Episode 84

The Best of RSAC & Cybersecurity Strategies with Bob Burns

EPISODE SUMMARY

The RSA Conference is an annual cybersecurity conference that brings together experts and professionals to showcase new cybersecurity trends and insights. We’re diving into the key takeaways from our favorite RSAC 2023 sessions with Bob Burns, Chief Product Security Officer at Thales. We also highlight remarkable stories of networking and human connections that took place at this year’s event.


Hello from Cybrary and Delinea, and welcome to the show. If you've been enjoying the Cybrary Podcast or 401 Access Denied, make sure to like, follow and subscribe so that you don't miss any future episodes. We'd love to hear from you. Join the discussion by leaving us a comment or a review on your platform of choice or emailing us at Podcast@Cybrary.it. From all of us at Cybrary and Delinea, thank you and enjoy the show.

Joseph Carson:

Hello, everyone. Welcome back to another episode of the 401 Access Denied podcast. I'm the host, Joe Carson. It's a pleasure to be here. I'm really excited about today's episode. We're always looking to bring really educational, fun, knowledgeable content to you, and today we've got a returning guest and an amazing person. I'm going to pass it over to Bob to introduce yourself. Tell us about who you are, what you do, and a little bit of background about yourself.

Bob Burns:

Yeah, sure. Thanks, Joseph. Appreciate the invite, and thanks for bringing me back again. I'm Bob Burns. I'm chief product security officer with a company called Thales, in particular their cloud security division. I run and manage a team of very talented individuals who look after product security, security engineering, our service cloud security, as well as certification and compliance. All that is just to say we're sort of entrusted with making sure that we're meeting all the promises that we're making our customers from a security standpoint. I actually got my start as a software engineer back in the day many, many, many years ago before security was a keyword in our industry. I spent a lot of time mucking around in cryptography and doing security that way and eventually sort of found my way into this position where I get to sort of bring these teams together, get the right people focused on the right problems. We get to tackle some really cool challenges across our product line and services.

Joseph Carson:

Fantastic. That's... What was the code... What was the language you started off with? Just curious.

Bob Burns:

Really C. I mean, everything was... Yeah, everything back in the day was low level. Anytime you're doing crypto, it was smart cards or embedded processors, microcontrollers, all of that stuff, so we did a lot of hardware. But I've cut the gamut, but now I really leave the hardcore coding to the experts these days. I just try to focus on the security side of things.

Joseph Carson:

Yeah. Absolutely. Security was always an afterthought or something we did at the end rather than something we did at the beginning. Okay, we are changing it a bit. One of the things we've got a habit of doing is meeting up at different events, and most recently we did get to catch up again during BSides and RSA.

Bob Burns:

Yes.

Joseph Carson:

I'm just curious to get kind of your viewpoint. Were there any interesting talks or topics? What did you find were some of the key takeaways from both BSides and RSA?

Bob Burns:

Yeah, that's a great question. I did have to go back and look at my notes a little bit to reflect because it feels like it was yesterday, but it was like drinking from a fire hose again, just lots and lots of interesting people, lots and lots of topics, really, really cut across the gamut. I'm not challenging your readers, I mean your viewers, to necessarily go back and look at our episode from last year, but in general my takeaway from last year was that it was really about sort of the human element. There were a lot of things that spoke to me as far as sort of we were coming out of COVID, there was really a lot about teams and about managing burnout and dealing with sort of bringing people together. I really came energized out of that with that same feel.

However, this year I didn't get the same vibe, I didn't get the same feeling. I felt it was a little bit more... For me personally, it was more scattershot. I found that the sessions I went to were a little less deep from my perspective. But having said that, what I did really resonate with and what I really did sort of connect with was still around the team aspect. There were a lot of good topics on scaling, so how do you take something that you know how to do well and make it bigger, make it more? How do you affect more teams? How do you affect more people without burning out your own team and without really sort of dragging those dimensions down? Overall I found some of the best ones that I had still really focused on the team aspect and focused on scaling and being able to better secure cloud environments. That was the other big focus that I focused on, was really thinking about cloud services and being able to provide security on a large scale for all of your customers.

Joseph Carson:

Yeah. I think one of the big things I noticed between last year and this year was also that it was almost back to what RSAC originally was from an attendance perspective, so where last year you had a bit more flexibility in choosing the sessions, this year you had to think ahead because there were a lot of long lines, a lot of the main sessions were... There were a lot of queues and even the standby queue was quite large, so there was a lot more planning. You had to really be selective about the sessions you attended this year because you might not have gotten into the one that you wanted to see.

The good thing as well is a lot of the sessions are now becoming... They're now becoming available online as well so you can go back. If you did miss them, you can go back and at least watch them now, which is great as well. But you mentioned about... I think that's a really important thing is about scaling. That's always a challenge we've had is doing something really well. Did that also incorporate into things... Because we're still in that little... The post-COVID, which we're still in hybrid mode. Did it kind of go into some of those things about remote teams and hybrid and about how to keep connected and how to make sure people aren't feeling in their own little silo to make sure that they feel part of a team? Did it cover any of those aspects of things?

Bob Burns:

Interestingly enough, I didn't hit any sessions that were about that, but one of my biggest joys in this past session was really meeting people outside of the sessions. In addition to connecting and reconnecting with folks like you and other industry folks that I'm friends with across the businesses, I really got most of my energy and excitement out of meeting people in social settings and doing things. To your point about sort of post-COVID scaling, one of the gentlemen I met was actually from Industrial Light & Magic. We just sort of randomly bumped into each other, "Hey, what do you do? What do you do?" We really got into the sort of what happened during COVID, and it hadn't occurred to me but ILM had some really, really interesting challenges around remote.

They instantly went remote. Unlike a traditional enterprise, their assets, number one, are hugely expensive. You don't want those leaking on the internet. Number two, they are terabytes in size. You can't instantly ask all of your employees at home to all of a sudden deal with having to render huge media files on their kid's home computer that they just happened to have sitting around. I had a really great conversation with him about the transition to remote and how that looked very different to what our teams did and the types of security challenges. His role obviously was on the security side, but they really had to think about how did that go, and then also how are they transitioning back to the office and how do they support that hybrid mode?

Going back to your point about sort of that moving towards that way, I can think of things in my team's perspective and my enterprise's perspective, but you get to meet at these shows people who have a completely different problem set that they have to solve for and things that they have to sort of think of from a security standpoint that really blows your mind. You think, "Oh my God, that's completely different from a Word file or a source code file or something like that or a threat model to oh my gosh, you've got something that if it got out onto the internet would be hugely damaging or at least expensive for a company like ILM."

Joseph Carson:

Yeah, absolutely. I've seen... I mean, one of the... Absolutely you had... An important part is that for me, RSA is mostly about the networking. The sessions are the add-on. That's the additional part, but meeting the people because as we hear, the sessions are great for that general view and kind of give you some outline or some direction, but meeting the people and hearing their experiences and challenges, that's what really gives you a bit more perspective, and you can learn from each other as well, how they're doing things on a much more kind of detailed level.

I also find the same as well when you're working. A lot of friends of mine work in the entertainment media industry as well and they're having to render lots of images. To do those, you can't do them remotely. It's very, very difficult and the processing part to do it is large. Even... Yeah. They had more of an office rotation scenario so the people can come in, do the rendering, at least having fewer people in the office at any one time and also having that controlled ledger of who was at the office at that time as well.

But definitely finding a lot of interesting things is always kind of to learn from those and other industries where working hybrid or working remote is sometimes not possible. There are a lot of industries where it's either very highly secure that you're working in, let's say not so much work systems, but very, very sensitive environments where you have to be physically there in person and you don't want to have them open. Public access or remote access becomes very, very challenging. We still... Those environments do exist and it means that you have to think about a way to keep them operating.

What other things did you learn about... You talked a bit about cloud security, and one big takeaway that I saw in cloud security was around API security, which was a big hot topic. It was around basically we started seeing where API has become the glue to keep things holding together. Sometimes I've seen hard-coded credentials, I've seen tokenized credentials, APIs, and then if you're in between clouds it's what's keeping the clouds connected together, these hybrid clouds and multi-clouds. What was the big takeaway kind of when you were looking from a cloud security perspective? What was the kind of hot topics there?

Bob Burns:

Yeah. You hit on probably one of the biggest at least visible trends that I saw at RSAC and BSides a little bit as well, was the API is the new perimeter for services, right?

Joseph Carson:

Yes.

Bob Burns:

It's the new buzzword, and rightfully so. It is the connection point. The reality is that now businesses and services are connecting less through sales and more through consuming APIs. It becomes that your developers are now the ones making the decisions of who you're going to connect with and why and what that interface looks like. That becomes the primary touch point and it's just natural that that becomes the point at which a service can become vulnerable or you could end up losing money because someone steals your credentials or uses your API or over consumes. There was a great deal of... I would say a lot more marketing and certainly a lot more buzz around products and services that could secure that interface.

From my personal perspective, I think that we're seeing a little bit of hype in that area. I think it's probably a little bit overhyped, is that there's certainly a lot of energy and marketing around it. However, APIs have a fairly well-understood mechanism for doing authentication and access and limiting and certainly hiding behind proxies and gateways. I think that overall it is important. I think overall it is something that needs to be taken seriously. I think each enterprise has to look at it differently, but ultimately it's one of those things that doesn't cause me to lose any sleep overnight thinking about those types of things. But generally it is something that I think the difference now is that it is the interface. It has moved from login selections to being able to automate and pull stuff off so it is the primary touch point between enterprises and services now, so it is getting a lot of attention.

Joseph Carson:

Yeah, absolutely. Absolutely. Talking about the hype, there was a lot of talk around AI and machine learning and other types of things. What was your viewpoint? Or did you attend any sessions on AI or ML in it or did you... I know a lot of the vendors had a lot of AI... Was it solutions? What was your takeaway from an AI perspective from RSA?

Bob Burns:

Yeah, that was actually a good point and I brought that up to my teams when I came back. I feel like the attendance or I should say the submissions at RSAC kind of missed or predated the AI hype window, so there weren't actually a lot of talks that necessarily titled or focused on AI. However, there were a lot of people who were bringing it into it, especially in the keynotes. There were a lot of clever uses of AI and video AI and deepfake AI to just sort of make a point about security. I think probably next year will be the year at RSAC where you'll see a lot of marketing materials on that topic. To answer your question, no I didn't see anything specific, any specific topics on it. However, for the few things that I did see, I think it's an emerging technology. I think it's going to be really interesting.

I think it has a lot of impact on the security industry, especially in our business. There's a lot of motion around things like Copilot or things that are autogenerating code for you, what's the impact of feeding some of your own code snippets into it, especially if it's sensitive code snippets? There's a lot of privacy information around that. I think we're really early days. I think there's just still a lot to come and a lot to learn. I've done a little experimenting myself and had a little bit of fun. I'm certainly not as afraid of large language models as a lot of people would make it out to be. It's a great technology as long as you're using it for what it's designed for and as long as you understand the limitations, but I'm not predicting any sort of AI Armageddon anytime soon from a hyperintense autocomplete language engine.

Joseph Carson:

Yeah, so predictive texting...

Bob Burns:

Yeah. And it's good. It's amazing. I love it.

Joseph Carson:

It is good. Yeah.

Bob Burns:

It is really interesting. I mean, I've seen... It's great to see that, and especially the artistic ones. The artwork ones I think are very interesting, but there's a lot of ethical concerns. There's also concerns about licensing, where are they getting the source material to feed this, et cetera, et cetera, but-

Joseph Carson:

Yes, the copyright, data rights management issues, privacy issues and-

Bob Burns:

Exactly. But from a security standpoint, we think about things like code provenance or even source material provenance. Are we consuming data that could cause an issue or create a security issue? Conversely, are we leaking information if we're using these types of tools and these types of engines? Is this potentially sending sensitive information or intellectual property to somewhere that would not treat it as such and end up inadvertently exposing it elsewhere? Those are our primary security concerns around using those types of tools.

Joseph Carson:

Yeah. I've heard a lot of organizations going and putting a lot of policies around their development kind of processes about restrictive use and what they can and can't do, so until it's been... Becomes more clear about how you can use it in a secure private way. Absolutely. One of the big things I found... Even from day one of RSA, I thought that was quite interesting. A lot of the day one sessions I found were very focused around the C-level side of kind of the topics. It got into lots of things around getting budget and communicating with the board and communicating with executives and there's a bit of insurance in there. It was very much around the communication side of things. I thought it was interesting because absolutely we do need to become better communicators, especially at being able to translate security challenges and security priorities into something that boards understand. Is there anything that you found around those topics that was interesting or that was valuable for you?

Bob Burns:

I actually didn't attend those sessions. I did see them, but it actually makes up a large part of my life, is being the translator between real security risk and convincing boards. I do find it interesting in this. I think there was a plethora of sessions on that topic. I think part of it is probably driven by some of the contraction in our industry. There were a lot of companies who were certainly tightening belts and changing their financial posture. I think when that happens, what you need is you need a voice who can make sure that the priorities are being brought to the decision-makers in the most efficient way possible.

That's constantly been a struggle, is that we always think that CEOs are the pinnacle of thinking about risk all the time, they run their business like risk. If you can just talk in risk and speak in the risk language, they'll make the right decisions. But the reality is they're all human, like anybody else, and they have to make decisions with lots of inputs, with lots of different things, and they're balancing it based upon where their business is at. It's more than just being able to talk about risk. It's more... It's being able to tell the story in the context of what the business mission is and what you're trying to achieve and what the current pressures on the business are.

A lot of times you've got to sort of give and take. It's not black and white. As much as we want a red light, green light for security that just says, "This is secure and this is not secure. If it's not secure, fix it." It's never that easy, especially at scale. Being able to bridge that gap between your technical experts and the people who actually are running the ship and making sure that you're being safe and you're doing the right things and translating that into actionable plans and costs and budgets for the C-level I think is a really important underutilized skill. I'm really glad to see that they've done a lot of sessions and we're starting to see more of that conversation of bridging that gap between "what do we do" to "how do we make sure it fits within the bigger plan".

Joseph Carson:

Yeah. Absolutely. I think I attended a workshop as well during RSAC which was all about risk quantification, which for me was really interesting to get a CFO's perspective and the CEO's perspective into risk quantification. To your point, it was really about kind of into, "Where are our risks related to the business? Not related to security, but to the business, and then translating those from the security into that business element." Then also, "Where's the business resiliency? How are we applying that side of things?" I think it's probably... I think some of the sessions I attended which were that focus, it was a lot of new people who were just going into the CISO because I think the CISO and the BISO (Business Information Security Officer) have been two areas of significant growth, and I think a lot of new... Kind of in the last year, a lot of organizations have decided to take on that as a significant role.

There were a lot of, let's say, one- or two-year-experience CISOs that were attending the sessions that were really I think finding it challenging to communicate and not... They don't have the experience about... They have a very technical background but not so much the business element. I think that's where they were kind of learning. I think it was great to see that because it is important to make sure that we have that continuous education knowledge sharing in order to... Those who are starting the roles because there's very few resources around. There's some good books in there. There's very few resources that teach you the business element of it, especially if you're coming from a technical background, so finding those is really important. Any other highlights? Any other things that were kind of significant or memorable moments that...?

Bob Burns:

Well, I mean, besides the amazing session on gamifying hacking that I happened to see that I attended, I'm not... I can't remember the person, but they were quite good. They did a great demo, they were very risky and took on the demo gods and came through very well. I think that... Again, I'm struggling a little bit just because I really came away and none of the sessions necessarily really kind of came at me hard. It really was the personal conversations and the connections I made.

Joseph Carson:

The personal conversations.

Bob Burns:

It cut across the gamut. It was really, really things... The things I loved, it's people with very different backgrounds than me that came up in different ways. One in particular was I met a woman who started in a help desk at a construction company out on the West Coast and she is essentially the CISO now over many, many years of just sort of caring and being the one who really sort of thought about what was the right thing to do versus the wrong thing to do and just sort of plowed her way through and took on the company and took on the responsibility and ultimately ended up driving that. Those are the things I learned when I see these different stories from different people, and that's the thing that really I think I take away from these sessions and that really inspires me to make changes and focus on other things in my team. I think on that... Oh, sorry. Go ahead.

Joseph Carson:

A lot of times... Yeah. Yeah. A lot of times the help desk is that in between the tech and the business side of things, so they're the ones that know... When certain things aren't working in the business, they're the ones that identify where the tech is failing so they do become very good at being able to make that connection.

Bob Burns:

Exactly. Exactly.

Joseph Carson:

And are potentially very good BISOs and CISOs of the future for sure.

Bob Burns:

Yeah, for sure. Yeah, exactly. I think along those topics, so when we go back and just even though I can't narrow and focus in on one specific session, a number of the sessions that I was at least drawn to attend were really around scalability, about how you do this from a secure standpoint, so whether you're taking a service that maybe hasn't had security to start with and you're trying to make it bigger or you're taking your security function and trying to scale it much more broadly. It covered a lot of topics, but in retrospect when I started sort of dissecting it and peeling it apart, the things I took away from it is that the language and the systems that people were describing to help with scalability of security in these systems really boiled down to empathy. It had to do with the fact that...

It wasn't stated explicitly, but when you start thinking about DevSecOps or some way of being able to build security champion programs or being able to get more advocates in your organization who care about security or even to the point where you're communicating at the CEO level, at the end of the day success is either done by sort of one or a small group of people who can understand a vertical intimately and can do it top to bottom and ultimately they care so they deliver the security from top to bottom or you end up having a very large swath of people who all care and can bring security across. But you can't do that. You've got to be able to break that down. For me, the point is for security people to understand and empathize with the real problem that other people are trying to solve.

DevOps or DevSecOps was really about taking devs and making them care about ops by making them have skin in the game. Security champion programs when you look at them, they're really about embedding inside the developers someone who cares about security. It really is about how do you take an empathetic view to making sure that you are not just foisting security on people and you're not just throwing it over the fence and you're not just writing policies, but you're actually striving to empathize with the problems up and down the stack and figure out how to build advocates, champions, people who care about it or you just caring about their problems so that you're not introducing toil, right?

Joseph Carson:

Yeah. Absolutely.

Bob Burns:

That's sort of what I've pivoted to coming out of this show a little bit is really helping to find ways to strengthen empathy between what we're trying to do and how we can help the teams start in a more default secure state and add security without introducing toil. Yeah.

Joseph Carson:

Default. That's... Default is the important thing because that's one of the things I've been kind of... Is we always talk about this shifting left and security by design, but for me it needs to be more than that. It needs to be security by default. It needs to be always on, it needs to be... I remember seeing one of the cloud companies saying that you need to turn the default security on and I laughed. I was like, "Shouldn't it be on already? Why do I need to turn the default basic security settings on? That's my expectation if you call it default."

Bob Burns:

Yeah.

Joseph Carson:

I shouldn't need to turn it on.

Bob Burns:

You're using that word wrong.

Joseph Carson:

But your most important point... Your most important point is that we really need to pull down the silos, and security's been a... We always look at security as an IT problem as in we direct it to IT. I learned an important lesson when I was doing... It was a risk assessment for a large transportation company. Ultimately one of the lessons I learned was that we can't operate in security as a separate silo anymore. It needs to be... We need to realize that security is something that, yes, we do have IT security related needs, but we also have HR security needs, we have legal security needs, we have financial security needs.

This gets into... I recently did some large kind of research in the business resiliency side of things. As I was going down that path, I realized that resiliency is many things. You have financial resiliency, which could be going down the path of cyber insurance, you have business resiliency, which goes down the path of maybe having a good backup and incident response and kind of backup strategy plan, and business resiliency about you've got operational resiliency. "Okay, do we have two of everything? Do we have manual systems?" It really gets into kind of thinking about those and looking at how you can look at the different lines of business or different business operations and then trying to get security as part of those.

I think you brought an important part is that we're... I look at cyber ambassadors or cyber mentors or really looking to get people in other parts of the business to become your advocate in those areas, and it doesn't necessarily need to be a tech person. It needs to be somebody who understands the business that they're operating in, whether it being in the financial team or whether it being in the sales team, and they can understand... To your point, empathy is really... They believe in what they're doing and they believe security is an important part of it and they become your communicator, your way into those businesses and it becomes really important.

One of the things I remember when I first did this, the best people to actually become those mentors and ambassadors were victims of cybercrime. It was the people who actually had something... They knew what it meant to become a victim, they knew the damage it could cause, and they wanted to make sure that it wouldn't happen again. They became some of the best advocates to really taking that message on and then becoming one of the best ways to... It's getting that security by default and by culture because ultimately they start kind of messaging and sharing with the people around them and caring about it as well.

Bob Burns:

Yeah, and because they felt the pain, right?

Joseph Carson:

Yeah.

Bob Burns:

I mean those people who've had experience. That's one form of empathy because they've been through it and they've done it. Part of it is it's kind of two ways. You have to... They care about what you're trying to achieve, but sometimes you've got to care about what faces them, right?

Joseph Carson:

Yeah.

Bob Burns:

What are their problems, what are their business goals, and what are they trying to achieve? What is in their day-to-day? It may be simple to say, "Oh, well, we've created this really good security onboarding system. Just create this Jira ticket." But if you go to somebody whose day-to-day job doesn't afford them the opportunity to easily create a ticket or if creating a ticket is not... They're not a developer, they're somewhere else in the organization and to them Jira is just some funny word that you're making up, that's not really understanding their problem or how they want to do it. Sometimes you might think you're automating it or making it easy, but if you don't actually empathize and understand what it takes in an organization to be able to do that, you're not necessarily taking it all into account. It's going both ways. Again, I don't have a specific recipe, but I think that empathy is one of the key messages that I think is going to play an important role in ensuring scalability across a diverse population.

Joseph Carson:

Yeah, absolutely. It becomes an enabler when people start seeing security is helping them. This is one of the things that we've had a lot of discussions with some peers of mine as well, is that we have a security image problem that we've always been the no people, we're the ones that slow machines down and we put all these processes and barriers in front of them, but we really need to get to the point where we have to change that image, that they see it as more of an enabler that helps them do their job. This is an important part. I think you're absolutely right, it is a two-way communication because... And it does mean that in our roles in cybersecurity, we have to become much better listeners because we've always been historically policy enforcers. We're looking at, "Here's the framework and here's the policies that support that framework, and therefore everybody must follow it. If you go outside it then you know you're basically creating risk."

So we became policy enforcers, and I do believe that we need to become much better listeners because we had to realize that... It's always great, is we are here to not just protect computer systems and IT systems, but we're here to protect the services that they deliver and the people that are using them. It really gets into where we need to be understanding about the people using them, what they get measured on, what does success look like for them, what are their metrics that say that they're doing their job well. We can't put things in that actually slow them down at achieving those goals or that prevent them from achieving those goals, so it really means that we have to become... How do I help them do that in a better way, in a safe way that actually even accelerates them on that path and makes it much more achievable?

That's where you get to the point where it becomes that bidirectional, is if you're able to achieve that for people, they will in turn accept you more and be willing to support you and voice you and promote you. I think that's one of the things we have to change is we take down this image problem that we've got of being the feared policy enforcers to really being enablers. We have a long way to go, but absolutely people like yourself that have the ability to change that in organizations will really make a big difference. The more we get doing that, it will over time take security from being this scary place to being actually something that's fun that people enjoy and that is actually helping us do our jobs better.

I think that's a really important topic, and it's a difficult one to do because in organizations culture is one thing and behavior, those are things that take time. It's not something you can simply do overnight. It's a very well-thought-through strategy that you have to do in little pieces over time to... And sometimes in one department first and in another department next. How's your strategy going and have you already kind of seen any progress so far? Are you in the early phase of this? How are you seeing progress so far?

Bob Burns:

It's been a constant journey and I would say progress is slow, but it has always moved forward. I think part of it is I think the industry is helping somewhat, is that security is becoming more and more of an important topic at all levels in the business as the risks increase and the news talks about ransomware a lot and risks to businesses, et cetera. That sort of accelerates some of the conversations that we need to have, and frankly I think the technology is changing. I think that we're getting better and better capabilities to be able to make these things, as you say, the default by having vendors and our own implementations where we start from a more secure set of guardrails or paved roads. I think that that has gone, but there's still a lot more to do.

I think especially as we expand into the cloud and we get much broader surface areas, much bigger estates of compute and data and you mix in other compliance challenges like GDPR and privacy and a few other things, it's really sort of... It's been a challenge, but I will say I think things have changed. I've seen a lot of different improvements. I think one of the... Just sort of a prototypical example, and this isn't necessarily our organization, but I always think of the prototype of phishing emails and the classic security, "Hey, let's test all the users by sending out the scary email and see who clicks on it." I mean, that was the control du jour many years ago, but thinking has really come around and said, "We really shouldn't tell users whose job it is to click on things to not click on things. Instead, let's make some tools and techniques, let's put some filters in, let's put some proxies in. Let's try to just transparently stop them from doing something really bad and let them get on with their jobs."

I think that's just sort of a prototype and that's a lot of the stuff we're doing. Like I said, we had Jira tickets. That's prevalent for software developers so it's very easy for us to tell the dev teams, "Hey, you need to do this." But when we're onboarding cloud IAM accounts for people who are not in the dev community, having to do that isn't easy, so we're creating portals that make this a lot easier so that it just becomes a click and it already knows the SSO and says, "This is who I am and you don't have to fill in all kinds of information." It's finding those little bits of technology that you can connect together, hopefully through cool APIs like we talked about earlier, that sort of make it so that it fits within the framework of what people are trying to achieve. I think that's really...

Joseph Carson:

Yeah. Getting familiar with what they're used to.

Bob Burns:

Exactly.

Joseph Carson:

Rather than changing to something that's completely different.

Bob Burns:

Exactly.

Joseph Carson:

I think that's a really critical kind of direction. Kind of curious what... What would you like to see more of? What was missing at RSAC that you were expecting to see more of that you didn't see?

Bob Burns:

I think... Generally speaking, I think that some of the sessions went a little bit more shallow this year. I'd like to see some deeper sessions. Your session was particularly good, it was very technical. It talked about the why and then showed how. I really am attracted to those sorts of deep dive sessions, but even for the softer things or the human things or even the CEO type discussions, I felt that it went back to an old template from a few years ago, which was not enough information density in some of these sessions.

Joseph Carson:

It's the actionable side of things. That's what really kind of the key part is, is that. Thank you for the feedback. I mean, I wish I could have done my session better. I wish I... If I was to change, I would start the demo much earlier. I ran out of time for the demo portion, so that's what I kind of realized that coming back I was like, "Oh, the demo worked great but I should've started it much earlier because that's the more interesting aspect."

Bob Burns:

Yeah.

Joseph Carson:

When you're doing those, you always learn from it...

Bob Burns:

Of course. But I always find-

... again, the important thing is the why, and that's what really draws me in is when the audience can understand why something is happening or why something needs to be done or why it was done a certain way. For me it's just a lot more compelling, so moving forward I would like to see some RSA sessions on the AI side. I think that again is... It's an emerging topic. I think I've seen some really interesting information coming out recently around threat modeling of AI, what do those models look like, where are your risks, which I think are important to understanding any of these systems. I'd really like to continue the trend on being able to secure a broader set of assets. I won't use the ZT acronym around what it is, but the reality is that our data and our assets and our people are no longer constrained inside of a castle and behind a moat, right?

Joseph Carson:

Yes.

Bob Burns:

The days of us living in an office and sitting all together where you can put up hard defenses don't make sense, and not just from an IT perspective, really from all kinds of assets, whether it's development or it's data or it's compute. I'd really like to see a lot more focus on techniques for being able to make sure that you can understand where your assets and data are, how you scale that to multi-cloud, and then also deal with regional and sovereignty issues because that's the other big trend I see coming is that countries and nation states are really taking a much more keen interest not only in your assets and data, but also in your process, your security.

A completely different set of organizations want to take an interest in how you do things. I think it's starting to sort of move the industry towards siloing again where we're going to start putting up borders and boundaries and all of that brings security. It changes the security landscape. Your threat model is no longer a pretty picture with just a couple of AWS blobs on it. It becomes a much bigger beast with its own circulatory system and living and breathing systems that keep everything in check, and trying to secure that is always going to be a challenge.

Joseph Carson:

Yeah. The regulatory... Very much the nation states are all kind of looking to kind of keep certain data related to their citizens within their land borders. For those listening, definitely go look for the episode where I talked about the data embassy. It's also something that Estonia has been utilizing in order to do... At least to allow their citizens' data to be outside the physical land of the country and still be under the sovereign law within other locations. It's always an interesting episode to listen to. Bob, it's been fantastic having you on. It was very insightful, very educational as always, getting your feedback and your views and what you learned from RSAC and the networking side of things and some of the outlooks and how you're putting those into action within your organization. It's always fantastic listening in. Any final thoughts? Any final takeaways for the audience that you kind of want [inaudible 00:41:46]?

Bob Burns:

I would say my big takeaway is I would say find something that works for you and do try to attend events like this. RSAC is the big one, but it doesn't have to be the biggest one. Find one in your region. I think... I'm a particular fan of BSides. I think that they're very regional. They usually reflect the community that they're being run in so you can usually connect with a lot of people with similar interests, but it doesn't have to be those. I'd say really find some folks that are convenient for you to geographically get together with because as fun as consuming this stuff on YouTube is after they publish it or make it live afterwards, there's really no substitute for having a face-to-face conversation with somebody who has some shared experience but also can bring a different perspective.

Joseph Carson:

Absolutely. The conversations in the hallways sometimes are the most valuable from events. I definitely cherish and value all of the lessons I've learned from the hallways and the networking, especially people like yourself and others that I've met. I've learned a lot from those interactions so very much appreciate it.

For the audience, I hope you really enjoyed this. This was another fantastic education, getting the key takeaways and some of the top trends that we're looking at and some things that Bob has put into place that really looking in order to kind of... From the empathy and the culture side of things, which I think is vital to our industry. Again, tune in every two weeks for the 401 Access Denied podcast. I'm the host, Joe Carson, and, again, many thanks Bob for being here and sharing your insights and really great experience and knowledge with the audience.

Bob Burns:

My pleasure.

Joseph Carson:

Again, thank you very much. For everyone, take care, stay safe, and see you in two weeks' time.