Enabling Visibility, Consistency, and Control
Season One · Episode

In this episode, host Raghu Nandakumara sits down with Stephen Coraggio and Greg Tkaczyk, Managing Partner and Executive Consultant at IBM Security, to discuss the business value of cybersecurity, defining your crown jewels, and overcoming “analysis paralysis” and other Zero Trust challenges.  


00:00 Raghu Nandakumara: Welcome to The Segment: A Zero Trust Leadership Podcast. I'm your host, Raghu Nandakumara, Head of Industry Solutions at Illumio, the Zero Trust Segmentation Company. Today I'm joined by IBM Security’s Stephen Coraggio and Greg Tkaczyk. At IBM, Stephen is a managing partner who leads their America's financial services cybersecurity practice. With over 22 years of financial services and cyber experience, Stephen focuses on security projects ranging from program strategy and design to implementation and operations. Greg is an executive consultant in the IBM Global Security Center of Competency, focusing on cloud and infrastructure security, including posture management, container security, and microsegmentation technologies. Today, Stephen and Greg are joining us to talk about the business value of cybersecurity, defining your crown jewels, and how to overcome analysis paralysis and other Zero Trust challenges. Hi, welcome. Stephen, it's fantastic to have you here. How you doing?

01:02 Stephen Coraggio: Great. Great. Thank you for having me. I'm excited to be here as well.

01:05 Raghu Nandakumara: It's an absolute pleasure. And Greg, likewise. How you doing today?

01:09 Greg Tkaczyk: Great, Raghu, thanks for having us.

01:11 Raghu Nandakumara: Both of you have got very kind of wide ranging paths to where you are at today. So Stephen, if I may, from a business facing perspective, how have you observed cybersecurity has evolved in its business perception?

01:26 Stephen Coraggio: It's an interesting question. I think, I've been in this space now for 16 years, cybersecurity consulting, working with lots of large global clients, regional clients, and sort of everything in between. And what I've seen in the last, let's say three to four years is a significant shift from a business standpoint, risk standpoint. So we've gotten more and more engaged in the business side of cyber. So business risk up to the Chief Risk Officer, even up through board of directors and the executive team around what is the real business risk impact or enabler of cyber and how it can drive transformation or things like even wide scale enterprise digital transformation and how cybersecurity can enable that. And that's really been a shift in the way clients have engaged us over the last three to, three to four to five years.

02:18 Raghu Nandakumara: That I think is really interesting because I think we see that also that evolution of the CISO and the business-minded CISO. So I want to come back to that in a second. Greg, as a practitioner who's very deep in technical implementations, how have you seen that change, the whole sort of approach to cybersecurity change over the years from a technical and implementation perspective?

02:41 Greg Tkaczyk: When I started in cybersecurity 20 years ago, we were very much focused on assessment work, delivering reports in terms of what can be improved. And really now more the shift is clients are realizing they need support of a trusted advisor to take them through that enterprise implementation of software. Really, it's focusing more from a what traditionally has been an infrastructure-based approach to a software-based approach to cybersecurity.

03:10 Raghu Nandakumara: Awesome. And we'll come onto that. Because that's that natural shift from sort of everything on prem, everything you manage to hybrid cloud, etc., drives that transformation to software. So Steve, I want to come back to what you said about the way we think about cyber changing and being far more aligned to business requirements that now extending to sort of the Chief Risk Officer, etc. What do you think triggered that shift, from it just being an isolated-almost IT discipline to now being a much more business discipline?

03:43 Stephen Coraggio: I think cyber has become mainstream. I think when you look at some of the major incidents that have happened over the last five to seven years, it's become a board conversation. It is no longer isolated to the CISO and boards are now thinking about, what is the impact of cyber to our bottom line? How does it impact our share price, our stockholders, our value, the way that clients, partners think about us in the market? And when we build out cyber programs, a lot of the conversations center around, “Can we share this with our clients as an enabler, as a differentiator so they feel more secure doing business with us? Have we embedded security in the products that we offer, the platforms that we share, and just the way that we go to market?” And I think they've realized that this is an enabler to business value and to the way clients and our partners go to market. I think we're at a very interesting point in our time where security now can be thought of as a business driver, a differentiator at large scale companies, where over five years ago it was a cost center and thought about as a sort of a place where funds go to die. And now it's the opposite.

04:54 Raghu Nandakumara: Yeah, absolutely. And also think it's also been the perception that security functions are always seen as those functions that say no to things or question everything. And that transformation to being able to say, “Okay, this is how I enable your business.” So Greg, can you pay that off and explain from a technical perspective how you show that you are enabling business and transformation?

05:17 Greg Tkaczyk: Yeah, absolutely. So one of the things I usually do to start the conversation with my clients, especially when we're talking about Zero Trust, is really level set on the challenges they're facing. And from my experience, that boils down to three things. It's visibility, consistency, and control. And Zero Trust is a broad topic, but I think ultimately those are the three things that all of our clients are trying to achieve, regardless of what area of Zero Trust we're talking about. So when you think about visibility, we're talking about visibility into assets, into applications, users, data, etc. What are all the cloud resources I'm trying to protect? How are they configured? What are the workloads that make up my applications? How are they communicating? That lack of visibility can result in blind spots that can allow an attacker to move through your environment or what have you, and ultimately, you can't create security controls if you don't know what you're trying to protect.

06:06 Greg Tkaczyk: But to your point, when you establish visibility, you oftentimes end up creating this shared source of the truth between stakeholders in the environment, within the enterprise, that they can leverage going forward to make their jobs easier. So one of the things that I often try to do anytime I'm involved in an implementation is meet with the different stakeholders across the organization, whether that's compliance teams, usually the CISO and his organization, incident response and all that, and figure out how can they leverage this tooling or this new capability within the enterprise to make their lives easier?

06:43 Raghu Nandakumara: I like the way you described it. As you used three words: visibility, consistency, and control. Essentially being the three pillars of the way you described Zero Trust. Can you kind of give an example of where... put this in front of a client and they had that “aha moment” about how this is going to essentially accelerate their digital transformation?

07:03 Greg Tkaczyk: Yeah, absolutely. My area of focus right now essentially is microsegmentation and cloud security posture management technologies. I was working with a large client implementing CSPM and the director of engineering at that client essentially said, "Typically, our group would procure this technology and implement it within our own silo and figure out how we're going to manage it. And that's it." We've never really worked with a partner that kind of came in and could reach out to the compliance organization, and understand what are the capabilities that this new tooling could provide them? Can it provide reporting? Are there specific assets they're interested in terms of protecting? We reached out to, like I mentioned, incident response. This is going to identify shortcomings in configuration, how do you deal with that? And so realizing the value from the tuning outside of what is typically your project sponsor, the CISO organization, I think is key. Because as people start to leverage that technology internally, it becomes business as usual, not just within security but for the broad organization.

08:05 Raghu Nandakumara: Yeah. And that sort of kind of brings me onto the sort of, what I wanted to ask you about Steve. Is that Greg mentioned about extending beyond the CISO organization, as part of building out this program. So from an exec sponsorship level, how do you help them build out that sort of cross-functional support for programs like this?

08:31 Stephen Coraggio: One of the big buzzwords, I think, recently is we talked to clients around exposure management. And when we dive into terms like exposure management and overall visibility of an environment, the executives get the aha moment by saying, that we really don't understand how are we truly exposed to vulnerabilities in our infrastructure. What is the true visibility of our environment? Especially now most of our clients are hybrid cloud clients. So they have multiple hyperscalers, they have multiple vendors in the space and around when you think about visibility coverage and then really trying to protect what's most valuable, those conversations at the executive level really help drive these programs. Because back in the day it was around protecting everything, encrypting everything, and really making sure that we scan everything in an environment. Now when we talk to clients, it's around how do we make sure that we are truly looking after the most important things in our environment, making sure that those are properly protected, controlled, we have visibility, we're monitoring that, and then we're responding to threats in those particular environments versus trying to boil the ocean in everything that we do.

09:43 Stephen Coraggio: Exposure management, which sometimes is referred to as attack surface management or attack surface mapping. But it really comes down to visibility, coverage, and then prioritization of the most critical assets. And those conversations at the executive level always resonate in some sort of agreed buy-on, buy-in, around funding, around these sorts of programs.

10:05 Raghu Nandakumara: And we hear that term around the most critical assets, the most important components. How is that typically defined/identified when at the executive level?

10:19 Stephen Coraggio: Yeah, most of the time it's not. And most of the time we have challenges around how it's defined. Every sort of line of business or IT function thinks that they have critical assets. So what we do is we take a consulting approach to defining what we considered crown jewels of an organization - depending on their industry, their business lines, how they go to market, public/private, are they a manufacturing company that deploys products, or are they a FinTech company that really supplies software? We then define their business projects, their imperatives, what's critical to them, and then we take a cross line of business approach to defining what that is, and then we risk rank it. So we take the value of those assets, we take the value to the market, the value to the firm, and then we apply that methodology to help define what is critical or crown jewel to a company. So it is normally not defined until we really try to put together a framework around, or a methodology around, what that actually means to our organization.

11:23 Raghu Nandakumara: And so I'm just going to... Greg, coming over to you from a sort of an execution/implementation perspective. How many cycles does it take typically for an organization just come to an agreement as to “this is the criticality, this is the right prioritization, and this is where we need to start.” How does that map out as a process and timing?

11:45 Greg Tkaczyk: So the first thing to say is nobody has a perfect CMDB or enterprise application list, but usually there's something. Usually there's a starting point that you can leverage. And so when we go into these organizations that obviously to Steve's point, you don't want to boil the ocean. You have to start somewhere. You have to prioritize those things that are most relevant to the business. And typically, we leverage whatever exists. It's usually quite a cyclical process to get to that agreement, but it's something we know when we walk through the door. That has to be a priority to establish. One of the things that's often a challenge is that nobody wants to make the final decision. And so, trying to steer your client organization to identify a technical project champion that has the authority to make those kind of decisions, and ultimately whether those are decisions around the architecture of the solution or whether those are decisions around prioritization of what are you going to target first. That's a key part of rolling out these types of technologies.

12:47 Raghu Nandakumara: I actually want to ask a bit more about that. Because often, a lot of security projects, as you say, stall on that because of that inertia. That no one wants to take the decision as to, okay, we need to go and do X. So how do you typically actually get clients over that hump? What is the advice you give or what are the levers that you pull on so that progress can start?

13:10 Greg Tkaczyk: Usually we take a two-pronged approach. Usually there's a work stream that we call rapid risk reduction. Typically whatever technology you happen to be implementing, there's something you can do, early in the implementation, that may not be perfect, but it's going to help and you're going to be in a position that's better than where you were prior. So what are those use cases for rapid risk reduction, and don't get caught up in analysis paralysis for that. As you are trying to identify those, you don't want to spend four months deciding what top five policies you want to enforce in a CSPM solution or whatever it is. So make those decisions quickly and reduce risk. So that's the first work stream. And then the second one, in terms of the strategic goal, really focus those use cases and again, see if there are things you can do to still show value with the understanding that perfection is not the key. So if you are trying to protect the 1000 applications, narrow that down to your top 10. And then within those top 10, how granular do you actually have to be? There might be policy decisions you can make that are broader, they're still better, they're not perfect, it's not the end state. Yeah. But let's get moving and show value.

14:26 Stephen Coraggio: And to just add to that, maybe there's a third one that I think we've been adding recently over the last maybe years. We usually bring in the third work stream around risk quantification. And I know it's another widely used term, but risk quantification program has just taken off in terms of the value that our executives like to see from a program in terms of identifying threats, vulnerabilities, risk, ranking of assets. Because we can take what they believe are crown jewels, we can apply quantification to those assets around threats that we see in the market external, threats to a particular industry. We can simulate what an attack would be on those particular assets or environment, and then quantify what it actually would cost that firm if something were to happen. So that risk quantification model, it's a fairly low investment for a lot of companies, but it provides a significant ROI in terms of where they want to spend money on controls, visibility, microsegmentation, asset visibility and all that. It's, to me, that is starting to become baked into a lot of the things that we do, even though they were necessarily not part of a risk quantification program.

15:36 Raghu Nandakumara: Yeah. And actually, you almost answered the question that I was going to ask before I even asked it because I wanted to tie back something that Greg said right at the beginning when he said, when he got into cybersecurity about 20 years ago, it was very much a checkbox exercise. It was very much compliance focused: “I need to be compliant with these requirements, check, check, and I'm compliant.” And we all know that being compliant doesn't mean that I'm secure. Being compliant does not equate to being secure. And that's what I wanted to ask is that, it feels that there is now a greater appreciation, that understanding risk requires some level of threat modeling and scoring associated with that to then identify, "Okay, here is where I'm at greatest risk and that's where I need to focus on from a controls perspective." Is that a significant shift that you've seen over the last few years?

16:22 Stephen Coraggio: Yeah, I would say the cybersecurity is no longer a capability that clients are just thinking about. This has been around for a while. Maybe the late 2000s, we were thinking about everyone was buying technology products and an open checkbook. The last four to five years, and maybe even the last three have been around, “How do I do more with less? How do I really, thinking about rationalization of spend and technology and sprawl?” Our average client has 78 different security products. It's a lot about, “How do I rationalize, provide ROI, quantify risks so we can apply the right technology to the right environment and then save money by de-prioritizing other things?” So when you think about some of the next generation technologies like microsegmentation, that includes visibility, Zero Trust concepts that include AI and automation, those are things that our clients are thinking about because it's really about leveraging investments in the right way and prioritizing spend, versus maybe just going out and buying the next shiny object. And that's really what we're seeing, especially in markets like we are in today.

17:32 Raghu Nandakumara: So that's really interesting, because you spoke about tool consolidation and getting more from less. So I want to, again, ask this question in two parts, Steve, one to you and Greg from a practitioner perspective is that, how do you talk about, let's say you've got... You are in front of that sort of exec sponsor and you say, "Okay, you should invest in this capability, because it's going to give you these benefits." And then equally, Greg paying that off. How do you demonstrate that those benefits are actually going to be realized? So Greg, maybe you want to go first?

18:06 Greg Tkaczyk: Sure. So just to add to what Steve was saying - visibility, consistency, control - the consistency part of it is tool rationalization, choosing technologies that are going to work across your heterogeneous infrastructure. Not just data center, but hybrid applications, multi-cloud, containerized technologies, serverless technologies, etc. So you want to think about selecting those technologies that kind of can work across that ecosystem. In terms of talking to the executive sponsor and showing value, so I would take it a step back. Oftentimes, clients want to jump to the ultimate goal or the full on capability that a technology is going to provide. But during that solutioning and sales process, there are often opportunities to work with them, to still architect a solution that can obtain those business objectives and reduce risk. I mean kind of “What is the licensing, what are the features, what are the modules that you need, when are you going to need them? And what kind of support are you going to need in that rollout?” Whether that's professional services or managed services. So focusing that initial scope on what is the immediate concern, so that you can immediately show value against kind of a goal that is more realistic and practical to achieve versus kind of a targeted end state that may be two or three years out, is key.

19:33 Greg Tkaczyk: And if you think about that in the procurement and solutioning process, you can often reduce risk, reduce cost as well to maximize ROI, what we were speaking about before. Creating a ramp-up model in terms of volume and features and all of that. When I speak to clients, first, I'd want to address it upfront, and then once you were in it is, what are those metrics that you can highlight on an ongoing basis to achieving that success criteria? If you've built it correctly, if you've solutioned the initial scope correctly, measuring against that success criteria should be pretty easy.

20:06 Raghu Nandakumara: Yeah, yep. Definitely. Steve?

20:11 Stephen Coraggio: Yeah, it's interesting. I cover financial services. So for me, our clients are the most mature clients out there. We've been seeing that level of maturity high for many years, and I commend our clients for wanting to be the best of the best, and I think it's shown in what we see from a capability standpoint. We're moving to organizations within my market or even top 10 or 20 in other markets where they want to move to capabilities such as integrated risk centers. Think about how do we integrate fully risk into the cyber controls, cyber fusion center, and some of our next generation, SOC or threat management capabilities. I think it's a great vision where these clients want to be. But to Greg's point, these are three to five-year roadmaps, three to four-year roadmaps.

20:54 Stephen Coraggio: So, our view is, let's take a measured approach to get there. Let's find the right vendors, solutions, and capabilities that have that same vision in mind, that want to get there with you within the next three to five years, and we will build a crawl-walk-run process to get there. But there's foundational elements. There's things that we talked about already on this call around basic visibility, controls, access, management. Those are the foundational items of an organization when they want to get to that next generation integrated risk center. But let's start at the beginning. Let's build the foundational building blocks. Let's make sure that we're covered from a visibility and vulnerability standpoint, have those basic capabilities in place, and then build on that roadmap with product vendors and solution vendors along the way.

21:44 Raghu Nandakumara: Just hearing both of you talk, right, it's like in this conversation Greg at the beginning laid out... Zero Trust is really visibility, consistency, control. And both of you repeated those terms multiple times. And Steve, what you just said, these are the basics. Visibility, consistency, control are the basic building blocks of any good security program. In terms of the programs that you see your clients mapping out, and let's focus on the financial services industry for a bit, what role does Zero Trust or a Zero Trust strategy play in the development of those programs? Is that a real thing that they bring up or is it almost a... And if we do this, it will ladder up to a Zero Trust strategy? How is Zero Trust being discussed and planned within your client group?

22:37 Stephen Coraggio: When we peel back what we think about Zero Trust, and to me and to us, it's a framework. It's guiding principles to getting somewhere where you can actually help clients provide the visibility, the controls, the identity, and actually continuously verify who has access to what and why. To me, it's really just a framework. It's what NIST was, it's what a lot of these other frameworks are. And then when you look at capabilities within that framework, like visibility and understanding basic things like CMDB, vulnerability coverage, asset management, basic building blocks of a security organization, that's when the whole Zero Trust capability comes together. It's around building those all together.

23:22 Raghu Nandakumara: Right. From a financial, as you said, the financial sector has always been on the cutting edge of security because of the regulations involved, the requirements, the regulator's place. What are you seeing? Are you seeing an increased adoption of Zero Trust and knowing that you don't necessarily call it out because of all the things that you mentioned? Or is it just that, again, that the organizations are just improving those fundamentals and essentially that removal of implicit trust that ultimately leads to a Zero Trust outcome?

23:52 Stephen Coraggio: Yeah, I think the top 10 or 20 CISOs within financial services are leveraging Zero Trust as a board conversation. Because the boards know the term, they understand the term. It's fairly easy to know what Zero Trust means. But what they're taking is the Zero Trust frameworks and implementing that as part of the capabilities and investments that they're making, so that when they summarize it to their boards and their directors and their executive team, they're showing their progress and maturity on a Zero Trust scale to say, "How well are we covered? How well do we have visibility? How well are we protected? Do we have the right resiliency in place? Can we recover from an incident? How well prepared are we to recover from and if an incident actually were to happen?"

24:37 Stephen Coraggio: And so, that is the framework that they're leveraging for a board conversation because, again, it's fairly basic from an understanding standpoint, but it drives the capabilities underneath it from an investment standpoint.

24:48 Raghu Nandakumara: And that's really interesting that Zero Trust is a, in terms of how a security program is presented, it's presented in a Zero Trust framework to the board, whereas the actual execution underlying is more around the basic building blocks. I think that's really interesting because often I think we practitioners almost flip it on its head and say, "Oh, okay, I'm going to apply Zero Trust principles here." And as you said, it kind of gets diluted because everyone's got their own definition of it. Greg, I want to come to you, as a practitioner, when your clients talk to you about Zero Trust, what are the questions that come up and what is your advice, what are your responses?

25:23 Greg Tkaczyk: So I think the first question that always comes up is how do you start. And like we've mentioned, right, the first thing to consider is Zero Trust is a journey. It is in fact a journey. The focus has to be on continuous and incremental improvement that's measurable. And not big bang implementations that are going to disrupt the business. And like I mentioned, often you start developing what controls are you going to do in a very targeted way, but also what controls are you going to apply in a very broad way across your organization to reduce risk? And you can do both of those in parallel and in either approach is fine. But each is a stepping stone towards Zero Trust. So when I speak to my clients about that, I really try to outline whatever technology domain we're talking about, like, how are we going to do that?

26:09 Raghu Nandakumara: Yeah, absolutely. So just shifting gears a bit, Steve, I'm coming back to you, when you look forward in let's say in the financial services sector. What do you see as the driving forces that are going to demand an increased focus on better visibility, better consistency, better control? What do you see from a regulatory perspective, from a technology adoption perspective, what are the key sort of driving forces in that space for sort of the adoption of, or the improvement in these three basic controls?

26:38 Stephen Coraggio: One of the largest areas we've been talking to clients about outside of security is around digital transformation. It is accelerating quicker than I've ever seen it. And then maybe it's because of competition, it's because of investment, it's because of just the sheer volume of companies out there that are in the space. But as we talk to clients around digital transformation, whether that be onboarding process, customer experience, process improvement. The end user knowledge base and how we apply automation to understand what clients are looking for from product, services, expectation. That transformation is truly driving the need for these capabilities. And we are being more and more pulled into the conversations around if we move to these hybrid cloud scenarios and we leverage different hyperscalers and environments, how can we truly apply visibility, coverage, controls, response activities and resiliency in those environments?

27:41 Stephen Coraggio: Because we are extremely scared that our business is moving faster than we can actually apply security and security requirements. So I think keeping up with business transformation, digital transformation and the evolution of the business is probably the most common conversation that we're having from a forward-looking cyber perspective.

28:00 Greg Tkaczyk: I would just add to that, part of that is application modernization. Our clients are going through massive transformations where they're taking these legacy applications and refactoring them into containerized or serverless or lifting and shifting them or creating them into hybrid applications. A lot of these technologies can, we've talked about visibility a lot, provide visibility that can help make those decisions easier, but it's the perfect time to embed security into the application. As you're going through that transformation. Why go through that and then think backwards about how am I going to protect my newly refactored apps?

28:36 Raghu Nandakumara: Yeah, absolutely. And on that, right, as they're doing that transformation, and we hear this term increasingly, sort of cyber resiliency is such an in vogue term these days. Is that a real sort of discussion point that you're having with your clients? Do they ask you the question, how do I become more cyber resilient? Or is that just an expected outcome of the programs that you're involved in?

29:00 Stephen Coraggio: Yeah, I think it's a conversation. It's not necessarily an offering. It's a conversation because it really drives the sub components and some of the programs underneath it. When we think about cyber resiliency, a lot of conversations are to sort of the right of an incident. Are you prepared? Do you know how to respond and recover from something? How resilient are you if something were to happen? A lot of these conversations are around preparedness, awareness, education, response, backup, recovery. Making sure we have those pieces in place so that if and when something happens, organizations are prepared. So things around like cyber war games, tabletop exercises, immersive experiences around threat scenarios, threat simulations. Those are where clients are really starting to spend money on enterprise-wide preparedness and making sure that they know who the commander is in terms of an incident. What are the right controls and the communication?

30:00 Stephen Coraggio: How do we get back up and running? Do we have the right backup systems and are they protected? So that's a lot of the resiliency conversations. No, certainly to the left of an incident, it's around controls, visibility, monitoring, and that's what's been around for a while. But now we're looking at both sides of that spectrum.

30:17 Raghu Nandakumara: Awesome, awesome. So Greg, coming over to you. Being a bit forward looking, where do you see the interesting next steps from a cyber, whether it's a capability perspective, whether it's a threat perspective that sort of practitioners need to be really wary of?

30:35 Greg Tkaczyk: I think it's increasingly about optimizing and automating the automation and remediation side. A lot of these tools can identify things and alert you, but they require a human response. Many tools and integrations with SIEM and SOAR platforms let you sort of close that loop. I don't think that's very widely used by our clients. The capability is there, perhaps from a plumbing and technical perspective, to get there, but when clients actually think about those use cases: am I comfortable fully automating my response? I think that will be an area we focus on going forward.

31:16 Raghu Nandakumara: And there, let's say, why is there a gap? Is it because some clients today aren't able to define what those use cases are, or because they don't know what data they need to instrument and operationalize those use cases?

31:33 Greg Tkaczyk: Yes, but it's also scary. You're ceding control of parts of your infrastructure to an entity that you trust to make the right decision. So that's what I mean. I think you need to start by defining small use cases that you're very comfortable with. Those use cases don't necessarily have to be applied across the whole enterprise. And as you get comfortable, you build out that automated response capability.

31:58 Raghu Nandakumara: Yes, and if I think about Forrester's Zero Trust pillars, we have that automation and orchestration ring that sits out there. And it's tied to a kind of visibility and monitoring, with an end goal, such as it is, of this ecosystem that reports on itself, reacts to changes in the environment, and so on, and adjusts access along the way. I guess that's where everyone wants to get to. But as you said, giving up control is the hardest thing. Steve, what about all the other kinds of significant challenges you see, whether in financial services or in general, with organizations looking to really take their cyber programs to the next level and potentially accelerate their progress towards Zero Trust?

32:46 Stephen Coraggio: I'd say what we see most with clients is actually delivering return on investment and investment in programs, and helping them, the CISOs, present to the board that business case for the value of an investment in cybersecurity. Whether it's a software component or services. We've done more business case, ROI and quantification programs in the past year than we probably did in the previous 10. Because it's about being more thoughtful when it comes to spending and being more defined with your partners rather than spreading the wealth across too many people. So I think this will happen more and more as companies cut their budgets and think about how they can transform their business while doing it thoughtfully and efficiently. But I think there are enough vendors and solutions that clients are seeing the return on investment in their organizations more than ever. So I'm hopeful about where this is going.

33:45 Raghu Nandakumara: And that's very interesting, I think, because we've touched on ROI a few times in this conversation. And as you rightly said, it has certainly been a very big theme over the past 12 months. And we've seen pretty much every kind of security leader, whether on the vendor side or the customer side, talk about the need to demonstrate ROI. Are you able, in summary, to say that when we build, say, an ROI model, these are the key elements we emphasize and explain well to the board? Can you shed some light on that for us?

34:16 Stephen Coraggio: A lot of it is about what Greg mentioned regarding automation, scoring and threat elimination. When we have a large client base and can leverage the power of many clients and synthesize the data to deliver value back, saying, "We've seen this threat before, we've witnessed this incident before, and based on our analysis and research, it's a false positive, automatically close the case." That saves analysts time and money. It saves time and money on escalation. In fact, it saves the time and money of hiring a level 1 analyst. So we're able to deliver more and more automated platforms, more and more automated responses, and really try to integrate the technology into those solutions to eliminate a lot of the commoditized threats, for example, or known threat vectors, and really focus on the ones that matter most and are most valuable to organizations. And for me, we show value by saying this will cut X hours of work and X amount of resources by replacing them with a platform, a technology or an AI model. That's a large part of the investment we make.

35:16 Raghu Nandakumara: Greg, if you can, I'd like you to pair up on that. So that's the business case. How can you then report and show that, yes, I've automated such and such a percentage of these tasks? How does that kind of validation happen?

35:30 Greg Tkaczyk: That's usually the kickoff of an engagement. Part of defining the success criteria will be determining what metrics we can track and report on, essentially, every week against the type of objective. How many agents have been deployed? What's the number of protected assets? How many use cases have been enabled? What percentage of the environment is in a certain security state versus the rest? How does that break down across different business units or different operating systems or whatever the metric is? So part of that process is usually identifying those metrics and KPIs, measuring them on a weekly basis, and then reporting them quarterly to executive stakeholders.

36:09 Raghu Nandakumara: Great. Steve, Greg, any other pearls of wisdom you'd like to share with the listeners?

36:15 Stephen Coraggio: My final thought is to choose a partner service provider that invests in these capabilities. There are many legacy technologies and platforms that worked really well, but the companies that are shining right now are companies that can not only provide information on microsegmentation and Zero Trust, but also visibility, particularly to understand what's inside those containers or those particular zones. And then continuous visibility and coverage in those particular areas. So I think looking at the companies we certainly partner with and are talking about here is extremely essential for future investments. I think rip-and-replace models are hard. I think we need to think about continuous investment and putting strong strategic partners in place to build a program for the future. So it's important to choose the right vendor early in these programs.

37:09 Raghu Nandakumara: Thanks, Steve. Greg?

37:10 Greg Tkaczyk: I'd say do a production pilot, not a proof of concept. That's the most important thing I see my successful clients do. When you do that, you start small, you define the use cases and success criteria for the pilot, you validate the technology, you validate your implementation partner's skills. And as part of that process, you'll discover all the information, dependencies or constraints that will be relevant to your implementation. And really determine the approach you're taking for an enterprise rollout.

37:41 Raghu Nandakumara: That's really good advice. Production pilot rather than proof of concept, because you want to make sure it'll work once the machine is up and running. Greg, this is a Zero Trust podcast. What's your favorite Zero Trust analogy?

37:55 Greg Tkaczyk: All right, I have a couple, if you'll indulge me.

37:57 Raghu Nandakumara: Oh, okay, okay. You have to let Steve have one too.

38:00 Greg Tkaczyk: All right.

38:01 Raghu Nandakumara: So go ahead, you can have two.

38:04 Greg Tkaczyk: Well, I'll be quick. The historical security model is the hard candy with a soft center. But when I think about Zero Trust, it's very granular, distributed trust. So that no longer applies. Maybe it's a bag of candy. You still have a perimeter to open. There are controls to get in, but inside are lots of those candies. Each one represents the security controls. They're closer to what you're trying to protect. That allows for more precise decision-making. The other one is that I was chatting with a friend of mine yesterday and we decided that Zero Trust is like a cheese sandwich. As a concept, it's easy to say it's just a cheese sandwich. But when you start getting into the details, what kind of bread, what kind of cheese, what are the toppings, is it grilled? It means something totally different to everyone.

38:48 Raghu Nandakumara: Great, I like both of those because on the one hand, you've just explained that the concept is the bag of candy, and the cheese sandwich is really what it is in practice. There's so much nuance and everyone has their own point of view. And I also like the fact that you discuss Zero Trust with your friends daily and come up with new analogies. Steve, can you do better than a bag of candy or a cheese sandwich?

39:09 Stephen Coraggio: Yes, well, I think Greg is hungrier than I am right now. So my analogy isn't food-related, but I've been using it for a while and I think this kind of sector gets it right. Like, you think about an airport, you think about what it takes to go through an airport, go through security checks and validate an identity, and then continuous validation as you go through the terminal, the gate, the plane, the seat. I think that kind of methodology, which gets more and more granular as you move through the process, where you're constantly being validated in terms of security controls, your identity, the gate and terminal where you're supposed to be. And I think if you look at it from a security standpoint and the number of people and objects passing through, I think they've done very well. Of course there are difficulties and some challenges they're overcoming, but overall, that process of interruption and continuous validation has worked very well.

40:04 Raghu Nandakumara: I think this has been a really good conversation with you, Steve, Greg, and I really got an incredible sense, from a practitioner's perspective, of how you can go from board level right down to technical implementation and program management, through to reporting on how you implement effective security programs that deliver real risk-reduction outcomes. I think that's what I see as the main takeaway. And then, ultimately, how you really feel, when we think about Zero Trust, we think about three key elements: visibility, consistency, control, and applying those principles across your estate in the right places to reduce risk and, essentially, improve cyber resilience. Thanks again for your time today. And, if you'd all like to learn more about how IBM and Illumio work together to enable organizations to improve their resilience through greater visibility and Zero Trust Segmentation, check out our website. Steve, Greg, thank you very much for your time today. I appreciate it.

41:16 Raghu Nandakumara: Thanks for listening to this week's episode of The Segment. For even more information and Zero Trust resources, check out our website at illumio.com. You can also connect with us on LinkedIn and Twitter @illumio. And if you enjoyed today's conversation, you can find our other episodes wherever you get your podcasts. I'm your host, Raghu Nandakumara, and we'll be back soon.