David Moulton (3:39)

Isaiah, can you Give an example of a client who turned things around through a particular strategy or approach.

Isaiah (3:46)

Sure. I can share a powerful story about one of the major financial institutions that I've worked with. And that's a common story, but it's also very relatable with other customers as well. They had the traditional castle and mold security model pretty much everything. It's focused on those outside limits where you have the moat pretty much to get into the castle, which is the internal customer infrastructure. And with that model, we know thinking everything inside the network was safe brings some points that you need to be concerned with and you need to take into consideration when searching for your strategy going to the cloud. With that approach, they have developed massive blind spots into their architecture, leading to a significant data breach from a simple misconfiguration. Because the way castle node traditional architecture works is you pretty much ensure that you secure the outbound limits to access your infrastructure. So if something is disguised as something that's not supposed to be that particular thing, which is being tested again, a security policy, then you are vulnerable and all your internal perimeter gets compromised because of that. So after that incident, that was their wake up call, right? And working with Palo Alto Networks, our strategy was to help them shift to a more proactive cloud native security model. And with that, we start bringing to the customer the implementation of a true zero trust model, which is, imagine to better illustrate what the zero trust security model is, is in comparison to a Tesla and moat approach, imagine that. You know, first example I already explained here, and the zero trust model would be you are in a very big museum, a very technological one, with a lot of things implemented, and each piece of that museum has its own dedicated control. So to access each one of those individual art pieces, you have different types of security and different groups that can access that, that particular item at the museum. So that's more or less what the zero trust is. Trust nobody, everything has its own control. And no matter what it is, you have that comprehensive, secure layer applied to each element on your network. The outcome to that customer was remarkable. Their incidents dropped dramatically and the security team's confidence just soared after their competition. That was a good example of security leading the way for a faster, safer digital transformation, I would say.

David Moulton (6:46)

So you said that their confidence soared and the direction I wanted to go in was like, what does it look like for a client who's truly winning when they put these policies into practice? Can you talk more about some of the things that you've seen, what they're able to do, what they can Stop doing and maybe even go into that idea of like what does does the confidence going up, how does that impact a team?

Isaiah (7:13)

So when a customer is winning, it's all about achieving its digital confidence and operational resilience. Which brings to the points that I mentioned and a few things that I can talk about is verified access. Their users get access to what they need from anywhere on any device. Every connection is always checked and based on the principle of network trust, always verify. Which is making a comparison to the museum case illustrating zero trust. You know, never trust nobody, always verify to everyone getting to those different places where they want to go. They have unified security helping them to have a centralized management, simplified operations and much faster approach to how to manage their network and infrastructure security across the whole landscape. That also creates a strong security foundation that lets them build up on top of those security solutions without constantly having to look over its shoulders. Because the whole architecture, the whole zero trust platform brings them functionality and elements of the updates and elements that will keep them always in the game. They are always looking to the next. Especially now in times where we have so many zero days vulnerabilities. That brings the customer the capability to be always updated and always ready for what comes next.

David Moulton (8:52)

So let's shift gears a little bit and talk about collaboration both internally and externally. What role do cross functional teams and partnerships play in a client's success?

Isaiah (9:06)

Collaboration is everything you can achieve. Real security wins in a vacuum without proper collaboration from other areas. Without having your users and your remote users, all the companies people, without proper collaboration and from them. One of example of collaboration would be the security awareness. And that's a both way sort of collaboration. You cannot depend only on customers being aware and know what to do at all time. A good security awareness program. It's key inside this model of collaboration between users and operations. Another example is internally success on that will depend on departments working together. Not just IT, but also you have a great infrastructure set between your legal, your operations and business leadership. And that brings to the point that I mentioned that IT strategy needs to be aligned from the top, going down to the organization and sharing all the objectives. Once those things are aligned, the security program actually fits the business needs. And another great example is open communication that will ensure your clients and users to get the most value and support as threats evolve. So communication is key for enablement and communication is key for awareness. Communication is key for that alignment from the top down to every aspect from the business. Ensuring that you have proper alignment with IT objectives and business and making that cross functional Partnership and collaboration play effectively in customer success.

David Moulton (11:03)

You know, I know the cartoon that you're talking about and you know, it's like a boxing match and you've got millions in spend on one side and then you've got one user, Dave. And I've always felt seen as a guy that shared the name with the guy in the cartoon that you're talking about. And I think that you're absolutely right there where you know, all those tools don't collaborate. It really doesn't matter if you know, the end user is not able to participate in that security for themselves and for the organization. So you know, Isaiah, have you seen a customer successfully break down silos between security it and those lines of business?

Isaiah (11:44)

Sure. Customers that I observed that I had the opportunity to, to seeing them breaking down those silos are the ones that we can say they are truly winning because often involves a cultural shift and you know, culture eats a strategy for breakfast. That's another phrase I like to say on that. But when you're able to break that, that culture, to break that and have that cultural shift, it pays off enormously. So, meaning with the culture change, you can bring improvement on the way you utilize your tools. You can bring improvement the way users will utilize those tools. Because it's not just about the tools, it's about behaviors. You cannot expect someone to achieve the objective. And I'm going to give you a very simplistic example here. You cannot achieve someone, you cannot expect someone to achieve, to kind of properly hit the nail on the head. If they don't know how to use the hammer, they might be hitting with the handle or I don't know. So that's a very simplistic example about. It's not about the tools, it's about the behavior. And that's one of the biggest shifts that comes often from the culture and having the right program to set the new behavior into customers, to lead the culture to a point that you have communications that will flow freely through regular cross functional meetings and share platforms. And when an incident happens, you have that collaborative problem solving, not finger pointing. That type of integrated approach is what is essential in complex environments and is often the biggest indicator of a mature secure program. And consequently one good example of how organizations broke the silo between it and the business.

David Moulton (13:59)

No, I really like that and I think that your example is really right. You can imagine somebody picking up a hammer and holding it right near the head and trying to tap something in or getting their hand further back so they get the actual leverage of the tool and you know, you could put the same amount of work in in fact, you might be able to put in less work if you use the tool right and get better results. And not having everyone know what to do, not having everyone work together likely means that there's more work and poor results versus you know, going with this idea of like how do we reset so everyone knows how to work together. From from your vantage point, are there some common missteps that really do slow down security maturity even for the most well funded organizations?

Isaiah (14:45)

Yes. And even with a big budget, organizations can stumble. I can see and I can mention some common pitfalls that can slow down the security maturity on organizations. I can mention missing a clear strategy which means to the point that I being repetitive on IT so far is without a plan that is aligned with business goals and without an IT plan or IT and secure plan align with those goals, the security investments can become scattered and ineffective. Meaning sometimes organizations, they will buy solutions that they are doing patches and just trying to tackle pinpoints and isolated needs that they have in terms of security. Other important thing I'd like to mention is ignoring the people. You can have the best tools in the world, but if you don't invest in user training and awareness, you are still vulnerable to your network. And that brings us to that meme where you have the fighting ring man.

David Moulton (15:54)

For a second I thought you were going a different direction with that. You're saying that one of the things you needed to do is ignore the people. You had me going there in the first half.

Isaiah (16:04)

Yeah. Now that's the common pitfalls organization might take when acquiring secured solutions. That's like one problem that would slow down security maturity. It's often seen like organizations just ignoring the people in the sense, well let's implement this, let's just push to everyone. But we are not taking any clear and effective awareness program or the proper enablement just to have users utilizing properly that solution which bring to the previous answer about culture, behaviors and tools. Overly complex tools is another example. They can slow down security maturity. Too many disconnected security tools that will create confusion, will reduce visibility, the IT staff will encounter problems while using it. There'll be compatibility issues. It's overly complex, they need to do integrations, they don't have that flexibility that can leave dangerous gaps. And lastly here maybe failing to measure results. So if you don't track metrics, you cannot prove the value of your security investments and know where you need to improve. It's like having a map. You're navigating the seas but you have this map or there's nothing there, or if there is something there, you don't have a clear direction where you're going to. So without proper measurements, without proper KPIs, measures, leading and lagging measures, you might, you might be in that situation.

David Moulton (18:26)

So when we set this up, one of the things I was most excited about was to hear a story of client success, something positive. Can you share maybe what happened and why you think it worked in one of these customer success stories?

Isaiah (18:41)

That's a good question. And I can relate to an example from a fast growing tech company that was being slowed down by its own clunky security infrastructure. They had that sort of messy VPNs, frustrating types of connectivity, all sort of stitched together types of solutions in VPN concentrators here, internal gate is in one side and inconsistent policies. And their security team, because of that, they were always playing defense, unfortunately. Right. So they decided to make the change and embrace the Zero Trust mindset. Also being powered by a modern SASE architecture, secure access, service edge. Right. But this doesn't happen about the new technology. Right. It was a complete strategic overhaul underneath that, meaning they had to get everyone on the same page, security, it, the business with a clear plan from day one to avoid the pitfalls we discuss here, where they would be ultimately rendered ineffective if they were creating the plan and laying down the strategy and they had those gaps. So what worked well in that case? What was the positive client success history over there? So Zero Trust brought them that strong foundation. Right. Everything was very fine. And that dramatically reduced their risk, their inherited risk for users connecting to their systems and business applications. Right. Second, the SAASA platform was the engine that was providing them with security and secure fast access for everyone, no matter what they were. So SASE was providing that with the elements that they so much needed and in a way that it was far better integrated, consolidated and centralized and flexible in comparison to what they had before. And third, that whole change, that success they were achieving was helping them breaking down the internal silos, meaning that they start having security as a business driver and not a blocker anymore. They shift into that, oh, it's an IT problem. Oh, you know, we need to connect here. Oh, this is slow, this is pervading me to connect over here, over there. So if that whole integration of tools with that SaaS platform, with the visibility achieved, the management, they went from being vulnerable and slow to being confident and resilient. So they could now innovate and grow at full speed, knowing their secure program is now an advantage as an opposed being something cumbersome and in something just, just there because they need it.

David Moulton (22:23)

So let's look ahead. What are some of the trends that you see coming or maybe you're most excited about or hopeful for right now?

Isaiah (22:33)

So I'm most excited about the convergence of advanced technology into a more proactive and human centric approach to security and what that means. Now we have AI as a force multiplier for defense. And while we hear a lot about AI powered attacks, the use of AI in defensive tools is incredibly promising and big example. Let's look at our own solutions. Palo Alto Networks Precision AI. Now it's time to fight AI with AI. So what that means, that means that AI is now helping to automate tasks. It's helping with a lot of prediction models, helping to predict those threats, those zero days attacks, or if something happens based on all that new approach to security data and threat vectors, it'll help to predict those threats and vulnerabilities and allow security teams to be more strategic and less reactive. Because as AI is taking care of the commonly known existing threats in a reactive way that allow the IT teams to be more strategic about IT and use AI as a tool to kind of forecast and be ahead of those threats the best way they can. I'm also very excited and in a way like I want to learn, I'm always trying to learn new stuff. Power ops is great because it's every second I have something new going on. And another thing that's very exciting is the proactive approach that we have towards quantum readiness and quantum security. So the threat coming from quantum computing to current encryption models is real. And it's inspiring to see for example in common center inside starter cloud manager tools how we are having solutions that start giving recommendation and start analyzing customers quantum readiness before that becomes a crisis. Right. Let's say this foresight about building crypto agility into our infrastructure today, it's a very exciting thing. It's a very nice thing to see and to have for organizations. And finally beyond technology, I have great hope in growing recognition that cybersecurity is sort of like a team sport. Right. And that what sums up a lot of points that we discussed here, the focus on breaking down silos, fostering collaboration and prioritizing user enablement awareness education is this powerful shift towards this team support for cybersecurity. When organizations invest in their people and build a security aware culture, the technology truly gains its purpose. It truly gets utilized to the best way. This whole move toward shared responsibility is what will automatically make us all more secure.

David Moulton (26:16)

So I think you just introduced a new term to me, crypto agility. I hadn't heard this before, and I want to go back to it because I'm guessing that it might be something that I'm either way behind or you're way ahead head on and maybe spend a moment on that while you were talking. And forgive me, Isaiah, I had to look it up. Crypto agility is the ability to rapidly replace or adapt cryptographic algorithms, keys and protocols within a system without disrupting its ongoing operations. So if you're a listener and you're thinking, did Isaiah just drop a new phrase on me? Yeah, it seems like he did. Props to you for doing that right here on Threatvector. And if you were wondering what it was I just gave you the AI definition. What an insane idea. But one that I think is a real positive to be able to swap out those algorithms very quickly, especially in that context, Whether you're on the camp that says quantum compute is never coming and it's been one of those things that is something to not be worried about. We've had folks on the podcast near in particular who had that point of view, and then on the other side is like, you might as well be ready for it. And we've got some of the different tools that are necessary to help. As we've said with Richu, you know, like, you don't want to cram right before the test. So start that process today. And that way when Q Day hits, you're not struggling to keep up, because that's an impossible ask. Isaiah, thanks for this awesome conversation today. I really appreciate how much prep you did for our show and that you came on and you shared so many of your insights into cyber security, into customer success, and I'm looking forward to hearing from you again on the types of wins customers have as we advance on some of these technologies.

Isaiah (28:11)

Absolutely. Thank you so much for having me here. It was a pleasure. Foreign.

David Moulton (28:27)

If you like what you heard, please subscribe wherever you listen and leave us a review on Apple Podcasts and Spotify. Your reviews and your feedback really do help us understand what you want to hear about. If you want to reach out to me directly about the show, email me at threatvectoraltonetworks.com I want to thank our executive producer, Michael Heller, our content and production teams, which include Kenny Miller, Joe Benedict, Court in Virginia Tran, original music and mix by Elliot Peltzman. We'll be back next week. Until then, stay secure, stay vigilant Goodbye for now.

Isaiah (29:14)

Sam.