I’d like to introduce my cohost, Camille Morhardt, Technical Assistant, and Chief of Staff at Intel’s Product Assurance and Security Division. She’s a co-director of Intel’s Compute Lifecycle Assurance, an industry initiative to increase supply chain transparency. Camille’s conducted hundreds of interviews with leaders in technology and engineering, including many in the C suite of the Fortune 500.
Camille, welcome today.
Camille: Hello, Tom, how are you doing?
Tom: I am doing well. So for those of the audience here, our first segment in each podcast is called Security Matters, where we discuss items that have caught our eye or piqued our interest in some way. So Camille, in our very first podcast, what’s on your mind for today’s Security Matters segment?
Camille: What I’m interested in is really what is a security mindset and is it something that can be developed? So just to explain that a little bit, I’m thinking, I hear terms like, “Hey, this company has security in the DNA of its organization.” Um, and then I hear, “and that company really treats security, like a check the box exercise.” So what I’m wondering is if a company hasn’t organically developed this sense of security in the DNA, is it possible for them to get there?
Tom: Interesting. So what do you mean by “security in the DNA?” I think that seems like a, one of those buzz terms that might mean something different to whoever you talk to?
Camille: Yeah. To me “security in the DNA” means that there’s no question in anybody’s mind within the organization or anybody who encounters the organization that security is always at the forefront of anything anybody’s doing. And it’s always something that is held in high regard. So it’s never something to be dismissed.
So for example, like I can tell Intel, uh, to choose a slightly different topic: safety. There’s never a question. Safety is always top of mind for everybody to the point where it borders on the ridiculous, right? You can walk up a stairwell at Intel and it says “Are your hands free? Be sure you can grab the railing,” you know, “get a cup holder for yourself.” Or even “It’s summertime, be sure you’ve got sunscreen on.” It overflows to beyond what’s even reasonable, right? There’s no question that it matters.
Tom: No, I laugh. Because I’ve seen those signs. So it is absolutely built into the culture.
Camille: And I think beyond that, there’s no question that say any executive you might happen to find in the stairwell is also following that behavior.
Tom: That’s right.
Camille: So it’s not something that people preach and then it only grassroots; it’s really embedded top to bottom in an organization. And anybody new who comes in, you know, quickly realizes that it’s not a joke.
Tom: Right. And I think that’s true on a safety sense, but we started off with security. So what would that look like? If security were to the same extent that safety was built into the way everybody thinks, what would that look like?
Camille: I’m not sure that you can guarantee security in the same way that you can guarantee safety. So in other words, you have a controlled environment in many safety situations. Let’s say not probably if you’re driving down the road or something, but if you’re operating a manufacturing facility, you’ve got a pretty controlled environment. You can make sure that people are never walking where a robotic arm is swinging or something like that, right?
When you talk about security, particularly in the compute space, you’re by definition, you’re releasing that product out into the ethers and then one step worse, you’re connecting it to the internet. And if you’re not doing that, you’re probably not leading on the sophisticated end of things anyway, right? So if you want to be, you know, internet of things, or even just generally operational these days, you’re connected to the internet to some degree. Well, how do you guarantee that? Because there’s no perimeter security, right? You can’t lock the door and everything’s safe. You are accessing the outside world. So how did you go and do that?
Tom: It’s a bit, not almost, non-deterministic, like it’s a never-ending journey with regards to security in that sense, like how paranoid do you need to be? What are the threats that you are concerned about? And it seems like that list would be at least always evolving, if not never ending.
Camille: So how, how do you get your organization to put security first if it’s not doing it already?
Tom: Well, I think, you know, you’re raising a good question. There’s no single answer for sure, but I think first and foremost, people have to realize security is everybody’s business. It’s not the security team’s job to keep the product safe. It’s everybody’s job.
It starts from initial product inception all the way through manufacturing and even out into the customer real world. And then the other element I think is, yeah, maybe, you know, the stick approach, you know, the carrot and stick, the stick approach is just: dollarize what happens when you’re not secure and what happens to your brand reputation and what happens to, you know, the costs that you incur as a company. They’re significant.
Camille: I like it. So submit your, your budget of “I’m going to need this much money because we’ve had a breach.” As opposed to…
Tom: Yeah, write the headline the day after the breach, and that might motivate people. This is a good topic. We should talk about security and what people should be thinking about and maybe what isn’t so obvious. I think that’s the podcast for today. Let’s, let’s go with that as a podcast.
Camille: Sounds good.
Tom: In today’s podcast we’re going to explore the key elements of cyber security that you just can’t ignore. And for that topic, we’ve got a guest I’m really excited about: Maribel Lopez. She is a founder and Principal Analyst at Lopez Research focused on digital transformation. Maribel Lopez founded the Emerging Technology Research Council, which is a community of business and technical leaders in Fortune 1000 companies focused on driving innovation and business value with mobile and other emerging technologies.
So welcome Maribel.
Maribel: Thanks, Tom, excited to be here.
Tom: Could you tell us more about this research council?
Maribel: The research council is a group of technology leaders. They come together to talk about best practices and deploying technology. Some of it’s emerging tech, but some of it’s tech we’ve talked about a long time that just continues to change.
Tom: That’s interesting. So, you know, in today’s topic, I mentioned earlier, we wanted to talk about the items about security that people just can’t ignore. I wonder if you could talk a bit about the overall security landscape.
Maribel: I think one of the things that’s really interesting about security is that I look at it as a layer cake. There are multiple layers of security that you need in an organization. And sadly, there’s no one-size-fits-all. You have to basically block and tackle every single layer of that. And we hear that from the customer base. They’re continually asking us, “Hey, do I need to deploy this? Should I be looking at that? There are all these new tools. I don’t know which ones I should really be diving into. What do you think?”
Tom: Can you say more about how customers view just standard security?
Maribel: I think they want what everybody wants. They want a silver bullet. They want to just throw in one tool, it’d be one and done, maybe two and done. But if you look at the average corporation, there’s somewhere between 40 and 80 security tools. There’s definitely a sense of fatigue, particularly as we continue to get more and more new threats that seem to have a never-ending set of tools. It’s like, how many security widgets is enough already?
Tom: Uh-huh. No, I, I definitely myself, in talking to customers, run into all the time, the, just the complexity of how one security tool impacts and influences another security tool. And just keeping that as you call it, the layer cake upright is a huge challenge.
Camille: Hey Maribel, it’s Camille here. So is it just networks that we need to be concerned about, or also endpoints?
Maribel: Actually, that’s a great point, Camille, because you know, the, one of the other real security challenges we’ve seen, particularly as people have gone to remote work, is this concept of aging PC devices that don’t have trusted security stacks on them. They could be tablets, they could be PCs, it could be mobile phones. So really the endpoint has become very wide open and open for attack and compromise.
Camille: Do you have advice for companies now everybody’s working from home, how they can boost security in those home environments?
Maribel: Yeah. So the first thing I think we have to figure out is are they using personal hardware or not? Is that hardware compromised? Because let’s just say you give somebody a VPN and they’re tunneling into your network, but their actual machine is compromised. You’ve just let somebody into the network inadvertently.
So, finding ways that you can test the health of the device, finding ways to manage devices that are personally owned, but in a way that you can separate the corporate data from the personal data, I think is one of the low-hanging fruits. And then hopefully getting to the point where you actually have hardware that you provided to your employees that you know is safe and secure and that you can manage, and having that ability to manage.
But I think the other thing we have to think about is patching in general, just making sure that everybody’s machines are patched up to date. And then finally, I’d say we forgot about security training. A lot of people were sent home very quickly and they just didn’t have that set of best practices of knowing not to click on links or other things. Particularly, a lot of people were getting caught in the early days with the concept of, you know, click on this link to hear more about COVID and what it means for you. A lot of machines were compromised that way.
Camille: So there’s depth, right? And then there’s also breadth, which we may not have considered so much in hardware until recently. True? I don’t know, Tom, are you seeing product portfolios starting to address system health after manufacture, after we ship?
Tom: We have. Actually, what we’re seeing is a realization that a device has multiple phases over its existence. It has really the build phase, which there’s a lot of focus on the build phase. And then there is a transfer phase when a device moves from its manufacturing location to ultimately to the user of the device; then there’s the operate phase; and then finally the retirement phase. And security means something different in each of those phases.
And so we’re starting to see customers paying attention to what kinds of capabilities the platform needs to be able to support in order to stay safe in these various ranges. Like for example, understanding has the device been tampered with before you provision it and put it on your network? And increasingly we’re seeing companies work, in this case with Intel, to do that.
Another area is around IoT. The devices don’t have users attached to them. So they sit on a telephone pole or in a factory somewhere; they don’t have a human sort of managing them and looking for anomalous behavior. And so IoT is a whole category of use cases that is very much concerned about physical security, because somebody can tamper with the device physically, and just making sure that the device is operating the way we would expect it to be.
So Maribel, I wonder what kinds of protections are you seeing customers implement on IoT besides the ability to update?
Maribel: Yeah, so the first thing I think we have to actually do very basic things, like change the names, change the passwords. Well, let’s just assume you did that. What would you be looking for next?
You’d be looking for, you’d be looking for encryption. What’s the behavior of that device? Intrusion detection, and make sure that that device hasn’t been compromised and taken over and being used to send traffic that it shouldn’t be sending. So those are a few of the things that we’ve been talking to people about, is like go the first mile, but then go the second and the third to make sure that you’re really assessing the behavior of those devices and understand what they should be doing and then understand what they are doing. And if there’s a difference between those two, make sure that you’re turning on the right kinds of security stacks to make sure that those devices don’t get compromised, or remediate them if they have.
Camille: What risks should companies be looking at in their supply chains that they might not be tuned into right now?
Maribel: Great point, Camille. I mean, the supply chain is sort of the initial threat vector before it’s even at the person. So when we talk to people about the supply chain, it’s important that you understand several things. First is like, what are the components within that supply chain? And can we verify that those are actually the right components, that they’ve been signed by those individuals saying, yes, this is the component. It’s the right component.
The second one that we need to think about is your suppliers themselves. They could be compromised. And if they have your data, then that compromises you.
The third we should be looking at is I know, particularly now–while there might be hardware shortages or where there might be some sensitivity to budgets–we see organizations starting to buy in different channels that they might not have purchased in before. And they in fact might be getting counterfeit hardware.
You know, there have been examples, many examples of, for example, networking equipment, where people thought that they were buying a specific brand of networking equipment, but it turns out that they were buying a very compelling fake. And imagine that, you know, in the deep part of your network, you have hardware that is not the right product. What could that do if somebody put software on that to take over your network, steal all of your data?
So you really have to think on a component level, or if you’re purchasing, who you’re purchasing from, and being able to validate that that whole system is the whole system that you bought, or validating specific components of it. So there’s a lot in the supply chain that I think we have to think about that we didn’t necessarily consider before.
Tom: So I, I wonder if maybe we transition just a little bit here and look now into the future over the next several years. I wonder if you could talk, maybe a little bit about some of the major shifts you expect to see over the next year or two.
Maribel: Well, I think the big shift that we’ve been talking about for a while now, but has not really permeated into organizations, is around this concept of “zero trust.” And so this is where you’re doing user behavior analytics, where the user could be a person or it could be devices, but think about creating a profile of what your known behavior is and then being able to say, using machine learning and deep learning, saying that behavior we’re seeing now, it doesn’t look like normal behavior for that user, for that entity. What should I do now? Well, usually you want to quarantine that person or thing, and then do some security checks to see if we’ll allow them back into the network.
That concept of what normal user behavior is, is a bit topsy-turvy in a world where people are working remotely, or even worse, they’re going back and forth between work and home and some other place. So when that happens, predicting what “normal behavior” looks like can be difficult, but that zero trust concept seems to be where we’re going right now.
Camille: What are some of the issues that IT departments might be facing right now, as people are struggling to figure out how to get things set up in a kind of unusual environment quickly?
Maribel: So they’ve had a couple of challenges. One is obviously figuring out how to support remote work, you know, how do we get devices into hands? How do VPN clients scale? Do we want to do things like virtual desktop so that we can have better security? How do we think about that whole portfolio then?
Then I think we’re going into a secondary layer of when we’re starting to think about zero trust or when we’re starting to think about connecting more devices, how do we construct roles? How do we construct policies around those roles? What looks like normal behavior?
And then I think we’re also looking at, I need intelligent hardware that has intelligent software so I’m not drowning in alerts. You can see a world where people are drowning in alerts continually, particularly with more tiny devices, sending lots of information.
So we’re now being tasked with finding solutions that will be more predictive and prescriptive on behalf of us and say, “Hey, I think there’s a problem that might be happening here. And here’s what you should go look at to see if there’s an actual problem.”
So we talk about automation, but we’re not necessarily automating the human. What we’re trying to automate is getting the right information to individuals so that they can act accordingly.
Tom: Yeah, I think there’s also the other element on top of that, which is the experience from the user standpoint has to still be good because if it isn’t good, we’ve known for years and years now that employees will go around the IT solution and effectively sort of create their own platform, their own set of how they get things done maybe as like a shadow IT problem.
Maribel: Yeah, we’re seeing shadow IT. Shadow IT is real. And what I think it really gets to is that user experience part that you talked about. So now I think the imperative for business leaders is to say, “Hey, we know that people are going to be using a set of their own solutions. Let’s make sure we know what they’re using. Let’s make sure that we protect the data that shouldn’t be in, say, some third-party document storage, that shouldn’t be in some third-party email client.”
Really, it’s also one of the things that I think is so important about the post-COVID world of work. We have an understanding and a need now to say, “We have to support multiple platforms. How do we do that in a secure way?” Because we also have the data imperative where we have to make sure that we’ve secured the data, because there are penalties around that, there’s regulation around that. And we have to be able to marry the user experience and the regulation and the security.
Tom: To me, this seems like we’re just at the beginning of a fairly significant transition when you think about security, forced into it in the near term by COVID, but it will likely, in my opinion at least, continue on beyond that.
Tom: Let’s, let’s try to have some fun now and talk a little bit about what do you think are some of the things that you just cannot wait to get away from now in this current COVID-19 scenario? And then I’m going to follow it up–I’ll just tell you right now–I’m going to follow it up by what are the things that you hope to preserve that were maybe some surprises from having to work from home or all the other things that we’re doing with COVID?
Maribel: I think we need to have a more balanced meeting where it’s some video, some audio, and sometimes it just might be some messaging, ’cause you don’t need to see anybody that day (laughs). So that’s one.
You know, on the security side, one of the things I don’t think we’ll get away from that we were sort of forced into, but maybe it was a good force, and that’s the concept of you’ve got to check the settings on everything. So things like we saw in the video conferencing area, where we had, you know, video bombing, so to speak, where people were coming in where they weren’t supposed to be coming in.
There’s a lot more sensitivity now of making sure that you have your settings right. And then when things update, your settings are still there. So things don’t turn on automatically, or you’ve put in the right security so that people can stay out of your meetings. Things of that nature, I think, are good.
Tom: That’s a good list. I have a couple of things myself. One thing I can’t wait to be done with at some point is the fact that every time I dial into either a video meeting or now an audio meeting or whatever, my computer cannot remember what audio and video device it thinks it’s talking to. It just drives me crazy. Like, why can’t we solve this problem? It seems like such a solvable problem.
And then the thing that I really, really love about this time is I don’t have to drive to work. I love that. Video for me is, yeah, it’s a substitute for actual face-to-face contact, but I have a hellacious commute and I love the fact that I don’t have to do it.
So Camille, you have anything?
Camille: I think we’re going to see more and more communication or interaction-style apps emerging, both for fun, um, and also education and also work related. Everybody’s got this issue with video. So what kinds of interesting things are we going to see emerge? So I’m very much looking forward to that.
And I’m also concerned, as Maribel said, that we are able to make sure we have, we maintain privacy and appropriate security and confidentiality with those new emerging apps.
Tom: The one thing that’s for sure is that we won’t be going back to the way it was pre-COVID-19; there’s definitely going to be changes.
So with that, I think we can draw this podcast to a close. I’d like to thank Maribel for joining us. Your insight today was great. I think it gave us a perspective on customers and, and in particular, some of the things that people aren’t necessarily thinking of when they think about security. So Maribel, thank you again for joining us.
Maribel: Thank you.
Tom: We invite people to please subscribe to our podcast. It is going to be published on an every-two-week basis. So we’ll have topics that are relevant for cyber security coming to you every two weeks, so subscribe wherever you get your podcasts, and we will see you next time.