The Amplitude of Tech
Welcome to The Amplitude of Tech podcast, produced by Amplix, a leading technology advisory firm, where we bring the voices of technology thought leaders, subject matter experts, and enterprise IT decision makers to you to talk about today’s transformative technology and how it can create opportunities for increased success.
The Amplitude of Tech
Identity Is the New Edge: A Field CISO's Playbook for Identity Security and AI Threats
Use Left/Right to seek, Home/End to jump to start or end. Hold shift to jump forward or backward.
Attackers don't need a zero-day anymore. A stolen username and password, accelerated by AI, is cheaper, faster, and harder to detect. In this episode, Brian Zimmer, Field CISO at CyberMaxx, joins Shawn to break down why identity is the real perimeter, how managed detection and response has to evolve to match identity-based attacks, and what CISOs need to do right now to build governance programs that protect users without creating the friction that drives them to bad habits.
What You'll Learn:
- Why credential-based attacks are the attacker's preferred playbook and how AI has made them even cheaper to execute at scale
- How the shift to remote work collapsed the castle-and-moat model and put user identity at the center of every security decision
- What a strong identity governance program actually looks like, from joiners and movers to certificate management and privileged access
- Why authentication and authorization are not the same thing, and why conflating them is a governance gap CISOs need to close
- How to minimize friction for your users while maximizing cost and noise for attackers
- Why AI agents need identity governance just as urgently as the humans using them, and who in the org actually owns that problem
- How modern MDR has to evolve from isolating machines to responding at the identity layer
- The practical steps a CIO or CISO should take today to start treating identity as the new edge
Hey everyone welcome to the Amplitude of Tech podcast. I'm Sean Corner, Chief Marketing Officer of Amplix. Today we had Brian Zimmer. He's the field CISO from Cybermax. Uh had a great conversation about identity as the new edge, as well as human-centered design and security. I think we covered some really interesting topics on this one. Hope you enjoy it. All right, Brian Zimmer, welcome to the podcast. Thank you very much. Good to be here. Well, I say that for now. We'll see how it goes. I was gonna say I'm happy to have you here, except that you're a uh Penguins fan and I'm a Flyers fan and uh the hockey players are going about to go as we're recording this. So we'll see if we're still friends in the next couple of weeks. Peace in our time. So um why don't you just take a few seconds here and tell everyone who you are, where you're from, and what you do?
SPEAKER_02Yeah, I've I've prepared an 85 slide deck to cover my uh my background, so it's gonna be very exciting. So I'm uh Brian Zimmer. I'm based in Charlotte, North Carolina. Place is terrible. Tell your friends, nobody moved down here anymore. We're good. I'm the field CISO at a modern managed detection response company called Cybermax. I was uh uh North American CTO for a uh competitor that that I won't mention before that, and uh ran global pre-sales at uh E Plus security before that, and done a lot of a lot of stuff in my career, but solely cybersecurity. It's the only thing I've ever done in my career.
SPEAKER_01Um I'm not saying I've done it well, I'm just saying I've done it. You you've seen quite an evolution over your career in uh cybersecurity. Why don't we just like zoom out for a second before we get into the good stuff here and just you know what what has the journey been like?
SPEAKER_02What has the journey been like? It's it's okay, so it's been interesting. That's that's a lame thing to say. What's what I feel is I get to the 15th hole of a uh whole career, it's kept me young. It's kept me involved, it's kept me learning, it's kept me around younger people who are experimenting and have open minds and new ideas. And I'm really grateful for that. And I'm also grateful for, frankly, the the evolution and the change, as well as the gravity of this space. I've been very fortunate, and one of the best pieces of advice that I ignored when I was at Bank of America at a guy who was in the unified communications space route switch tell me that I was too focused on security and that I needed to broader broaden my horizons. And I'm I'm glad I didn't take that advice.
SPEAKER_01Yeah, you don't always want to take advice, you have to make sure you consider the source. But I do wonder, you know, I I come from the telecom side, so I could be forgiven hopefully if I'm a little bit off on this. But when I started in this industry almost 30 years ago, security was not something talked about a whole lot. That's exactly right. And so I feel like today, what's different is everything needs to be looked at through the lens of security. So, you know, what has driven that paradigm shift?
SPEAKER_02I will I will validate what you said, first of all. Part of the reason that you're right is that we have gotten better, we as security practitioners, because I will tell you, mea culpa, a lot of us were not good at our jobs, myself included. In fact, we I I was particularly terrible at conveying risk, conveying priorities, understanding being sympathetic and empathetic to lines of business. Right. If you're running a contact center and Zimmer comes in and tells you, stop the presses, you have to do all those things, well, that's not very helpful. And I think what we as security practitioners have done, especially in the last 10 years, is really understand the business and understand where we fit in the business's journey and outcome and goals. We are now in the boardrooms and we are doing a decent job in that boardroom, whereas 10 to 15 years ago, we were, we were not, especially 20 years ago. So we've brought, we've upped our game to speak business, not security. And I went on off on that tangent so long I forgot the the core of your your question. Refresh my memory.
SPEAKER_01Yeah, I'm just, you know, I was wondering how the paradigm has shifted from security not getting much love to security being, you know, really a whole piece.
SPEAKER_02Right. So along those lines, the one thing that we've done is we've started speaking in outcomes, we've started speaking in business continuity, we've been, we've started speaking in risk, risk minimization. And these are things that I'm not an expert in. You want you want to talk expertise and risk, talk to my friend Jack Freud. He he'll he'll get you squared away. I will not. And the other thing, and Sunil Yu talks about this, and I'm very fortunate to be in an event with Sunil in a month or so, or maybe less. He talks about us being in the age of recovery. And what he means by that is you know, products and services and defensive strategies are all built around stopping and sometimes even containing. But we know from experience that something will slip past us and we will have to recover. And so what we've gotten better at over the last five years or so is thinking about what recovery looks like, minimizing business impact, getting business operations restored quickly.
SPEAKER_01Yeah. So if I think back to what it was like back then, the enterprise was a little bit like a castle in that it was small and within the walls of the actual building that the people were working in for the most part. And so it was easy to defend the same way that a castle is easy to defend. You could have high walls, you could build a moat, you could do all the things uh to keep people out. And the surface area was a lot smaller because it was just these four walls, or however many locations you had, right? And then, you know, I really didn't pay much attention to the evolution until really COVID happened. And at that time, people got pushed from the office and outside of those walls to their homes, and they had multiple devices that were then connecting to the to the corporate network. And of course, this didn't happen over overnight, right? It it grew exponentially overnight because of the pandemic. But, you know, I had worked from home before then and I had a laptop and there was a third anyway, so I understand that. But moral of the story is it accelerated so much, and the surface area of the average enterprise expanded, you know, really multiplied by the number of employees they had and probably two to three devices for each employee. And then you have things like IoT starting to gain some momentum in the enterprise. So that perimeter has become a lot bigger. The surface area is a lot larger, and it's a lot harder to defend. So is there a more modern paradigm that businesses should be operating under?
SPEAKER_02Yeah, I think I think your pre- the premise is exactly right. There's no but we all lived it, we all experienced it. It wasn't really all that fun. I think that's why we see the rise of SASE, so secure access service edge technologies. I think that brings us to one of the main themes of what we wanted to talk about, which is identity. I think when you when we when that architecture, when that operations changed, that was sloppy conjugation of verbs and nouns there. But I think I think everybody knows where I'm going. I think that put the emphasis on the user, the user's identity, the user's authentication and authorization. It put a premium on securing all of those devices that you're talking about, the user's endpoint, their Mac, their PC, their mobile phone, even their in-home infrastructure. So I think that is the big we were going that way anyway, but I think COVID was the one thing that just pushed us right over the edge. So for better or for worse, right? Because you know, I talked to somebody yesterday and they said, you know, thank, thank God, COVID got my organization comfortable with remote work. So I don't know.
SPEAKER_01There's there's good and bad out of it, right? Yeah, it's hard to see where things would have gone without that. It certainly accelerated, but I think it was going that way anyway. I mean, you you always had some portion of your workforce that was on the road, right? Typically salespeople are out and about in their little territories, and then you had executives and people that might have been trainers, you know, traveling throughout the country, and those people always need to be online. But like I said, I was working from home I mean, probably a decade before COVID happened, right? So people were doing it, and I think it was it was starting to increase. Businesses were seeing the benefits of letting employees at least have some flexibility, if not completely work from home. Yeah, but this definitely, you know, set the world on fire and and sped up that process. Um, and I, you know, as far as I know, that the jury is still out as to whether or not this is a good thing for productivity for businesses. You periodically hear a study come and and say that people are more productive, and then you you see a conflicting study the next week, right? So I don't know really where we stand there, but that's the reality of where we are, is it's a ratchet effect, right? It it pushed us into this position, and it's really, really hard to go back. And you saw a lot of CEOs driving a back to office mandate and then kind of back from that, right? Yeah. Yeah. So that's our new reality. And I when we did a planning call here, I liked what you said. You said uh identity is the new edge. So just unpack that for me.
SPEAKER_02Well, I think the premise here is that our identity, whether it be our you know, mainly our user persona, is the one thing that attackers want. And so what goes into that persona? That's your logon credentials, your email, your password, uh, your one-time password, um, your multi-factor authentication. We've seen that intercepted in a couple of attacks. Once an attacker has that, they can do a lot of, they can be profitable. Let's let's speak that way. They can be profitable. The other thing, since we're all business people here, when you look at these attacks on the identity, they are low cost. They are low cost, high reward. So if you are out there researching remote code execution, or God forbid you're having to buy what we call a zero-day exploit, that that those costs are astronomical compared to the low cost of user ID, password, etc. In conclusion, there are very few things that are cheaper and more effective than the user credentials and the user persona.
SPEAKER_01And this is a lot easier to scale now because of AI, so that's gonna be compounding the problem, right?
SPEAKER_02Yes. I would say so, yes. And to paint the full picture, one of the use cases or one of the plays that AI uh can make for an attacker is it can scour forums and boards, and we'll just say places where those things are held or stored or sold or brokered, et cetera. We use your verb. It can then quickly um adapt to and and implement passwords or uh uh credential stuffing, et cetera. So it it raises raises the game because it takes something that is already low cost, now it adds speed, and the it in the sentence is AI. So I've got something that is low cost, now I have AI, which is um allowing me to attack an organization and get results quicker than I could 18 months ago. And that's where we as defenders, in my opinion, need to really level our game up.
SPEAKER_01Yeah. And uh it allows them to um shoot more shots to to borrow from the uh the hockey uh conversation earlier uh at the same cost. Yes, yes, yeah.
SPEAKER_02Um yeah, shots on net, shots on goal, shots. Like take a shot, put something on net, let's see what happens, let's see. And and here's the thing, here's the way I like to talk to to business leaders and my peers. It's a really it's really about cost. Are you imposing cost on an attacker? Are you making them burn through time? Are you making them burn through money? Are you making them burn through opportunity? What ca- are you making them burn through stealth? Are are you causing them to be noisy? What we want to do is impose cost on the attackers. And we do that through a variety of controls. But I will get off on a tangent, so I'll I'll stop talking there.
SPEAKER_01No, I think that's a good tangent because I I I don't often think about it in those terms. I think about it as blocking shots, but that makes sense. If you just become a less desirable target or a less cost-effective or a target that is not as profitable, then they're likely to move on to the next one. Is that what you're saying?
SPEAKER_02Yeah, in in essence, I think the other the other way I like to speak is time. Especially with the swift implementation of AI as an as an attacker, as an attacker's tool, we're seeing the the time to take on what we call action on objectives highly compressed. It's highly compressed. So what we want to do is impose time costs. And what that time does, it allows us as defenders, and again, I work for a managed detection response firm, it allows us the time that we need to see, evaluate, eradicate, all around respond, and then evict that threat actor. We need that time, we need that noise from that attacker because if they move fast and they move quietly, then we can't see them. They're operating in our infrastructure, they're moving to action on objectives, which is the last stage of their attack.
SPEAKER_01So I'm gonna keep talking on hockey analogy, but how does AI mean how does AI now help you um, you know, go where the puck is going to be rather than where the puck is?
SPEAKER_02Yeah, I think it's there's a couple things in no particular order. It also gives us speed. It gives us speed. It allows us to have a level one analyst in an agentic workflow constantly looking, constantly running. And for smaller organizations, that matters a lot, and that really helps them level up. The next thing is it reduces these esoteric, high learning curve barrier to entry situations. Meaning, I'm going to get a SOC analyst on day one and he's going to use AI. Now, is it it do we want a SOC analyst that knows what he or she is doing? Absolutely. Do we want them trained? Absolutely, all that. But here's one of the other advantages. I can, as a SOC analyst, as a level one SOC analyst, speak in plain English to my prompt. So if I have clawed code, I'm in the system. Hey, query Splunk, query S1, query Microsoft Defender, Query Sentinel. Now take into account, here's the third thing I think. I think that's what number I'm on. Let's take in into account enrichments. So where am I vulnerable? I'll give you an example that that's sort of thematically related. Take a look at this credential involved in this suspicious behavior. Now query all of my intelligence, including in open source intelligence. Is this user in a password breach? Is he on? Is he or she on? Have I been pwned? Have her credentials been compromised? Let's use that as an enrichment. With that information, I can move much quicker than I could even two years ago. Yeah. So those those are three, three just quick elements. Forget about orchestration, forget about automation, which um, you know, we had SOAR tools going back a decade. Where we are now with AI underpinning and driving a lot of our SOAR capabilities is far advanced from where we were way back then.
SPEAKER_01Yeah, it's incredible how quickly things are moving. And I want to go back to the user issue because you're you know, we're talking about identity and we're talking about it in terms of users, but and this is where AI AI is going to come back up into the conversation, but um, a user is not just a human, right? Or identity at least is not just a human, but we've got identity of machines and devices, and we've got browsers, and now we've got AI agents. So talk to me a little bit about how that adds a little complexity to the um, you know, the issue of authentication.
SPEAKER_02Yeah, it always has been a complex environment and an environment that is shifting, but now again, it's just faster, broader. What I mean by broader is if you if you're of a certain age, you can remember service accounts or daemons that that machine that would run as the machine, cron jobs, et cetera. We are well past that era. These non-machine identities, APIs, secret keys, they are everywhere. And we still, as an as an industry, struggle with the basics like managing a CMDB. You know, what are my assets? Who owns them? What's the IP? Then we we struggle with managing vulnerabilities. How in the world are we going to effectively manage these machine identities, the secrets management, APIs, et cetera, is at the forefront of a strong identity governance program. And a lot of organizations continue to struggle. This is not me with a judgmental tone. Like I said, the attack surface, the situation is broad. And getting a smaller regional hospital in Nebraska or Oklahoma, just, you know, picking places to successfully manage that in the face of attackers, that's a tall task.
SPEAKER_01How do they do it? How do you set up proper governance and what is the risk of bad governance?
SPEAKER_02Well, let's talk about good governance. You know, good governance names, it names them. First of all, good governance exists. And a lot of organizations simply don't do data governance and they don't do identity governance. And data governance is a topic for another time, probably. But identity governance in a lot of organizations doesn't exist. It's it's the the what, the why, the who, the policies, the standards, that that that framework, that that reporting, the driving of separations, separation of duties, privilege management, auditability. I mentioned reporting, but also data visualization. So that that's the what it is. And in just mentioning that, you can see why organizations would struggle to do that because they're they're just they're going from one problem to another and building that, it's a big task. Now, there are platforms like Okta. I don't work for Okta. I'm not partnered with Okta. Okta is one. I've implemented Okta in the past. It was wildly successful. But you still need to have the policies, the procedures, and the oversight to set up that good governance. So I'll I'll pause there and then let you steer me uh appropriately.
SPEAKER_01Well, let's take a second and talk about what Okta is. I I know it at a high level, but it's basically an identity management single sign-on platform, right? I'm sure I'm oversimplifying that by miles and miles, right? But what else can you tell the audience about that or similar type of platforms and the role that it plays?
SPEAKER_02I will, I will, since you did a good job of setting it up and explaining it high level, I'll do, I'll, I'll tackle what its role is because its role is so, so important compared to and it's a huge step in where we are now compared to years ago. In essence, what it allows you to do is have one identity, one identity that logs into your ERP, one identity, one password that logs into your Outlook or your Google mail. It simplifies the experience for the user so that the user is not writing down passwords, writing down user accounts in a spreadsheet. That's what we don't want. The other thing. Thing that it does, it is it relieves the burden on the organization and allows the user to self-help. So do a password reset, manage their credentials, manage their entitlements. They can open up a request that says, hey, I don't have access to system Y, please grant that to me. And it can be a whole lot faster. When you reduce that friction, as a security person, my position is you make a user a lot happier and you prevent them from having to write down their passwords, write down their usernames, write down all of their keys and their it allows us to have one thing in one place that greases the skid, so to speak, for a better user experience. But better doesn't mean less secure. That's what I love about these, like intra, for example, from Microsoft. It allows us to make a much easier user experience, but a much more secure user experience. How is it different from something like LastPass, or is it? So this is a different topic and one that I'm really excited about. LastPass, one password, I use another one. Beekeeper is um what I've seen organizations use. Dashlane, these password managers are fantastic. They allow something very similar for you to have a secure vault, which is protected by a longer, let's say, passphrase, usually a key or some stronger identification or authorization, authentication and authorization. And it allows you to, again, remember one as opposed to multiple, writing them down, storing them someplace insecure insecurely. It also allows you to have that ability to do it everywhere. So they are related, but I would say they're complementary technology. So you could use Beekeeper with your identity management, your single sign-on platform, and they should be integrated.
SPEAKER_01So here's the multi-billion dollar question, but like when are we going to have some sort of centralized blockchain-driven identity that allows me to just log in because it knows it's me? I think we're getting dangerously close.
SPEAKER_02We're getting dangerously close to two things. Number one, that user experience, that technology, but we're also getting dangerously close to outside of my area of expertise. So it's two things. But I I think with a lot of the protocols that exist, Web Authend, for example, uh, we have secure keys now. So I think we're getting dangerously close. And the uh not to be overly positive, but we are a lot further along and a lot more secure in this realm than we were a couple years ago. I think organizations have made a lot of strides. I know, I think most organizations have now implemented across the board one-time passwords, two-factor authentication, multi-factor, sometimes Yubi-Keys, et cetera, et cetera, card authentication, like like they do in the military. So we're a lot further along than than uh than we were years ago and for the better.
SPEAKER_01We are and we aren't, right? It's it's still such a uh fractured and siloed experience. And I'm gonna rant for a second, so just indulge me. But just this week, right, I I was locked out of Outlook and Teams for 12 hours. And it was because something happened on the back end and if it logged me out and forced me to re-register the machine. And then when I started going through the process that Microsoft was prompting me through, it just kept taking me to a dead end. And it was this circular process of this, this, that, and then dead end, and then X out, and then it pops up again, and then I have to do that again. And this went on and on and on. And then eventually the pop-up window itself wouldn't load, and it just was spinning. And so then I had to restart the computer because that's always what you do. And then finally I got worked out, but but also just this morning I was logging into a portal and it requires the two-factor authentication. And then it also wants, so it wants my password first. Well, I have a pass key set up, but is it the Apple pass key where sometimes it pops up on my iPhone and I have to validate it or authenticate it on my iPhone, or is it the Google Chrome pass key? I don't even know. And so that but the password that popped up was wrong, so I had to figure out where that was going, and then I had to change the password in there, and then I had to get logged in, then I had to do the two-factor. This one goes to my email. Sometimes they go to my text messages, sometimes I can't get in at all, and I got to call customer service. So, moral of this story and what I'm trying to get at here is there's a lot of friction because of security. And I understand how necessary it is, but what is the cost of all this friction to the economy in general, to enterprises specifically, as they you know, create barriers to bad guys getting in, but also to their employees getting in as well. And is there room, or at least is there a movement, hopefully coming, of human-centered design insecurity?
SPEAKER_02Man, I I love the setup. I love the rant. I think we can all agree with it. I think we've all been there. I think it highlights a couple of things. Number one, it just accentuates this topic of friction, ease of use. If you okay, I'm a security guy. If I impose friction, I have to understand what the results of that friction are. And from an engineering perspective, have we created a desire line? Desire line is you'll see a sidewalk and then you'll see a path. So for those of you that don't know, that's a desire line. A desire line is what the user of the system has decided is the place to go, is the path. You designed it one way. The user has said, I'm going to use it a different way. I think we are getting better at on identifying desire lines. I think we are getting better at understanding user behavior. And I think this goes back to exactly what I said at the beginning. I think we're getting better at listening in the boardroom, conveying these concepts in the boardroom, and building solutions that minimize friction to our users, but maximize friction to the attackers. Are we there yet? No. Will we ever be there? No. I don't know. But I know we're a hell of a lot farther along than we were. And I think, you know, it's it's what do you what do you what do you do when you're in a hole? You stop digging. I think we've stopped digging. I really do. I think we are much more attuned, much more attentive to the risks, as well as the operational friction we put on our admins and our users.
SPEAKER_01And especially in the identity space. Yeah, we in marketing, we talk about user experience and user interface design, and they go together, right? So I've mentioned it a few times on this podcast, but I don't think I've ever really got into what it is. What it is is using data about users and their behaviors and doing stakeholder interviews to understand, you know, intent and designing an information architecture and then a user journey that gives the user affordances to find what it is that they're looking for in an intuitive way and lead them down a path that allows them to achieve their goal, but also achieve the goal that we as the enterprise designing the website have for them, right? So um it's all about using design and design cues to leave a breadcrumb trail to get people to do what you want them to do. And hopefully what you want them to do is also correlated with what they want to do, and so then everybody's happy, right? That's good user experience design. And and then when you design those paths, you have to then create the interface to match those paths and give them those affordances so that they can find their way around. So it's very well established that you can influence behavior with design. We see it in CX now, where people are intentionally designing customer experiences or patient experiences in healthcare, where they're giving them a path or a journey to accomplish what they need to accomplish, but also accomplish what the enterprise wants them to accomplish and have a good experience while doing it. And so what I'm trying to get at with this is people are an enterprise's biggest risk because we have cognitive biases, because we get fatigued of doing things that we have to do that are overly complex, because we're always seeking out shortcuts. That's just how our brains work. We just evolved to be that way, and you can't fight human nature. So if you want better compliance, I feel like the best thing that you can do, and I mean security compliance, is to reduce that friction. And that will ultimately lead to them doing what you need them to do in order to be safe and secure, but also increase or at least reduce the impact to productivity.
SPEAKER_02And let's turn over some new ground. There's another user community that we haven't tackled, and that's the admin community and the developer community. So we talked about our end users, your scenario applies to them, but your scenario also applies to admins, developers, et cetera. And if we're gonna again stay thematically congruent, uh, that's my SAT phrase for the day. My uh mom would be very proud of me, apparently. Big, big uh polysyllabic words. So privilege access management, privileged identity management, secrets management. I think that is uh it's another area where we we have identified a high risk with the user, the admin, and we've introduced attacker friction, and we've tried to minimize the friction for that user. So we're automatic, we're automatically updating secrets. We are scanning our infrastructure for them, we're rotating keys. We are providing temporary root access, temporary admin access, or maybe even a step down as appropriate for those users, those users being admins, developers, et cetera. So that's another completely different user base where the identity is the edge. Because what better person, if you're an attacker, to go after than a developer who has access to important keys? What better person to go after than an admin? What better person to go after than an admin who left the organization eight months ago and you didn't disable his or her access and she still has it up and running. And I can't remember what attack used that. And I don't I don't know if it was Snowflake, maybe Snowflake, the Snowflake compromise used an older user account. But though those scenarios are not hypothetical, those are happening in the here and the now.
SPEAKER_01Yeah, I guess the challenge with all this is being intentional, right? And and if you're a lean IT team that's got a lot of things that they have to cover, are you ever going to really be able to step back and say, hey, let's reimagine the security experience that our users, because I I feel like I've certainly never sat on the other side of this conversation as a CISO, right? But I I feel like what happens is there's you end up with an ad hoc defense posture. It's we need to do this. Okay, now we need to go do this, and now we need to go do this, and uh-oh, this thing's not working with this thing. And so when can you actually sit back and say, let's look at this holistically and let's intentionally design how our users and and the outside world are going to interact with our network and and our digital properties? That's that's a tough one.
SPEAKER_02So the the boilerplate answers are when the project begins, when the new CISO comes in, when there is some sort of event that drives the ability for the organization to take a breath and to do that. I think the other major event is probably the adoption or recertification uh of and vis-a-vis a framework, like ISO, like uh the CIS top 18 controls. I think I think you have to look for those events in order to spot the time, the right time to do that. But that is a tough question. And the CISO's role and the CIO's role, because remember, we're talking about identity governance and data governance, although we said we were going to put that aside, which are which have security elements, but they are not security per se. So it's a CIO CISO activity. And um it is a fight worth having, but you know, from the cheap CIS, we need to be careful about saying, well, they should have just should have just done it. Well, they're doing other things, right? So I think it's spotting the right time. And I think I listed four potentially right times to rehave that conversation. And I think those are those are Yeah.
SPEAKER_01It seems like um at least what you could be doing is as you're making decisions on new technologies that need to be implemented or new vendors that you need to bring in, thinking about that experience and how it's going to work with the other security measures that you have in place that are user-facing and impact them or end user facing.
SPEAKER_00Yeah.
SPEAKER_01Let's run it all the way back for a second because I want to get back to talking about AI agents and their identities. Okay. So uh a question that I've asked a few times on this podcast, and I feel like uh it's it's yet to be answered head on, that I want to pose to you is are we approaching a time where businesses need to start thinking about HR for AI agents? And what I mean by that is an AI agent is, for all intents and purposes, an employee, right? There's upsides to it where you don't have to pay them and you don't have to manage vacation and you don't have to deal with their medical issues and whatever. But what you do have to deal with still is their role, they their org chart, where they kind of fit in the organization, who owns them, uh, who's accountable for them, what data and applications do they have access to, who's onboarding them and how do you onboard them, who's training them and how do you continue to train them? How do you manage and govern them? And what about conflict resolution? Because one AI agent could certainly be conflicting with another AI agent, and so who wins? So that's why I'm calling it HR for AI, not to be confused with AI for HR. What are your thoughts on this? Like, how do you go about approaching these, looking at it through the lens of identity management?
SPEAKER_02I well, first of all, I think you're right. I think the premise is right. I think the premise is sound. I think there's probably there's probably a handful of people. Well, let me say, many more people that are more qualified than me. Here's what I would say AI governance, in and of itself, just like data governance, identity governance, corporate governance, has to be something that as a CIO and definitely a CISO, you did yesterday. When's the best time to plant a tree? 20 years ago. When's the second best time to plant a tree right now? So begin that task. I think there are other really, really crucial overlaps that you highlighted. Number one, identity governance, the identity governance pursuant to an AI identity is a thing, and it should be governed under your AI governance policy or your corporate governance. That is a task that must be done. Data governance is what what does AI crave? It craves data. That's how it drives its decision making. So the data governance is really important. I can say, parenthetically, I did data uh protection and privacy at E Plus for a couple of years. Organizations are woefully unprepared for AI because they are woefully unprepared, and they were a decade ago for data governance. So now we've got AI governance, corporate governance, identity governance, data governance. All of those things are woven together in a Venn diagram. I agree with you that conflict resolution is really relevant. I agree. It is a thing, an agent or a user's usage of a model. There's two separate things. They could be in opposition. How do we sort it out? How do we resolve that conflict? I agree with you. I don't have a hard and fast answer, but I think it is an HR issue in some respects, or a quasi-HR issue, right? We're not going to get somebody from HR to feel a complaint that someone's model did X or agent did XYZ. But we are going to have this quasi resolution or HR resolution. There was another thing that I will throw two shout-outs that are really important. Number one, Daniel Meessler has been doing a ton of work on this topic. I would recommend viewers, listeners go check out Daniel's work. More immediately, Dan Guido uh presented, this was a couple weeks ago, I think, on how his company, Trail of Bits, they do phenomenal work. He has been such a positive influence and leader in this industry for two decades now. Go watch his talk. Uh, he shows how they took Trail of Bits to being really an AI first organization and what their methodology was. Highly recommend it. You'll probably get more out of listening to Dan than you ever would and listening to me. I can guarantee that. So those are my my two action items for the viewers and the listeners.
SPEAKER_01Got it. We'll uh we'll put it in the show notes. We've never had show notes before, but now it seems like we need them. So I will put them in there. You're welcome, everybody. That's that's that's what all the podcast hosts say is. It'll be in the show notes. It'll be in the show notes. I don't even know what that means yet, but we're all so yeah, I'd like, you know, it seems like I'm calling it HR for AI, and it does seem like it needs to fit into HR in some way, at least from an org chart and responsibility and like role perspective, right? Because when you're when you're looking at the organization, you need to understand who rolls to what, and that's for decision making and that's for accountability. And so these agents ultimately are going to I mean, there's a risk of them making huge mistakes. And so you need to know what there's gotta be an audit trail back to who is is uh running the show for each one of these agents and who's using them and what are they using them for, and what right are they using them the way they're supposed to be, right?
SPEAKER_02But but they and this is where we might actually delightfully come across a slight disagreement. Humans make mistakes and they make them at a much greater rate and a much greater pace, and sometimes with as big a consequence as or bigger. I shut down an entire time zone at Bank of America because I made a group policy push. You're welcome. Thanks, everybody. So I think we need to be, and Dan actually gets into this in his in his talk about our tolerance for mistakes and our tolerance as we grow and we we we we foster the symbiotic relationship between our AI tooling and us as carbon-based life forms and our knowledge, skills, and abilities. The thing that Dan does in his talk that's so great is he talks about how you're taking a user and you're enhancing that user. You're enhancing it for the better, betterment of the company, the betterment of the customer, and the betterment of that user and that user's role. And let's hover over that for a second because the user and the company are not the same thing. They're able to take skill sets in Claude or in Anthropic and share them. They're able to take functions and share them across the organization. The other place where I would maybe slightly disagree with you, you know, you're talking in HR for AI. So I think that function has to exist in AI governance. I don't, I don't think it's HR proper. And I I don't and I don't mean to say that that's your argument, but I think it goes back to governance. And here's here's another example. Organizations have forever just struggled with DLP, data loss prevention. Data loss prevention is part and parcel to a strong data governance program. Do we want people exfiling data? Do we want them misusing it? Do we want them, are we going to allow them to make mistakes? What guardrails are we going to put in place? Well, that also applies to AI. It's almost a one-to-one replacement in in um maybe not replacement, but there is correlation between what we would do in a strong data governance, strong DLP program, and strong AI governance and the guardrails that we would put on it in an organization.
SPEAKER_01So a few responses. Number one is we don't allow disagreement with me on this podcast. So you're firm and fair. But the second thing is, yeah, I certainly wasn't saying HR owns the agents, right? But I do think that the agents would probably be reflected in HR, just in the sense that, you know, if one of my employees is doing something and someone has to question it or there's an accountability issue there, they're going to come to me. Are they going to go to IT? Like I know IT is ultimately owning all these agents, right? But I guess it also depends on how these agents are deployed. And I don't know how enterprises, how much autonomy people are having in enterprises. Like right now, I know there's a lot of there's a shadow AI problem, right? Like I could have an agent running right now that nobody in my business knows about. In the future, maybe it's on the map, but maybe I'm still able to create agents within a certain box that I've been allowed to do, right? So I don't know. I guess I'm just saying, like, from a mapping perspective, there needs to be some visibility in the organization, not just in the IT department for who rolls to or what roles to who, I guess. Yeah.
SPEAKER_02I agree with you a hundred percent. And I think I think the more we flesh this out, think about what the ultimate goal of a DLP program is. DLP says this user or this user persona or this profile or this system account, whatever it is, did this to this datum element at this time. This is the action that we took. We blocked it, we quarantined it, we allowed it, but notified. What we need to wrap our heads around is the governance, which is lacking. You nailed it. We have a huge shadow problem, but we had shadow cloud, right? We had shadow IT. We're used to this. We know how to do this. Our muscle memory is there. What's what needs to be built, in my estimation, is the response action. And again, I see to you know, to a man with a hammer, everything is a nail. I see things coming from a monitoring and response perspective where I want to know what that user, what that agent did to that del that data at what time, what response action do I take? This is why I come back to agreeing with you. That does look like an HR motion. User, you may not take protected information and drop it in your instance of open AI. We have purchased Claude for that reason and wrapped guardrails around it. I noticed you did it. I stopped it. I have intervened with a strong talking to. That's the HR motion that you're talking about. And that element, you are 100% correct.
SPEAKER_01Yeah, I don't think uh Melanie from HR, and this is now her second shout-out on this podcast, uh, which is odd, but Melanie from HR is not going to be spinning up agents and training them and onboarding them. Like I get that. But but yes, as it pertains to how humans in the business are interacting with them and who's accountable for their actions, maybe, maybe to some extent. But anyway, the more interesting thing that that I thought that you brought up there was uh you're right about the mistakes, right? So we we do put an outsized focus on the potential mistakes that AI can make compared to the mistakes that human beings make. I mean, we see it uh with driverless driving and radiology, and like there's a million examples of AI outperforming humans in terms of error rate, right? But I think it's because we are prediction machines, right? Like that's how our brain works is we're running multiple prediction models at one time, and then we kind of land on which is the best prediction, the most likely prediction. But we've had our whole lives to have experience with human beings. And so we're better at predicting because we have better priors in the prediction models where and there's more data, right? Whereas this AI thing is so new to us that we just we don't have the data to draw from. And humans are we're bad with statistics. I mean, we it's just how it is, right? Like we we don't really think statistically. There's always base rate neglect and all these other, you know, uh biases and mistakes that we we make. So I think what you're seeing here is is a human physiology, uh human neurology that is has evolved for hundreds of thousands, millions of years without AI, and we just haven't been able to kind of catch up to the new paradigm. Oh, 100%, yeah.
SPEAKER_02Um but you know, it in and I understand the stress um that a lot of folks feel. I I'm not so doom and gloom. I'm not so I'm not giving into the hyperbole. Um I think there are I I think the future is very bright. I think it's gonna, you talk about the, you know, we mentioned the word paradigm. The paradigm will shift drastically. It'll shift in the SOC, it will shift in the accounting office, it will shift in the GRC, the governance, risk, and compliance function. Um there's a but but those are good things, in my estimation. I saw a thing on on Twitter a decade ago when it was called Twitter. Somebody said, you know, look at this picture. You got a bunch of guys sitting around with slide rules and calculators. This room right here is a spreadsheet. I think we're we're in those times right now with AI.
SPEAKER_01Yeah, I agree. So let's bring it home. Uh let's get into some practical advice for people that want to start to operate with this identity as the new edge philosophy. So, what are steps one and two for the technology leaders listening to this?
SPEAKER_02Yeah. I think I think recognize number one, recognize its importance. Understand where it factors into an attacker's mindset. And the answer that we already gave it's first. It is the edge. That is your crown jewels. Those are your crown jewels. So accept reality. Let's start there. Number two, assess your your governance program. Does it exist? What does it look like? How do you manage what we call joiners, movers, adders, levers? Are you doing it in a programmatic way? Have you established the what, the why, the who, the policies, the standards, etc.? Next, assess and tackle authentication and authorization. Those are not the same things. As a business leader, as a security leader, separate them out. Authentication, who are you? Authorization, what are you allowed to do? Look at your protocols. Are your protocols for authentication and authorization strong? Are they defensible? Identity management, different from governance, it's a sub subparticle, subparticle, subpart. I don't know. Again, back to those joiners, movers, adders, levers, user identities, machine identities, and access control. The other thing that always goes mistaken or that that goes overlooked is certificate management. Certificate management is huge in identity management and data management. A lot of business leaders overlook certificates. Certificates are how we identify and authorize users and machines. Um, and then maybe the last part would be privileged access management, privilege identity management. Most organizations are have rolled out uh cyberwork. They've rolled out uh delinea, they've rolled out the the other um tools and products that manage those things. But those are really frontline tools now if you accept our premise that identity is the new edge. And I guess the last thing I would I would throw in there is password managers. You and I talked about it earlier. It is time. We are well past time where you can, as a CIO and as a CISO, you can vouch for it. You can roll out a password manager to your users and it will be successful. And you can rest assured when you're rolling out Okta, for example, you're rolling out Beekeeper, Dashlane, et cetera, that it will be successful and that you will actually minimize user friction, and that by doing that, you will increase your security outcome.
SPEAKER_01And then anytime you introduce an intervention, sorry, people on video saw my dog just make an appearance again. She does that from time to time. Talk about a leftover from COVID. I embrace it. Exactly. Uh I embrace it. So uh anytime you introduce any kind of intervention, there's the potential for unintended consequences. So uh is there anything that you can you know predict that could potentially become a challenge because of this change?
SPEAKER_02That's more of a CIO question. Um I I would I will like water go around that boulder and say all of these OEMs and all of these solutions allow you a nice, slow ramp up and a demo period, a proof of concept period. My former CEO Doug King at E Plus, he's now moved on to uh another organization, and they're lucky to have him. Very, very slowly, methodically, in a time-bound and metric-driven way, rolled out Okta to our organization. It was seamless. It was seamless. Why? Because Doug knew what he was doing. Okta knew what he was doing, Mark Pileccio and all of the other organiz or the other players in that organization knew what they were doing and knew how to sort out those issues during that slow and deliberate rollout.
SPEAKER_01Um but again, like hey, go ahead. The takeaway sounds like uh focus on change management and and as uh former guest Gary Sorrentino from Zoom said, human change management.
SPEAKER_02Yes. Yes, and communicating constantly with your users, especially your admins, because those, you know, they're sitting on all the privileged accounts, they're sitting on all of the the secrets management. There's one more element that that we didn't mention. If you ex if you, the user, accept Brian and Sean's premise that identity is the new edge, and you accept Samil Yu's premise that we have entered into the age of recovery and his architecture, the dye architecture, distributed, immutable, ephemeral, big fan of it. If you accept all of this, what's the one thing that you have to be doing? You have to be monitoring and you have to have the ability to respond to user-based attacks. So, Sean, you mentioned training up users, spot phishing, doing uh user awareness training. We all do that. That's great. But on the flip side, as SOC responders, as socks, as people that run a SOC and respond, reporting, monitoring, and response to user-based attacks and incidents is key. It's not shutting a firewall port anymore. It's not closing, it's not isolating the machine. It's responding to the user identity at the identity layer, at the uh at the identity governance layer.
SPEAKER_01That makes sense.
SPEAKER_02Last question, aside from what we talked about today, what's something that you wish more CISOs were thinking about or talking about in this space that Yeah, I think it's uh I think it's true identity governance and minimizing friction and doing it because we are going to achieve achieve a more secure outcome in that minimization of friction to the user, imposing friction to the attacker, and that gets us where we want to be. But identity governance and also data governance is not a security topic. It's not. But it has whopping and massive security implications. And so CISOs really need to, if they already don't have a seat at the table, which I would find highly unlikely, then they need to push their themselves in like a 13-year-old at Thanksgiving who says, Doug Gaunt, I need to be at the adults' table. Been there. I was summarily dismissed from the adults table, but you know, fear CISO, yeah, you've got to push away into that conversation because it is essential.
SPEAKER_01Well, hopefully you have a seat at the adults table at least at Thanksgiving. Doug Gauntlet, I've earned it. All right. Brian Zimmer, thank you so much for your time and expertise. You're very welcome.