Adopting Zero Trust with Lexmark's Bryan Willett: Culture of Security
Catch this episode on YouTube, Apple, Spotify, or Amazon.
This week we chat with Bryan Willett, Lexmark’s CISO, who has built a legacy over the past 25 years working for the global company. Starting from his early days as a firmware developer, transitioning into managing teams and projects, and now as the CISO, Bryan has built a long-standing successful career. During our chat, we talk about how security professionals can advance their careers from protecting products and users and converting that into business language that CISOs navigate on a daily basis.
Producer’s Notes: PS, in the Austin area? On September 22-24, Neal is helping put on the Texas Cyber Summit. Stop by and say hi! He’ll also have some Zero Trust stickers to hand out. Also, if it’s not abundantly clear, Elliot was under the weather during this taping.
As a company, Lexmark needs no introduction. It’s a historic brand with a global footprint with thousands upon thousands of assets connected to them. With that kind of reach, it was important for security to be a critical ingredient for their recipe of success, and in the past six years, Bryan has ensured they were ahead of the curve. Prior to the pandemic, they were moving towards a cloud model, which positioned them strongly against the abrupt shift to remote work. During that time they embraced DevSecOps, instilled a culture of security, and build trust through transparency by way of security frameworks and controls.
Developing a Culture of Security
Many moons ago, when organizations had well-defined perimeters and VPNs could (in theory) security protect assets, it was easier to ensure only a small team was responsible for security.
For a global enterprise with offices and users around the world, that is a significant amount of pressure, especially when software is being created across many other teams. Today, we know this approach doesn’t work and that everyone is in some way responsible for securing the company.
Bryan shares his own experience taking Lexmark through this journey:
“One of the things that were really instrumental though, for building out our program, as an organization, as a firmware development organization, we tried to pin the security of the product to a small group of people. The security team, right? And what I really tried to establish there was really the same thing that has led to what our program looks like today. And that's. Security's not just this small group's responsibility, it's everyone's responsibility. If you're writing code, you need to know how to write code securely.”
Unlike many companies that offer security awareness training as their base foundation to secure best practices, Lexmark took it several steps further.
“If you're gonna test the code, you need to know how to test the code securely. And so we really worked on building out a security development life cycle, and the critical part with that was building out the awareness training because when a developer, someone comes outta school with a computer science degree, what do they teach them? They teach them how to make widgets, right? And, and they're gonna know how to make widgets and make lots of widgets. They never teach them, ‘here's how you secure that widget.’ And so it, it then falls back to their employer to go make up for that gap on their education.”
That’s when Bryan and team decided to build a curriculum for each role, specific to the coding language developers were working in, and ensured everyone understood the risks at play and how to migate them.
It was this kind of mentality that allowed Bryan to get noticed from leadership and evolve beyond his role as an engineer. More specifically, he started to convert risks into business language, especially as customers increased their asks for visibility into security controls. Between ISO/IEC Standard 15408 and ISO 27001 frameworks, Lexmark was in a stronger position to securely capture customer/user data and build predictive analytics to determine when hardware may need to be repaired.
From Building Firmware to Becoming CISO
Bryan started working with Lexmark as a firmware developer stemming from his background in electrical engineering. During his initial days, he learned how to become a closer. Someone who could take on projects and see them through from start to finish, and he feels much of this mentality is what led him to become a CISO today. While building firmware to protect hardware and the people who use it, he was eventually pushed towards taking on more work.
“And for me, I remember my manager at the time coming in and saying, ‘Hey, we really need somebody to go and take over our network and security firmware teams’. And I'm like, I don't know. I'm not sure I want to go do that. And, finally, I said, all right, I'll go do it.
I need to do something different anyway, I've been doing what I've been doing for five years. I need to go do something different. And that just, you know, boom opened a whole new door.”
It was during this time that Bryan learned how to navigate everything from integrating new products and features that enterprise customers needed to threat hunting against their new solutions to the ever-lasting need to patch software.
Security as an Enabler, Not Blocker
As a security leader, it’s easy to lift the draw bridge and lock down everything in the name of security. However, any rapidly growing company will tell you that is the fastest way to encourage your users to find ways around, under, or over the moat and create its own set of risks. For Bryan, he started with compromise.
“Hey, you can't do this, or you can't do that. And the persona that I wanted to bring to the organization was more of a, yes, you can do that, but, I need you to do these things in order to go do that. Right. We wanted to be an enabler.”
So how, as a leader, to you enable a company to take such a significant leap toward incorporating security into all aspects of the business? According to Bryan, it takes two elements:
“The people around me, we are blessed with an amazing set of talent there. For instance, our cloud product cloud teams, they were quickly adopting DevSecOps models of operation very early in our cloud journey and having them moving in parallel with me. They're evangelizing to their teams, it’s the way that things should be done. And then what the role I play is supporting them.”
Zero Trust Without Saying It’s Zero Trust
More and more, Neal and Elliot have heard from security leaders that Zero Trust is either a repackaging of what they’ve already been doing for the past decade or a refining of those practices. In tandem, we’ve also seen that internally, many leaders shy away from potentially buzzy terms, in particular Zero Trust, as the term itself doesn’t seem to hold the same weight as it once did. There should be no surprise in this as every cloud-driven security technology vendor of the sun tries to apply it to their organization, and the lines are completely blurred.
“I'm very careful with Zero Trust within my team because Zero Trust has become the catchphrase to mean almost everything that you do in a security organization. I was telling my team the other day, I said, I don't wanna hear Zero Trust. I want to hear what you are doing specifically to implement in terms of a control that's going to help lower our risk overall.”
This makes sense from a technology and process perspective, because regardless of the umbrella term, it always comes down to securing users, devices, brand reputation, code, etc.
“But zero trust as a model, right? As a principle of the themes that you should be doing, I think are excellent. I put them right in parallel with CIS 18 in terms of the 18 controls they recommend that an organization should put in place and I had certainly researched that when I first took the role, but that was not necessarily what I had initially set out to go and implement.”
Takeaways from Lexmark’s CISO
Security should enable the business to move forward, but there is initial pain to smooth out
Security controls and frameworks are great for communicating risks, security posture, and effective controls
Change management requires stakeholders across the board
Zero Trust principles are great guiding stones, but from a tool/technology perspective, it’s not important
When shifting technology to modern solutions, it’s best to take a phased approach
This includes keeping VPNs active for some use cases
Coming Up Next
Here’s who we have on tap for the coming weeks:
Christine Owen Director at Guidehouse on Sept 22
Maureen Rosado ZT consultant on Oct 6
J.R. Cunningham CSO of Nuspire on Oct 20
We are also looking for our final guests for the year, so if you have or are implementing Zero Trust and are not a technology vendor, we’d love to chat.
Adopting Zero Trust with Bryan Willett Transcript
Elliot: Hello, and welcome to another episode of adopting zero trust today, we have a fantastic guest for y'all. This is actually going to be our very first CISO in our series. And not just any CISO he has tied to one of probably, I don't wanna say one of the most historic brands I'd say around the US, cuz this has a global footprint.
But we have an absolutely wonderful guest here. Brian. I do not want to butcher background as I usually do with my guest. So I'm going to actually hand it off to you. Maybe you can share a little bit about your experience and then we'll kind of go down some of the history, since you have a bit of a legacy working over there.
Bryan: Huh? Well, yes, you don't hear that very often nowadays, so thank you guys for having me. It's it's a pleasure to be here. So yeah, Brian Willett, I I'm the CSO for Lexmark. I have been with Lexmark 25 years. Here in two months, 25 years. I spent 18 of those years in the re research and development organization very focused on product security and ensuring that we were able to deliver secure firmware, secure software to our customers.
And then six years ago, I took the CSO job at Lexmark. Really investing in. The overall security practice going from what was a fairly small organization to building a, what I would consider a fairly robust security organization. That's that's been doing a fantastic job so far as always.
We, you know, knock on wood there to to hopefully be able to keep saying.
Elliot: Rocking. So before we get into the world of zero trust, I'd love to just kind of get a little bit more of an understanding your journey to where you are today. Cuz obviously being in an organization for 25 years is. Not very common in the security space. I mean, between burnout from the beginning and folks working the SOC to just being able to transfer your skills to essentially business language is obviously of great importance.
And I think. That is going to definitely be one of the main topics that we'll go into today is being able to convert zero trust into business language that other folks in the organization can understand, not just from the security perspective, but before we jump into that, I just love a little bit more insight into some of the many hats that you've worn over the years, how it's kind of led you to this.
Bryan: Yeah it's it's been a very interesting journey. My, my background education is electrical engineering, and I started at Lexmark as a as a firmware developer back in 1997. And I did that for several years. And during that journey really got to Really got to learn how to be an engineer, how to be a closer and which I don't care.
What role you're in knowing how to close something is critically important. From there I got into project management. This was the typical kind of engineering career path at the time got into project management, got into management. And and, you know, when you think about your career, there's a, there's kind of one of those distinct inflection points in your career where something happens and you this whole new pass kind of opens up.
And for me, it was I remember the manager, my manager at the time coming in and saying, Hey, we really need somebody to go and take over our network and security firmware. And, you know, I'm like, I don't know. I, you know, I'm not sure I want to go do that. And finally I said, all right, I'll go do it.
I need to do something different. Anyway, I've been doing what I've been doing for five years. I need to go do something different. And that just, you know, boom opened a whole new door. And the the things that, that I got into there was everything from. Looking at the firmware and how do you properly harden the firmware to make sure that it couldn't be hacked itself?
The patching of the firmware and responding to vulnerabilities that would come in for products to. Feature sets, right? What features do enterprise customers need in order to integrate their product or integrate our product into their it ecosystem? And then we got into the world of certifications.
You, you get common criteria ISO 15, 4 0 8. Is the other name for it? And that really, you know, it opens your world to the standards world, which is a very different group of people to hang out with. They are intelligent. They really know what they're talking about. It's not always my cup of tea, but, you know, they're there for a good reason.
One of the things that, that was really instrumental though, for building out our program, You know, a lot of at the time we tried to as a, as an organization, as a firmware development organization, we tried to pin the security of the product to a small group of people the security team, right.
To go and harden that. And what I really tried to establish there was really the same thing that has led to what our program looks like today. And that's. Security's not just this small group's responsibility, it's everyone's responsibility. If you're writing code, you need to know how to write code securely.
If you're gonna test the code, you need to know how to test the code securely. And so we really worked on building out a security development life cycle and the critical part with that was building out the awareness training because when a developer computer science someone comes outta school with a computer science.
What do they teach them? They teach them how to make widgets, right. And they're gonna know how to make widgets and make lots of widgets. They never teach them. Here's how you secure that widget. And so it then falls back to to, to their employer really, to go make up for that gap on on their education.
And so that's where we picked. And started running with with creating a curriculum to that was specific to the technologies. The developers were working in and specific to the the languages they were working in to help them understand what the risk were and then how to mitigate those risk.
So that was that was a big part of it. And, you know, along the way We started seeing questions from customers coming in about ISO 27,001. And in particular, you know, one of Lexmark's main business. Offerings is is our manage print services offering. So customer wants to buy a printer, but they don't necessarily want to deal with the break fix.
They don't wanna deal with ordering the supplies for it. They just want somebody to handle that for them. Well, we do that, but to do that, we have to collect data off the printers to understand how they're operating, to do predictive analytics on it, to figure out when is it going to break so we can get somebody out there at the right.
well, because we're collecting that data into our environment. As a customer, who's doing any sort of third party risk management, they're gonna start asking questions about, well, what are the controls that you have on all of these systems that that are collecting data? And at the time at Lexmark, I was kind of the only guy manager at the time, running around with the tin foil hat on going, Hey guys.
You know, we need to do something about this. And and that got noticed, and it got noticed enough that they said, Hey, why don't you come up here and take the CSO job and you go fix it. So that's how I ended up where I am. And and it's been quite a journey ever since then.
Neal: So we'll probably touch on this a little bit later, but I think from your background perspective, to me, it's kind of intriguing how long born you've been. That's awesome to see someone go from starter package to leadership package. You know, it's kind of the military pipeline dream to be a private and be a four star.
What are the All that fun stuff, but long and short, you know, when we get to this a little bit later, maybe I think printers were the original. IOT. Oh my gosh. Hair on fire devices on the, you know, for the world at large, thinking about like the amplification reflection, attacks, like Mariah botnet and things like that, that took advantage initially of printers and other similar devices.
Right. But anyway, I know we'll go down that rabbit hole soon, but props to you for sticking through it. First off
Bryan: Yep. Yeah. Well, thank you.
Elliot: very much appreciate you walking us through that journey. I'm curious. And this is probably a pretty broad question to ask you, but. You know, what does the security infrastructure look like from year one? And how significantly has it changed to, I guess this year?
Bryan: from year one, it was it was probably the most popular antivirus out there. That was our security story. right. And and when I say antivirus, I'm talking the old traditional antivirus. That's what I walked into the door with. And when it was probably a month. Really? It was about a month after I started we worked on getting funding to go and start changing out the entire infrastructure, getting NextGen firewalls getting a an EDR in.
Getting the the network access controls, getting those in place. Right. We really started building a program out to to dramatically change the technology. But more importantly, the people right. Get the right people in place with the right skills in order to monitor and respond to whatever might come up.
And also architect properly architect, the systems that we were putting in place and them, you know, one of the key messages that, that we really had to work on within the. Is originally it was more of a team of no,
Hey, you can't do this or you can't do that. And the persona that I wanted to bring to the organization was more of a, yes, you can do that, but.
I need you to do these things in order to go do that. Right. We wanted to be an enabler not a naysayer on any of the projects that we were working on, but it, that doesn't mean that teams didn't go through a number, you know, a bit of pain in order to make it happen. Because you're, in my case, I was driving such a cultural change at Lexmark with how we.
How we had been working as a individual user, you know, on the, on your laptop, doing the work you were doing to migrating towards towards a more secure posture for the overall organization, that culture change was massive and it required a significant amount of engagement. of myself and of my team to be out there evangelizing, you know, what we were trying to do and why we were trying to do it.
And that you know, I can't. I can't undervalue, I guess the effort that went in just to that part you know, putting in a tool. Yes. That takes a little time to put a new tool in, but because it requires a behavior change by the entire organization that just requires a lot of work, a lot of change management with the, with that entire user base to help them get through the change.
And that I just can't under it under emphasize how critical that is.
Elliot: Yeah, I think that makes sense. I mean, even when you indicated. Awareness training when you said that I initially went to, oh yeah, this is probably what everyone does. You get those crappy slide decks or some animated videos and you teach through fishing, but what you had highlighted is significantly different than honestly, any organization that I've chatted with.
I mean, you're basically doing proper training in DevSecOps and being able to actually coach people through that and build that into the process. I mean, I'll give. Applause towards that. That's absolutely fantastic. That's, not really built into most organizations.
Bryan: It's not, but, you know, I don't wanna take all the credit because to be honest an organization is only as good as all the people around you. Right. And what I'll tell you, one of the things that's kept me at Lexmark is long as I have been is I have always been challenged by the people around me, right?
The people around me we are blessed with an amazing set of talent there and. Because of the talent they are quickly, like for instance, our cloud product cloud teams, they were quickly adopting devs sec op models of operation very early in our cloud journey and having them moving right side and, you know, right.
And parallel with me. And. You know, they're evangelizing to their teams, the way that things should be done. And then what the role I play is supporting them. Right. I am trying to I'm trying to support them whenever and however I can, because I know they're trying to do the right thing. I want to empower them to do the right thing.
And usually that, for me, the empowerment is either I can go and write a policy if I need to, which I prefer not. But if I have to, I. But it's really through my words and my actions and those words one, and by the way, this is the first thing you learn when you get this job, is your words mean a lot.
And and when you show support for specific initiative or a specific group taking initiative that is overall supportive for your group, it, it You know, it, it really helps to amplify what you're trying to do within the organization.
Neal: All this and the process flow that y'all have put into place and the growth that y'all had kind of getting us onto the focal topic of the day along zero trust and what that is and what that isn't have you seen gaps being bridged with that concept or zero trust as a whole?
Have you seen a transition courtesy? What you've done already into a mentality? What zero trust may or may not mean to you? And I guess the really starter package of that question. First, what does it really, what does zero trust mean to you? And then how has that stuff transitioned you into that yay or NA process of defining that and maybe growing into that mentality.
Bryan: Yeah. So I'm very careful with zero trust within my within my team, because zero trust has become the catch phrase to mean almost everything that you do in a security organization. And, you know, I was telling my team the other day, I said I don't wanna hear zero trust. I want to hear what are you doing specifically to implement in terms of a control that's going to help it's going to help lower our risk overall.
But zero trust as a model, right? As, as a principle of the themes that you should be doing, I think are excellent. I kind of put them right in parallel with with the CIS 18 in terms of the 18 controls, they recommend that a organization should put in place and we. I had certainly researched that when I first took the role, but that was not necessarily what I had initially set out to go and implement.
What I was after initially was, do I know what's on the network? Do I know who owns what's on the network? Do I, am I able to manage what's on the network? am I able to monitor what's on the network and can I patch it? Right. And I, now I just call that mastering the fundamentals for us, right?
Can we master those fundamentals? And it's hard. I honestly, when you're dealing with 15, 20,000 assets or more on your network, that is hard. And it takes a lot of discipline. For an organization to swing to that mindset of where we were was was most users just kind of manage their own device and they would just get it on the network and go do their thing to know we are going to manage that device and we're going to make sure that you're patched and we're going to make sure we can monitor what's going on with it.
That suddenly people are going, oh, I got work. I gotta do now. Right. And but they rose to the challenge. Right. And they have we have really. Of course, this is what I'm talking about. That early steps. This is six years ago now, right? So this is quite a while ago, but the team has really elevated our practices there.
We've implemented that across every OS platform that we have. So most of our users, windows, but we have Mac, we have Lenox for developers. And they across all three platforms, both. And so this is kinda interesting too. It manages much of our windows platforms, but we we have partnerships with the R and D organization.
To help manage our Linux workstation. So we work hand in hand with them. So where we set policy, we tell them what needs to be in place. And they have worked very closely with us to to make sure that the right configuration is on that device and that it's patched and that we can monitor.
And that has worked out really well. You know, that was step one. And then from there we got into other controls. So one of the ways that we really forced the issue of knowing what assets were on the network is we implemented network access controls. When we implemented that and we forced everybody to put their name by every asset that was going to be on the network.
it got filled out real quick because we weren't going to allow it on the network unless we knew who owned it that helped significantly. And then of course, when you think of the broader sense, so Lexmark's been a cloud first strategy for. For even longer than I've been in, in my role.
But it really accelerated in the last five years. And as you know, with cloud first what's your firewall at your identity? And so we invested a lot of effort into into further securing the identities for all of our users getting multifactor in place and then improving multifactor again, and then improving multifactor.
And that's just, it's a constant it is a constant area of improvement for us because you know, one of the guys on my team, he likes to quote Darwin all the time. He says, what do you get when you build a smarter mouse trap, smarter mice. And that's what's going on with.
Everything right. Whether it's vulnerabilities and how people exploit them, how quickly they exploit them to identities and how they socially engineer someone to compromise their identity. It is a constant game of cat and mouse going on. And then one of the other side effects. us going cloud first, it also really changes your need for your premise network, right? It you go from one massive premise network that, you know, you had data centers, you had a lot of business applications within the data centers. You had a lot of users who just had need for connecting to a lot of different systems on your network to very quickly.
Most of your users, all they need is an internet drop. And that's all they need. And so that, that really changes the paradigm of what access. We start to grant users now as they, they start to get on the network. And it, and I don't think I said it yet, but it's a journey, right. Zero trust. And that principle's a journey and you we continue on that journey. to continue improving that segmentation of the network, but it's one of those projects that we're working with, the it organization to move things to the cloud. And we're starting to work on reducing that that lateral movement opportunity.
Elliot: Yeah, I think that makes sense. So I don't want to distract too much from the conversation of zero trust, being a journey, cuz I that's where I want to point us to, but two sidetrack. So we have definitely. Plenty of pitches from zero trust security vendors that provide whatever technology and they slap zero trust on there.
Always wanting to chime in and kind of give their spiel. One of the reasons why we don't do that is so we can actually have conversations like you with you and practitioners who are actually implementing it. Before we go back towards that journey conversation, I'm curious because of how you even position it internally.
Do you feel it is a hindrance for those organizations to say, I have a zero trust solution, or should they probably come to the table with what the actual solution is as you're kind of highlighting some of these aspects?
Bryan: Well, to your point, I probably get a hundred emails a day or a hundred contacts a day from vendors that are trying to sell me the latest technology that's gonna fix my problems. You know, yes. To your. Zero trust coming to me with just zero trust. Doesn't tell me anything. I need to know exactly what kind of controls you're gonna put.
You're going to offer me that will dramatically reduce my risk posture, but there's a second part to it. Not only do we have to look at the technology, we have to look at the overall return on, in. Because some of these tools are not cheap that right. They are rather expensive to go put in your environment.
And the cost per user is fairly pricey. And you know, you have to look at every one of these and understand, okay, what risk is this going to take out of the environment? What is that risk in terms of a dollar value to me? And then and then what is the cost for me to go put that in place? What I find more often than not is.
If I invest in my people and the process with the tools I have, I usually get more bang for the buck than going and buying the latest, amazing tool that's being sold to me. And that. You know what's interesting about that. And I will even claim this for myself as an engineer. Right.
I love building stuff. I love the latest new thing that's out there. But as a matter of practice, focusing on the people in the process that that boring old thing, right. Just people in process it it gets me the biggest return every time. Doesn't mean, I don't look though. I keep looking. I keep looking for the that, that new magic solution that's gonna solve on all my problems, but I haven't found it yet.
Elliot: Yeah, of course that magical silver bullet that all, I don't know, it was 10 years ago. All future platforms can apparently solve which actually transit transitions us right back over to the conversation about zero trust as a journey. Because obviously there is no. Completion. There is no finish line.
As you were mentioning, obviously threats and techniques are always adjusting and shifting and turning. That's where I get to throw Neil back into this conversation because that's his world. But you know, how are you taking into account? I guess the different shifts. The world that are impacting us.
So obviously a couple years ago we had a little pandemic which caused a lot of organizations to either freeze up or go over a boat. You know, how are you able to adjust for different things that are being thrown your way?
Bryan: first and foremost, let's take COVID as an example. We were postured extremely well for COVID when it happened because of the investments we had made. in our video conferencing capabilities for the individual users because of the investments we had already made in the endpoint protection for the users.
And our ability to manage that remotely from the cloud that really set us up well for going to remote work now where we had a problem I think every company had a problem is we still had a strong need for access to the premise network. We had not moved.
We were still in the middle of our cloud journey and so VPN was a problem.
It, we knew that if we had to get every employee on the VPN, the capacity wasn't going to be there. So we had already had a project in flight to replace our VPN. We were working on moving from a appliances on premise to virtualize concentrators in the cloud. We we had some innovative network engineers who figured out how to how to plum that data across across Azure's cloud such that it was our backbone for moving data worldwide.
And it it, it was accelerated what was going to be about, about a six months project on was that March 12th, 2020, when we all went home. It ended up being completed in a month. And so by the beginning of April we had that up and running and we got everybody migrated to it fairly quickly.
And we had a few issues here and there, but overall it worked well. And you know, again, it was, it. Enabling the users to get to what they needed to get to, but still being able to monitor what they were doing and take action when necessary. And we were just well positioned for
Neal: So quick question then on that you mentioned the magic word that I think everybody think solves a lot of these issues. VPN
On that note as part of this transition process, did you do away with VPN in a grand scale for these remote workers or is it still part of the micro processes into those other segmented areas?
Bryan: Today, it's still part of the micro processes. There are several very specific processes that require to be connected to our network at the moment. What I see is in the next year, though we're going to be down to a very small set of processes that need to be connected. And once we do that, once we get to that point in our journey, That's where we will start looking at tools like sassy, right?
Because the licensing costs for sassy across my entire user base, that doesn't work. But the licensing costs for a very small user base use with it. That makes sense. And the controls that it provides, because the processes that I'm focused on here are kind of are more sensitive process.
And having that additional that additional security, additional monitoring that sassy provides. I is very interesting in that space.
Neal: No, that makes sense. No, that's good. Like I said, a lot of people tend to think somehow VPN is part of the larger picture. And I think what some people are realizing, especially in a remote work world at home, all that fun stuff. To your point, VPN is still probably a part of the solution in general, at least an added layer, but it's not the layer that everybody thinks it is.
You know, it's still, there's still a lot of things that have to go. Under today's standards prior to zero trust constructs for that to still be what it is and secure. And so now it's good to see. I like to get those thoughts personally, on that, as you know, as we consistently move further out from a remote workforce, even post COVID still.
So thank you.
Elliot: Very cool. Yeah, I totally agree with what Neil saying here. I think that's a lot of what we're seeing too is. it's impossible to do any kind of rip and replace anyways, for any kind of technology, especially something like VPN. Now, does it make sense to call VPN technology zero trust or aligning with zero trust?
Probably not. I know there are some companies that definitely like to do that. They might be on the first page at Google. But yeah there's a lot of that marketing fluff out there.
Bryan: The there is, you know, the thing with VPN, it's not that VPN couldn't fully implement zero trust. The question is what is the management overhead to make that really a micro segmentation type technology for your user. and that's really, the challenge is working through that, managing that dealing with, you know, you, if you have 8,000 users, 10,000 users, you're always gonna have probably 10% of them who have unique use cases of things they need to do that's outside the norm of the personas that you might set up in an environment.
So the challenge with VPN is it doesn. I'm sure tomorrow somebody will call me with a tool. That'll help me profile. Exactly. Who's connecting to what? So I can go configure VPN groups properly to do that. But that is where I see sassy playing a better role. Right. They built that into the product and it's better positioned with the right tools to help you go and create those segmentations.
Elliot: Yeah, I totally agree. I mean, I think whether you want to call it zero trust, network access or software defined perimeter, that's definitely baked into that sassy solution, which will help get organizations there. I. The other point that you highlighted is it is sort of designed for enterprise organizations, but it is also a little over bloated for some the smaller shops.
So even if they could necessarily afford it, you know, they don't have the resources internally to actually run the system. They'll just use like pieces of it. So I think technologically I mean, some of the information that we need is out there, but back to the VPN side, Neil and I were having a conversation recently, it might have been in our last episode, but if we look at least privilege access, I mean, if you really wanted to get to the bottom of it, to the concept, you almost have to create like a.
Thumbprint or fingerprint of the actual person, their user to get down to that level of granular information. This is a little bit over my head, but that's where I can punt it to Neil on how that works.
Neal: Yeah, that, so the question, Brian. Last episode, we talked a little bit about biometric E type user fingerprinting user based metrics, right? And the whole password list construct that's coming down for the last now seems 10 plus years people been trying to sales pitch it. I personally see a world where that makes sense on certain things.
But at the same vein, like you mentioned, you build a better mouse trap, you get better mice. But that, that being mentioned, do you see kind of an echelon approach? To start doing that fingerprinting of the user at a more granular level, how is their typing speed? What's their offset key space.
Although those are the fun things that make up that constructive passwordless security, even in the device realm too. Right? Cuz you can do that for devices as well.
Bryan: You can. I mean, you're really getting into that user behavior analytics and understanding exactly what they do in their. And of course, when you do that fingerprinting, you're assuming a bad, actor's not on your network first. And so there's tools out there to do that. The, I guess I would go back to, they're not always cost effective and there's always going to be exceptions.
And so therefore you have to continue managing to the exception and. What we've been working on is kind of slightly different. So we established a data governance group within within likes markets. It's not just group it's a program. And you know, for obvious reasons, if you look at any organization, that's going to be com compliant with GDPR.
You have to look. Where's your data who has access to your data et cetera. So we established a data governance program, and one of the key things that we put in place were data stewards within the organization and the data stewards. They were responsible for one looking at our chief privacy officers policies.
And making sure that it applied to the data that they were responsible for. And then second looking at the contractual requirements that we get from our customers around their data. And these stewards should know when within their purview what data might be customer data versus what data might just be, you know, Lexmark data.
and when we have specific requirements for those customers, they may have to further implement policies around that. And then the kicker with this comes back to process and that's that the stewards are responsible for determining who has access to that data and doing a re-validation process on a regular cadence for access to that data.
We do that at a application level. We do that at a access to the application level. And then as you, you know, as you imagine someone going to a Sasse, then you're gonna again do it at a network level. We're not there yet. As I mentioned before, we're not in a Sasse, but we are absolutely doing it an application and access level on a regular cadence for, and it depends on the data, right?
The classification of the data is what kicks it all. In terms of what level and how often that you do your re-validation, but that's kind of critical with all of this. And I bring that up because even if I get a technology tool out there to go and do this for me, I still need someone out there who understands.
Contractually what's proper what's appropriate. And looks at job for instance, looks at job descriptions and understands. Should this job description have access to this type of data? A tool's not going to do that for me, at least not today day.
Neal: Yeah. I mean, those are good points. Our back within itself is a, it's a good thing, but you're right. There's a lot that goes into making sure that you have all those data access controls and privacy things. And I being American, my brain always forgets about GDPR. And I also don't live in California.
So I don't think about that much either, but you're right. That is an interesting thing. And not sure how much you can talk to it or not, but you're the first person we've talked with so far that has to worry about corporate. As much as consumer data from a services offering, like you mentioned at the beginning y'all's network, isn't just your corporation, right?
It's potentially millions of devices and users that aren't your employee base that you have to worry about. And that's a whole nother layer of complexity. I imagine aside from just how you segment it, but also monitor, manage and form that trust bond for what you're doing with those devices and vice versa, how they accept it.
Right. So I'm kind of curious. If you're able to talk to it, some of the aspects that go into play on that consumer layer side of the house.
Bryan: well, I actually have one correction for your view. Lexmark, our primary path to market is B. And so we don't have that much direct consumer data like it, you know, if you go to Lowe's or home Depot, right. You've set up an account with them and they have lots of data about you, including credit card information, et cetera.
Because, you know, I it's interesting. Every time I check out, right, it says, Hey, do you wanna send your receipt to your personal email? And which is nice, but it just shows the amount of data and the amount of correlation they've done between everything you do there. I don't have that because we're B2B, almost all of our contracts are with other businesses.
But still because we're dealing with numerous verticals, I'm dealing with direct contracts with government, with healthcare, with retail you know, all of those, we've seen them all in the news at some point or another. Most of them are housing, some type of sensitive data. So from that aspect, we have to be able to demonstrate.
Whether it's the devices that we put into their environment have been hardened and secured. And we are supporting them in the sense that we're providing patches to the customer, to to allow them to harden that device and the configuration of the configurability to harden that device, to to the data collections that we do from those devices.
We we need to be able to demonstrate. Those systems are hardened and that we have the right controls to ensure that we haven't created a back door back into their environment, right. That is a daily conversation that we have with our customers. And it's a focus, a strong focus on my team to make sure that every one of those applications that is supporting our customer that we're able to.
To closely monitor and that we know that it's been hardened appropriately. So that's a, that is a critical part of it. But, you know, to your point, GDPR plays into that. I need to know process flows. I need to know for this process, what kind of data is flowing from this system to that system, to the next.
And who has control over that data to make sure that it's still complying with the data stewards policy as it relates to the data.
Elliot: might even be good to highlight the. The conversation that you and I had before, obviously we hit record, but I think we were chatting about opt after. I know I'm gonna mess up concept cause I don't really have a good background on it. But to my understanding, it is a self-managed IOT platform that you all provide to your customers.
So that might be a good focal point and example kind of highlight how you basically provide that and secure that. And I guess, establish trust around.
Bryan: Yeah. So I'll explain Opta just a little more opt ultra is it's. It's an interesting swing of business for. Where I described it before we have managed print services offerings that we've offered our customers for a long time, where we're able to collect the data off the devices, which as Neil, as you described earlier, printers being kind of that original IOT device.
So we've actively collected data off of those devices. And then we've run analytics on that to go and detect when a device is going to fail ahead of time. So we can get a service person out proactively. Well, we've taken that platform and we've genericized it such. New customers can quickly scale their ability to collect data off of their systems.
You know, you think of lots of equipment that's out there, whether it's engines or x-rays, or, you know, manufacturing equipment, whatever it may be that. Has sensors on it. It's just not connected in any way for a a big data analytics engine to go process that and provide intelligence to help your business process and optimize your business process.
So we now have made that available and this. This really gets back to what I was talking about early in my development career, where we have a security development life cycle and in that security development life cycle of course it started with training and of the developers to know how to develop something, but there's gates within that process from.
What are the requirements and how do the requirements fit in with the security needs of the organization to I'm pulling in open source code. And have I looked at that open source for, is it a actively maintained? Does it have vulnerabilities on it? And let's make sure we're using actively maintain packages in the product that we're building to the analysis of the code that you're developing and looking at that static code analysis to just the feature set, right?
The. Am I offering the right encryption algorithms. Am I offering the right transport algorithms and protocols that would meet the requirements of any secure organization. And that journey, not only have we done it on the printers, but the, this new offering, the opt, your offering, both the the cloud offering, which is the data collection side of it.
And then there's another offering called an edge device, which is which is a compute platform where it can collect data off the edge and then push it up into into your cloud data collector and or thera as we call the opt ultra. all of those have gone through the exact same security development life cycle process in the exact same checkpoints and gates to ensure that we are delivering a trustworthy product to the to the customer.
And then an additional part of it was was our supply chain. You know, if you guys have read the news about You know, the us government being very concerned about tampering with electronics, right. We have been very involved with with, of course their concerns and the potential potential regulatory requirements.
They're looking at, putting in place. And so our response to that has been to implement a holistic supply chain security program where it was a program partnership between R and D supply chain and the it organization, my group to. Look at everything from how do you know the components that you're picking out to go in, into a, an embedded system are authentic and they haven't been tampered with, to analyzing the overall design of the hardware to make sure it's been hardened properly to I've gone to this contract manufacturer and what's their inspection process on the components that come in the line.
What are their controls to make sure that somebody doesn't tamper with. With the controller card manufacturing process to validation at the end of the line that it hasn't been tampered with two, I ship it. And how do I know somebody did get into the container and go and modify it in the container?
And so that's been a holistic program that we put into our printer manufacturing process and development process to the new edge device as well. So again, it's. All of this is to give the customer confidence that we are delivering an authentic and trustworthy device. And and that's critical.
And not only is it just the authentic and trustworthy, but we're gonna continue to stand behind it. And we're going to continue sending you updates and maintain this thing. So that, that when the next log four J comes. You have something you, you know, we're gonna be right there with something for you to get that hatched.
Neal: So quick curiosity question that the Intel analyst me wants to ask needs to ask this tool offering that you're talking about ultra. Is this collecting more system logs in the sense of what's going on specifically with how the device is operating along with a, like the things you need to make your service offering back to those devices, or is it also capable of collecting more security based function type log sets?
I could I take that data and use it to go do some kind of security research against my tooling that you've provided me an output?
Bryan: Well, the beauty of the platform is it'll do what you want. It's a platform.
Neal: Like that answer.
Bryan: the you know, the, our use case has been capturing more sensor level data. and then doing the analysis on the sensor level data or logs that come off the device and analyzing the logs themselves. But it depends on the customer, what the customer has available in terms of the sensor data that you can collect off of it.
And then of course the magic isn't, I mean, there's magic in the data collection, but the real magic is that the. The business process that you're able to help enable for them by analyzing that data that you're collecting and hopefully optimizing their business process to make it make for their customer, make it a better overall experience for them.
Elliot: Being in your position, having a global footprint, obviously there's a lot of different inner conversations, but curious what threat intelligence sharing might look like for you and your organization.
Do you work internally with certain groups or do you work with ISX? You know, how are you sort of tapping into that evolving shifting L.
Bryan: We we tap in anywhere we can honestly. So my team is is a worldwide organization. And so between my team and the it team, the R and D team, the supply chain team and the legal team on top of that. We are regularly looking at whether it's changes in regulation, changes in changes in policy.
I mean, I just got someone walking down the hall the other day, they said, Hey, I see Nancy, Pelosi's gone to Taiwan. Have we looked at have we looked at if we've been getting more attacks because of it, right? It is a regular communication internally about it, but externally We have been tapping into lots of things, CSA.
I'm glad the us has finally set up CSA. That has been a, that has been a an awesome use of tax dollars. We we also tap into podcast. We tap into threat feeds. I mean, there. There are sands, you know, storm center. They are an excellent daily feed of things that are going on for us to go look at and analyze.
We have we have a group just that, that monitors the security news, and we're constantly looking at that to figure out what's going on. So it is a, it's a constant group process. And. It kind of has to be because everybody has their sort of. Angle that they're looking at things. And within my group, one of the things that has really made us I would say effective has been the diversity of view and diversity of business experience that has gone into the organization.
You know, you heard about me, I'm from R and D. I've got people on my team that are from internal audit. I've got people on my team that are from services. And when they go look at all the threat and tell that we're looking at, they all kind of have different alarms that sort of go off and go, Hey, we might wanna go look over here because of this that's going on.
And so that's it's been a collective.
Neal: Elliott's POA in my day to day, I do a lot of things with ISAC and ISOs and collaboration. I also get up on stage at conferences and yell at people for not collaborating a lot. But yeah I just think to your point though, the diversity of. The persons in the mix that to me is the biggest impact around what we're doing in a security organization.
So whether it's adopting zero trust mentality, or whatever that means, or whether it's growing some other direction, knowing that somewhere in the org, there's people who potentially have an opposing viewpoint around something and being able to have that discussion is very important as we grow and having an open mind for that.
That, that's the thing that I like to do as an Intel analyst and whether I believe it or not I'll always come speculative and play devil's. Even if
Bryan: And you should.
Elliot: thank you so much for that. I think just wanted to bring us background towards zero trust. So obviously our listeners know that we like to go off on tangents in many different directions, but you know, to focus, but back in on zero trust.
It sounds like over from the last 25 years and really in your role as a CISO, a lot of what you've been doing has been adopting and taking what is now repackaged as your trust today. Whether we're calling it a framework or a concept strategy certainly not just technology. I think that is of importance to highlight.
You're taking natural progression and a lot of organizations in your footsteps are doing the same as well. So I'd just love your general take on how you feel. The organization is aligning with some of the principles that you see as far as zero trust goes. And if you feel that it is sort of like a repackaging, if.
Bryan: And I agree. It very much is a repackaging. When Forrester first came out with zero trust it, it seemed novel, but then once you dug in it, it made a lot of sense. And it still, as I said earlier, it still. In principle, what we look at in our strategy, but it gets a lot more detailed as you get into your implementation.
And that's where, you know, if I were an organization especially smaller organizations, that's C I S a team I would live and die by it. It is,
It is an excellent framework for someone to to secure their organiz.
Elliot: Perfect. Yeah, actually that gives me one final question. If anyone was interested in getting started or learning about zero trust, do you have any particular points that you'd like to direct them towards if it's CISA's? I think they have a maturity model NIST and a bunch of other
Bryan: one as well. Yeah. You know, I love NIST it can be dry reading sometimes. But it's very thorough. It can, it just can be dry. You know, CISA is good. NIST is good. What I find is A lot of that material. I honestly, all of that material can be very dry. I if you go back and look at some of the other best practices and then you go look at zero trust in terms of just the overall framework I think you get the point of zero trust, but then you get back to the practicality of what am I gonna go implement in, in what order?
That's what I would direct people to do is, you know, again, advertising C I S 18. It is a great framework. And it's not the only one we use. We're ISO 27,001. We're so two we're we use the N CSF as well, but sometimes in terms of communicating to your organization, something like a C I S 18, just makes it easier to communi.
Elliot: Well, excellent. I think that actually gives about as much information that as I can pull outta your head for. I really appreciate you being able to cover us across the spectrum from being able to speak to this from a business aspect, not just the nitty gritty, granular stuff that we usually jump into.
So thank you so much for sharing your insight and your expertise here. Neil and I both greatly appreciate.
Bryan: Yeah. Thank you guys. Thank you for having me.
Neal: That's been a great conversation, Brian. I appreci.
Elliot: All right. Well, that is our episode here. So thank you again for listening and maybe watching as always, we will be back in two weeks with another episode. Thank you all so much.