1
00:00:00,000 --> 00:00:08,880
Welcome to today's CIT Tech for Business podcast. Today we are sitting down with Todd, Nate,

2
00:00:08,880 --> 00:00:14,420
and Ashley and we're going to be discussing Zero Trust Part 2. So if you guys are one

3
00:00:14,420 --> 00:00:20,720
of our lovely followers and listeners, we already discussed Zero Trust a while ago,

4
00:00:20,720 --> 00:00:24,880
but now we're going to bring in the Part 2. Before we get it kicked off, I always have

5
00:00:24,880 --> 00:00:32,480
to pose a question. So we all know all three of you are super passionate about cybersecurity,

6
00:00:32,480 --> 00:00:38,480
but tell me something else that you're passionate about outside of work. Todd, I'll kick it

7
00:00:38,480 --> 00:00:40,480
off to you first.

8
00:00:40,480 --> 00:00:45,420
Hello, I'm Todd Sorg. I was going to say good morning, but I have no idea what time of day

9
00:00:45,420 --> 00:00:51,080
it is that you'll be talking to us or listening to us. I am CIT's Chief Operations Officer.

10
00:00:51,080 --> 00:00:56,800
I am also the CISO. One other thing that I'm incredibly passionate about is music. Before

11
00:00:56,800 --> 00:01:02,200
I actually got into technology and cybersecurity, I thought I was going to be a rock star. So

12
00:01:02,200 --> 00:01:07,000
that is where my career actually started. Surprisingly, I'm not one. In case anybody

13
00:01:07,000 --> 00:01:09,760
is aware of me, I'm not a rock star.

14
00:01:09,760 --> 00:01:19,720
I guess I can go next. My name is Nate. I'm our Security Director at CIT. Something that

15
00:01:19,720 --> 00:01:26,240
I'm really passionate about is classic cars. I actually have two of them and love fixing

16
00:01:26,240 --> 00:01:31,800
them up, restoring them, bringing them into car shows. So actually in a car show this

17
00:01:31,800 --> 00:01:33,800
weekend too.

18
00:01:33,800 --> 00:01:45,480
I'm Ashley. I am a cybersecurity analyst here at CIT. I am super passionate about cooking,

19
00:01:45,480 --> 00:01:53,080
love trying new things, different types of food. Recently bought a 20 pound bag of dent

20
00:01:53,080 --> 00:01:59,400
corn to make homemade corn tortillas. So I really enjoy doing that kind of stuff.

21
00:01:59,400 --> 00:02:03,880
That's awesome. I've never done that yet.

22
00:02:03,880 --> 00:02:07,680
I'm learning a lot about you guys and I feel like I've worked with you for several years

23
00:02:07,680 --> 00:02:14,640
now. This is great. I did want to kind of get us kicked off of, you know, we talked

24
00:02:14,640 --> 00:02:19,080
about before the part one, but now we're at the part two of how do we get started with

25
00:02:19,080 --> 00:02:24,160
this? Tell me more. Let's dive into that for our listeners today.

26
00:02:24,160 --> 00:02:28,480
Awesome. Thank you. So before we go too far down the path, I just kind of wanted to do

27
00:02:28,480 --> 00:02:32,400
a real, real brief recap of what we talked about. It has been a little while since we

28
00:02:32,400 --> 00:02:37,200
did the last one. And one of the very first things that I kind of wanted to touch on was

29
00:02:37,200 --> 00:02:43,960
why do organizations care? And I'll let Nate and Ashley chip in anytime they want. But

30
00:02:43,960 --> 00:02:48,620
the biggest reason is the cybersecurity threat landscape just continues to evolve. It continues

31
00:02:48,620 --> 00:02:53,000
to grow. It just gets worse and worse. So you're seeing a lot more ransomware. And one

32
00:02:53,000 --> 00:02:57,240
of the other things that's been a major player in why people care is you're seeing a big

33
00:02:57,240 --> 00:03:01,820
uptick in having Internet of Things on networks. And more importantly, you're seeing a lot

34
00:03:01,820 --> 00:03:07,720
of people at home, which also introduces a lot more of Internet of Things. Expanding

35
00:03:07,720 --> 00:03:14,360
the quote unquote edge of the network has now gone from the traditional building slash

36
00:03:14,360 --> 00:03:19,520
castle, if you will, to a more spread out workforce. And I think that's probably the

37
00:03:19,520 --> 00:03:24,840
next biggest reason. And then we've talked about some of the other stuff from the previous

38
00:03:24,840 --> 00:03:30,800
one is what is zero trust? And zero trust was really it's not trusting anybody. The

39
00:03:30,800 --> 00:03:35,440
traditional castle mentality was if you're inside the walls of the building, we trust

40
00:03:35,440 --> 00:03:40,400
you, you can connect to our systems and anything else. And now it's really more of a it's no

41
00:03:40,400 --> 00:03:45,520
longer a trust but verify it's we don't trust anything anytime anyway. So that's the whole

42
00:03:45,520 --> 00:03:51,040
point of going nothing secure. There's no reason to assume that it is. Let's start there.

43
00:03:51,040 --> 00:03:56,640
A couple other little things. It is not as simple as a single tool. You can't just go,

44
00:03:56,640 --> 00:04:01,720
hey, I bought this thing off the shelf, put it in. Off we go. It's not as simple as turning

45
00:04:01,720 --> 00:04:08,160
on multifactor. It's a lot more complex than that. So I'll pause there and I'll let Ashley

46
00:04:08,160 --> 00:04:12,160
and Nate kick in anything else that they'd like to add to that recap.

47
00:04:12,160 --> 00:04:17,960
Yeah, I guess the one thing that really comes to mind, and I don't remember if we use this

48
00:04:17,960 --> 00:04:26,080
language in the first podcast, but I think zero trust and again, I'm not a huge fan of

49
00:04:26,080 --> 00:04:33,200
the language because it's such a buzzword today. But zero trust overall, if I could

50
00:04:33,200 --> 00:04:37,640
condense it down to a single thing is it's a culture, it's a mentality, it's not the

51
00:04:37,640 --> 00:04:44,040
tools that you put in place. It should even be ingrained in the processes that you take

52
00:04:44,040 --> 00:04:50,680
in order to do the job. So if that's the way I could condense it, that's probably the best

53
00:04:50,680 --> 00:04:51,680
way I could phrase that.

54
00:04:51,680 --> 00:04:58,120
Yeah, and it's definitely more of not really like a one and done, you know, we've implemented

55
00:04:58,120 --> 00:05:05,320
zero trust, it's got to be something that's you're evolving over time and adapting to

56
00:05:05,320 --> 00:05:12,440
new security threats, adapting with new technology, things like that. So it's not something that

57
00:05:12,440 --> 00:05:17,080
you're going to implement once and then you're done.

58
00:05:17,080 --> 00:05:25,100
I think the last thing that I was going to add to that potentially is Todd mentioned

59
00:05:25,100 --> 00:05:30,600
just now that there's the sprawling edge, and we'll get into a little bit of the topics

60
00:05:30,600 --> 00:05:37,560
of different components to try and focus on to actually help lock things down or secure

61
00:05:37,560 --> 00:05:43,860
things. But, you know, I know we talked a little bit about the users, but it's going

62
00:05:43,860 --> 00:05:48,440
to go beyond that and to actually the data, your vendors, all this kind of stuff. And

63
00:05:48,440 --> 00:05:56,160
so there's a saying from our CEO that he says all the time is IT these days takes a village

64
00:05:56,160 --> 00:06:02,360
to do it properly. This shouldn't just be the one item for that one individual, maybe

65
00:06:02,360 --> 00:06:08,200
the help desk person, net admin, security admin. It's a joint effort for the entire

66
00:06:08,200 --> 00:06:12,120
organization. So everyone has their different specialties.

67
00:06:12,120 --> 00:06:20,240
Yeah, what I was going to add on to that was we've kind of preempted all of this conversation

68
00:06:20,240 --> 00:06:25,000
of culture and it's a village and so on and so forth. So you can obviously tell that this

69
00:06:25,000 --> 00:06:29,680
is not a simple process. You don't just buy something off the shelf, implement it, off

70
00:06:29,680 --> 00:06:35,760
you go. So long story short with this, really what we're talking about is here it comes.

71
00:06:35,760 --> 00:06:40,480
It's a journey. So the question today is how do you even get started? And it's a great

72
00:06:40,480 --> 00:06:45,480
question. We're going to dig into it. We're not going to get super, super granular, but

73
00:06:45,480 --> 00:06:48,640
we are going to kind of dig into this a little bit. One of the first things that we did as

74
00:06:48,640 --> 00:06:53,320
we were talking about what we were going to cover today is just what does that look like?

75
00:06:53,320 --> 00:06:57,200
And one of the things that we wanted to cover in particular is we would suggest that as

76
00:06:57,200 --> 00:07:02,520
it was preempted preemptively set is this is a big deal. So this should be treated like

77
00:07:02,520 --> 00:07:08,560
it is a full blown entire organization project. And what does that mean? That means you bring

78
00:07:08,560 --> 00:07:13,200
in all the tenets of project management. That means you get your core implementation team

79
00:07:13,200 --> 00:07:16,440
in place, although you probably need to start much sooner than that, right? You needed to

80
00:07:16,440 --> 00:07:21,040
find what is the scope? So you got to bring in that visionary group and you got to get

81
00:07:21,040 --> 00:07:26,120
your buy in from your leadership team and so forth. That's where I would start. Again,

82
00:07:26,120 --> 00:07:35,960
I'll pause and let Ashley and Nate jump in as to what that kind of looks like.

83
00:07:35,960 --> 00:07:42,600
The I guess Ashley, feel free to chime in afterwards with some of the maybe the work

84
00:07:42,600 --> 00:07:50,080
that you've been doing with CIT over the last couple of years. But in terms of the big project,

85
00:07:50,080 --> 00:07:56,080
this has been a multi-year effort even for CIT. We've been talking about zero trust

86
00:07:56,080 --> 00:08:06,280
or that concept and culture that we want to adhere to is I remember talking about this

87
00:08:06,280 --> 00:08:12,280
back in 2018, 2019. We're still not 100% there. So we don't claim to be perfect at this by

88
00:08:12,280 --> 00:08:18,120
any means. But again, that's the like Ashley mentioned that the constant reinventing yourself

89
00:08:18,120 --> 00:08:24,720
and reinventing the processes. So what that looks like, I say at least a three to five

90
00:08:24,720 --> 00:08:31,960
year plan on how you want to roll this out. And then also the budgeting to you know, your

91
00:08:31,960 --> 00:08:36,920
employees are going to have time that they're not working on other projects. So how do you

92
00:08:36,920 --> 00:08:41,920
incorporate that? There is a cost to it as well. So Ashley, anything else you wanted

93
00:08:41,920 --> 00:08:42,920
to chime in?

94
00:08:42,920 --> 00:08:50,680
Yeah, I mean, you definitely need to consider before I mean, deploying anything that affects

95
00:08:50,680 --> 00:08:57,560
users, what that user implementation is going to be like. A lot of times when I do these

96
00:08:57,560 --> 00:09:06,880
types of projects, we're rolling something out like an identity access management solution.

97
00:09:06,880 --> 00:09:14,200
A good chunk of it is just getting the user sort of invested in what they're doing and

98
00:09:14,200 --> 00:09:20,160
understanding why it is that they're being asked to do these things. And then just kind

99
00:09:20,160 --> 00:09:25,880
of teaching them about the technology and helping them understand how it works and making

100
00:09:25,880 --> 00:09:31,560
sure that they don't have any issues using it and then sort of going from there and you

101
00:09:31,560 --> 00:09:36,960
know, people get used to things but making sure you have that plan in place prior to

102
00:09:36,960 --> 00:09:46,360
doing those types of rollouts that you got understanding from users and that they understand

103
00:09:46,360 --> 00:09:51,280
why this is being done. You're always going to get pushback from people because the

104
00:09:51,280 --> 00:09:58,880
change is hard. But having some type of plan in place to sort of ease that transition with

105
00:09:58,880 --> 00:09:59,880
users.

106
00:09:59,880 --> 00:10:06,320
Yeah, I guess as you're talking about some of that and also you mentioned, you know,

107
00:10:06,320 --> 00:10:12,200
identity and I know identity and I think we talked about this in the first podcast is

108
00:10:12,200 --> 00:10:15,440
that's one of the main steps, right? Just because people are typically the ones that

109
00:10:15,440 --> 00:10:23,320
you're going to trust the least. At the risk of doing acronym soup and maybe Ashley, I'll

110
00:10:23,320 --> 00:10:29,640
have you call off a little bit of the different services that organizations should think about.

111
00:10:29,640 --> 00:10:33,960
So you know, we talked about, hey, you should think about the products or the solutions

112
00:10:33,960 --> 00:10:40,080
that you want to put in place to actually lock a lot of the stuff down. And I guess

113
00:10:40,080 --> 00:10:45,000
before Ashley does her alphabet soup and Todd and I maybe try and pick up a few extra letters

114
00:10:45,000 --> 00:10:51,920
is, you want to think long term about this. So there are solutions. So if you're talking

115
00:10:51,920 --> 00:10:56,700
about multifactor, you can put a multifactor solution in place. You don't want to rip it

116
00:10:56,700 --> 00:11:00,840
out down the road because it didn't fit with something. You should think long term of what

117
00:11:00,840 --> 00:11:06,520
the strategy is. So yeah, actually, if you want to maybe call up some of the different

118
00:11:06,520 --> 00:11:12,280
like solutions, not necessarily products, but the solutions that organizations should

119
00:11:12,280 --> 00:11:19,720
start considering before they start off with some of these different initiatives.

120
00:11:19,720 --> 00:11:28,280
Sure. Can I interrupt real quick? Oh, sure. So, so well, the reason why I wanted to is

121
00:11:28,280 --> 00:11:30,640
because you guys brought up a lot of really good things. And I thought maybe this will

122
00:11:30,640 --> 00:11:34,360
help with organizations as they're trying to think about this and put it into context.

123
00:11:34,360 --> 00:11:39,200
So when we did this for CIT, the first thing we did is we sat down and said, what does

124
00:11:39,200 --> 00:11:44,000
this look like for us long term? Okay, so that's really broad. But we looked at the

125
00:11:44,000 --> 00:11:48,240
architecture of our company and said, traditionally, we were that organization that had a lot of

126
00:11:48,240 --> 00:11:52,440
servers on premise, and we had some of them in a colocation. And the question is, does

127
00:11:52,440 --> 00:11:56,280
it continue to be that? And the answer has been no, we've continued to move to cloud

128
00:11:56,280 --> 00:12:01,200
apps and so on and so forth. So as we're looking at that context and saying, our people are

129
00:12:01,200 --> 00:12:05,960
remote, our content, all of our content is in the cloud, the traditional tools that we

130
00:12:05,960 --> 00:12:10,040
may have had in place may not actually be appropriate. And we'll get we'll get into

131
00:12:10,040 --> 00:12:14,440
this VPN, oops, I was gonna say we'll get into the alphabet soup, which is VPN and so

132
00:12:14,440 --> 00:12:21,260
on. But but what that looked like for us is, okay, so if we're looking at multifactor,

133
00:12:21,260 --> 00:12:28,360
is it as simple as x tool or y tool? Or does that tool actually meet what our long term

134
00:12:28,360 --> 00:12:34,560
goal is? And then again, Ashley and Nate brought up excellent comments of, as we're going through

135
00:12:34,560 --> 00:12:38,800
this, this constant communication, the seven times seven ways of just making sure that

136
00:12:38,800 --> 00:12:43,120
we're constantly updating and giving people the context of what are we doing? And why

137
00:12:43,120 --> 00:12:47,880
are we doing this is something that's very important. So sorry, I interrupted, but I

138
00:12:47,880 --> 00:12:52,440
just wanted to make sure people understood that for us, that's how that process began.

139
00:12:52,440 --> 00:12:57,040
And as we were looking at our multifactors, we were starting to go, what does our identity

140
00:12:57,040 --> 00:13:02,000
look like long term? Is it active directory? Is it something else? So I'll be quiet and

141
00:13:02,000 --> 00:13:06,400
go ahead. You can go ahead, Ashley. Yeah, I mean, I totally agree with that. Like, it

142
00:13:06,400 --> 00:13:13,240
doesn't really make sense to implement a product that is more meant to be used for on premise

143
00:13:13,240 --> 00:13:20,760
applications when five years from now, your plan is to be solely in the cloud. So, you

144
00:13:20,760 --> 00:13:27,760
know, wanting to plan out where, where you want to be in over a certain number of years,

145
00:13:27,760 --> 00:13:34,000
making sure that the tools and products that you're looking at that you're implementing

146
00:13:34,000 --> 00:13:38,620
fit that plan. Because yeah, you don't want to spend a lot of time and effort into rolling

147
00:13:38,620 --> 00:13:43,440
something out only to essentially have to rip it out a short time later because you've

148
00:13:43,440 --> 00:13:50,000
decided, you know, going forward, we're going to go solely cloud and now I'm using a product

149
00:13:50,000 --> 00:13:57,640
that's really meant more for on premise functionality. So, but when we're talking about, you know,

150
00:13:57,640 --> 00:14:11,400
tools, products, different types of technology. In the last podcast, we kind of talked about,

151
00:14:11,400 --> 00:14:18,240
you know, once you implement identity and access management, which can be a whole podcast

152
00:14:18,240 --> 00:14:25,240
in and of itself, that's a whole big thing. You really start moving into more of the context

153
00:14:25,240 --> 00:14:34,360
based analysis. So, looking at various different signals that you're collecting via various

154
00:14:34,360 --> 00:14:44,720
tools, some which cover multiple sections of that sort of context space that we kind

155
00:14:44,720 --> 00:14:49,840
of went through, I think it was user context, application context, device context, location

156
00:14:49,840 --> 00:14:58,840
context, network context. So, implementing tools, here's the alphabet soup. So, like

157
00:14:58,840 --> 00:15:10,240
a CASB or a SASE in terms of network context. So, any type of ZTNA, zero trust network access,

158
00:15:10,240 --> 00:15:24,640
MDM solution. So, for device context, where we're looking at and deploying different applications,

159
00:15:24,640 --> 00:15:33,200
software to devices using an MDM solution, like Jamf, like Intune, things like that.

160
00:15:33,200 --> 00:15:40,560
So obviously, you're looking at a lot of different tools that are going to be, some which cover

161
00:15:40,560 --> 00:15:47,400
a wide range of those contexts, but some which are kind of niche and are specific to certain

162
00:15:47,400 --> 00:15:56,240
types of data that you may be wanting to pull in. You know, tools like an EDR solution,

163
00:15:56,240 --> 00:16:02,960
a SIEM solution, pulling in some of that more of that risk based information. That's going

164
00:16:02,960 --> 00:16:09,000
to be sort of a step beyond the context based analysis where we're doing more risk based

165
00:16:09,000 --> 00:16:18,720
analysis, looking at some of the ongoing risk of that, of those authentication sessions,

166
00:16:18,720 --> 00:16:24,720
you know, making sure that a device isn't jailbroken, and just continuing to analyze

167
00:16:24,720 --> 00:16:30,760
that risk data even after someone has authenticated and making sure that we're not just saying,

168
00:16:30,760 --> 00:16:36,040
okay, you've authenticated, you're good, we're now going to leave you alone. We're continuing

169
00:16:36,040 --> 00:16:42,680
to look at that information. So if something changes, we can say, hey, this is different

170
00:16:42,680 --> 00:16:50,560
now, this is not good, we're going to tell you that you're cut off from your connection.

171
00:16:50,560 --> 00:16:59,400
So lots of various different tools that can be used for that context based analysis and

172
00:16:59,400 --> 00:17:03,000
also for that more risk based analysis.

173
00:17:03,000 --> 00:17:13,200
I'm gonna let Ashley get a drink of water there. Yeah. So I'm gonna quick pick up a

174
00:17:13,200 --> 00:17:17,960
couple extra letters again on the alphabet soup. I know there's a couple floating. I

175
00:17:17,960 --> 00:17:21,220
internally we joke that there's going to be a whole podcast where I read acronyms for

176
00:17:21,220 --> 00:17:29,920
half hour. So maybe keep in tune on April fools or something like that. But quick other

177
00:17:29,920 --> 00:17:34,000
things and then I'm going to kind of condense that down a little bit further and say, here's

178
00:17:34,000 --> 00:17:38,240
the areas where people tend to go wrong of they implement the wrong solution. And it's

179
00:17:38,240 --> 00:17:46,000
a lot of work to redo. So some of the acronyms that I don't believe Ashley mentioned, a

180
00:17:46,000 --> 00:17:53,520
system collects logs, the some type of application whitelisting tool, a web app firewall or WAF,

181
00:17:53,520 --> 00:18:00,360
vulnerability scanners, network access control, mobile application management, privileged identity

182
00:18:00,360 --> 00:18:05,300
management, privileged access management, data classification policies. There's a lot of

183
00:18:05,300 --> 00:18:14,440
other tools out there that you can bring into the collective strategy. However, I'd say

184
00:18:14,440 --> 00:18:20,080
the ones that most people go wrong on and have to rip it all out is identity and access

185
00:18:20,080 --> 00:18:24,640
management, which we're going to get to of that's why that's our number one recommendation

186
00:18:24,640 --> 00:18:32,200
to start with. And mobile device management and how you actually control your assets within

187
00:18:32,200 --> 00:18:39,320
the environment. With you have some type of mobile device management solution. It doesn't

188
00:18:39,320 --> 00:18:45,360
matter if you're going on prem or on more of a SaaS solution, you can still implement

189
00:18:45,360 --> 00:18:50,360
zero trust. It's just different tool sets. So just from the MDM standpoint, I'm going

190
00:18:50,360 --> 00:18:55,780
to throw out a couple names just because they are widely known. MDT, SCCM for the more on

191
00:18:55,780 --> 00:19:03,160
prem, Intune, Jamf, like Ashley mentioned, you really do not want to have to redo how

192
00:19:03,160 --> 00:19:07,600
you manage all your devices and push it out. That is a ton of work. Most of the other ones

193
00:19:07,600 --> 00:19:12,680
you can rip out pretty easily. But identity access management, mobile device management,

194
00:19:12,680 --> 00:19:21,640
you need to get right off the bat. So I guess the last thing that I had and maybe I'll turn

195
00:19:21,640 --> 00:19:29,480
it over to Todd for some comments before we move on is there's a lot of stuff here, you

196
00:19:29,480 --> 00:19:34,440
know, again, that we can't stress that enough. But there's a couple frameworks that you can

197
00:19:34,440 --> 00:19:38,880
at least start with. So if you don't know where to start, use something that already

198
00:19:38,880 --> 00:19:45,040
exists, right? Don't have to, you don't reinvent the wheel. So Todd, Ashley, I don't know if

199
00:19:45,040 --> 00:19:48,720
there's anything else that you had. But, Tara?

200
00:19:48,720 --> 00:19:54,960
I would say one thing that's kind of good to know is there are, like I sort of alluded

201
00:19:54,960 --> 00:20:02,720
to, I guess a little bit. But there are certainly tools that you can implement that cover a

202
00:20:02,720 --> 00:20:09,680
wide range of things. So even like an identity access management solution that then can provide

203
00:20:09,680 --> 00:20:17,160
certain types of context-based analysis. So when you're looking at certain tools, just

204
00:20:17,160 --> 00:20:25,920
kind of being able to go through and determine, okay, what context-based abilities does this

205
00:20:25,920 --> 00:20:34,400
tool provide me in addition to certain identity access management tools as well? So it's kind

206
00:20:34,400 --> 00:20:41,280
of nice to look at some of those tools that are more wide ranging and overlapping. So

207
00:20:41,280 --> 00:20:46,840
you're not having to deploy tool after tool after tool after tool. They're very specific

208
00:20:46,840 --> 00:20:50,720
to their little niche.

209
00:20:50,720 --> 00:20:58,200
So one of the things that I kind of wanted to touch on is we covered a ton of ground

210
00:20:58,200 --> 00:21:02,400
there. And I actually love the idea of the acronym thing. At first I was kind of like,

211
00:21:02,400 --> 00:21:05,880
I'm not really sure. But now I'm thinking if we put in a little ding and then had a

212
00:21:05,880 --> 00:21:10,320
definition for each acronym we threw out there, I think it would be fantastic. So we'll pause

213
00:21:10,320 --> 00:21:15,200
the video every time we've got an acronym we slipped in. Circling back to a couple of

214
00:21:15,200 --> 00:21:18,880
the things that we did is because there was so much there when we talked about putting

215
00:21:18,880 --> 00:21:22,360
together the scope of where do you go and where do you find out where we're coming from.

216
00:21:22,360 --> 00:21:26,440
Ultimately what we're talking about is trust. What do you trust? Who do you trust? When

217
00:21:26,440 --> 00:21:32,960
do you do so? So some of the core takeaways are we jumbled it up a little bit. In my opinion,

218
00:21:32,960 --> 00:21:35,500
one of the very first things you need to do is you need to figure out what your asset

219
00:21:35,500 --> 00:21:41,040
management is. And more often than not, that's your Jamf, your SCCM, WSUS. A lot of other

220
00:21:41,040 --> 00:21:45,640
partners may use a tool like an automate that comes from an MSP or something like that.

221
00:21:45,640 --> 00:21:49,580
That's the core of what are the things that are on my network? What are the things that

222
00:21:49,580 --> 00:21:54,520
are connecting to my systems? And then ultimately, like we said, it's almost all identity. How

223
00:21:54,520 --> 00:21:59,320
do I identify that? How do I assure that it is the person that they said they are and

224
00:21:59,320 --> 00:22:04,440
how do we move forward from there? And then the last piece, so that's kind of why we talked

225
00:22:04,440 --> 00:22:08,840
about it in that order where we're like identity is number one for us is if you can't identify

226
00:22:08,840 --> 00:22:12,920
who the person is, what the device is and where it's connecting from, you can't implicitly

227
00:22:12,920 --> 00:22:17,520
trust it. And if you can't trust it, it shouldn't be on your network. You kind of have to start

228
00:22:17,520 --> 00:22:22,740
there. But as you're going through this process, again, doing those tenets of project management,

229
00:22:22,740 --> 00:22:27,340
you should always have that component of life cycle. And it's right. So you get a portion

230
00:22:27,340 --> 00:22:31,920
of the way of the implementation and identity and access management as Ashley alluded to

231
00:22:31,920 --> 00:22:36,140
is it's going to be another podcast. It's just too big to not be. But there's components

232
00:22:36,140 --> 00:22:40,480
of it where you say, how do I do this one piece? You implement that piece, you pause

233
00:22:40,480 --> 00:22:45,820
and go, okay, what's changed? Has the world changed? Has security changed? Are threats

234
00:22:45,820 --> 00:22:50,120
different than they were before? What do we now know that we didn't when we started this

235
00:22:50,120 --> 00:22:54,000
process? So that whole life cycle is something we absolutely want to keep in mind as we go

236
00:22:54,000 --> 00:22:59,280
through this. I do have a question that I kind of want to throw out there for the group

237
00:22:59,280 --> 00:23:03,520
too. But I think Tara had a comment. So I'll wait for that comment first. And then I'll

238
00:23:03,520 --> 00:23:06,080
circle back with my my super great question.

239
00:23:06,080 --> 00:23:14,080
Well, I have a super great question too. But I think but just as my question, I'm like

240
00:23:14,080 --> 00:23:20,720
over here, okay, I'm eating the acronym soup, I got it. But a lot of times I think, too, cybersecurity

241
00:23:20,720 --> 00:23:24,720
can be overwhelming. Because you guys went through all these acronyms, you're like, hey,

242
00:23:24,720 --> 00:23:30,400
there's a lot of frameworks to follow. But if I start with one, you know, of the frameworks,

243
00:23:30,400 --> 00:23:35,680
is that going to be enough? Because we talk about it's ever changing. So if I do that,

244
00:23:35,680 --> 00:23:41,160
then where do I go next? And you know, kind of the logical step and, you know, talk to

245
00:23:41,160 --> 00:23:46,160
me about CIT at work. And they, you know, come into play to help me because if I'm,

246
00:23:46,160 --> 00:23:50,720
you know, one of a potential customers, and I'm, you know, overseeing IT, and I know I

247
00:23:50,720 --> 00:23:55,200
need to get these implemented, but how can you guys help me get through all this? Because

248
00:23:55,200 --> 00:24:00,480
I'm like, all right, which acronym do I need to check off the list to make sure I'm adhering

249
00:24:00,480 --> 00:24:01,480
to all of that?

250
00:24:01,480 --> 00:24:11,640
Yeah, right off the bat, I'm going to call out NIST. NIST is government sector, they

251
00:24:11,640 --> 00:24:17,000
provide framework after framework after framework. Basically, no matter what you're looking for,

252
00:24:17,000 --> 00:24:24,760
there's a framework for it. That's the entire intent of it. So CIT, we tend to tell people

253
00:24:24,760 --> 00:24:30,800
if you don't have any type of compliance that you are mandated to follow, go look at NIST.

254
00:24:30,800 --> 00:24:36,200
It applies to everyone. It's intended to apply to everyone. There are other ones out there.

255
00:24:36,200 --> 00:24:41,400
However, what you'll find is security is security. It doesn't matter if you're in healthcare,

256
00:24:41,400 --> 00:24:50,120
finance, manufacturing, technology, retail, you still got to do the same stuff. And so

257
00:24:50,120 --> 00:24:55,760
there are different frameworks out there, but they all do tie to the same concepts.

258
00:24:55,760 --> 00:25:02,280
And then the reason why I also call out NIST is they do revisions to it over time as well.

259
00:25:02,280 --> 00:25:08,000
So if you are talking about the long term strategy, you need to stay up to date on it.

260
00:25:08,000 --> 00:25:12,480
Great, there's a revision one, there's a revision two, there's a revision three. You don't need

261
00:25:12,480 --> 00:25:17,560
to reinvent it every single time. Now you can cross reference things to say, well, this

262
00:25:17,560 --> 00:25:22,040
one I like how they phrase that. Maybe let's pull in components of it, but it's the same

263
00:25:22,040 --> 00:25:28,200
data at the end of the day that you're trying to protect. So a couple of frameworks. I would

264
00:25:28,200 --> 00:25:33,920
say if you had to start with one at all, and maybe Ashley has some other ones that she

265
00:25:33,920 --> 00:25:40,320
has preferences on, but NIST Zero Trust architecture tenets, that's one of the big ones. There's

266
00:25:40,320 --> 00:25:47,600
a CISA, that's another government sector. There's a whole executive mandate. I believe

267
00:25:47,600 --> 00:25:52,400
that was, gosh, now October or something like last year where the federal government is

268
00:25:52,400 --> 00:25:57,560
adopting Zero Trust. There's Forrester's ZTX framework pillars. But again, at the end of

269
00:25:57,560 --> 00:26:02,960
the day, just start with NIST and you got to start somewhere.

270
00:26:02,960 --> 00:26:09,820
Yeah, CISA one is the one that I feel like is well laid out, but like the name, the word

271
00:26:09,820 --> 00:26:16,440
framework suggests, it's not so specific that it's constantly needing to be updated. It's

272
00:26:16,440 --> 00:26:26,000
written broadly enough so it can be used as sort of a, I guess, a map for all types of

273
00:26:26,000 --> 00:26:32,840
different organizations. So it's not so specific that it needs to be updated every other week.

274
00:26:32,840 --> 00:26:39,440
So yeah, I'm going to circle back to Tara's question and I just want to say, excellent

275
00:26:39,440 --> 00:26:44,240
question. It's a great one, right? If you go through this process, we've talked for

276
00:26:44,240 --> 00:26:50,160
almost a half an hour already and I feel like we've hardly scratched the surface. So obviously

277
00:26:50,160 --> 00:26:55,880
it's a complicated conversation. It's not easy to figure out what, where, how, etc.,

278
00:26:55,880 --> 00:26:59,540
etc. And so when you're asking stuff like that, one of the things I was going to say

279
00:26:59,540 --> 00:27:02,960
at some point too is you're not in it alone. There are people that have gone through this

280
00:27:02,960 --> 00:27:07,160
process before. There's people that are going through it now and there are organizations

281
00:27:07,160 --> 00:27:11,640
out there or coworkers or friends that are more than happy to help you through the process.

282
00:27:11,640 --> 00:27:18,520
So there are plenty of resources available. As Nate and Ashley mentioned, NIST, CISA,

283
00:27:18,520 --> 00:27:22,640
we're using the United States government as kind of our core of this is where we pull

284
00:27:22,640 --> 00:27:27,240
our information is. But the reality is, is most industries are doing more or less the

285
00:27:27,240 --> 00:27:31,560
same thing. Anyway, summary of the story is there's plenty of help out there and there's

286
00:27:31,560 --> 00:27:37,140
plenty of people that can help you with it as well. Kind of answering my own question,

287
00:27:37,140 --> 00:27:42,240
the one that I had hanging out there was as this continues to change and it's really tailing

288
00:27:42,240 --> 00:27:48,280
off of what Tara said was things are changing so quickly. Security is changing. The tools

289
00:27:48,280 --> 00:27:53,760
are changing. So for example, Ashley threw out SASE, which is S-A-S-E. And now they're

290
00:27:53,760 --> 00:27:58,520
actually starting to change the acronym on that too is how do you keep up with that?

291
00:27:58,520 --> 00:28:02,420
And what happens when you start to see a convergence of tools? If you're looking at the market

292
00:28:02,420 --> 00:28:07,760
and cybersecurity, you're seeing acquisitions happen. There are vendors out there that say

293
00:28:07,760 --> 00:28:12,360
traditionally I'll use an example of they used to be SD-WAN in case anybody doesn't

294
00:28:12,360 --> 00:28:18,000
know what that is. That was software-defined wireless, I'm sorry, wide area network. So

295
00:28:18,000 --> 00:28:22,720
that was how do I connect my multiple sites without using the traditional infrastructure

296
00:28:22,720 --> 00:28:27,120
that was there? Those organizations are starting to gobble up bits and pieces and they're starting

297
00:28:27,120 --> 00:28:31,920
to put in the CASB, which is your cloud brokers and so on and so forth. And they're trying

298
00:28:31,920 --> 00:28:37,040
to say my network is secure, I'll manage it. And the question I had for the group is what

299
00:28:37,040 --> 00:28:41,440
do you do when this is changing so rapidly? How do you know you've picked the right tool

300
00:28:41,440 --> 00:28:44,120
and how do you keep up with it?

301
00:28:44,120 --> 00:28:54,200
It's a great question. And I really hate this question because it's going to play into one

302
00:28:54,200 --> 00:29:00,240
of those things where we said try and pick tools that fit this long-term solution. At

303
00:29:00,240 --> 00:29:08,040
the end of the day, you can't foresee where some of these companies are going. But there

304
00:29:08,040 --> 00:29:13,640
may be a possibility that you rip a tool out. Even at CIT, we've done that. I think this

305
00:29:13,640 --> 00:29:19,480
is there's a couple jokes at CIT internally. We've gone through I think four different

306
00:29:19,480 --> 00:29:24,920
password managers and three different multifactor solutions. And not necessarily the last couple

307
00:29:24,920 --> 00:29:31,240
years. But historically, we've cycled through things. Now we've been on longer term solutions

308
00:29:31,240 --> 00:29:38,600
because we've had quite a bit more forethought into the strategy, into where we're going

309
00:29:38,600 --> 00:29:48,040
over the last couple years. But yes, you may rip out a tool, unfortunately. It's just one

310
00:29:48,040 --> 00:29:54,400
of those ones where if the strategy has changed, you need to be able to shift to keep up with

311
00:29:54,400 --> 00:29:59,960
the strategy. If a vendor is falling behind and not meeting what your strategy looks like,

312
00:29:59,960 --> 00:30:05,000
that's not the vendor for you because it's only going to slow you down. So I'm not an

313
00:30:05,000 --> 00:30:09,680
advocate of just rip and replace all the time, but it will happen at the same time.

314
00:30:09,680 --> 00:30:15,400
Sometimes it can be helpful to just take a look at the types of technology that certain

315
00:30:15,400 --> 00:30:21,000
tools are using. You've seen a particular technology that something is using has been

316
00:30:21,000 --> 00:30:29,320
around for 20 years and now slowly a new type of technology is replacing it. You can kind

317
00:30:29,320 --> 00:30:35,640
of see the writing on the wall that, okay, well maybe down the road this is not, you

318
00:30:35,640 --> 00:30:39,720
know, this 20 year old technology is probably not something that's going to stick around

319
00:30:39,720 --> 00:30:46,560
forever. And so being able to sort of take a look at some of those tools and obviously

320
00:30:46,560 --> 00:30:50,680
see how they fit in with what your plan is, but then taking a look at those technologies

321
00:30:50,680 --> 00:30:56,200
and seeing, okay, in 10 years is this still going to be viable?

322
00:30:56,200 --> 00:31:02,480
Yeah, so to wrap that up, just my feedback on it as well is I agree with everything that

323
00:31:02,480 --> 00:31:08,560
both Ashley and Nate said is the reality is as tools do change, threats change. For example,

324
00:31:08,560 --> 00:31:12,960
a couple years ago everybody was like, antivirus is gold. I don't have to worry about it. It's

325
00:31:12,960 --> 00:31:17,040
not anymore. It just isn't. So that's kind of the way things are. So how do you address

326
00:31:17,040 --> 00:31:21,720
it? I kind of mentioned it before. One of them is you keep doing that refresh of where

327
00:31:21,720 --> 00:31:25,760
are we at today? How did that go? What did we learn that we didn't know a couple days,

328
00:31:25,760 --> 00:31:30,680
couple months ago? That process of keep looking back and revisiting is a way to go. And then

329
00:31:30,680 --> 00:31:36,040
also lean on the partners that you have or your friends and everybody else. It does matter.

330
00:31:36,040 --> 00:31:40,160
So like Nate said, I mean, there's some things where we're like, well, this is the best tool

331
00:31:40,160 --> 00:31:44,160
out there and you kind of shift and move as the world changes. But a lot of times they're

332
00:31:44,160 --> 00:31:48,960
not long agreements or they're not long-term investments. So just doing the best you can,

333
00:31:48,960 --> 00:31:52,760
doing the research, finding the resources around you that help you make that. What is

334
00:31:52,760 --> 00:31:56,680
the vision? What is the strategic objective and connecting the dots for you is great too.

335
00:31:56,680 --> 00:32:01,120
Which hey, by the way, we've got podcasts for that too.

336
00:32:01,120 --> 00:32:08,040
I guess I had one final thing just riding off of Todd. And I think the most important

337
00:32:08,040 --> 00:32:15,080
thing from my takeaway as Todd was talking is collaboration, talking to the peers, talking

338
00:32:15,080 --> 00:32:23,160
to others in the industry. It's no surprise. CIT, we are a MSP. We have competitors. I

339
00:32:23,160 --> 00:32:28,000
talk to other MSPs all the time about the security stacks that they have, what they're

340
00:32:28,000 --> 00:32:35,760
doing, evaluating the competition, not necessarily even from a sales perspective, but just the,

341
00:32:35,760 --> 00:32:41,600
how are we all staying secure together? Because, and we've seen this over and over and over

342
00:32:41,600 --> 00:32:49,680
in the past is when one company gets compromised, it builds distrust against that entire industry

343
00:32:49,680 --> 00:32:57,880
experience. If they had their hack, now the Equifax and all those other ones, Transamerica,

344
00:32:57,880 --> 00:33:04,920
there's a stain on the industry. So as long as we're working together to collaboratively

345
00:33:04,920 --> 00:33:10,960
start security posture over time, that's only a benefit for everyone. So putting a little

346
00:33:10,960 --> 00:33:16,440
bit of pride aside as well and just saying, yes, we're going to work together because

347
00:33:16,440 --> 00:33:18,440
we all benefit together.

348
00:33:18,440 --> 00:33:31,720
Great. I was just going to say, Nate makes a good point about collaboration, understanding

349
00:33:31,720 --> 00:33:41,200
that we can't know, security is a very complicated thing. There are tons of different domains,

350
00:33:41,200 --> 00:33:48,440
different technologies. It continuously evolves and you just kind of have to understand that

351
00:33:48,440 --> 00:33:55,000
you're not going to be able to understand it yourself most of the time. So being able

352
00:33:55,000 --> 00:34:01,280
to collaborate with others and people that have more experience working with particular

353
00:34:01,280 --> 00:34:05,960
technology, have done different deployments of different tools, seeing, getting their

354
00:34:05,960 --> 00:34:15,080
perspectives on how a tool works and how that could potentially work with your plan for

355
00:34:15,080 --> 00:34:22,320
the future and collaborating with lots of different people from different industries,

356
00:34:22,320 --> 00:34:29,800
partners, whatever, so that you're getting enough perspective on something and not just

357
00:34:29,800 --> 00:34:34,880
trying to learn it all yourself, I think it's really important.

358
00:34:34,880 --> 00:34:43,040
Wonderful. Very valid point there, Ashley. I did want to kind of help wrap up the podcast.

359
00:34:43,040 --> 00:34:49,200
I know we talked a lot today and hopefully everybody is full as we all ate the acronym

360
00:34:49,200 --> 00:34:54,680
soup. So I think we're good there. And kind of to that point, it's really just never trust

361
00:34:54,680 --> 00:34:59,760
and always verify with some of these tools and moving that forward. But a big thank you

362
00:34:59,760 --> 00:35:06,480
again to Todd, Nate and Ashley. As you guys can tell, we do love to talk and very passionate

363
00:35:06,480 --> 00:35:13,640
about our certain services that we offer. But if you guys have any feedback ideas for

364
00:35:13,640 --> 00:35:21,520
us in marketing, Kelsey and Sarah, let us know. You can visit cit-net backslash podcast

365
00:35:21,520 --> 00:35:29,960
or you can email info at cit-net.com. And as always, we look forward to chatting with

366
00:35:29,960 --> 00:35:50,240
you about home documentation.

