Network security used to be the name of the game. But many see asset management and identity as the new perimeters. Does this mean network security is now dead?
Check out this post for the discussion that is the basis of our conversation on this week’s episode co-hosted by me, David Spark, the producer of CISO Series, and Edward Contreras, senior evp and CISO, Frost Bank. Joining us is Davi Ottenheimer, vp, trust and digital ethics, Inrupt.
Got feedback? Join the conversation on LinkedIn.
Huge thanks to our sponsor, HackerOne
Security tip of the week – Tenable
Jump to the full tip here.
To learn more about exposure management, go to tenable.com.
Full Transcript
Intro
0:00.000
[David Spark] Network security used to be the name of the game, but as we’re increasingly recognizing identity as our new perimeter, does that mean network security is now dead?
[Voiceover] You’re listening to Defense in Depth.
[David Spark] Welcome to Defense in Depth. My name is David Spark, I am the producer of CISO Series, and joining me as my co-host for this episode, he’s the new co-host here over at the CISO Series. We love having him. It’s Eddie Contreras, the CISO of Frost Bank.
Eddie, say hello to the audience.
[Edward Contreras] Hello, audience, and welcome back to another exciting episode.
[David Spark] It will be a good episode because actually, our guest is also one of our favorites as well, but I’ll introduce him in just a moment. First, our sponsor. Our sponsor, also one of our favorite sponsors because they’re a great supporter of the CISO Series, it’s Cyera.
Secure your data wherever it lives. More about exactly that a little bit later in the show.
Eddie, we don’t hear as much talk about network security these days. I mean, it literally used to be everything we talked about for a period of time in security, and Ross Haleliuk of Venture in Security wondered, that in an age where we’re focusing more on identity and running everything in the cloud, what relevance does network security have anymore?
And I will say, I remember going to an AWS event, this actually quite a number of years ago, like 10 years ago, and when I asked people about their IT department, they said, “What IT department?” So, many don’t have one. So, is this a diminishing investment?
Many companies that are cloud-first do not have an IT department. What will become of the network and network security? Eddie, what’s your thoughts?
[Edward Contreras] Everything changes over time, and I think that is the understanding of our environment. Anybody who gets into this field understands whatever cert you took back in the ’80s, ’90s, and 2000s, you’ve probably made some adjustments. There are probably new certs out there.
You can’t go and hang your hat on your Novell certification…
[David Spark] [Laughter] No.
[Edward Contreras] …with IPX/SPX routing anymore, but routing is still a thing. You have to understand, okay, the concept behind the cert, the understanding of the underlying foundational elements of what you studied, is that still present? And I think that’s the conversation people need to have is conceptually, are you still talking about two things communicating with each other?
Whether or not it’s network security or identity security, you’re still combining two areas that typically haven’t been combined in the past. And I think the theory there still is relevant, the theory there is still prevalent, and I think the reality now is it’s a constant state of change, a constant state of learning, and this concept will also adjust again in another 5 to 10 years.
[David Spark] And would it be safe to say that there’s some industries that just kind of hold onto the network given the nature of the industry?
[Edward Contreras] There are, there are. There are places that you have to communicate with that may not be within your geolocation. There are technologies that other companies may not be upgrading and you still may need to work with them. So, you have to be aware and understand.
I’m sure no one’s really using vacuum tubes anymore, and that was a way of communicating, but the reality is it’s not there anymore, but there are still the need to be able to do certain things where air gaps are helpful. Sensitivity is the largest driving factor.
And so, I think it’s relevant, but you have to understand how much of that change is going to impact some of your decisions. Maybe the design concepts change, maybe some of the controls change, but fundamentally, you’re still trying to connect two different things together.
[David Spark] There was a time messages were being sent via pneumatic tubes too, yes.
[Edward Contreras] Yes, they were.
[David Spark] I haven’t seen it, but somewhere in Paris, there is like a whole network still of those, not being used, but when they were being used. Let’s bring our guest on, thrilled to have him on. He is one of our favorite guests. We love having him on, and I hope he feels the same way about us.
It is the VP of Trust and Digital Ethics over at Inrupt, none other than Davi Ottenheimer. Davi, thanks for joining us again.
[Davi Ottenheimer] Thanks for having me.
Is anyone happy with this solution?
4:02.305
[David Spark] Jon King of SmithRx said, “Network security is still foundational. What’s dying is people thinking it’s acceptable to treat network security as a standalone function. Instead, network security needs to complement identity- and data-focused security capabilities and facilitate active defense.
Dive deeper into the implications of ‘network security is dying,’ you get root hijacking, DNS hijacking, response poisoning, label switching, VLAN hopping, adversary in the middle, are all still valid attack vectors, and the security of identities relies, or at least a part of it, on network security.”
And Shashwat Sehgal of P0 Security said, “There are a lot of use cases for which network security is good enough and you do not need to go into identity. So, for example, SaaS access, all those things. You could probably solve them with identity as well, and if anything, solve them somewhat better, but not 10X better, to warrant an entirely new approach.
Network controls are good enough, especially for an enterprise that has already invested in firewalls. Plus, an enterprise will always need a firewall for non-security use cases.” So, what do you think about this, Eddie? These are arguments for why network security still has validity even though we’re switching, kind of like what you said at the beginning.
[Edward Contreras] I like these quotes, besides the fact that we had some really good phrases thrown in there and acronyms used, it’s always good to have big acronyms. I think what you come across when it comes to this conversation is, it’s broadening the conversation.
It’s really nice to know that your typical infrastructure network person is talking about identities and vice versa. Your identity person is really having to understand the OSI model and understanding at what point in time is a negotiation occurring?
So, I think when you think about the bleed or the blend into each other and these technologies coming to fruition, when you have a new SaaS vendor where the identities are managed by a third party, when you have identity federation occurring in a centralized environment, no longer is it happening the traditional way, it’s forcing everybody to have that discussion, and that actually brings better awareness.
It’s really good when a networking person is bringing a concept forward, even though that concept may in a traditional sense have been a part of a blueprinting session for topologies, now all of a sudden, it’s part of access management control because wait a minute, you’re brokering that identity in layer seven now.
And so, that’s a little bit different. And so, I think it’s a broadening, it’s a widening, and it’s more inclusive. And of course, the more inclusive you are, the more eyes you have on security. So, I think it’s a benefit for security.
[David Spark] Right, Davi, I throw this to you. And in fact, this is kind of timely that we have you on being that Inrupt’s charge is creating a new internet and that is very identity focused. Am I right on that?
[Davi Ottenheimer] That’s correct. New web, really, not new internet, but yeah, a better web.
[David Spark] New web, right. And so, I’m sure these issues came to mind as you’re developing Inrupt, yes?
[Davi Ottenheimer] For sure. I mean, my head kind of explodes when I hear people say, “You don’t need to go into identity.” [Laughter] I think the entire future of all of our technology is based on identity. It’s actually one of the shortcomings. The cookie explosion, for example, is such a horrible, horrible nightmare experience where everybody’s clicking through all kinds of identity-related connections.
That needs to be fixed, and it’s because network security is evolving. It’s not going away. It’s really changing. We’re talking about connectivity, and connectivity is so dependent on identity management now. Anyone who’s been working on AWS for the last 10 years knows IAM is your friend, and it’s replaced most of the work that we did primarily at the network layer because it’s been baked in.
But of course, identity is connected directly to data in transit. You can’t connect and open up passages to move data anywhere unless you have the authorization authentication enabled. I think people fundamentally misunderstand what evolution means.
They think it’s a replacement, not a step in the same direction as before.
[David Spark] Now, Tim Berners-Lee is in charge of Inrupt, and he is essentially the man who introduced our first web that we’re aware of. What is he seeing? I’m sure you talk to him about this. What is he seeing differently about this new web and what we maybe got wrong with the old web?
[Davi Ottenheimer] Well, I don’t want to speak for Tim, but I’ll do my best. Having worked for him for a number of years now very closely, and in fact, I feel privileged to have the ability to sit down and talk to him. My whole career has been on the web, 30-some years of trying to make the web secure, and I’m sitting with the guy who invented it saying, “Why did you do this?
Why’d you do that? What were you thinking?” It’s fascinating because what he identified around 2014, ’15 was the silos that had formed in the web. In other words, the opposite of connectivity. People were getting locked into places, their data was being taken away from them, flowing away from them in transit to someplace and stored someplace that was out of their control.
Facebook as an example, a canonical example and you can’t get out of it. So, you wanted more connectivity, not less.
And so, in that sense, the idea of the web, the name itself, the moniker of being linked and connected, lots of distributed nodes all being connected, was being violated in a sense that he was able to come up with a new protocol called Solid, which was the idea of Social Link Data, being able to be more centered around yourself.
In other words, your data doesn’t flow away from you, your data stays with you, and all the apps that you’ll use connect into your storage. So, in its most primitive form, if you want to think about it as a storage protocol, it allows you to write apps now that would connect to data wherever it lives because of the network being represented as an authentication authorization protocol.
So, that’s just a lot of fancy ways of saying the thing about the web that may have undermined it and allowed it to be siloed and taken over, monopolized by a few big platforms was that it didn’t have the right kind of network security that enabled people to preserve their own control over their own data.
And that’s what it’s doing is he’s basically written a protocol, and we’ve been implementing it, and it’s been successful and deployed at the nation level. So, at a national level, you can have a data utility, the same way you might have a power utility.
And so, everybody gets their own wallet, or they get their own personal data storage. And that has, as a network protocol, the ability to allow the market to explode. You can write apps anywhere, anytime, and write in and out of a place that’s remote, a remote storage protocol.
It’s pretty awesome.
So, it really is about network security. It really is about the way things should have been done from the beginning, but it was just an evolution that didn’t happen. And to be fair, we saw a lot of this in 2000, OIDC, right, as a perfect example, or OpenID Connect.
All these protocols that were about fixing the way that identity worked probably would have taken off, but the dot-bomb crash, the market implosion, put them on ice. And so, around 2000, there’s all this movement towards a better identity system, better network security, honestly.
And then we had to wait 10 years until the market reformulated. And by then, what we had was a lot of mobile apps and a lot of platforms that weren’t particularly interested in these open standards as much as they were as locking people in digital moats.
What he saw was a version of the web, an abuse of the web, using the web to move people into places they couldn’t get out of and had no control over their own lives anymore. And so, he wrote a simple open protocol that really fixes it, and that’s what we’ve been implementing.
Why is this relevant?
11:36.579
[David Spark] Thomas Jones of Inotiv, said, “I don’t think network security could ever die.” Kind of what you just said, Davi. “It’s the only layer that can observe and decrypt transient behavior to and from your assets. We’ve just broadened ‘assets’ to include identities and accounts now.
It’s the behavior of these identities and accounts to and from assets that create a signature-like traffic pattern unique to the line of business and the organization. This traffic signature establishes the baseline of ‘normal’ activity. It’s the deviations from the normalcy that we in security investigate for both authorized and unauthorized accounts.”
And Murat Balaban of Zenarmor said, “As long as we have packets flowing, we’ll have network security. It’s not going anywhere. Identity is an important piece of ‘context.'” And Tyson Supasatit of Dropzone AI said, “Pharmaceuticals, manufacturing, government, retail, transportation, healthcare, etc.
These companies will still have a network perimeter, making it critical to control and monitor in/outbound traffic, as well as internal East-West traffic.” All right, more people doubling down on the fact that network security can’t go away at all, Eddie.
I mean, I think there’s an agreement that it is all about identity, but this thing isn’t going away, is it?
[Edward Contreras] No way, and I like what Murat said. I’ll use a similar analogy, bring it in. Network security, it’s kind of like the brakes, the gas pedal, and the safety mechanisms of a car. You know they’re there for a reason. They’re definitely needed to get the car going, but yet identity security is like the ignition and the key.
You can hand that to anybody, and yes, they can drive the car, but they can also drive the car past the guardrails. They can drive the car slower, cause accidents faster. There’s all these things that can happen, and so you still need that underlying technology to make sure that the occupants in the car are safe.
And what I’m hearing here is very similar to what we’re talking about is foundationally, network security is going to help you achieve your ultimate goal. Where identity security and identity connections, yes, so many new entrants are into there. Not everybody needs to understand how the car works, but you have to know that it’s there, and it’s there protecting you.
And so, yeah, I do think these are things that work in conjunction with each other. They cannot work independently. Even if you don’t have a data center, like in our previous segment, if you don’t have your own data center, and you’ve outsourced everything to an IaaS or PaaS partner, at some point in time, you’re still connecting two things together, whether they’re coming through your environment or not.
And you cannot, no matter how much you want to, you can never get rid of accountability. So, you cannot take that and say, “Okay, someone else is going to be accountable.” And so, accountability makes network security forever be a part of the equation.
[David Spark] Davi, are we just having this conversation solely because there are so many technology companies that exist that do not have a server room? I mean, I think that might be the reason we feel this way.
[Davi Ottenheimer] Yeah, that’s fair. I mean, it’s abstracted away. It’s like nobody looks at their plumbing anymore, so do we really need plumbers? It’s in the walls. It’s under the table. Why do we have plumbers anymore? The knowledge necessary to really keep the world running is not going to suddenly be fine without network security.
It just doesn’t make any sense. I mean, philosophically, we have to understand that when things move between two places, they still need security. And we can call that network or we can call it whatever we want, but the movement, the transmit has to have security.
If we assume it’s there and we don’t have a way of… If we don’t have the expertise or intelligence to figure out what happened between point A and point B, we’re in a world of hurt.
And that gets especially important with quantum. The risk of quantum now is going to hit people in the face in a couple years, and they’re going to have to do risk calculations that are based on how much exposure do I have in my network? And then what’s the strength of my algorithms in transmit, right?
It’s the whole, you have a key exchange, you have to look at all the PKI infrastructure, and it’s all network security. So, everybody’s going to have to run around and look at it all. I mean, you can look at stored security and say, “Well, it’s a bit weaker.” But network security is fundamentally hosed.
You’re going to have to have a lot of plumbers crawling around telling you how to replumb everything because suddenly, lead pipes are bad, and you got to have new piping, and if you don’t have plumbers who know how to do plumbing? Boy, are you screwed.
It’s not difficult to actually do the replacement if you know what you’re doing, but it’s a lot of work if you have a lot of pipes.
[Edward Contreras] And I think you may not even have to go as far as quantum, which I don’t think it’s that far out, but you don’t have to go that far. Think about APIs. So, much is going on right now with APIs and having developers embed identities into an API.
And APIs are connecting to other APIs, and now you have agentic technology coming in and developing APIs as well. So, just by itself, API sprawl, is that eliminating network security? Absolutely not. But it’s one of those things that’s amplifying the need to be able to have these environments coexist.
But I think Davi brings up a good point. If you can’t solve for API security, what are you going to do when quantum comes up, and now it’s something that you have to address there?
Sponsor – Cyera
16:56.454
[David Spark] Before we go on any further, I do want to tell you about our spectacular sponsor and that is HackerOne. Well, I don’t need to tell you that AI is changing everything. Your product, your infrastructure, your threat models. And the only way to stay ahead is with security that’s just as smart.
HackerOne combines cutting-edge AI with human ingenuity to protect your systems from evolving threats in the Age of AI. At an unprecedented pace, cyber criminals are exploiting AI to launch faster, larger scale attacks. Meanwhile, organizations are rapidly integrating AI into every layer of operations, escalating risk, and calling for increased regulation.
Bottom line? Offensive AI is outpacing defensive strategies. Enterprises need a proactive approach to AI security and safety.
HackerOne is the global leader in offensive security solutions. Trusted by AI innovators like Anthropic, Adobe, and Snap, HackerOne helps customers find and fix vulnerabilities across the software development lifecycle. The HackerOne platform offers bug bounty, vulnerability disclosure, pentesting, AI red teaming, and code security.
Powered by AI and the world’s largest community of security researchers, they give organizations an unmatched edge, whether you’re testing large language models or identifying bugs before production. AI needs both protection and participation. HackerOne uniquely offers both.
Testing your models in ways internal teams simply can’t. You can find out more at hackerone.com.
What should we be measuring?
18:40.725
[David Spark] Adrian Sanabria of Enterprise Security Weekly said, “Everyone loves to rebrand stuff as if it’s the new X, as if the old stuff somehow disappeared. In reality, data centers never went away. XP is still running, and we never solved BYOD and other 10-year-old challenges.” Sudarshan Pisupati of Zscaler said, “I don’t know if identity is the new perimeter, but what nearly every red team report will show is that identity compromise and subsequent lateral movement is integral to any attack story.
When zero trust network access is coupled with identity threat and posture context, attack surface has the potential to drop precipitously and reduce risk and impact.” All right, Davi, I throw this to you is, I think actually many of these security vendors out there would like us all to think that identity is the new attack surface because that is the product that many of them are selling, and they don’t want to think about it as a network security issue.
But as we are discovering here, it’s not going to un-intertwine itself, is it, Davi?
[Davi Ottenheimer] No. I mean, marketing language gets in the way of everything. If we think about cloud, it’s really a concept from the 1950s, right? Artificial intelligence was from the 1950s, we still call it artificial intelligence. But we had like timeshare in the 1950s, and we call it cloud instead of timeshare.
So, it’s been rebranded 100 times. These old concepts are fundamentally what’s sticking around. The rebranding is going to continue until people are happy, which is never. And so, identity is so fundamental though to networking now, it’s hard to express just how critical it is to say, in network security, you have to be able to identify who somebody is, when they were authenticated, and how they were authenticated.
And we saw that shift around the early 2000s when Wi-Fi really took off. People were connecting with mobile devices, all these new devices from all different places, and you had to do investigations. And a big part of that was what’s the identity of the thing on the network that’s just sort of coming and going and traveling from point to point because there are all these towers that are disconnected.
It was very different than the old perimeter where you could lock people out unless they had the physical access. And I remember some of the old 802.1X exploits where people would plug into phones or people would drop modems. A lot of that was physical.
But as we moved into the more and more virtual or software-based world, we realized identity was just the cornerstone that you had to have because people hopping on and off did so with some sort of form of, like I would say Java Web Token now contains identity claims.
And so, that tells you who they are when they show up with their identity card. If you don’t have an identity card, which is built on top of OAuth2, then you’re weak and you’re vulnerable. So, I think all this stuff’s definitely going to stick around and evolve and it’s the same concepts as ever.
But in order to keep up with it, you got to look at the threat models appropriately. We’re changing the way we connect, where we connect, how we connect, the devices we connect from, but the concepts are all the same.
[David Spark] Let me toss to you, Eddie, on this is, are we just simply leaning more into identity and not forgetting security? It’s just sort of like there’s a needle of interest in time and money we’re spending, and it’s just going more to identity.
A lot of people would like to believe that the network is disappearing, but it’s not disappearing. It’s just we’re putting more focus on identity, yes?
[Edward Contreras] I think you’re bringing more people into an area that they feel they’ve overtaken the area but not recognizing that the area still is the ground that they stand on. I remember a time when we were working at a data center and the discussion was, should you capture East-West traffic since we’re already capturing North and South?
Why capture East-West? Well, introduce identities in the layer three segment, introduce identities in microservices and microsegmentation. And now the question’s not, should you capture traffic between East-West? It’s do you capture traffic between subnets?
What’s important about that now? And so, all of a sudden, you have identities that are getting these capabilities at multiple layers and you’re realizing, wait a minute, this conversation is not shrinking, it’s amplifying. It’s now everywhere.
You have to understand how the identities work across the ecosystem because you never know where that identity is being established and then what’s given to that identity once it has been established. So, I think the conversation is evolving. It’s bringing more people into the conversation.
And if anything, I think it’s highlighting the fact that network security [Laughter] absolutely is a part of all these conversations now. You just may not be calling it that.
[David Spark] Okay, so when you hear people saying the network surface is expanding, is that what’s expanding? Or kind of like what you said, Davi, is no, it’s just all the different ways they’re connecting is changing, so it’s just complicating the matters, yes?
[Davi Ottenheimer] Yeah, there’s more devices, more things are connecting more often in more ways. If we open it up, it makes more sense. Our decentralized identity and user agency models are more democratic and sensible. That’s better for the market.
If we centralize, it really sucks. If we were on IBM and AT&T, X25 protocols, we would be hating life. It’d be like French Minitel. It would just be awful. But instead, we have like TCP/IP, open world, HTML, HTTP, all these open standards. So, what’s happening is as the market grows and more things connect in more ways, you end up in these places like what’s a self-issued identity?
What happens if I issue my own identity and show up with ID tokens that I’m cutting myself? You know, self-signed certificates.
I used to run my blog on self-signed certificates, by the way, and I had no readers, which was fine. I didn’t really care. But at some point, there were so many readers showing up saying, “Hey, I need to get a certificate from you in order to read your blog and be authentic,” and I was like, “Okay, I just can’t manage more than a few people, a few friends reading this with certificates.” So, I switched to CAs where people could get a certificate from a central authority.
And so, there’s ways of building groups and federation, ways of verifying people’s credentials so that we can scale. So, what’s happening is we have to build these sort of concepts, computer science concepts of scalable, repeatable standards so people can connect to one another and communicate safely, and that’s foundational.
I mean, if you look at networks in terms of transit, and think about what’s safe to put on the roads, you have to have standards, rules, laws, regulations. And the fact that we moved from horses to cars, we still need laws.
[David Spark] I’ll let you close this out, Eddie.
[Edward Contreras] Yeah, I think when it comes to identities, there’s so many players in the field now, especially tech companies that are competing with each other, and sometimes these identities are established internally. They’re black box, they’re IP.
It’s kind of their crème de la crème of how they make money. And so, are you going to expose that? No, let’s just bring it into the ecosystem. And so, all of a sudden, you have identities that were born somewhere else and now you have to interact with.
And so, you have to acknowledge that they’re there. It’s just a growing concept. It’s not going to go anywhere, but I do think identities just tend to play at all levels now.
This week’s security tip – Tenable
25:43.447
[David Spark] Hey everyone, I got a really good tip on insider threats, the unintentional kind, and exposure management. Stay tuned.
[Voiceover] This week’s security tip is brought to you by Tenable, the exposure management company.
[David Spark] Insider threats come with a badge. Many of the biggest risks to an organization come with very legitimate credentials. Employees, contractors, service accounts, and automation scripts are all capable of unintentionally creating a massive internal attack surface, without any malicious intent.
In fact, most insider incidents come from negligence or oversight. Now, this could be simply a forgotten service account that still had privileged access or a contractor’s credentials that were never revoked.
In one real-world case, a former contractor regained access to a network months after leaving just by using an old automation account that had been quietly upgraded during a system change. The single oversight gave them privileged visibility into production data.
So, in these situations, think beyond “who has access to what” and just start asking, “What can this account do once inside?” Integrating identity lifecycle management, anomaly detection, and behavioral analytics into your exposure management program can help uncover these hidden attack paths before they’re exploited.
[Voiceover] This has been your weekly security tip. To learn more about exposure management, go to tenable.com.
What needs to be considered?
27:32.017
[David Spark] What needs to be considered? Martin Roesch of Netography said, “The tooling for a lot of network security never made the architectural leaps that it needed to in order to remain relevant. The incumbents didn’t have the free cash flow to be able to innovate and got stuck.
A case of the sunk cost fallacy on the vendor side of the world. You need to start with something that delivers the same capabilities uniformly across all clouds and on-prem to let you understand what you’ve got and what it’s doing. You need to be able to handle the major issues of today like zero trust containment, breaches, exfiltration, and ransomware activities, and that requires a major rethink of how you go about it.
Interconnecting the clouds and having them interact with each other will lead to a necessary renaissance in network security tooling, starting at the observably and detection function.” All right. This sounds a lot like what you’re doing, Davi. I mean, essentially a complete rethinking of the web.
What, from what Martin here, do you take to heart?
[Davi Ottenheimer] Got to love Marty. I remember the early days of Sourcefire and Snort, one of the biggest customers they ever had, I think in the beginning. But as a big fan, I think what he’s really saying here is this is an opportunity for innovation, rebuilding network security for our post-perimeter world, and there’s some marketing speak for you.
I think identity is so important to telling you who’s coming in and where they’re coming from and how they represented themselves, but you still need to have that network security to figure out what’s going on when they’re in there. That’s what we were always doing with Snort.
It was sucking up the data and looking at it and investigating it, and that’s not going to go away anytime soon. So, when you have a relevance now, you might actually have opportunity for real innovation because you can build cloud-native observability.
So, you get cross-platform observability that you don’t have right now, and that’s where the next layer of network talent’s going to go is being able to tell what’s actually going on inside those connections.
[David Spark] Eddie, this innovative viewpoint that Martin has here, are we heading in any of these directions?
[Edward Contreras] I think so. And unfortunately, there is a marketing play to this. It really is about mass adoption, market penetration. You can build a great technology. If not everybody’s adopting it, you’re going to always have to deal with all these complexities of uniqueness and isolationist and so forth.
And so, yeah, that’s just the world that we live in. The reason certain operating systems took off more than others had less to do with security and what’s best for the industry, and it all came back to, well, they had a better user interface, right?
And that’s really what drove adoption. And I think identities and network security might be going through this now is you’re going to have some really good protocols coming out. You’re going to have what everybody agrees is probably the best thing, and then someone in marketing is going to say, “But yeah, I got a really good UI here and you’re going to want to use that.” And that’s really what it is.
And so, you’re up against some anomalies in this industry. You’re not up against just technically what’s best or technically what makes sense, but you’re up against these other factors that weigh in and influence our industry. And so, unfortunately, I don’t think it’s a clean-cut answer, and if we could always land on the right one, we would have a long time ago.
But the fact that everybody calls search engines “Google it,” the fact that everybody talks about AI and LLMs as ChatGPT, it kind of tells you who’s really got to the market first, and I think this is probably one of those areas where it’s going to follow suit.
[David Spark] Yeah, we’ve already seen a ton of consolidation.
Closing
31:11.085
[David Spark] All right, this comes to the point of the show – Davi, I’m going to toss to you first on this one – where you can tell me which quote was your favorite and why.
[Davi Ottenheimer] I kind of like Murat because he gets right to the chase. The point is when you have packets flying, you have network security because it’s all about connectivity and you need to see what’s going on between point A and point B. If you want to know, is it safe?
Is it okay for you to transmit? Is it safe during transmit? What happened while they were being transmitted? Or what were people doing? And where do you get your signatures from? Behavioral analysis, all that’s network security. And it’s just going to get more and more interesting, I think in the years ahead.
So, network security’s not only not going away, it’s going to be reborn into something much more interesting and exciting.
[David Spark] Very good. All right, Eddie, your favorite quote and why.
[Edward Contreras] So, my favorite quote is Adrian’s quote. Whenever you can reference XP in these days, I think it’s a good way to start a conversation. I just can picture Adrian. He came into a company or worked with somebody, had a philosophy of, “Hey, XP’s dead.” They found a very weak cipher.
Why are we using this weak cipher? And then all of a sudden, you realize someone has XP running general ledger consolidations at the end of the day, and you’re like, “Oh, my goodness, really, that’s what’s happening?” So, yeah, XP, if you can quote XP, you’re going to get my vote every day of the week.
[David Spark] When’s the last time you saw XP in action?
[Edward Contreras] I plead the Fifth.
[David Spark] [Laughter] All right, huge thanks to our sponsor. That’d be Cyera. Secure your data wherever it lives. Remember, go to cyera.com. Cyera, our sponsor. Thank you so much for supporting the CISO Series. Ah. Now I’ll ask both you, Davi, and Eddie, are you hiring at Inrupt and at Frost Bank?
Davi, yes?
[Davi Ottenheimer] Of course, always looking for good talent.
[David Spark] To work with Davi and possibly Tim Berners-Lee and Bruce Schneier as well. Is he still there? Yes?
[Davi Ottenheimer] Yeah, of course.
[David Spark] Those are three incredible minds, all three of them, phenomenal. That is a great opportunity. Eddie, you got openings at Frost Bank?
[Edward Contreras] We do, and I don’t have the powerhouse names behind that, but I can tell you we have Tex-Mex in Texas, in San Antonio, so we have a good team, a strong team, and we are [Laughter] absolutely hiring for everybody.
[David Spark] But you could work with Eddie Contreras, and that alone is enough.
[Edward Contreras] There you go. [Laughter]
[David Spark] Give me two Tim Berners-Lee’s and two Bruce Schneier’s, they will not equal one Eddie Contreras. All right, thank you very much, Eddie. Thank you very much, Davi. And thank you to our audience. We greatly appreciate it, and I don’t say this pat, I actually mean this.
We greatly appreciate your contributions and for listening to Defense in Depth.
[Voiceover] We’ve reached the end of Defense in Depth. Make sure to subscribe so you don’t miss yet another hot topic in cybersecurity. This show thrives on your contributions. Please write a review, leave a comment on LinkedIn or on our site CISOseries.com where you’ll also see plenty of ways to participate, including recording a question or a comment for the show.
If you’re interested in sponsoring the podcast, contact David Spark directly at David@CISOseries.com. Thank you for listening to Defense in Depth.