Akeyless Executive Conversations
James Azar, CISO at AP4 and Oded Hareven, Akeyless CEO & Co-founder
Oded: Hello! Welcome to our next episode of a fireside chat with Akeyless. Today we’re with James Azar, the CISO of AP4 and the host of the CyberHub podcast. James.
James: Oded, great to be here.
Oded: Yeah. I’m so, so happy that you made it right.
James: Yeah, well, you know who doesn’t like to come to New York City?
Oded: Yeah, but especially in those days, right, of Christmas, it’s like…
James: It’s freezing.
Oded: It’s freezing. How was travel? You know, I travel a lot, right? Like 200 days a year. I travel because my job requires a lot of travel.
James: And I remember why I hate traveling during holidays. Because you can sit in the nicest seat on the airplane and you’ll still have a kid behind you kicking the seat. Going like, “Mom!”
Oded: Well, you know, it comes with the territory.
James: Oh, yeah, it does.
Oded: I mean, we both have kids. We know, we know it, but, you know, still, you get so used to it when you’re traveling for business, right? There’s rarely — you never take a kid’s flight.
James: And then, you know, during the holidays, there’s nothing but kid flights, right?
Oded: Yeah. Well, it is what it is. But then again, you came here for business, so, yeah. Anyway, good. So it’s good to see you.
James: You too buddy.
Oded: Thank you once again.
Oded: Before we started, you kind of shared with me something that I found, you know, groundbreaking even. Wow. With the way that, you know, I asked you about the challenges of CISOs, right, chief security officers. And I asked you about the way that you prioritize, and you told me that you think that there’s a mistake.
James: I don’t know if there is a mistake. I think the conversation is driven. So let’s talk about the security onion that most CISOs are kind of trained to think about, from perimeter security to network security to data security, to application security, to, you know, your IP, right? It’s a really famous — like there’s 500 of these images rolling around the internet that you can find. And all of those kind of talk about different security methods and tools and ideations that you have to do.
But securing an enterprise isn’t about just those things, but it’s about looking at the business process that the business does as a whole, and then understanding what business processes help the business generate revenue.
Oded: And why is that different? Sorry to interrupt. So why is that different?
James: Because when you think of what security is, you know, we have a tendency sometimes in security to, to, to really want to kind of focus on DevOps or application security or identity.
Oded: Or a certain solution on that end.
James: Or a certain solution or a tool or whatever the case may be. But I want to look at security from a different perspective. Right. So go and sit with the CEO for a second and go, I want to invest in application security. The CEO is going to look at you and go like, I don’t know what you’re talking about, right? Maybe the CTO will be the person to talk to about this. I’m not the guy to talk about it, but when you go to the CEO or the COO or the CFO and you go, we have this business process, and this business process generates 70% of our company’s revenue. And these risks exist in this business process. And in order to reduce this risk and keep this fraction of the revenue available, we have to do these three things.
And this will help keep this part of this business process that generates 70% of our revenue, resilient against specific types of cyber incidents or events that could happen to our company that would impact our bottom line of revenue.
Oded: Okay, so what you’re now referring to can explain how to better prioritize, right? And also how to get a better buy-in by changing the language of a certain CISO. Instead of talking about DevOps or a certain tool or a certain problem that we as professionals discuss, what you’re saying is communicate that using a different language, one that speaks the business language, right?
James: Correct.
Oded: Well, if I’m hearing right, it’s not just reflecting on the way that you get the buy-in and the budget. It also reflects on the way that you think about implementation and adoption of the technology.
James: That’s exactly what we’re talking about, before, before we sat on this beautiful, velvety couch, by the way.
Oded: It’s not for sale.
James: It’s not for sale? No, no. I was going to see if I can get Delta to ship this home with me today. Honey, I brought a new couch.
Oded: Merry Christmas, happy Hanukkah. Well, and you’ll sit all alone on that couch?
James: I might. I may start doing my podcast off a blue couch.
Oded: All right? Right. But —
James: It’s a good trademark.
Oded: It’s a great trademark. But notwithstanding that, you’re right: oftentimes we as security practitioners are so hyper-focused on a specific solution that we’re missing the bottom-line business. And when we speak business we win more.
James: So when you think of implementation, right? Oftentimes when we buy a tool we’re trying to implement it enterprise wide. Yeah. And it makes sense.
Oded: Well, in specific cases. Yeah.
James: But what if you did a staged implementation? What if what you did is — and by the way, the most successful implementations, when you speak to CISOs, are these staged implementations — part one, we went and we implemented the tool with team A, and team A implemented the tool. It went through successfully. We’ve run the tool for six months. We’re reviewing the logs. We’re getting events. We’re understanding the risks. We fine-tuned the policy engine within the tool.
Oded: Yeah.
James: And now I can roll it out to all of my other teams. But you’re saying something even more granular than this. It’s not — it’s not just within a team. You’re saying think of the business process and finding the right places in which the technology should fit.
James: Correct.
Oded: And that’s even more granular. It’s not — it’s not even the whole team.
James: I think, as a cybersecurity professional, the very good CISOs will echo what I say, right? The echo is you have to be extremely granular with how you select a tool, how you implement a tool, and how you deploy that tool within your environment. Now, EDR, MDR, XDR, that’s enterprise-wide. I’m not talking about that. I’m talking about more specific tools that really kind of go into the granularity of teams and operations, and the reason you want to do very hyper-focused types of implementations and deployments is because then your team is able to build relationships in the implementation process and in the deployment process to reduce noise.
And the moment, you know, you and I both come from Israel, right? And I always use this example with my board and with my executives, I go, what’s the best security? What airport has the best security in the world?
Oded: All right. Ben-Gurion. All right.
James: Right, when you think of Ben-Gurion airport outside, once you walk in through the doors, do you ever see a security guard?
Oded: After?
James: After you walk through the doors, do you ever see a security guard at Ben-Gurion airport?
Oded: Well, you don’t see them, but they’re there.
James: See, now you’re playing into my hands, right? The best security is invisible. The user doesn’t even know it’s there. So the best implementations are ones where they kind of see the checkpoint booth right when you’re driving into the airport. That’s deterrent number one. Deterrent number two is that armed security guard with the metal detector at the door going into the airport.
Oded: Yeah.
James: And after that you don’t see any more security, but security’s there. You wouldn’t know it, but it’s there.
Oded: It’s all over the place. And you’re seeing that it’s tailored for the places for the right interactions with the right moment and not necessarily enterprise-wide.
James: Correct. So you have security in the places you need to have security. And in other places you’re observing, you’re implementing, you’re deploying differently to where the user doesn’t even know security is there but security is there. Security’s monitoring. It’s logging, it’s even securing. And it could be even, you know, preventing specific types of incidents from taking place. Or the deployment of, you know, bad code or, or you know, really poor certificate management, etc.
Oded: What you’re saying to your fellow CISOs is quite interesting. You’re saying, look, it’s not about selecting tools according to a certain criteria, or the onion, you know, going through the onion. All right. We need a perimeter firewall, a network firewall, an application firewall. It’s, you know, check-boxing.
James: Right.
Oded: And then for each one of those, the traditional way is to go enterprise-wide and say, okay, let’s go through the entire stacks or entire environments or entire teams that I have, and I’m going to implement that within — You’re saying, look, you can’t finish like that. You won’t be able to win the entire war. Right? With that, it will take you forever. And it might not necessarily prioritize the force that you have according to what’s more important. So you’re saying choose the right places to put it according to the business process. Now, what does it mean in terms of the number of vendors that play here? Allegedly, from what you’re saying, I should pick the best of breed in each one of those problems or challenges that I have.
James: That’s often what a lot of companies do. And again, different strategies. There are specific aspects where you pick best of breed and you roll it out across the enterprise, right? Like, you know, MDR, XDR, best in breed, and you move it through because that’s what you need. A firewall could be the same, right? Across, you know, you want to have similar firewalls across your entire environment because it’s easier to manage. Okay. But when we get to the more granular aspects of security, you want to pick best in suite, right? Because I’ve always run micro teams. You know that, I mean…
Oded: Yeah. You know.
James: Even when I implemented Akeyless years ago.
Oded: Right.
James: When you guys were early on, I had a very small team. And so I wasn’t looking for just — I didn’t want best in class. I wanted best in suite. The reason for it is because if I’ve got best in suite and I’m able to expand the tool as I deploy it, I’m able to deploy version one of the tool with one aspect, and then I need aspect number 2, 3 or 4. It’s easier to continue to deploy the tool, because one: now the company’s familiar with my environment. So the adoption and the implementation is much, much smoother, or should be if the vendor is responsible. That’s not always the case.
Oded: Right.
James: So that’s one. Number two, my team doesn’t have to go learn a whole new tool.
Oded: Oh.
James: They don’t have to build a whole new relationship. They’ve already got the relationship.
Oded: So you’re looking for best suite of solutions from a company rather than best in class.
James: And I think that’s in specific cases. You know, I don’t want it to be like, oh, I’m looking for best in suite across my entire enterprise. In some aspects of the business, I want, you know, best of breed. Okay. But in other aspects I want best in suite.
Oded: So to what extent do you feel like reducing the number of vendors is something that can seriously save you time, or is this something that people just talk about? There are, like, 5000 vendors in cybersecurity. And you know, when you need to pay and you need to pick, you know, either best of breed or best in suite, depending on how you analyze it. But do you experience that reducing the number of vendors is something that your CISO peers should look at?
James: Well, it’s not about saving time, but it’s also about how, you know, you and I go to a lot of events. How many events do we go to where you hear a CISO talk about failed implementations or deploying a tool that completely slowed down and fell apart?
Oded: Yeah, right.
James: Those horror stories exist at every dinner, you know? Right? Every dinner, every event, even this morning coming in, meeting with some colleagues. That was a discussion point, right?
Oded: Yeah.
James: And the reason for it is because we’re picking all these different tools. Our teams often don’t know how to utilize those tools effectively. So when they’re not utilizing and deploying the tools effectively, we have a tool that we’re spending money on that we’re not getting value for. And so you end up just collecting a whole bunch of tools that don’t do anything for you. Meanwhile, 20% of your tools are doing 80% of your work.
Oded: Yeah, the 80-20 rule.
James: Right. And you’re spending money because you have budget, and you’re spending it on tools. And I know a lot of CISOs that do this. They’ll buy a tool not because they’re going to use it. They’re going to do a very small implementation of it. Just very, very small. But keep it there because they’ve got the budget. You’ll keep it around for a year or two until someone comes and says, hey, we’ve got to take away money from your budget or whatnot, and you’re fighting it, right? And I’d rather invest in people.
So I look at best in suite, I look at building a really good team across the teams that are going to be using this tool. So if it’s DevOps, if it’s applications, you know what I mean? Like I want to hire good security architects or good security engineers. So rather than buying a whole bunch of tools, I’d rather invest in people that are really dedicated to the teams that are maximizing that tool’s ability to help secure the business process and secure the enterprise as a whole, because then, that employee becomes a really critical part of the business and any sort of play to eventually try to dismiss those employees becomes moot, because the CTO or the VP of engineering, or other people within the organizations now have a relationship with one of my guys or two of my guys or gals, right? And they see those folks and they go, they’re a critical part of how we build product. They help speed up our time to delivery. They help ensure that we’re delivering a more secure, a more efficient, a better product to our customers. We can’t afford to lose these people. And so when you have best in suite with really smart people doing the work, you really do end up having a better overall security program.
Oded: And at the end of the day — It sounds like a secret sauce. When you invest more in people, then you have more flexible, more capable, and people that basically within your team that represent you better. Right? They’re able to, communicate much more effectively with the key stakeholders, like CTOs, like others, right, and you combine it with tools with a lower number of vendors, allegedly, or according to what you’re saying, that would be able to provide more flexibility with wider solutions.
James: Well, because if you have best in suite right now, best in breed engineers and architects are working with the different teams, building these products and deploying these products. They’re not approaching it from “let’s go buy something else,” but, “how can we utilize what we already have?” Because you become so familiar with the tool, all right, that you’re able to really maximize the value that you invest in it.
Oded: Yeah.
James: And so you really get value for every dollar you invest in the security tools you have.
Oded: Yeah. Which results in — now I understand — the result is higher adoption rates, right? So that, again, the dollars that you spend, you get more out of. Right, so if you ever hire someone who comes and tells you, you know, I don’t want to name-drop, I’ve done five implementations of product X.
James: Yeah.
Oded: So you bring in that person who has product X experience because you have product X, and they come in and they start to look at the way you’ve implemented product X. And then they say these are all great, but there are these seven things that you didn’t know about, because you didn’t have the experience and the knowledge of product X, and your Customer Success manager, as good as they can be with product X, doesn’t understand your business. But now you’ve hired someone who’s really smart, an architect, an engineer who understands product X inside and out. So when you get best in suite and you invest in a few people to really become extremely familiar with that product, and with the suite of options and the way to implement it, now they understand — now they’re with your teams, right? So they’re deployed with your DevOps, they’re deployed with your application teams. They’re deployed with your CFO, with your finance team, with your operations teams. And now they’re looking at the enterprise as a whole and not just —
James: IT. We’re not just network or not just infrastructure, but how does infrastructure support DevOps, that supports application, that supports the product team, that supports customer success, that supports finance, which delivers the invoice right to accounts payable to the customer who’s enjoying the product, right? And security’s role is across that entire process. You touch every single aspect of it. And so if you just step away from the onion, which I love, the onion, right?
Oded: I love it.
James: I have my own version of it.
Oded: Yeah.
James: But my onion is mapped to a business process. My onion is not mapped to a specific security definition.
Oded: Yeah. That you know, Gartner comes up with, some analyst at Gartner comes up with after a conversation with someone. I like it as a snippet for this Fireside Chat.
James: I like my onion to be business oriented, right?
Oded: Yeah, I want them —
James: I want all of my layers to be surrounding the business. And, you know, that’s something you hear a lot of security practitioners talk about.
James: We don’t talk business. Well, the reason we don’t talk business is because we still talk security. We talk engineering.
Oded: This is the language. But that’s not the only thing. Either risk or engineering. It might be that, you know, what you’re referring to is —
James: Is the balance between risk, engineering, compliance, privacy, but then the most important one: the R-word.
Oded: The R-word, that everyone that’s not a cybersecurity founder absolutely despises.
James: What is it? Risk?
Oded: Revenue. Revenue?
James: Well, right.
Oded: That comes with the territory as well.
James: It comes with the territory of a cybersecurity founder. But as a CISO, how many CISOs look at revenue? How many CISOs know EBITDA?
Oded: No, they’re not into that, I guess.
James: Right. But you should, because at the end of the day, when you’re having lunch with your CFO and your CFO is asking you, you’re going to want to talk about EBITDA and company health and performance and shareholder value and concerns that the board is expressing. Who interacts with the board more than the CEO and CFO? Anyone?
Oded: CISO?
James: Not always. Okay.
Oded: Not always.
James: Oftentimes depending on who the CISO reports to in an organization, you’re relegated to meeting with the board once a year or once every six months.
Oded: All right.
James: Right, for five minutes in a presentation that’s so tightly controlled. Right? You don’t get the purview. But if you talk business process and you go in front of the board, and when you’re in front of the board, you’re talking about, here’s our most valuable business process. And it’s just one slide. This is the business process as outlined by our business operations team, by our ERP team.
Here’s where it ends.
Oded: Yes.
James: And these are the areas that carry the most risk for the business. And this process is 40% of our revenue. 50% of our revenue. What we’ve done this year is we’ve secured and reduced risk among these stages of the business process. We spent $1 million and we reduced risk by $30 million.
James: You look like a superstar.
Oded: And you’re more effective, not just becoming a superstar.
James: And no one else is saying security shut us down or we couldn’t do this because of compliance issues, because you’re deploying the right tools to address the right risk that resonates with the business.
Oded: Yeah.
James: And the moment you do that, you will likely win more battles than you will lose, because everyone in the business is looking at you and going, you’re a business driver.
Conflicts and Collaboration
Oded: You know, you keep bringing to this very complex mix of, you know, motivations and requirements, the different teams. You spoke about the platform team, the DevOps, engineering and the IT and the business and the finance, etc. Do you remember during your career anything like — can you share with us maybe a conflict that, you know, and a lot of the time it can be between security and application or DevOps. Those kinds of things happen a lot. Anything that you found, you know, maybe to somehow connect between them better.
James: So you always have the butting of heads over how someone wants to build it, to how you want to secure it, to how someone wants to deploy it. That exists in every single organization. And in my career, I’ve probably failed more times than I’ve succeeded in those situations because, again, I kept going back to that onion. I have to do X to secure Y, instead of thinking, how do I secure the entire process with the minimal amount of work I need to do to reduce the highest amount of risk?
And, you know, one thing we didn’t talk about yet is frameworks, right? So there’s the basic controls framework like CIS. And if you do the CIS 11 then you reduce, I’d say, 80 to 90 percent of your risk from an IT network perspective, right? A controls perspective, identity, etc. Then you get into the more sophisticated types of risks that come from building applications and processes. And so this is where we go to your question. Every time you have a conflict, it’s because we’re not mapping it to a business process. Additionally, and I’ll say this, additionally, in my career, we’ve always had to bridge those gaps. We’ve always had to go sit with teams, and you always have to negotiate and make compromises and find, you know, a solution.
And again, this is part of the problem with sometimes having best in breed — having best in breed means you’re spending top dollar for something that only does one thing, but it does that thing really, really, really, really, really good. But then when you need it to do all those other things, it doesn’t do them good enough, because it’s really good at this one thing, but it’s not very good at everything else. And that’s why sometimes best in suite comes in really, really handy. Because, if it can do 4 or 5 things good enough. That’s what you really need.
Now, I’ve been in situations where someone from your board will come in and say — because most people on your board sit on other boards or talk to people on other boards — hey, someone told me their company has X, why don’t we have X? I don’t know, I’m sure a logo, a certain product…
Oded: Right.
James: Now you’ve got to go explain, well, that’s best in breed. We’ve taken a different strategy of best in suite, meaning that a product does this very well, but I want to do all these things very good because I get more bang for my dollar. And that’s a conversation that sometimes some CISOs aren’t comfortable having.
Oded: Yeah.
James: Because again, we speak engineering or risk but we don’t speak business.
Oded: Yeah. So you’re saying when you also leverage that way of thinking of business processes, it helps also to ease conversations within the organization by connecting teams to the higher good or to the higher initiative that you’re trying to protect.
James: Yes, and once they’re comfortable using a product like, let’s say I’m in DevOps, right? And I use product X to secure this process, right? And now as we’re moving along I got to add an additional layer of security, which product X offers as part of their suite. And I already have a good experience with X. So the chances of them actually wanting to implement X and use it is higher because they’re comfortable using the product. They’ve had success using the product. They trust the product.
So yes. Is it best in class? No. Is it best in breed? No. But does it get the job done? Yes. And at the end of the day, you’re trying to secure a business process and you’re trying to make it seamless within budget and ease of deployment and easy user interaction.
Oded: So I truly wonder, and I would love to hear more about the current challenges that you’re facing. You’ve told me about very interesting factory or, you know, challenges that you’re now having with, you know, securing energy and stuff like that, as such, right? And I’m sure that most of the things you cannot share for obvious reasons, but it sounds very unique, right? The network is not very much connected. The technologies are not necessarily, you know, of the 2024 —
James: If people knew what keeps the lights on — Yeah. I don’t think they would sleep at night.
Oded: Well, they don’t need the lights on at night, so…
James: Yeah, but you do need heat when it’s cold outside.
Oded: You’re right. Right, right.
James: And that only comes with energy. But the reason I say that is, you know, the energy sector is very, very unique, and it’s unique because, one, regulation makes it extremely, extremely difficult to operate, because —
Oded: Operate in secure, I guess.
James: Right. Operate to begin with. So from an operation perspective, let’s say, Southern Company. While Southern Company may own power generation plants, it also owns transmission. And then distribution could be done by a whole bunch of different affiliates. Right? However, the Everett power generation plant, it’s actually a standalone unit. And the generation and transmission can’t really talk because of regulation and because of conflict of interest around rates.
Oded: All right.
James: So how do you… So, you know, communication is limited in scope and in the way you can deploy it. So inherently, the way our regulation around energy is today, it’s — I think it’s broken. Right? Because we’ve kind of built regulation in order to keep price fixing and price manipulation from happening, we’ve introduced risks that come with security and operations and so forth.
Now, the big difference between energy sector and maybe all other sectors is our number one priority is safety.
Oded: Safety. Safety. Okay.
James: Nothing trumps safety. Safety wins every single time. No one wants to have to call someone’s wife and say, your husband isn’t coming home today because of a tragic accident at a powerful event. All right, that’s just not a thing. Right? So safety trumps everything.
Oded: So in the name of safety, that would all be —
James: In the name of safety and security. Everything else takes a backseat to safety.
Oded: Of course. That’s number one.
James: And then because of the way the systems are essentially built and designed, these are systems that get upgraded very often. A lot of the systems you buy, could be in there for 10, 15, 20 years. Some systems have been running since the 50s and 60s and 40s. And, you know, there’s stuff out here in Manhattan that, you know, you see the smoke coming out of the…
Oded: Out of those Seven FAs and HAs and whatnot.
James: Then you go, oh.. old school, right?
Oded: Yeah.
James: Some systems aren’t even internet facing, or if they are internet facing, they’re — it’s kind of like data diodes. Like, that’s not a thing. You know, I spent 15 — when I met Joe, I was 15 years in FinTech.
Oded: Yeah.
James: Like, FinTech were groundbreaking. We’re running towards new technology.
Oded: Yeah.
James: In energy we run away from new technology. We go — You know, there’s that Drake meme, right? Show me the cloud.
Oded: Yeah. And FinTech and energy.
James: We’re like, no, we’re not in the cloud. But those are good reasons. Well, you know, to take the time with technology, also there’s not a lot of incentive in that sector, correct me if I’m wrong, to go through technology. There are some incentives in terms of security. We obviously, you know, since October 7th, we’ve seen Iran really increase its threats on water facilities in the US. The Salt Typhoon breach that just happened in Telco. Critical infrastructure is a prime target, right? We know that China was trolling and building backdoors in power plants.
Rockwell Automation, also known as Bradley Allen, they’re under a DOJ investigation because they write their code for their machines that are in power plants and on manufacturing floors in China. There’s a lot of risks that exist in this industry, and a lot of times people will say, well, we’re air-gapped. Well, you’re air-gapped until you’re not air-gapped anymore.
Oded: Until someone opens a port.
James: Then guess what? You’re not air gapped anymore. Well, we have a firewall.
James: I can’t tell you how many times I’ve heard the thing from power plant managers. “We have a firewall. We’re secure.”
Oded: No.
James: You have a firewall. That’s like having an armed guard at the door. If he’s not checking anyone coming in with a gun, guess what’s going to happen inside when someone’s inside with a gun?
Oded: Yeah, you’re kind of seeing traditional, obviously traditional, I call it this way, traditional technologies that were adopted somewhere in the early 2000s and maybe even before. And when they meet, you know, a person like yourself that is way into technology, and looking for it also not for the name of technology, rather in order to solve the challenges and to solve for the business processes, right? To basically secure the right things. I guess that it brings a lot of interesting conversations, I’ll call it this way. How do you overcome that challenge?
James: Well, in the power industry, the business process is pretty much identical, right? The business processes don’t change like they do in a SaaS type of business, where the business is constantly updating processes, changing applications, etc., and optimizing. In the energy sector, the way we optimize is energy efficiency. Can I do this process at a lower cost in order to increase my margins? Right? But even your rates are predetermined by the regulators. I don’t determine the rates of energy. That’s something that a power company does with the state regulators. You’re very limited in scope of operations, and, you know, the OT security marketplace is a very, very lonely place. There’s maybe about a happy dozen of really big operators in that field, and no one else is there because it’s a hardware game. It’s rare that you would have, you know, kind of software.
Oded: It’s true, and yet given what you — what we discussed at the beginning of our talk, which is around securing the business process, I believe that you mentioned that it’s not always the technology to solve it, rather than maybe changing a plant.
James: Control. Right.
Oded: Right.
James: The energy sector is all about controls. It’s all about controls. Every aspect of it is controls. It’s how do I implement a good policy to control these systems, and then how do I allow it. So in some power plants, for example, when GE wants to log in and update something, we actually have a physical device you go to and you put in a key and you turn it and you go to On, and that opens an RTP port for them to log in remotely, do the updates they need to do to the GE system, then you turn it off and it’s air-gapped again.
Oded: That’s some James Bond stuff.
James: Yeah… That’s like not recent James Bond, right?
Oded: This is an EV Pierce — Well, the viewers like the class —
James: Like Sean Connery James Bond, all right? Like that’s how far back we’re going.
Oded: Like Mr. Evil as well…
Oded: Okay, but at the end of the day, you know — So okay, that’s a certain technology that does solve whatever you need. But when is it that the process that you need to change or maybe you have an example that sometimes you change the process, and not necessarily, well, a tool.
James: So the processes are never run by corporate. So that’s the big difference in the energy sector. So in finance, right? If we wanted to change a process that was never up to the engineers, that will typically come from the COO or CTO or VP of Engineering, they’ll say we’re changing this business process with the finance team, and then this is how we’re going to change it, and that everyone has to go along with it, right?
In the energy sector, it’s my engineers that make the determination. It’s bottom up, not top down. Right — that’s the difference in the power industry, and that goes again to safety. My engineers, my mechanical engineers and electrical engineers in the power plants — they’re the people you listen to. You’re not listening to anyone else. The CEO of the company can come down and say I want us to do X. If the engineer says we’re not doing it, guess what? We’re not doing it. Because they know they have safety in mind, right? And safety trumps everything. Remember what I said? Safety trumps it all. That’s what applies here, right? It’s the same thing.
Oded: So look, I’m thinking of your team. We talked about technology and we spoke about, you know, number of vendors, and we spoke about this business-oriented way of thinking and prioritizing. And now, obviously, you know, I’m going to take us to the world of identity and the world of machine identity and the world of secrets management. And then you’ve been known — We’ve known, me and us for a long time now. What was your way of thinking of machine identities and the fact that, you know, there’s a number of machines that are currently rising? That is, you know, compared to the number of humans we have, the number of machines rising up more and more. And that challenge of securing them is now becoming more and more urgent. How do you see that? And also, in the eyes of the business process?
James: You know, when you look at machine identities, you think of a machine identity almost the same way I’d say you think of the onion, right? We have all these machines and we’ve got to issue certificates for every single machine, and we’ve got to manage the API keys for every single machine, and the interconnectivity and the scaling and the very technical way to —
Oded: You’re right.
James: But if you look at an overall business process. So why am I turning on more machines? Why am I increasing more workloads, more technology, more data? Why am I turning on more machines? Why am I increasing more non-human machines?
Oded: In many cases it happens because of the way that we, you know, the general systems software, right?
James: Now with microservices and micro functions, we have much more identities within our network. Rather if — even if it’s connected to a certain business process or not. Like, I guess what you what you would say is that the business process here is the digital transformation, right? on that end, I guess.
Oded: Right. But at the end of the day, you know, when you look at it, I just wonder how this is related to the prioritization of solving, because, you know, identity for a long, long time was very much focused on the human aspect.
James: Still is.
Oded: And still is while machine identity is coming. And I wonder, how do you approach that particular challenge, given its urgency and that, you know, in the way that you look at it, the way that you analyze it with some guys?
James: So again, I’m going to go back to, to the business process side of it, right? Because at the end of the day, every machine that turns on is part of a business process. Every machine is part of a business process. No one turns on a machine by their own will. They’re either developing something that that machine is going to operate on, or it’s supporting an existing revenue generating business process that’s going to keep a customer online. And so, that’s the only way I think about it.
So I don’t care if the machine has a human identity or a non-human identity. It’s part of a business process. Now, how do I ensure that whatever machine comes on reduces the risk to the business when it comes on, period. And whichever way that is, that’s what I’m going about doing it. So if it’s this machine’s coming on and it’s only coming on temporarily, right? It’s my Black Friday machine because we are going to see an increase in volume, and we’re going to have to turn on a whole lot more machines. We’re going to have to increase processing power and availability, and our load balancing, and all that. Those are what I like to call unique business processes.
In banking, we used to build on that all the time around our fraud team, during the holidays. Times like these. Right? I mean, we’re a few days from Christmas and come after Christmas, you have a whole new set of challenges for every single business in the world. What is that?
Oded: I got a gift I don’t want, or I’m defrauding the business by trying to return something I stole or never got.
James: Right? Yeah, but — And so you’ve got these business processes that are seasonal. And a lot of times we see the risk increase in seasonal businesses in that seasonal shift from, you know, Black Friday to the day after Thanksgiving all the way through January 2nd, you see a whole bunch of commerce happening in the banking sector. It’s huge. Right? This morning, when I landed in New York, I’m ordering an Uber. It got declined. Why? I travel all the time. So why would my card get declined? Because my credit card company, right, Amex goes, Wait a minute. It’s a seasonal fraud. Why are you all of a sudden in New York at 10 a.m. on the day before Christmas?
Oded: That’s — No, that’s a question your wife would ask.
James: I don’t know, right. But I get a text message saying, hey, we’re getting this request on your card. Do you approve it? Yeah. Oh yes. That’s a business process. That’s a mapped out business process to reduce risk and to increase the profile. They’ve added more workload in their business process in order to do that very transaction. So when I look at non-human identities, that’s all non-human, right? There’s no human interaction there. Five years ago my phone would’ve rung. Hi, this is Oded with Amex. Hey, James, I see you ordered a taxi — an Uber at LaGuardia, right. Is that you? Yes. Okay. I’ll go ahead and approve the transaction. Today, that’s a text message. Non-human identity interacting with a human on the other end to validate that transaction. And whether I put up more machines, added more computing, added more logic in order to get this to go check, I need to go ahead and — and validate that this transaction is real for James, so that I don’t have to take the liability.
Oded: Yeah.
James: Of the loss.
Oded: So at the end of the day you’re saying, look, obviously there are a lot of tools, different methods to secure certain challenges or certain needs. Right? But when you’re taking this approach of the way that you analyze it, it doesn’t really matter if this is a human interaction, a human identity, or a non-human identity, for that sense. You’re saying, look, what matters the most is that whenever a new threat is coming up to my business process, this is where I will address it, right? I will look at when does my primary business process, when is it being threatened by a new threat. And this is where I’ll face it. And I’ll try to mitigate that using whatever tools.
James: So, yes. So I’m going to — so I’m going to give it to you the layer approach that I look at it. Yeah. I start off with my CIS top 11, right? CIS has 18. I start with the top 11, the top 11 is basic blocking and tackling of setting up a really good IT network and identity type of policies around your security tools that rarely require you to deploy any tools. I don’t need to buy a lot to make the CIS top 18 work. I can use my Microsoft suite or my Google suite and use policies around those in order to harden my environment. That’s hardening my shell.
Then I start to look at what business processes generate the most revenue for the business. Okay. And I map out those processes. If they’re not mapped out, we map them out. And if they’re mapped out, that’s typically done by your ERP team or your BI team or your data team, right. So it requires you to kind of reach across the aisle and really go, hey, could you show me your process of how you manage data from order to delivery or from creation to delivery, and you kind of get an idea of that process. Now you go, what controls can I implement to reduce risk?
I don’t have any controls to implement because this requires a whole new set of tools. So now we look at the entire process of our top two, three, four or five, ten business processes that generate the most revenue, where the company stands to either lose the most money or impact operations and reputation because that’s what matters, right? So when I look at all of those, I go, these are those business processes. Now I need to deal with certificate management, I’ve got to deal with DAST and SAST, and I’ve got to deal with code review, and I’ve got to deal with all these different aspects that are part of the security onion. We’re talking about application security. Now we’re talking about network security. We’re talking about data security, data encryption, data in motion, etc. right?
And I start to go, what tools do I really need in order to reduce risk? Where does the risk exist the most in every single one of these business processes? And where, if it broke, everything else breaks. What’s the part — Where’s the piece of a pipe that if that broke, I can’t do business? I can’t operate tomorrow?
Oded: Well, with that question, I think that we would conclude for today. James, I’d like to thank you.
James: Thank you for having me on.
Oded: All right. That has been awesome. And, I hope to see you soon in whatever next conference that I have —
James: We’re going to have a good time.
Oded: Yeah.
James: All right. Thanks again.
Oded: Absolutely. For being with us today.
James: Thanks for having me, Oded.