February 21, 2024

00:40:34

Episode 244 Deep Dive: Mark McClain | Enhancing Security Resilience: Identity as the Key Accelerant for Business Success

KBKAST

Show Notes

In this episode, we are joined by Mark McClain (CEO and Founder of SailPoint), as we dive deep into the pivotal role of identity as a fundamental control point and lens for understanding security in organizations. Mark emphasises that while traditional security measures such as firewalls and network security remain vital, identity security is equally critical for protecting data and driving business momentum. Moreover, the conversation delves into the challenges of balancing convenience and security, particularly with the rise of AI and machine learning in security measures. Mark highlights the limitations of current security tools in being “identity blind,” stressing the need for better tooling and processes to identify and respond to security threats more efficiently.

In his role as CEO and Founder of SailPoint, Mark brings almost 35 years of experience in technology, with over 20 years as a founder and leader of innovative identity management companies. Under Mark’s direction, the company has grown into a publicly recognized leader in its market. Mark directs and drives the overall vision and strategy for SailPoint, which is underpinned by his commitment and passion for building top-performing teams, creating a collaborative and innovative work environment, and focusing continuously on the needs of customers.

Teaming is a concept that Mark promotes throughout the company: teaming with forward-thinking customers to understand their needs, with partners to ensure customer success, and ultimately within SailPoint to develop innovative, market-leading solutions. Mark is passionate about maintaining the spirit of teamwork, even as SailPoint grows its employee base and its global presence to offices around the world.

Prior to SailPoint, he co-founded Waveset Technologies, which was ultimately acquired by Sun Microsystems. Mark’s career also includes diverse experience in international sales and marketing with Hewlett-Packard and IBM/Tivoli Systems.


Episode Transcript

[00:00:00] Speaker A: You've got to begin to get your arms around the importance of identity as a fundamental control point, a fundamental lens for understanding security in the organization. It's not to the exclusion of others. You still need firewalls, you still need network security, you still need device security, but you also need identity security. You also need to understand the access privileges and how those map to data and how that either leaves your data protected or exposed.
[00:00:30] Speaker B: This is KBKAST as a primary target.
[00:00:34] Speaker C: For ransomware campaigns, security and testing and.
[00:00:37] Speaker B: Performance risk and compliance.
[00:00:39] Speaker D: We can actually automate that, take that.
[00:00:41] Speaker E: Data and use it.
[00:00:44] Speaker B: Joining me in person is Mark McClain, chief executive officer and founder from SailPoint. And today we're discussing driving business momentum.
[00:00:52] Speaker E: With identity as the accelerant. So, Mark, lovely to meet you and welcome.
[00:00:57] Speaker D: Thank you, Krista, nice to meet you as well.
[00:00:59] Speaker E: So you've been in the game for a while, 35 years and change maybe.
[00:01:03] Speaker B: Let's start with your view then on.
[00:01:05] Speaker E: The industry, and then what are you.
[00:01:08] Speaker B: Sort of seeing now after leaving the US coming to Australia?
[00:01:11] Speaker A: Is there anything that sort of stands out for know? It's been a fascinating journey, Chris.
[00:01:15] Speaker D: I think in many ways identity wasn't even thought of as its own unique.
[00:01:20] Speaker A: Space when I first got into this marketplace.
[00:01:23] Speaker D: And it was more about kind of users.
[00:01:26] Speaker A: How did users access systems with the term, we used to literally use the term user management.
[00:01:31] Speaker D: And I always like to say, by.
[00:01:32] Speaker A: The way, the only two fields in the world where we refer to users are IT and drugs, and that doesn't seem like a good thing. But anyways, we'll leave that for another day.
[00:01:39] Speaker D: But when you get down to it.
[00:01:41] Speaker A: Identity has transformed in many ways as an important dialogue, particularly in the realm of security, partly because of other fundamental shifts in technology. And the big ones we're all quite.
[00:01:51] Speaker D: Familiar with, right, the rise of the Internet and now cloud based computing, mobile computing, it shifted so much of the.
[00:02:00] Speaker A: Core structure of the IT industry.
[00:02:02] Speaker D: When I got in this industry a.
[00:02:04] Speaker A: Long time ago, right, big important customers had all their important data and applications on their own proprietary mainframe running over.
[00:02:11] Speaker D: Their own proprietary network to desktops, really at the time, terminals that they controlled, right?
[00:02:17] Speaker A: So if you think about it, they owned and controlled that entire technology value chain.
[00:02:22] Speaker D: So while they cared about the users.
[00:02:24] Speaker A: That were on that value chain using that technology, they didn't really worry about.
[00:02:29] Speaker D: It because it was such a protected path, if you will. Right?
[00:02:33] Speaker A: And over time, what's happened is now, in a typical large enterprise, the applications they run are in the cloud. Maybe they control them, likely they don't, because they're from a SaaS vendor. The Internet they're running over is the big-I Internet that everybody shares. And the device that's being used to access it is not belonging to the company.
[00:02:51] Speaker D: It's probably a personal device. So one of the things that's emerged.
[00:02:54] Speaker A: Out of that is identity has become kind of the common factor that links that person, or increasingly that non human entity, to that organization and its important data.
[00:03:04] Speaker D: And I think if you think about it, that's been the rise of the focus on identity.
[00:03:08] Speaker A: That, plus the attackers have figured out it's their most lucrative and fruitful area of attack. So because it's the place where we can kind of most retain a sense.
[00:03:18] Speaker D: Of who is actually accessing the data.
[00:03:21] Speaker A: This organization cares about.
[00:03:22] Speaker D: And the attackers have figured out, if.
[00:03:23] Speaker A: I can compromise identity, I get access to that data. It's put all this focus on it from a security and business value standpoint.
[00:03:30] Speaker D: And then real quickly at the end.
[00:03:32] Speaker A: You asked about Australia. I would say, thus far, in my.
[00:03:34] Speaker D: Exposure to the Australian market, I really.
[00:03:36] Speaker A: Don't see a lot of uniqueness, and that's actually a good thing.
[00:03:39] Speaker D: What I mean is I think the.
[00:03:41] Speaker A: Australian government, the Australian business community, is.
[00:03:44] Speaker D: Looking at this problem pretty similarly to the way large organizations and governments are.
[00:03:49] Speaker A: Looking at it everywhere. Right? They're trying to control and protect identity.
[00:03:54] Speaker D: And access to data.
[00:03:56] Speaker A: There's a lot of regulatory backdrop to all of this. And so I think we can kind of talk about various things that are happening globally, and I think it's going to pretty easily map to what I'm.
[00:04:06] Speaker D: Seeing in Australia as well.
[00:04:07] Speaker B: So over the years, was there any.
[00:04:09] Speaker E: Sort of pivotal moment that identities had a big shift? Is there anything that sort of stands out?
[00:04:15] Speaker B: And do you think we're going through something similar at the moment?
[00:04:18] Speaker E: Again, good question.
[00:04:20] Speaker A: The second part of that, particularly the first part, I'd say there were a few along the way, and I'll date myself a bit.
[00:04:26] Speaker D: Some of these are older stories, but there was a famous internal breach of.
[00:04:31] Speaker A: A big French bank called Société Générale, which I can't do French very well, but SocGen was the way all of the Americans refer to that. And it was this famous story of an unusual circumstance where a guy had been in the technology organization, had migrated to being an actual trader banker, but still retained access privileges that he used to have in his old job.
[00:04:52] Speaker D: He started to go rogue. He started to make some risky bets.
[00:04:55] Speaker A: He started to do things that were not working out well financially and because.
[00:04:59] Speaker D: He had inappropriate access, he was able.
[00:05:02] Speaker A: To cover his tracks for a long time, and ultimately this thing was hidden for far too long.
[00:05:08] Speaker D: And then when it was exposed, it.
[00:05:10] Speaker A: Literally almost ruined the bank. It was like a $7 billion loss.
[00:05:14] Speaker D: To the bank, and he was able.
[00:05:15] Speaker A: To kind of protect himself from discovery because of poor identity and access management.
[00:05:21] Speaker D: That was probably one of the first.
[00:05:22] Speaker A: Big stories in, like, the late 2000s, probably. That was an 910 somewhere in that range story.
[00:05:28] Speaker D: The next big one, I think, and.
[00:05:29] Speaker A: I know this was in the US, but I think it rippled around the world. There was a significant breach at Target.
[00:05:34] Speaker D: The big retailer, and ultimately that cost.
[00:05:36] Speaker A: The CISO and the CIO and the.
[00:05:39] Speaker D: CEO their jobs because it was such.
[00:05:42] Speaker A: A clear failure to protect the organization's information.
[00:05:45] Speaker D: I'd say those were two of the most seminal shifts that kind of highlighted.
[00:05:50] Speaker A: The security risk related to identity and.
[00:05:52] Speaker D: Access, honestly, Chris said, the other has.
[00:05:54] Speaker A: Been the pandemic and the ripple effects from the pandemic, because when we suddenly.
[00:05:59] Speaker D: And drastically shoved everybody out of their.
[00:06:02] Speaker A: Offices and told them to go work.
[00:06:03] Speaker D: From home, a lot of the protections.
[00:06:05] Speaker A: That security organizations had put in place.
[00:06:07] Speaker D: Became not relevant because they assumed you were working from an office on equipment.
[00:06:13] Speaker A: That they had vetted and were sure was protected. And all of a sudden, you're going home, logging in from your kid's laptop, trying to access the corporate systems, and guess what? That wasn't as protected.
[00:06:23] Speaker D: And all of a sudden, we saw.
[00:06:24] Speaker A: A lot of bad behavior from the evil guys and just awareness. Even if there wasn't a breach or bad behavior, the security professionals literally, I feel like all around the world, woke.
[00:06:34] Speaker D: Up and went, this is bad.
[00:06:36] Speaker A: This is not good. That all these people are now accessing.
[00:06:40] Speaker D: Important data from systems we don't understand.
[00:06:43] Speaker A: Necessarily or control, and we cannot see, i.e. we don't have the visibility to understand what exactly they're doing.
[00:06:50] Speaker D: And everybody quickly understood that's risk. That represents significant risk, and it wasn't.
[00:06:55] Speaker A: A point in time. Chris, I think the last thing I'd point to is the rise of phishing. Right?
[00:06:59] Speaker D: Like, clearly the bad guys have figured.
[00:07:02] Speaker A: Out that is one of their best attack vectors because ultimately of bad IAM practices. If I can phish you and get.
[00:07:09] Speaker D: You to give me a credential, that may not be that important, but like.
[00:07:13] Speaker A: So many people, you use that same.
[00:07:15] Speaker D: Password at home for Facebook that you do at work for a bunch of important systems. There's this concept of a blast radius.
[00:07:23] Speaker A: Which is a newer concept in identity. If I compromise this credential, how broad.
[00:07:28] Speaker D: Is the blast radius?
[00:07:30] Speaker A: What kind of damage can I do? And it turns out quite often the.
[00:07:33] Speaker D: Blast radius is very large because there's.
[00:07:36] Speaker A: Poor practices and people aren't protecting unique authentication methods. And all of a sudden I compromised you here. Now I can leverage that in a completely different environment and do a lot of damage.
[00:07:48] Speaker D: I think those are some of the.
[00:07:49] Speaker A: Key points along this journey that have woken everyone up. Is there something your last part of your question was, is there something today? I think it's this continued rise of the focus on phishing as an attack vector, on identity effectively as an attack.
[00:08:02] Speaker D: Vector, and the recognition and large corporations.
[00:08:05] Speaker A: They are not well prepared to fight this. They don't have the right technology and.
[00:08:10] Speaker D: The visibility to understand who exactly has the right access to the data they care about.
[00:08:16] Speaker A: And is it well managed and protected?
[00:08:18] Speaker E: I want to come back to that.
[00:08:19] Speaker B: Point you made, but just before that you said going rogue. I've been reading a lot of articles.
[00:08:24] Speaker E: Lately of a lot of insider threats. Do you think from your experience that.
[00:08:29] Speaker B: We are starting to see more people going rogue now?
I think the impetus for this person doing this was because they didn't get a pay rise. With all how much things are going up and the cost of living and.
[00:08:41] Speaker E: Person went rogue, do you think that.
[00:08:43] Speaker B: Will start to creep in more because obviously we want to trust our employees. Of course you get the occasional rogue.
[00:08:48] Speaker E: Player, but will that become more prevalent.
[00:08:51] Speaker B: Would you say, moving forward?
[00:08:52] Speaker A: I think it's a great observation. My sense is it will become slightly more prevalent.
[00:08:58] Speaker D: It will still be dwarfed by compromised identities, by bad actors. So today when we use the term.
[00:09:04] Speaker A: Insider threat, we sort of have incorporated not only a true insider going rogue.
[00:09:09] Speaker D: Or we used to say sometimes they.
[00:09:12] Speaker A: Do something intentionally wrong, quite often they do something unintentionally wrong and break something or accidental deletion of data, whatever. But we kind of today, in that umbrella term insider threat, wrap in what appears to be an insider, which might actually be an outsider, right. Someone's gotten inside compromised credentials and now they are behaving as an insider doing bad things.
[00:09:32] Speaker D: The famous case on this one that.
[00:09:34] Speaker A: We mostly haven't been familiar with, even though it was also a US story.
[00:09:37] Speaker D: Was Jeffrey Snowden, right, who as a valid military employee had a lot of.
[00:09:43] Speaker A: Powerful access and abused that access privilege and did a bunch of bad stuff with that data. Those stories make the headlines and they can be quite disturbing.
[00:09:52] Speaker D: But from our sense and somewhat data, we have some data on this.
[00:09:57] Speaker A: We probably don't have full visibility on.
[00:09:58] Speaker D: This far more compromises and breaches happen.
[00:10:00] Speaker A: By fake insiders than real insiders going rogue. But I think you're right.
[00:10:04] Speaker D: Tough economic conditions.
[00:10:06] Speaker A: Organized crime is a bigger factor than it used to be.
[00:10:09] Speaker D: When I'm a run of the mill.
[00:10:12] Speaker A: Employee making moderate income, and I get a call from somebody who says, hey.
[00:10:16] Speaker D: Here's $20,000 to give me a key password, they might consider that.
[00:10:21] Speaker A: And so you see kind of crime.
[00:10:23] Speaker D: As another factor in this as well.
[00:10:25] Speaker E: Yeah, I guess because of just everything.
[00:10:27] Speaker B: That's happening now, it's more enticing for.
[00:10:28] Speaker E: Someone they are on making what they want. It could be a driving factor, but.
[00:10:34] Speaker B: Going maybe back toward the compromised credentials.
[00:10:37] Speaker E: Interesting thing about that is just say.
[00:10:39] Speaker B: I'm the accidental employee and I didn't mean to click on something phishing link.
[00:10:44] Speaker E: Compromise the credentials and then security team.
[00:10:47] Speaker B: Get alert and say, hey, Chris, have.
[00:10:48] Speaker E: Been dodgy, she's gone rogue. What then happens?
[00:10:52] Speaker B: Because obviously you've got to quarantine that person to make sure that they wasn't an accidental rogue person.
[00:10:57] Speaker E: Or was it intentional? How does that then play out? Because that's going to be pretty awkward.
[00:11:03] Speaker B: If I'm getting accused of doing something which was unintentional.
[00:11:07] Speaker E: So how fast do you sort of see that scenario playing out?
[00:11:11] Speaker A: No, that you are at the crux of some of the most painful parts.
[00:11:14] Speaker D: Of this arena, which is, on the one hand, the trend toward digital transformation.
[00:11:20] Speaker A: And rapid evolution of technology says make it as fast and easy to do things as possible.
[00:11:25] Speaker D: And then good security says slow down and be careful. Those things are clearly in conflict. So to your point, one of the things.
[00:11:32] Speaker A: That's difficult about this space today is when an operation security operations center, network operations center, sees what appears to be some bad things happening, data being exfiltrated on the network. They're pretty hesitant to say, shut that down because they don't always know if that's actually a valid actor just doing something unusual, downloading a lot of data for an upcoming meeting or report, or is it a bad actor exporting data in an unhealthy way? And so the downside risk of cutting off access and realizing you just cut off the CFO who's now very angry.
[00:12:03] Speaker D: At you and might fire you, causes.
[00:12:05] Speaker A: Many people to say, I will raise a flag to say, that doesn't look.
[00:12:08] Speaker D: Good, but I'm not stopping it immediately. So one of the tensions we have.
[00:12:12] Speaker A: Today is that tension. Another, what you just said in your example is, okay, so maybe I really.
[00:12:17] Speaker D: Do figure out someone who appears to.
[00:12:20] Speaker A: Be Carissa seems to be doing something bad.
[00:12:23] Speaker D: So I'd like to put a stop.
[00:12:24] Speaker A: To that right away. Here's one of the big challenges today without good visibility, what we consider the rudiments of our space, which is, do you understand everything Carissa has access to.
[00:12:34] Speaker D: At any point in time, back to our blast radius point.
[00:12:37] Speaker A: Even if I can shut you down right now, because I see you doing something bad, and maybe it's not you.
[00:12:42] Speaker D: It appears to be you doing something.
[00:12:44] Speaker A: Bad on one system. What I really ought to do is simultaneously shut down every access you have.
[00:12:49] Speaker D: Just in case you have been compromised.
But to do that, I have to know everything you have, and I have to have it kept in one consistent space that doesn't exist for almost every.
[00:12:59] Speaker A: Large organization in the world.
[00:13:00] Speaker D: There is no single data point in the organization that says, here's Carissa.
[00:13:05] Speaker A: Here's what she does for our organization.
[00:13:07] Speaker D: She could be an employee.
[00:13:08] Speaker A: She could be a contractor. She could be an external third party. She could be a non human identity.
[00:13:12] Speaker D: Who's just a program, right?
[00:13:15] Speaker A: And ideally, I'd like to have in one place every connection point, every data.
[00:13:19] Speaker D: Access that you have, so that if I believe you've been compromised, I can either flag it at least, and maybe.
[00:13:26] Speaker A: At most, just shut it down, cut.
[00:13:27] Speaker D: It off until I can go do.
[00:13:29] Speaker A: Some forensics and understand how bad this is, right? That's almost impossible for most large organizations because they don't have that visibility.
[00:13:35] Speaker D: They don't have a single repository of.
[00:13:38] Speaker A: All the identities they care about and all the access those identities have. That's one of the things that people are freaking out about today in our.
[00:13:45] Speaker D: Space, is I don't even have that data. So I can't take action to say.
[00:13:49] Speaker A: Carissa appears to have been compromised.
[00:13:51] Speaker D: I better shut down everything she has access to.
[00:13:53] Speaker E: So going back to the point of Carissa looks suspicious, even if she's not. It gets flagged. But then what about that lead time? That could be days, weeks, hours.
[00:14:05] Speaker B: What if it actually was compromised?
[00:14:08] Speaker E: Credentials gets flagged. No one does anything, though, starts to.
[00:14:12] Speaker B: Obviously move laterally, then throughout the organization.
[00:14:14] Speaker E: What happens then?
[00:14:15] Speaker A: Breaches happen and data gets stolen and people pay money.
[00:14:19] Speaker D: That's what we're all reading about today, right?
[00:14:21] Speaker A: That is what happens.
[00:14:22] Speaker D: Because we aren't currently equipped well with.
[00:14:27] Speaker A: Tooling and processes to identify those things quickly, understand the connection points, and ideally, shut them down, which is why we have some of the problems we have today.
[00:14:35] Speaker D: So these are the things we have to get better and better at in the security landscape.
[00:14:39] Speaker A: One of the big ones. Chris, I know you have a security.
[00:14:41] Speaker D: Background is quite often many of the.
[00:14:44] Speaker A: Security tools are what we call identity blind.
[00:14:46] Speaker D: Right? They're network monitoring tools.
[00:14:49] Speaker A: There's device monitoring tools.
[00:14:51] Speaker D: Think of vendors like Palo Alto and.
[00:14:54] Speaker A: CrowdStrike and other really competent, great vendors in the realm of security. But quite often they see something that doesn't look right, or they see a behavior or something that concerns them. They usually can only connect that to an IP address, a MAC address of a system.
[00:15:08] Speaker D: They don't know who is doing that.
[00:15:10] Speaker A: And without that knowledge of who they are. Also kind of unsure what to do other than to flag it and escalate it up into a security operations center somewhere.
[00:15:19] Speaker D: Say, this doesn't look good. You should figure out what's happening here.
[00:15:23] Speaker A: And again, most CISOs will say that's.
[00:15:25] Speaker D: When they quickly have to try to map. I guess that's the right term here.
[00:15:30] Speaker A: Map this, what appears to be a security problem, over to an identity to figure out what exactly is this? And do I have a problem right.
[00:15:37] Speaker D: Now or do I not?
[00:15:39] Speaker E: Would your advice be, I get flagged for being suspicious, get a human to look at it.
[00:15:47] Speaker B: But then that depends on lead time. Maybe the guy that looks at it's away on a holiday.
[00:15:51] Speaker E: How does that all then work? Because you don't know what, in terms.
[00:15:56] Speaker B: Of volatility of the person or potential.
[00:16:00] Speaker E: Person you're dealing with or issues.
[00:16:03] Speaker B: How does that sort of look then? Because isn't that when, if that lead.
[00:16:06] Speaker E: Time is too slow, not long enough.
[00:16:08] Speaker B: To do proper forensics, then you've got a problem. How are people addressing that from your experience?
[00:16:13] Speaker A: Well, you said it. And all kidding aside, I think this is one of the many areas, and.
[00:16:17] Speaker D: There are many, that security vendors in.
[00:16:19] Speaker A: General, SailPoint, particularly other identity vendors, are looking at to leverage some of these emerging technologies, to do a lot of pattern recognition with large language models that can process reams and reams of data and say, okay, that thing that looked like it might have been Carissa going rogue, well, I've now got maybe patterns over months of your behavior, other people in your similar job roles, behavior.
[00:16:43] Speaker D: And if I can go, look, I'll.
[00:16:45] Speaker A: Just make this up. Instead of you being security, you're a financial analyst and you're downloading a bunch of data. It's the end of the quarter, and everybody in your group is downloading a bunch of data because they're preparing financial reporting.
[00:16:55] Speaker D: Right.
[00:16:55] Speaker A: You could start to see how the.
[00:16:57] Speaker D: Intelligence of understanding patterns of access patterns of data movement, mapping that against something.
[00:17:03] Speaker A: That maybe a network tool says, hey, this looks like it's a problem. And the AI tool could say, no, it's not.
[00:17:09] Speaker D: This is a normal thing. Another example we used to use all the time. Say if you see a bunch of.
[00:17:13] Speaker A: Data getting downloaded from a laptop in the middle of the night in China.
[00:17:17] Speaker D: You might be nervous unless you also.
[00:17:19] Speaker A: Had the data that the CFO was.
[00:17:20] Speaker D: On a business trip in Shanghai and.
[00:17:22] Speaker A: It was his laptop, and you'd say.
[00:17:24] Speaker D: That's probably legitimately the CFO. But today, good luck mapping those two pieces of data.
[00:17:30] Speaker A: Right?
[00:17:30] Speaker D: They're existent. You could literally tap his calendar and.
[00:17:34] Speaker A: Tap the data system and tap the network security tool.
[00:17:38] Speaker D: Just think of the intelligence that kind.
[00:17:40] Speaker A: Of potentially exists out there to do things like that.
[00:17:42] Speaker D: We have nowhere near that today, but scale and just those systems aren't all tied together in any typical enterprise.
[00:17:49] Speaker A: Do you know anybody who ties in.
[00:17:51] Speaker D: Outlook calendar information into security breaches? I don't, but I believe we're going.
[00:17:56] Speaker A: To get to things like that in the not too distant future.
[00:17:59] Speaker D: So we can start to say, how.
[00:18:00] Speaker A: Many pieces of information do I have.
[00:18:03] Speaker D: That I can map against this real time activity that I'm seeing and see.
[00:18:08] Speaker A: If that actually looks like it might.
[00:18:10] Speaker D: Be a problem, or maybe it's not a problem. I think we're going to get better.
[00:18:14] Speaker A: And better at real time because you started with, how long does this go undetected?
[00:18:18] Speaker D: Or once it is detected, how long.
[00:18:19] Speaker A: Before I take action? And what action do I take?
[00:18:22] Speaker D: I think we're going to.
[00:18:22] Speaker E: That's the gap where bad things can happen.
Then I also understand to be like, well, we don't know.
[00:18:28] Speaker B: We got to take an educated guess. Maybe someone's not there that day and they've missed it, and then we got a problem.
[00:18:35] Speaker E: But then also I understand that AI.
[00:18:36] Speaker B: Is not going to solve world hunger.
[00:18:38] Speaker E: Either, so therefore, how does all that work?
[00:18:43] Speaker B: There still has to be a little bit of gray there.
[00:18:44] Speaker A: Yeah, we're still always going to have AI. We've all seen some of these writings. The term augmented intelligence is out there as well is another unpacking of the acronym from artificial. I love that term because I think in many cases that's what we're actually going to see.
[00:18:58] Speaker D: We're going to see the system and.
[00:19:00] Speaker A: All its data gathering and data analyzing.
[00:19:02] Speaker D: Capabilities using AI concepts and machine learning.
[00:19:06] Speaker A: To quickly identify things that could be problematic or look anomalous or whatever. But then we'll probably in many cases, insert real intelligent humans who know how.
[00:19:16] Speaker D: To map something or they have some.
[00:19:19] Speaker A: Context that maybe the systems haven't yet.
[00:19:21] Speaker D: Been made aware of yet.
[00:19:23] Speaker A: That I think in many cases we'll still see the technology used to escalate and gather more intelligence very rapidly, but not necessarily to make an unaided decision.
[00:19:33] Speaker D: We still may want to pull a.
[00:19:35] Speaker A: Human with great levels of expertise who knows this business well to say, oh.
[00:19:39] Speaker D: I know what's happening, right?
[00:19:41] Speaker A: Because it's going to be a while before the systems can mimic all the intelligence that a team has that's been working in that organization for years and.
[00:19:49] Speaker D: Knows the business cycle, for instance, of that organization. I think AI is going to solve.
[00:19:53] Speaker A: A lot of problems. We're very bullish on how much AI will accelerate and help us in this arena, but very seriously, we don't think AI is going to solve it all.
[00:20:01] Speaker D: In the next five or ten years.
[00:20:02] Speaker E: It's not sure that's fair enough. And then just quickly as I'm talking to you, Mark, what about privilege account management?
[00:20:11] Speaker B: Like, going back to what level of access people have? I've experienced this myself. Working in a large enterprise, you get a random email from someone in identity access management saying, hey, you have very high access for this system. Why is that? You put a whole business case together.
[00:20:26] Speaker E: About why you have it. How do people handle that? If you've got like 50,000 people and.
[00:20:31] Speaker B: People need certain credentials, people move, get fired, they get demoted, promoted, how does.
[00:20:36] Speaker E: Someone handle all of that?
[00:20:39] Speaker A: I think we're going to see somewhat of a shift. You asked about trends, and this is one of the ones we think is.
[00:20:43] Speaker D: Going to be a bit of a trend. Historically, the way this industry evolved, like privilege became its own specialized area of the technology.
[00:20:52] Speaker A: Right. There was kind of general IAM, identity.
[00:20:54] Speaker D: And access management, all users, all applications and data. And then there was sort of this.
[00:20:59] Speaker A: Specialized focus on a set of privileged users. Usually that was things like database administrators.
[00:21:05] Speaker D: Or systems administrators, even application administrators who.
[00:21:09] Speaker A: Had tremendous power in the technology.
[00:21:11] Speaker D: So we wanted to be sure we.
[00:21:12] Speaker A: Knew exactly who was doing what.
[00:21:15] Speaker D: That's where things like session recording and.
[00:21:18] Speaker A: Identity vaulting came from.
So we could be sure that when Carissa logged in as the system admin, I knew it was Carissa, and I watched every keystroke Carissa did, so that if something bad happened, I knew exactly where it came from.
[00:21:30] Speaker D: Right.
[00:21:31] Speaker A: I think where privilege is headed is.
[00:21:33] Speaker D: Going to be far more dynamic than that. Static. What I mean is, to your point.
[00:21:38] Speaker A: Today, we have thought of it traditionally as static. You either are or are not a.
[00:21:42] Speaker D: Privileged user on some system. I think where we're going to head over time is privilege will be kind.
[00:21:48] Speaker A: Of, I'll call it a grayscale attribute that can be dialed up or down.
[00:21:52] Speaker D: Depending on the person, the system, the data that's being accessed, the context of that access. Right.
[00:21:59] Speaker A: In an ideal world, back to our.
[00:22:01] Speaker D: Covid example, if you're a financial analyst.
[00:22:04] Speaker A: And you were working in the office on a secure system, secure network, and then Covid hit and I sent you home and you might have logged in from your kid's system, I'd like to escalate the privilege. I'd like to demand greater authentication or higher levels of validation before I let you onto that system because I don't see that.
[00:22:21] Speaker D: I know that laptop. It's not the laptop you usually log in from.
[00:22:24] Speaker A: So in real time, I would quote, escalate privilege.
[00:22:27] Speaker D: Right. I think that's just, again, a simple example of privilege as a concept we.
[00:22:33] Speaker A: Think is going to be far more dynamic in the coming years.
[00:22:35] Speaker D: It won't be you are or are.
[00:22:37] Speaker A: Not a privileged user, or this is or is not a privileged account.
[00:22:40] Speaker D: It'll be, are you in a situation.
[00:22:43] Speaker A: Where privileged access is required? And for some systems it will be.
[00:22:46] Speaker D: Every time privileged access is required. [00:22:49] Speaker A: For many others, I think it'll be contextual. [00:22:51] Speaker D: Time of day, location, system, other patterns. [00:22:55] Speaker A: Again, maybe I have another piece of data that Chris on a completely different system appears to be compromised. I'd like to quickly replicate that over and go. I'm going to demand a second level of authentication when Carissa tries to log. [00:23:06] Speaker D: Into the Unix server because on Outlook, I think I see some compromise with Carissa's account again today. [00:23:12] Speaker A: These are not systems that are even tied together. [00:23:14] Speaker D: But if you just think of it. [00:23:15] Speaker A: As an intelligent security person, you can see where that would be great to. [00:23:19] Speaker D: Know before Carissa or who appears to. [00:23:21] Speaker A: Be Carissa logs in and does this very important thing on a privileged system. [00:23:25] Speaker D: If I've seen evidence in some other. [00:23:27] Speaker A: System that Carissa might be compromised, I'd like to quickly map that over here and possibly block it or demand a higher level of authentication. That's where the kinds of things I. [00:23:36] Speaker D: Think we're going to see in privilege. [00:23:37] Speaker A: Very real time, very dynamic, very contextual. [00:23:41] Speaker E: So just to have this correct, I go home. [00:23:45] Speaker B: Then going back to your comment before. [00:23:47] Speaker E: About dialing up or down if it's after hours, maybe I'm not allowed to access certain systems. [00:23:54] Speaker A: Or maybe you just have to have a second factor of authentication to access that. [00:23:57] Speaker D: Maybe you can still access it, but. Right. [00:23:59] Speaker A: Normally you don't have to give me a thumbprint, but now I want a. [00:24:02] Speaker D: Thumbprint because I want to make sure. [00:24:03] Speaker B: It's you on the time of the. 
[00:24:04] Speaker E: Day I'm trying to access this. [00:24:06] Speaker A: That could be a factor. Location could be a factor. The hardware from which you're trying to access it. What if your laptop broke? This might happen all day, every day in companies that I know of. Your laptop isn't working. [00:24:16] Speaker D: So I get to my iPad, which. [00:24:18] Speaker A: I don't normally use to access my systems, and I come into the SaaS application, and all of a sudden, the. [00:24:23] Speaker D: SaaS application goes, that sounds kind of. [00:24:26] Speaker A: Looks like Carissa, but I'm not used to seeing Carissa come from that system. Let me just ask her for another piece of information to verify that it's Carissa. Were you a privileged user at that. [00:24:35] Speaker D: Point, or was I just wanting to. [00:24:37] Speaker A: Verify strongly that it was really you? [00:24:39] Speaker D: Because something was different. I think that's the level of dynamism we're going to see coming. [00:24:44] Speaker E: So then why do you think, historically. [00:24:45] Speaker B: We've had this very binary approach. [00:24:47] Speaker E: Yes or no? [00:24:48] Speaker D: The way we evolved. [00:24:49] Speaker A: You know what? The nature of technology is that it evolves. And if we were really smart, this is a bad example. Here in Australia, your country isn't that old. Like, my country of America is not that old. But if you go to places like. [00:25:00] Speaker D: England and you're on these crazy, twisty roads, you're like, what drunk civil architect designed this road? [00:25:07] Speaker E: Well, you know, pretty bad here in Sydney. [00:25:08] Speaker A: Okay, well, and you're only a couple hundred years old, so shame on you. But here's my point. [00:25:13] Speaker D: There's this great phrase. [00:25:14] Speaker A: I heard this in a talk years ago. [00:25:16] Speaker D: Paving the cow path, right? [00:25:18] Speaker A: Like many roads in old countries were. 
[00:25:21] Speaker D: Once a cow path, and then they. [00:25:23] Speaker A: Became a cobblestone road. And later on, they got paved with. [00:25:26] Speaker D: Pavement, but they still track that same. [00:25:29] Speaker A: Journey because somebody didn't take the time to go, you know what we really should do? We should knock all that down and. [00:25:34] Speaker D: Build a really straight road. [00:25:35] Speaker A: And so you see that in organizations, as they evolve technology all the time. [00:25:39] Speaker D: They kind of evolve, and they develop. [00:25:42] Speaker A: Ways to do things with whatever they have currently available in their business processes and technology. And ten years later, somebody new walks in and goes, why are we doing it that way? [00:25:51] Speaker D: And it's paving the cow path. [00:25:52] Speaker A: And we used to see that all. [00:25:53] Speaker D: The time in technology, right, where things. [00:25:56] Speaker A: Evolved along a journey. And people said, oh, I've got this new important account. I need some special system to make sure that's very secure. And we developed that system to solve that problem. [00:26:06] Speaker D: But when I paint these pictures of. [00:26:07] Speaker A: The way the world is all interconnected. [00:26:09] Speaker D: And interrelated, now why would that be. [00:26:11] Speaker A: A specialized system for that one unique access? Why would you, Carissa, be managed with one tool for nine of your login systems, but another tool? [00:26:20] Speaker D: Because it was Unix, for instance. Right? Like, why would we do that? [00:26:24] Speaker A: Oh, because that's the way we evolved. But if I designed it from scratch. [00:26:27] Speaker D: I probably wouldn't have done that. [00:26:29] Speaker B: I guess we've got more systems that we log into. [00:26:31] Speaker E: Now. Back in the day it was like two systems. [00:26:33] Speaker D: Exactly. 
[00:26:34] Speaker A: And by the way, back in the day, my organization built all those systems, right? And then commercial software packages begin to evolve. Then SaaS has shown up where now it with the famous shadow IT term. Now the IT team often doesn't even know all the systems you're accessing to do your job. How are they supposed to control and manage that? They don't even know what they are. [00:26:52] Speaker D: Right. So back to evolution, because we've evolved. [00:26:57] Speaker A: In ways people might not have predicted 20 years ago. [00:27:00] Speaker D: We've got approaches to security that may. [00:27:02] Speaker A: Or may not make very good sense based on the way technology is used today, but that's because it wasn't designed. [00:27:07] Speaker D: For that 20 years ago. [00:27:09] Speaker E: So going back to your visibility point. [00:27:11] Speaker B: This is something that I often think about, especially now with people working from anywhere, working from home. You get told you can't use that. [00:27:19] Speaker E: System, it's not secure. But going the rigmarole way of this security person's journey is too hard. [00:27:26] Speaker B: Basket couldn't be bothered because I want. [00:27:28] Speaker E: To finish my work day and watch television or whatever. So then I start to find another. [00:27:34] Speaker B: System which then becomes shadow IT. How does that then work with gaining the visibility? Because then, of course, you don't even know because people aren't even in office. You can't even walk over and say. [00:27:44] Speaker E: Well, that's a bit of a dodgy system there, Mark. So how are people going to start. [00:27:48] Speaker B: Monitoring that when you've got people logging. [00:27:50] Speaker E: In from wherever, wherever, at home, in cafes now it's going to get harder to manage that. [00:27:57] Speaker B: And I understand from a consumer point. [00:27:59] Speaker E: Of view of shadow IT occurs because things are hard to do and that. 
[00:28:06] Speaker B: Security person talks down to someone and. [00:28:08] Speaker E: Says, hey, you can't do that. How does that then look moving forward? [00:28:12] Speaker B: Because there are, especially now, cloud and everything like that. There's so many systems we're logging into. [00:28:17] Speaker E: And they're going to keep spinning up. [00:28:19] Speaker B: The way in which everything's moving and people's jobs now are not so just static, to your point earlier. [00:28:25] Speaker E: So I'm just curious how that's going to sort of pan out to go. [00:28:29] Speaker A: Back in time a little again. I think forever in the security technology. [00:28:33] Speaker D: Industry, there's been a tension between convenience. [00:28:36] Speaker A: And control, is the way I always use the terms, right. [00:28:39] Speaker D: Like anything that's convenient usually means less restrictive, therefore less controlled. And that's generally what users want, right. They want to just get their job. [00:28:49] Speaker A: Done, as you said, as quickly and efficiently and effectively as possible. [00:28:53] Speaker D: And the nature of most control systems. [00:28:56] Speaker A: Which is underneath the realm of security and others, right. Is to potentially put friction in place, sometimes quite intentionally. [00:29:03] Speaker D: Right. We put friction in place to slow you down so you can't do something. [00:29:07] Speaker A: Too fast that I don't want you. [00:29:09] Speaker D: To do that might cause damage. [00:29:10] Speaker A: A security analyst famously once said, why do race cars have brakes? [00:29:14] Speaker D: So they can go fast, is the unintuitive answer. Right. [00:29:17] Speaker A: If you're coming up against a wall, a race car driver is only comfortable going very fast into a tough turn because they know at the last second they can brake and make that turn. [00:29:25] Speaker D: So they have the control to go. 
[00:29:28] Speaker A: Fast, knowing that when they need to, they can brake and turn. I think it's a beautiful analogy for security. So what we need increasingly is systems that give people the assurance of control so they can go fast. And ideally, those systems are increasingly invisible. Right. [00:29:44] Speaker D: What we really want is things that. [00:29:46] Speaker A: Are ensuring you are, in fact, secure. [00:29:49] Speaker D: But they don't feel restrictive. Right. [00:29:52] Speaker A: If users feel like they can move rapidly to do creative things and get their job done, and quote, unquote, unbeknownst to them, there are monitoring and tracking. [00:30:01] Speaker D: Things happening, so that, in fact, everything. [00:30:05] Speaker A: You're doing, I'm at least paying attention to. [00:30:08] Speaker D: So some of these examples we use. [00:30:09] Speaker A: If something looks anomalous, all of a sudden I pop up and throw a. [00:30:12] Speaker D: Flag and go, I think you might be doing something you're not supposed to right now. Right. So to your point, because you said. [00:30:18] Speaker A: It's very difficult because users will circumvent or, I mean, look, I'll out our little company, right? We insisted on VPNs for everybody. And when you're on a Zoom call, sometimes the VPN slows your network down. And if you're at home, I'm not getting a good connection, I'll just turn off the VPN. [00:30:33] Speaker D: And then, of course, we have the. [00:30:34] Speaker A: Issue of, did you remember to turn the VPN back on after your Zoom call when you went back onto your important business application. [00:30:41] Speaker D: So we know that, right? [00:30:43] Speaker A: Our technology can monitor, is the VPN active or not? For that person who works for us working from a remote site? [00:30:49] Speaker D: What we're going to have to do. [00:30:50] Speaker A: Is figure out when do we determine. [00:30:53] Speaker D: That based on what you're currently doing. 
[00:30:55] Speaker A: You cannot turn off the VPN. And if it's not on, I will shut you down until you turn it back on. That'd be the kind of control system. [00:31:01] Speaker D: Right, where we'd say, I'm paying attention. [00:31:04] Speaker A: That you're adhering to a policy I care about. And if needed, I will put friction. [00:31:09] Speaker D: I will put restrictions in place to. [00:31:11] Speaker A: Protect the organization, making it slightly less convenient. Back to our tension. [00:31:15] Speaker D: Right, slightly less convenient, but assured. I have the control that I want. I think that's what we're going to. [00:31:20] Speaker A: Continue to see as this game evolves. [00:31:22] Speaker D: Is how do we get better and better at security and control systems, but not slow down user convenience. [00:31:29] Speaker A: And the pandemic, again, was such a great example. We swung the pendulum very hard toward convenience. [00:31:34] Speaker D: We sent everybody home and go try to get your work done as best you can. And we really didn't pay a lot. [00:31:39] Speaker A: Of attention to security and control for a few months. [00:31:41] Speaker E: I started seeing people scrambling, oh, we better go investigate that vendor. [00:31:46] Speaker D: Exactly. [00:31:47] Speaker E: Better go look at Zoom. [00:31:48] Speaker A: Exactly, right. So convenience, we swung over hard because people just had to get their job done somehow, some way in an unexpected situation. [00:31:56] Speaker D: Then we went, oh, all the security professionals went, oh, no, we don't have good control. [00:32:00] Speaker A: We better fix that now. [00:32:01] Speaker D: Right. So I think what you want over. [00:32:04] Speaker A: Time is to kind of manage that pendulum relatively in the middle, right? We swung over to lots of convenience in the pandemic. [00:32:10] Speaker D: I think many of the users felt. [00:32:11] Speaker A: Like we swung control over too hard the other direction in response. 
[00:32:15] Speaker D: And I think where we're going to. [00:32:16] Speaker A: Try to go in the future as much as we can is like, look, I've got to keep those in tension. [00:32:20] Speaker D: I've got to give you the speed. [00:32:22] Speaker A: And convenience you need to move quickly, competitively as a vendor, to do technology. [00:32:26] Speaker D: Things as a company, I should say. But I've got to make sure I'm. [00:32:30] Speaker A: Protecting my information and data. [00:32:31] Speaker D: And I think we just aren't balancing. [00:32:33] Speaker A: That tension very well today in most. [00:32:35] Speaker D: Organizations because it's always tough to be. [00:32:38] Speaker A: The person who says, I want you. [00:32:39] Speaker D: To go a little slower and protect because it appeals to people like, yeah. [00:32:43] Speaker A: But that's not going to happen to me. [00:32:44] Speaker D: You ever had a 16 year old. [00:32:46] Speaker A: Learning to drive who thinks they don't need to brake as often as their parents do. Turns out there's times when people say, look, I've got some experience. [00:32:54] Speaker D: You don't. [00:32:54] Speaker A: I think this is important. You might want to slow down there and be careful going into that hard turn. [00:32:59] Speaker D: Right. So I think this idea that security, I think, increasingly has to be invisible. [00:33:06] Speaker A: Or embedded or like inherent, I should. [00:33:09] Speaker D: Maybe say, in systems, so that we. [00:33:11] Speaker A: Feel safe and protected. [00:33:13] Speaker D: The organization's data feels safe and protected. [00:33:16] Speaker A: But we're getting the advantages of technology. [00:33:18] Speaker D: You asked what inflection points. [00:33:20] Speaker A: How about AI and LLMs itself? [00:33:22] Speaker D: Right? Like, people are like, oh, wow, we. [00:33:23] Speaker A: Got to start using this rapidly because it can help our organization go really fast and do some great stuff. 
[00:33:28] Speaker D: And a bunch of security and even legal professionals are hitting the timeout saying, wait a minute, you better understand where. [00:33:35] Speaker A: That data came from, how that analysis, what algorithms were used to determine that. [00:33:40] Speaker D: Outcome and be careful. Right. [00:33:42] Speaker A: One of my new favorite terms that emerged in the last year was hallucinations. [00:33:45] Speaker D: I didn't know technology could hallucinate. [00:33:47] Speaker E: Wow, what's that about? [00:33:48] Speaker A: A hallucination is where an AI tool. [00:33:51] Speaker D: Literally makes something up and it happens. [00:33:55] Speaker E: How does that work? [00:33:57] Speaker A: It does pattern matching, it does algorithms. [00:34:00] Speaker D: And all of a sudden it goes, I think I see a pattern there and there is no pattern. It literally thinks that. [00:34:06] Speaker E: Isn't it based off. [00:34:08] Speaker A: Now you're at a level of computer. [00:34:09] Speaker B: Science beyond me now going rogue. [00:34:12] Speaker A: Yeah, it's not so much going rogue. It's that these models are still evolving and not completely built out. And so sometimes the model infers is. [00:34:21] Speaker D: Probably the right technology, makes assumptions, and. [00:34:24] Speaker A: As a result says, here's a conclusion. [00:34:26] Speaker D: I mean, we literally had this happen. [00:34:27] Speaker A: Just as an example, we were running tests internally for looking at risky profiles. [00:34:32] Speaker D: Of user access, and we pointed at. [00:34:35] Speaker A: Some data sets, some test data sets, and it literally says, here's a risky profile. [00:34:40] Speaker D: And we're like, that doesn't even exist. There is no profile like that. And we all went, oh. So the only point here being the. [00:34:48] Speaker A: LLM and AI technology is evolving so. [00:34:50] Speaker D: Rapidly that that thing that I just. 
[00:34:53] Speaker A: Described probably won't happen six months from now. [00:34:55] Speaker E: Probably won't. [00:34:56] Speaker D: No, probably won't. [00:34:57] Speaker A: And probably a year from now, definitely won't because they're continuing to refine these models and these tools. But it's just another point of tension between let's go fast, let's take advantage of this great new technology like shadow. [00:35:08] Speaker D: IT users saying, oh, I found this. [00:35:10] Speaker A: Great SaaS app that solves my problem. Are you sure that that SaaS app. [00:35:14] Speaker D: Is protecting our data that you uploaded. [00:35:16] Speaker A: To do analytics or whatever you're doing. [00:35:18] Speaker D: With that SaaS app? [00:35:19] Speaker A: So it's, how do you ensure that people have access to technology for convenience. [00:35:24] Speaker D: And speed, but that you didn't, all. [00:35:26] Speaker A: Of a sudden accidentally lose control and breach security? [00:35:29] Speaker D: That's the tension. [00:35:30] Speaker E: So what frustrates you today about identity? [00:35:35] Speaker D: I think because of this rapid evolution. [00:35:38] Speaker A: This is me after 20 years in the industry. But what's still frustrating is so many. [00:35:43] Speaker D: People and companies think of the industry. [00:35:46] Speaker A: As where it was about ten years ago. [00:35:48] Speaker D: This is about simply automating provisioning, which. [00:35:52] Speaker A: Is a common use case for a. [00:35:53] Speaker D: Lot of folks like you join an. [00:35:55] Speaker A: Organization and somebody has to take the time and energy to figure out all the stuff you need access to so you can do your job. [00:36:01] Speaker D: Yeah. Right. [00:36:02] Speaker A: And the other big use case, of course, is compliance and audit. [00:36:05] Speaker D: Right. [00:36:06] Speaker A: Let's run certification processes once a quarter or once a year to make sure everything is right. 
These are good things, both of these capabilities, but they really aren't dramatically advancing security. And what's frustrating today is we're kind. [00:36:20] Speaker D: Of partly evangelistic here, I suppose, helping. [00:36:23] Speaker A: People understand, you've got to understand all these identity relationships and the access to data that these identities represent if you're going to protect your enterprise. [00:36:32] Speaker D: And if you're worried about just passing an audit, which is important, if you're. [00:36:35] Speaker A: Worried about getting each new employee access. [00:36:37] Speaker D: Which is also important, but not worrying. [00:36:40] Speaker A: About all these other things, you have a ton of risk, you're not managing well in your organization. [00:36:44] Speaker D: And we're trying to help people understand. [00:36:46] Speaker A: How important it is to look through what we call the lens of identity at security. [00:36:51] Speaker D: Right. [00:36:51] Speaker A: People have looked at other lenses for security networks, data systems, devices. We've had those disciplines for ten or 20 years now. We haven't had a discipline called identity security, but for the last few years, it's like a new thought for people. [00:37:05] Speaker D: To go, what are the security risks in my organization relative to identity? [00:37:10] Speaker A: And people are just beginning to get their arms around that. [00:37:13] Speaker D: But back to my frustration, many people. [00:37:15] Speaker A: Are like, oh, yeah, no, identity is important. [00:37:16] Speaker D: We need to pass our audits once a year. If that's all you're doing, you're probably not very secure. [00:37:22] Speaker B: So is there anything specific, Mark, you'd like to leave our audience with today? [00:37:25] Speaker E: I know we went on a lovely. [00:37:27] Speaker B: Tangent in the journey. [00:37:28] Speaker A: I think what we are encouraging people is to start to dig in. 
I know your audience is largely security. [00:37:34] Speaker D: Professionals, and quite often security professionals have. [00:37:37] Speaker A: Been exposed to many disciplines, but less so. [00:37:40] Speaker D: Identity. Right? [00:37:41] Speaker A: And we're saying, look, you've got to begin to get your arms around the importance of identity as a fundamental control point, a fundamental lens for understanding security in the organization. [00:37:52] Speaker D: It's not to the exclusion of others. [00:37:54] Speaker A: I think sometimes people hear saying, oh. [00:37:56] Speaker D: It's not important to have firewalls. [00:37:58] Speaker A: Of course it is. You still need firewalls, you still need network security, you still need device security. [00:38:03] Speaker D: But you also need identity security. [00:38:05] Speaker A: You also need to understand the access privileges and how those map to data. [00:38:10] Speaker D: And how that either leaves your data protected or exposed. Let me give you another classic example, Chrissy. You work in a large tons of. [00:38:17] Speaker A: Energy goes into making sure that people. [00:38:19] Speaker D: Have protected access to critical business financial applications. SAP, Oracle. Right. [00:38:25] Speaker A: Every organization that has those tools is very clear. Sarbanes-Oxley was the US thing, but it kind of got replicated around the. [00:38:31] Speaker D: World where you have to prove people. [00:38:33] Speaker A: Understand access to key financial systems. [00:38:36] Speaker D: But what happens all day, every day. [00:38:38] Speaker A: In those organizations, people download, export data. [00:38:42] Speaker D: From those systems into spreadsheets, and they manipulate those spreadsheets, and they share them. [00:38:46] Speaker A: With their friends or their colleagues, I should say not their friends, their colleagues. [00:38:49] Speaker D: In email, and they store them on SharePoint or Dropbox. 
Same data, same risk to the organization of being exposed. Super tight controls over SAP or Oracle. [00:38:59] Speaker A: Almost no controls over all that data and where it is, how many copies. [00:39:03] Speaker D: Of it are there, who has access to it? [00:39:06] Speaker A: That's the kind of thing we're trying to help people start to think about. [00:39:08] Speaker D: Like, if your goal is to truly. [00:39:10] Speaker A: Protect your organization, it's not just about. [00:39:13] Speaker D: Ensuring that the right people have access to SAP. That's a good step, but you really. [00:39:18] Speaker A: Haven't finished the job at that point at all. [00:39:20] Speaker D: So I think we're trying to get people to think beyond what have been. [00:39:24] Speaker A: Kind of the traditional limitations of this industry to the real issue of are you protecting your organization? That's why security exists as a discipline at all, right? We're supposed to be protecting the organization and protecting the organization's data. Well, start thinking about it through that lens if you're really going to do your job, and we'd love to be there to help you do that. That's part of why we exist as an organization. [00:39:51] Speaker C: This is KBKast, the voice of cyber. [00:39:55] Speaker B: Thanks for tuning in. For more industry leading news and thought provoking articles, visit KBI Media to get access today. [00:40:04] Speaker C: This episode is brought to you by Mercksec, your smarter route to security talent. Mercksec's executive search has helped enterprise organizations find the right people from around the world since 2012. Their on demand talent acquisition team helps startups and midsize businesses scale faster and more efficiently. Find out [email protected] today our.
