Norbert Kiss [00:00:00]:
Get your unpatched systems patched, misconfigurations under control, then concentrate on identity and make sure that we start with visibility and least privilege. And if you start from there, things will start to open up. But keep in mind that, you know, as you’re introducing AI tools and everything, the identity problem is going to accelerate. So it’s really important that we start with the basics and go from there.
Karissa Breen [00:00:38]:
Joining me now is Norbert Kiss, Senior Vice President, Asia Pacific from Delinea. And today we’re discussing the importance of securing machine identities as part of your cybersecurity strategy. So, Norbert, thanks for joining me and welcome.
Norbert Kiss [00:00:51]:
Hey Chris. So great. Thanks for the opportunity. Great to be here.
Karissa Breen [00:00:54]:
Okay, so this is an interesting topic. Now I want to start with, I want to hear your view, given your experience, given your role, about the importance of securing machine identities. But then also, what does that actually mean?
Norbert Kiss [00:01:08]:
Well, maybe I can just start with a little bit of context first. So I spent some years working in the, in the DevOps space and saw what was a huge and, you know, rapid change in application development in companies around the region, especially as companies strove to go cloud native. If you remember, that was a trend. It was a really hot topic, you know, three, four, five years ago, and companies wanted to increase their cloud-native adoption and, you know, application modernization. And in fact I saw a lot of great companies, big banks, financial institutions really go from huge monolithic applications to, you know, applications that were modernized and quick to market and so on. So I saw a lot of change in that area. And customers also wanted to move from self-hosted applications to cloud-hosted microservices. So that was sort of the start of the machine or non-human identity explosion.
Norbert Kiss [00:01:59]:
These are microservices or applications, you know, constantly calling on each other at huge scale. They were going across containers, they were going across systems, they were going across services, going across cloud infrastructure, and even in fact going across country borders. So these were machines making calls on each other to get data, at huge scale. And these were all extracting or accessing data and systems, you know, often with very little consideration of security. And in actual fact, I can remember a lot of developers talking to me saying, these security teams, they’re getting in the way of me developing applications at the pace that I need to develop. And that was true. It’s come a long way since then. But that was true.
Norbert Kiss [00:02:37]:
So this scale of development, historically, it was breathtaking and the applications were being written at sort of breakneck speeds, and they still are today. The current extension of that is the use of AI. So that’s the next phase that we’re going through now. So often AI has unfettered, sometimes unsanctioned access to systems and assets across the infrastructure. So that’s a little bit of context. But why has it become important, I think, is really what the question is. And that is that all that access is done through the use of credentials, and mostly non-human identities, which really opens up a large attack surface for many companies. And given that, it exposes companies to a lot of risk and it should become a top three issue for the CISOs.
Norbert Kiss [00:03:18]:
I mean, there are other risks and issues that they need to address, such as network security issues, ransomware attacks, third-party supply chain risk, and so on. But identity security really needs to become one of the top three issues. These machine identities, they include bots, AI agents, there’s software integrations like APIs. They’re now outnumbering human identities 46 to 1. So think of that scale; that was last year. So for every one human identity, there’s 46 non-human identities that a CISO has to manage. And that’s really, really important and really key for the CISO to get on top of. Each of these applications needs credentials to do their job, and the bad actors know that.
Norbert Kiss [00:03:56]:
So they know if they go after those credentials, they’re probably going to get pretty good access to systems. And if left unsecured, they become a prime, a prime target for attackers. So that’s why it needs to become very important for us for the CISOs today.
Karissa Breen [00:04:08]:
Okay, so there’s a couple of things in there that I want to get into. What would you say people just don’t get about, you know, securing machine identities, would you say?
Norbert Kiss [00:04:19]:
Firstly, they often don’t know how many of them actually exist on their systems. That’s something that scares me a little bit when I speak to, you know, colleagues and, you know, customers around the region. They have a pretty good understanding of human identities. They don’t have a very good understanding of exactly what non-human identities are on their systems and actually what they’re doing and what they have access to. That’s really important. The bad actors know that and that’s what they’re going after. You know, it’s a new attack surface for them. And one thing that CISOs need to look at is, you know, how do we manage them in the same way as we manage human identities, given the rollout of APIs in corporations now, sort of non-human identity and the quantities and the complexity of it.
Karissa Breen [00:04:56]:
Okay, so let’s start back. Someone’s listening, they’re probably thinking, right? Norbert is right in the sense of I don’t know how many of these identities I have. From a machine perspective, where can people start? Obviously there’s a discovery phase and all of that, but given what you do, what would be your advice to, you know, top three things that you can say for people? This is where you got to start to make sure that you’re mitigating all of the, you know, all these risks and any potential incidents that could happen off the back of this, which is what you sort of mentioned before.
Norbert Kiss [00:05:24]:
Good question. You touched on one of the points, which is, you know, start with discovery and visibility. I mean, you can’t protect what you don’t know. It’s hard to protect what you don’t know. And you need to know what identities are on your systems and what they’re doing. And as part of that visibility you’re looking for strange activity. For example, an identity looking for admin access to a service it’s never had access to before is probably a red flag and needs to be addressed. You know, you need to find out what people are rolling out, you know, developers, the use of AI and what sort of non-human identities they’re introducing into your, into your environment.
Norbert Kiss [00:05:56]:
That’s really key. Also you need to think about them as human identities. You know, start with least privilege, start with lifecycle management, you know, across all the accounts, whether they’re human or machine identities. Use tools that are available: privileged access management, for example, identity governance and administration, cloud infrastructure entitlement management, those sorts of buzzwords and tools that are available to CISOs to make sure they get on top of those. And also adopt intelligent authorization so that you can dynamically assess what an identity is doing and actually you can withdraw access once that task is complete. So those tools are all available now too to customers out there and, you know, they should be looking at those non-human identities in the same way that they look at their human identities.
Karissa Breen [00:06:39]:
Okay, I want to look at just human identities for a moment. So when we look at privileged account management, or PAM as people would refer to it. Do you think that companies out there aren’t continuously monitoring who has access to what? I’ll give you an example, and this is probably maybe a real example. I’m an ex, I used to work in financial services, and given the sensitivity of the nature of the work, you know, occasionally there’d be someone that calls me up from the identity sort of team and say, hey, like, we’ve noticed you’ve got this on your account, why do you need it, and have to explain, and obviously it’s a lot more manual. But do you think that companies nowadays aren’t continuously monitoring these accounts in terms of the privilege, the privileged accounts, and then as a result something happens, no one knew about it, all of that. What do you think the main issue is, focusing on the human identities, that people aren’t doing from your perspective?
Norbert Kiss [00:07:30]:
Yeah, that’s another good question. So, you know, about 44% of attacks are via theft of credentials, and that’s got a lot to do with how they manage the lifecycle of credentials in companies, such as, you know, password rotation, you know, removing access that was given previously. I’ve, I’ve spoken to companies that still manage passwords, you know, on spreadsheets and so on. And so, you know, an increased focus on the management of the human identities. And once you’ve got that under control, you then roll that out to the non-human identities as well. There’s no reason you should treat the two any differently. I think generally customers have got a lot better at the human identities, especially around multi-factor authentication. And now you’re probably seeing, just as a user, often if you want to access another system, you need to re-authenticate using another multi-factor authentication.
Norbert Kiss [00:08:16]:
That’s another step forward in how we’re lifting someone’s privilege. So we just want to give them the approval for this privilege, another multi-factor authentication authorization, and then we’ll withdraw that privilege going forward. I do think generally across the region customers have a much better handle on the human identities, but there’s still a lot of work to do in sort of keeping them up to date, you know, refreshed, you know, password management, you know, what systems they’ve got access to. You know, one of the things we talk a lot with our customers about is starting with least privilege and working up from there. So let’s bring everyone down to least privilege and authorize privilege as it’s needed, and we need to do that as seamlessly as possible, because we slow people down in companies, you know, people don’t want to get frustrated by their security, but we need to make sure that the security policies are in place. You know, just a recent example with a big customer in Australia who had compromised credentials: they thought they were pretty good at managing human-to-human identities. They had stolen credentials which had way too much privilege, and they brought everything down. It was a ransomware attack. Took them over a week to get their SaaS services back up online and took them nearly another month to get nearly 400 applications online.
Norbert Kiss [00:09:20]:
Interestingly, when I, when I asked the CISO there, do you know how much this impacted your business financially? And they said yes, it was 15% of one month’s revenue, and given it was a multibillion-dollar public company, that was a pretty big impact. And he said to me in the same breath, but what I can’t value is the goodwill that we lost with our customers, and that’s something that we’re still recovering from. So suffice to say, this CISO has one of the best identity security implementations I’ve seen. He needs to roll out the same policies to the non-human identities as well.
Karissa Breen [00:09:49]:
Okay, so staying on this path, I’ve got, I’ve got something else then I’m curious to hear your thoughts on. So again an example, real-life example that I’ve had. Some of these people, organizations have the best intentions, okay. They’ve got a really good process in place in terms of, you know, their identity and managing privileged accounts. So for example, you’re a contractor, you come in, you’ve got six months, you have to set up an identity, but then automatically, because of how it’s set up, because you’re a contractor, your account gets rolled off in, you know, six months or whatever it is. Right. Which we get. The problem that I faced is that, one, the system was really slow, from memory.
Karissa Breen [00:10:23]:
The second thing was, every Monday, everyone lost at least once a week. Every Monday I’d get to work, someone definitely had lost their account some way or the other. The challenge then became, to your, your point, Norbert, before, around the 15% loss, you know, we’ve got these special guys flying in from X around the world. They’re pretty expensive day rates and you’ve got 10 of them that drop off and we can’t get them reinstated very quickly. That then started to cause a financial loss and, and as well as productivity, because we couldn’t get these people reinstated fast enough because of how maybe strict some of the, you know, the, the identity sort of process was. So do you have any sort of insight around that?
Norbert Kiss [00:11:06]:
Yes, it’s a management issue. I don’t have an answer but I have some insights. Right. So it is a little bit of a double-edged sword, and it goes back to what I said about the developer saying, well, if I get the security people involved, they’re just going to slow me down. But you can’t not get the security people involved. And look, we spend a lot of time in our own product development, you know, understanding how do we manage identity so that the company doesn’t lose productivity or, you know, people don’t lose access for those reasons. And that is getting better in the tools that are available to customers now. And we continue to improve that.
Norbert Kiss [00:11:38]:
Some of it is just about how you manage it internally. It’s not necessarily a product issue, it’s a process issue internally. We spend a lot of time with security best practices with our customers and advise them, how do we stop that from happening? How do you stop a third party vendor, for example, who’s accessing your systems, losing their credentials and they can’t complete purchase orders or they can’t ship something because they don’t have that particular access available to them at the time? So the answer is more than one. The internal processes, it’s the tools that you implement in order to make sure that the process is productive and we’re not dropping off identities that should have access. And it goes back to visibility, you know, watching, you know, what’s happening to these credentials, which ones should be available, which ones shouldn’t be available, and so on. So I hope that answers your question, because your question was quite a complex one because I think it goes just beyond the product and the tools that are available. It also goes beyond into the processes that, you know, the company implements, you know, around identity management.
Karissa Breen [00:12:38]:
I know it was complicated and I think that, to your point, the company process, and it is convoluted and I get the intentions there. But sometimes we’re trying to do the right thing by covering a base here. But then it’s like, well, now we’ve got other issues elsewhere, that, you know, 10 people have dropped off and they’re 5,000 bucks a day, like that’s costing a little bit of money by that point. So I want to now press on and talk more around IoT, AI agents. Everyone’s talking about it, the adoption towards artificial intelligence in the market as well. And it’s growing, as you know. So walk me through the threats, the compliance landscape, or just walk me through how you see it in your mind.
Norbert Kiss [00:13:18]:
AI is the next phase and one of the biggest threats. Everybody wants to use AI to improve their productivity, give employees access to AI tools, and that’s opening up a whole new plethora of security risks. The way I think about it, particularly thinking about a company, but I’m thinking about maybe a healthcare. The healthcare industry, they’re putting AI tools on there, the AI tools generally hosted in a SaaS environment. You know, you’re getting some machine learning to, you know, access all the data of this health company so that the AI can provide the information that you want AI to provide, you know, health records, and moving it to a, you know, a SaaS server in the US to process that information. And you just don’t know what these AI agents are doing. So you need to have visibility of that. So the AI is definitely increasing the attack surface, and often with little to no, little to no governance.
Norbert Kiss [00:14:09]:
Recently the RSA conference, there was this, there was this talk about agentic AI. And that’s, that’s another really, really interesting angle where agentic AI is about. You ask AI to produce an outcome and it goes and makes decisions on your systems in order to produce that outcome. So it may lift access to certain credentials so that it can get data to achieve what you’ve asked it to achieve. And if you don’t have visibility on the identities that that AI is using and what systems it’s accessing, you won’t know what’s going on. Flip side to that, you know, we have the bad actors are using AI the same. I mean, they’re using AI tools in order to sniff around and find out, you know, how they can get access to your system. So it’s growing and it’s AI versus AI in some instances.
Norbert Kiss [00:14:52]:
But the real key point here is that you’ve got to treat it as identity and you’ve got to know what identity is accessing what and keep control of that, you know, threats like AI-powered phishing, deepfakes. So there’s just two examples that I’ve been speaking about just in the last couple of days. There was a big firm in Hong Kong and they were deceived into actually transferring tens of millions of dollars to fraudsters. And they used deepfake technology to impersonate people on Zoom calls. So they’re literally on video calls. These are public. You know, you can Google these. The incident just underscores how sophisticated the attacks are becoming by the use of AI as well.
Norbert Kiss [00:15:26]:
There was a recent one, high profile one in Malaysia where one of the financial institutions, they were using deepfake to instruct the CFO to initiate a transfer. And luckily that was stopped. But the CFO had no idea that the person they were talking to and they were interacting with was not actually a real person. It was, it was through AI and commenced through stolen credentials. Right. So it’s a very complex issue and you know, we talk to CISOs all the time about how to address those threats. And it does eventually boil down to make sure you understand the identities that are accessing the systems and how to control that. I just want to flip now to the regulatory frameworks around that because I think that’s super interesting and I do think governments are making progress there.
Norbert Kiss [00:16:06]:
For example, there’s the Australian security of critical infrastructure legislation, you know, and also the Singapore Personal Data Protection Act, and they’re raising the bar on access controls, and they recognize this as a challenge and they’re saying that identity governance is really key, and they’re increasing their recommendation on focusing on both human and non-human identities, and they recognize how quickly those non-human identities are going to accelerate. There’s a framework that a lot of customers use, the Essential Eight guidelines, which is a very strong framework a lot of people follow. And within that there’s two elements that focus on the identities, both human and, and machine. The first one talks about multi-factor authentication, but not just once. As you reauthorize an identity to give different access, you know, increased access to systems, you know, reauthorize that through multi-factor authentication. And the second one is monitoring or restricting administration privileges, so giving just-in-time access for administration privileges and then withdrawing it when it’s not needed. So that was a slightly long answer. But the AI phase of, you know, where we are in technology right now is a big problem for CISOs, and they need to look through these human identities, non-human identities in the framework that’s available to them.
Karissa Breen [00:17:11]:
So going back to the deepfakes scenario that you gave, and I was across that incident as well, the Hong Kong one. So one thing I’ve spoken to a lot of security folks out there about is they’re saying, oh yeah, but KB, you know, like it’s a, it’s actually a business process. So for example, if we use that, you know, perhaps they have to get multiple people to sign off before the CFO, like, with it, you know, not just willingly transfers money. Right. Like, I’ve heard that a lot from security people then. So how do we get to the point where it’s like, okay, yes, deepfakes are an issue, someone is obviously gonna be a victim of that, which is unfortunate. But then yes, tooling and all this type of stuff is one thing. But then also there still needs to be a backbone around the business process side of things as well.
Karissa Breen [00:17:57]:
So how would you find a happy medium or equilibrium on that front?
Norbert Kiss [00:18:01]:
Yeah, that’s a good question. I think they need to work in partnership with each other, to be honest with you. I mean, what we do is make sure that you know what all these identities, regardless of the source, are doing on your system. Part of the rollout of these tools is, when we go and implement tools in customers, we don’t just do the technical software loading and so on. We bring partners in that know the best practices around processes and around teaching staff how to protect their identity and, and so on. And what are the, what are the other questions that people in the business should be asking in order to see, is this real? Isn’t it real? So they’re more on the business side. So I’d encourage the CISOs to be working with their operations people and their finance people in unison, saying, look, I’m going to get my security sorted out and I’m going to get those best practices sorted out in terms of the identities and make sure everyone’s got the right access. But we need to do that in partnership with other processes. Like, don’t just assume things; have multiple approval processes, you know, when large transactions, you know, are being requested and so on.
Norbert Kiss [00:19:04]:
Look, I don’t have the perfect answer for that because it does go horizontally across the organization. So, you know, we don’t work with customers just on putting software on their system and working away. We do work with our partners broadly in order to make sure that all the processes are in play at the same time.
Karissa Breen [00:19:19]:
Would you say this is the biggest gap, though, in terms of. Yes, okay, the tooling and all that type of stuff. But then it’s just the process, to your point, horizontally across the organization, making sure everyone understands you gotta have multiple approvals if there’s a large sum of money that has to be transferred or whatever it is. Would you say that’s the biggest gap at the moment? Perhaps there’s just not a lot of correlation between all these different areas of the business.
Norbert Kiss [00:19:41]:
I don’t know if it’s the biggest gap. I think it’s one of the gaps. I think the other one is just getting control of who’s got access to what. That would be the first step, in my view, is, you know, we speak to our customers and say, you know, who’s got access to these systems? Who’s, you know, what identities are authorizing these payments? Are they real identities? Do you know that? And that goes back to what we spoke about a little bit before about get visibility, find out what’s happening on your network. Look, you know, use AI to figure out that there’s an unusual pattern going on here. I don’t see, I don’t know why this identity is suddenly involved in this transfer. You know, they’re the sorts of tools that are starting to roll out. The challenge gets a little bit worse.
Norbert Kiss [00:20:15]:
You know, I’m not trying to be Mr. Negative here, but this is going to, you know, we’ve seen these identities scale. It’s going to accelerate even faster than it has. So we need to get on top of that now. And at the same time, we need to alert the rest of the business that you need to. Your processes need to catch up with this because we’re going to have a lot more identities doing a lot more on our system. So, yes, it’s a gap. I don’t know if it’s the biggest one, but it’s certainly my top two or three for sure.
Karissa Breen [00:20:39]:
Okay, so then how do we start to close the gap? I know we’ve sort of discussed that a little bit, but what can people start to do more of today? I mean, because some of these things do seem rudimentary. Right. So it’s not like people haven’t had identities, you know, for years. So it’s not like this is a new sort of problem. But we were able to increase the velocity, to your point, by leveraging AI to be like, oh, you know, now there’s two identities that are, you know, approving these things, and there should only be one, for example. So there, there is the technology capability that can start to combat a lot of these problems. But I’m really curious to see how, how do people start to, you know, correct the course, get on the right track, sort these things out from the, at the identity sort of level in order to make things a little bit easier throughout their security operations day to day.
Karissa Breen [00:21:23]:
Right. As you mentioned at the start, you know, it’s a lot of things start and stop. The buck starts and stops with identity.
Norbert Kiss [00:21:28]:
Yeah, that’s true, it does. And access to systems. Right. And just summing up your question there, which was. Which was really interesting. Yes. We’ve been managing identities for years and, you know, it goes back since I’ve been in the industry, which has been quite a long time, but we haven’t seen it at this scale. And the scale that I’ve seen in the last four, four years has just been immense.
Norbert Kiss [00:21:46]:
And it’s going to accelerate, you know, with the technologies that we’ve got available to us now. And what we’re asking tools like AI to do, this whole identity is just going to explode even more than it has. So we’ve got to get on top of this now. Right. But it goes back to the fundamental issue. Understand what’s going on in your network. And I mentioned it before, discovery visibility is really key. Start with the least privilege, like, you know, assume nothing, assume that person shouldn’t have access to systems, and find ways to give access without slowing people’s productivity down.
Norbert Kiss [00:22:17]:
Okay, yes, we can give you access for an hour now with. Then we’re going to get. Then we’re going to withdraw it. Because if your credentials are stolen, we don’t want to give anyone, you know, unfettered access to our systems. Right. You know, use the tools that I mentioned before, too. I mean, they’re key. There are good tools that can monitor everything that’s going on with identities and highlight idiosyncrasies, like suddenly, why, okay, I know it’s Norbert, but why is he accessing this server at 2:00am? He’s never done that before.
Norbert Kiss [00:22:41]:
So let’s flag that, you know, use just-in-time approvals. We do a lot of that with our customers. Like, Norbert needs access to this particular system, you know, for 30 minutes today. It can either be approved automatically or go to someone for approval. So it’s those sorts of processes that I think will help. And then I really like your question about how do we then bring the rest of the business into that. Like, how do we make sure that the processes that are surrounding the system are also in place to make sure that we, you know, any strange request for funds transfer that we haven’t, that we haven’t seen before doesn’t get activated without. Without someone rechecking it.
Norbert Kiss [00:23:15]:
But to your point, it goes back to. It all points back to the identity and making sure we understand that the identity has the right access and is doing the right things at the right time.
Karissa Breen [00:23:24]:
Okay, so the other thing I want to get your thoughts on, Norbert, is, so, for example, something gets flagged. You’re doing something you shouldn’t be doing. What about that gap, though, in times, in terms of responding to make sure that you don’t just randomly transfer, you know, a million bucks to someone else that you shouldn’t be doing. So the company gets the alert, say Norbert’s doing something. Look into it. Hey, that’s not. Shouldn’t be a thing. What about the gap in between that happening and something potentially going wrong? How do, how do we start to intercept that? It could be minutes, could be hours, could be days.
Karissa Breen [00:23:58]:
Who knows? What does that then look like to make sure that companies are ahead of something really going wrong?
Norbert Kiss [00:24:04]:
Yeah. So there’s a number of ways. Firstly, today, it’s slow. You know, if someone’s credentials are stolen, you won’t know. To the system, it looks like this person with the right credentials is logged on and they’ve got access. So I’m not, I’m not going to do anything. Right. So again, it goes back to making sure that we know who’s on the system and they’re doing what they’re.
Norbert Kiss [00:24:21]:
What they’re supposed to do. There are tools available now and they’re getting very clever to say, look, there’s a pattern here that I don’t recognize, that this person’s trying to transfer something at a, at a, at a strange time to a strange account. And we haven’t seen that before. So let’s block it for the moment and seek approval. That’s usually going to be a human approval. So you need to make sure your processes are in place to make sure that, you know, you’re not slowing down, you know the business flow as well. And also, you can use AI tools that we have already built into our product. So, look, I’ve seen this pattern before.
Norbert Kiss [00:24:52]:
It looks all right. You can set parameters where you can automatically approve it. So limit potentially any exposure. You can have limits with your exposure. So there are a bunch of tools available to do that. But again, I’m sorry to sound like sort of a broken record here, but it goes back to, you know, that identity. Is that identity doing what it’s supposed to do and is it supposed to have access to the system? Because if it isn’t, we need to block it and make sure that we get the right approval for it. And those tools, we have those tools today.
Norbert Kiss [00:25:19]:
We do that at scale. What I think the customers aren’t quite ready because they’re dealing with their human identities and so on. And that’s a journey that we need to go on with our customers to make sure they understand that.
Karissa Breen [00:25:29]:
So would you say it’s harder to secure machine identities, based on what you’ve said throughout the interview, than human identities?
Norbert Kiss [00:25:36]:
It’s not harder. Technically, I think human identities are easy to count. You can see them, they’re people. What you don’t know is what machine identities have been created on the system and what they’re doing. And that again goes back to get the visibility. I’m a little bit surprised often that people don’t know what’s going on in the network and they’re surprised when they see it. And I love going through that journey with the customer, because look at this, there’s a thousand machine identities here that you didn’t even know existed that are accessing credit card numbers, for example. They say we need to make sure that they’re controlled, that we’re rotating credentials and so on.
Norbert Kiss [00:26:08]:
So it’s not harder technically to protect it. It’s just the process of identifying them and making sure that we put them under the same umbrella that we would put a human identity.
Karissa Breen [00:26:19]:
When you say same umbrella, do you mean in terms of the impact it could cause? Is that what you mean?
Norbert Kiss [00:26:24]:
No, I meant like credential rotation and making sure they got the right access. And so I’ve actually seen credentials, non human identity credentials, hard coded into people’s code. The average in 2024, by the way, this is a number that I remember in my head. Non human identities credentials on average last for 627 days. The human identity lasts for less than 30, generally speaking. Right. So there are non human identities with credentials that are, that are on people’s systems that haven’t been changed for some time. A bad actor gets that they’ve got unfettered access to your system.
Norbert Kiss [00:26:55]:
And unless you’re monitoring and visualizing that, it’s tough to know what’s really going on in your network.
Karissa Breen [00:27:00]:
Okay, so I want to sort of switch gears for a moment and talk about prioritizing. Now, as you know, Norbert, everyone’s got a thousand and things to do. No one’s getting through it. You know, I’m speaking to people like yourself day in, day out, and every person comes on and says, oh, this thing’s more important. How do you effectively start? Or what would be your advice for some people listening that how do I start prioritizing this? Because as I mentioned, everyone that I speak to, every person I spoke to is like, hey, this needs to be the priority. And I get that. And look, all the got super smart people that I’m speaking to on this show. And it’s.
Karissa Breen [00:27:33]:
Oh, that was such a good point. But not everything can have the attention of the priority. So what would be your best guess to ensuring that people are managing their priorities internally more effectively? Effectively, yeah.
Norbert Kiss [00:27:45]:
Look, I sympathize, you know, with the CISOs. I, you know, I talk to CISOs every day and I sympathize with their complexity. You know, they’ve, they’ve got to get it right 100% of the time. And the bad actors have got to get it right once in order to get access. So it’s a tall order. And the things we’ve been talking about today are, you know, how it’s going to scale in the future, but let’s just go back to basics, you know, let’s get your human identities under control. Let’s do that first and let’s do that through visibility, let’s do that through, you know, identifying what access they have, and let’s bring everything back down to least privilege and work up from there. And if you do that, you then mitigate some of the risk even in the non human identities as well.
Norbert Kiss [00:28:24]:
But let’s start with the human identities, bring it down to least privilege and work up from there. And let’s do that without, you know, without upsetting productivity and, you know, people saying, oh, I can’t log on today. And there we have, we have ways of doing that and working with the processes, with our customers to do that. Right. But we do need to shout out to the CISOs that, you know, that 44% of breaches are stemming from compromised credentials. We need to know that’s happening and we need to know the impact and the business impact and the cost to the business of that happening. So, you know, do all the other things get your unpatched systems patched, you know, your configurations under control, for example, then concentrate on identity and make sure that we start with visibility and least privilege. And if you start from there, things will start to open up.
Norbert Kiss [00:29:07]:
But keep in mind that, you know, as you’re introducing the, you know, AI tools and everything, that that is, the identity problem is going to accelerate. So it’s really important that we start with the basics and go back from there.
Karissa Breen [00:29:19]:
Yeah, I mean, people always talk about the basics and security and again, we’re still struggling to get it right. What would you say, though, in terms of, and I know we’re speaking a lot about identity over the years, et cetera. Do you think, though that, and I hate to say it given, I mean, I’ve worked in the security field myself historically. Do you think that people just find identity a little banal, perhaps? So sometimes it feels a bit relegated. I hate to say it. Sorry, Norbert.
Norbert Kiss [00:29:43]:
Oh, yes, they do. I mean, how many times have we logged on the system saying, oh, what’s that password? Jeez, I’ve forgotten. Reset it. Like, it’s just frustrating. Right. And those security, the security tools are there for a reason. Right. But you know, we need to do a better job as vendors as well.
Norbert Kiss [00:29:57]:
We need to make it easier for the customers, easier for the customers to implement effective security strategies. And we think about that every day whenever we’re developing a new feature. Or putting something into our product. We’re thinking about how do we accelerate that for the customers, because the complexity to the CISOs and their security teams is enormous. Right. And it is frustrating. And that’s why I said on the previous question is let’s just dumb it down and get back to basics and let’s talk about identity management and least privilege. And if we start from there, we then have a good launch platform on which to, you know, bringing all these other problems that we’re going to have going forward.
Norbert Kiss [00:30:30]:
So the tools are getting stronger that customers have access to, you know, vendors like us, for example. You know, we’re constantly thinking about how do we make it just easier. And we start with visibility. So let’s just see what’s happening. Let’s just know what’s going on and then we can make decisions from there. Right. It’s very seldom, Karissa, that we talk to a customer and we solve all their problems in, you know, in one conversation. It’s.
Norbert Kiss [00:30:53]:
If we start there, the tools that you have available to us on our platform will take you on this longer journey. But let’s, let’s just get to the basics. Let’s make sure that we’ve secured you as best we can and then build from there.
Karissa Breen [00:31:04]:
What about moving forward, though? Like, the future of identity? What does that look like? And again, to your point, like, I mean, look how many people have gone down to the hell, oh, I forgot my password, or I don’t know what’s happening, or so and so locked me out because I’ve had this privileged account management access to do something. Now I can’t do my job and now I’m complaining. My manager, there seems to be a lot of internal politics, a lot of people doing a lot of paper pushing and not actually doing the work. Right. So what then do you think in terms of, yes, security is always going to be there around, that’s going to be always first in terms of identity, but then also just in terms of productivity as well. Like, what do you think now and how do we get to a point, like you mentioned, the onus should be on vendors to make it easier for people. What does that then look like and how do you sort of see things moving forward now?
Norbert Kiss [00:31:48]:
I can’t see anything in the near future where the identity problem goes away. People are going to want access to systems forever. Right. And it’s the way that we give them tools to get those access that needs to improve. We’re all frustrated with passwords. I watched one of your previous podcasts about passwordless access. And I think that’s something that’s coming and going to come faster and other ways of identifying people and making sure that this is nobody who’s coming onto our system and so on. So I think there’s a lot of sort of evolution to happen there.
Norbert Kiss [00:32:18]:
And once we know that it’s Norbert, then, you know, how do we make sure that Norbert’s got the access rights that he needs in order to do the job that he needs to do. And a lot of that’s going to come through intelligent, you know, the AI functionality we build into our own product monitoring, seeing what, you know, what Norbert’s done before, for example, on the network and giving him the access that he needs in order to do that. To be honest with you, I think the answer you’re seeking is we’re going to have this magic way of getting on and having, having, you know, all the right access rights at exactly the right time. In reality, that’s a way off. I think the customers have got a long way to come in terms of their internal processes. And even vendors like us, you know, we’ve got more technology to build into our offerings to make sure that happens. And the challenge we both have together, customers and the vendors, is that it’s starting to scale pretty rapidly and challenge. And by the way, the bad actors, they’re on it as well.
Norbert Kiss [00:33:09]:
They see this challenge and that’s why we need to get on as quickly as we can and we need to make sure that we understand what’s going on on people’s networks so we can stop something now while we’re fixing all these, all this process. I don’t have a perfect answer to that, to be frank with you, because I think it’s an evolution and it will continue over time. But we’re certainly better than we were last year. And we were better than last year, we were better than the year before. Certainly it’s improving quite rapidly right now.
Karissa Breen [00:33:33]:
So Norbert, do you have any sort of closing comments or final thoughts you’d like to leave our audience with today?
Norbert Kiss [00:33:38]:
Take identity management seriously and you know, speak to people about tools that are available to them and get ready for the non human explosion. You know, I saw it in the, as I started the call, you know, I saw it in my sort of time in DevOps and modern application development and I saw that explosion. It’s coming again with AI and we don’t want to slow down AI. That’s the way of improving productivity. Everyone wants access to AI. Both external, you know, the normal sort of chatgpt, but also, you know, much more in depth AI into your systems and look at that. Get the basics right first and get ready for that, for that explosion. Get the visibility and you know, speak to us, speak to people in the industry.
Norbert Kiss [00:34:17]:
Look for best practices. There are a lot of good events that are run and you know that a lot of CISOs attend to and share the challenges they have. And so that’s a good learning. Yeah. And look, I sympathise. It’s rapidly changing and we’re on top of it and we’re trying to work with our customers as best we can for them to get on top of it as well.