1
00:00:00,000 --> 00:00:07,500
Well today on our type for business podcast, we're joined by Kyle, our president and CEO,

2
00:00:07,500 --> 00:00:10,680
and Nate, our director of cybersecurity and vCISO.

3
00:00:10,680 --> 00:00:16,920
So this episode is kind of continuing our audience question series from the tech fair,

4
00:00:16,920 --> 00:00:19,280
and today we're talking about zero trust.

5
00:00:19,280 --> 00:00:24,840
So if you don't know anything about zero trust, I'm going to have a bunch of links in the description,

6
00:00:24,840 --> 00:00:28,400
a bunch of old podcasts just so you can kind of get a little caught up.

7
00:00:28,400 --> 00:00:35,040
I'm going to start with Kyle, and I'm going to start not on our list of questions and ask,

8
00:00:35,040 --> 00:00:42,480
of all the things you could have talked about at the tech fair, why was zero trust the thing that you chose?

9
00:00:42,480 --> 00:00:51,600
I chose it because it was so close to our, we've recently been deploying in our final stages of implementation at CIT.

10
00:00:51,600 --> 00:00:57,720
So it was very well, it was very personalized to what I was experiencing as a leader within our organization

11
00:00:57,720 --> 00:01:01,560
and working with Nate and his counterparts on our internal efforts around it.

12
00:01:01,560 --> 00:01:11,280
So I really felt I could add a lot of additional input as to the leadership view of why this was important

13
00:01:11,280 --> 00:01:19,320
and what the journey looked like, because it does take a big effort and a lot of time and a lot of commitment.

14
00:01:19,320 --> 00:01:24,600
And I was hoping to emphasize that it takes a lot of leadership involvement behind it as well,

15
00:01:24,600 --> 00:01:30,680
because it is a big organizational shift, it is not just an IT department initiative.

16
00:01:30,680 --> 00:01:32,520
Yeah, for sure.

17
00:01:32,520 --> 00:01:39,160
Hi, you didn't ask me, but just writing on, writing on at the tech fair,

18
00:01:39,160 --> 00:01:47,120
one of the things that we had told our customers is that CIT is a steward of many of these organizations and networks.

19
00:01:47,120 --> 00:01:52,680
And so we feel the weight of that responsibility to first protect our own network,

20
00:01:52,680 --> 00:01:57,000
because we know that we are interconnected with so many other networks.

21
00:01:57,000 --> 00:02:02,880
And so you read about these data breaches left and right or ransomware, anything like that.

22
00:02:02,880 --> 00:02:06,200
And that's something that we never want to happen here.

23
00:02:06,200 --> 00:02:14,480
And so we put a ton of effort and time and money into protecting our own internal network,

24
00:02:14,480 --> 00:02:20,080
removing all these different servers off the network so we can't have something like ransomware.

25
00:02:20,080 --> 00:02:26,040
I could go deeper and deeper and deeper, but the biggest thing there was you trust us with your networks.

26
00:02:26,040 --> 00:02:33,520
Therefore, we bear that weight and responsibility to help protect ours, to better protect you along the same way.

27
00:02:33,520 --> 00:02:37,200
Yeah, yeah, quite simply protecting us protects them.

28
00:02:37,200 --> 00:02:40,720
And that's a big effort on our part.

29
00:02:40,720 --> 00:02:45,360
And we take that responsibility very seriously.

30
00:02:45,360 --> 00:02:52,280
With that comes with a ton of knowledge of implementing and budget and all the things we're talking about today.

31
00:02:52,280 --> 00:03:00,800
So diving into our first question, can Zero Trust be implemented alongside other existing security measures?

32
00:03:00,800 --> 00:03:04,800
Or is it kind of an all or nothing approach?

33
00:03:04,800 --> 00:03:11,600
Yeah, I guess the way that I rephrase this is I kind of hate the term Zero Trust altogether.

34
00:03:11,600 --> 00:03:18,480
You know, it is a great buzzword, but it's one of those things where you'll see that term thrown around all over the place.

35
00:03:18,480 --> 00:03:21,400
But the biggest thing is Zero Trust is a mentality.

36
00:03:21,400 --> 00:03:26,400
It's not an avenue or a tool or something along those lines.

37
00:03:26,400 --> 00:03:32,320
You know, similar with cybersecurity and security maturity of an organization.

38
00:03:32,320 --> 00:03:35,880
It's not just the responsibility of the IT and the security team.

39
00:03:35,880 --> 00:03:39,880
It is the culture of every individual in that organization, right?

40
00:03:39,880 --> 00:03:44,160
It could be everything from do you have the proper procedures for wire transfer requests?

41
00:03:44,160 --> 00:03:47,080
That's pretty basic things like marketing team.

42
00:03:47,080 --> 00:03:49,720
If you see something suspicious, do you report it?

43
00:03:49,720 --> 00:03:53,080
Right? That's the culture that is tied behind that.

44
00:03:53,080 --> 00:04:00,840
So if we take that same concept and apply it to Zero Trust, it's not the tool.

45
00:04:00,840 --> 00:04:09,680
Kind of if I rephrase that question, it is can Zero Trust or can the culture be implemented along with other security tools?

46
00:04:09,680 --> 00:04:11,040
Or is it all or nothing?

47
00:04:11,040 --> 00:04:11,960
The answer is 100%.

48
00:04:11,960 --> 00:04:25,400
You are going to have multiple tools for the different multiple layers, you know, what we call security in depth to be able to get to a state that people typically consider Zero Trust.

49
00:04:25,400 --> 00:04:30,440
It's an all or nothing approach similar to kind of what Kyle is saying is it comes from the leadership.

50
00:04:30,440 --> 00:04:31,600
It's pushed downstream.

51
00:04:31,600 --> 00:04:34,240
You have to have the full buy-in of the organization.

52
00:04:34,240 --> 00:04:36,680
There just happens to be a lot of tech behind it as well.

53
00:04:36,680 --> 00:04:39,920
Yeah, I think that sums up that it isn't just one product.

54
00:04:39,920 --> 00:04:46,160
So, you know, by its very nature, you are going to have multiple security measures in place.

55
00:04:46,160 --> 00:04:57,440
And there is definitely the way to approach it in phases or layering of those based upon typically what produces the highest return is where to start.

56
00:04:57,440 --> 00:04:57,800
Right?

57
00:04:57,800 --> 00:05:03,800
So things like EDR and a lot of components of those things are, you know, in multi-factor.

58
00:05:03,800 --> 00:05:10,120
You start the year and then you start layering in the other components that help protect at a more granular level.

59
00:05:10,120 --> 00:05:19,120
But there are ways to definitely continue to move those down and continue to close the gaps.

60
00:05:19,120 --> 00:05:25,800
And it's by its very nature is going to be alongside everything.

61
00:05:25,800 --> 00:05:26,520
Shameless plug.

62
00:05:26,520 --> 00:05:29,160
We do have multiple podcasts about Zero Trust.

63
00:05:29,160 --> 00:05:33,960
And this first couple of steps you could start doing to start implementing it.

64
00:05:33,960 --> 00:05:39,600
One of the big things here was how do you get rid of your on-premise critical servers?

65
00:05:39,600 --> 00:05:39,880
Right?

66
00:05:39,880 --> 00:05:41,760
Those are so dependent.

67
00:05:41,760 --> 00:05:46,880
Or sorry, those are so critical where other servers have dependencies on them.

68
00:05:46,880 --> 00:05:49,640
So if those are compromised, the rest of the system starts crumbling.

69
00:05:49,640 --> 00:05:52,760
You know, we see this all the time with like ransomware.

70
00:05:52,760 --> 00:06:01,320
The main, let's say a domain controller, which is running the main area where all your user accounts and passwords and where everything's logged into.

71
00:06:01,320 --> 00:06:08,440
If that goes down, all these other systems that we're trying to log into, you know, check your password and everything,

72
00:06:08,440 --> 00:06:11,080
you bring down multiple systems along the way.

73
00:06:11,080 --> 00:06:19,640
And so it's trying to remove those, which means all your workstations have to start getting moved somewhere else for, you know, logins.

74
00:06:19,640 --> 00:06:22,800
You can tell this is a subject I'm really passionate about, so I can just keep going.

75
00:06:22,800 --> 00:06:23,480
Yeah.

76
00:06:23,480 --> 00:06:28,560
It's been a lot of effort here, and it's been really exciting.

77
00:06:28,560 --> 00:06:32,720
So our next question is, and we might have to rephrase it a little bit.

78
00:06:32,720 --> 00:06:36,400
Is there any concern that Zero Trust addresses?

79
00:06:36,400 --> 00:06:41,160
So I'm going to throw that to Nate, quite where they were going for it.

80
00:06:41,160 --> 00:06:42,480
Yeah.

81
00:06:42,480 --> 00:06:56,600
It's really intended to say, how can we validate that every action that someone or a device is doing is legitimate behavior and intended in the proper scope of what they need access to?

82
00:06:56,600 --> 00:07:04,080
And so the intent here is that, for example, let's say, Ariel, you gave up your password, right?

83
00:07:04,080 --> 00:07:08,560
And then someone else comes in and tries to access those systems.

84
00:07:08,560 --> 00:07:19,560
If you don't have a control in place to validate that your user account is still you, which is, you know, the first layer of the multi-factor, then someone can come in and do whatever they want.

85
00:07:19,560 --> 00:07:23,360
So that's where you put in that first layer with things like multi-factor.

86
00:07:23,360 --> 00:07:29,240
I'm not going to quite tip my hand because I know there's a question that I want to talk a little bit deeper on in a little bit.

87
00:07:29,240 --> 00:07:34,800
But you can start bringing those into things like, can you trust the user account?

88
00:07:34,800 --> 00:07:37,880
Can you trust the device that they're coming in on?

89
00:07:37,880 --> 00:07:44,360
Maybe you're trying to work off of a home computer that's infected rather than your work computer that's all nice and clean and locked down.

90
00:07:44,360 --> 00:07:47,000
What happens if malware is introduced there, right?

91
00:07:47,000 --> 00:07:51,720
We've seen that actually with the big, well-known data breaches.

92
00:07:51,720 --> 00:08:07,840
I'm not going to call it the name specifically, but an employee working on their home computer got phished, had a keylogger installed, and then came in and compromised through the corporate network because it gathered a bunch of passwords while they were typing at home.

93
00:08:07,840 --> 00:08:09,640
So you could bring all that type of stuff.

94
00:08:09,640 --> 00:08:15,440
And then are the files and the times and the behaviors also legitimate?

95
00:08:15,440 --> 00:08:24,200
So for example, if you logged in in New York and then all of a sudden logged in in California in five seconds, it's probably not legitimate.

96
00:08:24,200 --> 00:08:28,320
Can you put in additional verifications surrounding something like that?

97
00:08:28,320 --> 00:08:36,000
And then also, Ariel, if you're trying to access board reports here at CIT, that's probably not going to be allowed.

98
00:08:36,000 --> 00:08:41,800
There has to be identification, notification, and action on that as well.

99
00:08:41,800 --> 00:08:48,880
So taking all those into consideration starts to develop that zero trust, and that's truly what it's trying to address.

100
00:08:48,880 --> 00:08:51,760
Does everything check out and is it legitimate?

101
00:08:51,760 --> 00:09:02,160
Yeah, I think just when you look at the user permission sides of where you start to filter down to and looking at role-based access on the system sides,

102
00:09:02,160 --> 00:09:07,560
knowing that somebody again could be potentially compromised in some level of access,

103
00:09:07,560 --> 00:09:12,200
which is usually what we see when they come in at some kind of account takeover,

104
00:09:12,200 --> 00:09:17,960
as Nate was alluding to some kind of credential harvesting that was done to get into the system sides with it.

105
00:09:17,960 --> 00:09:24,520
So now it's at that person's level permissions dictates a lot of the risks that the organization's facing.

106
00:09:24,520 --> 00:09:33,200
So with what their user account has trusted access to starts to become at risk.

107
00:09:33,200 --> 00:09:37,840
And inherently, we find with many of our customers that we're trying to get them off.

108
00:09:37,840 --> 00:09:40,560
The very nature has been a pretty open structure.

109
00:09:40,560 --> 00:09:48,200
You had open file shares, you had company shares, you had department shares, and a lot of information is very wide open and obtainable.

110
00:09:48,200 --> 00:09:52,760
And through that method sides of it, it induces a lot of risk.

111
00:09:52,760 --> 00:10:00,120
And just where the state of things are in this day and age, that is no longer, you know, really the advice.

112
00:10:00,120 --> 00:10:08,000
You have to really bring that back down and start scrutinizing that and have more filtering in layers to do validations,

113
00:10:08,000 --> 00:10:15,160
that point of access instead of just saying, using passwords good enough, now you have access to everything.

114
00:10:15,160 --> 00:10:18,960
And it's got to be far more scrutinized down to that.

115
00:10:18,960 --> 00:10:25,680
I'm so interested in this next question when I read all of these, this was the one that I was like, that I feel like this is a good question.

116
00:10:25,680 --> 00:10:36,280
And I know we're going to go down the rabbit hole, but they're asking what are good strategies for using Zero Trust with a global workforce,

117
00:10:36,280 --> 00:10:43,280
especially when you have employees that are coming from those bad actor countries?

118
00:10:43,280 --> 00:10:47,880
This is the one that I was alluding to that I wanted to withhold info on.

119
00:10:47,880 --> 00:10:49,880
You guys have a move?

120
00:10:49,880 --> 00:10:51,880
Have a move, yeah.

121
00:10:51,880 --> 00:11:01,560
Well, I'll make a joke and say, well, do as the British and just ship everyone to Australia or something.

122
00:11:01,560 --> 00:11:03,560
Relocate.

123
00:11:03,560 --> 00:11:15,560
But, yeah, no, the, let me just, I think there's also a little explanation that I need to do before this is the specific part of bad actor countries.

124
00:11:15,560 --> 00:11:17,960
There is no bad actor country.

125
00:11:17,960 --> 00:11:21,520
Every country is a bad actor country.

126
00:11:21,520 --> 00:11:28,360
It's just saying, where do we see most of our employees and inherently distrust everyone else?

127
00:11:28,360 --> 00:11:39,280
If you go take a look at actually logs of where people are trying to get into your networks, it is your state, your city, you know, the next state over.

128
00:11:39,280 --> 00:11:40,560
It's all over the place.

129
00:11:40,560 --> 00:11:43,280
People are scanning brute forcing all the time.

130
00:11:43,280 --> 00:12:02,200
Also, if they know that US countries are going to inherently trust the United States, I'll just come in with the VPN or actually what we oftentimes see is someone will compromise the network and then use their resources to go project another attack somewhere else.

131
00:12:02,200 --> 00:12:04,600
I actually just dealt with this is.

132
00:12:04,600 --> 00:12:12,960
And so what happens is one account compromise comes in and then, you know, maybe it's through a VPN or, you know, something like, you know,

133
00:12:12,960 --> 00:12:15,040
an online server running somewhere.

134
00:12:15,040 --> 00:12:17,240
It could be a website, something along those lines.

135
00:12:17,240 --> 00:12:18,520
They hop on there.

136
00:12:18,520 --> 00:12:26,760
You start paying for all the credit card fees as they spin up new resources and then they use your environment to go attack the next person.

137
00:12:26,760 --> 00:12:30,320
All the logs look like it's coming from your location.

138
00:12:30,320 --> 00:12:39,120
So think about that when it comes to a legal component is it's going to look like it's coming from your organization trying to attack another one.

139
00:12:39,120 --> 00:12:44,240
And they might be sitting somewhere like Romania and the Netherlands or literally right down the street from it.

140
00:12:44,240 --> 00:12:45,040
You just don't know.

141
00:12:45,040 --> 00:12:54,680
So with that being said, this is where zero trust comes in and it attempts to say, again, trust every action no matter who it is.

142
00:12:54,680 --> 00:12:59,840
But the one critical component of this is multi-factor all the time everywhere.

143
00:12:59,840 --> 00:13:03,440
Right is even if the employee is outside of the nation.

144
00:13:03,440 --> 00:13:08,840
If you have to have something like VPN, we're trying to get rid of VPNs altogether.

145
00:13:08,840 --> 00:13:10,320
VPNs are terrible.

146
00:13:10,320 --> 00:13:10,640
Right.

147
00:13:10,640 --> 00:13:14,320
You have a hole on your network that someone can probe all day.

148
00:13:14,320 --> 00:13:17,400
There's better ways of doing that.

149
00:13:17,400 --> 00:13:19,680
That could be a whole nother podcast.

150
00:13:19,680 --> 00:13:24,480
But the other critical thing is device trust.

151
00:13:24,480 --> 00:13:38,760
And so this is what I was talking about earlier about your home computer is there's ways to say, I can validate that this is a work computer when someone is actively logging on and don't grant access unless both that user account.

152
00:13:38,760 --> 00:13:42,120
And the device are met.

153
00:13:42,120 --> 00:13:48,920
And then grant the access so you could still have someone logging in from overseas and be just fine.

154
00:13:48,920 --> 00:13:50,480
But that's a long winded answer.

155
00:13:50,480 --> 00:13:55,080
But my biggest thing here is every country is a bad country.

156
00:13:55,080 --> 00:13:56,880
Yeah, I think that's well stated.

157
00:13:56,880 --> 00:14:07,520
I also think things like, and you and I have had this discussion, hardware-based keys like YubiKeys and those things as the requirement on the authentication side of it.

158
00:14:07,520 --> 00:14:27,240
So even enhances that multi-factor beyond just a software key or something potentially be intercepted side of it when it's an actual physical plug-in or introduces the biometric side into that authentication side of it really makes that very difficult to be hijacked.

159
00:14:27,240 --> 00:14:34,120
I mean, it's almost a point of presence where the person would be having to be having some kind of physical threat logging in to get in.

160
00:14:34,120 --> 00:14:41,080
Those even your most renowned hackers will tell you that is pretty much they don't have a way around that hardware key.

161
00:14:41,080 --> 00:14:46,440
You know, so in looking at those authentications and all those other tools do the other layering on the software side.

162
00:14:46,440 --> 00:14:57,080
But if you really add a if you don't if you feel there's a high risk of potential account intercept or take over stuff, just look at hardware keys would be another way to enhance that further.

163
00:14:57,080 --> 00:15:08,880
And this is also a really interesting time in the industry where you may have heard that key or the term passkeys floating around today is a lot of these websites are adopting passkeys.

164
00:15:08,880 --> 00:15:11,960
So if you're on Windows, that could be something like Windows Hello.

165
00:15:11,960 --> 00:15:23,800
So taking your biometrics and turning that into essentially not a password, but an authorization authentication token to allow you in because it trusts that user with that device again.

166
00:15:23,800 --> 00:15:27,880
Macs, you know, Face ID, Touch ID here at CIT.

167
00:15:27,880 --> 00:15:32,120
I just got a new phone today and I was logging into our system.

168
00:15:32,120 --> 00:15:36,080
It took my face print with the Face ID.

169
00:15:36,080 --> 00:15:38,000
It's matched to this phone.

170
00:15:38,000 --> 00:15:44,160
If someone captured my phone, let's say, you know, my spouse or anything wanted to try and log into CIT.

171
00:15:44,160 --> 00:15:45,960
It doesn't have their face.

172
00:15:45,960 --> 00:15:52,600
And then also if I tried logging into a different device, you know, and someone tried using a picture of me,

173
00:15:52,600 --> 00:15:53,880
they didn't enroll my phone.

174
00:15:53,880 --> 00:15:57,240
So everything gets paired to this device essentially.

175
00:15:57,240 --> 00:15:58,760
No one else can compromise that.

176
00:15:58,760 --> 00:16:00,920
And there's no password associated with it.

177
00:16:00,920 --> 00:16:02,200
So I can't be phished.

178
00:16:02,200 --> 00:16:05,040
So it's a really, really powerful combination.

179
00:16:05,040 --> 00:16:07,320
We're seeing the industry move that direction.

180
00:16:07,320 --> 00:16:08,920
Yeah.

181
00:16:08,920 --> 00:16:11,040
So kind of zooming out a little bit.

182
00:16:11,040 --> 00:16:16,200
Someone asked, how does Zero Trust align with compliance regulations?

183
00:16:16,200 --> 00:16:18,960
And I'll kind of tag something on.

184
00:16:18,960 --> 00:16:24,280
And is it just blanket across the board or how might that change based on industry?

185
00:16:24,280 --> 00:16:25,160
Sorry.

186
00:16:25,160 --> 00:16:28,960
I feel like this is going to turn into a Nate Soapbox episode here.

187
00:16:31,960 --> 00:16:33,320
That's why I waited for you to answer.

188
00:16:33,320 --> 00:16:35,360
I was like, I don't let Nate go with this one.

189
00:16:35,360 --> 00:16:38,280
You can tell I'm really passionate about this kind of stuff.

190
00:16:38,280 --> 00:16:40,360
So this is still pretty early.

191
00:16:40,360 --> 00:16:41,840
I will say that, right?

192
00:16:41,840 --> 00:16:48,760
And so back in, oh shoot, I want to say it's 2021 now, but it might be 2020.

193
00:16:48,760 --> 00:16:52,400
I'm totally blanking right now is the federal government pushed out their

194
00:16:52,400 --> 00:16:55,480
executive orders, improving the nation's cybersecurity posture.

195
00:16:55,480 --> 00:16:59,000
And one of the things that they did was mandating that the federal

196
00:16:59,000 --> 00:17:03,320
government start to mandate a Zero Trust approach to their networks.

197
00:17:03,320 --> 00:17:07,360
First things were pushing down the EDR and then better architecture of those

198
00:17:07,360 --> 00:17:07,960
networks.

199
00:17:07,960 --> 00:17:11,280
It's going to take a lot of time to get all those switched over to this.

200
00:17:11,280 --> 00:17:18,280
But when you see the federal government make a decision first, that is a giant

201
00:17:18,280 --> 00:17:22,280
stone that's rolling and it's going to be very hard to stop that, right?

202
00:17:22,280 --> 00:17:27,280
And so what we did see was now insurance providers are asking a lot of these

203
00:17:27,280 --> 00:17:29,680
same questions such as, do you have the EDR?

204
00:17:29,680 --> 00:17:30,880
Do you have the multi-factor?

205
00:17:30,880 --> 00:17:33,280
Are you protecting administrator accounts?

206
00:17:33,280 --> 00:17:37,280
Are you protecting your critical networking infrastructure?

207
00:17:37,280 --> 00:17:43,280
We haven't seen it get into a full implementation at this small, medium

208
00:17:43,280 --> 00:17:47,280
business level quite yet, but we do continue to expect to see these

209
00:17:47,280 --> 00:17:49,280
regulations continue to adopt it.

210
00:17:49,280 --> 00:17:50,280
Government did that.

211
00:17:50,280 --> 00:17:55,280
And then we also see things like CISA pushed out their Zero Trust framework

212
00:17:55,280 --> 00:17:56,280
and everything like that.

213
00:17:56,280 --> 00:18:02,280
So get ahead of it, but even the slow government is pushing it.

214
00:18:02,280 --> 00:18:07,280
Yeah, and I think you kind of said it.

215
00:18:07,280 --> 00:18:12,280
I mean, there are pieces of us that have already been rolling through many

216
00:18:12,280 --> 00:18:15,280
compliance regulations out there.

217
00:18:15,280 --> 00:18:17,280
It's just a matter of time.

218
00:18:17,280 --> 00:18:20,280
You're just going to be more and more of it just because many of the other

219
00:18:20,280 --> 00:18:26,280
tools and ability to do things like application ring fencing and network

220
00:18:26,280 --> 00:18:30,280
access control and number of these components are really just a little

221
00:18:30,280 --> 00:18:33,280
bit more of a risk control and are really just

222
00:18:33,280 --> 00:18:35,280
starting to become added to the questionnaire every year.

223
00:18:35,280 --> 00:18:39,280
We see more on each one of these get adopted and for good reason because

224
00:18:39,280 --> 00:18:41,280
it's all about risk reduction and it's how you do it.

225
00:18:41,280 --> 00:18:47,280
So continuing our zoom out, I'm going to throw this question to Kyle.

226
00:18:47,280 --> 00:18:52,280
Obviously Nate can share as well, but we had someone ask what kind of

227
00:18:52,280 --> 00:18:55,280
financial investment do you need to start Zero Trust?

228
00:18:55,280 --> 00:19:00,280
I'm going to add on what kind of time investment is someone maybe looking

229
00:19:00,280 --> 00:19:02,280
at for Zero Trust?

230
00:19:02,280 --> 00:19:06,280
Certainly organizational size dictates a lot of what the investment looks like.

231
00:19:06,280 --> 00:19:07,280
Of course.

232
00:19:07,280 --> 00:19:09,280
Where it's at.

233
00:19:09,280 --> 00:19:12,280
It is not free and it's not inexpensive.

234
00:19:12,280 --> 00:19:17,280
I mean, that goes for people's time and for different software and solutions

235
00:19:17,280 --> 00:19:20,280
that you deploy.

236
00:19:20,280 --> 00:19:25,280
There's no exact one price to kind of place on those things, but they definitely

237
00:19:25,280 --> 00:19:31,280
come in at a cost, but I would bring it with, it is far less than an incident.

238
00:19:31,280 --> 00:19:37,280
And if you had an incident, the cost of not only the cost of insurance,

239
00:19:37,280 --> 00:19:41,280
but reputation, those things is way far greater than anything you would ever

240
00:19:41,280 --> 00:19:43,280
spend for these tools.

241
00:19:43,280 --> 00:19:49,280
So that kind of frames my decision process around it is there's

242
00:19:49,280 --> 00:19:55,280
the cost of any of these solutions in the time is so much far less than

243
00:19:55,280 --> 00:20:01,280
the overall risk to the organization that it deserved its priority to be high.

244
00:20:01,280 --> 00:20:07,280
And I think it's all about planning to me and the sooner you plan and the

245
00:20:07,280 --> 00:20:10,280
sooner you can work through it, again, it's not at all, you're not going to do

246
00:20:10,280 --> 00:20:12,280
this in 90 days.

247
00:20:12,280 --> 00:20:15,280
This is not a 90 day process.

248
00:20:15,280 --> 00:20:17,280
It's a layer in his name, Lutie.

249
00:20:17,280 --> 00:20:20,280
And I think that's where the other podcasts say, where do you start?

250
00:20:20,280 --> 00:20:22,280
You need to start if you haven't.

251
00:20:22,280 --> 00:20:25,280
You probably most people are priority have some steps are along the way,

252
00:20:25,280 --> 00:20:27,280
which goes that first question.

253
00:20:27,280 --> 00:20:30,280
There is a layering approach to get through those things.

254
00:20:30,280 --> 00:20:33,280
And it's understanding where your largest risks are, because again,

255
00:20:33,280 --> 00:20:37,280
every customer is different in every organization is different as far as

256
00:20:37,280 --> 00:20:42,280
where they're at and where their risk exposures are at finding the different

257
00:20:42,280 --> 00:20:47,280
solutions and tools that will give you the greatest reduction in risk exposure

258
00:20:47,280 --> 00:20:49,280
is where you start.

259
00:20:49,280 --> 00:20:53,280
And then you start layering on from there to go through it.

260
00:20:53,280 --> 00:20:56,280
It does help spread the cost.

261
00:20:56,280 --> 00:21:00,280
You will layer on costs, you go, but they become organizationally adopted

262
00:21:00,280 --> 00:21:02,280
and they become part of your operational expenditures.

263
00:21:02,280 --> 00:21:08,280
You don't necessarily have to have a huge capital outlay to get started with it.

264
00:21:08,280 --> 00:21:12,280
And then it's also good on the time and the people side of it.

265
00:21:12,280 --> 00:21:14,280
And the people aspect of it is multiple.

266
00:21:14,280 --> 00:21:18,280
You have, you know, we have the, we have the blessings of having people like

267
00:21:18,280 --> 00:21:21,280
Nate on staff to help oversee these things.

268
00:21:21,280 --> 00:21:25,280
And, but as you roll these out, I mean, it isn't all just Nate's impact to

269
00:21:25,280 --> 00:21:30,280
or the people, the users in the systems too, because many of these, you know,

270
00:21:30,280 --> 00:21:32,280
it's going to disrupt their, their, their work.

271
00:21:32,280 --> 00:21:35,280
They're going to have to have a change in the way that they do their job.

272
00:21:35,280 --> 00:21:37,280
We're going to ask them to do some additional steps.

273
00:21:37,280 --> 00:21:40,280
There's going to be some changing processes that have to be adopted.

274
00:21:40,280 --> 00:21:46,280
And that has to be done in a, in a controlled manner as well to allow people to,

275
00:21:46,280 --> 00:21:48,280
to come along with it.

276
00:21:48,280 --> 00:21:51,280
Not only in just education, but just also in time to learn,

277
00:21:51,280 --> 00:21:56,280
because you don't want to impact your organization's profitability or ability to service

278
00:21:56,280 --> 00:21:58,280
their, your customers.

279
00:21:58,280 --> 00:22:03,280
So, you know, there's a lot of steps there, but the big question side of it is,

280
00:22:03,280 --> 00:22:05,280
I don't think you can afford not to do it.

281
00:22:05,280 --> 00:22:09,280
That's the kind of the general my view on it.

282
00:22:09,280 --> 00:22:10,280
Yeah.

283
00:22:10,280 --> 00:22:17,280
The, yeah, the two things that come to mind for myself is I think one of the challenges

284
00:22:17,280 --> 00:22:22,280
that a lot of these organizations face is that they're chasing annual budgets, right,

285
00:22:22,280 --> 00:22:24,280
is they say, what's my budget for this year?

286
00:22:24,280 --> 00:22:28,280
What's my, you know, and then as that year expires, they say, okay, in October,

287
00:22:28,280 --> 00:22:30,280
what am I going to spend in the following year?

288
00:22:30,280 --> 00:22:34,280
This is a multi-year initiative to implement.

289
00:22:34,280 --> 00:22:41,280
And so if you're, you know, if you are setting your sights on something and you're just changing

290
00:22:41,280 --> 00:22:47,280
direction annually, it's going to be very, very difficult to trudge forward efficiently

291
00:22:47,280 --> 00:22:49,280
in the straight line to the end goal.

292
00:22:49,280 --> 00:22:56,280
And so here at CIT, Kyle had visions, you know, five years ago to start implementing stuff like this.

293
00:22:56,280 --> 00:23:03,280
And then I'd say over the last two years has been 100% dedicated focus trying to make it a reality.

294
00:23:03,280 --> 00:23:10,280
And so that was a multi-year initiative that took a lot, a lot, a lot of time and effort.

295
00:23:10,280 --> 00:23:18,280
And then because Kyle had mentioned that it also is potentially impactful to your organization.

296
00:23:18,280 --> 00:23:24,280
One of the things you have to do is have a lot of empathy during this process is when your users say,

297
00:23:24,280 --> 00:23:26,280
this is so frustrating.

298
00:23:26,280 --> 00:23:28,280
I hate all these changes, right?

299
00:23:28,280 --> 00:23:31,280
Empathizing with them and say, yes, I know.

300
00:23:31,280 --> 00:23:35,280
But also trying to have that influence to start guiding them.

301
00:23:35,280 --> 00:23:36,280
Why? Right?

302
00:23:36,280 --> 00:23:38,280
Why do we do these types of things?

303
00:23:38,280 --> 00:23:40,280
How does it better protect us?

304
00:23:40,280 --> 00:23:41,280
Everything like that.

305
00:23:41,280 --> 00:23:47,280
So if one of our CIT employees is listening to this, I have one that I have always called my squeaky wheel.

306
00:23:47,280 --> 00:23:55,280
But he has now been self-proclaimed as the best beta tester we have because over years of influence,

307
00:23:55,280 --> 00:24:02,280
we've built a great relationship of saying, if I can get something implemented and you don't become that squeaky wheel,

308
00:24:02,280 --> 00:24:04,280
we know that we're successful.

309
00:24:04,280 --> 00:24:05,280
Right?

310
00:24:05,280 --> 00:24:06,280
That's awesome.

311
00:24:06,280 --> 00:24:07,280
I love it.

312
00:24:07,280 --> 00:24:11,280
To end out today, I'll kind of open it up to both of you if there's anything else you wanted to share.

313
00:24:11,280 --> 00:24:16,280
But my kind of last question is, we're talking about zero trust.

314
00:24:16,280 --> 00:24:26,280
It feels like such a big, you mentioned it being almost like a culture thing, a company culture and mindset.

315
00:24:26,280 --> 00:24:33,280
Is there ever a point in which you feel like you plateaued, not finished,

316
00:24:33,280 --> 00:24:35,280
because I think this is something maybe that's never done.

317
00:24:35,280 --> 00:24:40,280
But is there a point in where you feel like you've met a goal and you're just maintaining,

318
00:24:40,280 --> 00:24:43,280
or is this something where the goalpost is always moving?

319
00:24:43,280 --> 00:24:50,280
It'll always shift a little bit, but I do feel like you can get to a spot that actually does make a lot of sense.

320
00:24:50,280 --> 00:24:53,280
And you can start to sustain that.

321
00:24:53,280 --> 00:24:54,280
Right?

322
00:24:54,280 --> 00:25:04,280
So I'm not going to say that I'm 100% done because I still want to keep influencing Kyle for more money on our team's budget for fun tools.

323
00:25:04,280 --> 00:25:10,280
But no, here at CIT, we are getting to a very nice point of saying,

324
00:25:10,280 --> 00:25:17,280
I can validate the users, the devices, you know, essentially go completely passwordless so you can't be phished

325
00:25:17,280 --> 00:25:25,280
and reducing that major risk that tends to happen, or tends to be involved with almost every single type of data breach.

326
00:25:25,280 --> 00:25:29,280
And so there's a lot of really, really fun stuff you can do to get that point.

327
00:25:29,280 --> 00:25:38,280
And then once you get to that point, it's kind of fine tuning all these different tools and then fully utilizing the licensing that maybe you're paying for.

328
00:25:38,280 --> 00:25:43,280
And then at that point, you can maybe potentially take a look at new tools if needed.

329
00:25:43,280 --> 00:25:55,280
Yeah, I think that just given the very nature of technology and how quickly things change there, there is always a moving component to it where it's another Lego in the stack.

330
00:25:55,280 --> 00:25:57,280
You just continue to build on it.

331
00:25:57,280 --> 00:25:58,280
It doesn't.

332
00:25:58,280 --> 00:26:03,280
But you do reach a point where your maturity level is high.

333
00:26:03,280 --> 00:26:13,280
So you're, again, you're covering a high percent of those things and now you're just adapting to the shifts in the space and where things are going.

334
00:26:13,280 --> 00:26:23,280
You know, since it is a defensive stance, whatever is being done on the offensive side would dictate what we need to do on many things.

335
00:26:23,280 --> 00:26:26,280
Because again, that part seems to be changing at all times.

336
00:26:26,280 --> 00:26:34,280
And bringing in AI and machine learning and other things, there's a lot of things always in motion on that side of it, which you just always have to take into account.

337
00:26:34,280 --> 00:26:43,280
But I do feel like where we're at, and what made it a little too over the multiple-year side of it, we are very close to, you know, the high maturity side of rolling through.

338
00:26:43,280 --> 00:26:51,280
Where now we just, it's optimizations of that and continuing to build on to what we already have, which greatly helps.

339
00:26:51,280 --> 00:27:02,280
And the only last thing I'd say, when we talk about the multiple-year initiative side of it, is that the reason that is so helpful is that you reach business decisions you need to make over multi-year periods.

340
00:27:02,280 --> 00:27:11,280
We changed our, you know, our main accounting system that aligned with the strategic nature of what we wanted to do.

341
00:27:11,280 --> 00:27:19,280
You know, so you make other decisions that may not necessarily seem like they're related to zero trust at all, but they have to fit within that structure.

342
00:27:19,280 --> 00:27:29,280
And so when we looked at where we were going for our main accounting system, it had to work in that structure, which eliminated many vendors.

343
00:27:29,280 --> 00:27:39,280
You know, and that's true of everything: going through those things as we were rolling out new desktops, the desktops and how we deployed them were rolled out in the new methodology and new approach.

344
00:27:39,280 --> 00:27:50,280
But that allowed that again to be spread over a period of multiple years, but we were making the decisions with the end game in mind.

345
00:27:50,280 --> 00:27:59,280
So it wasn't just this, you know, you're not flipping a switch and trying to do the sledgehammer. It was a long term decision that we were able to weigh into the other decisions we made.

346
00:27:59,280 --> 00:28:11,280
And the one thing I'd say is, once you get to this really high level of maturity within your organization for cybersecurity, now it's holding others accountable to the same level of security.

347
00:28:11,280 --> 00:28:23,280
And so we see this from time to time, you know, a robust security solution has some type of data breach, and it's usually due to some type of third party that they, you know, use.

348
00:28:23,280 --> 00:28:41,280
And so it's having the robust vendor due diligence processes to ensure that they're doing what they can. But also, if you're granting them access to your network, again, taking the same zero trust approaches, can you limit the potential exposure in case that did come in?

349
00:28:41,280 --> 00:28:51,280
So I won't get too deep into it. I have a lot of different examples, but that's where the shift then focuses a little more externally.

350
00:28:51,280 --> 00:28:56,280
I think we can, you know, deep dive into this for a long time.

351
00:28:56,280 --> 00:29:02,280
Yeah, come join me on the soapbox series with Nate Schmidt.

352
00:29:02,280 --> 00:29:03,280
Yes, for sure.

353
00:29:03,280 --> 00:29:12,280
Thank you so much, Kyle and Nate for joining us today. Thank you all the audience who submitted these questions. This is really great. And I loved it.

354
00:29:12,280 --> 00:29:25,280
If you have a question or a podcast idea, you can reach out to us at info at CIT-net.com or head out to our website CIT-net.com slash podcast.

355
00:29:25,280 --> 00:29:44,280
And we'll be back next week with an all new back to CIT.

