TechTalk
Crucial Security Considerations
for the Modern Enterprise
By Insight Editor / 21 Feb 2022 / Topics: Storage Data and AI
Join Insight’s global Chief Information Security Officer, Jason Rader, and National Field Sales Director, Shawn Ambrose, for the conclusion to our three-part TechTalk series on data, storage and security for the modern enterprise. In this session, our experts expand upon the data security strategies from part 2, including encryption, network segmentation, and compliance to reveal critical security considerations for the overall enterprise.
Transcript of audio:
Published February 21, 2022
SHAWN
Hello, and welcome to Insight's Tech Talk. I'm Shawn Ambrose and I lead our field sales business for Insight Canada. With me today is Jason Rader, Insight's global chief information security officer. This is part three of our three-part series on data, storage, and security. In part one, we dove into the topic of data, its relevance and value, and ways to harness the value for competitive advantage. We then touched on some considerations for storing this valuable data. In part two, we dove much deeper into modern approaches for data storage, and then touched on key considerations around securing the data. This included areas such as encryption, network segmentation, and compliance. In part three, we're going to go deeper into the security discussion and look at considerations around security and the overall enterprise. Jason, I'm delighted to have you join us today to share your insights on this important topic. Let's start out by helping our audience get to know you a little bit. As Insight's global CISO, I see your role as twofold. First, helping to protect Insight, a global, publicly-traded Fortune 300 company. And then second, overseeing our strategy and capabilities for our client-facing security practice, enabling us to offer solutions to help our clients be protected. Can you help our audience understand how you balance these two very large responsibilities, and some of the interplays you see between them?
JASON
Sure, Shawn. Thanks for having me. So we're very, very fortunate at Insight to have the type of business that we've got. We, of course, ourselves want to be the best at what we do from a security perspective and a technology perspective, and then we want to offer very excellent services, cutting edge services to our clients, as well as the cutting edge technology. So luckily, I set up a place where my mandate of CISO is to make sure that Insight has all of those things and those capabilities for ourselves. And that's a journey as well. A lot of folks think that, oh, Fortune 500 companies, or very large organizations, global organizations have this stuff all dialed in. It's always a maturity that is taking place. No matter who I talk to, and I talk to lots of CISOs and C-level folks every day, they want to take where they are now and transform, and continue to transform and get better every year. So we're fortunate enough to take those things that we do internally, and those things that our excellent services teams and technology teams out in the field do, and take those things directly to our clients. So although it seems like two separate things that would pull at each other, they are really right in line. And I love talking to clients and solving challenging problems.
SHAWN
Yeah, thanks for that. Thanks as well for being here today, Jason, and thanks for that overview. And that totally makes sense of here you are thinking all day, every day, about Insight, large global organization, 11,000 plus teammates, how do we make sure we're secure? But those best practices that you work through, we can certainly turn that and face that to our client community. And maybe we'll go a little deeper into the security discussion. In the past, we've seen all kinds of malicious activities disrupting business. Why is ransomware taking the center stage now?
JASON
And that's a great question. Ransomware is one of those things that has captured an audience right now. And I think there are a couple of things. First of all, it's kind of glamorous, and it's easy for the media and other folks to kind of talk about it. And the second thing is it's kind of mysterious, and it scares a lot of people. So those two things make people kind of talk about it a lot. In essence, these are people that have done their homework and they understand the inner workings of organizations and they understand what's the most valuable thing to organizations, and that's usually the data. As you have said before in previous sessions, it's the new currency. So these adversaries come in. They know what you need to run your business, and they know what you're required from a legal perspective to keep private. And in doing that, they'll go after that data, they'll go after the mechanisms that you use to protect it, the mechanisms that you use to use it, and they will disrupt that in some way. Interestingly enough, a lot of folks have shifted from a data protection perspective to have a very effective data protection strategy, where they have immutable backups and those types of things, which you've mentioned before in your sessions. These guys now have kind of shifted a little bit to do this double extortion type deal where if you can restore your data and you choose not to pay the ransom, they're like, "Well fine." They're now extricating that data. So they're exfiltrating that data to another location. And even if you can restore, they're like, "Well, we're going to publish this to a location where everybody can see it." And then you're going to be in a situation where you've got to do disclosures and those kinds of things anyway. So it's a really interesting situation. So just that data protection strategy isn't enough these days.
SHAWN
Yeah. So what are some of the other key patterns of attack that you're seeing? You're saying just a ransomware protection solution itself isn't enough. So what else are you seeing out there?
JASON
And those solutions themselves... And I do want to say a ransomware solution is a difficult thing to pitch to a client, for example, or to anybody, because it's such an all-encompassing thing to solve for ransomware. And when this stuff started making the headlines, I had a lot of folks come to me and say, "Jason, tell us what to do for ransomware." And there was no... I'd love to say there's a turnkey solution where, oh, buy this product or do this thing, and you're completely covered. It's an overall security program. And that's one of the difficult things about it, is it's hard to explain, well, do all of the security things. It's more than just technology. It's the people side, it's the process side. It's all of these things. And that's what makes it mysterious. But yeah, they'll go after your backup first and make sure that that's not available to you, if they're able to do that, if it's not an immutable situation. Even if you've got that backup handy, and you can restore within a credible amount of time to keep your business going, there are places... What I try to talk to people about... And if you're familiar with NIST, and I know that's a US-based thing, but a lot of folks refer to it. The NIST, National Institute of Standards and Technology cybersecurity framework basically divides your security controls into these five categories, identify, protect, detect, respond, and recover. And recover is the area where most of that data protection conversation, that backup and recover strategy sits. But realize that there's all of these other areas where... And the dwell time that the bad guys are sitting in your organization is typically a number of days. It depends on the campaigns that we've looked at. Sometimes it's 40 days, but it's at least 10 that they're going around looking, 'cause they'll look for a little while to see how you protect yourself. And then they'll try to circumvent those controls. 
So realizing that there's these five areas, kind of like an attack chain or a kill chain if you've heard of those before, that you could identify, protect, detect, and respond before you get to that recover option, those are better strategies as well. So not that you shouldn't do the recover option, that's definitely something we have covered. But thinking about moving forward, those other areas where you could see what was going on and potentially respond and protect before you have to deal with that recovery strategy.
SHAWN
Right. Thanks for that explanation of NIST and thinking about those five areas. So it sounds like recovery is kind of the fifth area to consider, but we've got to think about the previous four. When you think about your role, as you do all day, every day, Jason, of our global CISO, and then also turning that around to client-facing capabilities to help our clients be secure, what might you recommend for our clients when we think about beyond kind of that NIST framework? I want you to take it just a little bit deeper. What guidance might you have to our clients when they think about mitigating this accelerating risk that's in front of them?
JASON
Yeah, absolutely. And I use the NIST strategy to talk about it at a high level, but you're right. We've got to put some meat into this thing to be able to help people out. And I think overall, the vast majority of these types of... Just about any type of infiltration into an organization starts at the frontline, and that's your people. A lot of folks look for simply these technology solutions, and that's what we're good at. Security evolved out of the IT organizations in most cases, and a lot of those people will have grown and matured within those organizations. And a lot of our first effort is to just go straight to this technology aspect. One of the things that my platforms hint at is our security team isn't just the people in InfoSec or the people in compliance or audit. It's everybody in the organization. And most of those attack vectors on the front end up... Just about every infiltration comes from somebody clicking something or doing something that has allowed that attacker to take advantage of it. You hear about zero-days and those kinds of things that exist. But the reality is the majority of the time, they're not going to waste a zero-day because using a zero-day means that potentially, people see it, and then that's not a zero-day anymore. A patch will be issued by the manufacturers. So getting in through people is an easy way to do it. So making sure that everybody... Those awareness campaigns are just as important as that technology that's out there, because the technology lets things in by design. But what happens once it gets in like an email, for example? The emails have to get to your inbox. What happens after they're in your inbox and can potentially execute as you, when you click a link is really important. So those are things that... It's the people side, 'cause that tells people the processes that exist. A lot of things are related to the way that the process works. And then of course that technology, and all up-to-date, it is.
I mean, now technology changes so much, especially in security. There are new acronyms that come out that people... A lot of things in infrastructure haven't changed a lot. There's nuances, but with security, we're talking about things like SASE and CASB and things that we've never talked about before, and the hybrid cloud aspects of things. There's a lot of layers to this thing that we've got to deal with. So making sure that you understand the balance of the best technology that exists, keeping those processes intact, and when new technology is added, making sure that those processes are aligned with that new technology. And then making sure your people, first, your people that are frontline are aware and know how to deal with security when it comes in, but also your security teams having that appropriate skill set to leverage that technology and operationalize it.
SHAWN
That's a lot to take in, Jason. As you were sharing that, I was thinking to myself this slide that I've seen many times that has literally over 1000 security solution manufacturers on that. How do we take that and distill that down to something that's meaningful? For you, as our global CISO, both when you look at that in terms of securing Insight, but then also our guidance of how we would serve and help our clients through this journey, how do we take this monstrous page of logos, if you will, that all have their own... They've all got some great technology going on there or they wouldn't be there in the first place. But how do we take this sea of thousands of logos and distill it down to that technology side? We think about the people and the process, but this tech, it's overwhelming. How do we just take it down a little bit?
JASON
I know that slide very well. It's been around for a while and it is frightening. Back to that framework I talked about, and I don't care whether it's NIST or what you use from a framework perspective, but what I believe is there should be some technology that helps you in each of those areas. And categorizing those different, and what we have endeavored to do as Insight is to help our clients understand what technology is best to deal with the use cases that our clients are going through. For ransomware, for example, we have a ransomware aligned against that framework. And we talked to clients, which things do you have on the identify side, which do you have on the protect side? They take a look. And if all of their stuff sits in the data protection side, well, then they probably should look at some other technologies that can help them on the front end. Another thing that I think clients get overwhelmed with, CISOs get overwhelmed with is the bake-off that typically has to take place when there are competing technologies in the same space, who's best. A lot of folks are like, "I've done my due diligence." That means they've gone to the website. They read the marketing materials. I do, everybody does those things. But the reality of, then what would somebody do if they were on their own? They'd go and have these proof of concepts with each one. And that could take six months to get all those things lined up and to make those selections. That's one of the reasons I think our architects are so strong, and their discipline, security, infrastructure, data protection, because those guys know all the major players. Insight, one of the reasons I work here is because of the relationships we have, which we can leverage. We see into the roadmaps of these technology companies to really see where they're going, and we can help. You're not just buying technology for what situation you're dealing with today. 
You're buying that technology strategically for how it's going to operationalize within your organization as you move forward, and how it's all going to come together. Your data points earlier in the sessions. These disparate pieces of data are great, but bringing those things together and enriching those things and being able to leverage that data, especially from a security perspective across multiple platforms, is the way. And that doesn't happen by accident. Making sure that you've planned appropriately and acquired that technology appropriately is key to that.
SHAWN
Right, great. I think that brings our conversation full circle, Jason. We started in part one of the three-part series talking about the data. What is data? What is big data? Why is that relevant? Why is that important? How is it that organizations can leverage that for their own competitive advantage, and in their ecosystem? We then talked about the different ways to store that. But as we talked about that, this conversation came up of that data, that valuable data is exactly what the bad guys are looking for, right? So the commerce has come full circle in terms of your thoughts and contributions of how to navigate that, the people, the process, the technology. And I think what I take away from this last couple of minutes here, Jason, is just that massive complexity of that. A good fortune, we have as Insight of being a large organization and having a mature security practice that set capabilities. And those capabilities are seeing what's happening in the market over and over and over again, and being able to take that and understand, maybe I'll call it situationally best in class, because like a golf game, there's never two that are exactly the same. I would imagine through your lens, Jason, there probably aren't two exactly the same security posture profiles that you see out there. Is that a fair statement?
JASON
You have said it exactly how I would have said it. I do this role because security is hard. I've been doing this for 25 years, and it's gotten harder. It hasn't gotten any easier. And those complexities exist every single day. And the thing that I would say is there's no macaroni and cheese recipe for security. It's different even in the same vertical, even with the same equipment. The same technology in the same vertical, in a similar-sized organization, depending on how they work and the processes that they operate under from a business process perspective could be a completely different ball game.
SHAWN
Right. So we're going to take it one step at a time. Thank you, Jason, so much for your contributions today. And thank you to our audience for tuning in to part three of this three-part series around data, storage, and security. I've definitely learned a ton from Kiran Arunin Shah, and then Jason here today. Thank you. I hope all of you did as well, and have a great day.
JASON
Thank you.