
    Get Cyber Resilient Ep 105 | Getting to know Zero Trust with Lee Roebig Customer CISO for Sekuro

    Lee Roebig, Customer CISO for Sekuro joins the podcast this week to talk everything Zero Trust.


    We talk through what Zero Trust really is, the lesser-thought-of benefits and how Zero Trust aligns with other well-known frameworks.

    We then delve into what type of organisation Zero Trust works for and then we round out the episode with Lee’s advice for pursuing a Zero Trust strategy.


    The Get Cyber Resilient Show Episode #105 Transcript

    Garrett O'Hara: Welcome to the Get Cyber Resilient podcast, I'm Garr O'Hara. Today, we have Lee Roebig, customer CISO for Sekuro joining us. Lee comes to his current role having been on the other side of the table. He's done the work of securing organizations as a practitioner, having built and led cyber security strategy, architecture, security teams, and end-to-end security programs in large enterprises across the APAC region. These days, he helps Sekuro's clients with cyber security strategy, architecture, exec advisory, zero trust, and its associated technologies. We talk through what ZT really is, the lesser-thought-of benefits, how ZT aligns with other well-known frameworks, what type of orgs ZT works for. And we round out with Lee's advice for pursuing a ZT strategy. Over to the conversation.

    Welcome to the Get Cyber Resilient podcast. I'm Garr O'Hara, and today I am joined by Lee Roebig, who is the customer CISO for Sekuro. How are you doing today, Lee?

    Lee Roebig: Going good thanks, Garr. Thanks for having me on.

    Garrett O'Hara: Absolute pleasure. We got to speak, oh, it's a couple of months ago now. And there was a, a very obvious sense of excitement about the work you're doing in Zero Trust. And yeah, luckily, we were able to kinda line this up to have the conversation, so thanks so much for joining us today.

    Lee Roebig: Great.

    Garrett O'Hara: So the... Look, the first question we, we pretty much ask everybody is how did you get to where you are today? I think it's a useful one, just so people can understand your perspective and, and how you've arrived to, to be somebody that, you know, we should all listen to.

    Lee Roebig: Yeah, okay. It's a good question. So I'm the Customer CISO for Sekuro, as you mentioned. Bit of a strange title, so I can probably explain what that means first. So I help our clients directly with cybersecurity strategy, risk advisory, and any associated technologies to help them on their, their cybersecurity roadmap as well. I'm also our internal SME around zero trust, as well as consultant on numerous zero trust strategies for a lot of different industries in Australia; so health, insurance, banking, construction, manufacturing, and, and multiple ASX-listed companies as well. In terms of how I got here, I've spent the majority of my career on, I guess you'd say the, the non-consultancy side of the fence. So the customer side, I, I like to call it, where I've been in technology and cybersecurity and also leadership roles for around 16 years.

    And in terms of what, how I got here, so I had finished up a gig as the head of information security for a global organization in APAC. And basically, at that time, kind of took a bit of a break and went, "Okay, what's next for me? Do I..." At first, I started going for similar roles to what I'd been doing. And then I got, I think it was, approached by a recruiter and they mentioned sort of, there was a cybersecurity consultancy that was interested in someone like me. Sort of sat down and, and worked out well, what do I love about my role? And what I loved the most about it was sort of, by protecting an organization you protect... You could potentially protect thousands of employees and millions of customers, and I think that's a very rewarding part of the role.

    And I figured that I can still get that satisfaction and even at a larger scale, doing this in a consultancy fashion where I could do it for a lot of different organizations. So that's kind of how I landed where I am today. And yeah, I've been loving it. I'm a year into this now.

    Garrett O'Hara: That's very cool. And bringing the kind of in the trenches experience, I think is gonna be critical, right, in a role like that, where you've kind of lived and breathed it from the other side. So kind of know what it's like to be on the other side of the table. I suspect that helps a lot.

    Lee Roebig: Yeah, absolutely. So I think it, it, it builds up a lot of rapport with with any kind of clients or other peers in the industry that I speak to pretty much immediately 'cause we can, we can trade war stories, and we know that we're both both ba- battling the same battles to some extent or we've been through the same battles.

    Garrett O'Hara: Definitely. And Sekuro is... It's kinda interesting watching that trajectory over the last little while. I've seen many friends in the industry, you know, through kind of how that organization came together from, you know, the subset of companies, you know, very interesting play you guys are doing.

    Lee Roebig: Yeah. It's, it's really interesting. So a, a lot of people may not know, but Sekuro is kind of a cybersecurity and digital transformation solutions provider. The main thing we do is help clients take a strategic approach to cyber security and risk mitigation whilst also achieving digital transformation at the same time. The, the key thing with us is, we're a merger of four companies that have come together and found our own lead as well. And as a result, we've got, like, the best parts of these four different companies that have come together and formed Sekuro, allowing us to kind of... And, and those, sorry, those four companies all did different things in terms of cybersecurity.

    So now, we've got this well-experienced GRC team, technology and platforms team, offensive security team, managed security services, and also team augmentation teams, so that we can kind of be there for that whole 360-degree journey that any client needs. Whereas, in the past, a lot of these brands would've had to... they'd be able to help the client with some things, but have to hand off to a completely different partner or send them somewhere else. But now we can sort of help them end to end no matter what they need, which is, which is quite good.

    Garrett O'Hara: Yeah. Very cool. Yeah. Shamane Tan was one of the first people that was on the pod. I think she was like one of the, yeah, certainly the single digit episodes-

    Lee Roebig: Yeah.

    Garrett O'Hara: ... way back in the day. So good to kind of like continue the conversation with you guys which is awesome. So what got you into zero trust?

    Lee Roebig: Yeah, it was actually by accident. So [laughs] one of... As I was saying,

    Garrett O'Hara: Okay.

    Lee Roebig: Yeah. So I headed up security for an organization for a number of years, and they were completely on-premise everything. 100% of every important asset or piece of data for the organization was inside the perimeter. So our security program matched that. Then I moved from that organization into another, in another cyber security leadership role. And I had this sudden rude awakening when I realized that there were no assets that were on premise for this company, users worked remotely all the time. There were no static IPs, there were no static domains. There were no-

    Garrett O'Hara: Mm-hmm.

    Lee Roebig: ... standard operating environments and images for workstations and servers. There were no group policies and firewalls at every site, and this was all spread across about five countries as well. So I kind of... My old bag of tricks really wouldn't work anymore. So I kind of had to take a step back and thought, "Okay, I have to adapt my approach now." So I sort of did a bunch of research and came up with this plan on how we kind of protect the organization globally without reliance on, you know, networks, domains, and/or direct access to things. And we sort of... It was a bit painstaking at the time, 'cause this was a reasonably new approach a number of years ago. But we found the technologies to match, you know, our plan and our cybersecurity program. So we started on this and worked through this with my team for, for over a year. And we'd had a lot of great success. And then at that time, even though zero trust has been around for a long time, zero trust really started to gain some traction and be talked about in a lot of different circles.

    So I went and looked into zero trust as I would for any kind of buzzword, and went, "Oh. Actually, hey, that's what we've been doing." And so from that point forward, I was all in. I was like, "Okay, great. There is a name for this modern approach to security where you don't make those assumptions and rely on those internal networks and perimeters anymore." And so that was pretty much it. Sort of by accident. But now I'm known as Mr. Zero Trust around the traps because I never stopped talking about it. [laughs]

    Garrett O'Hara: Good stuff. Look, it is a funny one in the industry, right. And I think, you know, the comment would be that in cyber, we tend to get excited about things and, and to use your word, like buzzwords, you know, it's amazing, something comes out and it's in every brochure when you go to RSA or Black Hat, you know, everyone's got it, you know, AI or zero trust. And I think the, the thing I've observed is, quite often, they're really, really useful approaches, but we kind of get ahead of ourselves with the brochures. And actually, like, to your point, these are sometimes things that have been around for quite some time, but actually we just, you know, haven't really spoken about, or there wasn't really a name or a label for it. What, what is... Like, so zero trust, I... It's, it's such a funny one because, you know, being on panels, and I know you have too, and, and this is a conversation that many people have: what is it really? There's different flavors. Like, there's no definition, right, of zero trust. Like, for you, what is zero trust actually really all about?

    Lee Roebig: Yeah. I think you, you hit the nail on the head there that everybody claims to, to know it or maybe have the answer to it and all that sort of thing. And it's, it's a lot more than something that can be kind of easily summed up. I always say to people that if we need to boil it down to the shortest possible one-sentence concept, I, I say in quotes, it's a concept that no one and nothing has access until it's proven it should be trusted. And we have to take as much context into account when making that trust decision.

    Garrett O'Hara: Mm-hmm.

    Lee Roebig: But that's not terribly helpful. So what I go on to explain is that it's kind of... It's a lot more than that. It's also a mindset that should empower how we approach and think about security in our organizations, kind of both now and in the future, of course, as well. And it's overall a, a modern approach to security in a world where data, users and devices are kind of no longer within our perimeter and controllable and reachable by direct network access at all times. If you go back and look at the old approach we took to security, where we had imaged computers with SOEs, file servers on sites, on-premise Exchange, the, the analogy that's, you know, commonly used, but very apt to explain it, is an organization and assets were more like a castle. There was one bridge in, or maybe two, i.e.-

    Garrett O'Hara: Yep.

    Lee Roebig: ... the physical building or the V- or a VPN that you'd hand out sparingly. And then there were huge walls around anything of value inside. And for us cybersecurity teams and the like, it was easier to stop an attack 'cause we knew there was only one or two places that they'd come in. And if your building's secure, and you hand out that VPN very sparingly, or you configure it properly, then we've mitigated most of our external-facing threats. So back then, we invested in technologies and controls that made, like, one key assumption: we would have access to all these things at all times to be able to secure them. And at that time, the very thought that people could or would expect to be able to get up, walk out of the office and, and pick up where they left off was reasonably unheard of, except for maybe in the most cutting-edge companies.

    But if you look at where we are now, and obviously the, the pandemic has accelerated this exponentially, which is why now everybody's talking about it. Companies have used technology to enable unparalleled productivity, in my view. And they've gained a lot of strong-

    Garrett O'Hara: Yep.

    Lee Roebig: ... kind of business value from that, but a lot of risk exposure as a side effect. So now, the analogy I use to explain what an organization typically looks like now is more like a skyscraper that's part of a city, rather than that castle with walls around it. And the reason we say that is 'cause, like a city, there's so much activity everywhere now that it's hard to distinguish what's a threat and what is innocent. There's multiple ways in and out of our skyscraper from all directions. And lastly, our information is stored in many surrounding buildings out of our control, where it's difficult for-

    Garrett O'Hara: Mm-hmm.

    Lee Roebig: ... us to just look at their building from outside and go, "Yes, that seems secure. But if I'm not in there, I don't really know how secure the inside of that building is." And, and what that is really a big analogy for is that email and file storage are available everywhere now. Most of our critical data is now hosted by third-parties accessible in a browser from anywhere in the world. Portable devices as well are, are now like we're talking laptops, phones, tablets are now the, the norm rather than the exception. I remember it wasn't too long ago where execs and IT were the only people who got nice portable laptops. And now, I don't know any employee that doesn't get a laptop on day one.

    And employees as well expect to be able to work from anywhere, anytime, and even us in the cybersecurity teams, the most risk-averse people in an organization, are using that for talent acquisition, right? It's hard to hire people at the moment. So we're going-

    Garrett O'Hara: Mm-hmm.

    Lee Roebig: ... "You can work from anywhere you like, you can work from another country. You don't have to be in the same capital city as the head office now." So basically, with all of that, to, to reiterate, the main issue is that our security controls relied on that assumption. Everything important was at arm's length, and thus, our kind of security controls only had an arm's reach too. So what I'm talking about there in practical terms is, we relied on a lot of proxies and hardware and network filtering and antivirus and group policies that, that only really worked when users were on premise and assets were on premise.

    Garrett O'Hara: Yep.

    Lee Roebig: Now when people venture outside that reach, we've... These things either get very limited protection and visibility and in some cases they get none at all. And that used to sort of be our main security nightmare and particularly the pandemic really accelerated this. But technology started coming along over the years that recognized that, probably before we started to talk a lot about zero trust so much. And these technologies allow that kind of secure anywhere in the world type approach using kind of cloud based security technologies. And then that's when zero trust really gained its time to shine, I think.

    Garrett O'Hara: Definitely. You, you... So you mentioned the word there, which I'm obsessed with at the moment, which is context. And, and you know, the, the idea of zero trust to me, a big part of it is, as you said, it's context. It's, you know, what, what is in this moment going on for this particular user or this even a device, you know, depending on, on what we're talking about. What, what are some of the contextual things that, you know, an organization like you guys would be looking at feeding in to make those decisions around in that moment, you know, just in time permissions or, you know, is this okay to do or not as the case may be? What do you think are like the... Is there a laundry list of the best things you can use to inform that decision in the moment?

    Lee Roebig: Yeah, I would say we used to just kind of... We used to rely on end user passwords, and it was long proven before zero trust came about that's not sufficient anymore, right? So.

    Garrett O'Hara: Yeah.

    Lee Roebig: Then we added multifactor on top. But then we've, we, we went the path of least resistance and we went down the, what's the easiest thing we can roll out to users? And we usually kind of leaned on SMS. Now, SIM swapping attacks are, are a thing. But they're not quite as commonplace, but how much time have we got until they become very commonplace, and we start to have concerns around that or other weaknesses are found in that. So I believe as well that when a user connects to a system, both externally and also internally, that we need to take into account the device they're connecting from. Is this a corporate device or just a BYOD type device, and treat their access differently depending on that. We also need to look at the location they're connecting from.

    Just 'cause they're on a company device, if they're connecting from somewhere that they've never connected from before or that, you know, what we call impossible travel, they've connected from Brisbane today and Los Angeles in a few hours, that's faster than Superman. They'd need to be Superman to get there that fast, right? So we, we treat those differently. And sometimes we would deny them altogether. And those are the kind of context that you take into account, I believe. So what's the user accessing? What level of multifactor they've passed in terms of its security? What device they're connecting from, and also is that device actually in compliance? And so you can get a lot of other tools and systems to, to talk to your identity system or whatever you are using to, to make a decision on whether that user should be granted access or not.

    Garrett O'Hara: Definitely. I know... I love the idea of, you know, the device in compliance or not. And I was speaking to somebody a couple of weeks ago who had a very elegant approach, which was literally denying network access if a device, you know, in that case, we were talking about laptops, fell out of compliance because people weren't rebooting laptops. And I know many of my colleagues here, you know, can be guilty of that thing where, you know, they, they joke about how long their, their laptop has been up without a reboot. And yeah, this person was saying that they actually... They sort of push out a toaster pop-up on the machine and say, "Hey, you, you- you've got basically today, and then tomorrow your machine is getting rebooted or you're losing network access, take your pick sort of thing." And, and they've seen the kind of drop-off rate for non-compliant devices, just, yeah, being, being kind of impressive. So yeah, very cool.

    The... Look, the way you're talking, Lee, and, you know, I think it's kind of fairly well understood. We're not talking about products here, right? You, you kind of mentioned, you built out, this is a strategy pre the terminology zero trust, but it sounded like you, you went and looked for sort of technical control solutions to build out what you saw as a, a solid way to kind of protect the organization. Like, what's, what's your thinking there in terms of zero trust. Like, we're not talking about product, right. Can't go buy zero trust.

    Lee Roebig: That's right, yeah. It definitely isn't a product. And this is a conversation I have quite often with people, and even people who admit or agree that it's not a product. They think it's just a few products that they need to buy.

    Garrett O'Hara: Mm-hmm.

    Lee Roebig: So they think maybe I'll just get like a good identity system and I'll, I'll do some network segmentation then I've achieved zero trust, right? And I have to keep sort of reminding people that it definitely isn't. So, and I, I don't actually blame people for having that misconception as well, because I think ZT, as a term it's unfortunately been used enough in the market that cyber security practitioners have grown tired of hearing about it. Believing it to be just another buzzword as, as you said, Garr, or, or marketing fluff or, or something along those lines, which I think is a shame because if, if an organization fully understands it and, and embraces it, it will actually pay really strong dividends for any organization for years to come.

    And it'll kind of, in a way, I mean, I hate to say the word future-proof, but it's the best thing I can think of to explain it. It'll future-proof your security program a lot better than some of our security approaches involved. So, but to be clear as well, I mean, you can't really achieve a lot of the controls you need to without some technology to help you, right. But that's, that's-

    Garrett O'Hara: Yes.

    Lee Roebig: ... it's always been the case. This isn't like a new thing with zero trust. It's any kind of cybersecurity program. It's gonna be pretty difficult without controls or technologies to back you up. So what I'll say here is that many vendors' technologies will give you alignment with parts of an overall zero trust strategy. But none can do it all end-to-end. And the, the... To get people thinking in the right frame of mind, what the, the kind of... I don't know if you call it an analogy, but what I kind of bring to the forefront of their mind is, all security technology has always claimed to secure our organization, right? But we all know automatically that, of course, my organization's not gonna be secured 'cause I bought that one technology that said it would secure my organization. Just apply that same thinking you've always had for that kind of thing to zero trust. And you'll remember every time.

    Garrett O'Hara: Yep. Yeah. A really good point. So like I've heard it described, and I think you actually even used the words earlier, but it's a philosophy, it's an approach rather than a-

    Lee Roebig: Yeah.

    Garrett O'Hara: ... a product or even a set of products, yeah. You know, we- we've talked a lot about the security side of this and that's obviously a very strong outcome here. But what else? I mean the, you know, presumably, this kind of approach is gonna give you more than just security.

    Lee Roebig: Yeah, absolutely. So... And that's, that's actually what I... It's my favorite thing about zero trust. I mean, you can talk all day about, you know, the cool security architecture and protection you get from it and stuff like that. But I think something... The problem we've all had in the past as security leaders is that we often can kind of... The, the... A common sentiment, I guess, that was always had is the more flexibility a business adds, the more risk they take on. So-

    Garrett O'Hara: Mm-hmm.

    Lee Roebig: ... security and security leaders ended up being known as the stick in the mud a lot of the time of the past and maybe now in many organizations 'cause we were the ones saying, "Slow down. Hang on. You can't just do that. That's going to add an enormous amount of risk and, and so on and so forth." but now with zero trust, we can kind of say, "Sure, let's help... Let... Like, here's how we can help you do what you want to do, but securely."

    Garrett O'Hara: Mm-hmm.

    Lee Roebig: Which is good for the security team's reputation and also the business itself. So some examples of... And some of that comes under secure business enablement, is what I call it. So some examples are mergers and acquisitions. So they're always a bit of a security nightmare when a business goes through them, or security is often the afterthought. And that used to be because security would have to wait for networks to be connected, domains to be added, workstations to be imaged, and all sorts of other moving parts that had to go together before security could even get its tentacles in there to start protecting. And generally, once the paper's signed, anything that happens after that, a security breach or anything like that, does become the responsibility of the parent company.

    So we can't really afford for security to be left so far last. And [laughs] I don't know about others, but any mergers and acquisitions that I've worked for an organization and, and seen happen, it's wishful thinking to think that the technical integration is even gonna be done in one year, let alone, you know, in, in, in a few months where you'd hope security would come in. So because we're not relying on those things anymore, like networks and domains and images of workstations and stuff, we can... Security really can come first. And we can just get that day zero security basically, which is the most important thing I think to happen when a merger or acquisition occurs. And I suppose that connects well to employee experience as well. You kind of think improved-

    Garrett O'Hara: Mm-hmm.

    Lee Roebig: ... employee experience and security, those two things, it's like a, an oxymoron or something they don't go together, right. But because we no longer assume a perimeter approach users now get this thing where they can go work securely anywhere they like. Security isn't gonna be the ones to tell them no. So both the employees and the business benefit from kind of productivity and flexibility enabled by the security program, which is quite good. Other than that, I would say team retention. So I think a common problem with cybersecurity teams, like everyone talks in the industry about burnout and all that sort of thing, and it's hard to hold all the talent.

    Garrett O'Hara: Mm-hmm.

    Lee Roebig: And I think that's because security teams can often get stuck. M- most people who are in a security team are, are heavily experienced. They've probably been in IT and technology related roles for years before they finally moved over to cybersecurity. So they're really smart folks, right?

    Garrett O'Hara: Mm-hmm.

    Lee Roebig: And if you just tell them to work through patching and a giant list of vulnerabilities for months and months on end, they're not going to find that work very rewarding and they're gonna wanna move on because they'll feel like they're spinning their wheels, 'cause what happens when you finally sort out the list of vulnerabilities, and then two months go by, the list grows again, right? So it never gets better. Whereas, generally, any, any time I walk an organization through a zero trust strategy, we focus more on preventative controls rather than kind of corrective and detective. So they're part of it, but they come later. And so I feel it refocuses security efforts on more enjoyable, kind of rewarding areas, you know, of things like network segmentation and identity and access management, application control. What those things do is, they'll reduce the exposure of assets on a network, which means there's a lot less time spent on that more laborious, kind of mind-numbing work like the vulnerability management and patching, which I think are the key to kind of burning a team out. So yeah. I could probably actually, you know, just share one last story of seeing this in action.

    Garrett O'Hara: Mm-hmm.

    Lee Roebig: At an organization I worked for, where I said we kind of did zero trust by accident, I was both fortunate and unfortunate to be working for that organization when COVID hit, right? And it was an organization where a lot of people were required to be onsite at all times. So it was heavily hit by this sudden "everybody has to work remotely" type of thing. And there were 10,000 employees, so it wasn't easy. Now, every- every part of the business, not just technology and cybersecurity teams, but everywhere else had to scramble to think, how are we going to make this work? How are we going to make these, these, this business function remotely?

    And something that a lot of business leaders were doing is going through the business and, and consulting with specific departments about what was gonna be required to make this work. And they were dreading coming to the cybersecurity team 'cause they're like, "That's the one person, or people that are going to have a lot of bad things to say about this." But we were the ones that when they came to us, we said, "Yep, there's not really much for us left to do. Just give someone a laptop and go home and they will remain protected the same way they are when they're on premise." And that was actually a highlight of my career because they went, "What do you mean is that we really need to do it?" I said, "Yes. That's exactly right." Cause we, we don't rely on that [laughs] to provide security. So it's a first hand story there of how it can enable that business securely.

    Garrett O'Hara: Oh, good. Is that you... I- I'm guessing people were like cheering you in the streets for that one. 'Cause I know there were other stories where organizations were not set up like that at all. And, you know, horror stories of, like, scrambling to try and even buy laptops 'cause people were on, you know, these big desktop, old towers kind of thing. And, and to your point, everything was set up kind of legacy architectures with, you know, perimeter and, and you had to be there to be secure with no concept of ever working from home. So yeah, good to hear that one. If there's, if there's frameworks already in place, and for many organizations, right, that's part of the deal. You run some sort of a program, you get, I don't know, some sort of CSF or ISO, whatever one you wanna think about, or, or sort of work against some kind of framework. Wh- what are the benefits of kind of looking at ZT in those situations?

    Lee Roebig: Yeah. I would say that, and that, that is a question I get asked often recently. We're already compliant with X, so why do we need zero trust, or-

    Garrett O'Hara: Mm-hmm.

    Lee Roebig: ... we need to comply with X, is zero trust going to solve that problem?

    Garrett O'Hara: Yep.

    Lee Roebig: ... what I would say there is, and what I would say to people when they ask, is, well, that a lot of the frameworks in the industry are heavily compliance-focused, which, you know, don't get me wrong, it's important for businesses and, and for the cyber security function, but we can't... People often mistake compliance for security. Zero trust is, in my view, very focused on security, involved in controls and prevention. And if you look at some of the, the largest companies, or even, even the small ones getting breached around the world, every single one of them, excuse me, every single one of them was compliant with any-

    Garrett O'Hara: Yep.

    Lee Roebig: ... framework they could get their hands on, and yet it wasn't enough, because I think an issue with some of those kind of well-known frameworks is that they need to app- apply very broadly and high level. Which means some of the findings in the report are a little bit unclear with exactly what you need to do. And so with... And, and taking that compliance-based-only approach, as well as, as well as a kind of unclear end goal, or at least how to get there, it, it can often be treated as a bit of a finding the path of least resistance just to tick a box. And-

    Garrett O'Hara: Yep.

    Lee Roebig: ... an organization may be no more secure as a result, despite spending who knows how much money and time to, to become compliant and whatever they need to do. And I think with a ZT strategy, it should be heavily controls-focused and look to kind of integrate technology in the right places whilst also bolstering what you currently have. It's not about refreshing everything you have and buying all new stuff. You can definitely apply zero trust principles into a lot of what we already have as well. And that's certainly how we do zero trust strategy at Sekuro and how I do it with clients. A general motto that I always keep in mind when doing these is, every recommendation in a zero trust strategy or approach needs to be clear, realistic, beneficial and actionable. It can't be just pie in the sky that would be nice to have one day, but an organization can't hope to achieve. It has to be broken down into something digestible with that-

    Garrett O'Hara: Yep, yep.

    Lee Roebig: ... "I reckon I can achieve that."

    Garrett O'Hara: Yeah. And I really like your point around the idea of control existence versus effectiveness. I think that's a huge problem when you look at any framework. You talk to people and they sit through huge audits, produce documentation on what they've done and point to the box, but it doesn't say anything about the configuration or effectiveness, and I think that's-

    Lee Roebig: Mm-hmm.

    Garrett O'Hara: ... such a spot-on observation. And here's another question. I think when people think of things like zero trust, they probably think large organization, that this is something for the huge organizations, because it sounds like a lot to take on, but-

    Lee Roebig: Yeah.

    Garrett O'Hara: ... what's your take on that? How does this fit in with other-sized organizations, or even smaller organizations?

    Lee Roebig: Yeah, it's a good question. And I suppose to get it out of the way first, a huge chunk of the zero trust strategies that I've done have been for smaller organizations, as well as-

    Garrett O'Hara: Right.

    Lee Roebig: ... the huge end of town. And you can always take-

    Garrett O'Hara: Yep.

    Lee Roebig: We take different approaches for each one, but both can achieve what is the appropriate level of zero trust for that type of organization. But I think what's most important to cover here is that zero trust isn't an all-or-nothing approach, and it isn't a 100% set-in-stone outcome. So smaller organizations can still gain really large benefits, even if they only align with some areas of zero trust where it makes sense and they have the budget and resourcing. And they can also still take on the zero trust mindset in everything they do and gain benefits just in decision-making and in what they plan and program work around. In fact, one of the things that I... when we were putting a zero trust strategy framework together, we saw coming a mile away that there'd be heaps of organizations that aren't going to have the same level of capability and resourcing as others. So the way we did it was to create multiple maturity levels, so a maturity level one, two, three across eight different pillars of zero trust.

    And that's how you can make it adjustable and doable, and obviously the difficulty of what needs to be achieved gets higher as you go up towards level three. An organization can take that sort of approach as well, finding out where it makes sense for them and doing that. And some advice I gave the other night, actually, when I was doing a talk about zero trust in front of an audience, was: you don't have to do everything zero trust now and just scrap everything you've got. What you can look at is thinking, "Okay, where does it make sense for me to do zero trust?" Look at your entire cyber security posture, which any security leader will know very well in their organization. What they will know more than anything is the weak spots, those spots that have been left behind because they've been neglected for various reasons.

    That is the area you should focus on first, and think about how you can take a zero trust aligned approach there. For example, if the organization has very good identity practices, they're managing their people security very well and they're doing really well with things like endpoint security, but they know for a fact that they've left their network very flat internally. Well, if they're already doing okay with the others, even if they're not fully aligned with zero trust, but their network is in a terrible state, then that's the scenario where they can go, "Well, how do I take a zero trust approach, and do I need technology to help me take that approach inside my network?" Because as far as I'm concerned, if someone spends six months working on an area of their business to align with zero trust where they were very weak beforehand, that's going to add way more value to the overall cyber security program than trying to improve areas they're already 60 or 70 percent aligned with.

    Garrett O'Hara: Yeah. That leads me to what I think is probably our last question. You guys do the practical side of this. I know you've covered it softly there, but it would be interesting to hear what the practical approach is like when you and your team go in and you've got to build a strategy for an organization. What does that actually look like, time-wise, how long does it take? What does it practically look like when you and your team go into an organization that Sekuro can help with a ZT strategy?

    Lee Roebig: Yeah, so I think we're in an advantageous position at Sekuro as well, because there are a lot of vendors out there that offer some sort of zero trust alignment or something like that. But the problem is that they're always inevitably going to have an agenda that, of course, their solution is what's going to be recommended to give you that better alignment with zero trust, right. And vendors also don't like going into an area where they're recommending other vendors, so to speak, unless specific partnerships are in place. And sometimes as well, vendors won't go into that advisory realm. The quote I like to use for this, which is a bit of a joke, is that we all remember when we call up our financial institution, and the first thing they say to you is, "Our information is general in nature and does not take into account your personal situation." The list goes on, and we all have to acknowledge that before we can proceed, right.

    That's, I think, the situation vendors are unfortunately in: any information they give you outside of what they offer is general in nature. It doesn't really look at the personal situation of the organization. Whereas at Sekuro, because we're not tied to any specific vendors or technologies, and we've got that strategic background, it's the opposite of that. Our information is quite specific in nature and takes into account exactly an organization's personal situation. So, to go back to answering your question, our approach to zero trust is that we believe zero trust needs to be looked at holistically in an organization. And so we came up with eight pillars of zero trust, and I do realize there are other approaches out there that maybe have a few fewer pillars and that sort of thing as well.

    But our pillars, in our view, are people, identities, endpoints, networks, infrastructure, applications, data, and analytics. And then, as I said before, there are those three maturity levels that an organization can choose to align with across any one of those pillars. Generally, we give everyone... Just because an organization's small, it doesn't mean they can't align with high maturity levels, because it's actually a bit of a catch-22 where, yes, it may seem like a small organization has less capability, but they also have less complexity as well. And sometimes-

    Garrett O'Hara: Yep.

    Lee Roebig: ... that is the blocker to being able to achieve high levels of security maturity, right?

    Garrett O'Hara: Mm-hmm.

    Lee Roebig: When you've got 50,000 users and who knows how many stakeholders to keep happy while you roll this stuff out, you may be able to achieve a heck of a lot less in your cyber security program versus someone that's got 500 staff and,

    Garrett O'Hara: Yeah.

    Lee Roebig: ... a couple of people in the security team driving this. And we see that over and over again. So generally what we'll do is ask a series of questions. I think we've got over 155 different controls. We take them through, and there are yeses or nos as we work out level one, two or three across each one of those pillars. They get a feel along the way, and certainly we do as well, for what'll make the most sense to them-

    Garrett O'Hara: Yeah,

    Lee Roebig: ... because as we start to reach the level three questions, they'll go, "Hmm, yes. No, we're not doing that. Nope, that doesn't sound like something we can do," and all that sort of thing. And then we help them decide on a future state as well, and then give them a strategy that will map them to whatever they've wanted to align with. And generally it's controls-focused, right? I believe a zero trust strategy needs to be quite practical and quite literal with what they need to do. Tell them exactly-

    Garrett O'Hara: Yeah.

    Lee Roebig: ... what they need to do. Don't give them a very airy recommendation like "manage your assets". What does that really mean, right? Tell them exactly what they should do, and suggest a technology if they don't know what to look for, to help with that kind of thing. And also suggest timelines. Another problem that I certainly had when getting any kind of external reporting done when I was on the customer side was that you get this giant report of recommendations, and everything is high risk, and there's medium risk, and there's low risk. But what isn't clear is that there are 50 high-risk or critical things. Are they actually critical, if there are 50 of them? What's more critical than another? And so what we set out to do is specifically not use that sort of terminology in a ZT strategy. We go down the route of timelines: what do you need to sort out before something else? So in the first-

    Garrett O'Hara: Yeah.

    Lee Roebig: ... what's, first of all, the quick wins: what can you do with what you currently have that isn't going to cause any issues in your business, that's just going to get you security for free, basically? And then, what do you need to start looking at and sorting out in the next three to six months, six to 12, 12 to 18, and then 18 to 24? And so generally it's a two to two-and-a-half-year roadmap that most organizations look through, just depending on how much they're lacking and what they're aligning with.

    Garrett O'Hara: Yeah. Excellent. I love the practical approach. Lee, it's been an absolute pleasure. I'm very glad we finally got to do this. It's taken a little while to line up, but,

    Lee Roebig: Yeah.

    Garrett O'Hara: ... very much appreciate your time today, and on behalf of the audience, thank you very, very much for your insights.

    Lee Roebig: Thank you, Garr. Appreciate you having me.

    Garrett O'Hara: Thanks, Lee, for joining us. And as always, thank you for listening to the Get Cyber Resilient podcast. Jump into our back catalog of episodes, like, subscribe, and please do leave us a review. For now, stay safe, and I look forward to catching you on the next episode.