Episode 277 Deep Dive: Jagdish Mahapatra | Microsegmentation and the Path Forward

[00:00:00] Speaker A: Businesses must realize there is no constant state of security. And we've always had this mindset about looking at security as the cyber war. I would like to say it's not a war. It's a game of chess. In a game of chess, you're constantly looking to make moves so that you're ahead of the adversary, so they can protect the king. And the king is the data, your crown jewels? [00:00:29] Speaker B: This is KBC as a primary target for ransomware campaigns, security and testing and. [00:00:36] Speaker C: Performance and scalability, risk and compliance. We can actually automatically take that data and use it. Joining me today is Jag Dish Mahapatra, commonly known as JAG chief revenue officer from color tokens. And today we're discussing micro segmentation and the path forward. So, JAG, thanks for joining and welcome. [00:00:56] Speaker A: Thank you, Keri. Sir. It's my pleasure to be in your podcast. [00:00:59] Speaker C: Okay, so I want to get into it straight away. I want to know your version of micro segmentation. Now, I asked this question because, again, there's terms out there that vendors, etcetera, people use. Everyone's got a different version of what it means. So I get various answers, but. So everyone's on the same foot on this interview. I want to hear your thoughts. [00:01:21] Speaker A: Yeah, let's kick it off with that. I mean, I'm going to dig into the why of micro segmentation, because that's very important. And let's for a moment think like an attacker, like an adversary or a hacker. And if I were to have a hypothetical conversation with their adversary, what would he or she tell me? Well, this is how I think it'll go. That for last 20 years, businesses around the world have been hiring the hackers. They want us to find exploitable loopholes in their armor and break in as far as we can and try to figure out where we are. So, are we impenetrable? Is the universal question. I think it's time you might as well be asking the same about your organization. And as a hacker, I can say with confidence that most certainly there is always a way in. And I think if I were to play it back from a defender's mindset, from or for the organization, I will say this is one advice that can we can take it very seriously, is can we stop trying to keep the bad guys out because they have enough motivation, and there is a business model that justifies why they will be in. So, can we assume that they are in and they'll find a way to move inside and look at our crown jewels? The answer we should be seeking for is as businesses is. Can we make it hard for the adversaries to move inside once they're in? Because they will try and exploit the relationship that allow them to move laterally through the corporate network. They can do this by distrusting anyone, right? The first thing they can do is distrusting anyone within their data environment and repeatedly corroborating that all users are who they say they are. So I think at the core, what microsegmentation does, it doesn't allow the adversaries to move laterally. It buys time for the defenders to really slow them down and use that time to protect their crown jewels. In the scheme of things, when breakout time, as it's popularly used by crowdstrike to define how it moves from patient zero to patient one, the breakout times are shrinking, with the shortest one being in two and a half minutes. I think this is where businesses have to focus on and micro segmentation at the foundational level addresses this core issue. [00:03:57] Speaker C: Okay, there's a couple of things in there which is interesting. When you say at the foundational level, what do you mean by that? When you say that? [00:04:02] Speaker A: Well, at the foundational level, it starts to create the segments and zones in the network that creates friction for adversaries to move. And that's the core value that it offers back to the security practitioner. [00:04:17] Speaker C: And then you also said by doing this, it buys time. How much time are we talking in. [00:04:23] Speaker A: The scheme of things where the breakout times are shrinking by minutes? And I said, on an average, it's come down to 64 minutes now, and the fastest one can be two and a half minutes. You really are playing in seconds here. Right? So if you can buy seconds and minutes now, you're basically going to do a massive favor to entire business continuity and digital resilience. [00:04:44] Speaker C: I heard the two and a half minutes, but what can happen in two and a half minutes? Like, I can't even drink a cup of coffee within that time? [00:04:51] Speaker A: Absolutely. If you're dealing with the nation state actors, and let's say if you're dealing with russian adversary, they are extremely sophisticated. This is exactly the time they would need to inject a payload or move from patient zero to patient one and move laterally, and then it's game over. And that the challenge now for organizations is to have defenses that can help them prevent this, to detect this faster and remediate faster. But hence, I believe that this whole constant energy and technology that we've been spending in this industry for the last ten years into detect, detection and prevention is done. Well, it's done us well, but that's not the only place we should stop. We got to now move beyond detection and prevention technologies with that assumption that they will move in and find ways to slow them down. I think this is where the biggest problem in the Mitre framework has not been solved, which is a lateral movement. And at the core, micro segmentation does that. [00:05:43] Speaker C: Okay, this is interesting. So you said people are going to move beyond this. Would you say that? Why aren't people moving beyond this? Is it that they don't know? They're unsure, they're confused. They got a thousand other things they need to do and this just feels like something else that they need to get their head around. What are your thoughts? [00:05:59] Speaker A: The whole micro segmentation has been misunderstood by it and security for a while. Well, why is it so the start of segmentation started with the network segmentation in Scarissa. I worked in Cisco 15 years back and we would talk about network segmentation then. And those were days when Vlans were used to segment the computing systems in the same network. But they couldn't discern the malicious traffic. Right. So any lateral movement that would happen within the VLAN, that was a problem. But as we started to move from network segmentation, I would say in the second generation, started talking about software based segmentation. Now, software based segmentation were a little better. They could stop the lateral movement within the VLAN. But obviously the problem was there were long observation periods to discern what is a good traffic against what's a bad traffic to create. The segments and the zones were based on network departments, sometimes asset types, which can be very basic. What I'm trying to say where the real value of breach ready micro segmentation is your ability to detect and respond. You could stop the attack, proliferation, you can ensure business continuity and you can determine material impact. I think this is where the value starts to come in what I would say the breach ready segmentation. Fundamentally, this helps organizations be ready for the eventuality of breach, which we know in today's time. It's not a matter of if, but when. [00:07:28] Speaker C: So would you say people are just under the proviso? Well, that's nice, Jag, but I'm just going to go with the theory of I'm just going to keep the bad guys out completely. Is that what people are sort of saying when you're speaking to customers and people in the, in the industry? [00:07:42] Speaker A: Well, this has been the wisdom of the industry for last 15 years. I've worked in similar organizations in the past. And by the way, don't get me wrong, that's important. We have to continue to improve our detection prevention capabilities. We have to try to keep them out. But I think what I'm trying to say is we can start to shift our capabilities, our technologies and energies with the assumption that they will move in. Because the business model is a massive industry. It's a trillion dollar industry. This could be the fourth largest economy. Cybercrime is the fourth largest economy. They have enough motivation to get in. So why not? We assume that they will get in and find ways now to really slow them down. So I'm saying that continue to do what you've been doing, but don't live in the notion that's enough. Because security is always a journey. And I think the energies need to shift into really saying how we can slow them down. Because that will change the game. And to me this is an asymmetric warfare and it will bring in some symmetry by giving us time. [00:08:44] Speaker C: Would you say that people just, they're just not there yet? Because I know, look, I asked that question because as you know, things take time and there's adoption, then there's understanding, there's awareness, there's education. And I hate to say it, but the last 20 plus years, people can't even do patch management correctly. So now we're trying to introduce something, you know, that that is perhaps not as ubiquitous. Is that going to be hard, would you say? Because again, like people are creatures of nature, et cetera, so they don't like to think, well, I've got to learn something new, I've got to think differently. What are your thoughts then on that? [00:09:17] Speaker A: I think I'm starting to see the adoption going up across the globe significantly. I think there is a realization in different sectors, definitely in the financial segment, in the healthcare segment to the breaches are brutal. But again, it needs to be positioned correctly. In one of the things we believed in color tokens is stop talking about micro segmentation as much as we should talk about what it can do. And that makes a lot of difference. So firstly, what's the goal? We've always been saying that microsegmentation is a breach readiness tool. So how can we reduce the breach impact and make it easier for adoption? When I say adoption, the value realization. Can we get a value realization in the first 60, 90 days of material impact? Can I reduce the attack surface? Can we reduce the blast radius so eventually give metrics that the business can be proud saying, you know what, we feel far more comfortable. And then eventually improve the partner capabilities. Right. And it has to be managed well, but find ways to make it even easier, or I would say frictionless consumption models. I think those are areas that are improving. And I believe that the adoption of this, of this technology is right across the corner. And we're starting to see early signs in Asia pack as well. [00:10:27] Speaker C: Going back, I know you sort of mentioned it before, but what do you sort of think that people are confused by? Do you think it's just a misrepresentation and they're sort of comparing it to a vlan, would you say? And then therefore they're like, oh, well, that's outdated. Is that sort of where people are drawing comparison? [00:10:43] Speaker A: If I were to unpack, and you're right, I mean, like I said, there's a confusion with network segmentation and some of the old things that I had, by the way, there's nothing wrong in that. But I think the moment we pivot the conversation of segmentation, micro segmentation, to breach steadiness, it means entirely different. And if I were to unpack that for you, I think the first part is, can we build pervasive defenses? When I say pervasive defenses, you should be able to address potential points of breach across it OT. And this is important because as we're living in a world where the OT world is probably three to five times of it, and that's going to get bigger and bigger, and that's becoming a significant threat vector in supply chain healthcare, and you can't afford to ignore it. And of course, the cloud, right, we're living in the world of cloud. While you build pervasive defenses, it's important that the visualization improves. In our world, we call this panoptic visibility. You should be able to get detailed visibility across the attack path of what is fixed and what's moving. And that's something that wasn't available. And these are all innovation happening as we speak. But progressively reducing the impact is important, which means you're improving the security posture, but you're reducing any impact of any attack that comes in while you do that. This is when the real zones and conduits start to make meaning. It should be possible to simplify the internal attack surface by intelligence zoning techniques. Now, to your question, in the past, it was very rudimentary. The returns against the effort were not in place. I think with a lot more advent of AI and more tools and more technologies available, this is getting much more easier to predict. And that basically helps us to prepare for the cyber attack models. So it should be possible for cybersecurity teams to foresee the possibilities of cyber attacks and the impact it can have. And that can help what I would say help organizations ensure business continuity. And I think that's the part we start to get in. But eventually, I think the real promise of this technology is in helping organizations achieve adaptive breach response, which means it should be possible to adapt to changes due to an attack. And then you redefine your controls and parameters to defeat the attacker. That's the ideal outcome this technology is now capable of. And that's the journey we're in, in color tokens to really articulate this value journey. And whenever we've had this conversation with our customers, it's really gone down extremely, positively because this is lifting up back to all the stakeholders. I haven't heard a single CFO, CoO or a CIO coming back saying, you know what, this doesn't make sense. This is absolutely the most important thing businesses want to really listen about. [00:13:36] Speaker C: Okay, so there's a couple of things in there that I want to get into a bit more. So what I'm hearing from what you're saying is there needs to be a mindset shift around. Like historically it was like, okay, we've got to keep these people out. These people are getting in regardless whether we like it, we agree, we disagree, it doesn't matter, these people are still getting in. So then you're saying there needs to be an extra barrier or control there because they, they will. And as you said, quite a large industry. You can, someone can sit at home in the middle of nowhere and, you know, make a lot of money. So then there's that. Then the second thing would be the business continuity side of things. As we've seen in recent outages, this is a big problem and people not being able to operate their business, how much money that they are losing. And this will continue to happen because of how reliant we are now on technology. And, you know, businesses are built upon this. So is that what you're sort of seeing now in terms of the shift? And I mean, I've been in this game for ten years and the conversation that you and I are having now, this wasn't really a conversation even a couple of years ago, really. But ever since we've seen a lot of these outages, we are starting to see people move away from the old. [00:14:44] Speaker A: Adage, absolutely every bank, every healthcare customer, every large complex environment that I've had conversation in last ten months. In color tokens. This has come out as to be the most important part. Every time we've spoken. We've taken the conversation away from technology to a breach impact reduction or breach readiness. It has resonated particularly. They understand that the threat vectors are not just the data center or the it workloads, but it pans across ot as well as cloud. And as long as we can give them that whole pervasive defense model, they start to make sense because the attacks are coming from everywhere, everywhere else. And despite putting in the best of the technologies, the breaches continue to happen. That's the problem we are dealing with. [00:15:32] Speaker C: And just to sort of touch on a little bit more in terms of business continuity, is this something that is starting to, even in recent sort of couple of weeks when I've been interviewing people, I can see the conversation and dialogue changing. This is what is worrying people like. If you think about even like Delta Airlines, for example, not being able to operate x amount of flights for even that amount of time, that impacts people planning as well as, you know, as a rep, you know, reputationally as well. Even though it wasn't really their fault, people on the front line are still blaming them effectively to be like, well, I can't, I can't fly home now because your system isn't working. So are we trying to see organizations like people don't want to be in this situation? So what does that then sort of look like from a conversation point of view that you're having with customers, for example? [00:16:22] Speaker A: That's a great question, Carissa, and I'm going to respond that in two ways. Number one is a step ahead of business continuity is what I would like to say as digital resiliency. And why do I want to make sure I say that very clearly? Because I believe we are living in times. Not a single organization can say that they are not digital. In fact, any form of brick and mortal business models that you and I might have grown up on are digital in most part of their value chain now. And most part of a customer's perception about a brand actually is starting and emanating from the digital experience of the brand. I mean, it's an airline or a hospital or a bank or a what have you, if thats the world we are living in, I think the most important metrics that starts to be important to the CEO is digital resilience. Now let me tell you this interesting conversation ive had in last nine or ten months. Absolutely consistently ive heard this. So ive asked CEO's saying if you had a disruption in your operations, whatever the reason may be, lets tail cyber attacks. But weve seen outages and everything impacting. And the first question I've always said, when do you, how much time do you think your business will be up by most of the CEO answer expectation is 24 hours. You're going to ask that to the, to the CISO, probably say seven days. If you ask that to the CIO, it goes down to months. The reality is that if your business is running at hundred percent level before a disruption or an attack, it never comes back to 100% for next six months. So we are talking about it falling down to 20% level for next few weeks, and it starts to crawl up back to 80% in months. And if I were to translate this back to what the economic impact of that is, I think you understand wealth. And if there is a cyber attack, that makes you limp at 20% levels for months, which usually comes with a bit of a blind spot for the leaders. And when they realize that, oh, is that true? And they start to react very differently. To me, I'm elevating this problem to saying that, can we talk about how we can help businesses achieve 80% operating minimum value business? I'm going to call it the 80% level. And I think micro separation can play a massive role there. So what I'm trying to say here is that can we help organizations achieve digital resiliency by making sure 80% of their operations are up and running in hours? And what I would say the maximum possible operations are running by quarantining the cyber attacks into micro segments rather than the current standards of 20% of acceptable operational running in case of disruption. I think as long as we can hit that most important business outcome for our customers, and that's the path we are in. Color tokens. We would do a great lot of benefit back. They can continue to invest with all the prevention technologies, have a lot of respect for them. I think they need to start understanding that this is where the real value starts to come in, which is digital resiliency. [00:19:51] Speaker C: You said before, if it makes companies limp, but we've already seen people limp in recent times. The part that got me was, and I interviewed g two Patel from Cisco about this, and I was sort of looking at, you've got a young student that couldn't fly home, and she's like, I don't have any money left in my account. That was a problem. But then you've also got people that couldn't even operate their businesses, and that that wasn't even 24 hours. So you, could you imagine when we're getting up to that 24 hours and how there's so many interdependencies as well on companies. So would you say organizations are fearful because they have this reliance on these technology, software companies? So for example, if they're relying of x company, something goes wrong, which it can do. Not everything's perfect. Do they have that anxiety and that fear constantly because that's problem in their supply chain. Right. Like they kind of need this person to be their oxygen to do certain things. But then they're also fearful at the same time that if something goes wrong, to your point, it's going to make them limp. [00:20:53] Speaker A: Yeah, I mean, see, the fear is coming in from what they're seeing. And most of the time the attacks are, you know, you could be on the headline next. So that's not going to go away. But I don't think we can live in the state of fear. I think the right way to look at this is how can you augment your cybersecurity controls with a breach readiness mindset and microsegmentation does that. Exactly right. And how does that do it? Like most serious organizations who plan for security well, or cybersecurity well, they know their critical digital assets and where the data is and where they are to some extent because of the information as a basis of cybersecurity investment, they know what it is. Such organizations, they also have a very mature incident response programs. I have to tell you that despite some of the successful attacks that ive seen, ive seen pretty mature incident response programs and they also test it periodically. So im not here coming back saying, you know what, none of that is working. I mean, some of these things are very mature as well. But adding micro segmentation to this would mean that it would be possible to contain a cyber attack by quarantine it to the zone where the attack has been detected. What does that mean? This would mean that the rest of the enterprise continue doing business as usual while the SoC manages the cyber attack within a very small micro perimeter of where it was detected. This changes the whole business continuity paradigm that you are alluding to. So instead of planning to continue business at 20%, what I was telling you, it's possible to plan for 80% continuity. And even if the systems are compromised, cyber forensics will be limited. So you'll not have time. But when it is a small micro perimeter, it's much easier for businesses to thrive under the attack. And I'm using the word thrive because just imagine if I were to give you metaphorically, I'm sitting in a restaurant and there is an attack there, by the way, I've seen this live in earlier part of life. I don't want to talk about that now. Another time that if the attackers get inside of. And you could on the fly, create micro zones in the restaurant, that instead of seeing hundreds of people on hundreds of tables there, they could actually end up seeing only probably a micro corner of that restaurant. They could only destroy because nothing else is visible. That's what micro segmentation does. It basically then allows the resources and people skills to solve a much smaller part of the problem while making sure the rest of the business is working. And I think that fundamentally is the game changing technology that businesses need now. [00:23:27] Speaker C: But what happens if it's not detected? [00:23:29] Speaker A: That's exactly what I'm trying to say. It's when your detections fail. But if you. So what happens in a breach? Ready? Micro segmentation. Let me just walk you through some of the parameters. Why it is important, because when we say it's digital resilience and micro segmentation can help there. Let's look at some building blocks. Resight is important because the listeners should get that part. You need pervasive defensibility, which means it should be possible to address all points of breaches across it. Ot and cloud. Very important. Okay. And if you got identity or repetition or API, all of that, right. You need panoptic visibility, which means it should be possible to combine the semantics and the instance information of the compute landscape to ensure that there's a complete visualization from east west and north south traffic. Then you got to model the defenses. It should be possible to simplify the computing landscape into defensible zones that restrict lateral movement. And that needs a fair amount of readiness. Right. And that should be. And you should be able to do that in 1st 90 days. And then you achieve what I could so call a breach ready zoning. Which means you should be possible to design these zones that can be segregated, quarantined and isolated while the attacks are on, which is I call the ghost shields up. Right. And so. And that you can achieve, obviously with more progressive hardening, more granular quarantining. And I think if you follow these practices, it becomes much easier to reduce that impact even if the preventions and detections fail. [00:25:02] Speaker C: Yeah. Okay, that makes sense. So, okay, so let's, let's get into this a little bit more. What do you think people need to know more about this? We've obviously discussed as misconceptions. People are making parallels to Vlan, et cetera. But what's the one thing that people listening on this show today really need to know about micro segmentation. From your perspective. [00:25:26] Speaker A: I think they should focus on the real outcome. And the biggest real outcome that we can provide is help them be completely digitally resilient from cyberattacks. And I think that's one goal that resonates with business stakeholders and tech stakeholders. This is the tech to really go to. But what's important then from there is to really have the right partner, have the right vendor that can walk you through the whole mile, get them ready around all these parameters I talked about, but most importantly, be able to deliver a value in the first 60, 90 days window. That that's very important because attacks are going up every day. So that's one big outcome we can bring on. Tim. [00:26:09] Speaker C: Okay, so you were saying people need to focus on the one big outcome, but aren't people focused on this? [00:26:14] Speaker A: Would you say they are? Business continuity and digital resilience are. But what are the solutions? If you look at the, you know, I'm going to go back to the Mitre framework. If you look at the Mitre framework, the biggest gap right now in mitre framework is, you know, if. Okay, let me, let me just pour to simplify that. There are four parts to the Mitre framework, ATT and CK framework. Right. The first part is to find victims and build the resources, which is a reconnaissance part. You and I can't do much about it. The business model of cybercrime has enough motivation that they will do this. You, we don't have a, we don't have a control over that. The first block, the second part is initial cyber attack and access. This is where most of the tools and technologies are. Prevention, detection, identity. It's very well invested. So the second blocks, we've done very well, but that's not enough because the third block is where they move laterally and extend the axis. Now, this is the part, this is the problem that's not been solved. And I think at color tokens, we are focusing in this bucket of problem. And if that can be done, then their ability to really steal and exit with our data and whatever their motivations are really reduces significantly. So we are solving a biggest missing gap right now in Mitre framework. And I think if organizations understand that, which I think most organizations do, they will start to see value here. And in the past, probably, I would say the industry has been talking a lot about the tech. And in color tokens, we have shifted our conversation saying, forget the tech part, this is a real value we can bring in and we can bring it pretty quick. That's important. [00:27:51] Speaker C: Ok, so you mentioned something before. Jag around, right vendor. The part that gets me perhaps at times is I've spoken to, I would say every single major vendor in the world multiple times. And one of the things that often comes up with customers is, hey, I went and procured this stuff from X vendor once the deal's done, never heard from them. Not telling us about the latest features and functions and not having that ongoing sort of support and communication. I'm hearing that a lot from customers who are leveraging quite large vendors as well. So it's not like they don't have any resources. They do. So what, what's your view on how customers can pick the right vendor? Because there's thousands and thousands of them out there and people are getting bombarded every day by a vendor. But this is the part where I've often seen frustration from clients to say we don't actually hear from them once the sale is done. [00:28:47] Speaker A: Yeah, the curse of the industry, isn't it? The sales guys promise a lot of things and then that doesn't try to get transferred back to the delivery team. And there is always a gap that comes from the delivery team as well as even the partner that's going to manage that, whether it's a system integrator or global side. I've been fortunate to work with organizations who haven't done that. Okay. And I'm not here to talk about them, but I'm going to talk about what I've learned from the best. And this is exactly what we are promising in color tokens. The first thing is what does the tech say isn't important. What does it, how does it translate back to you from business outcome is important. What's the business outcome will help you be ready for breach, will help you reduce your breach impact, will help you achieve business continuity, will help you achieve digital resilience. We'll stay on those four. While we do that, we also give you economic benefits. We do have business value assessment with our prospects at the beginning of the conversation, so that when we do a proof of value, it aligns with the business value assessment and the business goals. That's very important. But once we start to adopt, the adoption starts, we are very clear about our execution. What are we going to do in the first 30 days? How will we help reduce the attack surface? This is a clear metrics that we commit in the first 30 days. And that's important because most of the vendors have not been saying that reducing attack surface is important. Because the ability to change the communication between systems using zero trust. Right. I'm not going to spend a lot of time on zero trust. You know about that. That is qualify what communication is, right. And what's not. Most organizations don't know that and that happens directly from color tokens. With our own team. We've got a specialized team that works on it that does that in the first 30 days. In the next 30 days, we reduce the blast radius. Okay, this is what, this is when you don't really allow infection from patient zero to move to patient one and ahead. We do that ourselves in the first 60 days. In the first 90 days, we make sure we can reduce the breach impact score from x to 0.5 x, which was 50% breech impact reduction. And that's the promise we make upfront. Then after that, there are two choices. We got our own managed services that we can run and operate it for the whole year of next few years for the customer. And that's pretty much the choice the customer has, or we've got our partners, our global sis and local partners that can run it for them. And we make sure that through the first year of the partner managing it, we do a fair amount of mentoring because understand, the technology has not been well understood or adopted by the partner community as well. That's a work in progress. So we give both the models. And that's important because end of the day, when we talk about digital resiliency, it is not a goal of today, tomorrow, it's a continuity goal. It is important that as a vendor we give a choice. Either we can do that for the customer directly, but we make sure. And some of our largest customer in last two, three years have been the one where we've imparted the skills internal and then let them lead it up front. There have been some people who have said, you know, we are capable of doing it on our own, or we bring in a partner who do that. I think this is a part, we are solving it right from day one. Learn from all the best with organization in my past, I think this is something we are pretty committed to. [00:32:07] Speaker C: Okay, so what I'm hearing from what you're saying is companies should try with the vendor before they buy it, rather than companies saying, all right, vendor, we're going to, we're going to hand you over all this money and then we never see you ever again. And they walk off into the sunset and that was. And they call it a day. Is that what you see saying? Would you say that is a better approach to finding the right vendor because everyone's going to say we can do this and that and we're 24/7 but in actuality I've seen that not be the case. And this is the part like that I really want to understand is would you say that that would be a clear driver for companies out there that are looking at procuring vendors, that they be working with companies and saying, look, okay, let's trial this out for a couple of months or 90 days to what you're saying and then see what happens, rather than we're going to sell you, promised you the world and then deliver not what we sold you, for example. [00:32:56] Speaker A: Yeah, I mean, and that's pragmatic. Let's say you've got 10,000 servers in your data center. I'm going to say, you know what, give me the first thousand to start with. These are the value metrics that I'm signing up that I will definitely commit to achieve for you in the first 90 days. And one of the biggest goal would be 50% reduction in breach impact. And if we can achieve that for 4000 servers, let's go all out because it's important for all the servers and that's one way of doing it. And I think we are very clear, our value realization guarantee, we are so clear about that that if we can achieve it for a smaller subset, it makes it much easier for the customer also to take it back to the stakeholders. Because understand for the CISO, they've been up in this state many times when they have gone up to the board and said, you know what, I'm, this technology will change the game and it hasn't. It's important that we find them. We become their friends in articulating this back saying how can they be confident that this one will deliver? And if you can show that with a clear value realization metrics in 1st 90 days with a small subset, it gives them confidence and also gives them early wins that they can take back home and get for the entire scope. In fact, that's something we advocate very strongly. [00:34:06] Speaker C: So what you're also saying is people need to have that skin in the game. So example, going back to the 90 days, guys don't deliver for example, or there's probably other companies that are doing that out there as well. Therefore it's like, well you guys didn't deliver, therefore we're out. So there is showing that there's that extra layer of assurance is what I'm hearing from what you're saying. [00:34:26] Speaker A: 100% in fact if we're so confident of our technology that in the first 90 days, if we don't hit the value metrics that we signed upon, we will take it back. [00:34:35] Speaker C: And so are you seeing, generally speaking, in the industry, as you mentioned before, like, that's been the problem of people selling something. Never hear from these people ever again. Are we starting to see a shift in terms of how buyers are buying now that this, this is going to be quite, you know, the new way forward? People aren't going to just hand over money to vendors and say, okay, well, we trust you to do the thing. Like, you're going to have to prove it first before we're willing to decide on for longer terms. [00:34:58] Speaker A: Would you say 100%, Carissa? I mean, I've been meeting quite a few of customers across the globe. I'm right now in us and I've been spending last seven, eight months in this, in us and Europe and of course in Asia PAc. And one consistent feedback that comes in, particularly for micro segmentation, and I'm not trying to take a shot, anyone here particularly, is they haven't been able to complete the journey for which they started. And then I go back and say, what was the goal that you had in mind? And the goal is fuzzy. So if the goal is clear, if the goal is simple, let's just stop the lateral movement. That's what technical goal. But the real business goal is help the organization be digitally resilient. If that's the goal, let's break it down into four or five metrics. That's important to achieve. And let's do that in the first 90 days instead of making that a NASA project or a rocket launch. We aren't in that business. I think that's fundamentally what you have tried to address. And that's exactly the conversation I want to have with ten out of ten customers that I meet in forthcoming future, because I think that's really has been the missing gap. [00:36:02] Speaker C: So I want to sort of just quickly touch on the path forward. What do you think happens now? So obviously, we're seeing a shift in the mindset around understanding that people are going to get in regardless. We're also seeing a shift on how to pick the right vendor and this sort of try before you buy type of thing. What else do you sort of see moving forward? [00:36:19] Speaker A: I think, as we all know, that tax are going to get more and more sophisticated. This game is not getting over. Okay. And if I were to have one message for the businesses, is this right? Businesses must realize there is no constant state of security. And we've always had this mindset about looking at security as a cyber war. I would like to say it's not a war, it's a game of chess. In a game of chess, you're constantly looking to make moves so that you're ahead of the adversary so they can protect the king. And the king is the data your crown jewels? I think it's a mindset shift. And the moment we have this mindset shift of not using a mental model of a war here, rather than a game of chess, it constantly puts us in the game saying, I could keep getting better and better. So next. The next ahead of it, next step of micro segmentation, I would say, is far deeper micro controls, which makes it even sharper in terms of what value metrics you could bring. So if I could protect, if I'm exposing 1% for attack, can I make it 0.5%? So make it even harder and harder. I think that's what you would expect from color tokens moving forward, even more tighter controls so that we allow no room for the adversaries to move. And that basically comes from we changing our mental model of thinking of this as a war rather than a chess game. I believe it's the. It's the latter. [00:37:47] Speaker C: So, JaG, is there any sort of closing comments or final thoughts you'd like to leave our audience with today? [00:37:52] Speaker A: Despite all the doom and gloom talk that we mostly end up in these conversations, I still think that the industry, and I want to speak on behalf of my peers, we've done a great job in mostly try and keep the organization safe, the government safe. The world would have been a very different situation if it was not the case. So I think, first, let's all applaud ourselves that we haven't been that bad. But the only thing we should know is it's not going to stay where it is, because adversaries are always a step ahead. And I'm going to again go back and say that this whole fight is not symmetric. They have more information about us than we have about them. So if we can know more about them and make sure that our cyber defenses are up with respect to where we are expected to be attacked, I think that mindset shift will do a lot of, lot of good for the whole community. [00:38:47] Speaker B: This is KBCast, the voice of cyber. [00:38:52] Speaker C: Thanks for tuning in. For more industry leading news and thought provoking articles, visit KBI Media to get access today. [00:39:00] Speaker B: This episode is brought to you by Mercsec, your smarter route to security talent. Mercsec's executive search has helped enterprise organizations find the right people from around the world since 2012. Their on demand talent acquisition team helps startups and mid sized businesses scale faster and more efficiently. Find out [email protected] today.