The Voice of Cyber®

Episode 255 Deep Dive: Jason Baden | Simplifying API Security: The Impact and Evolution of Secure Application Development
First Aired: May 08, 2024

In this episode, we’re joined by Jason Baden (Regional Vice President – F5) as he shares his insights on the evolving landscape of cybersecurity, simplifying API security, and the critical need for education around security spending. Jason also discusses the challenges and opportunities in API security, the impact of security spending on businesses, and the growing collaboration between developers and security professionals.

Jason has almost 20 years’ experience as a senior executive in the IT and telecommunications industry. Prior to joining F5, he was Country Manager at Ruckus Networks and was responsible for leading the ANZ team strategy, as well as the smooth integration of ARRIS following its acquisition of Ruckus Networks. He has also previously held roles at Juniper Networks, AXS-One, Airwide Solutions, and Optus.


Episode Transcription

These transcriptions are automatically generated. Please excuse any errors in the text.

Jason Baden [00:00:00]:
Every time you’re talking about security, whether it’s physical, whether it’s application or it’s virtual is, is that the lowest one is the one that is the easiest to target. So almost everybody has to have the same level of security to make sure that they’re not being breached.

KB [00:00:34]:
Joining me today is Jason Baden, regional vice president, ANZ from F5. And today, we’re talking about simplifying API security. So, Jason, thanks for joining and welcome.

Jason Baden [00:00:44]:
Thank you so much, Chris. So great to be here.

KB [00:00:46]:
Okay. So let’s start with exactly that. So what is your view on what does simplifying API security actually look like?

Jason Baden [00:00:55]:
Sure. So I think API security over the last 5 years has really changed. It’s been a really interesting place for the whole entire market in regards to APIs previously were not really talked about. They weren’t really known. And as we’ve continued to evolve applications, APIs have really come to the forefront. And I think if you arm someone on the street that now they know exactly what an API is and they, in the sense that they know that that is something that could be vulnerable or it could be or could have some security issues. So what we’re seeing now is, is that across the board, API’s, much wider in the overall business context and where this was traditionally just a security conversation has now opened up much wider. So what I was, what we’re seeing now is, is it traditionally talk to a security consultant.

Jason Baden [00:01:45]:
They’re talking about APIs, they’re building out their application. Now what we’re seeing is, is that the senior leadership of an organization or board members are saying, we wanna know about APIs. We wanna know how many APIs we’ve got. We wanna know where they sit, and we wanna know if they’re secured or not.

KB [00:02:00]:
Okay. So there’s a couple of things in there that you said. So you said originally, they weren’t really talked about. Why do you think that’s the case?

Jason Baden [00:02:07]:
I don’t think anybody knew what they were. I don’t think we had that level of interaction between where an application was sitting and who it was talking to. Traditionally, an application would sit on prem. It would be very static. It would be not looked at that often. It would do the same thing over and over again. And if you think about a large bank, they would have that application sitting in a mainframe and that didn’t have a lot of interaction outside of the organization. Applications have continued to evolve. Now what happens is, is that you’ve got other computers or you’ve got other applications looking in to get information out of those.

Jason Baden [00:02:41]:
And therefore there’s those interactions that are going on.

KB [00:02:43]:
So what you’re saying, Jason, API has made a bit of a resurgence post the telco breach here in Australia?

Jason Baden [00:02:50]:
I think that what it has done is it has increased the conversation in every organization. Anybody who’s got an application that is outward focused that any, security breach brings it to the forefront. And I think it, the extent of some of those security breaches that have occurred has meant that now a lot more people want to know exactly where that is. What I have seen from, you know, talking to traditionally, we’ve been talking to security, you know, leadership. So chief information security officers, you know, security leads, they’re the traditional people that we would discuss API security with. Now what happens is, is that we get the board discussion or there’s a senior leadership C level discussion about where do our API sit? Are we secured? You know, does everybody know where they are and what they’re doing now? What we would see in that scenario is that privately, there is always a concern that is it, do you have coverage of absolutely every, can you give a 100% commitment that that’s covered off? It’s not always possible. And that goes back to discoverability.

KB [00:03:51]:
So what’s the conversation like now? What do people wanna know, generally speaking?

Jason Baden [00:03:55]:
They want to know is our API, you know, do we know where they are? So if we have an application and it is exposed outside of our organization, has that got security around it? Do we know exactly where it is? If you are building an application, firstly, we wanna know where it is. And then secondly, we wanna know if it’s secured.

KB [00:04:13]:
And do people know where they are? Would you say?

Jason Baden [00:04:16]:
I would say that there is a lot of work and effort that goes into finding absolutely every API that an organization has. And there is that focus from all levels of the organization now to make sure that they have coverage of those. And I think that say for example, you know, in banking and finance, they’ve been doing this for a very long time, so they’ve got a really good handle on where applications are, what they’re doing, what their security is. There’s a lot of risk for those. And then I think there’s organizations that are coming to this later and saying, okay, well, now that we’ve got applications out there, do we have that same level of security? And it goes back to every time you’re talking about security, whether it’s physical, whether it’s application or it’s virtual is, is that the lowest one is the one that is the easiest to target. So almost everybody has to have the same level of security to make sure that they’re not exposed, you know, they’re not being breached.

KB [00:05:11]:
So when you say same level of security, how do you sort of, well, I mean, how, as in a client, how do they sort of know, like, how do you get a good barometer on that from your perspective?

Jason Baden [00:05:22]:
So that’s a good question. It comes back down to the level of applications and the amount of applications that you’ve got exposed that, you know, could be interacting with, you know, external parties. So if you’ve got very suit, it’s much easier to get those secured. But if you’ve got a lot, you’ve got to make sure that you absolutely know where they are and then the, you know, that requires a lot more work. And so we have customers that have over a 1000 APIs. They have those exposed. They would go across multiple silos of the business. Those would be completely different applications that all bubbles up to the top to be able to say, well, we need to know where all of those are and that kind of audit and discoverability is the key thing.

Jason Baden [00:06:03]:
So, but if you have somebody that has a very few amount of applications, then that could be an easier job to be able to make sure that you’ve got that audit of where those are, what they’re doing and how they’re getting out there. But then again, you’ve gotta be able to understand what that exposure is. So it has to go from all the way from those small customer base, all the way up to the large, but the complexity increases as you go through that.

KB [00:06:25]:
So what does a small amount sort of look like?

Jason Baden [00:06:28]:
I think a large customer base would have over a 1000. So they’re, you know, they could have multiple thousands of APIs that, you know, would be used for billing. You’d be for e commerce, could be for customer interaction. A much smaller one might have, you know, maybe 1 single website and that might have, you know, maybe, you know, 10 to a 100 APIs that they might have to manage in that perspective. So a smaller business.

KB [00:06:53]:
So just going around the audit side of things that you mentioned before, would you say people are doing the audit, people meaning customers, and then they’re almost surprised that, wow. I didn’t know I sort of had that. Are you seeing that a lot happen post audit?

Jason Baden [00:07:08]:
I think so. I think what I would say now is, is that in the current business climate that we’ve got, there is a lot of work going into making sure that people know where APIs are. And so making sure that you have visibility of the applications, making sure that they are secured, you know, there’s good visibility of those. The problem is, is, is that say for example, ones that you don’t know, or, you know, may have been used for, you know, as a one off or, and never been secured or never been clearly articulated that were there. I think that’s where the fear is within the customer base is that they need to be able to understand how we got our arms around everything, because traditionally if you’ve got an application, it should be quite easy to be able to understand where those, those APIs are, where they’re going and what they’re doing. Those are clearly mapped out. Do we have security around them? Do we know what those are? Where we’re spending a lot of time at the moment is about around discoverability and making sure that there isn’t something that got forgotten about that person had left and therefore that could still be exposed. Making sure that you’ve got any of those applications that may even only be in development phase have got security around them as well.

Jason Baden [00:08:16]:
And I think that’s the place where the fear really is within a bigger organization, not so much about what they can see. It’s what they don’t, they can’t see.

KB [00:08:24]:
And that’s a good point you raised around the discoverability because I was just going to say, what about when people leave the company? I’ve worked at a bank myself, and, like, I remember, you know, using certain applications, and I was probably the only one using it for the type of role I was doing. And then I left. So I’m like, whatever happened to that? Who knows is the answer. But it was just more so curious that that’s probably the common cause. Someone started there, they’ve left, and then no one knew they’re even using a specific application. Is that something that you commonly see?

Jason Baden [00:08:51]:
Yeah. Okay. I would say your example there, I can absolutely tell you that in senior security meetings, that’s a conversation they’re having. Because they do not want to be in a position where that has occurred, someone has left, or there is something exposed that someone doesn’t know about. And I think that goes back to the people element of this conversation where you say, you know, the board or senior leadership or the C level come down and they talk to the security team and they say, we want a category confirmation that we have no externally exposed APIs that could be breached. And that’s a difficult conversation because of what you were just talking about. What happens if somebody left 3 years ago and that application just been running in the background and now I’ve actually done an order or had to use it or, you know, had any exposure to it. Now you need to go back and find those.

Jason Baden [00:09:36]:
And so a lot of the work that we’re doing is around discoverability and making sure that those, anything that’s external to the organization can be captured. And that’s the place where I think a lot of the work’s being done, which then is captured, then you can secure it. But if you didn’t know that it was there, you don’t know if you’re gonna secure it or not.

KB [00:09:56]:
Absolutely. So just okay. I wanna follow this discoverability up a little bit more. So let’s use an example. Let’s use a bank, for example, as you’ve been referring to it. You’ve got 50,000 plus people. You’ve got contractors coming in and out of there. You’ve got people.

KB [00:10:09]:
Maybe they had a bad experience. They’re out the door after 4 weeks. Who knows? So how often should you be doing these audits? Because the, you know, the velocity of people coming in and out of these organizations, you can’t just do it like once a year. So how often should this stuff be running from your perspective?

Jason Baden [00:10:26]:
All the time. It’s something that has to be run permanently for exposure across the entire organization. It’s discoverability is something that could happen from today to tomorrow. It might be a change within the network that hasn’t occurred. And so where we see the investment in F5 and especially around API security is about being able to get that first position to be able to discover that. And what that means is, is it ultimately you’ve got to do a, you’ve got to do a checkpoint. There has to be a line in the sand. You have to be able to get to a position where you’ve gone across the network and found everything that’s possible to be found.

Jason Baden [00:11:04]:
But then moving forward, if there’s any changes or anything has occurred, if that isn’t captured at the time that it’s happened, it’s ultimately a vulnerability. And therefore that is exposed and that could be, that could be breached. So it is something that can’t, can’t be done once a week or once a month or once a year effectively, you need to have that coverage all the time.

KB [00:11:23]:
Yeah, which makes sense because especially around the example I gave with so many people, you know, people starting and stopping and leaving, Like, who knows what people are up to?

Jason Baden [00:11:33]:
The biggest difference as well is that, previously, there was that feeling that, you know, developers could go rogue or they could just build it or their, you know, speed to development was the most important process. What we’ve seen is, is that again, going back to the people is that there’s really strong guardrails now around application development. Anything that you’ve, that you’re building out there needs to go through a clear development cycle, but also includes security. So it’s very difficult to kind of breach where previously I think we had seen is, is that developers were, well, you can’t slam me down with security. It’s just not important. I think even into the wider business market issues that everybody knows that if you do that, you can see what the downstream effects are if you haven’t got your application secured.

KB [00:12:18]:
That’s a good point. So when you say downstream impacts, do you think, generally, people are aware of that? Because perhaps and I noticed from working in a company myself, you sort of don’t. You just feel like a bit of a drop in the ocean. You don’t notice those things as much when you’re just an analyst, like working against 700 people in a bank, for example, like in the security department. So do you think people may lose sight of that at times?

Jason Baden [00:12:40]:
In the last 12 months, there has been a real driver that security is everybody’s responsibility and where the driver is coming from is, is that your company’s exposure to that is really strong. And that is driven from the leadership down to ensure that people are aware of that. And I think that that is where I’m seeing much more of it being driven is, is that there is such reputational impact to a company that potentially could have a breach that therefore their focus is all the way through that. They want to have those checks and balances all the way down to that developer level. So yes, you might be a contractor that’s come in to do some development work that will absolutely get checked for security. That wouldn’t, they wanna make sure that those APIs are not exposed to, to the wider area. And they’ve got that, that coverage, that’s where I’m seeing the majority of that being driven through. And that has changed.

Jason Baden [00:13:34]:
I’m not saying that that’s, always been the case. I’m not sure how long ago was you’re in the bank, but I think that there’s a real driver within all those organizations to be able to, drive that all the way through.

KB [00:13:44]:
So when you said checked for security, now in my experience, people don’t like being checked. And I think I left the bank in 2016. I started there, like, 2013, maybe. So there was a common problem we used to have. And, again, I know things have evolved since then, and we’ve got proper, you know, security champions and application security, etcetera. But how do you think people sort of take that whole, oh, well, you know, we’re checking you, like, without it being, you know, abrasive. But how do you think people take that now? Do you think people are getting better about it?

Jason Baden [00:14:13]:
I, well, what I would say adding onto that, it’s about automation is just that the coverage that when we say checking is that the checking isn’t actually done on an individual basis or an individual person. It’s that as an application goes through the development cycle, there’s automated ways to be able to make sure that those exposures are going through, because it just isn’t feasible for one person to go through that and look at it. It has to be automated. And what we see is that, you know, there’s really smart people pulling together those automations for those, those checks, making sure that those APIs are not exposed. And then if there is some kind of, you know, change or issue with those, then they will get through to a human review, but a lot of these are done just automatically.

KB [00:14:59]:
So that does make sense. I meant more just from my team perspective, more sort of generating the right camaraderie between I’m a developer versus I’m the application security person. How does that is that getting better, would you say, in terms of working closer together?

Jason Baden [00:15:13]:
100%. I don’t think there’s that us and them mentality. I think we see that those teams are very tightly connected and it’s a single unified voice to ensure that an application can get to market or can get used, or it can get exposed for either a customer use case or interact with a different application. And so that is very much a, you know, that’s, I think that that camaraderie has been built in as we’ve gone through this process. It’s part of everybody’s lexicon now. Security has to be part of that. It’s not just about developing that application as quickly as possible and getting it out there.

KB [00:15:50]:
So I’m curious now to know because the whole sort of premise of our interview today is around simplifying API security. So how would you as a company, someone listening to this, how do they identify if they are approaching API security in a simplified way?

Jason Baden [00:16:05]:
Yes. So I think the biggest thing for us around application security is, is that F5 has always been part of that. And if you look back to 5 or 6 years ago, it was very much an on prem position. We talked about, you know, that we knew where the was it sat on prem. That was the place as we went through that. I think that the view was over the last few years is that everything was going to end up in the cloud and we were going to know exactly where every application was because it was all just going to be in the cloud. What I would say now is that absolutely right now is just that there is no one place where an application sits, and I don’t see that that’s going to change. I think there’s going to be an outsource the application to, you know, potentially a SaaS service to be able to deliver API security around that.

Jason Baden [00:16:55]:
The view on that is, is that how do you uniformly offer every application, you know, the same security posture? And so I think that’s the position you need to come from. How do you make sure that you’ve got one, one offering that allows you to go across every application and you can, it’s very easy to manage and that’s how you simplify it. Because what we see is, is that if you’ve got an application in every single one of those multi clouds in a, you know, in different clouds, you’ve got them on prem that can be quite difficult to manage all those security postures.

KB [00:17:25]:
Now you mentioned before, Jason, you wanna be able to get to that position first, get to that position first, meaning F5’s. Does that do you mean sort of the discoverability perspective? Is that what you mean by that statement?

Jason Baden [00:17:36]:
Being able to get to that position is that you know where all your applications are at, that you know that they’re, that you’ve secured them and that you have visibility of those APIs are exposed outside of the network. And the first position that you’d be able to do is be able to make sure that you’ve ordered all of those and be able to understand exactly where those are. From a F5 where we sit in that is, is that it’s very much about making sure that you can, you can see all the APIs that you’ve captured all of those APIs, you’ve discovered them and therefore, then you can secure them. So that tends to be the process that we’ve been through with large customers that, you know, have those 1,000 plus applications.

KB [00:18:17]:
So going along the lines of simplifying API security, what does it look like for people who have a more rigmarole process? What does that sort of look like from your experience?

Jason Baden [00:18:28]:
Again, it comes down to people. It’s just that if you have siloed business units or you don’t have a uniform structure across your entire organization, that is where that’s where the complexity comes in. Even that if you have one part of your network say that that’s sitting in the cloud and you have a particular security posture in there, but you have a different, more stringent security posture on your, on prem solution, then that can lead to exposure to, you know, different security problems because you may, one area may be, you know, more exposed, one may be less, but, you know, is there that uniformity across all of your applications that allows you to bend to simplify that. That’s where I think that it’s making sure that there’s somebody at the correct level within an organization. Usually the CISO, the chief information security officer that sets those policies and ensures that those policies have been implemented.

KB [00:19:21]:
Yeah. That makes sense. And would you also say that from your perspective or from where you’re sitting, majority of companies, and I say majority loosely, would have more of a simplified approach to API security or less so?

Jason Baden [00:19:36]:
I would say so talking about F5 specifically here, F5, the customer base that we deal with is banking and finance. These are kind of the areas that we spend, that we have the majority of our customers, banking and finance, telecommunication companies and government. And so we have very strong relationship across all three of those, all three of them incredibly exposed to, you know, attacks and attack vectors. And they spend a lot of time and investment around security. We spend a lot of time with them working through what those options look like. I think all of them take it incredibly seriously. And I don’t know, I think the exposure to where we are in the market at this point in time has meant that there has been more reviews on that, but I think it’s incremental increases. It’s not, you’re not starting from scratch.

Jason Baden [00:20:25]:
Now I think that there are certain parts of the market where we’ve seen it’s that there’s been places around critical infrastructure that the government has called out that they go and, and do those deep dives into, as I said before, is that you look for the low hanging fruit, or you look for a place where you can get, find someone who hasn’t invested as much money in security. What I would say is that the level of work that has gone into the Australian market around that has greatly increased, and we’re seeing a much greater increase in understanding and investment around that.

KB [00:20:57]:
Now when you say understanding, now before, I think this other conversation, they weren’t as in APIs weren’t really talked about because people didn’t really know what they were. Where do you think that understanding is coming from, from the large sort of breaches we’ve had here in Australia, as well as people like yourself going out, coming on these podcasts, etcetera? Do you think it’s that that’s sort of permeated in in the industry for people to understand more around APIs?

Jason Baden [00:21:18]:
I was at ACER a couple of weeks ago and the keynote speaker, you know, their conversation is around app developers and, you know, even getting out to that position where the national security coordinator, the new one for the government, Lieutenant General Michelle Giddis, She’s saying her 2nd highest priority is making sure that app developers have secure applications. And so this is very much a public facing role. This is about talking about security to, you know, to the general public. And when you’re talking about application developers having a secure application and thinking that the general public need to know about that, we’re really getting that into the general conversation. People ask all the time about what was F5 doing? And now it’s very easy to have a conversation about API security. We’ve seen breaches, people have been impacted. They wanna know about that. I think a few years ago, it was a, you know, don’t worry about that.

Jason Baden [00:22:14]:
That’s, you know, that’s somebody else’s problem. It’s now very much in the public domain.

KB [00:22:18]:
So I wanna switch gears now, and I’m aware, just like yourself, of the macroeconomic headwinds, which are forcing customers to be, you know, scrutinize every single dollar spent. So as a result, value needs to be delivered, which makes sense. So how can companies sort of ascertain whether they’re getting value or not? What does that look like?

Jason Baden [00:22:40]:
That’s a really good question. I think there’s a couple of places to look at this institute. I would say over the last 12 months and, you know, we’ve been through, you know, kind of post COVID where now absolutely seeing some economic headwinds is, is that in the past 12 months, I’ve probably met with more CFOs in regards to security that I probably have in the last. And the reason that I say that is, is that while there is absolutely an impact on dollar spending and where that fits, even at the, moving all the way up to the level of the CFO, they do not want to release money unless they know that this is going to have an impact on their business or that you’re ensuring that you’re getting value for money through that process. And one of the places I would say is, is that there’s a much greater understanding now for customers that have existing infrastructure, that they’re running security within their network, critical vulnerabilities CVEs as we call them. And what does that mean to their business? Because if they’re running something that does have exposure to CVEs and can be exposed, people will be able to exploit that and that could have a bigger impact on them as well. So we find that the level of spending comes back to how much is that going to have an impact on our business. And even at the level of, you know, the chief financial officer, they wanna know that they’re getting their value for money or that they actually need to do this for their own company’s benefit.

KB [00:24:01]:
Yeah. That’s a good point. I always look at it like a CFO is about how much money is the business earning and then how much are we burning on products and services. Like, that’s fundamentally those are the main sort of things that they’re worried about because they’re the ones that are managing the money. So would you say just generally people in the industry maybe aren’t talking in the right discourse to a CFO? Because at the end of the day, it’s like, cool. You know, how many attacks are blocked is all well and good, but that doesn’t have as much bearing perhaps on a CFO. And I can ask this because I’ve spoken to a number of CFOs that have actively said, yeah. I don’t really care about that.

KB [00:24:34]:
I just care about all this thing that I’m buying that I don’t really know much about. Like, it’s costing money, but is it doing the thing yes or no? But would you say that it’s hard for someone in that position to really understand whether the thing, meaning a vendor product, for example, is doing what it’s supposed to?

Jason Baden [00:24:49]:
I would say, and, and I say this because I’ve had these conversations really recently is that they are really digging into it. And, you know, the CFO while again, may not be technical. They’re incredibly business savvy and what they need to know is it’s about risk versus reward. And so I think there’s, there’s these conversations that you have, where you have exposure to that, any kind of vulnerability, if they understand the level of that issue, they, I have seen them fund things once they go through that process. So they hadn’t. So you have to absolutely take them on that journey. And I think that their internal people are doing a great job. They’re being able to articulate that, but at the end of the day, is it, those dollars are competing priorities and you’ve got to make those decisions.

Jason Baden [00:25:34]:
The CFO wants to make sure that they’re spending their money on something that is critical to get their business running and making sure that they’re secure as well. So I do think that there is a level of upskill that we’ve seen from that. I also think that that’s occurred at the board level as well. This is that the funding that goes into these, they need to understand where that risk is. They have a responsibility for the organization to make sure that they’ve got those, the security parts tab at all.

KB [00:25:58]:
I just remember a CFO, call him mate of mine, called me a while ago and was like, hey. I’m paying all this money for security. Do you reckon that’s too much? And I’m thinking, it’s a very hard question to answer straight out of the game. But it also the reason why I’m telling you this story is because it just gave me insight into how they think. They’re like, well, that’s a lot of money for stuff that I can’t physically touch or see. I mean, if you’re buying stock, for example, you can actually see the stuff. Security is a little bit hard to see. Right? So maybe sometimes they feel like they’re paying for all this stuff out of thin air, and it’s not really there.

KB [00:26:28]:
And also if they haven’t been breached, as we all know, then you’re doing your job right. But, again, going back to a CFO perspective, they’re just gonna probably see it at times, well, this is costing a lot of money more than any other department. Security is not cheap as we know. So how do you manage those sort of conversations then as well and educating on someone who isn’t a technologist at heart, who doesn’t have a lot of experience slash exposure to this field.

Jason Baden [00:26:53]:
I could not agree with you more. I think that the, the reality is, is that the CFO is getting into that next level of detail, because I think you’re right. Your, your friend that is there saying, Hey, I think I’m spending a lot of money on it. They are absolutely investing the time to understand where are they spending that money and, and look, you know, at the end of the day, the customer is the one that makes the decision on that risk profile. And I think more than anything, what we see with the CFO and the organization in general is, is that it’s about risk and they need to understand the risk. And once they understand the risk, they can make a decision from there. It’s not a vendor’s job or F5’s job or a security company’s job to make the decision for the customer. They have to make that decision.

Jason Baden [00:27:36]:
They have to feel as though they’ve got all the information to be able to do that. So where I would go back to is that it’s really about education and understanding that level of risk. And what I would say is that, you know, a couple of years ago, that probably wasn’t even there. People would just say, okay, well, look, you know, we’ve got these budgets, we’re spending them. We should be where that’s going because of the competing amount of, available, you know, expenditure, you have to go through that next level of detail. My experience has been is, is that CFOs, once they understand what that value is that’s been delivered, they’re usually pretty quick at signing it off because they realize they just want to understand what that risk profile is. I think there’s also the view that as long as they understand 1, what are they getting for their money? But the second part about it is, is that are they getting any operational efficiencies? And I think that has been harder to articulate. And so that has been a place that we’ve spent a lot of time making sure that, you know, can you automate this? Is there some way to outsource it? Is the, you know, we know that there’s never enough security consultant, you know, resources in the market to be able to deliver all that is, is there a part of that, that the, someone like F5 can take on to help those, help those customers reduce down their, you know, their workload? Because it’s not about, you’re not going to save any money from those security consultants because they’re always going to have more work than they can actually do.

Jason Baden [00:28:56]:
But if you can push some of that responsibility outside of the organization, that also helps as well.

KB [00:29:02]:
Okay. I wanna flip over now to probably the Gen AI space. We’ll just talk a little bit on this because everyone still wants to know a lot about it. So maybe let’s talk about the potential within AI, and Gen AI in terms of being able to predict problems and threats by leveraging analysis of data. This is interesting to me because I was a former, reporting analyst, and I love data and data manipulation. So what does this sort of look like from your point of view, Jason?

Jason Baden [00:29:28]:
Yeah. Generative AI is gonna be, is a complete game changer. I think there’s probably 3 key areas that are important for us in this, especially to someone like F5. There’s one which is just the amount of data that is going to be generated because of generated AI is that, you know, we’re seeing so much information that has to go through that. Again, those are via APIs. Those do need to be secured. We’re going to increase the amount of traffic that is that’s going to be delivered. So your data that you, that you wanna look at is just gonna be increased.

Jason Baden [00:30:01]:
I don’t think we can even guess how many fold, but it’s gonna be a lot. And so I think that is a, that’s a key insight to AI as we get through that. The second one is about being able to identify and collectively help organizations. So where previously they were sitting on their own and they were doing their own analysis or writing their own policies. I think what we’re seeing now is, is that that will be able to be leveraged because you’ll be able to get that collective from the entire world. So if somebody is breached in, you know, the first person that could be breached for a situation that automatically then can go through to everybody. And I think generative AI will help that from a perspective of stopping breaches earlier because more people know about it. And then I think the last one is, is that you’re going to be able to, you know, this is really a people area and a resource you’re going to be able to help drive that down about, you know, how quickly can you get things done? And I know that at F5 we’ve got in the coming months, we’ve got a, you know, an AI chatbot that’s coming out where you’d be able to say, Hey, look, I’m AI.

Jason Baden [00:31:04]:
I’m just about to release a new, a new application. Can you provide me some, you know, some firewall options for that? What, how would you do this? And so you’ll be able to go back and leverage the, you know, the help of what F5 has already been doing to, to deliver applications.

KB [00:31:21]:
Would you say as well, Jason, people are still a bit rattled by? I feel like I’m asking everyone this question, but when I’m looking at stuff online, like LinkedIn and comments, people just still seem rattled by the whole concept. Why do you think that’s the case? I think it’s probably one of the greatest

Jason Baden [00:31:32]:
things ever.

KB [00:31:32]:
I think,

Jason Baden [00:31:36]:
the fear that people will have is that there is there something that they’ve missed, you know, is as everybody upskills who’s Gen AI and they’re able to use that is, is that, of course, you know, the, the bad actors on the other side, they can also use it too. So I think that there’s a, there’s a, you know, you always get back into that arms race is that you’re only as bad as, you know, somebody who could use the technology better than you. So I think it’s up to everybody to embrace it because it’s not going to go away. It’s absolutely part of us moving forward. And what we need to do is get the benefit for the good people, as opposed to give, handing that over to the bad ones, because they will be using that. I think we’ve seen things like phishing examples where they’ll very easily be able to pick that. They have moved very quickly. I think we’ve seen, you know, voice generation has, you know, really increased.

Jason Baden [00:32:25]:
And so therefore, there’s gotta be better ways that we can address that as well. You know, that is gonna continue. If there’s an API security flaw that you could leverage, that might be very easy to use that globally if you haven’t leveraged that as well. They could pick that up and take that anywhere.

KB [00:32:42]:
So the only thing I’m curious then to know around the AI front or Gen AI front, would you say that this will help reduce dollars spent? Going back to my previous question around, you know, people sort of looking into staff more and scrutinizing dollars spent, Are you, are you gonna see a reduction in that? Would you say?

Jason Baden [00:33:00]:
Yes, absolutely. I think that there is a way that we can leverage AI to take out some of those, those possible mistakes or possible areas where you could, you know, take out some of that, you know, tough work of building policies that you could very easily just say, this is my application. This is what it’s going to do. Could you please tell me the best policies to put in front of that? And that could take immense amounts of workload out of, you know, security consultants, work time, which would allow them to do, I guess, the heavy lifting, the things that are much harder, that last 5% because you’ve, you take the hard parts out early.

KB [00:33:39]:
So do you think that, you know, reducing dollars spent will be a bit more music to the CFO’s ears? Would you say moving forward?

Jason Baden [00:33:45]:
I think that I’d love to be able to say that that’s gonna reduce down. I think the question would be is, is that what we’ve seen is, is that there’s never enough dollars to go around. And what we tend to see, I’ve asked this question before security officers and say, if you had, you know, if I give you an extra $1,000,000, will that cover off all our security issues? And that would likely say no. So I think what you are always going to find is, is that is there a never, is there ever enough money for security? Potentially not. What you want to do is you want to make sure that you’ve covered off the biggest issues, the ones that you can see the most obvious ones, but there will always be competing areas where they could, you know, they could increase their security posture by if they had more resources or more dollars to be able to do that.

KB [00:34:29]:
Oh, absolutely. I think that’s just human nature. Not enough hours in a day. Don’t get paid enough by my employer. So, Jason, is there any sort of closing comments or final thoughts you’d like to leave our audience with today?

Jason Baden [00:34:39]:
Applications are gonna continue to grow. I think that applications are absolutely being discussed in coffee shops, in boardrooms, not just in the security side of the business. And what we wanna be able to do at F5 is at, is make sure that those are secured wherever they are, whether they’re on prem, in the cloud or they’re, or they’re hosted. So for us, it’s really about making sure that the application is secured and, and we’ve got that covered on.

Outro [00:35:11]:
This is KBKast, the voice of cyber.

KB [00:35:15]:
Thanks for tuning in. For more industry leading news and thought provoking articles, visit kbidot leading news and thought provoking articles, visit to get access today.

Outro [00:35:24]:
This episode is brought to you by MerckSec, your smarter route to security talent. MerckSec’s executive search has helped enterprise organizations find the right people from around the world since 2012. Their on demand talent acquisition team helps startups and midsized businesses scale faster and more efficiently. Find out more today.
