Speaker 1: 0:09

Welcome to Simple Talks, the new podcast by Securonix. I am your host, augusto Barros. Today is the first edition of Simple Talks and our first guest is Scott McCready, ceo of Sol Cyber. Scott is an old friend of Securonics and it's an honor to have him here with us. Scott, why don't you say hi and introduce yourself and Solcyber, of course?

Speaker 2: 0:33

Yeah of course. Thanks, Augusto. Always a pleasure. You and I talk relatively regularly, but to be the first guest is always a cool thing To everybody out there. Scott McCready, CEO founder of SoulCyber. I've been in the managed security services space most of my career, because I was actually an engineer by trade and training and, just by happenstance, when I came out of university, there was a world of web hosting was getting started and security was trying to be figured out. For those who have been around, a minute, I got my teeth. Got my teeth on the old Nokia appliances where you'd hit one for checkpoint and two for ISS real secure and I was deploying those all around the world for EDS. At the time we didn't know what to do with the data and so EDS had a lot of Knox network operating centers really cool NASA things, where you pull the screen back you see all the big, huge screens.

Speaker 2: 1:28

But there was no such thing really as a SOC, and so I started setting up security operation centers for them, which led me into working for a company called RipTech and Symantec, which was the very first MSSP Back in the day SIEMS, if anybody's familiar with SIEMS. But SIEMS are the tools that take the data, that do the analytics. They were so heavy that you sort of had to. They were difficult to put onto enterprises, even large enterprises, and so we got started in managing firewalls and then data collection analytics like very early stages of ML, in order to try to find when malicious actors were getting into organizations. So it's been a great run.

Speaker 1: 2:08

Right, yeah, you know you triggered some kind of PTSD on me. Here mentioned kind of Nokia appliances. I remember staying kind of in those cold data centers in the middle of the night trying to figure out what to put on the ARP tables to make the load balance work. Everything is coming back now.

Speaker 2: 2:27

We didn't have Google yet that sort of believed that data centers didn't have to be 55, 60 degrees. So you'd wear these big, huge jackets and be inside trying to figure out how to make all the internal networking work.

Speaker 1: 2:40

Yeah, it was going to be fun times. I think one thing that I'd like to ask you kind of you kind of being with a service provider and in the cybersecurity space, many organizations are often kind of looking into that discussion about doing things internally versus relying on service providers. So what is the actual value of a managed cybersecurity or managed security service provider? What do you think is the major value that an MSSP can bring to a customer?

Speaker 2: 3:22

Sure, I think it's really morphed over time and part of the reason for SoulCyber is we're trying to continue to morph it. But if you think about maybe like three or four buckets. The first one is large, sophisticated organizations. They oftentimes have the capability to do sort of everything they need to do from a security standpoint, but they're also in a position to have the financial advantage to be able to say it would be helpful to have a set of people who do this all the time as a second pair of eyes to make sure that we're not missing something, and to consume the stuff that the MSSP provides. So I think large organizations that really are looking for, you know, belt and suspenders to make sure that things are working. The second type of organization is an organization that says, okay, I've got a couple of good people, but I definitely don't have 24 by seven. There's no way I'm going to build it, it doesn't make sense to have it, I'm not going to have staff people over the weekend. It's just not, you know, doing high level security, detection and response. It's just not something that is our. You know, all of us went to business school like our. You know, stick to the knitting. It's not core to what we do, and so they're looking for someone that can really tell when something bad happens, you know, especially off hours, weekends, things like that and so those are pretty linear value props, which is like we need. We have a reason. That's very clear. I think.

Speaker 2: 4:44

The third type, which is where we spend a lot of time, is organizations that have a couple of good people but they're looking to up-level their security sort of more holistically. Sure, they want to be able to have advanced detections. They need people that are really good at doing response. They need a set of skills that traditionally a large organization would hire out, or staff from four or five or six different people. They need skills across those, but they're never going to be able to get that in the two people that they hire.

Speaker 2: 5:15

The third group is saying I need the detection and response, but I also want somebody I can call, ask questions to, I can tap them on the shoulder, I can get advice around other things. We call it peacetime. So if you assume and the data sort of shows that you know you get most organizations have sort of one-ish type of sort of more aggressive type of attack a month. They've got a lot of other types of attacks that you can block. But outside of that, how is the MSSP helping them? And I think that's really the third area which is saying okay, there's a lot of other things most organizations are looking for advice and information about, and I think that's the third value piece which is okay. In peacetime, how do we continue to ratchet that security program into a better place?

Speaker 1: 6:00

Yeah, I love this piece that you mentioned about during peacetime and I believe if we look into the MSS pieces as different generations, I think the first generation was basically that device management kind of thing, and I think that was because we inherited that model from the old telecom times. So it was kind of oh, the company's going to do and manage services for telecom devices, so OK, you're going to manage that box, making sure that the lights are still blinking, et cetera, and then we move into managing alerts. Ok, the box spits out an alert and then you call someone to do something with that alert. But I'm happy we are moving beyond that point. And I think this point you mentioned about the peacetime advice and also probably holding the hand of the customer when they're trying to do or to take a more continuous improvement approach, it's something that wasn't something that was there in the past and I think it's really increasing the value of MSSPs these days.

Speaker 2: 7:09

Customers will say you're a modern MSSP. I think third generation may be a great way of phrasing it up too.

Speaker 1: 7:15

That's right. Or the old question about MDR or what MDR is. I think, if we start seeing, I was still a Gartner when MDR started to become more popular and it was interesting to see how the R piece came into play, because before that you couldn't imagine unless it was part of a major IT outsourcing contract, like those with EDS, ibm, hp, etc at that time. But usually you wouldn't see the service provider putting their hands on the environment. I think at MDR kind of had changed that kind of quite a lot.

Speaker 2: 7:54

But this too, like I remember when we first we were at Symantec, and so they were like, hey, can you do something with Symantec endpoint protection? And we're like, well, the only option we have is to hit the button that says scan the machine. There's not a lot of value we can add. And so that was really the genesis of the transition of the endpoint tech to be able to do obviously EPP and EDR, but the detect piece but also the response tooling. But in order to do the response, well, you have to have people that know those pieces. But ironically, one of the things with MDR- you get is.

Speaker 2: 8:28

it's manage, detect and respond, and so a lot of customers that use it say the response is great from other people, but who's doing the management and the detection piece right? And so to your overall point it's been great that there can be higher levels of service delivered through the tooling, because there's some great tooling out there these days.

Speaker 1: 8:47

Yeah, I think the EDR was really almost a big difference in the moment, because how would you respond into a customer environment before EDR? I think EDR brought those capabilities where you could do something in the customer environment. It was not just kind of bringing someone physically there right With a USB drive or a disc, right For us, right For a little more time around.

Speaker 2: 9:12

yeah, Scripts right. I mean, if you think back to, like you know, the Mandiant days, they would land on site and they'd have a bunch of scripts. They would run right. And so EDR was like this you like this process. That over time was like okay, how do we take the scripts and move it into something productized? That is actually much more sophisticated.

Speaker 1: 9:35

I think we see the MSSPs have evolved quite a lot. And there was something that I noticed. I was in one of those event forums forums that kind of have kind of those big kind of boardroom discussions with multiple CISOs right and they talk about their problems et cetera and there was something that happened in the last discussion I was part of and I noticed that there were really kind of very large enterprises in that room. There were really very large enterprises in that room. Many of them, if not most, were actually relying on MSSPs. That struck me as different, because a few years ago I think it was common to see mid-market or the average organization relying on MSSP, but there was always this of this impression that the larger organizations would do things by themselves, right, but then kind of in that room I had this kind of large number of large organizations that were actually relying on MSSP. Why do you think this is happening now?

Speaker 2: 10:41

Yeah. So the irony is so take any large organization and let's assume that they have essentially enough budget to do whatever they really need around security. Whatever they feel is important, they're going to be able to get the budget because, relatively speaking, for a large company it's a relatively small dollar amount. Come to find out is, even if you have four or 500 people in your security organization or more, there's still a set of skills and capabilities that is kind of hard to have on demand all the time, Right? So think of it as, as we used to joke, like the security team was a baseball team, right? So you had your your pitcher or your batter, who is like world-class, like, you know, all-star player, and then you had your a few people that were really solid, and then you had other people that are really good because they're still professional level baseball players but they're not going to the all-star league every year, and so getting access to the talent and then getting access to the consistency and the repeatability is something that a lot of these organizations backstop themselves with. So what we joke about is it's super sexy when you find something like really nefarious happening and you catch it and you get them out of the organization. That is super sexy.

Speaker 2: 11:58

But there's a sad reality of security operations which is really what we do, which is a lot of what we do is very unsexy.

Speaker 2: 12:06

So it's this consistency of repeatability of the program that is a lot of time what organizations are paying us to do.

Speaker 2: 12:13

And so I make this joke like do you know, running phishing simulation, security awareness training, super basic, everybody can do it.

Speaker 2: 12:21

We do it for a lot of companies because they just got to a point where they're like it just doesn't make sense to have my people doing that. And so I think what's happened over time is that these large organizations have gotten a lot smarter about the use of their resources and the ability to backstop those resources with managed security services providers, because they just know it makes sense. Because they just know it makes sense. Sure, it's great that they have people that can be looking at dashboards and reviewing incidents, but does it make sense to have them do that all the time? Or does it make sense to take some of those resources and shift them left and push security more into the productization of their service offerings that they're building that, their SaaS or something like that? And so we see a lot more of that happening in organizations trying to get their smart, talented people into the higher value aspects of security and then maybe a little bit less out of the day-to-day operational programmatic aspects.

Speaker 1: 13:14

Perfect. You mentioned something about the different skill sets and specialization. I remember when we were writing the first edition of, we wrote a document back in Gartner a few years ago. That was how to build your SOC. One of the things that we mentioned in that document was every SOC these days is an hybrid SOC. It is because of all the skill sets that you would need, depending on what type of technology is affected by a breach, by an incident, and everything that could happen in your organization and all the requirements now related to threat intelligence collection, et cetera. You need these services, this almost satellite services around your SOC. For the situations where you need to debug an Android malware, we will have an Android malware reverse engineer on the bench just waiting to be deployed. We can probably count on the fingers the types of organizations that will have that type of resource. I think that for those cases, for the large organizations, that was something that we used to see already those satellite services that will come to complement the core of the SOC that you have there.

Speaker 1: 14:26

But what surprised me in that last discussion was that these large organizations were also interested in relying on service providers for those core components as well, and one thing that I believe is one of the main reasons there is the increasing complexity of the tool set. With Securonix, we have our SIM UPA. It's a secure operations platform. We do everything to make the user experience the best possible, but it still does a lot of things. The complexity is there and anyone that will come, any competitor, will come and say we can eliminate that complexity. They're just lying. There is an intrinsic level of complexity in what our solution does and I think my impression is these large organizations are starting to think like oh, the level of complexity that the core components of my SOC have is so high that I need someone. Regardless of having the ability to do that on my own, on my needs to customize things to my business, I still need someone that will manage that complexity for me.

Speaker 2: 15:46

That's right. I think you're right. The care and feeding of the tools these days is significantly higher than it used to be. So back in the day we were all networking people and we would figure out how firewalls work, because we could sort of understand that. But you think about the care and feeding of a complex SIM that has user behavior analytics. That is not trivial. You think about the ability to do response, like deep level of response on an EDR tool. That is not trivial. That is significantly more advanced than the old AV tools.

Speaker 2: 16:19

You think about SOAR integrations and API connectivity and the ability to do response across a wide variety of different types of components. You think about UEBA and how it ties into identity and then you say, okay, well, if that's tying into identity, then how do we look at fraud and tie in a process to a response capability? And so I think the ability to have people inside of an organization that understand all those components is challenging. Especially I love the Android, like reverse engineer, android malware, especially when they're not a regular function Right, and so obviously organizations like us can have people that do that for different companies. So we get a lot more.

Speaker 2: 16:55

We get them off the bench right they're. They have a higher level of utility because they can be utilized against a variety of different companies, and that really is, is useful, and so you can get a broader skill set at your fingertips as an organization by using somebody like us. It's funny, because we still run into sort of, especially in the mid market. No, you know, a thousand employees, two thousand, five thousand, or they'll still have a few people that want to do it all. We're're like knock yourself out, go for it. Then, after a while, they're like it's great that I can do it all, but it is also nice to be able to call somebody.

Speaker 1: 17:26

I think that's a similar scenario of build your own stuff, the same in UPA space. I've seen many organizations look at the tool set that they have for data management, for analytics, and say, hey, I will build my own.

Speaker 1: 17:39

I don't need an off-the-shelf solution for this. They will go, they will do all the effort. They can say you know what it's working, but it takes a lot of effort. That's right. I got to go back to the shelf because there's a lot of complexity at work behind the scenes than many times these organizations do not realize it's there. That's right. We're talking about services and how they can help organizations, but there is another component that is now essentially in all discussions about security operations or maybe security in general. That is AI. But I think we're hitting 20 minutes, so probably I'm allowed to say AI by now. Yeah, but what do you see as the role for AI and how it will evolve on the context of security operations? Is this the end of the sock as we know it? How do you think this thing will evolve?

Speaker 2: 18:41

Obviously a topic that comes up all the time, and it makes sense that it comes up in our world because we're a people-heavy business. I mean, running security operations and having security operations centers involves a lot of people. It involves people at weird hours, at weird times of the day. You've got to have people that are sharp at three in the morning. How do you do that? And then also there's a lot of institutional and sophistication in hunting down knowledge. So when you see a set of data and a set of alerts, how do you validate that? And how do you validate and then figure out who it actually is? And do you need to get the attribution? Is this a nation state or somebody else? So it's just a lot of work. There's a lot of training that goes into all these pieces, and so it's a natural place for people to ask does AI? So I think to me, obviously, the key piece is the adversaries are gonna be using AI, already are using AI. So we already know that the aggressiveness, the breadth and the cleverness of the adversary is going to get more sophisticated because of AI and they can throw stuff at the wall and see if it sticks faster than we can, sort of like properly plumb AI through an operations center. So what do we know? We know that they're going to get better. They're going to get more sophisticated, probably find more zero days. They're going to be able to have breakthrough and breakout of of machines that they have access to faster.

Speaker 2: 20:09

So then the question is, what are the defenders do? Well, I think you're going to see AI sort of in in the onion model. So the first is going to be in the tooling. I mean, you got you guys already do stuff in it, some of the other tools that we use. So you're going to see it in sophistication of the analytics, first of all, out of the variety of different tools. Then the second place I think you're going to see it is in the ability to gather data. So if you think of chat, gpt, what does it do? It gathers data and it presents it to someone in an easier to consume manner.

Speaker 2: 20:37

So I think you're going to see threat in the ability to detect threats and detect unique types of threats described to a SOC analyst faster. And so, hey, I see all these alerts. Ai says, hey, we've seen that before. Here's who it is. It's most likely this nation state or this type of attacker. And this is how the TTP the tools and techniques and the processes that they use and that's how we validate. So I think you're going to see the data presented similar to chat GPT, but think chat GPT threat to an analyst. And then I think the third thing which is going to be harder to do is if you think of an AI assistant for an analyst, it would be great and most of the analysts would like the process of saying, okay, is there a mini me? Right, that's an AI assistant, and I think that's going to be harder to recreate. But I think that would probably be like step three as you plumb through AI throughout the SOC operation process.

Speaker 1: 21:36

Yeah, I think that's going to work. I was reading today a couple of articles about agentic AI and how that can help on the SOC. I think it's a promising space. There's still a lot to go. There is also the confusion about what LLMs can do. I think the impression of kind of cognitive capabilities that we have from these things right, kind of throwing out kind of very good text right Sometimes are deceiving because you start believing that that's very large, auto-glorified, auto-complete can actually kind of produce detection logic. It may be able to for things that, things that are very close or related to the training data set, but if you bring a completely novel threat and ask it to produce a piece of detection logic, will it be able to do that? And that's something that I believe we're still far distant from and I think the humans that are involved in detection engineering, for example, they are safe for now.

Speaker 2: 22:41

Their jobs are safe.

Speaker 1: 22:44

They would be far more productive because these tools will help on productivity. But a lot of that cognitive load that you have in translating what you're seeing from the threat behavior to what you need to put together from the detection logic perspective is still something that we can replicate with a machine.

Speaker 2: 23:03

So I think that term uses productivity. I think we're going to see it impact productivity faster than any kind of impact to people as far as, like you know, replacing humans on the detect and respond side. So I think productivity is a great way, is a great buzzword that you're going to see. I think that's going to be the first major place that you see impact on the SOCs.

Speaker 1: 23:23

Yeah, and if I can tie this back right to where we began the conversation today, do you think that technologies leveraging more of these AI capabilities can become a competitor to managed security services?

Speaker 2: 23:40

It's a great question. Obviously it's something that we talk about in the industry quite a bit. I think what you're going to see is the detection respond. You sort of have to assume the attacker is going to get better, so that means the detection response is going to have to get better, which is kind of hard to see. How that disrupts the traditional SOC capability because you're still going to have to have some layer of people over the top of that.

Speaker 2: 24:06

But what I don't see and this is why I think call it third gen managed services or modern managed services where a lot of the strategy and support and tying into frameworks and all these other things I don't think that goes away. I think maybe the MSSP has become more consultative and a little bit less primarily dominated by data analytics, which is really where Gen 1 and Gen 2 was. Gen 1 was like hands-on keyboard let's change all the firewalls. Gen 2 was data analytics. I think you're going to see a combination of those two play out with a more consultative aspect, which is, I think, where we are in Gen 3. And you got to imagine that's got a few years to run.

Speaker 1: 24:48

Right. Do you think that AI can help us with the skill shortage we have on this space?

Speaker 2: 24:56

This is one of those things where I think the skill shortage is really a byproduct of sort of the, the haves and the have-nots. I'm drawing a complete blank on the, the famous line of the um the poverty poverty line yes, sir, thank you, thank you, thank you, and so we do for the larger companies.

Speaker 2: 25:15

They're just sort of like they can get the people. It's just whether or not they want to pay the price. So you have that aspect we can get the people because we know how to go find them and we can train them and all these other things. The third area is whether or not companies sort of want to take security seriously, because it's a lot of companies out there trying to do bare minimum levels of security, and so I think the skill shortage is a solvable problem. It really gets driven by whether or not a lot of the organizations that we work with and talk with want to solve that problem, because you can get that through leverage. You can get that through leverage of whether or not it's AI or MSSPs or all these other places, but I think there are enough leverage points these days to really get ahead of that.

Speaker 2: 25:58

Where I think we still do have a skill shortage is what I'd call the architect the smart, creative type person that really has the ability to understand the different tiers, and this is sort of what everybody's looking for. It's like okay, do they understand the heart of architecture? Okay, then do they understand cloud architecture, then do they understand how security fits into it, and then do they understand how you put security into the coding and so you can shift all that left. That is where I think, when we talk security skill shortage, I think that is a significant one and we're still going to struggle to see that. And again, I don't know if AI sort of solves that or not.

Speaker 1: 26:34

Right, I don't think it will solve it right, because I think we will end up going back to that discussion about replacing humans. But, as we mentioned before, it is a matter of productivity and I always brought up when you have those internal or those large stocks with 20, 30 people there, there's a point where the CISO cannot go anymore right To go up upstairs and say, hey, I need more people. There is a point where, kind of the right, either the board or the CEO just laugh and said come on, you have, I cannot have more security analysts than I have people selling my product. Right, that's right.

Speaker 1: 27:14

So, there is a point where productivity needs to improve and I think that's really a very strong component where AI will help us, either for the organization that does things on their own, because they will be able to keep up to the threats without becoming an unbearable cost center, and also for the service providers, because that would actually help you with the bottom line, but you can actually kind of deliver a higher quality service and still kind of being able to keep the price in a in a reasonable level. That's right.

Speaker 2: 27:50

And that's really the key piece on our side is we know that the pricing. We have to keep it as competitive as possible, because that's the only way certain companies can get into this. They want better security, but they still have to. You know, it's a competitive world that they live in, right? They're competing against other people, so they're trying to keep their costs down and, at the end of the day, security is a cost, and so I think that's a really big aspect is if we can drive down the cost, especially for, like you know, our world of managed security services, that Right.

Speaker 1: 28:24

So far we've been talking about the defense side, but I'm very biased toward the defense side. I think that we have enough people talking about threats etc. But let me ask you how do you see threats evolving, going into the typical beginning of paragraph, anything that you ask, security for, chat, tpt it starts with the evolving threat landscape. What does the evolving threat landscape look for you?

Speaker 2: 28:49

I'm sort of lucky because on my board I have a variety of people that live and breathe this, from an ex-general, a four-star general, to people on the VC side. In this conversation I ask a lot. I think there's a couple things that are super interesting. So one you look at, for better or for worse, nation state conflicts tend to engender creativity. When it comes to threats, you can Russia and Israel around, how people start trying to think about threats, drones and AI, and so just a the first thing I'd say is organizations we talked to are asking us a lot more, just like you are saying OK, do we need to be worried about things that we've never actually thought about in the past when it comes to the modern, because we can all see with our own eyes that things are changing quickly when it comes to technology on the threat side, so physical and cyber. So I think that's just one thing that we all are feeling, and that feeling, I think, engenders some level of uncertainty, which obviously all of us don't really like uncertainty. So first thing I'd say is that. Second thing I'd say is, if you think about the intelligence that can be built into AI, for the defenders it's hard to plumb it through, because we have to plumb it through in a way that's repeatable and processable. If you're an attacker, you can literally just say, okay, I'm going to have artificial intelligence and a bunch of different bots and agents that can talk to each other and say, okay, I want you to go play capture the flag, and you can literally have them spin themselves up and spin up other patterns.

Speaker 2: 30:30

And so I think the thing that terrifies most of the people with whom we speak, and even on the defense side and even the tooling side, they get very nervous about what is that going to look like, because we sort of don't know. But you can imagine like if I were putting my you know, black hat side on, that would be the way I'd go about it. I'd start playing capture the flag games with AIs and pulling out the processes of what they're doing, and I think the ability to do that at speed and at scale is something we've never, ever seen. And so I think you're going to see the ability to have more successful attacks because of the fact that you can really dial into primary levels of beachhead locations, whether or not that's socially engineered VAI or whether or not that's actually technical gaps that are out there.

Speaker 2: 31:17

The ability to scan the internet we all know is fast. Can you do that faster? Can you see? Could you see if somebody fat fingers RDP somewhere? Can you know about that instantaneously, versus actually getting lucky because you stumbled across it on a scan that you're running? So I think all of that is going to lead to faster and more sophisticated threat attack patterns and I think it's TBD on how we sort of defend against those. What's your take on it? You live in this space too. Similar feeling, have a different take on it.

Speaker 1: 31:52

Yeah, it is a similar feeling, I think. First, there is one thing I usually kind of am conservative in terms of expectations of big leaps in capabilities for threat actors, because usually what they need is just going to be able to be slightly better than the defenses. So they usually will not put much effort into developing capabilities when they do not need those. They're very cost-effective in general. But an interesting thing and I think you referred to that is the threat actors with AI in their hands. They have the luxury of being able to put that AI to work and to learn from its mistakes while it is attacking the entire internet. So it just kind of, as I said, throw it out and say, okay, go find something to breach and if you are locked out or if you lose access, learn from that and keep going. They have almost the entire internet as a play field to learn and to maximize the results of the techniques, et cetera. So having actors that will take that approach of a massive use of this entire target area that is the internet to make these models, or these malicious models to learn how to attack in a more efficient manner, that can really become more serious. You'll see script kids evolve into an APT level of capabilities in a very short period of time and how we will react to that as a defense side is something that we really need to put a lot of thinking to find how to best address that. It's still being productive, as we were saying before, that's right. As we were saying before, that's right. Let me go lighter here, scott. We are kind of getting close to the time here.

Speaker 1: 33:54

I was kind of on LinkedIn one of these days and I found an interesting post from SoulCyber. Right, there was a quote there and kind of asking for people's perspectives. Right, it was saying as the world is increasingly interconnected, everyone shares the responsibility of securing cyberspace. So he was asking okay, how do you interpret this quote in your daily work? Right, what's this one small action everyone can take to contribute to a more secure cyberspace? What would be your answer for that?

Speaker 2: 34:25

There's a couple things that I'm like. These are like the basic basics which a lot of people don't don't, do you know? First of all, ironically, mfa is still something we talk about to organizations all the time and I talk about it to people all the time, which is multi-factor authentication, for I'm assuming your audience, like this, is podcast number one. So but for, if they don't know, but it's the ability to have some sort of third party text message or say you know, ability to validate that you are who you say you are when you're logging into stuff. It's probably the the biggest bang for your buck that you can get out there, as far as something inexpensive that's and you can. That applies both to people and organizations.

Speaker 2: 35:08

And so because a lot of times people are like, well, you know, I'm not goldman sachs, I can't, I can't afford this cool whiz bang security thing. But you know, everybody can do mfa, whether or not, that's, you know, at your home, on your own personal you know work account or your own personal accounts or obviously inside your work organization. And so to me that's that's sort of the starting point for a lot of like. How do you move forward when you look at some of the standards like NIST or any of these other standards, amazing stuff. But you're always like okay, what is what gets me to 80? What's gets you that Pareto principle Like, what is it that I can do first that gets me the biggest bang for my buck? And so that's sort of the way I tend to think about it. What about yourself? What's the easiest uptake?

Speaker 1: 35:49

You know, I think the interesting thing now that you asked me and I was starting to think about the response and I noticed how my response for that question has evolved over time as well, because I believe that if you asked me that, probably say 10, 15 years ago, I would probably say make sure you have kind of passwords on everything.

Speaker 1: 36:10

Kind of authentication is enabled everywhere, passwords and individual accounts, right. So if you think kind of a long time ago, kind of the administrator accounts on Windows and half of the company kind of was using that thing right and it is interesting to see that that's probably not such a prevalent problem anymore, think of the practices around identity and access control have evolved substantially to the point that now, when you think about what would be the next first advice to give, we think about multifactor authentication. That's pretty interesting. It probably could be something that would be part of a group of tips or a set of advice to give, but it was probably later in the list and today it's probably the first thing that we'll put there. I think there is one. We have probably a more mature scenario today where, okay, people have all their individual accounts right, kind of authentication is enabled everywhere, but password is not enough anymore, right.

Speaker 1: 37:11

So now there's another thing that has to be done. But there is also a scenario of kind of the threats evolving right, kind of where we're going to just have in passwords, right, it's not enough anymore. So the pressure has also kind of increased substantially. But to try to finish on a better light right, instead of just kind of talking about threats, is our technology evolved as well, in the sense that enabling multi-factor authentication is not something that is so challenging as it used to be, right? Remember kind of having to integrate to integrate the old secure ID tokens in your environment before, and the authentication systems were not compatible with that. It was a pain.

Speaker 2: 37:54

You lose one, you have to remail it. The whole process was just a difficult process.

Speaker 1: 38:00

The entire logistics around the physical tokens and distributing them. You're providing that to a supplier and you have to get that back. Now. We've all heard how practical with the cell phones, with the authenticator apps, etc. The higher standardization level as well. It's not like you're moving from one supplier to the other and now everything is different. You have to replace software, so that's a good thing.

Speaker 2: 38:28

I think that's a great way to sort of like we are working really hard, like we as a cybersecurity community to try to make we sort of recognize that it's hard for humans, like security is not where we want to spend all of our time as humans, and so we're trying to figure out ways to make the processes of securing stuff much easier for everyone, and I think that's a really, really good thing. And it's one of those things where you can see it very clearly If you've been in the space for any length of time it's way easier to secure things in a manner that is much less intrusive, much less invasive and easier for everybody to do, easier for the admins, easier for the people designing it and, most importantly, easier for the people to consume it. It's great that the community as a whole continues to say how do we make this easier? Because we know that we're going to have a better uptake if we do.

Speaker 1: 39:21

I'm happy that you're saying that, because we should be recognizing this more often, because I think in our space, because you're dealing with threats, it's always all doom and gloom. Now they can do this, now they can do that, but come on, see how easier it is to perform certain security actions and to implement certain controls today versus how it was some time ago. We did a pretty good job, I think, as a community.

Speaker 2: 39:48

It was funny because we actually spent a decent amount of time talking with customers about single sign-on and just how to make that easy, because they're like I didn't realize it was as easy as it is, and we actually helped them explain to them that it's probably way easier now than even five years ago and the last time they sort of looked at it. And so you know kudos to the entities, and then you can see customers sort of like catching on to the fact of, okay, a lot of the stuff that maybe was heavy and difficult appears to be a lot easier these days.

Speaker 1: 40:14

Right, perfect Scott, not on burples but we managed to get to the end here in a very good note, in an optimistic tone. Right're not just gonna go on and kind of cry and let's have a drink and forget about cybersecurity. We're all doomed. No, we're not on that point. I think that we are finishing here and with a perspective. Right, the things are improving. I think that's always good. So I'd like to thank you for being our first guest here. Conversation with you is always amazing. We could keep going for hours and hours, but really appreciate your time and we should get a good rest of 2024. And I hope 2025 will be continuous to be fun in our cybersecurity space.

Speaker 2: 41:02

Augusto, thanks for having me. I don't know when this gets released, but obviously we're coming up on Thanksgiving when we recorded it, so hope you have a good Thanksgiving and, to everybody out there, hope you had a good Thanksgiving and you have a great Christmas and New Year's as we head into the holiday season.