Episode 64

The Future State of Cybersecurity with Rik Ferguson

EPISODE SUMMARY

In our digital world, cybersecurity has become essential across all industries and verticals. As the need for security increases, what are the implications for cybersecurity stakeholders and how can they best plan for the future? Our guest Rik Ferguson, VP of Security Intelligence at Forescout Technologies, shares advice for tackling issues of trust, authenticity, communication, and problem-solving in the security world.

Joseph Carson:
Hello everyone. Welcome back to another episode of the 401 Access Denied podcast. I'm the host for today's episode, Joe Carson, Chief Security Scientist and advisory CISO with Delinea and I'm really excited about today's podcast. As always, it's so great to have amazing guests on the show and I'm joined by no other than the awesome industry rockstar, Rik Ferguson. So over to Rik. If you can give us a bit of introduction about yourself and also feel free to give us some background into some of your hobbies and probably why I referred to you as a rockstar.
 
Rik Ferguson:
Sure. It's funny, none of you know but we were just talking off camera of course before we started and being described as a rockstar. We were talking about age and gray hair and this is the first podcast I'm doing with my glasses on. I've decided to accept reality and age. So, yeah, being described as a rockstar at 52, I'll take it. Thank you very much for that. So yeah, I mean as a result I suppose of my advancing years, that means I've been around and in the industry for a long time. I mean my career per se started back in 94, so that's when TCP/IP was still an option, not a default. And I spent over a decade in technical support. So my day job was basically people would phone me up with broken stuff and I had to work out why it was broken, what I had to do to get it fixed again and also talk people down off the ledge who were extremely angry about the fact that it had broken at the worst possible time for them.
But we were dealing with TCP/IP, we were dealing with IPX/SPX, we were dealing with Token Ring. I was getting people to grab network traces and having to kind of put those back together and work out why something wasn't working. And more often than not actually back then, it's probably still the case now. People who are working in support today will probably sympathize. It's because somebody hadn't engineered according to RFC and I'm sure that still happens all the time today, but that was a really common thing. So yeah, I spent a decade doing that and there comes a point in a tech support career when you are too valuable for people to let you go because you are the person that's been there the longest. You are the person that everyone else goes to for quick answers to save them going through troubleshooting and you've encountered most problems.
So you hit this kind of glass ceiling where you are too valuable in the support role to actually be able to bust your way out of it into something more challenging after you've been there that long. So I had to quit my employer and shift a bit and I moved into security and privacy architecture design. So I was actually, instead of having to fix something that had gone wrong, I could try to design things that were less inclined to go wrong, let's say. And that was for a company that doesn't exist anymore called EDS. They were acquired by HP some time ago.
 
Joseph Carson:
I remember EDS, yes.
 
Rik Ferguson:
Yeah. So they were a systems integrator and I was working on sort of government and law enforcement type projects mostly around identity and access management and specifically around intrusion prevention at the time. And then I spent almost 15 years at Trend Micro. And if you don't already know, I started a new role with a new employer in August of this year. So that's been a big change for me. After 15 years in one company, I'm now working for Forescout as the vice president of Security Intelligence and it's allowing me to, well I'm going to do a lot of the same kind of things that you are used to me doing. So I'm here to talk about stuff and engage and do things like this podcast and create research and compelling content and bring the world of security to life and to light. But also I'm having much more of an influence on where Forescout is going, what the strategic direction is and how we can as an organization think of new ways to approach old problems.
Because I think one of the biggest things in cybersecurity, one of the biggest causes of issues for practitioners but also for vendors is complacency. People who look at a problem and look at a way of doing things to say, well, this is the way that we've always done it. We are not going to deviate from that because we are comfortable with doing it this way. The fact is that use cases change, technologies change, society changes; the way that your users and your developers and your board members and your investors see what you're doing or approach what they're doing changes over time.
So your approach to solving those problems needs to evolve too. And to achieve that, you need that kind of, you've got to be able to stand back from the issue at hand and just passionately look at it and say okay, I'm going to unlearn the ways that I was doing things before. I'm going to approach this problem with all of my knowledge and experience but with none of my preconceptions and think is there a new and different way to approach this? And for me, switching employers after such a long time at one and then even longer time in the industry, it's more than 25 years now. It's really refreshing to be able to give myself that perspective.
 
Joseph Carson:
And I have a question. For you, I mean I think changing roles after so long is something, it's a strange thing to be doing sometimes and one thing I've always regretted over the time and I think most of the audience, I would love them to take a lesson from this, is taking some time in between roles. My roles, I've always, the day you finish, you're starting the next week for a new role and I always regret not taking some time, personal time in between changing companies. Is there something you've taken the opportunity to do yourself to take a little bit of time for yourself and family?
 
Rik Ferguson:
Yeah, I was obligated to do it, which is cool. I probably wouldn't have done because like I said, it was 15 years ago when I started at Trend and I was a very different person at a very different point in my career. I was not in a position to say, you know what, I'm not going to work for three months. I mean who is? Right? Very few people that are like... the cool thing about I'm located in Warsaw, in Poland, employment law here is such that after you've been, I forget how many, but I think three, five years at one employer then you must have three months notice. But obviously Trend Micro didn't want me around with access to information and systems for that three months and that's the right thing to do. So that meant that for a part of that I was effectively on garden leave and that meant I could focus on other stuff. So that's been great.
I can't say that I focused on one particular thing and used my time in order to be able to learn to speak Punjabi. I don't know. I did what I wanted to do at the time, which changed on a day to day basis. Some of it was music related, the focus will tell you what's behind me. Some of it was family related. We're in the middle of building a house as well. So some of it was dedicated to that. But yes, it's been great to have that time to lose focus on an employer, any employer and just take some time to take stock and reassess.
 
Joseph Carson:
Absolutely. For me it's always something that I've looked back on in my career and the times, I mean I've been at companies for quite a long time as well, but in those moments where I've changed roles, I wish I took the month or three months just to recuperate the energy and get the excitement going. So when you do start, you're starting fresh, you're starting with the energy that you need to and I think mostly the industry...
 
Rik Ferguson:
Yeah, you're kind of raring to go. It's like okay, I've been out of the game for a while now and I'm ready, give me a challenge, let me take something on.
 
Joseph Carson:
And you get rested. And you get rested and also get the balance back as well because it's the thing that's important to do a proper reset during that time as well. As you've changed roles, what do you see currently? Because a lot's happened in the last couple of years. I think for the first part of my career security was kind of stagnant, it was evolving but I think in the last couple of years it's really accelerated and evolved where I think one of the great things was Miko stating recently, I think one of his tweets was that we're no longer securing computer systems or our computers, what we're doing is we're securing society. I think that was a powerful kind of message and I think it was a realization of how security has changed even in the last few years. What do you see as the current state of cybersecurity today and what do you think is kind of... where are the places we need to make changes to in order to really catch up and get back on track?
 
Rik Ferguson:
It's interesting, another thing that Miko said a few years before, the one that you just quoted and that's been a thought process evolution of his, that has been nice to watch, is that every company is a software company that absolutely that trend has continued, it doesn't matter really what you do, you're a software company somewhere along the way. And that has led to the point where now cybersecurity is securing society arguably to a greater or lesser extent it always has been securing society but only that part of society which is reliant on digital technology to offer its goods, services, whatever it might be, and the society is that, that forms that group has been growing until it's become all encompassing. So that's kind of why that's come true. What I was saying just yesterday, I think it was, in a conversation is what strikes me as being one of the really important things that we have to focus on right now is how we as security practitioners and enterprises, how we learn our lessons.
Because it's definitely true to say at the moment, and I'm thinking specifically about ransomware, but I don't think this applies only to ransomware, is that we see the same attack and the same methodology being successful against different victims over and over again. So the lessons that we are learning, we are learning in silos of individual organizations. Hopefully if you get hit badly by ransomware you are going to learn a whole load of lessons from that. Not just how do I respond to the incident and how do I deal with a ransom demand and how do I successfully back up my data so that I don't have to pay the ransom. But also you learn how do I successfully encrypt my data so that it can't be leaked because that's become a standard part of a ransomware attack.
Hopefully you learn how do I architect and better segment networks so that lateral movement becomes less possible within that environment. Many, many lessons can be learned from those, but we learn them right now in silos of individual organizations. So if you've been hit, you learn your lessons and hopefully it doesn't happen to you again, but then someone else even in the same industry vertical as you, because we know that ransomware crime groups focus on industry verticals, they'll focus on government, they'll focus on healthcare for example, education, that knowledge is not, and those best practices are not effectively being shared. Either they're not effectively being shared across industry verticals or even just across potential victim populations in general, or they're not being successfully received.
I don't know where the blame squarely lies and I'm sure it's six of one, half a dozen of the other, as my mom would say. But there is definitely a problem in how we learn from our experiences, good or bad to be honest. And if we could go some way towards addressing that short term, that would be extremely helpful. The other thing though that I think we don't do very well in security is that we don't come out of firefighting mode very often. We are so focused on fixing the problems of today and by necessity we are in response mode a lot of the time. You know, you've got to look at the statistics around security operations centers and alert fatigue and burnout and all of the other stats. We're stuck in response mode because we have a hell of a lot to respond to.
We are not able to make the space to step back and get that broader view of not just where is my employer going and what's the five year plan for my employer, but where is my industry going and what are the technologies that are pertinent to my industry that are emerging right now? What's the adoption plan within my organization and therefore what are the security implications of that adoption and how do I build a longer term plan? But also there are societal developments that have implications, there are governmental and legislative developments that have implications and we need to be able to create the space within our profession where CIOs and CSOs have time built into their calendars that is forward looking time, not firefighting time.
 
Joseph Carson:
Absolutely. So by creating a fine balance and you make a very important point, I think it's one of the things that is structuralized organization-wise. Many organizations still have security in the IT kind of structured infrastructure departmental side of things. And for me where it's going is that we should start to see much more convergence of cybersecurity evolving more into a business operational kind of approach. We're focusing more on the business risk and business resiliency rather than looking at it as an IT technology problem, where it's something that actually should be across all departments of the organization. We really need to bring down some of the silos department-wise and make sure that cybersecurity gets embedded. I think one of the great things, I think the book that Adrian and Jessica and Ciaran did a few years ago, the ABCs of cybersecurity, which was all about awareness, behavior and culture.
And I really think that to your point that we definitely need one is better communication, better visibility and better longer term thinking. Because that brings up another area that I listened to a talk that you did a while back, which I think that many organizations who are in that firefighting mode, what they end up doing is they incur lots of technical debt.
 
Rik Ferguson:
Yeah.
 
Joseph Carson:
Because in the firefighting mode you're only looking at what's right in front of you and you end up choosing a tool that does one thing, that solves that one problem. And if you're not thinking more strategically or thinking longer term or where you need to be next year or where you need to be in two years, that technical debt can become a problem for you being able to actually get budget and get resources that you need to then transform or move from those point solutions or non integrated solutions to much more strategic approach. How big is the problem with technical debt today as a result of this?
 
Rik Ferguson:
So technical debt is an interesting one. It's a term that originally comes out of agile development and the meaning of it has kind of morphed over time. In its original sense it was saying that you start a new project, you really don't know very much about the tools that you're using, the thing that you're trying to build because the thing doesn't exist. So you're learning as you go and as you progress you use that and you incur technical debt as you go along. As you're doing this development process, you use the knowledge that you gain having gone through that process to go back and repay that debt by revisiting and fixing the stuff that you got wrong earlier in the process. That was kind of the original definition of technical debt that was termed and some argue that it's overused now, I would argue probably that it's not used enough because if it were overused it would be top of mind for people.
People would be thinking about it when they make decisions. But really they're not. In the way that you described it. It's more now than just software coding development of a product. It's planning and implementation of a product or a service or an architecture, whatever it might be. And if you are obliged to... basically it's taking decisions quickly in order to get something out the door to meet a deadline. That's how you incur technical debt now. And whether that's the product team at your organization has decided that this new service must be released on this date come hell or high water, then all the teams in security will only be one of those responsible for making that happen, will pull out all the stops to get to that drop dead date and that will mean that they will make short term decisions. Short-term decision making is the root of technical debt.
If you are not in a position where you can accurately build a register of all of those product and implementation and coding decisions that are made, as you go through that process of building a service or a product or whatever it may be, then it's effectively losing track of all your loans and never knowing when your repayments are due or what interest is being charged on those. Because that's the thing with technical debt, over time you do build up interest on the debt that you've accrued through your decision making process.
So if you're not in a position to be able to pay back that technical debt, there will come a time when it will come back to bite you because of all the interest that's accrued on the decisions that you made. Suddenly you find that one of the underlying authentication mechanisms for the thing that you built is only capable of handling, I don't know, an eight character password or something and then every other thing that system does is tainted by the fact that the authentication is architecturally weak underlying that. But because you've built this complex interconnected system on top of that your now current ability to repay that technical debt is extremely low because of the interconnected nature of any change that you have to make.
 
Joseph Carson:
I love that metaphor, just like having hundreds of credit cards and you can only use that credit card for shopping at one thing or buying one good and you lose track of the interest rates and all of those. That's a fantastic comparison to how you can really see how impactful technical debt can be to an organization. If you start losing visibility and losing accountability of all of those...
 
Rik Ferguson:
You end up with governance issues because you've lost the audit trail or even the decision trail, you end up with really poor strategic alignment within an organization because people are making spur, not spur of the moment, but short term decisions to fix issues. And then what you end up with at the end of that, actually probably one of the greatest interest on technical debt things is you end up having to neglect or delay any kind of modernization on the thing that you've built because it becomes massively complex and incredibly difficult to change stuff because it's all interrelated.
 
Joseph Carson:
And it could slow down innovation for business as well because all of that organizations looking to new business opportunities, new services or new technology that really helps accelerate. Sometimes we can't go there because it's not compatible with this or we would have to do this major upgrade or digital transformation in order to be able to achieve that. So it also can be an impact not just about incurring costs from a security perspective and stopping you from innovating to newer technologies but also from a business impact as well. It can actually slow the business down.
 
Rik Ferguson:
Yeah. It's inherent complexity, isn't it? If your decision making has to be rapid fire because you're being driven in that direction by the way the project is evolving or the implementation or whatever it may be. Then kind of like you said when we started this topic is you are deploying point solutions to resolve a problem so you can move on to the next challenge. Right, I've ticked that box, I've got a solution in place that offers me that functionality. What's the next problem? And you end up with this hugely complex but massively interconnected beast, which is very difficult then to do anything with whether that's governance, testing or modernization.
 
Joseph Carson:
Quick question on this, there's a lot of different deployment models from traditional on-premise to licensing and, does cloud somewhat reduce the impact of technical debt by making it a little bit more portable or not or easier to change or easier to deploy?
 
Rik Ferguson:
It's a good question. I suppose it depends on the choices you make when it comes to your cloud vendor. If it's something you're building yourself in the cloud and you have had the luxury of being able to build from scratch, then absolutely it definitely allows you greater portability. It definitely allows you things like containerization to segment things away along with their dependencies and you know exactly what's where hopefully if you're managing it correctly, when it comes to services from a third party, then of course you need to do that due diligence upfront and you need to request access and knowledge to assure yourself that that is the case. One of the worst things that could happen is that you sign up with a particular cloud provider for a service and then you find that they're using a proprietary data format so you are kind of locked into that platform and you are totally unable to move to another.
One of the great possible answers to that kind of question is the question of encryption, which is another technology. Way way back earlier in my career I was working for PGP and obviously encryption was a big part. It was encryption and VPNs and actually firewalls too. Gauntlet firewall all the way back then. Encryption is still massively under deployed, particularly searchable symmetric encryption, homomorphic encryption, all of those much newer advances in the field of encryption. But those sorts of technologies should allow you ultimate portability. If you can drop your encrypted data into a cloud service and it never has to be decrypted because you're using it in its encrypted form, searchable symmetric or homomorphic or whatever it might be.
Then any cloud platform that allows you to drop that data in means that you can pull that data out because it's still your data in your encrypted format and you can go take it somewhere else at any point. So cloud definitely should improve governance, portability and at least hide away the complexity from the customer and make it somebody else's problem.
 
Joseph Carson:
Absolutely.
 
Rik Ferguson:
That's the crux of a platform as a service or a software as a service offering is that someone else has to take care of the detail. But it's a question of how that someone else, the complexity doesn't go away, it just becomes someone else's problem.
 
Joseph Carson:
It becomes another area of fiscal responsibility. To your point, that brings up some of the lessons I learned here in Estonia. I remember going into the government more than 10 years ago, we were talking about software defined networks, that's the way to go. And the Estonian government went, no, that's yesterday, we're already doing service defined networks. And I was like, wow, what's that? And they basically went through and that's when I learned about a new approach: it's not about the software, it's about how the software basically creates a service together. It's about the interoperability, it's about those connections, the APIs, it's about the data flow and ultimately, in the end, it's about the service that you're offering that is basically a collaboration of all of those technologies together. And for me that was kind of enlightening and I also got, that's where you start thinking about the bigger picture to your point as you mentioned earlier, but stepping back and seeing that bigger picture, but how does everything work together? What's the role? Do we have any areas of potential failures or single points of failure that could impact it?
 
Rik Ferguson:
One of my last pieces of work at Trend Micro was project 2030 and that's kind of exactly the point of doing that kind of project is very rarely in our industry do you get a chance to look at something like a 10 year timeframe to say what are the potential technological, societal, legislative, governmental changes, what are the implications in terms of behavior and technology of those changes and what are the implications of that for cybersecurity stakeholders? If these things come true and in all of their interrelated glory, what are the consequences of that? What should we as cybersecurity stakeholders be bearing in mind and how do we get to build a more nuanced plan for that 10 year timeline? 10 years is a... I'm sure you know and probably everybody listening knows, 10 years is an eternity in technology. It's probably twice as long as that in cybersecurity.
 
Joseph Carson:
Absolutely. Another thing that's kind of one of the things you pointed to earlier and it brought to mind is about how we communicate cybersecurity. I think that's one of the lessons I've learned in recent years that we really need to, and again, I'm watching as we're doing this, a lot of people are going to conferences and a lot of the vendors are in the expo halls doing their messages. And for me, I think every time I go to the expo halls, it's a bit of a... it's all about fear, it's about scaring, it's about that.
 
Rik Ferguson:
Yeah.
 
Joseph Carson:
And it's still that. And it frustrates me because I always think about how do we make it positive? How do we start communicating it much more of how does security help the business? How does it help employees be successful? And ultimately when we're making those decisions, going back to if you're thinking strategic is about what I'm putting in place today, what technology am I replacing or what process am I replacing and is it better, is the security implementation of this better than the employee's experience with the older solution? Is it helping?
 
Rik Ferguson:
And for me a lot of it's about visibility and risk. It's about having conversations that are more visibility focused and risk focused. How do I gain ultimate visibility over everything that I'm responsible for? Because one of the perennial problems for security is that you can't secure what you can't see. And very often our visibility within any organization is incredibly constrained, usually to traditional platforms that we are used to dealing with, whether that's Linux, Windows, Mac OS, those kinds of things. And we are increasingly, particularly with rapid adoption of 5G, we're increasingly moving to an enterprise environment that is way beyond those endpoints. You know you think about the kind of stuff that you might find in a medical environment. You think about the kind of stuff that you might find in an industrial environment or just in a standard office environment to manage lighting and air conditioning and temperature and ventilation, all those kinds of things.
They're all connected to the network too. They all represent potential points of entry. So definitely we need to move the conversation onto one that's much more about visibility. And that doesn't have to be about fear, uncertainty and doubt. That's just about how do I first of all accept that I don't have it right now and what steps do I need to take in order to uncover and discover all of those things that I'm currently blind to.
And then associated with that conversation about visibility, we need to then frame the actions to be taken in terms of risk. Because risk in itself isn't a bad thing and you get to make your own decisions about risk. One of which, and it's perfectly valid, is to accept risk. As long as you know about it, it might be exactly the right business decision to make to say, okay, I'm aware of that risk now and it's in my risk register and I accept that risk. Or you might say, I'm going to mitigate that risk and here's my strategy to do that. Or you say I'm going to offset that risk and get some insurance or whatever it is and have somebody else take on the financial responsibility for that risk because I pay them some money. But you have those choices to make. None of those are about fear, uncertainty and doubt. They're about certainty, they're about being informed and then making the right decision for your business.
 
Joseph Carson:
Absolutely. And now when you're mentioning that, I always remember going back to... this was a pinnacle change in my career, it was during a penetration test where I was helping a CSO basically do a penetration test, during an assessment and we found some vulnerabilities. But when we presented it back to the board, because the CSO wanted to basically get an increase in budget to be able to install some new tools in the following budget year. And we basically, the plan was to scare the board into getting the budget. And basically when we went in and we presented it was a realization, actually ultimately the budget was denied and the CEO and CFO came and sat down and said, the budget's been denied, he did a great presentation, he scared us and we now know a lot more about security but we don't make our budget decisions based on how you present it.
You didn't have a return on investment, you didn't have a tangible value that you were presenting and you just basically presented the flaws and the vulnerabilities but you didn't turn it into how does it make the employees' lives better? How does it actually provide our customers with better services? How does that actually reduce the risk of the business? And it turned into, that was the moment, it was a pinnacle moment in my career when I started realizing that my job is no longer, I'm not a cybersecurity professional, I'm actually a person that has skills in that area and knowledge and experience in that area. But my actual job role today is about reducing the risk of the business.
 
Rik Ferguson:
Yep. And it's absolutely about how do I enable my business to do more, go faster, more successfully with lower risk, those are the questions that you get to answer. It's about the business. It's never been about security and that's why security has been in a silo for so long. 'Cause the mindset in security is that it's all about security, but actually it's not at all about security. It's all about the business.
 
Joseph Carson:
I always get upset when we had the cybersecurity awareness month last year, we had a week that was cybersecurity first. And for me that was so frustrating because that week, it's not about cybersecurity first, cybersecurity is never first. It's always a supporting element to something else. It's supporting to the business services doing or infrastructure or whatever it might be or the systems or software. But it's not first.
 
Rik Ferguson:
It's not embedded from the outset though, right? Hopefully rather than being added on last. Hopefully something that is at least on the starting line with all the rest of the project and gets to have a say and talk about systemic risk within any endeavor.
 
Joseph Carson:
I mean, I think for me, I think the big realization was having the discussion with the CFO and I think more CSOs and more security leaders should be sitting down and listening to the financial team about how they measure things. Because typically the financial team are the ones that see... they basically are the commandant between sales and marketing and development and management and operations and the ones that are defining the budgets and the metrics and everything that supports those businesses. I really think that we need to start having security leaders more involved, more embedded and more listening to how those teams measure their success. Because ultimately how we help them be successful is ultimately how we should be measuring ourselves rather than just measuring vulnerabilities and attacks stopped. And we should be measuring how we have helped the business save money or helped them improve or better the services. So becoming much more listeners to the business rather than actually loudspeakers of enforcement, which we have been in the past.
 
Rik Ferguson:
A long time ago, when I knew less and was certainly more naive but probably had a bigger mouth, I was talking about when do you know that you're getting it right as someone responsible for security within an organization, whatever that job title might be. When do you know you're getting it right? And I said, I think you are really getting it right when you don't think that you need a security team anymore, when you don't have a team of yours that's directly dedicated to security, when actually your team is embedded in everybody else's team. They understand the business reasons for why a project is initiated, why the timeline is what it is, what the goals of that project are, and they are able to facilitate reaching those goals as a part of that team or with a dotted line into the person responsible for security. I might have known less and had a bigger mouth, but I think my idea was right and I still stand by that.
 
Joseph Carson:
Absolutely. And for me, I'm a big advocate of teams having cyber ambassadors or cyber mentors or whatever they want to call it. There are these different names and different terms that have been used in the past for that. I think that's where you really start embedding security, and that's where you start also getting feedback and hearing about other measurement, and also how they're communicating it to the broader teams as well. I think that's really important. And to your point, absolutely, it's all about getting it to be part of the company culture eventually, and you're basically just becoming the orchestrator or the conductor of that to make sure that it's fitting to the business. And to your point as well, one of the things I learned from the CFO was also about how they look at risk reduction, whether they choose cyber insurance or whether they choose to offset the risk, to document it, to accept it.
And they always look at what's the cost of doing something versus the cost of doing nothing. If we didn't do anything, what's the financial impact or the impact on the service that we're providing, whatever it might be? What is that impact, and what's the cost of doing something? And the CFO was, depending on the value of that impact, of the cost, they'd be willing to spend anywhere from 10% to even up to 30%, depending of course on the size of that. You know, if it's 100 million, they'd be willing to spend 10 million to offset that risk. So they would walk away with 90 million guaranteed, was this financial profit...
 
Rik Ferguson:
And the CFO was the person to make those decisions, right? Because at the end of the day, it's a mathematical calculation. What's the value of the asset that I'm protecting? What's the likelihood that this particular eventuality will come to pass as regards a threat to this asset, and what will it cost the business if that comes to pass? And that mathematical calculation allows you to say, well, in that case I should be spending upwards of this, or no more than that, to protect the asset in question currently.
 
Joseph Carson:
Exactly.
 
Rik Ferguson:
So CFOs are perfectly placed to make those decisions, but security professionals are perfectly placed to give the CFO the data they need to make the right decision.
 
Joseph Carson:
Oh absolutely. I think that's the direction we need to be getting. And that alignment, as I was saying, is so important for security leaders to be really working together with the financial team to really get that conversions together.
 
Rik Ferguson:
Yeah.
 
Joseph Carson:
Where do you think, so I mean, where do you think the direction of security is going? What does our future look like? 'Cause I know you mentioned you did the Vision 2030, I think, was that the one where you were a spaceman or something?
 
Rik Ferguson:
Project 2030 was... so Project 2030 was just a look at, we did a baselining exercise of what does the world look like today? And then myself and co-author Vic Baines.
 
Joseph Carson:
Yeah. Which was fantastic. She did the cybersecurity image problem, which is one of the things I'm referring to as well.
 
Rik Ferguson:
She's fantastic. I mean, that's not the first time that we've worked together and it won't be the last. She's absolutely brilliant. And then, yeah, we did a lot of horizon scanning of what technologies are on the horizon, what patent applications are we seeing right now. We ended up in Project 2030 talking about things like the Metaverse without calling it the Metaverse, 'cause nobody else had been talking about it until that point.
We'd released it and suddenly Facebook changes its name and Microsoft starts talking about the Metaverse, and we're like, wow, that's basically what we're talking about in this document. So one of the big implications for me, and I think, so when you're writing a document like that, and it was a big one, it was 30-something pages long in the end, when you're in the middle of writing it, you are consumed by the bit that you're working on right now and trying to make sure that you don't miss any of the threads back to the bits you've already written. And then when it's finished you read it with another set of eyes that are just looking for typos and spelling mistakes and punctuation errors and that kind of thing. And then you send it to somebody else, in my case anyway, you send it to somebody else who can make it look pretty in terms of images and colors and things.
 
Joseph Carson:
A good designer or a copywriter.
 
Rik Ferguson:
And it's not until it comes back from that process that you get to read it with fresh eyes as a document. And I tried to sit back before I started reading and said, okay, the purpose of me reading this now, I have confidence in the fact that I've caught all the stuff that I needed to catch. So I'm going to read it and try and work out what is the one overriding thing that we were writing about in this document. What's the most important point of it for me?
And what came to me at the end was that what we were writing about is a problem of truth, trust, and authenticity. And I think those are going to be our biggest problems in security going forwards. How do we distinguish fact from fiction, reality from fantasy, and how do we maintain an objective record of truth within an organization and within security? Obviously there's a much wider societal problem that I couldn't even attempt to solve about an objective record of truth. You know, you have to look at recent historical events to see how necessary that is. But that's not my area. But certainly within cybersecurity, within an organization, if you are ever going to have an effective incident response mechanism, but also threat hunting and incident detection mechanisms, you need a good baseline and a means of effectively being able to establish this objective record of truth within your organization. Otherwise you never see deviations from that. And that's your early warning system.
 
Joseph Carson:
Absolutely. Absolutely. It's all about context. I think it's all about understanding. I think for me, one of the things is if we can bring more sensors and alerts together and collectively make sense of that from context-based security, I think that's definitely where we start making better decisions. Because...
 
Rik Ferguson:
More information, fewer alerts, that would be great, please.
 
Joseph Carson:
Yep, exactly. And there is that path going forward. I think a lot of things with automation, integration, APIs are making that possible. It will come down to humans. AI will have some play in it. I don't like calling it artificial intelligence. I prefer calling it augmented intelligence, or it's more about supporting the human side of things rather than taking over. Because ultimately I believe that a human will need to create the algorithms. They will need to go through the data, they will need to make the decisions to determine what more they can automate and add to that going forward. But getting to a point where...
 
Rik Ferguson:
We said within 2030, actually one of the things within 2030 that's very pertinent to that point, is that the role of frontline SOC analysts in the future will be more around explaining and validating the decisions taken by a computer.
 
Joseph Carson:
Yep.
 
Rik Ferguson:
Because you'll be using machine learning and other forms of AI at the frontline to do proactive decision making based on incoming data. But as a SOC analyst, you are going to have to look at the outcome of the AI and decide why the action was taken, and whether it was the right action, and what the human learning is that comes out of those activities that then needs to be applied to the machine learning, so...
 
Joseph Carson:
Absolutely you become the conductor. You're just making sure it's staying within the lines and that everything is...
 
Rik Ferguson:
Yeah, frontline SOC...
 
Joseph Carson:
...is continuous improvement.
 
Rik Ferguson:
....a data scientist much more so than now.
 
Joseph Carson:
Absolutely.
 
Rik Ferguson:
Which is a good thing. 'Cause another question people are asking is, what does that mean? Does that mean that frontline SOC, those jobs go away? And no, they develop and they get better. You end up with a much more fulfilling role in frontline SOC than maybe you have now.
 
Joseph Carson:
Yep. You get to work on kind of more interesting things more frequently rather than, I think I remember when I was in frontline...
 
Rik Ferguson:
Triage.
 
Joseph Carson:
...basically operations, it just becomes the same. Every day is the same thing. It's like you're working on the same thing and you have the same problems multiple times. You're just basically resetting it, rebooting it...
 
Rik Ferguson:
False positive, false positive, false positive. Downgrade. Downgrade, upgrade. Yeah.
 
Joseph Carson:
I remember one time somebody came in and said, "why is the screen red?" It's always red...
 
Rik Ferguson:
Do you need another color?
 
Joseph Carson:
We're always interested in the green when it comes through once in a while. What was that? Something worked.
 
Rik Ferguson:
Something happened to me, yeah. That's suspicious.
 
Joseph Carson:
Something positive happened. And I think that's one of the challenges, that yeah, the false positives, I think you're absolutely right. I think the skillset will evolve as well. I think the data analysts and data scientists, algorithm scientists will become some of the most important roles in that frontline to make sure that we're able to continually kind of future-proof security. We're looking at all that intelligent data coming through and we're making sure that we're not just securing against all the things we know about from the past, but we're augmenting it to be flexible for the threats that we're seeing coming in the future as well.
 
Rik Ferguson:
Yeah, that's another little focus and soundbite. You've often heard it said that data is the new oil. And to a large extent I agree with that, even though it's very hackneyed by now. But what I would add onto that is, if data is the new oil, then algorithms are the new refineries. Algorithms are what turn that data into a useful product at the end of the day.
 
Joseph Carson:
Yep. And for me it comes down to, as well as that, then it gets into automation, which for me, the most valuable asset in this world is people's time. And that's what the algorithms are all about, is to save our time and allow us to focus on the things that are more valuable in our world and get balance. So absolutely...
 
Rik Ferguson:
Then we end up in the world of Ian M Rankin's books, where it's the post-scarcity world where humans don't need to work anymore, but the machines recognize that working makes us feel good. So they let us do it occasionally.
 
Joseph Carson:
Absolutely. We're definitely moving to those one-hour weeks instead of four-day work weeks. Work becomes a hobby for everyone, I hope. That's ultimately the goal, so.
 
Rik Ferguson:
That would be fantastic.
 
Joseph Carson:
Rik, it's been awesome having you on the show, and really insightful, and definitely for me it's always a great conversation, always great insights and everything. I mean, I just want to let you know, everything you've been doing in the industry is making the world a safer place. You definitely educate. The videos you do, sometimes you are just standing at the top of Mike Denver's or whoever it is. But I think it does translate into making security understandable and making a much broader knowledge of the important things. And everything you're also doing in society as well, taking care of people and some of the things you've been doing in recent months, I think it's phenomenal. So keep up the great work and look forward to seeing you...
 
Rik Ferguson:
Thank you very much. Hopefully we'll do...
 
Joseph Carson:
... events in your future.
 
Rik Ferguson:
Yeah, do that in person at some point. That would be great.
 
Joseph Carson:
Absolutely. Any words of wisdom that you would like to leave the audience? Final thoughts?
 
Rik Ferguson:
Yeah, always use moisturizers, it's really dry in those data centers.
 
Joseph Carson:
Absolutely. And always bring a set of earmuffs as well, because it can get quite cold. But yeah, absolutely, moisturizer is important. Not even just in the data center.
 
Rik Ferguson:
Yes.
 
Joseph Carson:
But it's been fantastic having you on this show. Hopefully everything's well. Hopefully you're all excited about kind of the journey ahead.
 
Rik Ferguson:
Yes, looking forward to it.
 
Joseph Carson:
And I'm looking forward to catching up in person sometime in the future. So for the audience, again, it's been awesome having definitely the most famous rockstar in the security industry on the show today, and really out there. Make sure you tune in every two weeks for your thought leadership, education, and knowledge transfer to keep you up to date on all things cybersecurity. So stay safe, take care. And again, many thanks for being on the 401 Access Denied podcast.