Kirstin Burke: Welcome! We would like to wish you a happy Cybersecurity Awareness Month. Gosh, it seems like this celebration, if you will, this awareness month, has been going on forever, and as we talked about our topic this month, certainly we want to tie into that a little bit. I don’t know about you, Shahin, I guess I’m more of a user, whereas you are more of the security pro, but I’m thinking back on Cybersecurity Awareness Month and it’s kind of like, oh, yeah, remember to change your password, or remember to, you know, not leave your laptop in an airport, or something like that, right? And it has turned into something that is so big and so global. And I think we just wanted to take some time to really talk about how it isn’t just Cybersecurity Awareness Month.
If you take a look at the convergence of data, of cloud, of applications, there’s really been this convergence of IT and cybersecurity. And it’s really not just Cybersecurity Awareness Month, but it really is an awareness, for organizations and the people in them, of, you know, how is it that you’re doing business, and how is it that as you are building out your stack, as you are working on business transformation, as you are thinking about deploying AI across your organization, where is it that you need to think about not only how what you’re doing affects that initiative, but where and how it might open up a security gap?
And we’ve just seen a very interesting situation with AWS just this week where something very simple like DNS has such a broad-ranging impact on people that, you know, these weren’t security people working in a dark room. These were people trying to book airline tickets. These were people, you know, working with crypto. These were school students trying to get to their homework. And so there are so many intricacies in what we do today, and each one of those, while they boost performance and efficiency, can also be a potential risk. And so we just wanted to take some time. Shahin, I’ll open it up to you.
How does this convergence really come into play? And as we think about IT and security, clearly we’ve seen kind of everything coming together over time, but what’s new and different that you’re seeing today that really stands out to you?
Shahin Pirooz: Well, just like everything in technology, we have a contraction, an expansion, a contraction, an expansion, and these cycles keep repeating. I’ll describe it as centralized compute, decentralized compute, centralized compute, decentralized compute. The same thing has been in place with security and IT. It’s the same team. It’s a separate team. It’s the same team. It’s a separate team. It belongs in the board. It doesn’t belong in the board. These things have created a kind of dyslexia in terms of identifying what’s going on in the corporate environment, trying to keep up with what the industry is trying to tell us. And I think that there’s this inflection that we’re seeing right now.
We keep saying, and we’ve been saying, the new business imperative is cyber resilience. But at the same time, nothing has changed in terms of operational resilience. That has to happen too. And what we’re seeing now is a convergence of those two terms where cyber resilience and operational resilience are hand in hand. There is no focus on the left of boom or focus on the right of boom. They’ve come together. You really should pay attention to if boom happens, you better be ready. But let’s do everything we can to prevent boom to begin with.
So we’re back on the convergence path right now where things try to come together again. And it happens with every innovation. And why is this one a big one, and why is this convergence happening? It’s because technology has outpaced our ability to keep up with it again. And there’s a Moore’s law for how much we’re able to process and how fast we’re able to compute and the capabilities of CPUs and what they’re able to do and how much more we can do from a compute perspective, and how fast those leaps are.
The same thing happens in terms of technology. There’s a kind of a Moore’s law with technology. It’s outpacing our human ability to keep up with it, and we keep throwing stuff at the wall trying to separate that technology enhancement and advancement with how are people gonna adapt to it and how are we gonna build that into our operational and compliance control sets, if you will.
So what’s changed is that AI and automation have been this big leap that’s happened. And it’s not the things that you think. It’s not that AI has access to our data, and AI is going to take over the world, and AI is exposing information that it shouldn’t because people are making mistakes. Those are security risks, but those aren’t the real security risk and business operational risk. It’s this reliance on machine-to-machine communication, which we talked about in our last TECH Talk.
Kirstin Burke: Right.
Shahin Pirooz: More than 50% of the internet is now bots. It is not humans. And why is that the case? That’s the case because we’re no longer talking to websites. We are talking to the underlying fabric of commerce, the APIs underneath those websites. So when machine-to-machine conversation goes API-to-API, and humans aren’t in that cycle, there’s an additional, let’s call it, instead of man-in-the-middle, bot-in-the-middle type of attack that can happen. And the infrastructure resilience becomes that much more critical because now there’s no human to say, “Hey, this site’s down.”
Kirstin Burke: Right.
Shahin Pirooz: There are bots that are interacting and things just stop. The AWS situation that happened last week with their DNS outage is a perfect example of that. We didn’t notice the impact happening slowly. We noticed it because humans saw it. But what if there was no human interface problem? What if the problem was an API problem on the backend, and there were no websites to those APIs? We wouldn’t see it for days, and how many millions of dollars would we lose every second?
Kirstin Burke: Right. Well, and it’s interesting, you talked about when boom happens, and we’re talking here about things that are happening when humans are maybe engineered out, if you will, for whatever reason. There was a recent quote that I saw. A woman who heads up cybersecurity for Great Britain said, “We can’t keep simply building higher walls or throwing tools or whatever.” She said, “Our infrastructure, cloud, data, automation strategies all must assume the breaches will happen, and we have to design for recovery, continuity, and resilience from day one.”
And so it’s interesting to me that from a cybersecurity point, you’ve got security people who are thinking about designing for security. But you know, when you think about everything from infrastructure to cloud to storage, you know, all of that, how do you think about designing for recovery and designing for continuity and designing for resilience when we have the situations that you’ve just explained?
Shahin Pirooz: Well, I think the commentary is spot on, because what’s happening is we’re redefining “secure” and “fully operational.” And the problem is, when we do these redefinitions, these are the inflection points I was talking about earlier, we get everybody shifting left or everybody shifting right instead of let’s come together and figure out how to make this thing happen.
And the example I’ll give you is, we used to think about securing an environment in terms of locking it down so bad guys can’t get in. That’s what secure meant. And then we used to talk about operational or fully operational in the context of everything is working and we have some level of operational resilience in terms of backups and redundant data centers and whatever, so that if this data center stops, we can shift to another data center and continue working. The convergence that I talked about is shifting us towards continuous operations equating with cyber resilience. So it is no longer two separate things. Cyber resilience means continuous operations. We are no longer assuming that we can stop the breaches. It’s not just avoiding the breaches or doing everything we can to prevent them. This doesn’t mean don’t focus on that.
Kirstin Burke: Right.
Shahin Pirooz: I’m not saying that. So please don’t read between the lines and, you know, come out and say, “Shahin said you don’t have to secure anymore.” That’s not what I’m saying. What I’m saying is look to managed service providers that can manage your security, and focus on operational procedures in terms of how do you get your business back up and running while trying to prevent those attacks.
So, having that convergence of right and left of boom is the critical part of, how do we make this happen? So secure now means it’s recoverable, it’s adaptive, it’s prepared for rapid threat response when something happens. And it doesn’t mean it’s necessarily a cyberattack. It can be the DNS outage that happened at AWS. It can be the pandemic that pushed us all home, and we had to figure out how to continue to work. It can be we had a massive power grid outage, and all of the data centers in that power grid are out and happen to be where we were hosting our applications.
It can be a lot of disasters, but we need to be able to respond to those events that happen in a rapid way. And secure means being recoverable, adaptive, and being prepared to respond. So it’s not so much about cybersecurity. It is about the convergence of what we have to do from a security perspective. But cybersecurity is shifting towards a commoditization that IT did 10, 15 years ago.
And what that means is cybersecurity isn’t your core business. Put your energy into what’s your core business. There is no outsource provider that is gonna understand which applications are critical to your business and operating any better than the people who have architected and designed it and manage it on a day-to-day basis. Put your energy into how do we make those systems resilient and recoverable in the event that a cyber issue happens, in the event that a natural disaster happens, in the event that a physical disaster happens.
Those are the areas where energy should be put in, and this is not a new topic. This is not a new conversation. Like I said, we keep doing cycles in technology, and we’re back at: resilience is so important.
Kirstin Burke: What are the gaps when we talk about this? What are some of the gaps when we talk about secure and operational? Through all of the folks you’re talking to, you speak at a lot of events, you talk to a lot of prospects and customers and partners. What are some of the common gaps that you’re seeing that prevent organizations from achieving this?
Shahin Pirooz: So it isn’t that there are gaps. It’s that gaps are created through complexity. So it isn’t a specific gap.
I’ve been looking at technology platforms for 30 years, and there are really smart engineers that come up with a great idea and go to build it, but they may not be developers. They have an idea. They may be developers, and they don’t know how to operate. There are lots of different factors that go into why the things I’m about to say happen. But we create very complex environments without the intention of doing so. We don’t know how to optimize because we don’t bring in, we don’t prioritize when we’re develop[ing]… And let me be clear. When I’m saying we, I’m not trying to say we as in me and somebody else. I’m saying the industry as a whole. Because of the way we innovate, because of the way we energize innovators, we have created this construct, this notion of technical debt, and have expected that technical debt will happen in every organization that is built. It’s a fundamental flaw.
You have to design operational streamlining and technology streamlining to reduce any unnecessary complexity from the ground up. And if you’re not doing that, if you’re putting that off ’til later because you’re building this cool thing, you will have technical debt. And there are very few companies in any industry that don’t have technical debt, because we, as innovators, always put innovating ahead of operations.
Kirstin Burke: Sure.
Shahin Pirooz: So we said for years, “Shift left, put security at the front of operations,” because we wanted developers to be thinking about security from the start. I think we also need to think about shifting operations left to the start, not just the innovation. So shift both security and operations left, and this convergence of secure shifting to cyber resilience and operational resilience in one term means let’s shift both of those things left to remove the unnecessary complexities, which will, by extension, eliminate the security gaps.
Kirstin Burke: Interesting. So, you’re talking about complexities across the environment. And, clearly, the more complicated something is, the more links there are that can break, the weakest link. And the more things that you miss, the updates, you can’t get through everything. So streamlining your stack is important, as I would imagine is future-proofing.
And when you talk about technology debt, when you’ve already sunk so much cost into something, the more and more cost that goes into that, the harder and harder it is for you to back out of it. Or the harder and harder it is for you to do something else. I kind of liken it to buying a new car, right? The minute you drive it off the lot you lose whatever, 20% of the value or however much. And if you think about how long it’s taking someone, in theory, to develop whatever they are building for the business, right?
You put your strategy together, the recommendations, you’ve gone out and done POCs, and you’re using all of this stuff to build it. And by the time you’ve built it, you could be 3, 6, 12, 18 months down the path in this investment, and in that time, life is still happening. Business is still happening. Technology is still happening. And so the time it often takes to get something from concept or need to execution, first of all, can be part of that time and complexity, but then if you’re trying to integrate it with something that is 2, 5, 10, 15 years old, it gets very hard to be nimble, and it gets very hard to be responsive, and to really ensure resilience goes through that whole business stack.
Shahin Pirooz: Well, it’s two things in addition to that. It’s not just the refresh cycles, it’s not just that we’re breeding technology complexity in with the way we build things. It’s also that the manufacturers we’re using have technical debt for the same reasons we do. So, as you compound technical debt and don’t have a way to figure out how to change that quickly and be able to adjust and adapt, which is the key thing I said earlier [about] what we end up seeing.
Let me give you a simple example of what I’m talking about. Let’s say that we’re developing an app for securing APIs. And for that app, we decide that we have to create a bridge that processes all inbound communications to the APIs and separates those into humans and bots and other things, and then is able to classify those other things. And as we start getting into operations, we start adding functions and features based on what our customers ask us to.
We start adding a capability that takes people and says, “Where do they come from?” We start adding a capability and saying, “Are these good bots or bad bots?” We start adding a capability that takes the classification of the other things and figures out if they are people or bots and then reclassifies them. So we keep adding functionality. And as we go, we prioritize those feature requests that customers are asking for because we feel if we’re doing what people want, they will buy our stuff more. So we put off… Now that we know these are bad bots, what do we do with them? Anything? Do we block them? “No, let’s come back to that. We’ve classified them, that’s good enough.”
And 10 years go by and we still haven’t done the core thing that we set out to do, which is protect APIs. All we’ve done is created a classification engine. So that’s an example of technical debt that continues to drag and build capability and seems like it’s getting richer and richer and richer. And in the end, you stand there and you’re like, “Did this really do anything? Did we solve any real problem?”
Well, we classified, now somebody else has to write the tool to block the things we classified.
Kirstin Burke: So if we go back to the title of what we’re talking about here, which is IT and security need to evolve together, right? They may be in the same organization, they may even have the same leader, but in a lot of cases they’re on different paths.
What would your advice be to an organization that says, “You know, I get it. I get how functionally all of this has come together, how operationally all of this has come together. And I really need to change either my mindset or my team’s mindset or our business mindset to really treat this as one business. It’s like we’ve got these things, but how do we get them to work together?” What would your advice be? How is it that maybe DataEndure helps organizations really look at where they are and helps make the shift happen?
Shahin Pirooz: So I’m not gonna answer that last part of the question first. I’m gonna talk about the advice first, and then I’ll come back around at the end and talk about how DataEndure can help.
The short answer to the challenge that we’re facing is we’re dealing with technologists that like to build things. And we all like to build things. And when we build something, we take energy and effort away from the core context of what the company is. So, if your business is not a managed detection and response business, why are you building a managed detection and response capability? If your business is not patching systems, why are you building a patching capability? If your business is not a vulnerability scanning company, why are you trying to build a better way to do vulnerability scanning?
The context I’ll give you is the way to solve these problems is to refocus both IT and security on what is your business, and how do those two functions that need to merge together move that agenda forward. You know, there are 4,000 companies out there that are doing security. There are another 3,000 or 4,000 companies out there that are doing managed IT. So bring in the managed services functions for the core IT functions. Bring in the managed detection and response functions for monitoring, identifying the security gaps and alerting on those things. And focus your team on how to operationalize and streamline that stack, how to recover in the event of a failure, and how to identify what key applications are core to the business and have to come up in what order.
There’s so many times where I talk to companies and they say, “We want everything back in six hours.”
Really, every single application you own has a six-hour RTO? Does that make sense?
And they say, “Yes.”
And as we go through one of our resiliency workshops, which is where DataEndure comes in, our resiliency workshop will help figure out that you can’t survive for more than two hours with this application down. So your RTO on this application is two hours. This other application on the other end of the spectrum can come back up in a week, and you’ll continue doing operations and business and you’ll lose a tiny bit of revenue with that application being down. So you create human processes to cover the gaps that might happen because that application is down, and you put all your energy into how do I get recoverable on the two-hour app in two hours?
Kirstin Burke: Right.
Shahin Pirooz: So it’s that spectrum that we’re not focusing on because we’re focusing on building things that are fun, as opposed to helping fix real-world business problems. And the real-world business problems are, how do I keep my company making money every single second? And then moving forward, advancing what our mission is.
And where DataEndure comes in to help is, we can come in and do security assessments and set up our resiliency workshop, both for cyber and for disaster recovery. And the outcome of that resiliency workshop is really for you to understand how we prioritize the things we need to prioritize, and then put in the operational metrics and procedures to be able to achieve that thing we’ve prioritized.
Kirstin Burke: Last question, ’cause I know we’re coming up on the end of our time.
I think ever since outsourcing became a word, outsourcing, managed services, whatever you wanna call it, there’s always been that tension between an internal team and whoever it is that’s coming in, really to help the business, but you’ve got an environment of people and a function that like to build things, right? “That’s what I like to do, that’s what I’ve learned how to do, that’s where I feel my value is.”
And now you’ve got a business leader saying, “Hey, I need you to think about your value differently. I’m bringing this person in.”
So instead of you building things, I’m bringing this organization in to do it. How does an organization think about winning the hearts and minds of those IT and security people, who are builders? How do you help so that there’s support behind that initiative, that their skill set maybe grows and changes, and that you really can make that change where all talent is going towards building revenue, growing the business, and then you’re using the experts from a managed service perspective to do those things that really the business doesn’t need to do?
Shahin Pirooz: Part of the problem is the business leadership. And what I’m gonna say is unpopular. If you want to be a builder of IT and security, go work for IT and security companies. If you want to move forward the agenda of a business that you’re excited about, let’s say they’re in the textile industry, let’s say they’re in the agriculture industry, then focus on what moves the agenda for that type of company, that industry forward.
And the outcomes of that resiliency workshop that I talked about help to identify what things to build to move that agenda forward. They’re not building the best SOC in the world. They’re not building the best patching systems in the world. They are about: how do I recover? What are the procedures? How do I train people? How do I do tabletop exercises around when a disaster happens? How do I recover? Those are not the components that you should be outsourcing. Those are the components that the IT team should be the experts on, bringing in resources, whether they’re internal or outsourced, to help solve those problems.
Nobody, not one single person on this planet, worries about how do I generate electricity. They walk up to a light switch and flick it on and the light comes on and a bill shows up at the end of the month. Nobody cares about it, other than the people who work for the electric company, who are figuring out how to generate electricity so that the rest of us can appreciate it. IT and security should be the same thing.
I don’t feel this is gonna be a super popular answer to the question, but it is what it is. If you want to generate electricity, go work for the electric company. If you want to do something powerful with the light that comes out of the light bulb and do something different for your business, focus on what your business needs.
Kirstin Burke: So with that happy note. With that honest note, right? I mean, I think that’s where the world is going. And I think if you’re an organization that really wants to embrace that and grow, that’s one thing. And if you don’t, then your business might still do what it does, but you just may not have the opportunities to grow the way you’d like to if you kind of continue to stay within the operational processes that you’ve been working in for a long time.
Shahin Pirooz: And we’re no different. I’ll make sure that this is clear. I’m not suggesting that we do anything different. We are a consultative advisory group that helps businesses align what those needs are with those things that move the agenda forward for a company.
We are an outcome-focused business trying to help you achieve those things that make your business better versus your competition, against the industry, and so on and so forth. We bring in skill sets that solve the problems that we don’t have ourselves, for the exact same reason I’m saying to all the listeners out there: Bring in the people who are specialized and focused in the space that you’re trying to close the gap on. Don’t try to build everything. Build those things that move your agenda forward.
Kirstin Burke: Well, and it sounds like, as we wrap up, really for an organization that is curious about this, whether you’re taking cybersecurity month to think about it or just listening here has kind of started some light bulbs for you: if you’re thinking about how to bring these two functions together, if you’re thinking about how your entire environment is working either for or against this resiliency objective, we’d love to talk to you.
And Shahin mentioned the resiliency workshop. We have other ways, like he said, depending on the outcome that you’re looking at, depending on your business. There are all sorts of different ways that we can get started with you that are no strings attached, but really help you get your mind around where it is that you need to focus. None of us wants to waste time. None of us wants to waste money. So let’s kind of sharpen in and focus on what really needs to happen that will affect your business the most.
Shahin Pirooz: And I think, to end on a cleaner note than what’s my opinion on the state of the world, if I were to give three takeaways from today’s conversation, number one is that cybersecurity has become, and needs to become if it hasn’t, a business metric in your organization, not a division, not a tool, not a whatever. It needs to be a business metric that says we are or are not secure. We understand who’s regulating us and we have controls to address that.
The second thing is that, we’ve talked about this before, AI is a double-edged sword: leverage it for automation, for defense, for productivity, but recognize that as you’re moving forward your adversaries are also using it and moving faster, so you have to take advantage of it. So that double-edged sword is not something to be scared of. It’s something to embrace. And embrace it in the right ways, with the right controls and with the right security.
The last piece, that I left you with when we were talking about it before we jumped into the outsourcing pitch, if you will, was that you have to future-proof your environment. And you do that through simplicity and through training.
So simplify your stack. Simplify by removing complexity in your stack. Optimize how you operate. Optimize your procedures and your policies, but at the same time, you have to do those roundtable exercises that I talked about, for disasters, for a security incident, for whatever, so that your team knows how to react and respond in those situations. So be able to respond rapidly, but don’t ignore that you have to also try to prevent at the same time.
So cybersecurity is a key metric. AI is a necessity even though it’s a double-edged sword, and you have to future-proof by simplifying and training.
Kirstin Burke: Fantastic wrap-up. Thank you, Shahin. Thanks for joining us, as always, and we will see everyone next month.