
No Pain, No Gain, Zero Trust

In this episode of Cybersecurity (Marketing) Unplugged, Dr. Cunningham also discusses:

  • How the Zero Trust strategy was developed and has existed for nearly 20 years now;
  • How to deal with the discomfort of change while implementing Zero Trust;
  • How best to utilize artificial intelligence and machine learning solutions in cybersecurity.

Dr. Chase Cunningham, aka the ‘Doctor of Zero Trust’, is a recipient of industry awards like the Most Influential People in Security, and is currently Ericom’s chief strategy officer. In this role, Chase shapes the company’s strategic vision, roadmap and key partnerships. Dr. Cunningham previously served as vice president and principal analyst at Forrester Research, providing strategic guidance on Zero Trust, artificial intelligence, machine learning and security architecture design for security leaders around the globe. And prior to Forrester, as Chief of Cryptologic Technologies, NSA, Chase directed all research and development of cyber entities to assess threat vectors, network forensics, and methodologies of nefarious cyber actors across the intelligence enterprise.

With the support of the recent executive order on improving the nation’s cybersecurity, Zero Trust strategy is gaining recognition within the industry. However, there is still a degree of resistance to Zero Trust adoption given the difficulty of adapting to change. To this, Cunningham says:

Change sucks. To be blunt, change is not comfortable. Change is not something anybody wants to do. … However, we are in a place in time, where we have a choice, we either change and get better, or we don’t and the same thing continues to happen. With organizations that have taken [Zero Trust] on, they realize that change has to happen.

Full Transcript

This episode has been automatically transcribed by AI; please excuse any typos or grammatical errors.

Steve King 00:13
Good day everyone, I’m Steve King, the managing director of CyberTheory. Today’s episode is going to focus on movement toward a zero trust strategy in cybersecurity, and joining me today is Dr. Chase Cunningham, whom many refer to as the doctor of zero trust. Chase is the Chief Strategy Officer for Ericom Software, a leading provider of zero trust secure access solutions. Chase worked with John Kindervag at Forrester refining the principles and framework for a zero trust reference architecture. In addition to serving on several boards and holding leadership positions at companies like Accenture, in the analysis and applications of threat intelligence, Chase served as a naval chief cryptologist with more than 20 years’ experience in cyber forensics and analytic operations within the NSA, CIA, FBI and other government agencies. So welcome, Chase, I’m glad you could join me today.

Chase Cunningham 01:20
Hey, thanks for having me on.

Steve King 01:22
Sure. So, zero trust. Let’s start with the negative media coverage and social media chatter over zero trust just being a bumper sticker. Seems like it came out of RSA. It seems unclear to many that this is a strategy and not a product. How did we get here?

Chase Cunningham 01:43
Well, I mean, ZT, honestly, has been around since 2003, 2004, when there was this discussion going on around de-perimeterized security. And that was basically the idea of, you know, what we do, and we didn’t have high walls, if you will. And that was a very forward-looking approach to the problem back then. And it’s evolved since that time. John, like you said, Kindervag was smart enough and visionary enough to realize that there was a bigger, better play. And that de-perimeterized is kind of gobbledygook in the mouth, when you’re trying to talk about it. So he looked at it and did some really good approach to the problem and put the terms zero trust together, which is what we’re doing and what we’re getting to anyway. And it’s kind of become a thing, because it actually is the intelligent approach to fixing the problem. I mean, that’s what we’re trying to do, is eliminate trust relationships from inside systems.

Steve King 02:34
Right. And if you look at the way that the zero trust architecture is implemented, if you will, or conceived, the whole idea is to reduce the attack surface, to minimize the amount of excessive trust in both the networks and application state, access, etc. And to granularize, if you will, the approach to identity management, access, authorization, and authentication. All of this is toward the objective of making the bad guys’ jobs harder, not easier. There has never been a promise or any implication, at least from my point of view, that zero trust is going to solve all of our problems and lead us to the Promised Land. Is that your sort of conception of the movement here? I mean, we’re trying to do something that is an incremental approach, and makes sense to me anyway.

Chase Cunningham 03:39
Yeah, I mean, that’s the reality of it, is this: people have been digging themselves into this kind of hole for the last 30, 40 years, sometimes even longer, as far as architecting their environments to be built around max sharing, max relationships, full connections, all those things. And really, what we’re doing is we’re whittling away at that sort of installed problem and moving towards a more effective application of the fix. And it’s going to take time, it’s not easy. And to be fairly frank, like, just like, if you had a bodybuilder that went to zero body fat, they’d die; you’re never going to be zero. But it’s much better to say zero trust than to say, less than x percentage trust. I mean, that’s what we’re trying to do, is try and drive the narrative here to getting towards as little as possible trust. Like John has said, trust is a vulnerability. And we need to eliminate that within these systems. And, you know, this is not, don’t trust your employees at all. That’s not at all what we’re talking about. We’re just saying that there are fundamental things within computerized and network systems that need to be removed to better the current posture of those systems.

Steve King 04:47
Right. And as I look out on the landscape and talk to people every day, as part of my job is to understand what’s going on here on a minute-to-minute basis, it seems to me that instead of moving towards zero trust, generally speaking, we’re moving more toward increased complexity, increased density, increased tool integration about which we know very little, increased application dependency, standard dependency upon open source APIs and open source third party software. It seems we’re moving more rapidly in the direction away from zero trust. And we’re getting more people interested in sort of pumping the brakes a little bit and saying, okay, how do I restart this thing?

Chase Cunningham 05:38
Yeah, complexity is the enemy, I guess you could say, of efficacy. Maybe that’s not totally accurate. But I mean, really, if we think about the problem space that we are already in, it’s like you’re saying, it’s way too complex, too many moving parts, too many things that are allowed to connect just because. There’s a lot of times when I do these workshops, I find that there’s no reason for these organizations to be in the state that they’re in. And if they would just kind of back up and take a real pragmatic look at the problem and eliminate what they absolutely know that they don’t need, you wind up in a better position right off the bat. So this is strategic implementation of technology to solve a problem. And like you said, I would also argue with people that would say that this is, this is not a product. Correct. It’s not a product. This is the, you know, combination of products to solve a problem. And there is no One Ring to rule them all that I’m aware of yet.

Steve King 06:34
Right. But we do have a plethora of products that are consumed by the zero trust strategy, if you will. I think that it’s not like we can’t get there because we don’t have the technology. It seems to me we can’t get there because we don’t have the understanding, the will, the determination, the comprehension of what that architecture might look like, just intellectually?

Chase Cunningham 06:58
Yeah, I mean, it’s just, I do these workshops with people all the time. And like, one of my first slides is I remind people that change sucks. I mean, to be, you know, to be blunt, like, change is not comfortable. Change is not something anybody wants to do. I mean, even in your personal life, right? Any small change that you do, it’s going to be different than where you are now. So it’s going to, by its very nature, be uncomfortable. However, we are in a place in time where we have a choice: we either change and get better, or we don’t, and the same thing continues to happen. And that’s what you see with organizations that have taken this on. They realize that change has to happen. They put some heat and effort into it, some dollars behind it, and they get better. And then, you know, like you mentioned earlier, they become better.

Steve King 07:43
Yeah, and that’s the that’s the goal, at least from my point of view. Talk to us a little bit about your experience as a cryptologist. And why crypto is so important in cybersecurity just for those folks that don’t quite get that.

Chase Cunningham 07:57
I mean, cryptology is a core thing. It’s been around. Honestly, when I was going to school, they said cryptology is the second oldest profession mankind ever came up with, which is, you know, you can guess what number one is. But I mean, cryptology, as far as being part of cybersecurity, is key and core to this. All of our algorithms, all of our hashing, the things we do with passwords, you know, encryption, etc. All that is based on cryptography. You know, for me, I was lucky enough to go to code school within the Navy system, and spend a lot of time looking at lots and lots of ones and zeros to figure out how to pop those codes. And it’s, um, it’s interesting to see it from either side.

Steve King 08:36
Yeah. You also have quite a bit of experience with applied artificial intelligence and machine learning, on the sort of predictive analytic side. What do you see as the best and most likely use cases going forward for those technologies? And how do you see those being implemented? I think we have lots of folks on the desperate side of the fence in this CISO world, sort of hoping for the breakthrough technology that will indeed take them on the path to the promised land.

Chase Cunningham 09:11
I mean, we have a lot of those capabilities that are already kind of present in the market. And what you typically see is the use of ML and algorithms and good process and compute to solve kind of binary problems, right? Like, there’s no reason that a human being should have to do a password reset for someone’s account. There’s no reason that a human being should have to do very basic, I guess you would call it like L0.5 level response for cyber stuff. So what you want to do is use those capabilities that are out there to automate that. And then you don’t need 50 humans to do the work of what three or four can typically do. And what I’ve found in cyber specifically, when you look at lots of operations areas where they say they don’t have enough people, it’s usually because they’re not using a technology for the purposes for which it’s optimized. I don’t need, you know, I can dig an irrigation ditch with a spoon. It’s way better to do it with a steam shovel.

Steve King 10:07
Right? The application of those technologies, I just don’t see them sort of bleeding out into the field here in a way that is offsetting some of those problems we’ve got. People continually complain about resource constraints and all that, and I get it. Some of that is skill set based, but it seems that repetitive human behavior activity that AI and ML can solve hasn’t sort of caught on yet. Is that just my imagination? Or do you? What is your thought on it?

Chase Cunningham 10:40
No, I think you’re pretty, pretty accurate. I think it’s starting to bubble its way up into that. I think we’re seeing, you know, some of this rolling out in the different operations centers, and in some broader areas where it’s being adopted. And there’s some vendors that are doing some pretty good stuff in the space. But yeah, I agree. We’re not there yet. I think we’re still pretty early days. And a lot of it, we’re starting to see kind of the, I guess you would call it inkling, that it’s going to work its way into those areas and start solving the problem. Luckily, this is a problem, or this is a solution, that gets better as we apply it more, so, you know, it becomes a kind of feed-the-beast methodology.

Steve King 11:20
Yeah, well, that’s good to hear. I recall running my own SOCs, I felt like I had to provide psychological counseling to all my security analysts on a weekly basis, just to sort of keep them sane. That’s like the worst job on the planet. So anything that could take the place of staring at a screen all day long, looking for anomalous behavior, would be great. So yeah, early enthusiasm for products that would do that. But I just haven’t seen any of that roll out in any meaningful way. We’ve seen a lot of activity, by the way, within the current administration around cybersecurity. And I know that being a member of our zero trust Council, and thank you for that, we’re going to be doing more and more promotion around that whole nature, the whole notion rather, of private and public partnership toward improving our ability to both move to architectures like zero trust and to frameworks like that, and then to share information among the various different agencies. JCDC is a good example, I hope, of the beginning of that approach. What’s your prognosis, having spent so many years at the federal level, on our ability to pull off what needs to be done?

Chase Cunningham 12:45
I mean, I was actually just reading a report today that was kind of put out on the progress going on since the executive order on ZT came out, and there’s solid progress. I want to say the numbers I saw were roughly about $400 million has been allocated so far since October 1, which, hey, it’s only November 8. So I mean, in 30-something days, there’s been dollars kind of put into pots, which, you know, nothing happens in any space until dollars show up. So I think we’re starting to see some movement; it’s not going to happen overnight.

Steve King 13:15
Tell us about your workshops a little bit, if you will, you know what the purpose is, who you present them to how they work and what you’re trying to accomplish here.

Chase Cunningham 13:25
I’ve kind of evolved it over time. It used to be where I was really heavily focused on like the technology side of it, and looking at which pieces of gear kind of did which thing and mapped it to the ZTX framework, and then, you know, suggested which things should go in place to help an organization. And what I found was, that was kind of great for the people, you know, digging the ditches and doing the trench work. But actually, I started getting a lot of conversation with the people, workshop-wise, around boards, and CEOs and CFOs. And those workshops have been really big on strategy, kind of looking at the ins and outs, the marketplace itself, which things make sense, you know, plot, plan, scheme. And I’ve gotten a lot of really positive interaction and feedback on those workshops, because we’re dealing with the people that are setting, you know, strategic vision for the company. It’s not the CISOs that are asking for those. It’s boards, CEOs, CFOs, which I think is a good thing and is indicative that we’re finally starting to get a fair shake in the market as far as being security people getting our seat at the table.

Steve King 14:25
Yeah, no kidding. How did you bridge the sort of language or, or jargon gap with those folks, when you make those kinds of presentations? I’m sure a lot of our audience would like to know that because that’s been a long and frustrating journey for many.

Chase Cunningham 14:41
Yeah, I mean, I’ve had to go back and kind of, I guess you would say, send myself through a modified MBA program kind of on my own, where I’ve had to, I mean, I know computer science, I didn’t know much about business. To be perfectly frank, I’ve had to go back and kind of learn my way around what words actually ring true for business people, which things they care about the most, what drives adoption and what’s non-starters. And it’s been great for me on a personal level just to wrap my head around. Honestly, I have a mantra that I kind of say to myself, like, don’t speak tech. And I’ve worked really hard to not do that. But you also, you know, at some point in there, you have the flavor and a little bit of, here’s all this business strategy, here’s the things that affect the budget, and, oh, by the way, security benefits that overall strategic initiative.

Steve King 15:29
Yeah. What’s the thesis that you use to sort of engage with these folks, though? I’m sure it’s business focused, but do you have a grand question or a great opener that pulls them in and gets them to start to pay attention?

Chase Cunningham 15:44
Yeah, I actually just show them some data from studies that I’ve got, that I’ve pulled from a variety of resources. One of them says that 50% of consumers are more willing to do business with a company that can tell them how they enable security and privacy. So that’s number one. And then the other one is a couple of data points that I believe IBM published on, if you’re an organization that engages in zero trust, your employees will be more engaged, and statistically speaking, they will be, and you will reduce security costs, because you’re not double dipping. And my point to them is, who doesn’t want more customers, happier employees, and wouldn’t like to have security costs reduced? And then that’s where the conversation begins.

Steve King 16:21
Mm hmm. That’s right. And, you know, obvious to many of us. What isn’t obvious to many of us, however, is that many boards treat the cyber security threat in the same context as they do any enterprise risk management contingency or threat, in that they, you know, figure out a way to transfer that risk in some manner, way, shape, or form, or accept it. So it always, you know, I talk to lots of groups and people, and it always surprises everyone when I say, you know, a $50 million fine, or a $50 million loss, is not a big deal to a $10 billion company who, you know, regularly goes about the business of either accepting or transferring risk to insurers, or what have you. How do you offset that business as usual, from an ERM point of view?

Chase Cunningham 17:16
I mean, the risk that I talk to people about really is the risk of their brand being damaged, which everyone’s always kind of concerned about, and rightfully so. And then the other piece is their ability to continue to be present in the future state. And what I mean by that is, you’re going more digital, you’re going more cloud, your customers are going to be more mobile, digital, etc, etc. You had better have a way to make sure that you’re talking to that demographic about how they leverage your solutions, and how they do it in a manner that works for them, which includes things like default, they, I mean, people in the next sort of, you know, purchasing arena, they expect things to be secure, they expect privacy to be enabled, and you have to be able to make sure that they understand that that’s a real thing. And if you can’t, you will lose to the competition.

Steve King 18:01
That’s brilliant, actually. Being present in the future state is a great tagline, and one that I’m sure you can leverage. That’s almost a FUD notion, but spun in a very positive way. So I like that a lot. I may steal it from you.

Chase Cunningham 18:17
Go ahead. It’s not trademarked. Not trademarked. Alright.

Steve King 18:21
So finally, and I’m conscious of the clock here. I don’t want to blow up too much of your time. And we’re gonna see each other in a couple of weeks anyway. But final question, relative to Ericom Software here: tell us about your mission as a company and how you expect to achieve it, in terms of how you expect it to roll out over the next few years.

Chase Cunningham 18:45
Yeah, so really, for us, where we’ve gone over the last year is to deploy a stack for small and midsize enterprises that’s built around ZT strategically. And I say that because what we’ve got is a capability that can be deployed from basically the entirety of the OSI model, and it’s affordable. And the reason that we’re able to do that for small and midsize businesses is we don’t have any overhead cost. We are born in the cloud, bred in the cloud. We don’t have any sort of existential things making us charge more. So where we’re winning business is on these small, midsize enterprises that need a full-suite security solution, and they’re needing it at a price point they can afford. And we win on that, you know, six days out of the week and twice on Sunday. And it’s working really well for us. We’re going to continue pushing that, and to be perfectly frank, we’re okay not competing in mega enterprises, because there’s a lot of competition there. We would rather help the folks that need it that aren’t mega enterprises.

Steve King 19:39
I would think also, and you can correct me if I’m wrong, that it’s also less mysterious and less confusing down at the SMB level. Because what you’re talking about is sort of offloading the entirety of the headache, versus the competitive nature that you find in a larger enterprise when you’re trying to discuss your solution amid, you know, 23 other ones that are all kind of saying the same thing.

Chase Cunningham 20:06
Correct. And then the other two pieces of that are we remind them, like, you know, your big partners, the mega companies, they’re already spending a lot of money on security. They probably aren’t going to get ripped, but you might introduce that threat. Do you want to be holding that bag? And then the other piece is they know folks that have gone out of business because of a security incident. And our goal is to make sure that we help them not have that happen to them as well.

Steve King 20:28
Yeah, that’s great. Well, we’re almost out of time. I want to thank our guest, Dr. Chase Cunningham, again for taking time out of your schedule, Chase, to join me in what I hope was an interesting exchange around zero trust and the direction in which we’re hopefully heading here in the cybersecurity defense landscape. So thanks again for helping me out here.

Chase Cunningham 20:54
Hey, thanks for having me. Always glad to talk with you, and looking forward to hopefully running into you here in a few weeks.

Steve King 20:59
All right, great. Thanks, Chase. Talk to you soon. And thanks to our listeners for joining us in another one of CyberTheory’s Unplugged reviews of the complex and often frightening world of cybersecurity technology in our new digital reality. Until next time, I’m your host Steve King, signing out.