[Music] [Music] [Applause] [Music] me [Music] [Applause] [Music] [Music] so [Music] [Music] [Applause] [Music] so [Applause] [Music] [Applause] [Music] [Music] me [Applause] [Music] [Music] [Music] [Music] [Applause] [Music] [Music] [Applause] so [Music] [Music] [Music] [Music] so [Applause] [Music] so [Applause] [Music] [Applause] [Music] [Music] um [Applause] [Music] [Music] [Music] [Music] [Applause] [Music] so so [Applause] so [Music] so welcome to cyber security insights we're excited to talk to you today about some of the key developments in the cyber security area let me start off by saying you know security's always been a board room topic boards care about it but right now it's actually getting even more important given what's happening covered 19 given the risk the world faces the fact that 70 percent of the workforce is now really working from home at vmware we have all of our employees working for we made that a mandate not just required but we're taking a cautious approach as to how they come back that's the reality of many of our customers but the bad guys are not staying still 148 increase in ransomware during this time they're just looking for every way to take advantage of innocent people working at home and then we've seen 52 percent increase of all attacks in the march time frame targeting the financial sector so it's very important that you we have a different approach to security because our belief is the security industry has been broken uh you'll see on this chart 5000 odd vendors 15 or 20 different categories and it's often i described like going to a doctor to stay healthy and she tells you you've got to take 5 000 tablets and you fall off your chest and that's just not possible you know so how do you prevent staying having 5000 tablets taking 5000 tablets to stay healthy you eat your vegetables your fruit your proteins drink your water you make it part of your hygiene and that's what needs to happen in security we've got to move away from this bolted on approach siloed approach where you've got you know various differences feels like even 5000 tablets 5000 security tools are all kind of like healthcare deem themselves very important and also from security that's just focused on threats and the new approach needs to be one that's more built-in intrinsically part of the platform like making a part of your diet more unified as opposed to just siloed across all of the key pillars of security and a lot more context-centric rather than just threat centric to do this we've been looking at kind of the value proposition of vmware we're you know about a 10.8 billion dollar company and have played across these three or four layers off being a digital foundation for the world any cloud any app any device with intrinsic security you've seen this from us several uh over the last several years what we've sought to do is layer into that diagram five or six important control points in security that we think are going to be super important to make security intrinsic let's start off on the bottom right corner of this with network security we think a new approach for network security means that if you look at data center networking or firewalls or load balancing or sd-wan what is a 30 billion dollar opportunity a new approach you know could be one way you could have in one platform all of those capabilities in something that's more software-defined that's what we've been doing uh in with nsx a platform some customers call us sort of the tesla of networking because we're taking a somewhat you know traditional hardware-defined approach to networking and building a more software-defined networking stack for security much the same way a tesla is building a software-defined car if you go to the left-hand side you see kind of the endpoints but it's two different forms of endpoint an endpoint that's on the client side near the device a laptop tablet a phone or a endpoint that's closer to the server a workload or a container and in both areas we believe we have an opposition proposition to really be the best uh security solution for endpoint and workload security identity we think there's a tremendous opportunity to be the best solution that not just some ourselves but also partners with the best of breed players for example um octa or azure active directory in cloud security we're going to do a lot ourselves for example cloud security posture management but we're also going to partner with the likes of well web gateways and and proxies like z scale or netscope and then analytics is the big kahuna because the more data that you have the more equipped you are to prevent breaches and what we believe here is this notion of what the analysts are now calling xdr collecting telemetry from all of these control points which we have exposure to network endpoint workload identity cloud and having one big data lake where you reason over this with a variety of behavioral and ai algorithms and then provide the best way by which you can protect customers from possible future security events this is something we well best because we actually collecting the most telemetry of anybody from disparate different sources and you're gonna only see this increase so vmware's proposition uh as you look at this we today have a billion dollar security business i know you're gonna listen to that and say wow where did that come from some customers call us one of the best kept uh security secrets in the industry uh a significant about that comes from network security a growing part of it now comes from endpoint security we think the opportunity is to take that billion dollar business it's about 20 000 odd customers and double or triple that by really focusing in these five or six control points you're going to see us build the best products in each of these categories but one that's intrinsic and also works between them in ways that are incredible let me give you a couple examples with carbon black we're going to make it agentless on the server side with vsphere nobody else can do that we're going to do that and you're going to see that very soon with carbon black we're going to make it unified with workspace 1 on the console so you have a unified approach there on both the console and the agent something that you also start seeing from us very soon these are things that nobody else in users can do network security you're going to see from one platform data center networking load balancing firewalls and sd-wan beautiful security-centric networking story so this is the approach for folks and now i think as we listen to several of the thought leaders and analysts you're going to hear them get into this story in more detail thank you very much let's continue in this show cyber security insights and now we'd like to explore the unified approach of security and i.t how do you unify them as a foundation for success our special guest today is chris sherman who's senior analyst at forrester and a pretty renowned security uh researcher and thought leader himself chris welcome to the show great to be here with you sanjay you know i'm sitting here in my living room in cleveland ohio as we uh ride down the curve right fighting off a cabin fever and staying healthy hope you're doing the same chris i'm doing well but listen i look at your beautiful looking um you know i can't confess that my background is my natural i've got a virtual background is that actually your living room or is that a virtual background it is this is my living room we built the house last year and it's also my little private iot lab because you know i'm a huge nerd and i love my devices we've been you know kind of a big fan of a lot of the forester research zero trust security you mentioned your research and iot uh i.t security and i'd like to explore this a little further with you chris i'm a big fan of your research read a lot of your stuff uh but let's kind of focus in you know clearly in this time having security strategy and i.t strategy be together in this current climate many organizations have had to pivot uh due to covert 19. you know one example is employees having to work at home which raises a whole host of cyber security issues and you know having reviewed the research results it makes them i think even more relevant the need for security and i.t to join forces i believe right now to defeating the cyber criminals during the pandemic um so that we don't have this risk and quite frankly you know we've been finding the risk is even higher because the bad guys aren't sleeping uh even if there's a crisis going on so maybe you can tell us a little bit more about this research and your findings absolutely yeah so you know i think the genesis of this research really started with a conversation i had with some of your team members back in november uh we talked about you know the high level of friction between these two teams right between i.t and security and frankly the lack of support that a lot of the existing tools in the market really have for you know integrating the two and when you look across the industry there really aren't a whole lot of resources for buyers or you know technology strategists that you know want to understand these dynamics and you know this is really what led to vmware commissioning forester to uh you know this past february to survey over 1400 security and it ops decision makers across the globe we really wanted to probe those dynamics right you know what's holding companies back from eliminating this friction right this really was actually the largest sample size of any commissioned study that i've been a part of here at forester and it really led to some excellent results and and data as you know from the uh published research i'm looking forward to to reading them and knowing more about it and you know i think if you think about the research and uh you know there's a shift in security driving alignment and collaboration security and it's you know kind of the top initiative we see in the next 12 months uh maybe even tell us about why the relationship between these security and id teams um you know are important whys have been strained across both you know all three of people process and technology yeah i mean so i team security really are two sides of the same coin right but unfortunately their teams have struggled to work well together for many years according to our survey date it's gotten to the point where 83 of both team staff report a negative relationship between the two it's very unfortunate but there are many reasons for this you know many reasons for this friction especially with the vp director and manager roles between the security and the ite teams you know at a high level most of this is driven by the fact that security and i.t have differing priorities right our data backs us up you know you have i.t on one side that's focused on technology efficiency and uptime and from our conversations with it staff it's clear you know they view security as philosophically opposite you know to this right often as roadblocks to accomplishing their goals and then on the other side security's top priority is as you'd expect responding to security events and incidents and preventing compromises and this difference in priorities is the source of a lot of friction also both security and i.t staff are really unhappy with the technology that the tools specifically that they're using or the security tools the c cios and csos you know that we talked to all had the same complaint they have too many disjointed tools in fact the average across our study was 27 security products on average in each organization and even the most established security solutions like take firewalls for example you know it caused some serious angst right we found that only 52 percent of respondents felt that their firewalls were satisfactory in terms of the performance and the security uh efficacy i think you know listen a couple of points i'll point point out from what you talked about that resonate deeply with us one is when you talked about uh i don't know it was 25 or 27 odd tools i'd be surprised the number of csos i talked to who say it's in the dozens one i think i always sort of keep a record for the number of tools i've heard one tell me it was like 100 different security tools i asked you know him was there a hundred different consoles so it's just the number of tools and consoles uh the other one that you resonated with me was even in one of the more mature areas like firewalls you would have thought oh people are really happy there we find the same level of dissatisfaction with people saying listen traditional hardware-based approaches appliance-based approaches lots of policy way way too complicated um now let's talk a little bit about staffing i think it's it's you know listen at the end of the day security is a team sport it does depend on products and processes and technology but there's also people and you know we security teams are understaffed they're increasingly dealing with a complex portfolio of these non-integrated products how uh is this impacting teams and what can companies you do as you advise them to reduce complexity from the plethora of different products that are often point products today well you're right right finding and training the right item security staff is really critical to the success of the respective teams unfortunately this continues to be a major pain point right across the whole industry in fact 64 of the security teams that we surveyed and 53 of the it teams reported they're understaffed but yeah i mean amid this global pandemic when most organizations are focused on surviving and you know maybe keeping the lights on or i guess in this case maybe the vpn's running right and getting by with limited resources and protecting an increasingly remote workforce it's much more difficult to collaborate and work together across teams but our data showed that one of the major results of this you know the formation of communication silos you know teams aren't communicating enough right they're they're communicating within their or organization designed for their particular use case right with very little integration and collaboration across those silos and you know this is where tools could help right most of the time though they the tools actually just reflect or amplify those silos by reinforcing the division right between the two teams ultimately organizations may be looking for technologies that can support the needs of both it and security right this will help alleviate any tension that might arise over things like competition over limited resources right ideally once the teams come together and agree on goals as well as objectives and and measures of success for that matter right they can address their technology stack inherent complexity wisely said listen the security attacks are becoming more sophisticated uh organizations are considering now i think the approach as you've described is a unified strategy to address these critical issues uh can you tell us more about how you've seen these unified approaches to security strategy being effective well so i mean it seems like we've been talking about unifying the tools and strategies by you know i.t ops and security for years right but it's only been recently that we've seen the two sides really demonstrate any appetite to actually do so unfortunately most of the tools again right on the market are focused on one or the other and integrations are only starting to really accelerate to the point where our true unified vision is even possible this not only aligns teams under common goals right having a common tool set but it also aligns workflows between those two teams and helps foster collaboration uh listen uh you mentioned a couple of these these examples are really good for people to kind of grop you know in this have you uh outside of these exams or any other sort of tangible results uh that you think companies can expect uh as they bring together their security and id strategies and make them more unified what are the results from your research you think customers can expect to gain yeah there are several other you know clear benefits right that we identified in this research right the benefits to unifying the tech stacks between it ops and security our research showed that companies with a unified strategy reported fewer security incidents fewer data breaches which makes sense right given how critical endpoint configuration and overall i.t hygiene is to the security posture of an organization also you know building security capabilities directly into the it infrastructure helps to motivate non-security staff to take some ownership right over basic security fundamentals and this all helps speed right this this increases the speed to you know both detect new threats and uh respond once they're you know identified you know time to containment right this was also validated by our survey data a common strategy really can empower both to you know mitigate risk ensure continuous compliance and improve you know their threat response uh workflows you know between the two teams really companies need to find tools that meet the needs of both teams and at the end of the day as you pointed out security is a team sport right we all benefit from working together to protect the business and its employees right from malicious actors especially in these difficult times that's great chris thank you for uh your research um um so i just encourage all of you are listening um if you want to um you know get chris's research um you know go to this url on the screen here and you'll be able to download it uh we're excited about it i mean listen you know personally when i watch it teams and security teams sometimes sort of spar each other um you know i i i think that increasingly whether the security team reports under the cio sometimes that's the case sometimes security teams report into the chief legal officer or they report maybe into the cfo wherever reporting structures are only you have to build a team sport because there's aspect of this that's policy aspects of this that are technology there are aspects of this that are people uh thank you for this research chris as always i'm a fan of uh the stuff as are all of we and what you're right so it's always good to be able to see more this is also much of the other extended uh forest to work like zero trust that have become kind of the things that i've seen now becoming more pervasive in the industry so thank you all for listening to this uh and we hope we'll continue to serve you in the course of this program cyber security insights with more insights like this it's my pleasure right now to also continue this uh cyber security insights series now with a wonderful interview um with the head of security and infrastructure at circle k suzanne hall um i've had a chance to briefly meet her prior to this and she's got an incredible vision of how infrastructure security comes together uh in the context of retail so i'm looking forward to the discussion suzanne thank you for joining us today thanks sanjay glad to be here great hey listen maybe i'll start with um you know circle okay some folks may know you in the locality in the areas where they shop or whatever have you but many folks around the country may not and we're assuming there'll be a very large audience watching this tell us a little bit about the company what you guys do uh what's your vision and how are you serving uh customers and consumers oh terrific oh well yeah so circle k uh many people do not realize it's actually a canadian-owned company we are a global uh convenience and fuel service organization uh with with offices all across north america uh large part of northern europe um and with franchises in a large part of asia as well we're the second largest convenience store company in the world and the 11th largest retailer we yeah we acquired circle k the brand um back in the early 2000's and uh our goals right now over the next five years are to try and double in size um which is a pretty aggressive goal goal considering uh our organization which really is taking a you know 60 billion dollar organization and trying to double that in the next five years so wish us luck let's focus now a little bit more on the infrastructure and security part of it um it's interesting that you own both as you think about those areas um you know how are they linked together and what have you been doing to tie uh infrastructure topics and security topics which are often you know you have a ciso and then a cto owns infrastructure in your case you own both and i think it's a classic way in which you know we're trying to kind of get traditional it teams the security work world to go you're living it then you're breathing and you're implementing your team uh how is it working out and how are you making it work yeah oh sorry it was actually a key part of me being attracted to the to this world i've been here about 18 months um i really feel for certain organizations culturally if you can make it work where security operations can function together um it really empowers your security team to move things quickly and it also gives me the opportunity to take ultimately super scarce resources from the security side and build uh more security acumen within my network teams and my hosting teams and my infra um so that i get actually really smart technologists that also get security collaborating with really great security folks that also get technology there's a lot of synergies that i that i get from that from combining these two organizations and where circle k was before i got here you know we we um did need to rapidly mature a lot of our security program um because it had just um grown uh i think the organization grew beyond the competencies of the security team before i got here and so by having both sides of that house i was really able to move things quickly um kind of i don't have to i don't have to uh negotiate between the network team and the hosting team the security team because they all report up to me and i get i get to pick who wins all the time so it works really well i'd love to talk to you but just cover it it's on on everybody's mind it's changed transformed how we all work you and i are doing this interview work from home uh if we were doing it in different concerts i have to come to you or come to us we have done this in the studio together or in an event um and certainly it's you know kind of changing the ways in which we work and family life and so on and so forth but how is it changing your business how is it changing your i.t organization uh and how have you had to adapt to um you know this time that we're sheltering place work at home yeah well it's really it's changed everything for us as i'm sure for for most of your of your clients as well um you know obviously serp okay being convenience we are uh on the front lines we are open across the globe we may have some small stores that may get closed for periodic periods of time or maybe some shortened hours but we've got convenience workers and gas station workers working around the globe through coven so we've had to change how the stores look and feel um we've had to rapidly deploy things like curbside delivery to really adjust to uh customers um wants and expectations and then we've had to take the entire back office and put people working at home which was not our culture um before this all happened and we had to do that almost like in watching a wave go across the globe as it started uh offices started closing in northern europe first uh and then and then all the way through to ireland and then and then obviously the east coast and canada and all the way through to the west coast so um we actually had a very short period of time to create a remote working uh operation um luckily enough um we had some really talented folks we put a couple different solutions in place and uh within two weeks or so we were able to get everybody working remotely that could work remotely and then that really empowered us to support all those operations folks that needed to get things like plexiglass into the stores hand sanitizers into the stores masks uh um into the stores uh to serve our customers and to serve our staff i'd like to move on um then to the um the kind of the context of this infrastructure and i.t workers and security work i.t teams and security teams working better together one of the things we find often and we did some research with forester that where companies performed well and had great you know security prevention practices breaches places where i t and security work well together and traditionally often csos uh may be separate from the infrastructure team sometimes csos don't even report into ci support elsewhere and that can be uh not intensely so sometimes intentionally but often just a silo or a warring mentality you're good evidence now where you're bringing these together let's talk a little away from technology for a second and the people process collaboration how have you been able to bring these cultures together so that they work together for the common good of either cost saving protection whatever have you yeah you know um and so i've had the benefit of being a cso and a cio and a couple different organizations and also i was in i was in consulting for many years i worked for a big four uh from a letter of cyber practice with one of the big four firms and i'll tell you cyber programs uh move fast forward best when there's a couple of key elements in place and the first one is you have to have shared goals anytime that the cyber team is trying to implement something um in that the network team isn't on board with or the network team picked a tool they don't want to implement the tool that the cyber team is as um and has selected i mean that's that's always a recipe for failure so somehow you have to really work on aligned goals and i do that even though i own the infrastructure teams and the security teams um nobody's successful if we're not all successful together and really focusing on what does success look like for for each one of the each one of our areas and look sometimes you know we do have to take some uh educated risks in the environment you know for responding to things quickly but we also don't take we don't um let those risks sort of linger and and never get remediated right so we really work together to make sure that any new risks that we're taking on we have a focus on how we're going to mitigate that and we hold ourselves accountable and um and the network team is equally accountable for responding to security events as a security team is the key element i also say to my security teams is when you're working with production operations teams and and folks you've got to have skin in the game you've got to recognize that they're trying to keep systems up and running 24 7 you know for the operations of the organization right so we can take credit cards and cash in the stores and make the sales and deliver the goods and services when we need to if the security team isn't seen as fully on board with that mission and that um that responsibility then there's there's a non-equity sort of relationship going on between the two different teams so you really need to bring them all together and make sure that everybody um understands supports each other's wins and goals it's awesome that you've been a cio and a ciso and you've seen all of these in various different companies i'm sure maybe in smaller bigger wherever have you so you're able to really relate to that uh i find the csos i talk to uh most of my relationships in the years past have been with cfos and cios uh i set myself a personal goal this year as we started getting more into security as i've been shaping that strategy of the company to meet a thousand cesars i was 15 years ago at symantec and most of the csos i know are retired and moved on so uh it's a good new way of my understanding and i find as i talk to them so refreshing the ones who are strategic like yourself uh have had tremendous experience in id or are also owned them and are able to paint a vision that's very collaborative as to as opposed to ones who don't then are also able to strategically bring teams together so it's really good to to see that i'd like to kind of just work a little bit more into security because i mean your strategy plays into the reason we're quite carbon black um and you i have some obviously you know knowledge and investment vmware but i'm listening as i was listening to prior to getting on to this you know program together you're probably doing more with carbon black which is awesome i mean it'll probably strengthen our relationship with vmware too and of course but we can talk a little bit about that what's been your history carbon black why you picked them and where do you see that going on the endpoint security um and then i'll talk a little bit about how we're trying to try that into infrastructure too yeah so um so my relationship with carbon black goes back to uh almost right after i first arrived at circle k um obviously i know uh from having come from consulting a number of different uh tools and products out there um although carbon black always had a really good reputation and strength and um i went to carbon black pretty early on and said you know here's my here's my situation i've got a little bit of carbon black and a little bit of other things in different places i really want to standardize on a single tool i really want to get to a better visibility of my overall network and of my of my risks and ultimately i want to have a single pane of glass but um that you know i've got folks working from an eyes on 24 7. um you know carbon black hands a table really quickly and had a great vision uh for how they could get us uh standardized across some different versions that we had um and when i said okay i want to do this in six weeks or fewer um they didn't say we can't make that happen um i think a lot of people on my team wish that they'd said that we can't make that happen but um but now we were able to really rather quickly um deploy and and get up to speed across all of our stores across all of our networks all of our you know we're a very distributed organization i've got offices all across north america and europe um and uh and we were able to in six weeks get get standardized and get things up and running and i had gained great visibility uh in that and i'm a big believer when looking at all sorts of tools whether they're input tools or security tools that you know you can tell whether or not you've picked the right solution if it's fit for purpose relatively quickly if it feels like it's too hard to implement if it just feels like it's you're not getting the value out of out of something in a relatively quick period of time you really do need to look at whether or not the tool you're looking at is fit for purpose in your environment and i would say the carbon black team and the carbon black tool that made it really easy for us and um you know it's giving us great visibility we have been able to uh detect and respond to a number of different instances you know retail is a very uh high threat high target industry these days um so it's been it's been super helpful in us defending um circle k in our environment and with 130 000 employees i suspect your number of endpoints are in the tens of thousands on the client side and probably just as many in terms of server-side endpoints right so your your kind of surface area of potential endpoints is pretty large oh indeed and you know but you know you have over 15 000 stores every store has multiple point of sale systems and at multiple uh computers laptops tablets devices um and that's and that's even before i go out into the uh what we call the forecourt which is where the gas dispensers and pumps are so yeah it's very complex well listen we look forward to that journey together part of what she has talked about here is a key part to our vision uh folks listening to this is to basically bring together security to make it key parts of the infrastructure both in the endpoint the network and the cloud thank you for your partnership i look forward to getting to know you and your team better um thank you also for all you're doing to serve the community during these tough times especially those workers at circle key that are the front line in the stores we appreciate you tremendously and we look forward to continuing this dialogue thank you very much thank you thank you everybody for watching this cyber security insight segments titled security as a team sport we talked about the shift in security and how security is moving to a shared responsibility model in this team sport in this segment we also discussed the benefits of a consolidated security and an i.t strategy that allows for fewer breaches and a faster response to security incidents as key benefits that have implemented a common strategy for those who have done this i encourage all of you to watch this part two of cyber security insights the securities of dual mission and we will have two security leaders discussing how security helps not only protect but help drives the business forward thank you all for watching this segment [Music] you