The CISO's Playbook
Season Two · Episode 12


In this episode, host Raghu Nandakumara sits down with Neil Thacker, CISO EMEA at Netskope. Neil joined the show to discuss the evolving role of the CISO, as well as the challenges and opportunities they face in the context of new technologies.


Transcript

00:00

All right, so as we wrap up season two of The Segment, and as we're at the tail end of Cybersecurity Awareness Month this year, it's great to have as our final guest for this season a real chief information security officer (CISO), the CISO for EMEA here at Netskope, Neil Thacker. Neil, so happy for you to join us today.

00:21

Well, it's my privilege to be here. Thank you, Raghu for the invitation.

00:26

It's our pleasure. It's always good to have representation from one of our partners with us. So double thanks for that. So, CISO, CSO (chief security officer), right, it's a really, I'd say, high-profile title, and super important nowadays across organizations of every size. But Neil, how did you end up becoming a CISO?

00:50

Well, it's been a long journey. Let's just say that I kind of grew up in the computer age, right? So, as a kid, I became familiar with computers. Computers were kind of the new thing coming into homes and offices and those kinds of things. So, I kind of grew up and became familiar with the whole business of dealing with computers and dealing with the computer age. And then, one of my first roles was looking after connecting people to the internet. So, my first career steps were in the internet age, back in the day when we still had dial-up modems and those kinds of things. And over time, of course, security came in, right? We had to secure how we connected people to services, etc., and we now had remote workers and all those kinds of things. So, I lived that life as well. And it really wasn't until the mid-2000s that I moved more into the executive side rather than just the technical side. I still have a technical background. Yeah, I kind of moved into the executive side. And it was really around the cloud age, where we started seeing more and more organizations moving to the big hyperscalers, their data centers, and their future, their strategy, was in the cloud, right? And then we had this explosion of SaaS, and that's ultimately where, again, for me, it became another big challenge: to get the organizations I was working for at the time to secure their adoption of cloud. And that was one of my first CISO roles, in that age. And, yeah, being experienced in that era was really important. So yeah, that's how I moved and became a CISO. But if I look back at my background, I've worked on a service desk, and I learned some really good skills there in terms of communication and dealing with issues and incidents. And obviously, that's also good to have as a CISO today.
I've worked in roles where, again, it's been about risk. I worked for large financial service organizations dealing with risk; reinsurance is all about risk. So, I've worked in those roles for those organizations too. So I've taken all of those learnings over the last 25 years. I still use many of those things day to day, the things I've learned, in my role, again, as a CISO.

02:58

Love to hear it, right? You started off your career connecting people to the internet, and now you work for a company that secures how they access the internet and how to be secure as they access work from the internet. It's almost come full circle and complete. So, let's talk about the role of the CISO. In your opinion, in your experience, as you've matured in this role over the years and developed, how has that function changed, and how much has essentially stayed the same?

03:32

Yeah, I mean, I would say, I think, definitely, going through the cloud era has definitely changed things, right? Prior to that, it was all about securing the perimeter, securing the organization. It was all about securing what we could by using, of course, the perimeter. But it's funny because I actually recall sitting down; I went to an event in the mid-2000s. It was a Jericho Forum, where they talked about the perimeter dissolving. And they spoke about cloud, even though we didn't call it cloud at that point in time; this was pre-cloud. But ultimately, this is what was happening. Organizations were seeing this perimeter dissolve. And I think for me, anyway, it became less about some of the technical aspects and the technical skill set, and more about better understanding agreements and contracts and terms and conditions. But also, ultimately, all about risk, right? So it was interesting at that point in time that we had discussions internally in one of my previous organizations: do we trust the cloud? And of course, you then have that same discussion where it's just somebody else's data center, and we had third parties that we used prior to that, but now it's growing on a scale that perhaps we hadn't really predicted, and it happened really quickly. And I think that's where, even today, I see the CISO role, again, having to focus on risk, looking at new tech, new innovation. Of course, we've been dealing with AI for many years. But of course, there's been an explosion in the last few years around the use of AI. So again, all that comes down to risk, ultimately. And also, it comes down to a better understanding of data. I always talk about this, right? It is about data, and it's about risk.
If, as a CISO today, you're great at understanding the risks associated with data, then you already have a great opportunity as a CISO and a career path, right? If you're looking to become a CISO, just having that knowledge is really, really impactful.

05:33

Absolutely agree. And I think when you talk about understanding data, I think what you really mean is understanding how it ties to business objectives, right? Is that being able to understand the things that you're protecting, why they are important to the business? That must be a key part of the CSO's role today.

05:53

Yeah. I mean, the thing is, it was always that discussion. It was about, can we protect all the data? All the data this organization transacts with on a daily basis. Yeah. Ultimately, the nirvana is that you try to do that. But in summary, the only real way to do this is to prioritize. It is to look at risk prioritization. So, looking at where the biggest risks are coming from, the highest risks, in terms of what impact it will have on my organization if, for instance, I lose access to that data. I no longer have access to that data. We had this, obviously, with ransomware for many, many years. But it's also around, what is the value of that data? Because if I lose that data, what's the true impact, from a financial perspective, for instance, in relation to that data, not just the fines and the penalties, but ultimately, again, am I losing intellectual property? Am I losing reputation? Is there damage there in terms of that? So, for me, it is always talking about, again, putting controls around the data where possible. And to your point, yeah, absolutely, getting very good at identifying that data. I've seen a number of organizations do this really well. I mean, I've been involved with data classification and data loss prevention tools for many, many years, and you kind of really have to, I think, almost rip up the rule book when it comes down to this. Yes, classification is a nice thing to do. You have to look at data categorization. So, what category of data are we talking about? But then also, again, putting controls around that data so that ultimately the controls follow that data wherever it goes, and you can maintain some kind of, I guess, perimeter around that data. That's how I see the roles and responsibilities of security teams changing. And, of course, as a CISO leading that team, you need to be innovating and being the pioneer in that space.

07:39

Absolutely, that whole challenge of classification and categorization is then, I guess, the basis on which you're driving the outcomes you're seeking to drive. It's so foundational to it. So, let's talk about, from your perspective, challenges that you've had to overcome in your role. I mean, we'll come on to challenges in the industry as a whole, but let's talk about, again, your own development path as a CISO and things that you've had to overcome.

08:09

Yeah, I think, I mean, for me, the first was around board meetings. I recall going into my first board meeting again many years ago. I took on a role, and I presented basically what the previous person had been presenting for many years. And I guess it was the opportunity for the board to ask, "Why are you presenting this?" And I said, "Well, it's a continuation." I was relatively new; I think I'd been in the role for six or seven weeks preparing for this board meeting. This is what had been presented to date, and I had the opportunity to go into the boardroom and present it. And again, the first question was, "Why? What's the importance of all of this?" So, I assume that question hadn't been asked before. And I was very clear. I was very candid. I said, again, to that point, this is what has been presented previously. But yeah, we can change it if you're interested in looking at other metrics. And we then had this discussion: what is the value of the security team? So, I mean, it was a great first board meeting, right? I was thrown in at the deep end. But for me, of course, it highlighted that for metrics and for measurements, we need to be more business aligned. That was my first finding. It wasn't about how many systems we patch and how many incidents we've had. It was ultimately how, for instance, the security team is supporting the business, driving the business, helping the business move forward. I obviously came back at the next board meeting and presented a whole different series of metrics in relation to that. So that was my first finding. I also realized quite quickly that, of course, in communication, we can never really use buzzwords and acronyms in those environments. And I'd spent probably the last 10-15 years dealing with that type of terminology. So, I knew I needed to quickly improve my communication and, of course, make it more business value driven.
And ultimately, again, going back to supporting the business. Supporting the business in terms of new revenue streams, new ideas, M&A type engagements, how quickly could we spin up and secure organizations that we've gone through and acquired? And ultimately make that presentable to, again, a business leader? So those were perhaps some of the first challenges and improvements I felt I needed to make as a CISO. Again, looking back at the last 10-15 years, that's how I've seen value in having those types of discussions, less so focusing on the technical side.

10:30

That's a great point you make, because that experience was very early on in your CISO career, going back more than a decade. I still find it quite tiring whenever I see "CISO", in inverted commas, thought leadership articles, and there's a commentary about how CISOs/CSOs need to be better aligned with board priorities, need to communicate better to boards and make them understand why. If you were being asked these questions 10-15 years ago, why is this even still a conversation, right? We should have moved beyond the need for this; no one should need to be told or retold that it's important. It should be taken as a given. Why is this debate still happening?

11:18

Yeah, it's a really good point. I mean, by the way, I still believe that we are listening, we are being educated by the board in organizations. I still believe that many C-level, many other roles are also being educated, right? I've been in board meetings where you haven't been the person that's been called out for not supplying the right type of information that they want to see. So, it's always a learning curve. It's always a learning experience, for instance, going into these sessions. And I think the point is also that in my next role, I went in without the same type of information, the same types of metrics, and in that first meeting I just went in and asked, "How can I assist in supporting this organization and providing you the information you require as a board to, of course, improve?" So, I think that's where we're all still learning, right? There is no, I guess, there is no single answer to engaging with the board. It's different in every organization, and there are different requirements for every organization, I think, and also every organization has its own challenges or its own strategies in place that, yeah, you can't just take to the next organization. So, I think that's probably the reason why. I think more discussions about this are not a problem. But in some of the examples we hear about, all we talk about is that we should be using business language, and we should be using this level of communication. But nobody actually gives examples. There are a few, by the way, out there. But yeah, we need to keep pushing those to the forefront so that people understand, like, what is a good metric to communicate to the board?

12:55

Yeah, absolutely. I think examples would be much greater than just stating the obvious of "do a better job." But I like what you started with: almost a board member asking the question, like, why should I care about this, right? And I feel that's always a good question to have in the back of your mind, not just for board presentations, but pretty much for any presentation: why should my audience care about what I'm telling them? It may be the greatest idea in the world, but if the audience doesn't care, it doesn't matter.

13:28

It's that book, right? Start with Why. If you're presenting using a slide deck, or if you're having a discussion, it's all, why are we talking about this? Why is this important? Again, why are we investing our time and our energy into this? That's always a good starting point. I mean, I talk about this in terms of new business opportunities, and when we start thinking about this, even looking at the business of the future, well, what are we trying to resolve in terms of this? So, yeah, it's always good to start with why.

13:53

Yeah, absolutely. So, I know when we were discussing in the lead-up to this conversation, you spend a lot of time. I mean, of course, you're a CISO for Netskope, but you also spend a lot of your time talking to CISOs of your customers. So, what are they excited about? And do they feel that "Hey, actually, you know what, we're doing these things right"? Because I think a positive message is also important, because we have enough negativity in cyber.

14:20

Yeah, true, yes. I mean, actually, last week we had our customer advisory board, which gave me, again, a great opportunity to speak with my peers in the industry, other CISOs, in some amazing organizations. And it's always interesting to hear the two sides, the challenges, but also what's working, what they are seeing in terms of great things like innovation in cybersecurity as well. And I think it is great to see, as a positive, so many organizations really start to consolidate many of their technologies, their security stack that they've perhaps had in the past that has in many cases been complex and difficult to manage. So as an example, we had a quick discussion about moving away from corporate networks, and if I go back 20 years, we were talking about this with the Jericho Forum and the Cloud Security Alliance, when we talked about moving to a perimeter-less world. And the interesting thing is, it's happening, right? We're now seeing more and more organizations absolutely doing this, saying our goal, if it's not already in place, is to ultimately remove our corporate network and, again, allow our employees, on whatever device they want to use, direct connectivity to the services they want to consume, without having to VPN and connect back to networks and then on to their services. I mean, there are still a few use cases and certain industries that perhaps need to maintain that, but it is great to see. I mean, speaking to one of the largest financial service organizations last week, that was their goal. They are looking to move away from that difficult-to-manage and difficult-to-scale corporate network.
So that was a good thing, and I'm seeing a more consistent message around how organizations have done that, and they are sharing how they've been able to do that, and also looking at all the benefits, like the cost reduction, the cost consolidation in many areas, looking at risk reduction, and ultimately looking at improving general productivity for their employees and their end users.

16:16

That's a really interesting thing, and I think the whole move, whether it's perimeter-less, or whether it's moving towards micro-perimeters, whichever way you want to frame that, I think they're essentially two sides of the same coin. I think why that's efficient from a security perspective is that you then don't have this quandary of, is this trusted? Is this not trusted? That goes away, because, like, this is not a lead-in to Zero Trust, that will come later, right? But I think that's the beauty of it, is that you can then suddenly say, well, everything is accessed via the internet. I'm treating everything that way. Then I can bring a very consistent way by which I apply security. I mean, I can use all the context, etc., right? And something coming from a Starbucks may be treated differently to something coming from the hotel lounge, right? But I can still apply the same principles rather than having to make assumptions. And I think that's quite a powerful place to be in.

17:20

Yeah, yeah. I think, absolutely. I think when we talk about the Zero Trust principles being adopted generally. So as an example, I worked with a good friend of mine who is a CIO for a very large organization, and he shared a great story. Obviously, during the pandemic, everyone was working remotely, and they set up this whole Zero Trust principle and policy set to better secure their remote workers. And what was interesting was when he said, "When everyone started coming back into the office, we realized we had better security when everyone was remote because of the changes that we made. So, we wanted to apply those same principles to our internal network. And then we realized, well, again, can we just get rid of our internal network, our corporate network?" And ultimately that is their goal. So, in this example, this organization has seen this as a great way to justify this move, this transformation into this type of approach, because, again, looking at their security posture, looking at the security controls, they realized they actually had more granular, more specific controls for their remote workers. But the way that they did this, and this is almost becoming a fundamental now, is moving beyond just identity as a means to assess, and using identity only as one signal as part of Zero Trust. It was, of course, considering the device that the person is using. Is it corporate? Is it a personal or any other type of device, for instance, beyond just laptop and mobile, etc.? But understanding a bit more around the device itself, doing some posture checks on the device, but also understanding the device, and then looking at location. So where is that person connecting from, and also where are they connecting to, and then some of the details around which application? Because everything is now about the application. You're not really connecting to a network. You're connecting to an application.
And then it was, well, what instance of the application? Because a corporate instance of an application is very different to a personal instance, and in some cases, of course, they're the same. If I look at the obvious examples, like OneDrive and Google Drive and all those kinds of things, it really does matter what type of instance you're connecting to. If you're moving corporate data to a personal OneDrive instance, then that's probably a big deal, right? And then it's the activity. So, what happened before and afterwards? And then also, of course, going back to the data piece. At our advisory board last week, we were talking about this, and there was a comment made around, what about time? Because access to data at certain times could obviously be an anomaly, but also, ultimately, when you're building out a Zero Trust set of principles, you want to consider time as well, because data has its own life cycle. So, there could be certain data assets, etc., that are highly confidential at a certain point in time, such as any kind of work on M&A type activity, but after that point in time, perhaps they're no longer as confidential. So time is also a signal that we need to consider as part of this. But that was, as I said, what really opened my eyes to thinking about this beyond identity. And again, this was something that we've adopted, of course, at Netskope as part of our internal security function: a whole Zero Trust approach, looking at that maturity model and moving up as far as we can in terms of the optimal stance, and including all of these signals, because they are all critical.

20:41

Yeah, no, I absolutely agree. And I feel identity is important, but I also feel that in many ways, there's probably been an over-rotation and focus on identity and not enough focus on other signals and other pillars. And as you were talking, and you were going through various other sources of signals, network, application, device, etc., it actually got me thinking, when we're thinking about the pillars of Zero Trust, we have the device, the application, the user, the network, and I think it's the workload or the data, I can't remember. And often we talk about maturity, of maturing controls in each of those pillars. But as you're talking about, actually, each of those pillars is also a source of signals. And you can think of those both as properties of everything, but also as things that you're protecting, and there's a lot of interrelation between the two as you align and mature your Zero Trust strategy. Yeah, I agree, right? Think beyond identity, right, when you're thinking about these signals.

21:48

I ran a security operations team for many years, and you always wanted context. Again, this is a really crude example, but we had somebody that took data, really confidential, high-value data, and put it onto a USB drive. They were about to leave the organization, and we called it, and we identified it. We said, "Okay, we need that USB drive back because we need to securely wipe it." Apparently, they were doing it for backup purposes, which already triggered alarm bells. Why would you back up onto USB when you had file servers, etc., and GitHub repositories, all those kinds of things? This was, again, in a previous role, but it was interesting, because when the device came back, well, it was a different device to what was actually used to copy the data off. So that was, again, an immediate alarm, and we actually stopped the person. They said, "Oh yeah, I gave back a different USB drive." But again, that's just one real crude example of why that context is really important, because we actually stopped, at that point in time, what would be considered a significant data breach at the organization. We stopped that from happening. And, of course, we all know as security practitioners that we want to stop as many breaches as possible, because we know what happens as part of the response and recovery, etc.; it also consumes lots of time and effort. So, this is why, again, for any security operations team that I work with, I meet with, I talk with today, it is, again, looking at what context you can gain from these things. And yeah, you need to have at least some of those eight or nine signals, in some cases, to really determine the impact and the assessment of the event.

23:22

I think you didn't give this person the benefit of the doubt. I think what they had done is they'd taken the USB and then backed it up to another USB, which is what they gave to you. So, they were just making redundant backups, just in case.

23:34

It was, of course, to hide the fact that they had this data that they were taking with them. We, of course, didn't want them to take the corporate data with them. That was, ultimately, the scenario that we had, and that, yeah, we were able to mitigate. But again, based on the context, you look at the device, and it's like, well, this wasn't the device that triggered the alert. Therefore, you know immediately there is a bigger issue at play. Yeah, I think it's the same with cloud today. I have this discussion with many, many other CISOs talking about the challenges of cloud. It's like we don't always, or in the early days we didn't always, have full visibility into which cloud services were being used by our organization, what had been approved, what had gone through vendor assessments and third-party assessments, etc. And I still think we have that challenge today for many organizations; that's the feedback they give me. We don't know exactly what is being used. We have our approved public cloud services, like we're an Azure or AWS or GCP shop, but for SaaS, the feedback I usually get is we don't really know what we're using; you wouldn't be able to get a comprehensive inventory of what's being used day to day in terms of cloud services. But of course, there are tools like Netskope, for instance, that can help an organization identify that and then put controls around it. And I think that's a really good starting point. But then it does come back down to the data. So okay, well, what data is going up to those services? Because if I lose access to those services, if that service is unavailable, what is the impact? Again, going back to the board-level discussion, that's now what we talk about: if we lose access to this data, what is the impact of that to us as an organization? We're having that same discussion right now around AI services.
As AI services are becoming more embedded into business processes, it's like, well, what happens if that service is no longer available? What is the impact? So, yeah, we have to start thinking in those ways. It's a form, of course, of resiliency, but it's now thinking like, do I know how resilient my services are, and what happens if they are going to be unavailable or if they have been compromised?

25:35

Just going back to what you said about shadow IT usage, right? Let's say mid-2010s, when this was the infancy of the CASB market. And I remember actually visiting your development center in Bangalore and sitting down with members of your product team and going through and saying, "It would be great, we're in the middle of an evaluation, it'd be great if you could do this, this, this and this, because that would then give me all the visibility I needed into SaaS usage." But like we talked about, you just touched on AI usage, right? And I think that this is really interesting, because with AI models becoming such a key component of business applications, the AI model is now a critical application. So, we need to be thinking about how we secure that in the same way that we would have applied to, if I'm a banking provider, my core banking system, right? My AI model is now fundamental for both the A, the I, and the C, right? I need to protect all three in the AI model.

26:43

Yeah. Again, as I said, I've lived through many ages, like the computer age, the internet age, the cloud age, and now the AI age. I don't know if I've got another age in me, to be honest. I may even be replaced by AI, we don't know. But I think you're right, every time we enter a new age, or we're in transition into another age, we start thinking, well, again, obviously, how do we better secure that? And I had the same discussion in the internet age, where actually it was a case of, well, we're only going to give certain people access to the internet. And of course, within a few months, everyone had access. And the same for cloud. It's like we're only going to limit the number of cloud services we use. And then within a few months, we had the shadow IT issue. And I think we're living, of course, in the AI age now. I mean, one thing we focus heavily on. So I'm a member of our AI Governance Committee, and I co-authored our responsible AI policy and our AI security standard, and I work closely with our teams across Netskope in terms of, again, our use of AI, both from a company perspective but also from what we have within our product. We have an accurate record of usage, and we tie all this back into what the use cases are, for instance. So, yeah, we have this great capability that we can do that, right? We have this as an organization. AI is our key focus to identify and also make sure we put in controls, for instance, to better protect the use of AI. I also, of course, work closely with our threat research team, and we've seen an increase in the use of AI to drive innovation in terms of launching threats and attacks and using new types of techniques, etc. So we've already seen that. And from a defense perspective, again, supporting the product team in terms of building those defenses that are AI-backed, so yeah, we're already seeing this.
But as I said, from our organizational perspective, you have to take an umbrella approach to this. You have to look at all of those different use cases, and also, what is the impact if any of those are affected? It is critical to us as an organization already in terms of, again, controlling and governing the use of AI. And we also have regulation here now as well. We have the EU AI Act, which came into effect in August. And it's interesting as well, because I speak to other organizations on a regular basis, and sometimes the feedback I get is, "It's okay, we don't need to do anything for three years." And my response is, "Well, no, actually, the first milestone, the first enforcement, is coming soon, in February 2025, right? So we can't wait." Really, it's about becoming ready for that first milestone around the use of prohibited AI systems and services. So, yeah, I think regulation is going to play a role, but ultimately, it's going back to what we know, right? What do we have? How are we securing it? How do we ensure governance is applied?

29:35

Yeah, absolutely. So kind of tying in this AI conversation back to the conversations that you're having with CISOs, and we spoke about some of the things they're excited about and positive about. What are they struggling with, right? What do they get frustrated about?

29:52

Yeah, so I think, I still think the number one is, I guess, the challenges of the current regulatory landscape. And also, yeah, upcoming new regulations and changes to standards and frameworks. I mean, we've lived those for many years, right? But yeah, it just seems to be at the moment that there's lots of regulations that are coming into effect. How do they all align to each other? Like, are there overlaps? And what is it, what takes priority and those kinds of things. And, I mean, yeah, I deal with these things on a regular basis. I’ve been with NIS2 and DORA, for instance, since they were kind of first announced. And the EU AI Act again, I wrote a paper on this back in August, once the text was formally published in the EU journal. So, all those kinds of things. So, I’m aware of these kinds of things, but it is difficult. It is really difficult for organizations today in CISOs to understand what they need to do in terms of the regulation. So, I think how to solve for this, because I'm also, I'm happy to talk about problems and challenges, but I also think, well, how do we solve that quickly? And again, the way that I typically approach this is that we build out, or improve, our current standard control framework. So we have a series of common controls that we can apply, for instance, that meet the requirements of many of these regulations and standards and frameworks that are coming in. And by applying something like either an organizational control or a technical control, we can meet the requirements of that. But it's you don't just apply per regulation or standard framework. You apply that, and that then, therefore, applies to multiple. So that's the kind of way that I've been actually sharing. I've written a series of, well, my team I work with at Netskope; we've all been working on this compliance series of guides that can ultimately help organizations understand what they need to do. 
Whereas the kind of the low-hanging fruit, as we say, and also how, if you apply, if you apply this control, what impact does that have across the regulatory landscape? So, yeah, those are the challenges I'm hearing about, and then also kind of how we think about helping resolve some of those challenges.  

31:53

Yeah, and I can absolutely see how onerous it can become when you have so many different regulations to go and essentially solve for, right? And each of them asks for kind of the same thing, but a slightly different color. And you're saying, "Do I need to do all the colors, or do I just need to do some of them?" But I do agree, right, that having a maybe some kind of consistent framework on top of which it's kind of regulations then built, or just extensions of would then, at least, you then have the comment saying, "Okay, well, if I'm adopting this framework, right, I know I've got all the basics covered." And I feel, to some extent, and I kind of nod towards DORA, specifically, in this case, that it very much, points back to ISO 27001 and the NIST cybersecurity framework as essentially a source of inspiration. It's built on that. Do you see that that's a bit of we could take some hope in that, in that regulatory organization saying we don't need to reinvent the wheel here, there is plenty of good, like standards and frameworks to build on, and that's how we're going to mature, rather than making our own thing up individually.

33:04

Yeah, it's also the maturity. And when new versions of these standards and frameworks are launched as well, it's always good to see. I mean, I was championing ISO 27001 updates for many, many years to include things such as web and cloud and data security. I didn’t really go into the details of what that actually meant. So I was very excited when, I'm one of those people who gets excited when a new, updated standard is released, you can tell. When they launched 2022, I was like, great, they finally addressed web security and cloud security and data security. I was championing DLP, for many, many years, since my QSA came in and I showed him how DLP was helping me identify any card data outside of my card data environment. He was like, "Okay, what is that technology called?" I said, "It's called DLP." He's like, “Interesting, perhaps we can consider that as a compensating control." I was like, "Yeah, it should, yeah, it should be, really, shouldn't it?" So that was, again, that shows my age now, that was in the mid 2000s. But yeah, it's great that standards and frameworks are kind of catching up to those controls that are available. And again, I completely agree, if we can, we always need to simplify security. I mean, complexity is always our enemy. Going back to the ball discretion, there's also no right answer, there’s no perfect fit. So we can take even if we go, we have to comply with a multitude of regulation standards and frameworks, in many cases, they're still going to be unique to us and our organization. So yeah, it's how we apply them, it’s how we consider them. So yeah, but if we're going through and spending most of our time trying to meet the compliance requirements, then yeah, unfortunately, we're not, we don't always have the time then to look at innovation and the latest threat and data, and yeah, the advancements in other areas as well. 
So I think, yeah, yeah, if you can simplify the compliance piece, it will, it will pay its dues in terms of allowing you to focus on other things as well.

34:56

Absolutely, right? I think absolutely simplifying compliance and everyone is going to welcome that. But I think it would also be exciting to see compliance driving innovation right beyond just making it easy to report on compliance. That that's not innovation, that's just better reporting, but really compliance as a way to drive more innovation in the security space. I see that there's opportunity for that. What's your perspective?

35:20

Yeah. I mean, I do read the EU AI Act multiple times to really understand, again, how this could be leveraged in an organization to ensure that you're meeting the requirements. But also, making sure that, for instance, if you're implementing any cybersecurity controls that you're also going to do is in accordance with the legislation. So in that regard, of course, it's very high level. It’s very vague in certain areas, but it does talk about certain types of activities, certain types of monitoring, etc. That is ultimately what you can do if it's based on machine rather than a human inspecting certain things, right? So that’s of course, from an innovation perspective, it's important to understand, but also understand that, again, you can use AI/ML in your organization to help secure your organization. It's not, it's not trying to call out and focus on that you can't do that, for instance, because it is considered profiling or something like this, right? So that is really important. I think there is always great best practice guides out there today as well. When I go to an event, and I'll see, I'll hear about one of the keynote speakers, or go to one of the sessions that I'm interested in, there's always lots of people that have gone through this and have innovated, and they've perhaps used a platform of meeting a certain compliance requirement, but how they've, for instance, taken, perhaps that budget that was allocated to help the organization meet that compliance requirement, and then met the compliance requirement, and then have used or repurposed some of the kind of the spend, the technology investment to also do other things as well. And again, I think that's really, really important for any organization to consider this, right? It is another change I've had. I hear from CISOs is, again, they're looking to consolidate. They're looking to where they can look at cost reduction. And for me, there are some great opportunities to do that. 
I mean, I recall starting an organization they had like, 70 technologies, and I looked around the team and we and we had, like, 10 people. I was like, okay, seven each. Okay, even if we just patch and update them and keep them up to date with the rules and config, it's not going to be possible, right? We're going to have to start reducing the number of technologies that we have, different vendors, etc. We have to really consolidate to a more manageable tech kind of stack, really, and that's where I saw this good opportunity as, okay, what is the compliance requirement to have this? What is it helping us from a threat or data protection perspective? How is this securing our infrastructure? How is this securing our people? Because, yeah, we need to also help secure people. How is it helping educate and raise awareness. So I shortlisted the requirements really hitting those key, key areas, and then I was able to, yeah, absolutely, start looking to reduce the number of technology vendors I was using, and ultimately make it more manageable. And I've tried to do that in every organization that I've joined, to really focus on that. Because as long as you're meeting those requirements, that's great, but there's, there is a lot of technical debt. I think that's the common phrase we all talk about as one of the biggest challenges. There are ways that we can absolutely look to reduce that complexity. And I think when you reduce complexity, you can start focusing more time. I’d rather my whole team focus more about again, tuning, configuring, improving technologies, spending more time on looking at events and looking at metrics and trending and analysis and analytics and those kinds of things, rather than having to go and yeah, update a piece of tech, because it's scheduled for an update. 
Those kinds of things, I really want to and that, I mean, that's, of course, the joy, the joy of SSC and SASE is that you can ultimately let your provider do that and just take advantages of the time spent to, again, maintain and configure those policies so that that is really, really important, from my perspective. Again, just how we manage the resources in our terms.  

39:17

I think one thing that just about around that consolidation, I think that's also an opportunity, particularly when you've got sort of vendors who are coming to saying, “Hey, we have this capability.” Often, I think, and I know being on the vendor side that the pushback from prospects to customers is, “well, I've already got 30 other tools”, or in your case, you said 70 other tools, right? But I think that consolidation exercise really allows you to then map out exactly what capabilities you have, because I think that's the biggest challenge for organizations when they're presented with a new technology, is that they actually don't have an understanding of what their current stack does, right? Where it provides value and where it's actually, despite having 70, there are still gaps in capabilities and key capabilities. And I think it offers an opportunity to essentially discover those and say, “Ah, okay, now I realize why I need this.”

40:11

Yeah, exactly. So, I mean, it's one of the first things I did was to bring supplier partners in, in previous roles. I mean, the great thing is at Netskope, I obviously came into Netskope, six and a half, seven years ago. We're a cloud company providing a product to technology. So, I didn't have that, that issue. But that's what I have to say in previous organizations, because I know that this is, this is a big challenge. But yeah, I would bring suppliers and partners in and say, “Okay, we have a renewal coming up in six months’ time.” And the first thing that they would always say was, “Okay, we'll contact you closer to the time.” And I said, “No, I need to know why now we are using this technology. What benefit am I seeing from this technology?” And we've had that discussion, and of course, I'll go back and say, “Yeah, we can probably start thinking about consolidating that.” And I've even got a, I mean, I've still got the worksheet, and I've actually worked with a number of other organizations, again, at Netskope, who have had that same challenge. And I've kind of said we have this list of like 250 different technologies, and kind of how they ultimately can be, perhaps be consolidated, like in phases. So your phase one will be this, phase two, phase three. Now you can start looking to consolidate, because there's lots of things that overlap, right? There's lots of capabilities when we look at critical capabilities that potentially overlap with other technologies you may already have, I completely agree with you. It's not, it's not always visible to somebody. And it could be that you hear about this new, shiny, new thing, you think, okay, well, that, that would be great, we can bring that in, but actually now that perhaps overlaps with something else I've got. So, do I need to, like, replace? I have this as an analogy. 
I have the same thing with my wife and my wardrobe is like, I can't get any more in, so if I'm going to bring anything new in, I have to get rid of something. So, it’s currently, like, it's very similar to that, right? But in this case, I think from our from our perspective as a CISO, it's like, well, if I bring one thing in, I probably need to get rid of three things. Ultimately, I kind of see this sweet spot I had, we had this great discussion last week, again, our customer advisory board, and kind of the sweet spot is to get below 10, right? If you can get below 10 technologies, they're all doing, again, they're all doing what they can, and they're integrated, and they're open, and they're talking to each other, and they're utilizing, of course, the latest benefits of these kind of things. So you’re covering this from a from a tech stack, and you're reducing it down to that kind of, that more manageable level. That's kind of the sweet spot, really. I know other organizations will say, “Well, yeah, we can never get to 10, but we're going to try and get down to 20.” That's ultimately where you, you kind of want to be. And I think the, I think there's still a need for point products if you have a specific use case, but you're now seeing all this consolidation and this platform play that we're talking about. There is this capability where everything is microservices based, and you can ultimately run, yeah, microservices on platforms. It's a smarter way of doing these things.  

42:57

Yeah, absolutely. So we’ve got a few minutes left, so coming to the end. We’ve obviously spoken about sort of like, like things that are exciting, and equally, things that are challenging. But what about things that are unexpected? What have you kind of come across in the last year or maybe before that? It's like you kind of looked at and think, “Hmm, that was completely the opposite of what I expected to happen.”

43:22

Yeah, I think with, I mean, I can go back to AI, and I kind of knew AI was going to explode. I knew AI was going to take off. I think I wrote an article on this in like, 2014 ready for the AI age. And, yeah, we all kind of waited for it, waited for it, waited for it, and it was, “it's going to happen soon, it's going to happen soon.” I guess it wasn't, I mean, not this year, but, yeah, in previous years, well, didn't quite expect it, it felt like it was, it was never going to happen perhaps. It was like the use cases were not there for, I mean, ML, yes, we've had ML for many, many years. You know, we've seen value there, for instance. But the whole kind of, when we talk about things such as GenAI, we didn't, I mean, I was using a GenAI service many years ago, and it was, it was helpful. I was helpful from a note perspective and journaling all those kinds of things. It's really super helpful. And I was like, great. This is a great use case. But I didn't really quite expect all of a sudden, this kind of, the explosion of GenAI and AI usage. And it happened that quickly and almost as a surprise when I knew it was going to happen. But I guess that was a thing that was kind of the unexpected, how quickly in within weeks, it felt like whole organizations were now doing like originally, they were doing vendor assessments on cloud services providers and those kinds of things. And then two weeks later, they're now doing this on new vendors, and then also existing vendors who keep adding new features, which I think is one of the biggest challenges. So, like now it's like when I talk to any other CISO, they just say our team are just being inundated with new technologies, or existing technologies that have added this. It’s just, there's just been this explosion. So, I guess that was the most recent unexpected challenge. But yeah, so that was, that was a few years ago. We couldn’t live that a few years ago, but it's still here.

45:15

Nice. Awesome. I hope you, when you made that prediction, I hope you also bought a ton of Nvidia stock back then and are making good on it now. Let's wrap up, right? You've got great experience as a CISO. You spend a whole ton of time chatting to other CISOs, CIOs, key decision makers. For someone who's kind of starting their career in cyber and has an ambition of one day becoming like a CISO or a CSO, what's the bit of advice you would give them?

45:43

I think for me it would always be, I mean, say yes when you're given opportunities, even if it's not perhaps you think is your kind of in your career path, and you perhaps, say yes to it. And again, I would say, definitely, get out there. Speak to other CISOs, learn from other CISOs, right? When I started in this career, I wish I had, we really didn't have CISOs that I could ask. We had to kind of learn on the job. Yeah, I think now we have this great opportunity for, and I think most CISOs are quite open, happy to share thoughts, right? I mean, well, on this podcast, right? Sharing thoughts and experiences and these kinds of things, we're all, I think we're I, for me anyway, personally, I'd love to leave the industry in a better place than when I joined this industry, right? That's always a good sign that you're trying to give back. So for me, it would be, yeah, going, if you're thinking and you really want to be a CISO, go and talk to other CISOs and try and spend as much time around them. But also go to events. Go to if you get the opportunity to go to even like a dinner or something like this, and just understand how, hear about the challenges, and start thinking about how you potentially could help solve some of these challenges. We definitely need problem solvers in this industry, right? The more problem solvers, the better. If you have that kind of skill set or that appetite or that interest in the field, and you're a great problem solver, then this is definitely the career for you.

47:05

Awesome. Well, Neil, with that, thank you so much for your time today and you and your wisdom. It's been great having this conversation with you. Really appreciate it. Cheers.

47:15

Yeah, no. Thank you, Raghu.