Defense in Depth: Building a Data-First Security Program

Could you build a data-first security program? What would you do if you focused your security program on just the asset?

Check out this post for the discussion that is the basis of our conversation on this week’s episode co-hosted by me, David Spark (@dspark), the producer of CISO Series, and Steve Zalewski. Our sponsored guest is Brian Vecci (@brianthevecci), field CTO, Varonis.

Got feedback? Join the conversation on LinkedIn.

Huge thanks to our sponsor, Varonis

On average, an employee can access 17 million files on day one. Varonis will show you where critical data is vulnerable, detect anomalies, and automatically right-size privileges to get you to “Zero Trust.” Their data security platform can test your ransomware readiness and show you where you stack up. Learn more at www.varonis.com/cisoseries.

Full transcript

[David Spark] Could you build a data-first security program? What would you do if you focused your security program on just the asset?

[Voiceover] You’re listening to Defense in Depth.

[David Spark] Welcome to Defense in Depth. My name is David Spark, I am the producer of the CISO Series, and joining me for this very episode is Steve Zalewski. Steve, say hello to our audience.

[Steve Zalewski] Hello, audience. Great to be here again.

[David Spark] You know what I would do if I was on one of these other podcasts? I would say, “Hey, Steve. How’s your weekend? What’s going on?” and then we’d have the pointless banter up front that drives me crazy. Guess what, Steve? I don’t care about your weekend. No, what I do care about is our sponsor, Varonis. Thank you, Varonis, for sponsoring this very episode. In fact, they’ve been a phenomenal sponsor of the CISO Series and we greatly appreciate Varonis’s support and we want you to as well support them. But what’s great about Varonis is they brought our topic and our guest for today’s discussion and it is data-first security. And, man, this really is the whole game, data-first, but wow, we are all over the map in our security programs that often have to do with walled gardens, east-west traffic, this, that. Which some of it has to do with data, some of it doesn’t, user permissions, which is important, like, there are things that are important but what if our program was just data-first, Steve?

[Steve Zalewski] Well, I was a little tongue-in-cheek when I said we know how to do this, we’ve known how to do this for years, we got all kinds of people, processes, and technology. So, what’s holding us back at this point? And that was kind of my tongue-in-cheek.

[David Spark] Because crazy complicated is the answer to that.

[Steve Zalewski] And the reasons why it’s crazy complicated, I think, is really the conversation for today, is this is another snowflake problem. No two people have the same requirements for their company and it’s the devil in the details here that makes it so complicated.

[David Spark] Excellent point. And to help us in this discussion, a guest we’ve had on the other show who’s phenomenal and so thrilled to have him back on again. He is the Field CTO over at Varonis, our sponsor guest, Brian Vecci. Brian, thank you so much for joining us.

[Brian Vecci] Thank you for having me once again, looking forward to it.

What’s the situation?

2:29.493

[David Spark] Rob Sobers of Varonis – your colleague, Brian – he kind of puts together three items that we should all understand with our situation. One is do I know where my sensitive data lives? Two, do I know that only the right people have access? Three, do I know that it is being used appropriately? “In practice, answering any of these questions, let alone all three, continuously and comprehensively is an immensely difficult technical hurdle,” his quote. And Justin Jacobs over at OneTrust said, “Data proliferation can get overwhelming, especially if you don’t know what you don’t know.” So, going back to your earlier comment, Steve. We know how to do this but super crazy complicated. Because Rob Sobers’ three questions seem really good, but wow, we should know the answer to those but we don’t.

[Steve Zalewski] Agreed. And here’s where I’m going to go with this is those three questions are the right three questions but they’re the correct technical questions, so to speak. Which is if I’m responsible for protecting, this is all I need and I can do my job. The reality and the details is but that’s not how the business presents the problem, right? The business has this issue of wanting to replicate data, so I’ve got dark data out there or grey data that I don’t know about. They want ephemeral data, they want to be able to create large data lakes and then rip them back down because they don’t want to pay to keep them stored. They don’t have retention policies because it’s too hard. Digital transformation and the introduction of shadow IT and stealth IT, that’s the reality that we’re talking to, yet the technology of who has access to what gets lost. And then finally, production data in non-production environments, the rebellious developers, right? These are the kind of systemic issues that really were coming out as we were having these conversations that lead to why it’s so hard.

[David Spark] Brian, are these the three right questions to ask?

[Brian Vecci] I think so because if you look at a given data set, whether we’re talking about production data in a non-production environment, data that’s in a data lake, business data that’s being used internally, externally, or usually a combination of both, if you know what it is, whether it’s got intellectual property or PII or other sensitive information, you know why it’s important, who it belongs to, and you know how it’s being used, and you know not only who has access to it but whether it’s exposed. If you can answer all those questions, you know whether it’s at risk, whether you can get rid of it, whether it has the right security controls, whether it’s being used appropriately. But if you can’t answer any one of those questions, and what Steve really gets to the core of here, is that for most data sets, doesn’t matter what the use is or why it’s being created. He’s right, it’s a snowflake problem, every organization, even every department in every organization is different.

It’s incredibly difficult to answer even one of these questions. What is this and why is it important? Who’s using it and is that appropriate or not? And is this data accessible by only – Rob asked the questions people – but so much data is accessed and created by applications these days that are interconnected as well. Do only the right people have access? If you can’t answer that, how can you prove that it’s secure? If you don’t know how it’s being used, how do you know whether you can get rid of it or whether that use is appropriate or not? And if you don’t know what it is, how do you even prioritize? Otherwise we end up boiling the ocean. I think for any given data set, answering these three questions is both critical and incredibly difficult because the how you answer them changes.

[Steve Zalewski] Yep. And I’m going to riff on that for a minute because then I’m going to say and then there’s the who cares reality. Which is the business and digital transformation is the business being able to fail fast, yet the responsibility on security is we can never fail. And so the business doesn’t even care about those three questions because they’re being driven by a different metric.

What else is required?

6:35.399

[David Spark] Yaron Levi, CISO of Dolby, said, “Even if data classification policy exists, data is almost never classified and tagged at the point of creation. All the tools that try to classify the data after the fact fail miserably.” And Abhishek Singh of Araali Networks said, “Data needs to be encapsulated by an app/service, never directly exposed. Data security then becomes an app/service access control problem.” Interesting take. And Jonathan Waldrop of Insight Global said, “Data security is difficult because you almost never get to do this in a pure ‘greenfield’ environment.” These are all really, really good points in that it would be great if it’s classified at the moment of creation. It’s not. We can’t go back to greenfield. Just nobody has a greenfield situation right now. And then it would be awesome if data just stayed within the app and never left. Brian, how could we get to any of these points?

[Brian Vecci] Well, I think as much as I love what Jonathan said, it would be great if we had a greenfield environment but we never do. There is no greenfield business, it doesn’t exist and whenever there is, there isn’t the requirements for this level of security and data protection so it never happens. As for data needs to be encapsulated by an app/service, that’s great in theory. Eighty percent of data is in file systems on premises or in cloud stores like 365. The app or service are the people that are using it. And going to Yaron’s point, he’s right. Even if data classification policy exists, data’s almost never classified and tagged at the point of creation. Did you know that users will tag or classify data differently – the exact same file, the exact same content – depending on whether they’ve had lunch or not?

[David Spark] Really?

[Brian Vecci] It is absolutely true. So, you can’t rely on data to be tagged at the point of creation simply because people are unreliable. I do disagree with him that tools that try to classify data after the fact fail miserably. There are ways to do this in an automatic way and you can use combinations of manual tagging, automatic classification, and policies to dramatically reduce risk. But all of these things are true, so if they’re all true, how do we protect our data? Well, we start by understanding what it is and then going back to Rob’s point. If you can start to answer those three questions, which is different for different processes, different data stores, different collaboration platforms. That’s why this is so complicated, which is what Steve said right at the top.

[Steve Zalewski] And what I’m going to call out on what else is required, these are all true, your lawyer better be your best friend at this point. And the reason why I say that is traditionally we’ve been trying to protect business data and worried about the classification of the business data. And more and more now, it’s all about the consumer data and the PII. And that is not managed by our business, it is not managed by IT for those policies. That is now a legal conversation that you have to have with your chief data privacy officer based on the countries of origin of the data, the laws in that country as to allow what can move when and how. So, even if you owned the problem, and let’s hope you don’t, you really need your legal teams because they’re ultimately the ones that have to interpret the policies and you’re going to end up owning the implementation of the policies. And so I want to be very clear which was if you don’t have your legal teams and your chief data privacy officer, the data protection of the business data is the easy problem now, and you really need to get ahead of the consumer data problem that most companies have because that’s the one that is outside of the control of the business or IT.

[Brian Vecci] I think what’s really interesting just to riff on that a little bit is that oftentimes, that PII or that consumer data ends up in places that the business, IT, security, and legal don’t expect at all. The number of privacy officers that I’ve talked with after we’ve done a risk assessment and shown them that they have 350,000 folders that contain UK VAT numbers that are open to every single person in the company is, well, a lot more than zero. One of our customers did an analysis in the runup to the GDPR where they were looking for the PII of European citizens. And they started by doing surveys of their business and trying to understand the data flows. How did they get in, how is it processed, how is it ultimately destroyed? And what they found was that a single personal record, the personal record of an individual, existed between one and two times in their structured database systems and applications. Going back to Abhishek Singh’s comment, data needs to be encapsulated by an app or service, and that’s great. It was being treated appropriately and it showed up in all of their business surveys.

That same personal record, once it got into a file because somebody had created a chart or a spreadsheet pivoting out of a database, once it got into a file, that exact same personal record existed on their systems between 17 and 18 times. Because somebody would create a spreadsheet and they would create a spreadsheet version two, and then version three, and then version four, final draft, real final draft this time, revised, revised, send it to somebody in an email, drop it on the departmental share, and it ends up all over the place. And now it’s in places where they’re completely blind, they don’t know it exists, it’s not monitored at all, they have no idea who’s got access to it or who’s supposed to use it, and it’s completely outside of the bounds of any control from either the privacy officer, IT, security, let alone the business, just because it ends up everywhere.

So, I think what’s happening is data kind of finds a way, going back to the Jurassic Park quote. Data will end up in places that you don’t expect, accessible by people that you don’t expect to have access to it, being used in ways that you don’t know about, and it goes back again to answering those questions. So many organizations are completely blind, especially in my experience the privacy officers.

[David Spark] So, this is a warning. If you do this, we’re going to have dinosaurs roaming through our offices. Correct?

[Brian Vecci] That’s my view of the world.

[David Spark] Brian has put down the warning to all of us.

Nothing will happen until we take action

12:26.500

[David Spark] Yaron Levi, CISO of Dolby, once again said, “Almost always the proposition from security vendors sounds exactly the same ‘our tool will give you visibility’ but without having a proper strategy, policy, and process in place before buying a tool, said visibility is (often) not actionable and is nothing more than noise. Tools are needed but only after there is a plan and governance process in place.” And Matt Black of Minted said, “It’s important to teach the data owners about the risks in collecting and storing the information they want to have.” And lastly, Paul Culligan of Data Defense Solutions said, “If exec leadership held the heads of the various lines of business accountable for their ongoing data classification and data security, IT Security could stand a chance at building a program of effective controls around it.” So, having a plan seems like a good place to start, but like we saw at the beginning, just having that plan is not enough. It’s still not knowing the answers to those first three questions. Brian?

[Brian Vecci] I, again, couldn’t agree more. It’s tough to build a plan though when you don’t have any visibility. So, Yaron makes a really…

[David Spark] Is this a chicken and egg issue?

[Brian Vecci] Yeah. It kind of is. If you don’t have the visibility, if you don’t know what you have, where it is, how it’s being used, what’s important, you don’t really know where you’re at risk and you don’t even know what you’re going to measure and what target you’re shooting for, it’s very difficult to build a plan. And that’s one thing that we’ve seen over and over and over again. Even organizations that think they have a plan, once they turn on the lights, it’s like trying to clean your garage. Once you turn on the lights and you realize, “Oh, my goodness. Here’s the problems that I actually need to solve,” you can build a much more actionable plan. But if you try to put the cart before the horse and you try to build a plan without any visibility, you end up just building plans in theory that you’re never going to be able to take action on.

[David Spark] Steve, can you do sort of a little bit of visibility, build a plan, and then build a better plan? I mean, is that kind of the idea?

[Steve Zalewski] You can do that. There are probably a thousand ways to build a house. The question becomes not what’s the right way, what is the appropriate way given the limitations that you have. It’s all about requirements and scope I think is really where we’re driving at. If the business doesn’t want to take responsibility, what do you do? You’re powerless. If you’re focused on business data like I said, that’s yesterday’s problem, that’s an easy problem, because the business does own the data, it’s within your network, it’s within your company’s purview.

When you talk about PII data, the new world, I’m going to argue that the old world and the old rules, like I talked about the requirements and scope, have changed and here’s why. Business data, business owners, totally get it. They’ll claim they don’t know how to do it, don’t want to do it, are uncomfortable with the organization’s definitions, clarifications, classifications. So, then it falls to IT as the steward of the data to try to do the best they can and they point to Security. And Security sometimes will do the classification or Security will say, “We don’t know,” and point it over to Audit and Compliance. And so therefore they can do an assessment and tell the business, “You got to do this, otherwise we’re not SOX compliant.” See the way that everybody points the finger to the next guy in the chain? And before you know it you got this endless circle.

Now here’s what’s really interesting about that. When I look at consumer data, and I call it consumer, PII data, whatever you want, right, I go look. The new world is that the countries themselves that the consumer is in are the business owners. The countries are passing laws around what is considered PII and what’s not and what the consequences are. Your legal team is now the policy owner. They’re the ones that have to read the laws to interpret what they mean to tell us what needs to be protected or not. Well, they’re never in that role. That’s not a role they’re really comfortable with owning, they want to be a trusted partner and give you recommendations. IT is still the steward of the data nominally unless it’s stored in a SaaS provider, in which case it’s outside of our network and I got a third party risk hoping that they do it right. And Security either operates the tool if it’s on in-house data, or are responsible for managing the third party risk for the SaaS. That is completely different from the old world and so that’s what I’m saying which was so now we’re talking about I’m not building a house, I’ve got to build a hotel. And so let’s now have that conversation from ground up to make sure we know who’s responsible for what.

[Brian Vecci] The interesting thing about SaaS, and I’m glad you brought it up, is that it really is, of course, a shared responsibility model. Your SaaS provider is going to be, to use your hotel analogy, is basically giving you the grounds. They’re making sure that you have the ability to put locks on doors and hand keys to the right people. But it’s not your SaaS provider’s job, it’s not Microsoft’s job if you’re using 365 or T-Drive or Box or Salesforce or Okta to make sure that you’re giving keys to the right people. Going back to the original three questions that we’re trying to answer, what data do I have, your SaaS provider might give you a tool to do some basic classification but they’re not going to tell you what data’s important, you’re putting it there. Who’s got access to it? That’s not your SaaS provider’s job. It’s your job to manage access control. And how’s it being used, they can give you the logs but it’s not their job to determine, “Yeah, Brian should be accessing this data,” or, “Brian has absolutely no business accessing this data,” because he’s hijacked somebody’s account and is now accessing PII or business operational data that can bring us down. Once data’s in the cloud, you have a shared responsibility model and it’s still our job to make sure that we can answer all of these questions regardless of where the data sits, whether it’s on premises or in a SaaS.

[Steve Zalewski] Yeah. Well, at least the risk and compliance teams, they don’t know what to do either. So, that’s what I mean, which was the old feedback loop that was broken, we now have a new set of players and the feedback loop can be reestablished but even as we understand that it’s broken. And then the other point I want to make is structured versus unstructured data. And getting technical for a moment, structured data generally in a data store, in a database, got a schema, I know what it is. Unstructured data, it’s in maybe a spreadsheet, it’s in a Word document, it’s in a text file, it could be anywhere else. More and more, the data that we’re now trying to manage is unstructured, it is not residing in a data store in a business application per se. It is moving at the API level between any two business applications and they’re doing stuff with it. So, even looking at the old business paradigm of understanding that I can at least know what a Social Security number looks like or what a credit card number looks like, more and more I can’t rely on the schemas to know what it is. I’m trying to interpret what I would now call unstructured data and be able to determine that. Which is an incredibly difficult problem and we’re just making it worse.

What are the complaints?

19:49.624

[David Spark] Shawn Bowen, CISO over at World Fuel Services, said, “Corporate data (Office files, stuff on OneDrive, Box, etc.) versus operational data (databases, data lakes, etc.) and the strategies to address each. And if your organization happens to have a chief data officer, they typically only care about the ‘operational data’ so you only have half an ally there.” So, touching on what you literally just said, Steve. And Sanjay Sawhney of Tala Security said, “Although data security is much effective in the long term than other controls (network, endpoint, application), it is much more intrusive and therefore leads to resistance in operationalizing it in most organizations.” Interesting take there by Sanjay. What do you think about that, Brian? Do you think that people resist these sort of data security-specific tools?

[Brian Vecci] I think people have resisted them in the past because they have been intrusive and Shawn is right. It’s a much harder problem once you talk about files in unstructured systems. Steve said it as well. So, I think I agree with both of these takes and it means we need a different approach. Kind of modern problems require modern solutions. Most of our data these days is unstructured. That’s where the risk lies, that’s what we’re seeing. Every single breach involves files or emails, every single ransomware attack involves files since that’s what’s getting locked down. Sanjay’s right that traditional approaches have been intrusive. You need a different approach and manual methods just simply don’t work, just because a single terabyte of data has 80,000 folders in it. Now imagine you’ve got a petabyte of data. How can you possibly manage that with the old way of doing things? It has been too intrusive, which is why we need to rethink our security strategy and start from the data-first.

[David Spark] All right. Let’s give some uplifting positive advice from here on in, because it’s been depressing. Most of this is like, “Oh, geez. This is just a monstrous problem.” What is some basic where to begin advice, Steve?

[Steve Zalewski] Yeah, and I was going to go there, which was this is the tissue paper analogy, right? Which was people are just taking tissues out of the box for all the reasons why we can’t do it. And that became very clear when we did the post about why can’t we keep it simple and get it done. And you’re seeing all the history. Why I kept harping on looking at consumer data is move to where the problem is going. Let’s get ahead of the game, okay? So, what I said was really simple. If you’re a security practitioner and you have a piece of this problem, realize first and foremost the game has changed, the rules have changed, the field of play has changed. But if you’re not careful, you’re going to be left owning the inevitable defeat of a breach or an incident. And so that’s when I said first and foremost, your lawyer is your best friend. You have got to get them in the conversation with you and make sure that they own the part of the problem that you can’t, which was the policies for interpretation and they have to work with the business. So, what I say is leverage the fact that it’s a new game, learn the game, decide what role you’re going to play. Because you have the opportunity to define a new role as a security practitioner and set yourself up for success.

[David Spark] Brian, let me ask the question this way. If you’re able to answer any of the questions that were at the beginning, how does that change a security program? Meaning I’m asking this in a way that it’s like this is an effort worth going after because it will do what, Brian?

[Brian Vecci] So, the right way to think about this is when you start answering those questions – what do I have, where is it at risk, how’s it being used – it allows you to take effective action. You’re never going to be able to boil the ocean. There are too many files, there’s too many data stores, it’s too complex. But you can prioritize, you can measure, and you can take action. If you know what data you have and where important information like PII or intellectual property’s concentrated and where that data is accessible to too many people, 20% of data in a given organization is open to literally everybody in the company and the average user has access to 17 million files on the first day that they start. This is why we see companies failing over and over again, and ending up on the front page of the newspaper because they’ve been locked out of their data or they’ve suffered a massive breach. Nobody really has the understanding of what they have, where it’s at risk, let alone the ability to start effectively making changes. You need to start with, really, visibility – understanding what you have so that you can build a plan to measure and reduce risk. There’s ways to do this but you need to have the right visibility and metrics in place to do that.

Closing

24:46.016

[David Spark] Excellent point and a good point to wrap up our discussion. Now, we get to the point of asking what your favorite quote is and why. And by the way, this episode was packed with good stuff in terms of not just Steve and Brian right here but the quotes from our community. So, kudos to everybody on just that. And by the way, Steve, you’re the one who initiated this discussion on LinkedIn so thank you for doing that and thank you to everybody who answered as well. I’ll begin with you, Brian. What was your favorite quote and why?

[Brian Vecci] My favorite quote is one that we didn’t actually discuss a whole lot but Paul Culligan from Data Defense Solutions says, “If exec leadership held the heads of various lines of businesses accountable for their ongoing data classification and data security, IT Security could stand a chance at building a proper program of effective controls around it.” He’s 100% right. IT should report to Security and not the other way around. Let me put it this way – the organizations, the businesses, the enterprises that put Security at the top of the pyramid rather than thinking about it as something that needs to be addressed after the fact are the ones that are far and away the most successful in protecting their data. And the one thing that we’ve been saying, or really, dancing around this entire podcast is that data’s a business asset, it’s an organizational one. It doesn’t belong to IT. It’s not like your laptop or your phone or the servers or the network itself. If any of those break, you call up your vendor and you get a replacement. If you lose your data, that’s a business problem. So, we need to treat data as a business asset and we need to have security that is focused on it as a business asset.

[David Spark] And adding to what Paul Culligan said as well, I should mention that really teases the whole thing of classification does not happen at the point of creation. If it was owned by others and they understood the importance of classifying it, then it would become a much easier issue to deal with. Right, Brian?

[Brian Vecci] I agree completely.

[David Spark] All right. Steve, your favorite quote and why?

[Steve Zalewski] So, I have one and a half. First, the traditional is Yaron Levi, the CISO at Dolby, what we talked about a little bit earlier which is almost always the proposition from security vendors sounds exactly the same, “Our tool will give you visibility,” when in reality visibility is often not actionable, and that we’ve got to focus on the plan and the governance. Know what you are going to do rather than just go find stuff and then show people. And I think why I want that one is a lot of this episode is we have yesterday’s problem and we have tomorrow’s problem, so here’s your chance to look at plan and governance, to look at the new world of PII data, and establish the team that you’re going to work with and your role within the team. I think that is really heavy-hitting to me for this is how you get it right and you have the opportunity. This is a once in a lifetime for us, to look at that new coming problem and figure out how we’re going to own it, and for all the things Brian said.

The half, I want to go to Abhishek Singh from Araali Networks, “Data needs to be encapsulated by an app/service, never directly exposed. Data security then becomes an app/service access control problem.” And Brian talked a little bit about it but it’s a good idea. But I think where we’re actually going, and this is part of the next generation of capability, is we’re understanding now that patch management, what we did an episode on, vulnerability patching, is that we need to look further up the stack. And we got to get better at identity and access management so that we can identify that how the data is being used at a point in time may be the way as we go forward in order to be able to, in a real-time mode, determine if the exchange of that data is appropriate, and not simply rely on data classification. So, we’ve got to move the thinking from layers three and four up to layers seven and eight. And I think that actually is the genesis of where some new technology is going.

[David Spark] Awesome. Thank you very much, Steve. I’m going to use that as your closing comment, by the way. I also want to mention our sponsor again, Varonis. Thank you so much, Varonis, and for bringing Brian to us as well, for sponsoring us and supporting us. Brian, I’m going to let you have the last word here. By the way, I know you’re hiring. By the way, confirm, yes, you’re hiring at Varonis?

[Brian Vecci] Absolutely. As fast as we possibly can.

[David Spark] Practically everyone’s hiring right now and you’re all fighting to get great talent. But any last comments about the discussion here, how people can get in contact with you, how Varonis can help in this in any way? You have the final word here.

[Brian Vecci] Sure. It might not surprise everybody to learn, if you’re not familiar with us already, that Varonis is a data-first security company. And we focus on the data that organizations tend to have the most of and know the least about, which is file systems and unstructured stores, on premises and in the cloud, and the infrastructure like Active Directory and Azure AD and Teams and VPN that gets people access to that data. Varonis understands what data and what you have by looking in the contents of files, we look at all the access controls and the ways people get access to data, whether it’s SharePoint groups or Active Directory groups or individual ACLs. And we monitor everything, so we know what’s normal and what’s abnormal.

The reason that our customers use us and the reasons that you might want to do a risk assessment with us is that you can make sure that data’s properly protected, the right people have access to just what they need, you can prove that it’s being kept private. And that under whatever galaxy of regulations you need to meet, whether it’s GDPR, CCPA, SOX, HIPAA, or PCI, you can prove that those controls are in place because you’re monitoring everything with the right context of who you are, what device you’re using, and what that data is, and what you normally access. When something goes wrong, whether it’s an inside or an outside attacker, cybercriminal group or an APT, you know about it quickly and you can effectively respond to it, and our incident response services are completely free. So, if you’d like to learn more, go to varonis.com. We’d love to talk to you.

[David Spark] And if someone wants to get in contact with you, best way is…?

[Brian Vecci] They can get in contact with me on LinkedIn Brian Vecci, Twitter brianthevecci, Instagram if you want. I just got back from a ski trip and put some posts up there.

[David Spark] Well, everyone wants to see those.

[Brian Vecci] Yeah.

[David Spark] All right. Thank you very much, Brian. Thank you very much, Steve. By the way, Brian mentioned getting the risk assessment. I think a lot of times people don’t choose these because they don’t want to see the reality of their situation. It is better to know, people. Come on. Take advantage of these services like what Varonis offers. Know what you’ve got. It may scare you at the beginning, nobody likes seeing it. By the way, Brian, confirm me, you’ve never done a risk assessment and go, “Oh, my God. It’s perfect. You don’t need us.”

[Brian Vecci] I think once in 11 years did we, and we did a risk assessment on a single server that was actually pretty clean but in general a no.

[David Spark] No.

[Brian Vecci] And actually we don’t live in a world anymore where a CISO is saying, “I don’t want to know because then I’d have to fix it.” Everybody wants to fix it these days because it only takes one bad actor to ruin your day.

[David Spark] I know. But sometimes we’re a little scared. Anyways. I’m just reminding you, take them up on this offer. Thank you very much, Brian Vecci. Thank you to Varonis. Thank you to Steve Zalewski. Thank you to our audience for all your contributions and for listening to Defense in Depth.

[Voiceover] That wraps up another episode. If you haven’t subscribed to the podcast, please do. We have lots more shows on our website CISOseries.com. Please join us on Fridays for our live shows, Super Cyber Friday, our virtual meetup, and Cyber Security Headlines – Week in Review. We’re always looking for fascinating discussions for Defense in Depth. If you’ve seen one or started one yourself, send us the link. We’d love to see it. And when any of our hosts posts a discussion on LinkedIn, participate. Your comment could be heard in a future episode. If you’re interested in sponsoring the podcast, contact David Spark directly at David@CISOseries.com. Thanks for listening to Defense in Depth.

David Spark
David Spark is the founder of CISO Series where he produces and co-hosts many of the shows. Spark is a veteran tech journalist having appeared in dozens of media outlets for almost three decades.