SBN

Adopting Zero Trust With Maureen Rosado: Selling Zero Trust

Catch this episode on YouTube, Apple, Spotify, or Amazon.

This week we chat with Maureen Rosado, a Zero Trust Strategist for BT, who has an outstanding history of business development for enterprise companies like IBM and Microsoft. This week we break away from our norm of the technical ins and outs of Zero Trust and take a look at the ideal way to consult and coach security teams through the process of adopting Zero Trust. Those who have been on the receiving end of cyber security solution pitches know there are twice as many wrong ways to do it as there are ways that are considered beneficial. Fortunately, Maureen has seen it all, is a wonderful example of a neutral party, and has a long history of speaking on the subject (including recently with Dr Zero Trust).

Before we jump into it, for those of you on LinkedIn, head on over to Maureen and Andrew’s (our first guest) Zero Trust group if you want to connect with others in the space.

Overcoming the Hype

When it comes to selling Zero Trust, Maureen approaches it from a consultative perspective. It’s not about a transaction or getting a customer a product that has Zero Trust stamped on it, but rather helping teams understand their own needs and the bigger picture. If there is one thing that has been made clear since the launch of AZT, it is that everyone has their own flavor of Zero Trust, and trying to comprehend the materials from NIST and CISA requires a certain technical understanding of cloud infrastructure, identity management, and all the related language around it.

Currently, what Maureen and her peers often face is that organizations go into conversations around Zero Trust assuming that they offer a sale point product. You rip something out, plug something in, and presto change-o, you have Zero Trust. As listeners to this show, you know that is not the case.

“A sale point product, which is an IAM product. I’m on my way, you know, it’s like, oh, I’m, I’m Zero Trust now because I got this product and, this product started with Zero Trust, blah, blah, blah. So I must be there. So the reason why the hype is still kind of winning is that people are listening to; it’s just like many, many years ago when everything was fat-free.

Oh, I can eat that because it’s fat-free, right? Yeah. Or I can have that because it’s zero. Right? Mm-hmm, no, you can’t have a box of crackers cuz there are zero carbs. So let’s get over that. And so I think with time it’s actually gonna be now accelerated even more with the federal mandates coming through at the beginning of the year.”

One of the more challenging aspects of implementing Zero Trust tools as of late is not just the lacking baseline understanding of the principles, but also that tools are creating more silos instead of fusing them together.

“I’m a huge cook. I love to cook for my kids. Everyone who knows me knows I really like to cook, and when you put things together like more complicated dishes, the end result is you have to have certain products that all come together. And it doesn’t matter if it’s this product or that, a brand from here or a brand from here. The most important thing is that they all have to come together to make the end product,” said Rosado.

In the age of cloud everything, it’s odd that we are back to square one with regard to technology. There are APIs, integrations, and the like, but in the space race to build and achieve an enterprise-level Zero Trust solution, there are still so many niche pieces of the puzzle that stand on their own.

Federal Government Spurring Zero Trust Adoption

In past episodes, it’s been made clear that security leaders in the private sector shy away from using the term Zero Trust because it’s unweighted and comes with multiple definitions. For the federal government, that may partially be the case, but between NIST, CISA, and the White House memo earlier this year, they drew their line in the sand for what it means and how to move it forward. So how does the US federal government’s push to Zero Trust in the next few years impact everyone else?

It creates a snowball effect: in government terms, “secure” is now defined in parallel with how Zero Trust has been defined.

“There’s no question in my mind, and I would have to say with most of our cyber, our cybersecurity community, that that day will come. I think the only differentiator is going to be that there are a handful of people who have been in cybersecurity for many years, and they may, they don’t wanna budge on something new. So they may say, Yes, Zero Trust, but there’s another zero.”

While there may be holdouts that resist change in the federal space, ultimately, like the private sector, they will accept the principles regardless of the naming convention. If it looks like a duck and quacks like a duck… it may still be Zero Trust.

Where Does the Journey Begin?

“You have to do the basics. The hygiene has to be there before you start your Zero Trust. But that’s the truth. And the best way to do it is get one of those vendors out there that’s been hounding you and say, Hey, tell me what’s going on in my landscape. Give me an assessment, give me a lemme do a POC. And that’s when you can start, right?”

This is a great point from Maureen in that the resources you need to start the journey are probably staring right at you. They may be hidden in your spam folder, your LinkedIn InMails, or that voicemail you’ve not checked in three years. While a dozen brands will simply try to sell you their solution, a good vendor will help you understand where your system stands today, how it can be improved, and how to take inventory of everything. These are all basic stepping stones that lead teams toward adopting Zero Trust.
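The hygiene step above (take inventory, find what is stale or unowned, then start) is the kind of check an assessment or POC begins with. The script below is an added illustration, not code from the podcast, from BT, or from any vendor mentioned; every inventory in it is constructed sample data, and the field names (`hostname`, `last_login`, the HR roster) are assumptions. It reconciles a CMDB extract against endpoint-agent check-ins and an identity directory against an HR roster, producing the cleanup list that should be empty before a Zero Trust project starts.

```python
"""Added example (not from the episode or any vendor): a reproducible, offline
hygiene check of a CMDB, endpoint-agent telemetry and an identity directory.
All data below is constructed; field names are assumptions."""
from datetime import date, timedelta

# Constructed CMDB extract: what the organisation believes it owns.
CMDB = [
    {"hostname": "web-01", "owner": "platform", "environment": "prod"},
    {"hostname": "web-02", "owner": "platform", "environment": "prod"},
    {"hostname": "db-01", "owner": "data", "environment": "prod"},
    {"hostname": "lab-07", "owner": "", "environment": "dev"},  # no owner recorded
]

# Constructed endpoint-management agent check-ins (hostname -> last seen).
AGENT_LAST_SEEN = {
    "web-01": date(2022, 10, 10),
    "db-01": date(2022, 8, 1),      # agent stopped reporting months ago
    "jump-99": date(2022, 10, 11),  # reporting, but absent from the CMDB
}

# Constructed identity directory export and HR roster.
ACCOUNTS = [
    {"user": "alice", "last_login": date(2022, 10, 9), "enabled": True},
    {"user": "bob", "last_login": date(2021, 9, 1), "enabled": True},  # left last year
    {"user": "carol", "last_login": None, "enabled": True},            # never used
    {"user": "svc-backup", "last_login": date(2022, 10, 11), "enabled": True},
]
HR_ROSTER = {"alice", "carol"}          # people HR lists as current staff
KNOWN_SERVICE_ACCOUNTS = {"svc-backup"}  # reviewed separately, not against HR

TODAY = date(2022, 10, 12)  # fixed so the report is reproducible


def asset_gaps(cmdb, agent_last_seen, today=TODAY, max_age_days=30):
    """Reconcile the CMDB against endpoint-agent telemetry: assets with no agent,
    agents on hosts the CMDB does not know, quiet agents, and unowned assets."""
    cmdb_hosts = {a["hostname"] for a in cmdb}
    cutoff = today - timedelta(days=max_age_days)
    return {
        "no_agent": sorted(cmdb_hosts - agent_last_seen.keys()),
        "unknown_to_cmdb": sorted(agent_last_seen.keys() - cmdb_hosts),
        "stale_agent": sorted(h for h, seen in agent_last_seen.items()
                              if h in cmdb_hosts and seen < cutoff),
        "no_owner": sorted(a["hostname"] for a in cmdb if not a["owner"]),
    }


def account_gaps(accounts, hr_roster, service_accounts, today=TODAY,
                 max_inactive_days=90):
    """Enabled human accounts that HR no longer lists, that were never used,
    or that have been idle longer than the threshold."""
    cutoff = today - timedelta(days=max_inactive_days)
    orphaned, never_used, idle = [], [], []
    for acct in accounts:
        if not acct["enabled"] or acct["user"] in service_accounts:
            continue
        if acct["user"] not in hr_roster:
            orphaned.append(acct["user"])
        if acct["last_login"] is None:
            never_used.append(acct["user"])
        elif acct["last_login"] < cutoff:
            idle.append(acct["user"])
    return {"orphaned": sorted(orphaned), "never_used": sorted(never_used),
            "idle": sorted(idle)}


def hygiene_report():
    """Run both checks; every non-empty list is a cleanup item to close
    before the Zero Trust work (IAM, segmentation) starts."""
    assets = asset_gaps(CMDB, AGENT_LAST_SEEN)
    accounts = account_gaps(ACCOUNTS, HR_ROSTER, KNOWN_SERVICE_ACCOUNTS)
    open_items = sum(len(v) for section in (assets, accounts) for v in section.values())
    return {"assets": assets, "accounts": accounts, "open_items": open_items}


if __name__ == "__main__":
    for section, findings in hygiene_report().items():
        print(section, findings)
```

The two reconciliations are deliberately symmetric: the CMDB is checked against what the endpoint agent actually sees, and the directory is checked against what HR actually knows, so a host or account that exists in only one source surfaces as a finding rather than silently passing.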

Coming Up Next

Here’s who we have coming up next:

J.R. Cunningham, CSO of Nuspire, on Oct 20

As we get towards the holiday season, we’ll likely fit another guest episode or two in, but Neal and I will be sure to get an initial wrap-up for the season before we take a break.

Interested in helping us close out the season as a guest? Send us an email at elliot(at)elliotvolkman[.]com.

Adopting Zero Trust With Maureen Rosado Transcript

As always, this is automatically generated, so please blame the robots for typos and other errors.

Elliot: All right everyone. Thank you and welcome to another episode of Adopting Zero Trust. Today we have a wonderful guest, and before I hand it off to her to, uh, do a proper introduction, uh, I do just wanna highlight as Neal and I were kind of chatting through exactly how we were gonna build this out, what an ideal, uh, guest would look like.

There were very few people that came to mind, but the very first person that I reached out to is actually our guest today. So with that being said, and we’ll jump into that in just a minute, Maureen, and exactly how I, uh, spotted you on LinkedIn and some of those connections that you have, you know, sent our way.

Um, I’d love to just hear a little bit about your background, what you’ve been up to, um, and then we’ll kind of jump into it. 

Maureen: Sure. Well, so again, Elliot, I’m, I feel so privileged that you chose me to, uh, be your first initial, um, guest. And, you know, I’m a huge zero trust advocate. So yeah, it’s just a delight.

Anytime I get a chance to speak about zero trust, I jumped at it. So, yeah, so basically, you know, um, my big, I’ve been selling software to the enterprise, uh, space, gosh, uh, 25 years. And, uh, I’ve been very privileged. I do live in the Bay Area. I initially lived in Walnut Creek and then gently made it across the Bay Bridge into the marina district in San Francisco.

Uh, and I’ve sold, you know, with some big players, I’ve, I’ve, I’ve sold solutions from IBM. To the enterprise, Microsoft, Oracle. Um, and initially the, the, the, the big jump I had was with BMC and um, basically what I’m finally ended at IBM, that’s when I got into the, uh, cybersecurity space and I sold BigFix.

So, you know, just as an intro, um, then in now selling exclusively, uh, a zero trust methodology with the vendors and I’ve been doing that now exclusively for about four or five years.

Elliot: Awesome. Nice. So I think you’ve incidentally nailed exactly why I wanted to speak to you. As among our first few episodes, um, there’s probably no one better on this planet, maybe outside of the organizations that are building technology that are specifically adjacent to zero trust.

Uh, than someone like yourself who literally is having conversations, most likely daily and multiple times a day, with organizations who are actually interested in implementing Zero Trust. So for us, obviously we’ve had some great conversations. You helped connect us with Andrew, who is, uh, on our first episode, some absolutely amazing background.

Gave us a lot of insight, but, uh, the stories that you are probably privy to is more likely, um, I guess you probably have just a much larger library than probably anyone. So, as I was trying to look around what that would look like, how we can kind of navigate around who would have the most insight, who’s bumped through, you know, the, the most monstrous, uh, implementations from the smallest, uh, you absolutely came up at the top of my list, so that is why you were the very first person I reached out to.

So I’m very excited that we’re able to finally coordinate and get you in. 

Maureen: Yeah. Well, you know, interesting that you say that because when I started my path, uh, my cybersecurity pathway, I did not realize that, um, the, uh, solutions that I actually, uh, were consulting on or selling to, or you know what I have, you were building a zero trust method.

An example would be when I was with IBM, I sold the product called BigFix, and that’s an endpoint management product. And I was just so blown away at how this product could give you visibility throughout your entire landscape. I just like, I couldn’t even understand why anyone would even say no to this.

Not only could you go and see what was on your landscape, then to begin to understand if your landscape is broken, you now have this platform from BigFix to find it. Um, another incident would be with BMC. We had a CMDB, uh, BMC was the, uh, kind. They owned a Remedy Platform. Remedy back in the day was a really, uh, an amazing help desk slash business management platform that helped people keep the internet up, right?

So they had a CMDB basically. What’s a CMDB? That’s where all the assets live. Right. So again, it started, all started coming to me. If you have a CMDB and then you’re able to, to find out where the endpoints relate to the assets, and then by luck I ended up at a company called LogRhythm. That’s a SIEM platform, right?

So again, almost every vendor that I spent time with, um, I was be beginning. It all began to come together to me. So when I went to Forrester and received my certificate around zero Trust, it wasn’t difficult. It was. Actually, I was always the one that one kid in the classroom that’s always like, I got another question, you know, Because I wanted to know more.

I always wanted to know more. 

Neal: Interesting. 

Elliot: Is that, so just curious, is that maybe where you connected with Andrew? Cause I know that he went through that program as well or was that sort of uh, elsewhere? 

Maureen: No, so very interesting. So, um, I connected with Andrew because he was a guest on, uh, Dr. Chase Cunningham’s, um, podcast.

Mm-hmm, I think it’s called Dr. Zero Trust. I’m almost right. That’s correct. And so I heard him speak, uh, and that was only a couple months ago cuz I’ve been listening to, to Chase’s podcast for almost two and a half years, but mm-hmm. What piqued my interest with Andrew’s? He was very specific around IAM, and he had just come off of a very recent implementation and so I had to reach out and say, Hey, what’s changed in the IAM space?

Because I played in that space about two years ago and we chatted and I think more than what’s changed, we both wanted to understand. This is not as easy as people are beginning to, to, to, to think that it is. Because we notice a lot of companies, many, many companies will say, if you’re gonna go down the zero trust path, you probably should start with IAM, and I asked Andrew, Do you think that’s true as well?

Because I’m absolutely against that. That’s like the last place that I wanna go. IAM is not sexy. IAM is boring. It’s necessary, but it’s probably not the first place I would wanna spend my time. So that’s how we met. I had to call him up and say, Listen Andrew, let’s talk. And yeah, we, we, we speak very often.

Elliot: Very cool. So, I mean, I know you sort and I don’t know like the ownership of it, but I do appreciate that y’all are sort of creating a LinkedIn community around Zero Trust. Um, I, I know when Neal and I were chatting, we were like, Hey, maybe we could do this. I don’t know if this exists, but as soon as I got that invite, I was like, All right, we’re not doing that anymore.

Someone else can handle it.

Maureen: So, Well, I dunno if that’s a good thing or a bad thing, but what I can tell you is when I, when I was with IBM, I started a group called the BigFix Group, right, uh, in the Bay Area. And, um, I had several customers. I had the EDU group, uh, so the higher ed group as well as commercial, and it was just a no brainer, right?

That group still meets today. You can go to their BigFix LinkedIn site, um, and I, it. One of the most rewarding things that I had ever done, because I always wanted to, but was always nervous. I’m gonna get, am I gonna get participation? Will people be, you know, kind of shy away because they think I wanna sell them something?

But, you know, um, Elliot, it ended up being, again, like I said, very rewarding. And in existence today. So that is why um, I decided to do something like this. And to be very honest as well, Elliot, I wanted it to be global and I’ll tell you why. Mm-hmm, because I think zero trust, if we’re gonna do it right, everyone has to be engaged.

We just don’t wanna say, Oh, this is how we do it in the US and we do it so much better than our peers. Right. Or someone like, we don’t wanna fragment. Let’s keep it whole. Let’s keep everyone having conversations. Um, you know, Neal, you know how it goes. Some people can say, Well, I, I think this is a better way.

Or We have AI influence, or, I get that. Yeah, it’s gonna grow, but we need that solid foundation. 

Neal: So I wanna say real quick, um, You’re the first person I think we’ve really talked to from the, like the sales perspective, like the product perspective outright. Okay. Yeah, that’s right. And, and so kind of thinking of that, I think this is a neat take on the whole construct as a whole.

You’ve been in it for a while. You’ve been doing it from a couple of different vantage points. You’ve been doing it from the product perspective, but uh, from what I’ve seen so far, your mentality isn’t. You’re, you’re personally fixated on trying to overcome the hype, which is what’s really good, like trying to overcome the marketing.

What’s there? And so I’ve seen that already just in that little group on LinkedIn just a little bit as well as in some of the conversations in general. So first off, props for that cuz I have to work with sales teams in my day to day job. And we all know sales can go one of two ways. It can be overly hype or it can be where it actually needs to be and actually get people with the right solutions.

And uh, so it’s kind of neat to get this perspective and understand. So all that to say, uh, how much of this do you think is actually hype versus not? 

Maureen: So that, that is a great question and I wish I had, um, a solid answer and it be something like it’s a sales type because, but the real truth is, the real truth is that we are not as mature as we think we are, are, Lemme say this, the people who are purchasing products are not as mature as they think they are around zero trust architecture because they think I’m gonna buy.

A sale point product, which is an IAM product. I’m on my way, you know, it’s like, oh, I’m, I’m zero trust now because I got this product and the, this product started with zero trust, blah, blah, blah. So I must be there. So, so the reason why the hype is still kind of winning is because people are listening to, it’s just like many, many years ago when everything was fat free.

Oh, I, I can eat that because it’s fat free, right? Yeah. Or I can have that because it’s zero. Right? Mm-hmm, no, you can’t have a box of crackers cuz there’s zero. It’s high, right? So let’s get over that. Um, and, and so I think with time it’s actually gonna be now accelerated even more with the federal mandates coming through at the beginning of, of the year.

But I think now, I think people are starting to realize that I, I just need to learn more about zero trust architecture. So then when we are looking for products and there’s many, many. Places you can visit that will tell you NIST, this suggests this, and these seven things are what you should do, and here’s about 120 products that can help you build your zero trust architecture.

I’m a huge cook. I love to cook my, my kids, they, you know, everyone who knows me knows I really like to cook. And when you put things together like more complicated dishes, the end result is you have to have certain products that all come together. And it doesn’t matter if it’s, uh, this product or that, you know, a brand from here or a brand from here, the most important thing is that they all have to come together to make the end product.

And that’s what zero trust in my mind, the methodology. That’s what it’s all about. So I hope that people will continue to learn, just, you know, continue to learn about, um, the zero trust architecture and you will be on that pathway.

Neal: I think there’s, there’s some neat things like you mentioned like the this framework and then also the class and the certs that you’ve done. Those are things I think people are missing out on when they go talk to just a vendor who happens to have zero trust or zero something in their name. Uh, I think most people seem to start their adventure into this with one of two approaches.

I. Like you mentioned as a primary course, or they go to a conference and they just look for the word zero on things and they go talk to the vendor. And, and most of them, to be fair to them, are probably talking to multiple vendors. But a good chunk of the vendors I think are still trying to actually really define what it means as a whole.

And then on top of that, we don’t have, like we do with like the Cloud Security Alliance structure. You know, the Cloud Security Alliance says to be a secure cloud provider, this is the basics that you need, right? There’s that brand awareness around that, that, that stamp of approval. Um, same thing with like online advertising and stuff.

There’s different brands of approval for these things, and Zero Trust I don’t think has reached that. That structure yet, but maybe with the government insights and the growth, perhaps, do you think that maybe that could help drive us towards a, a more formalized labeling of what it actually means to do this for the market space?

Yeah. 

Maureen: You nailed it, Neal. That’s exactly what’s gonna happen because as, as a business, you know, um, this is how I actually see it. When the federal government decides if you as a federal entity, whether you’re a school or a a, a police department, whatever the entity is, if you then say, Listen, if you’re not on that pathway, we’re gonna fine you.

We’re gonna fine you until you get on that pathway. Because we as a government cannot have things happen. Like the pipeline scenario. We can’t have a hospital go down for four days. We just, these are, you know, a public school. When the sad stories was, there was a college, and I think it’s not mistake, it was Lincoln College and it was on LinkedIn.

I read about it, my heart broke because they got, um, you know, they. Affected and they couldn’t have paid the ransomware. And, and half the children that went to that college were African American and it was subsidized. And as I was reading the story, it just got sadder and sadder. So I’m glad that, um, there’s something that, um, is gonna say, Listen.

If you don’t take care of this, we’re gonna fine you. But the best part about the story is that the vendors they choose now will also have to consider. What? Zero trust A zero either down the pathway or already in it. So when a public entity goes to a commercial entity and say, We wanna buy your product, they should always say, Are you also zero trust authenticated?

Do you follow that? Cuz if you do, we can we, we can collaborate. But if you don’t, I might have to look at. So that’s where it will just all come together anyway, right? Then, then you have these me mega mega companies, or even not mega ones that are what we call now are, are are startups, which are woo, the, the field is getting kind of bloated, you know what I mean?

It’s getting, there’s a lot of vendors out there. Um, but, but then they will take it on immediately cuz they’ll want to get those contracts to where the other people who are not choosing to be more zero trust. more on the Zero trust pathway, won’t get those contracts again. And I, that’s a lot. And I know that, that maybe people are like, Oh, that’s crazy.

That’s not gonna happen. But no, that’s not crazy because I work with a lot of enterprise accounts and they are on the Pathway, Pathway and zero trust. And do not tell them they are not because um, you know, they’re putting in the time and they’re looking at the products, right? Because. When the day comes, they want that multimillion dollar contract again.

Neal: Yeah. So I think you kind of jumped in front of my next thought flow. So we think about how most of the

stamp of approval for some governing entity, one or another, whatever it may be, and there may be some competing standards out there for a time being, Right? Yeah. Then the government tends to pick things up. Uh, and then you kinda get a consolidated government standard. And then what we tend to see a lot then at that point is, and you were kind of getting into this, I think, uh, was once the government picks it up and once the government helps consolidate a standard around it, we get things like FedRAMP and CMMC Correct.

And other things, right? And, uh, what that means, not just to operate in the government space, but what it means to operate in just a generic, more secured environment that the government says. A little bit better than day to day stuff, right? And then it trickles back down to all these various organizations and alliances like Cloud Security Alliance and so on and so forth.

And then they start promoting it into their membership a little bit more directly. And so all that, you know, I, I guess we’re probably at the face since the government is obviously adopting this. And you mentioned this once again, government regulations. So as, as the government spins this up, do you believe that there will come a time in the next couple of years, if not sooner, where the government does finally, officially say, in order to not just do business with us, but to do business in those tertiary realms, you have to have this zero trust mentality for whatever that stamp ends up looking.

Maureen: Absolutely. There’s no question in, in, in my mind, and I would have to say with most of our cyber, our cybersecurity community, that that day will come. I think the only differentiator is going to be that there are a handful of people who have been in cybersecurity for many years, and they may, they don’t wanna budge on something new.

So they may say, Yes, zero trust, but there’s another zero. And they might name it differently, right? Yeah. Or maybe there’s a. No need to mention vendors. There are gonna be some vendors who are gonna say, No, no, this is really zero trust, right? Like, we have the products that really support it, or you’ll get the same benefit from our products as you would from the handful that, uh, the government decided would be appropriate.

So at that point, the spinning, and it started to happen with a couple of very large vendors, but they pulled back because they realized that they were not. Completely truthful, right? So if you hear certain words, you know, they, they realize they had to be careful. And I, I appreciate that. And that, and again, I, I would hope that the larger cybersecurity vendors would start putting more education in the front of everything and saying, Listen, why don’t we do?

And, and so, yeah. So that’s one of the things that I really pride myself on, is I love assessments. I like ethical hacking, uh, uh, scenarios. I like to start the zero trust conversation. What’s going on here, right? Because everyone will say, Well, you know, we, we wanna do this or we wanna, you know, we wanna protect our crown jewels.

Oh, that’s appropriate. That’s all very appropriate. But what I’ve learned over the 20 years I’ve been in software, you have to start with a clean slate. If you don’t, you will be spending a lot of mine of time, money, and effort just getting started. And that’s why I go back to, I. If your assets and your database and your CMDB, you call it whatever you like, If that’s not cleaned up, if you still have new hires in there from last year, mm, you gotta clean that up.

It’s gotta be cleaned up, right? And then you can have a successful IAM, um, implementation, you’ll be rewarded for that. You then can move on to the access management and off we go. Um, interesting story. I always tell the story cuz it’s to my kids. When I went to high school, we had to take geometry, we had to take algebra first, then we took, then you could take geometry and then you could take algebra two and in that order.

And I had a boyfriend that I was spending way too much time flirting with in the algebra and the geometry class. And I did not. , I did not learn the basics, the different, um, processes that you need to have in order to move to algebra two. I did not learn those. I had to go and I had to take that whole course over again because I didn’t retain the basics.

So all I’m saying is at, you know, You have to do the basics. The hygiene has to be there before you start your zero trust. And now I just gave you guys, you know, five, $6,000 worth of, uh, Consulting for free. But that’s the truth. And the best way to do it is get one of those vendors out there that’s been hounding you and say, Hey, tell me what’s going on in my landscape.

Give me an assessment, give me a lemme do a POC. And that’s when you can start, right? Yeah.

Neal: Yeah, that, that’s a lot. So I, I think, uh, from, from the access controls perspective, right, um, like you mentioned at the very beginning, a lot of people think it’s just as simple as, as putting up, uh, some kind of allow block list, whatever on a device and you’re done.

Um, but you’re right, there’s a lot more to go behind all that. I think people forget. About the human in the loop aspects of this regardless, right? Uh, you, you mentioned access control for the interns or the new hires from a year ago that are still sitting in the system. And I think a lot of people, they may secure a server to server cons, but they always still forget that they’re still a remote login or a rogue login from someone that they forgot just to go.

Expunged the database, right? Stuff like that. Even if they still had zero trust access to that one piece. A lot of people don’t have good basic hygiene at the core of all this. And no matter how much that server can only talk to that other server, if you got 18 different creds that are still in there for individual users and only five of them are still valid, you know what the heck’s the point?

Um, that, that juncture, uh, yeah. So from a a Stepping Stones perspective, you know, we think hygiene first. So what, what will you think is kind of the next steps if you get that vendor to come in there, run that hygiene check for you, maybe as part of a POC? Uh, what are some of the other key components that they should be thinking about as part of those, you know, step 1, 2, 3, process?

Maureen: Yeah, so I’m obviously a huge fan of endpoint management and I will tell you that not all endpoint management products fit the bill, right? Not you. One size does not fit all. So I’m gonna say that right off the gate. Smaller SMBs or corporate accounts, or even some startups or enterprise accounts, the revenue’s high, but the actual, uh, Um, personnel is low, employee counts low, um, but endpoint management, you need to have it cuz you can’t protect what you can’t see.

Right. And no one wants to be the person who doesn’t patch appropriately. Right. Because that’s just, again, back to hygiene. Um, so I would say an endpoint product would be high on my list and I would ha. I seriously doubt that, that there is anyone running a business now and doesn’t have it. So, uh, yeah, that’s probably number two.

And I’m a huge fan also, and I, I don’t know why people don’t talk about this enough, is micro segmentation. Um, I don’t know why people kind of say, Oh yeah, we’re doing that. We have firewalls, net. Like, what, how, how, what? We have to talk about that a little bit more because, uh, micro segmentation is gonna, you know, save you from that, that whole, you know, sinking ship.

I always think about the Titanic. Everyone said, Well, that ship wasn’t supposed to sink. Yeah, but they weren’t, they didn’t completely shut it off either. Right. They had little gaps at the top and the water kept flowing over, flowing over, flowing over, and now this ship has sunk. So I would say that’s, Cool.

Yeah. And that one is sexy because you do get, uh, it goes in faster and you get to really review some of the firewalls you have, so you save some money, right? Because you’re gonna micro segment and you don’t have to have as many firewalls. And I just think from an automation perspective, if that is in the future conversations, it lends itself well.

Neal: Oh, automation. That’s another fun one I like to talk about. Uh, yeah, there’s a lot of, a lot of weird things out there for all that, but when you talk about identity access control, when you talk about segmentation of the networks or even just the vulnerability management aspects, I think nowadays, personally, if you’re not considering some form of automation, not, not full blown orchestration, no, but just some modicum of automation in play.

Uh, then I, I think you’re kind of shooting yourself in the foot on the efficiencies that you can have for any of these aspects of security, uh, especially to me, especially vulnerability management and asset, uh, management type stuff. Uh, there’s a lot of wonderful tools out there that help you automate just one or two clicks and there you go.

Drop to the races, right? You are, 

Maureen: you are, Yeah. Because one or two clicks, as our software world continues to develop with ai, et cetera, you know, if you don’t have it now, then when the other products come in, you’re, you gotta catch up to the one or two so that you can take advantage of the one or two in the next series of next generation products.

And then you’re back to where I was, where I’m now having to do a lot of work to understand geometry because I can’t, I couldn’t move on. Right. 

Neal: Yeah. Yeah, I agree. Yeah, I think that’s, that’s, this is a whole nother topic of discussion that, that I can go down a personal rabbit hole on, but the whole, uh, employee base and skills shortage for what people think it is or isn’t.

Um, I’m, I’m on a particular. Side of this fence that tends to upset most people. Uh, but that being said, you know, back to the automation aspects. If, if you think you’re on one side of that equation and it’s negative and you have issues, then you know you need to really start thinking about that as a whole.

Um, but no, I think automation, access management, things like that all have a good, cohesive wrapper to play into each other. And like you mentioned, if you’re not doing it now, you’re gonna get forced to do it anyways. At some point then you’re gonna have to go back and look at all your legacy things that, that don’t work anymore and congratulations, uh, either rip and replace or, uh, spend a lot more time trying to get up to snuff, especially if this becomes an industry standard and then a legal.

For whatever industry vertical you’re in, so 

Maureen: Absolutely, Absolutely. Absolutely. Yeah. So, yeah, good stuff. I mean, it’s all about reducing the noise and Yeah. Um, I, I know kind of I can, so I under, so I’ll just say this when I speak to enterprise customers, there’s a, there’s two types, there’s two types of people that are in the.

Uh, office, if you will, in, in, in the room. There’s the one type that’s been around for a long time and, and, and they’re not giving up their power. Right. and they don’t really even know what Instagram is. Right. Um, but, but they pretend that they do so they can see the pictures of their grandchildren. Right.

And they’re, they’re off doing this thing where they all as well. And then you got the other group of people who, if that Instagram picture doesn’t show up in about three. They have swiped to something else. So you gotta figure out, you know, and, and the in between is starting that line is literally dissolved now.

So you decide who, you know, if you, if you are in the business development side of the house as I am, or sell and marketing, I have to understand who my customer is. And I also have to understand. The, um, culture, if you will, of that business. And if they’re all, you know, really hyper, everything’s gotta go fast, then you know where you stand.

So you know the challenges you’ll have with those who don’t. And that’s just the world that we live in. I, it’s, it’s, in security it’s not that easy because people, I know, I know this sounds pretty, but they don’t wanna admit what they don’t know. Oh, oh yeah, I know. Zero trust, let’s move on. You know, I hear that all the time and I’m like, I don’t think they really do, but it’s not my place to, to, to say what they view as zero trust and what they don’t.

But, but what my place is is not to let them make mistakes. Cause at the highest. Level, it’s about people. People can lose their jobs. I don’t wanna talk about the breaches that we have just witnessed in the. 72 hours. They’re mega. They’re huge. I don’t wanna hear about the, those people losing their jobs because the revenue’s gone down.

So I’m just looking from a strategic point. And one, that’s probably one of the main reasons why I’m so passionate about Zero Trust is I want a business to stay healthy. I wanna help them, you know, be healthy and I don’t want them to have to spend four and five million dollars because you know, Greta in HR saw a phishing hook and said, I won and click, and now we’re all.

Spinning down outta control. Right. So, yeah. So, and that, that’s, I’m just playing, I’m making fun of, that’s kinda realistic right now. So, and I know we’re having challenges trying to train people that are, I get that. I, I do get that. But um, yeah, it’s all about the really the most, uh, highest or holistic view.

How can we help each other as a community and support each other and make us all live in a very safe world from those cyber pirates out there? Have you guys heard the word cyber pirates? Because I just, I haven’t heard that before. And I was writing out something. I thought that they’re like pirates.

They’re all just hanging out, just trying to, I feel like they’re like, like, like there’s a group of people in the world who just have absolutely nothing else to do. Well, I, I know that is true, but they’re just hanging out and trying to buy and sell and it’s a, like a crazy, wild, wild west out there, you know?

Neal: So I. My, my background, I’ve been doing things in the cyber world and somewhere or another before cyber was the official term, I guess. Yeah, loosely. Yep. I mean, the term came around in the nineties, but it didn’t latch on until like 2006, 7, 8, somewhere in that range, really. Uh, so my, one of the first things I did, uh, loosely as a personal project.

I, Well, one, fair disclosure, I pirated music, like any good person with Gza or Limelight or Napster. Absolutely. When it, before it became officially illegal, I wanna be clear. Uh, but on that same, Um, as, uh, software piracy and things like that became a big issue in the early two thousands. And then moving forward into like 2005, 6, 7, 8 in that range, what was really, really huge courtesy of Kazaa and all those other tools.

Uh, I actually worked on a volunteer project that was trying to combat online piracy. So when you say cyber pirates, we all were one at one point in time if we had a computer in the two thousands. Um, and then two actually cyber piracy as a whole thing. Uh, I was, I was. Meeting when they started coining the phrase and trying to go out and hunt these people down and, and find all the, uh, before whaling meant getting a CEO.

Whaling meant going after these big cyber pirates and stuff like that Oh, loosely in some of these forums. And so, uh, so yeah, I, I love terminologies and our lexicon shifts and how things go in this world. So it’s kind of fun to think about. Absolutely weird anecdote about a life that, uh, kept me way too busy, , uh, but we didn’t have zero trust back then.

We had P2P networks open trust models, right? And that, that’s kind of the weird thing is I think our bracket of people, uh, you know, if you were around in the 2000 range, early two thousands, nineties, early two thousands, all the way up to probably 2010 ish plus or minus, uh, well, I, I would go as far as to say maybe.

The open trust model probably hit a big shift when APT1 was publicized, I think was probably a huge turning point. I, I would think, uh, from public space, uh, with, with corporate world. But prior to that, you know, we had a lot of just implicit and open trust mentality. I mean, heck, we had wifi networks that you could drive down the neighborhood that weren’t by default locked up even when we got past WEP, right?

So you didn’t have to go war driving. You just had to go sit in a park and you had free. Uh, back in the day. Uh, so I don’t know. It’s kind of neat to see how things have shifted so quickly for us from that open trust mentality where everything’s just, just good to go. The internet’s a perfect place and you know, pre-HTML5 and all this other stuff, you could just do whatever you want.

And the network said, Yeah, we think everybody’s good. Um, so do you, I mean, kind of thinking about that, moving from that implicit trust model and open trust to zero trust and getting us off into the right world, do you think from an internet comms perspective, how, do you have anything insights wise around how that’s kind of maybe shifted stuff from a, just a general.

Day to day business loop and how the communications networks and stuff like that have kind of maybe started to take part into this loosely. Yeah. 

Maureen: I mean, yeah. So, so just to go one step backwards, my, my father was in the military and we carried a card. It was called an ID card, and that card had our social security number on it, right?

So we was it to everyone. Hey. Anyone wanna see myself? And now, oh my God, if you put even the last four or five, don’t put my social security number down. Right. Are you crazy? So yeah. So that’s how far we go. Yeah. So I was gonna say, here’s the truth of the matter is if you have a smart phone, you probably bank on your phone.

Uh, you have your health records on your phone. I mean, everything is so accessible on the mobile unit. The applications now, right? Are. So, so numerous and so much data, right? Cause we have just as much bullet in as we have going out, so it makes sense. Yeah. Right. We have to be very, very, We just have to be more careful.

Um, and, and, and I think clearly with Covid businesses, yeah, they focused on it. But now that they have most of their workforce, Coming in two or three times a day, but the other times they’re at home working from home. A lot of engineers are just not even gonna go back. Why would they? They don’t get, they get far more done and you know, they just have a better quality life.

So that’s how I, I. I have no opinions either or, but yeah. You know when your toddler’s now playing on your computer, you know, Cro Theile, Gogo, and you’re having dinner and all of a sudden you’re thinking to yourself, what’s happening here? Right. Why is this all black? So yeah, change with the times. Right.

It’s just, it’s really just that simple. You have to change your habits with the time, all the luxury that you have, being able to have all these things accessible. But there’s a, not a penalty, but there’s a price that you have to pay. Yeah. And that means you have to be far more observant.

Neal: So did you see an uptick, uh, courtesy of Covid and outreach around the Zero Trust construct?

Or has, has it just kind of been a nice steady increase, or was there like a, a massive, oh my gosh, we gotta dive into this today because now we’ve got 92% of our staff working from home, uh, kind of thing. Or was it like, say was it a nice just general bell curve ? 

Maureen: It was absolutely, you know, the hockey stick straight up, right?

Yeah, because again, I, I. With larger enterprise companies and, um, their, they had to let people access their tools, which are their laptops from home, and they had very larger networks that they had to protect. So the first thing is remote browser, right? The remote browser access, multifactor authentication immediately.

And those cu CU companies and customers of those companies saw that go up, right? So to answer your question, absolutely, 

Neal: yeah. Yes. From per. , definitely. So Covid helping drive adoption hopefully. Absolutely. And I mean, maybe that’s loosely why the government finally picked it up more specifically. Maybe, uh, they have, you know, they’re dealing with remote workforce to some limited extent as well.

Um, but now they’re also dealing with a more sophisticated, foreign, remote workforce, probably . Um, but yeah. No, that’s, that’s neat. 

Elliot: Uh, considering your background and how long you have been in software and selling to these organizations, uh, you probably have seen a lot of change as far as structure goes.

Uh, obviously the number one person that everyone wants to bark up the tree is the CISO, but, you know, out of, uh, the time that you have spent there. And Neal, this goes for you too cuz obviously you chat with them as well, but, um, you know, how have you seen organizations change and what does. Committee usually look like as far as like who usually drives implementation in organizations for zero.

Maureen: Now that’s a great, great question because, um, I, there is a difference. Um, so in the past when I would deal with, uh, uh, an enterprise, I, I felt I would just, the person who had the pain, who was actually working or needed the tool and then would go into, uh, a budgetary area, The budget, the budget people, the, you know, and then at some point the person who signs the check, right?

Which would be, uh, if it’s generally would be someone. In technology, but the CIO and then maybe the CFO. Now with zero trust and security, we have the CSO in the house. Here’s what’s interesting is. Enterprises I work with, pretty much all of them have different structures. The CSO might be a fresh new guy and he has deputies who then listen and gather, right?

And then you have another layer that executes. So it really is a three prong. You’ll have CSOs who are out really being more political. For the company, right? And, and providing, uh, uh, you know, more guidance and a high level out in front of the crowd, right? They’re there, they’re at events, they’re, they’re being thought leaders, et cetera, right?

So, and then you have your IT director. Who very much also wants to be a part or usually is the driver. And then the, the, the CIO, he wants to know everything. He rules the kind of the henhouse. He, he, I would have to say most of the CIOs that I deal with feel that they are, they’re the last check mark, right?

I mean, CSO is good, but he’s not, he’s not CIO. So that, that’s pretty clear. And then, you know, and then you have your OT division now, which is very hot, which should not be forgotten because right now in technology, I mean, what is Tesla? Is it a computer or is it a car? Right? Mm-hmm. It’s a computer with wheels, but you know, it needs to be protected equally as much from threat and et cetera as a laptop sitting in the CIO or CFO’s office, right, with all that content.

So it’s evolving, but I would have to say it’s an interesting space because I think there’s gonna be a couple of other. C levels that will be introduced to Right. And and, and they’ll be focused around. Yeah. Not, not as much because of your internal security that you gotta take care of, which, you know, the CSO and the deputies do.

They have external c, you know, group, which could be networks guys, or et cetera. So it’s just a little bit all over the place, and I think they’re still very siloed, but I do see them coming together. One of the first things I always talk about is creating a ZTAB, a Zero Trust Advisory Board. And you can really call it whatever you want, but you know, you need to have one person from the different units, HR, sales, and marketing, cuz they’re launching new products.

Clearly IT, OT, CFO need to be a, you have to have that group come together and decide what’s most important. Where the crown jewels are and we need to pull from everyone’s budget because we can’t give, uh, the CISO and security very minimal because we gave so much last year. It doesn’t work that way. You have to spend accordingly.

You just, you have to spend, because quite frankly, ransomware is going up, not down or. , you know, it’s not non growth, so you have to spend accordingly. And sometimes HR has this huge budget around training, Well, clearly training’s not working as well as they thought it was gonna work because they did get breached.

So maybe taking some of the budget. So again, you have to, at some point, those key people need to come together, create a group, uh, an advisory group, and then begin to have conversations. And if that happens, you’ll. Other, probably C-levels created for organizations who can run that or be in charge of that.

Yeah. So, um, but I will tell you, yeah, the legacy guys are hanging on right now because, you know, they’ve been in it for a long time and they have been making all the decisions and, uh, but if they’re not, I’m sorry if they’re not learning and growing, I don’t know. I, I, I, you know, I feel sorry for the companies who have to work through.

Yeah, I think 

Elliot: that’s honestly a general theme that we’ve been hearing even with our last episode with Nick, uh, who’s now kind of off in his own thing and used to be, uh, the first CSO for Space Force. Uh, he was essentially saying the same thing, and that’s the inspiration for why he’s kind of generating content and helping train people on zero trust today.

Um, but I’m curious even Neal, on your side. Um, I mean, I assume over the age that you’ve been in this space, you’re a very technical person from the threat intel side of the house, but I mean, you probably see the same thing as you’re working with, uh, organizational leaders, CISOs. I mean, at what point has, you know, there been a drastic shift from people who have to be technical leaders in almost more of like a business oriented person?

Neal: Yeah, so I think historically we’ve had CISOs. Point we’ve had CISOs who were more, uh, old school, first brand, first layer, CISOs first round, where they were very compliance. Um, coming out of a lot of the big breaches in the early two thousands, right, with Home Depot, Lowe’s, TJX, and so forth. Um, they were the poor people that were like, either, either just good policy management type individuals, or they were the people that, uh, just incidentally got promoted to CISO so they could get fired when something bad happened.

And, um, yeah, I mean, Companies wanted scapegoats when all this stuff was going on, right? And so that’s how they worked it initially. And thankfully I think we’ve overcome that as a primary. Oh, we, we screwed up fire the CISO and we’ll call it all good at the board. No, thankfully we’ve seen breaches happen today where that’s not the case.

Uh, thankfully. But that first layer brand of CISOs were very compliance driven because in the nineties they had to be business compliance driven and that’s the world they grew up in. But so they weren’t technical. So to get back onto that, they weren’t overly IT type technical people. They were the types that could sit in a room and ask the five other people in the room what needed to be done and they’d go politicize it back up to leadership.

Uh, I think this current generation of CISOs within our various age brackets, right, with, you know, that that 30 to 40 year old groups that are coming out right now, they have to be technical even though now they’re starting to get asked to have a seat at the. In that, that C-suite level, they still need to be technical, and the downside is they also still need to be able to come up and play the politics game.

But all that should map out to some kind of business risk understanding and having those requirements mapped out from business risk requirements and understanding what the dollars are if X, Y, and Z happens, and still being able to have people on your staff and talk with them technically to figure out what your actual product and intel requirements.

Downstream to mitigate those dollars appear. Right. Even if they never actually happen. That’s how you started to get money. And I, I still think today the CISO’s the person who has to be the champion of a zero trust mentality just because it’s still such a fresh construct. Absolutely. And it’s, it’s a culture shift in and of itself.

Right. And you know, Joe Sarah sitting as a L2/L3 analyst in the SOC can’t enact that change. They can maybe voice concern. That would be a good idea. Hopefully that’s the person who becomes CISO in five to 10 years, but they’re not the ones who are gonna be able to lead it, promote it, develop it.

It has to come from, at the very least, the CISO and that CSO has to be able to understand both the technical challenges as much as politicize it and understand the business risks today. Um, if that CISO isn’t adept at both, that CISO’s not gonna be a CISO for very long, in my opinion. I 

Maureen: thank you for saying that.

That’s, that’s a hundred percent correct. That’s the one thing that if I, if, if I get a chance to talk to a CISO, that’s the one thing. I hope he understands that, that if nothing else, if you just begin going down that pathway and put yourself, you need to have that seat at the table because it’s not fair.

because if you do get breached, right, it’s not fair that you’re the one let go. If you were at the table, it’s still not fair, but at least if you’re at the table and you knew the business requirements, then you could prepare for it. But if you’re not at the table, how do you do that? So, yeah, good point, Neal.

Neal: Yeah, I as an Intel analyst, Drive for requirements and everything I do, cuz I’m not gonna go spend money, time, and effort on something if someone doesn’t think it’s, it’s a legitimate requirement somewhere, even if it’s my interest or if I think it’s a good value prop, I shouldn’t be wasting my time if nobody else agrees with me, no matter how right or wrong I am.

And then so back to the CISOs and everybody else, if you’ve at least made the promotion and mapped it out and said, Here’s the risk, here’s the dollars that it’ll cost us and here’s how much it cost to mitigate it. And then the board says, You’ve done that due diligence and it actually happens, and then they fire you.

Then you can just walk out the door and you know, do whatever vulgar things you want to do to them because they were wrong, not you at that point, but to your point, if you’ve identified it, but you haven’t promoted it the right direction. Then the stuff happens, then it is on the CSO. You know, they didn’t do a good job at being the politician up at the board level, even if they were good technically, and were able to figure it out what needed to be done.

So yeah, it’s a rough world. Yeah. 

Elliot: Yeah, Totally. Thank you for. Yeah, seriously. I mean, every time I see someone say anything about being a CSO, they’re just like, No, please get me away from this. You do not wanna follow this path. There is no like proper path to get there, but that, that’s why I brought that up with both of y’all is it’s not to dig into CSOs of yesterday and how they’ve evolved, but really to highlight for any organization that’s looking to adopt zero trust or just cyber security in general, um, that they need someone with that background and skill set.

The C level, they need to be in the boardroom having those conversations because at the end of the day, you know, it is not revenue generating, but if you get a breach or you’re impacted in any way, shape or form, and you’ve accepted those risks, uh, obviously it’s going to impact you in a dozen different ways.

So I think from the implementation process in the adoption and doing this type of security the right way, if you don’t want it to obviously hamper or, uh, impact scaling the business, uh, it needs to be a component of business. 

Neal: I don’t know if it’s a real term or not, but revenue loss mitigation. I feel like that’s a real business.

Uh, I feel like, 

Maureen: you know, it actually is. I know when we, when we studied, uh, and, and were becoming licensed, um, one of the, uh, discussions we had was you can prove that you can, um, you know, save the company money just by simply, uh, beginning to understand the products you have in your portfolio and optimize them, right?

And don’t renew because it’s three years and you have to really take a look at the products. A lot of products have. Very similar features, and I always think about the new things that we buy, particularly new software. You don’t really. , maybe use 30, 40% of it. You don’t really use all the features that the software has.

I mean, look at the reporting tools today are mind blowing the data that you can extract and create columns for? Yeah. So there is, uh, that benefit if you decide to go down to zero trust, and I try to share that probably in the first or second time we have a conversation. Let’s try to optimize. That’s kind of, let’s get some money going here.

Let’s show that you don’t need, You can create a return on investment if you can optimize what you have. 

Elliot: Yeah, I think that makes a lot of sense, especially if you’re consolidating from older technology and aspects like that. So it’s pretty easy to balance out that, uh, if there was a languishing resource tool, whatever, just sitting out there and now it’s implemented in something else and you’re capturing it, making use of it, that’s a pretty good argument for, um, your return on investment.

You’re cutting out the junk that was just hanging out there. 

Neal: Right. 

Maureen: Absolutely. 

Elliot: Yeah. Um, and then I know we skipped past this, but I do wanna highlight. Uh, I have not actually heard organizations coaching, um, the implementing organization on building that advocacy organization internally. So I absolutely love that idea.

Um, you know, Neal, I don’t know if you’ve run into that yourself, but I think that makes perfect sense to basically work with them to have that, uh, internal champion team that kind of pushes things forward. I think externally. Coming from our seat. We, we want that kind of thing. But if you’re actually help coaching them towards that, that just makes 

Neal: perfect sense.

Oh gosh.

Yeah. It, it’s, it’s a good idea. I think anytime you can get so slight back, step, once again as an Intel analyst, uh, I think a good Intel analyst at any org, government or private sector, if you’re letting them do their job, their job is to help tie. All the disparate ends within whatever concept that you’re trying to build, not just cyber security.

So if you’ve got, Most people think of an Intel analyst in the, in this world as the person helping do the research collection, data organization, stuff like that. And that, that’s loosely what an Intel analyst brings to the table. But really that’s more of a research specialist at the end of the day, doing that low level stuff.

An Intel analyst is someone who wants to collaborate, coordinate, and extract additional data from all the people and assets that are available and be. Kind of coordinate efforts or at least insights and, and help make heads or tails of what’s going on. So for me personally, having, having that kind of advisory board mentality when you’re going through this project and getting insights from every single piece of the pie, not just the cybersecurity crew, not just who sits under the CISO, is extremely impactful on these types of project.

By and large. And so that’s a really good insight and really good point to think about. Cuz like you mentioned, HR in particular has a big play in that from training. Um, and most of the time they don’t involve the security guys. Um, most of the time they go out and they buy a third party thing that says, Let me spam you and teach you how to not be bad at answering emails or whatever.

Something like that. Right? And then the security team goes out and buys their little one button click report spam, and then, you know, whoever’s doing training doesn’t know about the one button. Bunch of fun stuff. Some orgs work better, obviously most don’t. And so, yeah, for me it’s all about getting as many people in the room consolidating views and trying to come up with a team approach across multiple organizations within our company.

So 

Elliot: All right. So to wrap things up, um, it has been absolutely lovely to chat with you. Uh, I really appreciate your background and your expertise and your stories that you can share here. But I’m just curious, you know, uh, if you had to point, you know, point anyone towards a resource that’ll help educate them on zero.

Um, you know, is if it’s missed or any of the systems that are in place, uh, where would you point them? 

Maureen: Wow. So, um, yeah, n would be one right off the gate because, you know, that’s in real time, it’s being updated by our community. So that makes me really happy that people who really care, you know, the actual, um, you know, cyber security professionals update and work with that.

But I do, I, I do really do appreciate for. I mean, um, clearly John, you know, John Kindervag. I don’t even know what to say. Mentor. I’ve met him in person. I’ve spoken to him. I just, the very first time I heard him speak, I realized, okay, that’s, that’s what I need to do. About three or four years ago, he was with Palo Alto, and I said, No, that’s, that’s what I wanna do.

So I would probably have to say Forrester, I am a little bit more Yeah. Aligned with that. 

Elliot: I mean, I think that honestly makes sense considering that’s sort of where he birthed it or at least really helped facilitated what Zero Trust is. Uh, I know a certain other very large analyst organization has their own take on things, but uh, they definitely have a more holistic approach, so I can certainly appreciate that as well.

Cool. So, uh, that is, uh, our episode for today. Uh, we will be back in two weeks next Thursday with another episode. So thank you so much for joining us, Maureen. Neal, as always, thank you for doing all the talking. 

Maureen: Yeah, it was absolutely my pleasure. Thank you so much, Elliot. Thank you Neal. 

Neal: Maureen, it was wonderful.

I appreciate it. I’m glad we, like, like Elliot mentioned, finally got to get you on the phone. 

Maureen: Yeah. Cool. Yeah. 

*** This is a Security Bloggers Network syndicated blog from Adopting Zero Trust authored by Elliot Volkman. Read the original post at: https://www.adoptingzerotrust.com/p/adopting-zero-trust-with-maureen