Embracing visibility, consistency and control
In this episode, host Raghu Nandakumara sits down with Stephen Coraggio and Greg Tkaczyk, Managing Partner and Executive Consultant at IBM Security, to discuss the business value of cybersecurity, defining your crown jewels, and overcoming “analysis paralysis” and other Zero Trust challenges.
Transcript
00:00 Raghu Nandakumara: Welcome to The Segment: A Zero Trust Leadership Podcast. I'm your host, Raghu Nandakumara, Head of Industry Solutions at Illumio, the Zero Trust Segmentation Company. Today I'm joined by IBM Security’s Stephen Coraggio and Greg Tkaczyk. At IBM, Stephen is a managing partner who leads their Americas financial services cybersecurity practice. With over 22 years of financial services and cyber experience, Stephen focuses on security projects ranging from program strategy and design to implementation and operations. Greg is an executive consultant in the IBM Global Security Center of Competency, focusing on cloud and infrastructure security, including posture management, container security, and microsegmentation technologies. Today, Stephen and Greg are joining us to talk about the business value of cybersecurity, defining your crown jewels, and how to overcome analysis paralysis and other Zero Trust challenges. Hi, welcome. Stephen, it's fantastic to have you here. How you doing?
01:02 Stephen Coraggio: Great. Great. Thank you for having me. I'm excited to be here as well.
01:05 Raghu Nandakumara: It's an absolute pleasure. And Greg, likewise. How you doing today?
01:09 Greg Tkaczyk: Great, Raghu, thanks for having us.
01:11 Raghu Nandakumara: Both of you have got very kind of wide-ranging paths to where you are at today. So Stephen, if I may, from a business-facing perspective, how have you observed cybersecurity evolve in its business perception?
01:26 Stephen Coraggio: It's an interesting question. I think, I've been in this space now for 16 years, cybersecurity consulting, working with lots of large global clients, regional clients, and sort of everything in between. And what I've seen in the last, let's say three to four years is a significant shift from a business standpoint, risk standpoint. So we've gotten more and more engaged in the business side of cyber. So business risk up to the Chief Risk Officer, even up through board of directors and the executive team around what is the real business risk impact or enabler of cyber and how it can drive transformation or things like even wide-scale enterprise digital transformation and how cybersecurity can enable that. And that's really been a shift in the way clients have engaged us over the last three to four to five years.
02:18 Raghu Nandakumara: That I think is really interesting because I think we see that also that evolution of the CISO and the business-minded CISO. So I want to come back to that in a second. Greg, as a practitioner who's very deep in technical implementations, how have you seen that change, the whole sort of approach to cybersecurity change over the years from a technical and implementation perspective?
02:41 Greg Tkaczyk: When I started in cybersecurity 20 years ago, we were very much focused on assessment work, delivering reports in terms of what can be improved. And really now more the shift is clients are realizing they need support of a trusted advisor to take them through that enterprise implementation of software. Really, it's focusing more from what traditionally has been an infrastructure-based approach to a software-based approach to cybersecurity.
03:10 Raghu Nandakumara: Awesome. And we'll come onto that. Because that's that natural shift from sort of everything on-prem, everything you manage, to hybrid cloud, etc., that drives that transformation to software. So Steve, I want to come back to what you said about the way we think about cyber changing and being far more aligned to business requirements, now extending to sort of the Chief Risk Officer, etc. What do you think triggered that shift, from it just being an isolated, almost IT discipline to now being a much more business discipline?
03:43 Stephen Coraggio: I think cyber has become mainstream. I think when you look at some of the major incidents that have happened over the last five to seven years, it's become a board conversation. It is no longer isolated to the CISO and boards are now thinking about, what is the impact of cyber to our bottom line? How does it impact our share price, our stockholders, our value, the way that clients, partners think about us in the market? And when we build out cyber programs, a lot of the conversations center around, “Can we share this with our clients as an enabler, as a differentiator so they feel more secure doing business with us? Have we embedded security in the products that we offer, the platforms that we share, and just the way that we go to market?” And I think they've realized that this is an enabler to business value and to the way clients and our partners go to market. I think we're at a very interesting point in our time where security now can be thought of as a business driver, a differentiator at large scale companies, where over five years ago it was a cost center and thought about as a sort of a place where funds go to die. And now it's the opposite.
04:54 Raghu Nandakumara: Yeah, absolutely. And I also think it's been the perception that security functions are always seen as those functions that say no to things or question everything. And that transformation to being able to say, “Okay, this is how I enable your business.” So Greg, can you pay that off and explain from a technical perspective how you show that you are enabling business and transformation?
05:17 Greg Tkaczyk: Yeah, absolutely. So one of the things I usually do to start the conversation with my clients, especially when we're talking about Zero Trust, is really level set on the challenges they're facing. And from my experience, that boils down to three things. It's visibility, consistency, and control. And Zero Trust is a broad topic, but I think ultimately those are the three things that all of our clients are trying to achieve, regardless of what area of Zero Trust we're talking about. So when you think about visibility, we're talking about visibility into assets, into applications, users, data, etc. What are all the cloud resources I'm trying to protect? How are they configured? What are the workloads that make up my applications? How are they communicating? That lack of visibility can result in blind spots that can allow an attacker to move through your environment or what have you, and ultimately, you can't create security controls if you don't know what you're trying to protect.
06:06 Greg Tkaczyk: But to your point, when you establish visibility, you oftentimes end up creating this shared source of the truth between stakeholders in the environment, within the enterprise, that they can leverage going forward to make their jobs easier. So one of the things that I often try to do anytime I'm involved in an implementation is meet with the different stakeholders across the organization, whether that's compliance teams, usually the CISO and his organization, incident response and all that, and figure out how can they leverage this tooling or this new capability within the enterprise to make their lives easier?
06:43 Raghu Nandakumara: I like the way you described it. You used three words: visibility, consistency, and control. Essentially being the three pillars of the way you described Zero Trust. Can you kind of give an example of where... put this in front of a client and they had that “aha moment” about how this is going to essentially accelerate their digital transformation?
07:03 Greg Tkaczyk: Yeah, absolutely. My area of focus right now essentially is microsegmentation and cloud security posture management technologies. I was working with a large client implementing CSPM and the director of engineering at that client essentially said, "Typically, our group would procure this technology and implement it within our own silo and figure out how we're going to manage it. And that's it." We've never really worked with a partner that kind of came in and could reach out to the compliance organization, and understand what are the capabilities that this new tooling could provide them? Can it provide reporting? Are there specific assets they're interested in terms of protecting? We reached out to, like I mentioned, incident response. This is going to identify shortcomings in configuration, how do you deal with that? And so realizing the value from the tuning outside of what is typically your project sponsor, the CISO organization, I think is key. Because as people start to leverage that technology internally, it becomes business as usual, not just within security but for the broad organization.
08:05 Raghu Nandakumara: Yeah. And that sort of kind of brings me onto the sort of, what I wanted to ask you about Steve. Is that Greg mentioned about extending beyond the CISO organization, as part of building out this program. So from an exec sponsorship level, how do you help them build out that sort of cross-functional support for programs like this?
08:31 Stephen Coraggio: One of the big buzzwords, I think, recently is we talked to clients around exposure management. And when we dive into terms like exposure management and overall visibility of an environment, the executives get the aha moment by saying, that we really don't understand how are we truly exposed to vulnerabilities in our infrastructure. What is the true visibility of our environment? Especially now most of our clients are hybrid cloud clients. So they have multiple hyperscalers, they have multiple vendors in the space and around when you think about visibility coverage and then really trying to protect what's most valuable, those conversations at the executive level really help drive these programs. Because back in the day it was around protecting everything, encrypting everything, and really making sure that we scan everything in an environment. Now when we talk to clients, it's around how do we make sure that we are truly looking after the most important things in our environment, making sure that those are properly protected, controlled, we have visibility, we're monitoring that, and then we're responding to threats in those particular environments versus trying to boil the ocean in everything that we do.
09:43 Stephen Coraggio: Exposure management, which sometimes is referred to as attack surface management or attack surface mapping. But it really comes down to visibility, coverage, and then prioritization of the most critical assets. And those conversations at the executive level always resonate in some sort of agreed buy-in around funding, around these sorts of programs.
10:05 Raghu Nandakumara: And we hear that term around the most critical assets, the most important components. How is that typically defined/identified when at the executive level?
10:19 Stephen Coraggio: Yeah, most of the time it's not. And most of the time we have challenges around how it's defined. Every sort of line of business or IT function thinks that they have critical assets. So what we do is we take a consulting approach to defining what we consider crown jewels of an organization - depending on their industry, their business lines, how they go to market, public/private, are they a manufacturing company that deploys products, or are they a FinTech company that really supplies software? We then define their business projects, their imperatives, what's critical to them, and then we take a cross-line-of-business approach to defining what that is, and then we risk rank it. So we take the value of those assets, we take the value to the market, the value to the firm, and then we apply that methodology to help define what is critical or crown jewel to a company. So it is normally not defined until we really try to put together a framework around, or a methodology around, what that actually means to our organization.
11:23 Raghu Nandakumara: And so I'm just going to... Greg, coming over to you from a sort of an execution/implementation perspective. How many cycles does it take typically for an organization just to come to an agreement as to “this is the criticality, this is the right prioritization, and this is where we need to start”? How does that map out as a process and timing?
11:45 Greg Tkaczyk: So the first thing to say is nobody has a perfect CMDB or enterprise application list, but usually there's something. Usually there's a starting point that you can leverage. And so when we go into these organizations, obviously to Steve's point, you don't want to boil the ocean. You have to start somewhere. You have to prioritize those things that are most relevant to the business. And typically, we leverage whatever exists. It's usually quite a cyclical process to get to that agreement, but it's something we know when we walk through the door. That has to be a priority to establish. One of the things that's often a challenge is that nobody wants to make the final decision. And so, trying to steer your client organization to identify a technical project champion that has the authority to make those kinds of decisions, and ultimately whether those are decisions around the architecture of the solution or whether those are decisions around prioritization of what are you going to target first. That's a key part of rolling out these types of technologies.
12:47 Raghu Nandakumara: I actually want to ask a bit more about that. Because often, a lot of security projects, as you say, stall on that because of that inertia. That no one wants to take the decision as to, okay, we need to go and do X. So how do you typically actually get clients over that hump? What is the advice you give or what are the levers that you pull on so that progress can start?
13:10 Greg Tkaczyk: Usually we take a two-pronged approach. Usually there's a work stream that we call rapid risk reduction. Typically whatever technology you happen to be implementing, there's something you can do, early in the implementation, that may not be perfect, but it's going to help and you're going to be in a position that's better than where you were prior. So what are those use cases for rapid risk reduction, and don't get caught up in analysis paralysis for that. As you are trying to identify those, you don't want to spend four months deciding what top five policies you want to enforce in a CSPM solution or whatever it is. So make those decisions quickly and reduce risk. So that's the first work stream. And then the second one, in terms of the strategic goal, really focus those use cases and again, see if there are things you can do to still show value with the understanding that perfection is not the key. So if you are trying to protect the 1000 applications, narrow that down to your top 10. And then within those top 10, how granular do you actually have to be? There might be policy decisions you can make that are broader, they're still better, they're not perfect, it's not the end state. Yeah. But let's get moving and show value.
14:26 Stephen Coraggio: And to just add to that, maybe there's a third one that I think we've been adding recently over the last maybe years. We usually bring in the third work stream around risk quantification. And I know it's another widely used term, but risk quantification programs have just taken off in terms of the value that our executives like to see from a program in terms of identifying threats, vulnerabilities, risk, ranking of assets. Because we can take what they believe are crown jewels, we can apply quantification to those assets around threats that we see in the market external, threats to a particular industry. We can simulate what an attack would be on those particular assets or environment, and then quantify what it actually would cost that firm if something were to happen. So that risk quantification model, it's a fairly low investment for a lot of companies, but it provides a significant ROI in terms of where they want to spend money on controls, visibility, microsegmentation, asset visibility and all that. To me, that is starting to become baked into a lot of the things that we do, even though they were not necessarily part of a risk quantification program.
15:36 Raghu Nandakumara: Yeah. And actually, you almost answered the question that I was going to ask before I even asked it because I wanted to tie back something that Greg said right at the beginning when he said, when he got into cybersecurity about 20 years ago, it was very much a checkbox exercise. It was very much compliance focused: “I need to be compliant with these requirements, check, check, and I'm compliant.” And we all know that being compliant doesn't mean that I'm secure. Being compliant does not equate to being secure. And that's what I wanted to ask is that, it feels that there is now a greater appreciation, that understanding risk requires some level of threat modeling and scoring associated with that to then identify, "Okay, here is where I'm at greatest risk and that's where I need to focus on from a controls perspective." Is that a significant shift that you've seen over the last few years?
16:22 Stephen Coraggio: Yeah, I would say cybersecurity is no longer a capability that clients are just thinking about. This has been around for a while. Maybe in the late 2000s, we were thinking about everyone buying technology products with an open checkbook. The last four to five years, and maybe even the last three, have been around, “How do I do more with less? How do I really think about rationalization of spend and technology and sprawl?” Our average client has 78 different security products. It's a lot about, “How do I rationalize, provide ROI, quantify risks so we can apply the right technology to the right environment and then save money by de-prioritizing other things?” So when you think about some of the next generation technologies like microsegmentation, that includes visibility, Zero Trust concepts that include AI and automation, those are things that our clients are thinking about because it's really about leveraging investments in the right way and prioritizing spend, versus maybe just going out and buying the next shiny object. And that's really what we're seeing, especially in markets like we are in today.
17:32 Raghu Nandakumara: So that's really interesting, because you spoke about tool consolidation and getting more from less. So I want to, again, ask this question in two parts, Steve, one to you and Greg from a practitioner perspective is that, how do you talk about, let's say you've got... You are in front of that sort of exec sponsor and you say, "Okay, you should invest in this capability, because it's going to give you these benefits." And then equally, Greg paying that off. How do you demonstrate that those benefits are actually going to be realized? So Greg, maybe you want to go first?
18:06 Greg Tkaczyk: Sure. So just to add to what Steve was saying - visibility, consistency, control - the consistency part of it is tool rationalization, choosing technologies that are going to work across your heterogeneous infrastructure. Not just data center, but hybrid applications, multi-cloud, containerized technologies, serverless technologies, etc. So you want to think about selecting those technologies that kind of can work across that ecosystem. In terms of talking to the executive sponsor and showing value, so I would take it a step back. Oftentimes, clients want to jump to the ultimate goal or the full on capability that a technology is going to provide. But during that solutioning and sales process, there are often opportunities to work with them, to still architect a solution that can obtain those business objectives and reduce risk. I mean kind of “What is the licensing, what are the features, what are the modules that you need, when are you going to need them? And what kind of support are you going to need in that rollout?” Whether that's professional services or managed services. So focusing that initial scope on what is the immediate concern, so that you can immediately show value against kind of a goal that is more realistic and practical to achieve versus kind of a targeted end state that may be two or three years out, is key.
19:33 Greg Tkaczyk: And if you think about that in the procurement and solutioning process, you can often reduce risk, reduce cost as well to maximize ROI, what we were speaking about before. Creating a ramp-up model in terms of volume and features and all of that. When I speak to clients, first, I'd want to address it upfront, and then once you were in it is, what are those metrics that you can highlight on an ongoing basis to achieving that success criteria? If you've built it correctly, if you've solutioned the initial scope correctly, measuring against that success criteria should be pretty easy.
20:06 Raghu Nandakumara: Yeah, yep. Definitely. Steve?
20:11 Stephen Coraggio: Yeah, it's interesting. I cover financial services. So for me, our clients are the most mature clients out there. We've been seeing that level of maturity high for many years, and I commend our clients for wanting to be the best of the best, and I think it's shown in what we see from a capability standpoint. We're moving to organizations within my market or even top 10 or 20 in other markets where they want to move to capabilities such as integrated risk centers. Think about how do we integrate fully risk into the cyber controls, cyber fusion center, and some of our next generation, SOC or threat management capabilities. I think it's a great vision where these clients want to be. But to Greg's point, these are three to five-year roadmaps, three to four-year roadmaps.
20:54 Stephen Coraggio: So, our view is, let's take a measured approach to get there. Let's find the right vendors, solutions, and capabilities that have that same vision in mind, that want to get there with you within the next three to five years, and we will build a crawl-walk-run process to get there. But there are foundational elements. There are things that we talked about already on this call around basic visibility, controls, access management. Those are the foundational items of an organization when they want to get to that next generation integrated risk center. But let's start at the beginning. Let's build the foundational building blocks. Let's make sure that we're covered from a visibility and vulnerability standpoint, have those basic capabilities in place, and then build on that roadmap with product vendors and solution vendors along the way.
21:44 Raghu Nandakumara: Just hearing both of you talk, right, it's like in this conversation Greg at the beginning laid out... Zero Trust is really visibility, consistency, control. And both of you repeated those terms multiple times. And Steve, what you just said, these are the basics. Visibility, consistency, control are the basic building blocks of any good security program. In terms of the programs that you see your clients mapping out, and let's focus on the financial services industry for a bit, what role does Zero Trust or a Zero Trust strategy play in the development of those programs? Is that a real thing that they bring up or is it almost a... And if we do this, it will ladder up to a Zero Trust strategy? How is Zero Trust being discussed and planned within your client group?
22:37 Stephen Coraggio: When we peel back what we think about Zero Trust, to me and to us, it's a framework. It's a set of guiding principles to getting somewhere where you can actually help clients provide the visibility, the controls, the identity, and actually continuously verify who has access to what and why. To me, it's really just a framework. It's what NIST was, it's what a lot of these other frameworks are. And then when you look at capabilities within that framework, like visibility and understanding basic things like CMDB, vulnerability coverage, asset management, basic building blocks of a security organization, that's when the whole Zero Trust capability comes together. It's around building those all together.
23:22 Raghu Nandakumara: Right. From a financial, as you said, the financial sector has always been on the cutting edge of security because of the regulations involved, the requirements, the regulator's place. What are you seeing? Are you seeing an increased adoption of Zero Trust and knowing that you don't necessarily call it out because of all the things that you mentioned? Or is it just that, again, that the organizations are just improving those fundamentals and essentially that removal of implicit trust that ultimately leads to a Zero Trust outcome?
23:52 Stephen Coraggio: Yeah, I think the top 10 or 20 CISOs within financial services are leveraging Zero Trust as a board conversation. Because the boards know the term, they understand the term. It's fairly easy to know what Zero Trust means. But what they're taking is the Zero Trust frameworks and implementing that as part of the capabilities and investments that they're making, so that when they summarize it to their boards and their directors and their executive team, they're showing their progress and maturity on a Zero Trust scale to say, "How well are we covered? How well do we have visibility? How well are we protected? Do we have the right resiliency in place? Can we recover from an incident? How well prepared are we to recover from and if an incident actually were to happen?"
24:37 Stephen Coraggio: And so, that is the framework that they're leveraging for a board conversation because, again, it's fairly basic from an understanding standpoint, but it drives the capabilities underneath it from an investment standpoint.
24:48 Raghu Nandakumara: And that's really interesting that Zero Trust is a, in terms of how a security program is presented, it's presented in a Zero Trust framework to the board, whereas the actual execution underlying is more around the basic building blocks. I think that's really interesting because often I think we practitioners almost flip it on its head and say, "Oh, okay, I'm going to apply Zero Trust principles here." And as you said, it kind of gets diluted because everyone's got their own definition of it. Greg, I want to come to you, as a practitioner, when your clients talk to you about Zero Trust, what are the questions that come up and what is your advice, what are your responses?
25:23 Greg Tkaczyk: So I think the first question that always comes up is how do you start. And like we've mentioned, right, the first thing to consider is Zero Trust is a journey. It is in fact a journey. The focus has to be on continuous and incremental improvement that's measurable. And not big bang implementations that are going to disrupt the business. And like I mentioned, often you start developing what controls are you going to do in a very targeted way, but also what controls are you going to apply in a very broad way across your organization to reduce risk? And you can do both of those in parallel, and either approach is fine. But each is a stepping stone towards Zero Trust. So when I speak to my clients about that, I really try to outline whatever technology domain we're talking about, like, how are we going to do that?
26:09 Raghu Nandakumara: Yeah, absolutely. So just shifting gears a bit, Steve, I'm coming back to you, when you look forward in let's say in the financial services sector. What do you see as the driving forces that are going to demand an increased focus on better visibility, better consistency, better control? What do you see from a regulatory perspective, from a technology adoption perspective, what are the key sort of driving forces in that space for sort of the adoption of, or the improvement in these three basic controls?
26:38 Stephen Coraggio: One of the largest areas we've been talking to clients about outside of security is around digital transformation. It is accelerating quicker than I've ever seen it. And then maybe it's because of competition, it's because of investment, it's because of just the sheer volume of companies out there that are in the space. But as we talk to clients around digital transformation, whether that be onboarding process, customer experience, process improvement. The end user knowledge base and how we apply automation to understand what clients are looking for from product, services, expectation. That transformation is truly driving the need for these capabilities. And we are being more and more pulled into the conversations around if we move to these hybrid cloud scenarios and we leverage different hyperscalers and environments, how can we truly apply visibility, coverage, controls, response activities and resiliency in those environments?
27:41 Stephen Coraggio: Because we are extremely scared that our business is moving faster than we can actually apply security and security requirements. So I think keeping up with business transformation, digital transformation and the evolution of the business is probably the most common conversation that we're having from a forward-looking cyber perspective.
28:00 Greg Tkaczyk: I would just add to that, part of that is application modernization. Our clients are going through massive transformations where they're taking these legacy applications and refactoring them into containerized or serverless, or lifting and shifting them, or creating them into hybrid applications. A lot of these technologies can, we've talked about visibility a lot, provide visibility that can help make those decisions easier, but it's the perfect time to embed security into the application, as you're going through that transformation. Why go through that and then think backwards about how am I going to protect my newly refactored apps?
28:36 Raghu Nandakumara: Yeah, absolutely. And on that, right, as they're doing that transformation, and we hear this term increasingly, sort of cyber resiliency is such an in vogue term these days. Is that a real sort of discussion point that you're having with your clients? Do they ask you the question, how do I become more cyber resilient? Or is that just an expected outcome of the programs that you're involved in?
29:00 Stephen Coraggio: Yeah, I think it's a conversation. It's not necessarily an offering. It's a conversation because it really drives the sub components and some of the programs underneath it. When we think about cyber resiliency, a lot of conversations are to sort of the right of an incident. Are you prepared? Do you know how to respond and recover from something? How resilient are you if something were to happen? A lot of these conversations are around preparedness, awareness, education, response, backup, recovery. Making sure we have those pieces in place so that if and when something happens, organizations are prepared. So things around like cyber war games, tabletop exercises, immersive experiences around threat scenarios, threat simulations. Those are where clients are really starting to spend money on enterprise-wide preparedness and making sure that they know who the commander is in terms of an incident. What is the right controls and the communication?
30:00 Stephen Coraggio: How do we get back up and running? Do we have the right backup systems and are they protected? So that's a lot of the resiliency conversations. Now, certainly to the left of an incident, it's around controls, visibility, monitoring, and that's what's been around for a while. But now we're looking at both sides of that spectrum.
30:17 Raghu Nandakumara: Awesome, awesome. So Greg, coming over to you. Being a bit forward looking, where do you see the interesting next steps from a cyber, whether it's a capability perspective, whether it's a threat perspective that sort of practitioners need to be really wary of?
30:35 Greg Tkaczyk: I think more and more it's about making the automation and remediation aspect optimized and automated. Many of these tools will identify things, will alert you, but require a human response. Many toolings and integrations with SIEM and SOAR platforms are kind of closing that loop. I don't see that being used extremely heavily in our clients. The capability is there, maybe from a plumbing and technical perspective to make it happen, but having clients really sit down and think about what are those use cases that I am comfortable in fully automating my response. I think that's going to be an area that's going to be a focus going forward.
31:16 Raghu Nandakumara: And there, let's say why there's a gap there is that because sort of clients are not able today to define what those use cases are, or it's because they don't know what data they need in order to instrument and operationalize those use cases?
31:33 Greg Tkaczyk: Yes, but it's scary too. You're giving away control of parts of your infrastructure to something you're inherently trusting to make the right decision. And so that's what I mean. I think you have to start small, define use cases that you're very comfortable with. Those use cases don't have to be applied across the entire enterprise. And as you get more comfortable, you build up that capability for automated response.
31:58 Raghu Nandakumara: Yeah, and if I think about like Forrester's sort of pillars of Zero Trust, we have that ring of automation and orchestration that exists there. And tied into sort of visibility and monitoring with the sort of the end goal that it's this sort of, like this ecosystem that is essentially reporting back itself, responding to changes in the environment, etc., and adjusting access along the way. So I guess that that's where everyone wants to get to. But as you said, giving up control is the difficult thing. Steve, like any other sort of significant challenges that you see amongst, whether it's in the financial services space or in general with organizations as they seek to really take their cyber programs to the next level and potentially accelerate that progress towards Zero Trust?
32:46 Stephen Coraggio: I would say the biggest thing that we see from clients is around really providing ROIs and investments in programs and helping them, the CISOs, now deliver that business case to the board around the value of a cybersecurity investment. Whether it be a software or services component. We have done more business case/ROI/quantification programs in the last year than we've probably done in the 10 previous. Because it's around being more thoughtful when it comes to spend and being more defined with partners versus spreading the wealth around with too many. So I think we're going to see more and more of that as companies tighten down on budgets and think about how do I transform with the business but also do it in a thoughtful and efficient manner? But I do think there's enough out there in terms of vendors and solutions where clients are seeing more and more of the return of the investment in organizations now than they ever have. So I'm hopeful for where this is going.
33:45 Raghu Nandakumara: And that's really interesting, I think because we touched on ROI in a few places in this conversation. And that's definitely, as you rightly said, been such an important theme over the last 12 months. And we've seen pretty much every sort of security leader whether it's on the vendor side or on the client side talk about needing to demonstrate ROI. Are you able in a nutshell, just to say, when we go out building, let's say an ROI model, here are the key things that we emphasize and articulate well to the board. Can you shed a bit of light on that?
34:16 Stephen Coraggio: A lot of the stuff is around what Greg mentioned: automation and scoring and dispositioning of threats. When we have a massive client base and we can leverage the power of many and synthesize the data to provide value back and say, "We've seen this threat, we've seen this incident before, and based on our analysis and research, it's a false positive, auto close it." That saves time and money from analysts. That saves time and money from escalation. It actually saves time and money from even hiring a tier one analyst. So we're able to provide more and more of an automated platform, more and more automated response, and really try to build technology into these solutions to take away a lot of the commoditized, say threats or known threat vectors and really focus on the ones that are most important and most valuable to organizations. And to me, we show value by saying, this will reduce X amount of man-hours and X amount of resources by replacing it with a platform or a technology or an AI model. That's a lot of the investment that we make.
35:16 Raghu Nandakumara: Greg, if you can, I'd like you to pair that off. So that's the business case. How do you then report and show that, yes, I have automated like this percentage of these tasks. How is that sort of the validation of that done?
35:30 Greg Tkaczyk: Typically kicking off an engagement. Part of defining the success criteria is going to be what are the metrics that we can track and report on basically, weekly against kind of the target. How many of the agents have been deployed? What number of assets are being protected? How many use cases have been enabled? What percentage of the environment is in a certain state of security versus the rest? How does that map across different business units or different operating systems or whatever the metric is? So typically part of that process is to identify those metrics and KPIs, measure them on a weekly basis, and then we roll that up on a quarterly basis generally to the executive stakeholders.
36:09 Raghu Nandakumara: Awesome. Steve, Greg, any additional pearls of wisdom you'd like to share with the listeners?
36:15 Stephen Coraggio: My parting thought here is pick a solution partner services vendor that is investing in these capabilities. There's a lot of sort of older technologies and platforms that did things really well but the companies right now that are shining are companies that not only can provide things around microsegmentation and Zero Trust, but also visibility, also to understand what is in those particular containers or areas? And then continuous visibility and coverage within those particular areas. So I think looking at those companies that certainly we partner with and what we're talking about here, is extremely critical for future investment. I think the rip and replace models are challenged. I think we need to think about continuous investments and building on strong strategic partners, building a program of the future. So it's important to pick the right vendor at the onset of these programs.
37:09 Raghu Nandakumara: Thanks, Steve. Greg?
37:10 Greg Tkaczyk: I would say do a production pilot and not a proof of concept. That's the biggest thing that I see the clients of mine that are successful do. When you do that, you start small, you define the use cases and success criteria for the pilot, you validate the technology, you validate the skills of your implementation partner. And as part of that process, you're going to uncover any insights or dependencies or constraints that are going to be relevant to your implementation. And really inform the approach that you take for an enterprise deployment.
37:41 Raghu Nandakumara: That's really sort of great advice. Production pilot versus proof of concept because you want to validate that this is going to work when the rubber hits the road. Greg, this is a Zero Trust podcast. What's your favorite Zero Trust analogy?
37:55 Greg Tkaczyk: Alright, so I actually have a few if you bear with me.
37:57 Raghu Nandakumara: Oh, okay, okay. You have to let Steve have one as well.
38:00 Greg Tkaczyk: Alright.
38:01 Raghu Nandakumara: So go on then, you can have two.
38:04 Greg Tkaczyk: Well, I'll be quick. The historical security model of the hard candy with a soft center. But when I think about Zero Trust, it's highly granular and distributed trust. So that doesn't apply anymore. So maybe it's a bag of those candies. You still have a perimeter you have to open up. There's controls you have to get in, but inside are many of those candies. Each one's representing security controls. They're closer to the thing you're trying to protect. So that allows for more granular decision-making. The other one is I was actually talking to a friend of mine yesterday and we decided that Zero Trust is like a cheese sandwich. As a concept, it's easy to say, it's just a cheese sandwich. But when you start digging into the details, what type of bread, what type of cheese, what are the toppings, is it grilled? It means something totally different to everyone.
38:48 Raghu Nandakumara: Nice, I actually like those two because on one side you've just explained that the bag of candies is the concept and then the cheese sandwich is actually, there's so many nuances to it and everyone has their own take. And I also like the fact that you're having conversations with your friends on a daily basis about Zero Trust, coming up with new analogies. Steve, can you better the bag of candies or the cheese sandwich?
39:09 Stephen Coraggio: Yeah, well, I think Greg is hungrier than I am right now. So my analogy is not food related, but I've used this analogy for a while and I think this sort of sector has it right. Like you think about an airport, you think about what it takes to go through an airport, through security checks and validation of an identity and then continuous validation as you move through the terminal, the gate, the plane, the seat. I think that type of methodology, which is it gets granular and granular as you move through the process, you're constantly being validated in terms of security checks, your identity, the gate and the terminal you're supposed to be at. And I think if you look at that from a security standpoint and the amount of people and things that move through, I think they've done it very well. And of course there's hiccups and challenges and there's some things they get through, but for the most part, that stop gap process, continuous validation has worked very well.
40:04 Raghu Nandakumara: I think that's been such a great conversation, Steve, Greg, with yourselves and just really getting an amazing insight from sort of a practitioner's perspective about how right from the board level, all the way through to the technical implementation and program management and sort of reporting about how you deliver successful sort of security programs that deliver true risk reduction outcomes. I think that's what I take as the key takeaway. And then also how ultimately you are really, when we think about Zero Trust, we're thinking about really three key things. Visibility, consistency, control, and applying this across your estate in the right places to effect that risk reduction and essentially improve cyber resiliency. So thank you so much again for your time today. And right, if you're all interested in learning more about how IBM and Illumio are working together to empower organizations to achieve better resilience with enhanced visibility and Zero Trust Segmentation, go and check out our website. Steve, Greg, thank you so much for your time today. I appreciate it.
41:16 Raghu Nandakumara: Thanks for tuning into this week's episode of The Segment. For even more information and Zero Trust resources, check out our website at illumio.com. You can also connect with us on LinkedIn and Twitter @illumio. And if you liked today's conversation, you can find our other episodes wherever you get your podcasts. I'm your host, Raghu Nandakumara, and we'll be back soon.