Having worked in the tech industry for over 25 years, James is fascinated by the impact that technology, and particularly data, has on organisations and the people they serve.
In this podcast series, James talks to industry experts about how data can be used to improve the world we live in, as well as the risks and moral challenges inherent in data when it comes to consumer privacy and security.
This episode’s guests are data security experts Julie Evans and Gareth Tranter. They join James to answer the question “what is zero trust in data security?” and to shed some light on the concept. According to a report in the US, about three quarters of organisations plan to implement zero trust strategies in 2020, but only half have confidence to apply it. So, what does this concept mean to organisations and why is it so hard to implement?
Tune in to find out.
If you’d rather read the transcript than listen to the podcast (we’d always encourage you to listen!), here are the words:
Hi, and welcome to the business of data podcast series. My name is James McCarthy and I’ve been part of the tech industry for over 25 years, which frankly makes me feel pretty old. For years now, I’ve been fascinated by the impacts of technology on the world we live in. And that includes the growing topic of data. Every company is now a data company. And we’re going to be talking about the impact of that on organisations and the people they serve. We’re going to talk about how data should be used to improve the world we live in, as well as the risks and moral challenges surrounding data when it comes to consumer privacy and security. If talking about the business of data, sounds like your kind of podcast then sit back and enjoy. We’ve got some cracking conversations coming right up.
In today’s episode, we talk about a concept called zero trust in data security. Now, I’m no expert and I don’t really like the phrase. I thought it’d be interesting to find out what zero trust actually means. According to a recent report in the US about three-quarters of organisations plan to implement zero-trust strategies in 2020, but only half of cybersecurity professionals have confidence in applying it. What does this concept mean to organisations and why is it so hard to implement? To help me I’ve asked a couple of data security experts to join us Julie Evans and Gareth Tranter. Due to the Coronavirus outbreak, we’re all connected over a call. So hopefully the audio quality will hold up and it’ll be almost as good as sitting next to each other.
Welcome, Julie and Gareth. Thanks for being here. Julie, can you give us a quick overview of your career in data security?
Hi, good morning. And thank you for having me. I spent some time running fraud, risk and security for Vodafone in the UK before moving into the global organisation of Africa, the Middle East and Asia Pacific. I have also been with EY, running the cybersecurity resilience function in the UK and Ireland and have worked with Exonar as a start-up and other organisations. So I’ve got a very broad view of security.
You certainly have Julie, it’s always good to have you with us. Hello Gareth.
Welcome. Hello. Good morning, James. Good morning, Julie. And likewise. Thanks for having me. So yeah, I’ve had a fairly broad technology career over the last 14 years starting out in technical account management, but I very rapidly homed in on networking and security matters. I’ve worked with BT, and several large SIs over the last few years and I’m currently with a large enterprise-grade vendor. But predominantly, my roles have been in sales leadership and consulting around matters of cybersecurity and technology implementation.
Okay, so we’re all here. Thank you for joining us. Let’s talk about this zero-trust thing, then. I don’t like the word very much. It sounds really quite unpleasant. But, Gareth, can you just take us through what this zero-trust concept is actually about?
Yeah, absolutely. Zero-trust has been around for quite some time. It was a term first coined by Forrester nearly 10 years ago now. But ultimately, what it is is a security concept that’s built on the ideology that organisations should not automatically trust anybody, or anything inside or outside of its traditional perimeter. Everything must be verified, and everything must be trusted before it’s allowed to connect to the systems and the data contained within those systems and before any form of access is granted.
Would you add people to that then – we’re not to trust our employees?
Sadly, that is the ideology. That’s the concept.
And you have these three audiences, then you have these three groups of people.
Yeah, absolutely. I mean, typically, when we talk about insider threat, you know, we’re talking about three groups of users: compromised users, malicious users and negligent users. They are three very distinct categories, with three very distinct risks to the enterprise.
And Julie, this is interesting. I don’t know what you think of the word, but maybe it’s just me. But is it another one of these big ideas just invented by consulting firms, or are companies actually putting this into practice?
I know what you mean about the terminology. It’s not great. I’ve heard it described in other ways. We also talk about how companies used to have a hard perimeter like an egg and then once you were inside, you could move around quite freely on the inside.
Now we’re talking omelettes, I much prefer omelettes!
It might be nicer than zero trust! There are different ways of describing it but absolutely it is being adopted by organisations using different types of terminology. But to go back to the three examples that Gareth mentioned earlier, we do have to protect ourselves in organisations against external people wanting to get in. But unfortunately, there are so many bad actors now out there that they do get in, they do break through that eggshell they get inside organisations. What zero trust is all about is trying to prevent them from moving around once they are inside. And the other two groups that Gareth mentioned are also really important. We will have employees who do not realise that what they’re doing is actually creating a threat to the organisation. They are inadvertently doing it, which I think Gareth described as negligence. And, of course, insider threats. People who are quite deliberately using their position within an organisation in order to exploit that organisation for their own personal gain. And all three of those types of people exist. And that’s what organisations are trying to protect themselves from in this zero-trust environment.
All right, so that’s great. Gareth, I think I’ve heard before that Forrester coined the phrase ages ago and then and then it went away a little bit. Are there any organisations out there today that are really implementing what you could call a proper zero-trust environment?
I think it did. You know, the term absolutely became quite unfashionable, because a lot of the technologies that are required to build a zero-trust environment were either too expensive or too difficult to implement or operate at an IT operations level. I think it is now a little bit more available to organisations. The technologies have come down in price and become a little bit more commoditised in some areas. And that means that organisations can focus more on trying to become a bit more proactive in terms of how they approach the cyber risks and the threats that are coming towards their organisations.
I genuinely believe with my futurist hat on, that zero-trust will absolutely become the foundation of every organisation’s cybersecurity and risk prevention approach. But it will look slightly different in almost every organisation based upon the technology stack and the processes that are layered around it.
To make it really successful, obviously, we have to think about the technology. And to just build on Gareth’s point, I think one of the reasons that it didn’t work so well when organisations tried it in the past, is because the technology was difficult to use. And if you think about everyday life when we as users of technology, which the vast majority of employees in any organisation are, we want it to be straightforward. If we’re putting barriers in their way, they will find ways around them without realising the threat that they are introducing to the organisation.
The consumerization of IT is making users expect things to be frictionless. If I’ve forgotten the password, I just want to go to a portal or click a link and reset my password with some form of two-factor authentication. I don’t want to ring a helpdesk, I don’t need to speak to someone to do that. That’s the very tip of the iceberg. That goes all the way down the stack: people who don’t want to encounter friction when they’re trying to access systems and resources. And it doesn’t matter whether that’s a corporate device, or their own device. It doesn’t matter whether it’s inside the four walls of an organisation or they are sat in Costa for instance, they just want access and are very intolerant to blockers that get in the way.
Is it fair to say that these negligent users are the employees who are busy, they’re overworked, they’ve got customer data that they’ve got to handle or they’ve got sensitive documents that they’re creating and storing and having to share with colleagues to get comments and whatever? People often say that it’s the employees that cause the problem, having sensitive data that then gets left lying around, and which then of course is vulnerable to being stolen. Are we saying that the tools are there now? How do we get the employees to stop creating the problem fundamentally?
I think history shows that the vast majority of issues that happen from negligent employees are genuine mistakes, or come from them really trying to get the job done. And they are finding a workaround because there is a barrier in their way, whether that barrier has been put there because of IT technology that doesn’t perform well enough or because of a deliberate policy decision, they’re just trying to get the job done.
So yes, it happens. And I think probably the most effective way of trying to help employees understand their role is really by using very good, very strong communication across the whole organisation. And clearly, there are a number of areas where you need to get buy-in.
But if we’re thinking from a user perspective, those individuals need to understand their role in this. But that can be quite challenging because if somebody is doing a very specific day to day job, for example James, they might be in a marketing role similar to yours in a company. They might need to work with a third party and want to do some profiling of customers or whatever it is. That data, they genuinely have to share it with another organisation, they need to get a subset of data. They’re trying to do the right thing and it’s really critical that we help them understand the sensitivity of that data.
I think most of us are probably aware of personal data and how impactful that is. But if you look historically at how companies have dealt with that, we’ve probably had people who are very good at security, who are trying to send a very dry message about risk and compliance and those kinds of things across an organisation. And it’s not landing and having the impact that they need it to have. We need to be really imaginative, really creative about how we get the message out there to our employees.
I’ve seen all sorts of things work from companies with bigger budgets, perhaps a news reel, where it looks like this the introduction of a news programme they’re talking about, around what’s happened to individuals after their data has been taken over. And it’s really impactful and it’s appearing on screens around the organisation or across the whole call centre.
But of course, if you haven’t got that kind of budget, then there’s still nothing to stop you setting up a display in your staff canteen, or your reception area with loads of crime scene tape all around it, and big posters. There are things that you can do that will be dramatic and eye-catching and really catch people’s imagination. It doesn’t have to be dry and dull.
Let’s use our communication experts such as yourself James, to communicate the message around security and compliance and privacy in the same way that we would use them to communicate the message about the wonderful commercial benefits of our products.
Absolutely. I’m all for that as well. I think there are some very creative examples out there that I’ve heard of as well. If people are running internal comms campaigns, that’s fabulous.
In terms of where that takes companies, though, even if employees have a better understanding of the data and everything else, and they start behaving better, the reality is there’s a whole bunch of data already in the organisation, right? It’s littered all over the data stores and the email accounts and repositories and file shares of the organisation.
Gareth, where do we start? I mean given we’ve got lumps under the carpet, and the lumps under the carpet are the old bits of sensitive data that really shouldn’t be there. Everyone knows they’re there. How do we tackle the elephant in the room, which is actually dealing with it?
I think that’s a really good point. The lumps in the carpet is a great analogy. And I think there are two elements to that discussion. Whilst some organisations have made vast steps towards approaching cybersecurity as a cultural problem, and how they address that, and there’s some really good stuff in the market happening, it’s still probably not as prevalent as it needs to be.
There’s a YouTube video that I tend to show to my customers when I meet with them and it’s around the coffee shop giving out free coffee if you like their Facebook page. You like the Facebook page and there’s a team of people sat outside in a van doing some packet sniffing. They pick up the ‘like’, immediately use your Facebook permissions to drill into who you are. And all your PII is available. They drill into your LinkedIn profile, any Twitter accounts, associated media, and all of a sudden, the person in the coffee shop orders his or her free coffee. And the barista is writing down all the personal information that the people in the van are feeding back through an earpiece.
Fundamentally there’s still this issue that a lot of people still think that their cyber hygiene actually rests as a responsibility with other people – with Facebook or Apple or Google and so on and so forth.
In the same way they think that they don’t own the data, nobody wants to take responsibility for the data that’s not theirs. They don’t want to own it. They don’t want to be responsible for it and yet they do create it.
That’s always a very, very challenging conversation in any organisation – who is the data owner? And it’s quite interesting, particularly in consumer-facing organisations. Sometimes it might end up being the marketing director. Certainly, when I was in security people said, well, it’s you, isn’t it? You own the data. Nobody wants to have that ultimate responsibility. It’s a really challenging one. But until you can really get a culture in your organisation where individuals feel like they have a role to play, and in what they do, then actually, it doesn’t matter who owns the data, because every individual person who has access to any of it could be the spoiler and could be the one who is the cause of the breach.
I think it’s all very well having these identified roles, but individuals have to understand that within the organisation, you need to create a culture that is about everyone taking their own individual accountability.
Around this idea of where do you start, one of my favourite examples of the principles of zero-trust was published only a few months ago by the NCSC, as part of their small business cyber campaign. They list 10 areas that you need to focus on to get towards the zero-trust framework. And the first point is: know your architecture, including your users, devices, data and services. You put that into a real-world organisational concept where in a bigger organisation, some people are still struggling to identify who owns the data, let alone where that data is resting. And then throw in all of the extra micro services that are borrowing and pouring from those data silos.
Fintechs are a really good example – there’s a fintech startup in the UK that I saw who published their micro service architecture and they’re running 1500 micro services to all of their customers. The sprawl of these estates and the sprawl of that data all of a sudden, particularly in this digital era proliferates at such a volume.
I was having some conversations recently. It’s a very different project, but I was talking to people in everything from insurance to telecoms, and lots of different industries, asking them what keeps them awake at night? What are they worried about? They all talked about legacy systems. They all talked about old data, about areas where they didn’t have a connection between databases that were sitting there, but they couldn’t really delete them. Or systems that didn’t quite integrate fully.
What I took away from talking to lots of different organisations is they don’t really know what’s in the legacy data particularly, and they don’t really have a single view of their customer. There might be stuff sitting in eight or nine different places. It all comes back to the challenge of implementing GDPR, which is obviously very different from the topic that we’re talking about today. But finding all of the data that you’ve got about specific individuals – it’s a challenge from the perspective of securing it, but it’s actually also a challenge from the perspective of needing to access it and share it at the right time as well. There are a lot of challenges within legacy infrastructure in organisations.
Julie, I’ve got a teaser for you here. Would you want to be a CISO in the modern world? I know that you were head of fraud, risk and security a few years ago at a big organisation, but would you want to be one now in 2020, and if you were one, in the context of zero-trust and the stuff we’re talking about, where would you start?
No is the short answer!
Where would I start? I think I know from talking to people who are CISOs, that the thing that they are most concerned about at the moment, on the negative side, is what data they’ve got, where it’s stored and how they protect it. And whether that’s commercially sensitive data or data about individuals. All of those things keep them awake and worry them.
On the positive side, as I understand it from talking to ex-colleagues and people still working in very large organisations, cybersecurity is at the board table. It is generally getting really good backing from boards who do see it as a real threat and do want to give it some attention. There are positives and negatives, I would say.
Where I would start is to really think about how do I align my objectives as a CISO to the objectives of the organisation? We talk a lot about needing a business case for different things, but unless you really understand what your organisation is trying to achieve commercially, unless you are able to use the same language that your CEO or your CFO is using, about what it is that you are going to do that will contribute to the commercial success of the organisation, then I don’t think you will get your message across. I don’t think you’ll get the funding and the backing that you need in order to be successful in your role. It’s probably a very non-technical answer, but ultimately, I think the biggest focus for me if I went into an organisation now in a senior security position, would be to really think about how do I articulate, in terms of the overall goals of the organisation, why it is important for me to be really successful in my goals, because if I don’t, the CEO will fail. And I think that’s where I would start. That would be the start of my 30-day plan.
You’re hired Julie, you’re hired!
I think you just used a phrase that I thought was really interesting. It’s kind of a non-technical response. I think part of the reason that cyber has remained an absolute mystery at board level, is because people typically operating in the CISO role can often be of a very technical nature. And it’s very easy to forget that people are not necessarily technically minded. We’re all good at what we do for a reason. If you go banding around words like zero-trust, then you’re not helping yourself either way. The board wants to know who are our main threat actors? Who is it that is after some of what we’ve got, that makes us money? If you start talking about those threat actors, use terminology inside your infosec community about the ways in which they are looking to infiltrate your organisation at a technical level, you very, very quickly lose your audience.
It’s really counterproductive. I’ve witnessed people many times in boardrooms, really trying to build their own credibility by using very complex technical terms and to show everyone that they really understand it. “Let me tell you about it and in a really complex way.” And it’s counterproductive, because I think unless you can really get the passion of those board members around the table, you are not going to get your backing; they will see you as the geek in the corner. And that is not helpful. You will not get what you need.
You need to be able to use a common language to express it in a way that the board will understand. If that’s something that doesn’t come naturally to you, then sit down with somebody that you know really well in the commercial part of the organisation, ask them to challenge you so that you can translate this fight into good language because otherwise it’s counterproductive. I have seen people in the past perhaps try and put themselves on a bit of a pedestal to say “I get it and I understand it and leave it with me. It’s all fine.” It won’t work. You’ve got to get their buy-in and you can’t just stand there being an island.
That’s a whole new podcast episode! I’m a CISO, get me out of here! I realise we’re talking about the wrong topic, aren’t we? We’re going to have to reconvene over another cup of tea and talk about the whole “Why would you want to be a CISO?” topic and how to do it well.
I was at a recent event with a well-known security interest group in the UK. The chair was talking about a recent statistic that showed the average tenure of a CISO at the moment is about 18 months. I was chatting to a couple of CISOs over a cup of tea and a biscuit following that session and I asked them why did they feel that 18 months has become the new norm.
One of them very eloquently said, well, it takes three months to figure out what you’ve got, six months to build a business case for what you need, three months to put it forward to the board in a language that they understand, three months to get the response of “we’ve not been hacked, so you can’t get any of the money that you want” and then six months to find another job.
Unfortunately, I still think that is a communication thing. I think if you’re not communicating in a language the board understands, those requests for funding to plug the gaps often just get put into a bucket of “it is not a problem yet, so let’s not fix it.”
The language that the board will understand is the language that they use in the organisation about what their goals are and what they want to achieve over the next quarter, 12 months or the long-term plan. Pick the bits out that you contribute to, and replay their language back to them.
I’ve got an interesting thought on that. Turning this back towards the zero-trust discussion, I’ve noticed a lot that the cybersecurity industry has focused and continues to focus it seems on perimeter security. The kind of monitoring that involves building even thicker walls, higher walls, more lookouts on the top of the walls of the castle as it were, rather than the data on the inside, which is the kind of zero-trust environment that we’re talking about today.
Do you see that changing and is some of the fatigue from the board related to that? In the sense that the CISO keeps coming to the board and going, I need more budget, I need to implement more things to make my walls higher, to put more monitoring in to have real time threat protection to tell us exactly when someone’s breached, and all of that sort of stuff. Is there enough emphasis on that?
And are CISOs, or information security communities generally thinking enough about the data on the inside from a zero-trust point of view? That’s an interesting question.
I think that the focus has always been on perimeter security. And I do think that’s a big part of the jaded response from the infosec community as a whole. There are only so many years you can go through the same cycle of refreshing the rules and the software on the firewall only to find that you’ve still been breached.
I think zero-trust is changing the game, but the building blocks that form the foundation for moving towards zero-trust are now becoming very, very clear to a lot of CISOs. That actually visibility is your first step. Getting visibility of your users. Getting visibility of your infrastructure. And getting visibility of your data is absolutely the first step. The tools that most organisations have invested in year over year over year for the last five to 10 years, they don’t do any of that, not adequately enough, and not in a multi-vendor, multi-cloud environment.
I agree with you. I think once you understand what data you’ve got, and if you’ve got a clear set of rules, a clear set of governance around what data you want to have, then you really do get the opportunity to start tidying that up.
You can think about “do I need all of this data?” for a start. Very few organisations ever delete anything, and we probably all ought to, but actually start to think about it. Where can I secure some of the most sensitive data, and make sure that only those people who need it in my organisation gain access to it? It will sound really basic to many organisations who are following that model already. But actually, they might be doing that for 50% of the bulk data. If you ask them honestly how well they’re doing on legacy data and legacy systems, I think it might be a different response.
And, of course, there’s complexity. We are still talking about securing perimeters, but at the same time, we’re trying to encourage people to bring their own device. People are using mobile devices a lot more frequently. And a huge amount of working from home is going on. All of that changes what the perimeter of the organisation is, so it’s just too difficult to put a wall around the perimeter now.
When Forrester first brought this paper to market, the perimeter was really quite straightforward. Most organisations had an office where 95% of their employees came every day. They had a corporate-issue desktop that was tethered to a desk somewhere. Controlling the policy and the flow of information in and out of those machines was quite straightforward when you tried to bake that into a zero-trust principle, because the machine never went anywhere, only the user did. Users couldn’t take the data off that machine, there was no way to do it.
But this advent of cloud and mobile BYOD, and increasingly IoT, as well, has changed that so much. Fundamentally, the organisation is a very, very different place now to the one it was four, even five years ago. That does have an impact on the idea of “can I build a wall around my organisation?” Now you just can’t do that. You’ve got to be able to find a way to see what is within that invisible boundary of your organisation.
Your point on IoT I think is a really interesting one as well, because it is one of those areas where there is becoming quite a lot of public understanding just because of the amount of news reports that I’ve seen on mainstream media. People talking about Wi-Fi access to baby monitors, for example. And that kind of thing. People have been really shocked about the fact that an external person can access their home through their baby monitor or through their Alexa or whatever. And because so many things are now connected to the internet, even washing machines and tumble dryers – everything is being connected. Which provides somebody with access into your home Wi-Fi. Think about that on the scale of a company!
I’ve dabbled a little bit in ethical hacking. I’m not that technical. I don’t want to make myself sound really clever because I’m not, but I’ve dabbled a bit in ethical hacking and actually, taking a brute force attack to a home-based wireless router is about a three or four minute job. If you’ve got the tools, it’s not difficult. But in fact a lot of criminals aren’t really targeting that area because they’re after organisations, not an individual user. But they will go after an individual user if they think they’re a high-profile target inside an organisation.
Tying those two things together, I’ve definitely taken brute force attacks to household appliances before! It’s more with a hammer or a spanner or something.
Listen, it’s been fabulous to have this conversation. We’ve covered a lot of ground. I think we’ve covered zero-trust. We’ve also talked about why we wouldn’t want to be a CISO or what we would do if we were a CISO and how to make that successful. We’ve talked about a whole load of different things. So Julie, Gareth, it’s been fabulous having you here. Thank you very much for coming along.
I really hope you enjoyed that conversation as much as I did. Great to have Julie and Gareth along. We covered lots of ground. I feel like I understand a bit more about the zero-trust concept. It seems to make sense as an idea, but it also seems like the information security folks today really do have a headache in securing the organisation and its data.
In the next episode, we’re going to talk about another data-related topic, but something quite different. I’ll be talking to Pregasen Morgan, partner of the data governance practice at EY in London, and his theory that data governance is dead, and that we need to flip our approach into a more data-centric view of the world. It’ll be great to hear what Pragasen has to say. Finally, a reminder. If you like what you hear, you can subscribe to our other episodes using your preferred podcast app.
Goodbye for now and I hope you’ll join us again soon.