A logo with accompanying text "Listen on Spotify"A logo with accompanying text "Listen on Apple Podcasts"
The Security Challenges of Modernization
Season Two
· Episode

The Security Challenges of Modernization

 In this episode, host Raghu Nandakumara sits down with Stephen J. White, the CEO of Viking Technology Advisors to discuss the critical role of Zero Trust Network Access (ZTNA), cloud adoption, and AI in modernizing network security. He emphasizes the importance of visibility, automation, and holistic approaches to enhance operational efficiency and security.


00:00 Raghu Nanadakumara

Hi, everyone, on this episode of The Segment, I'm so excited to be joined by Steve White, a very storied network and security engineer and architect. He spent many years, especially in financial services, building out network and security infrastructure for some of the world's largest banks. And now as founder and CEO of Viking Technology Advisors, he brings all those years of experience to help his clients in their digital transformation efforts. So, Steve, welcome to The Segment. It's great to have you.

00:36 Steve White  

It's great to be here. Raghu, thank you so much for the opportunity to have this exciting conversation with you today.  

00:43 Raghu Nanadakumara

It's my pleasure. It's always a pleasure to speak to someone with so much practitioner experience. So I think just looking at your background, right, and your and your long career that you've had in network and security engineering, when you look at where we are today with the state of network security, and you look back, it must make you very excited that we're now solving problems that you've probably wanted to solve for many years.

01:08 Steve White

Yeah, you know, it's funny you say that. My go-to-market business plan for Viking Technology Advisors has been evolving over the past seven months since I initiated the company. And one of the interesting things I did is to look at that historical time period that's happened over the past, believe it or not, over the past 30 years. And there have been major new technology injection, that's been business impacting over those 30 years. So, in my mind, digital transformation really isn't new. It's something that's been, we've been living through many, many years. And each of those new technologies has actually had one thing in common: increased pressure and demand on networks and cybersecurity. And what that's also done is it's actually caused a massive sprawl of point solutions and increased complexity. That's made it very difficult for information, networks, and cybersecurity to stay ahead of the business demand. And that is only increasing now.  When you look at cloud, although cloud is not really new, it's been around for, unbelievable, it's been around for almost 20 years, but it's really seems like companies are in earnest are going after it over the past five to eight years. And now with AI and generative AI, now the rate and pace is even, is picked up even more. And there are some really new exciting technologies out there that are in cloud-based network and security controls that are going to dramatically change the way companies need to think about their perimeters. Their perimeters are going to be very different than what we've traditionally looked at. And traditionally, what we've thought of as the key control points. So, from that aspect, it's people, process, and technology, all needs to come together to make this transition. And I really liked the word modernization is what we're using now in our marketing materials because it's not necessarily about transformation; it really needs to be modernized for today and the future. And that's the challenge. How do you deliver what customers need today or what your company needs today, and also be able to support the future? I've built this company around the model of if I was going to go to work for a large enterprise, this is how I would approach my management of that enterprise. And that's really the value proposition that we bring to any of our customers is that point of view is, we've walked a mile in your shoes, we know exactly where you are. And we're bringing the best of breed partnerships and automation to help come to help realize that modernization goal?  

03:53 Raghu Nanadakumara

Well, I think, I think to that, to paraphrase your own expression that you've walked a mile in, hopefully many of our listeners shoes, right? So, they'll be eagerly listening to the insights you're going to provide. I won't go back to something that you mentioned about how you, whether you call it digital transformation or modernization, right, your choice of words, but what you said was that each of these steps actually results in new challenges to network and cybersecurity. So, the first question is do you think that as we are embarking on that step of each step of that modernization? Do you think we are aware enough of those cybersecurity challenges? Or is it just hindsight is a wonderful thing?

04:37 Steve White

It really seems like everything's being done in a hindsight manner. It, to me, it feels like roadmaps and strategies are all based on cloud adoption. One of the interesting things, and what's really exciting about the cloud, is actually the automation capabilities, cloud-native capabilities, and the standards. Think about the amount of standardization that's in the cloud. Workloads cannot run in the cloud unless they can meet the structured standards that exist from the on-prem and legacy environments or traditional infrastructure environments have all been built custom to meet specific application needs. That includes the cybersecurity components as well. So, those cybersecurity components are all point-based solutions. And then when you get these new application or new business requirements layered on top of that, the first thing you know, enterprise executives or infrastructure operations leaders need to do and cybersecurity partners is to assess the current portfolio of tools and technologies. Oftentimes, you end up finding yourself trying to jam a square peg into a round hole to try to make something work. And it doesn't necessarily; it might just be good enough. But sometimes good enough isn't all that's required. And there's the risk and regulatory aspects of these decisions that end up playing significant roles here. So, if you don't do it right up front, you end up with a risk and regulatory hangover associated with that we have accepted risks or risks that are unmanaged. And then they become a continual drag on the organization's ability to be successful.  

06:19 Raghu Nanadakumara

So do you think that modernization transformation allows, enables for security, not just to be done better, but also more simply, because when I look at or when I read, in the popular media, in the trade media about the challenges with security, a lot of what I see is, "Security is really complex when you move to cloud"... "Security is very complex as part of your digital transformation journey." What's your perspective on that?

06:53 Steve White

Well, it's interesting in the in the industry landscape. One important data point I'd like to share with the audiences is that I'm a CXO advisor for Netskope. And very, very fond of the technology in the, in the approach that Netskope was trying was brought to the market to help solve this problem. There are obviously other competitors in that space. But the true cloud adoption, the remote worker, all the COVID impacts, and the adoption of ZTNA, Zero Trust Network Access, and moving away from perimeter-based security controls, but doing that based on identity and seven different parameters to make an intelligent decision on whether or not access should be allowed, blocked, coached, or reprovision, these are really exciting things because now the opportunity to actually deliver the capabilities of today, but also scale to support the future, is right at our doorstep. Right? And, and, you know, think about the introduction of AI in the past, and I won't embellish the timeframe on this, but technologies like that are being delivered by companies like Netskope to solve that problem even before it existed, right? Because they have the capabilities with Zero Trust access, to be able to provide the business-enabling capabilities based upon intelligence of identity and other controls. That is super powerful, because in the network space and cybersecurity space, there was always an allow or block, we never had the option to say, "Well, what other intelligence can we bring to that decision making?" Those are game changing capabilities that companies really need to take a serious look at. And what that does is that takes the pressure off your perimeter security architecture. So now you're moving those controls up into the cloud, you're bringing better proximity to the applications where they're hosted, improving that customer experience in the colleague experience. And that colleague experience from it is super important because you want them to feel exactly the same way, whether they're in the office, the remote, they're in the airport, wherever they are to perform their business, right, because we work everywhere now. We're not just working in one location; we work everywhere and be able to have a unique consistent policy. I often look back on the legacy firewall-based approaches, and I was always trying to find ways to leverage like Illumio and combine Illumio with all SEC policies to be able to bring transparency to segmentation strategies and whether or not the level of maturity and segmentation within a particular company and a few of the companies I worked for that was a big regulatory control that we needed to put in place. But the management of policies is just so draconian from 20 years ago. Port destination access, port destination, and the source IP and destination IP port. It just doesn't. It's not granular enough to keep the rate up with the pace, as companies are trying to adopt their migration or transformation to the cloud and modernization to the cloud.

10:06 Raghu Nanadakumara

Yeah, absolutely. And I think that that's such a great perspective, because what you're really getting to here is that in order to truly accelerate modernization you need not just, you're not just the technologies that are really kind of part and parcel part and parcel of modernization to sort of be able to be dynamic and scale and be automated and as much as you need them to, but also you need the security capabilities, security technologies that are supporting that to also be the same. Because once when you have a set of security capabilities, that is able to be that you suddenly kind of hit this point where that sort of that cliche of security becoming an enabler, that truly happens versus security becoming something that is actually slowing down your progress. And I think you're absolutely right that trying to port over security capabilities that were essentially work for best of breed 25 years ago, and expecting that they're still capable of doing what we need them to do today is, I mean, I'd say that that's madness, to expect that. But it's interesting because you were talking about ZTNA. And so let's sort of, upper level of it. And let's talk about Zero Trust and frame it in the conversation of modernization. Firstly, as a long-standing practitioner, when did you first come across Zero Trust? And what was your reaction to it?

11:39 Steve White

We stumbled across the Zero Trust strategy a few years ago as we were considering a transformation from a traditional on-prem SWG to cloud-based access. And that's what really became the visibility that that brought to us. This isn't just about replacing one component within your environment. This is a holistic change and strategic shift. From point solutions delivering certain access controls, like VPN and SWG for web access, to actually migrating to a cloud strategy where ZTNA is a security component that's overlaid on top of that, that allows you to provision access to on-prem solutions without those traditional controls, right? Because, and it's a good transition state. Because what it does is it allows you to actually move workloads around and still without necessarily a customer being aware that something's changed, right. They don't even know the applications move. Because traditional ZTE and a process, it's the same controllers on premises, same that's in cloud. I mean, that's one of the challenges I see within the architectures that exists today is everything's been replicated in the cloud as a separate trial, separate set of processes, separate set of controls and separate and, and there's on prem. And that's just kind of running as it's running today. But not having the full integration of the on-prem in the cloud, what it does is your on prem environment becomes a barrier to success. And by integrating ZTNA, in that, you can actually start to bring both of these things together because now you can deliver microsegmentation controls with Illumio on-prem, delivering the same capabilities and controls in the cloud. And you can do that with the same policy. It's like how cool that would be right? And I know there's a partnership; I'm not sure if it's been fully announced yet, but it's a partnership with Netskope and Illumio, right? I mean, there's some exciting stuff happening there, where these two technologies would play very well and complement each other. And at the end of the day, it's about making security the enable over rules. Like you just said, it is the enabler, but then it's also making it invisible. So the user community, so that it's secured, controlled, managed, but they can do their jobs as effectively no matter where they are. And it's just that this is a really pivotal time. I remember I probably aged myself a little bit with this story, but I worked for a company called International Network Services back in the late '90s. And when I graduated college, IP networking was in its infancy. And I remember INS, their professional services model, was built around helping customers modernize their IP network environments because everybody was fumbling through it. They were trying to figure out how to make it work. They struggled with the various protocols, and there was, there must have been a myriad of different protocols. And that's why Cisco really landed as being the premier networking providers because they had regression support for all of those things. We're at a very similar time right now with these new technology adoptions, and specifically cloud-based network security, ZTNA, and microsegmentation. It's a shift from the traditional thinking like, you know, and being a practitioner in though in the network space and having grown up with my hands on the keyboard, and then evolving into senior management roles, we'd always gravitate towards physical firewalls, architecture of the network around creating isolation and segmentation. But that's just not a reality. You know, most companies don't have the time and effort to spend to do that. And be able to utilize software-based controls, to be able to deliver that virtually, and improve the security posture of the company isn't it is a tremendous opportunity. I'm super excited about where it's at. And that's really one of the key reasons why I had the inspiration to start Viking Technology Advisors, is to start with the assessment phase, do that fourth full automation and do that light touch within 30, 60, 90 days, and help the customers build that roadmap and strategy to adopt these technologies. Because this stuff is a multi-phased, multi-year effort. But it also needs to be managed in compliance with budget availability, and a customer's interest or willingness for change risk, right? Management of change risk is important. So you have to manage those two aspects. We bring both of those things because I've done that's what I've done in my career; my whole career has all been about the business aspects of technology adoption, but really, how does it drive the business outcome? And these capabilities are all about driving business outcome. And this is really what I think this is the transition to true infrastructure platform engineering, this is the product right? What you know, that's one of the things I struggle with, Raghu, too, and I think about this as if everybody talks about platform engineering. Okay, it makes sense. It's all about products, right? I get that. But what's the product in network and security? like, can you make that a product, and how do you transition to infrastructure platform engineering? That was a big topic of conversation at the Gartner conference back in December, the infrastructure and operations cloud strategy.  

17:05 Raghu Nanadakumara

There's so much that you shared there, and I'd love to unpick bits and pieces of it. Let's start actually, with what you said really about being very outcome focused. Because that is, I think, if I look back at my own sort of background as a network security engineer, the business outcome piece often wasn't what you really connected to. You kind of, you very much kind of, very focused on, okay, what is the security outcome you're trying to drive towards? Right? Or even like, you mentioned the thing about well, that's sort of what is the five-tuple that I need to construct in order to enable you to do this. But can you talk to us a bit about how you uplevel the conversation with your clients, to folks start with the business outcome, and then ultimately, get down to the, to the how, from a security perspective,

18:01 Steve White

I think the key thing is to understand, we meet the customer, we understand, we begin by understanding where they are in their journey, having that visibility, and having that detailed conversation with their stakeholders. But then what we what we do is we combined automated discovery of their environment to bring real data points to that as far as the network infrastructure, including inventory, configuration, vulnerability, and patch, topology, and current state investments. And we also do that with a view of their telecom expense management performance, I can't lose sight of the fact that a telecom that a budget and append a financial services firm, a big part of a network budget is telecom expense. And then the last piece of the puzzle, and I've also got a recent new partnership, that's budding that I'm working on with a company called X Analytics, that it's bringing transparency to end data to the measurement of their cybersecurity risk, maturity, and a score associated. Now, you can have conversations with the C-suite executives about really what is the business status? Where is the risk associated with security, and what levers can actually be pulled to actually improve that maturity score? By doing that now, you've actually connected the dots to real data that's business related. And the other thing you've done, what that is, is now you can actually have a discussion and build a plan that will deliver that outcome and be able to measure the success of that outcome. The measurement of success is a tremendously important element. You asked for millions of dollars for budget, when is it done? Right, like by going to ZTNA-based cloud network security adoption program, when is that done? Like if you're going to bring up a business case forward, you want to bring that business case forward with a point of view of the totality of the project so that you can plan the budget for that. The other thing you can do too, is you can look at the consolidation opportunities. As we talked about earlier in our conversation, this is probably somewhere in most enterprises could be 30 or 40 different points solutions that are being that are being managed, deployed. So, you've got licenses, hardware, knowledge, and people. The power of this is to consolidate all of that, improve the efficiencies of how things are delivered, deliver real time, and the outcomes of that is also delivering self-service where they don't need to open a ticket or call somebody on network team, I don't have access to this. It's all about enabling that self-service. If you take the metrics of the maturity score from a security perspective, and you combine that with how the capabilities of network and security automation are delivered to enabling application developer, developers to perform their jobs more seamlessly. That's how we think about it. And that's how we have those conversations because then it's measurable and deterministic.

21:14 Raghu Nanadakumara

So, as part of that, right, and the whole, the measurability is so important. Being, having a very deterministic path to success is super important. How do you see the introduction of Zero Trust and the adoption of a Zero Trust strategy? When does that come into the conversation? Or is that a conversation that your, that your customers, your clients are already having, and the projects then typically aligned to that strategy.

21:45 Steve White

The strategy is all built around the adoption of Zero Trust, because that's the big pivot, right? And technologies like Illumio enable you to do that very seamlessly, both on-prem and in the cloud. And you can do that, using an iterative process, right? The deployment, I've been using Illumio, at two different firms over the past, at least over the past ten years, had tremendous success with the product in that capability on its own, not having to physically change the topology of the network, or the infrastructure to deliver those outcomes is tremendous. The visibility that Illumio provides, within the policy of the compute engine of all the application flows, you've got the foundation, then you can layer in each of these components on top of that as a strategic journey. So, it's the end state, in my mind, is Zero Trust. There's a journey to get there, the path on that journey of a roadmap for that journey is exactly what we spend our time with our customers to help them understand each of the steps along that path. That's exactly how we approach it.

22:54 Raghu Nanadakumara

Right, and I might come back actually, the way you describe sort of the foundation of the whole Zero Trust strategy is visibility. And then you sort of use that visibility to identify what controls you sort of need to layer up in order to, let's say, remove the amount of implicit trust in your environment to better protect your environment. But the actual sort of decision to adopt a Zero Trust strategy, is that on the back of conversations, and you talked about sort of assessment services, right, that that you sort of bring into a customer? Or is the adoption of a Zero Trust strategy, something that they are already bought into? And now it's like, "Hey, Steve, how do I execute on this?"

23:38 Steve White

Great question, Raghu. So, I would say it's both, right? Some customers have a level of maturity, where they may have deployed Illumio, they may have deployed that scope, but they might not have taken full advantage of the transition of ZTNA. They might have been, they might have deployed a SWIG component, thinking about, you know, VPN replacement. But when you think about VPN place, you're not really replacing the VPN; you're holistically changing your access methodology, and the outcome of that is replacing the VPN, but it's not a light for like replacement. In the same thing, within the, within the Illumio space, if a customer already has Illumio there, where are they on their journey? Have they implemented controls on-prem? Are they doing monitoring in the cloud? But what's the next step to get to a consistent policy between on-prem and the cloud? So now you're provisioning access, you're provisioning access, with the view of the totality of the of the access requirement, not just the individual unique component. "Oh, I need a firewall change in my cloud on-ramp. And I'm going to need an access control is changed in my AWS instance. And oh, by the way, I'm going to have to push a change on-prem as well", right? That, you know, there's five or six different points in that in that one example. That's really the value proposition. The output here is this ZTNA you could provision that ubiquitously and make it seamless, right off the bat. But you need to do the planning upfront. And you need to layer in all of the dependent elements to be able to deliver that. Sometimes that takes time. Sometimes you have to slow down to go faster, you have to do that. But one of the things we try to focus on is helping the customers continue to maintain their rate and pace, while they're working on that journey. Because the opportunity to actually stop doing what they're doing is, that's not an option. So yeah, that's really the automation piece. Like networks, people talked about automation, and networks and networks and in reality, are pretty stagnant. They don't really change that often. If they are changing quite a bit, then then there's most likely a design or an architecture challenge that needs to be addressed that's causing that need, right? Because you really shouldn't have to do that.

25:50 Raghu Nanadakumara

Absolutely. And they're just there. If you've watched sort of other podcast episodes, I start to smile more and more as I hear the guests say things that I sort of feel like I've been preaching for a long time. And sort of, and it makes me very happy. So, I want to come back to a few things that you just said, right? I think that the first thing that I think is really important for listeners to understand is that you may have technologies that help you achieve, essentially a Zero Trust posture. But just because you've got them, it doesn't mean you're truly on the path towards Zero Trust. And I think your point about "Oh, well, hey, I've replaced my VPN with a ZTNA technology, right? So, I must be doing, I must be on that Zero Trust path. Because one of my technologies has got Zero Trust in the name or equally, I've got a microsegmentation technology, but I'm not really doing any segmentation with it. So, I'm not truly doing Zero Trust." I think what you like is that part of it is not just about having technologies that are capable of doing this, but also then really looking at it holistically and focusing on building those security policies where you are truly sort of reducing the trust in the environment. Right. And the other thing I think is that that was really important was ultimately looking at it holistically, right? Because it can't be a strategy if you then have different strategies for every little pocket of your environment, right? This is truly your opportunity, I think about how can I get to a much more unified security posture across my environment, which will take like baby steps, right, which will take incremental changes to achieve, but I need to be thinking about that greater sort of picture that I am really aiming towards. Is that a good summary?

27:43 Steve White

Yeah. 100%? Yep, absolutely. What was said, and the overall architecture of the network is a critical component of this shift from traditional hubs, both designs, to you know, SD LAN adoption. But really, SD LAN enabled by business class internet services. That's the key, right? You need to, you need to bring both of those things together. And that's, I want to highlight one important point around the people and process thing that we talked about earlier, Raghu; as far as bringing these teams together, each of these projects and initiatives around ZTNA really require multiple stakeholders, you've got the Chief Information Security Office, right? You've got the network infrastructure team, you've got the endpoint and desktop engineering teams, you also have the cloud teams is there's multiple stakeholders there, each of those stakeholders are all going to have their own opinions about how to solve the problem. Yeah, but the reality of it is, is they all need to come together and agree on what that vision and the strategy is. Right. So, I mean, I've been recently started to participate in the open network users group, ONUG. In the ONUG session back in October, this was a big point of conversation: should cybersecurity and network teams be coming together and merge? My answer to that question would be yes; that's the fundamental shift. You start to adopt a ZTNA and a based delivery model, that you're going to bring these teams together, they no longer can operate in silos. And that's almost the more difficult aspect of it. But the technology is going to force it, it's going to make the conversation happen. And I think it is kind of starting to see more and more companies think about their organizational transformation and modernization of the way their organizations are structured to adopt these technologies because traditional models are not going to work. That was a big part of what Gartner talked about at their conference back in December.

29:48 Raghu Nanadakumara

Yeah, I think that that's such a great point because, and it's a point that many of the other guests have made George Finney's book, Project Zero Trust. Then John Kindervag, who is the Chief Evangelist at Illumio and sort of one of the founding fathers of Zero Trust kind of really speak about is, is that when this is done properly, it is not just a transformation in how you're doing security, it is truly a transformation in how you're organizing yourselves. Right. And in order to achieve that, as you just so eloquently put it, everyone needs to be involved in that process. Right? It is not just the security team, it is the network team. It is the infrastructure team. It is the application team, right? It is your risk team, like every part of your organization in some way or another, that is involved in this, let's say, the RACI that sort of governs how you do this. And that's the only way you're going to be able to drive sustained transformation. But is that how you see it?  

30:47 Steve White

Yeah, 100%? Yeah, exactly. Exactly. Nice job summarizing.

30:52 Raghu Nanadakumara

So, I think like just moving on. And you spoke about the possibilities that AI and generative AI offers. As a network security practitioner, right, and putting aside Zero Trust for a second, what are the exciting things that you see that AI is going to bring to our discipline?

31:15 Steve White

It is a super exciting time, I think, early on, maybe, maybe some people might be scared of it, like it's going to replace their jobs, or they're going to be replaced, like, like an autonomous vehicle, right? But think about the level of administration that goes into managing DevSecOps at the organization or the level of effort that it takes to actually build templates and configurations and standards and making that available to NetSecOps team, right? They, having the automation of AI and generative AI, you will automate all the functions that usually never get done, right? Everybody talks a good story about having SOPs, automating responsiveness to incidents and events, and improving the ultimate availability because, let's face it, if IT fails, it's always going to fail right now. Everybody's expectation is five nines availability. But the key here is, is that when something does go wrong, it's how quickly you can respond to it, how effectively respond to it, and how you minimize the business impact through the right design of the infrastructure. AI in generative AI is going to drive significant improvements in those areas. And it's going to enable teams that are bogged down and managing that administration to focus on more higher-value tasks. And that is like super exciting stuff. And the, you know, I'm aware of a few different startups that have popped up and some partnerships that have some friends of mine that are doing these startups, and they're building exact models around what I'm talking about, that helps large enterprises improve efficiencies in these areas without necessarily having to build it on their own. Right, because, the other, the other component I'd like to share too is the do-it-yourself-based approach for some of the stuff just doesn't make sense, right. So as a, I'm also sprinkle another company in there that I'm a strategic advisor for is, Blue Air. Blue Air is the only intelligent-based, low-code, no-code network automation platform on the market, and it eliminates the do-it-yourself-based approach. Improves significantly the efficiencies of an organization. And networks are pretty stagnant, right? And they're also highly complex. It's not like automating a server or automating an application. And you got 6000 of them. You got 3-4000 individual components that have unique attributes to them. To automate those requires customization and scripting; if you're going to do it, it is to do it yourself is the glue that eliminates all of that complexity. And that is, that's like one of your first steps on that journey towards AI enablement and approving efficiencies because now you've taken all these engineers that are focused on doing day to day administration, you've eliminated that by introducing the automation now you can have them start to really focus on higher value tasks. AI, generative AI, continuous improvement, new technologies, Zero Trust adoption. These are big projects and initiatives. And your current teams that are on the ground, would love nothing more than to be to be part of these projects and initiatives. They will love nothing more to learn these because then it becomes stickiness for the company that they're part of because they're learning new things. It's helping them evolve their resumes, and they're staying challenged, right? Nobody wants to continue to have to do the same thing over and over again. But I think a lot of infrastructure operations leaders are really struggling in that space because they've got one foot, you know, on the dock and one foot in the boat and they're about ready to fall in the water because it can't possibly keep both of them. I can't possibly keep afloat on both of those at the same time.

35:10 Raghu Nanadakumara

As you're saying that, I was actually visualizing that, that exact scene, so that's really funny. But I agree. And actually I think that's the that's the key thing to the possibilities that development AI, I think really offer, right? I really around, "how is this going to take a lot of those mundane tasks that I do, essentially, to keep the lights on that in terms of actual value, are not adding value?" They're kind of just bringing me to zero, right? How can I take those tasks that just bring me to zero and offload them, whether that's sort of reducing outages across my infrastructure, just by being much more diligent in terms of configuration deployments, right, or sort of making those failure domains much more, much more robust, and in a way, and I hope this is not too much of a leap, right? I actually feel that zero, like the adoption of Zero Trust, in many ways, gives organizations the same level of resiliency in their infrastructure, in that you're effectively trying to create as small sort of failure domains as possible, but in a highly dynamic way, right? So that you essentially have, even if you've got a failure by a failure, I mean, it could be a misconfiguration. But it could be an attacker, right? I mean, failure, sometimes it's very difficult to differentiate between those two events because the unexpected happens, but by having a security approach in place, which really limits sort of limits, the abuse of privileges, right, limits the abuse of access, you're able to contain that, which means that your security team, rather than being overwhelmed by an incident that truly just gets out of hand is able to focus on putting out that much smaller fire, while they continue to sort of do the rest of their value add tasks. And I think, I hope that analogies not to sort of out there, right? But I feel that sort of AI, in many ways, provides the same that Zero Trust provides from a security perspective.  

37:14 Steve White

It absolutely does. And you've what's really cool about it, right, AI, artificial intelligence, it's human thought, to the use of data. Think about all the different data points that exist out there, right? You've got Illumio, you've got logs, you've got Splunk, and all the logs from all these different various systems. Being able to make that data useful in a traditional mode of methodology you have to have some way to offload it into a database and then build a script to be able to extract the data, and you're going to need a subject matter expert to do that. And it's, "Oh my god, it's going to take weeks to do that." You know, one of the challenges that infrastructure and operations leaders houses get is actually obtaining the data that they need to make a decision on what to do. AI really eliminates the complexity of doing that analysis and helps, you know, an engineer that might not be able to script, obtain the information that they need to be able to make a decision about where they want to go. Right. So that's around solution engineering and delivery. Also in the operation space, that we're just talking about dev SEC ops, having a well defined SOPs for different incidents, but you can't possibly have an SOP bill for every single incident. A cybersecurity ransomware Oh, my God. With an event like that, we often would do tabletop exercises, we test ourselves and prepare ourselves. But there are always nuances here. AI helps with bringing full transparency to what data points that are necessary to figure out exactly what's happened and react to it reduce the amount of time that it takes to react because it's, as I mentioned earlier, it's all about reduction of risk, reduction of impact and maintaining the business. Right. So those elements is all about how you respond and AI is going to be a very, very important component of that. And then generative AI more specifically to your particular company's environment, there's also going to be more transparency.  

39:26 Raghu Nanadakumara

Yeah, absolutely. I think one thing that you said just now about the reduction of risk, reduction of impact, reduction of cost, right. I think that's, that's a really interesting thing, because the shift that I've seen from a prioritization perspective for organizations is, I think, as sort of particularly cyber attacks have become increasingly targeting the stability and availability of applications and of services and of infrastructure. I think there's definitely been a shift in terms of how we think about the AIC or CIA triad of security, and really putting a lot of premium on the availability pillar of that triad. Right. And I think that's the with sort of the increased I mean, I'd say like the term cyber resilience is now sort of very ubiquitous. And I think that's because of that of that focus now on how I limit the damage, right, and sort of prioritizing that not that, of course, that integrity and confidential confidentiality are not important. But availability, which has always felt put a bit on the backburner, is now really coming up trumps as something that cyber practitioners are prioritizing.  

40:44 Steve White

And that really, that really reinforces, at least in my mind, the importance of bringing those two teams together. Because maybe we always have strong collaborative relationships. That is, I've always had strong collaborative relationships at my firm and previous firms in cybersecurity. And we were always locked at the hips on every major incident that was happening because they would always bring knowledge and experience around the incident event and have the ability to help control or contain it. But then the network team was really instrumental in that as well because they were the ones that might know maybe it's a better way to implement that control in the environment. But Zero Trust brings a whole level a whole different level of control here, which is micro segmentation on steroids. Right? Now, you're not in now; you're not thinking about, you know, traditional microsegmentation models; we're all about creating a moat around the workload. Now, obviously, you'll still have those base set of controls there. But now you're with Zero Trust. It's only based on a finite number of users that have access to those workloads. And it's much easier to manage that, and you're not doing it again, relying on 20-year-old isolation-based approaches using physical aspects of network and security. In truly doing this in software now, which is really kind of cool. It seems like the network and security have caught up to where everybody else is from. Yeah, from a capabilities perspective.

42:16 Raghu Nanadakumara

Absolutely right. And I think actually, the when you when you do it, you have the ability with Zero Trust, and whichever pillar you're focusing on within the Zero Trust sort of framework, that you have the ability to instrument, a significantly more granular and more dynamic policy in a way that is way simpler than you would ever be able to do with traditional approaches, which is, which is feels contradictory. But it's the truth if you do it properly.

42:52 Steve White

In the threat actors are going to have the same access to right, they're going to have access to AI, generative AI, they're going to use automation to improve their efficiencies. Zero Trust-based model is how you stay ahead, right? It's all about what we do today. And how do we deliver today? And then how do we? How do we plan for the future? Are we ready to deal with the unknown that's going to happen in the future? That's what these technologists really play. That's why it's important for companies to look at it from the security, physical infrastructure, and the applications that are around it, and have a holistic based approach for policy, regardless of where the workloads sit. Because most firms are going to end up in a hybrid model where they're going to have on-prem workloads, you're going to have cloud workloads, and, and a lot of the selection of products is a little bit of religion and politics, your people have their, you know, have the things that they like, and others have things that they like. At the end of the day, I think everybody can agree that having consistency in policy and administration improves the effectiveness of the infrastructure operations teams and security, to manage this. And availability is what it's all about. That's the outcome, right? Because at the end of the day, if it's not done right, that's really the impact of availability.  

44:19 Raghu Nanadakumara

Yeah, absolutely. You said it so well, right? Because ultimately, as an application owner, I don't care where my application is running, right? I just want to be confident that when I want to run it, I'm able to run it, and it's got all the right security around it. And I think that's really what Zero Trust is about, is it one of the things is about being able to guarantee that you're able to run an application with the right level of security around it in whatever environment confident and only those who should be able to access it or things as other actors that should be able to access that are able to access it. That is ultimately what Zero Trust is about. It's not about the infrastructure that you're running. Right? It's not about the environment or the technology; it's about being able to essentially guarantee that for the application owner.

45:11 Steve White

I like what you just said, I just want to double click on that for a second. The key component here is creating the separation between the physical infrastructure and the control. Yeah. Because if everything depended on the execution of delivery of architectural change within the physical topology, huge expense, lot of time, and the business needs it now. Right? So none of that is going to work, right? So it really, it creates that layer of abstraction between your link between traditional legacy infrastructures as an overlay, if you will. I'm not sure that I know what an overlay is, but I'm not sure if that's the right term for what we're talking about. I'll use it anyway. You know, it's like an overlay on top of that environment on top of the physical environment. And it's a fast track to, you know, even on parts of your environment that might be in the life, you know, a lot of companies are struggling with end of life patch management, a lot of challenges. And all of those things take time, right? And you only think about the number of maintenance windows that large companies have. And then, if you're in the healthcare industry, you don't even have maintenance windows, right? Like there's, you can't take anything down because you can't tell, you can't tell a doctor, they can't do what they need to do, because I'm doing maintenance on this. That's not going to work.  

46:34 Raghu Nanadakumara

Yeah, I like that. Because it, you you're now reframing the, you're reframing it from the perspective of when you think about what, how can I apply this approach and where it's going to give me benefits. It truly has benefits, not just in terms of your modern in terms of your transformation, your modernization, but also has relevance in your existing legacy infrastructure, as well. And I love that word that you used, overlay. And I love that because you are abstracting away from essentially all the things that constrain what you can do, right, which is the infrastructure, the infrastructure constraints, what you can do. And now, if you're able to essentially up level and say, “Actually, I'm not going to worry about the infrastructure. It can do what it needs to do, and run whatever technology, but I'm going to uplevel that and actually shift my control to as close to the thing that I'm trying to protect, then I have far more flexibility and capability to be consistent to have coverage and to improve that security posture that I've always wanted to do.”

47:43 Steve White

Yep, 100%, and just a plug for Illumio. They've been doing that for a while, right? I mean, that that was one of the things that was really exciting about that technology when I learned about it, seven, eight years ago, was this was the simplicity of being able to deploy it on every workload in the environment, establish a set of tags create visibility on the flows that are associated with that move to execution of policy, both in monitoring and as well as in containment. And do that at scale. The simplicity of that is really building on that simplicity. You can overlay the next level of containment and control, which is ZTNA on top of that fabric that's already in place. It's super cool, right? And it's really the wave of the future, in my opinion, that moves you fundamentally away from traditional control access with firewalls to true policy-based access. And you're not managing this other firewall, right. And it's just the concept of firewalls like zero that goes for the borderless networks. I've been hearing that term for many, many years. And I actually think for the first time we are actually there, like, I think these are the technologies that actually enable that. And I'm a visual learner, and someone that thinks of things logically, and I can see it like in my mind, I can see that that true borderless network, where an enterprise doesn't really have doesn't even manage their own perimeter anymore. That perimeter is up in the cloud, that perimeter is at the application control. And it doesn't really matter where the users are coming from; you're not worried about creating a trust zone between a cloud instance and an on-prem instance and managing the firewall policy between the two. It really is super exciting. And the key, the key to all of this success is having the right plan, having the right transparency on the starting point of where you are on that journey and layering it out over time so that it can be adopted with consideration for willingness to consume risks associated with change and the ability fund. Because that's the most important element here is the cost aspects on it. The and how those cost aspects deliver business value, what it meant in being able to bring transparency to the C suite executives on exactly what they're getting for what they're spending. That's huge, right? Because at the end of the day, that's why they have infrastructure and operations teams. That's why they have technologists, the technologists worry about that, C suite executives worry about the worry about the business. And everybody working together delivers on that outcome. It's pretty cool stuff. I mean, this is a really great time in the industry, and I'm super excited and pretty passionate about it. And having a lot of fun right now on having conversations like this, and being part of Executive Advisory and spending time talking to other customers and helping customers solve these problems is really great stuff.  

50:54 Raghu Nanadakumara

Well, I mean, Steve, you just gave us such a great line to wrap up on. Zero Trust provides the entire organization with transparency across its security posture, maturity, and spending. So, when adopted and done properly, it is essentially a value creator for an organization and an enabler for modernization. I think that's the gist of your message today.

51:28 Steve White

100%. Yep. Well said, well said.  

51:32 Raghu Nanadakumara

Steve, it's been an absolute pleasure to have this conversation with you to really tap into your experience and your real, practical technical experience about how you're making this real for your customers today. And it's been such an eye-opening conversation. It's great to have deeply technical individuals like yourself on this podcast. So, thank you so much for joining us.  

51:58 Steve White

You're welcome, thank you so much. Thank you very much for inviting me. And I'd love to come back for another conversation in the future sometime. We'll talk more about some of the outcomes that we're realizing.

52:09 Raghu Nanadakumara

I'm sure with all the changes happening in the technology landscape, in the security landscape. I'm sure we'll talk months from now. We'll have lots more to converse on. So yeah, I'd love that.

52:22 Steve White

Fantastic. Great. Thank you so much for your time. I really appreciate it.

52:25 Raghu Nanadakumara

Thank you, Steve.