Hi. This is Kevin Donahue with Protiviti, happy to welcome you to a new edition of Powerful Insights and our series on Cybersecurity Awareness. Protiviti has a series of webinars on cybersecurity awareness that, along with these accompanying podcasts, are intended to highlight ways organisations can be proactive in addressing these critical security challenges today. We explore how leaders can dynamically build cyber resilience while maximising value.
In the series, I’m talking to our cybersecurity leaders and experts who are speaking on our webinars and are in the market daily working with organisations to address these challenges. I invite everyone to visit protiviti.com/security where you can find and listen to webinars we’ve held on these topics as well as find our many other pieces of content addressing these issues.
With that, I’m happy to welcome my two guests today. Randy Armknecht is a Managing Director with the Security and Privacy practice of Protiviti based out of Chicago, and Isaac Zapata is a Senior Consultant also with our Security and Privacy Group and Isaac’s out of Seattle. Randy, thanks for joining me today.
Yes. Great to be here, guys. Appreciate it.
It’s a fun one. It’s always interesting to try and clear this up and try to bring it down as far as what I do here, but I think that my usual response there is I do my best to prevent bad decisions from being made and also implement good decisions as it pertains to security and IT, kind of working with clients and understanding what the issues are and making sure that we go the right path. I think that’s pretty much where I’m at there.
Yes, well put, so Randy, you’re up. How would your parents describe what you do for a living?
I actually asked my mom this recently and she told me that I work with computers. I pushed her a little more on what specifically do I do with them, and she did get around to, I help companies protect their information from hackers.
I think cloud is really helping businesses transform the way they run IT and when they do that, they’re able to create more value in a condensed period of time. They can often move faster. They can better connect with and collaborate both internally with their own workers as well as with their customers, and the amount of data that can be produced in the cloud allows them to use cool new technologies like predictive analytics, machine learning, AI, et cetera, to analyse that data and make better decisions faster. While this is all great and all in the cloud, if they don’t secure it, those benefits are all at risk, so I view cloud security as helping businesses maintain that extra value that they’re trying to capture by operating it in the cloud.
I think the biggest thing I would say is the idea that security is kind of a zero-to-a-hundred game. You’re either 100% secure or you’re not secure at all. I think one of the biggest things that we have to educate clients on, customers on, is that security is really a trade-off in the cloud. Randy has talked about all the major benefits you can get in the cloud and all these great things you can do. We have to secure those things but when you secure as well, it does have impacts as far as what you’re doing, how you’re operating, and it’s definitely a process that’s ongoing. It’s not something you just flip a switch on and it runs. I think that’s the main myth that you can turn on certain features, certain capabilities, but it doesn’t mean you are 100% protected and in some cases, you have to make the trade-off decision, economical decision to determine how far you can go and how far you can’t go and what you’re willing to accept and try to do. I think that’s probably the most common myth I see, is that you can be 100% secure to turn everything on when that is definitely not the case.
Yes, I definitely agree with what Isaac said and I’ll just mention another common myth that, thankfully, has become less common this year. This year, I haven’t heard it as much. In prior years, I heard it quite often and that’s that an organisation’s data was always safer if it was in their on-premise data center than if it was in the cloud. The view that moving to the cloud had these business benefits but they were always sacrificing security that they would be safer if they kept it in their own data center. That’s in most cases simply not true. Unfortunately, a lot of clients have underfunded, understaffed, and sometimes even underskilled security teams and infrastructure teams supporting those environments, and so they can actually gain quite a bit of security by moving to the cloud.
Absolutely. All of the major players are making very significant investments into their cloud platforms to make sure that they are operated in a secure fashion. There’s a concept we covered on our webinar around the shared responsibility model, which says that there are certain things that the cloud providers are responsible for securing and there are other things that the customers are responsible for and massive investments in the things that the cloud provider is responsible for.
The latest challenge that I see in a lot of clients is that of staffing or scaling up their teams. Finding qualified cloud security resources on the market that are looking to make a move is difficult and when you do find them, they often command a premium in their salary, so that can be challenging for a lot of organisations. Then the other challenge is they have teams of people that know their jobs well and are very good at it and when you move to cloud, it’s a lot of the same concepts but things have been twisted slightly, so it’s almost like you’re learning something entirely new but not quite. It feels familiar but if you go forward with your same familiar assumptions, you’ll miss some things. It’s a challenging thing for a lot of teams to learn and scale up on and it definitely creates a challenge for clients that are moving to the cloud as they need to reeducate their workforce.
That’s 100% my thoughts as well. The good thing is there are plenty of vendors out there on the market that try to assist and they are scaling up their teams and it’s just key there for our clients to understand and plan for scaling their teams up along with their cloud journey, not just focusing on the infrastructure aspect but also the business office aspect, making sure that their teams are ready for the ride and not left behind.
Isaac, that actually is a good segue to my next question which is for you. What’s the one question you are asked most often by companies or your clients and then how do you answer that?
I’ll mention a few different things here. First off, there are two commercial products that I’ve seen at a large percentage of my clients and the client satisfaction with these products is quite high and I think they do a nice job of addressing security within the cloud environment. The first one being Prisma Cloud by Palo Alto. It really helps clients understand where their configuration compliance is at and where are other issues that the team needs to address. It’s cloud-agnostic so it will work across all your cloud environments.
The other one is Twistlock, which helps really dive into the security around your containers. They’re organisations that are taking a containerised approach to building out their infrastructure. Twistlock is just fundamental and something that I’ve seen at a very large number of clients in terms of container security, so two great products there.
With Microsoft Azure, they’ve recently released a product called Sentinel. Sentinel is a security logging and monitoring tool that gives you visibility into the environments and it natively pulls in your Azure logs and the O-365 logs, and uses AI to highlight events that are going to be of interest to your security team. It, of course, integrates with other systems and products and logs that you may want to pull in. A great product there.
Then within AWS, there is a product that I’m a big fan of called GuardDuty. GuardDuty is similar to Sentinel, will go ahead and use artificial intelligence to comb through your logs and look for events of interest that your security team would probably want to go ahead and look at. One of the cool things with GuardDuty when they announced it at Re:Invent a few years ago was they were like, “Okay. We’re going to demo how to turn this on,” and they clicked one checkbox and they were like, “Okay, it’s on.” It’s a very straightforward tool. They had a great presentation with it and I’ve seen a lot of clients get value from it.
Randy and Isaac, I want to thank you both for joining me today. I have one more question for each of you. First, let me remind our audience to visit protiviti.com/security where, again, you can find our webinar series on Cybersecurity, as well as other content and research from Protiviti.
A final question for both of you. Isaac, I’ll have you respond first. With regard to this field of cloud security, what are you most curious about right now? I guess I would add to that, what are you most curious about in terms of how things are changing and developing that might change over the next decade or so?