1
00:00:09,700 --> 00:00:12,500
You're listening to the Identity
at the Center podcast.

2
00:00:12,800 --> 00:00:15,600
This is a show that talks about 
identity and access management 

3
00:00:15,700 --> 00:00:18,600
and making sure you know who has
access to what let's get 

4
00:00:18,600 --> 00:00:27,100
started. 
Welcome to the Identity at

5
00:00:27,100 --> 00:00:29,400
the Center podcast. I'm Jeff.
And that's Jim. 

6
00:00:29,400 --> 00:00:31,900
Hey, Jim. 
Hey, Jeff, how are you? 

7
00:00:32,200 --> 00:00:34,600
Oh, not so bad yourself. 
Good good. 

8
00:00:34,600 --> 00:00:38,600
I feel like we've been looking 
at each other, on our web cams 

9
00:00:38,600 --> 00:00:41,100
pretty much all day today. 
We did our livestream this 

10
00:00:41,100 --> 00:00:46,100
morning. 
So, I guess a week ago, by the

11
00:00:46,100 --> 00:00:50,400
time, people are listening to 
this, it talked about our guests

12
00:00:50,400 --> 00:00:52,900
today. 
I'm very excited to get into 

13
00:00:52,900 --> 00:00:54,900
this DevSecOps
arena.

14
00:00:55,800 --> 00:01:00,900
But before we go down down that 
route, I wanted to talk to you 

15
00:01:00,900 --> 00:01:05,300
about a meeting that we just had
and a question that came up. 

16
00:01:05,300 --> 00:01:11,800
So we recommended to a client
that they put together some 

17
00:01:11,800 --> 00:01:17,100
training on how to use their 
their IGA system, right? 

18
00:01:17,100 --> 00:01:20,900
Because one of the main pieces 
of feedback we got during our 

19
00:01:20,900 --> 00:01:26,600
workshops was that People didn't
know that they could do certain 

20
00:01:26,600 --> 00:01:29,700
things in the tool that they 
could actually do, right? 

21
00:01:29,700 --> 00:01:33,700
So capability, existed, these 
folks have been living without 

22
00:01:33,700 --> 00:01:36,400
it. 
So our recommendation was to 

23
00:01:37,300 --> 00:01:41,400
train people up on that, but 
that's kind of a that's like a 

24
00:01:41,400 --> 00:01:43,700
big thing, right? 
Like, so how do you go about 

25
00:01:43,700 --> 00:01:46,400
doing that training? 
Where do you start? 

26
00:01:46,400 --> 00:01:48,600
How much do you do? 
What was your thought? 

27
00:01:48,600 --> 00:01:50,400
As we were having that 
conversation? 

28
00:01:50,900 --> 00:01:53,500
Yeah, I thought it was 
interesting because my mind 

29
00:01:53,500 --> 00:01:56,500
immediately went to how much
training do

30
00:01:56,500 --> 00:01:58,900
you actually need to put out
there if the process is good 

31
00:01:59,400 --> 00:02:02,200
like, and I always use the 
example but Amazon's like a 

32
00:02:02,208 --> 00:02:04,800
perfect version of that, 
everyone knows how to spend 

33
00:02:04,800 --> 00:02:07,100
money on Amazon. 
I didn't take a class on how to 

34
00:02:07,100 --> 00:02:09,600
search for things and find what 
I want. 

35
00:02:09,600 --> 00:02:12,100
Add to a cart, you know, and
buy it. 

36
00:02:12,400 --> 00:02:14,800
It's just a process and a flow
that makes sense in this work 

37
00:02:15,100 --> 00:02:17,100
and works. 
I think, in the case of 

38
00:02:17,100 --> 00:02:19,700
identity, there's clearly going 
to be some training that needs 

39
00:02:19,700 --> 00:02:22,600
to be done. 
But I always would I would take 

40
00:02:22,600 --> 00:02:25,800
a step back and just like okay 
how is this actually working,

41
00:02:25,800 --> 00:02:28,200
like, does this make sense?
Are we asking stupid questions 

42
00:02:28,200 --> 00:02:33,700
that we don't need to ask? Is the
data on the screen relevant to

43
00:02:33,700 --> 00:02:35,100
whatever is we're trying to get 
done? 

44
00:02:35,600 --> 00:02:38,400
You know the probably the 
classic example is like access 

45
00:02:38,400 --> 00:02:40,900
requests. 
I need to request access to this

46
00:02:40,900 --> 00:02:46,500
thing and it's obscured or 
obfuscated by some weird, IT-

47
00:02:46,500 --> 00:02:49,300
sounding Active Directory group
name that someone came up with

48
00:02:49,300 --> 00:02:53,400
like 20 years ago and morphed
into like, oh, this is the, you 

49
00:02:53,400 --> 00:02:56,700
know, the access that gives you
marketing and admin access on 

50
00:02:56,700 --> 00:02:59,600
the Azure instance, like, okay, 
that totally makes sense. 

51
00:03:00,000 --> 00:03:03,300
So I like I think about it very 
critically because I think this 

52
00:03:03,300 --> 00:03:07,000
is like one of my true passions 
on the identity side is the 

53
00:03:07,000 --> 00:03:09,800
customer experience. 
Like if you had to do a lot of 

54
00:03:09,800 --> 00:03:13,200
training, you gotta really 
rethink is it's the way you're 

55
00:03:13,200 --> 00:03:16,400
presenting the customer to make 
sense and then once you get to 

56
00:03:16,400 --> 00:03:18,700
where you think you're going 
with that, you know, hit it from

57
00:03:18,700 --> 00:03:20,800
a bunch of different spots: lunch and
learns,

58
00:03:21,100 --> 00:03:24,400
videos, documentation.
I think people learn different 

59
00:03:24,400 --> 00:03:29,400
ways, you know, have have a few 
options, but I think personally,

60
00:03:29,400 --> 00:03:31,900
I would start with, you know, 
why do we need to do the

61
00:03:31,900 --> 00:03:34,900
training in the first place?
Yeah, that's a really 

62
00:03:34,900 --> 00:03:40,400
interesting viewpoint.
I think one of the things that 

63
00:03:41,900 --> 00:03:47,400
the IGA platform for this
particular organization is

64
00:03:47,400 --> 00:03:51,800
designed so that one hundred
percent of the time you have 100%

65
00:03:51,800 --> 00:03:55,500
of the options. 
And so I think if they brought 

66
00:03:55,500 --> 00:03:59,300
people in and said, look, here's
the happy path and it's very 

67
00:03:59,300 --> 00:04:01,000
simple. 
And it's going to work 80 

68
00:04:01,000 --> 00:04:04,500
percent of the time, 20% of the 
time, you might need to go down 

69
00:04:04,500 --> 00:04:09,300
the path where every option's
available that would take care 

70
00:04:09,300 --> 00:04:12,100
of a lot of the problems. 
Yeah, I feel like this is a 

71
00:04:12,100 --> 00:04:16,500
situation where you want to put 
people on a rails experience as 

72
00:04:16,500 --> 00:04:19,100
much as you can, you know, maybe
it's a rollercoaster, hopefully 

73
00:04:19,100 --> 00:04:22,700
maybe it's not as exciting. 
From an access perspective but 

74
00:04:22,700 --> 00:04:27,200
you know there's a defined path 
and sometimes having too much 

75
00:04:27,300 --> 00:04:32,200
control or power over that or 
even just choices in general can

76
00:04:32,700 --> 00:04:36,800
really kind of impact the 
overall service and yeah the 

77
00:04:36,808 --> 00:04:38,400
usability of it right. 
We're not. 

78
00:04:38,500 --> 00:04:41,100
I know I think there's somewhere
in between the Borg and everyone

79
00:04:41,100 --> 00:04:44,100
doing the same thing. 
And you know I'm trying to think

80
00:04:44,100 --> 00:04:46,500
like who would be more free you 
know freewheeling like where 

81
00:04:46,500 --> 00:04:49,000
everybody kind of whatever you 
want Q I guess would be the 

82
00:04:49,000 --> 00:04:51,600
other one we just kind of do it.
Does whatever you Yes, that's a 

83
00:04:51,608 --> 00:04:54,500
Star Trek: The Next
Generation reference. 

84
00:04:54,500 --> 00:04:58,000
So that's something right? 
Yeah, no. 

85
00:04:58,000 --> 00:05:03,400
I mean, you know I and I think 
the folks at this client had put

86
00:05:03,400 --> 00:05:08,200
a lot of effort into written 
documentation and putting you 

87
00:05:08,200 --> 00:05:13,600
know, notes in red, you know,
red block of text and people 

88
00:05:13,600 --> 00:05:16,300
don't even see it and they're 
not going to take time to read 

89
00:05:16,300 --> 00:05:19,600
the document. 
So you're right it has to be 

90
00:05:19,600 --> 00:05:22,400
easy. 
But Then on top of that 

91
00:05:22,500 --> 00:05:26,300
understanding, someone's not 
going to read a 20-page word doc

92
00:05:26,300 --> 00:05:30,300
with a bunch of screenshots. 
Maybe a video would work better.

93
00:05:30,700 --> 00:05:32,300
Yeah, for sure. 
I know I've done videos in the

94
00:05:32,300 --> 00:05:35,800
past when I did roll out of an 
access request was, here's how 

95
00:05:35,800 --> 00:05:38,300
to use it. 
Did screen, share, you know, 

96
00:05:38,400 --> 00:05:41,700
screen recording. 
Basically, I definitely got 

97
00:05:41,700 --> 00:05:45,400
someone else to do the talking
part because my voice is it was 

98
00:05:45,400 --> 00:05:46,600
not exactly where I wanted to 
be. 

99
00:05:46,600 --> 00:05:50,000
And yet here I am doing a 
podcast, but I think there's a 

100
00:05:50,008 --> 00:05:53,800
variety of ways to get information
out you'll never solve for 

101
00:05:53,800 --> 00:05:57,000
everything. 
Have the available options, you 

102
00:05:57,000 --> 00:06:00,100
could run metrics and see who's 
using what you have take you if 

103
00:06:00,108 --> 00:06:02,700
you've got like a web hosting 
and how many hits does a page get,

104
00:06:02,900 --> 00:06:05,200
or if you've got a Wiki or 
something like that, you know 

105
00:06:05,207 --> 00:06:10,300
how many views Etc, find out 
what your users want from a 

106
00:06:10,308 --> 00:06:13,900
training perspective and then 
put your focus there rather than

107
00:06:13,900 --> 00:06:17,100
trying to figure out on your own
without any input from the folks

108
00:06:17,100 --> 00:06:18,400
that you're going to be pushing 
this on to. 

109
00:06:19,200 --> 00:06:22,500
Well, I hope our listeners
want DevSecOps because

110
00:06:22,500 --> 00:06:24,600
that's where we're going to talk
about today, right? 

111
00:06:24,600 --> 00:06:26,300
Yeah, for sure. 
This is a conversation. 

112
00:06:26,300 --> 00:06:29,000
We teased on our live stream 
this morning, talking about

113
00:06:29,000 --> 00:06:31,400
DevSecOps and some of the myths
and things like that to go along

114
00:06:31,400 --> 00:06:33,700
with it. 
I'm really excited to have this 

115
00:06:33,700 --> 00:06:36,600
conversation because I don't 
think we've actually gotten into

116
00:06:37,000 --> 00:06:41,400
this topic at least on the 
identity side with at least very

117
00:06:41,400 --> 00:06:45,900
much over the 134 episodes or so
that we've put out already over 

118
00:06:45,900 --> 00:06:47,700
the last over two and a half 
years. 

119
00:06:48,300 --> 00:06:51,100
So yeah, we're going to talk 
DevSecOps and I'd like to

120
00:06:51,108 --> 00:06:53,600
introduce our guest today. His
name is Mike Fraser.

121
00:06:54,000 --> 00:06:56,400
He's the VP of DevSecOps with
Sophos. 

122
00:06:56,500 --> 00:06:59,200
Welcome to the show. 
Thanks for having me, Jeff and

123
00:06:59,200 --> 00:07:01,000
Jim.
Yeah, thank you so much for 

124
00:07:01,000 --> 00:07:05,900
joining us and I'm curious to 
see where this conversation will

125
00:07:05,900 --> 00:07:07,700
go. 
Not curious, but interested 

126
00:07:07,700 --> 00:07:09,700
because I think there's a lot of
different ways that we can kind 

127
00:07:09,700 --> 00:07:12,200
of get through this, but this is
the first time you're with us. 

128
00:07:12,200 --> 00:07:15,500
So we have a tradition around here
that we like to understand your 

129
00:07:15,500 --> 00:07:18,600
origin story. 
How did you get into the 

130
00:07:18,600 --> 00:07:20,900
wonderful world of cyber 
security

131
00:07:21,000 --> 00:07:24,500
and, by extension,
identity and access management. 

132
00:07:24,500 --> 00:07:27,900
Is it something that that you 
chose, or did it choose you? 

133
00:07:28,300 --> 00:07:32,500
That's a great question. 
So I, I was in computers as a 

134
00:07:32,500 --> 00:07:38,600
kid and joined the Air Force when
I was 18, but decided because I

135
00:07:38,900 --> 00:07:42,500
had such an affinity for 
computers as a teenager that I 

136
00:07:42,500 --> 00:07:43,800
wanted to do something 
different. 

137
00:07:43,800 --> 00:07:47,000
And so, I actually worked on 
weapons systems, like physical

138
00:07:47,000 --> 00:07:50,900
weapon systems on F-15 fighter 
jets. 

139
00:07:51,000 --> 00:07:54,600
Then actually transitioned to the
gar become a cyber security 

140
00:07:55,300 --> 00:07:58,500
engineer. 
So I started in cyber very very 

141
00:07:58,500 --> 00:08:02,700
early in my career but then I 
because I have an 

142
00:08:02,700 --> 00:08:08,300
entrepreneurial drive, got into
starting out and 

143
00:08:08,300 --> 00:08:10,600
brick-and-mortar computer repair
shop. 

144
00:08:10,600 --> 00:08:13,600
And then I kind of move through 
Cloud. 

145
00:08:14,200 --> 00:08:17,700
Was there at the very early days
of cloud where people are 

146
00:08:17,700 --> 00:08:20,300
scratching their heads going,
What is this Cloud thing? 

147
00:08:20,300 --> 00:08:24,000
How do I I how do I even use it?
And so, I actually started a 

148
00:08:24,300 --> 00:08:26,300
private Cloud company for the 
SMB. 

149
00:08:27,500 --> 00:08:30,400
Also found the timing was 
imperative when you're trying to

150
00:08:30,400 --> 00:08:35,100
release a product and Hardware 
is very hard and so had a couple

151
00:08:35,100 --> 00:08:40,200
different Consulting companies 
in cloud and cybersecurity and 

152
00:08:40,200 --> 00:08:43,500
virtual desktop infrastructure 
and then decided to get into 

153
00:08:44,200 --> 00:08:48,400
workspace as a service. 
And then finally into what is, 

154
00:08:48,400 --> 00:08:50,800
what was Refactr, which was
the whole reason. 

155
00:08:51,000 --> 00:08:55,300
So opposed where we were, I was 
really trying to solve the issue

156
00:08:55,300 --> 00:08:59,000
of bridging the gap between
cyber security where I started 

157
00:08:59,000 --> 00:09:01,600
out my career, going to the 
other side in the software 

158
00:09:01,600 --> 00:09:03,300
engineering world and really 
being able to bridge

159
00:09:03,300 --> 00:09:08,200
the gap between cyber security
and dev or DevOps, which was

160
00:09:08,200 --> 00:09:12,700
just a huge issue out there. 
And something I really wanted to

161
00:09:12,700 --> 00:09:17,200
solve a new, it myself, is kind 
of being in the trenches as 

162
00:09:17,600 --> 00:09:20,000
both, the cyber security 
engineer and then coming over to

163
00:09:20,000 --> 00:09:26,300
the software engineering world.
And a fun fact, I went to get my

164
00:09:26,600 --> 00:09:30,600
bachelor's and master's degree
while starting Refactr, in

165
00:09:30,600 --> 00:09:33,500
computer science because I
needed to use my G.I. Bill

166
00:09:33,900 --> 00:09:38,900
benefit before it expired, from
my Air Force days, but I also 

167
00:09:39,600 --> 00:09:43,600
really wanted to fully immerse 
myself into the software 

168
00:09:44,100 --> 00:09:47,800
engineering / computer science 
side of the world, so

169
00:09:47,800 --> 00:09:51,300
truly I had a good holistic
understanding of the trying to

170
00:09:51,300 --> 00:09:55,800
solve. Nothing like an expiration
date to spur action in all

171
00:09:55,800 --> 00:09:58,500
facets of life. 
Let's talk a little bit about 

172
00:09:58,500 --> 00:10:02,300
Refactr because I think it's an
interesting thing. 

173
00:10:02,500 --> 00:10:05,700
Let's leave it that IT as code
and I think we've been hearing, 

174
00:10:05,800 --> 00:10:08,900
you know, as code for a long 
time. 

175
00:10:09,300 --> 00:10:12,600
And I'd love to hear, you know, 
what exactly was Refactr,

176
00:10:12,600 --> 00:10:14,400
because I think that's how you 
ended up at Sophos. 

177
00:10:15,000 --> 00:10:17,600
Yeah, exactly. 
So I yeah, I actually coined the

178
00:10:17,600 --> 00:10:19,600
term. 
IT as code.

179
00:10:19,900 --> 00:10:23,800
And the whole premise around
what we were building at

180
00:10:23,800 --> 00:10:27,400
Refactr was around the
principle of if everything

181
00:10:27,400 --> 00:10:30,000
becomes code or becomes IT as
code. 

182
00:10:30,200 --> 00:10:33,200
It's not just about app 
development anymore. 

183
00:10:33,200 --> 00:10:34,800
We need to look at everything 
else. 

184
00:10:34,800 --> 00:10:36,700
That Rings. 
The cloud is infrastructure as

185
00:10:36,700 --> 00:10:38,700
code.
Configuration as code, policy as

186
00:10:38,700 --> 00:10:41,500
code. 
And really try to take the same 

187
00:10:41,800 --> 00:10:46,500
principles that devops was to 
adding infrastructure as code to

188
00:10:46,800 --> 00:10:50,300
Agile software development and 
really create an agile approach 

189
00:10:50,300 --> 00:10:55,100
to More general-purpose 
automation with security built 

190
00:10:55,100 --> 00:10:58,300
into it. 
And I was also tired of seeing 

191
00:10:58,500 --> 00:11:02,200
everything in our world, in 
cyber, are all point solutions.

192
00:11:02,200 --> 00:11:05,800
I wanted to build a platform 
that could cater to multiple 

193
00:11:05,800 --> 00:11:09,300
personas so that cyber security 
engineer could upskill and

194
00:11:09,300 --> 00:11:12,300
actually be a part of what the 
devops team is doing and vice 

195
00:11:12,300 --> 00:11:15,100
versa, build something that had 
the features and functionality 

196
00:11:15,200 --> 00:11:17,400
because most cyber security 
products out there. 

197
00:11:17,500 --> 00:11:20,800
Devops doesn't want to touch 
because of the fact that it 

198
00:11:20,900 --> 00:11:23,600
Wasn't built for them. 
And it's too in some way 

199
00:11:23,600 --> 00:11:28,600
simplistic, the other way I look
at it is kind of opinion people 

200
00:11:28,600 --> 00:11:31,600
that want something is very 
opinionated versus creating your

201
00:11:31,600 --> 00:11:34,200
own opinions. 
So we had to balance, very 

202
00:11:34,200 --> 00:11:36,600
delicately between both: we
have something that's super

203
00:11:36,600 --> 00:11:39,100
flexible but also, you can 
package up so that you could 

204
00:11:39,100 --> 00:11:42,200
basically put out your opinions 
and somebody could use the 

205
00:11:42,200 --> 00:11:45,000
automation content in a very
consumable way. 

206
00:11:45,300 --> 00:11:47,300
Seems like that ties in pretty 
well with what we kind of 

207
00:11:47,300 --> 00:11:49,600
started off the show today with 
training. 

208
00:11:49,600 --> 00:11:52,900
And how do you make things
usable for a variety of 

209
00:11:52,900 --> 00:11:58,800
audiences and now you're working
with Sophos as the VP of

210
00:11:58,800 --> 00:12:02,500
DevSecOps, which, one, very cool
title; two,

211
00:12:02,600 --> 00:12:07,100
what the hell does that mean?
Yes, they're coming on board to 

212
00:12:07,100 --> 00:12:08,900
say so and it's actually saw 
post. 

213
00:12:08,900 --> 00:12:11,700
It's a site that no, no, you're 
fine. 

214
00:12:11,900 --> 00:12:15,400
I'd say, give me six months to 
still try to be on point with 

215
00:12:15,400 --> 00:12:17,400
pronouncing it correctly.
So all good. 

216
00:12:18,400 --> 00:12:22,300
But yeah. 
So I, so Refactr has now become

217
00:12:22,700 --> 00:12:27,900
Sophos Factory, which is
basically, it's the same product,

218
00:12:27,900 --> 00:12:32,800
just rebranded, and I'm
driving the DevSecOps strategy.

219
00:12:32,800 --> 00:12:35,700
But again, around this kind of 
holistic thought, process of 

220
00:12:35,700 --> 00:12:39,100
having more general-purpose 
automation, to be able to 

221
00:12:39,100 --> 00:12:41,300
support. 
Also the broader ecosystem too.

222
00:12:41,300 --> 00:12:44,800
So, one of the big pieces that 
we were driving at Refactr was,

223
00:12:45,000 --> 00:12:47,500
I want everything
to basically become building

224
00:12:47,500 --> 00:12:51,200
blocks that can come from
different vendors, and this ties

225
00:12:51,200 --> 00:12:54,600
nicely into the IAM side
because it's a huge issue there 

226
00:12:55,300 --> 00:12:59,200
and but more generally kind of 
the broader ecosystem because 

227
00:12:59,200 --> 00:13:03,400
there's a lot of vendors that 
are trying to figure out how to 

228
00:13:03,800 --> 00:13:06,400
modernize their approach of the 
products that they've had in 

229
00:13:06,400 --> 00:13:09,900
market for a long time. 
And then you have a lot of new 

230
00:13:10,000 --> 00:13:12,100
vendors coming into the market 
that are a little bit more 

231
00:13:12,100 --> 00:13:16,300
bleeding edge for the typical 
cyber security teams out there 

232
00:13:16,300 --> 00:13:20,000
as well. 
And so that's like a huge huge 

233
00:13:20,000 --> 00:13:24,200
push on our end, but But I 
basically Sophos Factory product

234
00:13:24,200 --> 00:13:27,300
and team at Sophos around
DevSecOps.

235
00:13:29,000 --> 00:13:32,200
So Mike, we we try to make sure 
that we don't leave anyone in 

236
00:13:32,200 --> 00:13:35,100
the dust. 
And, you know, our listener base

237
00:13:35,100 --> 00:13:41,700
is really all over the Spectrum 
in terms of background and years

238
00:13:41,700 --> 00:13:45,500
of experience. 
So I'd like to start off with kind

239
00:13:45,500 --> 00:13:52,100
of a 101 around DevSecOps,
which to me sounds like part of 

240
00:13:52,100 --> 00:13:55,400
three different words, 
development, security and 

241
00:13:55,400 --> 00:13:58,000
operations, right? 
I mean, isn't it that simple? It

242
00:13:58,000 --> 00:14:00,800
could be. 
I think it's a little bit more, 

243
00:14:01,900 --> 00:14:05,500
a little bit more involved
explanation to it, but my

244
00:14:05,500 --> 00:14:10,700
philosophy on DevSecOps is,
it's more general. So DevSecOps

245
00:14:10,700 --> 00:14:13,900
really is about the
principles of DevOps and then

246
00:14:13,900 --> 00:14:18,200
adding in security to the mix. 
Also though I want to be clear 

247
00:14:18,200 --> 00:14:22,900
it's not just AppSec redefined,
it's really kind of a new

248
00:14:22,900 --> 00:14:26,900
paradigm of again this whole 
concept of IT as code.

249
00:14:26,900 --> 00:14:29,900
So if IT becomes code, and
looking at, again, your

250
00:14:29,900 --> 00:14:33,300
infrastructure, your
configuration, security as code,

251
00:14:33,300 --> 00:14:37,300
whether that's policy or, you 
know, developing towards APIs

252
00:14:37,300 --> 00:14:40,100
and other things that you're 
trying to programmatically 

253
00:14:40,100 --> 00:14:43,400
create so you can have a 
continuous process to build more

254
00:14:43,400 --> 00:14:46,700
modern solutions. 
And DevSecOps, to your point,

255
00:14:46,700 --> 00:14:50,400
is the combination of three 
different words and I look at it

256
00:14:50,400 --> 00:14:56,500
as a collaborative process 
between dev or DevOps, security,

257
00:14:56,500 --> 00:14:59,900
and ops, because of the fact that
only if you're going to truly

258
00:14:59,900 --> 00:15:03,100
achieve DevSecOps in an
organization, it's not just 

259
00:15:03,300 --> 00:15:06,200
we're going to add security to 
the developers' plate.

260
00:15:06,200 --> 00:15:08,700
It's really thinking about this 
is a more collaborative process.

261
00:15:08,700 --> 00:15:13,400
We have so many different 
domains, including IAM, inside

262
00:15:13,400 --> 00:15:16,600
of cybersecurity that
there's no way that you can

263
00:15:16,600 --> 00:15:19,600
expect developers to just say,
yeah, we're going to pick up all

264
00:15:19,600 --> 00:15:22,600
things security because we're 
modernizing, that's the approach

265
00:15:22,600 --> 00:15:25,200
here and then on the other side,
on the cyber security side, I 

266
00:15:25,200 --> 00:15:27,800
really am passionate about 
seeing cyber security 

267
00:15:27,800 --> 00:15:30,800
practitioners
upskill and redefining the

268
00:15:30,800 --> 00:15:34,600
definition of developers too,
because it's not just about app 

269
00:15:34,600 --> 00:15:37,400
development anymore. 
And so I want to give cyber 

270
00:15:37,400 --> 00:15:40,700
security practitioners and teams
not just a seat at the table but to

271
00:15:40,700 --> 00:15:42,700
be actively involved in the 
process. 

272
00:15:42,700 --> 00:15:45,900
And as cliche as it may sound 
really, truly start breaking 

273
00:15:45,900 --> 00:15:49,500
down the silos in an organization
so that they can all cohesively 

274
00:15:49,500 --> 00:15:51,800
work and collaborate together. 
Yeah. 

275
00:15:51,800 --> 00:15:55,500
When I think of IT as code,
I think about you know, 

276
00:15:55,500 --> 00:16:01,500
automation of the deployment of
IT infrastructure, applications.

277
00:16:02,400 --> 00:16:06,400
I think there's obviously an
IAM tie-in, but could you kind of

278
00:16:06,800 --> 00:16:10,400
elaborate on that? Identity is
critical to anything that you're

279
00:16:10,400 --> 00:16:13,300
going to build? 
Obviously, you have to be able 

280
00:16:13,300 --> 00:16:18,200
to tie into various different 
systems. 

281
00:16:18,200 --> 00:16:22,300
You have to be able to also have
the identity tied into any of 

282
00:16:22,300 --> 00:16:25,900
the automation that you're 
trying to do inside of these 

283
00:16:25,900 --> 00:16:30,700
more modern solutions. 
I look at the IAM piece as one of

284
00:16:30,700 --> 00:16:33,800
the core building blocks when 
you're building more of these 

285
00:16:34,300 --> 00:16:37,400
DevSecOps / IT as code
type of solutions. 

286
00:16:38,000 --> 00:16:42,600
Because at the end of the day, 
you have to be able to tie in 

287
00:16:42,600 --> 00:16:48,500
what you're doing into whether 
it's, you know, APIs or SSO or

288
00:16:48,500 --> 00:16:51,400
whatever it may be from an 
identity standpoint, you have to

289
00:16:51,408 --> 00:16:55,600
be able to continuously tie into
a to write and then looking at 

290
00:16:55,600 --> 00:16:58,000
other things like zero trust, 
and so on. 

291
00:16:58,700 --> 00:17:02,500
We want to be able to ensure 
over time that you're able to 

292
00:17:03,700 --> 00:17:07,300
get authorization to various 
different systems too, but it's

293
00:17:07,300 --> 00:17:11,000
not necessary depending on what 
you're doing. 

294
00:17:11,000 --> 00:17:13,099
But because of the fact that 
you're tied into so many 

295
00:17:13,099 --> 00:17:15,300
different systems and everything
changes too, right?

296
00:17:15,300 --> 00:17:18,599
So if you take the building 
block approach, you may be using

297
00:17:18,599 --> 00:17:22,200
one technology today. 
But, you know, six months a year

298
00:17:22,200 --> 00:17:24,700
down the road, you may want to 
change something else or have 

299
00:17:24,700 --> 00:17:28,200
something in addition to, you 
really want to take a much more 

300
00:17:28,600 --> 00:17:31,900
modular approach to that as
you're tying into, it was 

301
00:17:32,100 --> 00:17:34,800
basically building a solution 
that has many different parts to

302
00:17:34,800 --> 00:17:39,200
it and requires identity for 
each of the different parts 

303
00:17:39,200 --> 00:17:42,300
inside of the solution that 
you're building. 

304
00:17:42,600 --> 00:17:44,300
Yeah. 
Whenever I think of IT as code,

305
00:17:44,300 --> 00:17:50,200
I'm thinking about like 
automated deployment of, you 

306
00:17:50,200 --> 00:17:52,600
know, infrastructure and the 
application. 

307
00:17:52,600 --> 00:17:58,200
So you need to have accounts 
that have the right to do 

308
00:17:58,200 --> 00:18:01,200
things. 
Was, you know, to pull from a 

309
00:18:01,500 --> 00:18:06,100
code repo or, you know, 
initiate a new instance or

310
00:18:06,100 --> 00:18:10,300
connect to a database. 
So there's a lot of accounts 

311
00:18:10,300 --> 00:18:14,700
that that IT as code process
requires. 

312
00:18:15,000 --> 00:18:19,600
So, is it the management of 
those and from an IAM standpoint

313
00:18:19,600 --> 00:18:24,300
of we're talking about mostly 
the authentication process or is

314
00:18:24,300 --> 00:18:26,800
it like life cycle of those 
accounts? 

315
00:18:26,800 --> 00:18:29,800
You know what all would be first
is my premise. 

316
00:18:29,800 --> 00:18:32,800
Correct. 
And and second is what are the, 

317
00:18:33,400 --> 00:18:38,100
you know what kind of components
of IAM is it: authentication,

318
00:18:38,100 --> 00:18:43,100
authorization user life cycle? 
Things like that? 

319
00:18:43,200 --> 00:18:45,200
Yeah, that's a that's an 
interesting question. 

320
00:18:45,200 --> 00:18:48,000
So I think it's it's all all 
all. 

321
00:18:48,100 --> 00:18:53,800
All the above. The issue with
trying to figure out how you're 

322
00:18:54,000 --> 00:18:57,000
building towards a different 
solutions is there is around, 

323
00:18:57,000 --> 00:19:00,500
use cases. 
I have some customers that are 

324
00:19:01,000 --> 00:19:04,400
working to, they want to do
onboarding and offboarding of

325
00:19:04,400 --> 00:19:06,600
users and they're going to tie 
into multiple different systems

326
00:19:06,600 --> 00:19:09,900
to do that and they're going to
they're going to use a much more

327
00:19:10,400 --> 00:19:15,600
DevSecOps type of approach.
Then there's the, I need to tie 

328
00:19:15,600 --> 00:19:19,500
in to particular systems to your
point. 

329
00:19:19,500 --> 00:19:24,500
Whether it's a repo, a code 
repo, or it's I need to offer

330
00:19:24,500 --> 00:19:28,500
authorization against this API 
or I need to be able

331
00:19:28,600 --> 00:19:32,400
to, you know, tie into this
VM and go set something up or 

332
00:19:32,400 --> 00:19:37,200
whatever may be and so there's 
all there's a different piece of

333
00:19:37,200 --> 00:19:41,400
identity that's a part of that 
and a lot of what drives around 

334
00:19:41,400 --> 00:19:45,700
DevSecOps around concept of
CI/CD, continuous integration,

335
00:19:45,700 --> 00:19:51,100
continuous deployment in the the
problem that exists with that is

336
00:19:51,100 --> 00:19:54,300
that you end up giving the keys
to the kingdom when it comes to

337
00:19:54,300 --> 00:19:57,400
that because you're tying into 
all these different systems and 

338
00:19:57,400 --> 00:20:01,800
you have to go face. 
Actually tied together different

339
00:20:01,800 --> 00:20:04,700
steps that you're trying to 
automate in there and so when 

340
00:20:04,700 --> 00:20:07,800
you're doing that you have to be
very careful about the level of 

341
00:20:07,800 --> 00:20:13,200
access and authorization that 
you're giving around who in a 

342
00:20:13,208 --> 00:20:16,000
lot of these systems. 
They don't really have any sort 

343
00:20:16,000 --> 00:20:17,700
of like privileged access 
management. 

344
00:20:17,700 --> 00:20:20,000
Other than like, yeah, you can 
have access to this or know you 

345
00:20:20,000 --> 00:20:24,400
can't and you're not thinking 
about the granularity inside of 

346
00:20:24,400 --> 00:20:27,700
the pipeline to create, even if 
you have granularity on how you 

347
00:20:27,700 --> 00:20:30,500
can access, To execute said 
pipelines. 

348
00:20:30,500 --> 00:20:34,500
And so that's still a problem 
that exists out there in the 

349
00:20:34,500 --> 00:20:37,500
space and something that I'm 
working towards trying to help 

350
00:20:39,300 --> 00:20:42,900
solve for because of the fact 
that it's a, it's a, it's a 

351
00:20:42,908 --> 00:20:45,300
problem out there. 
And if you're, to your point, trying

352
00:20:45,300 --> 00:20:48,200
to get into more of the
DevSecOps where you're

353
00:20:48,200 --> 00:20:50,400
incorporating, other things 
outside of just traditional 

354
00:20:50,400 --> 00:20:55,400
active, you really have to think
about how you're structuring the

355
00:20:55,400 --> 00:20:59,500
identity piece to all this. 
And how that Ties into the 

356
00:20:59,600 --> 00:21:02,700
automation and the continuous
automation of that as well. 

357
00:21:02,700 --> 00:21:06,800
So that you can also be able to 
have an understanding and be 

358
00:21:06,800 --> 00:21:09,700
able to also audit, like, who's
doing what, where, when, and

359
00:21:09,700 --> 00:21:10,400
how. 
Right. 

360
00:21:11,000 --> 00:21:13,300
Yeah. 
And when I, when I speak with 

361
00:21:13,300 --> 00:21:16,600
clients a lot, they're trying to
get their arms around. 

362
00:21:18,700 --> 00:21:24,100
This whole DevSecOps process
or devstack. 

363
00:21:24,100 --> 00:21:26,300
Anyway, they might not have the 
operation side down. 

364
00:21:26,300 --> 00:21:30,500
In other words, the developers
are solving the problem because

365
00:21:30,500 --> 00:21:33,200
they have the problem and they 
need to solve it in order to 

366
00:21:33,200 --> 00:21:35,800
move forward. 
So they kind of define their

367
00:21:35,800 --> 00:21:39,500
processes and everything. 
But even at a more fundamental 

368
00:21:39,500 --> 00:21:44,300
level just wondering, you know, 
when does an organization need 

369
00:21:44,300 --> 00:21:48,300
to kind of build a capability 
around DevSecOps, is it like,

370
00:21:48,700 --> 00:21:52,900
you know, how, how large they 
get is it only certain types of 

371
00:21:52,900 --> 00:21:57,300
companies or what do you you 
know, in other words who needs 

372
00:21:57,300 --> 00:22:02,300
DevSecOps?
I think every every organization

373
00:22:02,300 --> 00:22:06,800
needs DevSecOps. The
conundrum though is Hannibal 

374
00:22:07,400 --> 00:22:11,000
where you're probing with the 
question, which is the size of 

375
00:22:11,000 --> 00:22:15,300
the company and the maturity of 
different teams in the company. 

376
00:22:15,900 --> 00:22:19,400
So the larger the organization, 
the more likely they have 

377
00:22:19,400 --> 00:22:23,000
different teams that are 
dedicated to supporting the 

378
00:22:23,100 --> 00:22:26,600
different pieces of the
DevSecOps side. Again,

379
00:22:26,900 --> 00:22:30,000
I don't look at this
as just trying to add

380
00:22:30,000 --> 00:22:34,400
particular tools into your just 
your devops, you know, an active

381
00:22:34,400 --> 00:22:35,900
process. 
I think about it more 

382
00:22:35,900 --> 00:22:39,100
holistically. 
And so if you take that approach

383
00:22:39,100 --> 00:22:43,800
to what DevSecOps is, then,
you're really thinking about how

384
00:22:43,800 --> 00:22:49,800
do I incorporate this type of 
approach as I'm modernizing and 

385
00:22:49,800 --> 00:22:55,400
also, how do I think about the 
ways that different teams can 

386
00:22:55,400 --> 00:22:58,800
support what they've created? 
And so that takes a turkey? 

387
00:22:59,000 --> 00:23:01,000
And type of skill set to be able
to build. 

388
00:23:01,000 --> 00:23:03,900
I often equate
this also in the software

389
00:23:03,900 --> 00:23:07,200
engineering world to software
engineers are great at people.

390
00:23:07,200 --> 00:23:09,500
They can build stuff from
scratch. Developers,

391
00:23:10,600 --> 00:23:14,300
if you're just generalizing the
term app developers, have to have

392
00:23:14,300 --> 00:23:18,300
code that they start from but 
they can then add additional 

393
00:23:18,300 --> 00:23:21,800
functionality to it and I take 
that same thought process to 

394
00:23:22,000 --> 00:23:24,600
what DevSecOps is: you have
those that can build something 

395
00:23:24,600 --> 00:23:29,000
from scratch and then you have 
those that can tweak and customize.

396
00:23:29,000 --> 00:23:31,800
But they have to have something 
that's already created. 

397
00:23:31,800 --> 00:23:34,900
So you can apply the 80/20 rule,
is that where 80% of the way 

398
00:23:34,900 --> 00:23:37,100
there? 
They can go and customize a 20% 

399
00:23:37,100 --> 00:23:39,700
of it to get the outcome of the 
end result they're looking for 

400
00:23:39,700 --> 00:23:43,200
and support it too. 
And I see that as the future of 

401
00:23:43,900 --> 00:23:46,400
of DevSecOps in general is
you're still going to need the 

402
00:23:46,400 --> 00:23:49,700
folks that are going to be able 
to create the base automation 

403
00:23:49,700 --> 00:23:52,100
content that you're going to use
and then you're going to have 

404
00:23:52,100 --> 00:23:53,800
the other folks that can consume
it. 

405
00:23:54,000 --> 00:23:56,300
But you have to think about this
more about across. 

406
00:23:56,400 --> 00:23:58,800
I think you brought this up 
earlier, Jim, the full

407
00:23:58,900 --> 00:24:02,800
form of technical talent to
ensure that you can cater to 

408
00:24:02,800 --> 00:24:05,200
both sides of that. 
So you probably also heard, you 

409
00:24:05,208 --> 00:24:09,400
know, the shift left and the
shift right out there. 

410
00:24:09,600 --> 00:24:13,300
And I look at it as like, you 
need to shift left for sure, try

411
00:24:13,300 --> 00:24:16,600
to get as close to the beginning
of the creation of whatever 

412
00:24:16,600 --> 00:24:19,800
you're trying to build through 
DevSecOps pipeline process.

413
00:24:20,000 --> 00:24:23,200
But you need to also be able to 
take that and shift it right in 

414
00:24:23,200 --> 00:24:27,100
more of a consumable type of 
approach where it's more low 

415
00:24:27,100 --> 00:24:28,800
code, no code. 
So you have to have high quality

416
00:24:28,900 --> 00:24:33,500
code and low code, no code and be
able to balance both of those on

417
00:24:33,500 --> 00:24:36,500
both sides of that because just 
shifting left is not the answer 

418
00:24:36,700 --> 00:24:39,600
and just shifting right where I 
abstract everything and make it 

419
00:24:39,600 --> 00:24:44,400
super simplistic, you need to be
able to do both and that's you 

420
00:24:44,400 --> 00:24:46,900
know, that's, at least, that's
how I think about it. 

421
00:24:47,300 --> 00:24:49,200
Okay. 
I'm going to take the bait just 

422
00:24:49,200 --> 00:24:52,500
shifting left because I think we
don't want to leave anybody in 

423
00:24:52,500 --> 00:24:55,700
the dust. 
My understanding is shifting

424
00:24:55,700 --> 00:24:58,700
left has to do with we're moving
to an agile

425
00:24:59,000 --> 00:25:03,900
software development process.
Now we're testing earlier, we're

426
00:25:03,900 --> 00:25:05,800
not doing that waterfall 
methodology. 

427
00:25:05,800 --> 00:25:08,300
Where we're going to build a 
product and then now guess what?

428
00:25:08,300 --> 00:25:13,700
We're going to start testing it.
It's this continuous integration

429
00:25:13,700 --> 00:25:17,700
development process where we're 
testing as we're going. 

430
00:25:17,700 --> 00:25:22,300
So what we're talking about
really is the automated testing 

431
00:25:22,600 --> 00:25:25,900
script based testing of 
applications that are running 

432
00:25:25,900 --> 00:25:28,000
all the time. 
Okay? 

433
00:25:28,200 --> 00:25:32,300
So obviously I'm getting to my
point of ignorance. Talk to us

434
00:25:32,300 --> 00:25:34,100
about shift left. 
Yeah it's fine. 

435
00:25:34,400 --> 00:25:37,800
It's, the concept of shift left
is trying to incorporate

436
00:25:38,000 --> 00:25:42,900
security as close to the
beginning of the dev process so 

437
00:25:42,900 --> 00:25:47,800
that you can have the scanning
and remediation happening is

438
00:25:47,800 --> 00:25:51,200
suttas as close to the beginning
of a pipeline process as 

439
00:25:51,200 --> 00:25:53,600
possible when you're releasing 
software. 

440
00:25:54,100 --> 00:25:58,200
Conceptually now, in 
cybersecurity the whole reason 

441
00:25:58,200 --> 00:26:01,100
this whole shift left thing came
to be is because of the fact 

442
00:26:01,100 --> 00:26:05,500
that most of the cyber security 
products out there were being

443
00:26:05,600 --> 00:26:08,100
used outside of the development 
process. 

444
00:26:08,100 --> 00:26:11,100
So now it's the concept of 
trying to reduce that insect. 

445
00:26:11,100 --> 00:26:15,200
Now we take this and move this 
forward to the concept of IT as

446
00:26:15,200 --> 00:26:18,500
code. 
It's not anymore about being a 

447
00:26:18,500 --> 00:26:21,300
part of just the dev process. 
Even though I'm taking the same 

448
00:26:21,300 --> 00:26:26,500
approach and how I create and 
release my solutions now that

449
00:26:26,500 --> 00:26:30,700
they're all software-defined, 
but I'm also thinking about how

450
00:26:30,700 --> 00:26:34,700
I can build this from code, from
the very beginning, but then 

451
00:26:34,700 --> 00:26:38,500
package it up in a consumable 
format where you have to now 

452
00:26:38,500 --> 00:26:40,500
shift right.
Because it needs to be in a 

453
00:26:40,500 --> 00:26:43,900
format that other folks that 
aren't just developers or devops

454
00:26:43,900 --> 00:26:47,500
engineers can actually consume.
So there's a there and there's a

455
00:26:47,508 --> 00:26:51,600
debate going on on this but I 
truly believe it's a shift left 

456
00:26:51,600 --> 00:26:55,700
first and then shift right.
And again it's not just about 

457
00:26:55,800 --> 00:26:58,700
app development, it's now about 
thinking about everything

458
00:26:59,100 --> 00:27:02,600
holistically from a technology
standpoint in your organization 

459
00:27:02,900 --> 00:27:07,200
that may or may not be about 
just application development and

460
00:27:07,200 --> 00:27:08,900
there's a lot of organizations 
that aren't developing 

461
00:27:08,900 --> 00:27:11,400
applications at all, right?
But they need to take the same 

462
00:27:11,400 --> 00:27:14,000
approach now, they're building
solutions because if I'm no

463
00:27:14,000 --> 00:27:19,500
longer Racket and center rack 
and stacking infrastructure in 

464
00:27:19,508 --> 00:27:25,000
my data center or I'm now using 
the cloud, that's one great use 

465
00:27:25,000 --> 00:27:29,200
case, where this becomes a major
issue at scale and you have to

466
00:27:29,200 --> 00:27:31,400
now start thinking about how do
I build things from 

467
00:27:31,400 --> 00:27:34,400
infrastructure as code?
How do I set up guard rails and 

468
00:27:34,400 --> 00:27:36,800
policies around that? 
And then how do I tie in the 

469
00:27:36,800 --> 00:27:39,600
other building blocks that too? 
Because I may want to be able to

470
00:27:39,600 --> 00:27:42,300
assess the infrastructure 
created against CIS

471
00:27:42,300 --> 00:27:44,200
benchmarks. 
I may want to be able to 

472
00:27:44,500 --> 00:27:46,900
remediate it. 
I may want to incorporate 

473
00:27:46,900 --> 00:27:49,900
integrations to be able to pop
that data into my ticketing 

474
00:27:49,900 --> 00:27:51,900
system or CMDB or whatever it
may be. 

475
00:27:52,100 --> 00:27:55,700
And so again thinking about this
more holistically and then how 

476
00:27:55,700 --> 00:27:58,700
do I, you know, tie in the other
building blocks here. 

477
00:27:58,800 --> 00:28:01,800
Because I may want to 
incorporate using a particular 

478
00:28:02,000 --> 00:28:05,300
IAM solution across the board,
for every single building block

479
00:28:05,300 --> 00:28:08,000
that I create or multiple 
different

480
00:28:08,000 --> 00:28:12,900
IAM solutions depending on the
organization and who supports 

481
00:28:12,900 --> 00:28:15,900
different implementations of 
different products that are 

482
00:28:15,900 --> 00:28:20,800
being used in the organization. 
So what is the x axis from your 

483
00:28:20,800 --> 00:28:23,500
definition of shifting left?
Because the way that I'm 

484
00:28:23,500 --> 00:28:28,300
picturing it is, all the way on
the left is the developer, whoever

485
00:28:28,300 --> 00:28:30,500
is
creating the thing, and then all

486
00:28:30,500 --> 00:28:34,500
the way on the right is the 
consumer or the customer of 

487
00:28:34,500 --> 00:28:37,600
whatever that thing will 
eventually be and everything in 

488
00:28:37,600 --> 00:28:39,200
the middle is all the stuff that
happens. 

489
00:28:39,700 --> 00:28:43,200
The people and parts that 
contribute to getting it all the

490
00:28:43,200 --> 00:28:47,300
way to the right and he talked 
earlier about you know shift not

491
00:28:47,300 --> 00:28:50,300
necessarily shifting, right? 
But you know, spreading out for 

492
00:28:50,300 --> 00:28:54,500
example the security 
responsibilities across the 

493
00:28:54,500 --> 00:28:57,800
spectrum. Is that, am I thinking
about that correctly in the 

494
00:28:57,808 --> 00:29:01,000
context of kind of what you were
looking at for my awesome. 

495
00:29:01,400 --> 00:29:05,100
I think everyone needs to be 
thinking about security, but I 

496
00:29:05,100 --> 00:29:09,100
do still think it's on the cyber
security team and any ancillary 

497
00:29:09,100 --> 00:29:13,100
teams in the organization to be 
able to long-term still support 

498
00:29:13,100 --> 00:29:15,500
that. 
I think the problem though is as

499
00:29:15,500 --> 00:29:19,900
lived in if I decide I'm going 
to need to go say cloud native, 

500
00:29:19,900 --> 00:29:22,500
but I'm going to deploy 
Kubernetes clusters, usually

501
00:29:22,500 --> 00:29:25,400
that's on the plate of the 
devops team, not the security 

502
00:29:25,400 --> 00:29:28,500
team and then security team is
either brought in after the fact

503
00:29:28,800 --> 00:29:31,500
Or the devops team has to pick 
up on the security side. 

504
00:29:31,500 --> 00:29:35,700
And so my thought, in my opinion
on this is that if you build 

505
00:29:35,700 --> 00:29:41,300
things in building blocks that
each team has to maintain then 

506
00:29:41,300 --> 00:29:42,700
being able to bring them all 
together. 

507
00:29:42,700 --> 00:29:47,600
Then the security team still is 
able to manage the risk in your 

508
00:29:47,600 --> 00:29:50,400
organization and support 
different cybersecurity 

509
00:29:50,400 --> 00:29:52,400
products. 
They have to support, but being 

510
00:29:52,400 --> 00:29:56,000
able to work in conjunction with
the dev or the devops team and 

511
00:29:56,000 --> 00:29:58,800
then also the ops team who's
going to have to support any of 

512
00:29:58,800 --> 00:30:02,000
the stuff once it goes into
production and other systems in 

513
00:30:02,000 --> 00:30:05,400
their organization that may not 
be directly tied to 

514
00:30:05,400 --> 00:30:07,700
cybersecurity. 
But it's imperative that there,

515
00:30:07,700 --> 00:30:11,500
you're able to utilize those
systems in conjunction with the 

516
00:30:11,500 --> 00:30:15,600
security products in the 
organization, but I don't, I'm 

517
00:30:15,600 --> 00:30:19,900
also against the thought process
that developers are now going to

518
00:30:19,900 --> 00:30:23,800
become the security experts and
or the DevOps engineers are

519
00:30:23,800 --> 00:30:25,200
going to put this on their 
plate. 

520
00:30:25,600 --> 00:30:28,200
And so you probably heard talk 
out there about, oh, we can 

521
00:30:28,200 --> 00:30:30,100
build these Papa DevSecOps
teams.

522
00:30:30,400 --> 00:30:32,600
Do you ever try to hire a devops
engineer? 

523
00:30:32,600 --> 00:30:36,200
That is very difficult, if you 
ever try to hire a DevSecOps

524
00:30:36,200 --> 00:30:39,900
engineer, that's like
trying to find a rainbow color, 

525
00:30:40,100 --> 00:30:42,400
grimaud painted unicorn out 
there in the wild, right? 

526
00:30:42,400 --> 00:30:46,200
Like it's just not, it's not in 
reach to be able to think that 

527
00:30:46,200 --> 00:30:48,700
you can add a whole nother 
domain to somebody that already 

528
00:30:48,700 --> 00:30:52,200
had that has the expertise 
around two different domains

529
00:30:52,200 --> 00:30:54,300
already. 
Dev and Ops for.

530
00:30:54,900 --> 00:30:58,600
So I did not hear you use the 
word

531
00:30:58,800 --> 00:31:03,600
containerization, but I often hear
DevSecOps, you know, linked

532
00:31:03,600 --> 00:31:07,900
to things like Docker. 
And a lot of times that's when, 

533
00:31:08,200 --> 00:31:11,100
you know, engaging with the 
conversation with the client is 

534
00:31:11,100 --> 00:31:15,600
they've got Docker, they're 
doing a lot of DevSecOps

535
00:31:15,600 --> 00:31:19,300
work. 
How big is containerization in 

536
00:31:19,300 --> 00:31:21,000
the world of
DevSecOps? Is that

537
00:31:21,000 --> 00:31:24,700
usually the driver?
Or is it just part of the 

538
00:31:24,700 --> 00:31:26,600
puzzle? 
That's a great question. 

539
00:31:26,600 --> 00:31:30,600
So there's a school of thought
out there that, that DevSecOps

540
00:31:30,600 --> 00:31:36,000
is purely driven around, to
your point, containers, really,

541
00:31:36,100 --> 00:31:40,000
you know, cloud native
technologies, like Kubernetes.

542
00:31:40,400 --> 00:31:44,300
And it's interesting because I 
last year we ended up engaging 

543
00:31:44,300 --> 00:31:48,200
with Platform One, which is the Air
Force's DevSecOps initiative.

544
00:31:48,200 --> 00:31:51,400
So we won a super small
business innovation research

545
00:31:51,600 --> 00:31:55,900
contract with Platform One 
around their initiative. 

546
00:31:56,100 --> 00:31:59,700
What I found though is kind of 
working through this is really

547
00:32:00,100 --> 00:32:03,100
the legacy side of systems, you
have to score that you should 

548
00:32:03,100 --> 00:32:06,400
still be able to apply
DevSecOps principles, but it's not

549
00:32:06,400 --> 00:32:10,600
directly tied to cloud native
or, you know, containerization 

550
00:32:10,800 --> 00:32:13,000
known as the other side where 
it's like, it may or may not 

551
00:32:13,000 --> 00:32:15,900
make sense for your organization
to go that way. 

552
00:32:16,100 --> 00:32:19,700
I don't think that DevSecOps
and containerization are 

553
00:32:19,700 --> 00:32:22,500
mutually exclusive. 
I think that the principles and 

554
00:32:22,500 --> 00:32:25,900
the approach of DevSecOps
should be able to be applied to 

555
00:32:26,200 --> 00:32:28,500
traditional, you know,
infrastructure use

556
00:32:28,700 --> 00:32:31,900
cases that you can apply to, like,
network automation or

557
00:32:31,900 --> 00:32:35,700
configuration management for 
devices that may or may not be 

558
00:32:36,000 --> 00:32:38,500
physical. 
And then also thinking about how

559
00:32:38,500 --> 00:32:40,700
you're applying those same 
principles to, you know, 

560
00:32:40,700 --> 00:32:44,000
building Kubernetes clusters and
applying, you know, security

561
00:32:44,000 --> 00:32:47,600
controls to those.
So it's from my perspective 

562
00:32:47,600 --> 00:32:51,300
DevSecOps is a, is the
approach and how you're trying 

563
00:32:51,300 --> 00:32:56,900
to modernize, but being able to 
not, just put it into just 

564
00:32:56,900 --> 00:33:01,100
solely containers or
containerization I think is, is a way

565
00:33:01,100 --> 00:33:04,000
to think about it in 
organizations and there's all 

566
00:33:04,000 --> 00:33:07,200
kinds of different use cases 
that I have worked with 

567
00:33:07,500 --> 00:33:09,600
customers on that are using it 
for that, again,

568
00:33:09,600 --> 00:33:15,600
aren't what you see out there as
traditional pure Kubernetes or

569
00:33:15,600 --> 00:33:19,600
containerization use cases.
Yeah, I think DevSecOps,

570
00:33:19,600 --> 00:33:24,100
probably the closest parallel in
the IAM world, the traditional

571
00:33:24,100 --> 00:33:27,500
IAM world, for me, is
privileged access management 

572
00:33:27,500 --> 00:33:32,800
where you've got this group
of highly technical users and

573
00:33:33,200 --> 00:33:35,700
you're quote-unquote going to do
something to them. 

574
00:33:35,700 --> 00:33:39,700
You're going to change the way 
they work by implementing some 

575
00:33:39,700 --> 00:33:44,600
technology, that's just between 
them and what they have to do 

576
00:33:44,600 --> 00:33:48,200
for their job. 
And so I think there's probably 

577
00:33:48,200 --> 00:33:51,200
a right way to do that and a 
wrong way to do that. 

578
00:33:51,600 --> 00:33:55,700
I'm wondering, you know, you've 
probably seen both but, you 

579
00:33:55,700 --> 00:33:58,500
know, you and you've implemented
implemented DevSecOps

580
00:33:58,700 --> 00:34:02,800
program yourself, kind of
what's the right way to do that.

581
00:34:02,800 --> 00:34:05,600
And if you could back with any 
real world example, I think that

582
00:34:05,600 --> 00:34:08,100
would be interesting. 
Yeah, that's a great question. 

583
00:34:08,100 --> 00:34:13,100
I think, from my my perspective,
when you're thinking about how 

584
00:34:13,199 --> 00:34:20,400
organizations are building out a
DevSecOps program, the

585
00:34:20,400 --> 00:34:24,699
keys to thinking about that, and
to your point about like 

586
00:34:24,800 --> 00:34:28,300
privileged access management or 
different products that you're 

587
00:34:28,300 --> 00:34:32,300
trying to incorporate into
the mix is who supports these

588
00:34:32,300 --> 00:34:36,400
different products and what 
level are they at technically

589
00:34:36,400 --> 00:34:40,600
to support anything, net new, 
and there's some examples in 

590
00:34:40,600 --> 00:34:42,500
the
IAM space from different

591
00:34:42,500 --> 00:34:46,199
vendors that may, you know, may 
have existed for a long time. 

592
00:34:46,199 --> 00:34:49,100
So they've been catering, 
primarily to the cyber security 

593
00:34:49,100 --> 00:34:50,800
teams. 
And now other products are 

594
00:34:50,800 --> 00:34:54,800
coming out, there are catering 
more to the developer side of 

595
00:34:54,800 --> 00:34:57,200
different teams. 
And so, you really have to think

596
00:34:57,200 --> 00:35:02,000
about how these are packaged up
and used, and then what else

597
00:35:02,000 --> 00:35:06,000
they're supporting in 
conjunction with it is. 

598
00:35:06,000 --> 00:35:08,400
A lot of times it'll be like 
HashiCorp's a

599
00:35:08,400 --> 00:35:11,600
good example, though, so I'll
bring them up around for of the 

600
00:35:11,600 --> 00:35:16,300
developer devops type of 
approach for how those Pro who 

601
00:35:16,300 --> 00:35:19,300
uses those products. 
But the security team has to 

602
00:35:19,300 --> 00:35:24,900
support, say, the Vault
implementation, and then how do 

603
00:35:24,900 --> 00:35:27,800
you incorporate those into the 
next piece? 

604
00:35:27,800 --> 00:35:31,000
Which is going to be, all right,
now that I can pull secrets or

605
00:35:31,000 --> 00:35:35,700
credentials and get 
authorization to then go create

606
00:35:35,700 --> 00:35:39,100
infrastructure as code, who is
supporting that. 

607
00:35:39,100 --> 00:35:43,200
And I think that the ability to 
get cyber security to be 

608
00:35:43,300 --> 00:35:46,000
involved in that and be able to 
support that as you're building 

609
00:35:46,000 --> 00:35:50,500
out your DevSecOps program
is imperative and also the go 

610
00:35:50,500 --> 00:35:53,700
back to my prior point, the 
upskilling part, because a lot 

611
00:35:53,700 --> 00:35:58,300
of times, this is completely 
outside of the scope of what 

612
00:35:58,700 --> 00:36:01,400
cyber security practitioners
know and understand.

613
00:36:01,400 --> 00:36:03,400
And so, it's net
new skills that have to be

614
00:36:03,400 --> 00:36:07,900
learned to be a part of this. 
So maybe I need to learn how I 

615
00:36:07,900 --> 00:36:10,100
can pull secrets 
programmatically from Vault, and

616
00:36:10,100 --> 00:36:13,300
I need to know how I can build 
some infrastructure as code 

617
00:36:13,300 --> 00:36:16,800
say, in Terraform or any of the
cloud native templates and 

618
00:36:16,800 --> 00:36:20,300
thinking about it again, back to
the whole IT as code

619
00:36:20,400 --> 00:36:23,300
conversation. 
How does that get incorporated 

620
00:36:23,300 --> 00:36:28,500
into the the outcomes 
organizations, trying to drive? 

621
00:36:28,600 --> 00:36:30,900
I've through whether they're 
pushing to go to the public

622
00:36:30,900 --> 00:36:34,700
cloud or any sort of other 
initiatives that are going to 

623
00:36:34,700 --> 00:36:37,600
help them accelerate what 
they're trying to do. 

624
00:36:37,600 --> 00:36:42,800
And I think that's a huge piece 
of the hate to use this term but

625
00:36:42,800 --> 00:36:45,500
of digital transformation, which
is a completely loaded term. 

626
00:36:45,500 --> 00:36:50,400
But it's it's part of that 
process that organizations are 

627
00:36:50,400 --> 00:36:54,100
trying to go through that. 
They can basically modernize is 

628
00:36:54,100 --> 00:36:57,600
really what the root of that is 
and that requires different 

629
00:36:57,600 --> 00:37:01,000
teams to be a part of. And also,
again, the upskilling piece too,

630
00:37:01,000 --> 00:37:03,800
so that the full spectrum of 
technical talent in the 

631
00:37:03,808 --> 00:37:07,000
organization can be a part of 
the DevSecOps program that

632
00:37:07,000 --> 00:37:08,600
you build inside your 
organization. 

633
00:37:09,000 --> 00:37:13,300
Yeah, my perspective on
is that if I'm the, in the

634
00:37:13,300 --> 00:37:17,500
information security office, I 
don't need to run the HashiCorp,

635
00:37:17,500 --> 00:37:22,000
the, the Vault or
whatever technology is 

636
00:37:22,000 --> 00:37:26,100
necessarily backing up. 
I don't necessarily need my 

637
00:37:26,100 --> 00:37:28,500
folks to do the administration 
work. 

638
00:37:28,700 --> 00:37:32,700
What I want to make sure of is 
that the proper controls are in 

639
00:37:32,700 --> 00:37:35,500
place, the proper auditing is in
place. 

640
00:37:36,100 --> 00:37:40,200
And you know what? 
I prefer to see is some 

641
00:37:40,200 --> 00:37:45,000
leadership from that development
side, coming to the information 

642
00:37:45,000 --> 00:37:49,000
security office
to say, hey, we've got a process

643
00:37:49,000 --> 00:37:54,000
here where we're managing 
identity and access and we want 

644
00:37:54,000 --> 00:37:56,800
to make sure that we're in 
alignment, that, you know, we 

645
00:37:56,800 --> 00:37:58,500
have the proper controls in 
place. 

646
00:37:59,400 --> 00:38:02,300
I think the same thing for 
privileged access management. 

647
00:38:02,300 --> 00:38:06,100
It shouldn't have to be that the
IAM team comes and says, hey, we

648
00:38:06,100 --> 00:38:10,000
need to take over your process. 
It should be that the 

649
00:38:10,500 --> 00:38:14,600
engineering team says, hey, 
we're managing all these servers

650
00:38:14,600 --> 00:38:19,000
we need to make sure that we 
have proper controls and 

651
00:38:19,100 --> 00:38:23,100
auditing in place.
So I think that that would be 

652
00:38:23,100 --> 00:38:24,500
ideal.
I don't know that it's always 

653
00:38:24,500 --> 00:38:27,200
going to happen but I do think 
it needs to be a partnership. 

654
00:38:27,200 --> 00:38:32,200
I don't think some kind of
antagonistic process where you 

655
00:38:32,200 --> 00:38:37,000
know, from a, from an app dev team
or from an infrastructure team 

656
00:38:37,000 --> 00:38:41,700
where it's like, oh you guys are
just want to come in like take 

657
00:38:41,700 --> 00:38:44,700
over this process and you're 
going to make my life suck? 

658
00:38:45,900 --> 00:38:48,000
Yeah. 
I think there's two ways to 

659
00:38:48,000 --> 00:38:50,400
think about it, too, from that
perspective. 

660
00:38:51,000 --> 00:38:53,100
And this goes to some of the 
work that I've been doing with 

661
00:38:53,100 --> 00:38:56,000
some, some large SIs as
well, or system integrators,

662
00:38:56,000 --> 00:39:00,700
around, there's the tear And 
there's like the support of the 

663
00:39:01,000 --> 00:39:03,800
underlying infrastructure and 
the configuration of the 

664
00:39:03,800 --> 00:39:05,600
different
IAM products that you have to

665
00:39:05,600 --> 00:39:08,100
support which a lot of 
organizations are trying to 

666
00:39:08,107 --> 00:39:12,500
figure out how they can do, you 
know, in a much more modern, 

667
00:39:12,500 --> 00:39:16,100
sophisticated way of leveraging,
kind of DevSecOps

668
00:39:16,100 --> 00:39:18,900
approach to building it around 
infrastructure as code. 

669
00:39:18,900 --> 00:39:21,700
And and so on, then there's the 
other side of it to your point, 

670
00:39:21,700 --> 00:39:26,900
which is the how do I then use 
those products in the

671
00:39:26,900 --> 00:39:29,600
DevSecOps pipelining
process where I'm trying to build

672
00:39:29,600 --> 00:39:34,800
these newer modern solutions and
so that is also the other 

673
00:39:34,800 --> 00:39:39,400
approach and I think that it 
does to your point require a 

674
00:39:40,100 --> 00:39:43,500
relationship. 
That's not not confrontational 

675
00:39:43,500 --> 00:39:48,200
between development and devops 
whoever's managing that side of 

676
00:39:48,200 --> 00:39:51,300
it and the cybersecurity team 
who's going to have to support 

677
00:39:51,700 --> 00:39:55,100
the different products that are 
now being used inside of that 

678
00:39:55,100 --> 00:39:58,400
process to and not everything is
going to be, you know, to my

679
00:39:58,600 --> 00:40:02,300
example, like using HashiCorp,
your dev team and DevOps,

680
00:40:02,300 --> 00:40:03,800
you may be using it, but you may
have other

681
00:40:03,800 --> 00:40:08,300
IAM, most likely have other IAM
products in your organization. 

682
00:40:08,500 --> 00:40:11,100
And so, you have to think about 
how do I incorporate those into.

683
00:40:11,300 --> 00:40:14,900
Is, I may have two or three or 
four different products inside 

684
00:40:14,900 --> 00:40:16,900
my organization. 
So I have to think about how 

685
00:40:16,900 --> 00:40:21,000
each one of those is used, and
can I have those as essentially

686
00:40:21,000 --> 00:40:23,300
the building blocks I mentioned 
earlier as a part of that 

687
00:40:23,300 --> 00:40:26,400
process where I can swap one out
for another if another team is 

688
00:40:26,600 --> 00:40:30,300
using and supporting it and I'm 
not just beholden to the dev,

689
00:40:30,300 --> 00:40:33,200
so the DevOps team, because now
they're forcing us to have to 

690
00:40:33,200 --> 00:40:38,000
use this this net new product I 
think longer term strategy is. 

691
00:40:38,400 --> 00:40:42,800
Can you package up the 
integration automation around 

692
00:40:42,800 --> 00:40:45,000
these
IAM products in a consumable

693
00:40:45,000 --> 00:40:49,500
way that you can have other 
teams using it without them 

694
00:40:49,500 --> 00:40:52,700
having to know the inner 
workings of, say, like how Vault

695
00:40:52,700 --> 00:40:54,200
works. 
It's just like, oh, I just need 

696
00:40:54,200 --> 00:40:57,700
to build on these few inputs and
I can run this. 

697
00:40:57,700 --> 00:40:59,900
And now I get the result
I'm looking for, I now grab

698
00:40:59,900 --> 00:41:03,500
that secret and use it in my 
process, right? 

699
00:41:03,500 --> 00:41:07,300
And so, thinking about it, much 
more around the consumption 

700
00:41:07,300 --> 00:41:11,000
piece is critical, and how
folks can can use this type of 

701
00:41:11,008 --> 00:41:14,400
stuff. You know, we've been
talking a lot about

702
00:41:14,400 --> 00:41:18,200
DevSecOps in the context,
I think, of it, kind of

703
00:41:18,200 --> 00:41:24,100
already existing, but what 
happens if it doesn't exist. 

704
00:41:24,100 --> 00:41:28,400
How do you insert or create a 
culture of DevSecOps?

705
00:41:28,500 --> 00:41:31,300
It it seems to me like it's very
much a culture in a mindset and 

706
00:41:31,300 --> 00:41:34,700
less the actual technology 
portion of it. 

707
00:41:34,700 --> 00:41:40,000
So the technology is an enabler,
but if there is, if there is no 

708
00:41:40,000 --> 00:41:42,700
DevSecOps today, how do I
start one? 

709
00:41:42,700 --> 00:41:44,700
How do I insert myself into that
process? 

710
00:41:45,700 --> 00:41:49,900
Yeah, that's a great question. 
I, you really need to look at 

711
00:41:50,000 --> 00:41:56,900
how you're doing work today. 
In your organization and who has

712
00:41:56,900 --> 00:41:59,900
responsibilities for? 
The different work and you may 

713
00:41:59,900 --> 00:42:02,300
have a super mature DevOps
practice, you may have. 

714
00:42:02,300 --> 00:42:04,400
And I mean not doing any DevOps
in your organization.

715
00:42:05,500 --> 00:42:08,200
So conceptually from a principle
standpoint that would be. 

716
00:42:08,200 --> 00:42:12,200
The first thing is, how do I get
things in place to be able to 

717
00:42:13,200 --> 00:42:17,000
even build what I would consider
a more of a DevOps-style

718
00:42:17,000 --> 00:42:18,700
practice. 
And some of that stuff is like, 

719
00:42:19,000 --> 00:42:21,700
continuous feedback loops 
between teams, so you can be 

720
00:42:21,700 --> 00:42:24,200
more collaborative. 
And you know what, either team 

721
00:42:24,700 --> 00:42:25,900
with different teams you're 
doing. 

722
00:42:26,100 --> 00:42:31,000
Then also thinking about it from
a process standpoint, so 

723
00:42:31,600 --> 00:42:34,500
feedback's great, but you need to
have a semblance on the 

724
00:42:34,500 --> 00:42:38,000
understanding of what not just 
what other teams are doing but 

725
00:42:38,000 --> 00:42:43,700
how you can incorporate more of 
the agile process into what 

726
00:42:43,700 --> 00:42:48,300
you're trying to create and 
continuously update and monitor 

727
00:42:48,700 --> 00:42:50,300
as well, what your super 
critical. 

728
00:42:50,600 --> 00:42:56,000
And then from longer-term 
strategy, it's being able to get

729
00:42:56,000 --> 00:43:01,400
a semblance on again around the 
solution building side in

730
00:43:01,400 --> 00:43:04,600
the organization heat, apply 
those principles to what you're 

731
00:43:04,600 --> 00:43:07,300
basically trying to create from 
a solution standpoint and then 

732
00:43:07,300 --> 00:43:10,600
being able to iterate quickly on
that and having each of the 

733
00:43:10,600 --> 00:43:14,300
teams involved from a 
collaboration standpoint and 

734
00:43:15,600 --> 00:43:20,000
technology is critical to this 
but also is equally critical is 

735
00:43:20,200 --> 00:43:23,200
having the processes and program
in place. 

736
00:43:23,200 --> 00:43:26,100
Because if you don't have an 
understanding on what you need 

737
00:43:26,100 --> 00:43:29,500
to do to build the practice or 
the program, you're not going to

738
00:43:29,500 --> 00:43:33,000
have an understanding about how 
to even apply technology that 

739
00:43:33,000 --> 00:43:36,400
could help you to start 
redefining this in your 

740
00:43:36,400 --> 00:43:41,600
organization. Mike, I'm going to
ask you to put your future

741
00:43:41,600 --> 00:43:45,300
thinking cap on so Jeff. 
And I did a live stream today 

742
00:43:45,300 --> 00:43:48,300
and someone asks about Quantum 
Computing and how it would 

743
00:43:48,600 --> 00:43:53,400
impact password policies and 
passwordless and, you know,

744
00:43:53,400 --> 00:43:57,400
positions like these major 
trends that are happening around

745
00:43:57,400 --> 00:44:00,000
us. 
Things like The cloud which, you

746
00:44:00,000 --> 00:44:02,100
know, guess is the new trend 
anymore. 

747
00:44:02,900 --> 00:44:07,800
But I'm wondering what are some 
some Trends, or some things that

748
00:44:07,800 --> 00:44:10,900
you see in the future, that that
you get excited about what's 

749
00:44:10,900 --> 00:44:16,400
going to change in the DevSecOps
landscape and make it

750
00:44:16,400 --> 00:44:19,800
better. 
That's so, I don't know if I 

751
00:44:19,800 --> 00:44:24,300
will get into Quantum Computing 
and how we read from that, from 

752
00:44:24,300 --> 00:44:29,600
DevSecOps, but I do think
AI/ML.

753
00:44:29,600 --> 00:44:35,200
And it's funny because when I 
was in school, I took an AI/ML

754
00:44:35,200 --> 00:44:39,000
class. 
I learned firsthand of the fact 

755
00:44:39,000 --> 00:44:43,300
that what we think about AI. 
It's very rudimentary. 

756
00:44:43,900 --> 00:44:47,300
A lot of it's brute-force type
algorithms. 

757
00:44:47,600 --> 00:44:53,200
And I do see though that if you 
start taking the approach on

758
00:44:53,200 --> 00:44:57,200
DevSecOps, the next kind of
approach to it is, now how can I

759
00:44:57,200 --> 00:45:00,700
apply? 
Any of the any of the data that 

760
00:45:00,700 --> 00:45:06,100
I'm now, building from what I'm 
doing to make better predictions

761
00:45:06,100 --> 00:45:11,600
on what users want to do, or 
longer-term, even have the 

762
00:45:11,900 --> 00:45:16,100
robots, be able to go do stuff 
with it, which I know in a lot 

763
00:45:16,100 --> 00:45:21,100
of organizations is terrifying, 
but at the same time, I think 

764
00:45:21,300 --> 00:45:25,500
longer term will see more and 
more intelligent automation 

765
00:45:25,500 --> 00:45:28,300
where we're actually leveraging 
large

766
00:45:28,400 --> 00:45:30,900
datasets around machine
learning and then being able to 

767
00:45:30,900 --> 00:45:35,800
apply more of an AI approach. 
Thinking about, you know, can I 

768
00:45:35,800 --> 00:45:39,400
now have these night out a 
machine, go do these things that

769
00:45:39,400 --> 00:45:42,200
murder automate have machines, 
do it, but I'm controlling what 

770
00:45:42,200 --> 00:45:46,800
it does to actually be able to 
make decisions off of the data 

771
00:45:46,800 --> 00:45:49,800
that I build off of that. 
So that's, that's where I see 

772
00:45:49,800 --> 00:45:53,000
the next Trend. 
And maybe on the next podcast, 

773
00:45:53,000 --> 00:45:55,500
we'll talk about Quantum 
Computing, you know, a year or 

774
00:45:55,508 --> 00:45:58,300
two out because I may be more 
applicable at that point. 

775
00:45:58,500 --> 00:46:01,800
And I got a quick question for 
you, you've been great with your time.

776
00:46:01,800 --> 00:46:05,400
I don't even got a couple 
minutes left here but You know 

777
00:46:05,400 --> 00:46:09,200
I'm a Star Trek guy, the Borg 
are they an AI?

778
00:46:10,000 --> 00:46:14,900
Oh that's a that's a good 
question because there are 

779
00:46:14,900 --> 00:46:22,100
differing between machine and 
human interaction with human 

780
00:46:22,100 --> 00:46:25,100
rights framework. 
Yeah, cyborg of sorts. 

781
00:46:26,600 --> 00:46:29,700
I don't think the Borg
themselves are. I do think that

782
00:46:29,700 --> 00:46:35,800
the control of the Borg is
driven by AI, but it's

783
00:46:36,900 --> 00:46:39,300
conceptually think about it from
a collective standpoint. 

784
00:46:39,300 --> 00:46:47,500
It would be possible to be AI,
but I yeah it's that's a good 

785
00:46:47,500 --> 00:46:49,500
question. 
I think I'm on the fence on that

786
00:46:49,500 --> 00:46:52,200
one. 
I thought I'd throw you on the 

787
00:46:52,200 --> 00:46:54,700
spot there. 
So let's wrap up with something 

788
00:46:54,700 --> 00:46:59,700
in the Star Trek universe. 
Who is your favorite Star Trek 

789
00:46:59,700 --> 00:47:04,900
Captain or officer. 
So I have I have two one. 

790
00:47:07,100 --> 00:47:13,800
Human and one synthetic.
So Captain Picard for sure the 

791
00:47:13,800 --> 00:47:18,300
Next Generation You by far is my
favorite captain of all time

792
00:47:18,300 --> 00:47:23,500
across all whole Star Trek and 
then Data.

793
00:47:23,500 --> 00:47:27,500
So a nice, a data and not data 
because of my love for the next 

794
00:47:27,500 --> 00:47:33,000
generation and Data is also
right there up there with 

795
00:47:33,700 --> 00:47:38,000
Captain Picard so I like both of
them equally Ali iconic 

796
00:47:38,000 --> 00:47:40,900
characters for sure. 
Jim about yourself, who's your 

797
00:47:40,900 --> 00:47:43,200
favorite Star Trek. 
ER, I'm not gonna have an 

798
00:47:43,200 --> 00:47:45,000
original answer here but
Picard's

799
00:47:45,000 --> 00:47:48,000
my favorite, I mean, I just
think that guy was so cool. 

800
00:47:49,800 --> 00:47:52,400
Yeah, I don't know what it is 
about him, but like he totally 

801
00:47:52,400 --> 00:47:55,500
nailed that role for sure. 
You know, you can do hash cap 

802
00:47:55,500 --> 00:47:58,200
hashtag my captain or you know 
whatever you want to do it for 

803
00:47:58,200 --> 00:48:01,200
Picard for sure. 
I'm on that one, you know, I'm 

804
00:48:01,200 --> 00:48:04,500
old school but I like Spock. 
I mean, there's something about 

805
00:48:04,500 --> 00:48:08,700
the logic, the lack of emotion.
And things like that, that 

806
00:48:08,700 --> 00:48:11,400
you're not, not sort of 
tainting, the decision-making 

807
00:48:11,500 --> 00:48:13,700
sometimes to a detriment for 
sure. 

808
00:48:13,700 --> 00:48:18,700
But yeah, I always thought it 
was a fascinating, you know, not

809
00:48:18,700 --> 00:48:21,800
only character but role, right, to
be able to kind of show that, 

810
00:48:21,800 --> 00:48:26,100
and he kind of saw it go over 
with Data, trying to figure out.

811
00:48:26,100 --> 00:48:28,000
There are several episodes of 
him, trying to figure out the 

812
00:48:28,008 --> 00:48:30,600
Human Experience and emotion and
things like that, which was 

813
00:48:30,600 --> 00:48:33,700
always a who, you know, going 
from the cold. 

814
00:48:33,800 --> 00:48:37,500
Yeah, that's a cold.
But the robot To him all of a 

815
00:48:37,500 --> 00:48:41,300
sudden experiencing happiness or
sadness, or things like that, 

816
00:48:41,300 --> 00:48:44,400
and taking it to the extremes. 
So I guess Spock would be mine 

817
00:48:44,400 --> 00:48:47,800
for sure, over the captain, or 
was he? 

818
00:48:47,800 --> 00:48:49,300
There you go. 
Was question. 

819
00:48:49,300 --> 00:48:53,600
Who's your favorite character? 
It was Captain or officer and 

820
00:48:53,600 --> 00:48:57,200
Spock was definitely an officer.
Although he did take command at 

821
00:48:57,200 --> 00:49:00,000
certain times based on what was 
happening. 

822
00:49:00,400 --> 00:49:04,200
You know, at the time with with 
Kirk, I'm surprised nobody 

823
00:49:04,200 --> 00:49:06,500
brought up the end of Troy or 
well. 

824
00:49:06,800 --> 00:49:11,500
I was going to say, I thought it
was only the curry captain, and 

825
00:49:11,500 --> 00:49:16,600
who's definitely achieved my 
food not for a plug for the new 

826
00:49:16,600 --> 00:49:19,100
show Picard, but a lot of them are
back on there. 

827
00:49:19,100 --> 00:49:23,300
So it's wrist to see them 
acting, you know, decades into 

828
00:49:23,300 --> 00:49:26,500
the future on from the Next 
Generation. 

829
00:49:26,600 --> 00:49:32,100
Yeah, it's exciting stuff out 
there rod on all fronts Star 

830
00:49:32,100 --> 00:49:36,200
Trek so yeah they boldly went 
where they are already before I 

831
00:49:36,207 --> 00:49:37,400
guess. 
It would be the way to put that 

832
00:49:37,400 --> 00:49:40,500
one. 
Mike, you've been super cool

833
00:49:40,500 --> 00:49:44,600
with your time. Let's start to get
things wrapped up here, I really

834
00:49:44,600 --> 00:49:47,600
enjoyed the conversation today. 
I learned a lot sort of from 

835
00:49:47,600 --> 00:49:51,800
that DevSecOps mindset.
What is something that people 

836
00:49:51,800 --> 00:49:53,900
who are listening here? 
Just this conversation. 

837
00:49:53,900 --> 00:49:57,500
Just now should be taking away 
from from what we talked about, 

838
00:49:57,500 --> 00:50:02,200
that DevSecOps takes time and
effort to build, you know, a 

839
00:50:02,600 --> 00:50:05,600
program in your organization. 
You're coming at it from the 

840
00:50:05,900 --> 00:50:10,200
cybersecurity practitioner side,
think about how you can start 

841
00:50:10,200 --> 00:50:13,300
upskilling yourself.
I kind of equate that to, you 

842
00:50:13,300 --> 00:50:15,500
know, you don't need to become a
software engineer, but you 

843
00:50:15,500 --> 00:50:19,300
should know computer science, 
fundamentals, because the shift 

844
00:50:19,300 --> 00:50:22,300
is happening. 
And you at least want to have 

845
00:50:22,300 --> 00:50:25,600
the Baseline of understanding of
how things are done. 

846
00:50:25,600 --> 00:50:28,800
And accomplished is everything, 
becomes everything is code or it

847
00:50:28,800 --> 00:50:32,800
is code. 
And it's I'm super excited to 

848
00:50:32,800 --> 00:50:35,200
see where the market goes with 
around this. 

849
00:50:35,500 --> 00:50:39,900
It's I We're very very Forefront
of this even though you've heard

850
00:50:39,900 --> 00:50:43,400
DevSecOps for, you know,
years. 

851
00:50:43,400 --> 00:50:45,700
Now I think we're getting to the
point where it's starting to 

852
00:50:46,000 --> 00:50:49,900
truly accelerate but it's one of
the basis of DevSecOps.

853
00:50:49,900 --> 00:50:53,800
It's change and that's very 
difficult for any organization. 

854
00:50:54,400 --> 00:50:58,800
And so that's a think of driving
factor is the industry shifting 

855
00:50:58,800 --> 00:51:03,900
faster so fast that 
organizations have to adapt and 

856
00:51:03,900 --> 00:51:06,400
change. 
And I like to say with that 

857
00:51:06,400 --> 00:51:11,500
said, Now, choosing a Star Trek 
phrase resistance is futile. 

858
00:51:11,800 --> 00:51:15,700
So fruit prepare to be a citizen
to be assimilated. 

859
00:51:17,600 --> 00:51:18,800
Jim. 
How about yourself final 

860
00:51:18,800 --> 00:51:20,100
thoughts for this? 
Episode of? 

861
00:51:20,100 --> 00:51:21,900
That was so good. 
So good. 

862
00:51:23,000 --> 00:51:29,100
Yeah, but I think, you know, 
kind of come from the IAM

863
00:51:29,100 --> 00:51:33,100
program manager point of view 
and think about this is it's got

864
00:51:33,100 --> 00:51:36,300
to be a partnership. 
Don't go in and try and take 

865
00:51:36,300 --> 00:51:39,000
things over. 
You know quote unquote insert 

866
00:51:39,000 --> 00:51:45,600
yourself understand from you 
know your users your developers 

867
00:51:45,600 --> 00:51:50,000
and your infrastructure team. 
What are their needs? 

868
00:51:50,000 --> 00:51:54,200
What are their concerns? 
And you let them know here are 

869
00:51:54,300 --> 00:51:57,700
our needs from infosec 
standpoint. 

870
00:51:57,800 --> 00:52:01,200
I think when that gets on the 
table then you can start to 

871
00:52:01,200 --> 00:52:04,400
solution around what those needs
are. 

872
00:52:04,800 --> 00:52:07,900
And we can, you know, if you 
pursue this as kind of a 

873
00:52:07,900 --> 00:52:13,600
partnership all parties leading 
to try to make sure that all the

874
00:52:13,600 --> 00:52:16,600
needs are taken care of. 
That's the right approach, 

875
00:52:16,700 --> 00:52:19,500
that's what I say. 
Yeah, collaboration partnership 

876
00:52:19,500 --> 00:52:21,900
is exactly what I was thinking.
No one is expert in

877
00:52:21,900 --> 00:52:25,900
everything, you know, be a good 
partner, I guess to the rest of 

878
00:52:25,908 --> 00:52:27,700
the business. 
We're whichever side you fall 

879
00:52:27,700 --> 00:52:30,700
on, okay. 
I think that'll do it for this 

880
00:52:30,700 --> 00:52:33,400
week. 
I will have in our show notes, 

881
00:52:34,000 --> 00:52:35,400
Mike's
LinkedIn.

882
00:52:35,400 --> 00:52:37,300
Hopefully, you're cool with 
that, and connecting with people

883
00:52:37,300 --> 00:52:40,500
out there, and also a link to 
Sophos. 

884
00:52:40,500 --> 00:52:42,100
Hopefully, I pronounced it 
correctly that time. 

885
00:52:42,500 --> 00:52:44,500
So you can learn more about 
what's happening there. 

886
00:52:44,500 --> 00:52:45,300
Good. 
Okay, cool. 

887
00:52:46,300 --> 00:52:49,500
And, you know, obviously you can
check us out on the web identity

888
00:52:49,500 --> 00:52:52,400
at the center.com.
We're on Twitter at idac 

889
00:52:52,400 --> 00:52:54,700
podcast. 
You can check out our live 

890
00:52:54,700 --> 00:52:57,700
streams which again we're trying
to do those weekly slowly 

891
00:52:57,700 --> 00:53:00,700
growing, it slowly, figuring it 
out, but having interesting 

892
00:53:00,700 --> 00:53:03,400
conversations there as well. 
You can find us on YouTube at 

893
00:53:03,400 --> 00:53:06,900
idea c.y. 
I've and yeah, with that, we'll 

894
00:53:06,900 --> 00:53:09,200
go ahead and leave it. Mike,
thanks so much for your time,

895
00:53:09,200 --> 00:53:12,200
Jim, thanks for your time and
we'll talk with everyone. 

896
00:53:12,200 --> 00:53:19,600
The next one Jeremy guys, Thanks
for listening to the identity at

897
00:53:19,600 --> 00:53:21,800
the center podcast. 
If you like what you heard, 

898
00:53:21,800 --> 00:53:25,100
don't forget to subscribe and 
visit us on the web and identity

899
00:53:25,100 --> 00:53:26,000
at the center.com.
