401 Access Denied Podcast Ep. 116 | Security by Design: A Risk Based Approach with Nathan Wenzler
Episode 116 | 2nd October 2024 • 401 Access Denied • Delinea • Duration 00:40:33


Shownotes

If you started viewing your cybersecurity program through a risk lens, rather than a technical lens, how would that change the conversations you have with business leadership? You might be asking questions like, “How valuable is the thing we’re trying to protect?” “What does it mean to the business?” “What would be the impact if it were compromised?” And, of course, “How much are we willing to invest to protect it?” In this episode, Nathan Wenzler, field CISO and advisor, shares his perspective on the meaning of “Security-by-Design.” More than guiding how you implement security tools or write code, he views it as a mindset shift to view your security program through a risk lens, not purely a technical lens. He and Joe share recommendations for a risk-based security strategy and communicating metrics in the language of the business. Tune in to learn how you can build the case for security investments and a program that’s going to be successful in the long term.

Connect with Delinea:

Delinea Website: https://delinea.com/

Delinea LinkedIn: https://www.linkedin.com/company/delinea/

Delinea X: https://x.com/delineainc

Delinea Facebook: https://www.facebook.com/delineainc

Delinea YouTube: https://www.youtube.com/c/delinea

Transcripts

Joseph Carson:

Hello, everyone. Welcome back to another episode of the 401 Access Denied Podcast. I'm the host of the show, Joe Carson, Chief Security Scientist and Advisory CISO at Delinea, and it's really exciting. I'm always... I love doing these, because I get to talk to amazing people. It's one of the things that, it's one of the reasons why I started the episodes was to continue being able to interact and learn things.

I'm really excited to introduce the guest of today's show, which is Nathan, who we've known quite a long time. It must be almost 10 years now.

Nathan Wenzler:

Almost 10 years. Yeah.

Joseph Carson:

Absolutely. Nathan, welcome to the episode and the show. Do you want to give the audience a bit of a background about yourself, who you are, what you do, and maybe some interesting things about yourself?

Nathan Wenzler:

Yeah, first of all, thanks for having me. This is, I think, a long time coming. You and I have been discussing this for a while, so I'm very happy to finally be here. Yeah, I've been in the security industry now almost 30 years, as it's sneaking up on me here a little bit. Been kind of all over the place. I started in government, did my career a little backwards. Instead of retiring into government, I started there as a security analyst, and building security programs from scratch for a lot of state and local government agencies.

Moved into the private sector. I did advisory work for a long time, was a CISO at a few companies as well. More recently, I've been more focused on the field CISO, advisory CISO kind of roles for consulting firms, and some of the security vendors as well. I've had a really great opportunity to be on both sides of the fence, if you will, from a leadership perspective and a tech perspective. Yeah, that's where I've been the last several years.

In terms of my hobbies, you want to talk about that, the Legos in the back, that's a big thing for me. I've been collecting and building Legos for probably my entire life. I haven't given that one up at all. That's what usually keeps me pretty busy in the off days.

Joseph Carson:

That's a good hobby to keep yourself focused. In our world, sometimes it's a very scary world, and sometimes you need something to take you away from that, and put your energy into other things that allow you to start, also sometimes, to get the creativity. When you're doing those, it allows you to get ideas.

Nathan Wenzler:

Exactly it. Yeah, exactly.

Joseph Carson:

Fantastic. Back to the episode and the theme for today's podcast is all about security by design. It's a big theme. CISO is always driving it and securing our digital world, and it's also about how do we secure the future, especially in an AI-driven world?

We're starting to see AI coming in from both the tech perspective and the defensive side of things. When you think about securing by default, what comes to mind? What's the things that get into your mind when you think about strategies, threats, and risks when it comes to security by default?

Nathan Wenzler:

Well, I think in general, before I even jump into the AI part of it, which I think has its own whole section of this conversation, if you will. No, I think in general, what we have to really keep forefront of our minds when we're talking about security by design is that it's imperative that security programs and the practitioners out there really start to embrace everything they look at through a risk lens, and not from an IT technical lens.

I think that we sometimes have a misunderstanding of when CISA, these folks are talking about secure by design, they're not necessarily talking about how you implement your security tools by design, or how you write code for your applications by design, small part. It's really that we're not, we need to be looking at our entire security program from that risk lens, from the what are we trying to protect? How valuable is the thing that we're trying to protect? How much are we willing to put into protecting it? What does it mean to the business?

It's all of those business level risk decisions. That's the part of design that you want to build around. You build policies around that procedure, then you start to decide what tools support that kind of process. I think for a lot of organizations even today, I still see a lot of folks that struggle with that. They approach the secure by design process from a tools of implementation standpoint purely.

Joseph Carson:

Absolutely.

Nathan Wenzler:

While that's a part, you've got to really start with the risk lens. You've got to have the business engaged, understand what you're trying to protect, then you can design the right tools and processes around that. That's got to be the foundation. If we can do that, you've got a much better chance of building a security program that's going to be successful in the long term.

Joseph Carson:

Absolutely. When you think about it, what you're saying is that's the evolution of what security has been. We were born out of IT. That was the history. That's where we came from. We have evolved and matured that it's no longer an IT problem. It's actually a business problem. It's a business risk, because when those security controls fail, it impacts the business.

It always gets me thinking about when, I always try to use metaphors, I always think you can sometimes look at it from our perspective. You can do all of the security protection of that car sitting in your garage, and you're not using it. You will have a different approach if it's a tools approach to making that car safe. The moment you start driving in the road with all the vehicles, with maybe different terrains, different conditions, different speeds, then the risk changes.

To your point is that what you're thinking about is that we need to move away from doing security from a tools perspective, a static perspective, to something that is context-based, that is based on the environment that that actually is being used in. That might change some of the ways, and policies, and enforcements of how you measure risk.

Absolutely, I think that we are through this... Not every organization's there yet. It's a journey, and many organizations-

Nathan Wenzler:

Absolutely.

Joseph Carson:

... Are in different stages of that, but it is a maturity that we're seeing that security is not an IT-driven perspective, and it's moving into business-driven and business resiliency side.

Nathan Wenzler:

Yeah, 100%. I want to echo what you just said in the sense of not everyone's there, for sure, and if you're working for an organization that's not there, make that part of your effort, start to build those education sessions with leadership or other security folks. Start to build that mentality of being risk-focused instead of just purely on an IT technical side, because that is the future for security.

That's absolutely where we're going to live in every organization is that risk advisory function, rather than here, you're the guys who implement, deployed our firewalls, right?

Joseph Carson:

I think every time, even when you get into that, it's how you measure and how you do the measurements has always been wrong as well. We always think about things as availability of the system, but what does that system actually functioning to the business, what's the service that it's supporting? You can think about, well, if that service is, let's say, generating revenue, then you're not protecting the system. You're protecting this revenue, and therefore, depending on how much downtime that that system has, that's the... that you've got business revenue.

We need to reverse how we look at measuring and metrics, because I believe that we've been doing them wrong way too long. To your point, we've been doing it from an IT and a tools perspective, and not from a business perspective. We also sometimes get too heavy into the methodology and terminology from that side. We need to learn how to communicate in the business language, in some regards, to getting better at... One is getting the exact set of teams, first of all.

Nathan Wenzler:

Well, it's funny, many times in my career, I've talked to CISOs all over the place who say things to me like, "Well, my security program's not working. I can't get any executive buy-in. No one wants to give me budget. None of them seem to get what I do." I've reached a point in my career where I literally will just look at that person and say, "Oh, I bet it's because your metrics that you're doing for your report to the board are things like total number of vulnerabilities found last month, total number of probe attempts on the perimeter last month, total number of patches deployed last month."

They look at me and go, "How did you know that? That's exactly what I do." You have to try to walk people through that process of like, "Well, first of all, look: volume-based metrics that you're talking about, that's an IT metric. That's a workload measurement. How much work did you do?"

Joseph Carson:

If you're presenting to the CTO or CIO, that's the right metrics.

Nathan Wenzler:

Right, exactly, because you're trying to tell the technical folks, "Here's how much work we have to do this month or this quarter. These are the numbers of vulnerabilities or the number of patches we have to deploy." For technical people, yeah, that's a reasonable metric. For a business person, so you deployed 5,000 patches this month. Is that good? Is that bad? Is that... Tell me how much money we made. That's all they really care about.

Getting away from those volume-based metrics, to your point, that's how we did it 20 years ago. 20 years ago, when security programs were just starting, we were operational, we were just implementing tools. As we've evolved and matured, those metrics have to go, at least for the board, those metrics have to go away. We have to get to that place where we're saying percentages and risk scoring, use letter grades. I don't care. Use something to just represent the state of risk for the whole environment. That's where you want to start to live.

Joseph Carson:

Absolutely. Really, one of the things I've admired over the years was Paul Proctor, you know Paul, he's one of the Gartner analysts who's really driving the business outcome-driven metrics from a security perspective. I love that initiative. I remember talking with Paul years ago about this, and I really admired the research he was getting into. It made the realization is that that's where we need to be getting into is business outcome.

How was it helping the business? When I was talking with Paul about this years ago, it was also the realization that I came to the... years ago on a power station, and it was me and the CISO to present it to the board. Those were the types of metrics. There's... place to be fine. What were the incidents? What were the misconfigurations? We took it from a tool IT perspective, and the CISO and the CFO said, when we went through and we did a presentation, the CEO said to us, "Great presentation. ....budget tonight."

I'm going, I was like, I was in shock. It was a time for me, what I was realizing was I feel ... and I wanted to know why. We got the talk afterwards, and literally CFO and CEO said to us, it was like, "You didn't show us how you're helping us do the business better. How are you helping employees?" That was a fundamental turning point in my career when I realized, actually, my job is now changing. That was the time where it's me moving from IT security-focused tools person, to realizing that actually, my skill set's still that.

My skill set's cyber security knowledge and experience, but my job has changed to being, helping basically businesses reduce risk and becoming more resilient, protecting the brand, protecting the revenue. That was an evolution. It was a realization that my job was helping employees be successful, but by doing it in a much safer, less risky approach. That was a fundamental change, and my mindset changed.

Nathan Wenzler:

Yeah. We need more of that. We need more people to embrace that. I think for what I've always suggested to people is if you're in a security practitioner role, take the time and go out to the other business units in your organization, and ask them, "How do you see security's role in the organization?" Don't tell them what you do. Let them tell you what they think you do. What you're going to find really quickly is everybody's got a different answer.

If you go and talk to legal, they're going to tell you something like, "Oh, you all help us with policy compliance, or regulatory compliance, right?" If you go talk to HR, they're like, "Oh, you're the people who do forensic stuff for us when we let somebody go," or everyone's going to have a slightly different answer. That should tell you that your role in the organization is sort of this translation team. You're there to take all this security data, all this information you've pulled together about risk, and you've got to translate it to different people in the organization in different ways, with different words, to ways that are relevant to them.

The minute you start to realize that everyone thinks about risk a slightly different way, or values a certain part of the business differently, it will let you as a security practitioner better communicate to each of those groups in the ways that are more relevant to them. That's, again, that's a game changer from a communication standpoint to get you aligned to the business and get everybody to get excited about, "Oh, security's here to help me. Every time I talk to them, they're telling me stuff that's relevant to my business unit." Yeah, that's where budgets open up. That's where you start to win.

Joseph Carson:

Absolutely. One of the fun questions I learned that was very impactful was that I started asking people, "Well, what does success look like for you and your team?" Then getting into, "What metrics are you measured on, and what do those metrics mean, what does success on those metrics look like for you to get your bonus?" That's what drives people, the motivation.

It was really interesting, because when you start getting those answers... that's completely conflicting with the security approach, just because they're measured very different from the security side.

Nathan Wenzler:

Right.

Joseph Carson:

What that meant was that you had to align, how can you align your security strategy, and policy and goals to helping them be successful meeting their metrics, and their success, and getting their bonus? Ultimately that's where you start working together. That's where the interoperability, and that's where zero friction comes into play, is that you start working as a team.

It was really interesting, when you start hearing those metrics coming back and just... That's completely opposite of what we're trying to achieve from a security side. It's sometimes quite shocking, but those are important questions that we need to be asking, because that's their motivation. That's how they get measured for success.

Nathan Wenzler:

Yeah. Well, I think for me, I always frame this as part of that risk mindset, because while every employee achieving their bonus is not necessarily a business risk, it is a personal risk. That person has a personal investment in getting their bonus. If something happens that prevents it, that's a risk to them.

Again, if we move out of the IT mindset where we're just, "This is the one way we implement, this is the one way we do security, this is the one way policies are written, that's all we ever do," you move away from that into a risk mindset, where everything is fluid, everything's dynamic, it changes all the time, changes every day, and the risks change all the time. You're talking to the CEO, they're thinking of different risks than the database admin down the way who's been resisting deploying patches. They have a different concern in their head.

Joseph Carson:

Yeah, they'll focus on availability, and also integrity, which can sometimes mean that you don't want to make changes too much. You want to minimize that.

Nathan Wenzler:

Right. How do you help those two people? Well, it's going to be different. If you embrace that idea that they're looking at different risks, the risks mean different things, they're measured differently, they're rewarded differently, then you have a better chance to start building answers for them that are relevant, and they see you as a partner. It's a whole big change.

Joseph Carson:

Going to the topic from the security by design, which for me is I'm always like, I think it's a great idea, and I think it's a great initiative. I think though you have to look at it to make sure that we're not just thinking by design, because design is one. I always say that it should be secure by default, but then when you go down that process of securing by default, meaning that it should be turned off, one of the things we don't do well, and what we need to start doing really well is security.

We start thinking about the business side, and who our customers are, is that anytime we put a security control in place, one methodology I've heard, and I know a few CISOs who they get measured on this, and they actually have a metric about user experience, is that they want to make sure that as they're putting something in place, it has to be better than what they're currently doing today or yesterday. It should not be more difficult to do their job and be successful with security in place.

We actually should be looking at how do we make it more efficient? How do we make it much more usable and fun, and that they want to use it, not just in the workplace, but also at home, and with their family? For me, secure by design and secure by default is where we start actually not just doing it in our job, but where you get to the point where it's actually doing it in our society, where we as people, we learn it from our workplace, we learn it from our peers and organization, and the strategy that we got in place, but we actually take that back into our family, into our society.

Security, one thing I learned was that security doesn't start in the office. It doesn't start on the organization's computers. It starts in the social sphere of our employees, and contractors, parties and suppliers. We see that time and time again, that the risk doesn't just sit in the systems we own. It sits in supply chains. We've seen that. We've seen that with the CrowdStrike recently. Even it was a cybersecurity company that had an... that it wasn't an IT-related issue, because it was a security-related issue.

It brought lots of organizations to a standstill. What's your thoughts around the security by design concept, and any thoughts around how can we make sure that organizations can make it successful and can do it around the right way?

Nathan Wenzler:

Well, I hate to echo a little bit what we've been talking about, but I think, again, we're at a place here where if you think there's only one set way of doing this right, you're doing it wrong. Every organization's going to approach the by design part of that statement a little differently. They're going to have different requirements. You bring up that some companies have requirements about the user experience.

Well, some companies don't. Some companies have said, "We don't care. If it's harder for the employees, we don't care as long as these assets are protected, or these things are secured," because that's their priority for the business.

Joseph Carson:

The assets, the data might be the defining value of business.

Nathan Wenzler:

Correct, absolutely. That's part of it is we have to start approaching this problem from a very flexible sort of position. Not that we want to give up on our integrity or give up on the strength of the program, but you have to... There's no single answer to what design you use or what is the definition, singular. The real, the answer is, you've got to figure out the priorities of the business, and that's not always easy. Then you start to build from there.

If user experience is a big part of it, which I will say, I'm an advocate for that. I think it's a very important part of the process. If people don't buy in, they won't do it. They'll find a way around it. They've been doing this forever. We know that that'll happen, but you've got to understand those priorities and build accordingly. It may make you make different decisions. It forces the issue of, "Well, we can't require everyone to use 16-character passwords because no one will use it.

That means we have to implement some sort of simple MFA, one-click sign-on kind of functionality, because that'll be easier for people, we'll get more buy-in." Is it more expensive?

Joseph Carson:

Finding... Yeah.

Nathan Wenzler:

Yeah, but that's what the business wants.

Joseph Carson:

Finding the balance, I've seen organizations who had very complex 10-character passwords, and as they moved to 16 because longer is better, they had to reduce the complexity down because people had to choose passwords of 16 characters or more that they could easily remember with complexity.

Finding that balance is always a challenge. To your point, absolutely, we should not rely on passwords being the only factor of security. If humans are creating them, we're going to create them so that we can remember them.

Nathan Wenzler:

Yeah, 100%.

Joseph Carson:

Therefore, finding and tracking them becomes an easy task. We're getting into the world of AI, which has been trending upwards. For me, I just see AI as advanced automation, augmented intelligence. We're getting there and it is maturing. It is becoming much more normalized, much more practical in regards to where it's actually helping, both from a defensive perspective, but also from an offensive side.

What's your views around how do we make sure as we're going down this reality of a future where AI is going to become part of everything, what do you see from a security perspective, the risks and maybe some of the benefits?

Nathan Wenzler:

Well, so it's funny that we're going to talk about this today. This is something I've been spending probably the last year or so at various conferences and events across the world here, I've been giving a talk specifically about this problem. What amazes me is that though the rise of ChatGPT really kind of the beginning of last year put a lot of attention on AI, we're still, a year and a half later, we are still consumed by hype. Even security professionals I find are still consumed by the hype of the whole thing.

One of the big challenges right out of the gate is how do we get people past the hype? Everyone's worried about the hackers, and they're using it to defeat all of our defenses. Okay, well, why aren't you talking about how it can help you? Why aren't you talking about ways to build tools inside your environment that are AI-based that can help you defend against these things? We need a big mindset shift there. AI, at the end of the day, it's just another tool in the toolbox. It is, I fully 100% agree with you, it's an advanced form of automation. It's an efficiency multiplier, great.

Joseph Carson:

Absolutely.

Nathan Wenzler:

How do you use it better?

Joseph Carson:

It can help me find things much faster than I would. What I can do is I can put the parameters in place to say, "Go look for these, let's say, attributes on prompts," and it will do it much faster than I could do manually.

Nathan Wenzler:

Yeah.

Joseph Carson:

Absolutely, it's an acceleration of an efficiency model. There's two types. I think we're going to have two types of AI models. There's going to be basically kinetic and non-kinetic, meaning that you'll have kinetic, where basically, you will say the algorithm itself, the AI algorithm, can actually make decisions and act on those decisions. What you end up having is the auditability, explainability going and saying, "Why did they make the decisions?" Maybe you need to improve or alternate.

You've got the non-kinetic, which means that it's going to provide humans with options, and provide transparency into what those option outcomes potentially are, so that we can make the decision. Where I say that this going is where you've got the fully autonomous algorithms which are kinetic-based, and the non-fully autonomous, meaning that humans will make the ultimate final decision.

Some of those, what all this comes down to, I really think that the EU AI Act is really up there... principles, where it focuses around the human life risk from it's physically a risk-based approach, meaning that if you have an algorithm that has potentially impacted human life, then you need to go through these basically rigorous, really strict controls.

If it doesn't, then you have less controls you need to go through. I think this is really where it's getting exciting, because it's definitely, I've seen it helping me and doing lots of things much faster, and it's making me more efficient. A lot of it comes down to, it still makes lots of mistakes, so you don't want to rely on it for accuracy. I think what's missing is definitely a level of accuracy, confidence in it, the output.

I still have the argue of how many Rs are in the strawberry, or what's higher, 9.11 or 9.9? It gets into these arguments. I always loved the one with Marcus earlier last year, where he was arguing about the release of Deadpool, where it was arguing that it was already released and it was calling him a liar. I love that yes, sometimes it's getting there, at least. It's improving along. I haven't seen, the only thing I've seen from an attacker perspective is where they're using it for language translations really well.

Nathan Wenzler:

Primarily, yeah. Same.

Joseph Carson:

That's where I've seen significant improvements into whether they're doing campaigns, that language used to be a barrier for some countries and attackers, and now that barrier is gone.

Nathan Wenzler:

Yeah, I've seen the exact same thing. A lot of the fears that AI was just going to write perfect malware code out of the gate, just all you have to say is, "Write a piece of code that cracks into Company A." It doesn't do that. Now, it's an efficiency tool, if you want to get some code written and you're not a developer, you can start with something that won't work, but you're 80% of the way there, and you could start to work on it, right?

Most crafty attackers don't really need that. It's just going to make what they do a little bit faster, which goes back to the whole automation efficiency thing. I think for me, one of the big focuses needs to be on the quantification of that efficiency. When you talk about, and I love your description of the kinetic and non-kinetic uses of it, the value proposition for a lot of organizations around the non-kinetic uses of AI tools cannot, cannot be expressed enough.

When you look at something as simple as managing a SOC, you've got a team of people who are essentially looking at a lot of data from different sources, and they're trying to make good decisions about everything they're seeing. Okay. Now-

Joseph Carson:

Everything's red.

Nathan Wenzler:

Yeah, right. I have got to be consistent-

... About what do I do? You start to think about things like, "Okay, but if I have to pull a log file from something, I have to interpret that log file, I have to figure out what it means. I might not be familiar with the systems. I need to go search, look up what that thing is or what that application is." Let's say that takes you half an hour, an hour, whatever the time is.

An hour of research times however many incidents per day, times how many per month, per year, how many hours are being spent by your SOC analyst just trying to figure out the problem, so that they can then make the decision they need to make to help lower risk? This is one of those places where AI can be really good. This is where machine learning can step in and help convert some of this data, or GenAI can start to convert some of this into easy language to understand.

If you're working on smaller data sets without public data noise in it, your data is going to be cleaner. The results are going to be more specific. You're going to be able to say like, "Hey, what is that server?" It can just spit back and say, "Oh, here's what the server is. It's a domain controller that has all these things." The reduction of time to answer the question of, "What is the thing or what is the problem?" That's tangible ROI for a business-

Joseph Carson:

It's huge.

Nathan Wenzler:

... Over time.

Joseph Carson:

If you're looking at a specific event and you're thinking, "Where's this all connected to?" You can simply ask, "I'm looking at this specific event. Show me the origin of the original source of where all this came from." If they can take you all back to that original initial session or initial, basically... that's huge, it's huge savings. I do see this from a SOC perspective.

It's going to create lots of SOC assistants. I could be a generalist in certain areas, but then I've now got my mini-me that is an expert in certain areas, that are my assistants. All I need to be able to do is understand how to ask the questions in the right way for them to be effective for me. That's huge.

Whether it being a detection engineer, whether it being an incident responder, whether it being somebody who's looking at a specific password change event, or a logon session, or an IP address... ever been seen before in my environment, and I can go and search through all the evidence and find, you say, "Well, here's the dates and here's the sessions that I can address..." that's a huge value.

Also, attackers are also using the other side is that when they do data dumps into the Extraction, they're saying to the algorithms, "Go and tell me how much ransomware I can demand from this organization. What do their financial results look like?" They're analyzing data, accelerating that as well. It's happening on both sides where you've got those efficiencies. I really loved, one of the episodes I did earlier this year with Nico, and he called it, we're in the era of battle of algorithms.

Algorithms are going to be... It's not humans going to be fighting, it's all the algorithms, and who has the most efficient algorithm will win.

Nathan Wenzler:

Well, because it all comes down to data. If you can make the better decision faster over essentially the same data, you win. That's going to be the trick.

Joseph Carson:

Absolutely. It's the game of chess. The person who makes the decision faster, makes the move quicker, will actually have the upper hand. That's what we're in, and that's what we're seeing, algorithms being really good at those types of very specific types of games that have rules of basically lots of history of models. If you know all the possibilities and you can do them much faster, you have the upper hand.

Nathan Wenzler:

Yeah, and I think we talk about models and especially model training, this is where I think some of that secure by design stuff starts to bleed back into the conversation a little bit. If we start from one extreme, which is we're still buying the hype, and we're scared of it all, and we don't really understand it, well, yeah, it looks really bad and completely unuseful. It's not accurate.

If I hear another executive say to me, "Well, my kids showed me ChatGPT and it doesn't do anything right, so I'm not ever going to use AI." Stop with that right there. When we start to look like, "Okay, well if I want to take advantage of efficiency, how can I implement an AI model, an AI tooling in such a way, but by design, it's safe, it's secure, I can trust the results, and I get the operational benefits out of it?"

I think that that is starting to lean a lot of companies into smaller, purpose-built AI data sets and AI models. We're seeing a lot of the security vendors are starting to go down this route.

Joseph Carson:

Yeah, normalization of what they're doing. Rather than the powered by, they're actually saying what it's doing.

Nathan Wenzler:

Yeah, and it's their data, right? They're doing like, "This is our data set, so we're not trying to be ChatGPT, we're not pulling public data." You might see some of it, especially with the SIEM kind of tools. They're obviously aggregating data together, but it's a controlled data set. I think that's fundamentally one of the places to start.

If we realize that the front of it, this is just an application, and the back end of it is a database, "Well, hey, we've got really good best practices around how to secure both of those things. Let's just ensure the data we've got is well controlled, well understood, and it's relevant to the business function we're trying to make more efficient."

Joseph Carson:

Absolutely.

Nathan Wenzler:

Secure that data set, build your AI front end. It's a chat box, a search box, some kind of small user interface. It's just an application. Secure that the way that you want to secure other applications, limit access control, all that good stuff. When you start to close that model a little bit, it gives you a place to focus your training of the models. It gives you a place to better control the integrity of the results, and that's going to make the thing actually useful...

Joseph Carson:

It adds ROI and value.

Nathan Wenzler:

... In that function.

Joseph Carson:

ROI and value. That's what it's going to provide and accelerate those. When you think about, it definitely means that organizations and executives in leadership, they need to be thinking about their strategies and policies for those right now, and thinking about... They need to have some type of oversight, decision-making for how they're going to leverage AI from a securing by design, securing by default, and also how they can get those efficiencies.

We talked about Paul and Gartner earlier. It's about how you get basically AI-driven outcomes with the efficiency sitting in that place as well. A question I've got for you, how do you stay up to date? This world is so... In our industry, we've been quite a long time. We've seen lots of evolutions and changes. What do you use to stay up to date? How do you stay kind of knowledgeable? Is there any places you go to stay current?

Nathan Wenzler:

A lot of caffeine, and I don't sleep primarily. No. No, it has gotten harder. You've been doing this as long as I have, you know. There was a time, I want to say in the early part of my career, where things like Slashdot, remember good old Slashdot? That was like, "Oh, that's all I need to do. I just need to read Slashdot once a day. I can stay up on all this stuff. It's cool." Obviously, those days are over. I think in a lot of ways, for me, it's a twofold part.

Obviously, I read a lot, and I think I still encourage people to hit the news sites, go to the places you know, go to the dark readings and whatever else, or even just the broader news. Cybersecurity has become mainstream enough that significant issues make it to the mainstream news kind of thing. That's a little bit of a time investment, but you need to see how the world is looking at these things.

The other side of it, I realize what I'm about to say is a little bit of a conflict of interest to some extent, but listen to the vendors. The security vendors have a vested interest in a lot of ways about doing this right, because it's a credibility game.

Joseph Carson:

Especially vendors who do it from an education perspective.

Nathan Wenzler:

Yeah, it's a credibility game. We all know the vendors who shill, and we also know the ones who've invested in smart people who, and they believe in thought leadership, they believe in trying to educate people. It can be a little hard sometimes, but also it's kind of easy when you hear somebody just pitch products 24/7, you know what that person's doing.

There's a lot of really incredibly smart people who have, because they are with vendors, they have the opportunity to talk to lots of different companies in lots of different verticals. You're tapping into a resource that has a lot of visibility in the industry, that if you, working within just your own company, you may not have that same kind of visibility. Find a couple of trusted sources, people that have proven they're good thought leaders. I'm sitting here with one right now, so I'll-

Joseph Carson:

Likewise.

Nathan Wenzler:

... I'll hype your talks here, my friend. Find those people. There's several really great folks out there that I've loved listening to even 30 years into a career. There's folks out there that I just listened and like, "Man, that's freaking smart. I didn't think about it that way." That's the kind of stuff that really, I think, takes you for the longer run.

Once you hear somebody frame the problem or frame the solution in a way you hadn't quite thought of, you start to apply it to your problems, your challenges. A lot of those folks are really good at that. That's kind of what I do. I don't have a stack of books. I don't have a magic list of things I can recommend on Amazon.

Joseph Carson:

It's networking and putting in the hard work, taking the time to read, to listen to. I do a lot of audiobooks. A lot of my time is spent listening to audiobooks and taking notes, meeting people like yourself at different events, and listen to the talks and the knowledge that has been shared.

I think you make a great point as well, is that, yeah, every time I go to a major event where there's an expo area, I will walk and listen to every single vendor as much as I can to hear their story. You're playing buzzword bingo many times. You're going through and-

Nathan Wenzler:

For sure.

Joseph Carson:

... You're listening to the buzzwords, because they like to hit buzzwords, but you want to see what's behind that buzzword, if they have anything that is really tangible that changes the game. You're absolutely spot on. I think taking the time during events and going and seeing what's new and what's out there, not just going to the ones that you're used to going to, but expand it sometimes, make it different.

Nathan Wenzler:

Well, and again, you might find some interesting folks. Even for a junior, if you're brand new to the industry, sales is sales no matter what industry you're in. If you walk up to a booth and you say, talk to somebody, like, "Hey, tell me about what's going on," and they start giving you finger guns a little bit, and they're telling you about how cool they're going to solve all your problems, you know you're talking to somebody in sales.

Don't take that too seriously. You should probably walk away. I also, I love having conversations with some of the folks at startups, because often it's somebody who's been in the industry a long time-

Joseph Carson:

Technical, or somebody who's...

Nathan Wenzler:

... Just building their own thing. Yeah, absolutely. They're really passionate about it. They think they've got a solution for a problem. Cool. Tell me what you're seeing, because you've been doing this a long time and you believed in it so much, you're starting off a company with five of you. Boy, I may not always agree with what they're doing, but I learned so much about how they see it, how they're tackling the problem.

So much to be learned there if you, to your point, strip away a little bit of the buzzwords and all the rest of it, give me some ideas about how you're thinking about the problem, because then that's going to help me think about the problem better too.

Joseph Carson:

Absolutely. Nathan, it's been awesome having you on. I always really enjoy listening to you always have the conversations, and I do admire what you do in the industry and see you're making the world a safe place. Thank you for everything you do. Any final words of wisdom for the audience that you want to share?

Nathan Wenzler:

I think the thing I love to echo the most is just really embrace that risk mindset. The world is changing under our feet every minute of every day. If we're going to take an approach that everything is very technical, and it's all ones, and zeros, and it's absolute, we're going to fail in trying to protect our organizations and trying to rest ourselves.

The more that we embrace that dynamic ever-changing landscape, and it's hard, but the more we do that, the more we'll be successful in this, and the better we're all going to be off for taking that approach.

Joseph Carson:

Absolutely. Security is no longer an IT issue, it's a business issue, and we have to move to that ideology.

Nathan Wenzler:

100%.

Joseph Carson:

It's been awesome having you on. For the audience, again, tune in every two weeks for the 401 Access Denied podcast. Nathan, many thanks for being on. Really enjoyed listening and talking with you. For the audience, follow up, catch up with Nathan on social media. I'm pretty sure that we'll make sure that your contact details are available, so if people have questions or want to learn more, can connect with you. We'll make sure that's available. Thank you, everyone. Take care, stay safe, and see you soon in another episode.

Nathan Wenzler:

Cheers. Thanks for having me, by the way. Thank you.
