The Progress Report

A changing threat landscape: How does continuous global instability impact your cybersecurity strategy?

Episode Summary

Listen in as our experts explore the changing risk landscape and the potential implications for organizations across industries. Find out how leaders are responding, and what’s driving the growing trend towards a zero-trust response.

Episode Notes

The world is increasingly unpredictable, and every global health crisis, extreme weather event, and geopolitical conflict exposes your business to increased risk. Listen in as our experts explore the changing risk landscape and the potential implications for organizations across industries. Find out how leaders are responding, and what’s driving the growing trend towards a zero-trust response. We’ll discuss the pros and cons of zero trust and share how to overcome common challenges with a practical approach to enterprise adoption.

Hear from our guests Kris Lovejoy, Global Practice Leader, Security & Resiliency, Kyndryl; Bryan Sartin, Vice President, Security & Resiliency, Kyndryl; Jimmy Nilsson, Director, Advisory & Implementation Services, Kyndryl.

Episode Transcription

Nel Akoth [00:00:02] Thank you so much for joining our very first podcast! My name is Nel Akoth, Kyndryl's Chief Transformation Officer. On today's episode, we will be discussing the changing threat landscape and how continuous global instability might impact your cybersecurity strategy. As we all experience in our daily lives, the world is getting more and more unpredictable. With every global health crisis, with every extreme weather event, the geopolitical conflict, whatever it may be, businesses are exposed to volatility and increased risk. Today, we'll explore the changing risk landscape and the potential implications for organizations across industries. Without further ado, I am honored and excited to be joined today by three great experts: Kris Lovejoy, Kyndryl's Global Practice Leader for Security Resilience; Bryan Sartin, Kyndryl's Vice President for Security and Resilience; and Jimmy Nilsson, Kyndryl's Director of Advisory and Implementation Services. Kris, Bryan and Jimmy, welcome. We are so eager to hear from you as deep experts in this space. So let's get started with a little bit of introduction of yourselves. Kris, let me start with you.

Kris Lovejoy [00:01:33] Sure, and Nel, first of all, thank you for having me. And second, this is so cool. I'm really very honored to be part of your first podcast, and I know this is going to be a great conversation. I'm looking forward to lots of other conversations to come. 

Nel Akoth [00:01:51] Kris, I'm really happy to have you here. Bryan?

Bryan Sartin [00:01:54] Yes. Thank you, Nel. Bryan Sartin, advisory and implementation services, security and resiliency leader. I'm based in Dallas. And I'm excited to be here and a good opportunity to talk leading edge and bleeding edge in the security world and look forward to the conversation. 

Nel Akoth [00:02:09] Really great to have you, Bryan. Thanks for joining. Jim, welcome. 

Jimmy Nilsson [00:02:13] Thank you, Nel. I'm also very excited to be here. Our first podcast and the topic is Zero Trust, which is very dear to my heart. So very excited. 

Nel Akoth [00:02:23] Really, really great. And we are all so eager to hear from you again as deep experts in this space of cybersecurity. So I'd love to start our conversation today by actually talking about our listeners. Now, I expect we have folks listening in today from across a multitude of backgrounds: deep technologists, developers, cybersecurity specialists and C-suite business executives. So Kris, my first question is really for them. How should our different audiences, whether it's the C-suite business executive versus the cybersecurity practitioner, how should they be thinking about this topic?

Kris Lovejoy [00:03:08] That's a great question. And I think one of the most perplexing parts of being a CISO. And, you know, just from a background perspective, I spent many years as a CISO, CISO of IBM, and I've been a practitioner for almost 30 years now. One of the hardest jobs that we as practitioners have is communicating risk and the value of remediating risk to C-suites. Part of the problem is that there's a lot of news and there's a lot of, you know, fear, uncertainty and doubt that is spread in the news. And a lot of executives and practitioners have a hard time in sort of separating, you know, what's in the news from reality. Managing security is all about managing a business risk. And I want to emphasize that, because that is one of the hard things for us to talk about as a field. And when you think about that risk, you know, how does it work? As a practitioner, when I'm thinking about managing cyber risk, I'm thinking about it within the context of what is essentially a mathematical formula. If there's a threat and that threat actor has some capability to exploit a vulnerability, and that vulnerability can be a weakness in security configuration - missing a patch could be, you know, whatever the case may be - and create an impact that could be stealing data or disrupting the services, then there is a cyber risk that one needs to pay attention to. Now, the question is, do you spend money in that process? Now, if the threat is big enough and the vulnerability exploit is big enough and the impact is big enough, then yes. Threat, times vulnerability, times impact, then you as a practitioner need to implement the controls to mitigate the threat or reduce the number of vulnerabilities that are exposed or reduce the impact. That all makes sense, right? People can get their heads around that part. Now, how do you actually quantify the value of the thing you implement to keep something from happening? That's a really hard conversation to have.
And so the security practitioners that are out there listening to this, you're probably shaking your head and saying, "Yeah, how do I prove the fact that the money I spend today to mitigate the risk tomorrow actually makes sense?" The business of security is hard simply because of that reason, that kind of disconnection, the cognitive dissonance, if you will, between the C-suite and the practitioners.

Nel Akoth [00:05:40] Yeah, Kris, you're very right. I mean, what I really honed in on is really that value of remediating risk. It's hard for most of these practitioners to really say how much is enough or too much. So it really resonates, the value of remediating risks. Bryan, we again have this different audience in mind. How have you seen the threat landscape changing from just a decade ago? What are some of the things that continue to evolve?

Bryan Sartin [00:06:08] You know, you rewind the clock ten years ago and you look at the real world breaches, what you heard about, what had the greatest splash in the public spectrum were financially motivated cyber attacks. Attacks against credit card, debit card data, check, wire transfer, also combinations of publicly identifiable or personally identifiable information together with consumer records that together set the stage for, you know, more impactful, more insidious forms of identity fraud. And it was, you know, all about back then compromising unauthorized access, compromising data that could be easily converted into cash. And that's changed. Now you look at these attacks and these are different. There are so many ways to disrupt, to damage, to take offline, to publicly humiliate a particular victim: be that an individual, be it an executive at an enterprise or a government agency. Stealing information is one of the many hundreds or thousands of ways that you can negatively impact an enterprise in the public spectrum. And that's something that we've seen so much of lately, especially in a shift towards different types of victim enterprises.

Nel Akoth [00:07:16] But, you know, you talked about people and said there are too many ways of negatively impacting a business. Now, are there certain industries that are being affected more than others? And why might this be?

Bryan Sartin [00:07:31] Oh, unquestionably. And the answer to that question is not unlike the evolution that we've seen in breaches over the last ten years. You know, back in the days of 97 plus percent of the attack landscape involving financial data or, let's say, involving financially motivated attacks anyway, the victims predominantly back then, they were banks, they were data processors, credit card processors. You also saw insurance, largely financial services, but retailers also played such a big role in that. And it's incredible how all of that has shifted. We've seen a very big shift over the last 5 to 7 years, especially as you've had a rollout of chip and PIN or EMV type technologies around the globe. The traditional brick-and-mortar retailers are suffering far fewer breaches these days. And almost all of that attack surface has now shifted towards the e-commerce merchant, anybody with a shopping cart accepting payments online very much in the crosshairs these days. But as you look across to other sectors now, I think some of the items that I want to point out are public sector, federal, state and local government agencies, cities, municipalities, for example, and espionage and ideologically motivated attacks. These things are typically targeting critical infrastructure, and this has been the case and will continue to be for the next several years. So oil and gas, utilities, water districts, power - just to name a few - transportation and logistics, for instance, some manufacturing, food processing, some of the very same services that citizens, you know, in a given country or part of the world depend on every day, these traditionally are the targets. Expect that type of thing to continue.

Nel Akoth [00:09:04] Oh, my goodness. Kris, I saw you shaking your head and I don't know if you had something to add, but I have a question for you, too, which is: you talked about the news, and just picking off of what Bryan just said, that, you know, you hear a lot of these breaches and attacks publicly, but you don't get to see many. And I'm just wondering why it is that they are so pervasive and growing every day. Is it just hype, or are there things that the audience here should really be honing in on?

Kris Lovejoy [00:09:33] Typically speaking, what we see in the industry is that those organizations that are more highly regulated tend to do a more effective job of managing security because they are required to implement controls. That's kind of the good and the bad about, you know, sort of compliance regulations. So you would say in general, those that aren't regulated tend to have more issues. Now, one of the challenges that Bryan was pointing out and that you're just indicating is that what we see in the news is not reflective of what's really happening. Statistically, you could look at the sort of disclosure reports and say, "oh, because of the disclosures, this particular industry is in the crosshairs," but that's not actually how it works. I mean, the problem is that if you look at ransomware - and this is something that most people don't understand - ransomware is typically not a disclosable event. The way the regulations are written is you must disclose if data has been exfiltrated from the organization. So that is proving that the attacker got in and not only saw the data, but took the data. Now within a lot of ransomware events, they just looked at it; they encrypted it. It's not like it got exfiltrated. So what's happening is they're not feeling the obligation to actually disclose under those requirements. What we're seeing in the news is only the tip of the iceberg. There is a whole lot more that's going on underneath. And in fact, for every one disclosure, there are probably 99 organizations that are actually paying the ransom.

Nel Akoth [00:11:06] Jimmy, I'm going to turn this to you and say…

Jimmy Nilsson [00:11:08] Yeah. 

Nel Akoth [00:11:08] You and your teams advise business leaders on cybersecurity best practices. So, you know, just listening in on, you know, the exchange Bryan and I were just having here and all the things going on, how do you see leaders responding to this changing threat landscape? And in other words, you know, how has their approach to cybersecurity evolved?

Jimmy Nilsson [00:11:28] Yeah, it's a good question. And I want to expand a little bit on the drivers before I answer your question. We have talked so far a lot about the sophistication of the threats. Bryan mentioned the APTs of the world, but also social engineering and ransomware, which is fairly simple to execute. Kris mentioned the regulatory requirements and the expansions there. So we have had GDPR and PCI DSS for a long time. But we also have a new era where governments are now starting to regulate, to mandate agencies in this case to adopt zero trust, as an example. And then you have digital transformation, right? We have the adoption of cloud, which is not something new; it has been going on for years. But there are a few other trends that are emerging now. I see customers start adopting more of this IT/OT convergence. I see now clients are actually taking the opportunity to advance their business by connecting IT and OT environments. And then you have 5G and edge compute, which will also open up new doors for companies, but also make the environment to protect much more complex. And then last but not least, the workload and workforce distribution. With the ongoing pandemic, we're now seeing that, you know, more or less everybody is working from home or from different locations. I don't think that will change any time soon; even when the pandemic is behind us, we will have a different environment to protect going forward. And therefore, I think we also need to see calls for a new security architecture, different from what we have historically been used to, and implement that in enterprises.

Nel Akoth [00:13:23] As our listeners may know, Kyndryl modernizes and manages the world's most mission critical systems. And I want to talk about the attacks against critical infrastructure. So, Jimmy, you mentioned Zero Trust. And to me, zero trust is upside down in my head because, you know, as you build, you're protecting yourself. I would imagine that you trust the structure you have in place, but it says you really should not trust it. So, Kris, you know, there is also a growing trend around this zero trust. I think it's coming around more and more. What really is zero trust? Or, let's say, it is upside down in my head, but can you help explain it in layman's terms so that, you know, myself and probably a lot of the community, the listeners today, can also get a sense of it?

Kris Lovejoy [00:14:10] Once upon a time, when we first started in security in this world, this is me 30 years ago, you know, the way security worked was you basically trusted everybody. So everything was wide open on the Internet. If, you know, some organization or country, if you will, became dangerous, what you would do is you would block them from accessing your systems. And so that was called an accept-all policy. And then we discovered, okay, if you went into the technologies and you saw the rules that had been established to block different sites, different countries, etc., the rules became just excessively long. And so what we did is we said, okay, well, we're not going to trust everybody and then deny a few people. We're going to change. We're going to shift to something called default-deny, and default-deny basically says that we're going to basically distrust everybody and accept only those whom we accept in. Here's the problem. Even though default-deny is a kind of common construct, we never really implemented it. What we said is we're going to distrust the Internet, but in our own infrastructure we're going to trust everything. So if you're an employee and you get a keycard, guess what? When you get to the building, which is the network, you can get into everything except those things that we lock. Now what we're saying is we're extending that principle of default-deny to our own internal networks and saying, even if you're an employee, even if I trust you, everything is locked except that which I open up. So it's an old concept, but it's an implementation that is now kind of taking root. The problem, however, and the irony, and I think where your head is upside down, and a lot of the executives who are listening in, you know, you like me are saying, well, isn't there an irony to this discussion? Because you're saying if you want default-deny zero trust, does that mean that no one can get access to anything?
So then what's the point of actually having a digitally enabled business? You're going to lock it all down. Does that actually make sense? And then from a practitioner's perspective, the other irony is, in order for you to actually implement Zero Trust, you have to know who your employees are. You have to know where your systems are. And guess what? We don't. So that's another very practical issue that we have, is that this journey to zero trust that we're talking about, this is not an easy journey. It's a fantastic philosophy, but it's hard.

Nel Akoth [00:16:50] Totally agree. I've got it. Thank you so much, Kris. That's very enlightening. And you're now again talking about the practicality around adopting it. Jimmy, if I could just, you know, tap you a little bit more: when you're advising customers on this, what do you call out as the pros and cons? Because clearly, I don't think Kris was trying to explain it as just blocking people out of things. What are some of the ways in which the businesses should look at it from a pro and con perspective?

Jimmy Nilsson [00:17:16] Zero trust as an architecture can quickly become a very complex and expensive project that takes years to accomplish. Right. It could take a long time before you reap the benefit of the investment you're making. And if you do it the wrong way, it can also hinder your business, right? So it can be a blocker instead of an enabler. If you think about the adoption of cloud, it was all about enabling business, creating new opportunities, allowing for a different way to collaborate, right? So the purpose behind Cloud was to get those benefits, and with it came a need to have a different way of securing. I want to stress the importance of looking at Zero Trust as an enabler, as a way to improve user experience, as a way to improve productivity. So if you go into a zero trust program with that mindset, it will be a program that is going to take years to achieve. It's going to probably be multiple smaller projects along the way. But if you go in with the mindset that this is done to enable the business or open up new ways, right. And I think it's important that you educate not only the practitioners that will engineer the solutions, but it starts in the boardroom, it starts at the C-level and starts with the business units. It's definitely something that you need to expand outside of the security department, right. You need to get the business with you on that journey. Otherwise it's likely going to fail.

Nel Akoth [00:18:58] Yeah, makes sense. So are there early adopters, Bryan? What do you think? Are there some lessons, you know, from some of the early adopters that we can share with our audience here that might be helpful as they get into zero trust?

Bryan Sartin [00:19:12] Yeah, I think there are definitely some lessons and that's an interesting question. Lessons from those that are doing it well and lessons from those that aren't. Something that is part of sort of the underlayment of zero trust is that idea of making islands on the network. For example, you have parts of the network that third parties and supply chain connect to. You have parts that end users sit in, other parts isolated or enclaves within a network where critical business systems and servers and sensitive data reside. And it enables you to institute, you know, the right level of controls and authentication between all those little checkpoints. These are earmarks of companies who do it well. A great example of those who don't, in my mind, is the campus network, the great big open campus network, where everybody's connected to the same network: the servers, the machines, the intelligent garbage cans and lighting fixtures that they have these days. All the server farms and things like that all just connected to the same big open network. And they're helpless to identify an attack in motion, and even more helpless, if they did, to actually do something about it in a reasonable amount of time.

Jimmy Nilsson [00:20:17] I can add to that. I mean, I meet a lot of customers that are trying to implement zero trust. Some of them have been successful. But I think it starts with how we invest in security. If you think about it, zero trust, just on a high level, goes across a number of pillars. We typically refer to it as five. So identity, endpoint security, network security, you have application workload and data, and then you have, you know, across those five pillars, there's monitoring, analytics, automation, orchestration. And then if you think about how we are organized, how the security within an enterprise is typically organized, right? You have a department that focuses on identity access management, you have a department that focuses on endpoints and you have another department that focuses on your network security and so forth. How enterprises typically decide on their security investments is within those departments. So the IAM organization, right, they're thinking about what is the next great IAM solution and then they try to deploy that enterprise wide. I think we need to change that way. So when we deploy new security technologies, instead of trying to do that enterprise wide, we should break it down and align it to the projects, the IT projects. Right. And based on priority, you have IT systems that are critical, that either host critical data or perform critical functions for the enterprise, or you have major IT initiatives that may not be high on your risk register. But it's a big transformation that's going to happen with that system. Therefore, a good opportunity to layer on top of your new zero trust architecture. And when you do that, you do it across the five or six pillars, depending on how you see it, right? So you build an architecture that, end to end, can cover all of this zero trust architecture. That way you can also get quicker to a return on your investment.

Kris Lovejoy [00:22:24] I want to make sure that we're making the conversation actionable, though, right. Because we're talking, there is a lot of complexity here. Let's just ask ourselves the why question. Why do we care about Zero Trust? Why are we talking about this today? Why is it so important? We care because coming out of the COVID period, we had an extraordinary amount of transformation that happened in a very short amount of time. And this was following an extraordinary amount of transformation that happened even pre-pandemic. Now, unfortunately, most of the technology that was thrown out there during the COVID pandemic was thrown out with almost no security control wrapped around it. So from a layman's perspective, what that means is the attack surface increased, the number of things that could be attacked increased. Meanwhile, we're talking about the human factor. You got a lot more people using a lot more assets. And so therefore, that 10%, that 12% Bryan talked about, you're talking about a huge number that has been increased and included in that number. So now you've got more people touching more technology that is less secured. And then meanwhile, you've got the threat actors who are using disruptive means like ransomware to achieve their goals. So you're seeing a lot of just bad stuff happen. That's why we care about security. Now, Zero Trust as a philosophy helps us transform that, right. And it helps us limit the number of threats that can get in, the number of mistakes that can happen and the impacts. However, as we're pointing out, this is a journey, right? There is no tool that solves this problem. And I promise you, there are a billion companies out there, and I'm sure you're going to go to a wedding and sit next to somebody whose wife, cousin, whatever, girlfriend is working for a company that does this. There is no company that can solve this problem magically. It doesn't work that way. This is a slog. It's hard.
It has to be focused on critical business services first, and you work your way from the beginning to the end.

Nel Akoth [00:24:25] So, you know, I'm going to end with a little bit of a wild card. And it's a topic that every listener, especially as they were going down the road on COVID and how it changed the world and transformed how we all operate, can relate to, and that is privacy. Now in your opinion, do businesses and especially consumers really care about privacy in an era where information is digitally stored and abundant? How do you think about privacy, both businesswise and also personally? Kris, I'm going to start with you. What are your thoughts?

Kris Lovejoy [00:25:00] So first of all, I don't think most people understand what privacy is versus security. So let me just spend a second, because that is one of the most confusing things. And when I ask senior executives, "do you get the difference?" they're like, "no, actually, can you please tell me what it is." Privacy is a personal right. It is your right as an individual, such that when you give your data, your personal identifiable data, to a third party, that third party has the obligation to maintain the confidentiality, meaning no one sees it that shouldn't see it; the integrity, meaning no one changes it that shouldn't change it; and the availability, so if you ask for it, you can get it back. That's the concept of privacy. The right of privacy is instantiated in law in many jurisdictions. In the United States, there's 250 laws that guide privacy in the States, in pieces of sectoral information like the banking sector, etc., etc. Very confusing, huge patchwork. Now, here's the thing. In Europe, as an example, you're pointing out GDPR, privacy is recognized as a human right. By default, the European Union recognizes that individuals and to some extent corporations have the right of privacy. Not all countries, like the United States of America, recognize that right. We in the United States do not have the right to privacy. We only have the right to privacy within the context of pieces of legislation, like a state legislation that defines in that state or within that context what privacy is. The reason that there's a difference country by country, sector by sector is that, particularly when you think about different countries, there's a different experience. In the United States we had 9/11. So national security to us is an incredibly important thing. So we balance national security with privacy. Other jurisdictions who have not had those kinds of experiences tend to weigh privacy over national security.
Why that's important for a business leader is that the interpretation of privacy requirements, jurisdiction by jurisdiction, is incredibly hard. You have to be thoughtful. So if you are operating across sectors, you're operating across state boundaries, you're operating multinational, you must understand what those obligations are. And you need somebody to help you. Now, let me answer your question. Do people care? Again, it depends on the country you live in. Some people care. Some people don't. I can tell you in the United States, specifically, it depends on your generation. It depends on your political party. It depends on what you're going to get in exchange for providing your data. By and large, the general rule is give people control. That's what they want. You give people, individuals, the ability to control what elements of their data are collected or expressed, and they will be happy. That's the big issue; it's control.

Nel Akoth [00:27:56] Jimmy, what do you think? Do you have a different perspective or a similar one?

Jimmy Nilsson [00:28:00] I couldn't state it better than what she already did. What was in my mind when she was talking is, you know, being a technical person, right, how difficult it is for an enterprise to care for the data and the privacy of their consumers, right? Within the connected world we're living in, the connections we have with partners, the distributed IT environment, it is very difficult. But understanding where your data is and having a view that is based on classification, I think those are basics that we all need to do. And similar to what I said earlier with Zero Trust, I think privacy is something that you can't do within the security department alone. You need to involve your business. Again, C-level, board level, everybody needs to be shooting towards the same target for it to be successful.

Nel Akoth [00:28:54] Makes a lot of sense. This is really great. It has been such an enlightening discussion. It has highlighted just how important it is for every business leader, whether inside of a security organization or not, to be thinking about the evolving threat landscape and how they will respond to it. It's clear that Zero Trust is a valuable approach to helping protect companies from threat actors. So Kris, Bryan and Jimmy, I cannot thank you enough for joining us as our inaugural guests today and for such a great dialog on this important topic. I mean, for me, I'm so enlightened. I don't know if I should say I'm enlightened or I'm worried, because as you talk, I'm like, I'm really one of those culprits who will be in the 12-something that Bryan was talking about. But again, really enlightening. Our audience, I'm sure, is going to really get a lot of enlightenment from it. And if anything, know that we as Kyndryl are here to help them through this journey that's very complex, as you all rightfully stated. And to our audience, thank you very much for listening. Until next time, I'm Nel Akoth, again, Kyndryl's Chief Transformation Officer. Thank you very much.