Explore pressing cybersecurity challenges and practical responses in this Identity Radicals episode with Rachel Wilson of Morgan Stanley. Uncover the risks of identity-based targeting, the practicality of scaling security, and the power of automation. Gain insight into balancing risk, compliance, and talent recruitment when safeguarding digital assets.
This week, Identity Radicals brings you an insightful episode with Rachel Wilson, Head of Cybersecurity at Morgan Stanley Wealth Management, on the critical aspects of cybersecurity and information protection. Rachel and host Jason Garoutte explore the ever-growing concern of identity-based targeting, shedding light on the vulnerabilities that persist in our interconnected world.
Rachel explains why multi-factor authentication (MFA) alone does not guarantee robust security: device malware such as Marcher and real-time phishing sites can capture the one-time passcode along with the password. They discuss how to scale security measures practically while balancing risk management against compliance obligations.
They also offer insights into answering security questions from boards of directors. Finally, they highlight the power of automation in detecting abnormal use of identities and access, and discuss the ongoing challenge of recruiting and nurturing new talent in the field.
Key Quotes
- We've got to be reconciled to the idea that our employees, and I tell this to people all the time, they are both our first line of defense and our greatest point of risk. This is why, you know, as you and I have discussed, the monitoring both internally and externally is crucial, and I think that people give short shrift to that internal monitoring, recognizing that if you can identify an employee whose behavior is abnormal, either because they are doing something strange, or to your point, Jason, their identity has been co-opted in a way that indicates that you've got a problem. These kinds of detective controls are crucial in today's environment.
- Those of us who come from government, we're very used to living in a world where your internal network does not touch the external internet, where you're not bringing personal devices, you know, into a classified environment. Now, obviously, that does not work in a private sector environment, and it certainly does not work with our new generation of employees who can't imagine a world in which I left my cell phone in my car all day.
- The clients that I work with now, we're telling all of them they have to assume that it's a when, not an if, right? And the idea being that in a world where there is no perimeter anymore, where all of us are accessing sensitive data, proprietary data, from personal devices on your local home network, you're traveling, we've got to be able to give our employees all of that functionality anywhere in the world on virtually any device, but we've got to secure it as well.
- If I have someone who is accessing customer data that they really shouldn't be seeing to perform their job function, I've got a bad seed in my midst, right? And I've got to address that quickly. I can't afford to have a bad apple.
Identity Radicals is sponsored by Veza, the Identity Security Company. Learn more about Veza by checking out:
Or, schedule a demo with our identity security experts to learn how Veza's Access Control Platform can lead your organization to least privilege.
Narrator: [00:00:00] Welcome to Identity Radicals, Conversations with Cybersecurity Experts, the podcast that gives you exclusive access to the latest insights and strategies in the world of ever-evolving identity threats, brought to you by Veza. And now, here's your host, Jason Garoutte.
Jason: Welcome to Identity Radicals, the show where we have candid conversations with today's leaders on the front lines of identity access and security.
My name is Jason Garoutte. I am the CMO at Veza, an identity security company headquartered here in the San Francisco Bay Area. I'm happy today to welcome our guest, joining from the other side of the country. This is Rachel Wilson, Head of Cybersecurity for Morgan Stanley Wealth Management. She's been doing that job for six years, which includes leading field and client education on cyber threats and mitigation.
Rachel's team also drives innovation for new technology, so I can't wait to [00:01:00] ask about that. That's not all. Rachel spent the first 15 years of her career working at the National Security Agency. From 2008 to 2010 she ran NSA's counterterrorism operations, right, and led a global enterprise in detecting and disrupting terrorist threats.
That sounds exotic and exciting. She served as NSA's chief of operations in the UK, working with intelligence services there to counter terrorist threats against the 2012 Olympics. She later spent five years in NSA's cyber exploitation operations within Tailored Access Operations, where she was planning things there against foreign intelligence and military targets. So I think it's safe to say that Rachel has worked on both offense and defense. She lives in New York City with her husband and two children. Rachel, welcome to the show.
Rachel: Well, Jason, thank you so much for having me. You know, I have been so looking forward to this and it has been such a pleasure getting to know you over the last few weeks [00:02:00] and months.
Really excited about our conversation today.
Jason: I think that this could go in any number of directions and we will let it, but, uh, I would view this as a success if at the conclusion of this, our audience was able to walk away with one or two concrete ideas that they haven't really thought about before for protecting their business.
And I think people tend to know the basics. We know that we should patch our software and that we can't rely entirely on multi-factor authentication, but we should make sure everybody uses it. So maybe we don't, you know, need to cover all those basics again, but get to some new things. And because of where I work, I'm especially interested in identity-based threats.
And depending on who you ask, people might say that 75 or 80 percent of actual data breaches are coming from identity roots, either the misuse of passwords or [00:03:00] the theft of passwords. And, uh, I don't know if you subscribe to those numbers, but I think it's safe to say that identity is at the root of the majority of attacks today.
Rachel: I would certainly agree with you. And, you know, I don't know if we could put a number on it, although I'm sure you guys have done some research to hone in on that fact. But I can tell you, you know, looking back at my 20-plus years in this space now, going back to my years in the counterterrorism operations space, which, you know, as you articulated, and thank you for getting through all that government jargon.
I know that's a lot to chunk through, but you know, those years when we were getting onto the devices used by terrorists, right? Their tablets, their smartphones, their laptops, the whole goal, right, was to read their email and listen to their phone calls and geolocate them. All of that work was really at the crux of identity-based targeting, right?
Who are we going after? What do they know? What are they doing? Where are they? What do they have [00:04:00] access to? And so everything we've discussed, you know, in the last few weeks and months has really resonated with me, that identity's at the core. You know, I think about my time then in London getting ready for the Olympics.
All kinds of threats to those Olympics. So we could, as you would expect, Jason, we had, you know, the Chinese trying to hack into the clocks and the timers at the Olympic venues. They had just hosted their very successful Olympics in Beijing and were definitely looking to rub a little grit in the eyes of the British going into those games.
We had the Russians trying to get into the databases that house the Olympic drug testing records. What was that targeting all about? Again, all about identity. Who were the database administrators that could really change those records? They, of course, were trying to change those numbers, getting ahead of the doping scandals that broke later.
And then the last five years, my time at the NSA, all running the cyber exploitation operations mission. You know, [00:05:00] very near and dear to our hearts, Jason, where, you know, I was recruiting really smart computer scientists and computer engineers from all over the country, obviously couldn't pay them what, you know, the big tech and big finance companies were paying them, you know, was paying them government peanuts, but had that opportunity.
That pitch, right, where I could offer them the chance, you know, to do something that would be illegal anywhere else. You know, some of these young people for whom that opportunity to no longer be beholden to the Computer Fraud and Abuse Act was a really alluring proposal. We'd bring them in, give them 18 months of highly classified training, and then conduct hundreds of operations a day, going after the networks of the North Koreans, the Iranians, the Russians, the Chinese.
Identity was at the core of that targeting. So to your point, having seen it both 15 years on offense, and now these last six years at Morgan Stanley playing defense. I think you've nailed it in terms of where teams need to [00:06:00] be focused. I also agree with you that, you know, most of the companies I work with, they're doing the hygiene things well.
They've got those table stakes controls around patching. They recognize, right, that they can't be, you know, as I tell people all the time, the sickest gazelle in the herd. They've got to be making themselves a harder target. I do think we learned a lot from the pandemic, right? A lot of the controls, these are all things that seemed too onerous in a pre-pandemic world. You mentioned multi-factor authentication. Lots of boards were very apprehensive about applying more rigorous authentication controls pre-pandemic. Now? We've all learned, right, that people actually can handle all of that, that the world does not end when you insist on higher authentication standards.
And this is our opportunity today and more broadly to just keep raising that waterline. So I agree with you. We've got a lot of ground to cover today.
Jason: In your [00:07:00] experience, because you've talked to a lot of people in the industry, CISOs, CIOs, InfoSec people, have they come to the realization that multi-factor is not a cure-all?
I know that one of your personal fears is, uh, some malware called Marcher, right? And this has a way of, obviously, getting in between us and our phones and capturing things that we think we're entering into maybe a banking application. So has the broader community come to this realization that MFA is not going to solve identity?
Rachel: So I think they have, Jason, although I would argue that probably financial services, and I'm biased here, is probably a little ahead of the game in this place. I mean, we've got money on the line, and so the two points you made, right, you look at a piece of malware like Marcher that, you know, socially engineers someone into downloading it onto their phone, gets themselves admin-level privileges on the phone.
The person logs in, of course, you know, they're not logging into their legitimate [00:08:00] banking app. They're logging into this lookalike site. They're entering their username and password. They've got that one-time passcode that they're entering, but of course, because Marcher has admin-level privileges, that's being scraped right out of their text message queue, and that whole MFA that was supposed to be that panacea then turns out to be not nearly that, you know, perfect silver bullet that we hoped for. Even just in the last few weeks, and Jason, we haven't had a chance to talk about this, but it absolutely gets to the points you're making.
So many of us in financial services are now seeing all of these domain spoofing campaigns. So you could imagine, you know, a domain that looks just like yours but is not quite the same. So, one character off, they're using a lot of foreign language characters in this. One character off, they register those domains in, you know, again, very rare jurisdictions where I can't use my normal [00:09:00] legal mechanisms to take them down.
These bulletproof domains, then they pay the internet service providers, they pay the ad providers to propagate their results to the top of the search results stack. Now, all of a sudden, people are searching for my login, they're seeing a whole list of illegitimate logins. And exactly to your point, Jason, how do these work?
They're in real time. They're very sophisticated. The hacker has this fake login website. They scrape all the content off of my legitimate website. It looks just like my website and it's the very first Google result. My client enters their username and password. The hacker takes that username and password, enters it on my legitimate site. I think I'm good because I've got multi-factor, but what happens, right?
Of course, then the hacker prompts my legitimate client on the fake website for that one-time passcode. My client's expecting it. She enters the one-time passcode, [00:10:00] the hacker takes it, uses it to meet my legitimate step-up authentication challenge. Now, all of a sudden, despite that MFA, the hacker has access to my legitimate client logins.
This is happening across the board in industry, and it means that we really need to be focused on all of the pre-eminent, post-eminent steps to that MFA. The MFA is not enough in today's environment.
Jason: I agree, and I know from, you know, hearing you speak in the past that within your own personal house, you run a very strict ship, and you have bifurcation of your devices and you have bifurcation of your networks, and you have talked about separating your high-risk activities like banking from, you know, maybe what your kids are doing, or my kids are doing, with the video games and the social media, putting those on separate devices and just having basically a red zone where you assume infection. But that's in one house with, you know, [00:11:00] four family members. Imagine if your house now has tens of thousands of employees, as Morgan Stanley does.
Like, I think you basically have to assume that someone is going to make a mistake. And so I hear more people talking about assuming the breach and being prepared to mitigate what you know is inevitable. Is that a fair assumption?
Rachel: I think it absolutely is, Jason, and you know, all of the clients that I work with now, we're telling all of them they have to assume that it's a when, not an if, right?
And the idea being that in a world where there is no perimeter anymore, where all of us are accessing sensitive data, proprietary data, from personal devices, on, you know, your local home network, you're traveling, we've got to be able to give our employees just all of that functionality, anywhere in the world, on virtually any device, but we've got to secure it as well.
You know, I would argue, and I know you agree, that identity is at [00:12:00] the core of that, but you're absolutely right that, you know, I have taken a highly, obviously, given my background, paranoid approach to the way that I live my life. You know, my son's laptop, 17-year-old boy playing all of his games, going to all of his websites to meet the other gamers, downloading his mods and his skins and his cheats.
I would not touch his laptop with a 10-foot pole. Likewise, he knows that mommy's devices are untouchable to him. I think what you're describing, and, Jason, I'm surprised we don't see more of it, network segmentation, you know, this is table stakes, core cybersecurity. Those of us who come from government, right, we're very used to living in a world where your internal network does not touch the external internet, where you're not bringing personal devices, you know, into a classified environment.
Now, obviously, that does not work in a private sector environment, and it certainly does not work with our new generation of employees who can't imagine a world [00:13:00] in which I left my cell phone in my car all day. But the fact is, right, those kinds of segmentation controls really are crucial, and I think the point you're making, that if we're not going to live in a SCIF at the NSA, then we've got to be reconciled to the idea that our employees, and I tell this to people all the time, they are both our first line of defense and our greatest point of risk.
This is why, you know, as you and I have discussed, the monitoring both internally and externally is crucial. And I think that people give short shrift to that internal monitoring, recognizing that if you can identify an employee whose behavior is abnormal, either because they are doing something strange or, to your point, Jason, their identity has been co-opted in a way that indicates that you've got a problem.
These kinds of detective controls are crucial in today's environment.
Jason: Because we have this kind of environment now, and I think people accept it, and the pandemic probably even made it accelerate more [00:14:00] with more work from home. My sense is that Zero Trust is largely an accepted goal that people aspire to.
I don't think everyone feels like they're there, but Zero Trust is accepted as a goal. Do you feel like that term is still on the roadmaps of most CISOs?
Rachel: So, I think it is, right? And I think it will be for a while. And certainly, there are people who are branding it in different ways and thinking about it in different ways.
But I think the core concept is there. And I would argue, Jason, not everyone would agree, that this is not a novel way of approaching the world. This is the natural extension of the things that, you know, we've been talking about in the cybersecurity and data protection space for a long time. I mean, what is least privilege at its core, right?
It's getting to a place where, uh, you really have, you know, zero trust ad infinitum, right? It is the last manifestation of what we've been talking about for 20 years. I don't think this is net new.
Jason: As a marketer, I have to be careful. We sometimes get [00:15:00] praised by our customers here at Veza because we don't talk about zero trust explicitly in our pitch.
And I think for the customers, they're beleaguered by vendors talking about zero trust. So we try to take it easy on them, but the core principle of assuming that people inside your network are not necessarily safe seems very sound and kind of irrefutable, but then you need the right tools to get visibility into what people are authorized to do.
And at Veza, we talk a lot about authorization, and we distinguish that from authentication, right? Authentication is who you are, but authorization is what you're allowed to do. And the tools, historically, have not been that good for figuring out what the state of authorization is across a company. It gets worse as you have more and more apps, more and more systems and databases.
So I'm just kind of curious what you hear when you talk to colleagues [00:16:00] about authorization and the state of visibility into what people can see, what people can do.
Rachel: What you've just articulated, and you said it very, very well, is the crux of the conversation we're having now. That five years ago, we were all focused on authentication.
Do we know that this person is who they say they are? Right? And very, very worried about that identity hijacking and those sorts of things. Now, and again, I think about the conversations we're having with our boards of directors. They understand authentication as a concept. We've been educating them these last two years that authorization is every bit as crucial, that I've got to know not just that that person is who they say they are, but I need to understand what they have authorization to do and are they acting within those norms.
The other thing we've had to really educate our boards on is that authorization is not your old-school concept of application-level authorization, that that's insufficient. [00:17:00] That, of course, you have employees that are authorized to use certain applications, but that if you're really going to honor least privilege, not just lip service, Jason, but actual demonstrable least privilege, and you're going to take a trust-but-verify approach to that.
You're not going to rely on human attestation to tell you what people need access to, but that you're really going to have, to your point, the right visibility in your environment to be able to say, in a demonstrable way, Jason needs access to this. I see how he's using it. I see that it is being used in a way that is appropriate and aligned with his work role and that he's using it in a way that is cohesive and consistent with his peers in this work role.
That's the kind of visibility that we're articulating as being really crucial. And then, of course, the automation that comes with that, that we can't have human beings trying to look at whether Jason is behaving in an [00:18:00] appropriate and expected way, that we've got to be able to detect outliers from that expected behavior in an automated way.
And so, as we've explained this to boards, again, if five years ago I was saying Jason has access to this application, he's using this application, thus all is well. Now I've got to get to the place where I'm understanding much more at the data level. Is Jason authorized to see this set of data within this application?
Very granularly, right? So, at the field level. This is the data that Jason needs to see to do his job, and this is why we think, you know, again, this sort of work role level access is crucial, given Jason's job. We know that it's Jason, but what is he authorized to see? Is he operating within those norms? Is he outside of the norms and parameters for our expectations for his work role?
And then you think about what that means, Jason. Once I know what the expectations, what [00:19:00] the normal parameters are for an individual within a work role, I've got that visibility into what they do, what they can see, how they're operating on a day-to-day basis. If I've got the automation baked in, then all of a sudden, behaviors that are outside of that norm start to stand out.
And again, I would argue that when you're seeing those behaviors that stand out, that's telling you one of two things. Either you've got an insider who's doing something they shouldn't be doing. And you could imagine in my world, that matters a lot, right? If I have someone who is accessing customer data that they really shouldn't be seeing to perform their job function, I've got a bad seed in my midst, right?
And I've got to address that quickly. I can't afford to have a bad apple. Likewise, though, if that person's identity has been co opted by an external actor, and that access, that authorization is being leveraged to do more and beyond, that's going to be, in many cases, [00:20:00] my very first indication that I have a cyber intrusion.
And as we all know, Jason, like, getting to that identification of a cyber intrusion quickly may be the most important thing in this, right? If, to your point, 70 to 80 percent of these cyber intrusions are being driven by these identity-related problems, looking at identity in terms of that indicator of compromise can be crucial in getting there quickly.
Jason: It's hard to imagine large enterprises keeping on top of this with the tools that they've had so far. It's really a question of scale, right? And if you think about the math of, you know, how many employees you have, each with potential access to many different tables across hundreds of apps, hundreds of databases.
It's easy to imagine tens of millions of rows of authorization data, and you can't really expect human beings to go through tens of millions of rows and make decisions. Yes, [00:21:00] Jason should have access to this. No, let's take away Jason's access to that. And so we talk about this principle all the time of least privilege, right?
And NIST tells everyone you should adhere to least privilege, and everybody agrees, but nobody achieves it. And I don't know, do you hear other people talking about the practicality of least privilege as a goal, or is it more of a poetic aspiration?
Rachel: I do think there's some poetry behind it, Jason.
I mean, it's certainly something that when we talk to shareholders, when we talk to boards, when we talk to, you know, C-level executives, it's intuitive, right? This idea that we only want people to see what they need to see to do their jobs, that we want to mask and minimize and tokenize whatever data we can, that we want entitlements and identity and access to be really, really granular.
But the point you're making is spot on, right? When you're thinking about thousands of employees, thousands of applications, millions of rows of data underpinning those, huge numbers of [00:22:00] fields. Even, you know, even if I say Jason's allowed to see this customer's data. Well, is it all of that customer's data?
No, I mean, Jason, you don't need to see everything associated with that customer. In fact, maybe you only need to see a very few things associated with them. And then Jason, I would argue, you know, of course, everything we've been talking about so far is very much in the structured data place, right? We're talking about databases.
We're talking about data that's housed within the safety and confines of our applications. What about when that data is exported or extracted and now all of a sudden it's living in a raw file? What are my controls around that? That is what I'm hearing more and more from my peers, is that we've been very, very focused on how do we control access, you know, obviously for system administrators, for those with privileged access.
How do we control it for those that have access to sensitive data at broad scale? But more and more we're being asked the question of, okay, Rachel, but what [00:23:00] about when that data is now in an Excel file? What about when it's in a PDF? What are my controls around it there? Couldn't I simply email it to anyone?
What do we do about the control environment in the unstructured space? I don't know that anyone's cracked the code on that.
Narrator: This podcast is brought to you by Veza, the identity security company. 75 percent of breaches can be traced back to identities that were either compromised or abused. That's why companies use Veza to find and remove the risky access permissions that legacy tools just can't see. Secure your data wherever it lives with Veza. Learn more at veza.com.
Jason: Yeah. And I've heard customers, I'll say CISOs, talking about data sovereignty. Now, it's a new phrase to me, but data sovereignty, like, if we have unstructured data like you're describing and it's in Box or, um, you know, some other cloud environment, maybe S3, but unstructured [00:24:00] documents, who can access that, and are we sticking with the rules about which people in which country can see data in other countries?
For example, we may not want people in China seeing documents that reside in the U.S., and vice versa. And CISOs simply cannot answer the question of who in which country can access unstructured data in other countries.
Rachel: Jason, I vehemently agree with you on this. You know, if you think about from a data perspective, we all used to be obsessed with lineage.
We're still obsessed with lineage. We were obsessed with provenance, right? We were obsessed with integrity, all of that. But I would argue that, even more so from a security perspective, do you want those employees in China to necessarily see all of your data? When you look at the global privacy regulations, right?
I mean, I'm potentially incurring massive fines from a GDPR [00:25:00] perspective if I'm creating files in Europe that then are visible within the United States. Those fines are gargantuan. And so you're exactly right. This unstructured data question and having the governance to say, you know, where was this data born?
Where was this file, you know, first created? And what does that mean in terms of where it should go and what it should... This is why I think, you know, you're going to see all of us pivoting hard to file-level encryption, right, which was too hard for too long but now is finally getting viable. So file-level encryption and file-level entitlements.
That you, Jason, create a file. That doesn't mean that PDF is accessible to the world. Like, you're going to delimit the five people who can see that file, and you're going to make decisions in terms of privacy legislation, and data lineage, and that data sovereignty question. We're going to have to become much more granular, and much more controlled at the file level, I think, to be compliant with privacy law, and to get our [00:26:00] boards content that we're, you know, to your point, actually applying to this idea of least privilege.
Jason: It's interesting that you bring up compliance, uh, and for me, kind of the age old debate is, what do our customers care about more? Is it staying compliant and avoiding fines, or is it pursuing least privilege and reducing your risk posture? And I, like, I can't answer this question. It seems like it's a tie.
And, you know, it depends on what's happened most recently to the company. I think most people would say, if they were threatened with, you know, exposure in the newspaper for something that looked like negligence, that would probably be their top priority. But on a day-to-day basis, the forcing function more often seems to be the upcoming access review or the upcoming audit, and the fear that maybe some problem that was discovered last time has not yet been resolved.
Do you think it's a balance between risk and compliance? Just got to do both?
Rachel: So, I think [00:27:00] you're exactly right, Jason. I mean, I was talking to a group of young people who are coming up in the cybersecurity and data protection space, and, you know, we were doing a pretty rudimentary conversation about the CIA triad, right, and I was explaining to them that, you know, for me, my job encompasses both. You know, we've got to make sure we have the integrity of the data, we've got to have the confidentiality of the data, but that all too often, the point you're making, the availability of that data is in direct contrast, priority-wise, to its confidentiality. That, you know, you think about your compliance people that want to make sure that you are truly minimizing the number of people with access to that data, that you are, you know, going to ensure that nobody sees anything they're not supposed to see.
Then you've got your very same people thinking about the resilience of your business operations saying, well, but no, I need many, many copies of this data in many places with many people having the opportunity to see it. [00:28:00] And so I think this is our challenge, right? And it's the age old challenge in this space that maximizing the availability of our data inherently reduces its security if we don't have the right controls around it.
And I think, you know, this is a, it's an age old challenge. It's one we're certainly seeing now. I also think it speaks to the importance, your point, around the role of identity, where if I can tell our board, we've got maximum availability of our data to the people who need to see it. That's a much more comforting message than saying, you know, your old message of, yeah, I've got three copies geographically dispersed, one of which is off the grid, one of which is cloud based.
That's not nearly as satisfying as being able to say. The right people have access at the right time for the right reasons, with the right visibility, the right monitoring, and the right automation to detect when I've got something untoward going on.
Jason: Board reporting is super interesting. Let's talk more about that.
Uh, it seems to be coming up more and more in the conversations I'm having. Boards are [00:29:00] asking security leaders for some kind of dashboard that, that indicates progress over time. Challenge is pulling all that information together to populate the dashboard. I think people like you and I can imagine what the dashboard should look like.
Getting the information to populate that is really time consuming. I feel like you maybe told me a story once about it taking, taking several years to get a particular chunk of information about who could access what. And that wasn't surprising to me at all, because traditional identity tools weren't built to answer that question for the modern...
So, what do you think is the biggest challenge for security professionals in answering the board, the very basic board question, how much risk do we have and is it getting better?
Rachel: Well, I mean, Jason, that is, that is the crux of the issue right now, you know, if you look at what CISOs did, and, and [00:30:00] I say this with love and affection, right, what they used to do five years ago, the role of your corporate CISO was to walk into the boardroom once a quarter and scare the living daylights out of the board, right?
It was sort of like a lot of jazz hands, flash dance, lots and lots of myth and legend. You'd come in, you'd be talking about North Korea and Iran, you'd scare the bejesus out of the board, you'd get your, like, new check to go buy your latest and greatest product that was gonna save the day. And then you'd come back the very next quarter and say, oh my God, things are worse.
Let me tell you why they're worse and why I need another check. That was the methodology for years. And you know, CISOs, to their credit, they made a lot of hay and that's... I don't know, Jason. You and I joked, right, that the average CISO lifespan now is only 18 months. I think that's in no small part because the board got real fed up with that kind of messaging, right?
Don't come in here and, like, bamboozle me. Tell me, to your point, where we [00:31:00] are, what we need to do, and how we know when we're better. So my boards and the boards of my peers, they're asking exactly the question that you articulated. And so... The way we've characterized it is how many people in our environment have a level of access that would create, you know, per our risk level standards, a critical incident.
And every firm is going to define that differently, right? You've got to figure out your own risk appetite, your own threshold. What would you consider as a firm, a no kidding critical incident? Either your regulators are going to care, your shareholders are going to care, your customer base is going to care.
Maybe your employees would deem that untenable. What is that critical level incident and who in your environment has the level of access that they could, you know, take or expose that volume of data? So it's not, and this is important for boards to understand, it's not everyone with access, right? Of course, Jason, [00:32:00] everybody's got some level of access, but for someone like me, right, who doesn't interact with clients, doesn't have a client facing role, my level of access to data that would be considered, you know, critical is zero, and it should be zero, and I should be able to tell the board that the Rachels of this firm should have zero access to sensitive data.
Now, for those people, well, and Jason, just to continue that shot, that thought, I should be able to verify for the board that not only should Rachel have zero access, but she does, in fact, have zero access, and I can tell you every single day of the week that that has not changed. That for that population, these are your developers, these are your people that are not in your production environment, they don't have that customer facing role.
Zero access all the time, verifiable, demonstrable, and articulable in an automated way. Then you add to that, who are the people that actually need [00:33:00] access? What are we doing to minimize that? Who's left at the end of the day, that high risk population that actually has the level of access that could, again, defined as however your firm sees it, create that critical incident? And what are you doing around those people? This is again where, you know, we talked before, Jason, okay, MFA, not the panacea. For that high risk population, what are you doing to go above and beyond? What additional controls have you applied in a bespoke way, whether it's additional monitoring?
Whether it's, you know, additional controls in their environment, what are you doing to monitor their configurations, their provisioning to ensure that that high risk population really is held to a heightened standard in terms of supervision and surveillance, that you have a sense of what those people are doing.
That's the population that I think where automation kicks in is crucial. I don't need to monitor everyone all the time. If I know that some [00:34:00] people have no access and so that's good, fine, but for that high risk population, maybe, well first I need to know who they are, I need to know that they're behaving, and maybe I do want to apply additional controls.
And a lot of firms are thinking about this, Jason, like, if I know who that high risk population is, those people with lots of access to lots of sensitive data. Maybe they don't have the ability to send email externally. Ooh, that would be crazy, right? Maybe we revoke that. Maybe these people don't have simple things like printers, right?
There are some basic things we can do for that population that has high risk access to reduce their ability to weaponize that access. And that, I think, is the next step that a lot of CISOs are taking, is once I know who my high risk population is, how do I box them in and make it more difficult for them, not to do their jobs, but to get that data to a place where it's scary?
So maybe they don't have things like print to [00:35:00] PDF, maybe they don't have export function, maybe they don't have external email, maybe you've got them going through purely a corporate browser, so you know exactly what sites they can go to and what they're seeing and doing. Maybe their proxy policies are dramatically different than the rest of your population.
But the point, Jason, is until you know what high risk means to you, and until you know who your high risk population is in terms of their identities and the access you've given them, you're, you're in a one size fits no one from a control environment, and I think what CISOs are trying to do is get to a place where they've got much more tailored, customized controls at an individuated level, versed on identity based risk.
Jason: I love that. I love that you're... You're quantifying risk at the level of identity and you're saying, how many identities have the ability to inflict a serious critical incident? Uh, and you know, some people are going to have a 30 percent chance or a 40 percent chance. It seems like you need some kind of [00:36:00] risk score, uh, at the level of identity and you could imagine a dashboard with some little dial that's tracking the total risk points in your organization.
And like, just guessing off the cuff, do you feel like more than half or fewer than half of CISOs would have some kind of dashboard with a risk number on it?
Rachel: So, I think it's well under half, Jason. I mean, I think a lot of folks are still, you know, again, very focused on these boilerplate, uh, peanut butter style controls that they've applied to everyone.
So they're reporting things to the board like, we implemented MFA, we implemented isolated browsing. You know, they're, they're going to sort of point to a set of probably NIST standard based controls that they've applied to everyone, as opposed to, you know, and again, you know I have religion on this. That the more individuated the controls can be, the more you're not worrying about your people where, you know, their identity, their structure, [00:37:00] their authorization, right, is putting them in a low risk category.
And you can really up the ante in terms of the control environment for the people that are going to present that most risk. But I think, you know, the question you're asking is the right one. Could people point to dials and knobs today? Would they even know? I mean, what if my board said, Rachel, that's too many people?
What do I do with that information, right? What's the next step when you think it's too many? This is where, you know, I think, again, your point around tooling and having been insufficient over the years, it's not always given us the next logical step. So even if I know where I stand, if I don't, if I'm not comfortable with my risk profile, where's my instrumentation to say, well, Rachel, if you did these three things, you would reduce your risk in the following ways.
I don't think CISOs are well informed on that space. Even if they've decided that they are above their risk appetite statement, where do they go from that awareness?
Jason: I think the key word is automation. It has to be [00:38:00] to operate at the scale of any reasonable enterprise. And, you know, there's been a category that Gartner calls IGA for a long time.
Like, there's been companies like SailPoint around and the IGA stands for Identity, Governance, and Administration. Right? I happen to think that that A should change and instead of being Administration, it should be Automation because there has to be an automated system that's watching your identities and taking action on behalf of your governance policies.
So, if somebody has access to data, and they haven't used it in 90 days... It could be your policy to automatically suspend that access and make the person re-request it. I don't think that happens at any company I've ever worked for today. People are really good at asking for new access, and there's people who have a job of evaluating and granting, but there's really nobody that has a job of like going through and removing access except maybe a once [00:39:00] a year periodic access review, which tends to be kind of a theatrical performance.
Uh, with a lot of rubber stamping and how could it be otherwise because of people being asked to make these decisions don't have the context. They don't have the full picture of the authorization data and how Jason got access to a particular piece of data. So how can they really change it? So I think automation has to be the future of identity, otherwise, I don't know how people in your line of work are going to keep up.
Rachel: Well, I mean, Jason, you're right. And I think everyone who is doing the A for administration today, everyone in security administration would agree with you, right? That they need better automation to do their jobs.
For years, that one time, you know, entitlement review, every manager at every firm is just clicking yes, yes, yes. Because the last thing they want to do is create some kind of production issue, some kind of outage, because they [00:40:00] inadvertently revoked an access that someone needed. But to your point, moving to that use it or lose it model, which I can tell you, we always have had in government, right?
You talk to anyone who came from the intelligence community. This was table stakes, right? That if you had a compartmented access and you didn't need access to it and you didn't use it for 90 days, it was revoked in an automated way and you had to re justify that access. Same thing for, you know, someone who has changed jobs.
How many of us are truly rigorous about saying Jason moved from this role to this role, we're going to wipe his access clean and rebuild him from the ground up? We all know that's what we should be doing, but how many of us can point to that employee in our firm that's had six jobs in the last ten years and have every bit of access from all six of those roles all stacked up on top of each other?
Unconscionable. Unconscionable. Unconscionable. But really, really expeditious when all you're looking to [00:41:00] do is avoid an outage. Again, it's that same tension between confidentiality and availability. People don't want to break anything, so they go with the rubber stamp, even though they know they shouldn't.
Jason: I do believe companies are pretty disciplined about removing an employee from the SSO tool like Okta. And I do believe that companies, you know, deactivate them in Workday. But the truth is that authorization lives at a much deeper level in the stack. And you know, there might be a little JSON account that's in Salesforce or a little JSON local user that's in Snowflake.
And those things get missed. When you just deactivate a person in Okta, so I think the future is going to have to be able to automate and go to a deeper level across all these different systems, not just the superficial, because every time you leave one of those behind, you're leaving avenues open [00:42:00] for lateral movement later when somebody finally does get into the system.
Rachel: Totally agree, Jason. And that needs to be baked into the whole off boarding process, that you're looking at the totality of that person's access, not just what's through single sign on, not what's just going to be, you know, IP allow listed from their local desktop, but that you're burning down that whole access profile, including the little things, right?
It's the portal that they use to submit an invoice. These things, they get left... behind. And we see this a lot at small and mid sized companies, those things can really come back to bite you. You're absolutely right.
Jason: I want to ask you about something a little bit different, uh, which is, I think that the number one challenge facing people in security is talent.
I think it's just hard to hire talent. You see, you agree. So like, you know, what should the industry be doing differently? To cultivate the next generation of talent. I've heard you talk about how North Korea does it. We know what North Korea does. [00:43:00] I don't think we can, uh, embrace that same system here.
Rachel: No, no, you're right, Jason.
I don't think the North Korean approach of just giving an aptitude test to every 11 year old American. I know our kids wouldn't go for that, right? My kids already think that having me as a mom feels like living in North Korea. They are definitely not going to sign up for being, you know, conscripted into the U.S. government. But it's a huge problem. And I actually You know how I feel about this. I think this is existential, you know, and it's a, it's an American problem, but it's really a global problem. Are the good guys winning in a world where we have 800,000 open cyber security positions at any given time? You know, I have the benefit, and it's a selfish benefit, right, of being able to, uh, frankly, hire mostly people who worked with me and for me in my NSA days, so my team are all really, uh, again, I'm biased, but superstar hackers that have done, they have walked the walk, they have done the job, like, they have done it.
It's almost an intuitive [00:44:00] level, Jason. They now know what they're doing. But I think what I've seen is that, you know, you get much below, like, the Fortune 50, and you fall below the poverty line, you know, the cyber security poverty line pretty quickly. Just because there's no talent available to hire. And then of course, as we people all commiserate, the second you bring someone in, you train them for six months, they're immediately worth three times what they were when you brought them in the door and they're off to the next job.
I mean, the idea that you're going to bring in, you know, entry level SOC people and that they are going to stick around and you're going to build a career with them. Almost impossible to imagine in the current environment. I mean, people are sticking around six months, 12 months. If I can keep an entry level person for two years in the cybersecurity and data protection space, I consider that a gift.
Like, I consider that person a lifer in a way that, you know, my 15 years at the NSA would have been. I think the answer is a couple things. First, I mean, obviously, we got to be cultivating STEM [00:45:00] skills much earlier on, you know this, Jason, because, you know, we've become friends in this process, but my personal passion is talking to young people about cybersecurity as a career, as a field, why I think it's the best job ever, right?
Again, my bias, but also about their own cybersecurity best practices, you know, safe use of social media, what they should be doing on the internet and not. They're all doing stupid things. So I spent a lot of time talking to high school students about how to be safer citizens on the internet, hoping that a couple of them, you know, we plant that seed that say they want to get that degree in cybersecurity, which of course wasn't even a thing when you and I were going to school.
But I think there's another piece of it, and this whole conversation about identity really plays into this. Maybe 10 years ago, CISOs felt that everyone in the cybersecurity space needed to have a degree in computer science, a degree in computer engineering. Absolutely not. What we found is that we need smart people who [00:46:00] can learn new things.
Because I tell my mentees all the time, all I can guarantee is that whatever you were doing two years ago, is largely not relevant now. This space is moving so fast. I don't care what you studied in college. If you are someone with a curious mind who wants to dive in to that new tech, that new plan, that new risk, come on board.
I mean, we're hiring people with all kinds of different skill sets, different backgrounds, but if they've got that tenacity where they, they just, you know, that stick-to-itiveness that says, I want to understand this problem in depth, and they want to become experts in the tooling, experts in the data, experts in the automation.
Again, I don't need that computer science degree. What I need is that creativity and that ingenuity. Give me 10 of those folks every day, um, and I think we could really solve this problem.
Jason: Finding the aptitude is critical and, uh, I think it is something that even, you know, companies like VESA can support [00:47:00] in the industry by, by, um, sponsoring students who want to go through a certification program and, uh, start their journey.
I don't know how to, um, identify the early talent that's going to have the ongoing learning that you're looking for. But, um, uh, I would imagine that, uh, you have ways of isolating them as you, uh, interview and, uh, train them and that the cream rises to the top.
Rachel: I think that's absolutely fair.
Jason: Rachel, I want to ask you a more of a fun question for a second.
You must read. So are there, is there a book that you would recommend to our listeners for people who are trying to get on top of the emerging threat landscape? Or by the time books come out, is it too late and things have already changed?
Rachel: Well, so I do think, and it's something we should talk about more, Jason, you know, there are, books probably aren't the right medium for this.
I actually think that's why it's so cool that we're doing this right now. Because what I [00:48:00] see is that the podcast space is much further ahead in terms of content that's going to be like real time actionable for people who are living in these trenches with us. Again, why I was excited to do this with you today because I think, yes, I mean, it's what I said, right?
Anything that was relevant even six months ago, we're just moving so fast. I mean, you look at the ransomware environment right now and even just the nature of the way the ransoms are being levied. Who could have imagined this going back six months ago? We are, we are set for job security. That's for sure.
Jason: Rachel, this was great. I learned so much today and I always enjoy talking to you, so I want to thank you for spending the time with me. I'm grateful and you can come back anytime.
Rachel: Well, Jason, it has been a pleasure getting to know you, being part of this and learning more and more about what VESA is offering in this space.
I think you guys are a key part of the solution to hopefully what was a, you know, good conversation, at least about the problem set. I don't know if we solved anything, but I think we worried people.
Jason: Always, Rachel, you have given us something to think [00:49:00] about. And just in case, I'm going to go reboot my router in case there's any malware sitting on it.
This has been Jason Garoutte, and you've been listening to Identity Radicals. Be sure to subscribe if you'd like to see future episodes. And until next time, let's all be careful out there.
Thanks for listening to Identity Radicals, brought to you by VESA, the identity security company. To learn how to secure your organization's identity access, visit VESA.com. Please leave us a rating and review and subscribe to the podcast to get each new episode as they're released. See you again next time!