August 30, 2024

00:39:04

Episode 274 Deep Dive: Josh Goldfarb | Visibility and Blindness in Complex Environments

KBKAST

Show Notes

In this episode, we're joined by Josh Goldfarb, Global Solutions Architect – Security at F5, as he delves into the challenges of getting buy-in for security initiatives from management and executives. Josh discusses the struggle of presenting informative metrics to decision-makers and the need to bridge the gap between security professionals and business leaders. He also talks about the importance of modernizing security guidance to address the visibility challenge in complex environments.

Josh (Twitter: @ananalytical) is Global Solutions Architect – Security, at F5. Previously, Josh served as VP, CTO – Emerging Technologies at FireEye and as Chief Security Officer for nPulse Technologies until its acquisition by FireEye. Prior to joining nPulse, Josh worked as an independent consultant, applying his analytical methodology to help enterprises build and enhance their network traffic analysis, security operations, and incident response capabilities to improve their information security postures. He has consulted and advised numerous clients in both the public and private sectors at strategic and tactical levels. Earlier in his career, Josh served as the Chief of Analysis for the United States Computer Emergency Readiness Team (US-CERT) where he built from the ground up and subsequently ran the network, endpoint, and malware analysis/forensics capabilities for US-CERT. In addition to Josh’s blogging and public speaking appearances, he is also a regular contributor to DarkReading and SecurityWeek.

Episode Transcript

[00:00:00] Speaker A: If there are policies and procedures that aren't adequately protecting the organization, those are things that need to be looked at. And all of that takes time. But it's an investment well worth the resources that it takes, because what it does in the long run is it actually reduces day-to-day putting out fires, if you will. But it requires management and executive buy-in with the understanding that fixing these problems long term, so that the security team can be the most effective and the most efficient, requires an investment in time and resources upfront. As hard as that is, it's very important.

[00:00:36] Speaker B: This is KBKAST. Are they completely sized as a primary target for ransomware campaigns, security and testing.

[00:00:43] Speaker A: And performance and scalability, we can actually.

[00:00:45] Speaker B: Automatically take that data and use it. Joining me today is Josh Goldfarb, Global Solutions Architect – Security from F5. And today we're discussing visibility and blindness in complex environments. So, Josh, thanks for joining and welcome.

[00:01:02] Speaker A: Thank you for having me. Very pleased to be here.

[00:01:04] Speaker B: Okay, so, Josh, I want to talk about, you say visibility and blindness in complex environments are the most pressing threat facing within organizations. So talk to me a little bit more about this. What does this mean to you?

[00:01:17] Speaker A: Yeah, so I think this is an interesting point that maybe doesn't get enough attention in the security community today. Way back when, going back, say, 15-20 years, during my time in the security operations role, we knew how to instrument the enterprise on-premise network and collect telemetry data for the purposes of compliance and continuous security monitoring and other types of uses for that telemetry data.
And then what happened, I would say, over the last ten to 15 years, is that gradually services and applications and infrastructure began to move from a solely on-premise, or maybe private data center type environment into a cloud, or in many cases, multiple cloud environments. When that happened, we as a community took a step back and became a little bit blind in terms of our visibility into those environments. We lost that visibility, that high quality telemetry data that we had honed our ability to collect on the enterprise network. And when it came to cloud environments, we were basically running applications and services and infrastructure without that visibility. So if there was a breach or there was some type of inappropriate usage or abuse type behavior, we didn't have that visibility to be able to detect and respond to that, nor did we have the visibility required to be able to analyze the traffic and data going to the multiple different environments for the purpose of improving our preventive controls alongside our detective controls. And that's something that's now starting to change. That visibility, the need for visibility in cloud and multiple different cloud environments, is getting some attention. While we didn't have it, or for organizations or businesses that still don't have it, it is a risk, because obviously an attacker can do any number of malicious or suspicious activities in an environment where we don't have that visibility and that telemetry data. And when they do that, we have no way to detect and respond to that, putting aside, of course, the compliance and regulatory issues that it creates. So I think for that reason, the lack of visibility or the blindness that many organizations have in the cloud, including multiple different cloud environments, is a significant risk. And it is something that, in my opinion, I don't think we as a community, security community, give enough attention to.

[00:03:47] Speaker B: Yes.
What do you think that is, though? Why do you think it hasn't got the attention? Do you think just other things have just captured the attention? Or do you think it's something that people perhaps don't think about and therefore wasn't intentional? What are your thoughts on that?

[00:03:59] Speaker A: You know, to use an analogy, when we see somebody walking down the street doing what they're supposed to be doing, engaging as a respectful member of society, quite unremarkable. When somebody does something they're not supposed to be doing, for example, if they were to stop in the middle of the sidewalk and begin screaming, or they were to throw something at somebody else, for example, that would get our attention. So I think that because visibility and telemetry are, they're not sexy, they're not unusual. There's no real hype cycle around them. It's just something we need to be doing. But because it's not sexy, because it's just sort of everyday, mundane day-to-day type of activities that need to be done, I don't think that we as a community remember to give it enough attention. And I think that instead, unfortunately, I would say much of what grabs the attention of those in the security community are things that are maybe trends for a particular day or week or months or, you know, they're things that maybe have quite a bit of a hype cycle around them. But the question is, operationally, in a security sense, what is the impact? And that is a question where it is not always clear what the answer is. And I think that it's just continuous security monitoring, telemetry, visibility, these are things that are just, you could say, mundane day-to-day activities that need to be done, and they just don't get that hype cycle attention like some of the other issues that we're seeing.

[00:05:28] Speaker B: So obviously, this is a problem, you care about it. You're in this space, you get it.
What are you sort of doing within your own organization, but with clients as well, to get this more on the radar? I do hear what you're saying, and it's interesting. Like, I've conducted almost 300 interviews on the show, and every person I interview, it's a broad range of security topics, and everything that everyone says is interesting. Right. But of course, there are priorities and different environments and maturation, all these things. But what are things that you're sort of doing, even with a customer, that's getting this problem on their radar?

[00:06:02] Speaker A: Yeah. So I think one of the best ways I've seen, you know, as I've traveled globally, meeting with our incredible partners and customers around the world, one of the ways I've seen that is one of the best ways to get the attention of, certainly a customer, but also the management and executives that our particular contact or contacts at a customer will be reporting to. One of the best ways to get their attention is by showing them their own data. And I think that when organizations see the lack of visibility and what that means, for example, if we're talking about APIs and we have 50% of our API inventory that's not been discovered, that's completely unknown, not inventoried, not managed, not secured. Or if we have a certain high percentage of our cloud environment where we're not seeing telemetry data, when we can show that ground truth data to our customers and to their management and executives, that makes an impression, because lots of people come in and talk about security problems. The question is, in my particular case, if I put on my customer hat, in my particular case, in my specific environment, whatever that environment looks like, no matter how complex, what do my data show me in terms of where I have risk, where I have blindness, where I need improved visibility, things like that.

[00:07:27] Speaker B: Yeah.
So what I'm hearing, what you're saying, Josh, is it's sort of like holding a mirror up to yourself. Right? So sometimes people are perhaps, to your earlier point, you know, they're off focusing on other things, and then this is maybe a little bit more mundane. So it sort of gets pushed to the bottom of the list. So what do you think people need to sort of understand just at this point in the interview that they need to sort of take away in terms of, you know, what Josh is saying makes sense. How can people start to hold that mirror up and say, well, I need to start looking at the data, to your earlier point. And really perhaps that's what's going to spur people on to taking action or to even pay attention at all.

[00:08:04] Speaker A: Right? So I think that a lot of the security practitioners out there, and perhaps many of whom will be listening to this particular podcast, I think a lot of them know what needs to be done. And I think what they struggle with is getting buy-in or getting attention for that from the people who are setting the priorities. I think that having been a security analyst for many years, most security analysts, most security engineering types, they understand the need to instrument the infrastructure, no matter where that infrastructure lives. And I think what's stopping that from happening, or what's perhaps a roadblock in the way of that happening, is perhaps a lack of education on the part of people who are setting the priorities, maybe the management and executives in a particular enterprise. So the question is, given that, what can we do about it as security practitioners? And this is where I think reporting and metrics play an important role. I remember for many years when I was a security analyst, when I was working in security operations, looking back on it having been around a bit now, the metrics that we were reporting up to our management were not particularly informative or helpful to them.
Many people report number of tickets opened and closed, number of incidents by category, perhaps spikes in traffic or percentage of attacks by type or percentage risk or priority based on signature type or things like that. Those are interesting for us as practitioners because they allow us to tune our false positives to improve our true positive or detection rates. They allow us to hone technology to better identify where we need to focus. But for our management and executives, it doesn't tell them a whole lot. And in order for us to really tell that story, specifically in this case, we're talking about telling the story around visibility. We can report percentage of environment that we don't have visibility into or that we're blind to. We can report infrastructure, services, applications and APIs that we don't have requisite visibility into. We can do that all day long, and many organizations do. What's missing, I think, is that translation. Translation to what? Translation to things that matter to management and executives. So management and executives are primarily focused on risk, risk to the business and risk to brand reputation and things like that. And that at the end of the day, translates into regulatory and compliance fines and monetary repercussions from things like intrusions, loss of customer data, things like that. That translation going from here's the percent of my infrastructure that I want to better monitor, here's the percent of my applications or my APIs that I'm lacking visibility into, or that I don't have proper inventory and management over, translating from that into risk in terms of dollars, in terms of financial repercussions for inappropriate or improper security. That is something that we as a community still struggle with. There have been improvements in recent years that I've definitely seen as I've traveled the globe. But I think that we as a community need to get better at speaking the language of the executives.
And I think if we can learn how to do that, how to translate from the blindness or visibility challenges into the language that our management and executives speak, I think that will allow us to get the requisite attention placed on this problem of visibility.

[00:11:39] Speaker B: Okay, so you said something before around presenting, like, facts and figures to executives that perhaps were not informative. So what would informative facts and figures look like from your point of view?

[00:11:52] Speaker A: What informative facts and figures look like are typically, they're typically data points that speak to the audience they're intended for. So for network engineering types, things like latency, things like outage information and uptime information, those things are very relevant. For security analysts and security operations practitioners, things like where the majority of the false positives are coming from, where the majority of the false negatives are coming from, which technologies are doing more for us or doing less for us. These are data points that are very interesting for security engineers. Things like which technologies are requiring an excessive amount of cost to operate and maintain, which technologies have a high fail rate. Things like that become very informative. And when we look at executives, they're really looking at risk in dollar terms. They want to know if I have a security breach, or I'm not compliant with a given regulation, or I lose customer data, or I have, let's say, a problem with my site availability or the availability of my inventory, if we're talking an e-commerce type of situation, what does that cost me in terms of fines? What does it cost me in terms of lost potential revenue? What does it cost me in terms of loss of customers? What does it cost me in terms of downtime and outages? You know, those data points, they vary depending on the audience.
And I think that as security professionals, when we look at producing those data points, we need to make sure that we tailor them for the audience that we intend them for.

[00:13:31] Speaker B: So you're saying that people and I, look, I was a reporting analyst probably about a decade ago, so I'm very, very familiar with this subject and how wrong we've been doing things over the years. So I can relate. So what you're saying is that basically, historically, people have focused on the wrong things, okay. They want to try to, I don't know, maybe get some more money for their security department, but they presented the wrong facts and figures, and executives are like, well, who cares about that? They haven't positioned it or framed it in a way that makes sense. They can't quantify it. To your earlier point around, well, if we don't do this thing, potentially we're going to lose this revenue. Or if we don't do that, potentially we lose more customers. Is that really the gap that you're sort of identifying here? And then if so, like, I, you know, for the last decade, we've been talking about this problem, but like, yes, I think the needle's moving, but like, why don't people understand yet and sort of connect the dots a little bit more? Because what you're saying makes sense, right? And people, an executive is not going to hand over money to a security department because the security guy says so, like, you obviously have to, like, back it up. Like, you have to have, like, a justification that makes sense. So this is the part that I, and I've been speaking to people all this week, and it's actually around this topic specifically. So what do we do from here?

[00:14:43] Speaker A: First off, to answer your question, I agree. I think your summary is accurate in terms of where do we go from here.
I think that obviously there's a delicate balance here because on the one hand, security professionals, I haven't met too many that have a lot of idle time, a lot of free hours during the day. It's well known to be a somewhat high stress profession with professionals who are running around busy pretty much on a daily basis with more tasks to complete than there is time in the day to complete them. So it's a little bit of a challenge because for a security professional to say, look, I'm going to take 20% of my time away from putting out fires to focus on the fact that if we were a little bit more strategic as an organization, we would maybe have less fires, but we would also be able to get support for some of the things that are holding us back and making things take longer than they need to take. One of the reasons that security professionals are so busy is because when they go to investigate a potential breach or an incident or a data loss or any of the other potential incidents they may need to investigate, they often struggle to find the data that will allow them to reach the conclusion, the correct conclusion, based on ground truth and facts, not based on assumptions or inferences. That sort of running around like a chicken with your head cut off takes a lot of time. And unfortunately, it is part of what contributes to the sort of hectic, stressful situation that many security teams find themselves in day to day on a continuous basis. So I think the better security teams I've come across, and by better, I mean the ones that have more of a handle on this visibility challenge and have better processes for both preventive controls, but also for detective controls, meaning detection, investigation and response, they have management and executives that support and understand the need to allow the team to focus also on strategic problems.
So I think, unfortunately, bottom up, in my experience, while bottom up, meaning the operational security professionals who are doing the work day to day, while bottom up can solve many problems, unfortunately for this one, I believe that top down is also needed, which means that we need executives and management and security leadership that understand the need to give the team a certain amount of time to have them focus on strategic problems that need to be fixed. For example, if there are visibility gaps, the understanding that those visibility gaps are likely causing some of the stress or some of the inefficiency in time. That's one example. If, for example, technologies are inadequate, meaning that technologies aren't producing the results that the security team needs in order to operate with the most efficacy and the most efficiency, there needs to be time put aside to focus on finding the right technologies. The list goes on. But another good example, perhaps, is procedures, policies and procedures. If there are policies and procedures that aren't adequately protecting the organization and aren't allowing the security team to effectively and efficiently respond to security incidents and prevent them to begin with, those are things that need to be looked at. And all of that takes time. But it's an investment. I think that's well worth the resources that it takes, because what it does in the long run is it actually reduces this sort of day-to-day hecticness and sort of putting out fires, if you will. But it requires management and executive buy-in with the understanding that fixing these problems long term, so that the security team can be the most effective and the most efficient, requires an investment in time and resources upfront. As hard as that is, it's very important.

[00:18:34] Speaker B: Okay, I want to follow this a little bit more. This is really interesting. So, okay, I'm going to give you an example. So I get your point around.
Okay, an executive. Okay, there are two buckets. Executives that get it and, you know, care about security, want to invest in it, and the people who perhaps don't get it or whatever, but let's just say the executive that does get it, but then the CISO comes up to them and says, well, it's going to cost you, like, $10 million. Then I feel like people start to backtrack. Security's not cheap, as you know. It's not chump change. It's expensive stuff. It's complex stuff as well. It's not this or that. So it's not a binary decision. So then I feel, in my experience of speaking to people on the front line every day on the show, but this generally in the industry, I think that sometimes I've heard that, yes, an executive may hear the security executives say, well, yes, it's important. But then when it's like, when it comes to like, well, you've got to give me all this money to do the thing and hire all these vendors and all these people and all this stuff, I feel like there's a bit of backtracking that happens. So how would you approach someone to manage that? Whereas, yeah, they still think it's important. However, it's like, yeah, but I only feel it's 20% of important when you give me that figure in front of my eyes.

[00:19:41] Speaker A: Yeah, that's an excellent question. And thankfully, I had an annoying call from somebody trying to sell me a maintenance contract for an appliance I have recently. And little did I know that it prepped me very well for this call. So while I was on the phone with this person who called me trying to sell me a maintenance contract for an appliance I bought several years ago where the factory warranty had already expired, I quickly found myself doing calculations in my head. I was calculating how much I've spent on replacement parts and maintenance type of activities for this particular appliance versus how much they wanted me to commit to for a two-year contract that would cover some of these expenses, but at a cost.
What I quickly realized was that the cost to pay a la carte or out of pocket when and if I have a problem was far lower than getting locked into a two-year service contract. This is not a surprise. This is something that's well known, a well-known calculation with most extended warranties and service contracts on appliances and things like that. So I think the same is in security. If, as an executive, you are asking me to put 1 million, 5 million, $10 million into the security program on top of what I've already committed to, let's say, for last year, I need to understand what I'm getting for that. And is it worth it to me? For example, if you want $10 million to mitigate $2 million of risk, while nobody wants to have a breach and nobody wants to lose customer data, financially, it doesn't make sense, right? And an executive may, and in my opinion, may justifiably say, I need to put that money elsewhere where I have significantly higher risk than, let's say, the $10 million I'm being asked for. I can apply that 10 million to another problem where, say, my risk is 100 million or something like that. I think we need to understand that when we, as a security team, or when we equip our CISO to go in and make that budget request from the executives, I think we need to understand that at the end of the day, the business needs to make money. And the business, while strategic, is also somewhat transactional, and security is no different. And I think that's where what I was alluding to or coming to a bit earlier was that this calculation, this translation from the risks that we identify and the risks that we track in our risk register, along with any mitigation that we have in place, we need to translate that into real potential loss, real risk in terms of dollars.
And when we do that, that allows us to go to the executives and say, for example, I know $10 million is a big ask, but because of a new regulation or because of a change in the attacker or threat landscape, or because of a change or a recent acquisition in the business, we now have an additional risk of 50 million or $100 million that we can mitigate, or mitigate 90% of it, for a $10 million investment. And therefore, it makes sense as a business for us to do that. When we go with that type of a calculation or that type of a return on investment argument, the results, in my experience, are often more favorable.

[00:22:42] Speaker B: Do you also think as well, Josh, that perhaps people don't know what they don't know? Now, what I mean by that is, I'll give you an example. So I got married almost two months ago now. And when we were, you know, a lot of stuff that goes into getting married, as, you know, the few days sort of thing that we did. But anyway, I obviously have never got married before. I haven't really helped anyone get married. So then when you're asking these wedding vendors how much these things cost, sometimes it surprises you. Like, that's a lot, or wasn't as much as I thought, because I don't know what I don't know. And the reason why I'm telling you that is, do you think sometimes with an executive, like, they don't know how much, like, you know, F5 stuff costs? Like, they could be like, oh, my gosh, that was so expensive. And I also say this because my brother-in-law is a CFO, and I remember a few years ago, he was asking me, like, is this a lot for this company that's charging me? So do you think that people just don't know what they don't know? So therefore, even if you put any figure, people are always probably going to think it's always lower. So even if you put something that's higher, and technology's not cheap, as we know, people are going to always be a little bit taken aback by that.
[00:23:42] Speaker A: Yeah. So first off, congratulations. It's very exciting, a very exciting time in your life, and sounds like it was wonderful. Regarding your question, I think that this is an area where competition is a good thing. I think that getting competitive bids and comparing the commercial offering or the financial cost of a particular solution with its capability, and being able to matrix that with which of the requirements that I have, or which of the risks that I'm looking to mitigate, does this solution address. I think that allows us to really objectively understand if something's truly expensive. What do I mean by that? Let's say a vendor comes and says to a business or an enterprise, our solution, based on your traffic volumes and based on the number of locations you have, it costs $1 million. That's what this particular solution will cost to mitigate, to address the issue that we've been discussing. In this case, let's say we have a matrix of requirements and risks that we're looking to mitigate and looking to address, and the solution addresses 80% of them. That's a data point that is very helpful. Versus if we have a second solution that's maybe a little bit cheaper, but only addresses 50% of the requirements, meaning that then we're going to have to probably go out and get another solution or develop in house, which also has a cost to it. That allows us to really process: what does it mean, expensive? Because to your point, an absolute number is not very informative. Executives are not going to be able to, if something costs a million dollars or $2 million or half a million dollars, they're not going to really be able to understand what that means. But what they can understand is what percentage of the risk will it mitigate and what is the return on that investment in terms of the reduction of risk into residual risk that remains. If it's significant, it makes it easier to process. We're not processing an absolute number.
We're processing a relative number, relative to the risk to the business that we're looking to offset.

[00:25:40] Speaker B: Yeah, that's interesting because I just think from the people that I've spoken to over the years, it's just, you know, they're just like, well, this stuff just costs a lot. And I was like, well, I think it depends, of course, but I think, like, to your point, competitive. You know, people coming up, if you've got one player that's presented a number, but then two other sort of players have said maybe a similar number, it gives you that barometer. Right. So I think that, again, when you're an internal CISO, though, it's like, well, every company's different, so it's going to be hard then to compare apples with apples. So I think sometimes I've just seen people get a little bit sort of blindsided by these numbers that these security people are putting forward because they just don't know. They didn't really grow up in it. They're driven by numbers. If they're a CFO, they don't really understand the space. They don't know whether this service should cost 4 million or 4 billion. So I think that that's just the part that I've also seen, that people say they care, but when it's like, well, you care, but then here's the cost that you're going to have to front the bill for, then I just see the conversation starts to change direction very quickly.

[00:26:40] Speaker A: Yeah, I mean, that's a fair point. I think that, again, this is something that we as a security community struggle with. It's nothing new. I mean, you mentioned going back a decade or so that this was something that you were familiar with. And yes, the needle's moved, but not as much as it should have.
I'm hoping that as security continues to mature as a field and becomes more of a core business function, which I really believe it has in recent years, much more so than, say, 20-25 years ago when I was starting out in the field, I think that we will need to learn how to operate as partners to and part of the business, rather than this eclectic group of people on the side, like is maybe how people thought about us historically. I think we're becoming part of the business. We're becoming more mainstream, if you will, something that's more accepted as an essential or core function of the business rather than just a sunk cost. And I think that with that, on our behalf, comes tremendous responsibility in understanding how to be a partner to the business, how to facilitate the business in a secure way, but also how to function in the language of the business, understanding the lines of business that our employers or our enterprises have. Helping address risk, but helping the business operate securely at the same time, not causing detriment to the business or reduction in revenue because of inefficiencies or because of our inability to function as partners. I think as we mature as a field, we need to almost think more like business people as opposed to security professionals in many cases.

[00:28:14] Speaker B: Yeah, this is interesting when you say, like, core business functions. So when you were speaking, my mind was thinking about, you know, let's look at HR as a core business function. Like, I don't know, maybe some of the things that HR people buy/develop, I don't know, some of these things that they. And I'm not an HR person. Maybe there's something that, you know, you might look at and go, why would we just spend a million dollars on some HR system that no one cares about?
So it's kind of like, I feel like that the maturation is getting there because, again, it's like everyone's going to look at everyone else's business unit and say, why would we spend money on that thing when it's like no one cares about it? So it's like, I feel like security is just becoming like, you know, it's always been at the little kids table a bit. So now I feel like as an industry, we are sort of getting on the adults table, kind of not there yet, but we're getting there. But I just think that, you know, perhaps we just need to approach this mathematically. I'm definitely not a maths person. I mean, you know, I'm a speaker and I prefer my, you know, preferred topic at school was every English, but just what you're saying. And even over this week, I've probably done about five or six interviews. There's a common theme here, and it's talked about, you know, quantification, but then also the mathematical, analytical side of it. So perhaps that needs to come more to the forefront of the conversation. [00:29:21] Speaker A: Yeah, I agree with that. I think that, look, an executive may not be a security professional, and in many businesses, the executives are not security professionals. Right. Their core business is something else entirely. The executives, while they may not be security professionals and they don't have that security domain expertise, they're not. They're not idiots. Right. Many of them have been in their particular fields for a very long time, have risen through the ranks, understand how their business runs, understand how they can optimize the business and make more money or a higher profit or whatever the shareholders need from that particular business. And many of them are quite good at understanding risk. Like you said, as we begin to get a seat at the adult table, we need to understand that we need to approach them in a way that is appropriate for their level, speaks to the things that they care about, risk and other things like that. 
And remember that these are, these are serious professionals in their own right. They may not be familiar with security, but they do understand risk quite well in most cases. And if we can posit to them in risk terms and in financial terms what it is we're looking to accomplish. And that includes, by the way, clearly articulating not only what we want from our security initiatives and what we think we need to do in the coming year or two years, but also to translate that into what it means for the business. If I say that I need to increase visibility in my hybrid and multi-cloud environments to an executive that is thinking in terms of the lines of business, running the business profitably and mitigating risk, it doesn't mean anything to them. What we need to help them understand is that we have blindness or gaps in visibility that are introducing risk. And we need to, at a high level, enumerate the ways in which that's happening and what that means in dollar terms and what the potential exposure there is. And only then can we gain acceptance or support for that type of initiative that we can then take down to the security team and say, okay, now that we have approval for this, let's figure out what we need to do and how we need to do it. [00:31:25] Speaker B: I think as soon as someone starts talking like that, I think an executive knows that that's going to cost a lot of money. So you mentioned before, executives are not idiots. I agree. You don't get to the top by being a fool. Right. So would you say, and this is just my experience, do you think unintentionally security practitioners have perhaps been a little patronizing to these people? Just because the guy didn't grow up, you know, learning security doesn't mean he's an idiot. [00:31:49] Speaker A: You're being polite. I think a little patronizing is an understatement. I think that we as a.
I think that we as a field have had some challenges in not looking down on or patronizing people who are talented professionals in their own right, but just maybe don't have a security background. And that includes positions like CIOs where you may have people who have long histories of successfully running IT infrastructure, but just may not have had that security element to it and therefore need to be educated. And so I've always found that a more constructive or a more helpful approach is to be a partner to the business, to focus on outreach, to focus on education, to focus on gaining trust. Trust is huge. The minute you have an issue or some type of snafu that sets you back significantly. That outreach, that building trust, that working as a partner, creating a network of constructive relationships within the business and externally. Oftentimes we need external partnerships as well in order to be successful. That allows a security team to be the most effective, to function as a partner to the business and not merely what we're sometimes called, the department of no, as sometimes people call the security team, and that's not a good place to be. It doesn't help the business and it certainly doesn't help to gain trust, buy-in and budget for security initiatives that in many cases are extremely necessary. [00:33:13] Speaker B: So you make an interesting point around guidance from governments and advisory boards that need to be modernized. I just want to stop there for a moment, because the operative word here that I'm focused on is modernized. Now, the whole reason why I got into what I was doing is because I wanted to have a modern approach on the industry. There are things out there that look like they were born in the nineties. I was over it. So I love this word because I think people do need to have that approach of being modern, being more fresh, more, you know, in this, you know, in this year, that I think sometimes people are operating really backwards.
So what does that then mean to you? What does a modernized approach look like? [00:33:49] Speaker A: I think a modernized approach is, is really taking best practices or core principles of security and adapting them for the world now, which is a bit different than it was 10, 20, 30 years ago. So, for example, in Australia, a well known framework is the Essential Eight. This is something that many people are familiar with, myself included. The Essential Eight is a good core guidance, but it's a bit dated in the sense that it really focuses on endpoint workstations within an enterprise on-premise environment or a VPN type of environment, perhaps, if you will. That's obviously extremely important, and by no means should we throw that guidance out and start over. What we did here at F5 is we adapted the Essential Eight to a white paper offering some perspective and perhaps guidance on how the Essential Eight is relevant to hybrid and multi-cloud environments, which is a challenge that many of our many customers and many businesses around the world are struggling with, is how do I adequately protect and defend my hybrid and multi-cloud infrastructure and environment, given that many of the pieces of guidance that are out there are focused more on an on-premise or an enterprise world and not on the modern types of architectures that we see. So that's an area to me, that's what modernizing means. It means staying true to our core principles, to our professional values, to best practices that have worked time and time again, but adapting them to suit the more modern types of environments that we now find ourselves in. [00:35:28] Speaker B: So what would happen if people just weren't modern about it? And I mean, look, I asked that because, again, it's the reason why I wanted to do what I'm doing now. Like, you know, back when I started this show, like, there were not many podcasts out there, not like they are today at all.
I wanted to be, you know, ask the hard questions that perhaps people weren't asking. I think that's more of a modern, outspoken approach. It's a little different. But what would happen if people don't take your advice, for example? Where would we be? [00:35:55] Speaker A: Well, that's an interesting question. I think that if people depend on external guidance from governments, from industry bodies and parties, and they don't modernize it or adapt it to suit the particular situation that they find themselves in, then what you'll get is a lot of partial coverage. What I mean by that is that if there's guidance that's focused on endpoint workstations in an enterprise environment, and we're only following that guidance, we'll probably do quite well in that area. But we may not realize that we have certain types of threats in the cloud or certain types of threats to our SaaS solutions or our APIs or what have you, and we'll get a lot of really good partial coverage or perhaps a lot of siloed point solutions partially covering the risk that we need to cover, but we really won't get that strategic, overarching approach to risk mitigation that the security team really needs to be focused on. [00:36:53] Speaker B: So, Josh, do you have any sort of closing comments or final thoughts you'd like to leave our audience with today? [00:36:59] Speaker A: One thing I found over the course of my career is that there's a lot of good best practices. There's a lot of good data out there. There's a lot of good expertise and knowledge. Many people, like myself, write periodically for different publications; people share on blogs or on social media different approaches. And I think that sort of following on to this discussion around visibility and around modernizing approaches, I think that there's really good information out there. There are best practices and core principles and professional values that have been tried and true that work for us as a community repeatedly.
And rather than, I would say, following the hype cycle or the, or the buzz item of the day, what we as a community should do is go back to basics, take those best practices, core principle, core principles and professional values and apply them to solving problems in our environments, no matter how complex those environments are. And I think that is how we understand how to translate from the language of security to the language of risk and the executives. And that's how we can really go about breaking through some of these barriers and solving some of these problems that have been around for quite some time now. [00:38:21] Speaker B: This is KBKast, the voice of cyber. Thanks for tuning in. For more industry leading news and thought provoking articles, visit KBI Media to get access today. [00:38:34] Speaker A: This episode is brought to you by. [00:38:36] Speaker B: MercSec, your smarter route to security talent. [00:38:39] Speaker A: MercSec's executive search has helped enterprise organizations find the right people from around the world since 2012. Their on demand talent acquisition team helps. [00:38:50] Speaker B: Startups and mid sized businesses scale faster and more efficiently. Find out [email protected] today.