B (3:13)

Oh yeah.

A (3:14)

Like SharePoint.

B (3:14)

So you know all about technical debt.

A (3:17)

Oh, yes.

B (3:18)

Oh, yeah. Yeah. You went through some doozies.

A (3:22)

Yep. Novell migrations, all sorts of fun things over the years. But you know, it got me, got me working in cyber security pretty early on. I had a great mentor that I still get to work with today, having exposed in that front, started being able to build teams, building things around practices and kind of understanding how to build market solutions that work with businesses and bring those to scale. And today I have a wonderful role of being both a CTO and a ciso. So I have kind of a dual headed challenge.

B (4:02)

Dual headed challenge. So let's talk about the CISO part of it, because there's an. And I'm glad you have both roles because I think there's an interesting dynamic between CISOs which tend to be more operational day to day, protect the company, and a cto which is more exploratory. And looking at new technologies, do you feel like those need to be two different roles? It could be the same person, but they're two different roles.

A (4:35)

I kind of blend it all together. I mean, it's, it. I'd say from a business perspective it has a little bit of an operational impact. When you say you're the CISO or the cto, people have different contexts associated with that. So it sometimes helps set the table of what I want to talk about. But for me personally, I operate them together. I find that there is actually a balance between those things because just like when we're dealing with any sort of architecture, I think that you have to balance your security needs and you have to balance the business needs and you have to balance what your long term goals are with things. And so it's the same, same approach that I take with, with my role and responsibilities is making sure that it's balanced and it's really about the business.

B (5:20)

I, I like that you brought up the balance because I've talked to some CSOs that are. Security is everything, but then the business gets. What's the right word? Strangled. Under, under the security measures that are put into place because. And the most secure thing we could do was, you know, put everything in a vault disconnected from the Internet, right?

A (5:45)

Yep.

B (5:47)

But you can't run a business that way.

A (5:51)

You can't run a modern business that way.

B (5:53)

Okay, there you go. You can't run a modern business. I guess if I have A buggy whip company. I could probably still run it that way. Right. I probably don't even need a computer.

A (6:03)

For a buggy whip company.

B (6:05)

I know who all my customers are.

A (6:06)

I can call them on the phone.

B (6:09)

No, there's no new customers in the buggy whip industry, probably.

A (6:14)

No, not, not too many at least. You know, I think there's probably a small market share to be taken there. But that's something where I think that, you know, you have to truly understand what the business needs are. And if you're going to be. I don't see a security as a gatekeeper. I see security as an accelerator. Right. And, and we all have some sort of regulations, right. Maybe we're not in a regulated business, but to do business in America today, you have to have some sort of controls in place because. Right. You're talking about Salt Typhoon we started this conversation with. Right. They have access to all this information. Well, Salt Typhoon doesn't have to do business reporting and report back to their local states around privacy violations. Right, but all of you do. So those are all things that we all have to adhere to, even, even in a small area. Right.

B (7:08)

So does that get, does that give the hackers a head, a head start?

A (7:13)

Sure. I mean, they can use that information for whatever they want, right?

B (7:18)

Yeah, yeah, that's true. So let's talk about, let's talk about security from a holistic point of view. Because when we originally talked, we thought, hey, let's, let, let's spin this into like an enterprise architectural conversation. Security can't just be bolted on, on the side. It's. It's an enterprise effort, right?

A (7:52)

It is. And I kind of see it as like three tiers. Maybe it would be the best way to describe it. Right. So you have your enterprise architecture, which is your blueprint. You have your digital estate. Right. And I'm using that term where. Which is probably more widely used in the past couple years by Gartner and like Microsoft. But your digital states, all of your assets, your identities, systems, data out there, because everything, it's not just an asset anymore. Right. You can have different information and then your third part being your security architecture. And security architecture I think is evolving. Right. We might think of security architecture as your foundational controls that are needed in place today. But I think with the evolution of where we're going with AI, we do need to maybe consider some future changes to security architecture that might be more broadening. Right. Things that can move easily with these new agents. Right. Because the agent doesn't necessarily live in one spot. And it doesn't necessarily do just one thing. It can have access to a myriad of different tools.

B (9:00)

And so let's talk a little bit about that. If I were to take an organization 20 years ago, what would my security architecture look like 20 years ago? And then let's compare it to today.

A (9:14)

Yeah. Okay, so 20 years ago, right, you're going to have your perimeter firewalls, right. You're protecting your on premise infrastructure. You might have a web application firewall if you're a little bit more advanced. Right. At this point 20 years ago, you would be leveraging your local active directory, maybe doing some group policy hardenings on there to secure that information. You might be doing some database hardening as well or. But I can tell you most, most people weren't at that point. Right? They're still.

B (9:47)

Yeah, there, there was only one user account on databases. Yeah, there was an admin account and user account and that's how everyone connected to it, right.

A (9:56)

Your DB admin or whatever it was in MySQL et cetera. So yeah, you have some things on there and really didn't have really many things to protect. You had your database and your web app and pen testing was immature, I would say, at that point. Right. And being able to kind of expose where the risks are. But we, we still had a number of breaches, but they were looking more at gaining access to the, the, I would say it was less information driven at that point. It was more about control of your environment. Right. And somewhere about five years, you know, 15 years ago, right, we started getting that ransom side of it kind of popping in. And that's when people became a little bit more conscientious about what are the other security architecture pieces that I need to have in place.

B (10:46)

So in, in 20 years ago, it was all about controlling my machines.

A (10:50)

Right.

B (10:51)

And bringing them down or you know, you know, all that. But you said about maybe 10, 5, 10, 15 years ago, it shifted to ransomware. Now people have my data, which is very different because the data, I can't physically touch a machine, I can go over and unplug or replace. But data, it floats around there, there's an issue there.

A (11:17)

Yeah. I remember the first time a customer of mine had gotten ransomware. I want to say it was somewhere probably around 2010, something like that. Okay.

B (11:25)

Yeah. So about 15 years ago.

A (11:26)

Wow. Directly on, on a device, installed something or downloaded something, clicked a link, ran something, right. That, that put this piece of malware on there. And the first one I saw only did local Encryption. So it was only stuff on their device. And for that, for that particular customer, it wasn't that big a deal. Right. They had, they had S and P shares out there and accessing it, that quickly evolved because I remember six months later responding to someone saying, well, you know, my, my server for file share is, you know, completely down. Everything's encrypted. Right. Antivirus didn't detect, it didn't stop it through the encryption side. Right. We didn't have any behavioral types of detection capabilities at that point was really about signatures.

B (12:19)

So, so detection. Would that be the next thing? That kind of kicked in about 15 years ago for these ransomware attacks. We had to come up with new strategies. So instead, my hardened shell, just my hardened shell and protection from, from the outside. What did, what was the next step that I moved to protect against, you know, this new threat?

A (12:41)

Yeah, they, they started. I, I'd say that's probably the earlier phases of, of detecting new methods of encryption. Um, that was kind of some of the things that were being done. Right. So looking at the behavior of a, of an encryption type verse, maybe a malware signature, looking at the files that were being executed on there, it took a while for that to actually get pretty decent. It wasn't probably until about five years after that that the behavioral types of platforms started coming out with Defend for Endpoint or CrowdStrike. So folks, et cetera, they started building those detection capabilities.

B (13:18)

All right, so let's talk about security today then. What does security day look like compared to back then? I mean, have we moved far, far along? And then we'll, then we'll talk about the future.

A (13:32)

Yeah. So when I, when I generally, and I've done a few talks this year around, what are we seeing as a, as, as a MSSP or provider of cybersecurity services, and where can businesses reduce their risk the most? So the number one thing I see today as a problem is identity. Identity is by far a lack of proper identity controls in place. And that's where threat actors are really taking advantage today. Right.

B (14:05)

We can look at, well, we say identity. I mean, the first thing that hits my mind is user identity. That's the first thing that comes to mind. Is that what you're talking about? It's just user identity or.

A (14:16)

Well, not just user identity. Machine identities. OAuth tokens for being able to access from, from one SaaS app to another SaaS app.

B (14:28)

So application identity, user identity, machine identity. So very sophisticated.

A (14:35)

Right. Agentic identities. Right. We gotta be able to treat these things as their own identity, right. They're gonna be able to have access there. So that. That is a big area. People are still leaving doors wide open for threat actors. By doing that, they're not looking at reducing privileges to the minimum of what is needed to do. The role of responsibility.

B (15:14)

What would you blame that on? Because I'm a developer and when I'm asking for OAuth tokens, they always get asked me for scope, which is basically roles that open things. And I always ask for everything because it's easy, right. I don't want to have to go get another token that's such a pain to do. And I don't know exactly what I need when I first start developing. So I just. I just ask for everything, right?

A (15:41)

And maybe in a development side that is okay. When we start getting into production, then we have to have.

B (15:47)

That's the problem. No one, no one, no one does anything before they go to production. Right?

A (15:53)

I agree. I mean, I think you really have to understand what it is that you're developing and what you really want to be able to do. And once you have that, then you can really kind of scope that better. But my first question when someone's asking for an OAuth is what is your scope? What do you need to be able to do? Because I'm not giving you what you want unless you. You got to get more granular, right? There's this fallout that's happening right now. I'm sure you saw the sales loft.

B (16:21)

Oh, yeah.

A (16:22)

Reach. Right. Of all these OAuth tokens and Palo Alto's affected. Zscaler is affected. All these other silicone giants that use Salesforce and their data is exfiltrated out of Salesforce. And another giant breach, right? We don't even know what the fallout is yet. But when proper security of the identities, it wasn't done, right. Whether that was keeping it in the key vault or it is just too many permissions, right? If Salesloft needs access to everything in Salesforce, why, what is it doing in there? But it needs to be able to dump everything.

B (16:59)

Well, it's because of lazy software developers like me. I mean, that's what it boils down to, right? And not baking security. I don't have a CISO sitting next to me when I'm developing.

A (17:12)

Right.

B (17:12)

I know the right thing to do, but boy, you know, I get lazy. I get. And before I push a production, I go, oh yeah, I forgot to do that. And all of a sudden it's too late.

A (17:24)

Yeah. And maybe it's a state of where we're at, right? We are in a crux of rapid development, rapid change. Things are evolving very quickly, right? People are pressed for time. This entire AI side is evolving probably more rapidly than any other piece of technology we've ever had in history. So people are trying to do more or less, but they don't have a blueprint either, which I think is the challenge.

B (17:50)

So I'm glad you brought that up, because anyone that. Anyone that works in application development, when it comes to security, it's always kind of a pain to do, because there isn't. OAuth2 was supposed to make it easier. It made it harder to do development. And it's not just application development we have to worry about. There's a whole bunch of other layers of security. So why is it so hard?

A (18:23)

Well, I think it's because there's. If we went through the process and defined a plan of this is the way that we want to do software development, right? And this is the thing that we can hand to all of our employees that do development and they follow it, and these are the standards, things will be a lot easier. What people don't want to do is go back and run into some sort of security gate and then have to fix that problem, right? That slows things down. So if we do it in the beginning and we say, this is how we're going to develop this app, right now, this is theoretical, right? Everything's greenfield and we're building that new ideal world, right? But that would give us the ability to not have to go back and retrofit, which I think is probably the developer's biggest pain points, right? Who wants to keep going back into the security gate and saying, hey, I gotta go fix this now, right? If we build it from the beginning, it won't be as painful.

B (19:22)

So what you're saying is it's a lot about education then?

A (19:26)

Yeah, it is. And I think building those plans, right, of how you're going to secure your app from the beginning, what's your storyline on there? And do you have a security journey that you want to put that app through? And I think that's probably even more important as we get into like the agentic side of. Of building stuff. Because what's the scope of the agent that you're building? Because I can tell you, once we start, we're in the process of doing one right now, and internally, and the ideas are freely flowing and there's about a million things that this agent's agentic system is going to Be capable of all the different tools that you have access to. And you know, I get scared thinking about.

B (20:12)

Well I, I bet, I bet you do. Because I've stood up on my home network. I stood up some MCP servers, right, that I, I authenticated with some third party applications like email and a CRM system and an accounting system and all that. And all of a sudden, so I just set, I set that all up. I wrote a little agent that I can just ask any question I want and it could, it grabs all the data, no problem, right? So there's no, there's no security there. Zero. So I can see the big fear with these things. But also the benefit, like you said at the beginning, the business benefit of this is massive. Yeah, it used to take me a long time to get reports out of, out of those three systems and, and getting all the data and merging it all together and manipulating it the way I needed it for reporting. I can do that with a couple of prompts now. But I still need all that, all that access. So what's, how am I going to stop this? Because the business benefits are huge. But no one's, no one's concerned about the security aspect yet. They will be, but. So what do I do? Teach me then I need some help.

A (21:47)

I don't know if I have the complete story here, but I would, How I'm approaching it is right. I'm, I'm thinking about it from the perspective of assuming that this agent, right, is going to be compromised at all points. Right. We used to have this thing in cyber security called assume breach, right. And I think we just have to make that assumption that whatever agent is out there, you're is going to be able to be compromised. This in America because there's just not enough controls in place today that, that can stop free thought. Right? That's, that's the beauty of AI. And I don't think we want to stop the, the, the, the push towards like it being able to make decisions and, and do stuff. But we do have to have some light guard rails in place on there. So if we start building out that story of assuming that everything that we do is going to have some sort of compromise, then we can start worrying about where can those threats be. So there's a concept called threat modeling in cybersecurity where you look at kind of what's the art of the possible, right? Assuming that this can be breached and this is the permissions that it has, right? So you do have to think about your permissions at that point. Now we can start worrying about what are some of those guardrails that we have to put in place on there. And then, you know, let's, let's forget about how to stop it at this point. Right. Because the technology is going to be evolving and I think there's some interesting things out there today where you can kind of look at that tech and say, well, I can put this guardrail in place or this other one, et cetera. But if you have that threat model now, you have an understanding of where your greatest risks are, your greatest risks, and then have compensated controls put in place on those. And then we can figure out, hey, do we need to go back and maybe slim down some of these permission sets? Right. Because if, if this agent is capable of making changes to user accounts. Right.

B (23:33)

Yeah, that's. Or I can even imagine a weird side attack where this, Tell me if this is even reasonable. Let's say that I do have an agent that is reading through my emails.

A (23:49)

Yep. Right.

B (23:51)

Everyone wants this one because we get inundated with emails reading through my emails. And I, I set it up so it can read through my emails and then perform actions for me. We're at return an email, create a file, a whole bunch of things. I would love to interact with the computer just by typing emails and sending.

A (24:10)

It off to it.

B (24:13)

Someone can maliciously send me an email that if they knew I had a gen in the back end reading emails, it could do a lot of different things, especially if they figured out or if they just kept probing to see what other things this agent was connected to through an MCP server just by trying things out.

A (24:34)

Yeah. And people are going to do that. They're going to explore it.

B (24:37)

Well, I already have.

A (24:39)

Right. Yeah. We're building AI red teaming internally to be doing our testing because this is, this is something that we need to know where those threats are. We need people to be exploring and thinking about new ways.

B (24:53)

And that's like a zero, that's like a no click. That's a zero click attack, right?

A (25:00)

Yeah. That's active in the wild today. Right. It's crazy. Copilot and so forth.

B (25:07)

Yeah. So where do you see, let's talk five years in the future. AI is everywhere. Agentic AI probably that's what it's looking like today. Blockchain is probably going to be thrown in the mix even more as we get things. Let's not even touch quantum. Let's pretend that Quantum's out another 10 years. What do I have to prepare for a tax five years from now what do you think? Crystal ball.

A (25:39)

Me, crystal ball. I think that from an AI perspective we are going to be facing agents that are out there that will be attacking at all points. Right. They're going to be doom probing, they'll be compromising larger compute nodes to be able to take advantage of those agents. So we're going to have to think about protecting the hardware and the infrastructure that that is. I think we're seeing kind of a little bit of an evolution already in that space where these threat actors, they're going after cloud providers, right? They are going after the big jewels right there. Yeah. And so whether it's Microsoft or Google or the Salesforces or Oracles, et cetera, right. They're looking at those things. They want access to that information. They're going to use that to build new more powerful agentic ones that are going to be broader attacks. Right. They may not be even attacking your infrastructure. They're going to attack your integrated partners. Right. And your SaaS vendors out there. So we're going to just continue down that path. Right. It's going to get bigger and bigger. The types of attacks. Right. And the volume of data that's being lost is going to be I think exponential compared to where we are at today.

B (26:58)

So what do I do?

A (27:00)

I think the thing that we can do most is try to really protect the information that we've seen as sensitive. Know where your information is, know what, what's sensitive to your business. So start down that journey today. It takes a long time for a business to figure out what data is important to them and to kind of understand from a security perspective, hey, this is sensitive information or it's intellectual property or something along those lines. Especially these mid sized orgs out there. I can tell you we're as a society in the US that is the larger enterprises probably have a good scope already on their data security and data loss prevention. Mid sized businesses and small businesses don't. So we gotta, we gotta start there.

B (27:58)

And the cost of not doing it is, is super high. Right. I mean probably ransomware is the biggest threat. Would you say that's true?

A (28:09)

Ransomware is certainly a threat on there. I feel like they're, you're.

B (28:14)

It seems to cost most though.

A (28:16)

Yeah, right. It's, it's certainly like the number of attacks is going up and the cost is going down. So it's getting cheaper to get your data back but it's also more frequent because your data is in more spots. Right. And that's going to continue to be in more spots and more and more systems are going to have access to that information.

B (28:37)

So do you feel like retracting away from the cloud, away from SaaS is a better way to go? Because I mean, that's the first thing I would think is, oh, hold my critical data. And having a data strategy might be super critical. Right. Super proprietary data. I don't want to use a SaaS provider for that.

A (29:01)

I think, I think there's a, I don't know necessarily about retracting off the cloud, but I think that there is, especially in regulated industry keeping a hybrid state for that, you know, you know, AI uses of your data on prem. I think that that's at least a moving forward block for the, for some of the short term side. I think once we get a little farther ahead. Right. We start talking about quantum stuff. Right. I don't know if any of that matters anymore.

B (29:31)

Yeah, yeah, exactly, exactly. I've, I've had, I've had a couple episodes on the show with some quantum computing guys and some quantum safe. Quantum safe. It's ridiculous. Call it quantum safe. Quantum. What's the right word that people are using now? Quantum resilient type of strategies. It just slows the quantum computing and the hackers that have them down. It doesn't prevent it.

A (30:02)

Yeah, I mean that's, I think in the future state, once quantum's around, we'll have to see where we're at. That opens up a whole other set of questions for me around how do we even protect against that and what does the cloud look like and do we even want to be on there?

B (30:20)

Yeah, exactly. Hey Ben, this has been great. I've loved to go through the history of things to see how things have progressed and where we're headed. So thank you for coming on the show for this. If people want to find out more about this, especially these small and mid sized companies which you, which you brought up, they're a big target right now because they're more exposed than others. Where do they find out more information from you and about your company?

A (30:48)

Yeah, so I work for ProArc, ProArc Technologies headquartered out of Atlanta. Www.proarch.com also LinkedIn. Very active on there. Ben-Wilcox is my username on there frequently. I do have posts on there probably about four or five times a week around current security situations or technology. A lot of stuff on AI these days. Also I do have some upcoming speaking engagements. We will be hosting the Rochester Security Summit as a platinum sponsor. I'm speaking there around AI cybersecurity that is October 8th and 9th. And we also have a number of webinars coming up on AI in uses in organizations that have compliance obligations. So we want to make sure we kind of break down those barriers right, and get to a point where we can leverage AI successfully in regulated industries. It's kind of hard today.

B (31:49)

Well, Ben, you will always have a job because there's always bad guys out there. And thanks for coming on the show, people. Reach out to Ben and I most definitely need to have you come back next time we have a major breach. I'm going to give Ben a call and say, Ben, please help us through this.

A (32:06)

I would love to. Yeah, let's, let's talk about it.

B (32:10)

I love doing kind of the post mortem of these big attacks. All right, what happened? How did it happen? What was the impact? I think that, I think those are good episodes. So there's a lot.

A (32:22)

That sounds great. Darren, I appreciate your time today.

B (32:29)

Thanks for listening to Embracing Digital Transformation. If you enjoyed today's conversation, give us five stars on your favorite podcasting app or on YouTube. It really helps others discover the show. If you want to go deeper, join our exclusive community@patreon.com embracing digital, where we share bonus content. And you can always connect with other change makers like yourself. You can always find more resources@embracingdigital.org until next time, keep Embracing the digital Transformation.