KeyConf NYC Interviews – Education Around Secrets Management
David Spark: Preston, you just gave a presentation. Just give me a quick 30-second overview. What did you talk about?
Preston Davis: So, the topic was targeted to cover secrets management inside of OpenShift using the Akeyless security platform, Secrets Management platform. So, Secrets Management, the vault, the remote access data protection, all of those components. What we ended up discussing though is some of all of that along with the component that seemed to have been missing from a lot of the conversation today, which is education of secrets. It’s one thing to talk about tools and tool sets but it’s another thing to talk about the education of the company. And so, that’s what the presentation turned out to be.
DS: That brings me to a discussion I’d like to have. I was chatting with some others about the fact that with a Secrets Management Program in place, security awareness training actually kind of shifts as a result.
PD: Yes.
DS: And it may have conflicting information. This is what I’m a little concerned about.
PD: Me too.
DS: What is the education... I want you to start real high, like 30,000 feet, and then let’s bring it down. What is the education we need to do around secrets management?
PD: So, that is a broad question. I will say that.
DS: Yeah. So that’s why I want you to start at 30,000 feet. We’ll come down. Don’t worry. We’ll get down to the ground.
PD: Fair enough. So, the education that we need to have around secrets really starts with understanding the target model the company or the organization is going for. You know you’ll hear a lot of organizations say, oh, we want to have five nines and we want to make sure that there’s no entry point for any bad actors. Forgetting the fact that bad actors can actually originate from the inside, right. So, the understanding of what that security stance is. That’s the 30,000-foot view. Understanding what the target objective is.
DS: Okay, so our goal is keeping people out and five nines of assurance. Alright, how do we get there? Hey, by the way, I’m on board. You’re not going to get many arguments. It’s like, yeah, that sounds awesome. Let’s do it.
PD: It helps to promote healthy business.
DS: There you go. Okay. So, we’re working our way there. How do we work our way there?
PD: So, we work our way there by helping to identify the critical components that are needed in order to have proper security and the question always comes up, what is proper security, okay? Proper security for McDonald’s may not be the same as proper security for Saks Fifth Avenue, right. It’s two completely different business models. So, proper security in this context is the understanding of your product portfolio, understanding where your target, where your touch points are for not only the target that you’re trying to reach but also from your employee perspective, alright. Once we identify these segments, then, we can start to drill down into how do I secure home base? How do I secure my primary trust?
DS: Let me shift this a little bit because this is an issue we’ve been talking about, again, on our shows, and I am quite passionate about this. And what I kind of find fascinating about security in general: businesses are in competition, like same-size, like-minded businesses or businesses that sell similar products in the same industry are in competition.
PD: Yes.
DS: But the security for these direct competitors is not in competition.
PD: Correct.
DS: So, it would behoove, not McDonald’s and Saks, but McDonald’s and Wendy’s and Taco Bell, to be talking to each other. Again, not the business leaders but the security leaders.
PD: Yes.
DS: Because the issues we’re having here, I bet they look a lot like yours.
PD: Yeah. And they’re pretty standard all across the board, when you’re talking about like-minded... or businesses that have the same business model. Similar business models. These businesses would gain so much more benefit.
DS: If they talk to each other.
PD: If they talk to each other.
DS: And by the way, I talk to security leaders galore, and none of them take joy in watching one of their competitors get attacked. Often what happens is “Crap, I may be next.”
PD: Exactly. When you see, let’s throw out a hypothetical, okay. Let’s say that McDonald’s gets attacked and, you know, someone hops in and is able to transfer $10 million out of their bank account in Bitcoin, alright. So, worst-case scenario, but let’s say that that happens.
DS: Sure.
PD: Alright. What you’ll see from the other vendors is not, yeah, somebody got McDonald’s. What you’ll see is, oh crap, if that can happen to someone like them, then why am I not next? I expect to be next because someone, a giant in this industry, just took a major hit. And I may not be as large as them. I may not have the same.
DS: The best response I ever heard to this from another security leader is, not only am I passionate about connecting with my colleagues, but if they’re in trouble, my security team is their security team. I was like, we are here to help you. Because not only will it help your competitor out of a sticky security bind, which is essentially what you do want to do.
PD: Correct.
DS: But because again, we don’t want any of us hurt. But think about the education your team gets in a crisis that by the way is not your crisis.
PD: Right.
DS: Which you can often a lot better because it’s not your crisis.
PD: Not only that, but the goodwill that you build and the ability for that reciprocal treatment if ever you fall into that situation.
DS: That’s a good point. Goodwill, I mean think about that. My direct competitor came and helped me while the house is burning down.
PD: Right.
DS: I’m like, oh, I owe you big time. Kind of think, like, you took me out of a jam, like you would believe you took me out of a jam. And we’re thinking, like, this was amazing education for my team. We’re happy to do this and now we know what we need to deal with.
PD: Exactly. This is typical human behavior that we’re discussing, alright. When we start to take that human behavior model and we move it up into the business, what we’re trying to identify is just how to be a human.
DS: Let me ask you this. So, I think most... do you believe most security leaders think this way, the way we’ve been talking? Yes?
PD: I believe that they do but I believe that they’re afraid to act upon the way that they think.
DS: Interesting point. So, because I’m talking to another security leader about it and he said, yeah, I’d love to talk to the other security leaders in my industry, but oh jeez, my CEO wouldn’t like that at all. Like, so how does... let’s bubble this up to this discussion. How would you as a security leader talk to your CEO, like, yes, you want me to have a frank discussion with my direct competitor?
PD: Yes.
DS: So, how would you... we’re having that discussion. What would... I’m the CEO? You’re coming to me. What would you say?
PD: Instead of... well, actually, I would come directly to you.
DS: By the way, thanks for promoting me to CEO. I’m going to thank you.
PD: Anytime for that bonus for you.
DS: You can.
PD: So, if I’m coming to you as my CEO and I’m telling you that, look, I know that we are Taco Franchise 22 and I want to speak with Burger Franchise One. Okay. I want to speak to their security team. I would position this in a way where you clearly understood the benefits of this conversation.
DS: Yeah.
PD: And it sounds simple. We’re using simple terms here, but the realistic point of view here is that when we’re talking about the sharing of knowledge, right, we’re not talking about sharing my sales targets, my promotion models, my business objectives. What we’re talking about is sharing an understanding of how to secure my front door, how to secure my back door, and how to make sure that my motion sensors all throughout the house are active, alright? That’s what we’re discussing.
So, me coming to you as a CEO, I’m going to tell you, look, we have a lot of great momentum going here. We have a good understanding of our security practices and models but we only understand what we touch, okay. If we are looking to grow beyond our current knowledge point, then we need outside influence.
DS: You got my okay.
PD: Thank you.
DS: Thank you so much, Preston. I appreciate it.
PD: I appreciate the time. Thank you for having me.