Subscribe
Share
Share
Embed
HPE news. Tech insights. World-class innovations. We take you straight to the source — interviewing tech's foremost thought leaders and change-makers that are propelling businesses and industries forward.
Aubrey Lovell (00:09):
Hello friends and welcome back to Technology Now, a weekly show from Hewlett Packard Enterprise where we take what's happening in the world and explore how it's changing the way organizations are using technology. We're your hosts, Aubrey Lovell.
Michael Bird (00:22):
And Michael Bird. Now in this episode, we are looking once again at our digital security, particularly around the state of the industry in 2025 and the way threats and consumer behaviors are evolving. We'll be looking at the adoption of new kinds of security. We'll be looking at how VPNs are still an evolving part of the security equation, and we'll be examining what this all means for our security and our organizations.
Aubrey Lovell (00:51):
Very good. And if you're the kind of person who needs to know why, what's going on in the world matters to your organization, this podcast is for you. And if you haven't yet, subscribe to your podcast app of choice so you don't miss out. All right, Michael, let's get into it.
Michael Bird (01:06):
Let's do it. The cybersecurity landscape in 2025 is in a period of flux. As both attackers and security professionals work to weaponize AI, new threats, weak points and opportunities are evolving. According to a report from the World Economic Forum, which we've linked to in the show notes, there are multiple competing factors in security right now, escalating geopolitical tensions, more complex supply chains leading to a more unpredictable risk landscape, the continued adoption of emerging technologies like AI, and somewhat ironically, the ever-changing landscape of international security regulations intended to keep us all safe, which is making it hard for organizations to keep up.
Aubrey Lovell (01:55):
And that's before we talk about the digital skills gap and cyber inequality causing a two tier security landscape, which the report also mentions. Now it's an interesting time to be in cybersecurity. And yes, the word interesting is doing a lot of heavy lifting here.
Michael Bird (02:11):
So to help us unravel things, we are joined by Jaye Tillson, Field CTO and Distinguished Technologist at HPEJ. Welcome to Technology Now.
Jaye Tillson (02:21):
Thank you. Thank you for having me back on.
Michael Bird (02:23):
So Jaye, we are approaching the end of the first quarter of 2025. What is the current state of play in the cybersecurity field?
Jaye Tillson (02:33):
I think that's a really good question. So I think that the factors that were on people's minds last year are things like ransomware and insider threat and really the risk of VPNs. And we spoke about that on the show before, but I think the geopolitical uncertainty that we have at the moment is really putting people on edge in general across all fields of IT and specifically around cyber. People don't really know what direction to go in or what's going to happen. There's obviously conversations around tariffs and stuff like that and pricing and budgets and all those kinds of things. So I think the hot topics right now are very similar to what they were last year. I still think ransomware is on people's minds, the risk of insider threat and more and more really the risk of VPN.
Michael Bird (03:14):
And are we seeing an increase or a decrease in the types of threats, attacks happening around the world?
Jaye Tillson (03:23):
We are definitely seeing an increase. The attacks are becoming more sophisticated. I think people are specifically pinpointing VPNs as there's a lot going on at the moment with specific hacking groups that are targeting legacy kind of SSL VPNs and the attacks are becoming more and more sophisticated. I think with the rise of AI, it's become easier for people to come up with more sophisticated attacks. It's easier and quicker. And so we're definitely seeing a rise in that. We are seeing the targets of ransomware move a little bit from specific verticals that are maybe becoming a bit more protected because they were the target before. So once you become a bit more protected, then the attackers just focus their attention on the people that are less protected. So we are seeing a shift across verticals, but I still see a rise in ransomware and attacks against VPNs.
Michael Bird (04:14):
So those organizations that are on older technology, older systems, older software, they are more susceptible or right now they're more susceptible to coming under attack?
Jaye Tillson (04:27):
Yeah, I like to use the analogy of walking along the street. If you're a car thief, you're going to look at the cars that are older and have the old-fashioned alarm systems or even the ones that are unlocked. And if you see a car that's unlocked, even if it may be cheaper than a car across the street that's more valuable, it may be very easy to go after those low hanging fruit. And right now that appears to be VPNs.
Michael Bird (04:49):
I suppose once you can get into a VPN, your access to systems can be quite impactful to an organization.
Jaye Tillson (04:57):
There's really two main concerns around VPNs. One is being able to break straight in the front door. So for instance, legacy VPNs run on hardware and that hardware sits on the internet and their report's open. So you can either just break in because it's sitting there and it's exposed, or you can jump onto the back of the VPN, i.e. get into the user's machine and traverse through that tunnel. Both of those attacks are quite prevalent. A lot of the legacy VPNs are based on the same kind of technology SSL VPNs. And if you can compromise one of them because they all run very similar ways, then you can get into almost all of them.
Michael Bird (05:36):
And if you know there's a vulnerability but there's not a patch for it, presumably you still need to, users will still need VPN access, so you've got to make a decision there.
Jaye Tillson (05:44):
Yeah, funnily enough, I have spoken to some companies recently that have got vulnerabilities in their VPN and they've actually decided to shut the VPN completely and enforce that all of their users coming back into the office every day. And that creates all kinds of other problems. That creates a problem with morale. People are not excited about doing that. Obviously the IT team then have people pointing fingers at them and saying, "We're having to do this because your technology's failed." Et cetera, et cetera. So it creates a whole wide raft of other problems.
Michael Bird (06:15):
Gosh, yeah, some unintended consequences because of that.
Jaye Tillson (06:18):
Yeah.
Michael Bird (06:19):
So you've been working on two major surveys at the moment, one into SSE adoption and one into VPN rescue. Let's just quickly start with SSE adoption. Can you just briefly remind listeners what is SSE?
Jaye Tillson (06:32):
Okay. So SSE stands for Security Service Edge, and when you combine it with WAN technologies like SD-WAN and WAN optimization, it makes up the wider SASE architecture and really it's the security part. So it's taken security and networking and combining the two together. And SSE is made up of a number of other tool sets or architectures such as CASB, cloud access security broker, secure web gateway, and ZTNA, which is really the new version of remote access. So zero trust network access.
Michael Bird (07:04):
Got it. Got it. Okay. So can you tell me a little bit more about the survey then?
Jaye Tillson (07:09):
Yeah, so the survey we've done several years in a row now. So this is the third year we've done it and it's done with a third party called Cybersecurity Insiders. It's a number of questions. I think it's around 20 questions and we ask a bunch of people simple questions like what is the size of your company? What are your security team's priorities? Those kind of things to kind of set the scene. And then we dig more into how are you going about adopting SASE? Why are you adopting SASE? What is critical around it? Are you adopting SSE? What do you believe are the key components of SSE that you are starting with? Do you see it as an architecture or not? What are your business benefits? The aim of the survey really is to gather understanding ourselves, but also for other people to see what their peers are doing and how they are doing it, what's working well, what's not working so well.
Michael Bird (07:57):
And what have been the main findings from the survey?
Jaye Tillson (08:00):
I've only really had a draft response at the moment, but the findings, and actually some of it came as a little surprise, some of it didn't. So in last year's survey we asked the question around where are you starting your kind of SASE journey? Is it with SSE so the security part, or was it the networking part? And it was 57% to 42% we're starting with SSE. This year it's increased to 59%. So more people are going on this SASE journey, starting with SSE. It's also gone up as well in regards to the number of people adopting SSE. So it's gone up from 69% of respondents to 79% of respondents are going to be adopting SSE.
(08:41):
But I think really the real shock for me was budget. So last year people were saying that they were unsure what was going to happen with their budget. This year people are saying 43% said they thought the security budget was going to go up, 46% believed it was going to stay the same and only 11% of people said it was going to go down. Those numbers have shifted a bit. So it says that the industry is aware of risks. It says that they are aware of VPN being a concern and therefore they're going to need more money to fix these problems, which is why budgets are changing.
Michael Bird (09:15):
Okay. So let's look at the VPN piece of this survey. So can you tell me a little bit more about that survey? Who are you talking to and what are you trying to find out?
Jaye Tillson (09:24):
So it's also done with Cybersecurity Insiders. It's the VPN risk report. It digs deeper into what the people think around VPNs. We did this survey last year and the statistics showed last year that people were extremely concerned around their VPNs with 97% of businesses knowing that their VPNs are potentially a target and 92% believing that it was VPN that was going to jeopardize their environment. So there was an element of concern around risk. There was also a big concern around user experience and poor experience of VPNs with 80% of respondents saying they were dissatisfied with their current VPN. And then there was that element where organizations were talking about complexity.
(10:06):
65% of organizations said they had three or more VPNs, which adds to this kind of concern around complexity. We haven't got the results back yet. The survey's out, people are filling out the survey. I'd be really interested in the results from this one because 97% is a significant number of people that believe their VPNs are under threat. And that number, I mean I honestly think that number could go higher. It could even be a hundred percent. I definitely think this is an interesting survey that's going to come out and I think those risks definitely will be higher.
Aubrey Lovell (10:37):
Thanks, Jaye. As you know, cybersecurity evolves so quickly, so it's great to have you back with us.
Michael Bird (10:45):
All right. Well now it is time for Today I Learned the part of the show where we take a look at something happening in the world that we think you should know about. Aubrey, I think it's one from you this week.
Aubrey Lovell (10:55):
So we're talking nuclear energy. As you know, it is one of the cleanest sources of energy going and it generates a fair chunk of the world's electricity around 10% according to the International Energy Agency. However, it also produces a lot of harmful waste products which need to be stored for hundreds or even thousands of years. Now, researchers in Ohio may have found a use for nuclear waste as a battery to power electronics. They have been experimenting with using tiny amounts of waste product in this case, Cesium-137 and Cobalt-60 whose radioactive emissions are strong enough to activate special crystals called scintillators, which then emit light. That light can be used to power a solar cell. It's not an efficient process though. The team's battery cells wear approximately the size of a grape and generated from 288 nanowatts to about 1.5 microwatts. That's not a lot, but with some refinement, could provide a nearly endless power supply for sensors and equipment within nuclear processing and storage facilities. That is places where humans aren't going to be for obvious radioactive reasons. You can find the team's findings were published in the journal Optical Materials: X.
Michael Bird (12:08):
Thank you for that Aubrey. Very illuminating.
Aubrey Lovell (12:10):
I'm sure you are very grateful for that story, Michael.
Michael Bird (12:10):
Even better. Even better.
Aubrey Lovell (12:21):
Okay, well now it's time to return to our guest, Jaye Tillson to talk about the cybersecurity landscape in 2025.
Michael Bird (12:28):
So do you think the VPN in its traditional sense is dead?
Jaye Tillson (12:32):
I think the requirement in the world we live in today, the hybrid world we live in where people still need some form of remote access is still there. There is still a requirement for remote access. I think the legacy way we've done it with a firewall or a VPN concentrator sat on the edge of the network, that's certainly dying. I'd like to see it die completely because of the risks. However, I also believe that it's a technology that people are very familiar with and very comfortable with.
(13:04):
So ZTNA was being pushed quite hard by the security people, by the CISO as a security tool that people needed to adopt. The networking team have historically been responsible for VPN technology. So there's always been a little bit of a battle between those two teams. Some of them have money or resources, some of them don't. There's always been that struggle. What I'm starting to see now is the networking teams understand the risks of the tools that they own and they're starting to go to the security teams and say, "Please, can you help me get a tool?" Because they know if they get compromised through that tool, they're going to be the ones dealing with the fallout. So the teams are now beginning to work together, which is very powerful.
Michael Bird (13:50):
So looking at these two surveys, how does that leave you feeling going into the rest of 2025 and beyond?
Jaye Tillson (13:56):
It gives me some confidence that people are aware of the threats from cyber. It wasn't that long ago I would talk on stage and I would ask people to put their hand up if they knew what SASE was or what SSE was. There were very few people would put their hands up. Now if I ask the same question, way more people put their hands up. It's gone from maybe 10% to 90%. Historically, security has been very much seen as a blocker in the industry. It's now beginning to be an imperative thing and it can actually help businesses become more efficient. If you deploy the right secure tools, you can create a world that's much more simple and therefore it's much more efficient for users.
Michael Bird (14:42):
Jaye, do you think as a whole, organizations are prepared for today's security threats? And I say that very aware that the geopolitics around us is changing and changing quite rapidly and so I'm guessing, or I'm going to assume that security threats are also potentially changing and potentially changing quite rapidly.
Jaye Tillson (15:04):
I think it's a really good question. I think people are more aware of the threats. I don't think we will ever be 100% prepared for every attack because as we become more prepared for what is happening today, threats naturally change. Ransomware has been that biggest concern for a large period of time. I think we are, or the industry is more aware of the ways in which they can protect themselves. And also Zero Trust very much talks about assume breach. And people used to talk about, "I'm never going to be breached. I'm secure." People's mindset is changing now so that they will do absolutely everything they can to be protected, but also they are being much more proactive in planning for when they do get compromised, how do we recover? So those two have to go hand-in-hand because as I've said, I think as we start to be more protected, the attackers will change their focus. So we need to just be aware of how do we recover if something does happen?
Michael Bird (16:07):
Yeah, and so I suppose if you as an organization set yourselves up from a perspective of like, well, it's not if, it's when we'll be compromised, I suppose you would then architect your environments in a different way. I suppose you'd probably build. Presumably you'll look at things like better disaster recovery, as you said, probably some sort of insurance policy.
Jaye Tillson (16:31):
Zero Trust very much talks around segmenting people's environments, whether that's segmented the hybrid workforce using something like ZTNA or whether it's using microsegmentation on prem. It really is about giving access from the user just to the server or service they need access to. So therefore, inherently the attack vector is smaller, the attack surface is smaller because of that segmentation. But yes, people are starting to talk about Back up in recovery. They're still going through playbooks to protect themselves or at least understand if they do get attacked, who needs to know? Who do we need to tell? How do we react to this? What is our strategy for recovering? So although people are kind of segmenting their environments and reducing that attack surface, they're also being prepared for recovery if it does happen.
Michael Bird (17:22):
Let me wrap up then. Why should organizations be paying attention to the results of surveys like this?
Jaye Tillson (17:27):
One of the things that I always found really useful when I was on the customer side was understanding what other people in the industry are doing. What is working well? What isn't working so well? Why are they doing things? Why are they moving in a certain direction? Zero Trust is, it's not a want anymore, it's a need. You have to do it because of regulation, because of the cyber environment we live in. So really anything that can help people move in that direction is good. It's a relatively new concept, so very few people have done it successfully today. So learning how people are taking steps in that direction from people that have done it, I think is really useful for everybody. So that's why I think these surveys are important.
Aubrey Lovell (18:16):
Thanks so much, Jaye. It's been great to talk to you again and you can find more on the topics discussed in today's episode in the show notes. Okay. Well, we're getting towards the end of the show, which means it's time for this week in history, a look at monumental events in the world of business and technology, which has changed our lives. Michael, what do you have for us today?
Michael Bird (18:38):
Well, the clue last week was it's 1930, and this celestial discovery caused a small stir. Did you get it Aubrey ? I don't think we did.
Aubrey Lovell (18:50):
I don't think we did either.
Michael Bird (18:51):
It was the discovery of Pluto, which was announced this week 95 years ago now. Pluto was discovered by Clyde Tombaugh, a Kansas farm boy with no formal scientific training, but a passion for building telescopes and searching the night sky, which had earned him a job at the Lowell Observatory in Arizona. Now Clyde's job was to search for Planet X, a theorized Neptune-sized planet orbiting far outside the known solar system. Planet X was never found, though some theories still support its existence. However, after months spent in unheated observatory, painstakingly observing photos of the night sky for any noticeable movements suggesting a planet, Clyde found a dot and the dot was moving, suggesting an orbit, and it was exactly where Planet X was thought to be.
(19:43):
That dot was Pluto. It wasn't Neptune-sized. It had just 0.002, the mass of Earth, but it was definitely there. Unfortunately, and Aubrey, you might remember this when you're at school, as I do, Pluto was relegated to a dwarf planet status in 2006, and all the charts we had on all the walls at school had to sort of be black marked out. Anyway. For some of us, it holds a special place. It's a planet in all of our hearts.
Aubrey Lovell (20:13):
Long live Pluto.
Michael Bird (20:15):
Gone but not forgotten.
Aubrey Lovell (20:16):
Amazing. Thanks, Michael. And the clue for next week? It's 1903, and this discovery was certainly a hot one.
Michael Bird (20:17):
Okay. Okay.
Aubrey Lovell (20:26):
Maybe star related.
Michael Bird (20:29):
Maybe.
Aubrey Lovell (20:29):
I'm not sure. We'll have to find out.
Michael Bird (20:31):
Fun next week.
Aubrey Lovell (20:32):
Indeed. And that brings us to the end of Technology Now for this week, thank you to our guest, Jaye Tillson, Field CTO and Distinguished Technologist at HPE. And to you, our audience, thank you so much for joining us.
Michael Bird (20:44):
Technology Now is hosted by Aubrey Lovell and Michael Bird. And this episode was produced by Sam Datta-Paulin and Lincoln Van der Westhuizen with production support from Harry Morton, Zoe Anderson, Alysha Kempson-Taylor, Alison Paisley, and Alyssa Mitry.
Aubrey Lovell (20:58):
Our social editorial team is Rebecca Wissinger, Judy-Anne Goldman, Katie Guarino, and our social media designers are Alejandro Garcia and Ambar Maldonado.
Michael Bird (21:08):
Technology Now is the lowest street production for Hewlett Packard Enterprise. And we'll see you at the same time, the same place next week. Cheers.