Technology Now

Cyber security, and within that Zero Trust and SSE, is a huge deal for organizations both in terms of the implications and the cost. Implementing a proper security strategy can be a daunting task: Even knowing where to start is a minefield. Fortunately, there are people out there who can help. In a change to our usual format, we're joined by Field Chief Technologist at Axis Security Jaye Tillson. We're going to be asking him the questions he wishes more CTOs did before embarking on their Zero Trust, SSE and cyber security journeys.

We'd love to hear your one-minute review of books which have changed your year! Simply record them on your smart device or computer and upload them using this Google form: https://forms.gle/pqsWwFwQtdGCKqED6

Do you have a question for the expert? Ask it here using this Google form: https://forms.gle/8vzFNnPa94awARHMA

About the expert, Jaye Tillson: https://uk.linkedin.com/in/jaye-tillson

This is Technology Now, a weekly show from Hewlett Packard Enterprise. Every week we look at a story that's been making headlines, take a look at the technology behind it, and explain why it matters to organisations and what we can learn from it.

Hosts: Aubrey Lovell, Michael Bird


Hello, hello and welcome back to Technology Now, a weekly show from Hewlett Packard Enterprise, where we take what's happening in the world around us and explore how it's changing the way that organizations are using technology. We are hosts Michael Bird-

And Aubrey Lovell. In this episode we're doing something a little bit different. We're putting ourselves in the shoes of a CTO or Chief Security Officer and asking the expert the questions they wish they'd get asked about all things zero trust. We'll be discussing how to start your zero trust journey and also talking about how to balance the books and frame conversations around funding for your security needs. We'll also be talking about the greatest threats facing organizations today.

Sounds like it's going to be a great conversation, so do not go anywhere. And as always, if you're the kind of person who needs to know why what's going on in the world matters to your organization, then this podcast is for you. And if you haven't yet, subscribe on your podcast app of choice so you don't miss out. Right. Let's get on with the show.
Okay. Cybersecurity is something that comes up time and time again as a major and ever evolving challenge. Preparing for and fighting ransomware and other attacks is an exhausting prospect for organizations both large and small.
But fortunately, there are things you can do to defend yourself, be that zero trust architecture where you only grant access to the tools that really need them, or secure access service edge, better known as SASE. That solution ties security to the devices accessing systems rather than simply protecting the data center.

And the stakes couldn't be higher. Last year, it's estimated that globally cyber crime cost the economy more than $7 trillion in 2022, and that number is set to go up by around a trillion a year until 2025.

Now, cybersecurity solutions don't come cheap. Other than the potential cost implications in terms of both investing in protection and potential losses, what should organizations be doing or what questions should they be asking?
Well, this week we are playing the part of a C-suite exec at a major enterprise IT firm to find out, asking an expert the questions he wished more people would ask. That expert is Jaye Tillson, a field CTO at Axis, who have recently been acquired by HPE. So Jaye, welcome to the show. First question, I suppose, what on earth is a field CTO?

That's a question I get asked quite a lot. It's a relatively new role I think in the industry. Most field CTOs have come out of businesses, so they've been on the customer side. It's really about going out and evangelizing the technology and not necessarily the product.
Obviously I came from the customer side, so it's about having empathy with CISOs and CTOs and people in businesses because we've worn their shoes. So being able to understand more than just the technology, about understanding things like budgeting, resourcing, et cetera, and all the other issues that you have in those roles rather than just the technology element.

So Jaye, what do you see as the biggest threat to an organization from a cybersecurity perspective?

Maybe I'm going to be a little bit controversial here and say the human element. Technology can only do so much, and I'm a nerd and I'm a geek, and I've worked in technology a long time. We are starting to see a shift in people's awareness of ransomware, but security has always been seen as slowing a business down. It's always been seen as the area that says no.
We as cyber leaders need to help educate and change the culture, not just in businesses, but across the globe to explain what the risks are because yes, if you get compromised in an office, you might not care. It's not your money, it's not your business. But people are starting to get compromised in their personal lives as well.
So really there needs to be education at school level, college level throughout society on the damage that having your identity stolen can be or getting compromised or getting your credit card cloned or whatever it might be, because the technology, like I said, can only go so far. That's not to point fingers at people because these things are really hard to spot, but we really need to help educate people on why and what will happen. That's my opinion at least.

Okay, so Jaye, big question, what is zero trust to you?

Very good question and one I've heard a lot. I guess really most people will think it was invented by John Kindervag when he was back at Forrester, I think 2009, 2010. It really stands for never trust, always verify. So what it means to me is a complete flip of the way we've ever done things before. We used to have open networks and we used to really make it easy for everyone to get everywhere and access everything because we were all on the LAN, we were all on the WAN.
The concept of never trust, always verify is really connecting people just to the services or applications that they need access to. And whether that be remotely, which is a big push towards kind of the ZTNA or whether it be on the LAN or WAN, it really is allowing people just to get to the systems they need to access to reduce any kind of form of attack. So if a user does get compromised, they can only compromise the systems that they have access to, which is very limited versus what we did in the past where they could go everywhere.

There's probably some listeners who haven't started their zero trust journey. Where would they start and how would they approach this?

Another good question. We actually interviewed John Kindervag maybe a year ago. We did a bit of a journey on our podcast and we interviewed a whole bunch of people around zero trust, and I asked him that exact question. His answer was, and a very good answer, he said, "It doesn't matter where you start, it matters that you start."
I think what he meant by that was we have a tendency to investigate, investigate, investigate, and investigate, and then not do anything. And the risk we have with that is ransomware is on the rise. If you wait too long, you will get compromised. Paul Simmons, we also interviewed, and he recommended looking at what your business risks are, tying it all back into the business.
For me, where should you start? With your highest risks. Look around your business, evaluate the highest risks. That could be anything that affects share price, anything that stops you shipping goods, if you're in healthcare, anything around medical data, patient data. What are your kind of crown jewels and put your arms around them and start the zero trust journey there.
But it is very important that you do start. Do not wait a year, do not wait two years because compromises are on the rise and attackers are going to target the weakest, unfortunately, but that's the facts.

These days budgets are particularly tight and security can sometimes be one of those things that whilst it is really important, can sometimes feel a little bit, I guess intangible. So how should organizations figure out how to budget for this sort of stuff?

Another very good question I get asked. It's a difficult one. Generally security tools cost more than anything else for whatever reason. The journey that I took was looking at my whole infrastructure and security budget and seeing how I could move forward with a digital transformation, changing everything and what I could save costs on somewhere. We reduced our MPLS costs, we went SD-WAN, we reduced those costs and I used some of that money to enhance security.
Now, if you have a large environment and you have those kind of low hanging fruit where you can reduce some cost and spend it on security, you're in a good position. Do that. Look at your total spend. If you've already reduced those costs and we are in tight budget concerns at the moment and constraints, then you need to sit down and think about what are the risks of not doing things.
A lot of CISOs and CIOs at the moment are going through consolidation. We see consolidation in the market as well, but we definitely see CISOs and CIOs consolidating the number of tools they have. Use that as a mechanism to reduce your budget. If you currently have 50 tools and you are paying 50 vendors, why not try and reduce them first to 40 and then to 30 and then downwards?
Try and do more with the tools you've got. A lot of us will have many tools that we only use 10% or 15% of. Why not use 80%, 90% of those tools or consolidate to a lower number and use that to reduce your budget?
I think also sometimes you just have to acknowledge that your budget will increase, but if you get simple tools that are easier to use, the people that you free up and the resources you free up from making those things more simple, you can allocate to do other things that can make your business step forward. So rather than keep the lights on, free up some of those resources, allocate them to things that can help you move in the right direction.

Can you give a couple of practical tips to our listeners who are maybe interested in trying to figure out what to do next? What should be their first couple of steps?

Again, I work in an SSE environment, so security service edge. We are seeing a lot of people move because SSE is about consolidation. SSE is kind of made up of a load more acronyms, zero trust network access, secure web gateway, CASB, DLP, all of these acronyms, but it's all about consolidation. It's all about taking those point products that we've had in the past and bringing them into an SSE platform.
That's a good place to start because that goes back to consolidation, reducing the number of point products and simplicity. We are seeing most people start their SSE journey with ZTNA, zero trust network access, which is really the replacement of VPN.
Obviously, our workforce are now remote or hybrid. We work in an environment where people are being encouraged to go back to the office, but they're not going back full time. So the biggest risks are still those remote users. A lot of people still have legacy VPN technologies. They come with their own inherent risks, they put people on the network. So people are starting the kind of zero trust journey with ZTNA then moving up to the wider SSE platform. That to me is really still a good place to start.

That's fantastic. Thank you so much, Jaye. We'll come back to you in a moment, so do not go anywhere.

All righty. Next up it's down to you, our audience. We open the floor for you to give your recommendations on books which have changed the way you look at the world, life, and business in the last 12 months. They could be technology-based, have changed the way you work, or they could just have made you look at the world in a totally different way.

If you want to share your recommendations, there's a link in the podcast description. Just record a voice note on your phone and send it over.

Hello, my name is Devrim Celal. I am the CEO of KrakenFlex. A book that I read this year that has had a major impact on the way I think about things is a book by Elizabeth Kolbert. It's called Under a White Sky. What struck me is she gives lots of great stories from recent history where humans have tried to engineer nature and failed miserably and gives you enough examples for us to hopefully stop trying to do that and let the world be.

Thank you for that. Okay.

Well, ordinarily it would be time for questions from the audience, but this time, since we're playing the part of C-Suite exec asking Jaye questions, we thought that might sound a little odd. So instead we're firing straight back in with part two of the interview.
Jaye, during the pandemic, everyone moved to working from home almost overnight. What impact do you think that has had on the world of cybersecurity and on the world of remote access?

Oh, that's a good question. I'm going to struggle to answer that in a short period of time.

That's fine.

I think there were a lot of positives from an innovation point of view. The world really moved on. I mean, it moved on with things like Teams and Zooms and all of those kind of conferencing solutions. It moved on in the remit of remote access because legacy VPNs couldn't cope with the requirements. Suddenly people had to go and buy 1,000 licenses, 20,000 licenses, 100,000 licenses. They had to get hardware and all of those things. So those struggled.
Then you had kind of the uptick of ZTNA doing it a different way. That was a positive as well. I think take away the fact that the pandemic was catastrophic across the world for a lot of people, I don't want to devalue that, but from an IT and security point of view, that innovation was huge. I don't think people will go back to 100% in an office any longer.
And if you are only home, even if it's only one day a month you are home, you need remote access. So companies have had to take the leap of faith, and they took a leap of faith right at the start of the pandemic. They either went out and just bought a load more licenses for their legacy VPN and acknowledged there were risks, or they went and bought a ZTNA 1.0 player. But they did it without any real investigation or really going through their normal process. They didn't really do the purchasing process in the right way.
What we are seeing today is those people are circling back now. Those kind of three-year terms are coming up for renewal. We are seeing them have to follow the correct process, have to go out and look at all the technologies that exist, and have to look at purchasing in the right way. That's given everyone an opportunity. Customers want choice, and the pandemic created that choice. That's really, for me, key.

Gosh, that's interesting. You're right because a lot of software agreements are three years. And yeah, it's three years since the pandemic. So those people that had to make quick snap decisions, it's now coming around for renewal.
Do you think it impacted the way that organizations made decisions? Have they proven that you can make good decisions quickly, or did it actually prove that actually you should take a little longer to make a decision?

In some cases, I think people made really good decisions, and therefore I think if you are in a company where you are very technology led and you know technology very well, I think you could have made very good decisions. I'm not saying everybody did, but there were a lot of decisions that were forced upon people. I know a lot of people that were sharing VPN logins, for instance, for a period of time, or just went out and bought more licenses for VPN.
So I'm kind of sitting on the fence with the answer. I think in some cases, yeah, it proved that quick decisions are valuable. And I hope that people continue to do that, but it's not what I'm seeing from everyone at the moment. I'm definitely seeing people trying to go back to the old way of doing it and maybe even slower than they were before. I really hope that we do have a proper look at the way we made decisions and realize that some of them were good ones.

Brilliant. Thanks, Jaye. Again, we'll drop a couple of links in the podcast description for more on these topics. Right then, we're getting towards the end of the show, which means that it's time for-

This week in history.

This week in history, which is a look at the monumental events in the world of business and technology, which have changed our lives.

I think we need some reverb on that, Michael. I think it would just be the perfect touch.

And an orchestral backing as well.

The clue from last week was the bird has touched down, and no, it's not Michael. It was of course the landing of the Apollo 11 Lunar Module, better known as the Eagle, on the moon this week in 1969. Touching down in an area known as the Sea of Tranquility, the module spent just shy of 24 hours on the surface of the moon, in which astronauts Neil Armstrong and Buzz Aldrin bounced around, said something pretty famous about small steps, and got a few hours of sleep.

I don't think I'd manage to sleep on the moon, just saying. There might be some nervous energy just keeping me up. Anyway, next week, it's 1914 and the clue is ring, ring.

Hello?

Hello. That, ladies and gentlemen, was our first ever two person clue. How exciting. Well, anyway, that wonderful clue brings us to the end of Technology Now for this week. So do keep those suggestions for life-changing books coming in, using the link in the podcast description.

In the meantime, thank you so much to our guest, Jaye Tillson, field CTO at Axis. And to our listeners, thank you guys so much for joining us.
Technology Now is hosted by Michael Bird and myself, Aubrey Lovell. This episode was produced by Sam Datta-Paulin and Zoe Anderson with production support from Harry Morton, Alicia Kempson, Alison Paisley, Camilla Patel, and Alex Podmore. Technology Now is a Lower Street production for Hewlett Packard Enterprise. We'll see you next week.

Cheers.