Cybersecurity in the New Different — SolarWinds TechPod 033

The more things change, the more they stay the same. Although this adage holds much truth, it’s important to understand how it applies to the digital transformation we’ve witnessed this year. We’re in what’s truly a new normal. In this episode, SolarWinds Vice President of Security, Tim Brown, joined by Christopher Kissel, research director, Security and Trust Products at IDC, will walk listeners through the new era, what to expect when it comes to digital shifts impacting security, and how to properly address and embrace these changes for success. This episode of TechPod is brought to you by SolarWinds in honor of Cybersecurity Awareness Month, as we explore what digital transformation means to security best practices. Check out the SolarWinds Trust Center for lots of good information on security including our sponsored research, compliance and certification links, product information, and more. Visit www.solarwinds.com/trust-center.
Chris McManus

Host | Marketing Manager, ITSM, SolarWinds

Chris McManus is a multimedia content producer at SolarWinds. He works with Service Desk customers on case studies and video stories, and he’s the go-to…
Chris Kissel

Guest

Christopher Kissel is a research director in IDC's Security Products group, responsible for cybersecurity technology analysis, emerging trends, and market share reporting. Mr. Kissel’s primary…
Tim Brown

Guest | SolarWinds CISO and VP, Security

Tim Brown is at the front line of the most vexing challenge facing organizations today: IT security. Tim is currently the Chief Information Security Office…

Episode Transcript

Announcer: This episode of TechPod is brought to you by SolarWinds, in honor of Cybersecurity Awareness Month, as we explore what digital transformation means to security best practices. Check out the SolarWinds Trust Center for lots of good information on security, including our sponsored research, compliance and certification links, product information, and more. Visit solarwinds.com/trust-center.

Chris: Welcome to SolarWinds TechPod. I’m your host for this episode, Chris McManus. On this podcast, October is Cybersecurity Awareness Month, which is taking on a whole new meaning in 2020. Today’s discussion will focus on the impact of our unique circumstances on digital transformation and what that means for IT security practitioners. We hear from experts on the key shifts in how industries are operating, some of the most important risk factors, and best practices to help lock down this new era of multiple everything, from endpoints to clouds. Joining me today, SolarWinds Vice President of security, Tim Brown. Hello Tim.

Timothy: Hi, Chris, great to be here.

Chris: Great to have you. And we’ve also got Chris Kissel, who is the research director of security and trust products at IDC. Hey Chris.

Christopher: Hey, how you doing Chris? I was going to comment that I’ve got a face made for podcasts, so I’m pretty excited about this.

Chris: Yes, don’t we all. So welcome both of you to TechPod and welcome to our audience. Really looking forward to the discussion today. In the title, Tim, we’ve got the term “the new different,” which is something we use a lot around here at SolarWinds. I think we’re all experiencing the new different in our own ways. But if we take a broad look, what can you tell us about the impact of all these current circumstances that we’re dealing with on the ways digital transformation is changing?

Timothy: Yeah, new different is just really a good way to think about things. We’re not going back to the new normal, it won’t be normal. It’s just going to be different. And different is okay, we just have to understand that… I don’t think we’re going to get back to travel. I don’t think we’re going to get back instantly to big meetings. I don’t think conferences are going to stay the same. I think we’re going to see this model of social distancing, this model of new communications, this model of kind of how we’re working, be different for a period of time. And it’s just going to look like something new. I love this stat, right. In 2015, 82% of execs said yes to digital transformation, but only 23% were ready, so they couldn’t get there. Right.

Timothy: But fast forward, 2020, five years of digital adoption in eight weeks. I know that we sent 4,000 people home to work in a matter of a week, a matter of two weeks. And we had to do that. There was just no choice. We wanted to keep doing business. We needed to make sure everybody had computers. We needed to make sure everybody was prepared. We needed to make sure that we could manage people in a different way. We needed to make sure that we were still moving forward. And would we do that with choice? No. Were we forced to do it? Absolutely. So I think we’re not the only ones that went through that. I think many have gone through that.

Chris: Chris, I heard you snickering in the background there, only 23% were ready, that one struck a chord?

Christopher: It did. And also let me tell you what was cool about what Tim said is exactly right. So, the way we kind of monitor digital transformation at IDC is we had five distinct cycles. Business continuity, cost optimization, business resiliency, targeted investments, and future enterprise. So we actually thought that customers were stairstepping and they might go, okay, what’s our business continuity? What can we do for cost optimization? Well, all of a sudden you got to do all five of those steps at once. So if you were thinking about how you were going to have your remote employees come into your larger network, that wasn’t a problem where you go, well, we got to send them a headset, we’ve got to set up a VPN. You got to do all that at the same time. So I thought that comment was completely apt. And it’s sort of been a thing that got foisted on you where you had to go from, you obviously do your resiliency first, but anytime you spend money now you’re pressured to think of what the future extensibility will be and you had to do all this in one swallow basically.

Timothy: Yup, absolutely. And it was quick, it was hurried. And I think the companies that are doing okay through this, so the companies that have been able to do that transition but we’re looking at some what are the transitions that are still going to come? What’s going to happen?

Chris: I think all of us just as people are seeing some of the effects especially as consumers, you look at the ways some of these industries are changing when you go to a restaurant, when you go to the grocery store, when you now either go to the doctor’s office or you’ve got a virtual appointment with your doctor. The list goes on and on. Chris, how are you seeing the way all of these changes across industries are impacting IT teams?

Christopher: We had a couple of different interviews where I spoke to somebody who had a small chain of hotels and they said, “Look, man, we still think about compliance as the number one concern.” So even though the business had changed materially, they really wanted to make sure that whatever processes they had, the limited ones on-premises, they had redundancy to prove that look, we’re still taking care of data. So in a weird way, compliance takes a larger form because you don’t really have the same excuse that the motor’s running. In a lot of cases, people could stop and stare and they had to worry about whether they were still NIST compliant or PCI DSS compliant. I can also say that we found that the IT spending in general, I just want to throw a few quick stats, I’ll give it over to Tim, was less and more catastrophic than you think.

Christopher: So if you went into 2020, I think IDC, we were forecasting that there would be about a 5% or 6% increase in IT spending. I think we’re down to around 2% or 3% overall even into the year. But the way it worked out, I’ll give you like a quick reference point. In the United States when we asked people about COVID spending, 22% said that they spent less than they thought they would. 22% said they spent more than they thought they would in IT spending, 53% said they spent less. But in real dollars, not perception dollars. It was more like a 36 spent more and 42% spent less.

Christopher: So the perception of how big this was going to be versus the reality, not quite as bad on an IT level. Now, and I’ll spin it back to the industries again, you’re absolutely right about things like travel and hospitality. They’d been wiped out, they have to come up with new paradigms because those things were everything from IT ticketing, to ticket management, all of those things have been radically changed. And they’ve also had to condense a lot of processes. Some of the bigger networks weren’t in the same place. Tim, what are you seeing with all this?

Timothy: Yeah, I think you brought up a great point on compliance still being job one for a lot of people. In the security industry we use a term of minimal essential core. That says that you need to make this minimal standard of securing yourself, or you shut the doors, literally shut them, lock them and stop doing business that moment. Because the cost of risk, keeping the doors open when you’re not meeting that piece of value means that, “Oh, I’m going to lose all my customer data, then on top of going out of business I’m going to get a suit for multiple millions of dollars for losing all the people’s data, because I don’t have enough protections in place to even continue down the path of business.” So meeting that minimal essential core for those companies that are struggling, it’s critical.

Timothy: It’s critical, like if you’re in retail, if you’re in hospitality and you’re running your hotel chain, like Chris said, you still need to meet your regulatory burden. You still need to have that minimal essential core of protections in place because you have past data, you have past data on employees. You have past data on guests, you have past credit card data. You have all this data that if you can’t protect it it’s not worth the risk to continue forward with business. So we’ve got some that are always doing that in the security area, but minimal essential core right now for those companies that are struggling, it’s an important concept. But yeah, just another thing on healthcare and where we go from an advancement. Think about healthcare.

Timothy: The amount of telehealth we’ve done has been wonderful. The number of different models we’ve done to be able to diagnose people, the number of different Zoom meetings and other meetings to help. They’ve relaxed a lot of the rules for how you get prescriptions for things. Oh, you can answer over telemedicine that you have a sinus infection. Or, you answered the questions. You had a consult over the video with someone and they’ll be able to prescribe something for you. So those types of advancements will go far beyond what we’re thinking of, just in this moment in time. The amount of efficiency we can drive from it, the amount of more data we get, all of those things have to move forward. So this doesn’t necessarily need to be a bad thing is the point that I think we’ll get more innovation and different services out of it.

Christopher: I think you said that pretty beautifully actually. I thought about, as you were talking about it, my doctor and I, I had a prescription come up in May and he said, “Well, I’m not going to re-up your prescription unless we do a tele appointment.” Now, we got online and we talked a few things over and he said, “Look, now I can go ahead and give you your blood pressure pill and all that stuff.” But the cool thing about it was, is instead of going to the doctor’s office it was something we could do immediately. And there were reasons for both of us at the time we really didn’t know how acute the COVID virus was going to be. So he wanted to keep his practice going. I still wanted to keep my health regimen going.

Christopher: So there are certain things that can happen and we always did. We’ve always had that Tangerine Dream that five or six years from now that, well, some of the things that you could do on your Apple watch about monitoring your heart rate. Yeah. And these things are now some of the connective backbones and the tissues. Those things are… Well, I guess it made a double entendre there, but I think that the idea is those things are happening a little faster now out of necessity. And we’re finding that a necessity, being the mother of invention, that some of this is not uncomfortable and it actually is preferable towards digital transformation.

Timothy: Yeah, absolutely. IoT in healthcare, we’ve been beating around the edges of it for years, years, years, years. But I think we’ll see even more, as you said, your Apple watch is monitoring you, you want to share it with your doctor. You can get blood pressure, you can get other things, you can get heart rates, you can get… And then more IoT devices can even do additional measurements. So I think this is going to, from a digital transformation, healthcare information, data is all going to be bringing back centralized to be able to help. But it is more data. More data is important for us to secure and other things.

Chris: So we’ve talked a lot about some of the changes that are going on, changes in spending even as you alluded to Chris, it may not be quite as much more spending as perceived. But certainly some of it is changing. Tim, you brought up risks are changing. Tim, do you think risks are increasing as we see some of these changes or are they just different?

Timothy: I think they’re different. And we have to keep in mind how they’re different. If you look at IT organizations, look at companies that are more in the information kind of model where they’re trying to have online systems that they’ve been protecting for a long time. Our control point used to be a network. We used to be able to say, “Yep, I’ve got a network. So, and I’m going to protect that network. I’m going to clean that network. I’m going to clean my pipe everywhere. And I’m going to be able to have that as a very important part of my overall security.” And now we have, instead of one pipe for my 500 people that are in office, I have 500 pipes. How can I make sure those pipes are cleaned?

Timothy: Well, I can’t really make sure all of those pipes are really clean. Shipping people home for everything. So doing VPN for all people, for all purposes, really isn’t the right thing to do. If I’m using Office 365, why do I route them home to my office before I route them out to the cloud? Why not route them straight to the cloud? Well, in order to do that, I need to have the right types of control points, the right access control on the application, the right monitoring on the application, the right access on the application. So it’s different. Is it more secure or less secure? It’s different. And I think as we look at some companies that were really stuck to saying, I have an office model, and that’s what I’m surrounded by, it’s more difficult for those companies than the companies that have started to live in hybrid models, hybrid worlds. So SaaS applications, on-premises applications in a mixture of two and security controls that ended up being those mixtures.

Christopher: Yeah. Tim and I’m going to tell you that I think that everything he said is dead on line. And I think that there’s another thing that we really didn’t quite anticipate is that data has its own gravity now. So if you think about like personal identifiable information or DNS resolvers, all these things that the attacker really is very interested in or straight from web application firewall things. The part of it is that when you had a flatter architecture and you had things on-premises, you could actually put more controls through identity and access management. And you might for lack of a smarter way to say it, do it as a local check where you go, well, my file integrity manager tells me that I haven’t dropped or gained any files that’s good enough.

Christopher: You really have to care about the data itself. So you have special rules for access coming in from and out of the network getting to the data. The data itself has to be monitored. So I think that might be the biggest change. And you put it beautifully where you said you went from 50 pipes in to about 500. Or maybe even more depending on how SaaS-based your company is, or how many users you have. So data becomes its own gravity. Yeah. And I’ll let you get back in because they just thought that was such a smart point.

Timothy: Yeah. And I think back to data. When we look at data, the new economies, this new digital transformation, we’ve already started using data and using more and more and more data at different places. But now those companies that have survived, those companies that are going to thrive are those that have really kind of pushed the limit on data. They’re saying, of course, I’ve got a great customer relationship management now. I know everything about my customer. I know how to communicate with them remotely. I don’t have to wait for them to come into my restaurant. I’m going to promote them to come in for my specials or I’m going to promote them to order my specials online. I’m going to care and feed them. I’m going to communicate to them more. So if you look at the retail operations that are doing great right now, many of them don’t have storefronts. Right.

Timothy: But they have absolutely incredible marketing teams that understand, “Hey, Tim Brown likes broccoli, but doesn’t like Brussels sprouts.” Actually, I do like Brussels sprouts. But you know what I mean, that amount of data. So that is the security quandary though, is the more data that we have, the more data we have to protect, the more critical we are about that data, the more regulation we have around privacy and other things. So we’re in this, hey, I need data to survive. I need data to be productive in this new digital world. I need to be able to have all this data, collect all this data, use all this data, but at the same time, how do I meet my privacy regulations and privacy burden?

Christopher: Right. Real quick I was going to say that back to your kind of original point about you have to have at least these minimal controls or you can’t open the door. You know what I mean? Because you’re so vulnerable or you’ve created something bad. So surprisingly I have to admit when I thought my coverage area, the acronym is AIRO: analytics, intelligence, response, and orchestration. I cover SIEM tools. I cover network intelligence and threat analytic tools, AKA the Vectra Darktrace. I cover device vulnerability assessment, application vulnerability assessment. I thought that all of those technologies would have a tough year in terms of revenue because I kind of saw those as almost on-premises tools. What’s really happened to the part of control points is you still need a SIEM to prove that you’re taking care of your logs and your data and your monitoring and compliance reporting.

Christopher: That’s not an optional. So the difference in SIEM is it’s moving more from an EPS model towards a user seat model and some SaaS-based thing. So that’s just a little bit different in 2020. You do need the network intelligence or something where you’re looking at things and going, well, I need to reconcile my user behavior, port anomalies. You can do that through either SIEM or network intelligence. Long story short, for all of my discrete tools, I thought it was going to be a… And it has been a lesser year than I thought it would be if you’d asked me in December. But some of these businesses are really thriving because it’s the only way to get visibility over multiple VPNs or multiple co-location points. And those are the tools that actually were adaptable and extensible. So it’s been an interesting year from that part of it, from the security vantage point.

Timothy: Yeah, absolutely. And that’s what we’re seeing is that tools are still critical. They’re even more critical than they were before. Is your network up and running? Are your servers well configured? Are we able to collect all the data into the SIEM? All of those things are necessary to be able to keep your business running and keep your business healthy. One of the big points that I want to make sure people realize, one of the things that I am convinced about, the companies that come out of the end of this are the companies that have been IT centric. I don’t think we’re going backwards from an IT perspective. I think IT is going to be even more critical to businesses going forward. So I’m a glass half full on this one completely, that IT is absolutely positively necessary to help with this transformation and make companies successful.

Chris: As we talk about the transformation and both of you have talked about the different sources of data and how that has impacted us specifically over the last six months here. I think the question then becomes what else can we offer this audience in terms of what IT security measures you can take in order to minimize risk, in order to keep the company data secure?

Timothy: Yeah, absolutely. I’ll start with some of the ones that I have here and Chris can add on. So always start with a good cyber hygiene, Chris probably has the numbers better than I do, but a very high percentage of the actual breaches and actual exploits that we see that occur because of just cyber hygiene. They occur because people aren’t patching aggressively. They occur because people don’t have the basics in place. They occur because people have too many access rights, too many things. Take care of your people, take care of your infrastructure, make sure you’re patching it, make sure that you’re not susceptible to general drive-by bad guys. And always, always, always start with those before you go to the next things. Right.

Timothy: The next thing is reassess your crown jewels and your mission and business critical resources, because they probably changed. The things that were not so mission and business critical like people’s homes, people’s home offices, people’s equipment at home. For your critical people that are working at home, protect them differently than protecting just your normal people. So understand that these 20% of your population can actually do material harm to you. And for those 20%, yeah, maybe you’re going to force some home for VPN for everything. Maybe you’re going to manage and control their home network. Maybe you’re going to make sure that their machine gets locked down much more regularly so that you can’t have common use on it. Somebody’s kid can’t come in and just play on the machine and get you into trouble, or go off to browse somewhere and get it infected.

Timothy: So think about that 20% of that are people are special and treat them special. And that goes into embracing remote everywhere and understand that you’re going to have people coming from everywhere, having machines they never call home, but still need to be managed well.

Timothy: We talked about the network not being a control point anymore. So again, important component. Monitor more and that’s one of the things, Chris brought up about SIEM still being important. We have to monitor more and look for abnormal. One of the things we didn’t quite talk about is that in this time of change, change equals more security risk, it really does. So we’re in a time of some more unemployment than what we’ve had before. More unemployment makes more people go to that dark side of security. More political unrest means that there’s a lot of global activity that companies can get kind of sucked into the collateral damage. So one of the big things that I tell folks is that they should consider the second half of 2020 having a higher risk than the first half, and last year, we really are at a different risk level than we were simply because the environment changes so much.

Christopher: Hey Tim.

Timothy: Yeah?

Christopher: I was going to say, I feel like this is going to date me, but when we watched Welcome Back, Kotter, I’m Horshack, ooh, let me in, let me in. All of that’s true. And I can tell you that one of the exercises that we did here was is our boss made us listen to earnings statements from three or four companies. And I can tell you that, I’m not just mentioning competitors to be a jerk, but it’s like Splunk and Qualys and Rapid7, all of their CEOs on the earnings said the exact same thing, we’re okay, we feel like our business is resilient. We like what we’ve done. We cannot account for civil unrest. We cannot account for the presidential election. We cannot account for the second batch of COVID. If there is one, a second wave, or if there’s a longer implication for not having vaccines.

Christopher: So that part of it is true. And I also wanted to add a couple of little things in with your mantras about the security part of it, because I thought again, all of that online I wanted to add that for good cyber hygiene, I’m a big big fan of the SANS top 20 controls. If you deploy five of them, you will cut down on 98% of your intrusions. And I think you’re going to cover about 90%, 95% of all compliance standards. So if you have to go to PCI DSS and go, we did these things, you’ve knocked out 95% of them. There’s not a significant difference between FedRAMP and NIST, and PCI DSS, to monitor your stuff, count your stuff, and make sure you have basic protection. So you do that. You move over, and you’re always in the good space.

Timothy: Yeah. And just don’t discount. Right? We say that cyber hygiene, but is basic cyber hygiene, but basic cyber hygiene is hard. Okay. So believe me we’re not saying that it is easy and you should, just do it. It is, yeah, do it, and it’s a lot of work and it’s hard and it’s difficult and it’s grunt work and it’s not fun and it’s not cool. But if you do it, you are much better protected than if you’re focusing on, I’m just going to buy the next fancy tool.

Christopher: I think you just described what it takes to be a good husband too, but I’m not married. I couldn’t resist. No. And there’s a couple of things I wanted to add to it too. I liked the idea of automate as many things as possible because you’ve got real… Your adversary, they get to pick the battlefield. You have to automate as many of those procedures as possible. And not even just on a security level, there’s weird things that are coming up now where you want to automate your Active Directory with something like your VPNs or your overall network, just so you could know who the users are. They’re not just IP or MAC addresses. That’s something that needs automated. You want to try to, I know we’re going to talk about a little bit later, but you want to flatten the difference between your SecOps, your DevOps, and your IT ops teams, that’s completely important.

Christopher: Everything in your network counts unfortunately, your identity and access management counts, your IT counts. If your network is somehow gummed up, because it doesn’t understand all the pipes coming in, well, that’s a real bad thing for security, because a lot of things like firewalls and intrusion detection and protection systems are based on events per second. So now they’re conflicted and they either drop packets or they let people through. They’re not quite there. So even though there’s clutter, you have to understand all of that. And one of the notes when we put together this podcast document, document, document, understand what you did well, understand what went awry, just know it. There’s a thing that I’ve always called COVID kindness. Well, it’s not just me, it’s what we were putting up with. Putting it together in IDC is that, look in this era, it’s going to matter if your employer shows you empathy.

Christopher: It’s going to matter if your distributors who you might have to put onto a different part of the network if they show empathy. If you’re delivering tools and services, you can’t get so snarky that you want to hand it to the IT guy. You’ve got to do a little bit of handholding. Because these are all conditions that none of us created. And the basic ideas about good citizenry, I think, are going to matter in business now, but I think that they propel you in the next two or three years. People remember how cool you were and how much you helped. I really do believe it.

Timothy: Oh yeah, absolutely. Absolutely. And it is important from a number of different perspectives. One of my buddy companies was big into oil and gas. And when oil gas had a tough time, like three or four years ago they basically brought us into the room and said, “Yep, those vendors who stick with us through these times will be the vendors we spend millions of dollars with. Those vendors who don’t understand that we were going to need to long-tail stuff, we’re going to need to take our PCs and make them last five years. We’re going to need to do these things. Those people that work with us, we’re going to be with them for the next 50 years. Those people that don’t, we’re never going to work with again.”

Timothy: So it’s the same type of model. We just have to show that empathy, show that kindness, and it pays back in dividends. You just have to be patient with it. And that goes for your direct clients, that goes for yourself internally, that goes for your employees and your people. It’s a really great point, Chris.

Chris: Chris, when you brought up automation and finding creative ways to automate, have you found that companies have almost like it was a luxury before and now because of 2020 they have kind of been forced to find some of these ways to become more efficient?

Christopher: It’s perfectly put Chris, it’s exactly for the reason that you think, but it’s also for the same reason that some people put ketchup on eggs and fries and everything else. Once you get comfortable with the idea of automation, it’s not just a force multiplier in that, yes, you get cost optimization, you get a couple of other things. It also becomes sort of habitual where you start tying things together. You do start thinking of your IT and your network availability in the same context of what I’ve got to do to keep that continuing, as far as patches go, or putting devices isolating endpoints temporarily. It’s not a gold medal thing unless you land the dismount. You know what I mean? That’s the whole thing. It’s helped on several levels.

Timothy: Yeah. And just becomes part of your DNA. You do it once, you automate it the second time. You never do the same thing three times. And if you can get into that mentality, you start seeing I have code that does that. I have code that does that. I have code that does that. And as you progress down that path, you start becoming more and more and more efficient, but it is definitely a mentality as much as it is a process and people thing.

Chris: Over the last half hour or so, we have talked about a number of changes that are impacting every discipline of IT, ITOps, DevOps, SecOps. And I think on the last episode that the three of us did together we talked about how some of these groups are working in silos before the pandemic.

Chris: So here in many cases they’re not even in the same building together anymore. So when we talk about some of these challenges, Tim, how do we start to bridge the gap between operations, development, and security?

Timothy: Yeah, absolutely. And right now it’s more important than ever. And it’s a little bit harder. So it’s not going to happen if you just sit back and don’t do anything. It’s going to happen if you invite your counterparts to the right meetings, it’s going to be over inclusion. It’s going to be actually everybody working towards these goals together to collaborate because we’re losing the water cooler talks, we’re losing the hallway talks, we’re losing the talks that often drive a lot of the innovation and the direction that we’re going.

Timothy: So it’s so critical that you be overly inclusive, make your meetings a little bigger. It’s okay that they’re not as efficient as what they would have been before. We’re in a different world, but that different world requires collaboration to be successful. Plus use tools, use the same language, try to combine on platforms, try to make sure that you are having mechanisms that help you communicate on the backend, but don’t forget the people part of it. Don’t forget that teams need to collaborate and when you need to collaborate it’s okay in today’s world to say, “Yep, I’m going to invite an extra three people to my meeting because I think they should be aware of this and I’m not sure if they’re going to be.” So it’s okay to be a little bit less efficient to be able to gain that collaboration that you need between the groups to move forward.

Christopher: Let me add a couple of points of color, I think that are important with it. You’re exactly right when… Let me add three things. The first thing I’m thinking of is the adversary. So the adversary, I think about the attack cycle, the adversary can be on your computer at the time of BIOS. So you’re turning your computer on, the adversary starts there. And the adversary could be, after I shut down my Amazon purchasing thing, they’re in an SSL/TLS cookie, and the adversary can be anywhere in between. So you do have to have visibility on it, you have to understand it, you got to be tight.

Christopher: Secondly, there can’t really be uberous between security and IT. I think about a very common thing where if I’m a security guy and I go, “Oh, we need a patch. We need the new OS 10 patch. We could use a patch for Office 365.” I throw it over the wall and the IT guy’s like, “I don’t care. Whenever I want to do it, or hey, this would be good if we could do these things in the firewall, somebody write this instruction set.” Well, that’s great. All that’s cool. So you do have to have a sort of a [inaudible 00:35:46] between everybody and make sure that you’re on the same page and it’s more necessary than ever.

Christopher: And I would also tell you, and we’d talked about it a couple of different times that you do have to do things based on risks. So you certainly can’t have your most sensitive assets exposed. You almost want to instead of think of things as security, IT, or NetOps, you do want to think of it as the financial server PII information. I think that might be, you do want a way to think of it in a unified way, because you do have to worry about your indemnities especially in a risky time. I overblew that, but my whole point was is that risk is an important monitor in all this.

Timothy: Absolutely. And prioritization you spoke to, and it’s so important. One of the things that made a big difference that we did internally. We consolidated our systems and essentially any type of security issue that comes up, for us it’s put into Jira, it’s marked with a security tag, that security tag has a CVSS score on it. And no matter where it came from, whether it came from an external scan, whether it came from an internal scan, whether it came from internally reported, or came from outside, they all follow that same process. And then there’s expectation based on this level of CVSS score. It has a path that goes forward. But we all understand that in the organization and it helps us drive communications over the same channel, over the same platform, over the same model. And really makes us be speaking the same language throughout the process and have the same expectations. So that’s something that I think we all need to do. If we’re all working in different systems, it just falls apart in some ways, it makes it much harder.

Chris: We’re gonna wrap this up here, I know we’ve covered a lot of ground. I want to bring it back almost to where we started. Things are different, October is Cybersecurity Awareness Month. It’s for all of the aforementioned changes, it is much different in 2020. And the things that are on people’s minds are different than maybe they have been in years past. Chris, I’ll start with you for any final thoughts on what you expect the impact of all of these changes to be. And maybe some things that folks should keep top of mind.

Christopher: First of all, keep Tim Brown in your life. He’s up more optimistic than most. No, I’m dead serious, there are some cool things. Let me give you one thing, when Tim says that you’re thinking different doesn’t necessarily mean worse in many ways it could be better. I’m going to give you a quick set of numbers that we tracked at IDC. When I started here in 2018, we divided companies up by digital adapters and digital laggards. So we felt that 41% of companies were digital adapters and 49 were laggards. And now we think that it’s 58 to 42, and that was going into 2020. Now, I’m just using this idea, the reason why they put those things together is they looked at manufacturing. So they took all of these companies and said, “If you’re a laggard or you’re an adapter.” And this is we’re talking about manufacturing, so this is things like cars and airplanes, and really heavy.

Christopher: And we found that the digital leaders were increasing their revenues by 2.4%, actually more precisely the number was after costs, they realized the 2.4% gain over the companies that were lagging. So digital transformation while it’s really difficult to do and we’ve talked about the different phases and it may be not fun. Sometimes they say greatness is sometimes thrust upon you. But the idea with this is that if you can do it, if you can have grace under pressure, some of this digital transformation is going to go straight to your line of business and ultimately make you a better company, whether you like the medicine or not. So that’s my biggest takeaway from… That’s why I was complimenting Tim on his earlier optimism. There are some points of this that are going to be okay and not so bad in the future.

Chris: Tim, we’ll let you close with a final piece of optimism here before we run out of time on the TechPod. Bring us home on a happy note here.

Timothy: So just the optimism is absolutely there. I do believe that IT-led companies are going to be more and more there. And I believe that we will come out of this, like what we’ve come out of many different environments in the past 100 years. We’re going to come out stronger.

Timothy: But it is going to be important from a security perspective to make sure that we are taking care of the basics, making sure that we are paying attention to security. The bad guys will adjust just as quickly as the good guys adjust, they have forever and ever, and ever. So we must adjust as well. So stop thinking about security, think about risk, think about the risk that your company is facing in these new models. Adjust your approach to risk. Security tends to be a binary on or off, bad way to think about it. Think about risks. Think about what risk you’re willing to accept in the new model and adjust to that. So I am optimistic. I expect we’re going to come out of this stronger as a whole world. And I think that it is going to be an exciting time. Exciting times are fantastic for us to look forward to.

Chris: Well, Chris, Tim, thank you both so much. It was a pleasure speaking with you guys. I get smarter on each of these that we do. So thank you so much for making time for us today.

Timothy: Thanks Chris, it was great.

Christopher: Chris, you were excellent too, sir.

Timothy: And you too, Chris.

Christopher: Thank you.

Chris: Thanks too. We’ll let Tim eat his Brussels sprouts. Thank you for listening to TechPod. For a copy of all of this research and other useful security resources, be sure to visit the SolarWinds Trust Center at SolarWinds.com/trust-center.