Get Cyber Resilient Ep 107 | ZT in hybrid working world with Aaron Robinson, Head of Presales and Security Specialist for Citrix
This week we are joined by the Head of Presales and Security Specialist at Citrix, Aaron Robinson.
In this episode we talk about the rise of zero trust in a hybrid working world. Aaron shares what he hearing from his customers, and provides some advice for business and cyber leaders as they balance security with employee experience and tips for secure remote working.
The Get Cyber Resilient Show Episode #107 Transcript
Garrett O'Hara: Welcome to the Get Cyber Resilient Podcast, I'm Garrett O'Hara. Today we are speaking with Aaron Robinson, the head of presale and security specialist for Citrix. Aaron has been in the IT industry for nearly 20 years focused on how technology enables business outcomes. He's dedicated to transforming how people work by re-imagining the employee experience and increasing productivity and engagement without sacrificing security. Aaron and I speak about the rise of Zero Trust in a hybrid working world and he has a great [laughs] pub analogy for Zero Trust. We talk through with Aaron, his hearing from his customers, advice for business and cyber leaders as they balance security with employee experience and tips for secure remote working.
Over to the conversation.
Welcome to the Get Cyber Resilient podcast, I'm Garrett O'Hara. Today we are joined by Aaron Robinson, the head of presales for Citrix. How you going today Aaron?
Aaron Robinson: Yeah, doing very well. Thanks for having me on the show today.
Garrett O'Hara: Absolute pleasure, absolute pleasure. Really, we haven't actually met before, so, yeah, really good to, to have you on and yeah, looking forward to, to the conversation today. So, Aaron, look the first question we, we ask pretty much everybody is just how did you get to where you are today? So obviously you're head of presales for Citrix, but I'm guessing you have a journey to get there?
Aaron Robinson: Yeah, pretty much. So, I started my IT career on, on a help desk really working for CSC, which is now DXC. Fast forward a few years and, and got into solution architecture which I really loved, designing solutions for lots and lots of different customers. And then the opportunity came up to join Citrix as a presales engineer so I've been at Citrix now for just over se- just coming up to seven years and in my time here joined the presales team. It's a fantastic company to work for, a fantastic team. And then I was lucky enough to move into the, to manage the Southern presales team. After being with Citrix for about two and a half years. Really loved that and then from there was given the opportunity to move into becoming head of presales for Citrix and so I've been doing this role now for about two and a half years.
Garrett O'Hara: Fantastic. We are going to talk about Zero Trust. It's one of the we're actually going to talk about quite a few different things, but we're gonna, we're gonna start with Zero Trust. A very, very popular topic I would say these days. I think, you know, many of the cyber security conferences where, you know, we're seeing this stuff talked about more and more. You guys do a particular kind of version of this so I think I'm keen to kind of get your, your comments or your thoughts about the kind of rise of Zero Trust in a hybrid working world?
Aaron Robinson: Yeah, it's it's an interesting space. So Zero Trust is sort of really starting to become a necessity for most organizations today. You know, research is showing that by 2023, 60% of enterprises will phase out most VPN's in favor of Zero Trust Network Access. And the reason for this is that we're finding workers and students constantly mobile now, they're not tethered to the office anymore. They're typically working up to three different locations a week and they're doing all of this while they're working across like two to three different devices. And they're also incorporating personal devices in their work life. So, we need new security systems or, or, or, or frameworks to be able to really accommodate and incorporate that.
Applications have started to move to the cloud, to where they've been lifted and shifted from, you know, on premise to more of an Ayaz type solution in the cloud and so that sort of sits outside the traditional perimeter that most organizations have in place today. All this starting to consume that software, as software is a service so that it's should, you know, ditch that in-house developed application. And then they've, you know, taken something off the shelf and they've got to put that trust into that software provider that's giving back that SAS application. And what we're finding in most instances is that the traditional security that we have in our organizations, whether it be the VPN or just the corporate internet that goes out from, from the office, is providing us sub-standard level of quality to that SAS application, and then they can get by just going directly to the internet.
And so when we've been talking to lots of business users when we try and understand some of their end user experience challenges, because it's another big focus of what, you know, I sort of talk to we're finding that they're actually disconnecting from things like VPNs so they can go and access certain applications. Whether it be corporate sanctions or an app that's being delivered by the actual organization or it's an application that they've gone and bought themselves through Shuttle IT just to be productive. And in the midst of all this the reason we, why we see Zero Trust being really important is that threats are continuing to evolve they're becoming more auto- automated and I think Zero Trust is really key to being able to predict those deviations in people's behavior and prevent those threats from spreading across organizations.
Garrett O'Hara: Yeah, those deviations are, are kind of an interesting one. I've been talking to some security leaders who use things like end user behavior analysis and, you know? We were doing that pre-COVID, but when [laughs] COVID kicked in obviously all the patterns that had built up just got, blew up because they didn't make any sense. To a point where people were working, you know, in three locations, different devices, but you know, it's a completely different set of patterns than, you know, arriving to the office at 8:30 and, and leaving at 5:00 from the same sort of IP ranges et cetera. Have you seen like have, has that kind of been on your radar like in terms of that, how end user pattern, you know, patterns of life I think is what they describe it as, you know? Like, what does Aaron do every day? Like how has that changed as COVID has arrived? And work from home has just become much more normal.
Aaron Robinson: Yeah. It, sort of two areas, two key areas for us in term of the conversations that we're having in the market. The first one's specifically around security, in terms of what is a standard behavior in the way that I interact with our IT and the product systems? And if that behavior starts to deviate, how do we start to automate actions to lockdown that behavior if we deem it to be inappropriate?
Garrett O'Hara: Yep.
Aaron Robinson: But what we found is that the, you know, we swung the, the pendulum a little too far the other way in terms of, or great at locking things down that are, really impact the daily end user experience? So then, how do we put processes and things in place so that we can allow users to self-remediate? Simple, a very simple example that I talk to customers about and that space is around you know, you, you go to work from home, you log on late one night, which is not typical for you and rather than just block that access, because it's outside of the defined normal paradigm that we've, you know, mapped within that talk we might send an additional level of authentication, or we might just give you a much more restricted access to that particular level of that, so.
And then on the other side of that it's more around the performance of the platform. So, we're able to tell how it's performing and what becomes normal for the user working from home, rather than tracking levels of productivity, for example.
Garrett O'Hara: Yeah. It's funny the, the tracking levels of productivity, the BOSS where, it's just that starting to kind of emerge because of COVID [laughs] it's kind of creepy. I, you know, I've been thinking about this more and more, the overlap with BOSS where, you know, that kind of productivity monitoring stuff? I mean there's pretty substantial overlap between that and end user behavior analysis, you know? The security use case is definitely there, but a lot of the telemetry you collect you could absolutely repurpose it and, and kind of, you know, "Is Garrett working [laughs], or is he, has he buggered off for you know, a nap in the middle of the day?" Or, whatever. It's it's an interesting one to watch, I think.
Aaron Robinson: Yeah, it, it, it definitely is and yeah, we do hear that a little bit from the field as well, yeah.
Garrett O'Hara: Definitely. With the with the sort of, the work that you guys do, I'm guessing you like, you, in your role you would speak to lots of different organizations and, and, you know, spend a lot of time in the field having conversations with security leadership. Very keen to get get your sense of what the latest trends in security are and, and even actually the challenges that you're seeing in our industry from your customers?
Aaron Robinson: Yeah, so cyber security holistically at the moment is probably the front of mind of every customer that we speak to today. I mean there are a few trends that come out of this, but it's not surprising because man, I was reading some reports last, last night and, you know, 67 000 cyber crimes have been reported in Australia between 2020 and 2021. And you know, that costs an estimated $33 billion to private citizens, but organizations as well. So we're starting to see this become more of a business risk in a lot of the organizations and customers that we speak to and not just the focus of IT. And boards are now incentivizing their executives in those organizations to be more proactive in that cyber security and reducing risk space.
So those big conversations are becoming more holistic across the customer base that we're speaking to.
Garrett O'Hara: Mm.
Aaron Robinson: So I guess some of the key things that have come out of that from both conversations that have been put in at, at board level. We're seeing organizations focused on mitigra- mitigation strategies like, the Essential Eight that's being developed by the Australian government through just cyber incidents.
Garrett O'Hara: Yep.
Aaron Robinson: And so government departments and, you know, critical infrastructure for example, are really focused on how do they meet those three levels of maturity to, to get to, to get to that little to, it's a standard requirement now.
The other area that we're spending a lot of time talking to customers about is application security, which has become a really big focus and building that security directly into the application or bolstering the application security that sits in front of it. Because applications are really becoming that focus point for the automated attacks. So you think BOSS or cross scripting and tax and things like that. 'cause historically when developers go and develop all these applications, leaves a lot of opensource software and tools and then vulnerabilities pop up in them like the ones that we've seen in the market today. And people are able to go and exploit those quite quickly. And then as people leave and they don't follow best-practice in, you know, developing that, that application supply chain for example that sometimes they're not even aware of those vulnerabilities that sit in, in that application until it's too late.
So that's, that's another key trend that we're seeing there. But I think the most important for me and the topic of today's sort of discussion and what I'm hearing the most in the market is that Zero Trust security. And I kind of like to liken that to a pub and I sort of talk to that in three key steps. And so, you know, the three steps that I related it back to a pub is, you know? You need to provide ID so you at the door before you can get in and show that you're trusted. The next thing is that you need to be- behave appropriately when you're inside the pub.
Garrett O'Hara: Mm.
Aaron Robinson: And then thirdly, depending on the credentials or the level of access that you've been given when you go in only certain people can gain access to the VIP area.
Garrett O'Hara: That's a very cool analogy. Can you kind of unpack that analogy in a bit more detail for us?
Aaron Robinson: You know, so the way that I like to describe it is, you think of when you first walk up to a pub the first thing that happens is you've got to line up behind the velvet rope and the bouncer walks up and down to check, to make sure that you're not intoxicated, that's you're dressed appropriately and he'll allow you to go in. So, that's the first thing that we do from a Zero Trust perspective before we allow you to get access. The next thing that you do that I touched on before, is that you hold up, you hand over your ID to the bouncer, they have a look at the card and if they don't trust, or your ph-, you know, your photo's a little bit old you don't quite look like who you say you are, they ask you some follow-up questions. And so that's the second factor, or [inaudible 00:11:45] that I sort of relate it to.
Once you've passed that you're allowed to go into, into the bar or the nightclub but the security doesn't end there. So, once you go inside the bar or the nightclub there's a whole bunch of bouncers that are inside watching the crowd and the audience and specifically you, to make sure that you're having a good time. So, accessing your apps and doing your work but you're not doing anything malicious that may cause any disruption. Dancing on the bar, getting too drunk, things like that. And if you do do something malicious that's seen by the bouncers they grab you out, they throw you out the back and you're not allowed to come back in. And that's the same thing that we do in the Zero Trust controls that we have. We're continuously watching you once you're inside the organization, continuously checking. And then if you continue to behave you're more than welcome. You step out of line we terminate your access and we kick you out of the network.
And then, you know, to stretch that analogy a little bit further, there's obviously high levels of security or private areas that some users need to go and get access to, like the VIP area for example in a nightclub or a bar. So when you go up to the VIP area you might be wearing a wristband for example that the bouncer checks “Yes, you're good to come in.” And allows you in that's the same principles that we apply in our Zero Trust Network as well. So we allow users that may need to access a sensitive, particular application to if they meet a certain criteria, to go and access that ap- application, whether they're working in the office or working from home. So that's kind of how I liken it from Zero Trust Network Access to when people go out to a nightclub, or to a bar.
Garrett O'Hara: It's a great, great analogy. Very, [laughs] very cool. I'm imagining myself in a bar in Dublin, just absolutely hammered on Guinness and thinking like, yeah, no one, no one should trust me in in a pub. Definitely not that kind of guy. Yeah, it's interesting and you mentioned there, you know, about the the application security and then the sort of vulnerabilities through supply chain and, and sort of I suppose we're inferring [inaudible 00:13:39], you know? If, you know if I had to fill in the [laughs] blanks here, you know? The, then the story but like spot on, I think that's something that, you know, we've been talking about quite a lot lately actually is the, the huge amount of open source libraries that are out there and used and maintained by, you know, one person sitting in in an apartment somewhere around the world, you know, doing the work voluntarily. Producing, you know, some cool little bit of code that every, you know, ends up in, in just a bazaar amount of places if it's good.
It's and, and what blows my mind is though, like there is no Q&A you can call your insurance there's, there's nothing, you know? People just kind of reuse the code and away you go. I also think and I say this is a very lazy ex-developer, I think a lot of people just jump on Stack Exchange when they want to solve a problem [laughs] and literally copy, paste the code and, and you know? You don't really put in as much thought as you probably should do sometimes into the, what does this mean? Is there necessarily any vulnerabilities? That it just, you know, there's a deadline, “Let's get this thing out there and going.” And then, you know, afterwards you potentially realize that Sack Exchange, as good as it is might not be the, you know, the infallible source of truth.
What, what do you recon on supply chain like, for, for you guys obviously, you know, [inaudible 00:14:49] happened loo-, you know, de- I think the department of Homeland Security in the US, didn't they say recently it's going to be like 10 years before we can mop up [inaudible 00:14:58]. He's going to play out the future, you know, in term of other libraries and, and I suppose it is a huge question, but like how would an organization even understand? Like, do, do you have those conversations with customers about how they, they start to unpack where those libraries might be?
Aaron Robinson: Yeah, so we don't sort of talk to them about where those libraries might be we, we sort of take a different approach in terms of building security into the application that you're delivering. And then when you're front-ending it out to the application, putting security controls in place to protect them. So, if you do have that potential vulnerability that sits in your application, we're able to prevent that attack, or that [inaudible 00:15:36] injection, or something like that before it actually gets inside the network and then gets into that application. So when, we can do that a few ways, it's whether doing it through the traditional application where you've got, you know, the front door where the user comes in and logs in to the app. Or we can do it through things like service mesh and APR protection as well.
So those are the kind of areas that we're th- that we're talking to customers about in more detail, rather than focusing speci cifically into the open libraries. The other thing that we do to, talk to them as well is, you know, should you be using open libraries in all of your application and development? Does it make sense, especially when you're trying to build that security framework around those applications? That you're using something that you can get from a trusted vendor that provides that history, login, auditing trail, monitoring, all that sort of stuff in the backend as well.
Garrett O'Hara: No, definitely that makes sense. Like until you, and you guys obviously operate in, in sort of this ZTNA which is, you know, that's funny because I think when people think Zero Trust, that's often what they're thinking about is that, you know, sort of Zero Trust Network Access rather than, you know, the full kind of philosophical approach of Zero Trust. But what are you guys able to do with the, the services that you guys run in ZTNA?
Aaron Robinson: Yes. So, there's a lot we can do in that space. So I guess ultimately what it allows organizations to do when they come and use Citrix ZTNA framework, is move away from really managing the device and start to focus on what's most important to the business. And from our perspective that's really putting the security around the application at the end point and the data as well. And it, it's interesting I, I often ask this question when I'm talking to news, news people and, and security people and cyber customers. I purposely ask the question sometimes to be provocative, but I'll say to them, you know, “Why do you care about managing the device?” Or, “Why is that important to you especially in today's day and age?” And I usually get a few seconds of stunned silence before they then start to try and almost justify it in a way, which is interesting.
So it, it's, it's, it's, it's really interesting to hear them sort of stumble over why they need to manage that device when you can start with DOT using security principles like Zero Trust Network Access. It can also be a very cost effective way for security sorry it can also be a very effective way to provide security over unsecured networks.
Garrett O'Hara: Yep.
Aaron Robinson: So now the businesses at the moment they're not opening any new offices at all at the moment, from our perspective when we go and talk to them.
Garrett O'Hara: Yep.
Aaron Robinson: If anything they're starting to look to reduce their real estate footprint but they have opened thousands of branches of one and they're putting in enterpr- and they're not going to go in and put enterprise grade firewalls in at each location. They've got challenges associated with trying to manage these devices that and secure those devices that are sitting out at these locations that are always connected to their network, right?
And so, do you really want the device that [inaudible 00:18:39] comes back into the office that could be sitting on someone's desk unlocked, fully connected to your network to, to have unfettered access once that VPN has been established? So Zero Trust goes a long way in providing that security in that space. So it only effectively allows that single application to connect directly back to your organization, or to that crowd host and application. And the benefit of that too is it's, it's not on- it's not only a user initiated connection, it's connecting from your organization out to a central termination point, so it provides high levels of security that way as well.
I guess from my perspective really simply, it's a higher security posture than traditional security methods the, than tr- traditional security methods do for remote work.
Garrett O'Hara: Yep.
Aaron Robinson: And it's largely transparent to the end user. And I think that's really key in terms of balancing high levels of security with user experience, because as I touched on before when we were chatting from our perspective what we find, if security is too obtrusive or too obstructive users will actively try and seek out ways to get around it just to get work done. But typically not trying to be malicious, they're just frustrated with the processes and they just want to get their job done, so.
Garrett O'Hara: It's, it's such a funny one to watch that, isn't it? The, the absolute explosion of shadow IT, but the ability for, you know, somebody in HR department or marketing to just drop a credit card and get access to stuff that you know, potentially is exposing, you know, company IP or PII, or whatever it may be. But trying to get the you know, the toothpaste back in the tube is, [laughs] it's difficult sometimes, you know? Once it's sort of out there and, and people get to your point, you know? They're looking for ways to do their job and do it better like, they're, th- there's so little malicious intent often but I don't think, you know, people fully comprehend what it means when, when they do use third party tools to, to kind of get their job done as quickly as possible.
By the way, I'm going to steal your they're, you know, "Opening thousands of branches of one." So hopefully that's okay? I will be stealing that [laughs] that phrase whatever.
Aaron Robinson: Yeah, right. I like that one.
Garrett O'Hara: It is, it's, but it's such a good reflection of, of what, how people work today, you know? That's the funny thing we, like we have an office space we go there, but honestly the only thing that it's providing now is hook onto the internet. It doesn't really matter where we are, you know? The, the setup for our machines in, in [inaudible 00:21:04] like, it's absolutely you know, mobile. The office doesn't serve any purpose so that, you know, there's no extra protection by being there other than the protection from the elements [laughs] is probably like the only protection it's providing at the moment and a nice printer. But yeah, we're, compared to like, you know 15, 20 years ago where the experience was, you know, going in and probably being a bit more cavalier if I'm honest, you know? Where, when you're in that environment because well, it's protected versus at home. You guys...
Aaron Robinson: I was just going to add to that. You, you add an interesting point to the office you know, going in where there was, used to be all this extra protection and, you know? One of the things that I think is the benefit of this Zero Trust technology and these technologies that are being released is that it, it allows customers to really reduce that IT complexity that sits in their data centers and sits out at their offices. And it can be a significant cost saver as well, especially as they need less office space, they need less security equipment at, at office and they can take on cloud services that provide better than the current security framework that they've got in place today, so.
Garrett O'Hara: Yeah, it all, it's all sort of going in the right direction I think in terms of easy use and, and security, definitely. Could you just talk about and it's, you, it's something I kind of, when I think Citrix I often think of this, but like desktop as a service I know you guys do a ton of stuff but, you know, sort of from, from [laughs] having used your, your stuff over the years. To, to get a sense of like, how do you, how organizations go about kind of protecting access to virtualized apps?
Aaron Robinson: Yeah, it's a really good question and, and something that I always sort of talk about Citrix that people don't initially think of when they think Citrix, is that we've been a security company, you know, since day one for the last 30 years, since we've been created. 'cause the entire purpose for Citrix to exist and for people to use DDoS, is that it's an incredibly secure way for organizations to protect their applications and data. Whether it be across any device or, or, or any network. And with that idea applications are, you know, the, the idea behind that is that applications are safe within the data center or in the public cloud where a lot of customers are starting to deploy those workloads today behind, you know, lawyers of security. Whether that be you know, [inaudible 00:23:23] that sit up within, you know, your public cloud provider between firewalls that sit more specifically within your data center. And then there's security we supply on the actual endpoint to ensure that nothing from the endpoint can jump into that virtual application.
But we definitely have seen threats evolve over time, you know? Malicious codes getting smarter, automated attacks are coming in more and more and they are focusing it on the endpoint more and more. That's probably the number one attack victor at the moment that we're seeing. And so we've had to adapt our security controls too, in a way that customers can trust Citrix I guess, to protect their data services. And so, from our perspective we've built into our DDoS service those direct trust principles that people expect. Whether that's offering additional capabilities like, things like adaptive authentication or contextual access. We try and take it a little bit a little bit of a step further too, instead of, rather than just allowing an explicit, allow, or explicit, deny.
We might for example lay or access that application, but we might do something like a session recording or we'll watermark the screen or, you know, we'll do things like, block, cut, copy, paste. Or even control what level of access within the application you get as well, so. And then I, I touched on it at the start bout about, you know, security analytics or machine analytics platform that sits underneath it you know? We can trigger actions if we start to detect threats when they're accessing those virtual applications as well.
Garrett O'Hara: Yeah.
Aaron Robinson: And then add extra layers of protection as well. So, we can block things like key logging and then turn off screen captures and recordings and stuff like that to really clamp down on that attack, if it's detected, for example.
Garrett O'Hara: Interesting. Yeah. It's an, kind of an interesting approach and thinking about this thing correctly, but like, it's almost like browser isolation sessions where you know, you can virtual browser in a data center, so if anything kind of detonates it happens, you know, away from the, you know, the device to the endpoints, or potentially even the network that the organizations are in. Or is, is that the way, is that a kind of good analogy, or am I missing it?
Aaron Robinson: Yeah. H- h- h- hundred percent we see a lot of benefit of that. Especially in in a virtual desktop, when you click on a link for example, that may be a zero day attack it opens up in that browser isolation service.
Garrett O'Hara: Yeah.
Aaron Robinson: And yeah, if something detonates or it shouldn't be doing what, you know, it's a risky website and it's made it's way through all the extra layers of protection it can't jump out of that browser isolation and get into corporate network. It just as you said, detonates in that container and then it gets deleted and thrown away.
Garrett O'Hara: Yeah.
Aaron Robinson: So we, we've also got the ability to do that sort of locally on the users' device through an embedded browser and it's exactly the same concept. It just runs local as well.
Garrett O'Hara: Yes, sir. Yeah, very cool. I think there's a lot of stuff that's gonna happen in the browser space in the future. Because I think more and more, when you think about what, what it means to work these days apart from like, you know, installed productivity tools office ware machines. I spend most of my day in a browser, and that means something different than it was like 15 years ago. If I had of said that, you know, I'd probably get fired, because [laughs] yeah, realistically I was probably just wasting time. But like, it's am- it's amazing to me like, so many of our tools are SAS platforms and if I need to do something I'm logging into a browser application, you know? It's not it's, nothing sits on my desktop anymore so yeah, interesting space.
Aaron Robinson: It becomes key as well in terms of, you know, just because it's a SAS application do we cede control entirely to the vendor? Or, do we now want to start to apply some controls in terms of what parts of that application that we can give to the user? So you know, that is CASB type functions in terms of, you know a very simple example of that might be you've got someone in HR who needs to use LinkedIn for example. So we're going to allow that, but we don't want the rest of the organization to go and search for jobs on company time so, you know? You start to provide that delineation of control for example, in terms of what they can do in certain cyber space applications, so.
Garrett O'Hara: Yeah. It's it's it's interesting when you see that in flight, where you can do things like kind of blocking like, I don't know like personal G, G what do you call it? Google drive, but let, you know, allow access to corporate et cetera. So pretty kind of exciting space here. A little bit of a pivot and sort of maybe like, interesting like big question again, but you know, for business leaders when it comes to the balance between security protocols and probably processes and then that ex- the, the employee experience which like traditionally has been a challenge because it, you know, we all get it, you know? The more secure you are, quite often there's more friction there for people to kind of go about their, their day.
I, and like, the second part of this question would be, what's your experience of that in terms of employees feeling, “We get it.” You know? “We know we need to do [inaudible 00:28:16] and sort of re-authenticate, because it's for security." like, or are they kind of pushing back? But, yeah, like, any advice for business leaders, that balance between security protocols and employee experience?
Aaron Robinson: Yeah. Most, most organizations think it needs to be high levels of security or employee experience. They don't sort of think that there's a balance that can be struck there. But the truth is if you don't get that balance right people just try and fire away around, find a way around it. Like I said they, they understand that, you know, there needs to be multifactor and they need to follow the right protocols. Sometimes people just get frustrated and they just find a way. As they say, "Life finds a way." People will find a way. There are a number of security controls that you've got. So for me I think to get the balance right it is, security needs to work really closely with IT and lines of business. And they need to be really clear I think, on the security framework that they've got across their organization. And then give some semblance of control back to those lines of business and IT, to meet that framework.
And then I think it's the security organizations role then, to go and review those, that new application that they're trying to bring in that new process that they're trying to deliver, that new outcome that they, they're working on to make sure that it meets, meets that security policy, you know, risk, governance, compliance type framework that the organization is comfortable with. And they need to do that in a timely manner as well. They can't spend, you know, weeks and weeks to get an answer back to them. And if the person that has submitted that request for example, has done the right due diligence and followed the right frameworks and templates, that should become a fairly automated and seamless process. Because the last thing that you really want is security and, and we hear this joke floating around all the time when we talk to customers is, you know, "I've got to go to the office of, no to get this approved."
Garrett O'Hara: Yep.
Aaron Robinson: So you really want to be, see that security team is enabling the organization not, you know, holding them back for being able to be in really deliver on their outcomes.
Garrett O'Hara: Yep. Yeah, I totally agree with you. I think that, definitely that evolution of, hey to use your term like, the office of, no. I think security and leadership to me these days, seems to be more and more moving into the kind of navigation of politics and, and becoming, the you know, the department, or the office of, yes, you know? Figure out how to get to business outcomes yeah, I definitely think that's been a change.
And probably our last question I think just based on the time like you guys obviously, you know, you, you sort of said you've been disciplined in a way, a security company for 30 years or you know, that certainly has been a large consideration for you guys. And you're also kind of known for, you know, the ability to do things remotely in virtualize desktops and, and stuff like that, but what would you consider like, if you got tips for IT teams and that are going out looking to enable secure remote work, you know? The folks who are doing digital transformation projects and, and trying to get to a position where if COVID, you have 21 hits, or, you know, the next pandemic or the next thing that happens, that they've got a resilience built into their organization, because they're already go that secure remote work. But like what, what tips would you give for IT teams?
Aaron Robinson: Yeah. I, I guess my three top tips and, and the three that I usually talk to customers about is, you know, technology is only one piece of the puzzle to enable secure remote work. But I guess building on that and this being a technical talk you know, build a secure remote work strategy and Zero Trust is that goal standard. And I think it must be included in any strategy that you're trying to deliver.
Garrett O'Hara: Yep.
Aaron Robinson: You always want to work to simplify the user access as much as possible. So, whatever the re- remote work strategy is, it needs to be a single place that they can go and access, is all of their applications, but it needs to be flexible as well to meet the way that these like to work. Whether that's integrating with the desktop, or it's a portal that they can go to, to lodge all their applications. And the security that sits behind that needs to be intuitive. Users don't want to have to jump through 30 different, you know, levels of authentication to get work done. The, the next point that I sort of talk to and, and this is sort of where we move away from technology a little bit. But you need to create a culture for all employees to really thrive in and feel comfortable when they're working from home and they're working remote. Both from just a day-to-day interaction with their line managers, their employees and their peers, but from a corporate responsibility and I'd say security risk and governance perspective as well.
And so it, it doesn't just become IT's responsibility, they've got to spend time working with the business. And they've also got to fit in time and, and the best person I'd typically say to work with is HR because they can be your best friend in terms of helping. You know, managers learn how to run and operate people that are working remotely and the managers need training since before kind of work from home. Employers need to feel comfortable as well, what's the new appropriate levels of, "When can I work from home? How do I work from home?" What's acceptable and what's not. And then the last point I guess for me, is to really start thinking of the role, and you touched on this in sort of the way that you asked the question. What role technology plays in the future at work? And is what we're doing today adaptable in terms of being able to meet the demands of tomorrow?
So, you know, the, Zero Trust at the moment is very flexible and adaptable in the way that we bring in all of our different applications and apply security around them and it extracts that away from the device and makes it ea- very easy for a user to go and pick things up off the shelf like, another device off the shelf, get that high level of security and then be- become productive. And the reason that I sort of use that is this specific example, is that we're going through chip shortages at the moment.
Garrett O'Hara: Mm.
Aaron Robinson: So, as users are working from home and a machine dies, you know, how do they get a new machine out? Can they just go and pick up [inaudible 00:34:02] device plug it into the network connect, get their applications and they're good to go? As long as it, you know, meets the security posture checks for example. Or are they going to be stuck twiddling their thumbs until they ship out a repurposed device from the organization? Or until, you know, there's a chip shortage, what do they do then?
So those are the type of things I think, they need to start to think about as they look at these remote strategies is how do they play into our future plans and how do we, you know, prepare for that future and what it might require? Can, how adaptable and easy to update is it? So.
Garrett O'Hara: Fantastic advice. And the, the one thing that we can be absolutely sure of is that the future will arrive and it will probably surprise us as it has done the last few years consistently. Aaron, so nice to have you join us today. Really, really do appreciate you taking the time and, and sort of giving us the insights yeah, based on your experience. So, thank you.
Aaron Robinson: No, I was really happy to be here, thanks for having me.
Garrett O'Hara: Thanks so much to you Aaron, for joining us and as always, thank you for listening to the Get Cyber Resilient Podcast. Jump into a back catalog of episodes and like, subscribe and please do leave us a review. For now stay safe and I look forward to catching you on the next episode.