Building Security Into Products, People, and Processes: Tech Talk With SailPoint’s CISO


Heather Gantt-Evans, chief information security officer at SailPoint, joins Neha Pradhan for a conversation that is part serious and part light-hearted on this special episode for Cybersecurity Awareness Month. They discuss why building security into products, people, and processes is a priority for enterprises and how to find the right balance between driving cybersecurity strategies. Both talk about meeting identity security needs, how big a threat shadow IT is in remote work environments, the importance of cybersecurity awareness training, building a security-first corporate mindset, and more.

Here are the edited excerpts from our interview with Heather Gantt-Evans:

  • 0:00: Introduction

Hello, and welcome to the eighth episode of Tech Talk brought to you by Toolbox. I am your host Neha Pradhan, and I am here today with our special guest Heather Gantt-Evans, CISO, SailPoint. She is responsible for SailPoint’s next-generation cyber strategy to decrease risk and exposure points across the business and increase collaboration between teams. Heather brings an impressive depth of knowledge around cyber transformation and security experience. On today’s special episode for Cybersecurity Awareness Month, Heather and I will discuss why building security into products, people, and processes is a priority for enterprises and how to find the right balance between driving cybersecurity strategies.

Heather, it’s a pleasure to have you on the show. Thank you for joining me on Tech Talk.

  • 1:24: How did SailPoint redefine its approach to identity security during the pandemic?

Yeah, thanks for the question. I still view myself as any other customer of SailPoint’s technologies because I use them every day. So, speaking from that lens, the things that excite me most about using our products is our strong focus on meeting the end-user. For an identity solution to really meet the needs of the customers, the solution must be able to adapt to the customer’s environment and operational capacity. I appreciate that we have a strong focus on automation to help alleviate the operational burden of running an identity security program in the first place. And then, we also leverage an immense number of integrations and end-user customizations to allow the solution to fit into the environment and meet end-user preferences.

Then last, but probably most important, we focus on securing all types of identities, which is important for any approach to identity security. We focus on human and non-human access to shadow IT, which is why we recently invested in our SaaS management solution. It helps discover shadow IT so that the identity security team can then manage access to previously ungoverned applications.

As for the pandemic, I personally believe that the pandemic just accelerated the move away from perimeter-based security to identity. The world we work in now is not just bring your own device (BYOD), it is bring your own environment. So, we cannot manage all those environments, but we can understand who has access, what do they have access to and what are they doing with that access?

  • 3:56: How big a threat is shadow IT in remote work environments?

Yeah, that’s a great question. And most shadow IT these days is related to SaaS applications, which is what you were saying with the cloud applications. And so shadow IT is a massive security threat for a few key reasons. First, shadow IT apps are not managed by IT or secured by the cybersecurity team.

This means that the company has no control over the protection of the data in those apps or insights into the third-party cybersecurity posture. Just because an application is popular doesn’t mean it’s secure. It also means that identity and access governance has not been established for those applications, which can lead to people retaining access to applications when inappropriate. For example, after they are fired or after they moved departments, which could result in segregation of duties violations.

Another impact is the degraded ability to provide assurance to compliance auditors that all applications leveraging company data are meeting relevant compliance standards. And then lastly, if a data breach did occur due to a shadow IT app, it can place the company in a double jeopardy situation due to the likely policy violation that resulted in the use of the shadow IT in the first place.

The best way to manage shadow IT is first ensuring IT and third-party risk is part of the procurement process. Secondly, ensuring a robust IT front door policy and procedure. And then lastly, leveraging shadow IT discovery tools or other asset discovery solutions to help discover that shadow IT.

  • 6:20: What steps can enterprise IT teams take to gain visibility into the state of remote endpoints?

That’s a hard one. If the device is connected to your network, there is a way to get visibility into it, whether it’s through logs, network and cloud monitoring, asset discovery, et cetera. But I think beyond visibility, the next step is really the important one. And that’s ensuring that you’re enforcing policies that deny access to company-managed assets if the assets attempting to connect are missing key security controls. Then define what those required security controls are and make sure they’re in place. Have your anti-virus up or your operating system up-to-date, and ensure you have policies in line to enforce.

  • 7:49: What are the hidden gaps in zero trust protection that businesses could overlook while replacing legacy security solutions?

Well, I think as far as replacing legacy security solutions, I would say that the intent of zero trust architecture is not necessarily to replace legacy security solutions. For example, we’re not ever going to get rid of the firewall or endpoint protection or SIEM, but what we are doing is re-centering around the identity as opposed to the perimeter.

I think the closest we will get to retiring a legacy solution is with the retirement of VPN, as we get more confident in our ability to provide just-in-time access, ensure MFA for all access, monitor access anomalies, et cetera. But I’m not sure we’ll see too much change in the suite of technology controls.

I think we’re just going to get better at making sure it’s all a connected ecosystem centered around the identity itself. As it pertains to gaps, there are always going to be gaps in security. We just have to do our best to ensure that we’ve got strong architectural strategies in place and strong, continuous monitoring.

  • 9:30: How can businesses become more confident in terms of cloud security before moving their entire workloads to the cloud?

I want to be tangible in my advice on this one. So first I would advise to invest in a cloud security architect and ensure that architect is well supported with a strong architectural review process. So, making sure that the teams that are moving to the cloud are leveraging the cloud security architect for those architectural reviews. And then for continuous monitoring, it’s important to have a robust cloud security posture management function, to include a technology that helps people whose day-to-day job is to monitor the cloud security posture.

  • 11:25: Do you think a great zero trust strategy can open new revenue streams or minimize the financial impacts of a data breach?

I don’t know that we will be able to open new revenue streams for the business, but I do think we will be able to help reduce operational costs and minimize breach impacts with more advances in AI and making data-driven decisions around identity security risks. So, that’s an exciting area of emerging innovation right now that I see. To be able to impede the security with the right AI data-driven decision-making, that’s something I look forward to seeing improved drastically over the next few years.

  • 12:40: Can you share why cybersecurity awareness training is important in the hybrid work era?

Now that we are in this bring your own environment world, we must consider educating not only on how to spot a phishing attempt, but also on how to secure your home network. This is something I think our IT team does a great job of, and I really appreciate it. In the hybrid work era, cybersecurity training can also become a source of community with fun things like gamified tournaments, escape room-style training, and lunch and learns. All of which are so important in our work from home reality, where the opportunities to bond and engage are not quite what they used to be.

  • 13:45: What advice do you have for CISOs to facilitate and build a security-first corporate mindset?

Yeah, I would say first it’s important to really map out what services you’re offering to the business. I think that’s important because it helps ingrain a customer service-oriented attitude. Once you’re centered around what services you’re offering, it’s important to have customer-friendly, thoughtful interactions through easy-to-use frequently asked question pages, help contact information, and ultimately leveraging that customer service-oriented attitude as a focus area. We don’t always want to be the blockade.

We want to help them find the path to yes. And then conducting outreach to market your service and solicit customer feedback. We can’t be a basement-dwelling team. We must be connected and centered around common goals. And the only way we can do that is through outreach and soliciting feedback, and then making security training and awareness as fun as possible. Gamify it, do fun stuff for Cybersecurity Awareness Month, reward participation. All these things can go a long way toward bringing the cybersecurity mission and team to the center of the organization.


Heather Gantt-Evans is SailPoint’s chief information security officer (CISO). In this role, Heather will design SailPoint’s next-generation cyber strategy to decrease risk and exposure points across the business and increase collaboration between teams. Heather brings an impressive depth of knowledge around cyber transformation and security experience to SailPoint. She joins SailPoint from The Home Depot, where she acted as the company’s senior director of security operations and resilience.

SailPoint is an identity security provider for the cloud enterprise. The company is committed to protecting businesses from the inherent risk that comes with providing technology access across today’s diverse and remote workforce.

About Tech Talk
Tech Talk is an interview series that features notable CTOs and senior technology executives from around the world. Join us as we talk to these technology and IT leaders who share their insights and research on data, analytics, and emerging technologies. If you are a tech expert and wish to share your thoughts, write to 

How is your company prepared for Cybersecurity Awareness Month? Share your thoughts with us on LinkedIn, Facebook, and Twitter.