We Deliver Visibility, Consistency and Control
Season One · Episode 5

In this episode, host Raghu Nandakumara sits down with Stephen Coraggio and Greg Tkaczyk, Managing Partner and Executive Consultant at IBM Security, to discuss the business value of cybersecurity, defining your crown jewels, and overcoming “analysis paralysis” and other Zero Trust challenges.  

Transcript

00:00 Raghu Nandakumara: Welcome to The Segment: A Zero Trust Leadership Podcast. I'm your host, Raghu Nandakumara, Head of Industry Solutions at Illumio, the Zero Trust Segmentation Company. Today I'm joined by IBM Security’s Stephen Coraggio and Greg Tkaczyk. At IBM, Stephen is a managing partner who leads their America's financial services cybersecurity practice. With over 22 years of financial services and cyber experience, Stephen focuses on security projects ranging from program strategy and design to implementation and operations. Greg is an executive consultant in the IBM Global Security Center of Competency, focusing on cloud and infrastructure security, including posture management, container security, and microsegmentation technologies. Today, Stephen and Greg are joining us to talk about the business value of cybersecurity, defining your crown jewels, and how to overcome analysis paralysis and other Zero Trust challenges. Hi, welcome. Stephen, it's fantastic to have you here. How you doing?

01:02 Stephen Coraggio: Great. Great. Thank you for having me. I'm excited to be here as well.

01:05 Raghu Nandakumara: It's an absolute pleasure. And Greg, likewise. How you doing today?

01:09 Greg Tkaczyk: Great, Raghu, thanks for having us.

01:11 Raghu Nandakumara: Both of you have got very kind of wide-ranging paths to where you are at today. So Stephen, if I may, from a business-facing perspective, how have you observed cybersecurity has evolved in its business perception?

01:26 Stephen Coraggio: It's an interesting question. I think, I've been in this space now for 16 years, cybersecurity consulting, working with lots of large global clients, regional clients, and sort of everything in between. And what I've seen in the last, let's say three to four years is a significant shift from a business standpoint, risk standpoint. So we've gotten more and more engaged in the business side of cyber. So business risk up to the Chief Risk Officer, even up through board of directors and the executive team around what is the real business risk impact or enabler of cyber and how it can drive transformation or things like even wide scale enterprise digital transformation and how cybersecurity can enable that. And that's really been a shift in the way clients have engaged us over the last three to, three to four to five years.

02:18 Raghu Nandakumara: That I think is really interesting because I think we see that also that evolution of the CISO and the business-minded CISO. So I want to come back to that in a second. Greg, as a practitioner who's very deep in technical implementations, how have you seen that change, the whole sort of approach to cybersecurity change over the years from a technical and implementation perspective?

02:41 Greg Tkaczyk: When I started in cybersecurity 20 years ago, we were very much focused on assessment work, delivering reports in terms of what can be improved. And really now more the shift is clients are realizing they need support of a trusted advisor to take them through that enterprise implementation of software. Really, it's focusing more from a what traditionally has been an infrastructure-based approach to a software-based approach to cybersecurity.

03:10 Raghu Nandakumara: Awesome. And we'll come onto that. Because that's that natural shift from sort of everything on prem, everything you manage to hybrid cloud, etc., drives that transformation to software. So Steve, I want to come back to what you said about the way we think about cyber changing and being far more aligned to business requirements that now extending to sort of the Chief Risk Officer, etc. What do you think triggered that shift, from it just being an isolated, almost IT discipline to now being a much more business discipline?

03:43 Stephen Coraggio: I think cyber has become mainstream. I think when you look at some of the major incidents that have happened over the last five to seven years, it's become a board conversation. It is no longer isolated to the CISO and boards are now thinking about, what is the impact of cyber to our bottom line? How does it impact our share price, our stockholders, our value, the way that clients, partners think about us in the market? And when we build out cyber programs, a lot of the conversations center around, “Can we share this with our clients as an enabler, as a differentiator so they feel more secure doing business with us? Have we embedded security in the products that we offer, the platforms that we share, and just the way that we go to market?” And I think they've realized that this is an enabler to business value and to the way clients and our partners go to market. I think we're at a very interesting point in our time where security now can be thought of as a business driver, a differentiator at large scale companies, where over five years ago it was a cost center and thought about as a sort of a place where funds go to die. And now it's the opposite.

04:54 Raghu Nandakumara: Yeah, absolutely. And I also think it's been the perception that security functions are always seen as those functions that say no to things or question everything. And that transformation to being able to say, “Okay, this is how I enable your business.” So Greg, can you pay that off and explain from a technical perspective how you show that you are enabling business and transformation?

05:17 Greg Tkaczyk: Yeah, absolutely. So one of the things I usually do to start the conversation with my clients, especially when we're talking about Zero Trust, is really level set on the challenges they're facing. And from my experience, that boils down to three things. It's visibility, consistency, and control. And Zero Trust is a broad topic, but I think ultimately those are the three things that all of our clients are trying to achieve, regardless of what area of Zero Trust we're talking about. So when you think about visibility, we're talking about visibility into assets, into applications, users, data, etc. What are all the cloud resources I'm trying to protect? How are they configured? What are the workloads that make up my applications? How are they communicating? That lack of visibility can result in blind spots that can allow an attacker to move through your environment or what have you, and ultimately, you can't create security controls if you don't know what you're trying to protect.

06:06 Greg Tkaczyk: But to your point, when you establish visibility, you oftentimes end up creating this shared source of the truth between stakeholders in the environment, within the enterprise, that they can leverage going forward to make their jobs easier. So one of the things that I often try to do anytime I'm involved in an implementation is meet with the different stakeholders across the organization, whether that's compliance teams, usually the CISO and his organization, incident response and all that, and figure out how can they leverage this tooling or this new capability within the enterprise to make their lives easier?

06:43 Raghu Nandakumara: I like the way you described it. As you used three words: visibility, consistency, and control. Essentially being the three pillars of the way you described Zero Trust. Can you kind of give an example of where... put this in front of a client and they had that “aha moment” about how this is going to essentially accelerate their digital transformation?

07:03 Greg Tkaczyk: Yeah, absolutely. My area of focus right now essentially is microsegmentation and cloud security posture management technologies. I was working with a large client implementing CSPM and the director of engineering at that client essentially said, "Typically, our group would procure this technology and implement it within our own silo and figure out how we're going to manage it. And that's it." We've never really worked with a partner that kind of came in and could reach out to the compliance organization, and understand what are the capabilities that this new tooling could provide them? Can it provide reporting? Are there specific assets they're interested in terms of protecting? We reached out to, like I mentioned, incident response. This is going to identify shortcomings in configuration, how do you deal with that? And so realizing the value from the tuning outside of what is typically your project sponsor, the CISO organization, I think is key. Because as people start to leverage that technology internally, it becomes business as usual, not just within security but for the broad organization.

08:05 Raghu Nandakumara: Yeah. And that sort of kind of brings me onto the sort of, what I wanted to ask you about Steve. Is that Greg mentioned about extending beyond the CISO organization, as part of building out this program. So from an exec sponsorship level, how do you help them build out that sort of cross-functional support for programs like this?

08:31 Stephen Coraggio: One of the big buzzwords, I think, recently is we talked to clients around exposure management. And when we dive into terms like exposure management and overall visibility of an environment, the executives get the aha moment by saying, that we really don't understand how are we truly exposed to vulnerabilities in our infrastructure. What is the true visibility of our environment? Especially now most of our clients are hybrid cloud clients. So they have multiple hyperscalers, they have multiple vendors in the space and around when you think about visibility coverage and then really trying to protect what's most valuable, those conversations at the executive level really help drive these programs. Because back in the day it was around protecting everything, encrypting everything, and really making sure that we scan everything in an environment. Now when we talk to clients, it's around how do we make sure that we are truly looking after the most important things in our environment, making sure that those are properly protected, controlled, we have visibility, we're monitoring that, and then we're responding to threats in those particular environments versus trying to boil the ocean in everything that we do.

09:43 Stephen Coraggio: Exposure management, which sometimes is referred to as attack surface management or attack surface mapping. But it really comes down to visibility, coverage, and then prioritization of the most critical assets. And those conversations at the executive level always resonate in some sort of agreed buy-on, buy-in, around funding, around these sorts of programs.

10:05 Raghu Nandakumara: And we hear that term around the most critical assets, the most important components. How is that typically defined/identified when at the executive level?

10:19 Stephen Coraggio: Yeah, most of the time it's not. And most of the time we have challenges around how it's defined. Every sort of line of business or IT function thinks that they have critical assets. So what we do is we take a consulting approach to defining what we considered crown jewels of an organization - depending on their industry, their business lines, how they go to market, public/private, are they a manufacturing company that deploys products, or are they a FinTech company that really supplies software? We then define their business projects, their imperatives, what's critical to them, and then we take a cross line of business approach to defining what that is, and then we risk rank it. So we take the value of those assets, we take the value to the market, the value to the firm, and then we apply that methodology to help define what is critical or crown jewel to a company. So it is normally not defined until we really try to put together a framework around, or a methodology around, what that actually means to our organization.

11:23 Raghu Nandakumara: And so I'm just going to... Greg, coming over to you from a sort of an execution/implementation perspective. How many cycles does it take typically for an organization just to come to an agreement as to “this is the criticality, this is the right prioritization, and this is where we need to start.” How does that map out as a process and timing?

11:45 Greg Tkaczyk: So the first thing to say is nobody has a perfect CMDB or enterprise application list, but usually there's something. Usually there's a starting point that you can leverage. And so when we go into these organizations that obviously to Steve's point, you don't want to boil the ocean. You have to start somewhere. You have to prioritize those things that are most relevant to the business. And typically, we leverage whatever exists. It's usually quite a cyclical process to get to that agreement, but it's something we know when we walk through the door. That has to be a priority to establish. One of the things that's often a challenge is that nobody wants to make the final decision. And so, trying to steer your client organization to identify a technical project champion that has the authority to make those kind of decisions, and ultimately whether those are decisions around the architecture of the solution or whether those are decisions around prioritization of what are you going to target first. That's a key part of rolling out these types of technologies.

12:47 Raghu Nandakumara: I actually want to ask a bit more about that. Because often, a lot of security projects, as you say, stall on that because of that inertia. That no one wants to take the decision as to, okay, we need to go and do X. So how do you typically actually get clients over that hump? What is the advice you give or what are the levers that you pull on so that progress can start?

13:10 Greg Tkaczyk: Usually we take a two-pronged approach. Usually there's a work stream that we call rapid risk reduction. Typically whatever technology you happen to be implementing, there's something you can do, early in the implementation, that may not be perfect, but it's going to help and you're going to be in a position that's better than where you were prior. So what are those use cases for rapid risk reduction, and don't get caught up in analysis paralysis for that. As you are trying to identify those, you don't want to spend four months deciding what top five policies you want to enforce in a CSPM solution or whatever it is. So make those decisions quickly and reduce risk. So that's the first work stream. And then the second one, in terms of the strategic goal, really focus those use cases and again, see if there are things you can do to still show value with the understanding that perfection is not the key. So if you are trying to protect the 1000 applications, narrow that down to your top 10. And then within those top 10, how granular do you actually have to be? There might be policy decisions you can make that are broader, they're still better, they're not perfect, it's not the end state. Yeah. But let's get moving and show value.

14:26 Stephen Coraggio: And to just add to that, maybe there's a third one that I think we've been adding recently over the last maybe years. We usually bring in the third work stream around risk quantification. And I know it's another widely used term, but risk quantification program has just taken off in terms of the value that our executives like to see from a program in terms of identifying threats, vulnerabilities, risk, ranking of assets. Because we can take what they believe are crown jewels, we can apply quantification to those assets around threats that we see in the market external, threats to a particular industry. We can simulate what an attack would be on those particular assets or environment, and then quantify what it actually would cost that firm if something were to happen. So that risk quantification model, it's a fairly low investment for a lot of companies, but it provides a significant ROI in terms of where they want to spend money on controls, visibility, microsegmentation, asset visibility and all that. It's, to me, that is starting to become baked into a lot of the things that we do, even though they were not necessarily part of a risk quantification program.

15:36 Raghu Nandakumara: Yeah. And actually, you almost answered the question that I was going to ask before I even asked it because I wanted to tie back something that Greg said right at the beginning when he said, when he got into cybersecurity about 20 years ago, it was very much a checkbox exercise. It was very much compliance focused: “I need to be compliant with these requirements, check, check, and I'm compliant.” And we all know that being compliant doesn't mean that I'm secure. Being compliant does not equate to being secure. And that's what I wanted to ask is that, it feels that there is now a greater appreciation, that understanding risk requires some level of threat modeling and scoring associated with that to then identify, "Okay, here is where I'm at greatest risk and that's where I need to focus on from a controls perspective." Is that a significant shift that you've seen over the last few years?

16:22 Stephen Coraggio: Yeah, I would say cybersecurity is no longer a capability that clients are just thinking about. This has been around for a while. Maybe the late 2000s, we were thinking about everyone was buying technology products and an open checkbook. The last four to five years, and maybe even the last three have been around, “How do I do more with less? How do I really, thinking about rationalization of spend and technology and sprawl?” Our average client has 78 different security products. It's a lot about, “How do I rationalize, provide ROI, quantify risks so we can apply the right technology to the right environment and then save money by de-prioritizing other things?” So when you think about some of the next generation technologies like microsegmentation, that includes visibility, Zero Trust concepts that include AI and automation, those are things that our clients are thinking about because it's really about leveraging investments in the right way and prioritizing spend, versus maybe just going out and buying the next shiny object. And that's really what we're seeing, especially in markets like we are in today.

17:32 Raghu Nandakumara: So that's really interesting, because you spoke about tool consolidation and getting more from less. So I want to, again, ask this question in two parts, Steve, one to you and Greg from a practitioner perspective is that, how do you talk about, let's say you've got... You are in front of that sort of exec sponsor and you say, "Okay, you should invest in this capability, because it's going to give you these benefits." And then equally, Greg paying that off. How do you demonstrate that those benefits are actually going to be realized? So Greg, maybe you want to go first?

18:06 Greg Tkaczyk: Sure. So just to add to what Steve was saying - visibility, consistency, control - the consistency part of it is tool rationalization, choosing technologies that are going to work across your heterogeneous infrastructure. Not just data center, but hybrid applications, multi-cloud, containerized technologies, serverless technologies, etc. So you want to think about selecting those technologies that kind of can work across that ecosystem. In terms of talking to the executive sponsor and showing value, so I would take it a step back. Oftentimes, clients want to jump to the ultimate goal or the full on capability that a technology is going to provide. But during that solutioning and sales process, there are often opportunities to work with them, to still architect a solution that can obtain those business objectives and reduce risk. I mean kind of “What is the licensing, what are the features, what are the modules that you need, when are you going to need them? And what kind of support are you going to need in that rollout?” Whether that's professional services or managed services. So focusing that initial scope on what is the immediate concern, so that you can immediately show value against kind of a goal that is more realistic and practical to achieve versus kind of a targeted end state that may be two or three years out, is key.

19:33 Greg Tkaczyk: And if you think about that in the procurement and solutioning process, you can often reduce risk, reduce cost as well to maximize ROI, what we were speaking about before. Creating a ramp-up model in terms of volume and features and all of that. When I speak to clients, first, I'd want to address it upfront, and then once you were in it is, what are those metrics that you can highlight on an ongoing basis to achieving that success criteria? If you've built it correctly, if you've solutioned the initial scope correctly, measuring against that success criteria should be pretty easy.

20:06 Raghu Nandakumara: Yeah, yep. Definitely. Steve?

20:11 Stephen Coraggio: Yeah, it's interesting. I cover financial services. So for me, our clients are the most mature clients out there. We've been seeing that level of maturity high for many years, and I commend our clients for wanting to be the best of the best, and I think it's shown in what we see from a capability standpoint. We're moving to organizations within my market or even top 10 or 20 in other markets where they want to move to capabilities such as integrated risk centers. Think about how do we fully integrate risk into the cyber controls, cyber fusion center, and some of our next generation, SOC or threat management capabilities. I think it's a great vision where these clients want to be. But to Greg's point, these are three to five-year roadmaps, three to four-year roadmaps.

20:54 Stephen Coraggio: So, our view is, let's take a measured approach to get there. Let's find the right vendors, solutions, and capabilities that have that same vision in mind, that want to get there with you within the next three to five years, and we will build a crawl-walk-run process to get there. But there's foundational elements. There's things that we talked about already on this call around basic visibility, controls, access, management. Those are the foundational items of an organization when they want to get to that next generation integrated risk center. But let's start at the beginning. Let's build the foundational building blocks. Let's make sure that we're covered from a visibility and vulnerability standpoint, have those basic capabilities in place, and then build on that roadmap with product vendors and solution vendors along the way.

21:44 Raghu Nandakumara: Just hearing both of you talk, right, it's like in this conversation Greg at the beginning laid out... Zero Trust is really visibility, consistency, control. And both of you repeated those terms multiple times. And Steve, what you just said, these are the basics. Visibility, consistency, control are the basic building blocks of any good security program. In terms of the programs that you see your clients mapping out, and let's focus on the financial services industry for a bit, what role does Zero Trust or a Zero Trust strategy play in the development of those programs? Is that a real thing that they bring up or is it almost a... And if we do this, it will ladder up to a Zero Trust strategy? How is Zero Trust being discussed and planned within your client group?

22:37 Stephen Coraggio: When we peel back what we think about Zero Trust, and to me and to us, it's a framework. It's a set of guiding principles to getting somewhere where you can actually help clients provide the visibility, the controls, the identity, and actually continuously verify who has access to what and why. To me, it's really just a framework. It's what NIST was, it's what a lot of these other frameworks are. And then when you look at capabilities within that framework, like visibility and understanding basic things like CMDB, vulnerability coverage, asset management, basic building blocks of a security organization, that's when the whole Zero Trust capability comes together. It's around building those all together.

23:22 Raghu Nandakumara: Right. From a financial, as you said, the financial sector has always been on the cutting edge of security because of the regulations involved, the requirements, the regulator's place. What are you seeing? Are you seeing an increased adoption of Zero Trust and knowing that you don't necessarily call it out because of all the things that you mentioned? Or is it just that, again, that the organizations are just improving those fundamentals and essentially that removal of implicit trust that ultimately leads to a Zero Trust outcome?

23:52 Stephen Coraggio: Yeah, I think the top 10 or 20 CISOs within financial services are leveraging Zero Trust as a board conversation. Because the boards know the term, they understand the term. It's fairly easy to know what Zero Trust means. But what they're taking is the Zero Trust frameworks and implementing that as part of the capabilities and investments that they're making, so that when they summarize it to their boards and their directors and their executive team, they're showing their progress and maturity on a Zero Trust scale to say, "How well are we covered? How well do we have visibility? How well are we protected? Do we have the right resiliency in place? Can we recover from an incident? How well prepared are we to recover from and if an incident actually were to happen?"

24:37 Stephen Coraggio: And so, that is the framework that they're leveraging for a board conversation because, again, it's fairly basic from an understanding standpoint, but it drives the capabilities underneath it from an investment standpoint.

24:48 Raghu Nandakumara: And that's really interesting that Zero Trust is a, in terms of how a security program is presented, it's presented in a Zero Trust framework to the board, whereas the actual execution underlying is more around the basic building blocks. I think that's really interesting because often I think we practitioners almost flip it on its head and say, "Oh, okay, I'm going to apply Zero Trust principles here." And as you said, it kind of gets diluted because everyone's got their own definition of it. Greg, I want to come to you, as a practitioner, when your clients talk to you about Zero Trust, what are the questions that come up and what is your advice, what are your responses?

25:23 Greg Tkaczyk: So I think the first question that always comes up is how do you start. And like we've mentioned, right, the first thing to consider is Zero Trust is a journey. It is in fact a journey. The focus has to be on continuous and incremental improvement that's measurable. And not big bang implementations that are going to disrupt the business. And like I mentioned, often you start developing what controls are you going to do in a very targeted way, but also what controls are you going to apply in a very broad way across your organization to reduce risk? And you can do both of those in parallel and in either approach is fine. But each is a stepping stone towards Zero Trust. So when I speak to my clients about that, I really try to outline whatever technology domain we're talking about, like, how are we going to do that?

26:09 Raghu Nandakumara: Yeah, absolutely. So just shifting gears a bit, Steve, I'm coming back to you, when you look forward in let's say in the financial services sector. What do you see as the driving forces that are going to demand an increased focus on better visibility, better consistency, better control? What do you see from a regulatory perspective, from a technology adoption perspective, what are the key sort of driving forces in that space for sort of the adoption of, or the improvement in these three basic controls?

26:38 Stephen Coraggio: One of the largest areas we've been talking to clients about outside of security is around digital transformation. It is accelerating quicker than I've ever seen it. And then maybe it's because of competition, it's because of investment, it's because of just the sheer volume of companies out there that are in the space. But as we talk to clients around digital transformation, whether that be onboarding process, customer experience, process improvement. The end user knowledge base and how we apply automation to understand what clients are looking for from product, services, expectation. That transformation is truly driving the need for these capabilities. And we are being more and more pulled into the conversations around if we move to these hybrid cloud scenarios and we leverage different hyperscalers and environments, how can we truly apply visibility, coverage, controls, response activities and resiliency in those environments?

27:41 Stephen Coraggio: Because we are extremely scared that our business is moving faster than we can actually apply security and security requirements. So I think keeping up with business transformation, digital transformation and the evolution of the business is probably the most common conversation that we're having from a forward-looking cyber perspective.

28:00 Greg Tkaczyk: I would just add to that, part of that is application modernization. Our clients are going through massive transformations where they're taking these legacy applications and refactoring them into containerized or serverless or lifting and shifting them or creating them into hybrid applications. A lot of these technologies can, we've talked about visibility a lot, provide visibility that can help make those decisions easier, but it's the perfect time to embed security into the application. As you're going through that transformation. Why go through that and then think backwards about how am I going to protect my newly factored apps?

28:36 Raghu Nandakumara: Yeah, absolutely. And on that, right, as they're doing that transformation, and we hear this term increasingly, sort of cyber resiliency is such an in vogue term these days. Is that a real sort of discussion point that you're having with your clients? Do they ask you the question, how do I become more cyber resilient? Or is that just an expected outcome of the programs that you're involved in?

29:00 Stephen Coraggio: Yeah, I think it's a conversation. It's not necessarily an offering. It's a conversation because it really drives the sub components and some of the programs underneath it. When we think about cyber resiliency, a lot of conversations are to sort of the right of an incident. Are you prepared? Do you know how to respond and recover from something? How resilient are you if something were to happen? A lot of these conversations are around preparedness, awareness, education, response, backup, recovery. Making sure we have those pieces in place so that if and when something happens, organizations are prepared. So things around like cyber war games, tabletop exercises, immersive experiences around threat scenarios, threat simulations. Those are where clients are really starting to spend money on enterprise-wide preparedness and making sure that they know who the commander is in terms of an incident. What are the right controls and the communication?

30:00 Stephen Coraggio: How do we get back up and running? Do we have the right backup systems and are they protected? So that's a lot of the resiliency conversations. No, certainly to the left of an incident, it's around controls, visibility, monitoring, and that's what's been around for a while. But now we're looking at both sides of that spectrum.

30:17 Raghu Nandakumara: Awesome, awesome. So Greg, coming over to you. Being a bit forward looking, where do you see the interesting next steps from a cyber, whether it's a capability perspective, whether it's a threat perspective that sort of practitioners need to be really wary of?

30:35 Greg Tkaczyk: I think it's increasingly about optimizing and automating the automation and remediation side of things. A lot of these tools identify things and alert you, but require a human response. Many tools and integrations with SIEM and SOAR platforms essentially close that loop. I don't think that's being used very heavily by our clients. The possibilities to make that happen, maybe from a plumbing and technical perspective, are there, but it's when clients really sit down and think about which use cases I'd like to fully automate. I think that's going to be an area we'll focus on going forward.

31:16 Raghu Nandakumara: Let's say, why is there a gap there: because clients today aren't able to define those use cases, or because they don't know what data they need to instrument and operationalize those use cases?

31:33 Greg Tkaczyk: Yes, but it's also scary. You're handing over control of parts of your infrastructure to something you inherently trust to make the right decision. And that's exactly what I mean. I think you have to define small use cases that you're very comfortable with. Those use cases don't have to be applied across the whole enterprise. And as you get more comfortable, you build up that automated-response capability.

31:58 Raghu Nandakumara: Yes, and when I think about Forrester's Zero Trust pillars, we have this theme of automation and orchestration that exists there. And coupled with a kind of visibility and monitoring, with the end goal being something like this ecosystem that essentially reports on itself, responds to changes in the environment and so on, and adapts access over time. I guess that's where everyone wants to get to. But as you said, giving up control is the hard part. Steve, what about all the other significant challenges you see beneath that, whether in financial services or generally among companies trying to really take their cyber programs to the next level and potentially accelerate that progress toward Zero Trust?

32:46 Stephen Coraggio: I would say the biggest thing we see from clients is really providing ROIs and investment cases for programs, and helping them, the CISOs, now present that business case around the value of a cybersecurity investment to the board. Whether it's a software or a services component. We've run more programs on business case, ROI and quantification in the last year than in the last ten years. Because it's about being more thoughtful when it comes to spending, and having more clarity with partners rather than spreading the wealth across too many. I think we'll see more and more of that as companies cut budgets and think about how I can transform with the business, but also in a thoughtful and efficient way. But I think there are enough vendors and solutions that clients today are seeing more and more return on their investments in companies than ever before. So I'm optimistic about where that's going.

33:45 Raghu Nandakumara: And that's really interesting, I think, because we've touched on ROI at a few points in this conversation. And that's definitely, as you rightly said, been such an important topic over the last 12 months. And we've had pretty much every security leader, whether on the vendor side or on the customer side, talk about having to prove their ROI. Can you boil it down, just to say, if we're developing, say, an ROI model, here are the key things we value and that we articulate well to the board. Can you shed some more light on that?

34:16 Stephen Coraggio: A lot of it revolves around what Greg mentioned, around automation, assessment and remediation of threats. If we have a huge client base and can harness the potential of many and synthesize the data to provide value and say, "We've seen this threat, we've seen this incident before, and based on our analysis and research it's a false positive, close it automatically." That saves analysts time and money. That saves time and money before an escalation. It actually saves time and money if you were to hire a Tier 1 analyst at all. So we're able to provide more and more automated platforms, offer more and more automated responses, and really try to build technology into these solutions to eliminate a lot of the commoditized, let's say threats or known threat vectors, and really focus on the ones that are most important and valuable to companies. And for me, we show value by saying this will reduce X hours of labor and X resources by replacing it with a platform, a technology or an AI model. That's a big part of the investments we're making.

35:16 Raghu Nandakumara: Greg, if you can, I'd like you to combine that. So that's the business case. How do you then report and show that, yes, I've automated roughly this percentage of those tasks? How does that get validated in that way?

35:30 Greg Tkaczyk: Typically at the start of an engagement. Part of defining the success criteria will be which metrics we can track and report on, essentially weekly, relative to the type of goal. How many of the agents have been deployed? How many assets are protected? How many use cases have been enabled? What percentage of the environment is in a particular security state compared to the rest? How does that break down across different business units or operating systems or whatever the metric is? Typically part of that process is identifying those metrics and KPIs, measuring them on a weekly basis, and then usually passing those on to executive stakeholders quarterly.

36:09 Raghu Nandakumara: Fantastic. Steve, Greg, are there any other pearls of wisdom you'd like to share with the listeners?

36:15 Stephen Coraggio: My last thought here is to pick a solution partner who's investing in these capabilities. There are a lot of older technologies and platforms that did things really well, but the companies that are shining right now are the ones that can not only deliver things around microsegmentation and Zero Trust, but also provide visibility to understand what's in those particular containers or areas. And then continuous visibility and coverage in those particular areas. So I think for future investments it's extremely important to look at the companies we're certainly working with and what we're talking about here. I think the models that simply have to be swapped out are being questioned. I think we have to think about continuous investment and build on strong strategic partners to develop a program for the future. So it's important to pick the right vendor at the start of these programs.

37:09 Raghu Nandakumara: Thanks, Steve. Greg?

37:10 Greg Tkaczyk: I'd say do a production pilot, not a proof of concept. That's the biggest thing I see my clients who are successful doing. When you do that, you start small, you define the use cases and success criteria for the pilot, you validate the technology, you validate your implementation partner's capabilities. And as part of that process, you'll uncover any learnings, dependencies or constraints that might be relevant to your implementation. And really inform the approach you take for an enterprise deployment.

37:41 Raghu Nandakumara: That's really good advice. Production pilot versus proof of concept, because you want to check that it works when the rubber hits the road. Greg, this is a Zero Trust podcast. What's your favorite Zero Trust analogy?

37:55 Greg Tkaczyk: All right, so I actually have a couple, if you'll bear with me.

37:57 Raghu Nandakumara: Oh, okay, okay. You have to give Steve one too.

38:00 Greg Tkaczyk: All right.

38:01 Raghu Nandakumara: Then go ahead, you can have two.

38:04 Greg Tkaczyk: Well, I'll be quick. The historical security model of the hard candy with the soft center. But when I think about Zero Trust, it's highly granular and distributed trust. So that no longer applies. So maybe it's a bag of those candies. There's still a perimeter you have to open. There are controls you have to get through, but inside there are lots of those candies. Each one represents security controls. They're closer to what you're trying to protect. So that allows more granular decision-making. The other one is that I was actually talking to a friend of mine yesterday and we decided that Zero Trust is like a cheese sandwich. As a concept it's easy to say, it's just a cheese sandwich. But when you start getting into the details, what kind of bread, what kind of cheese, what are the toppings, is it grilled? It means something completely different to everyone.

38:48 Raghu Nandakumara: Nice, I like both of those, because on the one hand you just explained that the bag of candy is the concept, and then the cheese sandwich, actually, there's so much nuance and everyone has their own take. And I also like the fact that you have conversations about Zero Trust with your friends daily and come up with new analogies. Steve, can you do better than a bag of candy or a cheese sandwich?

39:09 Stephen Coraggio: Yeah, well, I think Greg is hungrier than I am right now. My analogy has nothing to do with food, but I've been using this analogy for a while and I think this particular industry got it right. Like if you think about an airport, think about what it takes to get through an airport, security checks and the validation of an identity, and then the continuous validation as you move through the terminal, the gate, the plane, the seat. I think that kind of methodology, meaning it gets more and more granular over the course of the process, you're constantly being validated in terms of security controls, your identity, the gate and the terminal you're supposed to be at. And I think when you look at that from a security standpoint, and the number of people and things going through that process, I think they've done that very well. And of course there are hiccups and challenges and there are some things that get through, but for the most part that stop-gap process, the continuous validation, has worked very well.

40:04 Raghu Nandakumara: I think that was a great conversation, Steve, Greg, with the two of you, and I've just gotten a great insight from a practitioner's perspective, from the board level through technical implementation and program management to reporting on how you deliver successful security programs that produce real risk-reduction outcomes. I think that's what I consider the key takeaway. And then also, ultimately, where you really stand. When we think about Zero Trust, we're really thinking about three important things. Visibility, consistency, control, and applying them across your whole enterprise in the right places to reduce risk and significantly improve cyber resilience. Thanks again for your time today. And right, if you're all interested in learning more about how IBM and Illumio work together to enable companies to be more resilient through improved visibility and Zero Trust segmentation, visit our website. Steve, Greg, thank you very much for your time today. I appreciate it.

41:16 Raghu Nandakumara: Thanks for tuning in to this week's episode of The Segment. For even more information and Zero Trust resources, check out our website at illumio.com. You can also connect with us on LinkedIn and Twitter @illumio. And if you liked today's conversation, you can find our other episodes wherever you get your podcasts. I'm your host, Raghu Nandakumara, and we'll be back soon.