The Resilience Factor Podcast

S1 E13 Supply Chain and Third-Party Risk in the Ripple Effect Era with Tony Fergusson

Zscaler Season 1 Episode 13


In this episode, Jenny welcomes Tony Fergusson, CISO in Residence, EMEA at Zscaler, to discuss why third-party dependence has become one of the biggest hidden risks to operational resilience. Tony and Jenny delve into how organizations are grappling with a hyper-connected world, moving beyond perimeter defense to a proactive containment strategy. The conversation highlights the reliance on external partners rising faster than protection and the collapse of the patching window due to AI-driven threats like Mythos. Tony advocates for an evolution of Zero Trust from "least privilege" to a model based on "least information" and "least function". 

Why Cyber Resilience Matters Now

SPEAKER_01

Cyber resilience is fast emerging as the driving force behind survival and success in a world of unprecedented digital transformation. Through trend-based discussions with cybersecurity experts and pioneers, real-life case studies and practical advice, the Resilience Factor offers the tools and strategies needed to build business and personal resilience in all areas of cybersecurity and networking. Not only that, but you'll get to hear from a range of industry-leading professionals and experts at the very top of their game. Join us as we build a vital resource to drive organizational resilience within a fast-moving security landscape. This week we are joined by Tony Fergusson, CISO in Residence, EMEA at Zscaler, to discuss why third-party dependence has become one of the biggest hidden risks to operational resilience. Tony is an early zero trust advocate with deep experience in networking, security, and instant recovery. He works with organisations on how to reduce exposure from overshared data, brittle third-party access, and expanding digital ecosystems.

Meet Tony Fergusson And The Risk

SPEAKER_01

Welcome listeners. We hope you enjoyed the conversation. And welcome, Tony.

SPEAKER_00

Thanks for having me.

SPEAKER_01

It's a pleasure to have you. Tony, uh, first of all, can you just give us a quick sense of your role at Zscaler and then maybe why third party and supply chain risk has become a big focus for organizations?

SPEAKER_00

So I was a really early adopter or a pioneer in Zero Trust. So I actually spent 10 years really adopting this technology and actually leveraging Zscaler's technology. But in the last six years, I've been working for Zscaler and really helping a lot of our large customers around Zero Trust. And of course, uh third party and uh risk and resilience uh keeps on coming up again and again.

SPEAKER_01

Why has it become a big focus though? I mean, it seems to be a topic on everyone's lips at the moment. Is that just because of the external hacks and things or what else? Like, why is it a big focus right now?

SPEAKER_00

I mean,

From Castle Walls To Ecosystems

SPEAKER_00

yeah, you know, it used to be so simple, right? In the in the days where we would have our our own data centers, our our own castle in that sense, um, and we were able to control everything. Um, but you know, we we we really do live in a hyper-connected world, you know, where companies are yeah, leveraging uh a lot of cloud services these days, and those cloud services are connected to other third parties. And companies obviously invite lots of whether they're you know consultants coming into the organizations or they use different vendors. This this has really become quite a complex actual uh topic. And of course, that increases companies' attack surface. So I think companies are starting to realize how much they rely on these technologies and these technology partners, but how much risk they have against, for example, the adversaries that are also looking for holes in uh their systems or even better, in the third party systems.

SPEAKER_01

On the last episode, we spoke to your colleague, Martin uh Ditchburn, about the Ripple Effect report that Zscaler recently published, which was around potential external security dangers. One of the themes seemed to be that organizations are more connected than ever, which is what you were just saying, but that they're not necessarily more protected. I mean, how should people be thinking differently about external partners?

SPEAKER_00

Yeah. Something that I'm trying to get a lot of my a lot of my customers to really start to think about when we talk about zero trust and the the concepts around this, um, treating your own internal employees or your consultants or your third parties, treating them all equally in the sense of zero trust, least privilege is a is a great way to move. Um, but I don't think we're quite there yet. Like organizations are still trying to sometimes get zero trust adopted across their own internal employees. So then they haven't even got to the point where they're able to remove and do least privilege access for their third parties and their consultants. So I think that's you know a hard area for organizations, especially when, you know, if when we talk about manufacturing and OT and these types of areas where you have different parties inside different technologies and they want access

Zero Trust For Vendors And Contractors

SPEAKER_00

and they have their own access tools that they want to bring along. And these are often VPNs, which of course we don't like VPNs here at Zscaler. So it's really uh really difficult for them to then say to the third party, hey, go and use this product. This is safer. Yeah. Now we are seeing some of the third parties, some of these vendors moving towards zero trust, um, using different tools to access. So they're not introducing that risk to the environments. But again, it's uh it's a it's a slow road. And uh, yeah, these large companies uh they don't they don't move fast. There's a lot of inertia and technology that that they need to support. So it's a really hard battle.

SPEAKER_01

Yeah. The thing that surprised me in the report was the gap between resilience and readiness. Maybe you could comment on these stats, but it says that 68% of IT leaders say they rely on contractors and third parties more than ever. Yeah. Yet adoption of key third-party risk controls is below 50%. And it says that that suggests reliance is rising faster than protection. And I that to me is astonishing, really. It it it it it speaks to a lack of strategy in my mind.

SPEAKER_00

Yeah, it it does. And and I look, I I don't think it I don't think it is just with with third-party access. I mean, if we look at the in today's world, everything is moving extremely fast. Um, and we're all struggling to keep up. Um, if you look at you know, the influence of AI on on the industry at the moment, that is accelerating everything. So I think the game has really changed, you know, and look at Mythos as a great example of how this has changed the game of how we look at vulnerability management. I mean, before you say, hey, it's okay, I've got four days to patch, and I'm gonna patch all my machines and we would release the updates. Now, you know, we're talking about that this is time is collapsed from zero, from when uh there's a release of a uh of a vulnerability to the time it's actually exploited. So it's completely changed the game of what we need to do as an organization and we need to think differently and and maybe take a different strategy towards solving some of these problems.

SPEAKER_01

Yeah. It said in the report that only 42% of respondents explicitly include contractors and gig workers in their resilience strategy. And uh you wrote an article uh recently uh about the trust gap, if you like, and said that and and it was you mentioned it mentioned something about like this artificial divide. And I just wonder whether that's it. It's that like to not include, given what you've just said, contractors and sort of casual employees and things, it's seems very short-sighted. Do you want to talk to me a little bit more about that artificial divide? Because you said before we used to protect the four walls, protect the castle, but there isn't a castle as such anymore. It's all it's ever expanding. So, what's that artificial divide? And why do you think that they don't include contractors? Is it just like you say, it's just so fast-paced, it's so interconnected that it's just people are catching up.

SPEAKER_00

Yeah, I I think one part is the inertia piece, right? This is how we've always done it. This is how we're continuing to do it. So, you know, using like VPNs and other remote access methods. So I think that's one part of it. But the whole idea of this having trust, one of the big misconceptions about zero trust is we think, oh, you know, zero trust, it's it's a really sort of a bad name because it sounds like you don't have trust. But to actually implement zero trust, you actually have to build it. So you have to build trust. So you build trust with identity and with devices to applications. So you build this trust. And I think that's what's sort of missing when you think about third parties. Are we building the trust in an architectural way between third parties and our systems in a way that's not just least privilege? So giving them access to the things that they require, but also least information, giving them the only the information that they require, and then almost moving towards least function. What are the functions that they need to do on the systems? And if we start thinking and taking zero trust to the next level, we can start thinking about how we can use techniques and maybe not even providing the data to them. Zero knowledge proofs are a great example of trying to give your third-party information, but without actually giving them the information. They just verify the information.

SPEAKER_01

Yeah, it's specific questions and queries, isn't it? And they only get just the answer to that. I was intrigued by that concept in your article. It's an interesting one.

SPEAKER_00

Yeah, I think when you start you know looking at the ways we can um hide identities, um, tokenize information, and the way there's lots of techniques out there that can help protect, firstly, the information for organizations. But then I think the most important thing at the moment, especially like with the likes of Mythos, is that if if you are breached or a part of your system is breached, that you contain the blast. Yeah. And that's really that whole zero trust um philosophy of, hey, yes, I can I can survive as a company if one of my users or one of my parties has a breach. But if they actually move into my systems, we have my crown jewels, we have my data, that's a massive problem. So I think that's also something we need to really start thinking about because I don't think we can sit here now and say, oh, we're gonna be okay. Yeah, we've got 50,000 vulnerabilities coming our way. How are we gonna patch them? We are gonna be vulnerable, we will see systems breached, but what is the impact? And how how do we become and stay resilient?

SPEAKER_01

Yeah, I mean, I think if we could perhaps look at some examples of that. I mean, what of of what kinds of risks we're talking about? Uh like what does it look like for an organization? Because I think that's

When Exploitation Beats Your Patching

SPEAKER_01

that's really one of the key points that people are interested in. What what do we really mean?

SPEAKER_00

Yeah. And so this is where it gets really difficult to talk about third parties, or are we even talking about supply chain risk or the nth party, right? Because it's not as simple as um, what about if my third party gets breached? Because, you know, think about open source software at the moment. We see adversaries going after software packages and breaching those and knowing that they are fundamentally part of many organizations. So it does expand in a way when you start to think third-party supply chain and where is the risk. And I think that's always the problem with this area, is we have to look so far down into the chain. Where is the risk? And obviously, it's not always seen. And the different angles that can be used against corporation, it's there are just so many from their public attack surface, uh, from you know, the old phishing email and getting into their systems. Uh we see like tokens and these types of things stolen from organizations to get access to big databases like Snowflake, right? And then a whole lot of data is leaked. And it wasn't even their third party, it was another third party of a party. So um that these are the sorts of things that are uh happening and more frequently. So it's really understanding the total where all your data like if you think about an organization and their data, do they understand where their data is and where it's going? That's probably the first step. Do they even have visibility of this?

SPEAKER_01

Always, always the first step, and then some sort of segmentation. I think it's been true even before we were so uh technically advanced. You know, what is important and and and can we separate it out? Uh so let's think about a better way of doing it. Um how can how can organizations really practically work with suppliers without handing over more data than they need to? I mean, is that back to those zero proofs or yeah?

SPEAKER_00

Um so if you look at information and think about how information is is stored and um if we if we look at like the entropy of of data, right? So you have like clear text at one end and then you have you know complete random data at the other, which is maybe encrypted. Um there's there's other layers in between this that um that that I talked a little bit about before about being tokenized. So, you know, let me give you a good example. So, you know, at Zscaler, when you when you come into our platform, um, we don't actually want to store your username. We don't even want to know who you are. We don't even want to store the company, right? So we can tokenize all that information that that is the information that is actually in our cloud. So if anything does happen, you're not able to attribute it back to a person or corporation. Yeah. So there's all sorts of ways of masking the important, especially PII information, that you know, if you're gonna share with your third parties, do you have to share that that the real uh PII information of the people that are involved here? Or maybe you can anonymize this

Least Privilege Becomes Least Information

SPEAKER_00

information. So there's all sorts of methods in here that you can start to think about um to reduce the risk. So I think that's one part is really thinking about their data, minimizing the amount of data. And I call this um least information. So, like zero trust was least privilege, moving to least information. So I think that's the first step. And then the next one that needs to come is think about AI agents. Agents are now able to act on behalf of yourself. So if you have an agent on your computer, it can act, and we have a big problem there in identifying that agent to start with, and we're trying to solve that. But we need to think about that agent. What functions should that agent have access to? What functions should it be able to do? We've heard horror stories of AI agents deleting systems. Right.

SPEAKER_01

And backups.

SPEAKER_00

And backups, yeah, exactly. Yeah, and backups. So so think about this in the way of third parties. What functions should we allow them to have? Should they just have read access? Maybe not access to delete, um, maybe access to edit, but not delete. So those sorts of things I think are fundamental that we need to move to least function. And then I think the last piece is then really understanding how do I reduce the blast radius? And that really means that we need to start thinking about segmentation and we need to think about reducing the attack surface.

SPEAKER_01

Can I as I've got you, can I ask a question? Because this is the thing that always comes up. I I obviously work from the people on the culture side a lot. And I think I'm wondering whether it's easier or more easy or more difficult to get third parties to kind of buy into this very specific queries, this least information, this least access model. Because I know in an organization, it all it meets like you said before, zero trust is uh is perhaps not the best. It's like the best term because it describes what we're doing, but it's not the best term in winning people over because people hate the thought of being restricted, especially if they've already had something on a legacy system and now we're going to take it away and you have to ask for it. So, like what around that whole sort of human trust side of things, what kind of uh effects have you seen, or how's how does that play out with the parties when it's done well or done badly? I mean, what what impact does that have on relationships and and and supply chain strategy? Do you think?

SPEAKER_00

Yeah.

SPEAKER_01

Does it work?

SPEAKER_00

Yeah, so yeah, and that's why I always say I don't like the the the name zero trust because it sounds a negative, right? Yeah. It's a it's a it's a negative term.

SPEAKER_01

We don't trust you.

SPEAKER_00

But we we don't like so and you know, and especially when you talk to employees, they're like, oh no, we're doing zero trust that nobody yeah, do not trust what I'm doing, right? Look, there is a big impact, and I I think the way to win um always is is to say, hey, um, we're gonna change the way we're doing something, but we're also gonna make it easier. Yeah. So I always like to try to simplify the approach. So, yes, you can have access to this, and we'll maybe minimize your access here, but at the same time, we're gonna make it easier for you to access. So we're gonna be able to allow you to come straight from your web browser into our systems rather than going through this VPN and doing all this complexity. We're just gonna allow you to come straight into your web browser, type this, and away

Tokenisation And Data Masking In Practice

SPEAKER_00

you go. Not only is it more secure, but it's easier to use, right? And that's that double win. And that's where you build trust with either your own employees or your third parties, that you're able to do a double win, make it more secure and make it actually easier to use. So I think that's something we can all learn to do in security, rather than being the no, you can't do this or I'm removing access. No, I'm just giving you a different way, but it's an easier method to do.

SPEAKER_01

And is that where you think people should start? I mean, if you had a piece of advice for for people to start on this uh this journey of being better protected from that dependence on third parties, is that really where you where you'd start by kind of exp because that's where I would start explaining to people this is why? Because you can show people how and you can show people, you know, what you're doing, but I think sometimes it's telling people why why you're doing it. And I I feel like that's where you're going with it, really. It's like, look, we're doing it because it is more secure, but it's also easier for you, makes you makes it more efficient. Is that where you'd start with advice for IT leaders?

SPEAKER_00

Yeah, yeah, look, um a big piece of this is the mindset and getting um getting your own people and your third parties and everyone to understand that the world has changed from you know the way we used to do it. We used to have firewalls and we'd have VPNs and we'd try to protect the castle, and now we're in an interconnected world. And so the the trust boundaries have disappeared, right? So we have to really educate and change the mindset of not only our own internal people that are working with this, but all of our third parties, and explain to them that, hey, yeah, look, I want you to work and do work with us, but we need to have some boundaries, right? And that's also protecting them. Yeah, it's also a benefit to them that they are not able to damage the system.

SPEAKER_01

That's that's to me is the key. It's that what's in it for me thing. You're saying, look, you know, we've got the technology, this is how we're going to use it, and this is why we're going to do it, but there is a a mutual benefit to it all. I think that to me would be so key. It's fascinating to me because the idea of that castle, because I never really thought the castle was that well protected anyway. I was a social engineer, you know, but uh the idea that the castle's everywhere, but like we can restrict access at all the little points is a fascinating one. I'm gonna watch with interest how this all develops and maybe speak to you again in a you know in a while and see see what's moved on in the next 30 seconds, 30 days, year, years time. Um, so thank you. It's been a brilliant insight.

AI Agents And The Need For Least Function

SPEAKER_01

And I've got one last question. It's a question that we ask all our guests, and it's a bit daft, but it's very revealing sometimes, and so I'm gonna ask it to you. Um, so Tony Fergusson, what is your personal resilience superpower?

SPEAKER_00

Okay, so when I was younger, um my my parents would tell you that I was a very curious kid, and I think curiosity is very powerful. So I would, you know, look at a little radio set and I need to know how does it work though? So I would pull it apart and I wanted to see every piece of moving part. I wanted to understand right down to every piece of how this how this thing works. And I think we can sort of use those sorts of same things when we talk about technology and understand, so what is my risk? Right, be curious about what information does your third parties have. Um, be curious about what things they could have access, what damage could they do? So if you're more curious about these types of things and learn, um, always keep learning about new technologies,

Making Security Easier To Adopt

SPEAKER_00

how things are changing, then you're able to sort of keep up with this. But I think we ask a lot of questions and don't just take things for granted and say it'll be okay. Yeah, be curious.

SPEAKER_01

Yeah, absolutely. Brilliant answer and great to chat to you about all of this, Tony. Thanks so much for joining us on the show. Thanks. So let's reflect on that conversation with Tony Fergusson. Tony touched on the misconceptions of zero trust.

SPEAKER_00

Oh, you know, zero trust. It's a really sort of a bad name because it sounds like you don't have trust. But to actually implement zero trust, you actually have to build it. So you build trust with identity and with devices to applications.

SPEAKER_01

And when it comes to building trust with third parties, we need to rethink.

SPEAKER_00

Are we building the trust in an architectural way between third parties and our systems in a way that's not just least privilege, so giving them access to the things that they require, but also least information, giving them only the information that they require. What are the functions that they need to do on the systems? And if we start thinking in taking zero trust to the next level, we can start thinking about how we can use techniques and maybe not even providing the data to them.

SPEAKER_01

Tony helps set out how organizations can work with suppliers without handing over more data than they need to.

SPEAKER_00

So there's all sorts of ways of masking the important, especially PII information, that, you know, if you're going to share with your third parties, do you have to share that the real uh PII information of the people that are involved here? Or maybe you can anonymize this information. So I think that's the first step. And then the next one that needs to come is think about AI agents. What functions should that agent have access to? What functions should it be able to do? We've heard horror stories of AI agents deleting systems. So think about this in the way of third parties. What functions should we allow them to have?

SPEAKER_01

And finally, we talked about the best practice for changing organizational culture so that people can adopt the least information model.

SPEAKER_00

I think the way to win um always is is to say, hey, um, we're gonna change the way we're doing something, but we're also gonna make it easier. Yes, you can have access to this, and we will maybe minimize your access here, but at the same time, we're gonna make it easier for you to access. And that's that double win, and that's where you build trust with either your own employees or your third parties, that you're

Curiosity As A Resilience Superpower

SPEAKER_00

able to do a double win, make it more secure, and make it actually easier to use.

SPEAKER_01

The Resilience Factor Podcast is brought to you by Zscaler, a leading cloud-based cybersecurity platform revolutionizing the way businesses protect themselves from cyber threats. By transitioning from traditional appliance-based systems to a cloud-delivered model and the implementation of Zero Trust principles, Zscaler provides businesses with optimal protection from cyber threats.