be familiar with the company or your technology.
Guido Appenzeller:
Absolutely. So at Yubico, we fundamentally have a very simple mission, which is we want to make the internet more secure for everyone, and then very specifically, want to make authentication more reliable and more secure. If you look today, phishing attacks, people stealing passwords, people breaking into accounts, is something that happens everywhere, both the consumer side, as well as on the enterprise side. And so the main product that we're building is something called the YubiKey. It's a small plastic key. It looks like a little USB drive, and it gives you an extremely secure way to authenticate to online services. This could be anything from Google or Twitter or Facebook on the consumer side, or Salesforce, your internal enterprise system. We have customers in the federal government. We're high security system, so it allows you to log in securely to a very broad range of defense systems.
Paul Roberts:
Yeah, it is a fairly straightforward looking device and looks basically like a USB key. Obviously, it's more sophisticated under the hood. What is the Yubico secret sauce? What makes this particular form factor secure?
Guido Appenzeller:
Yeah. Let me briefly explain how it's being used just to give a little texture here. So typically how you would use a YubiKey is basically that you have an online account, right? And this can be a corporate or consumer. Many accounts today use some form of two factor authentication, right? Just using a password is obviously insecure. Someone steals your password, now they have long term access to your account. So we can use a YubiKey as a second factor. You would [inaudible 00:17:29] registered as a second factor. In most cases, you do a self service. Then the future, after use, you would simply plug it into the USB port of your computer and touch it and prompt it. And it's a single touch. It's a very smooth user experience, very low friction, but it provides it with a very, very high degree of security.
And then just to put that into perspective. So Google Research published a case study where they looked at account takeover attempts against 350,000 accounts. And they were from a very broad range, right? Some of them were your wholesale phishing, just sending out a mass email, but some of them are also very targeted attacks, the spear phishing, social engineering, what you typically see from sophisticated criminal actors or nation states. And at the end of the day, out of 350,000 accounts, they then benchmarked different ways how you can protect these accounts, and security keys were the only method that, at the end of the day, did not have a single account compromised. It's very resilient against phishing. It's a very, very secure way of authenticating.
The nice thing about a YubiKey is that it supports a very broad range of different authentication options. Every enterprise I've seen in my life looks a little bit like the computer history museum, right? You have to look at enterprise almost as a constant transformation, right? Where you have some very old systems, you have some very new systems. It's very important to have a tool, like an authentication token, that basically covers all these different approaches. And we can... The different functionality of the YubiKey is used differently with different systems, but it works both with your classic legacy IT. So cases where you have to, for example, pass everything through a password field, and you can't make changes to the system, while at the same time working with some very modern services that implement FIDO or FIDO2, the very, very modern authentication protocols that are more user friendly and more secure.
Paul Roberts:
Guido Appenzeller, thank you so much for coming in and speaking to us on the RSA podcast.
Guido Appenzeller:
Thanks, Paul, thanks for having me.
Peter Beardmore:
So I think it's also worth mentioning that Yubico has a fantastic go-to-market partnership with RSA, and the idea being that Yubico customers can use their YubiKeys, together with the RSA SecurID infrastructure, giving enterprises fantastic choices around the authenticators that they want to use in a variety of different use cases, and that real ability to find identity assurance that is commensurate with the risk involved, while giving a great deal of flexibility and choice.
Paul Roberts:
I really think just... I mean, I think one of the byproducts of this sort of blurring of the lines between personal and work, between consumer and professional or enterprise IT, is this blending of identities as well. Obviously, our smartphones are now critical business tools that we're using in our office, but belong to us personally, they're usually not our employers'.
And I think this idea that identity just starts and ends with an employer is also much more fluid. Like the identity we're creating when we're at our workplace, increasingly, is continuous with, or contiguous with, our larger identity online, whether it's social media, our smartphone, what have you. And I don't know what you think about that. I mean, I think we're going to see that trend continue and this become a lot more fluid.
Peter Beardmore:
As it turns out, we have that exact discussion in a conversation with Dr. Zulfikar Ramzan, who's the CTO of RSA, and he touched really briefly on this concept of decentralized identity, some of the work that RSA labs is doing in that space, and we should give it a quick listen.
Paul Roberts:
Great.
Zulfikar Ramzan:
Zulfikar Ramzan, chief technology officer of RSA. I run the RSA office of the CTO thinking about some of our latest innovations and advanced development efforts. And I have a chance to meet with amazing customers every day and learn about the challenges they face and see what RSA can do to help address them. Today, there are basically a few different projects you have going on in RSA Labs that I think are very relevant and salient for what the future of identity looks like. In fact, I wouldn't even say future anymore, what the current state of identity looks like that we have to protect for the future, if you will.
To start off with, one notion that comes up is the idea of the bring your own authenticator notion. The reality is that we've got a set of authenticators we provided for years. Certainly people know us for this hardware token. They know us for some of our software tokens. They know us for the ability to use Touch ID and facial recognition and a bunch of other variations on a theme. But we also realized that there are a ton of authenticators out there, a ton of different ways it makes sense for different types of user populations in different situations, so the transient workforce, the software developer, et cetera.
And what we recognized is that RSA had really built value in two distinct areas. We had certainly built a lot of value in the authenticator area, but we also built tremendous value in the authentication backplane, the thing that the authenticator has to talk to, to actually facilitate this whole process of authentication. And there are many elements there, there's how you deal with registration and enrollment and how you identify situations around risk and can put in a proper risk engine with every authentication. There are elements around the typical life cycle of authenticators and so on and so forth. There's quite a lot that has to go into managing everything in the back office. And we've actually been able to solve those problems successfully for many, many years across some of the most complex and some of the most simple environments in the world.
Very recently, we announced a partnership with Yubico. They built something called a YubiKey. It's basically a FIDO2-enabled authenticator. For a while, by the way, people didn't realize this: RSA SecurID, the backend, could accept FIDO2 authenticators. So we made a concerted effort to get that message out to the market by partnering with YubiKey, or Yubico rather. People can now use YubiKeys together with RSA SecurID tokens in the same organization talking to the same backplane. And we believe that's going to be one step of many to enable organizations to simplify how they think about authentication a lot, and to provide the right level or the right type of authenticator for the right user population to solve the right set of problems, without having to rely on multiple vendors and piecing together multiple solutions. We want to make life easier for our customers. So that's one critical area.
The second critical area, which I think will be interesting, maybe more broadly and potentially also in the consumer space, is in the area of decentralized identity management. Today, identity management is very much a centralized function. The person who dictates your identity is a central authority in an organization, and they dictate whether you live or die or what happens to you. Everything, you go into an organization, essentially you have a birthday at that organization, because you're walking in and they're recognizing you for the first time.
Peter Beardmore:
They create a new account-
Zulfikar Ramzan:
Create a new account.
Peter Beardmore:
... and that account follows you during your appointment, and then it goes away when you leave.
Zulfikar Ramzan:
Exactly. And so I think that there's some worth there around whether we can put the control of identities back into the hands of users, not to have them rely on central authorities. Now, there's been a series of work in this area over the course of decades in starting off in the early days of cryptography around PKI, that was sort of the much more centralized model, gradually moved to sort of more decentralized models involving single sign-on and federated identity. But there were still some limitations. But more recently, we've actually done a lot of work on the idea of decentralized IDs that are based on verifiable claims with claims issuers, and there's some interesting mathematics that makes that all a reality. I don't want to dwell in mathematics, but I want to point out why I think now is a time, societally, why these particular ideas are ready to be embraced.
And I want to point this out because we've known how to do this for 35 years. Mathematically, we'd wanted to build these systems, but why is it that now is the time. First of all, I think if you go back a few decades ago and you asked people if they want to carry around digital credentials, there was no easy way to do that. People didn't carry around smart cards. I mean, people were trying to make smart cards happen, but that never really took off. Today, we all have mobile phones, and mobile phones are a natural place to store digital information about yourself that can be used as part of the authentication process, as part of the process of proving that you have a certain set of attributes, that you're allowed access to a particular situation. That's the first key thing.
The second key element that I think has come up, is that if you go back, again, 25, 30 years ago, look at the earliest of PKI and ask people, "Why did PKI not take off 25, 30 years ago? It solves an important problem, it seems like it's a good technology. What was it that prevented it from taking off?" And I believe the answer is that it was hard to explain to the average person 30 years ago why PKI was better than a password. Now, the people who are in mathematics and cryptography, they know the answer, they can talk about it ad nauseam, but the average consumer could not get that distinction. Today, people recognize that passwords are annoying. They have too many of them, they can't remember them anymore, they're constantly resetting them. If I can present you with the capability that allows you to reduce your dependence on passwords, most people will be all in on that value proposition.
The third thing, which I think has really also enabled organizations and individuals to potentially embrace the idea of decentralized identity management, is a notion that decentralized storage is much more acceptable. We're used to the idea of stuff being stored in some cloud service and accessing it when we need to. If you look around, there's things like blockchain and distributed ledger technology. Not that, by the way, you need those technologies to make any of this work, but they've created a level of social acceptance around some of those trends. And again, that also facilitates implementing some of these decentralized ID topics I talked about.
So I think for those reasons, we are at a really interesting inflection point in being able to realize and accept those technologies. And as one final and fourth, I'd say societal factor, people today are less trusting of centralized authority, right? They've seen situations go awry. They've seen their data become breached. They've seen their data become abused and misused and sold. So the idea of taking back my identity, putting it back in my own hands, taking control over my data, that is a powerful notion. And again, one that can be enabled by the work we're doing right now in RSA Labs. I'm super excited about this area. I think there's a lot we can do with it. And I'm looking forward to seeing where we can take this area.
Peter Beardmore:
Could you provide, maybe, or try to illustrate what the future could look like in that world? I mean we're all bound by our own frames of reference, right? So if I'm trying to sell you a yam, I might tell you that it looks kind of like a potato, if you've never seen a yam before. Right? But it's very difficult for us to understand if we're just living in a world of passwords and one-time password keys or something like that. What would the user experience potentially be like in that world?
Zulfikar Ramzan:
Right. So let me talk about that in the context of a problem I think we can all relate to. Which is, look at our current healthcare system, right? When you go to your physician, they present you with your medical records, and then they make a determination about what kind of treatment to give you based on a combination of your medical records and what symptoms you're presenting the day you show up to your physician's office. And in that world, if you think about it for a moment, your medical data is not something you control, it is something controlled by the healthcare institution that's taking care of you.
If tomorrow you went to a different institution, you were in an ER or a different country, they would basically start, sometimes, with a blank slate or maybe with an incomplete view of your medical history. And that could cause a whole set of complex problems. I mean, there have been situations of people who have literally died because they've gone to different healthcare institutions for complex emergency issues. Each time they went with whatever they could gather-
Peter Beardmore:
Information that was available.
Zulfikar Ramzan:
... Yeah, and if anybody had been able to look at the entire totality of that picture, they could have made the right medical assessment and saved a life. So it's a true kind of life or death type situation. Now, imagine a world where you can carry your medical information. Maybe it's stored in a cloud service that you can access somehow. Now, imagine a world where you can start to delegate certain pieces of that information to your healthcare providers. You can prove things about your medical data to a provider. All of a sudden you begin to take control over that information, number one.
Number two, it's actually beneficial for the provider, because in many ways, the provider now has to bear the risk of storing your medical data in today's world, right? Today, your hospitals, they have all this medical data. They're not trying to monetize it or sell ads off that data. At least I hope they're not. Maybe some of them are, but for the most part, I don't imagine that they are.
Peter Beardmore:
They're pulling their hair out just trying to protect it.
Zulfikar Ramzan:
Trying to protect it. They have words like GDPR and CCPA and all sorts of similar regimes. And in their minds, they're more worried because, on the one hand, they have all this data, which they need to provide you with the right level of service, but on the other hand, they're not making money off of that data. So they can't afford, in many ways, the economics don't make sense for them to store that data.
So I believe if you use something like a decentralized identity, we can essentially enable decentralized storage, because you can now create a world where people can access what they need to in a decentralized community. They can share information on an ad hoc basis with the parties who need it at the time that they need it. The parties themselves don't carry the liability, and we can not only implement some interesting technology. We can fundamentally save lives.
Peter Beardmore:
Dr. Zulfikar Ramzan, thank you for joining us.
Zulfikar Ramzan:
Absolutely. Thank you so much, Peter.
Peter Beardmore:
It was a pleasure having you. Thanks.
Zulfikar Ramzan:
Likewise.
Peter Beardmore:
Yeah, so we started this conversation looking back at how simple things once were and how complex they are today. And when you're talking about dynamic workforce risk, you're really talking about the convergence of all of these factors of digital transformation, applying enormous pressure to IT departments who are responsible for carrying forward a longstanding responsibility that they had around identity and access management, into a brave new world that is just exceedingly complex, and having to rationalize what they're doing with the risk to the broader organization, the security strategy, what's happening from a risk management and compliance standpoint. There's an awful lot to consider, and organizations are taking a hard look at this and, hopefully, these conversations are bringing to light some of the factors that they need to be thinking about.
Paul Roberts:
Yeah, I think about the Dickens line, "Best of times, worst of times," right? Best of times in that there's tremendous options available to organizations, both on the access to applications and services, and very seamless, fluid, easy to provision, that's all great. Many different options around securing identities, many different platforms and tools, but also a need to rationalize those choices and get your arms around them so that you're managing the risks that they introduce to your organizations, so you understand what your employees are doing and on what platforms and so on. Deliver on your core mission, which is, obviously, protecting sensitive data and IT assets.
Peter Beardmore:
And keeping an eye on the future, and the future needs of the organization-
Paul Roberts:
Exactly.
Peter Beardmore:
... and maybe some of those risks that are going to be coming around, too. All right. Well, Paul, thank you so much. Always a pleasure talking with you.
Paul Roberts:
Once again, great to come in and talk as part of your risk recordings.
Peter Beardmore:
All right, thanks.
Season 1 | Episode 1: Digital Risk
Listen time: 27 minutes
Peter Beardmore and Paul Roberts discuss digital risk with Rohit Ghai, President of RSA, and Holly Rollo, SVP and Chief Marketing Officer of RSA. Rohit outlines senior business leaders' top-of-mind issues pertaining to digital transformation. Holly discusses some of the hidden risks of MarTech, and why organizations need to adopt a risk-based approach to collaborating across the risk domains.
Paul:
So this is episode one.
Peter:
Episode one season one.
Paul:
Episode one season one.
Peter:
Of Risk Recordings of RSA.
Paul:
This is the pilot. This is the-
Peter:
The pilot episode.
Paul:
It is like Jack Tripper going up to the apartment looking for...
Peter:
I was thinking more like the West Wing than Three's Company myself, but you know.
Paul:
[inaudible 00:00:32].
Peter:
What are the risks associated with Three's Company?
Paul:
There was a lot of risk in that.
Peter:
There was a lot of risk.
Paul:
There was tremendous risk. So we're going to be talking about digital transformation and digital risk. And I think one of the really interesting things to talk about is what exactly we mean by digital transformation and for companies out there in the 21st century marketplace, what digital transformation really means in practice. I mean, I think digital transformation, as we're seeing it play out, is profound and is really for many companies, just a wholesale rethinking of how they do business and even why they're doing business, what they're in business for.
Peter:
Well, companies certainly know that they've got to spend the money on digitization in particular to better engage with their customers, get closer to their customers, better understand them. Make whatever it is they're selling more part of the everyday life and function of the customer. Similar experiences, similar intentions, go to employees and partners as well. Lots of money being spent, lots of investment, lots of technology oriented in those directions, to employees and to partners. And then obviously you need the infrastructure to support that. And we're thinking about how we're going to optimize that infrastructure, and where that infrastructure needs to be.
And so it's not lost on any executive how much money they're spending, the investment that they're making in digital transformation, and what the intended or hoped-for outcomes are. But there's also that looming question of what risks am I taking on every step of the way as we do this on all four of those fronts: customer, employee, partner, infrastructure. And these are the conversations that not just IT and risk management and security leaders are having, but top leadership in organizations, CEOs and boards of directors.
Paul:
Sure. We had a really interesting conversation with Rohit Ghai, RSA president, who came in and talked to us here in the Risk Recordings studio about some of the conversations that he and other RSA executives are having with their customers. And again, RSA works with the largest companies in the world, about this issue of digital transformation and what that means to them, what falls under that umbrella and what he's hearing from them. So why don't we check that out?
Peter:
Let's listen to Rohit.
Rohit Ghai:
Rohit Ghai, president of RSA. Honored to lead this great team, help manage digital risk for the world. So, first of all, I'm delighted that as I've talked to customers, they have defied my expectation. When I go talk to them, I would have expected that when we talk digital transformation, they'll go right to technology and infrastructure or data as the obvious, because data is such a central concept for digital. But I'm delighted to see that they actually start outside in. They start number one with, "Hey, digital means to me that I must transform the experience of my customers. Digitally engage them as opposed to physically engage them, and give them experiences that are transformative, delightful, and engaging." So that's where they typically start. That's the macro number one goal for the digital agenda for organizations. The second thing I hear a lot is around this idea of the gig economy, API economy, et cetera.
They're saying, "Look, in the digital world, what we realized is I have to really focus on my core competency, and as such I should not build anything I don't need to build, and I'm going to harness the ecosystem as much as I can." So that's idea number two, focused ecosystem. And idea number three that they always bring up is their own teams, their own workforce, which is very dynamic, extended, transient in the digital world. And talent is a top of... Frankly, talent is going through a multidimensional transformation. There are millennials and Gen X and Gen Z and Gen Y, and so there's the multitude of generational diversity as well as, shall we say, the aspect of providing opportunity to the workforce to have anytime, anywhere access to the information. Kind of unleash them, make them productive. So those are the three things that I always hear customers talk about.
Paul:
Right? Well, and of course you're president of RSA Security, a 30-year-old company that is experiencing these things itself, right?
Rohit Ghai:
Absolutely. My favorite line is in order to earn the right to manage digital risk for our customers, we must be digital ourselves. So it is a big agenda for us to transform digitally as well.
Paul:
Yes. When we're talking about things like customer experience and digital transformation as a way to transform customer experience, as we're breaking that down to look at different types of initiatives, digital initiatives, what are we seeing there? And to what extent are issues like data privacy, data security, cyber risk, a part of those conversations within the organizations that you talk to?
Rohit Ghai:
Absolutely. So at the end of the day, what many of these organizations are trying to do is map out their customer journey all the way from interest, inquiry, consideration, and the buyer's journey, as well as sort of the utility journey of using the products. So they're mapping out this journey and saying each aspect of the journey, A, should be connected. It should not be... often organizations in the pre-digital era have been guilty of serving, shall we say, discontinuous experiences when a customer engages from the sales side versus the support side. We don't know who they are, and we have to do this whole process of re-inventorying their identity, and kind of learning all about them all over again, which is a very frustrating and discontinuous experience for customers.
So providing continuity of experiences across the customer journey. That's the objective number one. Objective number two is to reimagine that touchpoint and make it frictionless as well as engaging. And engagement is sort of a top of mind concept where every company, frankly, is vying for the attention of the customer. And as such, you must be engaging because there's so much stimuli in the digital economy that you're kind of overwhelmed with. So you have to be interesting enough to make sure the customer doesn't get distracted and look at their phone, or look at their... look at a tweet that they just received, et cetera, et cetera. So engagement.
Because continuity and engagement are top of mind concepts, in order to deliver that these organizations are often collecting data from their customers to profile them so they know who they are, so they can actually personalize it and deliver engaging experiences as well as care for continuity, because you must remember them in order to provide continuity. And when you collect customer data, you become the custodian of customer data, and this whole swath of issues around data privacy comes in, data custodianship comes in, and PII, PHI. So some of that information may have sort of regulatory implications as well. And that's what we think about in terms of digital risk: in terms of digital transformation, digital engagement with customers, digital risk, data privacy, data sovereignty, data governance, all those issues come in.
Paul:
Rohit, thank you so much for coming in and speaking with us on the podcast.
Rohit Ghai:
My pleasure, always a pleasure, Paul. I really enjoyed the conversation. Thanks.
Paul:
One of the really interesting things I heard Rohit talking about was this notion of mapping out the customer journey. We talked about the increasing engagement of companies with their customers, wanting to know them better, cultivate a relationship with them in a journey with them, and the need to connect the points in that journey back to key systems or processes within your organization. Make sure people don't fall through the gaps. I thought that was really fascinating. And I think it's something that as a cyber security reporter and also somebody who is a publisher as well, I mean, I think there's just been this huge explosion and mushrooming or blossoming, I guess, is a better word. There's been this huge blossoming of marketing tools and technology and platforms that assist companies in creating this journey, and pulling customers along through it, whether you talk about Marketo or HubSpot or any of the many very powerful platforms that have come up, and then countless other sort of verticalized marketing applications. Hugely powerful, companies love them, but also entail a fair amount of risk.
And we've certainly seen on the flip side of that companies who have had customer data or employee data exposed, not through their own doings, but because they contracted with a small provider of whatever, whether it's brand management, PR, email marketing, who lost track of their data. Who didn't do the basic blocking and tackling.
Peter:
And that brings up a whole other topic that we'll dedicate an episode to shortly around third party risk. But you're absolutely right, and it's incumbent upon marketing organizations to drive the business forward, and invest in these new emerging technologies that are going to help better that engagement with customers. We had a conversation with Holly Rollo, who is the chief marketing officer at RSA, and she's observed a lot of these challenges as well.
Paul:
It's a big job.
Peter:
It's a huge job. We're all doing something similar in marketing, competing for eyes and ears and attention. We recognize that there's great benefit to be had by harnessing the power of AI and machine learning to better understand customers and to tailor the right content to put in front of them. But with those investments can come some unintended consequences, and Holly had some really interesting thoughts about that. So let's check in with Holly and hear her story.
Holly Rollo:
I'm Holly Rollo. I am the senior vice president at RSA, and I'm responsible for the marketing team and CMO. I'm also responsible for the conference, which is a phenomenal event, as you know, that we're really excited about. And in addition, I help out with our digital transformation, RSA's digital transformation and modernization as a whole.
Paul:
So, I mean, you've been in senior marketing roles not only at RSA, but at other technology companies, even other security companies. So I'd be interested, how have you sort of seen that part of the industry evolve in the last 10 years?
Holly Rollo:
Yeah, so RSA's my seventh marketing transformation, and I've seen a lot of different things in every one. It used to be we're just putting systems in place and we're modernizing our website and we're doing some things to make the information more accessible to our customers or our prospects. But over the last, I would say, five years, the market has just exploded, MarTech in particular. I think there's something like 7,500 vendors in the space now, and we thought that cybersecurity was really noisy with 1,500, but in MarTech it's just crazy. And the reason is there are new applications for the type of thing that we're doing. There are new use cases. There's a ton of new vendors who are able to provide value through some very, very basic machine learning to very sophisticated machine learning, and even data analytics that helps pull information about our buyers and our customers together in one place and helps us assess in real time what content to serve them and what kind of experience we want them to have.
So with this explosion of technology, what happens is marketing people are in this unique position where sometimes at the end of every quarter, our budgets get cut. Sometimes at the end of every quarter, there's a bunch of money that the company wants to spend quickly, and we have to set ourselves up to take advantage of that. And sometimes what happens is we'll get an influx of some budget that we didn't expect where we may have a tranche of things that we want to spend it on. We are always looking for ways to augment our tech stack by implementing new tools that'll help us do the things that I just discussed. The issue is, when we're having conversations with IT about what we're trying to do, we talk about them in terms of tools or trinkets.
This tool is going to help us get insight on our customers or help us with a better scoring model or help us... Whatever it is. Augment our data or whatever it is. And so the language we're using to have this conversation with IT becomes very much tactical. And so when we're onboarding the vendor and having the assessment, the security assessment, done, which hopefully everybody's doing, but not everybody's doing on these tools, IT doesn't really understand that actually what we're doing is we are creating a Cloud based infrastructure with hundreds of these, quote, tools, that are being stitched together through APIs by third parties. By third parties I mean our agencies, or maybe our agencies have contractors, or maybe we have someone on our tech team or on our web team doing it for us who just knows something about it.
So that's the first problem is the disconnect between IT and our security teams, understanding that we're not just buying and implementing tools, we're actually stitching together an infrastructure in the Cloud that they may know nothing about. And it's not like we have this ill intention, like we mean to do it or get away with something. It's just how marketing professionals look at what we're doing in terms of solving a problem, not necessarily rolling out a whole roadmap. And I'm speaking in generic terms. There are certainly teams that are highly sophisticated and have whole MarTech stack teams. Larger companies have whole teams that address this issue, but medium and small companies or startups don't always have that resource. So, I'm speaking kind of in general terms.
The second thing that is happening is because these companies are coming into the market so quickly. So of the 7,500 companies that I discussed, I would say less than half of those companies have been around for a long time. I would say more often than not, half those companies weren't even around two or three years ago. So these are brand new companies that are building code based on potentially open source code bases that have been shared around because they want to get their companies launched quickly. And I don't blame them. That's what they're trying to accomplish. And because it's a MarTech tool, they're typically people who understand the marketing problem, and so they're not necessarily building them with security in mind. So, they're not maybe necessarily coming from a security development mindset, they're coming from solving a MarTech problem. So sometimes the code can be inherently vulnerable, or maybe not built necessarily with security in mind. So that's kind of the second thing that keeps me up at night.
And so this is why it's important, when you're modernizing a MarTech stack and building a MarTech stack, that you're talking to your IT and your security teams in a way that expresses what your long-term roadmap is, and that you're actually laying out a foundation for this Cloud based infrastructure. Why is it Cloud based? It's Cloud based because all of these vendors know that marketing isn't always on the top priority in terms of what the IT teams need to accomplish for the company as a whole. So maybe they're rolling out a new HR system or a new ERP system, or they're doing some kind of larger deployment. And because these things are so consumable in small chunks, it's hard to get on the priority list for IT because it's one little or two little things. So that's why we go around IT and go directly to some of these vendors, because we just are trying to solve the problem. Like I said, I don't think anybody's trying to do anything wrong. It's just how it works.
Paul:
I mean, we were talking earlier about giving security a seat at that table. I guess, how do you make that happen? So marketing and sales, those interactions are aligned more or less. They're all pushing towards the same thing. But as we look to some of the challenges you were talking about, how do we take advantage of these new platforms and tools without also really putting ourselves in a bad position vis-a-vis risk? How do you integrate security, IT and security in a way to say, "Hold on a sec. Let's slow this initiative down because we're looking at this platform, for example, or looking at this particular tool and we have some concerns."
Holly Rollo:
Yeah. I think the old mindset was... at least let's take the marketing example. The MarTech example. Marketing has pressures to show value in five minutes, and we're constantly justifying the budget. We're constantly justifying ROI and all those things. So we're highly motivated to get this stuff put in and working and spitting out the right reports. So we're going to want to move as quickly as possible. That goes directly against pulling in IT to... so you have this dynamic where we don't want to do it, but we do it because we have to just hurry up and get through the security review. That's the old mindset. Pull them in, have them do the security review. You just build in the two, four, six weeks, however long it takes to get that done, and you're off to the races.
Paul:
Take your medicine.
Holly Rollo:
Just take your medicine and off you go. The new mindset has to be... Because by the way, part of that old mindset was data security isn't my problem. My problem is marketing and campaigns and branding and da, da, da. But when we offload security as somebody else's problem in this whole Cloud infrastructure thing that I'm talking about, it's our problem because they don't even know what exists. So this is the weird thing that people maybe haven't put together: it's really not someone else's problem if they don't know what you're doing. If you've assumed the problem and you're ready for the consequence... And you may not even know the consequences, but you assume somebody else is going to take care of something they know nothing about. That makes no sense.
So the new thinking is, look, we want to implement something as quickly as possible. I want to understand the risks associated with that. Say it's transitioning to a new, I don't know, CRM platform or marketing automation platform or whatever it is. I want to know the risks associated with the downtime or the data transfer or whatever it is that's happening so that we can determine, are we willing to take that risk or not? And we can't have that conversation if they're not involved in the planning and the strategy upfront. Because again, like I said, we're just doing tactical tool purchasing. And so then they can help us say, "Look, we can minimize this risk. We can get it down to this and that because we're doing it in these hours, or we've done these things before, or we put in additional controls during the transition." Because it's the transition period that is the period that is the most risky.
So by having them involved and having them play a more strategic role in the overall strategy of what we're trying to accomplish from a business perspective, we put ourselves in a position where we can take mindful risks. We know what we are assuming, and we are willing to take that on and we have mitigation in place to manage it in case something happens. I think that's a really important new mindset with designing secure... designing a business process with security built in, understanding that the applications that you're taking on have been built with security in mind too, or at least mitigating for that. It's important to have people do code reviews and things like that. And then understanding that you're building a new business process where you're taking a risk based perspective on what it's going to take to move to that new future state.
Paul:
Holly, thanks so much for coming in and speaking to us on the podcast.
Holly Rollo:
Thank you. Thanks very much.
Paul:
Great talking to you. So I mean, what I'm hearing Holly say there is really that this is a visibility and awareness problem. So maybe historically IT and IT security would be concerned with securing the employees who work within the marketing group and their... as members, as people who are on the network and have IT assets and so on. They might not be so focused on the platforms, tools, and services that they use to do their job and what risk is inherent in those. But these days, as we talked about, those are concerns that both the IT group and IT security, all the way up to the CISO and the C-suite, need to be thinking about.
Peter:
Yeah, it's not just an awareness and visibility problem. It's a collaboration challenge. And as Holly brought up, security, it's hard to make them feel... it's hard for them to feel responsible for something they're completely unaware of.
Paul:
That's right.
Peter:
And so how do we foster a culture and processes in our organizations to ensure that the right hand knows what the left is doing? Particularly about the most important stuff, where there might be sensitive data exposed and that sort of thing. And this theme, and Holly's example was from marketing, there are probably similar examples in every other business function, and in all of the various ways, across all of the vertical markets, that operations have become digitized. And we'll talk about that as well in some other episodes, but we're invariably talking about Cloud. We're talking about workforce. We're talking about third parties. We're talking about cyber security risks. And those are the themes-
Paul:
Software supply chain.
Peter:
Software supply chain. And so those are the themes that I would like to touch upon in the coming episodes. And we've got some other great conversations lined up to explore those very issues.
Paul:
Peter, if that's what you want to talk about, then that's what we're going to talk about.
Peter:
That's what we're going to talk about. Come and knock on our door. We'll talk about digital risk.
Paul:
Guest appearance by Mr. Roper. Okay. Peter, that was a great conversation.
Peter:
It was, thank you so much. And please join us for our following episodes. Subscribe, comment, and let us know what you think.
Paul:
And tell your friends.
Peter:
Please do. Thank you.
Paul:
Thank you. Bye.
Season 1 | Episode 0.1: Preview Episode
Listen time: 19 minutes
Peter Beardmore and Paul Roberts test out their new podcast studio, introduce themselves, and chat informally about the effects of digital transformation on both people and organizations.
Paul Roberts:
You know what's really interesting is I went to a holiday party, I don't know if you've had this experience, but I was having small talk with, this is in Jamaica Plain, and it was a friend of mine who's a musician, so it was a party full of people who are musicians and artists-
Peter Beardmore:
You were hanging out with the cool kids.
Paul Roberts:
I was hanging out with the cool kids. Yes. This is a friend of mine from college who is much cooler than me and teaches at Berkeley. Somebody asked me what I did and if you start talking about cybersecurity or cyber risk, I don't know if you've noticed this, but ears perk up and people gravitate towards you in a conversation and everybody has a story to tell about this. Whether it's my data was stolen or I got a letter in the mail and it said, I'm getting these email messages with crazy stuff in them or my identity's stolen. Everybody is affected by this. It's like the slow burn public health crisis.
Peter Beardmore:
People want to know what to do.
Paul Roberts:
People want to know what to do, there's a real information disequilibrium, yes.
Peter Beardmore:
Who do I call?
Paul Roberts:
Who do I call? Yeah. At the consumer level, I think most people would think to call their local PD, police department.
Peter Beardmore:
Good luck with that.
Paul Roberts:
Good luck with that, yeah. They're not really-
Peter Beardmore:
They're nice to call, they're nice to talk to.
Paul Roberts:
They will answer the call and they'll be more than happy to take a police report for whatever happened to you, but they do not have anybody who is going to be able to help you in the least. That skill set has not percolated down to the local PD level yet.
Peter Beardmore:
Yeah, when we talk about the challenges of digital risk at RSA we talk about this on the order of magnitude of corporations.
Paul Roberts:
Right.
Peter Beardmore:
Your consumer examples, multiply exponentially.
Paul Roberts:
Right.
Peter Beardmore:
We talk about three pressures: the pressure of modernization, meaning do I have all the right technology and digital gadgetry and advancement to get as close as I possibly can to my customers, my employees, my partners, my ecosystem. When I do that I'm invariably opening myself to vulnerabilities because all this stuff runs on software and those vulnerabilities are being exploited by bad guys. Malice: modernization leads to malice, and the problem there is that there's no enforcement. There's nobody out there to stop the bad guys. Occasionally, you and I were talking earlier, you see a DOJ announcement that they're prosecuting some Chinese national someplace, that'll probably never come to anything, but it's incumbent upon us as individuals or as organizations to have to protect ourselves and to figure out how to go about doing that.
Paul Roberts:
That's really true, yeah.
Peter Beardmore:
Given that we've got our lives to live, we've got to take the kids to soccer practice and buy groceries and go to work. But we've got to protect ourselves somehow along the way, and corporations are saddled with the same challenges, but they also have an additional set of pressures. The third M: modernization, malice, and the third is mandates. New regulation regimes coming into place. GDPR has been out a couple of years, CCPA we're now all wrestling with.
Paul Roberts:
Just last month, yeah.
Peter Beardmore:
The nature of mandates is changing as well. We're going from very prescriptive mandates to very qualitative mandates, outcome-based mandates. Organizations are really struggling with the challenges of digital risk. We can frame it a little bit from our personal lives, I think in the example that you gave. The net though, is that 15, 20 years ago we never anticipated that every time we pulled this thing out of our pocket, we would have to be mindful all the time of the inherent risks that come with this computer that's become attached to us. Organizations are really no different. A trucking company still wants to be a trucking company. A medical research company still wants to be a medical research company. An investments company still wants to be an investments company, which is great, but we're also all technology companies now as a means of just having to compete. How we manage the risks that come along with that is now and will continue to be a critical success factor for all organizations. In most cases, organizations either have it or are just at the cusp of coming to grips with that.
Paul Roberts:
Yeah, what strikes me too, is that on the one hand you talked about enterprises dealing with the same types of risks that the consumers are dealing with, but at a much larger scale. I think one of the things that's really become clear in the last decade, certainly since the iPhone came out, is that organizations are really, or enterprises are really, just collections of individual consumers. While tools like iPhones and Android phones have been huge productivity boosters for their employers, they've also just obliterated the notion that there's going to be this corporate IT environment that's separate from your personal technology use and personal and home environment. Remote working and VPNs and so on have really obliterated that, and now enterprises need to be very much concerned about the security of their individual employees in their individual lives, because there's a solid line connection between their home network and their personal devices and corporate assets, corporate data, and so on.
Peter Beardmore:
And needing to have a clear understanding of what needs to be protected and what doesn't matter because you can't protect everything, which is why the old prescriptive mandates are dead. You can't apply this long list of technologies to every piece of data and still have a functioning business. You have to make decisions about where the keys to the kingdom are, where the important stuff is and all the other stuff that's really not important that we don't need to think about. If that stuff is running on your employee's phone, you need to be able to accept that risk. It's a difficult thing to figure out-
Paul Roberts:
It is.
Peter Beardmore:
In a lot of organizations. A lot of organizations are still getting their heads around that they don't have a perimeter anymore.
Paul Roberts:
Right.
Peter Beardmore:
These are tough challenges. Well, the good news is in this podcast series, we're going to help people solve all these problems. By the time we're done listening, they'll have it solved.
Paul Roberts:
You're just going to know. You're going to have a checklist. There are going to be five items on it and when you complete that, you will be 100% secure.
Peter Beardmore:
Yes, that's exactly right.
Paul Roberts:
We'll sell that, your checklist for $50 million.
Peter Beardmore:
I've been waiting my whole career to figure this out. Finally, had this-
Paul Roberts:
And you'll get a certificate.
Peter Beardmore:
A-ha moment.
Paul Roberts:
You'll get a certificate and some letters put next to your name.
Peter Beardmore:
So we should probably introduce ourselves.
Paul Roberts:
Yep, my name is Paul Roberts and I'm the editor in chief and publisher of the Security Ledger. I'm a long time cybersecurity journalist. I started covering the cybersecurity beat in 2002 and have been writing about it ever since as a journalist and as an analyst. And thinking and writing and talking all the time about these very issues of digital risk, digital transformation, whether that's internet of things, cloud, embedded devices, supply chain, those types of issues.
Peter Beardmore:
My name is Peter Beardmore. I'm a marketing person at RSA. I work in the marketing strategy function here. I do a lot of security and risk evangelism, a lot of messaging work. I also help the organization put together a lot of the major events that we have, such as RSA Conference, which is coming up just a couple of weeks from when we're recording.
Paul Roberts:
Indeed it is.
Peter Beardmore:
I was given an opportunity here at RSA to experiment a little bit and help to reintroduce the RSA podcast, which we're going to be calling, or we are calling, Risk Recordings With RSA. Interestingly, RSA was a pioneer in podcasting, believe it or not, not just a pioneer in encryption and identity management and integrated risk management. RSA is a pioneer in many things, not the least of which is podcasting. In my first lap at RSA back in '06, '07, '08, we had a podcast called Speaking of Security, which, I think several years ago, back when I think there was some skepticism around the future of podcasting, some genius executive decided to spike, and here we are-
Paul Roberts:
Podcasting's never going to go anywhere.
Peter Beardmore:
[crosstalk 00:10:31] Never nothing. What a silly idea. So here we are and Paul, I think you and I met, must've been in '08, '09, you were at 451, I think when we first crossed paths.
Paul Roberts:
I think that's right.
Peter Beardmore:
Then we connected again, not too long after that-
Paul Roberts:
At Kaspersky-
Peter Beardmore:
At Kaspersky I was running product marketing and you were brought in to be the editor of Threatpost.
Paul Roberts:
That's right.
Peter Beardmore:
Then you went off on your own and I hung around there for a little while longer and then found my way back to RSA. We've had opportunities along the way to connect and collaborate and here we are again.
Paul Roberts:
You know what's really interesting about RSA is just that RSA is really the [inaudible 00:11:16] security company. The company was founded in what, 1982-
Peter Beardmore:
'82 I believe.
Paul Roberts:
Right? Really before RSA, there was no information security industry to speak of. There wasn't a notion that you could have a whole company just based around the idea of securing computers.
Peter Beardmore:
Yeah, these guys were geniuses, when you think about it. The foresight to understand the need to be able to secure transactions and communications across an electronic medium.
Paul Roberts:
Yeah, and to commercialize that.
Peter Beardmore:
The wherewithal to figure out a way of doing it, that has literally lasted, although it's been iterated on a little bit along the way, but it's basically lasted for four decades. It's the underlying technology of what's used to secure virtually every transaction online today. The RSA BSAFE software package, we believe (it's difficult to substantiate, but we believe), is the most widely used single piece of software in the history of the world.
It's an area that RSA has taken and then innovated with that core technology into areas like identity and security operations and risk management. Some of the ways that that innovation is compounded particularly around the areas of machine learning now and AI, particularly around risk is mind boggling in its magnitude and really inspiring at the same time.
Paul Roberts:
Yeah, so let's just talk about a little bit about the format that we're going to use in this podcast. We've got a number of really interesting guests that we've brought in and interviewed and we're going to be basically pursuing a number of different themes under the big umbrella of digital transformation and the digital risk that goes along with digital transformation. The first order of business for you and I, and our guests, is to really define what digital risk is, what we're talking about when we talk about digital risk. I think most people have a basic understanding of what we're talking about, right? Cyber attacks, software vulnerabilities and people who would seek to exploit them and steal data and intellectual property or extort companies, what have you, those types of problems, but actually digital risk is a much bigger topic.
Peter Beardmore:
We'll discuss digital risk with some thought leaders from RSA, both at that high level, where does digital risk come from and how are organizations wrestling with these challenges, but also bring it down to the practical level and have a conversation about how modernization of the marketing function in an organization, for example, is accelerating the organization forward and simultaneously introducing new risks and vulnerabilities, and how organizations ought to be thinking about that as they're planning to take advantage of new and emerging and disruptive technologies. Then we're going to focus on a number of other, what we call at RSA, the core risk areas that have emerged from our own primary research.
We'll have some clips that talk about that primary research, but cyber attack risk, which is still at the top of everybody's list in terms of the digital risks that they're dealing with. Third party risk management, that's really the fog of battle when it comes to digital risk. Cloud transformations, speaking of fog, but all of the unknowns that come from this motion to the cloud and understanding how to go about managing risk and security in a bifurcated world where you're dealing with a mixture of on-prem applications and infrastructure and multi-cloud applications and infrastructure, and how all that comes together into something that you can actually say, we've got risk rationalized and understood.
We'll talk about workforce. Organizations, workforces are not what they were 20, 30 years ago when-
Paul Roberts:
Huge changes, yeah.
Peter Beardmore:
When we'd show up on day one and fill out all the paperwork, get our ID card, and then check out 20 or 30 years later with a Rolex or a Seiko, probably at my level. That's no longer the case, it's a lot more dynamic. It's a lot more difficult to manage. There're inherent risks that come with all of the digital stuff that employees are coming and going with. How we're managing their access privileges and authentication mechanisms, we'll have a conversation about that.
Paul Roberts:
What the nature of employment is itself. Forget about people don't stay at one company for 30 years, which is of course true, but the relationship between employer and employee is in many cases, depending on the industry you're in, transformed radically and with digital risk implications, gig economy. The need that many companies have and in sectors like retail to spin up and spin down headcount in a very agile way, but how to do that practically and how to manage the risks that go along with it.
Peter Beardmore:
So we hope that you'll continue to join us for these conversations. You're already listening, so thanks for joining us I guess-
Paul Roberts:
We're so charming, how could you not listen to all five episodes?
Peter Beardmore:
I could sit here and talk to you all day.
Paul Roberts:
All day.
Peter Beardmore:
We do in fact have five episodes planned after this meandering conversation and we'll be releasing them periodically over the next few weeks and-
Paul Roberts:
It's a season, it's season one really.
Peter Beardmore:
Season one of Risk-
Paul Roberts:
Risk Recordings With RSA.
Peter Beardmore:
Risk Recordings With RSA, I got to commit that to memory now that we have a title. We'll get season one out, please subscribe, please give us your feedback, let us know what you think of it. We will continue to improve based on your feedback. We'll see where this takes us, but-
Paul Roberts:
Are we going to need our own Twitter handle?
Peter Beardmore:
We probably do. That's something we need to figure out.
Paul Roberts:
I'm really looking forward to it, we've got some really great conversations already. I'm really looking forward to exploring this terrain with you.
Peter Beardmore:
All right. Well, thanks, Paul. Thanks for doing this with us.
Paul Roberts:
Yeah, I'm thrilled.
Peter Beardmore:
All right, let's go.
Paul Roberts:
Ciao.