Podcast 79 | Zero Trust With Dr. Chase Cunningham


Identity at the Center is a weekly podcast all about identity security in the context of identity and access management (IAM). With a combined 30+ years of IAM experience, hosts Jim McDonald and Jeff Steadman bring you conversations with news, topics, and guests from the identity management industry.

Do you know who has access to what?

 



Protiviti Podcast Transcript
Male
You’re listening to the Identity at the Center podcast. This is a show that talks about identity and access management and making sure you know who has access to what. Let’s get started.
Jeff
Welcome to the Identity at the Center podcast. I’m Jeff and that’s Jim.
Jim
I’m excited about today’s episode. We’ve been talking about zero trust so much in past episodes, and our guest — well, I’ll wait for you to do the introduction — but he was the first person to explain it to me in a way that I understood. Fortunately, what I can say that for myself is that was many years ago, but still I’ve been hearing about zero trust for what feels like over a decade now, and this person can really distill it for us. So, without further ado, I’ll turn it back to you. 
Jeff

Yes. Let’s go ahead and introduce Dr. Chase Cunningham. He’s the chief strategy officer at Ericom Software. He’s also the author of the book Cyber Warfare: Truth, Tactics and Strategies. Welcome to the show, Chase.

Chase Cunningham

Hey, thank you all for having me.
Jeff
Well, thanks for joining us. Jim is right. Zero trust has definitely been top of mind. I think it has only just kind of grown in mindshare, especially over the last year or two, especially with the pandemic and people trying to figure out how to get people access to resources in a safe and secure manner. Maybe they planned on this type of approach, or maybe they didn’t, and they’re being forced into it. So, I’m looking forward to having this type of conversation with you to help educate our listeners and ourselves around some of the capabilities and things that go along with zero trust. Before we get into that, anytime we have a guest on the show, we always like to find out a little bit more about their identity and access management background. So, I’m curious, how did you get into the identity space? Is it something that chose you, or did you choose it? 
Chase Cunningham
Well, I would say, like most other things in my life, I’ve been blessed to stumble into spaces that seem to be beneficial, and identity has always been something that’s been core to my perspective on cybersecurity. I came out of the military and the government. I did a lot of red-team type of things there, and then I did a bunch of that on the consulting side after. For me, I always was wrapped around the perspective of “I’m not going after firewalls. I’m going after users, accesses, passwords, hashes and those types of things.” So, that’s where I would say I really became specific to thinking about how critical identity is to the whole cybersecurity paradigm. 
Jim

Chase, before we jump into the whole piece about zero trust, tell us a little bit more about this book.

Chase Cunningham

I was lucky that Packt asked me to write it. They basically said, “What kind of topic would you want to write?” I was like, “Well, I would like to write a book about strategy in cyberspace and about what I consider to be the historical proof that this is a battlefield environment, not that it is a place for sending kiddie pictures to Grandma.” Obviously, it happens and it’s necessary, but it’s really a combat field, and the only way you survive combat is to have a strategy where you outlast the adversary, and that was the approach I took in the book. I think all the feedback I’ve gotten has been very positive. It’s been nominated for the Cybersecurity Canon Hall of Fame, and the focus of it was really about “If you do these things, this is what you should expect, and this is the reality of the space in which you operate.” 

Jeff

So, how do you get started writing a book? This is something that’s always interesting to me. How do you sit down and buckle down and put pen to paper or finger to keyboard to get something started? 

Chase Cunningham

For me, it was really one of those deals where they reached out to me and said, “Look, we’d like somebody to write a book about cyberwarfare.” Then they said, “Go at it however you like.” I mean, that’s the fourth book that I’ve been published or copublished. I’m working on another one now, and it’s one of those deals where I’ve always found that you just start. It doesn’t really matter if you think you’ve got Hemingway in your blood or whatever. You just word-vomit and work your way forward from there, and eventually, you can keep polishing that thing until it becomes a good piece of literature. I mean, that’s where you’re trying to get to. I would say, to be totally honest, I have never started a writing project with an end state in mind. I just start writing. 

Jim

Chase, I haven’t read the book yet, but I just threw it in my shopping cart on Amazon. So, I am going to get it. One of the things about security, and identity and access management, that I always found was that if you’re in an industry, your companies are competing with other companies. However, as security practitioners, we are in the same boat together. I’ve been willing to share not inside secrets per se, but at least approaches, frameworks and information that we’re all in this together. So, I’m wondering, how does that strike you, that statement that I just made there? Then, also, were you interacting a lot with other folks in the industry to get information, to cite them, as you were going, or was it just really you sitting down and just going from your brain? 

Chase Cunningham
No, I reached out to a whole lot of different folks. I was very fortunate that I had the first PIO for the federal government, retired General Gregory Touhill, who wrote my foreword, and he gave me some insights too. I talked with a whole bunch of other folks, including the founding father of ZT, John Kindervag, and others as far as getting that. I always want to make sure that when I’m working on something, I never do it in a vacuum. I know there are a billion people way smarter than me, so I love to pick other folks’ brains. That was where you can start seeing trends. It’s interesting to me when you say that we’re all connected and everything else, because we are. We’re even more connected nowadays, but when you get into looking at the trends, data and indications of where this space gravitates, you have to try to ignore how vital identity is to this whole thing. I mean, it is key and core to the entirety of cybersecurity. 
Jim
Let’s shift a little bit toward zero trust, because as I mentioned before, you were the first person to explain it to me in a way that I really started to get it and understand. At the time, you were with Forrester. One of the things you did was, you gave a little bit of historical background of zero trust. Maybe we’ll start there. What is the historical background? Who is it the brainchild of? Then, how did it evolve from that point? 
Chase Cunningham
 If you go back to the very earliest reference to ZT, it was in 2003, 2004 with a group of CSOs and academics in the APAC region that were called the Jericho Forum, and what they were doing was thinking about “Well, what did security look like when you looked at the fundamental requirements of an infrastructure, and would that work when people weren’t inside of an office?” At that time, they weren’t necessarily thinking about big cloud and the postpandemic society, but they were thinking about “There is going to be more remote work. People are going to be outside of the corporate office. Everybody is moving with their laptops.” That was where it began. 
 
Then, if you go forward from that a little bit more, John Kindervag, who was an analyst at Forrester prior to me being there, he saw what they were talking about. He thought it made a lot of sense. He can see the trends going in this space, and he said, “Well, what are the fundamental things we’re dealing with at large within an infrastructure? It’s trust relationships. In order to be more secure, we should strive to get toward zero of established trust relationships. Therefore, let’s call it zero trust.” Earlier on, it was called deperimeterized security, and that’s just not good marketing, to be perfectly frank. Zero trust is much more succinct. Then, from there, it was like firewall, data identification, etc. As we’ve evolved over time, now it has become an all-encompassing strategy that gravitates around what users do, how they access things, access their privileges, all those other sides of it.
Jim

Well, you are on the Identity at the Center podcast, and I feel like identity really is at the core of a good zero trust approach. I’m wondering if you agree with that. How do you see identity fitting into taking that zero trust approach? 

Chase Cunningham

 I published this a while ago: Identity is the mechanism around which the gears of zero trust revolve. Sean Ryan and I, and other analysts at Forrester, published a paper on identities beyond human, which is also interesting, because if you think about it, machines have identities now. Robots have identities. Cars have identities. I mean, if it has a unique identifier and it does something digitally, it has an identity, and all of those things are potential avenues of compromise. It’s not necessarily the human issue, but it is an identity. You hear people say all the time too, “Well, the most secure system in the world is the one no person has ever touched.” Correct. The reason that is, is because no identity, no access, no user of any type has ever been on that system. So, if that’s the reality, then it must mean that identity is the central point of this thing. 

Jeff

Obviously, we named the podcast for a reason. So, it works out pretty well from that perspective. With all this talk around zero trust, something that gets lost sometimes is, who is zero trust right for? Is there a certain type of organization? Is it based on size? Is it based on resource? Is it based on vertical, or is it really something that spreads across pretty much everywhere? 

Chase Cunningham

Well, it’s one of these things where it’s about security strategy, and I do workshops with folks all over the world, talking about how this can be applied to them. It’s OK if you’re one of those organizations that doesn’t like the term zero trust because you think it might hurt your relationship with employees or whatever. Fine, but the basics of it are, what you’re trying to focus on is what you should consider, like the physics of what’s required to cause compromise — which is inherent trust relationships, default configurations, all those things that we talked about — and removing those by the practices that you’re putting in place. 

You can call that strategy whatever you want. However, the industry has accepted ZT as kind of the common point of conversation. This is not something that is inherent only to mega enterprises. This works for mom-and-pop shops. I have a zero trust environment here in my house. This is something that can be applied to anybody, everywhere, and that is the real beauty of an actual strategy. It’s that it’s something that can be translated between organizations or even between users. 

Jeff
All right. So, now you’ve got me interested. You mentioned zero trust in your house. You’ve got to explain what you mean by that. 
Chase Cunningham

 I’ve got my firewalls and everything else. Then I’ve got a Wi-Fi network working for my kids and everybody else, but me, in my office, I run on my own separate LAN. I connect direct to where I need to go. Everything has got MFA on it, na-na-na-na-na. I’ve got my own little corporate setup. For my kids, they’re all running on Chromebooks. They all run through all their own segment of the network. They can only go out to where they need to go, and they have MFA applied to everything they need, and it is where I am in control of the router, firewall, switching infrastructure. So, when I see stuff — and I get a report every day on everything going on in my network — if there’s an anomaly, I’m investigating it. It’s one of these deals where it took me maybe two days to get it configured the way I wanted it, but it’s up and running, and I can look literally right now and see that one of my kids upstairs has got too many scans running on their machine. So, later on today, I’m going to have to figure out what’s going on with that thing. 

Jim

 I think about when I got into IT many moons ago, and the approach of the corporate network was “There’s a firewall. Outside of the firewall are outsiders. Inside of the firewall are the insiders, aka the people we trust.” I think what zero trust is about is that just because you’re inside the firewall, it doesn’t mean that you can be trusted. Not that you’re not a trustworthy person. It’s just that, number one, people can get past firewalls. There are many entry points into a network. Number two, when you look at data breaches that are occurring, something like a third of them are insiders that are performing data breaches. Here’s another point that I want to make. It’s that I don’t think that the firewall is not something useful. I mean, heck, you just gave a breakdown of your — 

Chase Cunningham
You’ve got to have firewalls, yes.
Jim

Yes, the firewall is not going away. It’s just that just because somebody is inside of the firewall or just because an identity is inside the firewall, it doesn’t mean that its activities can be trusted. That’s the way I’ve been thinking about it. 

Chase Cunningham

I like to think about it too as far as, if you’re thinking about zero trust at the broad, strategic level, it’s like if I think about what goes on when I’m driving my vehicle somewhere. This is a little bit crazy, if you think about it, but when I get in my car, I don’t have to do things to make myself safer. It’s about as safe as it’s going to get, because I have airbags that are automatic. I have a GPS, which is built into the system. I know where I’m going. I’ve got a seatbelt. The engine has got governors on it that will only allow me to go so fast. 

Then, when I get on my network — quote-unquote, the street — that is owned by the state, and the state and the federal government have made it where I can get where I’m going and pipe me directly to what I need to do, and then I do what I’ve got to do, and I come home. That’s kind of what you’re talking about when you think about what it should look like as far as firewall, network infrastructure and moving a user from somewhere to somewhere else. You don’t, hopefully, just jump into your car — you don’t do any security or anything, no safety, whatever — and you just bag it down the road and hope that you’re going to get where you’re going safely. It’s about leveraging the resources that are in front of you and having security and safety built into the apparatus that you’re using. 

Jim

About a year and a half or two years ago, I started seeing a lot of IAM and security products saying, in other words, “We’re zero trust certified.” Not really, but — 

Chase Cunningham

Yes, because there’s no certification. Yes. 

Jim

Yes. They’re packaging and they’re marketing around zero trust, which is cool, because it started to create that mindshare where a lot of the clients that Jeff and I work with were saying, “Our target is zero trust. We’re working toward a zero trust framework.” You’ve mentioned you’re consulting with organizations and telling them how to get toward zero trust. You run into clients at all ends of the spectrum in terms of how mature they are and how ready they are. Talk to us about how you approach that and how an organization might get started down the zero trust route. 

Chase Cunningham

Well, it really boils down to, there is a maturity curve here. The maturity curve is based off of where you are in the space around compliance. While I’m not necessarily a fan of compliance being your end state, it is a good line in the sand for where you are. So, if you’re an organization that has been heavily compliant — healthcare, banking, whatever — you probably have solved a lot of some of the more intricate problems in cyber. At least, hopefully, you have. You’re probably further along the road toward a more zero-trusty-type infrastructure. Whereas, if you’re new to cyber — you’re a small business, you’re outside of those heavily compliant frameworks — you’re probably solving for what you would consider to be the earlier problems in ZT, and that’s OK. The thing about this is, solve for what you need to solve for — it’s not everything all the time — and continue to invest in the things that solve those problems strategically as you progress going forward. 

Jeff

There’s really an order of operations, then, to getting zero trust in place. You have to have the basic blocking and tackling in place to be able to get to zero trust, or do you see it as being able to start at either end of the spectrum, whether they’re immature or not? 

Chase Cunningham

If you look at where the market has been trending, the smart play is to try to move more to the cloud faster because that is your greenfield environment, and you can do so much more. Google just published their BeyondCorp stuff — you could build a zero trust infrastructure in Google and be good to go. Microsoft has got their zero trust thing for Azure. It’s starting to show up in more places. The better place to be if you do it correctly — let me make sure I caveat that — is the cloud. However, you can still enable ZT in legacy infrastructure, but it’s probably a bit of a heavier lift. 

Jeff

Yes, there are probably more legacy decisions that would be made that need to be unwound and unspun within an organization. Is there a particular type of organization or company that you see has been doing zero trust pretty well? I’m not talking about things like Google and Microsoft, where they obviously have their own type of implementation approaches. That, we can talk about in a minute, but I’m curious from a real-world example, do you have any that you can talk about?

Chase Cunningham

Well, a really great example, as far as the long focus on this is, we’ve been doing a bunch of work with the federal government — specifically the U.S. Navy and the U.S. Air Force — on their migration to ZT. For them, I mean, this is a giant infrastructure, a 400,000-node network. They say, “Our plan is to be a manageable zero trust infrastructure by 2030.” So, they’re talking 10 years or nine years of evolution, and they’re very, very pragmatic about it. The leadership there has said, “We’re going to start from scratch as we move into this GovCloud infrastructure,” which is super. 

Then there have been some banks that I’ve worked with that have said — an interesting point for them was — “We want to move to ZT, but we’re going to start with 5,000 users.” My response to them during those workshops was, “Let’s start with 50, all right? Five thousand is huge. That’s boiling the ocean. Let’s make sure we have everything right — entitlements, accesses, privileges, logins, MFA, na-na-na, for 50 users. When we have that, then we can go to 100, and then we’ll just continue to replicate that going forward.” To their credit, they said, “Look, this is going to take us —” I think double what they had estimated in time, but they’ve been getting it right.

Jeff

 Yes, I would imagine that a lot of it is predicated on the concept of roles, which are applied to the rules within the zero trust framework. 

Chase Cunningham

Role-based access.

Jeff

 Yes. If you’ve got a 400,000-node network, in the case of the government, that’s going to take some time to slot people into the right roles.

Chase Cunningham

Those networks were built in the ’60s. 

Jeff

Yes. Is there a zero trust for punch cards? That might be a good one.

Chase Cunningham

It’s funny you mentioned that, because I did do a workshop with a government organization that still has punch cards. For that, it was like, “I think you just segment that off.” 

Jeff

Let’s talk a little bit more detail around BeyondCorp, which is Google’s version of zero trust. I want to say it was just a couple of days ago. (We’re recording this on January 28, for those who are interested in the fourth wall.) That has now become generally available. I think that’s a good starting step for folks, at least who are on the Google Cloud Platform, but I believe it still works across other clouds and maybe even on-premise applications as well. One of the things that is important to their implementation of this, and to all of them is, this concept of an identity-aware proxy that sits in front of applications that basically translates the rules or the roles that are assigned and then matches that up with the resources. Is that the correct way to think about it, at least in the BeyondCorp version of it? 

Chase Cunningham

Yes. What’s a really good point to take away there is, Google started putting things together for an infrastructure a few years ago, after the Operation Aurora thing. You notice that you haven’t heard Google in the news in the last couple of years as far as compromise or breach activity, and they’ve deployed BeyondCorp for them, their zero trust implementation, globally, and it’s been a real game-changer. So, when you see a corporate entity that’s that big, that’s that diverse, that’s that fast to do these types of things and it works for them, it’s a good thing — we can aspire to that too. BeyondCorp as a service is actually pretty slick. I haven’t gotten my hands on it yet to play with it, but I’ve seen the demo, and I’ve had briefings from Google. It’s a pretty cool system. I’m a big fan of the GCP infrastructure because you can do lots of things. They’re making it where you don’t have to be a zero trust PhD to do zero trust things.

Jeff

Yes. I think one of the benefits, too, from the Google side is, they have YouTube. They have scale, and they have the latency issues figured out because they’re running it internally at least for Gmail and their YouTube infrastructure. I will include a video that I found that explains how you get started with BeyondCorp, and what are the different components around it so that, hopefully, that’ll help people as well. Are there any differences between what Microsoft is pitching as zero trust versus Google’s version of it?

Chase Cunningham

Well, I think Microsoft’s one thing that they’ve done different, besides the Titan Key, as part of their authentication protocol is, Microsoft has set up — I guess you’d call it a work center for organizations and businesses to talk with them, and they have people there that are dedicated to help you figure out how to use Azure, set stuff up with Azure, leverage the resources there correctly. It’s one of those deals where it’s kind of cool. Well, it’s not kind of cool. It is cool, because it’s a way of guiding people through the process of using Azure to do it. While Google is good because it gives you the capability and that breadth of offering across an infrastructure, they just drop it on your lap and say, “Here’s how it works.” Whereas, what I like about Microsoft is, it’s big and it’s complex, but they do have dedicated resources where you can go and say, “Hey, I don’t know how to do this.” Then an actual human will get there and go, “Look, let me walk you through that process.”

Jim

Chase, I thought it was really interesting how when Jeff asked about organizations that are leading the charge, you mentioned some of the military and banks. I think to myself, “OK, yes, the benefit for them, the risk profile, it’s kind of obvious,” but what I’ve been seeing is that attacks are heading downstream toward smaller, midsized businesses. I think for those organizations, a lot of times, the security and identity practitioners are having to convince their upper management that “Hey, we need to be secure. Maybe not as secure as a bank, but we’re at risk as well.” So, maybe you can talk about changing mind-sets, and what you’re seeing in terms of small and midsized businesses needing an approach like zero trust. 

Chase Cunningham

Yes. That’s also a funny thing you would say that because chapter three, page 55 in my book — literally, the title of that is “Attacks Move Downstream.” I think what we’re seeing is that the adversaries have realized that the government, big banks, big healthcare, they have figured out the way to make themselves a harder target, and obviously, they can still be got, because anybody can, but they’re at least typically a more difficult target. What does that mean for the adversaries, especially the adversaries that are not government-related, hardcore EAT, persistent-threat-type operators? That means you go after the slow gazelles, and the slow gazelles on the cyber Serengeti are small and midsized businesses. You go after them with things like phishing, drive-by download, ransomware and those types of acts. 

The goal there is to get in and then weasel your way up into those bigger infrastructures because of shared privileges, excess access, bad passwords, all the things that we know will eat your lunch. From the adversary perspective, why would I waste my time trying to bang down the door of the FBI when I could work my way through a business that has access to something that does bigger work within the federal government or a big bank? That’s what we saw with SolarWinds — SolarWinds isn’t a small company, but what did they do to get in there? They worked through the software vendor’s supply chain to get in, and then they worked their way into infrastructure. It’s a great example of moving downstream to go upstream. 

Jeff

So, for our Talladega Nights, they’ll say, “If you’re not first, you’re last.” In this case, if you’re not last, you’re first, right? It’s about not being the lowest-hanging fruit and the easiest target for people. As long as you’re faster than the other person that the bear is chasing after, you’ve got a pretty good shot of getting away. Is that accurate? 

Chase Cunningham

Yes. It’s also one of those things where people need to remember, like I said, that this is a warfare environment, and there are no allies. There’s no Geneva Convention in cyber. There is no rule or law that says that you can’t be gotten by somebody. It is literally whoever isn’t the harder target is going to go down sooner or later. It’s not a matter of being afraid. It’s just that’s the reality of what it is. You’re transiting an environment that is the only place in history where every human, every access, every business, every government is all at play in the world of trying to get one-up on each other, and that’s where the slow gazelle gets eaten by the faster lion. 

Jeff

Yes. I guess that’s probably also important to note too, if someone is specifically targeted, then — 

Chase Cunningham

You’re going to get got. That’s it. You’re going to get got. 

Jeff

Let’s talk a little bit about what Ericom does, because I find it very interesting around the remote-browser isolation concept that you’ve worked into zero trust. Can you talk a little bit about, at a high level, what is it, and how does it fit into that zero trust framework? 

Chase Cunningham

Sure. We have a new offering that’s going to be launched, I think, in March, which is specific to small and midsized enterprise. It’s all obviously interrelated. I wrote about this a couple of years ago at Forrester. I was interested in it as far as I thought it made sense in the context of ZT: What does everybody use to access the internet? Well, they use a browser. Then, where would you get attacked most likely? Via the browser. So, it just makes sense, based on the historical context of endpoints not doing well and antivirus failing when adversaries go after you, to try to run protection when the software is actually on your machine. Or, can I use the cloud, put an emulator up there, and the user doesn’t know that they’re actually operating in a cloud-based virtual browser? Then all the bad stuff happens there, and I’m removed from it. 

In the context of ZT, it’s one of those deals where I don’t trust that my users might not interact with malicious content. So, I’m going to push them to remote browsing, and that way, I can protect them in that remote instance. I use our RBI all day, every day. I don’t notice weird, blippy stuff. The only time that you might see a little bit of a blip is if you’re doing heavy-duty gaming through the browser, which most people typically don’t do. The regular old stuff — YouTube and everything else — I have never noticed an issue with me being able to access stuff and see it. It looks like it is in the regular old Chrome browser.

Jim

 Yes, that’s very cool. For those who are not familiar with the acronym RBI, it stands for “remote browser isolation.” I’m glad you mentioned gaming, because I am a bit of a gamer, and I have used quite a few of the gaming services, or the cloud gaming services, I should say — things like Google Stadia, Shadow PC, GeForceNOW, and that is one of the biggest problems that most people have with that concept. You’re essentially streaming all this data and video. Sometimes, it’s on 1080p HD, and sometimes you’re trying to get it up to 4K. That’s a lot of bandwidth. You mentioned that you haven’t experienced any major blips in that. I think that is really interesting because that’s also one of the things that when I think about from a privilege access management perspective, and session recording and monitoring and things like that, where you’re setting up these sessions, that’s been a historical kind of pain point that administrators face as well. The performance just isn’t as good as if it was native. 

Chase Cunningham

Right.

Jim

It sounds like you’re able to work around and that it works across browsers too. Does this require a certain browser like Chrome or — 

Chase Cunningham

No, you use whatever browser you want. It doesn’t matter. Once it’s up and running, it’s a proxy configuration. It takes 30 seconds, and then you’re done — if that long. If you’ve configured a proxy, it’s less. Once you’re up and running and you’re there, you really don’t know it. 

I never want to tell people that something is perfect. Every once in a while, you run into some old, outdated, weird site or something like that, and you might see a little bit of a rendering issue, but in general, for the average, everyday stuff that you use a browser for, I’ve never run into an issue. We have a capability in there called crystal rendering. That basically eliminates a lot of that kludginess that you would get with some of the other RBI solutions. You don’t notice that it’s there, and that is where you get a lot of value in the security. It’s the users just doing what they do. They’re not having to configure anything, change it. I’m not saying, “Turn the VPN on” or whatever. Just use this plug-in and go browsing in it. Problem solved. 

Jeff

Is there a certain bandwidth requirement to be able to achieve that kind of experience? 

Chase Cunningham

We’ve got PoPs and everything all set up all over the world so that we have the connectivity that’s needed there. Other than every once in a while, you might run into if everybody in the house is — my kids are on the Net and I’m on the Net, we have gig speed. Every once in a while, I’ve gone on to something, and I’ve seen a little bit of a blip in it, but nothing where it’s been degrading my user experience.

Interviewer

 That is cool, and I’ll put a link to Ericom in the show notes, too, so that people can check it out. I definitely recommend taking a look at it. Chase, I know you’ve been really generous with your time with us, and I want to start getting things closed out here for us on this episode, but before we go, are there any final words of wisdom from the doctor that you can give out to everyone? 

Chase Cunningham
Well, the most important thing in this space is — and this is from a guy that now works for a vendor — don’t focus on the technology. Focus on the strategy that you’re putting in place first, and then find technology that enables that strategy. It’s literally the difference between survival and being the slow gazelle. If you really look at what you need versus what you think you need, there’s a lot of value there. Take your time. Be very formulaic as to what problems you’re trying to solve. Once you know that and you’ve got a good grounding into what you’re trying to do and why it’s of value to you, then go look for technology that helps you do that. If you do those things and you continue to progress going forward in that manner, you get to a better place. When you do get to a better place, the user experience gets better. Everybody gets happier. You become more secure. All those good things occur.

 

Jeff
That’s great advice. I think that’s something that’s worth repeating. It’s making sure that you understand what are your actual requirements and making sure that those align with whatever that strategy is. You don’t want to get blinded by the shiny bell or whistle that is a 1% thing when you consolidate 80% of your issues in another area. That’s great advice. Jim, is there anything that you’d like to close out with?

 

Jim

 I’m sitting here listening to Chase, and I was thinking. I think I had a great idea, which is that I want to put together a blog article of the top 10 people to follow on LinkedIn, and Chase is up there, Brian Krebs — there are a few others. So, I’m going to put that list together. Jackson Shaw is another one who we’ve actually had on the podcast — people who put a lot of great content out on LinkedIn. Chase, I know that you’re very open in networking. If you’re listening to this podcast, Chase Cunningham is somebody you should be connected to on LinkedIn. 

I have a follow-up question. It’s tangential to that because I get a lot of great articles, webcasts and things that you publicize on LinkedIn, but I’m wondering, what are you reading right now? What are one or two things for the practitioners who are listening to this podcast that they could tune in to to enhance their knowledge? 

 

Chase Cunningham
I think there’s a really good book that was published recently by the CSO at SMU — Southern Methodist University. His name is George Finney. He wrote a really great book called Well Aware. He has a podcast called Well Aware as well. I think everybody should check that out because he did a good job of boiling down the hard stuff into the basics of habits and practices to make you better in cyber security. I would say that that’s definitely one. Then, if you also would look at anyone that has been deeply entrenched in the mantra around security strategy, I’d say read their stuff all the time. There are great articles from Josh Zelonis, from Jeff Pollard, Joseph Blankenship, John Kindervag, all around how this whole thing is applied, built and put together. Those folks put out quality content that’s not hardcore vendor-biased, and I can’t read enough of what they publish. 

 

Interviewer
I’ll be sure to put links to that stuff in our show notes so that people can check it out. We’ll have a whole bunch of stuff that people can check out as far as reading material, zero trust, connecting with Chase, his book. Let me make sure I get the title again here correctly: It’s Cyber Warfare: Truth, Tactics and Strategies, which you can find on Amazon. 
 
Chase, we definitely appreciate your time, and we hope to have you back on the show at some point here. With that, we’re going to go ahead and close it out for this week. Thanks, everybody, for listening, and we’ll talk with you all in the next one. 

 

Male
Thanks for listening to the Identity at the Center podcast. If you like what you heard, don’t forget to subscribe, and visit us on the web at IdentityattheCenter.com

 
