WEBVTT

00:00:06.669 --> 00:00:09.230
Welcome to the Azure Security Podcast, where

00:00:09.230 --> 00:00:11.710
we discuss topics relating to security, privacy,

00:00:12.029 --> 00:00:14.449
reliability, and compliance on the Microsoft

00:00:14.449 --> 00:00:18.949
Cloud Platform. Hey everybody, welcome to episode

00:00:18.949 --> 00:00:22.530
121. This week it's myself, Michael, with Mark

00:00:22.530 --> 00:00:25.730
and Sarah. And we don't actually have a special

00:00:25.730 --> 00:00:29.269
guest, we actually have Mark. If you've been

00:00:29.269 --> 00:00:31.149
paying attention, you'll notice that over the

00:00:31.149 --> 00:00:35.210
years, really, Sarah and I tend to speak about

00:00:35.210 --> 00:00:38.030
low-level technologies and products and so on.

00:00:38.090 --> 00:00:40.729
And Mark tends to talk about process people,

00:00:40.869 --> 00:00:43.469
strategy, and architecture, especially with the

00:00:43.469 --> 00:00:44.890
work that he's been doing over the years with

00:00:44.890 --> 00:00:47.009
the Open Group. And we thought that since it's

00:00:47.009 --> 00:00:49.630
such an important topic, why don't we just have

00:00:49.630 --> 00:00:52.229
a special episode just on the open group and

00:00:52.229 --> 00:00:55.450
what they're doing around this kind of work?

00:00:55.729 --> 00:00:57.770
So the reason why we're recording this is in

00:00:57.770 --> 00:00:59.829
part because the open group has just published

00:00:59.829 --> 00:01:03.350
the security roles and glossary standard. So

00:01:03.350 --> 00:01:05.390
that's going to be the topic of this week's episode,

00:01:05.530 --> 00:01:07.969
a little bit different. But I think for a lot

00:01:07.969 --> 00:01:09.549
of people out there, this will be a very important

00:01:09.549 --> 00:01:11.870
and very interesting topic. But before we get

00:01:11.870 --> 00:01:14.269
to Mark, let's take a little lap around the news.

00:01:14.409 --> 00:01:16.569
By the way, Mark will have no news because basically

00:01:16.569 --> 00:01:19.750
his whole section is the news that he has. So

00:01:19.750 --> 00:01:21.890
I'll kick things off. Got a couple of news items

00:01:21.890 --> 00:01:25.049
about private endpoints. We've now made available

00:01:25.049 --> 00:01:27.650
in general availability, high scale private endpoints.

00:01:27.730 --> 00:01:31.390
I didn't even know this, but historically you

00:01:31.390 --> 00:01:33.670
could only have a thousand private endpoints

00:01:33.670 --> 00:01:36.769
per virtual network. I don't know, seems like

00:01:36.769 --> 00:01:38.670
a good number to me, but apparently it's not.

00:01:38.989 --> 00:01:43.290
You can now deploy 5,000 private endpoints in

00:01:43.290 --> 00:01:46.269
a single VNet. It is recommended that you stick

00:01:46.269 --> 00:01:50.989
to 4,000 for reasons I don't know, but the max

00:01:50.989 --> 00:01:54.049
limit now is 5,000 using high-scale private

00:01:54.049 --> 00:01:57.340
endpoints. We're now having public preview, private

00:01:57.340 --> 00:01:59.900
link service direct connect. So the private link

00:01:59.900 --> 00:02:02.140
service allows you to make your applications

00:02:02.140 --> 00:02:04.239
available to your customers privately and securely.

00:02:04.379 --> 00:02:07.079
I think we all know that. The way it currently

00:02:07.079 --> 00:02:09.800
works requires you to configure a private link

00:02:09.800 --> 00:02:12.620
service and place the applications behind a standard

00:02:12.620 --> 00:02:16.729
load balancer. Now with PrivateLink Service Direct

00:02:16.729 --> 00:02:19.009
Connect, you can expand that functionality. It

00:02:19.009 --> 00:02:22.210
allows you to connect your services directly

00:02:22.210 --> 00:02:26.509
to the PrivateLink itself. So great to see a

00:02:26.509 --> 00:02:28.530
lot more flexibility there in the way you use

00:02:28.530 --> 00:02:32.240
PrivateLink. In public preview, we have signed

00:02:32.240 --> 00:02:35.560
requests on Azure Front Door. This allows you

00:02:35.560 --> 00:02:40.259
to have essentially URL signing. It allows you

00:02:40.259 --> 00:02:42.900
to have really secure access to resources by

00:02:42.900 --> 00:02:47.400
using only signed URLs that are digitally signed

00:02:47.400 --> 00:02:49.759
by Front Door. I can think of a lot of scenarios

00:02:49.759 --> 00:02:53.479
where that would be really important. We also

00:02:53.479 --> 00:02:55.939
have, for Azure Front Door, we now have a web

00:02:55.939 --> 00:03:00.469
application, Firewall Capture. I didn't know

00:03:00.469 --> 00:03:04.090
we didn't have it, but now we do. Azure Sphere

00:03:04.090 --> 00:03:10.189
OS 25.10 is now available generally. This, if

00:03:10.189 --> 00:03:11.889
you're not familiar with Azure Sphere, actually

00:03:11.889 --> 00:03:13.590
it's been a while since I've spoken about Azure

00:03:13.590 --> 00:03:16.449
Sphere. It's essentially a very small chip, runs

00:03:16.449 --> 00:03:18.969
a very restricted version of Linux, and it's

00:03:18.969 --> 00:03:21.330
designed in highly secure environments that require

00:03:21.330 --> 00:03:24.009
essentially a system on a chip. So that's available

00:03:24.009 --> 00:03:27.879
version 25.10. Yeah, I love Azure Sphere. It's

00:03:27.879 --> 00:03:30.300
like everybody complains, like, we don't have

00:03:30.300 --> 00:03:32.379
any secure IoT devices. Well, if you used Azure

00:03:32.379 --> 00:03:35.039
Sphere, you would. It's actually designed from

00:03:35.039 --> 00:03:37.199
the ground up using everything we learned from

00:03:37.199 --> 00:03:39.039
Xbox and everything else about keeping hardware

00:03:39.039 --> 00:03:41.400
secure in a hostile environment. Actually, that's

00:03:41.400 --> 00:03:43.000
a key thing. I'm glad you brought it up. Actually,

00:03:43.080 --> 00:03:45.539
you're going to regret bringing up the Xbox thing.

00:03:46.360 --> 00:03:47.840
I don't know if you know it, but I actually worked

00:03:47.840 --> 00:03:50.580
on Xbox 360 security. And what was interesting

00:03:50.580 --> 00:03:53.919
about the 360, and same with all consoles, is

00:03:53.919 --> 00:03:58.400
that we treat the normal user as the adversary,

00:03:58.580 --> 00:04:02.180
which is a really interesting threat model. And

00:04:02.180 --> 00:04:04.000
literally the threat models are quite interesting

00:04:04.000 --> 00:04:07.159
that were built by the Xbox team. But yeah, you're

00:04:07.159 --> 00:04:08.620
absolutely right. A lot of stuff that we learned

00:04:08.620 --> 00:04:11.620
from hardware security has found its way into

00:04:11.620 --> 00:04:14.419
Azure Sphere. Actually, I've got one around here

00:04:14.419 --> 00:04:16.220
somewhere. I've got an Azure Sphere SDK somewhere.

00:04:16.459 --> 00:04:19.779
I'll dig it out. It'll be fun to play with. It's

00:04:19.779 --> 00:04:22.060
been a while. Anyway, last one, and this is my

00:04:22.060 --> 00:04:23.759
favorite thing of the whole lot, is in public

00:04:23.759 --> 00:04:26.560
preview, we now have the Azure Integrated Hardware

00:04:26.560 --> 00:04:29.959
Security Module, HSM. I'm honestly so excited

00:04:29.959 --> 00:04:32.259
for this. When we announced that it was publicly

00:04:32.259 --> 00:04:34.620
available, sorry, in public preview, I immediately

00:04:34.620 --> 00:04:37.620
emailed the person who's running the project,

00:04:37.720 --> 00:04:40.180
saying, hey, can you give me access to the VMs

00:04:40.180 --> 00:04:44.000
that have this? So this is available, like I

00:04:44.000 --> 00:04:47.740
say, in preview on certain AMD version 7-based

00:04:47.740 --> 00:04:54.639
VMs. They are the DAS-V7 series, the DADS-V7

00:04:54.639 --> 00:05:01.120
series, the EAS-V7 series, and the EADS-V7

00:05:01.120 --> 00:05:04.779
series. All the way from little VMs up to big

00:05:04.779 --> 00:05:07.160
VMs. What it is, is essentially it's a hardware

00:05:07.160 --> 00:05:11.800
accelerator on the motherboard, on the actual

00:05:11.800 --> 00:05:15.170
hardware itself. This is really, really cool

00:05:15.170 --> 00:05:16.670
because you can use it for acceleration, right?

00:05:16.709 --> 00:05:18.509
You can do crypto in hardware as opposed to being

00:05:18.509 --> 00:05:20.389
in software. And then also you get all the things

00:05:20.389 --> 00:05:27.230
like key isolation. It is also FIPS 140-3 Level

00:05:27.230 --> 00:05:31.410
3 validated hardware. So you can offload things

00:05:31.410 --> 00:05:33.970
like encryption, decryption, signing, verification

00:05:33.970 --> 00:05:36.509
operations, depending on what you're doing, all

00:05:36.509 --> 00:05:39.610
within the confines of the HSM. And the keys

00:05:39.610 --> 00:05:42.829
don't leave the HSM. If you squint a little bit,

00:05:42.870 --> 00:05:46.329
it's like a mini Key Vault in hardware, locally

00:05:46.329 --> 00:05:49.649
accessible to the VM. The APIs that you access

00:05:49.649 --> 00:05:52.290
it, though I've been experimenting with it, they're

00:05:52.290 --> 00:05:54.949
not the Key Vault APIs. They're actually the

00:05:54.949 --> 00:05:58.350
Windows Crypto Next Generation, the CNG APIs.

00:05:58.990 --> 00:06:01.050
Either way, I mean, it's very well understood.

00:06:01.250 --> 00:06:04.689
So right now, the HSM is available only on Windows,

00:06:04.889 --> 00:06:07.920
but Linux support is coming very soon. Fantastic

00:06:07.920 --> 00:06:10.019
to see, super excited about this because now

00:06:10.019 --> 00:06:12.959
you can store secrets and so on in the VM, in

00:06:12.959 --> 00:06:15.120
the hardware, as opposed to like in software

00:06:15.120 --> 00:06:17.899
or in configuration files. So this is really

00:06:17.899 --> 00:06:19.759
great to see. Anyway, that's all I got. Sarah,

00:06:19.899 --> 00:06:22.980
what you got? Okay, so I've got a couple of things

00:06:22.980 --> 00:06:26.740
about Azure Firewall, old faithful there. So

00:06:26.740 --> 00:06:30.069
they... We've just seen the GA of pre-scaling.

00:06:30.129 --> 00:06:32.970
So if you're not familiar with the phrase, it's

00:06:32.970 --> 00:06:36.850
a feature that enables admins to provision and

00:06:36.850 --> 00:06:41.670
reserve capacity in advance for if you're going

00:06:41.670 --> 00:06:44.189
to have higher traffic loads. So, you know, seasonal

00:06:44.189 --> 00:06:47.199
peaks, planned business events. I always... think

00:06:47.199 --> 00:06:50.879
of buying concert tickets for this personally,

00:06:51.100 --> 00:06:54.180
but it could be many different things. So that's

00:06:54.180 --> 00:06:58.600
now GA if you randomly get very high peaks. And

00:06:58.600 --> 00:07:01.439
probably the flip side of that is the other thing

00:07:01.439 --> 00:07:05.699
that's GA is the observed capacity metric in

00:07:05.699 --> 00:07:08.560
Azure Firewall. So it's a new signal that you

00:07:08.560 --> 00:07:13.000
can get that lets you understand actually how

00:07:13.000 --> 00:07:15.720
your firewalls are actually scaling in real life.

00:07:15.899 --> 00:07:19.399
So that means that you can actually monitor your

00:07:19.399 --> 00:07:21.540
scaling, which will of course help you predict

00:07:21.540 --> 00:07:24.819
traffic patterns, et cetera. So two very cool

00:07:24.819 --> 00:07:28.500
things that as someone who was back in the day,

00:07:28.560 --> 00:07:31.579
a network engineer a very long time ago, well,

00:07:31.720 --> 00:07:34.920
I think it was a very long time ago. I do appreciate

00:07:34.920 --> 00:07:38.199
that they're quite handy to know, to be able

00:07:38.199 --> 00:07:42.000
to control your traffic. So the other one, the

00:07:42.000 --> 00:07:44.500
elephant in the room at the time that we should

00:07:44.500 --> 00:07:47.259
publish this, it's nearly time for Microsoft

00:07:47.259 --> 00:07:50.639
Ignite. So you know me, I love my events. So

00:07:50.639 --> 00:07:53.600
of course, you should tune into Ignite. I know

00:07:53.600 --> 00:07:56.199
there will be, I can't give anything away, but

00:07:56.199 --> 00:07:57.980
of course, there are announcements in the security

00:07:57.980 --> 00:08:01.439
space. If you're going to Ignite, come and say

00:08:01.439 --> 00:08:04.120
hello. I will be there, although I will largely

00:08:04.120 --> 00:08:07.779
be locked up in a studio, I believe. But... if

00:08:07.779 --> 00:08:10.279
you see me, come and say hello. I'll be hosting

00:08:10.279 --> 00:08:13.339
the live stream again. And for those of you who

00:08:13.339 --> 00:08:15.639
aren't able to travel to San Francisco, of course,

00:08:15.639 --> 00:08:19.100
you can register online for the live stream for

00:08:19.100 --> 00:08:21.920
free. And if you're in a part of the world that

00:08:21.920 --> 00:08:25.199
isn't necessarily super friendly for the whole

00:08:25.199 --> 00:08:27.839
thing, because it is US friendly hours, of course,

00:08:27.839 --> 00:08:30.860
there will be things put on demand as well. So

00:08:30.860 --> 00:08:33.259
you can watch it later. So of course, make sure

00:08:33.259 --> 00:08:35.789
you do that. All right. Now we've got the news

00:08:35.789 --> 00:08:37.929
out of the way. Let's talk to Mark. I mean, this

00:08:37.929 --> 00:08:40.389
is basically your show at this point, Mark. So

00:08:40.389 --> 00:08:42.669
we're here to talk about, and correct me if I'm

00:08:42.669 --> 00:08:43.990
wrong here, we're here to talk about the open

00:08:43.990 --> 00:08:45.710
group and the fact that they've now released

00:08:45.710 --> 00:08:50.389
the security roles and glossary standard. So

00:08:50.389 --> 00:08:52.169
why don't we start at the very, very beginning,

00:08:52.289 --> 00:08:56.110
which is, you know, what is the open group? Why,

00:08:56.309 --> 00:08:58.029
you know, what is this standard we're talking

00:08:58.029 --> 00:09:00.730
about? Why was it put together? If you want to

00:09:00.730 --> 00:09:03.250
just give us that lowdown and then we'll see

00:09:03.250 --> 00:09:05.629
where this thing goes. So the open group is a

00:09:05.629 --> 00:09:08.049
standards body. And they've been putting out

00:09:08.049 --> 00:09:10.629
security standards since the 1990s, actually.

00:09:10.769 --> 00:09:14.049
They also do a number of other popular standards

00:09:14.049 --> 00:09:16.710
as well as some obscure ones and industry specific

00:09:16.710 --> 00:09:19.250
ones. The thing that they're most known for is

00:09:19.250 --> 00:09:21.230
the TOGAF standard, the Open Group Architecture

00:09:21.230 --> 00:09:24.210
Forum standard for enterprise architecture. That's

00:09:24.210 --> 00:09:26.330
one of the big ones probably going to get yelled

00:09:26.330 --> 00:09:27.850
at because I forgot a few of the other ones off

00:09:27.850 --> 00:09:29.870
the top of my head. The ones that I primarily

00:09:29.870 --> 00:09:32.690
work on are the security and zero trust standards.

00:09:32.809 --> 00:09:35.610
I actually been doing this for about, I think,

00:09:35.610 --> 00:09:38.120
three, four years now. And I recently actually

00:09:38.120 --> 00:09:42.000
was getting so involved in it that, hey, we need

00:09:42.000 --> 00:09:44.620
someone to be the forum chair. And I was like,

00:09:44.659 --> 00:09:46.100
what the heck? I'll run for it. And I got it.

00:09:46.159 --> 00:09:49.820
And then I was like, I don't have a responsibility.

00:09:49.980 --> 00:09:51.919
I should probably have some sort of vision or

00:09:51.919 --> 00:09:53.659
roadmap or whatever we're trying to do because

00:09:53.659 --> 00:09:57.600
this is my forum now. And so we put together

00:09:57.600 --> 00:10:00.019
a body of knowledge and a plan for security and

00:10:00.019 --> 00:10:02.539
zero trust and how it all relates together. And

00:10:02.539 --> 00:10:05.940
that sort of led to a lot of good thinking and

00:10:05.940 --> 00:10:08.940
strategy, including this roles and glossary standard

00:10:08.940 --> 00:10:11.379
that we're about to release. The intent of the

00:10:11.379 --> 00:10:13.120
whole body of knowledge, I'll just start with

00:10:13.120 --> 00:10:15.139
the big picture. Actually, I'll step back one

00:10:15.139 --> 00:10:18.419
more thing. The focus of the open group is really

00:10:18.419 --> 00:10:21.980
just openness, consensus. They've actually got

00:10:21.980 --> 00:10:25.080
a really rigorous set of processes to go through

00:10:25.080 --> 00:10:27.419
and release these standards to make sure that

00:10:27.419 --> 00:10:30.659
even if you're business competitors, that people

00:10:30.659 --> 00:10:32.440
can work together, come up with a standard that

00:10:32.440 --> 00:10:35.500
works, and then everyone can use and adopt it.

00:10:35.960 --> 00:10:39.399
It's got a lot of really, really valuable attributes

00:10:39.759 --> 00:10:41.500
from the perspective of driving the industry

00:10:41.500 --> 00:10:43.500
forward. So that's one of the reasons that I've

00:10:43.500 --> 00:10:49.399
invested a lot of my time into it. The security

00:10:49.399 --> 00:10:54.700
roles and glossary standard, as folks from the

00:10:54.700 --> 00:10:58.120
former British Empire would say, the name is

00:10:58.120 --> 00:11:02.340
on the tin. Security glossary is the first part

00:11:02.340 --> 00:11:06.299
of it, and it just defines terms. This sounds

00:11:06.299 --> 00:11:08.320
kind of boring, like, ooh, you're writing a dictionary,

00:11:08.480 --> 00:11:11.039
yay. Well, in the security industry, there's

00:11:11.039 --> 00:11:14.399
a lot of terms that people use wrong. There's

00:11:14.399 --> 00:11:16.779
a lot of people using the same term for various

00:11:16.779 --> 00:11:18.679
reasons, different things. There's a whole lot

00:11:18.679 --> 00:11:22.139
of conflict and just mess, quite frankly, in

00:11:22.139 --> 00:11:25.500
the terminology space. And so this one actually

00:11:25.500 --> 00:11:27.100
ended up being a much more interesting project

00:11:27.100 --> 00:11:29.879
than I thought. Some of the things that we took

00:11:29.879 --> 00:11:33.620
from real world examples is DART, our detection

00:11:33.620 --> 00:11:37.429
response team at Microsoft. In that glossary,

00:11:37.509 --> 00:11:40.049
we included some of the learnings from that,

00:11:40.090 --> 00:11:41.950
which is there is a very big difference between

00:11:41.950 --> 00:11:44.169
an incident, which means something happens we

00:11:44.169 --> 00:11:46.990
have to investigate just in general, versus a

00:11:46.990 --> 00:11:49.269
compromise that we know the security was violated

00:11:49.269 --> 00:11:53.190
in some way or form or fashion, versus a breach,

00:11:53.409 --> 00:11:56.809
which is there is a legally reportable event

00:11:56.809 --> 00:11:58.789
that we now have to go through a legal process

00:11:58.789 --> 00:12:02.710
on. Those three things are very, very, very different,

00:12:02.789 --> 00:12:05.919
but people use them interchangeably. And so it

00:12:05.919 --> 00:12:07.820
was really kind of an interesting project to

00:12:07.820 --> 00:12:10.379
go through the glossary piece of it. And then

00:12:10.379 --> 00:12:12.500
the roles is defining the roles in security.

00:12:12.679 --> 00:12:17.509
We initially set out to do the security roles.

00:12:17.950 --> 00:12:20.990
But what we found is that security is not just

00:12:20.990 --> 00:12:23.690
the security team's job. Think about it from

00:12:23.690 --> 00:12:26.450
an IT perspective. Is the IT team going to let

00:12:26.450 --> 00:12:28.830
someone patch and reboot their servers on the

00:12:28.830 --> 00:12:31.009
security team because it needs a patch? And the

00:12:31.009 --> 00:12:32.629
answer is, oh, heck no, because they have other

00:12:32.629 --> 00:12:34.649
requirements. They have availability, resiliency,

00:12:35.070 --> 00:12:36.509
meeting the business requirements, and all sorts

00:12:36.509 --> 00:12:37.710
of stuff. And they're going to get blamed if

00:12:37.710 --> 00:12:40.529
something goes wrong. And so, well, the only

00:12:40.529 --> 00:12:42.090
people that can actually apply those patches

00:12:42.090 --> 00:12:44.710
are the security people. And it goes a lot deeper

00:12:44.710 --> 00:12:46.190
than that. So we ended up covering all these

00:12:46.190 --> 00:12:49.309
roles. And we got to this point where we sort

00:12:49.309 --> 00:12:51.169
of realized that, you know, I was doing this

00:12:51.169 --> 00:12:53.370
work on my Zero Trust Playbook series, as well

00:12:53.370 --> 00:12:55.529
as all my Microsoft work. And I'm like, you know

00:12:55.529 --> 00:12:57.129
what, we just need to all be operating off the

00:12:57.129 --> 00:12:59.169
same set of roles. And so my co-author and I,

00:12:59.230 --> 00:13:01.970
Nikhil Kumar, who was on the show before, we

00:13:01.970 --> 00:13:03.970
just decided to contribute that list of roles

00:13:03.970 --> 00:13:06.529
to the open group and then, you know, develop

00:13:06.529 --> 00:13:09.860
those there into an open standard for all to

00:13:09.860 --> 00:13:13.559
use. So Mark, what is actually being released

00:13:13.559 --> 00:13:18.240
then? Very good question. There's about 73 roles

00:13:18.240 --> 00:13:22.960
so far total that we've found. And there's been

00:13:22.960 --> 00:13:25.340
a lot of interesting things like... You know,

00:13:25.399 --> 00:13:27.519
as we go through it, because that list does go

00:13:27.519 --> 00:13:29.600
up and down as we sort of define the details

00:13:29.600 --> 00:13:31.879
of it. So everybody knows that there's a CIO

00:13:31.879 --> 00:13:34.039
role and that's sort of the existing, you know,

00:13:34.039 --> 00:13:36.340
job that you have to do. And then there's a CTO

00:13:36.340 --> 00:13:38.779
role, which is the new technology versus, you

00:13:38.779 --> 00:13:41.399
know, the CIO running the existing stuff. But,

00:13:41.500 --> 00:13:43.240
you know, what is a chief digital officer? And

00:13:43.240 --> 00:13:44.679
we're still kind of working through that. And

00:13:44.679 --> 00:13:46.279
is it an overlap or a combination of the two?

00:13:46.320 --> 00:13:48.179
Is it a virtual role or is it just a title that

00:13:48.179 --> 00:13:50.539
some people take? And so there's an interesting

00:13:50.539 --> 00:13:54.460
sort of number change thing to it. But at the

00:13:54.460 --> 00:13:57.399
end of the day, there's about 73 roles total.

00:13:57.740 --> 00:13:59.720
And we knew we couldn't get all the details out

00:13:59.720 --> 00:14:01.740
for all of them on the first pass. And so we

00:14:01.740 --> 00:14:03.460
wanted to start with the ones that were the most

00:14:03.460 --> 00:14:06.960
important, the highest impact. And those are

00:14:06.960 --> 00:14:09.639
in two areas. One is in the depth and the heart

00:14:09.639 --> 00:14:11.659
of security and the security operations center

00:14:11.659 --> 00:14:16.039
or SecOps or SOC. Um, and there's a lot of mystery,

00:14:16.159 --> 00:14:18.840
a lot of confusion. It's, I mean, it's, it's

00:14:18.840 --> 00:14:20.940
essentially the front line, right? It's where

00:14:20.940 --> 00:14:23.779
the actual real time conflict happens with the

00:14:23.779 --> 00:14:25.759
adversaries that you've been prepping for, or

00:14:25.759 --> 00:14:28.100
hopefully been prepping for. Um, and there's

00:14:28.100 --> 00:14:29.679
a lot of confusion around that. So we spent a

00:14:29.679 --> 00:14:31.779
lot of time, you know, uh, making sure that that

00:14:31.779 --> 00:14:33.860
one was clean and clear. And so that, that section

00:14:33.860 --> 00:14:37.240
came out first. Um, and of course the glossary

00:14:37.240 --> 00:14:38.860
I mentioned earlier. So we have the first version

00:14:38.860 --> 00:14:41.299
of the glossary and we expect that to have additional

00:14:41.299 --> 00:14:44.059
terms added as we go. And then the other one

00:14:44.059 --> 00:14:47.220
that we decided to focus on is the business leader

00:14:47.220 --> 00:14:50.679
roles. Because one of the things that we've found

00:14:50.679 --> 00:14:53.019
is it's not just within the IT versus security

00:14:53.019 --> 00:14:56.519
that there's a lot of confusion and there's a

00:14:56.519 --> 00:14:58.080
lot of security responsibilities that people

00:14:58.080 --> 00:15:00.220
don't realize are their accountabilities, actually.

00:15:01.700 --> 00:15:04.460
We also realize that if you think about it this

00:15:04.460 --> 00:15:08.159
way, a business leader can create security risk

00:15:08.159 --> 00:15:09.919
through their decisions without even knowing

00:15:11.029 --> 00:15:13.529
anything about security or without even knowing

00:15:13.529 --> 00:15:15.690
that they're creating that risk to the organization,

00:15:15.909 --> 00:15:20.190
to the shareholders' value, right? So say I'm

00:15:20.190 --> 00:15:22.929
a business leader and I set a target that I want

00:15:22.929 --> 00:15:26.549
to get this particular revenue level, which means

00:15:26.549 --> 00:15:29.919
I have to run my systems at 100% uptime. And

00:15:29.919 --> 00:15:32.320
that seems like it's a business decision on its

00:15:32.320 --> 00:15:33.980
face, right? You're going to be aggressive about

00:15:33.980 --> 00:15:36.580
it, right? And that seems like a valid business

00:15:36.580 --> 00:15:39.139
decision. But what's not in the mix is like,

00:15:39.240 --> 00:15:40.860
well, that means there's no maintenance windows.

00:15:41.139 --> 00:15:44.620
That means that we can't apply patches for things

00:15:44.620 --> 00:15:46.899
that we know adversaries can use to take those

00:15:46.899 --> 00:15:51.419
systems down. Business leader says, you know,

00:15:51.440 --> 00:15:54.019
I want 100% uptime, you know, and they say,

00:15:54.080 --> 00:15:55.679
well, we don't have any maintenance once it was

00:15:55.679 --> 00:15:58.000
too bad. Well, can we get some money to fund

00:15:58.000 --> 00:16:01.259
some redundancy or cloud systems or something

00:16:01.259 --> 00:16:03.100
that's modern like that, that we can patch it

00:16:03.100 --> 00:16:05.519
on the fly and hot patch it? And they say, no,

00:16:05.700 --> 00:16:08.590
they have just created security risk. And at

00:16:08.590 --> 00:16:10.909
that point in time, if the security team doesn't

00:16:10.909 --> 00:16:15.710
stand up and push back, then that risk is going

00:16:15.710 --> 00:16:17.190
to go forward. And what happens when there's

00:16:17.190 --> 00:16:18.409
an incident? Well, they're going to blame the

00:16:18.409 --> 00:16:20.269
security team, right? Because why didn't you

00:16:20.269 --> 00:16:22.929
stop these attackers? And that just doesn't make

00:16:22.929 --> 00:16:24.429
sense because the security team doesn't have

00:16:24.429 --> 00:16:26.850
any control or influence over the decisions and

00:16:26.850 --> 00:16:29.350
actions that led to the breach, to the exploitation

00:16:29.350 --> 00:16:32.399
of that very well-known attack path, essentially.

00:16:32.639 --> 00:16:35.879
And so we really wanted to demystify that aspect

00:16:35.879 --> 00:16:38.500
of where security goes wrong and really kind

00:16:38.500 --> 00:16:41.899
of correct that. And so that led to two different

00:16:41.899 --> 00:16:46.179
things. One is the literal business leaders like,

00:16:46.200 --> 00:16:48.850
hey, member of a board of directors, CEO, chief

00:16:48.850 --> 00:16:51.330
executive officer, chief operating officer, chief

00:16:51.330 --> 00:16:53.750
financial officer, chief counsel, chief legal

00:16:53.750 --> 00:16:56.570
officer, et cetera. For those senior leadership

00:16:56.570 --> 00:17:00.090
roles, what is your security job to do? And then

00:17:00.090 --> 00:17:03.240
that also led us to... that we had to tie this

00:17:03.240 --> 00:17:05.759
in so that they understood that this is part

00:17:05.759 --> 00:17:08.119
of their fiduciary duty. Now, I know a lot of

00:17:08.119 --> 00:17:10.920
people don't know that term fiduciary. Essentially,

00:17:11.119 --> 00:17:13.920
a fiduciary is someone that is an agent that

00:17:13.920 --> 00:17:17.640
is acting in a trusted way. So as a shareholder,

00:17:17.740 --> 00:17:20.140
say I own a company and then I appoint a CEO

00:17:20.140 --> 00:17:22.720
to run it, I am trusting that that CEO is going

00:17:22.720 --> 00:17:26.359
to take good care of the assets that I own, that

00:17:26.359 --> 00:17:28.940
they're running on my behalf. And that's essentially

00:17:28.940 --> 00:17:31.819
the relationship between shareholders and a CEO,

00:17:31.859 --> 00:17:34.259
and of course the board that oversees them. And

00:17:34.259 --> 00:17:36.680
so that fiduciary relationship and the fiduciary

00:17:36.680 --> 00:17:40.400
duty that they have to the owners of the company

00:17:40.400 --> 00:17:43.579
is super, super important because that is a legal

00:17:43.579 --> 00:17:46.339
and ethical obligation in many countries. Different

00:17:46.339 --> 00:17:48.480
law systems mean slightly different between common

00:17:48.480 --> 00:17:51.299
law and others. But that is a very, very powerful,

00:17:51.400 --> 00:17:55.599
important core part of being a member of a board

00:17:55.599 --> 00:17:58.200
of directors, being an officer of a company.

00:17:59.150 --> 00:18:04.150
And so what happens is people don't understand

00:18:04.150 --> 00:18:08.109
that there's security aspects of their fiduciary

00:18:08.109 --> 00:18:09.710
duty. And so one of the things we did was we

00:18:09.710 --> 00:18:11.769
took the fiduciary duty, and there's a certain

00:18:11.769 --> 00:18:13.869
set of duties underneath it, the duty of care.

00:18:14.150 --> 00:18:16.829
You're going to take care of those assets, the

00:18:16.829 --> 00:18:19.980
duty of loyalty that you're going to treat the

00:18:19.980 --> 00:18:22.220
interests of the shareholders first before you

00:18:22.220 --> 00:18:24.440
do your own personal and other interests. There's

00:18:24.440 --> 00:18:26.039
a bunch of different duties in there. And so

00:18:26.039 --> 00:18:29.579
we took those duties and then we explained what

00:18:29.579 --> 00:18:33.839
does that mean from a security standpoint? What

00:18:33.839 --> 00:18:35.839
is the fiduciary duty of a board of director,

00:18:35.900 --> 00:18:38.900
of a CEO in regards to security when you're looking

00:18:38.900 --> 00:18:40.640
at duty of care, duty of loyalty, and what are

00:18:40.640 --> 00:18:42.839
the things you have to do to make sure you're

00:18:42.839 --> 00:18:45.940
fulfilling that duty correctly? And so we really

00:18:45.940 --> 00:18:48.920
took that time to anchor that so that all of

00:18:48.920 --> 00:18:52.099
this is coming from a really core foundational

00:18:52.099 --> 00:18:54.720
piece. And it's not just, hey, the security team

00:18:54.720 --> 00:18:57.779
is complaining. This is actually part of taking

00:18:57.779 --> 00:19:00.240
care of the shareholders because, you know, say

00:19:00.240 --> 00:19:03.579
a company loses, you know, whatever, 10% of

00:19:03.579 --> 00:19:05.680
their revenue for the year because of these decisions.

00:19:06.140 --> 00:19:08.099
If that was something that could be anticipated,

00:19:08.339 --> 00:19:10.259
then that's something that is really a part of

00:19:10.259 --> 00:19:15.529
those business leaders' jobs. this guidance?

00:19:15.769 --> 00:19:18.509
What is provided for each of the roles? Honestly,

00:19:19.150 --> 00:19:23.349
how are people going to use this material? Good

00:19:23.349 --> 00:19:25.970
question. Effectively, the way we addressed each

00:19:25.970 --> 00:19:27.849
of the roles, obviously, aside from the special

00:19:27.849 --> 00:19:31.329
fiduciary duty parts of it, is we really focused

00:19:31.329 --> 00:19:35.490
on a couple different things for the roles. It's

00:19:35.490 --> 00:19:36.750
either three or four. I can't remember off the

00:19:36.750 --> 00:19:40.509
top of my head. The first is, what are the job

00:19:40.509 --> 00:19:44.750
functions? If you're a non-security role, that's

00:19:44.750 --> 00:19:46.750
an accountability, right? Because if I own risk,

00:19:46.829 --> 00:19:49.750
I own security risk. It's like a tattoo. It just

00:19:49.750 --> 00:19:51.490
automatically comes with it. It's not something

00:19:51.490 --> 00:19:53.609
you can decide whether or not you do. If you

00:19:53.609 --> 00:19:55.890
own risk, you own security risk. And so those

00:19:55.890 --> 00:19:59.250
job functions are accountabilities for a non-

00:19:59.250 --> 00:20:03.289
security role. So for a CEO, for a CIO, for

00:20:03.289 --> 00:20:05.829
a developer, et cetera. What are the different

00:20:05.829 --> 00:20:07.609
job functions that you have to do for security?

00:20:07.730 --> 00:20:12.309
For example, on the CEO one. You have to set

00:20:12.309 --> 00:20:14.450
up the accountability of the organization and

00:20:14.450 --> 00:20:15.809
make sure you're holding the business leaders

00:20:15.809 --> 00:20:17.430
accountable for the decisions they make. Because

00:20:17.430 --> 00:20:18.769
if you make a decision, you own the outcomes

00:20:18.769 --> 00:20:20.690
of it. Whether it's legal, whether it's financial,

00:20:20.950 --> 00:20:22.430
whether it's security, it doesn't matter. You

00:20:22.430 --> 00:20:27.259
own the decisions that you make. The CEO has

00:20:27.259 --> 00:20:29.240
to set that up correctly. They have to set the

00:20:29.240 --> 00:20:31.259
culture of the organization. Nobody else can

00:20:31.259 --> 00:20:33.700
set the culture of the organization or set the

00:20:33.700 --> 00:20:35.920
accountability structure of the organization.

00:20:36.720 --> 00:20:39.299
And so there's certain things like that. In the

00:20:39.299 --> 00:20:44.039
case of a security operations, say a tier two,

00:20:44.059 --> 00:20:46.980
an investigation analyst, that's more like, hey,

00:20:47.000 --> 00:20:49.000
you're going to investigate the incidents and

00:20:49.000 --> 00:20:53.299
remediate them and then work with the... with

00:20:53.299 --> 00:20:55.660
the IT folks and whatnot to get them remediated

00:20:55.660 --> 00:20:58.859
and cleaned up. And so the job duties is the

00:20:58.859 --> 00:21:00.619
first and most important part. And what are the

00:21:00.619 --> 00:21:04.019
different jobs that have to be done, quite frankly,

00:21:04.099 --> 00:21:08.420
as this role? And so that's the first part. And

00:21:08.420 --> 00:21:11.299
then for each of those. We wanted to have a really

00:21:11.299 --> 00:21:13.500
powerful why so that this wasn't just here's

00:21:13.500 --> 00:21:15.759
a random opinion. So what we did was we defined

00:21:15.759 --> 00:21:18.700
a risk of neglect for each of those. So if this

00:21:18.700 --> 00:21:21.740
is not happening or it's not being executed well,

00:21:21.980 --> 00:21:24.759
what goes wrong? Do you have more security incidents?

00:21:25.019 --> 00:21:27.380
Do you have more severe incidents? More business

00:21:27.380 --> 00:21:30.039
damage? Do you have more reputational damage

00:21:30.039 --> 00:21:32.500
because the comms person isn't explaining this

00:21:32.500 --> 00:21:35.480
well publicly or following best practices during

00:21:35.480 --> 00:21:40.460
an incident? So that's like the first part is

00:21:40.460 --> 00:21:43.740
like what literally is the job to be done. The

00:21:43.740 --> 00:21:48.319
other things that we covered was, hey, what assets

00:21:48.319 --> 00:21:52.319
is this role accountable for? Because, for example,

00:21:52.559 --> 00:21:55.059
if I'm an IT person, I'm working on servers and

00:21:55.059 --> 00:21:57.579
cloud assets and containers, then it's my job

00:21:57.579 --> 00:22:00.579
to patch and maintain and configure those correctly,

00:22:00.799 --> 00:22:03.319
et cetera, because I'm the one that's managing

00:22:03.319 --> 00:22:05.839
that asset. If I'm a chief financial officer,

00:22:06.059 --> 00:22:08.420
there's a sort of a different meaning of the

00:22:08.420 --> 00:22:12.400
term asset, that I own the accounts payable process.

00:22:12.480 --> 00:22:14.380
I own the accounts receivable process. That means

00:22:14.380 --> 00:22:18.079
I own the risk of fraud, or my people do, and

00:22:18.079 --> 00:22:21.579
working through that with the organization. And

00:22:21.579 --> 00:22:26.319
so as a security team, I can't fix business email

00:22:26.319 --> 00:22:28.660
compromise because that's someone tricking someone

00:22:28.660 --> 00:22:31.119
into paying something. That's a financial process

00:22:31.119 --> 00:22:34.509
that's owned by the CFO or one of their delegates,

00:22:34.630 --> 00:22:36.789
and they need to make sure that that process

00:22:36.789 --> 00:22:40.829
is actually resistant to a scammer, right? Just

00:22:40.829 --> 00:22:45.109
like fax or phone or someone walking in. All

00:22:45.109 --> 00:22:47.769
those forms of fraud. Email fraud is basically

00:22:47.769 --> 00:22:50.349
just email fraud, right? And so that's the second

00:22:50.349 --> 00:22:53.349
piece. So jobs to be done, the assets. And then

00:22:53.349 --> 00:22:55.750
the other thing that we realized is in order

00:22:55.750 --> 00:23:00.589
to actually secure these assets, you need to

00:23:00.589 --> 00:23:02.230
have some knowledge. You can't just walk in off

00:23:02.230 --> 00:23:04.250
the street and I came out of finance school or

00:23:04.250 --> 00:23:06.109
I came out of, you know, I got my law degree

00:23:06.109 --> 00:23:08.549
and then I automatically know security. You need

00:23:08.549 --> 00:23:10.730
to have a security education. You need to have

00:23:10.730 --> 00:23:12.490
some knowledge so you know how to protect those

00:23:12.490 --> 00:23:15.289
assets and you know how to do those duties. And

00:23:15.289 --> 00:23:17.190
so that's another section that we define and,

00:23:17.230 --> 00:23:18.730
you know, provide some bullet points on this

00:23:18.730 --> 00:23:20.910
is the knowledge that you need as a business

00:23:20.910 --> 00:23:23.089
leader, as a lawyer, as a marketing person, as

00:23:23.089 --> 00:23:25.910
a comms person, as a technology person, as a

00:23:25.910 --> 00:23:29.809
developer, as a SOC person or a GRC person,

00:23:29.890 --> 00:23:35.029
et cetera. So that's the third one. And then

00:23:35.029 --> 00:23:37.230
the fourth one is just how does this tie into

00:23:37.230 --> 00:23:39.049
the capabilities, which is part of a different

00:23:39.049 --> 00:23:41.009
open group standard, the Zero Trust Reference

00:23:41.009 --> 00:23:43.910
Model, because the capabilities are basically

00:23:43.910 --> 00:23:49.430
what are the things you do in security that you

00:23:49.430 --> 00:23:51.230
do all the time. So if you take like a business

00:23:51.230 --> 00:23:53.410
capability, for example, you buy raw material.

00:23:53.880 --> 00:23:56.279
You make a product, you sell a product, you ship

00:23:56.279 --> 00:23:58.599
a product. Now, the capability of shipping a

00:23:58.599 --> 00:24:00.299
product, you might ship it with a plane, a train,

00:24:00.359 --> 00:24:02.660
or an automobile, but you're still shipping a

00:24:02.660 --> 00:24:04.440
product. It goes from my facility to their facility.

00:24:04.960 --> 00:24:08.259
And so that was, we realized we needed to define

00:24:08.259 --> 00:24:10.039
that for security. What is that durable outcome?

00:24:10.299 --> 00:24:11.859
And that's in this Zero Trust Reference Model.

00:24:12.200 --> 00:24:14.200
And then you need people, process, tech to make

00:24:14.200 --> 00:24:16.759
that come to life. And so, you know, whether

00:24:16.759 --> 00:24:20.309
it's responding to incidents or... or patching

00:24:20.309 --> 00:24:23.190
systems or doing secure asset management or all

00:24:23.190 --> 00:24:25.130
the different security capabilities that are

00:24:25.130 --> 00:24:27.490
defined in there, you need people, process, and

00:24:27.490 --> 00:24:29.470
tech. And so the process and tech are defined

00:24:29.470 --> 00:24:32.730
as architecture building blocks in that other

00:24:32.730 --> 00:24:35.049
Zero Trust Reference Model standard. But within

00:24:35.049 --> 00:24:37.450
the role standard, we need to map that back in

00:24:37.450 --> 00:24:39.369
and say, these people work on these capabilities.

00:24:39.890 --> 00:24:42.269
And so that's really what we're giving for each

00:24:42.269 --> 00:24:44.730
role. So what's the job to be done? What assets

00:24:44.730 --> 00:24:47.029
do you own? What knowledge do you need? And how

00:24:47.029 --> 00:24:49.289
does this relate to the overall security capabilities

00:24:49.289 --> 00:24:53.569
that are being defined that don't change in security,

00:24:53.710 --> 00:24:56.789
regardless of AI and cloud and every other thing

00:24:56.789 --> 00:25:00.069
that's happening? Mark, so obviously you've done

00:25:00.069 --> 00:25:02.980
a lot already, but... Is there more coming? Is

00:25:02.980 --> 00:25:05.640
this part of something bigger, a bigger piece

00:25:05.640 --> 00:25:07.859
of work? Because I know you don't do things by

00:25:07.859 --> 00:25:10.880
halves. Yeah, the big part is really just that

00:25:10.880 --> 00:25:13.819
security and zero trust body of knowledge, right?

00:25:13.900 --> 00:25:17.039
We want to have a coherent way of looking at

00:25:17.039 --> 00:25:20.440
security and, you know, having those capabilities

00:25:20.440 --> 00:25:22.220
I mentioned, having the roles defined. These

00:25:22.220 --> 00:25:24.559
are very foundational components because security

00:25:24.559 --> 00:25:26.920
is, quite frankly, a very new discipline. It's

00:25:26.920 --> 00:25:29.019
only, what, three, four decades old compared

00:25:29.019 --> 00:25:31.680
to, like, you know, buildings and energy and all

00:25:31.680 --> 00:25:33.119
these other things that we've been doing for

00:25:33.119 --> 00:25:36.960
hundreds of years, if not thousands, as a human

00:25:36.960 --> 00:25:40.980
society. And so what we wanted to do is help

00:25:40.980 --> 00:25:44.079
professionalize this with that security and zero

00:25:44.079 --> 00:25:47.259
trust body of knowledge. And so one of the things

00:25:47.259 --> 00:25:49.200
that we're documenting there as part of this

00:25:49.200 --> 00:25:53.079
is, hey, what do the attackers do? And MITRE

00:25:53.079 --> 00:25:54.859
ATT &CK is a part of that. It's like the technical

00:25:54.859 --> 00:25:57.119
proven attacks that are out there. But there's

00:25:57.119 --> 00:26:01.140
also a bigger picture thing with, um, what are

00:26:01.140 --> 00:26:03.119
their motivations? Because they're either doing

00:26:03.119 --> 00:26:05.140
it for money or mission or both. And there's

00:26:05.140 --> 00:26:08.119
criminals, there's nation states, there's hacktivists,

00:26:08.140 --> 00:26:10.519
right? There's a finite amount of stable things

00:26:10.519 --> 00:26:12.319
that we've seen over the past couple of decades

00:26:12.319 --> 00:26:14.240
that have stabilized. And then what are their

00:26:14.240 --> 00:26:16.019
operating models and how do they make money off

00:26:16.019 --> 00:26:20.799
of you? And so we want to document and standardize

00:26:20.799 --> 00:26:22.940
the attackers. And not standardize because we

00:26:22.940 --> 00:26:26.660
want to make them conform to this, but standardize

00:26:26.660 --> 00:26:28.579
so that we have a standard definition of these

00:26:28.579 --> 00:26:30.700
that we can then say, okay. is what they do,

00:26:30.779 --> 00:26:33.200
then what does that mean to us? And then we want

00:26:33.200 --> 00:26:34.740
to do the same thing on the business side. Like

00:26:34.740 --> 00:26:36.440
how does a business operate? It makes decisions

00:26:36.440 --> 00:26:39.160
about risk using money. There's all these different

00:26:39.160 --> 00:26:41.160
things about how a business operates. And we

00:26:41.160 --> 00:26:42.940
also need to document that so that we can then

00:26:42.940 --> 00:26:44.619
say, what does the security team need to do because

00:26:44.619 --> 00:26:47.039
of that? And so those are some of the different

00:26:47.039 --> 00:26:48.759
things that we're kind of covering as part of

00:26:48.759 --> 00:26:51.519
this body of knowledge with the security matrix

00:26:51.519 --> 00:26:54.240
and enterprise risk integration. And then we

00:26:54.240 --> 00:26:56.599
have the zero trust commandments and the security

00:26:56.599 --> 00:26:59.680
principles for architecture. There's about eight

00:26:59.680 --> 00:27:01.359
or 10 different components that we're putting

00:27:01.359 --> 00:27:04.359
together as like one holistic system. And we're

00:27:04.359 --> 00:27:06.779
embracing as much of the work out there from

00:27:06.779 --> 00:27:09.940
MITRE, from NIST, from Center for Internet Security,

00:27:10.160 --> 00:27:12.779
OWASP, et cetera. We're really trying to connect

00:27:12.779 --> 00:27:16.920
and fill in all the gaps, but use the stuff that's

00:27:16.920 --> 00:27:18.799
out there that's great, that works, and then

00:27:18.799 --> 00:27:21.400
fill in and put all the gaps in and the foundations

00:27:21.400 --> 00:27:25.000
underneath those houses. So, I mean, this

00:27:25.000 --> 00:27:26.880
has been quite a while being created, I guess.

00:27:27.059 --> 00:27:28.579
I mean, I can't imagine you guys came up with

00:27:28.579 --> 00:27:30.460
this overnight. So what sort of things did you

00:27:30.460 --> 00:27:32.440
learn along the way? I mean, things change as

00:27:32.440 --> 00:27:35.240
you're building this out. So any sort of lessons

00:27:35.240 --> 00:27:37.819
learned along the way? This has been an intense

00:27:37.819 --> 00:27:42.079
source of learning. I'll kind of go from the

00:27:42.079 --> 00:27:45.240
top a little bit. One of the big learnings for

00:27:45.240 --> 00:27:48.759
me was the fiduciary duty aspect and how important

00:27:48.759 --> 00:27:51.079
that was. Because I always knew that there was

00:27:51.079 --> 00:27:53.799
like this legal relationship that like officers

00:27:53.799 --> 00:27:56.740
have for a company as well as boards of directors.

00:27:57.000 --> 00:28:00.759
But I really wasn't as well versed in what fiduciary

00:28:00.759 --> 00:28:02.799
duty is, how it works, what the different duties

00:28:02.799 --> 00:28:05.599
are and whatnot. So that was a big learning.

00:28:06.200 --> 00:28:09.660
And especially because of how well it actually

00:28:09.660 --> 00:28:14.799
reflected what security should be at an organization

00:28:14.799 --> 00:28:18.680
because it really allowed us to show that, you

00:28:18.680 --> 00:28:21.000
know what, this is a risk to shareholder value.

00:28:21.200 --> 00:28:22.900
Now, at the end of the day, you know, those people

00:28:22.900 --> 00:28:25.059
in those seats, you know, if I'm a CEO, if I'm

00:28:25.059 --> 00:28:27.380
a board of directors, have to make judgment calls,

00:28:27.519 --> 00:28:30.160
right? Is this, you know, or even, you know,

00:28:30.180 --> 00:28:32.220
business line leaders or whatever, but is this

00:28:32.220 --> 00:28:34.799
something, a risk I want to accept? You know,

00:28:34.819 --> 00:28:36.619
because you've got different situations, right?

00:28:36.680 --> 00:28:39.619
If I'm looking at making, you know, if I can

00:28:39.619 --> 00:28:43.299
make $100 million with this business initiative,

00:28:44.029 --> 00:28:48.369
And I could have a $2 million incident. I'm going

00:28:48.369 --> 00:28:50.750
to make a certain kind of decision. Now, if it's

00:28:50.750 --> 00:28:52.309
the other way around, and this business initiative

00:28:52.309 --> 00:28:55.250
can make $2 million, but it could cost me $100

00:28:55.250 --> 00:28:58.029
million, and there's a good 60%, 70 % chance

00:28:58.029 --> 00:29:01.329
that it's in that $100 million or $50 to $150

00:29:01.329 --> 00:29:05.230
million range, then... that doesn't... that's going

00:29:05.230 --> 00:29:07.450
to make you drive to a different decision and

00:29:07.450 --> 00:29:10.170
so like really kind of getting in the heads of

00:29:10.170 --> 00:29:12.450
these different roles and working with them and

00:29:12.450 --> 00:29:14.289
kind of understanding that thought process as

00:29:14.289 --> 00:29:16.809
well as their fiduciary duty obligations that

00:29:16.809 --> 00:29:18.430
was like the... that was one of the big ones for

00:29:18.430 --> 00:29:20.390
me because I always knew that there was a reason

00:29:20.390 --> 00:29:22.410
why people were making these bad security decisions

00:29:22.410 --> 00:29:24.829
but it was really for a lack of understanding

00:29:24.829 --> 00:29:29.599
in a way. And then oftentimes a lack of understanding

00:29:29.599 --> 00:29:33.619
of the security risk. This is another learning

00:29:33.619 --> 00:29:35.240
for me, is the lack of it being communicated

00:29:35.240 --> 00:29:37.920
well. I threw something out on social media for

00:29:37.920 --> 00:29:41.559
the fun of it a couple weeks back. I've learned

00:29:41.559 --> 00:29:46.160
that when a security leader or a technology leader

00:29:46.160 --> 00:29:48.839
is talking a bunch of technical terms that business

00:29:48.839 --> 00:29:51.140
leaders don't understand, they kind of sound

00:29:51.140 --> 00:29:54.500
like Charlie Brown's mom, um, or Charlie Brown's

00:29:54.500 --> 00:29:56.980
teacher. Um, so, you know, there's this, you know,

00:29:56.980 --> 00:30:00.119
cartoon series called, um, Peanuts, um, and they

00:30:00.119 --> 00:30:02.400
had some various movies and TV specials and whatnot,

00:30:02.400 --> 00:30:05.140
and it was all about kids talking to each other.

00:30:05.140 --> 00:30:07.380
And so when the adults talk, they didn't really

00:30:07.380 --> 00:30:09.500
want the adults to take over the show, so they

00:30:09.500 --> 00:30:13.460
had this, like, kind of sound that they made from

00:30:13.460 --> 00:30:17.519
a trumpet. And when security people are talking

00:30:17.519 --> 00:30:19.900
to the business leaders, it sounds like that.

00:30:21.559 --> 00:30:23.740
And the security leaders are thinking in their

00:30:23.740 --> 00:30:25.599
head, I'm sorry, the business leaders are thinking

00:30:25.599 --> 00:30:28.160
in their head, I don't understand a word they

00:30:28.160 --> 00:30:30.779
said. I have no idea what they mean because we're

00:30:30.779 --> 00:30:32.619
talking about all sorts of IP addresses and port

00:30:32.619 --> 00:30:34.559
scans and crap that I have no idea what it is.

00:30:34.819 --> 00:30:36.880
So the only thing I'm taking away from this is

00:30:36.880 --> 00:30:39.769
it's a technical problem. And therefore, I'm

00:30:39.769 --> 00:30:41.849
expecting you to solve this technical problem.

00:30:42.190 --> 00:30:44.049
And so if there's an incident, I'm just going

00:30:44.049 --> 00:30:45.789
to blame you and hire someone that can solve

00:30:45.789 --> 00:30:48.349
this technical problem. But it's actually not

00:30:48.349 --> 00:30:50.809
a technical problem. It's a problem. And so you

00:30:50.809 --> 00:30:53.150
end up with this. The miscommunication is a huge,

00:30:53.210 --> 00:30:55.549
huge part of it. So that was a big thing that

00:30:55.549 --> 00:30:57.569
I saw. And then, of course, that accountability

00:30:57.569 --> 00:30:59.890
responsibility thing of the business leader making

00:30:59.890 --> 00:31:03.690
that decision and causing that risk. And then

00:31:03.690 --> 00:31:06.589
the security people being blamed for it. What

00:31:06.589 --> 00:31:09.769
that helped me understand was just that people

00:31:09.769 --> 00:31:13.289
don't understand a RACI, an R-A-C-I, or responsible,

00:31:13.529 --> 00:31:15.849
accountable, consulted, informed. People don't

00:31:15.849 --> 00:31:17.190
understand the difference between the decision

00:31:17.190 --> 00:31:20.390
maker and the experts that advise them and recommend

00:31:20.390 --> 00:31:23.750
things for them. And so there's a lot of confusion

00:31:23.750 --> 00:31:25.630
around that. That actually led to an entire part

00:31:25.630 --> 00:31:27.309
in the security rules and glossary standard.

00:31:27.569 --> 00:31:30.170
So the part one is the glossary, part two is...

00:31:30.599 --> 00:31:33.099
basically how to think about responsibility and

00:31:33.099 --> 00:31:36.000
accountability because we so often see security

00:31:36.000 --> 00:31:38.180
blame for things out of their control because

00:31:38.180 --> 00:31:39.900
they aren't able to communicate in terms that

00:31:39.900 --> 00:31:42.480
make sense and or those business leaders just

00:31:42.480 --> 00:31:44.279
don't feel accountable for it and don't feel

00:31:44.279 --> 00:31:45.880
like it's part of their job and it's just easier

00:31:45.880 --> 00:31:48.339
to blame the CISO or blame the security team.

00:31:49.420 --> 00:31:51.539
So those kind of things really kind of came into

00:31:51.539 --> 00:31:55.099
focus was some big learnings. Another one is

00:31:55.759 --> 00:31:59.440
These things are complicated, and you can't really

00:31:59.440 --> 00:32:02.259
effectively manage security risk without a security

00:32:02.259 --> 00:32:06.500
council. So when you think about a ransomware

00:32:06.500 --> 00:32:08.200
incident, for example, and this is either preparing

00:32:08.200 --> 00:32:09.920
for one and getting the organization ready and

00:32:09.920 --> 00:32:12.059
fixing the process ahead of time or dealing with

00:32:12.059 --> 00:32:14.960
one in a crisis, a ransomware attack is technical

00:32:14.960 --> 00:32:17.039
because it's going to affect the technical systems.

00:32:17.099 --> 00:32:19.670
You have to recover them. It's security because

00:32:19.670 --> 00:32:21.230
there's the threats and what do they do and what

00:32:21.230 --> 00:32:23.710
are they likely to ask for and this and that

00:32:23.710 --> 00:32:26.190
and can we negotiate with all that kind of security

00:32:26.190 --> 00:32:29.509
stuff, right? And then it's financial because

00:32:29.509 --> 00:32:31.049
they want to be paid on it and you have to figure

00:32:31.049 --> 00:32:32.970
out how to actually pay them Bitcoin and transfer

00:32:32.970 --> 00:32:34.609
the money from your accounts or whatever into

00:32:34.609 --> 00:32:38.900
it if you need to. We have to pay these criminals

00:32:38.900 --> 00:32:41.200
in order to do it. And, you know, are they associated

00:32:41.200 --> 00:32:42.859
with the terrorists? We're paying criminals,

00:32:43.259 --> 00:32:46.240
right? Is there legal aspects? Is that even legal,

00:32:46.380 --> 00:32:49.559
right? So, like, you can't possibly deal with

00:32:49.559 --> 00:32:51.539
security risk without all of those stakeholders

00:32:51.539 --> 00:32:54.119
working together and figuring out a policy and

00:32:54.119 --> 00:32:56.640
a process and how you're going to deal with this.

00:32:56.759 --> 00:32:58.920
And so, like, the importance of a security council

00:32:58.920 --> 00:33:00.799
is not just a nice-to-have thing. It's not

00:33:00.799 --> 00:33:03.319
like, oh, it would be good if they talked. No,

00:33:03.380 --> 00:33:05.319
it's, like, existential if you're going to be

00:33:05.319 --> 00:33:08.609
able to actually deal with these business-disrupting

00:33:08.609 --> 00:33:11.769
types of attacks. I mentioned earlier the words

00:33:11.769 --> 00:33:13.849
matter, right? That was a big learning about

00:33:13.849 --> 00:33:17.549
the incident, the compromise, the breach. I picked

00:33:17.549 --> 00:33:19.190
up some interesting learnings about trust and

00:33:19.190 --> 00:33:21.690
trustworthiness, because trust is a human feeling

00:33:21.690 --> 00:33:24.250
about whether or not I'm going to trust you and

00:33:24.250 --> 00:33:27.990
take your information at face value. But trustworthiness

00:33:27.990 --> 00:33:31.549
is much more of a technical specific thing that

00:33:31.549 --> 00:33:33.609
you can actually have measurable attributes of.

00:33:33.710 --> 00:33:35.789
These are some different things about trustworthiness

00:33:35.789 --> 00:33:38.049
that then inform that decision of trust by somebody

00:33:38.049 --> 00:33:40.950
else. And so that was a really interesting insight

00:33:40.950 --> 00:33:45.029
I picked up along the way. Oh, this one was really

00:33:45.029 --> 00:33:47.690
interesting. Going through the SOC one. I didn't

00:33:47.690 --> 00:33:49.210
realize until we were writing up some of the

00:33:49.210 --> 00:33:51.539
things that, hey, security operations really

00:33:51.539 --> 00:33:53.960
needs to be part of your architecture review

00:33:53.960 --> 00:33:55.539
board, your solution review board, whatever you

00:33:55.539 --> 00:33:57.299
call it when your solutions go through and they

00:33:57.299 --> 00:33:59.740
get approved to go on the production environment.

00:34:00.220 --> 00:34:03.400
If you don't have security operations either

00:34:03.400 --> 00:34:07.440
as a stakeholder there or as represented by an

00:34:07.440 --> 00:34:10.139
architect that knows about it, they're not going

00:34:10.139 --> 00:34:13.300
to turn on logs. That's just going to often happen.

00:34:13.360 --> 00:34:16.179
People skip the logs. And the interesting thing

00:34:16.179 --> 00:34:18.440
that we learned there is if you don't turn on

00:34:18.440 --> 00:34:20.280
the logs, you're signing up for a minimum of

00:34:20.280 --> 00:34:22.659
two incidents because you're going to have one.

00:34:23.179 --> 00:34:25.039
You're not going to know what happens. You can't

00:34:25.039 --> 00:34:27.460
investigate it. And therefore, you know, after

00:34:27.460 --> 00:34:30.960
you get the very, very sloppy cleanup done, you

00:34:30.960 --> 00:34:33.199
can't do a root cause analysis to figure out

00:34:33.199 --> 00:34:34.880
what the heck went wrong and how did they get

00:34:34.880 --> 00:34:37.719
into that system. And so you're signing up for

00:34:37.719 --> 00:34:40.119
a second one after you turn on the logs or enable

00:34:40.119 --> 00:34:42.059
the logs or turn it on in the code or actually

00:34:42.059 --> 00:34:46.940
put the logging code into your software. And

00:34:46.940 --> 00:34:50.260
then you're going to have a second incident where

00:34:50.260 --> 00:34:51.480
you're actually going to find out what it was.

00:34:51.519 --> 00:34:53.000
Then you can do the root cause analysis. Then

00:34:53.000 --> 00:34:55.400
you can block it. So even if you do everything

00:34:55.400 --> 00:34:57.360
right when you don't have logs, you're signing

00:34:57.360 --> 00:34:59.460
up for two incidents. And that one was like a

00:34:59.460 --> 00:35:03.340
whoa kind of moment, like wow. Logs are really,

00:35:03.480 --> 00:35:05.789
really important. So those are kind of the big

00:35:05.789 --> 00:35:08.150
learnings that I picked up. Yeah, I'm working

00:35:08.150 --> 00:35:10.409
on some material right now for the red team.

00:35:10.750 --> 00:35:14.090
And I think I mentioned this before, but when

00:35:14.090 --> 00:35:17.409
we do a readout of a red team operation, it's

00:35:17.409 --> 00:35:19.829
amazing how many times there are weaknesses in

00:35:19.829 --> 00:35:22.510
the log files. Something's not logged, or perhaps

00:35:22.510 --> 00:35:24.630
there's a column missing in the logs that would

00:35:24.630 --> 00:35:27.010
have been really interesting, or perhaps there's

00:35:27.010 --> 00:35:31.429
not a correct alert set up on the logs. One thing

00:35:31.429 --> 00:35:34.590
that we have, an event is deemed, air quotes,

00:35:34.769 --> 00:35:38.730
detected when someone is actually alerted to

00:35:38.730 --> 00:35:41.489
it and responds to it, accepts that they've received

00:35:41.489 --> 00:35:45.130
it. So yeah, we found that just simple logging

00:35:45.130 --> 00:35:48.130
is incredibly beneficial. By logging, I mean

00:35:48.130 --> 00:35:50.889
like secure logging. So for example, storing

00:35:50.889 --> 00:35:53.570
logs in perhaps immutable storage or having them

00:35:53.570 --> 00:35:57.769
shipped off to some kind of monitoring environment

00:35:57.769 --> 00:36:01.030
so that they are away from the actual, air quotes,

00:36:01.030 --> 00:36:03.570
you know, sort of battle zone. Yeah, logging

00:36:03.570 --> 00:36:06.690
is huge, absolutely huge. Oh, yeah, and the adversaries

00:36:06.690 --> 00:36:09.230
love to wipe those, right? Because, I mean, it's

00:36:09.230 --> 00:36:11.650
just like, you know, they wipe the security cameras

00:36:11.650 --> 00:36:14.110
and all the, you know, the badge ins and the

00:36:14.110 --> 00:36:16.090
badge outs of the building for a physical break-

00:36:16.090 --> 00:36:18.150
in so that people don't know when and how they

00:36:18.150 --> 00:36:20.909
got in, right? Like, it's the same exact concept.

00:36:21.010 --> 00:36:22.530
Like, if you don't have a record, you don't know

00:36:22.530 --> 00:36:24.530
what the heck happened. But remember, collection

00:36:24.530 --> 00:36:27.070
is not detection, Mark, which is your favorite

00:36:27.070 --> 00:36:31.420
phrase. Yeah, and logging off is blindness. And

00:36:31.420 --> 00:36:35.099
that's why the red team has a very hard definition

00:36:35.099 --> 00:36:38.199
of if something's been responded to or not detected.

00:36:38.719 --> 00:36:40.739
It's not just the fact that it's logged, it's

00:36:40.739 --> 00:36:42.679
the fact that someone was alerted to it and someone

00:36:42.679 --> 00:36:45.739
actually responded to it. When you think about

00:36:45.739 --> 00:36:51.000
the overall industry at large, security and the

00:36:51.000 --> 00:36:53.920
level of knowledge that we have today about how

00:36:53.920 --> 00:36:57.809
determined the attackers are. That was not a

00:36:57.809 --> 00:37:00.329
priority, and we didn't know that much about

00:37:00.329 --> 00:37:02.809
where the threats would actually go to 20, 30,

00:37:02.869 --> 00:37:05.690
40 years ago. So all these systems are built

00:37:05.690 --> 00:37:07.949
with the assumption that it's a safe internet,

00:37:08.250 --> 00:37:12.130
right? And so it takes a while to retrofit that

00:37:12.130 --> 00:37:14.670
stuff back into every system that we designed

00:37:14.670 --> 00:37:17.409
as a society for the past 20, 30 years, and the

00:37:17.409 --> 00:37:19.389
people that are doing it, because it's ultimately

00:37:19.389 --> 00:37:21.690
the people that are coding this stuff. Yeah,

00:37:21.789 --> 00:37:23.750
actually talking about coding stuff and alerting

00:37:23.750 --> 00:37:27.030
and et cetera, et cetera. Under the Secure Future

00:37:27.030 --> 00:37:30.190
initiative at Microsoft, there's a huge initiative

00:37:30.190 --> 00:37:33.730
going on to get product groups to focus on using

00:37:33.730 --> 00:37:37.489
OpenTelemetry or OTEL for their logging infrastructure.

00:37:38.170 --> 00:37:41.010
And the reason for doing that is that way it's

00:37:41.010 --> 00:37:47.349
a very well -respected library and format. And

00:37:47.349 --> 00:37:50.329
it also allows you to log to all sorts of different,

00:37:51.610 --> 00:37:54.309
and you can change it on the fly without changing

00:37:54.309 --> 00:37:57.010
code. So that's actually really cool as well.

00:37:57.130 --> 00:38:02.070
So yeah, if you're looking at a way of logging

00:38:02.070 --> 00:38:05.070
in your own applications, then do look at OpenTelemetry.

00:38:05.429 --> 00:38:09.909
So what do we expect people to use this glossary,

00:38:09.969 --> 00:38:14.369
all of this for? What's the vision there, Mark?

00:38:15.559 --> 00:38:19.219
We're fairly ambitious on this because the number

00:38:19.219 --> 00:38:21.260
one thing, and it's not the one that's literally

00:38:21.260 --> 00:38:25.079
written into the standards, but we want to have

00:38:25.079 --> 00:38:27.860
people have better and more informed conversations.

00:38:28.500 --> 00:38:31.780
So instead of the CISO sort of being on the defense

00:38:31.780 --> 00:38:33.780
and being stuck with trying to influence people

00:38:33.780 --> 00:38:36.980
that don't care and aren't paid to care. We want

00:38:36.980 --> 00:38:40.659
to see the conversation change where, listen,

00:38:40.820 --> 00:38:42.920
this is a part of your fiduciary duty and I'm

00:38:42.920 --> 00:38:46.380
here to help you. Think of me as a subject matter

00:38:46.380 --> 00:38:48.800
expert to help keep you from going into jail.

00:38:49.500 --> 00:38:52.960
I'm your friend to help you here. As opposed

00:38:52.960 --> 00:38:54.800
to, I'm the scapegoat you're going to fire every

00:38:54.800 --> 00:38:59.630
18 to 24 months when something goes wrong. We

00:38:59.630 --> 00:39:02.530
really want to catalyze that different kind of

00:39:02.530 --> 00:39:04.429
conversation to a much more healthy, productive

00:39:04.429 --> 00:39:09.750
conversation. A more professional way of describing

00:39:09.750 --> 00:39:12.769
that is just doing organizational planning better

00:39:12.769 --> 00:39:15.050
for those business leaders and technology leaders

00:39:15.050 --> 00:39:20.269
and security leaders as well. We want to see

00:39:20.269 --> 00:39:23.449
people use these to influence how they do the

00:39:23.449 --> 00:39:26.670
entire life cycle of security jobs, right? Because

00:39:26.670 --> 00:39:29.769
you want to make sure that you're structuring

00:39:29.769 --> 00:39:31.650
the jobs that you're going to be hiring people

00:39:31.650 --> 00:39:34.550
for and as you're creating for, that you're evaluating

00:39:34.550 --> 00:39:37.170
people of can you as a candidate actually do

00:39:37.170 --> 00:39:39.309
this? And these are some objective things that

00:39:39.309 --> 00:39:41.909
you can learn and master and get good at so that

00:39:41.909 --> 00:39:45.110
the expectations are a lot clearer for candidates

00:39:45.110 --> 00:39:47.489
and employers, et cetera. And then how are you

00:39:47.489 --> 00:39:49.900
doing as an employee against, from a performance-wise,

00:37:49.900 --> 00:37:51.739
and are you actually meeting what the

00:39:51.739 --> 00:39:54.760
requirements of the job are? And then if I'm

00:39:54.760 --> 00:39:57.760
an individual, my career planning, where do I

00:39:57.760 --> 00:40:00.019
go next after this job, and how do I plan for

00:40:00.019 --> 00:40:03.360
it, and what skills do I learn? And even if you're

00:40:03.360 --> 00:40:06.539
doing outsourcing, the jobs to be done don't

00:40:06.539 --> 00:40:09.400
change, whether it's done by a contractor or

00:40:09.400 --> 00:40:11.300
done by an external company or an organization.

00:40:11.559 --> 00:40:14.239
So this gives you a lot of clarity for what...

00:40:14.460 --> 00:40:16.960
what am I actually asking for when I'm trying

00:40:16.960 --> 00:40:19.960
to do an outsourcing contractor? They gave me

00:40:19.960 --> 00:40:22.679
a proposal. So which jobs are you actually doing

00:40:22.679 --> 00:40:25.059
and how much of these are you doing? So we were

00:40:25.059 --> 00:40:27.679
really trying to get to much clearer, much more

00:40:27.679 --> 00:40:31.619
effective conversations on this. And then the

00:40:31.619 --> 00:40:33.380
other thing I've been thinking about a lot lately

00:40:33.380 --> 00:40:36.820
is as AI comes in and it's starting to be able

00:40:36.820 --> 00:40:41.239
to automate some tasks. A job is just a collection

00:40:41.239 --> 00:40:44.400
of functions, right? It's just those responsibilities

00:40:44.400 --> 00:40:48.840
or accountabilities that you do as a tier one

00:40:48.840 --> 00:40:52.519
triage analyst or a tier two investigation analyst

00:40:52.519 --> 00:40:54.559
or a threat hunter or a threat intelligence role

00:40:54.559 --> 00:40:58.920
or whatever. And so as these things, you know,

00:40:58.920 --> 00:41:00.780
as you define it, that's the role. And then they

00:41:00.780 --> 00:41:02.300
have these tasks, right? Because it's that collection

00:41:02.300 --> 00:41:05.800
of tasks. But then, I'm sorry. The role is a

00:41:05.800 --> 00:41:08.980
collection of functions, responsibilities or

00:41:08.980 --> 00:41:11.699
accountabilities. And so those functions, in

00:41:11.699 --> 00:41:14.179
order to do them, you need to have and execute

00:41:14.179 --> 00:41:16.820
a bunch of different tasks, which depend on your

00:41:16.820 --> 00:41:19.179
organization and your tools and your process

00:41:19.179 --> 00:41:20.679
and whatever. What are the tasks to actually

00:41:20.679 --> 00:41:22.840
investigate are going to be a little different

00:41:22.840 --> 00:41:25.780
depending on that. And then the AI is what is

00:41:25.780 --> 00:41:27.820
going to be partially or fully automating the

00:41:27.820 --> 00:41:30.400
task. So this helps give you a structure that's

00:41:30.400 --> 00:41:32.599
a little bit clearer that says, at least I know

00:41:32.599 --> 00:41:34.420
what this person's job is and the functions of

00:41:34.420 --> 00:41:35.940
it. Then I can say, these are the tasks to do

00:41:35.940 --> 00:41:39.699
it in our world, in our company. And then you

00:41:39.699 --> 00:41:41.980
can say, okay, is AI going to do 10% of this

00:41:41.980 --> 00:41:44.840
task, 20% of this, 60% of this, 0% of this,

00:41:44.920 --> 00:41:48.159
100% of this task. And you can make those much

00:41:48.159 --> 00:41:50.960
more informed decisions because you can put those

00:41:50.960 --> 00:41:54.639
tasks against one of those job functions for

00:41:54.639 --> 00:41:57.500
a role and see, okay, well, this is on average

00:41:57.500 --> 00:42:00.840
about 12% impact for AI that they can automate

00:42:00.840 --> 00:42:02.900
this as opposed to, oh, this looks like something

00:42:02.900 --> 00:42:05.460
we can just outsource and dump. And so it gives

00:42:05.460 --> 00:42:07.260
you the ability to have a much more informed

00:42:07.260 --> 00:42:09.960
and thoughtful and structured conversation. Now,

00:42:09.960 --> 00:42:11.480
the standards don't take it down to that task

00:42:11.480 --> 00:42:14.800
level, but at least you have something to map

00:42:14.800 --> 00:42:17.219
the tasks in your organization too. And then

00:42:17.219 --> 00:42:19.179
you can say how much of AI is doing this and

00:42:19.179 --> 00:42:21.639
do we want to outsource it to AI? Because great,

00:42:21.679 --> 00:42:24.099
it makes everything faster or do we actually

00:42:24.099 --> 00:42:26.079
really really want to pay a human to do this

00:42:26.079 --> 00:42:29.000
because if we lose this institutional knowledge

00:42:29.000 --> 00:42:32.219
on how to do this, we're toast? Or, you know, do

00:42:32.219 --> 00:42:34.380
if we take a human out of the loop then are they

00:42:34.380 --> 00:42:37.900
going to be making immoral, unethical, and/or

00:42:38.969 --> 00:42:41.369
decisions we can't actually defend in a court

00:42:41.369 --> 00:42:43.889
of law if something goes wrong, right? Like, because

00:42:43.889 --> 00:42:45.710
you need to have a human in there to approve

00:42:45.710 --> 00:42:48.530
that. Otherwise, why did you trust the computer

00:42:48.530 --> 00:42:51.170
to do this when it wouldn't, when it wouldn't

00:42:51.170 --> 00:42:54.050
do the same thing every time? And so, you know,

00:42:54.050 --> 00:42:57.250
we're really looking to help bring a lot of clarity

00:42:57.250 --> 00:43:00.360
for like both the human side of it, but also

00:43:00.360 --> 00:43:02.860
like what AI is starting to do to those roles

00:43:02.860 --> 00:43:04.880
to give it some structure so you can understand

00:43:04.880 --> 00:43:07.599
that impact and having meaningful structured

00:43:07.599 --> 00:43:10.519
conversation rather than kind of an ad hoc. I

00:43:10.519 --> 00:43:12.500
don't know. It seems like it does what Joe does,

00:43:12.519 --> 00:43:14.880
right? Like that's not a good way to do stuff.

00:43:16.360 --> 00:43:19.059
So, Mark, seeing as you are technically our guest

00:43:19.059 --> 00:43:21.659
this week, we're going to hit you with the...

00:43:21.659 --> 00:43:23.619
But I'm not a special guest, as Michael reminded

00:43:23.619 --> 00:43:25.559
me, by the way. No, you're not a special guest,

00:43:25.679 --> 00:43:30.300
but you are the guest. So, I'm going to hit you

00:43:30.300 --> 00:43:32.320
with the questions we hit everyone with, which

00:43:32.320 --> 00:43:37.719
is, what's a day in the life of Mark like? And

00:43:37.719 --> 00:43:40.500
you can take them in whichever order you want.

00:43:42.279 --> 00:43:44.179
If you had a final thought for the listeners,

00:43:44.400 --> 00:43:48.199
what would it be? I'm going to be a bit of a

00:43:48.199 --> 00:43:49.760
rebel and I'm going to take the final thought

00:43:49.760 --> 00:43:51.579
first because, you know, what the hey, I'm not

00:43:51.579 --> 00:43:55.360
a special guest, but I am a host normally. The

00:43:55.360 --> 00:43:58.079
big thing, my final thought on this one is really,

00:43:58.519 --> 00:44:02.920
I would just ask people to take a look at these

00:44:04.059 --> 00:44:06.460
and give us some feedback and think through this

00:44:06.460 --> 00:44:08.840
and tell us how you would use it. That's sort

00:44:08.840 --> 00:44:11.099
of my big thing on this one is that we're really,

00:44:11.159 --> 00:44:13.699
really interested to see how people are seeing

00:44:13.699 --> 00:44:16.579
this, how they're going to use it. That's my

00:44:16.579 --> 00:44:20.019
big thing is we're hoping that this has a significant

00:44:20.019 --> 00:44:23.059
positive impact in the industry and makes everybody's

00:44:23.059 --> 00:44:25.599
lives better. But in order to do that, we need

00:44:25.599 --> 00:44:27.559
folks to read it, to share it, to talk about

00:44:27.559 --> 00:44:30.420
it, to use it in their conversations at work.

00:44:30.559 --> 00:44:32.920
And so very, very interested in people's thoughts

00:44:32.920 --> 00:44:36.679
and feedback on that. So a day in the life for

00:44:36.679 --> 00:44:40.860
me is very interesting. I'm sure like every other

00:44:40.860 --> 00:44:43.760
architect, there isn't one day in the life. It's

00:44:43.760 --> 00:44:46.880
sort of an aggregate and each day is a little

00:44:46.880 --> 00:44:50.619
bit or a lot different than the other ones. For

00:44:50.619 --> 00:44:54.949
me, it's kind of a mix of different things. There's

00:44:54.949 --> 00:44:56.690
a lot of different kinds of content creation.

00:44:57.429 --> 00:45:00.570
So either for my Microsoft day job in the security

00:45:00.570 --> 00:45:03.010
adoption framework and MCRA and CISO workshop

00:45:03.010 --> 00:45:08.110
and whatnot, creating content there to help our

00:45:08.110 --> 00:45:12.409
field help our customers, quite frankly. Sometimes

00:45:12.409 --> 00:45:14.389
I'm doing some training and readiness events.

00:45:14.710 --> 00:45:16.630
Sometimes I'm working directly with customers

00:45:16.630 --> 00:45:19.489
on how do we plan our AI security and whatnot.

00:45:19.630 --> 00:45:22.190
I've got a couple of customer engagements coming

00:45:22.190 --> 00:45:28.070
up on that. So there's a lot of those kind of

00:45:28.070 --> 00:45:29.809
things. There's the field readiness, the customer

00:45:29.809 --> 00:45:32.869
direct pieces. There's the working on these standards

00:45:32.869 --> 00:45:35.969
as well. And then sometimes mapping to those

00:45:35.969 --> 00:45:38.210
standards with the Microsoft guidance and whatnot

00:45:38.210 --> 00:45:40.369
to make sure that we're staying compliant with

00:45:40.369 --> 00:45:43.190
both, not compliant, but mapping to and aligned

00:45:43.190 --> 00:45:47.869
with the various different standards from the

00:45:47.869 --> 00:45:50.110
open group, from CIS, from NIST, et cetera, and

00:45:50.110 --> 00:45:53.710
helping people connect the dots on that. Just

00:45:53.710 --> 00:45:57.030
random internal kind of administrative stuff

00:45:57.030 --> 00:46:01.190
like every job has. I've got some events here

00:46:01.190 --> 00:46:06.809
and there from the open group and announcing

00:46:06.809 --> 00:46:08.590
this at the open group conference and whatnot.

00:46:09.250 --> 00:46:11.070
So it's just kind of a hodgepodge of different

00:46:11.070 --> 00:46:13.489
things, all sort of thematically aligned around

00:46:13.489 --> 00:46:15.849
how do we help customers get better at security

00:46:15.849 --> 00:46:19.170
and then see how to use Microsoft products to

00:46:19.170 --> 00:46:21.510
do that. So yeah, it's kind of a day in the life.

00:46:22.349 --> 00:46:24.469
Very cool. All right, let's wrap this episode

00:46:24.469 --> 00:46:29.650
up. As always, we always learn something on each

00:46:29.650 --> 00:46:32.650
episode. I think what sets this episode apart

00:46:32.650 --> 00:46:34.650
is we didn't really talk about products, other

00:46:34.650 --> 00:46:38.690
than in the news. And this is such an important

00:46:38.690 --> 00:46:41.769
part of the overarching cybersecurity landscape.

00:46:43.090 --> 00:46:45.010
Certainly when I was in Microsoft Services, I

00:46:45.010 --> 00:46:47.590
certainly learned a lot about this kind of stuff,

00:46:47.650 --> 00:46:51.440
basically from customers. And most people learned

00:46:51.440 --> 00:46:53.340
it from a lot of the material that you had written.

00:46:53.960 --> 00:46:57.179
I know that guy. So anyway, let's bring this

00:46:57.179 --> 00:46:58.679
episode to an end. Again, thank you, Mark, for

00:46:58.679 --> 00:47:00.099
joining us, even though you were going to be

00:47:00.099 --> 00:47:01.860
here anyway because you're a co-host. But hey,

00:47:01.920 --> 00:47:03.860
you're not a special guest. You're just a guest.

00:47:04.400 --> 00:47:06.639
I'm just saying that tongue-in-cheek. And to

00:47:06.639 --> 00:47:08.039
all our listeners out there, we hope you found

00:47:08.039 --> 00:47:10.539
this episode of interest. If you'd like to hear

00:47:10.539 --> 00:47:12.980
more stuff that's not just product-related,

00:47:13.000 --> 00:47:17.889
let us know. We will go wherever people want

00:47:17.889 --> 00:47:19.889
to take us. I mean, if they want to learn certain

00:47:19.889 --> 00:47:22.650
things, then we will happily cover those topics.

00:47:23.010 --> 00:47:26.030
So stay safe and we'll see you next time. Thanks

00:47:26.030 --> 00:47:27.989
for listening to the Azure Security Podcast.

00:47:28.449 --> 00:47:31.409
You can find show notes and other resources at

00:47:31.409 --> 00:47:35.989
our website, azsecuritypodcast.net. If you have

00:47:35.989 --> 00:47:39.170
any questions, please find us on Twitter at AzureSecPod.

00:47:40.199 --> 00:47:43.760
Background music is from ccmixter.com and licensed

00:47:43.760 --> 00:47:45.719
under the Creative Commons License.
