A

Welcome to to the Point Cybersecurity Podcast. Each week, join Jonathan Neffer and Rachel Lyon to explore the latest in global cybersecurity news, trending topics and cyber industry initiatives impacting businesses, governments and our way of life. Now, let's get to the Point. Hello, everyone. Welcome to this week's episode of to the Point podcast. I'm Rachel Lyon here with my co host, John Knepper. Good morning, John.

B

Good morning, Rachel.

A

So I was doing a little reading this morning and there was an interesting article on ransomware. Ransomware is still that really great thing for attackers, but it was talking about how legitimate credentials and identity is now replacing malware in terms of the threat vector, opening the door for ransomware. And I thought that was kind of an interesting thing, getting back to legitimate credentials. And I feel like it's a blast from the past. I don't know.

B

Yeah, I think it is. I think, you know, finding ways to compromise systems with valid credentials is, is. Is definitely a major attack vector. And people, people let their credentials, you know, out there in the wild inadvertently through so many different vectors.

A

Yeah, it's old as time, like harkens back to the days of putting your password, called password, on your monitor so people can see it. Yes.

B

Oh, now everybody knows my password.

C

Thanks. Shh.

A

Well, I am so excited for today's guest. He brings over two decades of experience across technology, commercial and operations roles. He currently serves as Chief Product and technology officer at RealVNC. He's responsible for defining and delivering the company's product vision. His career began in strategy consulting at BSG and PwC where he led value creation programs and some supported M and A deals across the TMT sector and beyond. Since then, he has gone on to lead technology supported technology functions at both large corporations and startups, building high performing teams with a sharp focus on customer value. On the academic side, he holds a first class mechanical engineering degree from Cardiff University. I think it's a Master's of engineering, a mechanical engineering degree. I don't want to take away from you, Neil. And has more recently taught himself Python to develop deep learning models for forecasting applications. Welcome. Welcome to the show, Neil. Gad.

C

Thank you for having me.

B

Hey, Neil. So let's kick this off by tell us a bit about how framing remote access is a critical boundary for the cybersecurity industry today.

C

Sure. So remote access, by definition is creating a way to access devices across networks, between different users, different environments. So that's often in conflict with what a cybersecurity professional is trying to do. In terms of locking down access. So by definition we have an instant problem. So working in remote access, we have to therefore understand what the potential threats are and understand how we can align the concept of access, but actually under controls such that we can operate in secure environments.

A

So then this seems to parlay pretty well then into, I would suspect, a secure by design conversation. Right. Which is always fascinating. Right. On how we approach such things.

C

Sure. Whilst we design our software products in remote access for legitimate use cases, obviously there are malicious use cases, bad actors that could then hijack that access for their own purposes. So the design principles really have to be at the core of these kinds of software packages. So that means it's not like an afterthought, it has to be from the ground up, built around secure design principles and the bar has to be set really high. If you want to be credible in the remote access space, you have to have some table stakes basic security architecture that allow you to say that yes, this is not going to be hijacked and taken into the wrong hands and then expose data of your enterprise. So I'll give you some examples. So I hear all the time about industrial machines in factories, on oil rigs, for example, that use open source unencrypted remote access solutions. So when remote access was invented over two decades ago, it was open source, it was unencrypted, and only latterly in the last 15 years has encryption and other security wrappers been applied around it. But the number of times I have conversations with customers where they've got this open source legacy type of remote access, that's the first kind of thing where it's an obvious threat vector. So that's the first thing. Secondly, there's this concept of granular permissions or role based access control. So clearly in order to identify and keep out bad actors, you need to know who the good actors are and you need to know who has access to what and when. All right, so it's really important that organizations are able to identify who has access to devices, what access should they have, what's their role, what kind of things can they do? And then thirdly, after the fact, there needs to be an audit trail to know who connected to which device, when and what did they do, and preferably with a recording of what happened on the screen and on the device at the time. So those are some examples of secure by design principles which should be, as I said, table stakes in all kinds of remote access solutions, but they're not always there.

B

I think it's interesting that you bring up the unencrypted open source bit with the recent telnet vulnerability for unauthenticated root access coming out lately. But talk some more about what are the new risks that are emerging right now and, and what do you think people are overlooking like on that telnet thing, like who still has telnet out there in 2026, right?

C

Yeah, I'm not sure. There's a whole bunch of new threat vectors, right? Everyone's talking about AI, agentic AI and what it can do in the power of it. But unfortunately there are some things that are closer to home and more common. So if you think about what I call application sprawl, on any device you have many number of applications, users have different logins, different credentials for many different systems, and each of those is its own attack surface. And again, the number of customers that I speak to where that stuff is not locked down or not as clear as it should be, is very high. And therefore you're providing an instant potential vulnerability for a bad actor to take control. And via this legitimate pathway, using legitimate credentials, they can take control of your data and system. So unfortunately that's very common. So one of the other things that that also does is if it's increasingly common that in the age of LLMs and AI agents, an organization's data can be easily or more easily exfiltrated into an LLM. So again, a very common thing that I see is an employee uploads a bunch of data, proprietary information could be source code for a software vendor into an LLM to generate some results in terms of more code or a summary of what they ingested and that contains proprietary information. So all organizations should have enterprise data protection when they're using these kind of tools. That means that that data is not being sent to a cloud and used to train the LLMs and then is accessible by other organizations. So again, this is like a table stakes thing, but again it's fairly common and that's a new frontier where in my experience, cybersecurity professionals are paying close attention, but it's not always as locked down as it should be.

A

It's a really good point. I mean, I think our organizations today, thinking about remote access in the context of securing data, particularly right as data is moving so quickly and being created and going through LLMs and flying everywhere, are they thinking about it through this lens?

C

I don't think so. I think that the main way of thinking is to lock down access to applications, to devices. And this permissions control is really, really important. Lots of organizations do this very well, but all it takes is an unauthorized remote access application to be on someone's machine and all of a sudden you have a backdoor out of that organization to somewhere else. Right. So I talk about these secure by design principles in our remote access solution and in others, but then all it takes is a human to install an unauthorized remote access application or something that's unencrypted open source, as I mentioned, and all of a sudden you have a channel by which data can be exfiltrated. And that in my experience is something that's not always considered, or it might be considered untraceable. You can trace when an employee installs an application that they shouldn't, but perhaps then it's too late because they've already exfiltrated data away somewhere else. There's this shorter cycle in my experience, with which cybersecurity professionals have to react and the speed at which threats come is increasing and therefore the vigilance that's required is higher.

B

So you've brought up an interesting attack vector with the uploading data out to the large language models. I think a lot of folks are also now kind of as response to that, also evaluating their whole cloud versus on premise stance of most of their infrastructure and as some of the recent actions in the world have taken one of the major cloud providers, some of their locations offline, which has been newsworthy as well. So what's your opinion on cloud based versus on prem based, especially when it comes to securing remote access and in securing your systems and how your data's flowing?

C

Yeah, yeah, really, really good question. So cloud remote access is pretty secure, right? So as it goes with the protections that I mentioned, where you have end to end encryption, you have granular permissions, access control, these layers of security do provide a layer of protection, but however, at the end of the day, those connections are still happening over the Internet through a cloud. So whilst the end to end data traffic might be encrypted and cannot be accessed in transit, actually the devices that are either end could be accessed by a bad actor. Right. So because of those organizational attack vectors that we talked about in terms of using legitimate credentials or other ways of accessing the endpoints, it kind of devalues the encryption that you have. So a lot of organizations therefore prefer to have all of their connections on their own local network behind the firewall with completely air gapped infrastructure, and then it's basically hiding, they're just saying, hey, you know what, we're just gonna hide all of our stuff. Behind this firewall. So very commonly what I see is in industrial settings where you have critical infrastructure that's on the IT OT boundary, that tends to be on premise and it has to adhere to what's called the Purdue model, which is a set of guidelines around industrial control systems that have to be secured in a certain way and there are all kinds of regulatory standards around those. That's usually more prevalent where you have unattended access or a mix of attended and unattended access. So where you have unattended access to machines, especially if they're in an industrial environment, that's a higher risk factor because there's no user the other end in those circumstances, I tend to find that customers prefer on premise because it aligns with their overall posture on cybersecurity. Where you have attended usage of our laptops that we're looking through right now, those are going to be connected to the Internet anyway. Right. So it tends to kind of fall along those two lines in terms of how organizations think about whether to go for cloud or on premise. But I have seen a mixture of both. On premises is by design more secure because there's no Internet connection. But also cloud with the right controls and the right secure by design principles can also be equally as effective as long as your organization's security posture controls. Risk management is also aligned to that and doesn't become the weakest thing whilst you've got all this encryption, all this fancy stuff going on in your remote access solution.

A

I'm curious because I like to apply the AI lens to everything. Neil, Just ask John. As we know through Covid, everybody was in this rush to cloud hybrid environments and now with AI explosion, I've been kind of hearing different pockets of conversation of some organizations almost going kind of back to the past and doubling down on premises. Right. Versus the cloud. I'm curious if you're seeing the same or what you're hearing.

C

Yeah, similar over the last decade. I think that's certainly true. So more organizations that would have put more infrastructure in a cloud have gone the other way and have gone more towards on premise precisely for that reason. So if you think back 10 years ago, everything was going to be cloud based, all applications were going to be hosted somewhere in the ether and everyone was talking about data center and ramping up their AWS capacity and how all of that stuff worked. And there is a definite trend in the last five years post Covid with proliferation of remote working, remote access, there's definitely a higher risk factor. And so I do hear more from Customers and the industry more of a tendency to go for on premise to provide this kind of hiding as I call it,

B

kind of on this whole on prem versus cloud element as well. Right. Not only the AI exfiltration, but what about have you seen backdoors being implemented in on prem? Things like back channels out and how do you prevent those?

C

It's actually quite common. So a lot of on prem solutions, not just in remote access but other types of software, a lot of them do have a backdoor, they do have a connection from could be just like a single machine that can talk back to the software vendor's cloud and usually that's for the purposes of either tracking the data and analytics about the customer usage profile or it's to provide updates so you can kind of download updates to the software from the cloud. That is quite dangerous if you think you are on premise but actually you're able to download packages because that package could of course have a payload that's malicious within it. So some solutions just have a one way gateway outbound, especially in industrial environments. Often you get a sometimes hardware controlled gateway where there's only a one way data outbound flow and it's kind of read only. So that's a bit more secure than two way. But still it has a way in which an outsider can look at data on the inside of an organization that you thought was on premise. So in my role we spend a lot of time actually thinking about how to do fully on premise, which actually makes my life a lot harder. It's actually a lot harder to do software that is fully on premise with no cloud connection because it puts more work on the customer and they have to do more by way of setup because it's not talking back to back to the cloud somewhere. So whilst it's harder, it is actually more valuable and often it's essential and mission critical in particularly as I said in industrial settings manufacturing where the cybersecurity posture has to say it's fully on prem.

A

We've kind of joked a little bit in some past conversations on critical infrastructure, just let's go back to the stone age, right? Let's just take everything offline, make it manual.

C

Well yeah, like I said, there's a definite trend that way but I do think over time I think it's going to have to go the other way. So I think that organizations need to be thinking about how in an AI enabled world where I've got AI agentic workflows that is going to depend on a cloud somewhere down the line. So I think that what we're going to see in the next five years, or could be shorter, everything's happening lightning fast these days. So I think what we're going to see is actually organizations like mine are going to have to think harder about how they enable this same level of security that On Premise grants, whilst having some kind of cloud connectivity and a hybrid model. I think that's going to become more important because I think it's going to get harder and harder in the age of AI and agentic workflows to be fully on premise.

B

Yeah, I think too the whole cloud connectivity and the kind of velocity everybody's expecting has changed. But I think your point about secure by design and how that's basically a requirement, how do we go about making that a priority and how do we get engineering teams and so on to basically make that their priority?

C

Right, Yeah. I think it has to come from the cybersecurity organization laying down the ground rules. So we have a cyber security team. They tell me what I cannot and can do, right? So they set the guardrails around the architecture that I'm allowed or not allowed to build. Before I build anything, before anybody writes a line of code, we have to establish the boundary conditions and the parameters within which I have to work. And doing stuff in that order is really, really essential. There's no good building stuff and then going to the cybersecurity team and saying, hey, what do you think of this? You kind of have to do it the other way around. And I think if organizations adopt that posture, I think they will be more successful in achieving secure by design principles, because they had to think that way before they wrote anything.

A

But I mean, there's always this tension though, right, between are we slowing down innovation, are we not moving as quickly as we need, particularly in the age of AI. How do you have those conversations, Neil?

C

Yeah, they're hard. So my job as a product leader is to create customer value. I want to create seamless workflows that reduce friction for my customers. Right. And that is always in tension with, aha. But you have to have two factor authentication. You have to have these security guardrails that are going to protect the customer. And whilst it might be great that you save them a bunch of clicks or a bunch of elements of a workflow to accelerate their value creation, actually, you're also exposing them up to threat vectors. So this is the constant dialogue that I have with my cybersecurity organization, who are really, really talented, they are really, really skilled at what they do and Working out creative solutions on how we can achieve customer value without compromising on security. And that's really important. And I would advise all software organizations to think that way in this space.

A

Absolutely, yeah.

B

And I mean, with regard to that tension, are there frameworks in place that kind of help define this relationship and is that a way that will help a lot of organizations kind of get past that tension?

C

Yeah, there are some frameworks, like what's called zero trust or least privilege. There are standards like NIST which have their own software development lifecycle guidelines. So these are good starting points. We like to say that we comply with various different standards, as do other remote access providers. And it's really, really important that you're able to say, yeah, we developed our software in accordance with these principles. Principles. And it then becomes that. It's not a debate, actually. You have to comply with these frameworks and then you are recognized for them as organizations that could be trusted.

A

Speaking of NIST too, and this is getting into one of my favorite topics, quantum computing. Oh, it's so far away. But is it, Neil? But how should. I mean, in the remote access world, right? I mean, how should we be thinking about this? This?

C

Yeah, it may not be that far away. So depending on who you speak to, it could be anything from next week to 2035. Okay. So definitely in the next decade. This is something that all remote access vendors will have to think about. At some point in that time frame, a quantum computer of the future is going to be able to crack all encryption as we know it. So 256 bit encryption is going to be indefensible, potentially against a future quantum computer. So we're okay now, but all financial systems and WhatsApp and remote access solutions that use this kind of encryption become vulnerable and have zero enterprise value overnight if this kind of encryption is cracked. So nist has in 2024 published standards for post quantum cryptography that all remote access providers I'm sure are looking into. But there is no guarantee as of now that these will be quantum safe because we don't know what the quantum computers will be able to do. It's the best guess that is available at the moment to NIST and to the industry. But we are definitely thinking about it. I'm sure all other software vendors that use this kind of encryption are thinking about it. And there's going to be a, a point in time where this shift will happen and a quantum computer will crack this kind of encryption. It's based on this ridiculous maths at the moment, but It'll become not so ridiculous at some point in the future. So, yeah, it's really, really interesting. It's unclear what to do. I haven't seen any remote access providers actually move to these NIST standards yet because I think it might be too early. We don't know whether they're actually going to solve the problem. So it's kind of a waiting game. But you don't want to wait too long because it might be too late.

A

Exactly.

B

So with all of these, like, there's basically a confluence of basically threats on the horizon here, right? Quantum computing, the AI threats, the political unrest that's going on right now, what's kind of the most important of these things to be focusing on right now?

C

Yeah, I think right now certainly my organization, we are spending a lot of time thinking about AI and agentic workflows. Lots of organizations are thinking about and adopting AI agents to do lots of business processes. And that is creating a new way that remote access providers have to think about how agents interact with computers. So AI agents are actually really good at checking the box that says I'm not a robot, for example. They're actually really good at interacting with screens. In the last decade, there's been a wide proliferation of endpoint management, remote management and monitoring software. Platforms that basically remediate issues with devices at scale. Deploy this patch to these 1,000 devices. Done. So those kind of scale processes have proliferated in the last decade. But you do need a human in the loop to look at what's going on on a screen at some point because it provides richer information. So sooner or later, agents are going to be used at scale to do this in place of humans doing it. And they're going to get really good at interpreting the information that's on screen, because that user interface and that way of interacting with a device is actually the common currency of all devices. Not all applications have APIs. They don't have common APIs. So AI agents have to just get good at interacting with a screen which is designed to be interacted with. And so what we're going to see is a couple of things. We're going to see the volume of agents increasing massively. So instead of being limited by humans, human technicians looking at machines, you can scale up workflows that have thousands of agents looking at screens and interacting with applications simultaneously. That creates different threats. Then in terms of how do you keep pace with what's going on on all these devices in your organization? Because all of a sudden it's not limited by the number of humans that are looking at them. And then secondly, AI agents are also getting really good at understanding the vulnerabilities in software. So we use AI to detect vulnerabilities. So it's actually really good to our CyberSecurity team. Build AI agents, point AI agents, say, find the vulnerabilities in our source code, in our software. What are the threat vectors here? So if we can do that, then bad actors can also do that. And so the speed at which they were able to identify and exploit vulnerabilities in software, in applications is also going to increase. So from both sides there is an AI agentic arms race that's going on in terms of the number and volume of AI agents that are going to be interacting with computers is going to increase and also the way in which they're able to exploit vulnerabilities, some of which are often human, as I mentioned earlier. So those two things are going to create a bigger headache for cybersecurity professionals. And so I think that is the new battleground that we are facing, certainly in remote access space and I'm sure in the wider cybersecurity space more broadly,

A

how should organizations be thinking about, I guess meaningfully managing this? Because the scale that you're talking about and the speed is astronomical. How do you even get ahead of that, Neil?

C

Yeah, so I think some safeguards like enterprise data protection when using AI agents and LLMs, that's table stakes. Limiting access to sandbox environments, locking down networks and sub compartmentalizing your assets, your infrastructure, your data. So I think those things are meaningful controls that can limit the impact that AI agents can have and the proliferation that they can have into organizations. And also I think retaining human in the loop interactions. And so whilst it's great to automate a lot of workflows and have AI agents that you build to increase productivity, actually there is a quality control issue first and foremost. But also it's really, really important to have humans in the loop at various checkpoints in order to make sure that actually what's coming out is meaningful, meets quality standards, it doesn't introduce other vulnerabilities.

A

Have you heard, I was reading an article, I may be getting the name wrong, like Ironclaw or something like that, but it was because you give them all this access. Here's free access to everything. And I think Ironclaw was looking at more like a virtualized environment, right, to try to manage some of that. What are your thoughts on that approach?

C

Yeah, I mean this whole direction of travel is an inevitability Right. One fears. So I think that as organizations, as leaders in cybersecurity world, we have to be thinking about how we retain controls that don't just let the AI loose. And I do think that that is the way in which organizations are going to be successful in their use of AI or unsuccessful. Hopefully not.

A

Did you have another question, Jonathan? Because I was going to take a little, a left hand turn real quick.

B

Go for it, take the left hand

A

turn as I do. So coming back to authentication, Neil, this is another one of my favorite topics because multifactor drives me crazy. I'm not going to lie. The phone that is required to authenticate is always in the car or something. And, and I'm curious of what the future looks like because obviously you need it and thank goodness I have it because it has saved my bacon many times. But golly, golly, I just want it to be a little less intensive in terms of steps and effort.

C

I don't think it's going away, unfortunately. I think it is a key defense, especially biometric multifactor authentication where you need your face. I think in a world where credentials are not enough and in a world where an AI agent can easily behave like a human when it's interacting with a device, I think there's no substitute for your face, your biometrics, you're the human, you have to retain some control. So I think there's no way around it.

A

So you're saying there's probably more steps coming. So instead of two or three, we're talking like five, six, seven, just to really make sure you are who you are.

C

I'm not sure of the number, what it's going to look like, but I can tell you this checkbox, I'm not a robot is not a defense anymore. We need a new version of that that actually says, hey look, is there really a human here? What's going on? Websites have to defend themselves by rate limiting the number of calls that are made to them to avoid agents scraping them and so on and so forth. So it's going to be an arms race. And I do think that the multifactor authentication protects against this credential sprawl application, sprawl leaky defenses in terms of understanding who your employees are and who's still around, who's not. So I think that MFA is here to stay and I think it will get tougher in terms of more prevalence of biometric.

A

Awesome. And then I guess on that thread, what do the next five years look like? 5, 10 years for remote access in terms of evolution and integration into how organizations secure data secure infrastructure, et cetera.

C

So I think that the security stakes are going to get higher. Like I said, I think having some kind of hybrid on premise cloud setup that provides the security that an on premise product provides, whilst also allowing some kind of connectivity with AI agentic workflow for LLM access, I think solving that problem is going to be key. I also think that you have these two opposing vectors, as I mentioned, you have being able to interact with devices at scale without looking at the screen to manage them, but also you're going to have this increase in agentic interaction with screenshots. And so these two things are going to be tough problems to solve. How do you solve for and optimize a remote access product to be used by AI agents in a secure way? Right. That, I think is a really fascinating question for remote access providers and one that my team and I are thinking about hard.

A

I'm excited for the future, a little scared, as I think a lot of us are, because, you know, it's just moving so quickly and evolving so quickly and it's hard to kind of keep up with the cracks in the system at that kind of velocity. Right?

C

Yeah, yeah. I think it's really important that the cybersecurity folks that are out there, you know, their role is going to become ever more powerful. As I mentioned, I have a great team. I think they are going to become more and more powerful as they have to advise me and other professionals how to work around these increasing threats that are out there from AI. So I'm pretty confident that I can say we are very, very secure. We have lots of security by design ingrained in the way we do things, as I'm sure lots of remote access providers do. And so I think as long as that can keep pace with development, I think that remote access is here to stay and will become more powerful and we'll keep up with these threats and provide the assurance that customers need.

A

Wonderful. And then I like to kind of end our podcast a little more personally. And one of the things I'm always thinking about, I think we all are, is kind of the next wave of talent coming up and how they're going to be the ones that help us move forward and solve a lot of problems. And so those that are perhaps getting ready to embark on their professional care career, I hear a lot of what skills do I need? How do I, you know, what should I be thinking about in order to start being able to contribute to this industry? And I'd be curious on your perspective there.

C

Yeah, it's really interesting. It's a tough market. If you're a graduate right now going into the job market, what skills do you need? I think it's moved beyond being able to code Python or have a specific skill. I think what's really valuable is critical thinking, is empathy. I think these interpersonal skills are amplified in a world where a lot of the actual underlying what were skills two decades ago, they are becoming increasingly solved problems.

A

Right, right.

C

But the thing, the thing that AI is not good at is empathy, critical thinking, orchestration with a big, big picture worldview across multiple things. So you tell an AI agent something and all it has is the context that you've given it in a prompt.

A

Right.

C

It doesn't have the world experience of how is this going to work in practice, it's just responding to prompts. And even though you can set up wide array of AI agents and give it lots of wider context, it's never going to be as good as a human that has the worldly experience of how is this thing going to work in the hands of real people. And I do think that the critical thinking, empathy, interpersonal interactions, I think are going to become amplified. And so I think the way of using the AI tools as the knowledge inputs and then learning how to take that and applying it to real world situations, I think is the new world skill.

A

Yeah, I like that perspective. I think you're right. You're 100% right. Wow. Lots to think about. So you've given our listeners a lot to think about. So, Neil, thank you, thank you for joining us and sharing these wonderful insights. I don't know, do you have any other kind of parting comments that you'd like to share with our audience?

C

No, just thank you for having me.

A

Awesome. Thank you. And to all of our listeners out there, thanks again for joining us for another awesome conversation. And John is going to do the drum roll.

B

Please smash that subscribe button and you

A

get a fresh episode every single Tuesday. So until next time, everybody stay secure. Thanks for joining us on the to the Point Cyber Security podcast, brought to you by forcepoint. For more information and show notes from today's episode, please visit forcepoint.com podcast and don't forget to subscribe and leave a review on Apple Podcasts or your favorite listening platform.