Embracing New Technologies with a Security-First Mindset Analyst Chat 216


Matthias: Welcome to the KuppingerCole Analyst Chat. I'm your host. My name is Matthias Reinwarth. I'm an Analyst and Advisor with KuppingerCole Analysts. My guest today is Alexei Balaganski. He is a Lead Analyst with KuppingerCole and he is our CTO. Hi Alexei, good to have you back.

Alexei: Hello, Matthias, thanks for having me again. And I guess I have to apologize, as I am suffering from a terrible cold today, so if I sound weird, just let me know, please.

Matthias: Our technology will fix that. We have an AI filter also for audio, so that won't be an issue. But we want to have a quick discussion, a bit more philosophical discussion around the nature of cybersecurity in general and how we as analysts and maybe you as the audience, as users, as end users, as vendors should have a maybe slightly different look at the landscape of cybersecurity. You've been traveling a lot recently, you've been visiting other events apart from the important ones, EIC and cyberevolution, of course, and you had a new, updated look at what happens in technology, in cybersecurity, in the way we are doing IT in general. And that made you reach out to me and talk to me and to the audience about what's happening right now. What was your starting point to say, okay, we need to... maybe reconsider cybersecurity and IT in general a bit?

Alexei: Right, right. Well, obviously, the billion-dollar question is: we spend so much money, we, I mean, collectively, the humankind, the entire industry, so much money on cybersecurity tools and solutions, and yet the situation doesn't seem to be improving. I mean, the breaches are only increasing, and they happen more often, and they cost a lot more nowadays. So why are we not getting the results we are looking for? Maybe, just maybe, we are doing something wrong, and by "we" I mean again, kind of collectively, the entirety of all the IT and cybersecurity specialists around the world, including of course analysts like us. And yes, you are right, for me this big aha moment was at one of those conferences I have attended earlier this year. Specifically, it was the KubeCon in Paris back in March, and it got me thinking. I mean, usually our job as KuppingerCole Analysts, for example, would be something like, that something we would take pride in is knowing every relevant vendor in the cybersecurity industry, right? And people would come to us just because we know every relevant vendor. And I think it's actually a pretty limited approach towards the entire cybersecurity as a philosophical concept, if you will, because if we only know the tools, if we only can help our customers to find the best fitting tool to solve a specific issue, we are always at least one step behind the hackers. We are always reacting, we are always responding to an existing risk using an existing tool, and we are not looking too far into the future. And... again, what made me think that way, because most of the things I've seen at KubeCon and some other similar events around the world, at least those companies, those scientists, they never had security in mind. What they are doing, they are basically designing the future of the entire IT industry for the next two years and more. And of course, this includes AI, generative AI tools, the cloud native tools, the multi-cloud and hybrid architectures and containers and Kubernetes and next generation networking and whatnot. None of those technologies are specifically marketed or even described as having anything to do with security. And yet they are. I mean, they do have everything to do with the security of our collective future. So maybe, just maybe, we are looking at this whole thing from a slightly incorrect perspective.

Matthias: Does that mean that the issue is on our side, or should that also... We have been talking about this security by design, security by default aspect for quite some time. When somewhere, as presented at these events that you just mentioned, new technology is developed, introduced, presented, implemented, shouldn't we assume that security by default, by design should be implemented there? Of course, we need to have a look at that. We need to be prepared for that, not only retrospectively acting towards what has happened already, but shouldn't that be a joint effort from those who do the technology development and us doing the cybersecurity development?

Alexei: And again, Matthias, you are, of course, absolutely correct in that assumption, but you are looking at it from the wrong end, if you will. I mean, in real life, this whole development happened for one reason only. There are businesses out there which demand new capabilities, new solutions for their new business issues. The company wants to run more applications on the infrastructure and they, for example, would go out and look what's there in the academic world of the cloud technology, and they would find something like, for example, I've seen a really curious and interesting solution which we could describe as serverless Kubernetes workloads running on the WebAssembly language. We probably don't have to dive deeply into the technical intricacies of this, but the point is someone has invented the way to run many more applications on the same server infrastructure than traditional Kubernetes and containers. A company would even say they can run like 50 times more apps, meaning that in theory you can save up to 50 times more in your infrastructure cost. Awesome. Every business would jump immediately onto this opportunity. Have they ever considered security issues of those new technologies? Never. They don't care. They only want to save money. And the guys who have developed this technology, they probably care about security a little bit more because they know about it a little bit more. But for them, it's also not a priority because their engineers are busy fixing bugs and improving performance and making it a sellable product. The question is who is going to be this force, this pressure, making all those stakeholders involved in this new technology stop, sit down and discuss security and consider the implications and new risks and maybe just imagine what would happen if 50 of your applications would be compromised with the same vulnerability instead of one. It would also cost 50 times more in non-compliance fees, for example. The question is, who is responsible for that? Is it me, an analyst? Is it you, a consultant, an advisor? Is it the vendor? Is it the customer, a journalist, a government official regulating us all? I don't have an answer for that. Probably everyone. The question is, like, what can we do on our end to raise this awareness, to connect those people, to involve the real security guys who actually do care about security and know about it and can anticipate some of those issues in advance, to sit down together with those innovative vendors and talk about their issues. That's a million dollar question.

Matthias: Right, but when we look again, that might be the wrong angle. If we look at what we are doing when it comes to projects, when it comes to looking at commercial environments where these solutions are actually in use right now, if we look at that, we come across lots of regulations. So having cybersecurity governance, compliance and proper mitigating measures for all types of risks, be they cybersecurity or compliance, making that properly, achieving that properly is one of the key issues. And I think many organizations just want to avoid what you just said. So going for the actual benefit, having more applications around, scaling up quickly, saving money, when that actually means falling into non-compliance, when it comes to falling for high fees, when it comes to being in the press or losing data in a situation where they did not expect that. So... I know this is the analyst preaching and I know that this is this retrospective or more regulation fee discussion, but in the end, this still holds true. So why aren't these technology vendors thinking of cybersecurity at the same moment as they are describing new scalable, new sexy technologies?

Alexei: Well, I guess if we knew the answer to this question, we would be the benevolent leaders of the entire world. Unfortunately, we are not. And yes, well, I guess the underlying core problem is that for the majority of the businesses around the world, security is just a nuisance. They do not want to think about it. They do not want to invest into it. And the only reason they would gradually even spend some money on cybersecurity is because the compliance auditors tell them, right? So security sucks, security costs money, it doesn't bring any return on investment, at least that's how most people think. So yes, selling security is extremely difficult, but we have to understand, even though people do not care about security, or at least they do not care about cybersecurity, they do care a lot about being secure and safe. I guess it's just a fundamental misunderstanding, and us analysts and them vendors and the customers are there speaking different languages, because of course nobody wants to be hacked. Of course nobody wants to be caught in a non-compliance lawsuit or whatever, hit by a regulation. They... But again, they want to earn more money because this is something which every business understands. This is tangible. Wow, this thing, I buy it today and I can save 50 times more money in comparison to an existing technology. Awesome. Give me two of those, maybe even 20. And understanding that this can actually cause some security issues in the future only comes too late usually. The question is who has to tell them? Who has to explain to them that there are those issues? And those issues are actually solvable, they are addressable. Either through an improvement directly in the product, or maybe through some compensating controls, or maybe even a boring security tool, or maybe just a change in the policy. Because again, for example, we are talking a lot about Zero Trust. And again, we are talking a lot that Zero Trust is not a tool. It's not a product, it's just a different mindset. And it's actually very easy to implement if you are ready to do it consistently. I guess the same has to be somehow invented for all these new cloud-native technologies, for example, or for AI technologies coming further in the future. Someone has to come up with this great short list of rules, how to do... again, not how to do cybersecurity for AI or cybersecurity for multi-cloud, but how to do AI securely and how to do multi-clouds securely. And this is a minor change in semantics, but it's a huge difference in the ability to actually explain and sell it to end users, I guess.

Matthias: But if we look at that from that angle, could that mean that this is not necessarily an issue for the technology developing community, but it's an issue of the architects that combine all these Lego blocks of architectural building blocks for multi-cloud, for whatever you've mentioned right now, and even those technologies that we've used before or still are using right now, retrospectively looking at this as an analyst. Combining all of this into actual tangible real-life architectures. Shouldn't that then be the issue of the architect to combine existing and new security technologies together with these new shiny sexy technologies that come with the promise of more performance, greener, more ecological, leveraging of resources, et cetera, et cetera? Is this an architecture problem?

Alexei: You are hitting the point, right there, Matthias. Of course it's an architecture problem. The question is who is supposed to design such an architecture and who can design such an architecture? Can you? Can a CISO of a bank do it? Does every CISO of every bank... are they supposed to do that separately? Never talking to each other and never asking an expert like us or a vendor directly to help them? Probably not. It's a lot of reinventing the wheel over and over again. So I guess the biggest thing that's lacking is basically communication and awareness, again and again. Someone has to bring it up. Someone has to bring all the right people to the same table for a discussion. And someone has to invent best practices, and someone has to test those best practices, maybe with their own mistakes, and share those findings from their own mistakes, and step by step it will come to a common blueprint for such an architecture. The question is, well, who and when and where? And I imagine that one of the better places to do this kind of discussions is again, attending the right event, the right kind of conference. You mentioned our own EIC briefly, but that's exactly the place where you probably should go to meet the right people if you are specifically looking for best practices and new architectures for, obviously, identity and cloud, because that's right in the name. Or perhaps we are not yet ready to offer you like a 100% AI-focused conference, but we will be talking about AI and securing AIs as well. So yes, absolutely. We welcome everyone to participate in such a discussion. We can serve as moderators and as neutral and still highly opinionated people to basically say, yes, your idea looks great, and no, your idea lacks in a specific area. And hopefully in the end, someone will come up with such an architecture.

Matthias: Right, and I think what you said is absolutely true. While we are talking, people are inventing technologies for the next 10 years and they are already there. They are in tests, they are in production. They need to be integrated into an overall architecture that claims to be secure and is secure and is designed to be secure. And as you said, we need to foster that communication between the experts of different areas. It's great that these people invent these new technologies because they will be the foundation for next years, for in two years, the infrastructures that we will be using, and leverage that with this explosion of new services that we expect to happen. But the communication part is really of importance. EIC, cyberevolution, of course, are important building blocks, but just making people talk to each other, be these forums, be these industry associations where you can talk to each other. We will see at EIC that eIDAS 2.0 will take shape and form and will really take a vital role in real life. This is an example of where this happens just right now. But the next step should be and is expected to be that we as analysts, but everybody in their individual roles, vendors, end users, architects, technology providers really work together in making that not only shiny, performant, ecologically interesting, but also safe and secure.

Alexei: Right. Well, you know, as Lewis Carroll said over 100 years ago, "Now, here, you see, it takes all the running you can do to keep in the same place. If you want to get somewhere else, you must run at least twice as fast as that." And nowhere does it apply more than in the IT industry today, because if you just want to stay relevant, you have to run as fast as you can. And if you want to actually achieve something, like better security for your business or a more sophisticated and optimized architecture blueprint or just a better product, you have to constantly continue your own education. And you cannot do it alone. You have to do it in groups, in communities, in the right venues and forums and, as you just said, conferences. So absolutely, this should be the top priority of every IT expert, regardless of whether they consider themselves being involved in cybersecurity or not. So leave your ivory tower, go out for work, meet new people, learn about new technologies, even if they sound completely futuristic today, like quantum and next generation large language models and whatever, serverless WebAssembly Kubernetes workloads. Those things do already exist and they already do work. So there are probably people out there buying those tools, completely oblivious to the new risks and threats of the... Because yeah, the hackers are also out there buying the same tools and they know much better how to abuse those tools. So you have to be running all the time just to keep up with them. And well, join us in this marathon, I guess. You are very welcome.

Matthias: Absolutely. Thank you very much, Alexei, for highlighting this and for actually doing that already great summary. So really we need to do this. And as a side note, this really enables us to have a look at all these new technologies, which are really fascinating. So there are lots of interesting technologies around that are really worth having a look at beyond what we've been talking about the last four years. So there's more to come. We need to make this right. We need to make this properly. And we need to make that secure. But in the end, we are also exposed to really nice new technologies. Meeting at EIC, of course, is an important part. EIC will be from the 4th to the 7th of June this year in Berlin at Berlin Alexanderplatz at the conference center. And I'm really looking forward to meeting all these interesting people there, also these people that come with these new technologies. And let's hope that we as analysts, that we as advisors can play our role, our part in making these new technologies also more secure and not only looking back at technologies that have been around for 10, 12, 15 years already. Thanks, Alexei, for being my guest today. Any final words that you would like to highlight when it comes to these new technologies?

Alexei: Again, never stop learning. Absolutely come visit us at our events, but also consider going to completely new ones which you have not visited before, be it a security event like RSA or a cloud conference like KubeCon or something else entirely. If it's even remotely relevant for your current and future business plans, absolutely go there and educate, educate, educate yourself as much as you can.

Matthias: Thanks, Alexei, for being my guest today. Looking forward to having you as a guest in this podcast again. And really looking forward to learning more from your perspective when it comes to this in-depth cybersecurity knowledge that you have. Looking forward to having you again. Thanks, Alexei.

Alexei: Thank you, Matthias, and thanks everyone. Bye bye.

2024-06-03
