Who Do You Need to Trust When You Build a Zero Trust Architecture?

Uggh, just saying “zero trust” sends shivers down security professionals’ spines. The term is fraught with so many misnomers. The most important is who are you going to trust to actually help you build that darn zero trust program? Are you going to look at a vendor that’s consolidated solutions and has built programs like this repeatedly or are you going to look for the best solutions yourself and try to figure out how best to piece it together to create that “zero trust” program?

This week’s episode is hosted by me, David Spark (@dspark), producer of CISO Series and Andy Ellis (@csoandy), operating partner, YL Ventures. Our sponsored guest is David Chow, global chief technology strategy officer, Trend Micro.

Got feedback? Join the conversation on LinkedIn.

Huge thanks to our sponsor, Trend Micro

Trend Micro Cloud One, a security services platform for cloud builders, delivers the broadest and deepest cloud security offering in one solution, enabling you to secure your cloud infrastructure with clarity and simplicity. Discover your dynamic attack surface, assess your risk, and respond with the right security at the right time. Discover more!

Full transcript

[Voiceover] Best advice for a CISO. Go!

[David Chow] Just because you made it to the CISO, continue to network. Continue to learn and continue to work with people within the industry. That will help you down the road when you start looking for a new job.

[Voiceover] It’s time to begin the CISO Series podcast.

[David Spark] Welcome to the CISO Series podcast. My name is David Spark. I am the producer of the CISO Series. And my cohost for this very episode, you’ve heard him before. His name is Andy Ellis, and he is the operating partner over at YL Ventures. Andy, if you were to make a noise with your mouth, it would sound like what?

[Andy Ellis] Like what?

[David Spark] A classic right there.

[Andy Ellis] It’s like who’s on first. My voice sounds like what?

[David Spark] It’s also like the old joke – walk this way. They do the same stupid, silly walk.

[Andy Ellis] Oh, we did that when I was a kid all the time.

[David Spark] It’s a classic. By the way, for the audience whose first time tuning in with us, where the heck have you been? But welcome at the same time. We’re available at CISOseries.com. This is just one of many programs we have on our network. We also have a live show on every available Friday, so please join us there. That’s Super Cyber Friday. Please join us. It’s a ton of fun. It’s one PM eastern every Friday. Our sponsor for today’s episode, who has been an early, early and repeat sponsor with the CISO Series… We adore them. They have been very supportive of us, so we are supportive of them as well. It is Trend Micro. You know they do a lot, and they brought our guest today, which we will be speaking about situations to consolidating vendors and how that applies to zero trust and where is advantages and maybe disadvantages. We’ll discuss. But first, Andy, I have something I want to discuss with you. You have noticed that your LinkedIn feed or I’m assuming is filled with people announcing a promotion. They’ve left a job. They got a certificate. They won an award. Something of that ilk. It becomes sort of like and comment baiting if you will, but it’s gotten so overwhelming that pretty much it’s become wallpaper, and I can’t respond to it all. But it is I think 95% of my feed now.

[Andy Ellis] Maybe that’s because you voted down all the stuff that was content, and so now all you get is the updates.

[David Spark] That could be it. No, there is not the option to vote it down. Does your feed look similar? Let me ask that.

[Andy Ellis] I think it does, and I think that what we’re really seeing is people are curating their LinkedIn content a little bit more right now. Maybe that does mean that people are changing jobs or looking to change jobs a little bit more, and so that’s what we’re seeing. That’s my current hypothesis. But I don’t have any data to back up that.

[David Spark] Well, also LinkedIn has made it kind of automated like when you change a job, it creates that post for you.

[Andy Ellis] Right, it creates one for you, and you have to carefully tell it no. I’ve run into a bunch of people who had corrected what they’d put in for the job they’ve been at for a while. And all of a sudden they’re like, “Oh, I’m sorry, I didn’t mean to tell you all I have this job. I’ve had it for six months.”

[David Spark] Yeah, I’ve noticed that, too. I remember changing actually on Facebook where I lived. I hadn’t realized it created a post, and then I got a flood of responses from that as well. The bottom line is I just don’t have time to respond to all of this.

[Andy Ellis] Right. And I run into this because I invest in a bunch of early stage companies, and most of them want me to just put it on LinkedIn so that it shows up that I’m a connection. Yeah, I have to remember to click no, no, no, don’t announce this as a new job. Partly because I don’t want any of the people who pay me to be like, “Andy, did you quit?”

[David Spark] [Laughs] That’s never a good sign. Then he goes, “No, blame LinkedIn.” But again, perception is not good. And once the perception is out there, ouch. Yeah, it would not be good. Enough of this. Let’s bring in our guest, who I believe has won many recent awards. Just got a lot of certificates. Changed his job five times. I don’t know. He’s posted all of these things on LinkedIn. But currently I believe his title is global chief technology strategy officer for Trend Micro. Thrilled to have our sponsor guest of David Chow. David, thank you so much for joining us.

[David Chow] Great to be here.

Why is everyone talking about this now?

4:32.825

[David Spark] “Is there such a thing as privacy anymore?” asked a Redditor on the cyber security subreddit. There was a flurry of response with the most popular response being, “Yes, but it’s less of a binary thing and more of a spectrum.” And there’s a “good enough” factor that can be achieved if you’re willing to put in the hours needed. Which seems a little depressing. So, Andy, I will start with you. Do you agree that there can be a good enough privacy level? What is that good enough factor? What does it entail, and what should we expect from that?

[Andy Ellis] So, I think the first challenge is that we’ve never really defined privacy well. I think historically it’s like privacy was, “Did you have an expectation of privacy?” And therefore you had privacy. But that basically means that privacy will trend to zero because at some point you don’t have any expectation of privacy anymore. And as an example, I just bought Airtags. Very controversial thing, but I lost my luggage over my recent trip. We eventually got it back. I had a friend who didn’t get their luggage back. I said, “Well, I’m going to buy Airtags because I have another trip coming up. I’m going to stick them all in my luggage so then I know exactly where my luggage wanders off to.” But in a sense, I have immediately given up any expectation of privacy because I’m sharing with Apple, who says they will share with law enforcement where my bags are. And so I think as long as we root privacy in this expectation concept, like you only get privacy if you took some reasonable step to hide, I think we have a problem. So, I think we need to redefine privacy because you can’t define good enough in a world where you don’t have any rights to be private. You just have this expectation of privacy.

[David Spark] I like that. That’s interesting. David, what do you think? Is that what our expectations are? Is that sort of the shift in our understanding of privacy?

[David Chow] I think from practical standpoint, when you look at how we’re leveraging browsers and we’re leveraging Google Maps, it’s actually helping us to live our lives better or easier, more efficient. But at the same time we’re giving up information.

[David Spark] Right, and this becomes a huge tradeoff. People find themselves giving up a lot of privacy for convenience. A lot.

[David Chow] Oh, exactly. Because what I’m seeing right now is that everything that we do, we’re giving up privacy. We’re giving up our information in order for us to obtain something. Even if you were to get a mortgage. The mortgage data… I used to work for a financial technology company. Mortgage data gets sold over, and over, and over. That’s how companies are making money. But at the same time, how would you be able to find ways to hide your data? You can sign whatever consent, whatever forms, but it’s still not going to get you to the point that you can hide yourself from the general public. I can assure you that there are people that can easily Google my information, my personal information even though I try to hide my personal information as well. To me, this is just a tradeoff that we’re signing up for more conveniences.

[David Spark] But is it like the cat is out of the bag? Because people said, “Oh, there’s a good enough factor if you’re willing to put in the hours needed.” I wouldn’t know what I’d be able to do to pull all this stuff back. Andy?

[Andy Ellis] Yeah, so I was at a law enforcement conference in the early days of social media, and I basically took a group of people whose job is to be very private… There’s nothing about them out there. I basically got up on stage, and I’d had the permission of the people who were at the conference. It was a closed door thing. But I’d taken high ranking law enforcement folks from the US, UK, and elsewhere, and I basically put up a slide in which I basically doxed them in front of this group. I had their permission because it was a trust group, and they’re all like, “How did you get this?” And I’m like, “This is all open source intelligence. But I’ve got your kids’ names, your home address, all of it because it’s all a matter of public record because those public records laws were written for a time when there was no internet.” And so you want to get what house somebody lived in, you’d have to go to the town hall to pull a record. Well, those records are all online now. You don’t have to go to town hall.

[David Spark] So, there isn’t a sense that we can pull this stuff back, can we?

[David Chow] I worked in government for 20 years, and it was nice seeing how a government operates. I think this requires really… There is a bipartisan sponsored bill in legislation that really pushed through and started to penalize companies that are selling those private…your information. Because if those companies are not being penalized then they’ll just continue to do the same. That’s the way that they’re generating revenue. To me, that’s probably one of the most efficient ways to make sure that we’re able to bring this cat back into the bag.

Are we making the situation better or worse?

9:30.895

[David Spark] What has the United States done the most to improve national cyber security? A little over a year ago the White House issued an executive order on improving the nation’s cyber security. In addition, homeland security tried to focus on six critical areas with 60-day sprints. Those six areas are ransomware, cyber security workforce, industrial control systems, cyber security in transportation, election security, and international cyber security. In addition, President Biden has implored all businesses to move towards building a zero trust architecture. We are all aware of the problems in these areas, and it’s impossible for any of us to know how we’re improving overall. But I’m going to start with you, David. I’m just looking for some anecdotal evidence you think that shows we’re moving in the right direction in any of these areas. What do you think?

[David Chow] I think we are. I think we have to give credit where credit is due. I think for the first part, President Biden actually starting to look at the impact from ransomwares and cyber attacks, cyber threats by putting this executive order together…putting together bills and budget dedicated for solving cyber security issues. So, I think that’s where we need to start with, and that’s recognizing that we have a problem. The subsequence to that is how we execute. That’s where I have my doubts. Obviously working in government for 20 years, are we truly going to achieve the maturity of the zero trust model? I highly doubt that, especially by 2024. This is not just the technology change. There is also a huge aspect on people and process. That’s very difficult in a government that’s being entrenched with the same culture over and over. But I do see where we’re going in terms of having a really good start.

[David Spark] What do you think, Andy? Anything anecdotally you can tell me on any of these?

[Andy Ellis] I think it’s really too early to tell. The United States is in a sense sort of like the Titanic – a really big ship continuously moving. Hopefully we don’t run into too many icebergs. I’ve done a lot of work on government agencies and with bodies like the NIAC, the National Infrastructure Advisory Council and the FCC’s Communication and Security Reliability and Interoperability Council. Talk about a mouthful there. And what you tend to see is two sorts of effects that will show up. One is just the government has a really big bully pulpit. When the president of the United States says, “Hey, we’ve got to solve ransomware,” that’s a signal to a lot of companies that you can’t just ignore ransomware. Your problem is the country’s problem now, and so you do have to tackle it. You don’t just get to wait and say, “Oh, well, now it’s the president’s problem to deal with.”

The government has historically been pretty good at using the bully pulpit to make changes. The place that it’s really good at is as a buyer and occasionally some implementor of technologies. So, what we need to look at here is not is the government solving the ransomware problem for some random company, but it’s are they solving the ransomware problem for themselves and creating this roadmap where people can say, “Oh, if I buy this technology from here and combine it with this best practice from there, that worked for my state and local who got the guidance from the federal government. And so I can do that for my local business. Because if it worked for my town that doesn’t have a big IT budget then it will probably work for me.” I think historically we’ve seen a lot of moves like that.

[David Spark] David, just to be hyper simplistic here, it’s kind of just like the CEO and upper management finally getting it and saying, “Guys, we’ve got to worry about cyber security.” But now we’re talking on the national scale, yes?

[David Chow] Oh, exactly. And for years. That’s somewhat of a conversation that’s been neglected. But with the Colonial Pipeline ransomware with the Russian cyber attacks on Ukraine, this is really…the current illustration is leveraging the current events to really push this awareness. A lot of times, this is what needs to be started to start moving towards the right direction. We hear about how SEC is going to change the ruling to make sure that there’s disclosure on breach, as well as making sure that the board has some sort of a cyber expert. In a way, this is to focus on reducing the risk for any organization and also reducing the risk for US government.

It’s time to play, “What’s worse?”

14:03.242

[David Spark] David, you’ve heard the show before, yes? You’re familiar with this game. It is a risk management exercise. I give two bad situations. You have to decide which one is worse. This one comes from someone who we have had on the show many times before. It is Jerich Beason, who is the commercial CISO over at Capital One.

[Andy Ellis] Jerich is awful. By the way, Jerich, I’m starting to hate you for all of these because they make it painful for me.

[David Spark] A good one that Andy struggles with is one that we love. I love it when people disagree with Andy. I’ll just leave it at that. All right, here we go, Andy – what’s worse? Getting hired onto a new CISO role and finding out your entire team is about to jump ship because of a toxic organizational culture? And I’m going to say that that toxic culture…I’m going to sort of amend this…is just that team.

[Andy Ellis] Oh, okay. So, the team was toxic, not the company was toxic. Okay.

[David Spark] Or having to report to a brilliant jerk in an organization with a great culture? Now, the way I see it is you could in the first case if they all jumped ship then you can replace them, but that’s going to take a hell of a long time. That’s going to be a lot of no fun. But there will be an end solution to that over time. The other one is you’ve got a great organization, a great culture, but you have to deal with the brilliant jerk that you must report to. So, which situation is worse?

[Andy Ellis] I sort of have to be careful about describing these ones because it is possible that I have some experience with one or the other of these.

[David Spark] [Laughs] Feel free to drop company names. That’s quite all right.

[Andy Ellis] Yeah. No, I don’t think I’ll quite do that. But the challenge for this one is these are so very different. It’s not even that I’m comparing, “Okay, I have one bad apple and another bad apple.” Like, “Oh, I’ve got a bad apple, and I’ve got awful tequila.” And so normally I’d be like, “Well, I’ll take the bad tequila over the bad apple.” But it’s really awful tequila. I think it comes down to who you are in this one. I have been in places where I worked for a toxic individual. I wouldn’t even say a brilliant jerk. I’d remove the brilliant from that. But I actually got a lot of fulfillment out of creating a nontoxic environment for the people who work for me. But it was draining and exhausting for a while. So, that’s really painful for you. I actually think I’m going to go with that is the worst one because, look, if I came into a place, and everybody jumps ship, and I get to start all over again…

[David Spark] But you were also dealing with nothing. The place is going to come crashing down pretty darn quick.

[Andy Ellis] Sure. That’s a challenge. That’s not that I’m burning myself, and my mental stress, and my cope [Phonetic 00:16:46].

[David Spark] You don’t think everyone jumping ship and you alone trying to manage everything isn’t going to burn you out?

[Andy Ellis] It’s actually really powerful because I get to take steps that I could not take otherwise. How many CISOs walk into an organization and have the budget freedom to basically go hire whoever they want to? Because literally day one I’m calling a consultant up. I’m calling somebody up like Dave Kennedy. I’m going to say, “Hey, Dave, who do you have that’s free? Because I need to borrow your best people for however long you can spare them while I hire an organization.”

[David Spark] So, you’d do like an MSSP patch?

[Andy Ellis] Somewhere between MSSP and literally it’s like I want all of your best people that you can loan me as consultants. I will just put them to work while I go hire. Do totally novel things. I’d get to write a book about it. That other situation, I guess I could also write a book about that and say, “Here’s how not to lead,” by writing a leadership book.

[David Spark] Which is coming up soon.

[Andy Ellis] Oh, hey, wait. I wrote one of those.

[David Spark] Yes. Yes. We’ve plugged this enough, and we will plug it more. Don’t worry, Andy. David Chow, do you agree or disagree? I’m going to guess you agree because there was a lot of head nodding going on while Andy was talking.

[David Chow] I have to say that I was the brilliant jerk, so I think that’s the worst situation for myself to be in.

[David Spark] If you were the brilliant jerk, or you have to report to the brilliant jerk?

[David Chow] For me to have to report to a brilliant jerk.

[David Spark] Okay, so what Andy said – you’re agreeing. Now, are you agreeing for the same reason, different principles? Explain.

[David Chow] I look at it more from the typical CISO risk management perspective. I can go into an environment, a bad culture, people know that’s a bad culture environment. I can present to the board. I can say, “Hey, I need to do what I need to do in order to make this environment better.” Everybody will know that there’s a reason for it – for me to be hired on. For the CISO to be hired on. So, the risk for me is actually lower compared to going to an environment, reporting to a person that knows everything, and then as well as having people to be able to support him or her. So, I would definitely choose the first scenario to be my scenario to move into. A bad environment where I can hire my people and be able to move my agenda forward. I actually have done that many times.

[David Spark] Yeah, but you walk into a place that was fully staffed. It’s now empty. Are you doing the same thing Andy does? Because the walls are going to come crashing down pretty darn fast.

[David Chow] Actually it’s not difficult to… Because I was the brilliant jerk that had a huge following, so I can steal people from those areas and come work for me again.

[Andy Ellis] I think I want to make this harder for the next one for doing this, which is what would be much worse is if you showed up, and that was actually a brilliant team with a great internal culture that they’re all leaving because the company is toxic. And so now you’re in a position where you have just lost the team that you came to lead except you’re not going to get great quality people coming in because you’re in a really, really bad situation where, “Oh, they left because…”

[David Spark] That seems like kind of a no win situation.

[Andy Ellis] That’s an awful situation, I think.

[David Spark] You’re never going to win there ever.

[Andy Ellis] Nope.

Please, enough. No, more.

20:02.093

[David Spark] Today’s topic is vendor consolidation. And within that, comprehensive solutions for zero trust architecture, which seems that most organizations are aiming for that. So, let’s start off and just say we’ve heard the debate for best of breed versus single or minimum vendors and the pro of consolidating vendors is dealing with the issue of integration. At the same time, we also know that multiple vendors also offer overlapping solutions as well. So, Andy, I’ll start with you. What have you heard enough about when it comes to vendor consolidation, and what would you like to hear a lot more?

[Andy Ellis] So, I think I’m tired about hearing this is a binary choice that you either are doing one or you are doing the other because the reality is you’re doing both. So, what I want to hear more about is how do you make that decision? I think one of the biggest conversation points I’ve heard in talking to peer CISOs about this is you often want vendor consolidation in places that are well understood. There’s not a ton of surprising innovation. I don’t want to say that, “Oh my God, if you built a commoditized product there’s no innovation.” I’m just saying there’s not like this niche that’s completely unaddressed. The vendors are incremental. Fantastic. You have things. But I generally am not going to say, “Oh, look, my end point security, I’ve got one thing on it, and I want to add 17 point solutions.” No. The point solutions are often the, “Hey, there’s some surprising opportunity here.” And so I want somebody who’s going to move fast with the expectation that in about three or four years either they’re going to build a big enough company to be the vendor consolidating into or they’re going to be acquired by a larger vendor and be consolidated into someone else.

[David Spark] All right, David, I throw this to you. I think you bring up a good point, Andy. It needs to be less of a binary discussion. Agree or disagree, David?

[David Chow] I would say that there is no comprehensive solution for zero trust. The statement itself is basically there needs to be a multivendor approach. But then the multiapproach needs to be able to seamlessly work with each other to present the necessary picture of the dashboard, the single pane of glass for CISOs or cyber security specialists to be able to take action very quickly. I know there are vendors out there. They’re advertising, saying that, “We’re the zero trust solution. We’re this, or we’re that.” There are actually multiple pillars. If you were just to look at President Biden’s executive order, there are five pillars in five different areas. There is no one single vendor in the world that offers all five areas. Even for the company that I work for, we don’t offer all five areas. But what needs to happen is that there needs to be a solution that can actually easily integrate with all the components, especially whatever that’s currently within the IT environment so that the CISOs are not wasting money or wasting any resources. But then having a way to aggregate data to be able to start achieving the zero trust goals. That’s probably at the lower maturity. If we need to get to the higher level of maturity of zero trust, there’s going to need to be a lot more resources needed to accomplish that as well as a lot more capabilities.

[Andy Ellis] I think, David, you’re really onto something. Zero trust isn’t a solution space. It’s a lot of solution space because zero trust is a concept, and it’s not a concept about an architecture. I even have a problem with zero trust architecture. Zero trust is a set of principles about minimizing back to giving appropriate privilege to various entities. That’s it. Whether that’s zero trust network access with products that are about intermediating, getting your end users to your corporate network or whether it’s around identity governance, or whether it’s around administrative access to things… There’s a whole bunch of different things that there’s no vendor who covers all of that. It wouldn’t even make sense to try to find one vendor to do every pillar. But yes, each pillar you probably do want to start to look for things that interoperate well.

[David Spark] So, let me ask you this, David – what are your customers saying when they come to you? What is the situation they’re in, or what is their stress level that they need your help in specifically? And does it run the gamut, or are there certain themes you’re hearing again, and again, and again?

[David Chow] It really depends on the maturity of that organization on cyber security aspects. You’ll have the likes of major companies…if I can name the company, Johnson and Johnson, that they actually have a fairly mature cyber security team. They’re even doing threat hunting because it’s critical. The information, the IP information, the privacy information, manufacturing blueprints, those are critical for their organization. What they’re looking for is looking for a way to mature their SOC, their security operating center. And then having a way to leverage the likes of XPR or the likes of having automation as well as machine learning built into part of their cyber security policy building that went into to their organizational risk management or risk tolerance. As opposed to for a much lesser mature organization, which is probably 80% of the organizations out there.

[David Spark] I think you’re being polite on that, by the way.

[David Chow] Oh, exactly. They’re struggling to build a SOC. Even when I was working at HUD, we didn’t have a SOC, security operating center, in place. We had to outsource and start out with a managed SOC. And then later on, we start building our internal SOC.

[David Spark] Just like our “what’s worse” scenario.

[David Chow] Oh, exactly. So, if the CISOs do not know what’s in their environment, how would you be able to defend that? So, to me it really depends on the complexity of the organization, the maturity of their cyber security practice, as well as the resources that they’re going to put in as part of their risk management in the enterprises.

[David Spark] Just quickly for the ones that are on the less mature side… Because I’m sure it’s a lot easier to work with the ones that are more mature. You have more advanced sort of conversations with them. But the less mature side, they’re just like, “I know we have to do this architecture. I’m not fully grasping it. I don’t know what we do have that’s dealing with this.” Is that the level of conversation that you’re having? Like, “All right, let’s sit down and see what you got and see what our roadmap would be to get there.” Because that seems like kind of the logical progression, yes?

[David Chow] Yeah. So, very simple example. Actually I was talking to a South Africa financial company, and what they’re struggling with is actually to start out understanding their perimeter, understanding their boundaries. And so our recommendation…my recommendation to them is to start out with a managed SOC. Once you have a managed SOC, once you start maturing the initial steps of managed SOC, you’ll be able to have visibility within your environment. And then based on the environment, start refining the process, the security policy, organizational risk tolerance, as well as potentially starting communication with the board on investing into a self managed SOC. A lot of it is really, like you said…a lot of the conversation with 80% of the companies is to start out with those initial concepts and understanding what’s within their environment, how do they secure it, having the necessary practice, and then starting to mature it.

That’s something I’d like to avoid.

27:35.413

[David Spark] Andy, is the introduction of low code/no code programming tools the next wave of Shadow IT? This is the way I perceive it. Or maybe Shadow IT 2.0. Low code or no code tools are web based applications that allow a nonprogrammer to develop simple, often drag and drop applications and deploy them. In an article on Dark Reading, Steve Durbin of Information Security Forum notes that according to Gartner, 70% of new applications will be developed using low code and no code technologies by 2025. That seems a little scary to me. If that’s even half true, that’s going to be an enormous problem. First, do you agree? And if so, should you just roll up the security training you have for developers into the overall security awareness training you do for the entire company? I’m not getting the sense that more security training is going to sit well with the masses. What’s going to stop this potentially very hazardous situation? And do you agree this is hazardous? Where do you stand, Andy?

[Andy Ellis] I think it’s somewhat hazardous, but it’s also not surprising. I do love calling it Shadow IT, but that’s mostly because I have a different definition of Shadow IT than most people. To me, Shadow IT is created because the CIO organization has a bunch of lampposts that they put out where they say, “This is the work that we will support. If you don’t operate under our lamppost, you are Shadow IT. You’re a problem.” Not, “We’re the problem because we didn’t put a lamppost where the business needs us to be.” We’ve seen this idea of low code/no code apps for a long time. Let’s be honest – Salesforce is a low code/no code app. It’s not really a visual app. There’s a little more, “Okay, you have to go do different things.” But we’re seeing better and better visual tools on a lot more platforms. We see integration platforms like Zapier or Ricotta. We see all these different things that connect that create business application workflows that anybody can put in. The real problem is that we are making anybody put them in rather than having people who understand process and application engineering supporting our business. So, if you want to solve this problem, it is not by yelling at the people who are moving the business forward and telling them to do it more slowly. It is because we’re not actually helping to move the business even faster. Then on the point of the security training, I think I’ve made it very clear on a lot of past shows the very negative view that I have of most standardized security training. I do not think that we would get this one right.

[David Spark] Okay, so that is not the answer. David, how do you feel about sort of the next wave of low code/no code? Andy does make a good point that Salesforce is kind of that. Is this a new mountain problem that is looming if it does grow to the 70% level that is perceived by Gartner?

[David Chow] I actually disagree with this statement here. I agree with Andy. When I was working at HUD as the CIO, we actually leveraged low code/no code using Salesforce to deploy capability to migrate away from the mainframe, which the agency tried for the past 20 years without success. But by leveraging Salesforce configuration, we were able to get it done within 18 months. We’re actually saving the industry 200 million a year for a mortgage industry with transaction of 1.3 trillion dollars.

[David Spark] So, you’re saying the opposite. This could be a boon to security.

[David Chow] I would say that it has to be controlled. There needs to be gates. There needs to be ways that we’re controlling the provisioning as well as deployment of the low code/no code capabilities. So, as a CIO, I was able to really control the security authorization to operate assessments and making sure that I’m abiding by the security policy that our team put together before we actually deployed. That makes a huge difference because not only were we able to expedite and accelerate with greater velocity on achieving digital modernization, but we also leveraged a government [Inaudible 00:31:51] certified capability to reduce the overall time needed for security assessments. So, I think that this is actually…if this is controlled properly and also with the right security policy in place, this is actually a great tool for the CIO to accelerate and leapfrog a lot of the legacy environment that’s currently existing within any corporations.

Closing

32:14.788

[David Spark] Excellent point. And a good point to close out today’s episode. Thank you very much, David Chow. And thank you very much, Andy. David, I let you have the very last word. Please make any plugs, or offers, or anything special you want to make for Trend Micro. And the question I always ask our guests is are you hiring, so make sure you have an answer for that. I do want to thank your company, Trend Micro, for sponsoring this episode and just being a spectacular sponsor of the CISO Series. We greatly appreciate it, your long-term sponsorship. I want people to know, they were the first company to sponsor the very first episode of our new show, Cyber Security Headline, which has been our fastest growing show. It has grown tenfold in two years. It’s been unbelievable. So, they took a chance when it was completely unknown, so thank you to Trend Micro. Andy, any last words on today’s episode?

[Andy Ellis] I want to do a shameless plug for an idea for a product I want, and I want David to go build it. So, this is a great time to build it. I want zero trust EDR. I want an endpoint defensive solution that does not give administrative access to the company. That’s what I’m looking for. It can report out and say, “Hey, here’s what’s going on here.” But my devices are connected to me, not to some random system admin somewhere. I think that so many of our vulnerabilities are tied to rampant administrative access. Just go look at SolarWinds, NotPetya, you name it. So, that’s the plug that I want. I want zero trust EDR where the people I don’t trust are the admins, not the users.

[David Spark] Aw, very, very good. David, you may or may not answer that response? Is there a zero trust EDR on the horizon for Trend Micro?

[David Chow] Yes, absolutely. Thank you for the great plug. Our XDR capability, Trend Micro Vision One, actually offers the necessary control for cyber security specialists, SOC specialists to be able to take away those administrative nightmares or any vulnerabilities from people with system admin rights. But also it’s given the dashboard, the single pane of glass that I was talking about, as well as API integration with our competitors, existing capabilities so that we’re able to present an overall view for any IT environment and be able to take the necessary action and uniform actions based on the cyber security policy as well as the risk tolerance within an organization. Yes, we are looking to hire. We know that this is a really hot field within the cyber security area. We’re always looking to hire good people. Definitely reach out to me through LinkedIn. Or go to our website. We have our jobs posted there as well.

[David Spark] And will it help if they said they heard you here on the CISO Series podcast, David?

[David Chow] Most definitely.

[David Spark] There you go. That’s what I wanted to hear.

[David Chow] I will pay special attention if it’s mentioned.

[David Spark] There you go. Maybe put it in the subject line, “I heard you on CISO Series podcast.”

[Andy Ellis] Yeah, but we only want you to do that if you’ll make the CISO Series podcast look good as a listener. If you say that and then don’t get hired, David is going to be like, “Dang it, why did I show up there?” So, make sure you get hired.

[David Spark] Yeah. Oh, yeah, make sure. Yeah, as simple as that. Just make sure you get hired. I have, by the way, heard many, many stories of listeners getting hired through our programming. In particular our weekend show, because it’s live. People get face to face time. It’s even better. So, yes, this is great. But also come to our weekend shows as well. Or our Friday shows. David, anything else you want to plug about Trend Micro?

[David Chow] I’m good. The one other part is that I started out talking about CISOs continuing to network. So, we are actually in the process of looking at establishing an advisory board with CISOs and CIOs. So, definitely that’s a good way to start having this conversation. And thank you for having me.

[David Spark] We loved having you on. You were fantastic. Thank you, Andy, as well. And thank you, Trend Micro. And thank you to our audience. We love your contributions. Please keep them coming in. I could use a lot more “what’s worse” scenarios. Keep those rolling in. I love getting those. And as always we appreciate you listening and contributing to the CISO Series podcast.

[Voiceover] That wraps up another episode. If you haven’t subscribed to the podcast, please do. We have lots more shows on our website, CISOseries.com. Please join us on Fridays for our live shows – Super Cyber Friday, our virtual meet up, and Cyber Security Headline – Week in Review. This show thrives on your input. Go to the participate menu on our site for plenty of ways to get involved including recording a question or a comment for the show. If you’re interested in sponsoring the podcast, contact David Spark directly at David@CISOseries.com. Thank you for listening to the CISO Series podcast.