
Thursday, March 30, 2023

For UK MSP, optimizing customer experience is key to successful security posture and productivity

Transcript of a discussion on how Scottish MSP Grant McGregor takes the customer experience imperative to new heights, especially as its users move increasingly to hybrid IT models.

Listen to the podcast. Find it on iTunes. Download the transcript. Sponsor: Bitdefender.

 

Dana Gardner: Welcome to the next edition of the BriefingsDirect podcast series. I’m Dana Gardner, Principal Analyst at Interarbor Solutions, your host and moderator.

 


For managed service providers (MSPs), making the IT infrastructure as invisible as possible isn’t just a “nice-to-have" — it's also elemental to delivering the best customer experience.

 

Securing IT for these tech services and support users is no different. The less complexity and interference with productivity from the underlying security apparatus — the better.

 

Today’s BriefingsDirect security innovations discussion examines how Scottish MSP Grant McGregor Ltd. has taken the customer experience imperative to new heights — even as its users move increasingly to hybrid IT models.

 

Here to share their story of better managing the security experience as a means of enhancing the overall IT services value are our guests, David Lawrence, Co-Founder and Director of IT Support Services and Advice at Grant McGregor in Edinburgh. Welcome, David.

 

David Lawrence: Thank you for having us.

Gardner: We are also joined by Paul Sinclair, Head of IT Service at Grant McGregor. Welcome, Paul.

 

Paul Sinclair: Hi, Dana. Many thanks for allowing us to have this opportunity to share our story.

 

Gardner: David, what are some of the top trends driving the need for MSPs like yourselves to provide risk management solutions that go beyond just endpoint security?

 

Lawrence: We typically talk about the threat landscape in the context of the threat actor. What we’ve seen over the last couple of years -- with the need for hybrid working -- is really focusing now on keeping the honest, honest -- and the right, right. That’s the knowledge worker, the poor person in the organization who’s trying to do the best they can in a challenging environment.

 

We see organizations doubling down and asking for our advice on helping them stay right, and that’s through conditional-access policies to protect the organization while away from the central network and with security-awareness training that helps educate those people on best practices.

 

With cloud protection and cloud backup, a lot of organizations have made further grounds into the cloud landscape on how they can best protect their organizational data. Critically, people are more aware now of managed detection and response (MDR) and extended detection and response (XDR) services. They feel that they want a security [blanket] on their organization wherever those people might be working.

 

Gardner: Tell us about Grant McGregor. What distinguishes you in your mind from other MSPs? How do you enhance your customer experience in particular?

 

Work safely with right tech support

 

Lawrence: With 20 years of experience in delivering world-class people support and technology services, we’ve now grown to 21 people who deliver support and advice to more than 1,500 customers and their endpoints.

 

We want our customers to thrive by creating better and safer places for them to work. And that’s critical. People want to be productive. They want to feel that they have an MSP like us watching out for them. Our service desk team delivers people-centric support, protecting the people themselves and their endpoints. We provide proactive support and administration -- just like an outsourced IT department would.

 

Our professional services team delivers what we consider a standard practice, but I’m amazed that sometimes it’s not. That’s the quarterly business reviews. Those are really important for providing the advice and guidance for our customers as they make and continue the journey to Microsoft Azure cloud – with security as a service (SECaaS), cloud as a service (CaaS). I think our strength is triage with all their other partners in that sort of technology ecosystem.

 

Gardner: Paul, how are your needs for securely delivering IT services and support different from three years ago? What are some of the trends driving your ability to adjust and improve to deliver the best possible experience for your customers?

 

Sinclair: Well, as you know, the world is a much different place than it was three years ago. We’ve had to adjust our own practices. We’ve had a pandemic; we have other crises in the world at the moment as well.

 

So, we’ve had to adjust as a business and learn how to work remotely, work in a hybrid model, but at the same time deliver that high-end, 100 percent world-class service that we too strive to do. Not only that, but we’ve also had to support our own client base and our client users with their hybrid and remote working needs by identifying and delivering the right security products that keep our customers safe – and their customers safe, as well.

 

Lawrence: It takes a layered approach. For example, only yesterday we had a threat actor maliciously trying to sneak through. So it requires a number of protection measures in place -- from email protection, to education, to security awareness training, and filtering, as well as using Bitdefender’s Managed Detection and Response (MDR).

 

And it was only at the last minute through the human firewall, of clicking on the link to remove that email, using Bitdefender, in this case, and the MDR service. It had our back and blocked it. So, again, we’re very focused on educating our customer base. No one size fits all. What we need is a layered approach to security.

 

Gardner: Because you’re servicing different regions of the UK and you’re servicing different-sized organizations, you need to readily scale up and scale down. How difficult is it to serve the biggest and smallest of your customers?

 

The future is co-management

 

Lawrence: There are some challenges. Our sweet spot is probably the 20- to 70-seat-sized organizations. And we’ve strategically made our people-centric services agile enough for those numbers.

 

The criticality of that is that we want strong partners and strong solutions. We need to know how those solutions work to gain the best out of them. Then all of our people can know what they’re meant to be doing. That’s always been a bit of a journey.

 

Where we are now is we’re very confident that in using providers like Bitdefender, Proofpoint, and N-Able that we are using leading-edge solutions. But critically, there needs to be a partnership, and that needs to come from our providers.


Our next growth is through co-managed IT services. That’s a really great place to be over the next couple of years. That’s because we can take what we’ve learned, the tool sets we have, and our partnerships – such as we have with Bitdefender -- and deliver and scale those co-managed security services to help our customers’ stressed and time-strapped IT departments.

 

Gardner: What do those co-managed services typically consist of?

 

Lawrence: You’ve seen the data. It’s incredible in this day and age that a lot of organizations -- even still in the UK -- are not patching the way they should. You would think that would be the number-one priority for these IT departments, to patch with the latest Windows updates, and on the applications, too. But that still isn’t the case. We’re cyber essentials assessors, and we see that for our non-support customers.

 

So, we want to help them and allow them to focus on the strategic side of their organizations. We have the tool sets to enable them to patch their endpoint devices effectively and attain that very minimal first-level knowledge that they’re secure. And then we can work with them on the SECaaS value. That’s where we can add real value from the experiences we’ve learned from and from the partnerships that we have.

 

Gardner: Paul, how do you overcome the challenges your customers have with integrating security tools? So often security consists of many different tools, many different underlying technologies. How do you go about making that all invisible to them?

 

Sinclair: When David and I first started out many years ago, you needed different applications from different vendors to secure all the threats that were out there. But it was a lot of work and took a lot of time and effort using different products. Over the years, Bitdefender has given us the capability to have a security suite of web protection, a firewall, endpoint protection, USB control, and other security options.

 

Having this one product as a cloud-based solution -- and that has the integration options with our professional services automation (PSA) and remote monitoring and management (RMM) system as well -- allows us to deploy basically one RMM agent that allows several different security controls to be deployed to any PC at any company very, very quickly. It makes the technical support of that extremely easy. It also makes the deployment and the onboarding of new customers very efficient.

 

Gardner: Yes, as more of us are more remote across organizations, that has hastened the movement to a remote control agent approach to security. Do you agree, Paul?

 

Sinclair: Absolutely, yes. It certainly makes it easier than back in the old days of running around to different PCs and asking users to give up their time during the day to allow us to do that. Now we can do that remotely, silently, and very effectively.

Lawrence: We have seen in our MSP peer group in Scotland, and in the UK, that they are cementing their processes and procedures around one or two key products, and in some cases the customer solution. I’m sure this is the same in the United States among mature MSPs. You can only support what you know. You can only train and certify on one key product and in one key area to be the master of one, but not necessarily the master of many.

 

With Bitdefender, and the other security partners we have, this allows us to focus -- but also put that known stack in place for customers, knowing that we have their backs. And sometimes there are awkward questions from the customers, saying, “Well, you know, I kind of prefer to do it this way” … or “Can I keep this or that security solution?”

Well, we learned from maturity and having the right security posture that the answer needs to be, “No, the answer is no. We’re putting our security stack in to best protect you. And you can hold us accountable, but it needs to be our technology, provided by our partners.”

 

Gardner: Even as so many organizations are moving to the cloud model, so much of security issues comes back to email. Especially in smaller organizations, email remains the source of a lot of security hiccups.

 

How important is picking the right email partner and tools in your overall security posture? What have you found as the right approach to a steady path of productivity given the inherent risks of email?

 

Lawrence: So, as recently as six years ago, we were probably spending about 60 percent of our day managing email security. You know, the false positives, the stuff that shouldn’t be getting through, and all of the headaches that come from malware and ransomware. It was causing us real pain points.

 

Manage email to educate users

 

Sinclair: There are global threats and new sophisticated ways that we’re seeing daily through which criminals are trying to harvest your data. You need the right email security solution that keeps up with the times. Those providers can figure out for you what the new threats are on the back end. Also, we’re no longer having to log on to the systems daily or weekly and tweaking the settings here and there like we used to.


One point I would emphasize as well is email security training for the end users. It’s a big must now, and we’re promoting that to our clients. It only takes one lapse in concentration when some of these busy workers remove a dodgy email from quarantine. Then, before you know it, you can be in some real serious bother. So, I’m a big champion of email security training as well as being on top of your security solution updates.

 

Gardner: Right. Even using the best technology, being successful at security reverts back to behavior. It’s an intangible aspect to all of this. Also, as providers of the best customer experience, you want to embed security measures, make them invisible. That means you need to have the instant visibility into what’s going on in order to react.

 

So, how well do your tools provide the insights needed to fully exploit the security technology?

 

Lawrence: There are two sides of the coin when it comes to visibility. One is the proactive nature of being able to look at the data in real time and to make assessments, and the other is to then feed that back to the client.

 

The reactive nature of the security tools is probably most important because you want to jump on that quickly and effectively to remove threats and then to communicate that to the customer -- what’s happening real time -- and how we’re helping them to quickly get back to a safe place.


We’re choosing solutions that are mature, are a good fit for us, and that also integrate into our PSA and RMM systems. And, you know, Bitdefender, Proofpoint, and other solutions that we use all have APIs (Application Programming Interfaces) that allow us then to interconnect services whereby we can build automation and remove the noise.


A lot of the time now, the artificial intelligence (AI) solves problems for us. Other times, we still need the technology support officers in our organization to see the threats and react quickly. Again, only yesterday we had an incident. Thankfully, the third layer of security jumped in -- and that was Bitdefender. We were all over it very quickly, and we could jump into the ConnectWise and other systems and say, “Yeah, we know exactly how that threat transpired and where it came from.”

 

The first gate was closed, but the user opened it. The second gate was closed, but the user decided to open that one, too. And lastly, the third gate was definitely shut and was definitely not opening. And that was Bitdefender MDR.

 

Everything in the world is so quick now, much quicker than it was 10 or 20 years ago. Everybody wants to be able to report data and jump on things quickly. So, yeah, it’s just the right tool set that integrates into our solutions.

 

Gardner: Paul, what do you look for when it comes to consoles and a management overview? Or even taking the next step to provide compliance and auditing requirements? How do those fit into your customer experience needs when it comes to visibility?

 

A single pane of transparent glass

 

Sinclair: We use a reporting service that hooks into our PSA and different security solutions. We send these reports automatically and directly from the product set to the clients on a monthly basis. It shows the non-human tickets, but it also demonstrates the trust in the security services because it shows items that have technically been blocked, deleted, or quarantined. As part of the AI process that David was talking about, these tickets are logged, the product has done the job, and then the ticket is closed.

 

For us, we’re showing the added value that the security solutions are providing for the client. So then, they have transparency of the tickets that we are doing -- and the security solutions that we’ve put in place as well. That’s automated so we are not using the time on the person’s device to do fault finding. And, for us, we found that is really valuable, these reports, and the clients certainly do as well. They look forward each month to receiving them, and we get feedback on them every month. It’s a great service and tool that we’ve built for that.

 

Gardner: David, you mentioned Bitdefender and the tools you’re using from them. Give us an overview of what you’re using and how they fit together to meet your needs as an MSP. I’m also wondering if you’re relying on the Bitdefender Security Operations Center (SOC).

 

Lawrence: We’ve been with Bitdefender for a number of years now. The irony is we were using malware solutions in the past that had a Bitdefender engine. The irony was the vendor just wasn’t cutting it for us. So, we went to work with Bitdefender directly. We have the confidence that it’s a grown-up solution.

 

They have been around for many years, and they’re always at the forefront of the technology. The way Bitdefender works for us is we use Bitdefender GravityZone, so every one of our customers will have that standard stack. And then, on top of that, we use Bitdefender EDR and advanced threat technology to secure the endpoints. So, for us, that’s just a given. It’s got that great layer of protection.


I think of those horrible words in our industry, the “single pane of glass” expression, but that’s what it provides. The Bitdefender GravityZone always evolves, changes, and develops. And, for us, that single pane of glass is a very good system to go in there and see what’s going on in that environment. Last year, we adopted the MDR service from Bitdefender and dipped our toes in that with a couple of our professional services customers.

 

The solution doesn’t just reactively address threats. They do threat hunting for us. We give them a lot of information on the customer. They look at domain names, their threat landscape, and provide that in a security center so that we can resell that to our customers. We were open to our customers about who ultimately was providing that, and we would work with that partner to have our customers’ back.

 

There have been so many occasions this year that Bitdefender has jumped onto alerts and challenges with endpoints. And then ultimately we’ve worked together, even saying, "That’s fine, let’s exclude that," or as was the case yesterday, they blocked that threat -- and that’s what we want. Sometimes when you hear technology providers say, “Here’s the service,” and they describe it, you think it’s too good to be true. And actually, that’s not been the case for Bitdefender. It really has worked, and they really have delivered on the MDR service.

 

Gardner: Paul, anything you’d like to add to your use of Bitdefender, and then also the SOC opportunity?

 

Sinclair: In terms of the SOC, once we are able to give the right information to Bitdefender, do you know what that allows us to do? It gives us the confidence that the user habits on the PCs are being monitored, and anything that’s unusual is being picked up on.

 

One of the first things I remember saying to David, once we started seeing the results coming through, was, “Do you know what? I can go to bed at night now and have that good night’s sleep that we never used to get.” You know, you had something niggling in the background. But now I go to bed at night – or on the weekends – with that confidence that user habits are being monitored and looked at and picked up on. And that’s whether that user is in the office, working late, or it’s irrelevant of whatever location in the world they’re in. We know it’s being monitored. For that, and what we did, it’s just second to none.

Gardner: A lot of the benefit that large, sophisticated enterprises had when it came to monitoring behavior and analyzing it didn’t translate down to the smaller organizations, of say 40 to 50 seats. But now with SOC-as-a-service, if you will, the very best of analysis and behavior tracking can be brought to just about anyone.

Sinclair: Absolutely, because when you go to smaller clients than that of 10, 20, or 25, where the user behavior is not necessarily at a company level, they’re still being monitored -- and they’re able to work elsewhere.

 

We had an example not long ago where an end user decided that they were going to go on holiday and still work, but not let the organization know that they were away. They couldn’t do anything because Bitdefender realized the PC was out of the country and was trying to connect through unsecured networks -- at hotels, restaurants, and things like that. It just blocked them from being able to do anything. So, we were approached by that user, and we were able to then pass that information back on to the client organization ourselves. We acted as the eyes and ears for them.

 

Lawrence: When we integrated our organization using the Bitdefender MDR service, they had the goal of securing and providing us a SOC capability to the smaller businesses.

 

Before that, a couple of years ago, there was a manual process between us and the team in the States. We were filling in a spreadsheet, giving them as much customer information -- with the customers’ support -- to understand their organization and ultimately the threat landscape.

 

Fast-forward a couple of years, and Bitdefender has given us the maturity and MDR foundation so that the process for us as an MSP is a lot easier to get our customers on board with that SOC service. Now we don’t need to spin up a spreadsheet and fill it in. We can jump into the single pane of glass that Bitdefender provides and put up that service straight away and provide them all the information to get those customers secure and enjoying that SOC center.


Gardner: I’d like to quantify some of what we’ve talked about. So, I’m looking for metrics of success. What ways do you measure the overall impact on your customers and their experience? How do you know you’re doing it right and whether your suppliers like Bitdefender are getting the job done?

 
For happy clients, take their temperature

 

Lawrence: As an organization, we’re really focused on customer experience, and we have a customer improvement board in our ConnectWise system. We’re consciously seeking that and adjusting feedback from our customers accordingly.

 

And what’s great with the right tool set in place is it’s so different from the noise that we were describing earlier, about having the wrong security product years ago, and all the wrong malware and ransomware protection in place. It really caused us headaches.


Now, when we review our customer happiness factor, we use Customer Thermometer. And years ago, our customer happiness was probably around 94 percent. But over the last 12 months, we’ve had a customer happiness score of 97.8 percent. That’s telling us weekly, monthly, quarterly, and annually that we’re doing as good a job as we can.

 

We also survey the key contacts, our key client IT partners within the organization, every six months on the net promoter score (NPS). Again, that’s very positive compared to where it had been. We’re at 69 now, which I think is world class, and 75 percent of promoters. So again, we’re very happy.

 

And that’s not all just down to selecting the right security tools. That’s having all people that can communicate in English and set the right expectations. But again, so much of our frustrations -- and probably the industry’s frustrations -- come from the wrong tool set. We need the right tools to do our job. That’s critical.

 

Gardner: Paul, any favorite indicators that assure you of that good night sleep?

 

Sinclair: Absolutely. Looking at the numbers, we’re seeing a 47 percent decrease in malware infections between our clients from last year to this year. That’s a massive number in a single year.

 

And that’s not just malware numbers. That has knock-on numbers in terms of technical administration cost savings by using Bitdefender and effectively creating and closing tickets on our PSA system. That’s a 23 percent improvement so far from last year.

 

What it shows us is we are evolving, and Bitdefender and that technology is evolving with us in the right direction. As long as we see these numbers constantly where they need to be, then yeah, that’s amazing.

 

Lawrence: The old frustrations were sticking an antivirus malware protection tool on the machines and having the opposite effect for productivity. The wrong malware protection was dragging the poor machines down. I think Paul told me earlier that it was a 10 percent performance gain that we’ve had since using Bitdefender.

 

Sinclair: Just having that smaller footprint is a big improvement, isn’t it? That smaller footprint from three, four, or five different security products now wrapped down into one. Between the two of us, David and I have been working in this industry for 60 years. We’ve reviewed our security products so often over our 21 years at Grant McGregor from the start and across different technologies. But if the tools weren’t working for the customer, they won’t work for us.

So far with Bitdefender, we have confidence year after year. We’re no longer sitting down and reviewing the Bitdefender technology and stack. We just recommend them as our first product whenever we onboard a new client or user. Bitdefender is the first product that’s recommended and it’s the first product that goes in. Not one client ever has said no. 

Gardner: Those are very impressive numbers, and I commend you for them. But, of course, we can’t rest on our laurels. We have to look for where we go next. For security, it’s never good enough, right?


So, what comes next for Grant McGregor? You mentioned co-managed services, for example. What solutions do you look to next, and how can your providers help you get there?

 

Keep the honest, honest

 

Lawrence: We’re in exciting times with exciting new technology. Without the distractions of what’s happening for us in Britain and in Europe, I think there are two trends.

 

As an organization, we’re focused on helping the end user stay right and honest -- and that means helping put in the right tool set. Those will be focused on data loss protection, enforcing policies for the endpoint, and education systems for security awareness.

 

Rather than focus – as the industry often does – on external threats, we want to keep the honest, honest. That’s, first off, an easier sell. Second of all, that means living up to our values. We are supporting the end users and the organization to navigate all the threats out there, but from internally and then outward.

 

The co-managed space is going to be huge. As an MSP – and there are a lot of us out there – maybe not all of us are doing the right things, but we’re all competing and trying to grab each other’s customers.

 

The natural direction is to the co-managed space, where we can pass on those years of experience with using the right tool sets. Unfortunately, soon in the UK, that will be to the cash-strapped IT department and the time-poor departments. They are going to need and want our expertise and advice so they can get on with doing the strategic work that they want to focus on. We’ll be providing to them the patching-as-a-service, the co-managed IT support-as-a-service (SaaS), the email-as-a-service (EaaS), and the backup-as-a-service (BaaS).

 

We’re already making traction in that space, and we’re excited about that. So, those two growth spots are there for us.

 

Gardner: David mentioned the unfortunate predictions across the globe for difficult economic times ahead. Doing more with less becomes the imperative across the board. So, that usually means higher productivity -- and that usually means working smarter, not necessarily harder.

 

What do you see in the next stages in terms of how you can help your customers do more with less from the MSP perspective?

 

Sinclair: It is all about being smarter, isn’t it? For us with the technology that David has touched on, I think we need to look a bit further into the future. And where does that take us? It takes us down that AI route and getting the users to try and help themselves along that route while we keep ourselves up to date with the latest technologies. It means watching for the new threats -- because they are constant. I see us soon taking on more AI and using more of that intelligence to keep the productivity levels where they need to be.

Lawrence: Digital transformation is a big space for customers to get their heads around -- and productivity is absolutely a must as they move to cloud services and platforms. Again, only recently Microsoft released more products and services. And, again, it’s our job as a technology provider to help educate our customers on that new landscape and to use tools such as business intelligence and to get the best from the Microsoft applications.
 

There’s a lot of new automation there that the customers can build upon, and I think their fear is just how they can get their heads around it. For us, it’s about partnering with the right people to pass on those skill sets to the smaller businesses.

 

Gardner: I’m afraid we’ll have to leave it there. You’ve been listening to a sponsored BriefingsDirect discussion on making the security infrastructure as invisible as possible as an essential ingredient to delivering the best overall IT customer experience.

 

We’ve learned how Scottish MSP Grant McGregor has taken the end users’ productivity and satisfaction to new heights, even as these customers increasingly move to hybrid IT models and face new forms of security risks.

 

So please join me in thanking our guests, David Lawrence, Co-founder and Director of IT Support Services and Advice at Grant McGregor. Thank you so much, David.

 

Lawrence: Thank you very much.

Gardner: And a big thank you to Paul Sinclair, Head of IT Service at Grant McGregor. Thank you, sir.

 

Sinclair: Thank you, Dana, it’s been an absolute pleasure.

 

Gardner: I’m Dana Gardner, Principal Analyst at Interarbor Solutions. Your host and moderator for this ongoing series of BriefingsDirect discussions. A big thank you as well to our sponsor, Bitdefender, for supporting these presentations.

 

I extend a thank you as well to our audience for joining. Please pass this on to your IT and security communities, and do come back next time.

 

Listen to the podcast. Find it on iTunes. Download the transcript. Sponsor: Bitdefender.

 

Transcript of a discussion on how Scottish MSP Grant McGregor takes the customer experience imperative to new heights, especially as its users move increasingly to hybrid IT models. Copyright Interarbor Solutions, LLC, 2005-2023. All rights reserved.

 


Monday, August 30, 2021

How to Migrate Your Organization to a More Security-Minded Culture

Transcript of a discussion on creating broader awareness of security risks and building a security-minded culture across organizations and ecosystems.

Listen to the podcast. Find it on iTunes. Download the transcript. Sponsor: TraceableAI.

Dana Gardner: Hi, this is Dana Gardner, Principal Analyst at Interarbor Solutions, and you’re listening to BriefingsDirect.

Bringing broader awareness of security risks and building a security-minded culture within any public or private organization has been a top priority for years. Yet halfway through 2021, IT security remains as much a threat as ever -- with multiple major breaches and attacks costing tens of millions of dollars occurring nearly weekly.

Why are the threat vectors not declining? Why, with all the tools and investment, are businesses still regularly being held up for ransom or having their data breached? To what degree are behavior, culture, attitude, and organizational dissonance to blame?

Stay with us now as we probe into these more human elements of IT security with a leading chief information security officer (CISO).


To learn more about adjusting the culture of security to make organizations more resilient, please join me in welcoming Adrian Ludwig, CISO at Atlassian. Welcome, Adrian.

Adrian Ludwig: Hi, Dana. Glad to be here.

Gardner: Adrian, we are constantly bombarded with headlines showing how IT security is failing. Yet, for many people, they continue on their merry way -- business as usual.

Are we now living in a world where such breaches amount to acceptable losses? Are people not concerned because the attacks are perceived as someone else’s problem?

Security on the forefront

Ludwig: A lot of that is probably true, depending on whom you ask and what their state of mind is on a given day. We’re definitely seeing a lot more than we’ve seen in the past. And there’s some interesting twists to the language. What we’re seeing does not necessarily imply that there is more exploitation going on or that there are more problems -- but it’s definitely the case that we’re getting a lot more visibility.

I think it’s a little bit of both. There probably are more attacks going on, and we also have better visibility.

Gardner: Isn’t security something we should all be thinking about, not just the CISOs?

Ludwig: It’s interesting how people don’t want to think about it. They appoint somebody, give them a title, and then say that person is now responsible for making security happen.

But the reality is, within any organization, doing the right thing -- whether that be security, keeping track of the money, or making sure that things are going the way you’re expecting -- is a responsibility that’s shared across the entire organization. That’s something that we are now becoming more accustomed to. The security space is realizing it’s not just about the security folks doing a good job. It’s about enabling the entire organization to understand what’s important to be more secure and making that as easy as possible. So, there’s an element of culture change and of improving the entire organization.

Gardner: What’s making these softer approaches -- behavior, culture, management, and attitude – more important now? Is there something about security technology that has changed that makes us now need to look at how people think?

Ludwig: We’re beginning to realize that technology is not going to solve all our problems. When I first went into the security business, the company I worked for, a government agency, still had posters on the wall from World War II: Loose lips sink ships.

The idea of security culture is not new, but the awareness is, across organizations that any person could be subject to phishing, or any person could have their credentials taken -- those mistakes could be originating at any place in the organization. That broad-based awareness is relatively new. It probably helps that we’ve all been locked in our houses for the last year, paying a lot more attention to the media, and hearing about attacks that have been going on at governments, the hacking, and all those things. That has raised awareness as well.

Gardner: It’s confounding that people authenticate better in their personal lives. They don’t want their credit cards or bank accounts pillaged. They have a double standard when it comes to what they think about protecting themselves versus protecting the company they work for.

Data safer at home or work?

Ludwig: Yes, it’s interesting. We used to think enterprise security could be more difficult from the user experience standpoint because people would put up with it because it was work.

But the opposite might be true, that people are more self-motivated in the consumer space and they’re willing to put up with something more challenging than they would in an enterprise. There might be some truth to that, Dana.

Gardner: The passwords I use for my bank account are long and complex, and the passwords I use when I’m in the business environment … maybe not so much. It gets us back to how you think and your attitude for improved security. How do we get people to think differently?

Ludwig: There’s a few different things to consider. One is that the security people need to think differently. It’s not necessarily about changing the behavior of every employee in the company. Some of it is about figuring out how to implement critical solutions that provide security without changing behavior.

There is a phrase, the paved path or road; so, making the secure way the easy way to do something. When people started using YubiKey U2F [an open authentication standard that enables internet users to securely access any number of online services with a single security key] as a second-factor authentication, it was actually a lot easier than having to input your password all over the place -- and it’s more secure.

That’s the kind of thing we’re looking for. How do we enable enhanced security while also having a better user experience? What’s true in authentication could be true in any number of other places as well.

Second, we need to focus on developers. We need to make the developer experience more secure and build more confidence and trustworthiness in the software we’re building, as well as in the types of tools used to build.

Developers find strength

Gardner: You brought up another point of interest to me. There’s a mindset that when you hand something off in an organization -- it could be from app development into production, or from product design into manufacturing -- people like to move on. But with security, that type of hand-off can be a risk factor.

Beginning with developers, how would you change that hand-off? Should developers be thinking about security in the same way that the IT production people do?

Ludwig: It’s tricky. Security is about having the whole system work the way that everybody expects it to. If there’s a breakdown anywhere in that system, and it doesn’t work the way you’re expecting, then you say, “Oh, it’s insecure.” But no one has figured out what those hidden expectations are.

A developer expects the code they write isn’t going to have vulnerabilities. Even if they make a mistake, even if there’s a performance bug, that shouldn’t introduce a security problem. And there are improvements being made in programming languages to help with that.

Certain languages are highly prone to security being a common failure. I grew up using C and C++. Security wasn’t something that was even thought of in the design of those languages. Java, a lot more security was thought of in the design of that language, so it’s intrinsically safer. Does that mean there are no security issues that can happen if you’re using Java? No.

Similar types of expectations exist at other places in the development pipeline as well.

Gardner: I suppose another shift has been from applications developed to reside in a data center, behind firewalls and security perimeters. But now -- with microservices, cloud-native applications, and multiple application programming interfaces (APIs) being brought together interdependently -- we’re no longer aware of where the code is running.

Don’t you have to think differently as a developer because of the way applications in production have shifted?

Ludwig: Yes, it’s definitely made a big difference. We used to describe applications as being monoliths. There were very few parts of the application that were exposed.

At this point, most applications are microservices. And that means across an application, there might be 1,000 different parts of the application that are publicly exposed. They all must have some level of security checks being done on them to make sure that if they’re handling an input that might be coming from the other side of the world that it’s being handled correctly.

So, yes, the design and the architecture have definitely exposed a lot more of the app’s surface. There’s been a bit of a race to make the tools better, but the architectures are getting more complicated. And I don’t know, it’s neck and neck on whether things are getting more secure or they’re getting less secure as these architectures get bigger and more exposed.

We have to think about that. How do we design processes to deal with that? How do you design technology, and what’s the culture that needs to be in place? I think part of it is having a culture of every single developer being conscious of the fact that the decisions they’re making have security implications. So that’s a lot of work to do.

Gardner: Another attitude adjustment that’s necessary is assuming that breaches are going to happen and to stifle them as quickly as possible. It’s a little different mindset, but the more people involved with looking for anomalies, who are willing to have their data or behaviors examined for anomalies makes sense.

Is there a needed cultural shift that goes with assuming you’re going to be breached and making sure the damage is limited?

Assume the worst to limit damage

Ludwig: Yes. A big part of the cultural shift is being comfortable taking feedback from anybody that you have a problem and that there’s something that you need to fix. That’s the first step.

Companies should let anybody identify a security problem -- and that could be anybody inside or outside of the company. Bug bounties. We’re in a bit of a revolution in terms of enabling better visibility into potential security problems.

But once you have that sort of culture, you start thinking, “Okay. How do I actually monitor what’s going on in each of the different areas?” With that visibility, exposure, and understanding what’s going in and out of specific applications, you can detect when there’s something you’re not expecting. That turns out to be really difficult, if what you’re looking at is very big and very, very complicated.

Decomposing an application down into smaller pieces, being able to trace the behaviors within those pieces, and understanding which APIs each of those different microservices is exposing turns out to be really important.

If you combine decomposing applications into smaller pieces with monitoring what’s going on in them and creating a culture where anybody can find a potential security flaw, surface it, and react to it -- those are good building blocks for having an environment where you have a lot more security than you would have otherwise.

Gardner: Another shift we’ve seen in the past several years is the advent of big data. Not only can we manage big data quickly, but we can also do it at a reasonable cost. That has brought about machine learning (ML) and movement to artificial intelligence (AI). So, now there’s an opportunity to put another arrow in our quiver of tools and use big data ML to buttress our security and provide a new culture of awareness as a result.

Ludwig: I think so. There are a bunch of companies trying to do that, to look at the patterns that exist within applications, and understand what those patterns look like. In some instances, they can alert you when there’s something not operating the way that is expected and maybe guide you to rearchitecting and make your applications more efficient and secure.

There are a few different approaches being explored. Ultimately, at this point, most applications are so complicated -- and have been developed in such a chaotic manner -- it’s impossible to understand what’s going on inside of them. That’s the right time that the robots give it a shot and see if we can figure it out by turning the machines on themselves.

Gardner: Yes. Fight fire with fire.

Let’s get back to the culture of security. If you ask the people in the company to think differently about security, they all nod their heads and say they’ll try. But there has to be a leadership shift, too. Who is in charge of such security messaging? Who has the best voice for having the whole company think differently and better about security? Who’s in charge of security?

C-suite must take the lead

Ludwig: Not the security people. That will be a surprise for a lot of people to hear me say that. The reality is if you’re in security, you’re not normal. And the normal people don’t want to hear from the not-normal person who’s paranoid that they need to be more paranoid.

That’s a realization it took me several years to realize. If the security person keeps saying, “The sky is falling, the sky is falling,” people aren’t going to listen. They say, “Security is important.” And the others reply, “Yes, of course, security is important to you, you’re the security guy.”

If the head of the business, or the CEO, consistently says, “We need to make this a priority. Security is really important, and these are the people who are going to help us understand what that means and how to execute on it,” then that ends up being a really healthy relationship.

The companies I’ve seen turn themselves around to become good at security are the ones such as Microsoft, Google, or others where the CEO made it personal, and said, “We’re going to fix this, and it’s my number-one priority. We’re going to invest in it, and I’m going to hire a great team of security professionals to help us make that happen. I’m going to work with them and enable them to be successful.”

Alternatively, there are companies where the CEO says, “Oh, the board has asked us to get a good security person, so I’ve hired this person and you should do what he says.” That’s the path to a disgruntled bunch of folks across the entire organization. They will conclude that security is just lip service, it’s not that important. “We’re just doing it because we have to,” they will say. And that is not where you want to end up.

Gardner: You can’t just talk the talk, you have to walk the walk and do it all the time, over and over again, with a loud voice, right?

Ludwig: Yes. And eventually it gets quieter. Eventually, you don’t need to have the top level saying this is the most important thing. It becomes part of the culture. People realize that’s just the way – and it’s not that it’s just the way we do things, but it is a number-one value for us. It’s the number-one thing for our customers, too, and so culture shift ends up happening.

Gardner: Security mindfulness becomes the fabric within the organization. But to get there requires change and changing behaviors has always been hard.

Are there carrots? Are there sticks? When the top echelon of the organization, public or private, commits to security, how do you then execute on that? Are there some steps that you’ve learned or seen that help people get incentivized -- or whacked upside the head, so to speak, when necessary?

Talk the security talk and listen up

Ludwig: We definitely haven’t gone for “whacked upside the head.” I’m not sure that works for anybody at this point, but maybe I’m just a progressive when it comes to how to properly train employees.

What we have seen work is just talking about it on a regular basis, asking about the things that we’re doing from a security standpoint. Are they working? Are they getting in your way? Honestly, showing that there’s thoughtfulness and concern going into the development of those security improvements goes a long way toward making people more comfortable with following through on them.

A great example is … You roll out two-factor authentication, and then you ask, “Is it getting in the way? Is there anything that we can do to make this better? This is not the be-all and end-all. We want to improve this over time.”

That type of introspection by the security organization is surprising to some people. The idea that the security team doesn’t want it to be disruptive, that they don’t want to get in the way, can go a long way toward it feeling as though these new protections are less disruptive and less problematic than they might otherwise feel.

Gardner: And when the organization is focused on developers? Developers can be, you know …

Ludwig: Ornery?

Gardner: “Ornery” works. If you can make developers work toward a fabric of security mindedness and culture, you can probably do it to anyone. What have you learned on injecting a better security culture within the developer corps?

Ludwig: A lot of it starts, again, at the top. You know, we have core values that invoke vulgarity to both emphasize how important they are, but also how simple they are.

One of Atlassian’s values is, “Don’t fuck the customer.” And as a result of that, it’s very easy to remember, and it’s very easy to invoke. “Hey, if we don’t do this correctly, that’s going to hurt the customer.” We can’t let that happen as a top-level value.

We also have “Open company, no-bullshit”. If somebody says, “I see a problem over here,” then we need to follow up on it, right? There’s not a temptation to cover it up, to hide it, to pretend it’s not an issue. It’s about driving change and making sure that we’re implementing solutions that actually fix things.

There are countless examples of a feature that was built, and we really want to ship it, but it turns out it’s got a problem and we can’t do it because that would actually be a problem for the customer. So, we back off and go from there.

How to talk about security

Gardner: Words are powerful. Brands are powerful. Messaging is powerful. What you just said made me think, “Maybe the word security isn’t the right word.” If we use the words “customer experience,” maybe that’s better. Have you found that? Is “security” the wrong word nowadays? Maybe we should be thinking about creating an experience at a larger level that connotes success and progress.

Ludwig: Super interesting. Apple doesn’t use the word “security” very much at all. As a consumer brand, what they focus on is privacy, right? The idea that they’ve built highly secure products is motivated by the users’ right to privacy and the users’ desire to have their information remain private. But they don’t talk about security.

I always thought that was a really interesting decision on their part. When I was at Google, we did some branding analysis, and we also came up with insights about how we talked about security. It’s a negative from a customer’s standpoint. And so, most of the references that you’ll see coming out of Google are security and privacy. They always attach those two things together. It’s not a coincidence. I think you’re right that the branding is problematic.

Microsoft uses trustworthy, as in trustworthy computing. So, I guess the rest of us are a little bit slow to pick up on that, but ultimately, it’s a combination of security and a bunch of other things that we’re trying to enable to make sure that the products do what we’re expecting them to do.

Gardner: I like resilience. I think that cuts across these terms because it’s not just the security, it’s how well the product is architected, how well it performs. Is it hardened, in a sense, so that it performs in trying circumstances – even when there are issues of scale or outside threats, and so forth. How do you like “resilience,” and how does that notion of business continuity come into play when we are trying to improve the culture?

Ludwig: Yes, “resilience” is a pretty good term. It comes up in the pop psychology space as well. You can try to make your children more resilient. Those are the ones that end up being the most successful, right? It certainly is an element of what you’re trying to build.

A “resilient” system is one in which there’s an understanding that it’s not going to be perfect. It’s going to have some setbacks, and you need to have it recoverable when there are setbacks. You need to design with an expectation that there are going to be problems. I still remember the first time I heard about a squirrel shorting out a data center and taking down the whole data center. It can happen, right? It does happen. Or, you know, you get a solar event and that takes down computers.

There are lots of different things that you need to build to recover from accidental threats, and there are ones that are more intentional -- like when somebody deploys ransomware and tries to take your pipeline offline.

Gardner: To be more resilient in our organizations, one of the things that we’ve seen with developers and IT operations is DevOps. Has DevOps been a good lesson for broader resilience? Is there something we can do with other silos in organization to make them more resilient?

DevOps derives from experience

Ludwig: I think so. Ultimately, there are lots of different ways people describe DevOps, but I think about taking what used to be a very big thing and acknowledging that you can’t comprehend the complexity of that big thing. Choosing instead to embrace the idea that you should do lots of little things, in aggregate, and that they’re going to end up being a big thing.

And that is a core ethos of DevOps, that each individual developer is going to write a little bit of code and then they’re going to ship it. You’re going to do that over and over and over. You are going to do that very, very, very quickly. And they’re going to be responsible for running their own thing. That’s the operations part of the development. But the result is, over time, you get closer to a good product because you can gain feedback from customers, you’re able to see how it’s working in reality, and you’ll be able to get testing that takes place with real data. There are lots of advantages to that. But the critical part of it, from a security standpoint, is it makes it possible to respond to security flaws in near real-time.

Often, organizations just aren’t pushing code frequently enough to be able to know how to fix a security problem. They are like, “Oh, our next release window is 90 days from now. I can’t possibly do anything between now and then.” Getting to a point where you have an improvement process that’s really flexible and that’s being exercised every single day is what you get by having DevOps.

And so, if you think about that same mentality for other parts of your organization, it definitely makes them able to react when something unexpected happens.

Gardner: Perhaps we should be looking to our software development organizations for lessons on cultural methods that we can apply elsewhere. They’re on the bleeding edge of being more secure, more productive, and they’re doing it through better communications and culture.

Ludwig: It’s interesting to phrase it that way because that sounds highfalutin, and that they achieved it out of expertise and brilliance. What it really is, is the humbleness of realizing that the compiler tells you your code is wrong every single day. There’s a new user bug every single day. And eventually you get beaten down by all those, and you decide you’re just going to react every single day instead of having this big thing build up.

So, yes, I think DevOps is a good example but it’s a result of realizing how many flaws there are more than anything highfalutin, that’s for sure.

Gardner: The software doesn’t just eat the world; the software can show the world the new, better way.

Ludwig: Yes, hopefully so.

Future best security practices

Gardner: Adrian, any thoughts about the future of better security, privacy, and resilience? How will ML and AI provide more analysis and improvements to come?

Ludwig: Probably the most important thing going on right now in the context of security is the realization by the senior executives and boards that security is something they need to be proponents for. They are pushing to make it possible for organizations to be more secure. That has fascinating ramifications all the way down the line.

If you look at the best security organizations, they know the best way to enable security within their companies and for their customers is to make security as easy as possible. You get a combination of the non-security executive saying, “Security is the number-one thing,” and at the same time, the security executive realizes the number-one thing to implement security is to make it as easy as possible to embrace and to not be disruptive.

And so, we are seeing faster investment in security that works because it’s easier. And I think that’s going to make a huge difference.

There are also several foundational technology shifts that have turned out to be very pro-security, which wasn’t why they were built -- but it’s turning out to be the case. For example, in the consumer space the move toward the web rather than desktop applications has enabled greater security. We saw a movement toward mobile operating systems as a primary mechanism for interacting with the web versus desktop operating systems. It turns out that those had a fundamentally more secure design, and so the risks there have gone down.

The enterprise has been a little slow, but I see the shift away from behind-the-firewall software toward cloud-based and software as a service (SaaS) software as enabling a lot better security for most organizations. Eventually, I think it will be for all organizations.

Those shifts are happening at the same time as we have cultural shifts. I’m really optimistic that over the next decade or two we’re going to get to a point where security is not something we talk about. It’s just something built-in and expected in much the same way as we don’t spend too much time now talking about having access to the Internet. That used to be a critical stumbling block. It’s hard to find a place now that doesn’t or won’t soon have access.

Gardner: These security practices and capabilities become part-and-parcel of good business conduct. We’ll just think of it as doing a good job, and those companies that don’t do a good job will suffer the consequences and the Darwinian nature of capitalism will take over.

Ludwig: I think it will.

Gardner: I’m afraid we’ll have to leave it there. You’ve been listening to a sponsored BriefingsDirect discussion on building security-minded cultures within public and private organizations.

And we’ve learned how behavior, culture, attitude, and organizational shifts create both hurdles and solutions for making businesses more intrinsically resilient by nature.


So, join me in thanking our guest, Adrian Ludwig, CISO at Atlassian. Thank you so much, Adrian, I really enjoyed it.

Ludwig: Thanks, Dana. I had a good time as well.

Gardner: And a big thank you to our audience for joining this BriefingsDirect IT security culture discussion. I’m Dana Gardner, Principal Analyst at Interarbor Solutions, your host throughout this series of Traceable AI-sponsored BriefingsDirect interviews.

Stay tuned for our next podcast in this series, with a deep-dive look at new security tools and methods with Sanjay Nagaraj, Chief Technology Officer and Co-Founder at Traceable AI.

Look for other security podcasts and content at www.briefingsdirect.com.

Thanks again for listening. Please pass this along to your business community and do come back for our next chapter.

Listen to the podcast. Find it on iTunes. Download the transcript. Sponsor: Traceable.ai.

Transcript of a discussion on creating broader awareness of security risks and building a security-minded culture across organizations and ecosystems. Copyright Interarbor Solutions, LLC, 2005-2021. All rights reserved.
